Community discussions

Search found 10811 matches

by sindy
Mon Oct 07, 2024 4:59 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 925

Re: Need a forward rule

Do I understand correctly then that the best way would be to create different subnets for 2ghz and 5ghz guest networks? I cannot see a reason for that. I am just saying that I don't think there is a way to make a particular wireless device keep its IP address when it moves from a 2.4 GHz network to...
by sindy
Mon Oct 07, 2024 3:46 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 925

Re: Need a forward rule

I think I understand the problem with the ax3's 2 routes to the same destination, but I don't know how to fix it. As I wrote above, on the hAP ax³, the best way would be to create a "br-guest" bridge as I wrote above: " Either use a different subnet for each of the two guest WiFi int...
by sindy
Mon Oct 07, 2024 1:59 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 925

Re: Need a forward rule

Is the fact that there are 2 routes with 0.0.0.0/0 destinations a problem? Two routes with the same destination may be both a desired setup or a wrong one - it depends on circumstances. E.g. if you had two WANs, two default routes could be a desired setup, as the ultimate destination would be the s...
by sindy
Sun Oct 06, 2024 10:03 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 925

Re: Need a forward rule

Your complete export has revealed that there is a DHCP client attached to ether1 of the 5009 that is allowed to add a default route. So which port of the 5009 is connected to FIOS, ether1 or some other one? What does /ip route print detail show on the 5009?
by sindy
Sat Oct 05, 2024 8:41 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 925

Re: Need a forward rule

I removed what I believe are the non-relevant sections. In general, doing so is actually a bad idea - more often than not, the issue is caused by something in those parts of the configuration that one deems irrelevant. Does anything look like the routing or gateway is misconfigured? I don't understand h...
by sindy
Sat Oct 05, 2024 7:47 pm
Forum: General
Topic: Can firewall rules slow down bandwidth test?
Replies: 8
Views: 324

Re: Can firewall rules slow down bandwidth test?

Every single packet passes through the raw table, no matter whether it is an initial one of a connection or a mid-connection one. The issue here is that raw stands before connection tracking on the path, so the connection-state attribute is not yet known as the packet is being matched against the ru...
by sindy
Sat Oct 05, 2024 4:55 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 925

Re: Need a forward rule

that is such a fantastic explanation and analysis! [...] It sure seems like it is your #2 explanation: timed out connection resulting in connection-state=new Unfortunately, your conclusion suggests that the explanation wasn't as fantastic as I would like it to be :) Let me reiterate - since the sou...
by sindy
Sat Oct 05, 2024 2:36 pm
Forum: General
Topic: Can firewall rules slow down bandwidth test?
Replies: 8
Views: 324

Re: Can firewall rules slow down bandwidth test?

Sir, you complain about getting generic info but you actually did the same - there is no point in referring to an example, even a specific one. You may have had to modify it to adjust it to your environment, you may have made a mistake when copying it, there may be a traffic in your environment that...
by sindy
Sat Oct 05, 2024 2:08 pm
Forum: General
Topic: bridge setting ip filter problem
Replies: 3
Views: 150

Re: bridge setting ip filter problem

The use-ip-firewall setting under interface/bridge/settings is used to force also packets that are bridged (forwarded at L2 level) from one port of a bridge to another port of the same bridge (like your NVR and your camera) through the IP firewall. The original purpose of this setting is to allow Qo...
by sindy
Sat Oct 05, 2024 12:33 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 925

Re: Need a forward rule

To be precise, it actually is a problem, but for sure adding a permissive rule would not be a solution to it. As in IPv4, the majority of user endpoints have private addresses, there are not many useful scenarios where endpoints in the internet would initiate connections to them, as they could only ...
by sindy
Fri Oct 04, 2024 8:53 pm
Forum: General
Topic: IPSEC VPN slow behind Mikrotik Router
Replies: 1
Views: 106

Re: IPSEC VPN slow behind Mikrotik Router

The first thing to come to my mind is increased packet rate due to fragmentation of the IPsec transport packets, so whilst the bit rate increases only up to, say, 10 % as compared to the amount of the payload traffic of the IPsec connection, the packet rate almost doubles; if, on top of that, some o...
by sindy
Fri Oct 04, 2024 8:29 pm
Forum: General
Topic: multiple devices whit one wireguard client
Replies: 6
Views: 257

Re: multiple devices whit one wireguard client

The only practical use case I can imagine from your description is to share an account on some paid "VPN" service among multiple people to save money. Leaving aside whether it is in accord with the terms of use, such an approach requires coordination of the use (as in, only one person can ...
by sindy
Fri Oct 04, 2024 7:27 pm
Forum: General
Topic: LTE Modem Firmware Upgrade - Has anyone got any troubleshooting tips?
Replies: 8
Views: 9902

Re: LTE Modem Firmware Upgrade - Has anyone got any troubleshooting tips?

Once I download the file - and get it via winbox to the routerboard - how do I then run the upgrade? If the LTE modem does support the local upgrade, interface lte firmware-upgrade firmware-file=xyz upgrade=yes should execute the upgrade. But as @Amm0 says, why do you need to do it this way? Is tha...
by sindy
Sun Sep 29, 2024 5:28 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

Somehow, I would expect gentlemen in Riga to provide either "BIOS CHR" and "UEFI CHR" images or a "universal CHR" image off the shelf rather than offloading that task to volunteers. I am still not sure why I had to use the UEFI-compatible image for the recent lot of CHR...
by sindy
Sat Sep 28, 2024 8:00 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

@jaclaz, you're the boss - 7.17.beta2 mangled using your gdisk magic made Vultr happy.
by sindy
Thu Sep 26, 2024 11:29 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

as soon as Sindy will be able to (hopefully) report success in the environment(s) he uses, the matter should be pseudo-solved. Sorry, it was neither soon nor 100% success. Both the pre-cooked images from @Amm0 I've tried, i.e. chr-7.16.uefi-fat.raw and chr-7.16.uefi-fat-kriszos.raw, work both in Pr...
by sindy
Wed Sep 25, 2024 5:32 pm
Forum: General
Topic: Wireguard slow between LAN hosts but fast when testing speed between routers.
Replies: 8
Views: 1214

Re: Wireguard slow between LAN hosts but fast when testing speed between routers.

The exports should have been placed between [ code] and [ /code] tags (using the </> button above the edit form). You may prefer to "un-post" the usernames for the pppoe services (and maybe some other logins to external services). Both can be fixed by editing the post. You do not use actio...
by sindy
Wed Sep 25, 2024 11:42 am
Forum: General
Topic: Wireguard slow between LAN hosts but fast when testing speed between routers.
Replies: 8
Views: 1214

Re: Wireguard slow between LAN hosts but fast when testing speed between routers.

A blind shot as you haven't posted the configurations: you may be using mangle rules to choose traffic that has to go via Wireguard and haven't prevented that traffic from hitting the action=fasttrack rule in filter. If it's not this, post the configuration exports from both routers - check the othe...
by sindy
Tue Sep 24, 2024 9:27 pm
Forum: General
Topic: Routing Btw subnets same router
Replies: 1
Views: 275

Re: Routing Btw subnets same router

What you are missing is that from the perspective of Server 1, the address of Server 2 (38.x.x.10) is within its own subnet (38.x.x.0/23). So when it wants to send a packet to it, it sends an ARP request "who has 38.x.x.10", but since Server 2 is in another L2 segment, the ARP request does ...
by sindy
Tue Sep 24, 2024 9:05 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 102
Views: 90347

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

I'm not sure what kind of reaction you actually expect from me :) A failed Phase 2 indeed means that the L2TP transport packets carrying your payload, which are supposed to get encrypted using that very Phase 2 SA, are not delivered - when an IPsec policy is in place, it intercepts matching packets ...
by sindy
Mon Sep 23, 2024 11:44 pm
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 916

Re: "Routing Rules" vs "Mangle Route Rule"

So now as the basic issue has been resolved, we can come back to the ones that popped up in the process. My full config looks like the following (with both mangle and routing rules): The only chain where an action=fasttrack-connection makes any actual sense is forward . If RouterOS itself is an endp...
by sindy
Mon Sep 23, 2024 11:22 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

Thinking about it, it is entirely possible as the overlap is only on the last sector of the two partitions Just to be sure, did you actually mean that the last sector of one partition overlaps with the first sector of the following one, as in "the first one is one sector larger than it should ...
by sindy
Mon Sep 23, 2024 7:46 pm
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 949

Re: v6 IPSEC problems

For me it does (7.14.3), so it must be something else.
by sindy
Mon Sep 23, 2024 10:13 am
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

I also convert the result to raw as I use ceph on Proxmox that does not support qcow2, so the difference in disk image format is not the magic that saves things. Still using version #3 (I will get to the other ones later), I haven't seen any complaints of gdisk in the log, except the one regarding t...
by sindy
Sun Sep 22, 2024 10:15 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

Tested at Proxmox. With 7.15.3 as a base and your gdisk script #3, after some time of black screen, it said: ERROR: could not find disk! Please attach it somewhere else. I have tried to emulate both SCSI and IDE, no difference. Since this was my first ever attempt to UEFI-boot a CHR on Proxmox, the ...
by sindy
Sun Sep 22, 2024 8:56 pm
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 916

Re: "Routing Rules" vs "Mangle Route Rule"

My full config looks like the following (with both mangle and routing rules): OK, so the difference from the configuration I have used to test it that causes the two to yield different results is that in yours, 123.123.123.123 is an own address of the router whereas in mine it wasn't. This has a hu...
by sindy
Sun Sep 22, 2024 4:39 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

In this context, I cannot see any benefit in testing 50 incremental scenarios just to find the one that makes it work with the minimum number of changes. The amount of CPU that has to be spent on a Linux machine to make the resulting layout "the most correct one" is not a limiting factor h...
by sindy
Sun Sep 22, 2024 2:33 pm
Forum: Virtualization
Topic: Help in setting up CHR version 7.x on Gcore Labs VPS
Replies: 1
Views: 721

Re: Help in setting up CHR version 7.x on Gcore Labs VPS

/dev/vda2 is just a partition on /dev/vda whereas the .img file contains an image of a complete disk including the MBR, so you have to use of=/dev/vda in step 3. If you did and it crashes nevertheless, how exactly does the "crash" look in the console window? Maybe those new machines only ...
by sindy
Sun Sep 22, 2024 12:06 pm
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 916

Re: "Routing Rules" vs "Mangle Route Rule"

I have noticed this train of thought on the forum recently and I don't get it. Why should the presence of a route to a given destination (or even less logically, of a default route) in the main table be a mandatory pre-requisite for a route to that destination to work in another table?
by sindy
Sun Sep 22, 2024 11:57 am
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

Is there a free environment where the image bootability can be tested? It depends on the local meaning of the symbolic address "there" :D On Proxmox, you can choose between BIOS and UEFI boot. According to the OP, a "Gen2" machine in Hyper V means that UEFI boot is used; strictl...
by sindy
Sun Sep 22, 2024 11:41 am
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 916

Re: "Routing Rules" vs "Mangle Route Rule"

Since the result is different on my 7.15.3 in terms that both ways the packet for "123.123.123.123" does reach "192.168.9.9", something in your overall setup must be different from mine. Without seeing the obfuscated export of your configuration, there is no way to identify that ...
by sindy
Sun Sep 22, 2024 10:16 am
Forum: General
Topic: Switch rules
Replies: 4
Views: 667

Re: Switch rules

Ah, sorry - new-dst-ports=switch1-cpu is what you need. I forgot that you only needed to drop traffic from one external port to another.
by sindy
Sat Sep 21, 2024 2:55 pm
Forum: General
Topic: Switch rules
Replies: 4
Views: 667

