by sindy
Sat Jul 31, 2021 7:33 pm
Forum: General
Topic: SIP ALG issue not resolving.
Replies: 5
Views: 65

Re: SIP ALG issue not resolving.

Yes.
by sindy
Sat Jul 31, 2021 6:23 pm
Forum: General
Topic: SIP ALG issue not resolving.
Replies: 5
Views: 65

Re: SIP ALG issue not resolving.

Start by removing to-ports=9000-10999 from the dstnat rule with comment="3CX Media UDP". The thing is that if you specify the to-ports range, the firewall randomly assigns a port from that range to each connection; if you don't specify it, it only changes the address but keeps the origina...
by sindy
Sat Jul 31, 2021 3:25 pm
Forum: General
Topic: L2TP with IPsec - Traffic pass only if initial Traffic from remote Site
Replies: 1
Views: 79

Re: L2TP with IPsec - Traffic pass only if initial Traffic from remote Site

Thanks for any kind of hints. If it's necessary, I could share the configs... At "any kind of hint" level: look closely at the firewall rules at the 4011. The thing is that the default firewall rules of older RouterOS versions say (very simplified) "drop anything that comes from WAN ...
by sindy
Sat Jul 31, 2021 2:56 pm
Forum: General
Topic: NAT: Masquerade can leak private IP, why&how?
Replies: 21
Views: 629

Re: NAT: Masquerade can leak private IP, why&how?

How is the outcome: 1 SNAT/Masq-Rule with WAN-Interface-List (as Out Interface List) multiple SNAT/Masq-Rules with dedicated WAN-Interfaces (Out Interface) There's no difference in the outcome. Expanding into more detail: /interface list add name=WAN /interface list member add interface=wan1 list=W...
by sindy
Sat Jul 31, 2021 1:07 pm
Forum: General
Topic: NAT: Masquerade can leak private IP, why&how?
Replies: 21
Views: 629

Re: NAT: Masquerade can leak private IP, why&how?

Personally seen UDP traffic leaking from NAT as well in both: I didn't write that an UDP packet can never leak with a source IP unchanged - I just wrote that it cannot happen where the removal of the NATed connection from the list of tracked ones is caused by that connection being terminated at pro...
by sindy
Sat Jul 31, 2021 9:21 am
Forum: General
Topic: NAT: Masquerade can leak private IP, why&how?
Replies: 21
Views: 629

Re: NAT: Masquerade can leak private IP, why&how?

There are two separate phenomena that cause the leakage. A src-nated connection is only removed from the connection tracking list when the router loses the address used as that connection's reply-dst-address and the src-nat handling has been triggered by an action=masquerade rule. Connections whose ...
by sindy
Thu Jul 29, 2021 3:46 pm
Forum: General
Topic: Port Forward - Translate to local IP
Replies: 4
Views: 162

Re: Port Forward - Translate to local IP

OK, and what do you expect from me now? To me this example seems to work, does it fail? It could be also simplified to reduce the CPU load.
by sindy
Thu Jul 29, 2021 10:05 am
Forum: General
Topic: Port Forward - Translate to local IP
Replies: 4
Views: 162

Re: Port Forward - Translate to local IP

Port forwarding is a dst-nat operation, which is performed before the packet enters the routing process. Source address change (a src-nat operation) takes place after the packet has been routed. Hence you need a separate action=src-nat rule in chain=srcnat of /ip firewall nat. Maybe you need the ac...
by sindy
Thu Jul 29, 2021 9:41 am
Forum: General
Topic: Semi-randomly change src-port originating from ROS - is it possible?
Replies: 2
Views: 109

Re: Semi-randomly change src-port originating from ROS - is it possible?

If I remember well, the netfilter module in the kernel does support stateless NAPT (i.e. a per-packet one), but configuration of this feature is not available in RouterOS. But that doesn't matter much as it wouldn't help per se for reasons @mkx has explained. Instead, try setting up multiple wiregua...
by sindy
Thu Jul 29, 2021 9:12 am
Forum: General
Topic: Block Ping request
Replies: 31
Views: 15444

Re: Block Ping request

You don't seriously relate the source IP address of an attack with the person behind that attack, do you? I'm afraid that there are simply most public IPv4 addresses per country in the U.S., so if we assume that the share of vulnerable systems is equal everywhere, the most zombies following someone ...
by sindy
Wed Jul 28, 2021 8:30 pm
Forum: General
Topic: IPSec VPN tunnels not working when upgraded to 6.45.1
Replies: 10
Views: 7026

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

What problem in particular do you have in mind? If the "clients" (initiators) are on dynamic addresses, but the "server" (responder) is on a static one, there is no problem atop short time interruptions when the client's address changed. If the "server" is on a dynamic ...
by sindy
Mon Jul 26, 2021 9:36 pm
Forum: General
Topic: Site to Site IPsec - muti subnet routing & capturing
Replies: 4
Views: 248

Re: Site to Site IPsec - muti subnet routing & capturing

What you are essentially looking for is the "culprit" of the issue. If everything works properly: an icmp echo request packet is sent by the PC it reaches router A whose firewall lets it in the packet gets routed using the regular routing at router A via some interface the header of this p...
by sindy
Mon Jul 26, 2021 2:25 pm
Forum: General
Topic: Site to Site IPsec - muti subnet routing & capturing
Replies: 4
Views: 248

Re: Site to Site IPsec - muti subnet routing & capturing

Payload packets being sent via an IPsec SA cannot be captured using /tool sniffer, whereas received payload packets decapsulated from IPsec SA transport packets can. They used to appear in the capture earlier than the transport packets that brought them, which was rather confusing; I don't know whe...
by sindy
Mon Jul 26, 2021 12:43 pm
Forum: General
Topic: OVPN client unable to reach internal network
Replies: 15
Views: 775

Re: OVPN client unable to reach internal network

As VPN internal traffic, I tried to do the firewall rule via IP matching. I was monitoring the packet movement and the count was always 0. If you take the very same rule that now matches on in-interface=the-one-representing-that-client-tunnel and make it match on src-address=the.internally.assigned...
by sindy
Sun Jul 25, 2021 8:27 pm
Forum: General
Topic: OVPN client unable to reach internal network
Replies: 15
Views: 775

Re: OVPN client unable to reach internal network

Matching traffic by interface is a tiny bit more secure than matching it by IP address, because the source address can be spoofed, and some attacks may possibly not need a response. But no matter which packet property you choose for matching, the key was to place the rule at the proper position in t...
by sindy
Sat Jul 24, 2021 12:00 am
Forum: General
Topic: How to access local resources via a VPN if ARP is set to reply-only (static)?
Replies: 1
Views: 417

Re: How to access local resources via a VPN if ARP is set to reply-only (static)?

