Search found 10221 matches

by sindy
Fri Mar 29, 2024 2:57 pm
Forum: General
Topic: Drop all from WAN not DSTNATed
Replies: 13
Views: 5032

Re: Drop all from WAN not DSTNATed

The "one-liner" is indeed just a different way of doing the same which, compared to the "three-rule" way, is a tiny bit more efficient both typing/clicking-wise and CPU-wise but may also be a tiny bit less comprehensible for newbies. My personal view is that anyone who cannot und...
by sindy
Thu Mar 07, 2024 11:22 am
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

Apps work well, google yields search results yet 90% websites don't load. To provide a conclusion to the story: the root cause of the issue was a dst-nat rule matching on in-interface-list=WANxy but not taking into account whether the packet coming in through WAN was indeed a "direct" one...
by sindy
Wed Mar 06, 2024 2:35 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

Can you show me the sniffer settings? Because it is normal that the source address is the private one on the way from the phone to the router, but on the way from the router to the external server, the source address should be the WAN one of the router. In your sniffs, there is only one copy of each...
by sindy
Wed Mar 06, 2024 12:07 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

Sorry for my lack of responsiveness, yesterday and today are quite busy. The TCP SYN packets in your last screenshots only show that the server did not respond at all, so that's definitely not MTU related. But there are no addresses so I can't see whether the NAT did not happen or something else wen...
by sindy
Mon Mar 04, 2024 11:47 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

Wireshark I'm running it on a PC that connects to Mikrotik via IKEv2, right? No. Sniff into a file on the Mikrotik itself as you supposedly did before, connect to the unreachable site from a phone connected via IKEv2, then stop sniffing, download the file to a PC and open it using Wireshark. Here i...
by sindy
Mon Mar 04, 2024 11:23 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

If it behaves the same when the tunnel is established via another ISP, I agree with you that it does not look like an ISP issue. Hence it needs to sniff a single connection to a web site that fails and see what exactly is going on there. So find a web site that does not work, find out its IP address...
by sindy
Mon Mar 04, 2024 10:49 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

Well, the idea was to see whether the ISP does not set the MSS back to high value if you lower it using your mangle rules. From our description I am not sure whether we understood each other - my idea was that you don't change a single thing on your local machine and try to connect from a browser on...
by sindy
Mon Mar 04, 2024 8:08 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

Sniff to file on both, matching on the public ip address of the other one at each (so if the public IP address of your local one is l.l.l.l, set ip-address=l.l.l.l in the sniffer filter. What we are interested in are not just the TCP packets but also ICMP ones, so we cannot filter on anything more d...
by sindy
Mon Mar 04, 2024 5:17 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

The policy looks fairly normal (the dst-address is a /32 one), and this time it is not invalid. So there is no way how the policy could cause it. So time for sniffing I'd say, ideally at both ends of the TCP connection - "we don't do anything special" is the standard Layer 1 support respon...
by sindy
Mon Mar 04, 2024 2:20 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

I have asked for /ip ipsec policy print detail. But what bothers me here is that the dynamically generated policy for the phone is marked as I (Invalid), which makes little sense to me given that there is only a single actual policy - the rest are templates.
by sindy
Mon Mar 04, 2024 1:43 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

Export shows the configured items; the actual policies are generated dynamically from the templates. And your templates are quite wide. That's why I want the output of the print rather than the export for the policies.
by sindy
Mon Mar 04, 2024 1:11 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

To identify that, I would sniff the TCP SYN+ACK packets arriving via WAN and see what MSS they carry. If it is smaller than 1460, it suggests something between your WAN and the sender is tampering with it. But to be really sure, you need a device on a public address somewhere in the internet (like y...
by sindy
Mon Mar 04, 2024 12:45 pm
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

First, you may want to edit also the gateway IP from the export. Next, I can see you've got the two action=change-mss rules in forward mangle, do I get it right that they don't help? I'd like to see the output of /ip ipsec policy print detail (with public addresses redacted of course); if that gives...
by sindy
Mon Mar 04, 2024 9:13 am
Forum: General
Topic: IKEv2 mtu issue
Replies: 38
Views: 3330

Re: IKEv2 mtu issue

what needs to be checked? Post the export (not screenshots) of your configuration. Something similar as described in post #2 must be happening, but in your case, it would be the remote server (web site) that doesn't receive the information that the usable MTU is lower on the path from your router ...
by sindy
Thu Feb 15, 2024 3:39 pm
Forum: General
Topic: CRS326 loop-protect with pvid != 1 and VLAN filtering
Replies: 18
Views: 5444

Re: CRS326 loop-protect with pvid != 1 and VLAN filtering

Just bear in mind that the post you've quoted is more than 4 years old, so maybe RouterOS 7 has changed something about it. Not that I would give it too much chance.
by sindy
Tue Feb 13, 2024 9:33 am
Forum: General
Topic: VRRP and ISP failover?
Replies: 14
Views: 5412

Re: VRRP and ISP failover?

I enabled connection tracking on RTR1's VRRP1 interface. Same thing happens as before. In the meantime I gave it a try too, running 7.13.4 on a pair of CHRs, and got the same results (plus, like months before, the router acting as VRRP master goes to 100 % of CPU usage). So there is still an issue w...
by sindy
Sat Feb 10, 2024 10:51 am
Forum: General
Topic: VRRP and ISP failover?
Replies: 14
Views: 5412

Re: VRRP and ISP failover?

Any idea what causes this? I dare to answer although I'm obviously not @ConnyMercier :) The stateful firewall tracks the state of connections for multiple reasons - to allow most packets to only run through a few firewall rules, to provide NAT etc. Unless connection state synchronisation has been a...
by sindy
Sun Jan 14, 2024 9:15 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 98
Views: 84305

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Hi, no notification has arrived back in March... I guess it is already irrelevant for you, but if not, try responding again.
by sindy
Sat Jan 13, 2024 6:52 pm
Forum: General
Topic: QinQ trunk port
Replies: 14
Views: 12144

Re: QinQ trunk port

Happy New Year to you. You too :) basically I'm referring to the config. provided by @rradu92 Ah, I haven't noticed that the stub of a configuration in the OP has some mistakes - since the configuration branch is called /interface bridge port I just skipped it, not realizing that the first...
by sindy
Sat Jan 13, 2024 12:37 pm
Forum: General
Topic: QinQ trunk port
Replies: 14
Views: 12144

Re: QinQ trunk port

why not vlan-filtering?
What do you refer to? The video? Nobody mentions vlan-filtering in this topic in writing, neither positive nor negative.
by sindy
Sun Dec 31, 2023 3:46 pm
Forum: General
Topic: Wireless VLAN Trunk
Replies: 5
Views: 1532

Re: Wireless VLAN Trunk

First of all, vlan-filtering may be a slightly misleading name, but vlan-awareness may be equally misleading so I guess it can't be helped. The thing is that this setting affects the way how the bridge handles the VLAN tags. With yes, the bridge respects them and can add/strip them on ingress/egres...
by sindy
Fri Dec 22, 2023 11:42 pm
Forum: General
Topic: PPPoE Server on VLAN Interface with ARP Reply-Only [SOLVED]
Replies: 9
Views: 2274

Re: PPPoE Server on VLAN Interface with ARP Reply-Only [SOLVED]

Sorry, of course I had in mind reply-only when writing that.
by sindy
Fri Dec 22, 2023 7:37 pm
Forum: General
Topic: CGN NAT ( NAT444 ) help
Replies: 39
Views: 6347

Re: CGN NAT ( NAT444 ) help

I think using 250 ports may cause problems, for example a crowded restaurant... It didn't even come to my mind you might plan on connecting businesses, let alone hospitality ones, this way. Indeed if the whole restaurant is watching youtube, or even worse, if the restaurant has a cloud-based order ...
by sindy
Fri Dec 22, 2023 12:33 pm
Forum: General
Topic: CGN NAT ( NAT444 ) help
Replies: 39
Views: 6347

Re: CGN NAT ( NAT444 ) help

still no problem with 250 ports? Bear in mind that 250 ports per customer actually mean 250 ports per connection to a particular remote socket, so far more than 250 connections per customer in total. There are just a few scenarios where that may still be a limitation - what comes to my mind is ...
by sindy
Fri Dec 22, 2023 12:16 pm
Forum: General
Topic: PPPoE Server on VLAN Interface with ARP Reply-Only [SOLVED]
Replies: 9
Views: 2274

Re: PPPoE Server on VLAN Interface with ARP Reply-Only [SOLVED]

PPPoE server drops all active sessions just after I switch VLAN ARP to reply-only. Clients began to reconnect very slowly one by one only in 1 minute or so. ... As this is a production router I changed settings back immediately previously because of panic and rush, so I did not wait for it to start w...
by sindy
Wed Dec 06, 2023 6:54 pm
Forum: General
Topic: problem about Mikrotik L2tp
Replies: 6
Views: 1639

Re: problem about Mikrotik L2tp

So a recent experience from another installation suggests that the L2TP server does not check for duplicities - if one client gets an address from a pool and an address that fits into the pool is assigned to another client using the remote-address parameter of the /ppp secret row for that client, yo...
by sindy
Mon Dec 04, 2023 10:50 pm
Forum: General
Topic: VLAN over EoIP between Cloud Routers
Replies: 3
Views: 1785

Re: VLAN over EoIP between Cloud Routers

By default, the virtual switches of most virtualisation platforms only forward frames whose source MAC address matches the one of the virtual NIC sending them. This has to be changed in the NIC settings in order that the vswitch would accept the frames that came via the EoIP tunnel and forward them....
by sindy
Mon Dec 04, 2023 10:45 pm
Forum: General
Topic: Ipsec not traffic passing
Replies: 1
Views: 1207

Re: Ipsec not traffic passing

I would switch to the "installed SA" tab in the IPsec window and start pinging something in 192.168.55.0/24 specifying 192.168.228.1 as the source address for the ping. If the packet counter in the SA from your Mikrotik to the Checkpoint increases once per second, i.e. per each ping reques...
by sindy
Mon Dec 04, 2023 10:20 pm
Forum: General
Topic: Migrate configuration to different hardware [SOLVED]
Replies: 8
Views: 2448

Re: Migrate configuration to different hardware [SOLVED]

You can use /certificate export-certificate to copy the certificate from the hEX S to the 5009. Just remember that you have to specify the passphrase for the export, otherwise the private key will not be exported. When importing, import the certificate file first (it will ask for a passphrase but it...
by sindy
Mon Dec 04, 2023 10:14 pm
Forum: General
Topic: "NAT forward to gateway"
Replies: 12
Views: 1983

Re: "NAT forward to gateway"

So my guess was wrong, your firewall setup is very unusual to put it softly. I could understand that if router A was an ISP router with no NAT and you would avoid using connection tracking to save CPU, but since NAT is necessary at least for the connections to/from the internet, connection tracking ...
by sindy
Mon Dec 04, 2023 5:04 pm
Forum: General
Topic: "NAT forward to gateway"
Replies: 12
Views: 1983

Re: "NAT forward to gateway"

in general, how would you recommend setting the rules when I want to block so that clients can't reach each other (IP addresses in the "ip_clients" list) and so that even the ISP company (WAN) can't access them. At the same time, of course, I also need them to have Internet access. I normally...
by sindy
Mon Dec 04, 2023 12:43 am
Forum: General
Topic: "NAT forward to gateway"
Replies: 12
Views: 1983

Re: "NAT forward to gateway"

Is this ok like that or is there a better solution? The rule you have added looks strange to me in terms that you permit access to client subnets from WAN, but again - what you have shown is a modification to a configuration unknown to me, so how can I say it is the best way to do it or the worst? ...
by sindy
Sun Dec 03, 2023 2:17 pm
Forum: General
Topic: Wireguard Road Warrior to L2 LAN [SOLVED]
Replies: 4
Views: 1848

Re: Wireguard Road Warrior to L2 LAN [SOLVED]

If you only want the roaming client to be able to connect to devices in 192.168.20.0/24 and not vice versa (i.e. you don't need that those devices could actively initiate connections to the roaming client), /ip/firewall/nat/add src-address=172.16.10.2 dst-address=192.168.20.0/24 action=masquerade sh...
by sindy
Sun Dec 03, 2023 2:07 pm
Forum: General
Topic: "NAT forward to gateway"
Replies: 12
Views: 1983

Re: "NAT forward to gateway"

If you have a route to 10.20.7.0/24 (or what the actual mask is) on router A, NAT at router B should normally not be necessary. So there must be some additional issue which I cannot guess. Hence post the configuration exports of router A and router B (/export hide-sensitive file=router-X) between ...
by sindy
Sun Dec 03, 2023 1:09 pm
Forum: General
Topic: "NAT forward to gateway"
Replies: 12
Views: 1983

Re: "NAT forward to gateway"

You can selectively disable NAT for 10.20.7.2 on router B by placing an action=accept rule before the action=masquerade (or action=src-nat) one and let it match on src-address=10.20.7.2, or by adding src-address=!10.20.7.2 to the action=masquerade one if src-address match is not used in that rule ...
by sindy
Sun Dec 03, 2023 12:31 pm
Forum: General
Topic: IKEv2 VPN Certificate issues on Windows
Replies: 3
Views: 1770

Re: IKEv2 VPN Certificate issues on Windows

If you have multiple machine certificates on that machine, maybe this is what you are looking for?
by sindy
Sun Dec 03, 2023 12:15 pm
Forum: General
Topic: RSTP - Disable on one port
Replies: 9
Views: 6142

Re: RSTP - Disable on one port

But I noticed even with those rules enabled and the ports set to edge, when I click on the status page I saw that it was checked on SENDING RTSP. Unfortunately, sending-rstp shows yes even on a port that is configured as edge=yes and sniffing shows that indeed no BPDUs are sent out via that por...
by sindy
Sat Dec 02, 2023 10:35 pm
Forum: General
Topic: mikrotik sip don't forward bye commands
Replies: 8
Views: 2182

Re: mikrotik sip don't forward bye commands

Do you think I should set dst-nat for port 5062? No, just because two distinct ports are used for SIP at 192.168.181.15, I've assumed it's some 2-port gateway or so and hence I was expecting you to have a symmetric setup for both; since you don't, I am a bit confused about the type of the SIP devic...
by sindy
Sat Dec 02, 2023 9:10 pm
Forum: General
Topic: Need help with L2TP connection
Replies: 6
Views: 1405

Re: Need help with L2TP connection

You have leaked the public address of the server; if it bothers you, remove the screenshot. Then, disable the L2TP client, wait 60 seconds, run /log print follow-only file=l2tp-start, enable the L2TP client, wait 60 seconds and stop the /log print... by pressing Ctrl-C. Then download the file l2tp-...
by sindy
Sat Dec 02, 2023 5:51 pm
Forum: General
Topic: mikrotik sip don't forward bye commands
Replies: 8
Views: 2182

Re: mikrotik sip don't forward bye commands

Also we can't reproduce problem, it just happens several times a week. Even better... OK, what I could imagine would be expiration of ARP cache and lazy reaction of the ISP gateway at 192.168.181.15 to ARP requests, making the Mikrotik unable to send the message received from the SIP server after u...
by sindy
Sat Dec 02, 2023 2:03 pm
Forum: General
Topic: SIP Packets Passthrough not working
Replies: 5
Views: 1540

Re: SIP Packets Passthrough not working

The SIP ALG should only act if NAT rules are in place, which is not your case. To cover the case that this is eventually not true for 7.11.2, rather than disabling it, try setting it to act on an unused port like 65060. Also, what does /ip firewall connection print detail where dst-port~":506"...
by sindy
Sat Dec 02, 2023 1:56 pm
Forum: General
Topic: mikrotik sip don't forward bye commands
Replies: 8
Views: 2182

Re: mikrotik sip don't forward bye commands

OK. Since the distance between the 183 (that went through) and the 200 OK (that didn't) is some 27 seconds, which is far less than the UDP stream timeout on the firewall, we can exclude an issue with the normal UDP NAT. The 200 OK may be huge but the BYE should be relatively small, so issues with LA...
by sindy
Sat Dec 02, 2023 1:45 pm
Forum: General
Topic: Need help with L2TP connection
Replies: 6
Views: 1405

Re: Need help with L2TP connection

Something did not go as expected. When I enable logging of L2TP using /system/logging/add topics=l2tp and set up an L2TP client connecting to a non-existent server address, my log shows the following: 12:39:46 l2tp,ppp,info test: initializing... 12:39:46 l2tp,ppp,info test: connecting... 12:39:46 l2...
by sindy
Thu Nov 30, 2023 3:30 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

I am using x86 Mikrotik on a VMware ESXi for 280Mbps download and 150 Upload. If so, conserving CPU on the Mikrotik VM might help the other VMs on the machine, but if that's not important, no need to change anything about the configuration. the script I am talking about was posted by DjSam Indeed, I'...
by sindy
Thu Nov 30, 2023 1:33 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

I would like to know if that's okay or if I can improve something. I have no idea what Mikrotik model you use and what DL/UL bandwidth Ogero gives you. Depending on these factors, you might want to save some CPU cycles per packet. Assigning the public IP directly to the Fortigate would remove the ne...
by sindy
Thu Nov 30, 2023 10:31 am
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

settings provided from ISP is PPPoE username and password. In addition they provided 1 static real IP to be used in a /30 subnet. And require to disable NAT and use RIPv2. In design [ISP Fiber Modem in bridge mode] Connected Cat6 Cable to Mikrotik Port1 then Mikrotik Port2 connected to Fortigate Wa...
by sindy
Wed Nov 29, 2023 10:07 am
Forum: General
Topic: Forwarding Radius authentication traffic to specific WAN
Replies: 3
Views: 1053

Re: Forwarding Radius authentication traffic to specific WAN

So just set WAN1 public IP as the source IP for the radius server and it will exit that interface. It doesn't work this simple. The regular routing only takes into account the destination address. So without adding a routing rule or a mangle rule that would order which routing table to use based on...
by sindy
Wed Nov 29, 2023 1:05 am
Forum: General
Topic: Problems with IPSEC VPN
Replies: 1
Views: 886

Re: Problems with IPSEC VPN

Post the output of /export hide-sensitive, between [code] and [/code] tags, after removing any additional sensitive information not suppressed by hide-sensitive (public addresses, serial numbers, usernames, secrets, private keys). Is the Mikrotik the default gateway for the LAN devices?
by sindy
Wed Nov 29, 2023 1:00 am
Forum: General
Topic: Forwarding Radius authentication traffic to specific WAN
Replies: 3
Views: 1053

Re: Forwarding Radius authentication traffic to specific WAN

Simply by adding a /32 route to the address of the RADIUS server via WAN 1 gateway to all routing tables, so regardless which routing table the "bonding" (actually, it's most likely load distribution) chooses, the packets to the RADIUS server will always go via WAN 1.
by sindy
Wed Nov 29, 2023 12:55 am
Forum: General
Topic: Need help with L2TP connection
Replies: 6
Views: 1405

Re: Need help with L2TP connection

The log should tell you more than this if you set /system/logging/add topics=l2tp. Can you see the log also on the server or is the server not yours?
by sindy
Tue Nov 28, 2023 7:37 pm
Forum: General
Topic: Second third party WireGuard VPN with same network provided [SOLVED]
Replies: 30
Views: 4576

Re: Second third party WireGuard VPN with same network provided [SOLVED]

In another thread someone said the fix is with the listening port. So you had two interfaces listening on the same port? If so, one of them must have been showing an error too, so the inactive address associated to it was just a consequence. now that I have 2 Surfshark WireGuard VPNs running, how can I the...
by sindy
Tue Nov 28, 2023 7:26 pm
Forum: General
Topic: Second third party WireGuard VPN with same network provided [SOLVED]
Replies: 30
Views: 4576

Re: Second third party WireGuard VPN with same network provided [SOLVED]

However, in my setup, the IP address in the list in Winbox looks exactly this way if I disable the Wireguard interface it is attached to. Could it be as simple as that at your end as well?
by sindy
Tue Nov 28, 2023 7:16 pm
Forum: General
Topic: Second third party WireGuard VPN with same network provided [SOLVED]
Replies: 30
Views: 4576

Re: Second third party WireGuard VPN with same network provided [SOLVED]

here's a screenshot
I did not ask for a screenshot, I do believe you when you say it is red, no need to prove it to me by a screenshot. I asked for an export to see what is wrong in the configuration.
by sindy
Tue Nov 28, 2023 12:10 pm
Forum: General
Topic: problem about Mikrotik L2tp
Replies: 6
Views: 1639

Re: problem about Mikrotik L2tp

That looks pretty normal - distinct remote-address values, no pool used on either the /ppp secret row or on the /ppp profile row. What are the L2TP clients, also Mikrotiks or something else? I can imagine the client can suggest an address of its choice and the server may accept it, but already that ...
by sindy
Tue Nov 28, 2023 10:07 am
Forum: General
Topic: problem about Mikrotik L2tp
Replies: 6
Views: 1639

Re: problem about Mikrotik L2tp

Show me the two /ppp secret rows in question, remove passwords before posting of course:
/ppp secret print where name~"test-(0033|0162)"
by sindy
Mon Nov 27, 2023 11:21 pm
Forum: General
Topic: Second third party WireGuard VPN with same network provided [SOLVED]
Replies: 30
Views: 4576

Re: Second third party WireGuard VPN with same network provided [SOLVED]

Hi, I'm facing the same problem, can you elaborate how you made it work, because when I try to assign the same IP to 2 WireGuard interfaces the other turns red and invalid Something else must be wrong or you are running a strange version of RouterOS: [me@myTik] > ip address/print where interface~"w"...
by sindy
Mon Nov 27, 2023 9:07 pm
Forum: General
Topic: problem about Mikrotik L2tp
Replies: 6
Views: 1639

Re: problem about Mikrotik L2tp

Do you use /ppp secret items or RADIUS (User Manager or an external one) to store the configuration of the L2TP clients?
by sindy
Mon Nov 27, 2023 9:05 pm
Forum: General
Topic: L2TP/IPSec VPN - Cannot get past phase 1
Replies: 5
Views: 1606

Re: L2TP/IPSec VPN - Cannot get past phase 1

On the main router (I cannot get rid of it) there is a DMZ set up pointing to Mikrotik. In the log, I see the following, and it stays without any changes before I cancel the connection: respond new phase 1 (Identity Protection): 192.168.10.1[500]<=>"Client's IP"[500] Please help me find o...
by sindy
Sun Nov 26, 2023 11:51 am
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

In the configuration export you have posted earlier, 192.168.121.0/24 does not exist, nor is there any route to that subnet via some tunnel. So I cannot give you any useful response until you clarify this discrepancy.
by sindy
Sun Nov 26, 2023 1:15 am
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

I can access this router using 192.168.121.200, but I cannot access it with 81.143.42.218 I would like to access this router with the public IP of 81.143.42.218 From where??? From a device on a private address in LAN or from a device in the internet, such as your mobile phone connected to LTE rath...
by sindy
Sat Nov 25, 2023 1:13 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Please bear in mind that English is not my native language, which is probably the reason why I cannot extrapolate from your minimalistic descriptions. I need an example of a particular connection that does not work, with the private (and public, if used) address of the initiator of that connection (...
by sindy
Fri Nov 24, 2023 1:01 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

I still cannot access private IPs when allocated with a public IP. I don't understand this sentence. Tell me the exact address you want to access and the exact address you want to access it from. Should I drop the idea of using dst-nat and src-nat rules and use another method? If so which one? I d...
by sindy
Thu Nov 23, 2023 9:30 pm
Forum: General
Topic: PPPoE Server on VLAN Interface with ARP Reply-Only [SOLVED]
Replies: 9
Views: 2274

Re: PPPoE Server on VLAN Interface with ARP Reply-Only [SOLVED]

As you say you are not interested in suggestions regarding other ways of connecting the public addresses but only in why it does not work this way, what "other ideas" do you have in mind? I've already written before that if setting arp to reply-only affects the pppoe server operation on an...
by sindy
Thu Nov 23, 2023 3:21 pm
Forum: General
Topic: VoIP over Wireguard Vpn: one way audio problem.
Replies: 17
Views: 2739

Re: VoIP over Wireguard Vpn: one way audio problem.

I don't get it. The only call in "remote" is at 12:00:02, from 501 to 1601, Call-ID 7-44Ub0OL5NSjkjmcN94jA.. The only call in "central" is at 11:52:30, from 1270 to 1270, Call-ID d3Rz1_aeZjjXSCHjjjVcPA.. . How are these two related? The time spans of the captures do not even over...
by sindy
Thu Nov 23, 2023 3:10 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

If e.g. GB3WK needs to talk to GB3MW's public address, the dst-nat rule must act not only for in-interface=pppoe-out1 (or what the uplink interface name is) for access from the internet, but also for in-interface=bridge (or what the name of the interface to which GB3WK and GB3MW are connected is), s...
by sindy
Thu Nov 23, 2023 1:21 pm
Forum: General
Topic: VoIP over Wireguard Vpn: one way audio problem.
Replies: 17
Views: 2739

Re: VoIP over Wireguard Vpn: one way audio problem.

It's a mess this time. The single call in "central" and "remote" captures is not the same one, and the capture from "3cx" sends the SIP messages between two local processes across 127.0.0.1. To be able to say something, I need a capture of the same call from the router ...
by sindy
Thu Nov 23, 2023 1:09 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Trying to copy and paste the line into a terminal window failed, so I tried to enter the line manually, this also failed. Have you replaced the xxx in the IP addresses by the correct numeric values before pasting? But as you say you had to adjust the OSPF settings, maybe the sniffing is not necessa...
by sindy
Wed Nov 22, 2023 9:54 pm
Forum: General
Topic: VoIP over Wireguard Vpn: one way audio problem.
Replies: 17
Views: 2739

Re: VoIP over Wireguard Vpn: one way audio problem.

It was filtered by IP 192.168.59.95 (remote SBC), with no other exclusions. The only explanation I can imagine is that there is a bug in sniffing on Wireguard interface. Ok, found a missing nat, but this not resolved problem... What I saw was one NAT too many, not a missing one... https://drive....
by sindy
Tue Nov 21, 2023 1:21 pm
Forum: General
Topic: wireguard not working any more
Replies: 10
Views: 2038

Re: wireguard not working any more

I'm not sure about everything: When the automatic signatures still worked on this forum, Anav said "use my advice at your own risk". So: 1. a /30 mask is fine 2.+3. you only need to add the subnet attached to Wireguard interface if you want to access that address through the tunnel. We...
by sindy
Tue Nov 21, 2023 12:51 am
Forum: General
Topic: wireguard not working any more
Replies: 10
Views: 2038

Re: wireguard not working any more

What about the routes? You should have a route to 172.16.0.0/24 with wireguard_g43 or 10.255.255.2 as a gateway at Side A, and a route to 192.168.23.0/24 with wireguard_f2 or 10.255.255.1 as a gateway at Side B, have you got them?
by sindy
Mon Nov 20, 2023 10:08 pm
Forum: General
Topic: VoIP over Wireguard Vpn: one way audio problem.
Replies: 17
Views: 2739

Re: VoIP over Wireguard Vpn: one way audio problem.

Attached pcap files, thanks!!!! Interesting, what was the sniffer filter on "local"? Because on "remote" I can see the SIP signaling from the phone at 192.168.66.22 to come from 172.31.192.2, which suggests that there is a src-nat on the "local", but in the "local...
by sindy
Mon Nov 20, 2023 5:18 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Does this help? It definitely does. You can actually attach all the public addresses to a single interface, but having dedicated ones is not a mistake. I can see your src-nat and dst-nat rules do not match on out-interface and in-interface, respectively, but that is also not a mistake in this partic...
by sindy
Mon Nov 20, 2023 10:01 am
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Post the export of the current configuration, replace any occurrence of the first three bytes of the 8 public addresses with pub.pub.pub and of course remove any usernames/passwords/secrets/private keys before posting, and tell me what kind of equipment it is that your users connect to it (other Mik...
by sindy
Mon Nov 20, 2023 1:43 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

The reason my customer SMs lost connection as did I was due to firewall being too restrictive. I had gone further in the Mikrotik Wiki https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall and added in the rules under Protect the LAN devices. Turns out I probably shouldn't have do...
by sindy
Mon Nov 20, 2023 1:05 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

the action=mark-routing ones in prerouting do not stay at 0 and I lost my connection. I had safe mode enabled so I am back in. So much about a low-profile testing with minimum impact on the traffic :( I've missed a small difference between the action=mark-connection rules. In the ones that match on...
by sindy
Sun Nov 19, 2023 11:41 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

OK. So now, move the action=mark-routing chain=output connection-mark=wan10 dst-address-list=l2tp-sonar new-routing-mark=l2tp-sonar passthrough=no rule to the top of the chain output. Then you can enable all the action=mark-routing rules in prerouting, but keep the action=mark-connection ones matc...
by sindy
Sun Nov 19, 2023 10:05 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

Do you have any recommendations on other firewall rules that may be required that are not on the Wiki or will the defaults be sufficient enough? If you haven't changed anything in chain input of /ip/firewall/filter since the last export you've posted, please do the following steps until the first u...
by sindy
Sun Nov 19, 2023 9:31 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

I'll have to imitate that case and give you an update for the script. Remove the existing lease-script and copy-paste the following to the terminal: /system script add name=lease-script source=":if (\$bound=1) do={\ \n /ip route {\ \n :if ([:typeof \$\"gateway-address\"]!=\"noth...
by sindy
Sun Nov 19, 2023 8:44 pm
Forum: General
Topic: Killing my head with L2TP server configuration !
Replies: 2
Views: 2023

Re: Killing my head with L2TP server configuration !

A full export of the current configuration, please (with the public address obfuscated if it is present in the export, and any passwords/secrets/private keys/usernames removed). Too many things may be involved. The order of firewall rules matters, that's the first thing I would look at.
by sindy
Sun Nov 19, 2023 8:12 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

screenshot attached. Now hold up. The 10.5 GiB of data shown in most mark-routing rules in chain output mean that your device itself is sending tons of its own traffic (not one forwarded from the customers); as it has no reason to do that actively, and as these rules translate connection marks to r...
by sindy
Sun Nov 19, 2023 8:00 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

To ensure I understand correctly. Once final configuration is done, I shouldn't need to link Sonar and the VPN to a WAN? Yes for the Sonar if you keep connection marks in use (which is what I was expecting), maybe for the VPN. I cannot say why the L2TP was struggling initially and then later after ...
by sindy
Sun Nov 19, 2023 6:51 pm
Forum: General
Topic: DSCP Tagging missing
Replies: 7
Views: 1054

Re: DSCP Tagging missing

Great that you have found the issue elsewhere, but please be aware that a packet trace on the switch cannot show you how the packets looked on the wire, because the CPU recording the trace can only see the frames after they passed through the switch chip, so some switch chip rules may have already m...
by sindy
Sun Nov 19, 2023 6:21 pm
Forum: General
Topic: DSCP Tagging missing
Replies: 7
Views: 1054

Re: DSCP Tagging missing

In my understanding of the universe, it would be a serious bug if a switch would modify the contents of the frame beyond the L2 header without being explicitly told so. So the first thing to show is the export of your configuration, with any private information like passwords, secrets, private keys,...
by sindy
Sun Nov 19, 2023 3:46 pm
Forum: General
Topic: wireguard not working any more
Replies: 10
Views: 2038

Re: wireguard not working any more

There should be nothing special for a CCR 10xx vs. RB2011 configuration-wise. There may be an architecture related bug that cannot be affected by configuration, there may be an issue in 7.12 (you haven't specified what version was running on the 2011), but most likely by experience, there is some di...
by sindy
Sun Nov 19, 2023 3:28 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

I am sure there is some changes I could make to improve things so please do let me know what you find that needs to be changed. I kept the PCC mangles for the bridge-lan disabled for now until those can be fixed but so far I don't see any problems at this time. What I can see is that you have decid...
by sindy
Sun Nov 19, 2023 12:53 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

(1) I like that idea and I am implementing that now. Well, I don't like that idea, and we already had a private discussion about it with @anav. Your configuration is already complicated enough, and creating multiple connection marks and routing marks/tables that get ultimately translated to the sam...
by sindy
Sat Nov 18, 2023 9:17 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

1) I would use Wireguard (if possible) for the management VPN. If one end (your office) has a static IP, the remote end(s) (the router(s) behind Starlink) can be configured to always connect to that IP, and it reconnects really fast. Even better, strictly speaking it even isn't a reconnection - if...
by sindy
Sat Nov 18, 2023 3:43 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

This is the documentation ... I am not sure if it answers your question but this is all I really know about it. It does. The good news is that as they ask you to create the rules manually, they are interested in their ultimate effect, not in the particular rules themselves. Apparently all of our 10...
by sindy
Sat Nov 18, 2023 3:08 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

With every single page these days pulling in feeds from multiple locations... And sites requiring log ins from a specific IP address... And if the IP changes... You have to log back in. I mean voip and video calling take it the worst, actually wifi calling takes it the worst. As for src-nating the ...
by sindy
Sat Nov 18, 2023 12:47 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

... tried disabling the forward mangles as you suggested. Although those are needed for Sonar per their documentation ... A very important question here is whether Sonar needs just the effect of these rules or these rules must be there literally because Sonar's API scripts check or even manipulate ...
by sindy
Sat Nov 18, 2023 1:16 am
Forum: General
Topic: Low WAN Throughput on CRS312 Compared to Direct ISP Connection
Replies: 3
Views: 937

Re: Low WAN Throughput on CRS312 Compared to Direct ISP Connection

CRS devices are switches with a full routing feature set but a too weak CPU to provide routing of LAN <-> WAN traffic. As you mention LAN & WAN and firewall rules, I gather you are indeed using the device as a router with NAT. Look at the test results tab on the product home page, in particular ...
by sindy
Sat Nov 18, 2023 12:39 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

I ... tried disabling the forward mangles as you suggested. ... in any case it seems to have broken our VPN connection as the logs are showing it trying but failing to establish a connection. The only way that disabling only the mangle rules in forward chain could affect the L2TP would be that it wo...
by sindy
Sat Nov 18, 2023 12:20 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

Hello Sindy,
I've sent you an e-mail, check your spam folder if you haven't received it.
by sindy
Fri Nov 17, 2023 9:59 pm
Forum: General
Topic: L2TP port remains open after disabling l2tp
Replies: 2
Views: 869

Re: L2TP port remains open after disabling l2tp

First of all, what does the sniffer show you on the WAN port of the Brand New Router when you run the scanner? The definition of "open port" is not that easy with UDP. With TCP, if you send the initial SYN packet from a client, the server must respond with a SYN+ACK one so that the session...
by sindy
Fri Nov 17, 2023 9:47 pm
Forum: General
Topic: Official docs to L2TP-v3 L2TP-ETHER
Replies: 13
Views: 5585

Re: Official docs to L2TP-v3 L2TP-ETHER

Can it be done with L2TPv3 Ethernet over UDP? I haven't tried that with L2TPv3, but it does work with traditional L2TP with BCP (that allows interconnecting bridges on the tunnel endpoints, no VLAN filtering supported as the tunnel is added as a bridge port dynamically and there is no way to define...
by sindy
Fri Nov 17, 2023 8:07 pm
Forum: General
Topic: VoIP over Wireguard Vpn: one way audio problem.
Replies: 17
Views: 2739

Re: VoIP over Wireguard Vpn: one way audio problem.

Before reading the configurations, I'd rather see the sniffing results first. It should show you whether the RTP arrives from the 3CX to the router that is closer to it. If it does, the RTP may get lost when forwarded by that router to the Wireguard tunnel, or when passing through the tunnel, or whe...
by sindy
Fri Nov 17, 2023 7:59 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 2767

Re: GRE over IPSEC - cannot reach clients

Sindy this is what he says ... There are multiple posts where @kissge83 describes it and I read all of them the same, that the packet does not leave the local router, i.e. the packet is not sent via the local GRE interface. Of course that also means that it never reaches the remote router, but whil...
by sindy
Fri Nov 17, 2023 7:20 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

A question I have on that lease script. I assume that is meant to be placed inside the script section in each DHCP client? It makes sense to me that it would be appropriate to put it there but figured I would ask. To be precise, it is meant to be placed just once into the /system script section, an...
by sindy
Fri Nov 17, 2023 6:19 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 2767

Re: GRE over IPSEC - cannot reach clients

You are stating and seeing exactly what I am seeing as well no packets exit the far end of the tunnel from the tunnel IP which is why you can't ping or route thru it. But that's something else than what @kissge83 has described in the OP. You can see that the packets do not exit the far end which ma...
by sindy
Fri Nov 17, 2023 5:58 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

It might be best to start fresh with the mangle rules. Let's go that way if you like, but I'd prefer a more interactive communication channel than the forum. This kind of "share the wisdom" site is great to describe typical setups and principles so that others could follow them, but ther...
by sindy
Fri Nov 17, 2023 4:46 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Can you let me have the instructions for programming a LAN port with a public IP, without using src-nat and dst-nat rules that you mentioned in a previous post. There are many ways, from one wasting 5 of your 8 addresses for "overhead" that works with any type of LAN client to more effici...
by sindy
Fri Nov 17, 2023 2:18 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 2767

Re: GRE over IPSEC - cannot reach clients

I can assure you on OS7.12 you can't IP route thru the GRE tunnel IP's. Maybe there is some misunderstanding? Without IPsec, it works in ROS 7.12 as expected, see below. Test setup: a /24 subnet is attached to the GRE tunnel interface on the DUT: [me@myTik] > /ip/address/print where interface=gre-t...
by sindy
Fri Nov 17, 2023 2:12 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

Could you provide some assistance with getting this going? I have read a bit about PCC and started working on it with the help of anov who was the first to respond to my post. I do have many mangle rules and static routes created but they are currently disabled until I am certain they are configure...
by sindy
Fri Nov 17, 2023 1:30 am
Forum: General
Topic: Is Mangle Output Chain broken? [SOLVED]
Replies: 5
Views: 3376

Re: Is Mangle Output Chain broken? [SOLVED]

You get it right. The first routing chooses an out-interface and assigns a source address (unless the packet being routed is a response and unless its source address has been assigned according to configuration or a command line parameter). The mangle rules in chain output can see this out-interface...
by sindy
Fri Nov 17, 2023 1:17 am
Forum: General
Topic: One ipsec policy and two peers
Replies: 5
Views: 2423

Re: One ipsec policy and two peers

can anybody shed some light on the significance of this... I cannot provide an official documentation, only practical experience. The use case is that the router with dual-peer policy (typically acting as an initiator) establishes an IKE/IKEv2 SA with both peers (typically acting as responders) but...
by sindy
Fri Nov 17, 2023 12:31 am
Forum: General
Topic: VoIP over Wireguard Vpn: one way audio problem.
Replies: 17
Views: 2739

Re: VoIP over Wireguard Vpn: one way audio problem.

The only idea I've got is to sniff the same call simultaneously at both Mikrotiks to see whether it's the phone asking the 3CX via SDP to send the RTP to a wrong public address it has detected using STUN or some firewall/routing issue on one of the Mikrotiks.
by sindy
Thu Nov 16, 2023 10:49 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

Unfortunately it does not have the capability to use FQDN and not sure if they will add that in future updates. The reason for the question was that the router could update a DNS record in your company DNS if the latter has an API for that, or using the Mikrotik "ip cloud" service, or usi...
by sindy
Thu Nov 16, 2023 9:31 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

There are chains srcnat and dstnat, and there are actions src-nat and dst-nat (and for the sake of completeness, there are also connection states srcnat and dstnat that firewall rules in other tables than nat may use to match packets). Action masquerade is a special case of action src-nat that a) deter...
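An added example (mine, not taken from the post) that puts all three things side by side in one configuration: the two chains, the three actions, and a filter rule matching on the connection's NAT state. It assumes a static public address 203.0.113.10 on ether1 (member of interface list WAN), a LAN 192.168.88.0/24 on bridge and a web server at 192.168.88.10; all of that is made up for the illustration.

```routeros
# Assumed: 203.0.113.10 on ether1 (in list WAN), LAN 192.168.88.0/24 on bridge,
# web server 192.168.88.10. RouterOS 7 syntax.
/ip firewall nat
# chain dstnat, action dst-nat: the destination is rewritten before routing.
# Matching on the public address instead of in-interface-list=WAN lets LAN clients
# that use the public name hit the same rule (needed for the hairpin below).
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    to-addresses=192.168.88.10 comment="publish the web server"

# chain srcnat, action src-nat: the source is rewritten after routing, to a fixed address.
add chain=srcnat action=src-nat out-interface-list=WAN src-address=192.168.88.0/24 \
    to-addresses=203.0.113.10 comment="static public address: explicit src-nat"

# chain srcnat, action masquerade: the src-nat special case that takes whatever address
# the out-interface currently has, so no to-addresses; use it where the WAN address
# changes (DHCP, PPPoE), not where it is static. Shown disabled here.
add chain=srcnat action=masquerade out-interface-list=WAN disabled=yes \
    comment="dynamic public address: masquerade instead of src-nat"

# hairpin: a LAN client connecting to 203.0.113.10 was dst-natted to 192.168.88.10 above;
# without this rule the server would answer the client directly, bypassing the router,
# and the connection would break. dst-address here is already the translated one,
# because chain srcnat is evaluated after chain dstnat.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 comment="hairpin NAT"

# the connection state dstnat, used outside the nat table: this is how a filter rule
# admits exactly the connections that the dst-nat rule above has translated.
/ip firewall filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="dst-natted connections from WAN"
```

The order of rules matters only inside a chain (the filter rule above has to sit above the rule that drops new connections from WAN; the srcnat and dstnat rules can be interleaved freely). /ip/firewall/connection/print where dstnat shows the translated connections, which is a quicker check than the rule counters.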
by sindy
Thu Nov 16, 2023 7:41 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

A couple of questions regarding Sonar:
  • can it use an FQDN of the router it manages rather than an IPv4 number?
  • does it require a continuous connection or it is not an issue if it loses contact for minutes?
by sindy
Thu Nov 16, 2023 5:07 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Can you help me please? I assume I can help but I am not sure what the problem is. The order of firewall rules is important but only within the same chain (i.e. rules in chain dstnat can be interleaved with rules in chain srcnat, only the mutual order of rules in the same chain actually matters). I...
by sindy
Thu Nov 16, 2023 2:30 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

Currently I have no filter rules that would block incoming connections, Firewall is wide open until I get it working then I will work on the security. A big fat NO for this. Firewall is the first thing to deal with when you connect something directly to the internet, always, no exceptions. The filt...
by sindy
Wed Nov 15, 2023 10:58 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

I had just added -wanN to the end of the default names but willing to rename them to simplify things if necessary. Depending on the order of creating the DHCP client, renaming the interface it is attached to, and possibly rebooting the router in the past the result may be different. The lease scrip...
by sindy
Wed Nov 15, 2023 8:55 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

Maybe consider adding some monitoring of the starlink performance — which is kinda annoying since it uses gRPC, not SNMP. I know there is starlink plugin for Prometheus, but if you have some other NMS somewhere... imagine there are plugins for starlink. The terminal's gRPC data includes stuff like m...
by sindy
Wed Nov 15, 2023 8:12 pm
Forum: General
Topic: mikrotik sip don't forward bye commands
Replies: 8
Views: 2182

Re: mikrotik sip don't forward bye commands

I suppose the 192.168.181.15 is on the LAN side of the Mikrotik, is that correct? The timestamps are missing in your screenshot, but already the 200 OK messages are not forwarded, so the timeout has to be quite short or the called party must be picking up quite late, as the normal timeout for a resp...
by sindy
Wed Nov 15, 2023 7:41 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

So here's how to make the DHCP clients add/modify the routes the necessary way. First, copy-paste the following script to the command line window of the router. The exported form looks awful, but it is not invoked until you change other things in the configuration, so you can paste the creation scri...
by sindy
Wed Nov 15, 2023 5:55 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

I had removed some sensitive data in the config before posting it. That's likely why it wasn't in there. Clear. OK. Now let me clarify some points that may not be obvious. First a disclaimer - I am aware that you have inherited most of the current configuration from the previous administrator, so i...
by sindy
Wed Nov 15, 2023 1:43 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

The L2TP client is running directly on the Mikrotik router in Alaska and it connects to another Mikrotik router at our HQ in Oregon running the L2TP server. Then something must have gone wrong in the process of posting the configuration, because I can see no /interface l2tp-client section there. Th...
by sindy
Wed Nov 15, 2023 1:35 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

ECMP works fine V7 – it relies on connection tracking to store the routing decision for future packets. Thanks. I was wondering about this for some time already. The LTE being 600ms would imply the cell networks backhaul is using GEO sat, which at a full transponder would be ~50-100Mb capacity rang...
by sindy
Wed Nov 15, 2023 12:32 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12631

Re: Multi-WAN Load Balancing Starlink issue

So I finally got to reading through it, and I am trying to put the bits together. You wrote that the public IP addresses assigned by Starlink with the high priority subscription were changing but now they are not, but if I get it right, the L2TP/IPsec tunnel still keeps disconnecting (or is not conn...
by sindy
Tue Nov 14, 2023 1:11 pm
Forum: General
Topic: IPsec Policies same dst.address to different peer
Replies: 3
Views: 646

Re: IPsec Policies same dst.address to different peer

Well, use cases where it would make sense actually do exist. Some of them could be resolved by using a multicast address, other ones by taking source addresses into account when choosing the route/gateway/peer. I have even met people who had valid reasons to connect multiple devices with exactly the...
by sindy
Tue Nov 14, 2023 1:05 pm
Forum: General
Topic: WireGuard and mangle routing
Replies: 25
Views: 2527

Re: WireGuard and mangle routing

Could you please give some advice, how to tune it up to make it more efficient? The efficiency consists in pushing the mid-connection packets through as few firewall rules as possible. In your case, a mid-connection packet that must not be fasttracked hits 4 rules in total - the one in mangle that sets...
by sindy
Tue Nov 14, 2023 12:03 pm
Forum: General
Topic: WireGuard and mangle routing
Replies: 25
Views: 2527

Re: WireGuard and mangle routing

I can see if they really do manage to "escape" by looking at masquerade rule packet count for that interface You cannot. A stateful nat, which is the only variant of NAT made available to the administrator in RouterOS, is just one of the many functions of the connection tracking. So whils...
by sindy
Tue Nov 14, 2023 11:01 am
Forum: General
Topic: PPPoE Static IP fast switch
Replies: 5
Views: 735

Re: PPPoE Static IP fast switch

Yes, two uplinks are continuously available on one cable. If so, you can use the mode switch button to modify the configuration. But not all router models support a mode switch button. You can use multiple LAN ports and multiple routing tables, so equipment connected to one of the LAN ports will us...
by sindy
Tue Nov 14, 2023 10:22 am
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 2767

Re: GRE over IPSEC - cannot reach clients

I much like certificates more as authentication. You are one of few :) Certificates are essential for proxied trust (i.e. where you have to rely on a 3rd party to guarantee authenticity of your peer because it is impossible to exchange keys with the peer before entering into contact, or in full mes...
by sindy
Tue Nov 14, 2023 2:14 am
Forum: General
Topic: WireGuard and mangle routing
Replies: 25
Views: 2527

Re: WireGuard and mangle routing

there's HAVE TO BE a default 0.0.0.0/0 route in @main routing table, even if you're routing differently. If there's none, mangle gets very confused Mangle doesn't get confused, mangle most likely has nothing to handle. When a process on the router itself sends a packet, it uses table main first, un...
by sindy
Mon Nov 13, 2023 11:43 pm
Forum: General
Topic: WireGuard and mangle routing
Replies: 25
Views: 2527

Re: WireGuard and mangle routing

I failed to get working lots of variants of fasttrack that I tried to study. The default action=fasttrack-connection rule doesn't care about packet direction. Packets belonging to a given connection can either be mangled or fasttracked, not both. So no packet of a connection whose traffic needs to ...
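An added example (mine, not from the post) that implements both points made in this thread: the "as few rules as possible for mid-connection packets" one and the "a connection is either mangled or fasttracked, never both" one. The scenario is assumed: a LAN on bridge, an already working WireGuard interface wireguard1, the main table holding the normal default route, and one host, 192.168.88.50, whose traffic must go through the tunnel.

```routeros
# Assumed: LAN on "bridge", working interface wireguard1, main default route via the ISP.
# Goal: 192.168.88.50 reaches the internet through the tunnel, everything else does not.
/routing table add name=via-wg fib
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-wg \
    comment="consulted only for packets carrying routing-mark via-wg"

/ip firewall mangle
# the decision is taken once, on the first packet of a connection, and stored in the
# connection mark; passthrough=yes so that this same packet also gets its routing mark
# from the next rule instead of being routed via main
add chain=prerouting action=mark-connection connection-state=new in-interface=bridge \
    src-address=192.168.88.50 new-connection-mark=via-wg passthrough=yes
# the only mangle rule a mid-connection packet has to hit: connection mark -> routing mark.
# in-interface=bridge keeps the replies coming back from the tunnel unmarked.
add chain=prerouting action=mark-routing in-interface=bridge connection-mark=via-wg \
    new-routing-mark=via-wg passthrough=no

/ip firewall filter
# a fasttracked connection bypasses mangle (and the rest of the firewall) entirely,
# so marked connections must be excluded from fasttracking; everything else still gets it
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark
add chain=forward action=accept connection-state=established,related

/ip firewall nat
# the remote WireGuard peer only accepts sources listed in its allowed-address;
# masquerading to the tunnel address avoids having to list the LAN host there
add chain=srcnat action=masquerade out-interface=wireguard1
```

/ip/firewall/mangle/print stats is the check: with a download running from 192.168.88.50, only the mark-routing rule's counters should keep growing while the mark-connection rule counts one packet per connection, and the fasttrack rule must not count any packets of that connection. If the router has other routed internal subnets, add a dst-address=!<internal range> match to the mark-connection rule, otherwise traffic to them from that host is sent into the tunnel too.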
by sindy
Mon Nov 13, 2023 11:21 pm
Forum: General
Topic: WireGuard and mangle routing
Replies: 25
Views: 2527

Re: WireGuard and mangle routing

@sindy – I have no idea :lol: I suspect it's from the times I've tried to make multicast work between VLANs and it's a leftover from previous config... Thanks! I removed it Nice to learn that you have removed it, but I've mentioned that because I've thought that the strict setting was the reason wh...
by sindy
Mon Nov 13, 2023 9:19 pm
Forum: General
Topic: EOIP Tunnel between two Mikrotiks, one is behind CGNat with VPN with Post Forwarding
Replies: 10
Views: 1211

Re: EOIP Tunnel between two Mikrotiks, one is behind CGNat with VPN with Post Forwarding

it seems that it does not need a public IP on both sides, which would be perfect and it would be L2. Do you think it would work in my case? For all VPN protocols supported by Mikrotik, it is enough that just one end of the link has a public IP address, or at least that you can set up port forwardin...
by sindy
Mon Nov 13, 2023 5:14 pm
Forum: General
Topic: PPPoE Static IP fast switch
Replies: 5
Views: 735

Re: PPPoE Static IP fast switch

my eth1 and the pppoe connection is same connector. That's what I have expected, but I cannot see any static IP configuration linked to ether1 in the .rsc file, nor a DHCP client, so what have I missed? Other than that, do you have in mind that both uplinks are available on the same cable all the t...
by sindy
Mon Nov 13, 2023 5:11 pm
Forum: General
Topic: WireGuard and mangle routing
Replies: 25
Views: 2527

Re: WireGuard and mangle routing

What has made you set rp-filter to strict under /ip settings ? With this setting, the router silently drops incoming packets if routing indicates that a (potential) response to such an incoming packet would be routed via some other interface than the one through which the incoming packet came in, an...
by sindy
Mon Nov 13, 2023 4:36 pm
Forum: General
Topic: Mikrotik linked to another router via WAN
Replies: 2
Views: 635

Re: Mikrotik linked to another router via WAN

DHCP can only hand out a single default gateway (it can also hand out a routing table but still just a single gateway per destination prefix, and there is nothing related to this in your config). Since your /ip dhcp-server network items look fine to me, could it be that the devices have the route vi...
by sindy
Mon Nov 13, 2023 4:27 pm
Forum: General
Topic: PPPoE Static IP fast switch
Replies: 5
Views: 735

Re: PPPoE Static IP fast switch

You may want to remove at least the password from the /interface pppoe-client row in the .rsc file you have posted (remove the file from the post, edit it and attach it again). You can attach the static IP configuration to ether1 and add a default route via the corresponding gateway with distance=2 ...
by sindy
Mon Nov 13, 2023 4:01 pm
Forum: General
Topic: IPsec Policies same dst.address to different peer
Replies: 3
Views: 646

Re: IPsec Policies same dst.address to different peer

Forget about IPsec for a moment and think where the real problem is. Let's suppose it was possible to add the 10.251.0.0/16 to two distinct peers. Now state the criteria the router should use to decide to which one of those two peers to send a packet for 10.251.1.3. The solution will depend on these...
by sindy
Mon Nov 13, 2023 3:40 pm
Forum: General
Topic: Multiple ISP with Public IP unreachable
Replies: 3
Views: 705

Re: Multiple ISP with Public IP unreachable

If you currently don't use any mangle rules assigning routing-mark and you don't have any routing tables except the default one, use the following:
If you use RouterOS 6:
/ip route add routing-mark=via-wan2 gateway=gw.ip.of.wan2
/ip route rule add src-address=own.ip.of.wan2 action=lookup-only-in-tab...
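An added example (mine, not the post's own text) of the same thing in RouterOS 7 syntax, with concrete addresses from the documentation ranges standing in for the placeholders: WAN1 on ether1 with 203.0.113.10/24 and gateway 203.0.113.1, WAN2 on ether2 with 198.51.100.20/24 and gateway 198.51.100.1, main table default route on WAN1. It also carries the rp-filter caveat from the earlier post in this list, because strict reverse path filtering is the other common reason why the second public address is unreachable.

```routeros
# Assumed addresses (RFC 5737 documentation ranges): WAN1 ether1 203.0.113.10/24 via 203.0.113.1,
# WAN2 ether2 198.51.100.20/24 via 198.51.100.1. RouterOS 7 syntax.
/ip address add address=203.0.113.10/24 interface=ether1
/ip address add address=198.51.100.20/24 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="main: default via WAN1"

# a separate table whose only content is a default route via WAN2 ...
/routing table add name=via-wan2 fib
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=via-wan2

# ... and a rule sending anything sourced from WAN2's own address to that table and nowhere else.
# Replies to connections that arrived on WAN2 carry 198.51.100.20 as source, so they now leave
# through WAN2 instead of following main out of WAN1 with an address WAN1's ISP may discard.
/routing rule add src-address=198.51.100.20/32 action=lookup-only-in-table table=via-wan2

# with rp-filter=strict the router silently drops a packet arriving on ether2 whenever its own
# route back to the packet's source points at ether1; a multi-WAN router needs loose (or no)
/ip settings set rp-filter=loose
```

This covers services running on the router itself. Replies of connections that were dst-natted to a LAN host carry the LAN host's address as source, so the routing rule above does not match them; those connections need a connection mark set on arrival via ether2 and translated into routing-mark=via-wan2 on the way back. /tool/sniffer/quick interface=ether2 ip-address=198.51.100.20 shows quickly whether the requests arrive and whether the replies leave on the same interface.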
by sindy
Mon Nov 13, 2023 2:20 pm
Forum: General
Topic: Limit bandwidth to internet of MikroTik router itself?
Replies: 4
Views: 818

Re: Limit bandwidth to internet of MikroTik router itself?

Thanks for reply, but unfortunately simple queue seems not to match any packet with target: wan IP of the MikroTik itself, zero packet in stats :( You are right, I've just tested that and got the same result. I've also tried to set the WAN interface name as target and let the simple queue match o...
by sindy
Mon Nov 13, 2023 2:12 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 2767

Re: GRE over IPSEC - cannot reach clients

You can not "IP route" thru the GRE addresses they do not form a proper network they are just tunnel ends even if they have what looks like a network between them. You will find you can change to /32 non connected network IPs and they will work exactly the same. This is your confusion and...
by sindy
Sun Nov 12, 2023 8:40 pm
Forum: General
Topic: EOIP Tunnel between two Mikrotiks, one is behind CGNat with VPN with Post Forwarding
Replies: 10
Views: 1211

Re: EOIP Tunnel between two Mikrotiks, one is behind CGNat with VPN with Post Forwarding

As I explained above, I have a dedicated IP (only mine) from PureVPN and I can control all ports. I got PureVPN with the intention of setting up an EoIP tunnel. As I explained above, a port number is not the same as a protocol number. So even if the PureVPN service does a 1:1 dstnat to the private ...
by sindy
Sun Nov 12, 2023 8:14 pm
Forum: General
Topic: EOIP Tunnel between two Mikrotiks, one is behind CGNat with VPN with Post Forwarding
Replies: 10
Views: 1211

Re: EOIP Tunnel between two Mikrotiks, one is behind CGNat with VPN with Post Forwarding

So on the one that is connected to the PureVPN, currently all ports are open. The other one has been added to the DMZ of my ISP router and has the GRE port open in the firewall The thing is that GRE is not a port but a protocol (like UDP or TCP), and unlike TCP and UDP, it has no notion of ports, w...
by sindy
Sun Nov 12, 2023 2:38 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 2767

Re: GRE over IPSEC - cannot reach clients

I cannot see anything in your configuration export that would explain the behaviour you encounter. You assign a connection-mark ( ipsec ) to packets that go from 10.1.1.192/28 to 10.77.0.0/24, but you do not match on any connection-mark anywhere so that cannot be the explanation. But it will cause n...
by sindy
Sun Nov 12, 2023 1:38 pm
Forum: General
Topic: multicast filter
Replies: 1
Views: 584

Re: multicast filter

You can prevent multicast traffic towards certain multicast MAC addresses from getting forwarded to other switch ports (including the CPU-facing one), so the bridge FDB (MAC-address-to-port mapping table) should not learn the source MAC addresses from these frames, but the FDB of the switch will nev...
by sindy
Sun Nov 12, 2023 12:54 pm
Forum: General
Topic: Migrate configuration to different hardware [SOLVED]
Replies: 8
Views: 2448

Re: Migrate configuration to different hardware [SOLVED]

If you think that is a bad idea (or not necessary) then I will do without - and use the default MACs of that device. It's not a matter of what a random forum user thinks (you know neither of us three who have responded, do you), it's a matter of what Mikrotik says in the manual: "can be re-app...
by sindy
Sun Nov 12, 2023 12:35 pm
Forum: General
Topic: VRRP + MLAG
Replies: 7
Views: 1496

Re: VRRP + MLAG

Well, my suggestion to use VRRP on WAN side was based on the wrong understanding I've built, that the cloudflared establishes a pair of tunnels to each POP for redundancy and each of them should use another WAN (ISP1 and ISP2) of your setup. So the essence of the idea was to have two VRRP interfaces...
by sindy
Sat Nov 11, 2023 10:45 pm
Forum: General
Topic: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP
Replies: 19
Views: 2332

Re: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP

I hate stories with open endings... have you gotten anywhere? Not to leave the hypothetical future readers curious about the outcome: there was a happy end, they broke up... The LAN side clients are UBNT devices, and we haven't found a way to configure them to use a /32 public address on their end a...
by sindy
Sat Nov 11, 2023 10:38 pm
Forum: General
Topic: Migrate configuration to different hardware [SOLVED]
Replies: 8
Views: 2448

Re: Migrate configuration to different hardware [SOLVED]

The export should contain lines like
set [ find default-name=ether1 ] name=ether1-renamed in the /interface ethernet section.
Is that the case? If so, what default-name values are shown in the export of the RB1100Hx2? Are they the same like on the CCR1036?
by sindy
Sat Nov 11, 2023 9:58 pm
Forum: General
Topic: Limit bandwidth to internet of MikroTik router itself?
Replies: 4
Views: 818

Re: Limit bandwidth to internet of MikroTik router itself?

Sure there is. Own traffic of the router is handled by firewall chain output , and packets sent by the router itself do pass through the queue tree and the "simple" queues too. So you can let a simple queue match on the own address of the router, or you can use mangle rules in chain output...
by sindy
Sat Nov 11, 2023 9:42 pm
Forum: General
Topic: ipv4 & ipv6 dual stack shunt
Replies: 5
Views: 2041

Re: ipv4 & ipv6 dual stack shunt

First, I absolutely agree with @joegoldman regarding what the correct approach would be. Second, my solution to your required behaviour would be the following: create a static associative array of the profile names indexed by the pppoe interface names as a global variable using a scheduler running a...
by sindy
Sat Nov 11, 2023 7:44 pm
Forum: General
Topic: VRRP + MLAG
Replies: 7
Views: 1496

Re: VRRP + MLAG

The servers have 3 NICs total. - 4-port 1Gb Ethernet LOM which is used as the VMWare management ports. - Mellanox ConnectX-4 dual 10Gb which are used for the application/VM traffic - Mellanox ConnectX-4 dual 25Gb which are used for the vSAN traffic Just a terminological remark, the abbreviation NI...
by sindy
Sat Nov 11, 2023 5:28 pm
Forum: General
Topic: VRRP + MLAG
Replies: 7
Views: 1496

Re: VRRP + MLAG

Hello, regarding MLAG: traffic between two IP addresses in the same subnet does not need to go up to the routers because, strictly speaking, it is not routed . The behavior is the same as if there was a single switch, the Ethernet frames carrying those IP packets are L2-forwarded/bridged/switched be...
by sindy
Sat Nov 11, 2023 4:30 pm
Forum: General
Topic: Mikrotik strange problem, drop connections
Replies: 3
Views: 805

Re: Mikrotik strange problem, drop connections

If the pings and DNS were not working, I would assume it would be caused by some ARP cache expiring and being updated only by received IP packets rather than by responses to ARP requests. But since DNS and ping work during the strange period, the only thing I can think of is some strange firewall setting...
by sindy
Sat Nov 11, 2023 1:54 pm
Forum: General
Topic: VPN Ipsec active/active or active/standby scenario
Replies: 1
Views: 556

Re: VPN Ipsec active/active or active/standby scenario

Your picture suggests that the remote peers are Fortigate devices, so your choice of options may be restricted. When using bare IPsec, only one policy may be active at a time for any given traffic selector (a combination of local and remote prefixes), so only an active+standby setup is possible in t...
by sindy
Thu Nov 09, 2023 11:17 am
Forum: Beginner Basics
Topic: Recursive routing using LTE
Replies: 11
Views: 2685

Re: Recursive routing using LTE

I've realized that this very script can actually be used with any kind of point-to-point tunnel interface, not necessarily a LTE one. So I ran it on my test CHR and it did what it was expected to do. The only modification I've done was that I have replaced lte1 by <pppoe-test> to match the test envi...
by sindy
Wed Nov 08, 2023 8:42 pm
Forum: Beginner Basics
Topic: Recursive routing using LTE
Replies: 11
Views: 2685

Re: Recursive routing using LTE

It doesn't "correct" the entry with the correct address. When you run the script manually, does it throw any error or it just silently does nothing? In general debugging 5 lines of code via a forum with a round-trip time of several hours is a bad idea. So if you want me to assist, fol...
by sindy
Wed Nov 08, 2023 1:37 pm
Forum: Beginner Basics
Topic: Recursive routing using LTE
Replies: 11
Views: 2685

Re: Recursive routing using LTE

The challenge is that I cannot find any script examples to achieve this, it could very well be my searching ability and/or the choice of words, but is there any chance anyone can point me in the right direction please? You'll probably need a lot of debugging as I write this without a possibility to...
by sindy
Tue Nov 07, 2023 11:19 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 2767

Re: GRE over IPSEC - cannot reach clients

it seems, if the source address is not the local GRE interface, but one of the LAN IPs (for example 10.1.1.193 at home), I can see the ICMP packet on the firewall's out chain (logged) in the direction of the other router's network - 10.77.0.160, but once I created a pcap (with sniffer) and checked ...
by sindy
Tue Nov 07, 2023 11:19 am
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 2767

Re: GRE over IPSEC - cannot reach clients

In order that ping from IP address A to IP address B could succeed, all devices in the path from A to B (including device with IP address A itself) must have a correct route to B, and all devices in the path from B to A must have a correct route to A. So the first question is whether the Mikrotik in...
by sindy
Mon Nov 06, 2023 12:31 pm
Forum: General
Topic: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP
Replies: 19
Views: 2332

Re: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP

Fine but I don't understand completely, sorry but can you write me example for this ... I set it up and send export file Export the file as it is now, I will give you a script to modify it. Or maybe even better if you follow this post . 173 need connect to 60ghzap1 and client1 and finally this public...
by sindy
Mon Nov 06, 2023 11:53 am
Forum: General
Topic: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP
Replies: 19
Views: 2332

Re: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP

Your settings only work when I set pppoe connection to bridge-lan interface. That's strange, but as you haven't posted the export of your configuration, I can't see why. My next question is, can I assign 1 of the static ip to acess my mikrotik router and manage it? Of course you can. Just assign it...
by sindy
Sun Nov 05, 2023 9:00 pm
Forum: General
Topic: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP
Replies: 19
Views: 2332

Re: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP

Sorry, you quote my whole post and then ask a question without referring to any particular part of it, so it is hard to understand what you actually have in mind. So guessing: On the 4011, keep pppoe settings as they are now. Regarding firewall, no idea how it looks like now, so no idea whether it n...
by sindy
Sun Nov 05, 2023 6:42 pm
Forum: General
Topic: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP
Replies: 19
Views: 2332

Re: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP

Sorry but I don't see your answer Don't you see it at all (even now) or you didn't see it before because no notification e-mail has arrived? What does the forum show you if you click this link ? On the Mikrotik side, you would set the following: /ip address add address=10.100.10.100/32 interface=bridg...
by sindy
Sun Nov 05, 2023 4:36 pm
Forum: General
Topic: Hairpin doesnt work
Replies: 2
Views: 581

Re: Hairpin doesnt work

It all depends on how exactly you have implemented the forwarding of incoming traffic from the internet towards the public addresses to UBNT 1 and UBNT 2 from the 4011, but normally, it should work just fine. So post the output of /export hide-sensitive command on the 4011 after redacting all occurr...
by sindy
Sun Nov 05, 2023 3:16 pm
Forum: General
Topic: why can't use internal things when forward to another ISP
Replies: 4
Views: 823

Re: why can't use internal things when forward to another ISP

What you did wrong when posting is that you haven't given enough details: are the addresses of all the "internal things" within just 10.10.0.0/16 or are there any also in other private subnets? does the "I" in "I can't go to some internal things" mean only 10.10.155.5 o...
by sindy
Sun Nov 05, 2023 2:22 pm
Forum: General
Topic: Wireless VLAN Trunk
Replies: 5
Views: 1532

Re: Wireless VLAN Trunk

Just curious; if I would replace the TP-Link with a MikroTik, why would that work? Because RouterOS uses proprietary extensions to the wireless protocol that allow it to be used for transparent bridging. Some other vendors do that too but there is no vendor that would have a compatibility agreement...
by sindy
Sun Nov 05, 2023 11:10 am
Forum: General
Topic: loud balance 3 starlink
Replies: 19
Views: 2861

Re: loud balance 3 starlink

i test by bandwidth test and by speedtest by cable 1g You seem to keep assuming we have all got crystal balls allowing us to add the parts you haven't written. So my crystal ball tells me you are using the Mikrotik bandwidth test utility and speedtest .net by Ookla . Is that correct? i don't enable...
by sindy
Sun Nov 05, 2023 1:28 am
Forum: General
Topic: loud balance 3 starlink
Replies: 19
Views: 2861

Re: loud balance 3 starlink

How exactly do you test the speed? Are you aware that a single session can only use a single WAN?

Also, as you have only posted part of your configuration, is there no action=fasttrack-connection rule in /ip firewall filter?
by sindy
Sun Nov 05, 2023 12:32 am
Forum: General
Topic: Wireless VLAN Trunk
Replies: 5
Views: 1532

Re: Wireless VLAN Trunk

Even if the way how the VLAN tags are transmitted would be compatible between Mikrotik and TP-Link, I'm afraid the 4-address format of the wireless frame, which you need for bridging, is not. 802.11 only specifies a 3-address frame format where the MAC address of the wireless receiver and the MAC ad...
by sindy
Sat Nov 04, 2023 9:06 pm
Forum: General
Topic: Help with routing
Replies: 1
Views: 614

Re: Help with routing

Let's start from an explanation what a "direct link" means in case of your datacenter. Is it a cable, or at least an L2 interconnect provided by the DC? If so, you can bridge the LANs of the two Mikrotik routers together using that "direct link", and use the one in the Rack 2 as ...
by sindy
Sat Nov 04, 2023 8:14 pm
Forum: General
Topic: wifiwave2: no connection to CAPsMAN
Replies: 10
Views: 1664

Re: wifiwave2: no connection to CAPsMAN

Indeed, there is a clear statement by Mikrotik staff in the same topic: viewtopic.php?p=988941#p988941 . Nice :(
by sindy
Sat Nov 04, 2023 7:20 pm
Forum: General
Topic: PPPoE Server on VLAN Interface with ARP Reply-Only [SOLVED]
Replies: 9
Views: 2274

Re: PPPoE Server on VLAN Interface with ARP Reply-Only [SOLVED]

Have you narrowed the search down to the topic title, i.e. if you change arp to enabled for that /interface vlan , the PPPoE server starts working, or is it just the only unusual setting you have found and you only suspect it to be related? There is no reason why arp=reply-only on an interface shoul...
by sindy
Sat Nov 04, 2023 5:39 pm
Forum: General
Topic: loud balance 3 starlink
Replies: 19
Views: 2861

Re: loud balance 3 starlink

In my experience so far, bypass mode indeed gives 100.64.0.1 as the default gateway to all clients. But that doesn't matter for load balancing alone because you can indicate both the IP address of a gateway and the interface to use, using the gateway=100.64.0.1%ether1 syntax. Only recursive next-hop...
by sindy
Sat Nov 04, 2023 5:21 pm
Forum: General
Topic: wifiwave2: no connection to CAPsMAN
Replies: 10
Views: 1664

Re: wifiwave2: no connection to CAPsMAN

I haven't got a wifiwave2 device at hand, but with the default wireless package, you have to explicitly tell the cAP that the CAPsMAN is listening on 127.0.0.1 if the wireless interface that seeks CAPsMAN control is colocated with the CAPsMAN itself on the same hardware. I assume it's still the case...
by sindy
Sat Nov 04, 2023 3:18 pm
Forum: General
Topic: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP
Replies: 19
Views: 2332

Re: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP

I hate stories with open endings... have you gotten anywhere?
by sindy
Sat Nov 04, 2023 3:16 pm
Forum: General
Topic: GRE and IKEv2
Replies: 1
Views: 572

Re: GRE and IKEv2

wondered if this could be a done dynamically?
No.
by sindy
Fri Nov 03, 2023 1:53 am
Forum: General
Topic: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP
Replies: 19
Views: 2332

Re: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP

The next question is good for me, yes I have 3 router after this mikrotik router on lan, and when it's possible, I set 1 of public IPs on every router after this mikrotik. ... Please help me and thank you for answer. When you can any question I answer it. Sorry for late answer, the e-mail notificati...
by sindy
Thu Nov 02, 2023 4:40 pm
Forum: General
Topic: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP
Replies: 19
Views: 2332

Re: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP

I'm somewhat confused about where the problem is. You say you have purchased static addresses but at the same time you declare you need all 4 of them to get dynamic which I don't understand. For me the categories are public/private/CGNAT in one dimension, static/dynamic in another one, and manually/automati...
by sindy
Thu Nov 02, 2023 1:46 pm
Forum: General
Topic: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP
Replies: 19
Views: 2332

Re: MikroTik-RB4011iGS+RM PPPoE Dynamic Static IP

Is the single address you get from the ISP on the 4011 a public one? I.e. does it fit into 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 range (private) or into 100.64.0.0/10 range (CGNAT), or into none of them? There are multiple ways how an ISP can deliver public addresses to a PPPoE client, so it ...
by sindy
Wed Oct 18, 2023 9:16 pm
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

If someone properly reports that to Mikrotik, there sure will. But that's just my experience-based opinion, and I have no power over Mikrotik R&D priorities. Some fixes have taken years to happen. Are you sure nothing has changed in the configuration between the last known good state and the occ...
by sindy
Tue Oct 17, 2023 10:46 pm
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

the netfilter (firewall) does not allow to change MSS in prerouting and input chains, and the two Mikrotiks most likely normally do not talk to each other using the addresses from the subnet that lives inside the EoIP tunnel. So I assume what happens is that when you spawn the internal speedtest be...
by sindy
Mon Oct 16, 2023 5:57 pm
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

use-ip-firewall=yes is a special setting of bridge whose primary purpose is to allow insertion of queues (for QoS) to the bridging path; for any other purposes it just causes unpleasant surprises. The fact that the ip firewall does not see the packet marks assigned by bridge filter may be one of th...
by sindy
Sat Oct 14, 2023 1:23 pm
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

/interface bridge filter add action=mark-packet chain=input in-interface=eoip1 new-packet-mark=eoip1
/ip firewall mangle add action=add-src-to-address-list address-list=eoip1 address-list-timeout=10m chain=prerouting packet-mark=eoip1
Of course these rules must be blended properly into your existin...
by sindy
Thu Oct 12, 2023 12:12 pm
Forum: General
Topic: most effective failover? [SOLVED]
Replies: 53
Views: 8332

Re: most effective failover? [SOLVED]

thanks, so we have 2 possible situations, first is that my cpe is not reachable, then we need blackhole? And if my cpe is not reachable then we need blackhole ? I'm not sure what you actually wanted to express, so please reword that. So how can i improve my firewall settings further on, can we preve...
by sindy
Thu Oct 12, 2023 11:54 am
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

Should there be a mac address associated with this interface somewhere? Also should arp=proxy-arp be set on the bridges and the admin-mac address at both ends? No and no. The bridges the BCP tunnels become dynamic ports of already have some MAC addresses; whether these are assigned automatically or...
by sindy
Thu Oct 12, 2023 1:12 am
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

Is any local-address and remote-address specified on the /ppp secret row at the server side? If yes, what happens if you remove them?
by sindy
Thu Oct 12, 2023 12:40 am
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

I would guess you have somehow managed to engage the L3 and L2 tunnel in parallel, but it's just a wild guess. I'd have to see the complete configuration exports from both ends of the tunnel as well as the addresses you used for the ping (both source and destination). Don't forget to anonymize the e...
by sindy
Wed Oct 11, 2023 12:12 pm
Forum: General
Topic: most effective failover? [SOLVED]
Replies: 53
Views: 8332

Re: most effective failover? [SOLVED]

If ISP_1 "goes down" in terms that internet is not reachable via ISP_1 but the physical interface connected to the CPE provided by ISP_1 stays up (which is your main concern as per post #4 ), you don't need the blackhole route because in such a situation, the route to 9.9.9.9 via 192.168.0....
by sindy
Mon Oct 09, 2023 9:32 pm
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

is there a better more modern way to connect remote sites across the internet instead of EoIP where MTU sizing is not an issue and may also take less CPU resources and have better throughput? The best way is to avoid L2 tunneling completely, so the MTU issues are handled at routing level as they sh...
by sindy
Mon Oct 09, 2023 7:59 pm
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

Is there any other way to lower the MTU below 1500 on an EoIP interface and not affect everyone else on the bridge even though they aren't even sending traffic over the EoIP interface. There isn't. From the point of view of the IP stack, which deals with the MTU, the bridge (as in "the virtual...
by sindy
Mon Oct 09, 2023 3:46 pm
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 4096

Re: Site to Site EOIP with Local Internet Access Problem

You can use those mangle rules using a slightly more complicated way. Use a bridge filter rule to assign a packet mark (for simplicity, EoIP ) to frames entering the bridge via the EoIP interface, and use mangle/prerouting rules to add source IP addresses of packets bearing this packet mark to an ad...
by sindy
Fri Oct 06, 2023 9:30 pm
Forum: General
Topic: How to setup WiFi calling (aka VoWIFI) on mikrotik
Replies: 20
Views: 10688

Re: How to setup WiFi calling (aka VoWIFI) on mikrotik

OK. So the idea is based on the fact that the connection tracking itself (not the firewall as a whole) only takes into account the IP part of the packets (addresses, protocol, and ports) - it doesn't care about in/out interface or MAC addresses. Also, to reset the timeout of the connection, it is en...
by sindy
Fri Oct 06, 2023 7:31 pm
Forum: General
Topic: How to setup WiFi calling (aka VoWIFI) on mikrotik
Replies: 20
Views: 10688

Re: How to setup WiFi calling (aka VoWIFI) on mikrotik

OK, are you interested in the UGLY workaround then?
by sindy
Fri Oct 06, 2023 7:10 pm
Forum: General
Topic: How to setup WiFi calling (aka VoWIFI) on mikrotik
Replies: 20
Views: 10688

Re: How to setup WiFi calling (aka VoWIFI) on mikrotik

On this forum, feature requests can be only raised within a specific topic dedicated to them. You can also issue a support ticket. The official way to open feature requests is via your distributor. I have a rough idea of an ugly workaround which involves a hairpin tunnel and spoofing of UDP packets ...
by sindy
Mon Oct 02, 2023 8:38 pm
Forum: General
Topic: 2 IP Addresses 1 interface - DHCP on the first, firewall on the second
Replies: 23
Views: 2255

Re: 2 IP Addresses 1 interface - DHCP on the first, firewall on the second

So, I found a better way of doing this, if anyone will find this useful one day. ... The server is already on the local lan as 192.168.1.100 (static DHCP) ... Quick, Clean, Easy, Painless. This was the essence of my alternative suggestion back then: ... or it must have a private address and a dst-...
by sindy
Thu Sep 28, 2023 12:04 pm
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 54
Views: 27332

Re: LHG LTE - Bridge mode???

What you want cannot be accomplished to the letter. With LTE bridge mode active, the router gets a single /32 IP address from the mobile ISP, and based on that address, it either creates the smallest possible subnet into which this address fits and attaches another IP address from that subnet to the...
by sindy
Thu Sep 28, 2023 12:04 am
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 54
Views: 27332

Re: LHG LTE - Bridge mode???

Since you can ping a public IP from the RBwAPR itself now as the passthrough-interface is unset, we have successfully confirmed that the Beeline service is OK. So you may set the passthrough-interface back to internet . However, what you wrote regarding the direct connection of the PC suggests that ...
by sindy
Wed Sep 27, 2023 11:16 pm
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 54
Views: 27332

Re: LHG LTE - Bridge mode???

Wow. If the only thing you have done was to change the APN profile settings, disable and re-enable the LTE interface and give it some 3 minutes before sending the monitor command again.
by sindy
Wed Sep 27, 2023 10:49 pm
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 54
Views: 27332

Re: LHG LTE - Bridge mode???

What bothers me is that the apn profile sets the apn name to free whereas the LTE monitor states you are connected to Beeline network, and, more important, that you are using a Beeline SIM, so the APN name should be set to internet.beeline.ru . If that change doesn't help, the next step is to unset ...
by sindy
Wed Sep 27, 2023 4:52 pm
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 54
Views: 27332

Re: LHG LTE - Bridge mode???

What does /interface/lte/monitor lte1 once show?
by sindy
Tue Sep 26, 2023 8:21 pm
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 54
Views: 27332

Re: LHG LTE - Bridge mode???

Maybe your version of RouterOS (which one it is?) does not support one of the parameters on some of the lines. Instead of pasting the whole configuration, go line by line, i.e. start from just /interface lte , if it succeeds (it really should :) ), paste just set [ find ] mac-address=AC:50:43:1A:EE:...
by sindy
Sun Sep 17, 2023 11:50 pm
Forum: General
Topic: how to monitor 4G LtAP mini LTE
Replies: 5
Views: 3638

Re: how to monitor 4G LtAP mini LTE

all the various tutorials I can find online refuse to work, I can't get a connection. Does someone have a method that actually works? Thanks. What "various tutorials"? If you want to get a useful help, follow one of those tutorials, show the resulting configuration of both devices involve...
by sindy
Wed Sep 13, 2023 8:42 pm
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 54
Views: 27332

Re: LHG LTE - Bridge mode???

Hi, so looks like I have exactly the same issue. From your description it does not look like the same issue. There are two points: to let the WAN of the unifi device get its address via DHCP - this is no different to connecting it to any device/network that runs a DHCP server, such as a DSL router ...
by sindy
Thu Aug 31, 2023 11:13 am
Forum: Forwarding Protocols
Topic: tracerout shows both the WANs GateWays in my routerOS(load balancer)
Replies: 7
Views: 2967

Re: tracerout shows both the WANs GateWays in my routerOS(load balancer)

my routerOS (having load balancer PCC with two WANs) . When I do the traceroute, I observe the request is passing through BOTH the ISPs' Gateways every time! To understand why this happens you have to understand how traceroute works and how PCC works. tcpdump/wireshark are of great help here: tcpdump...
by sindy
Thu Aug 03, 2023 4:26 pm
Forum: Beginner Basics
Topic: L2TP on custom port or other tunnel type
Replies: 23
Views: 5834

Re: L2TP on custom port or other tunnel type

Do you mean the new endpoint NAT function?
Exactly. It's just that the official name is so meaningless that I cannot remember it.
by sindy
Thu Aug 03, 2023 12:24 pm
Forum: Beginner Basics
Topic: L2TP on custom port or other tunnel type
Replies: 23
Views: 5834

Re: L2TP on custom port or other tunnel type

You can do that but it would only make sense if you wanted another application to listen for incoming connections at port 12345. There are multiple cases how to let an "innocent application" listen on a port on WAN: you manually set up a dst-nat rule (clearly not your case here) the applic...
by sindy
Tue Aug 01, 2023 5:15 pm
Forum: Beginner Basics
Topic: L2TP on custom port or other tunnel type
Replies: 23
Views: 5834

Re: L2TP on custom port or other tunnel type

Maybe I got that wrong You have reverted the logic. The client actively initiates the connection by sending a request packet to the server which passively listens and responds if a request arrives. As the NAT rules are only consulted for the initial packet of each connection, and the subsequent pac...
by sindy
Tue Aug 01, 2023 10:30 am
Forum: Beginner Basics
Topic: L2TP on custom port or other tunnel type
Replies: 23
Views: 5834

Re: L2TP on custom port or other tunnel type

the server is output client is input Can you rephrase these? In addition to posting the configurations of both the client and the server, describe or draw what you want to achieve. The original topic was dealing with making a RouterOS L2TP server listen on some other port than 1701 (which only requ...
by sindy
Sat Jul 29, 2023 12:42 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 63
Views: 9235

Re: modifying route distance dual wan

1. YES (but I don't know if it is a good practice) It is OK if it is your intention (to keep a connection on the secondary WAN even if the primary one recovers). 2. in the last version, I removed the input mangle rules and it works (but I think this not optimized) Traffic that uses input chain also use...
by sindy
Sat Jul 29, 2023 11:43 am
Forum: General
Topic: modifying route distance dual wan
Replies: 63
Views: 9235

Re: modifying route distance dual wan

I'm not sure I understand your intentions properly, so just some points: in prerouting , you first assign the routing-mark to packets that did not come via WAN, and only the next rule assigns the connection-mark depending on in-interface . From this, and from the absence of any rules distributing th...
by sindy
Sat Jul 29, 2023 9:21 am
Forum: General
Topic: modifying route distance dual wan
Replies: 63
Views: 9235

Re: modifying route distance dual wan

I read somewhere that Fasttrack and mangle dual-wan are incompatible, is it a mistake ? The very principle of fasttrack operation is that the fasttracked packets bypass some stages of packet processing, mangle is just one of these stages. is there a workaround to keep fasttrack only for some packet...
by sindy
Wed Jul 19, 2023 7:40 am
Forum: General
Topic: What is wrong with bridges and eoip?
Replies: 18
Views: 6047

Re: What is wrong with bridges and eoip?

First of all, elaborate on "same problem". Multiple issues have been discussed throughout this topic so describe your particular configuration and your particular problem.
by sindy
Sun Jul 09, 2023 7:38 pm
Forum: General
Topic: Dual WAN/Router internet backup
Replies: 17
Views: 1447

Re: Dual WAN/Router internet backup

You need to additionally deny access to the test IP through any other interface than the desired one in the firewall. For that, routes to /32 destinations are usually enough, maybe with blackhole ones with higher distance to the same /32 destination where necessary. But you can do that using firewa...
by sindy
Sun Jul 09, 2023 7:18 pm
Forum: General
Topic: Dual WAN/Router internet backup
Replies: 17
Views: 1447

Re: Dual WAN/Router internet backup

check-gateway=ping is only usable if the modems are unreachable (power outage or bricked, gateway IP is the modem itself) If you use check-gateway=ping with the recursive routing, where you ping the virtual gateway (1.0.0.1 or 8.8.4.4 in your case) rather than the physical one, you check the actua...
by sindy
Sun Jul 09, 2023 12:53 pm
Forum: General
Topic: Dual WAN/Router internet backup
Replies: 17
Views: 1447

Re: Dual WAN/Router internet backup

The two routes,
check-gateway=ping comment="Netwatch ISP1" distance=1 dst-address=1.0.0.1/32 gateway=1.1.1.2
check-gateway=ping distance=1 dst-address=1.1.1.2/32 gateway=172.16.1.254
suggest that you want to use recursive routing (indicating that the remote gateway 1.1.1.2 is reachable via...
by sindy
Sat Jul 08, 2023 10:14 am
Forum: General
Topic: Proper VRRP configuration
Replies: 10
Views: 1993

Re: Proper VRRP configuration

hmm.. do you have multipath interface for it? i mean, multipath eoip for it as well? Sorry to disappoint you, no, it's just that the CHRs run on Hyper-V, which by default (like many other virtualization platforms) filters frames with source MAC addresses different from the own ones of the sending v...
by sindy
Fri Jul 07, 2023 9:20 pm
Forum: General
Topic: Proper VRRP configuration
Replies: 10
Views: 1993

Re: Proper VRRP configuration

My ROS 7 test CHRs never ran ROS 6, and they accept an address with a /24 without any issue (freshly deleted and added to be sure):
[me@chr-7-1] > ip/address/print where interface=vrrp1
Columns: ADDRESS, NETWORK, INTERFACE
#  ADDRESS           NETWORK        INTERFACE
15 192.168.216.1/24  192.168.216.0  vrrp1
[me@chr-7-...
by sindy
Fri Jul 07, 2023 9:44 am
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Since you have 3 lines, it is quite likely you'll need 3 Mikrotiks, as I cannot see a way to make RIP advertise each of the 3 public IPs via another PPPoE client - no instances, no routing filters. I have to correct myself - routing filters cannot be used with RIP, but routing prefix lists can, so ...
by sindy
Wed Jul 05, 2023 2:58 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Is this the correct info that i should provide ?
I don't like open ends, so yes, it is :)
by sindy
Wed Jul 05, 2023 1:45 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

If we can setup a teamviewer/remote session that we could work through it the mikrotik config part in order for it to push a static ip for the sonicwall i would really be grateful.
Here you go: viewtopic.php?p=902082#p902082 (and the three posts after just in case).
by sindy
Tue Jul 04, 2023 5:19 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 101
Views: 23640

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

I can help with the Mikrotik part if that's enough. Since you have 3 lines, it is quite likely you'll need 3 Mikrotiks, as I cannot see a way to make RIP advertise each of the 3 public IPs via another PPPoE client - no instances, no routing filters. If you have a spare PC with two Ethernet cards, it...
by sindy
Thu Jun 29, 2023 6:48 pm
Forum: Beginner Basics
Topic: Cannot port forward through dstnat
Replies: 10
Views: 1804

Re: Cannot port forward through dstnat

One query - why cannot I see the ssh connection in firewall connections list? Most likely due to wrong syntax of the filter expression if you use command line or because you cannot spot it among other connections if you don't. Or, less likely, it is some glitch of ROS 7.10. NAT is a functionality o...
by sindy
Thu Jun 29, 2023 4:33 pm
Forum: Beginner Basics
Topic: Cannot port forward through dstnat
Replies: 10
Views: 1804

Re: Cannot port forward through dstnat

For some time I ... saw that the tcp connection stopped at handshake (no synack packets making their way back to ssh client) This happens because you assign the routing mark l2tp-table to all packets belonging to connections bearing the connection mark L2TP_CONN regardless of their direction, so the r...
by sindy
Thu Jun 29, 2023 11:21 am
Forum: General
Topic: Cant access WebFig when router is connected to VPN
Replies: 14
Views: 6769

Re: Cant access WebFig when router is connected to VPN

If vpn interface is down - how to block all local devices traffic? Simple not to switch on main default route, just block internet access? One possibility would be to add another default route to table vpn with type=blackhole , no gateway , and a higher distance than the one with gateway=PPTP-VPN . ...
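A fail-closed version of that idea, as an added example that is not from the post: a blackhole default in table vpn with a higher distance becomes the active route whenever the VPN interface is down, so LAN traffic is dropped instead of leaking out through the main table. The table name vpn and the interface name PPTP-VPN come from the thread; the LAN prefix 192.168.88.0/24 and the ROS 6 syntax (type=blackhole, routing-mark and /ip route rule, matching the post's wording) are assumptions.

```routeros
# Added example, not from the post. "vpn" and PPTP-VPN come from the thread;
# 192.168.88.0/24 is an assumed LAN. ROS 6 syntax, as in the post.
/ip route
# Primary: LAN reaches the internet only through the tunnel.
add dst-address=0.0.0.0/0 gateway=PPTP-VPN routing-mark=vpn distance=1 comment="LAN -> internet via VPN"
# Fallback: when PPTP-VPN is down the route above goes inactive and this one takes over,
# discarding the traffic instead of letting it fall back to the main table.
add dst-address=0.0.0.0/0 type=blackhole routing-mark=vpn distance=2 comment="fail closed when the VPN is down"
/ip route rule
# Keep LAN-to-LAN and LAN-to-router traffic (WebFig on the LAN address included) in main.
add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=lookup table=main
# Everything else from the LAN is resolved in table vpn only; no fallback to main.
add src-address=192.168.88.0/24 action=lookup-only-in-table table=vpn
```

/ip route print where routing-mark=vpn shows which of the two defaults currently carries the A flag. The first rule is what keeps management of the router reachable, which lookup-only-in-table would otherwise cut off. On ROS 7 the same is written with routing-table=vpn, the blackhole flag instead of type=blackhole, and /routing rule. Separately, PPTP itself (MS-CHAPv2 with MPPE) is cryptographically broken; the blackhole stops leaks when the tunnel is down, it does nothing for the confidentiality of what goes through the tunnel.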
by sindy
Sun Jun 25, 2023 1:25 pm
Forum: General
Topic: "L2TP Client" vs. "L2TP Server"
Replies: 9
Views: 2227

Re: "L2TP Client" vs. "L2TP Server"

Start from adding a route for the test. At the client, add a route dst-address=1.1.1.1 gateway=l2tpaa , and try pinging from the client router itself, not specifying the interface. Depending on the actual use case, you may need multiple routes at both the client and the server, or a src-nat/masquera...
by sindy
Tue Jun 20, 2023 12:16 pm
Forum: General
Topic: "L2TP Client" vs. "L2TP Server"
Replies: 9
Views: 2227

Re: "L2TP Client" vs. "L2TP Server"

The terms "client" and "server" come from regular business, where the client requests a service and the server provides that service. Other protocol standards call the client an "initiator" and the server a "responder", which better illustrates their respectiv...
by sindy
Mon Jun 19, 2023 5:17 pm
Forum: General
Topic: Routing the vpn over a specific WAN
Replies: 5
Views: 1018

Re: Routing the vpn over a specific WAN

For L2TP, you can tell a particular L2TP client interface which particular own address of the router to use for the control & transport packets, overriding the normal choice made by routing. To make use of it, you have to use a routing rule saying that whatever has a source address of a particul...
by sindy
Wed Jun 14, 2023 9:06 am
Forum: General
Topic: One question on BCP L2 tunnel [SOLVED]
Replies: 6
Views: 1247

Re: One question on BCP L2 tunnel [SOLVED]

I think that I got that going Maybe it is correct, maybe it is not - the documentation only mentions in-interface-list so I use that one. I never needed to use the same bridge filter rule on multiple bridges so far, so I haven't even noticed the existence of in-bridge-list and out-bridge-list match...
by sindy
Mon Jun 12, 2023 3:16 pm
Forum: General
Topic: Firewall blocking remote ipsec packages?
Replies: 1
Views: 364

Re: Firewall blocking remote ipsec packages?

If there is no NAT on the network path between the Mikrotik and the remote peer(s), bare ESP is used to transport the encrypted payload, so you need to add a rule protocol=ipsec-esp action=accept before the last action=drop one in chain input of /ip firewall filter . If you are not sure, look what /...
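The input-chain rules an IPsec responder needs, laid out as an added example (not from the post): IKE and NAT-T on UDP, bare ESP for the no-NAT case, and the accept for already-decrypted traffic in forward, all placed ahead of the final drop. The interface list name WAN and the position of the final drop are assumptions.

```routeros
# Added example, not from the post. The interface list WAN is an assumption.
/ip firewall filter
# Stateful baseline first: IKE retransmits and ESP replies are then matched cheaply.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# IKE (UDP/500) and NAT-T (UDP/4500): needed in every IPsec setup.
add chain=input in-interface-list=WAN protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
# Bare ESP: used only when no NAT sits between the peers; harmless to allow otherwise.
add chain=input in-interface-list=WAN protocol=ipsec-esp action=accept comment="ESP"
# Plaintext that arrived through an IPsec policy may be forwarded; it has already been authenticated.
add chain=forward ipsec-policy=in,ipsec action=accept comment="decrypted traffic from IPsec peers"
# The final drop; everything above must precede it.
add chain=input in-interface-list=WAN action=drop comment="drop all other input from WAN"
```

Which transport a given peer really uses can be read from /ip ipsec active-peers print: peers behind NAT carry the natt-peer flag and their ESP arrives inside UDP/4500, the others send bare ESP. If the peer addresses are static, add src-address= to the two input accepts so the IKE responder is not exposed to the whole internet.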
by sindy
Sun Jun 11, 2023 11:36 pm
Forum: General
Topic: Trying to make a sneaky VPN [SOLVED]
Replies: 17
Views: 2737

Re: Trying to make a sneaky VPN [SOLVED]

There is a chance when sending multiple udp payloads with traffic generator in some period with same data... This idea is great! Given the timeouts, it may take quite long (minutes) to collect them all, but on the other hand, as this is not port knocking per se (the purpose here is not to only allo...
by sindy
Sun Jun 11, 2023 10:40 pm
Forum: General
Topic: Trying to make a sneaky VPN [SOLVED]
Replies: 17
Views: 2737

Re: Trying to make a sneaky VPN [SOLVED]

Can you give me an example of an appropriate output rule? If you want exactly one packet, and the output and postrouting chains are currently empty in all tables, it would be something like /ip firewall filter add chain=output dst-address-list=packet-already-sent protocol=tcp-or-udp dst-port=port-t...
by sindy
Sun Jun 11, 2023 6:46 pm
Forum: General
Topic: Routing the vpn over a specific WAN
Replies: 5
Views: 1018

Re: Routing the vpn over a specific WAN

The description is a bit vague, but I assume you actually ask two separate questions: how to make a VPN client running on the router always use a particular uplink how to make only particular LAN side clients use a particular VPN client to access a particular site Is my understanding correct? If yes...
by sindy
Sun Jun 11, 2023 2:39 pm
Forum: General
Topic: Twice NAT example
Replies: 12
Views: 1408

Re: Twice NAT example

I am not aware of any way to implement "Solution 2" where everything is done on the same router, because I believe doing so requires VRF That article just uses a mystical "twice nat" name for dst-natting the requests coming from Site A subnet X to subnet Y used on Site A as an a...
by sindy
Sun Jun 11, 2023 1:16 pm
Forum: General
Topic: Trying to make a sneaky VPN [SOLVED]
Replies: 17
Views: 2737

Re: Trying to make a sneaky VPN [SOLVED]

your question description is too obvious that the company simply don't trust you
You seem to have been lucky so far to only meet customers that are small enough and/or competent enough that setting up remote access for contractors is a fast process. Believe me or not, it is not always the case :)
by sindy
Sun Jun 11, 2023 1:00 pm
Forum: General
Topic: Upload Speed on RB3011 is half of when I connect directly to my ISP modem
Replies: 4
Views: 679

Re: Upload Speed on RB3011 is half of when I connect directly to my ISP modem

To the actual (updated) topic - as ISP2 uses a plain IP over Ethernet encapsulation, you cannot use the interface name ( ether2 - ISP-2 ) as a gateway parameter of a route unless the router at the ISP side supports proxy-arp functionality. And if it does, I'm not sure whether the check-gateway=ping ...
by sindy
Sun Jun 11, 2023 12:23 pm
Forum: General
Topic: Upload Speed on RB3011 is half of when I connect directly to my ISP modem
Replies: 4
Views: 679

Re: Upload Speed on RB3011 is half of when I connect directly to my ISP modem

In ROS 6, you must use hide-sensitive when doing export to prevent passwords, secrets and similar stuff from being shown. You may want to withdraw the .rsc from your previous post and re-post it after sanitization.
by sindy
Sun Jun 11, 2023 12:14 pm
Forum: General
Topic: Trying to make a sneaky VPN [SOLVED]
Replies: 17
Views: 2737

Re: Trying to make a sneaky VPN [SOLVED]

Port knocking on TCP ports is as easy as using /tool fetch url="http://ip.to.be.knocked:port-to-be-knocked/some-bogus-file-name" , and port knocking on UDP ports is as easy as using resolve some.bogus.string.with.dots server=ip.to.be.knocked port=port-to-be-knocked . But there are limitati...
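What the receiving side of those knocks can look like, as an added example that is not from the post: address lists with short timeouts chain the knocks in order, and only a source that completed the sequence gets to the protected port. The knock ports 1111 (TCP), 2222 (UDP) and 3333 (TCP), the protected UDP/51820 service, the timeouts and the list names are assumptions.

```routeros
# Added example, not from the post: the knock-receiving side of the scheme described above.
# Ports 1111/2222/3333 (knocks), 51820 (protected service), timeouts and list names are assumptions.
/ip firewall filter
# Stage 1: TCP knock. The post's /tool fetch to http://<router>:1111/... produces exactly this SYN.
add chain=input protocol=tcp dst-port=1111 action=add-src-to-address-list address-list=knock1 address-list-timeout=10s
# Stage 2: UDP knock (a DNS query sent to port 2222 looks like this); counts only after stage 1.
add chain=input protocol=udp dst-port=2222 src-address-list=knock1 action=add-src-to-address-list address-list=knock2 address-list-timeout=10s
# Stage 3: final TCP knock promotes the source into "knocked" for an hour.
add chain=input protocol=tcp dst-port=3333 src-address-list=knock2 action=add-src-to-address-list address-list=knocked address-list-timeout=1h
# Only sources that completed the sequence may reach the service.
add chain=input protocol=udp dst-port=51820 src-address-list=knocked action=accept comment="VPN for knocked sources"
# Final drop: the knock packets themselves fall through to here and are never answered.
add chain=input in-interface-list=WAN action=drop
```

add-src-to-address-list does not terminate rule processing, so the knock packets reach the drop at the end and get no reply; that is why a /tool fetch against a knock port only returns after its timeout, as the post notes. Keep the rules above any broad accept for the same ports, and treat this as a way to hide a service rather than to authenticate: anyone who can watch the path sees the sequence, and all hosts behind one NAT share the resulting entry.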
by sindy
Sun Jun 11, 2023 12:04 pm
Forum: General
Topic: RB5009 to HAP AC^3 PoE
Replies: 5
Views: 1036

Re: RB5009 to HAP AC^3 PoE

All good now! ... until the first power outage. It seems as if the total of the inrush current of the hAP ac³ and the own inrush current of the RBGPOE-CON-HP was too high for the RB5009 to provide, so it detects an overload and shuts the PoE down. One idea here would be to add a relay to the RBGPOE...
by sindy
Sat Jun 10, 2023 12:18 pm
Forum: General
Topic: Proper VRRP configuration
Replies: 10
Views: 1993

Re: Proper VRRP configuration

Even at v6 times, the manual was suggesting that the IP address attached to the VRRP interface should be a /32 one. The thing is that in the generic case, the /24 may be up on multiple routers simultaneously, and there may be multiple VRRP interfaces within that /24, each preferring another physical...
by sindy
Sat Jun 10, 2023 10:45 am
Forum: General
Topic: One question on BCP L2 tunnel [SOLVED]
Replies: 6
Views: 1247

Re: One question on BCP L2 tunnel [SOLVED]

Consider using bridge filter rules to implement DHCP snooping manually - you can drop DHCP server responses coming in via ports that are members of an interface list, or reverse, drop them all except those coming in via ports on an access list. The ppp profile permits to make the dynamically created...
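The manual DHCP snooping the post describes, as an added example that is not from the post or thread: server-originated DHCP (UDP source port 67) is accepted only from ports on a trusted interface list and dropped from every other bridge port, in both the forward and input chains. The list name dhcp-trusted, the uplink ether1 and the bridge name bridge1 are assumptions.

```routeros
# Added example, not from the thread. dhcp-trusted, ether1 and bridge1 are assumptions.
/interface list add name=dhcp-trusted
/interface list member add list=dhcp-trusted interface=ether1 comment="only port allowed to carry DHCP server replies"
/interface bridge filter
# Server-originated DHCP (OFFER/ACK, also relay traffic) is UDP from port 67; clients send from 68.
# Accept it from trusted ports first, then drop the same traffic arriving on any other port.
add chain=forward in-interface-list=dhcp-trusted mac-protocol=ip ip-protocol=udp src-port=67 action=accept comment="DHCP from trusted uplink"
add chain=forward mac-protocol=ip ip-protocol=udp src-port=67 action=drop comment="rogue DHCP server on an access port"
# Same pair for frames addressed to the router itself (its own DHCP client or relay).
add chain=input in-interface-list=dhcp-trusted mac-protocol=ip ip-protocol=udp src-port=67 action=accept
add chain=input mac-protocol=ip ip-protocol=udp src-port=67 action=drop
```

mac-protocol=ip matches only untagged IPv4 frames; on ports that carry 802.1Q tags the frame's mac-protocol is vlan and the rules need mac-protocol=vlan vlan-encap=ip instead. Where the untrusted ports are ordinary bridge ports rather than dynamically created ones, the built-in /interface bridge set bridge1 dhcp-snooping=yes together with /interface bridge port set [find interface=ether1] trusted=yes does the same with less to maintain.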
by sindy
Sat Jun 10, 2023 10:31 am
Forum: General
Topic: Another IPsec Tunnel question [SOLVED]
Replies: 2
Views: 625

Re: Another IPsec Tunnel question [SOLVED]

You should only use bare IPsec for simple cases, as you need a dedicated policy for each combination of local and remote subnet. So for more complicated scenarios, it is always better to use IPsec only to encrypt the transport packets of some tunneling protocol like IPIP, GRE, or L2TP, and use the &...
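The tunnel-plus-IPsec layout the post recommends, as an added example (not from the post): a GRE tunnel whose transport packets are encrypted by the IPsec peer and policy that RouterOS creates from ipsec-secret, with every remote subnet handled by a plain route over the tunnel instead of by a policy of its own. All addresses, interface names and the pre-shared key are placeholders.

```routeros
# Added example, not from the post. Public addresses are documentation ranges; everything else is assumed.
# --- Site A (public 203.0.113.10, LAN 192.168.10.0/24) ---
/interface gre add name=gre-siteB local-address=203.0.113.10 remote-address=198.51.100.20 \
    ipsec-secret="replace-with-a-long-random-secret" comment="transport encrypted by the dynamic IPsec policy"
/ip address add address=10.255.0.1/30 interface=gre-siteB
# Each remote subnet is one route; a further site-B subnet later is one more line, not a new policy.
/ip route add dst-address=192.168.20.0/24 gateway=gre-siteB
/ip route add dst-address=192.168.30.0/24 gateway=gre-siteB
# Only GRE that arrived through IPsec is accepted; plaintext GRE from the internet hits the final drop.
# Must sit before the final drop in chain input (IKE/ESP accepts are still needed as well).
/ip firewall filter add chain=input protocol=gre ipsec-policy=in,ipsec action=accept comment="GRE only inside IPsec"
# --- Site B (public 198.51.100.20, LANs 192.168.20.0/24 and 192.168.30.0/24) mirrors it ---
/interface gre add name=gre-siteA local-address=198.51.100.20 remote-address=203.0.113.10 \
    ipsec-secret="replace-with-a-long-random-secret"
/ip address add address=10.255.0.2/30 interface=gre-siteA
/ip route add dst-address=192.168.10.0/24 gateway=gre-siteA
/ip firewall filter add chain=input protocol=gre ipsec-policy=in,ipsec action=accept comment="GRE only inside IPsec"
```

The peer and the transport-mode policy that ipsec-secret generates show up with the D flag under /ip ipsec peer and /ip ipsec policy. They use pre-shared-key authentication with the default profile and proposal, which is fine for a test; for production define the peer, identity (certificates) and a hardened proposal yourself and add a manual policy with protocol=gre between the two public addresses, keeping the routes exactly as above.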
by sindy
Mon Jun 05, 2023 8:43 am
Forum: General
Topic: CRS328 vlan configuration
Replies: 1
Views: 531

Re: CRS328 vlan configuration

I can share my configuration if necessary. The actual configuration is indeed necessary. The manual page you have linked says nothing about how IP addresses are linked to the bridge interface itself and to the VLANs. I'm unable to establish NTP client connection from switch itself to the public NTP...
by sindy
Mon Jun 05, 2023 8:28 am
Forum: General
Topic: Phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]
Replies: 2
Views: 3253

Re: Phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]

Without seeing the complete configuration of the Mikrotik, sendmsg (Invalid argument) sendfromto failed phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500] 48234ee72dbe88a3:0000000000000000 suggest that there is a routing issue, i.e. that the Mikrotik cannot find a route...
by sindy
Sun Jun 04, 2023 10:27 pm
Forum: General
Topic: WAN doesn't failover when it can no longer ping gateway. (check-gateway=ping with recursive routing)
Replies: 2
Views: 671

Re: WAN doesn't failover when it can no longer ping gateway. (check-gateway=ping with recursive routing)

I cannot see anything wrong in your recursive routing setup, so first imitate the outage of the Verizon uplink and after 20 seconds, check whether the default routes via Verizon are still marked as Active. If they are, there is indeed something wrong with the setup. If they are not, maybe your expe...
by sindy
Sun Jun 04, 2023 10:00 pm
Forum: General
Topic: Both VRRP interfaces running as master
Replies: 1
Views: 628

Re: Both VRRP interfaces running as master

The second MAC address is a multicast one to which the active master periodically sends a notification for the other VRRP devices. If a VRRP device doesn't receive such a notification from a device with a higher priority than its own, it becomes a master itself. The source MAC address is reserved fo...
by sindy
Sun Jun 04, 2023 9:38 pm
Forum: General
Topic: Filter by packet content containing CR LF
Replies: 2
Views: 604

Re: Filter by packet content containing CR LF

/ip firewall filter add action=log chain=forward content="\r\n"
by sindy
Sun Jun 04, 2023 7:06 pm
Forum: General
Topic: ipsec vpn issue between mikrotik and juniper
Replies: 2
Views: 653

Re: ipsec vpn issue between mikrotik and juniper

Off-topic but really important, please do have a look into the philosophy of the Mikrotik firewall, especially the role of the chains ( input / output vs. forward ) and the purpose of connection tracking. Your current firewall rules effectively do nothing because the default behavior of all filter c...
by sindy
Sun Jun 04, 2023 4:35 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 27385

Re: RouterOS bridge mysteries explained

Once traffic is forwarded it is necessarily untagged at that point for the router side, since it only deals with Layer 3, so it has to be matched with mac-protocol=ip in the bridge filter. I have to disagree here. input , output , and forward in the context of the bridge filter are all L2 operations, so ev...
by sindy
Sat Jun 03, 2023 8:12 am
Forum: Beginner Basics
Topic: Starlink router with Ethernet connection LAN IP conflict
Replies: 8
Views: 13791

Re: Starlink router with Ethernet connection LAN IP conflict

in general I don't recommend Triple NAT 100.64.x.x->192.168.3.0/24->192.168.1.0/24.... There will be no triple NAT - in fact, there will be no NAT on the 'Tik at all. The whole trick is to make the 'Tik respond with the MAC address of its WAN interface to the ARP requests sent by the Starlink route...
by sindy
Fri Jun 02, 2023 11:41 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 27385

Re: RouterOS bridge mysteries explained

I'm not sure I've understood you well - I've tested on 7.9 and the rule only counts if I remove the mac-protocol=ip src-address=192.168.229.1/32 conditions: [me@myTik] > interface/bridge/filter/print Flags: X - disabled, I - invalid, D - dynamic 0 chain=output action=log out-interface=vxlan1 mac-pro...
by sindy
Fri Jun 02, 2023 8:50 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 27385

Re: RouterOS bridge mysteries explained

No as in "enabling use-ip-firewall in bridge settings will not change the fact that you cannot match on ports, IP protocol etc. in bridge filter if the ethernet protocol field (mac-protocol) is different from IPv4 or IPv6": [me@myTik] > system/resource/print uptime: 1w4d21h5m46s version: 7...
by sindy
Fri Jun 02, 2023 8:12 pm
Forum: Beginner Basics
Topic: Starlink router with Ethernet connection LAN IP conflict
Replies: 8
Views: 13791

Re: Starlink router with Ethernet connection LAN IP conflict

The tcpdump shows that you have missed the step of setting up the static ARP record for 192.168.33.1 - if it was set, there would be no ARP requests for that address.
by sindy
Fri Jun 02, 2023 8:02 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 27385

Re: RouterOS bridge mysteries explained

No. These are intended to allow traffic prioritization using queues (aka QoS) also for bridged traffic, but it causes a lot of headache if used along with NAT, so only enable these items if you exactly know what you need them for.