Re: Switch rules

As-is, the rule does not drop the matching frames but redirects them to CPU. To actually drop them, you should use new-dst-ports="" instead of redirect-to-cpu=yes.
by sindy
Sat Sep 21, 2024 2:05 pm
Forum: General
Topic: :find vs. find
Replies: 3
Views: 517

Re: :find vs. find

The full tutorial is the manual , but the TL;DR is: :find can be used to find a position of an element in an array or a position of a substring in a string: :local myArray {"127";"226";"313"} ; put [:find $myArray "226" 0] ; put ($myArray->1) 1 226 :local mySt...
by sindy
Sat Sep 21, 2024 1:29 pm
Forum: General
Topic: Unlock different country in ax3
Replies: 2
Views: 426

Re: Unlock different country in ax3

Devices purchased in the U.S. or Canada cannot be unlocked to use WiFi regulations from other countries, otherwise FCC would not allow them to be sold on those markets.
by sindy
Sat Sep 21, 2024 9:23 am
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 986

Re: Exclude 1 MAC address from logging

It is indeed not possible to filter the messages on their way to be logged by contents, nor to tell the processes generating them (dhcp, wireless in your case) to filter them by some parameters of the object being processed. You can only filter them when watching the log.
by sindy
Sat Sep 21, 2024 9:05 am
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

The good news for those who don't want to dive that deep (respect, @jaclaz!) is that an upgrade of an already installed CHR apparently doesn't affect the boot partition. So installing an image of 7.14.3 that has been made acceptable for UEFI using the script (whichever part of it is the actual reaso...
by sindy
Fri Sep 20, 2024 10:28 pm
Forum: General
Topic: Can wireguard tunnel listen on an VRRP address? (Want redundant VPN)
Replies: 1
Views: 518

Re: Can wireguard tunnel listen on an VRRP address? (Want redundant VPN)

As of current, Wireguard listens on all the addresses of the router and the VRRP ones are no exception; what may require some additional measures is that it would use the VRRP address as the source one of the packets it sends . To ensure that, it may be necessary to use techniques similar to one of ...
by sindy
Thu Sep 19, 2024 11:46 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

Do I understand correctly that I can take a regular x86 PC, put a few NICs in it and run a virtualized instance of ROS making the entire box a router (or firewall)? Indeed. Mikrotik recommends exactly this approach (a virtualization platform and a CHR on it even if the CHR would be the only VM runn...
by sindy
Thu Sep 19, 2024 10:45 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

CHR is intended for deployment as a virtual machine - where you need a virtualized router you are familiar with rather than a bare Linux for production, or where you need to simulate some complicated setups, or where you just need a Mikrotik router running on a public IP for some training, which was...
by sindy
Thu Sep 19, 2024 9:32 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11397

Re: Router OS 7 on UEFI

Below is a script to correct these issues. Huge thanks. It helped me out as I've just hit some improvement at a cloud provider where only UEFI boot became possible since I've installed a CHR there the last time. Even better, I've installed CHR 7.14.3 using the script and the console works just fine.
by sindy
Thu Sep 19, 2024 7:25 pm
Forum: General
Topic: DCCP, H.323, IRC, PPTP, RTSP, SCTP, SIP, TFTP, and UPDLite Service Ports
Replies: 1
Views: 420

Re: DCCP, H.323, IRC, PPTP, RTSP, SCTP, SIP, TFTP, and UPDLite Service Ports

It depends on what your Mikrotik is used for. If you do not use any of those protocols across NAT (i.e. your LAN side clients do not use them to connect to servers in the internet nor vice versa), it is OK to disable all of them. PPTP is an exception in terms that even if you do not use PPTP as such...
by sindy
Thu Sep 19, 2024 7:10 pm
Forum: General
Topic: Mangle and Queue
Replies: 1
Views: 407

Re: Mangle and Queue

It's not this simple. A rule with the same conditions you use to assign the connection-mark may be used to assign the packet-mark directly if you only need packets in that direction to get the packet-mark. If you need to assign the packet-mark (also) to packets in the other direction than where you ...
by sindy
Thu Sep 19, 2024 7:03 pm
Forum: General
Topic: VRRP with VLANs and redundant topology [SOLVED]
Replies: 5
Views: 744

Re: VRRP with VLANs and redundant topology [SOLVED]

Indeed the mst-override is what you need, you have to set the internal-path-cost to be higher on the port to which the "wrong" switch for that VLAN (corresponding to the vlan group identifier) is connected and lower for the one to which the "correct" switch is connected - lower p...
by sindy
Wed Sep 18, 2024 9:07 pm
Forum: General
Topic: Can anyone help me understand what is going on with my cAP ac
Replies: 4
Views: 491

Re: Can anyone help me understand what is going on with my cAP ac

for the last 2-3 years ap has been running from a poe switch and I have tried changing ports and using with the adapter and power supply from the kit and the behaviour persists.
Given the above, I agree with the below.
Well, it seems it's time to switch to ax
by sindy
Wed Sep 18, 2024 5:17 pm
Forum: General
Topic: Can anyone help me understand what is going on with my cAP ac
Replies: 4
Views: 491

Re: Can anyone help me understand what is going on with my cAP ac

How long in weeks/months is "long time"? The way you describe it it looks like an overheating problem, but in general, the first thing to degrade always used to be the electrolytic capacitors in the power adaptors (nothing specific to Mikrotik), so if you can try a newer one which matches ...
by sindy
Tue Sep 17, 2024 10:24 am
Forum: General
Topic: VRRP with VLANs and redundant topology [SOLVED]
Replies: 5
Views: 744

Re: VRRP with VLANs and redundant topology [SOLVED]

If you want each of the two USW switches to only handle a single VLAN, they cannot be connected to the same bridges on the CHRs, or you must use MSTP that can handle a separate spanning tree for each group of VLANs. Since the configuration exports suggest that there are some other switches in your t...
by sindy
Mon Sep 16, 2024 11:32 pm
Forum: General
Topic: Multiple PPP clients over RS-485
Replies: 1
Views: 335

Re: Multiple PPP clients over RS-485

PPP stands for Point-to-Point Protocol, which gives a hint that it does not include any support for Point-to-Multipoint channels, i.e. it does not contain any Media Access Control address allowing to indicate for which of the devices on the RS485 bus the packet is intended, or from which of them it ...
by sindy
Mon Sep 16, 2024 11:16 pm
Forum: General
Topic: How to prioritize packets to/from LAN IP
Replies: 9
Views: 1768

Re: How to prioritize packets to/from LAN IP

Indeed, in order to give some packets a higher priority, the most important thing is to queue all the other packets that have to "give way" to the priority ones. Any packets that need to be queued must not be fasttracked (except some specific case mentioned in the manual, which is not rele...
by sindy
Mon Sep 16, 2024 10:41 pm
Forum: Announcements
Topic: v7.15.3 [stable] is released!
Replies: 655
Views: 256888

Re: v7.15.3 [stable] is released!

What else should I change?
The topic, please. This one is not the right place for discussing this, create a new one.
by sindy
Mon Sep 16, 2024 6:06 pm
Forum: Announcements
Topic: v7.15.3 [stable] is released!
Replies: 655
Views: 256888

Re: v7.15.3 [stable] is released!

Is here anyone with working Netwatch/Fetch? Anyone know how to solve it? I do send Telegram notifications using /tool/fetch in 7.15.3 and I do not suffer from this kind of problems: /tool fetch url="https://api.telegram.org/$botId:$botPwd/sendMessage\?chat_id=$chatId&text=$message&pars...
by sindy
Mon Sep 16, 2024 4:11 pm
Forum: General
Topic: May you recomend me an SSTP VPN service?
Replies: 9
Views: 909

Re: May you recomend me an SSTP VPN service?

Have you checked your mailbox recently?
by sindy
Mon Sep 16, 2024 2:01 pm
Forum: General
Topic: IPSec - routing problem
Replies: 11
Views: 4401

Re: IPSec - routing problem

The issue you describe is definitely not "normal" so it is either a misconfiguration or some issue between the Mikrotik's and Ubiquiti's implementations of IPsec. So as the first step, post the export of the Mikrotik configuration (after proper obfuscation - serial numbers, public addresse...
by sindy
Mon Sep 16, 2024 12:05 pm
Forum: General
Topic: Masquerade on interface with multiple public IPs addresses [SOLVED]
Replies: 4
Views: 531

Re: Masquerade on interface with multiple public IPs addresses [SOLVED]

Use action=src-nat to-addresses=the.chosen.ip.address instead of action=masquerade. It will only work if the.chosen.ip.address is static.
by sindy
Mon Sep 16, 2024 12:01 pm
Forum: General
Topic: May you recomend me an SSTP VPN service?
Replies: 9
Views: 909

Re: May you recomend me an SSTP VPN service?

No one (except maybe the forum administrators) can respond to you by e-mail as the e-mail address you have entered when registering to the forum is not shown to other users and Personal Messages only worked for several brief periods. You can use the approach from this post if you generate your own k...
by sindy
Mon Sep 16, 2024 10:59 am
Forum: General
Topic: Masquerade on interface with multiple public IPs addresses [SOLVED]
Replies: 4
Views: 531

Re: Masquerade on interface with multiple public IPs addresses [SOLVED]

I understand I do not answer your question, but why do you insist on use of masquerade if you assign the addresses manually anyway? The purpose of masquerade is to handle a single dynamically changing address and remove connections src-nated to that address if it disappears.
by sindy
Mon Sep 16, 2024 10:54 am
Forum: General
Topic: Cannot ping from console VETH interface in containers bridge
Replies: 4
Views: 485

Re: Cannot ping from console VETH interface in containers bridge

This (address not responding while container is down) was the first thing to come to my mind when @lpetrov posted the question, because it would be a logical behavior as you've pointed out. But the behavior I observe in 7.15.3 is not logical - the veth interface is "running", the /interfac...
by sindy
Mon Sep 16, 2024 10:47 am
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1426

Re: IPv6 for SSH Tunnel Server

It did not come to my mind, but indeed - if you cannot identify traffic generated by the router itself, you may instead identify the one that was not . So if you don't mind setting a connection-mark or a packet-mark to the initial packets of any forwarded traffic in chain forward in mangle , you can...
by sindy
Sun Sep 15, 2024 10:33 pm
Forum: General
Topic: Identity selection when Mikrotik working as initiator in ipsec
Replies: 1
Views: 271

Re: Identity selection when Mikrotik working as initiator in ipsec

1. can the same identity be shared among several peer configurations? I read somewhere that it can, but from what I see the peer=xxx field is mandatory in identity. It may be a misinterpretation. Multiple "peers" as in "remote devices" can indeed match (hence "use") th...
by sindy
Sun Sep 15, 2024 8:55 pm
Forum: General
Topic: send-initial-contact v.s passive parameters of peer configuration in ipsec
Replies: 3
Views: 707

Re: send-initial-contact v.s passive parameters of peer configuration in ipsec

Can you be more clear? ... How does this parameter work if it is used by the initiator? And how does it work if used by the responder? ... Do I understand correctly, that: if Mikrotik is used as a responder then send-initial-contact is simply ignored, and will not be used (meaning that Mikrotik always drops ex...
by sindy
Sun Sep 15, 2024 7:17 pm
Forum: General
Topic: Letting an LGTV in other VLAN "castable"?
Replies: 1
Views: 341

Re: Letting an LGTV in other VLAN "castable"?