"Different IP pool" is not the same thing as "different IP subnet". If you use different subnets for the L2TP clients and for the LAN hosts, you won't need proxy-arp. If this is already the case, and the L2TP clients cannot access LAN resources despite that, it must be a firewall...
by sindy
Thu Jul 22, 2021 5:02 pm
Forum: General
Topic: OVPN client unable to reach internal network
Replies: 15
Views: 775

Re: OVPN client unable to reach internal network

OK, so maybe start from reading this post , and also have a look at the packet flow diagram to find out what are the roles of the input and forward chains. And also google something regarding the concept of a stateful firewall and the role of the connection tracking and the connection-state property...
by sindy
Wed Jul 21, 2021 11:42 pm
Forum: General
Topic: OVPN client unable to reach internal network
Replies: 15
Views: 775

Re: OVPN client unable to reach internal network

OK. Now please post the export of firewall filter rules alone, but including the rule you tried to add in order to let the OVPN client connect to the individual subnets/VLANs. When looking at your rules, I have a feeling that you haven't completely grasped how they work, but I may be wrong.
by sindy
Wed Jul 21, 2021 1:27 pm
Forum: General
Topic: OVPN client unable to reach internal network
Replies: 15
Views: 775

Re: OVPN client unable to reach internal network

You've exported the part of configuration you assume to be related, but the issue is typically where you do not expect it. That's why my signature doesn't say /<some particular branch> export hide-sensitive but /export hide-sensitive . e.g. here, the firewall rules you use refer to interface-list it...
by sindy
Wed Jul 21, 2021 1:15 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 1070

Re: Cannot access router over trunk+switch

It surprises me that you can only see ARP responses, because the requests are sent from the individual MAC address to a broadcast one (ff:ff:ff:ff:ff:ff), so if you filter using the MAC address of the remote device at each side, you should see both. Another question, what are your STP settings on al...
by sindy
Tue Jul 20, 2021 7:48 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 1070

Re: Cannot access router over trunk+switch

Given that the size of the frame carrying the echo request when it arrives to r02 doesn't differ between the two cases (sw01 connected to r02 directly and sw01 connected to r02 via sw02), and that the frame arrives to r02 with a VLAN tag, I would assume that there is no issue with missing tags or, i...
by sindy
Mon Jul 19, 2021 9:06 pm
Forum: General
Topic: How to connect 2 networks
Replies: 7
Views: 425

Re: How to connect 2 networks

I need them to communicate two way, so basically all I need to do is add this FW rule? You need to add more rules than this one - maybe check this post first? With a stateful firewall, "to communicate two way" and "to be able to initiate a new connection from either side" are not...
by sindy
Mon Jul 19, 2021 8:52 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 1070

Re: Cannot access router over trunk+switch

I hazily remember someone here had a mysterious-looking problem with some specific CSS model. Can you sniff on the devices between which SW02 is placed, in order to eventually spot some VLAN tags not to be added where they should have been or added where they should not have been?
by sindy
Fri Jul 16, 2021 11:47 am
Forum: General
Topic: OVPN client unable to reach internal network
Replies: 15
Views: 775

Re: OVPN client unable to reach internal network

To get an assistance, you must provide useful information. See my automatic signature just below for a hint.
by sindy
Thu Jul 15, 2021 5:51 pm
Forum: General
Topic: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails
Replies: 16
Views: 824

Re: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails

Here, Offset Hex is the right choice (or Offset Hex Text, but it has no advantage for this purpose). What makes you use such an old release of Wireshark, the operating system is too old to be supported by contemporary Wireshark releases?
by sindy
Thu Jul 15, 2021 2:43 pm
Forum: General
Topic: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails
Replies: 16
Views: 824

Re: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails

I've told you exactly how to get a hex dump of the packet data from Wireshark and you've nevertheless posted a screenshot 😞 Also the log can be obtained in text form, which is much more useful for analysis: run /log print follow-only file=some-name do the action that needs to be logged press Ctrl-C ...
by sindy
Tue Jul 13, 2021 10:16 pm
Forum: General
Topic: RBM33g, how to bind the hardware slot lte0 to the Winbox's LTE1 label, and lte1 to the LTE2 label?
Replies: 8
Views: 482

Re: RBM33g, how to bind the hardware slot lte0 to the Winbox's LTE1 label, and lte1 to the LTE2 label?

I've asked for two prints (with both SIMs inserted and with only one). But as you can see, everything is the same except for the USB address.

As you can see here, the only difference is the USB address. Whether RouterOS links the LTE interface name to the USB address is a question for developers.
by sindy
Tue Jul 13, 2021 10:02 pm
Forum: General
Topic: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails
Replies: 16
Views: 824

Re: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails

OK. So could it be that you've sent to support only the supout.rif from the TekRADIUS case? To conclude whether the MSK AVP is really present in the packet or it is a parsing error at RouterOS side, I need the .pcap file or a hexdump of the frame carrying the Access-Accept - right click the row in t...
by sindy
Mon Jul 12, 2021 10:20 pm
Forum: General
Topic: RBM33g, how to bind the hardware slot lte0 to the Winbox's LTE1 label, and lte1 to the LTE2 label?
Replies: 8
Views: 482

Re: RBM33g, how to bind the hardware slot lte0 to the Winbox's LTE1 label, and lte1 to the LTE2 label?