What about moving the action=add-src-to-address-list rule from chain forward in /ip/firewall/filter to chain prerouting in /ip/firewall/raw or /ip/firewall/mangle?
by sindy
Sun Sep 15, 2024 6:19 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 554

Re: need help with ip redirection

In an hour at the earliest. If you don't want to reveal your contact information publicly, you can use the method described here.
by sindy
Sun Sep 15, 2024 6:06 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 554

Re: need help with ip redirection

right :)
by sindy
Sun Sep 15, 2024 5:50 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 10485

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Reading RFCs is often helpful. Also, I would swear I have seen somewhere the INITIAL_CONTACT to cause connections from the same address to be dropped as written above, but today I could only find in both RFC 5996 and RFC 4306 that it is related to connections authenticated using the same credentials...
by sindy
Sun Sep 15, 2024 5:44 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 554

Re: need help with ip redirection

->
by sindy
Sun Sep 15, 2024 5:43 pm
Forum: General
Topic: send-initial-contact v.s passive parameters of peer configuration in ipsec
Replies: 3
Views: 707

Re: send-initial-contact v.s passive parameters of peer configuration in ipsec

The Mikrotik documentation often assumes the reader is familiar with the standards regarding the protocol and only explains the particular ways how that protocol is implemented on Mikrotik. Plus, like other vendors, Mikrotik sometimes uses shorter keywords to express the behavior. So passive should ...
by sindy
Sun Sep 15, 2024 5:24 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 554

Re: need help with ip redirection

Unless you use bare IPsec, the following rule in the dstnat chain of /ip firewall nat should be sufficient: chain=dstnat in-interface=name-of-the-vpn-interface protocol=xyz port=xyz action=dst-nat to-addresses=192.168.2.200 But that rule alone does not address the need that the PC has to send the re...
by sindy
Sun Sep 15, 2024 5:15 pm
Forum: General
Topic: Cannot ping from console VETH interface in containers bridge
Replies: 4
Views: 485

Re: Cannot ping from console VETH interface in containers bridge

I would expect that the address you define for vethN only responds if the container linked to that veth is up and listening on that address, but on 7.12.1, the address linked to a veth responds even if no container has ever been using it, let alone being currently attached to it. On 7.15.3, it doesn...
by sindy
Sun Sep 15, 2024 4:42 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 554

Re: need help with ip redirection

Sorry, you'll have to express the setup and issue using a drawing (a photo of a hand-drawn sketch is normally enough) as it is not really clear (at least to me) what the issue is. I did understand that you've got multiple sites where the ISP modem provides the same LAN subnet, and I assume I have un...
by sindy
Sun Sep 15, 2024 3:03 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1178

Re: Bridging VLAN and EoIP

Is my statement (at high level) correct?
If the intention is to get the same behavior like a single VLAN-aware hardware switch, then yes.
by sindy
Sun Sep 15, 2024 1:28 pm
Forum: General
Topic: My new hAP ax lite LTE6 looses its lte after a few days
Replies: 27
Views: 1388

Re: My new hAP ax lite LTE6 looses its lte after a few days

I'll check it once it fails again, if it's gone from there I just wanted to be sure that the router uses USB to talk to this particular modem model. So do check whether the row is still there once it fails, but after you do that, try /system/routerboard/usb/power-reset duration=20s . If it asks for ...
by sindy
Sun Sep 15, 2024 12:50 pm
Forum: General
Topic: My new hAP ax lite LTE6 looses its lte after a few days
Replies: 27
Views: 1388

Re: My new hAP ax lite LTE6 looses its lte after a few days

I'm not sure how the LTE modem is connected on hAP ax lite LTE6 - what does /system/resource/usb/print show when the LTE interface is present in the configuration?
by sindy
Sun Sep 15, 2024 12:47 pm
Forum: General
Topic: User manager and mikhmon remote access
Replies: 3
Views: 367

Re: User manager and mikhmon remote access

Whilst my personal opinion is that it is better to post in the original language than to post already machine-translated text (as posting in original language prevents information loss), other forum users may have a different opinion. But more important - it is not clear to me whether you want the t...
by sindy
Sun Sep 15, 2024 12:15 pm
Forum: General
Topic: Issues when connectin is routed in/out same interface
Replies: 5
Views: 441

Re: Issues when connectin is routed in/out same interface

I would say that like in many other cases, sniffing is your friend here. If a router finds out that the out-interface is the same as the in-interface for a packet towards a given destination, it does forward the packet, but it also sends an ICMP message to the original sender, informing it that a bett...
by sindy
Sat Sep 14, 2024 9:37 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1178

Re: Bridging VLAN and EoIP

VLAN virtual interfaces Does a virtual VLAN interface react only to packets tagged with the specific VLAN ID? What happens when a properly tagged packet reaches a virtual VLAN interface? Does it get "untagged" by the interface, or does it preserve the 4bytes for VLAN identifier? What happ...
by sindy
Sat Sep 14, 2024 5:05 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1301

Re: Route wireguard peers through vxlan

As for the cross DHCP offers, I have enabled DHCP Snooping on the bridge and made the VXLAN port untrusted, is there still a problem? I'm not sure the treatment of DHCP packets on a VLAN-enabled bridge is any more useful than matching by IP address in bridge filter rules, you have to try - the manu...
by sindy
Thu Sep 12, 2024 9:36 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

Many things may be set up differently on both the Mikrotiks and the Windows PCs. Since the pinging between the bridge addresses of the Mikrotiks themselves works, and even some connection between the two PCs does (the VNC one), it means that Wireguard itself and the associated routes are OK. Unless ...
by sindy
Thu Sep 12, 2024 9:30 am
Forum: General
Topic: IPSEC VPN Multiples Subnets
Replies: 7
Views: 708

Re: IPSEC VPN Multiples Subnets

If I configured more than one subnet on the policies and the nat settings, but only one subnet has communication end to end.
Set the level of all the policies you've added to unique. If that does not help, post the configuration exports from both devices.
by sindy
Wed Sep 11, 2024 10:02 pm
Forum: General
Topic: Odd LTE issue
Replies: 13
Views: 930

Re: Odd LTE issue

In easy things to try... setting the mode to "IPv4" instead of "auto" in the APN is worth a shot.
Somehow there is an IPv6 DNS query that got responded in the sniff above... so I wonder what the mode setting is actually worth :D
by sindy
Wed Sep 11, 2024 9:35 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

and how if i want to access the windows service such as smb or windows sharing ? No idea, I'm not that deep into Windows so I have no idea what is the default behavior for their various proprietary protocols. right now i can access VNC PC B from PC A and vice versa, so how can i access windows share o...
by sindy
Wed Sep 11, 2024 11:13 am
Forum: General
Topic: How to tell current config file name
Replies: 3
Views: 340

Re: How to tell current config file name

Or export the current config and compare it using diff on an external computer with all the other ones.
by sindy
Wed Sep 11, 2024 11:11 am
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1426

Re: IPv6 for SSH Tunnel Server

You can src-nat to any address you want but in order that the response could reach your router, the routers on the return path must send it to your router, and if L2 network is used between your router and the neighbor, your router must respond to ARP or ND messages for that address. However, the th...
by sindy
Wed Sep 11, 2024 10:53 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

As written above - Windows by default would not respond to ping requests that arrive from outside its local subnets, i.e. where the ping response would have to be sent via a gateway. So you have to change the Windows firewall settings, use some other method to determine that the PC is alive, or use ...
by sindy
Wed Sep 11, 2024 10:44 am
Forum: General
Topic: Where can I find GOOD documentation of IPSEC in Mikrotik?
Replies: 6
Views: 568

Re: Where can I find GOOD documentation of IPSEC in Mikrotik?

Do you mean, that a Peer field in Policy itself will be used? and the policies are reverse matched to peer? Indeed. A manually configured policy must refer to one or two peer objects and if the actually connected remote initiator proposes a traffic selector, only the manually configured policies th...
by sindy
Tue Sep 10, 2024 10:22 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1754

Re: VoIP no incoming calls

Did you actually use udp for that? Rest assured I did :D Maybe the missing dstnat EINAT rule is the problem? Indeed. It did not come to my mind that filtering might be controlled by a rule in dstnat chain, although now as you've pushed my nose into it I can imagine the mechanism behind. OK, I will...
by sindy
Tue Sep 10, 2024 9:24 pm
Forum: General
Topic: Where can I find GOOD documentation of IPSEC in Mikrotik?
Replies: 6
Views: 568

Re: Where can I find GOOD documentation of IPSEC in Mikrotik?

I can't give you a link to a better documentation than the Mikrotik one, but I can help you in question-and-answer mode :) First answer: Phase 1 proposal parameters are aggregated on rows of /ip/ipsec/profile , Phase 2 proposal parameters are aggregated on rows of /ip/ipsec/proposal . Second answer: ...
by sindy
Tue Sep 10, 2024 9:09 pm
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1039

Re: Passthrough Network Via Mikrotiks

Apparently I was reading too diagonally today :) My impression from your OP was that R3 was a wireless client of R2. Since it is not, there is no need to configure its wireless interface(s) to station-bridge mode. Just two AP mode interfaces, one master and one slave, each linked to another VLAN. As...
by sindy
Tue Sep 10, 2024 4:48 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

The routes and allowed-address items seem fine to me. Windows devices by default only respond to pings coming from the own subnet of the interface, could it be this simple?
by sindy
Tue Sep 10, 2024 4:44 pm
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1039

Re: Passthrough Network Via Mikrotiks

If the question was for me - if R1 presents 192.168.1.0/24 and the path to the PPPoE server on the same physical interface, then indeed the PPPoE client has to be connected to the VLAN interface on the common bridge. If there are two separate interfaces on R1, one for LAN and another one for the PPP...
by sindy
Tue Sep 10, 2024 1:28 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

Both ways are possible, each Wireguard interface may have multiple peers, that's how it is designed.
by sindy
Tue Sep 10, 2024 11:54 am
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1039

Re: Passthrough Network Via Mikrotiks

I think the above would be unnecessarily complicated. I would set the master wireless interface of R3 to station-bridge mode, make it a trunk port for multiple VLANs, and use the "single common bridge with vlan-filtering=yes for all VLANs" mode also on R2, so that its WAN would be yet anot...
by sindy
Tue Sep 10, 2024 11:17 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

I'm not sure I understand properly, but the fact that it works for the road warrior means that the port 13231 on site A is reachable from the internet. So in order to add the site-to-site functionality, return the /interface/wireguard/peer row representing site b (with allowed-address=192.168.90.0/2...
by sindy
Tue Sep 10, 2024 8:56 am
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 949

Re: v6 IPSEC problems

The other address comes by SLAAC and is the one MT's DDNS reports. Ah... as you have to force Mikrotik to use SLAAC when configured as a router, I never went that way. The SA's correctly go out the AT&T side, so there is no encapsulation. You mean IKE/IKEv2 here. Both Phase 1 (IKE, IKEv2) and P...
by sindy
Tue Sep 10, 2024 8:41 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

1. should Set keepalive on site b to 30s, but not on site A or on both site ? site b only. 2. should i add ip address for both wireguard interface? and add route for both interface? Only add the routes corresponding to allowed-address at the same device. There is no need to attach an interface to t...
by sindy
Mon Sep 09, 2024 10:22 pm
Forum: General
Topic: Tagged packets simply do not match any longer in srcnat chain for packets tagged in output chain!
Replies: 2
Views: 493

Re: Tagged packets simply do not match any longer in srcnat chain for packets tagged in output chain!