The MAC addresses are both mac-address=AC:FF:FF:00:00:00 and I do not understand how Mikrotik works in this case Since the two MAC addresses are not in the same L2 segment, it doesn't matter for network operation that they are identical - e.g. two /interface vlan hooked to the same bearer interface sh...
by sindy
Mon Jul 12, 2021 7:21 pm
Forum: General
Topic: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails
Replies: 16
Views: 824

Re: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails

It's a forum, and I'm a fellow user, not a member of Mikrotik support staff. So I can give you advice, and I can analyse the data you collect, but I have enough else to do, so I won't spend my time by the routine of data collection. I've only tried to turn your attention to the fact that there is a ...
by sindy
Mon Jul 12, 2021 9:37 am
Forum: General
Topic: How to config mikrotik to be able to access it via winbox with pivpn+wireguard? [SOLVED]
Replies: 4
Views: 533

Re: How to config mikrotik to be able to access it via winbox with pivpn+wireguard? [SOLVED]

You expect too much mentalist capability from the forum users as you don't provide any details about the network topology, routes etc. Is 192.16.88.x a typo or the second byte is really 16? Is there a route to 10.6.0.2 on the Mikrotik via 192.16.88.10 (the RPi's address in the common subnet)? Do the...
by sindy
Mon Jul 12, 2021 9:23 am
Forum: General
Topic: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails
Replies: 16
Views: 824

Re: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails

Since you don't obfuscate any identifiers (MAC addresses, IP addresses), posting the .pcap files would have been more useful than posting an incomplete set of screenshots. In the analysis of Emīls, there is an Access-Accept message, whereas on your screenshots from both the TekRADIUS and the NPS, th...
by sindy
Sun Jul 11, 2021 3:55 pm
Forum: General
Topic: How to config mikrotik to be able to access it via winbox with pivpn+wireguard? [SOLVED]
Replies: 4
Views: 533

Re: How to config mikrotik to be able to access it via winbox with pivpn+wireguard? [SOLVED]

Where it "cannot be seen"? If you mean you cannot see the Mikrotik in the neighbor list of Winbox, that a) is no surprise as the Mikrotik Neighbor Discovery Protocol is a broadcast one whereas your Mikrotik and the laptop where the Winbox is running are in different IP subnets, b) doesn't ...
by sindy
Sun Jul 11, 2021 2:14 pm
Forum: General
Topic: ASK[CAPsMAN]
Replies: 13
Views: 778

Re: ASK[CAPsMAN]

The identity-regexp and common-name-regexp are useful in large networks with tens or even hundreds of cAPs where some groups of cAPs need specific configurations not due to their technical parameters (support of various frequency bands and Modulation and Coding Schemes) but e.g. due to "geograp...
by sindy
Sun Jul 11, 2021 12:22 pm
Forum: General
Topic: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails
Replies: 16
Views: 824

Re: MikroTik Router cooperates with Windows server 2016 NPS, IKEv2-VPN authentication fails

Since Emīls has declared a clear suspicion regarding the root cause, my first step would be to verify that suspicion. First, sniff the packet exchange between Mikrotik and the Radius server, and check (using Wireshark) that the MSK information element is actually present in the Access-Accept message...
by sindy
Sun Jul 11, 2021 12:11 pm
Forum: General
Topic: ASK[CAPsMAN]
Replies: 13
Views: 778

Re: ASK[CAPsMAN]

You mean how you can automate the creation of the interface names?
by sindy
Sun Jul 11, 2021 11:08 am
Forum: General
Topic: ASK[CAPsMAN]
Replies: 13
Views: 778

Re: ASK[CAPsMAN]

I'm not sure I understand your expectation properly, but if you assume that the regexp is used to control what name will be assigned to the interface created according to the rule, it is a wrong assumption. All the regexp fields are match fields, i.e. they are used to select cAPs to which the rule w...
by sindy
Sun Jul 11, 2021 9:14 am
Forum: General
Topic: ASK[CAPsMAN]
Replies: 13
Views: 778

Re: ASK[CAPsMAN]

Show me the complete provisioning rules including the exact regexps that don't work and the exact names and MAC addresses (or certificate common names if you use them) of the cAPs that should match these regexps but don't. Do you realize that the caps-man provisioning rules are processed the same wa...
by sindy
Sat Jul 10, 2021 5:34 pm
Forum: General
Topic: Help MT constantly sending request to Google
Replies: 22
Views: 889

Re: Help MT constantly sending request to Google

Okay, so if I get you right, you know you've got some issue somewhere in your network because your public IP is getting blacklisted, but you don't know what went actually wrong and these DNS requests are just the first thing you've noticed so far? On your last screenshot, the packets to Google DNS s...
by sindy
Sat Jul 10, 2021 5:21 pm
Forum: General
Topic: Port Forwarding of a Moxa NPort 5150A Not Working
Replies: 17
Views: 718

Re: Port Forwarding of a Moxa NPort 5150A Not Working

I think I follow what you are trying to do, but I am not quite sure how to set it up.. can you give me an example? /ip address add address=10.10.10.111/24 interface=Data-Bridge network=10.10.10.0 (instead of 10.10.10.111 here and later on, use some address that doesn't conflict with any already use...
by sindy
Sat Jul 10, 2021 5:09 pm
Forum: General
Topic: Congestion based QoS
Replies: 4
Views: 460

Re: Congestion based QoS

I'm afraid the role of SQM is different from what you expect - it uses ECN to notify endpoints about the queue being almost full in order to avoid the need to actually drop packets, and it takes into account specific features (overhead size) of the bottleneck link to allow the shaping to work more p...
by sindy
Sat Jul 10, 2021 4:31 pm
Forum: General
Topic: Help MT constantly sending request to Google
Replies: 22
Views: 889

Re: Help MT constantly sending request to Google

Why do you consider up to 10 DNS queries per minute a "flood"? Unless this happens even when nothing is connected to the LAN of that router, that's a pretty normal traffic.