Other packets are accepted in filter established rule That's not true. The individual stages (tables) of the firewall are passed independently and accept in filter is only relevant for filter . It's the first packet because the following ones go to connection tracking. But honestly, I am still a li...
by sindy
Mon Sep 09, 2024 9:12 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

how can i check if there was successful handshake ? The last-handshake column as mentioned above is completely absent if no successful handshake took place yet. If the column is present but the time shown is longer than 2 minutes, it is also suspicious. There is a moment in your exports that I don...
by sindy
Mon Sep 09, 2024 6:48 pm
Forum: General
Topic: Odd LTE issue
Replies: 13
Views: 930

Re: Odd LTE issue

I did not ask for results of torch , I asked for results of sniffer , and there was a reason to it. Recently I have seen a situation where the traffic from the router to the LTE modem went from a more or less normally looking MAC address but the LTE modem was sending the responses to MAC address 00:...
by sindy
Mon Sep 09, 2024 11:45 am
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1178

Re: Bridging VLAN and EoIP

We have to go step by step. So far I still have no other idea than fragmentation issues (the EoIP transport packets carrying a 1514-byte Ethernet frame are far bigger than 1500 bytes, so they have to be fragmented in order to pass through paths with L3 MTU of 1500, and if something is misconfigured ...
by sindy
Mon Sep 09, 2024 10:59 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

how can i get the configuration ?
Here's why and how.

how can i check if the wireguard connection was working ?
/interface/wireguard/peers/print detail shows items like current-endpoint-address, current-endpoint-port, rx, tx, last-handshake.
by sindy
Sun Sep 08, 2024 10:54 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1336

Re: VPN 2 Sites With Mikrotik But only one has public ip

can anyone give me some guide to solve this ? It "should" work so the best course of action is to post the exports of the configuration of both devices (after removing any serial numbers, logins to external services, and replacing the prefixes of public addresses in such a way that the re...
by sindy
Sun Sep 08, 2024 10:34 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1178

Re: Bridging VLAN and EoIP

They are not untagged by the bridge, they get from ether2 to the tagged end of the VLAN20 pipe still tagged. It's the passage through VLAN20 that removes the tag. In the opposite direction, the tagless frame that arrives via eoip-tunnel1 passes through Bridge_VLAN to the tagless end of the VLAN20 pi...
by sindy
Sun Sep 08, 2024 10:20 pm
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 949

Re: v6 IPSEC problems

my understanding is that Starlink does randomly change the prefix. Sometimes every day, other times it may stay for weeks. My own experience was that the /56 did not change for months (until the Ethernet adaptor finally broke so it wasn't possible to use the bypass mode any more without an addition...
by sindy
Sun Sep 08, 2024 9:59 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1178

Re: Bridging VLAN and EoIP

It's not adding the tagless end of VLAN20 as a member port of the bridge, it's rooting the tagged end of VLAN20 in the bridge whose member port is ether2 . So the frames tagged with VID 20 that ingress via ether2 will get to the tagged end of VLAN20 via bridge bridge and egress there, get untagged, ...
by sindy
Sun Sep 08, 2024 9:45 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1178

Re: Bridging VLAN and EoIP

You have posted only the export from the "local" end, so some information is missing; however, what is definitely wrong is that the VLAN interface VLAN20 is hooked to ether2 whilst ether2 is a member port of bridge bridge . Such an arrangement is incorrect and known to cause issues, so you...
by sindy
Sun Sep 08, 2024 9:07 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1178

Re: Bridging VLAN and EoIP

Show me the configuration exports, that indeed sounds strange, unless the addresses are from the same subnet.
by sindy
Sun Sep 08, 2024 8:42 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1178

Re: Bridging VLAN and EoIP

If so, try attaching a DHCP client with add-default-route set to no to the bridge that joins the EoIP with the Ubnt-facing VLAN interface and try pinging the IP attached to the remote end of the EoIP tunnel with size=1500. Do you get responses?
by sindy
Sun Sep 08, 2024 8:24 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1178

Re: Bridging VLAN and EoIP

If you can ping even public addresses through the EoIP tunnel, it sounds like an MTU issue (if you haven't forced the MTU of the EoIP interfaces to 1500, which is what the wireless clients probably expect) or a reassembly issue (if you have forced the MTU of the EoIP interfaces to 1500, so the size ...
by sindy
Sun Sep 08, 2024 3:49 pm
Forum: General
Topic: PPPoE connection losses - more detailed logging? [SOLVED]
Replies: 8
Views: 725

Re: PPPoE connection losses - more detailed logging? [SOLVED]

Even in debug, the logging typically shows only control traffic and omits the packets carrying only payload. So sniffing may show you e.g. long periods of silence in one direction and corresponding retransmissions in the other one. Less important, my personal experience is that people tend to accept...
by sindy
Sun Sep 08, 2024 3:08 pm
Forum: General
Topic: PPPoE connection losses - more detailed logging? [SOLVED]
Replies: 8
Views: 725

Re: PPPoE connection losses - more detailed logging? [SOLVED]

I can only suggest sniffing on the underlying Ethernet interface. As the sniffing has to record all the traffic right before the disconnect, the amount of sniffed data will be proportional to your total traffic on that PPPoE interface. So unless your router has a USB port and you can sniff to a file...
by sindy
Sun Sep 08, 2024 11:05 am
Forum: General
Topic: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface
Replies: 6
Views: 565

Re: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface

There are very few Mikrotik products whose switch chips support VLAN ID manipulation using rules, and I do not happen to own one of these so I cannot test it, hence the following is just a theoretical suggestion. The switch chip rules handle the frames as they ingress, so the rule you have used, /in...
by sindy
Sun Sep 08, 2024 9:08 am
Forum: General
Topic: multiple wireguard listening ports for the same interface [SOLVED]
Replies: 1
Views: 418

Re: multiple wireguard listening ports for the same interface [SOLVED]

You can use a dst-nat rule to forward a list of ports or port ranges to the one where the Wireguard instance listens, but in countries where this is a concern, those "someones" typically use DPI to filter wireguard and other VPN types by packet contents rather than by port numbers.
by sindy
Sun Sep 08, 2024 9:01 am
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 949

Re: v6 IPSEC problems

I added 4500 and 500 (maybe that one's not necessary since I have NAT traversal set on the office side?) accept rules on the office side, and esp rules on both sides. Support of NAT traversal is an optional extension in case of IKE (v1); in IKEv2, it is part of the standard so there is no need to e...
by sindy
Sat Sep 07, 2024 11:29 pm
Forum: General
Topic: Wireguard with relay [SOLVED]
Replies: 6
Views: 706

Re: Wireguard with relay [SOLVED]

Just for the case - if you activate the bypass mode on Starlink, you get a static global /56 on the LAN side of the Starlink dish (in addition to the CGNAT IP address). But assuming you have your reasons to stick with IPv4, if by "relay" you mean a device on a public address that both the ...
by sindy
Sat Sep 07, 2024 10:55 pm
Forum: General
Topic: WireGuard not working [SOLVED]
Replies: 10
Views: 815

Re: WireGuard not working [SOLVED]

At this stage I've got no other idea than checking one more time that there is no typo in the settings of the .2 and .3 peers in the central site configuration, as .2 may shadow the .3 due to a typo in the mask (e.g. /31 instead of /32 ) and the .3 may be just wrong (something similar to 20.99.98...
by sindy
Sat Sep 07, 2024 9:01 pm
Forum: General
Topic: WireGuard not working [SOLVED]
Replies: 10
Views: 815

Re: WireGuard not working [SOLVED]

Grrr... I've got it in front of my eyes all the time. The mistake are the /24 masks in the allowed-address lists on the "hub" device. Change 20.99.99.1/24 to 20.99.99.1/32, 20.99.99.2/24 to 20.99.99.2/32 and so on and you'll be good. The thing is that when the virtual Wireguard router rece...
by sindy
Sat Sep 07, 2024 6:28 pm
Forum: General
Topic: WireGuard not working [SOLVED]
Replies: 10
Views: 815

Re: WireGuard not working [SOLVED]

Strictly speaking both 20.99.99.254/30 and 20.99.99.254/24 are incorrect ways to express the 30-bit prefix 20.99.99.252 and the 24-bit prefix 20.99.99(.xx), respectively, but the Wireguard configuration is apparently not that picky and accepts these formats, treating them the same like the formally ...
by sindy
Sat Sep 07, 2024 4:20 pm
Forum: General
Topic: WireGuard not working [SOLVED]
Replies: 10
Views: 815

Re: WireGuard not working [SOLVED]

Sorry for grammar. No need to say sorry, I was just explaining where my uncertainty regarding what is the actual issue comes from. In your OP, you've mostly used 20.99.99.x , now you show to be pinging 10.99.99.x . Could it be as simple as having a typo on the first two peers? I have seen a manual...
by sindy
Sat Sep 07, 2024 3:36 pm
Forum: General
Topic: Node Red on MIPSBE, possible?
Replies: 3
Views: 386

Re: Node Red on MIPSBE, possible?

I'm not sure what you have in mind, running a container with NodeRed on a Mikrotik device? Containers can only run on arm, arm64, and x86_64 devices, so anything *mips* is out of question. And an external disk is a must for containers, otherwise you'll kill your internal flash in weeks even if it is...
by sindy
Sat Sep 07, 2024 3:23 pm
Forum: General
Topic: WireGuard not working [SOLVED]
Replies: 10
Views: 815

Re: WireGuard not working [SOLVED]

Wireguard is up, there is tunnel between server and all 4 peer Based on what have you concluded this? The wireguard interfaces are always shown as Running, even if no peers are configured. So it requires sniffing to determine whether the communication between the peers has indeed been established. F...
by sindy
Sat Sep 07, 2024 12:27 pm
Forum: General
Topic: Odd LTE issue
Replies: 13
Views: 930

Re: Odd LTE issue

First, what do /interface/lte/monitor lte1 duration=1s and /ip/address/print where interface=lte1 show (obfuscate a public IP if you get one)? Second, can you ping 8.8.8.8 from the router itself? Third, if not, open a command line window, make it as wide as your screen allows, run /tool sniffer quic...
by sindy
Sat Sep 07, 2024 10:44 am
Forum: General
Topic: Forward all local traffic for all IPs to certain gateway [SOLVED]
Replies: 6
Views: 681

Re: Forward all local traffic for all IPs to certain gateway [SOLVED]

Assuming that neither Router C itself nor any client connected to it use 10.0.0.1, on Router C, you can add a route to 10.0.0.1/32 via the address of Router B in 10.20.x.x, and then you can make Router C selectively respond with its own address only to 10.0.0.1 using /ip arp add address=10.0.0.1 int...
by sindy
Sat Sep 07, 2024 10:13 am
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 949

Re: v6 IPSEC problems

First, is my assumption correct that currently both devices have a public IP address on their WAN, so IPsec does not have to encapsulate ESP packets into UDP? Second, there is nothing in chain input of your firewall filter rules that would permit the Main Office router to accept incoming IKEv2 conne...
by sindy
Sat Sep 07, 2024 9:53 am
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 949

Re: v6 IPSEC problems

You may want to revisit the configuration of the Main Office router and improve the obfuscation.
by sindy
Sat Sep 07, 2024 9:38 am
Forum: General
Topic: Forward all local traffic for all IPs to certain gateway [SOLVED]
Replies: 6
Views: 681

Re: Forward all local traffic for all IPs to certain gateway [SOLVED]

configure it so that it replies to ALL possible IPs with its own MAC and forwards all traffic to router C, say, 10.20.0.1. I figure you mean all possible IPs within 10.0.0.0/24, as that is all it ever gets any traffic for from Router A, is that a correct assumption? The key here is the proxy-arp f...
by sindy
Fri Sep 06, 2024 10:56 pm
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1426

Re: IPv6 for SSH Tunnel Server

right? right. Is there any special settings required for CHR1? None I would be aware of. If you can telnet to port 80 on the global IP of CHR2 from CHR1 (in terms that the TCP connection gets established) and ssh forwarding is enabled ( forwarding-enabled: both ) on CHR1, it should work also via th...
by sindy
Fri Sep 06, 2024 9:31 pm
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1426

Re: IPv6 for SSH Tunnel Server

... couldn't get any traffic over IPv6, which I guess is due to the fact that there are some configs and setting missing on my routeros end which I don't know of :( ... proxy forwarding without any additional settings on Linux itself ... I have just tested the suggestion of @mkx with PuTTY where I'...
by sindy
Fri Sep 06, 2024 9:13 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1754

Re: VoIP no incoming calls

I have to test how exactly the endpoint-independent-nat works before commenting on the case when there is no manually configured dst-nat rule but the action of the rule in srcnat is the endpoint-independent-nat one, so I won't speculate here until then. Did you already investigate this? So I've...
by sindy
Thu Sep 05, 2024 10:05 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1301

Re: Route wireguard peers through vxlan

OK, so indeed ether2-clientB is an access port to VLAN 88 on bridge1 , same like vxlan2-home . But in that case, the topic actually changes from "why is the packet for (presumably) 192.168.189.x that came in via ether2-ClientB routed using a 'wrong' route" to "why is the packet that c...
by sindy
Thu Sep 05, 2024 9:08 pm
Forum: General
Topic: Separate multiple public IPs to different devices [SOLVED]
Replies: 10
Views: 1461

Re: Separate multiple public IPs to different devices [SOLVED]

If the router was offline for long enough that the lease has expired (or if the interface to which the DHCP client is attached went down), a new lease is requested rather than the previous one being renewed, and therefore the script does get invoked.
by sindy
Thu Sep 05, 2024 8:39 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1301

Re: Route wireguard peers through vxlan

Since VxLAN is normally used for L2 tunneling, I did not study your config too deeply at first and assumed that the issue was with routing of the VxLAN transport packets (the UDP ones carrying the payload L2 frames inside), sorry for this lack of concentration. However, when looking at it with more ...
by sindy
Thu Sep 05, 2024 8:03 pm
Forum: General
Topic: Multiple L2TP/IPSEC clients dropping over Starlink
Replies: 2
Views: 361

Re: Multiple L2TP/IPSEC clients dropping over Starlink

The explanation why this happens and the solution if you insist on L2TP/IPsec is here ; further in the discussion there are some suggestions what else to use, but in my case, I use SSTP clients on the remote Mikrotiks to manage them remotely. Be aware that using SSTP without at least a server-side c...
by sindy
Wed Sep 04, 2024 9:48 pm
Forum: General
Topic: SSTP VPN issue -certificate fails Terminated in root
Replies: 1
Views: 350

Re: SSTP VPN issue -certificate fails Terminated in root

One possible cause of this is that some security appliance on the path between the client and the server inspects the payload of the TLS connections using MITM techniques, i.e. it behaves as a client towards the server and presents an ad-hoc certificate signed by its own root CA to the client. Fro...
by sindy
Wed Sep 04, 2024 9:38 pm
Forum: General
Topic: Separate multiple public IPs to different devices [SOLVED]
Replies: 10
Views: 1461

Re: Separate multiple public IPs to different devices [SOLVED]

There is a script item of the dhcp client, which is invoked each time the DHCP assignment changes (address is lost, address is obtained, address is changed); it is not invoked if the lease is renewed without any change. So instead of scheduling the scripts for a periodical run, you can just set this ...
by sindy
Wed Sep 04, 2024 9:27 pm
Forum: General
Topic: disable logging on ip tunnels
Replies: 5
Views: 580

Re: disable logging on ip tunnels

i use ipip tunnels from each side , i don't see any passive options That's the case I have anticipated above - you've told RouterOS to create the IPsec configuration providing the IPsec encryption for the IPIP tunnel for you automatically, by setting ipsec-secret parameter of the row of /interface/...
by sindy
Wed Sep 04, 2024 9:12 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1301

Re: Route wireguard peers through vxlan

I'm still missing something because the return traffic is routed using the catchall route to the WAN interface where it's getting lost obviously. I've reviewed the post I've linked and it indeed does not deal with anything but the mangle rules, assuming that the reader already understands the rest o...
by sindy
Wed Sep 04, 2024 8:00 pm
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1426

Re: IPv6 for SSH Tunnel Server

Can you elaborate on how you connect via the ssh "tunnel"? Do you configure forwarding to a particular address:port combination (or a list of them) or you use the proxy mode tunneling?
by sindy
Wed Sep 04, 2024 5:17 pm
Forum: General
Topic: Mikrotik Vlan
Replies: 2
Views: 333

Re: Mikrotik Vlan

Most likely yes if you post the export of your configuration (go to command line, use /export hide-sensitive file=somenicename , then download somenicename.rsc , open it using a text editor, obfuscate public addresses and other sensitive information and post the result here between [ code] and [ /co...
by sindy
Wed Sep 04, 2024 4:16 pm
Forum: General
Topic: IPSEC between 2 Mikrotik behind ISP modem
Replies: 1
Views: 298

Re: IPSEC between 2 Mikrotik behind ISP modem

Such a setup is indeed possible. Post exports of both Mikrotik devices to get to the root cause of that "no Phase 2". When obfuscating public IP addresses, take care so that all occurrences of the same public subnet are aliased the same, i.e. that the obfuscation does not break the relatio...
by sindy
Mon Sep 02, 2024 9:45 pm
Forum: General
Topic: disable logging on ip tunnels
Replies: 5
Views: 580

Re: disable logging on ip tunnels

One of the parameters of an /ip ipsec peer item is passive ; if you set it to yes , the device will only act as a responder for that peer, i.e. it will not try to establish a connection to it actively (i.e. act as an initiator). With passive set to no , which is the default, it does both. If you use...
by sindy
Mon Sep 02, 2024 9:37 pm
Forum: General
Topic: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wrong
Replies: 20
Views: 2720

Re: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wr

As was explained to me, Ping is checking to see if something is UP or ON, while ARP is checking if something is down or OFF. Reverse viewpoint same results...... Nope. Just some devices choose to respond only at protocols and ports they like, so they may ignore even pings from their connected su...
by sindy
Mon Sep 02, 2024 9:31 pm
Forum: General
Topic: Simple failover on dhcp server
Replies: 19
Views: 1331

Re: Simple failover on dhcp server

The example Sindy posted, making use of the scheduler, runs every x time so it needs both a check and a conditional execution inside the script. The only reason why I prefer scheduled scripts to netwatch is that netwatch can monitor only a single host, so if that host becomes unreachable (and I hav...
by sindy
Mon Sep 02, 2024 9:22 pm
Forum: General
Topic: Separate multiple public IPs to different devices [SOLVED]
Replies: 10
Views: 1461

Re: Separate multiple public IPs to different devices [SOLVED]

Sounds like my skill issue :D "Skill" and "experience with the oddities of various ISPs" are not the same thing :) I'd suggest to disable just the routing rule and try the same ping again - if that prevents the pings from getting responded, we can be sure that the ISP indeed che...
by sindy
Sun Sep 01, 2024 10:42 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1301

Re: Route wireguard peers through vxlan

I would expect the traffic to return the same way it came in. That's exactly what does not happen automatically. The basic routing only takes into account the destination address. If you want the route to be chosen according to any additional criteria, like the source address, protocol, source and/...
by sindy
Sun Sep 01, 2024 5:47 pm
Forum: General
Topic: [Help] Setting Up MikroTik FTTH Connection
Replies: 4
Views: 863

Re: [Help] Setting Up MikroTik FTTH Connection

Step 1 - insert the Huawei ONU SFP into SFP port 1 of your CRS. Check whether interface ethernet monitor sfp-sfpplus1 (or an equivalent in Winbox) even shows you the module. Step 2 - if it does, create a new bridge interface, and move one of the copper Ethernet ports (basically any of them except th...
by sindy
Sun Sep 01, 2024 4:44 pm
Forum: General
Topic: Unable to get basic VXLAN tunnel to work over Wireguard
Replies: 5
Views: 656

Re: Unable to get basic VXLAN tunnel to work over Wireguard

Since the VxLAN transport is not "symmetric" in terms that the packets from node A to node B use the port specified in the /interface vxlan vteps table as destination but a randomly chosen one as source, and so do the packets from node B to node A, could it be that a firewall on the Linux ...
by sindy
Sun Sep 01, 2024 4:09 pm
Forum: General
Topic: Separate multiple public IPs to different devices [SOLVED]
Replies: 10
Views: 1461

Re: Separate multiple public IPs to different devices [SOLVED]

A lot depends on how paranoid your ISP is - they may check whether you send the packets from an IP address from the same MAC address from which you have requested the lease of that IP address. So first of all I would check that the dhcp client attached to the macvlan interface has a valid lease, and ...
by sindy
Sun Sep 01, 2024 2:41 pm
Forum: General
Topic: disable logging on ip tunnels
Replies: 5
Views: 580

Re: disable logging on ip tunnels

Sadly, there is no way to selectively suppress IPsec logs per peer (or interface logs per interface, ...). If you can set the peers at your side to passive mode, you can reduce that to a single error as the branch disconnects.
by sindy
Sun Sep 01, 2024 2:21 pm
Forum: General
Topic: Help please, router working only as a bridge.
Replies: 11
Views: 896

Re: Help please, router working only as a bridge.

The above may be confusing, so if you haven't changed anything yet as compared to the configuration you have posted, copy-paste the following rows into a terminal window one by one: /ip pool set [find name=dhcp] ranges=192.168.88.10-192.168.88.254 /ip dhcp-server set [find name=dhcp1] interface=brid...
by sindy
Sun Sep 01, 2024 12:37 pm
Forum: General
Topic: Help please, router working only as a bridge.
Replies: 11
Views: 896

Re: Help please, router working only as a bridge.

Oops, I have missed this one:

/interface bridge port
add bridge=bridge1 hw=no interface=ether1


So this one does explain why ether1 is bridged with the remaining ports.

But it places a big question mark over the presumed "reset to defaults", it seems it has never actually happened.
by sindy
Sun Sep 01, 2024 12:03 pm
Forum: General
Topic: Help please, router working only as a bridge.
Replies: 11
Views: 896

Re: Help please, router working only as a bridge.

Weird but zip file can not be extracted or opened, errors invalid file etc. downloaded by WinBox. Only was able to view file if open it without extraction inside WinRar Nothing weird about that - it indeed is a plain text file. .rsc probably stands for RouterOS Script or so. There are several wei...
by sindy
Sat Aug 31, 2024 10:20 pm
Forum: General
Topic: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wrong
Replies: 20
Views: 2720

Re: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wr

When a PPP-something (L2TP, SSTP, PPTP, even OpenVPN) client establishes a connection to the server, a virtual interface is created for that client on the server, the name consisting of a <pppoe- prefix, the username, eventually an order extension like -2, and a suffix >. So if user john has conn...
by sindy
Sat Aug 31, 2024 8:49 pm
Forum: General
Topic: NAS-IP-Address ATTRIBUTE not working
Replies: 2
Views: 580

Re: NAS-IP-Address ATTRIBUTE not working

Nothing in https://help.mikrotik.com/docs/display/ROS/User+Manager#UserManager-Overview suggests that User Manager could (currently!) use anything else than User-Name and Calling-Station-Id when searching through the list of users. The attributes list configured for a user indicates which attributes...
by sindy
Sat Aug 31, 2024 3:59 pm
Forum: General
Topic: IPv6 over SSTP [SOLVED]
Replies: 2
Views: 611

Re: IPv6 over SSTP [SOLVED]

1. the SSTP control and transport packets use the IP protocol you have chosen implicitly by setting an IPv4 or IPv6 connect-to address. Inside the transport packets, the PPP does its usual job, so there are more or less independent tunnels for each type of payload (IPv4, IPv6, BCP, MPLS, ...). 2. th...
by sindy
Sat Aug 31, 2024 3:25 pm
Forum: General
Topic: Simple failover on dhcp server
Replies: 19
Views: 1331

Re: Simple failover on dhcp server

Copy-paste the following commands into a command line window on each LHGG - it is not dangerous as the scheduler row will be added as disabled and a script does nothing until you execute it manually or using the scheduler (or another script). /system script add name=test-wan source=":local locG...
by sindy
Sat Aug 31, 2024 1:03 pm
Forum: General
Topic: Simple failover on dhcp server
Replies: 19
Views: 1331