So what makes you believe it is unusual?
by sindy
Sat Jul 10, 2021 4:11 pm
Forum: General
Topic: Strange issue with port forwarding even if traffic seems on counters
Replies: 9
Views: 526

Re: Strange issue with port forwarding even if traffic seems on counters

Disabling firewalls is never a good idea. The fastest way to diagnose any network problem (and many other kinds of technical problems too) is recursive cutting of the path between endpoints into halves to find the problematic part of the path. Since you have a Mikrotik router also at the client side...
by sindy
Sat Jul 10, 2021 12:43 pm
Forum: General
Topic: Strange issue with port forwarding even if traffic seems on counters
Replies: 9
Views: 526

Re: Strange issue with port forwarding even if traffic seems on counters

Any ideas??? The sniff from the WAN side clearly shows that something (most likely a firewall) on the path between the client and the Mikrotik is forging the RST packets on behalf of the client. If you only look at the packets with the same client-side port, you can see that the client sends the SY...
by sindy
Sat Jul 10, 2021 10:59 am
Forum: General
Topic: Port Forwarding of a Moxa NPort 5150A Not Working
Replies: 17
Views: 718

Re: Port Forwarding of a Moxa NPort 5150A Not Working

The newer firmware of the MOXA only allows connections to the webinterface from inside the LAN. It also does not like the connection coming from the default gateway. Connecting to the ports for the serial connection works. In that case, the solution would be to set up an additional IP address on t...
by sindy
Sat Jul 10, 2021 9:05 am
Forum: General
Topic: Strange issue with port forwarding even if traffic seems on counters
Replies: 9
Views: 526

Re: Strange issue with port forwarding even if traffic seems on counters

The sniff shows that the Unifi Cloud Key did respond with SYN,ACK to the SYN and the RST came from the client side. So we can be sure that no access list or missing route at the Unifi Cloud Key are the reason of the failure. What surprises me is that the packet numbering starts from 84, what was happ...
by sindy
Fri Jul 09, 2021 11:05 pm
Forum: General
Topic: Strange issue with port forwarding even if traffic seems on counters
Replies: 9
Views: 526

Re: Strange issue with port forwarding even if traffic seems on counters

All your logging shows that the initial SYN packet from the internet has been properly redirected and let through to the server. So the questions are whether a) the Unifi Cloud Key has a default route, and if yes, whether its gateway is Mikrotik's IP address in 10.1.0.x, b) the Unifi Cloud Key itsel...
by sindy
Fri Jul 09, 2021 9:05 pm
Forum: General
Topic: Avoid Double NAT - need "wormhole" for default route of my PBX
Replies: 6
Views: 507

Re: Avoid Double NAT - need "wormhole" for default route of my PBX

English is not my native tongue Can you reveal the native one? either enable or disable one of these two last rules, based on WANx availability...is this what you mean by your statement? Correct. It is enough to disable and enable the one for WAN1, because if both WANs are available and thus the ru...
by sindy
Fri Jul 09, 2021 7:39 pm
Forum: General
Topic: Strange routing behaviour
Replies: 3
Views: 644

Re: Strange routing behaviour

As far as I understand packet flow, the packets with 192.168.14.0/24 destination should leave the routing process towards the ipsec bridge, and the ESP encapsulation should happen after that. The above is only true if also the source address of such packets matches the IPsec policy, i.e. falls into...
by sindy
Fri Jul 09, 2021 1:03 pm
Forum: General
Topic: Avoid Double NAT - need "wormhole" for default route of my PBX
Replies: 6
Views: 507

Re: Avoid Double NAT - need "wormhole" for default route of my PBX

I'm still waiting for someone to explain me where is the difference in impact on SIP&RTP between a single NAT and a multiple NAT, except where SIP ALGs make things worse because they are either broken or people expect them to work beyond what is actually possible. Since you mention a PBX, do you...
by sindy
Wed Jul 07, 2021 11:03 am
Forum: General
Topic: ASK [VRF-Mangle]
Replies: 3
Views: 351

Re: ASK [VRF-Mangle]

I did not understand the meaning of "a device is in a VRF group". Communication with the router itself bypasses any VRF handling. So be more verbose (or even more illustrative) regarding the topology, please.
by sindy
Sat Jul 03, 2021 6:36 pm
Forum: General
Topic: WAN failover
Replies: 2
Views: 351

Re: WAN failover

Two things I find fishy:
  • Except for IPsec packets, packets from the LAN interface won't go through the output chain
Am I missing something?
You are. Check this chapter of the documentation, it will explain you why rules in the output chain don't handle LAN->WAN packets.
by sindy
Sat Jul 03, 2021 6:29 pm
Forum: General
Topic: 2 VLANs and DHCP only for 1
Replies: 2
Views: 352

Re: 2 VLANs and DHCP only for 1

Untagging vlan 1101 alone won't give you anything. To simplify things, I would recommend to start from the default configuration "DHCP client on WAN", and modify it the following way: /interface vlan add name=bridge.wan.1101 interface=bridge vlan-id=1101 /interface list member add list=WAN...
by sindy
Tue Jun 29, 2021 10:27 pm
Forum: General
Topic: L2tp/ipsec server/client and side2side
Replies: 3
Views: 502

Re: L2tp/ipsec server/client and side2side

By "bare" I mean it is not "some other tunneling protocol over IPsec" but just "the payload over IPsec". On Windows, the traffic selector negotiated is 0.0.0.0/0 <=> individual.ip.assigned.to.windows, but the Windows only actually use the IPsec connection for traffic t...
by sindy
Tue Jun 29, 2021 10:07 pm
Forum: General
Topic: IPsec tunnel not passing traffic
Replies: 2
Views: 599

Re: IPsec tunnel not passing traffic

Your solution is correct, the reasons are slightly different. It doesn't matter whether IPsec creates a virtual interface or not; the thing is that the traffic to be delivered using IPsec is encapsulated into the ESP packets, and ESP packets are only sent when there is any payload to be transported....
by sindy
Sun Jun 27, 2021 9:32 pm
Forum: General
Topic: What is rx-code-error?
Replies: 4
Views: 466

Re: What is rx-code-error?

I would assume that a code error prevents the affected frame from even reaching the FCS verification phase.
by sindy
Sun Jun 27, 2021 8:05 pm
Forum: General
Topic: IPsec s2s and src-nat :-/
Replies: 3
Views: 651

Re: IPsec s2s and src-nat :-/

On mtik3 I see incoming ICMP from zabbix with src-address 172.24.255.1 but I can not receive echo reply on zabbix How exactly do you "see" it? Using /tool sniffer or using some action=log or log=yes firewall rule? I would suspect most a firewall rule in chain input of /ip firewall filter ...
by sindy
Sun Jun 27, 2021 7:46 pm
Forum: General
Topic: L2tp/ipsec server/client and side2side
Replies: 3
Views: 502

Re: L2tp/ipsec server/client and side2side

1.,2.: the only VPN protocol for which RouterOS currently supports pushing routes to the client is bare IKEv2. The native VPN client of Windows supports the same mechanism (Option 249 via DHCPINFORM) also in L2TP but RouterOS doesn't. But pushing routes to iOS and Strongswan is restricted to a singl...
by sindy
Sun Jun 27, 2021 7:36 pm
Forum: General
Topic: default route prevents use of additional LTE passthrough WAN
Replies: 22
Views: 1597

Re: default route prevents use of additional LTE passthrough WAN

The description is too generic, so the answer cannot be any better. The only reason to come to my mind is that you initiate the test connections from the router itself, which means that the source address is chosen according to the default route via PPPoE, and when the packet gets a routing-mark in ...
by sindy
Sun Jun 27, 2021 7:28 pm
Forum: General
Topic: How can I use a custom ipsec profile for L2TP server?
Replies: 4
Views: 376

Re: How can I use a custom ipsec profile for L2TP server?