Re: Simple failover on dhcp server

The way you describe it you indeed need a scheduled script at each LHGG that will check the transparency of the local WAN by pinging some addresses in the internet via the local ISP router, and if none of them responds, update the gateway item of /ip dhcp-server network with the IP address of the re...
by sindy
Fri Aug 30, 2024 4:47 pm
Forum: General
Topic: L2TP IPSEC Secrets [SOLVED]
Replies: 3
Views: 587

Re: L2TP IPSEC Secrets [SOLVED]

Da-a-a-m ba-a-a-d 🐑 (© 1900 Jerome Klapka Jerome) The thing is that the essence of all the challenge-based algorithms (including the two MS-CHAP ones) is not to transport the password itself across the link between the client and the server, so there is no way how it could get logged. So it might be...
by sindy
Fri Aug 30, 2024 4:12 pm
Forum: General
Topic: L2TP IPSEC Secrets [SOLVED]
Replies: 3
Views: 587

Re: L2TP IPSEC Secrets [SOLVED]

Not sure whether in the logs, but: if the client allows PAP, you can set the L2TP server to only accept PAP, and then you will see the password in plaintext - at least in .pcap (sniff) if not in the log. Otherwise you'll have to assign new passwords to the users.
by sindy
Fri Aug 30, 2024 3:26 pm
Forum: General
Topic: Problem with L2tp+ipsec connection gateway(remote users)
Replies: 2
Views: 320

Re: Problem with L2tp+ipsec connection gateway(remote users)

Windows use a specific method to obtain a route list from the VPN server - they send a DHCPINFORM request asking for Option 249, which is a route list. The only VPN type where RouterOS responds to this request is bare IKEv2 (and to make things worse, I have recently come across a case where a particula...
by sindy
Fri Aug 30, 2024 11:22 am
Forum: General
Topic: Simple failover on dhcp server
Replies: 19
Views: 1331

Re: Simple failover on dhcp server

I would say that what you need to look at is VRRP. Assuming you now have physical.ip.A and physical.ip.L as the addresses of the two routers on sites A(DSL) and L(TE) respectively, you would add two VRRP interfaces to each router, one with virtual.ip.A and the other one with virtual.ip.L, but the pr...
by sindy
Thu Aug 29, 2024 9:09 pm
Forum: General
Topic: Help please, router working only as a bridge.
Replies: 11
Views: 896

Re: Help please, router working only as a bridge.

as a bridge I use WAN port to connect main router and then any LAN port to connect to laptop/PC in PTP Bridge AP mode all working good including Wi-fi, just tested Please post the export of the configuration: run /export hide-sensitive file=somenicename in terminal download somenicename.rsc to your...
by sindy
Thu Aug 29, 2024 7:38 pm
Forum: General
Topic: Guidance on Internal Fiber [SOLVED]
Replies: 9
Views: 1238

Re: Guidance on Internal Fiber [SOLVED]

...and if you purchased both the SFPs and the patchcords in the same human-operated shop, I would suggest to use some other one.
by sindy
Thu Aug 29, 2024 7:35 pm
Forum: General
Topic: Guidance on Internal Fiber [SOLVED]
Replies: 9
Views: 1238

Re: Guidance on Internal Fiber [SOLVED]

Since the existing cables are orange (but my color perception is not ideal so I may be wrong), your choice of SFP was incidentally correct (orange coating normally means multimode), whereas your choice of the adaptor patchcords was incidentally wrong (yellow coating normally means single mode). The ...
by sindy
Thu Aug 29, 2024 1:01 pm
Forum: General
Topic: CapXL simple VLAN tagging [SOLVED]
Replies: 15
Views: 1234

Re: CapXL simple VLAN tagging [SOLVED]

There are actually three elements under a common name bridge - the virtual switch, one of its ports, and an interface of the router that is connected to that port. The virtual switch does not touch VLAN tags when forwarding frames from one port to another; the tag may be added as the frame ingresses...
by sindy
Thu Aug 29, 2024 12:34 pm
Forum: General
Topic: CapXL simple VLAN tagging [SOLVED]
Replies: 15
Views: 1234

Re: CapXL simple VLAN tagging [SOLVED]

No idea what that indicates - in both cases the DHCP server indicates the same in-interface, vlan0.50. But the sniff shows that the DHCP server response arrives to ether1 without tag. I have no idea why that happens.
by sindy
Thu Aug 29, 2024 11:38 am
Forum: General
Topic: CapXL simple VLAN tagging [SOLVED]
Replies: 15
Views: 1234

Re: CapXL simple VLAN tagging [SOLVED]

The sniffing result shows that the tagging by the wireless stack works fine, and that the frame received from 2.4 GHz guest interface gets properly multicasted to the 5 GHz interface, ether1, and bridge. But there is no response from the router in what you posted. Can you add port=67 to the sniffer ...
by sindy
Thu Aug 29, 2024 10:48 am
Forum: General
Topic: CapXL simple VLAN tagging [SOLVED]
Replies: 15
Views: 1234

Re: CapXL simple VLAN tagging [SOLVED]

I also think that setting vlan-id=300 and vlan-mode=use-tag on the two wireless interfaces should be sufficient and you should not need to set vlan-filtering to yes on the bridge and use the pvid=300 setting on the /interface bridge port rows and the row for vlan-ids=300 settings in /interface bridg...
by sindy
Thu Aug 29, 2024 10:00 am
Forum: General
Topic: Virtual Subnet Trough Ipsec Tunnel - Mikrotik To Cisco
Replies: 6
Views: 457

Re: Virtual Subnet Trough Ipsec Tunnel - Mikrotik To Cisco

I may be wrong here, it's only my own conclusion from observing the behavior, as the description in the manual says something else (or maybe the same but in a Pythian wording): if you have two policies between the same peers, require allows to use the same pair of SAs to deliver packets matching to e...
by sindy
Thu Aug 29, 2024 9:35 am
Forum: General
Topic: Help please, router working only as a bridge.
Replies: 11
Views: 896

Re: Help please, router working only as a bridge.

It sounds very strange, as you say the management access is still possible and you could upgrade and downgrade it even using netinstall. Since netinstall is not exactly user friendly, I suppose you did check after netinstall what the version was using a normal management connection (winbox, webfig, ...
by sindy
Thu Aug 29, 2024 9:24 am
Forum: General
Topic: Virtual Subnet Trough Ipsec Tunnel - Mikrotik To Cisco
Replies: 6
Views: 457

Re: Virtual Subnet Trough Ipsec Tunnel - Mikrotik To Cisco

First of all, change the level parameter of both policies from required to unique. If that does not help, we'll dig further.
by sindy
Wed Aug 28, 2024 12:33 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1610

Re: Firewall drop DHCP across EoIP

Do you think I can or should add another layer of access as a backup to the WG?
I have already expressed my opinion on that here. An additional tunnel can be useful but it is not a panacea.
by sindy
Wed Aug 28, 2024 9:03 am
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

No updates were installed, just like the user posted on the Samsung site. Somehow, magically it started working. This is very strange. Somewhere at the beginning of that Samsung thread someone said that these "security updates" are downloaded in the background and installed without asking...
by sindy
Tue Aug 27, 2024 9:44 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1610

Re: Firewall drop DHCP across EoIP

I don't know if GRE, IPIP, or L2TP would be an alternative to EoIP that would satisfy the needs above, or if there is a better alternative (something without the unnecessary broadcast/multicast traffic problem). I'd suggest you study a bit of the networking basics, like the meaning of L2 and L3 in ...
by sindy
Tue Aug 27, 2024 8:15 pm
Forum: General
Topic: executing script from winbox failed, please check it manually
Replies: 13
Views: 2347

Re: executing script from winbox failed, please check it manually

What is the topics list for that log line?

19:13:29 fetch,info Download from api.telegram.org FINISHED
19:13:35 certificate,debug start CRL update
19:13:36 system,info,account user me logged in from 192.168.88.254 via ssh
by sindy
Tue Aug 27, 2024 5:24 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

It's at the other site with a working /56 IPv6 prefix.
I've got that, I just used the VLAN numbers from the problematic site as a shortcut. I should have written "WAN VLAN" instead of "VLAN 10" and "LAN VLAN" instead of "VLAN 2" to avoid confusion.
by sindy
Tue Aug 27, 2024 1:51 pm
Forum: General
Topic: Can't access a single website
Replies: 12
Views: 877

Re: Can't access a single website

Hehe. Remember English is not my first language. So the most accurate wording would probably be "been there, fucked that up myself, more than once" :D
by sindy
Tue Aug 27, 2024 1:48 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

However, the NS messages in the ND process refer to the global IPv6 address of the target, and not the solicited-node multicast address. It's weird. Or my IPv6 knowledge is a bit lacking. Maybe it's the effect of a properly configured static route on their part? Wait. By "target" you mean...
by sindy
Tue Aug 27, 2024 9:42 am
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1610

Re: Firewall drop DHCP across EoIP

Some change in vlan over wireless... sorry, I don't remember exactly, it's been years ago.
by sindy
Tue Aug 27, 2024 9:39 am
Forum: General
Topic: Can't access a single website
Replies: 12
Views: 877

Re: Can't access a single website

That's where selective thinking comes into play - the change (addition of the first EoIP interface to the bridge) was made so long before the issue with access to Yahoo got spotted that the relationship did not pop up immediately, and when thinking back, it was "just adding EoIP to the bridge, ...
by sindy
Tue Aug 27, 2024 9:30 am
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

MT's Torch is showing some confusing info. Indeed. That's why I always use /tool/sniffer and, if necessary, Wireshark. I can see neighbor solicitation messages and the solicited-node multicast address from the ISP router that go unanswered. ...   I temporarily added an address from the internal pre...
by sindy
Tue Aug 27, 2024 9:04 am
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

IPv6 addresses are set without prefix length, they should have /64 included. Without it, it's taken to be /128 (just like in IPv4 it's assumed to be /32). This also caught my eye so I've made a test, and the default behavior in IPv6 indeed differs from the one in IPv4, at least in 7.15.3: [me@myTik...
by sindy
Mon Aug 26, 2024 10:48 pm
Forum: General
Topic: Can't access a single website
Replies: 12
Views: 877

Re: Can't access a single website

Mysteries like this one often happen if the MTU in your network becomes smaller than the "usual" 1500 for some reason and PMTUD (Path MTU Discovery) is broken (google up "criminally braindead ISP" to learn the details) on the path between the client and the server. So knowing abo...
by sindy
Mon Aug 26, 2024 10:36 pm
Forum: General
Topic: "Find" command [SOLVED]
Replies: 5
Views: 1395

Re: "Find" command [SOLVED]

the result of your test is the same using find or find where? ... an old discussion (can't find the link right now) that suggested find is used for single results I have never seen any difference between the results of find <condition expression> and find where <condition expression> . So I've tried...
by sindy
Mon Aug 26, 2024 10:10 pm
Forum: General
Topic: Ike2 Ipsec random peer connections after reboots
Replies: 3
Views: 1313

Re: Ike2 Ipsec random peer connections after reboots

For those who may have a similar problem or are interested, setting the PFS Group to none in the proposal solved the problem. It seems like an unrelated issue to me. A mismatch in PFS settings affects the connection at the first Phase 2 rekey, so typically in about half an hour after the communicat...
by sindy
Mon Aug 26, 2024 9:46 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

I still suspect on their side of the link they are doing the equivalent of Only now I understood what you had in mind in your previous post. Yes, indeed, since @kobuki explicitly mentioned "v6 ICMP Echo Request" to arrive to the remote host, I somehow did not expect that (s)he hasn't chec...
by sindy
Mon Aug 26, 2024 6:14 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1754

Re: VoIP no incoming calls

Unfortunately I soon will be on holiday Sounds funny to me to complain about being on vacation :) There is no static priority between manually configured dst-nat rules and src-nat ones (including endpoint-independent-nat). Any incoming packet is checked against a list of tracked connections (unless...
by sindy
Mon Aug 26, 2024 4:49 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1754