It's "all or nothing". Either you ask RouterOS to create the IPsec configuration for the L2TP server "dynamically" by setting use-ipsec=yes or required and non-empty ipsec-secret, and it uses the default rows of /ip ipsec profile and /ip ipsec policy group when creating the peer...
by sindy
Sun Jun 27, 2021 7:01 pm
Forum: General
Topic: What is rx-code-error?
Replies: 4
Views: 466

Re: What is rx-code-error?

I would expect it to be an error in the line code - search for 4B/5B and MLT-3 to get the idea. The actual reason of these errors may be anything from weird sending device through ill-crimped connectors on the patchcords through to a damaged receiving circuitry of the Mikrotik that reports the errors.
by sindy
Thu Jun 24, 2021 10:00 pm
Forum: Beginner Basics
Topic: Mangle L2TP vpn [SOLVED]
Replies: 10
Views: 1368

Re: Mangle L2TP vpn [SOLVED]

I know that when the packet leaves the router mangle marks are cleaned, then how does the response from the webserver know that it must go out to backupISP and not by the default gateway? This is what connection-mark is used for - it is assigned to the connection as a whole when one of the first packets belong...
by sindy
Wed Jun 23, 2021 12:33 pm
Forum: Beginner Basics
Topic: Mangle L2TP vpn [SOLVED]
Replies: 10
Views: 1368

Re: Mangle L2TP vpn [SOLVED]

L2TP clients connect but suddenly disconnect
How long after connection establishment does this happen? Seconds, hours? If it works for a minute and then fails, the root cause may not be related to the policy routing (mangle rules etc.) at all.
by sindy
Tue Jun 22, 2021 11:23 pm
Forum: Beginner Basics
Topic: Mangle L2TP vpn [SOLVED]
Replies: 10
Views: 1368

Re: Mangle L2TP vpn [SOLVED]

Fasttracking is only used in the forward chain, and L2TP transport packets are handled by input and output chains, not the forward one. Your mangle rules seem fine for the L2TP session to get established, except if the L2TP client connects from 888.888.888.0/24 or 999.999.999.0/24. Are you testing f...
by sindy
Mon Jun 21, 2021 11:02 pm
Forum: General
Topic: Frequent PPPoE terminations
Replies: 15
Views: 6740

Re: Frequent PPPoE terminations

You need to sniff into a file, or maybe better stream to the PC unless you can connect a large enough USB drive, the traffic on the physical interface to which the PPPoE client one is attached. Start sniffing while the working PPPoE session still exists, then reboot the GPON box, and then stop the s...
by sindy
Mon Jun 21, 2021 2:19 pm
Forum: General
Topic: Frequent PPPoE terminations
Replies: 15
Views: 6740

Re: Frequent PPPoE terminations

Your log shows that the connection establishment has succeeded, and almost immediately after the PPPoE server asked your client to terminate it. Without seeing the sniff, I can only guess that your Mikrotik kept sending from the previously assigned IP address, and that was the reason why the server ...
by sindy
Sun Jun 20, 2021 9:40 pm
Forum: General
Topic: IPSec: need to ping before send traffic
Replies: 1
Views: 376

Re: IPSec: need to ping before send traffic

Always post complete exports, anonymized as per my automatic signature below. Without seeing the exports I can only speculate that both RTR1 and RTR3 have public IPs directly on themselves, and hence they use ESP as transport protocol. And if this is the case, you have to add an action=accept rule i...
by sindy
Sun Jun 20, 2021 9:23 pm
Forum: General
Topic: Add Bond or Ports to Bridge?
Replies: 2
Views: 364

Re: Add Bond or Ports to Bridge?

Only add bond1 to the bridge.

balance-rr doesn't boost throughput, and may cause headache to some TCP stacks. You may or may not be able to make use of the aggregate bandwidth depending on the traffic pattern.
by sindy
Thu Jun 17, 2021 3:15 pm
Forum: General
Topic: VPN special usage
Replies: 5
Views: 746

Re: VPN special usage

The traffic of the TV doesn't pass through the laptop, so set the /tool sniffer on the router in such a way that it streams the traffic matching the capture filter to the IP address of the laptop (which should be connected using an Ethernet cable, not wirelessly): /tool sniffer set streaming-enabled...
by sindy
Sun Jun 13, 2021 7:12 pm
Forum: General
Topic: VPN special usage
Replies: 5
Views: 746

Re: VPN special usage

The way you describe it, it seems as if the IPTV provider doesn't care from which IP address the client establishes the session for streaming the content and only checks the IP address for the control session used to display the guide, switch channels etc. What is the motivation to let the content s...
by sindy
Thu Jun 03, 2021 8:57 am
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1740

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Hi, How does the core router know to send traffic for 6.0.0.0/25 and 6.0.0.128/25 to the access routers? BGP is disabled at access router 1 and not configured at all at access router 2, and there are no static routes to 6.0.0.x/y at the core router. as the hotspot handling is done at the access rout...
by sindy
Mon May 31, 2021 6:16 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1740

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

As I've understood, the hotspot functionality is running at the edge router, but the src-nat rules are already at the access routers, is that correct? At which router have you "disabled it (the other public /25 I assume) from IP>Address", at the edge one or at the access one? Are the confi...
by sindy
Mon May 31, 2021 4:55 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1740

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Nice to learn at this stage that there are actually two routers, so the whole exercise with the hairpin IPIP tunnel could probably be omitted as the access router could as well send the packets to your own edge router which would happily send them back. I've proposed the IPIP tunnel in order that it...
by sindy
Mon May 31, 2021 3:26 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 937

Re: CHR possible when host machine has no Internal IP?