Re: VoIP no incoming calls

since I had added those two forwarding rules in the filter table I yet had no "stuck" calls anymore. Either this is just luck or those rules might capture the cases where the connection state is recognized from the endpoint-independent-nat/nat as new and would not be caught by the establi...
by sindy
Mon Aug 26, 2024 1:26 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1754

Re: VoIP no incoming calls

Would you suggest leaving the nat-traversal methods of the grandstreams to the keep-alive mechanism or rather switch to STUN? The whole purpose of STUN is to determine the behavior of the NAT behind which the phone is located, so that the phone could put the correct public address and port into the...
by sindy
Mon Aug 26, 2024 12:58 pm
Forum: General
Topic: Can not NAT packets after PBR [SOLVED]
Replies: 6
Views: 1132

Re: Can not NAT packets after PBR [SOLVED]

The reason why it does not work is that the first pass of the packet from client 2 to wan-srv (client 2 -> R1) uses the same IP addresses and ports like the second one (R1->wan-srv), so the RouterOS firewall handles them using the same tracked connection. So the initial packet of that connection (fr...
by sindy
Sun Aug 25, 2024 10:41 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

you configured the ether1, ether2 interfaces as access ports Indeed, and I have admitted that openly straight away :) However, I can't imagine how this difference should be related, given that you can ping the router itself from both sides (VLAN 10 and VLAN 2), so the IPv6 packets clearly do pass t...
by sindy
Sun Aug 25, 2024 10:01 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1754

Re: VoIP no incoming calls

set file-name=usb2/voip-debug.log filter-ip-protocol=udp filter-port=5066,5067 memory-limit=100000KiB memory-limit and file-limit are two different things, and the 3011 does not have that much memory, please fix that ASAP. Also, the default value of filter-operator-between-entries is or , so try fi...
by sindy
Sun Aug 25, 2024 9:37 pm
Forum: General
Topic: "Find" command [SOLVED]
Replies: 5
Views: 1395

Re: "Find" command [SOLVED]

There are many other places in RouterOS scripting where some keywords are optional. Maybe where used to be mandatory after find and now it remains only for backward compatibility reasons, like hide-sensitive which does nothing (as hiding sensitive information during export finally became the default...
by sindy
Sun Aug 25, 2024 9:03 pm
Forum: General
Topic: Mikrotik DDNS just doesn't work
Replies: 3
Views: 499

Re: Mikrotik DDNS just doesn't work

https://help.mikrotik.com/docs/display/ROS/Cloud :
/!\ IP/Cloud requires a working perpetual license on Cloud Hosted Router (CHR).
by sindy
Sun Aug 25, 2024 8:58 pm
Forum: General
Topic: I'm not finding the wireguard interface
Replies: 8
Views: 1622

Re: I'm not finding the wireguard interface

Leaving aside that I forgot to press Ctrl-C once so instead of pasting just the single ovpn-client line to my test CHR (to check what is the default value of add-default-route ), I pasted your complete configuration there, there is indeed no reason why enabling and disabling the ovpn client should i...
by sindy
Sun Aug 25, 2024 7:36 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

/interface bridge add frame-types=admit-only-vlan-tagged name=bridge protocol-mode=none vlan-filtering=yes /interface ethernet set [ find default-name=ether1 ] disable-running-check=no set [ find default-name=ether2 ] disable-running-check=no /interface vlan add interface=bridge name=bridge.402 vla...
by sindy
Sun Aug 25, 2024 6:37 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1754

Re: VoIP no incoming calls

OK, so no dynamic rules there. I wasn't sure how exactly Mikrotik has implemented the part of the RFC that mentions the filtering requirements related to endpoint-independent NAT, and as no rules have been added dynamically to filter (which would be kind of similar to dst-nat rules being added dynam...
by sindy
Sun Aug 25, 2024 5:02 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

I don't know whether it is a bad news or a good one, but I have replicated your setup as closely as I could on a CHR running 7.15.3, and it just works. In my case, ether1 is an access port in VLAN 410, and ether2 is an access port in VLAN 402, /interface/vlan for both vlan IDs are attached to the br...
by sindy
Sun Aug 25, 2024 3:29 pm
Forum: General
Topic: CA CRL OPENVPN
Replies: 8
Views: 595

Re: CA CRL OPENVPN

So you wanted the forum to confirm your suspicion before eventually filing a ticket? Sorry, that explanation did not come to my mind.

I wonder how many other people took my non-sterile formulations as insults but did not let me know :?
by sindy
Sun Aug 25, 2024 3:22 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1610

Re: Firewall drop DHCP across EoIP

Think of the EoIP tunnel the same way as a loooong Ethernet cable connecting two Ethernet interfaces on the two routers. So same steps would be required to use them as a backup communication channel. For example do not make either of the Ethernet interfaces a member port of any bridge, just ass...
by sindy
Sun Aug 25, 2024 3:01 pm
Forum: General
Topic: CA CRL OPENVPN
Replies: 8
Views: 595

Re: CA CRL OPENVPN

OK. So shall I get it that all you took from my whole post is that I've suggested you to send your valid concern where it will be handled in a form you perceive as offending? Can you imagine how many people believe that Mikrotik support staff reads every single post on the forum? How could I know yo...
by sindy
Sun Aug 25, 2024 2:43 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

I'm not sure this method would be adequate on the longer term.
Diagnostic. Temporary. Where did I suggest it as a long term solution :D ?
by sindy
Sun Aug 25, 2024 2:42 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

Could I run ndproxy in a separate server/VM? That might be a temporary solution, if it works. According to the description in the OP, folks at your ISP use the method mentioned in par. 4.1.4 of the RIPE document, i.e. they sacrifice a single /64 from the /48 they gave you as a link subnet. Could be...
by sindy
Sun Aug 25, 2024 2:25 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1610

Re: Firewall drop DHCP across EoIP

Advice? You can use EoIP just like any other L2 ("ethernet-like") interface without adding it to a bridge. And as an alternative (to Wireguard) way to access devices, there is also SSTP, L2TP/IPsec*, IPIP/IPsec* or even bare IPsec*... those marked with an asterisk can be set up using a pr...
by sindy
Sun Aug 25, 2024 1:18 pm
Forum: General
Topic: CA CRL OPENVPN
Replies: 8
Views: 595

Re: CA CRL OPENVPN

Indeed the ca-crl-host only makes sense if it is part of the CA certificate. Talking about that, a CRL on a private address also only makes sense in a limited number of real life scenarios. So apart from fixing a documentation bug (which requires to file a ticket at https://help.mikrotik.com/service...
by sindy
Sun Aug 25, 2024 12:51 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

Ah, sorry - TIL that whilst in RouterOS 6, no was the default for ingress-filtering , in 7.15.3 it is yes - not sure when exactly this change took place. As I saw pvid=2 on both the default port of the bridge and the row that makes ether1 a bridge port, I did not even think about such a change. Some...
by sindy
Sun Aug 25, 2024 4:53 am
Forum: General
Topic: I'm not finding the wireguard interface
Replies: 8
Views: 1622

Re: I'm not finding the wireguard interface

What went wrong?
No way to find out unless you post the export of your actual configuration.
by sindy
Sun Aug 25, 2024 3:36 am
Forum: General
Topic: CRS310-8G+2S+ is choking my internet bandwidth
Replies: 5
Views: 649

Re: CRS310-8G+2S+ is choking my internet bandwidth

Have you enabled routing in hardware? If not, your results are not surprising for a dual-core, 800 MHz, 32-bit ARM CPU.
by sindy
Sat Aug 24, 2024 9:14 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1804

Re: IPv6 routing using VLANs [SOLVED]

I suspect that setting frame-types to admit-only-vlan-tagged on the bridge is not sufficient alone and you also have to set ingress-filtering to yes if you want VLAN 2 to pass tagged through the bridge port of the virtual switch and the /interface/vlan interface to process it at the bridge interface...
by sindy
Sat Aug 24, 2024 3:39 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1610

Re: Firewall drop DHCP across EoIP

The input chain should block it, but given how the DHCP is hooked into the networking stack (e.g. you cannot block DHCP using IP firewall), I'm not sure whether blocking it is sufficient to prevent the DHCP stack from seeing them already on the member ports of the bridge. I'd say try with some other...
by sindy
Sat Aug 24, 2024 3:30 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 1610

Re: Firewall drop DHCP across EoIP

The bridge filter also uses chains, so if you block the server responses in forward, the Mikrotik itself will receive them, whilst other devices on the same bridge will not.
by sindy
Sat Aug 24, 2024 1:22 pm
Forum: General
Topic: List for interface type
Replies: 2
Views: 422

Re: List for interface type

You can add a whole interface list as a bridge member port rather than a single individual interface; if you do that, the interface list is a static member port of the bridge (so shown by export ) and the member interfaces of the list are added as dynamic member ports (so only shown by print ). You ...
by sindy
Sat Aug 24, 2024 3:49 am
Forum: General
Topic: Guidance on Internal Fiber [SOLVED]
Replies: 9
Views: 1238

Re: Guidance on Internal Fiber [SOLVED]

And an afterthought as you are apparently a true newbie in optics - there are multiple caveats: two parts of the connector shape: the "visible" one (on the picture, ST) and the "invisible" one - how the contact surface is polished (PC, UPC, and APC, where the first two are mutual...
by sindy
Sat Aug 24, 2024 1:45 am
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

What would you recommend as the simplest option to get a working connection from Android to the Mikrotik? Would it be to use the native VPN client or strongSwan? You can try with the native client, and if it still does not work, install Strongswan. The steps of installing a Let's Encrypt certificat...
by sindy
Sat Aug 24, 2024 1:42 am
Forum: General
Topic: Route some vlans to breakout via different internet gateway
Replies: 2
Views: 371

Re: Route some vlans to breakout via different internet gateway

What I have tried So what is it that you have actually tried? In the terminal window in Winbox, or in any other command line, run export hide-sensitive file=somenicename , then download somenicename.rsc , open it in your favourite text editor, obfuscate any public IP addresses, usernames to externa...
by sindy
Sat Aug 24, 2024 1:37 am
Forum: General
Topic: Guidance on Internal Fiber [SOLVED]
Replies: 9
Views: 1238

Re: Guidance on Internal Fiber [SOLVED]

Assuming you have LC-Duplex SFPs (one fiber for Tx, another one for Rx), have you tried to swap the two fiber connectors at one of the ends? Or perhaps you know exactly which one is which and you have connected Tx of one SFP to Rx of the other one and vice versa?
by sindy
Fri Aug 23, 2024 11:26 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

In this case I think you won't need to install strongSwan As in "the Samsung bug is only related to PSK authentication", which the thread dealing with that bug suggests. It implies that the same stock VPN client that fails to work with PSK should behave properly if using other authenticat...
by sindy
Fri Aug 23, 2024 11:17 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1754

Re: VoIP no incoming calls

It is not a big deal that a SIP provider gives you a choice of multiple IP addresses to register to, but normal SIP providers understand how a typical firewall and NAT works and send incoming calls to registered users from the same public IP and port to which said users have chosen to register. But ...
by sindy
Fri Aug 23, 2024 10:00 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

Guilty.
Nope, turns out it's me who has committed diagonal reading - the OP's issue is actually the same as @johnb175a's, except that the OP did not take as much effort to analyse it as @johnb175a :D
by sindy
Fri Aug 23, 2024 7:47 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

I do use Strongswan on my Android phone - https://play.google.com/store/apps/details?id=org.strongswan.android . It also has its caveats (if you want to access multiple remote subnets, you have to configure that in the client), but what may be most complicated for you is the authentication. The Andr...
by sindy
Fri Aug 23, 2024 7:10 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