I am attaching both results with ARP filter on External virtual card and Dst host to 22.22.22.22 (ping from laptop). Didn't see any ARP requests for 22.22.22.22 when I run ping to it. ... but the ping requests did nevertheless arrive. So if you gave the ISP router enough time to forget the eventua...
by sindy
Sun May 30, 2021 11:05 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1740

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

So would the following be correct? ... To make the action=src-nat rule act also on the hairpinned traffic, which is necessary for the whole idea to work, you must make both hairpin-1 and hairpin-2 members of interface list WAN (which they indeed are from the point of view of the network topology). ...
by sindy
Sun May 30, 2021 9:47 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 1010

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

What a coincidence... another forum member was fighting a seemingly unrelated problem, and it came out that if you set an Ethernet interface as a gateway of a route to a destination, it sends ARP requests for the destination addresses out that interface. So if any router connected to that interface ...
by sindy
Sun May 30, 2021 6:07 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 1010

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

What's the network parameter of that /ip address row? x.y.z.(w+1), x.y.z.(w-1), other?
by sindy
Sun May 30, 2021 4:57 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 1010

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

What does the /ip address row look like at that CCR? I just hazily remember someone mentioning that Mikrotik sends the packets to a broadcast MAC address under some circumstances. But other than that, no ideas. What RouterOS version is running there?
by sindy
Sun May 30, 2021 4:47 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1740

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Okay so only one src NAT rule is good enough I believe? For connections between a peer inside your 10.64.0.0/10 and a peer out there in the internet - yes. For connections between two of your peers, it will be more interesting. In order that it worked, you need to src-nat also the connections your ...
by sindy
Sun May 30, 2021 1:29 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1740

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

I still don't get why you need any dst-nat rules at all. To my understanding, the only thing the two peers in any p2p network need is that all the NATs between each peer and the internet do not change the source port (unless it cannot be kept because some other client is connecting from the same sou...
by sindy
Sun May 30, 2021 12:06 pm
Forum: General
Topic: warm spare: design question
Replies: 11
Views: 760

Re: warm spare: design question

So do I have only the choice of VRRP and eventually synchronize the configuration in RouterOS 6? I am not sure how RouterOS 7 will work, will it add something similar to pfsync? There are actually three separate things to address: providing the routing redundancy itself; synchronisation of the (static...
by sindy
Sun May 30, 2021 9:10 am
Forum: General
Topic: Mikroitk Router OS (Trial Version Limits) [SOLVED]
Replies: 3
Views: 508

Re: Mikroitk Router OS (Trial Version Limits) [SOLVED]

No link needed. Just download the .ova template from the Mikrotik software download page and deploy it. The rest are settings related to networking on the ESXi, and these depend on the intended use case - whether you want to handle VLANs on the CHR or in the ESXi and whether you want to use bridging...
by sindy
Sat May 29, 2021 9:42 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 1010

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

But then why did it work on the /31 static IP I configured on a CCR some time ago (it is working up to now without problems)? Btw, you can sniff to a file on the port of the CCR connected to the non-Mikrotik, filtering on ICMP, for about 5-10 minutes. Wireshark should then show you a few ICMP rout...
by sindy
Sat May 29, 2021 9:12 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 1010

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

What do you mean by point to multi point? Connecting a router directly to another one is a point to point one, so ptmp means? If you connect Ethernet ports of two routers using a patchcord, it is indeed a point to point connection physically. But the interfaces are still Ethernet ones. And since...
by sindy
Sat May 29, 2021 5:50 pm
Forum: General
Topic: DST NAT to WAN
Replies: 5
Views: 443

Re: DST NAT to WAN

Regarding the dst-nat rule: it must work, but you'll likely need a src-nat one as well, or a route on the modem, so that the modem knew where to send the response. Regarding the VPN: PPTP provides ridiculously weak encryption and doesn't reliably pass through NAT as it is based on GRE, which is hard...
by sindy
Sat May 29, 2021 5:21 pm
Forum: General
Topic: warm spare: design question
Replies: 11
Views: 760

Re: warm spare: design question

I confirm the synchronisation of connection tracking state was working in 7.1beta something, it just sometimes started consuming lots of CPU and had other issues (stopped working when the master/backup roles changed forth and back or something). I haven't checked the state of the art in 7.1beta6 yet...
by sindy
Sat May 29, 2021 4:39 pm
Forum: General
Topic: Connect devices in different VLANs
Replies: 9
Views: 792

Re: Connect devices in different VLANs

Given that you have no access ports to the VLANs at the 3011 itself, I induce that there is either an external switch or an external access point (or more) to which the devices are connected. I cannot find any explanation of what you experience in the configuration of the 3011, so I expect some issu...
by sindy
Sat May 29, 2021 4:01 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 1010

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

It doesn't matter that there is just a single address at each end of the physical interconnection if the interface type is a point-to-multipoint one, as the router handles the interface depending on the interface type. So on point-to-point interfaces, the only possible destination is "the remot...
by sindy
Sat May 29, 2021 3:21 pm
Forum: General
Topic: IP Firewall Nat
Replies: 15
Views: 1860

Re: IP Firewall Nat

There's no way to prevent, in advance, third parties from logging in using credentials they've obtained from an authorized person, with or without consent/intention of the authorized person. You can ban the account after you notice that, but it's typically too late. To some extent, two-factor authen...
by sindy
Fri May 28, 2021 11:27 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 937

Re: CHR possible when host machine has no Internal IP?

The provider suggests to use the second IP in this way: https://adminforge.de/windows-allgemein/ip-adressen-hinzufuegen-windows/ had to translate it on google in English, they didn't give me an English version one, apologies. You wrote before that the additional IP address was routed via the firs...
by sindy
Thu May 27, 2021 12:54 pm
Forum: General
Topic: Multiple ip WAN and isolated VLANs
Replies: 13
Views: 1251

Re: Multiple ip WAN and isolated VLANs

Definitely there is.