This is so strange to me. Same here. All explanations I can imagine seem equally crazy to me. So in your opinion the VPN tunnel is working correctly? On Mikrotik side, yes. It receives the transport packet carrying the request, decrypts it, extracts the plaintext payload, delivers it to the destina...
by sindy
Fri Aug 23, 2024 6:45 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

I'm afraid we have exhausted all diagnostic steps we could use at Mikrotik side. In the log, every plaintext packet of 84 byte size is followed by an IPsec transport packet of 148 byte size, and there is no reason why encryption of the ICMP responses should differ from encryption of other payload pa...
by sindy
Fri Aug 23, 2024 5:30 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

I had to change this ... Sorry, mea culpa. I wasn't sure if you wanted the test done with it enabled or disabled. Disabled, but never mind, we've smashed two flies with a single sweep. The less important one is that indeed IPsec treats lo differently from other interfaces so if you ever need to pro...
by sindy
Fri Aug 23, 2024 4:02 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

I can imagine that it is the fact that 192.168.10.1/24 is attached to lo in particular (rather than some other interface) that breaks the access to the client, but if you can ping the client and get a response when this idea of @TheCat12 is not used, it means that some other route to 192.168.10.x (p...
by sindy
Thu Aug 22, 2024 10:21 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 3595

Re: My IKEV2 vpn stopped working

That's why I'll once again ask @sindy to have a look at your case This forum does not support automatic notifications when someone mentions you so the only reliable way of paging someone is to find a recent topic to which that user has contributed and post an off-topic message there (usually with a...
by sindy
Thu Aug 22, 2024 9:25 pm
Forum: General
Topic: Port forwarding to router itself doesn't work
Replies: 12
Views: 839

Re: Port forwarding to router itself doesn't work

Maybe this and this will help you understand the basic idea of how the firewall rules work and interact.
by sindy
Wed Aug 21, 2024 10:42 pm
Forum: General
Topic: Port forwarding to router itself doesn't work
Replies: 12
Views: 839

Re: Port forwarding to router itself doesn't work

my_server_ip is a public IP somewhere in the internet?
by sindy
Wed Aug 21, 2024 10:12 pm
Forum: General
Topic: Port forwarding to router itself doesn't work
Replies: 12
Views: 839

Re: Port forwarding to router itself doesn't work

First, given your location, I would not be surprised if incoming connections to port 1194 were blocked by your ISP by government order. Your dst-nat rule does not match on in-interface , so try to connect from the LAN side of your Mikrotik (a device in the 192.168.88.x/24 subnet) using telnet or cur...
by sindy
Wed Aug 21, 2024 9:45 pm
Forum: General
Topic: State of IPv6?
Replies: 4
Views: 754

Re: State of IPv6?

When acting as a DHCPv6 client, ROS 7 can also request an address for itself from an external DHCPv6 server, even together with the prefix.
by sindy
Wed Aug 21, 2024 1:59 pm
Forum: General
Topic: Unable to establish ipsec VPNs
Replies: 7
Views: 666

Re: Unable to establish ipsec VPNs

OK, so let's concentrate on a single session in the first scenario, choose one of the "outer" Mikrotiks and let's debug the current state. Show me the configuration exports of both of them, with public addresses and any kind of other sensitive information filtered out.
by sindy
Wed Aug 21, 2024 1:24 pm
Forum: General
Topic: Problem with MACVLAN configuration
Replies: 6
Views: 638

Re: Problem with MACVLAN configuration

So in this case, just using firewall rules can effectively separate the two subnets from each other? What exactly do you mean by separation of the subnets? You wanted each of the two LAN subnets to be reachable from the internet, and to send its own traffic to the internet, from another public address...
by sindy
Wed Aug 21, 2024 1:00 pm
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 875

Re: Fetch returns "failure: Unexpected payload received"

What I had in mind was to capture (sniff) the communication with Shelly when the request is sent from the browser and when it is sent from the Tik and use Wireshark to "find 10 differences" between the two cases. "Plaintext" means that the communication is not encrypted (you use ...
by sindy
Wed Aug 21, 2024 11:47 am
Forum: General
Topic: Fetch returns "failure: Unexpected payload received"
Replies: 14
Views: 875

Re: Fetch returns "failure: Unexpected payload received"

I don't think you should set Content-Type to json in the request, as there is no content at all in the request, the command for Shelly is in the url - only the result of the command comes as a json payload in the 200. But since it is plaintext http, sniffing should show you what the Shelly actually ...
by sindy
Wed Aug 21, 2024 11:43 am
Forum: General
Topic: Unable to establish ipsec VPNs
Replies: 7
Views: 666

Re: Unable to establish ipsec VPNs

"First scenario" mentions a single peer; what is the other peer in this scenario, another Mikrotik or a VPN client on a computer or phone? "Second scenario" mentions a "main mikrotik" and multiple remote clients - does MAP mean a Mikrotik mAP? Or did I get you wrong and...
by sindy
Tue Aug 20, 2024 10:25 pm
Forum: General
Topic: Occasional FIN or RST packet showing up on WAN from my private subnets
Replies: 9
Views: 866

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

funny you say that, I totally locked myself out of my crs309 earlier and had to use a serial console to get back into it :) Actually, that reminds me that whilst in ROS 6, the USB-to-serial converter was the only way and you had to configure it in advance, in ROS 7, I could dig my way back to a CRS...
by sindy
Tue Aug 20, 2024 10:10 pm
Forum: General
Topic: Routing Issue
Replies: 1
Views: 371

Re: Routing Issue

Your current config is messy - the bridge named bridge has pvid 199 and 10.20.99.200 is attached to that bridge itself, so it is reachable using frames tagged with VID199 via ether2. That's probably intended. It seems that ether49 is or used to be a member port of bridge mgmt , but you have somehow ...
by sindy
Tue Aug 20, 2024 9:28 pm
Forum: General
Topic: Occasional FIN or RST packet showing up on WAN from my private subnets
Replies: 9
Views: 866

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Well.. more elegant... Using switch chip rules for the purpose means not adding any load to the CPU, so the only better solution would be to apply the switch chip rules directly on the 5009 rather than on the 309. But I don't have one handy, so you have to check on your own whether the switch chip u...
by sindy
Tue Aug 20, 2024 9:06 pm
Forum: General
Topic: Problem with MACVLAN configuration
Replies: 6
Views: 638

Re: Problem with MACVLAN configuration

I applied that, and it worked perfectly. Now, if I want to route traffic for bridge1 through x.x.50.24 and traffic for bridge2 through x.x.50.25, is it enough to use routing rules? You don't need even that - the interface is the same for both addresses, and the gateway is the same as well, so your ...
by sindy
Tue Aug 20, 2024 3:43 pm
Forum: General
Topic: Unable to establish ipsec VPNs
Replies: 7
Views: 666

Re: Unable to establish ipsec VPNs

Sounds like your ISP has changed some settings. Since you mention "all", can you provide the details of the one with the simplest topology?
by sindy
Tue Aug 20, 2024 3:34 pm
Forum: General
Topic: How to notify for port's speed changing
Replies: 5
Views: 571

Re: How to notify for port's speed changing

:put ([/interface ethernet monitor ether1 once as-value]->"rate")
by sindy
Tue Aug 20, 2024 1:07 pm
Forum: General
Topic: Occasional FIN or RST packet showing up on WAN from my private subnets
Replies: 9
Views: 866

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

What are my options here?
The only solution I could ever find was to use bridge filter to drop packets escaping via WAN with any unexpected source address, but that is only possible for WANs using L2 interfaces ("IP over Ethernet" ones), not for PPP-based ones as those cannot be bridged.
by sindy
Tue Aug 20, 2024 12:01 pm
Forum: General
Topic: LtAP LTE6 DDNS
Replies: 1
Views: 476

Re: LtAP LTE6 DDNS

You haven't provided any details regarding the overall topology, so other explanations may exist. But assuming that the LTE is your only WAN: I have seen cases where the mobile operator was assigning "internal" public addresses to the LTE devices, but nevertheless was NATing them to other ...
by sindy
Mon Aug 19, 2024 10:55 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 3239

Re: Wireguard in 2nd WAN [SOLVED]

@Sindy, what's your take on dst-nat vs policy routing as a fix for the multiwan wireguard bug? Do you think it's possible to create a generic solution that only affects WireGuard's initial handshake? I still struggle to understand whether that weird behavior of Wireguard is indeed a bug or some clev...
by sindy
Mon Aug 19, 2024 8:52 pm
Forum: General
Topic: Internet adress forwarding [SOLVED]
Replies: 11
Views: 1318

Re: Internet adress forwarding [SOLVED]

Sorry... even after translating it back to your suspected first language I cannot imagine what "high cycling increasing ping" means... can you post an example of the output of the ping command?
by sindy
Mon Aug 19, 2024 8:48 pm
Forum: General
Topic: Problem with MACVLAN configuration
Replies: 6
Views: 638

Re: Problem with MACVLAN configuration

First of all, for what you describe (distinct dst-nat rules per public IP), you do not need to create a macvlan interface, it is enough to attach both public addresses to ether1 and simply let some of your dst-nat rules match on dst-address=x.x.50.24 and some on dst-address=x.x.50.25 . You only real...
by sindy
Mon Aug 19, 2024 11:26 am
Forum: General
Topic: Wireguard peer as exit node
Replies: 11
Views: 1104

Re: Wireguard peer as exit node

just self-taught guy I am afraid I can say the same about myself when it comes to networking, but I admit I have spent quite a lot of time on that :) Am I understanding you correctly ... this will "connect" wg0 and wg1 "networks"? All the way to the last statement I've quoted, y...
by sindy
Sun Aug 18, 2024 8:06 pm
Forum: General
Topic: [SOLVED] VPN L2TP IPSEC connect to one ip address only
Replies: 5
Views: 518

Re: VPN L2TP IPSEC connect to one ip address only

Not that it would matter, but next to the [Edit], [Report], and [Quote] buttons, there is also a [Mark as Solution] one. So instead of editing the topic title, pressing that button on the post that contained the final bit of the solution is normally used to mark the topic as solved.
by sindy
Sun Aug 18, 2024 7:31 pm
Forum: General
Topic: [SOLVED] VPN L2TP IPSEC connect to one ip address only
Replies: 5
Views: 518

Re: VPN L2TP IPSEC connect to one ip address only

OK, so the simplest change, in order to avoid breaking something else, will be to add another rule to the end of the forward chain: chain=forward src-address=10.10.10.10 dst-address=!10.0.1.10 action=drop But this is not what a secure firewall should look like. The firewall rules from the default c...
by sindy
Sun Aug 18, 2024 7:00 pm
Forum: General
Topic: [SOLVED] VPN L2TP IPSEC connect to one ip address only
Replies: 5
Views: 518

Re: VPN L2TP IPSEC connect to one ip address only

The name L2TP is a bit misleading. Unless the client device is another Mikrotik and you use BCP to extend the local L2 segment all the way to the client, the traffic between the client and the devices in LAN is actually routed, despite the fact that the address of the client fits into the LAN subnet...
by sindy
Sun Aug 18, 2024 1:28 pm
Forum: General
Topic: Question about RouterOS License
Replies: 2
Views: 418

Re: Question about RouterOS License

At the moment Mikrotik still proudly declares that there are no recurring fees, i.e. the validity of the licenses is not limited by time. Not even the ones for virtual routers (CHR).
by sindy
Sun Aug 18, 2024 12:06 pm
Forum: General
Topic: Wireguard peer as exit node
Replies: 11
Views: 1104

Re: Wireguard peer as exit node

On a worldwide forum, owls may talk to early birds, and each of them may be in another time zone, so you cannot expect immediate answers :) Issue #1 is that this is a Mikrotik forum and you effectively seek advice for Linux (Debian), and the people fluent in Linux are just a subset of forum members....