I gave you some advice on Sat Mar 06, 2021 9:43 pm above, you never responded to it, nor have you posted the current export after the changes you've made in the meantime. Without that, there is no way to help you.
by sindy
Wed May 26, 2021 6:04 pm
Forum: General
Topic: L2TP IPsec ends connection immediately after Phase 2 is established
Replies: 2
Views: 324

Re: L2TP IPsec ends connection immediately after Phase 2 is established

Activate L2TP logging as well (/system logging add topics=l2tp) and try again. Since Phase 2 has established successfully, the issue is most likely in the L2TP settings, and the L2TP log should show that.
by sindy
Wed May 26, 2021 1:49 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 937

Re: CHR possible when host machine has no Internal IP?

You mean to choose the physical connection and the "new" internal virtual connection, and click "bridge" to share Internet? No, that's two different functionalities. When you select two or more network interfaces in Windows, you can bridge them together, but what I have in mind i...
by sindy
Wed May 26, 2021 12:47 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

Can't say right now - my life has enough dynamics these days, so I'm at long-term 6.47.9 everywhere.
by sindy
Tue May 25, 2021 10:10 pm
Forum: General
Topic: How to get a persistent site-to-site tunnel? (IPSEC drops connections)
Replies: 6
Views: 620

Re: How to get a persistent site-to-site tunnel? (IPSEC drops connections)

I am not sure I understand the possible reason you are suggesting. I have my mikrotiks DMZed and all PCs connect through mikrotiks... Should I observe something else? The DMZ functionality may be implemented in many ways in the LAN->WAN direction. In WAN->LAN direction, a DMZ is always a 1:1 dst-na...
by sindy
Tue May 25, 2021 2:35 pm
Forum: General
Topic: How to get a persistent site-to-site tunnel? (IPSEC drops connections)
Replies: 6
Views: 620

Re: How to get a persistent site-to-site tunnel? (IPSEC drops connections)

There must be some root cause behind both the failures of the tunnel and its inability to re-establish autonomously. Most of the devices I'm running IKEv2 tunnels among restart quite frequently due to the regional specifics and the fact that none of them is on a UPS, and all my tunnels automatically ...
by sindy
Tue May 25, 2021 10:53 am
Forum: General
Topic: Strange bonding behavior with EOIP slaves [SOLVED]
Replies: 1
Views: 360

Re: Strange bonding behavior with EOIP slaves [SOLVED]

Look at that from a wider perspective: each end of the bond uses its own strategy to choose a particular link for a particular frame, independent from the other end's one; in association with the above, each end is only interested in availability (transparency) of the links in its sending direction t...
by sindy
Tue May 25, 2021 9:01 am
Forum: General
Topic: Unexpected NAT behaviour when a port flaps
Replies: 2
Views: 330

Re: Unexpected NAT behaviour when a port flaps

On ether1 port are visible packets source 1.2.3.4 destination 8.9.10.11:22 RX only. On bridge interface are visible packets source 1.2.3.4 destination 192.168.88.100:22 TX and in opposite direction source 192.168.88.100:22 destination 1.2.3.4 RX. Such returning packets are not visible on ether1 (wa...
by sindy
Mon May 24, 2021 7:43 pm
Forum: Beginner Basics
Topic: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]
Replies: 43
Views: 1858

Re: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]

The rules say "use routing table xyz for anything with source address a.b.c.0/24". Whereas packets for the router itself (192.168.3.1, 192.168.4.1) are not affected by these rules (that's how linux kernel works, quite logically matching of the destination address of a received packet to ow...
by sindy
Mon May 24, 2021 12:34 am
Forum: Beginner Basics
Topic: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]
Replies: 43
Views: 1858

Re: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]

By means of the rules, you choose a dedicated routing table for each source subnet. So one possibility is to add a backup default route via "Telekom" to both routing tables, home-connection-mark as well as work-connection-mark , with distance=2 . Another possibility is to change the action...
by sindy
Sun May 23, 2021 11:54 pm
Forum: Beginner Basics
Topic: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]
Replies: 43
Views: 1858

Re: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]

Maybe this points something out: I noticed if I uncheck the "add default route" in my two pppoe interfaces, then it doesn't connect to internet at all, I thought it should use the two routes I manually set (as in above image). This could be a DNS issue. Whereas the devices in 192.168.3.0/...
by sindy
Sun May 23, 2021 11:34 pm
Forum: General
Topic: SIP registration issues with MikroTik PPPoE client
Replies: 7
Views: 682

Re: SIP registration issues with MikroTik PPPoE client

The carrier interface of pppoe-fiber-ipv4 is interface-vlan-internet , whose carrier interface is ethernet-1-fiber . So run a ping to the IP address of the registrar in parallel to the phone attempting to register and run the sniffer at interface-vlan-internet at first. Let Wireshark show you whethe...
by sindy
Sun May 23, 2021 10:15 pm
Forum: Beginner Basics
Topic: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]
Replies: 43
Views: 1858

Re: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]

So I added the two routes and created two rules (this is under routes window > rules, correct?!) With the attached setup, both 192.168.3.x computers and 192.168.4.x computers seem to use the "home" connection. I tried setting the interface under rules, associating with each of the two br...
by sindy
Sun May 23, 2021 6:36 pm
Forum: General
Topic: Automatic default route change [SOLVED]
Replies: 2
Views: 373

Re: Automatic default route change [SOLVED]

There's no "dynamic routing", the reason why it happens is that 192.168.1.1 (the gateway IP) fits both into 192.168.1.0/24 (the WAN subnet) and 192.168.1.0/25 (the LAN1 subnet), and if both interfaces are up, RouterOS probably throws a coin to choose. But such a setup with overlapping subn...
by sindy
Sun May 23, 2021 6:25 pm
Forum: General
Topic: Bandwidth issues with WireGuard and 7.1beta6
Replies: 9
Views: 731

Re: Bandwidth issues with WireGuard and 7.1beta6

Just guessing... what happens if you swap the roles of the routers in the bandwidth test, is it always the server->client direction (or always the client->server one) that is slow, or it is always the KZ->RU one? The manual says you should not run the bandwidth test on the router whose throughput yo...
by sindy
Sun May 23, 2021 3:11 pm
Forum: General
Topic: missing basic router protocols
Replies: 10
Views: 582

Re: missing basic router protocols

Can you guide me how I can add a static route to the Huawei router to reach the 192.168.100.0 network instead of using the default gateway?
Not unless you give me a link to the user manual of that exact router model.
by sindy
Sun May 23, 2021 2:52 pm
Forum: General
Topic: missing basic router protocols
Replies: 10
Views: 582

Re: missing basic router protocols

All I want is my edge router to check inside before sending the packet to the default gateway. Why is it not checking inside while I have put the 192.168.1.2 IP on my MikroTik? Because dynamic discovery of network topology (aka dynamic routing protocols) is not automatically enabled even on enterprise or ISP rout...
by sindy
Sun May 23, 2021 12:53 pm
Forum: General
Topic: missing basic router protocols
Replies: 10
Views: 582

Re: missing basic router protocols

I don't think it is a missing protocol on the Mikrotik, I'd say it is a missing route at the ISP router and/or on the laptop. When your laptop obtains a DHCP lease from the ISP router, not only it gets an IP address 192.168.1.10/24, but it likely also gets an address of a default gateway, which is 1...
by sindy
Sun May 23, 2021 8:42 am
Forum: General
Topic: SIP registration issues with MikroTik PPPoE client
Replies: 7
Views: 682

Re: SIP registration issues with MikroTik PPPoE client

Yes, this doesn't seem to be an MTU issue. Can you sniff on any other device with a public IP than your own PPPoE one? I'd configure the phone to register to that one (using a static DNS record to make the REGISTER look the same if needed) and compare the REGISTER packets arriving there via the othe...
by sindy
Sat May 22, 2021 10:45 pm
Forum: General
Topic: Packet Loss on Router Ping
Replies: 15
Views: 1248

Re: Packet Loss on Router Ping

Curious - I know that capacitors are a common issue. I checked the voltages on those and they are within 0.1 V of the expected value. What is the tolerance of the capacitor? Are they bad? Any other hardware issue that I should check for? When capacitors are an issue, you won't find out by measuring ...
by sindy
Sat May 22, 2021 10:33 pm
Forum: General
Topic: can I replace a RB3011with an RB201 ? [SOLVED]
Replies: 6
Views: 620

Re: can I replace a RB3011with an RB201 ? [SOLVED]

It's a 2011, it's just that the font used on the front panel is weird :) The switch chip used for ports ether6-ether10 only has FastEthernet (100 Mbit/s) ports and some other limitations that may not limit you at all. Besides being weaker, the CPU also doesn't support IPsec encryption in hardware. S...
by sindy
Sat May 22, 2021 9:43 pm
Forum: General
Topic: SIP registration issues with MikroTik PPPoE client
Replies: 7
Views: 682

Re: SIP registration issues with MikroTik PPPoE client

I can't see anything wrong with the PPPoE setup as such. There's a nonsense in the /interface bridge vlan configuration subtree where you specify ethernet-2-switch-trunk on the tagged list for vlan-ids=80 on bridge=bridge-vod-iptv whereas in the /interface bridge port subtree you state that ethernet...
by sindy
Sat May 22, 2021 5:33 pm
Forum: General
Topic: IP Cloud Update Problem.
Replies: 12
Views: 882

Re: IP Cloud Update Problem.

wh... wh... whhh.... what the f???
Yes. Same feelings here. U.S., mobile operator, I don't remember exactly which one it was, so won't name any not to get sued :)
by sindy
Sat May 22, 2021 5:27 pm
Forum: General
Topic: IP Cloud Update Problem.
Replies: 12
Views: 882

Re: IP Cloud Update Problem.

Would you be able to give us an example about use-local-address? If use-local-address=no (the default), the xxx.sn.mynetname.net resolves to the public IP from which the DDNS update request has arrived at the cloud server. If use-local-address=yes, the xxx.sn.mynetname.net resolves to the WAN IP fr...
by sindy
Sat May 22, 2021 2:52 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 335
Views: 45812

Re: v7.1beta6 [development] is released!

Given that there is a possibility to fasttrack connections on CHR and the connections are even marked as fasttracked in /ip firewall connection print , although all their packets actually take the full path (at least they do in 6.x), and given that you can set up /interface ethernet switch vlan item...
by sindy
Sat May 22, 2021 10:36 am
Forum: General
Topic: better way for failover 2 ISP
Replies: 5
Views: 446

Re: better way for failover 2 ISP

As said, the way you've set it up, it normally works as expected. Just to be sure, I did the following test, replicating your setup, except that I used a test route with dst-address=1.2.3.0/24 instead of a default one with dst-address=0.0.0.0/0 . [me@myTik] > ip route print detail where dst-address~...
by sindy
Sat May 22, 2021 10:03 am
Forum: General
Topic: Mikrotik VLAN Configuration / switch ports
Replies: 3
Views: 338

Re: Mikrotik VLAN Configuration / switch ports

The configuration with a dedicated bridge for VLAN 40 is perfectly "legal". Whether it is also preferred depends more on your personal preference. However, the switch chip used in the RB1100AHx4 (RTL8367) doesn't support VLAN handling , at least under control of RouterOS, so you cannot set...
by sindy
Sat May 22, 2021 9:04 am
Forum: General
Topic: 802.1aq
Replies: 2
Views: 387

Re: 802.1aq

This is a fellow user forum, not a channel to product management. So no matter how many times you bump, Mikrotik staff has no obligation to respond here, and fellow users have no clue. Plus since it is a roadmap question, not a support one, I have no idea whether a "correct channel" for it...
by sindy
Fri May 21, 2021 8:30 pm
Forum: General
Topic: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]
Replies: 7
Views: 1045

Re: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]

I noticed in the Wiki that those Firewall Filter rules to bypass Fasttrack with ipsec traffic, should have connection-state=established,related , but won't those always be skipped because initial packet never matches? All rules matching on connection-state=established,related will be skipped by any...
by sindy
Fri May 21, 2021 8:12 pm
Forum: General
Topic: MTU troubles using IKEv2 providers like NordVPN [work around]
Replies: 50
Views: 16630

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

I can't see anything unusual regarding IPsec there. The action=none policy preventing the packets from the router to the LAN clients from being diverted into the tunnel (which is no workaround, it's merely how IPsec works) permits PMTUD to work for packets sent by the client via the IPsec tunnel. Bu...
by sindy
Fri May 21, 2021 7:36 pm
Forum: General
Topic: i need a firewall expert or many brain....
Replies: 3
Views: 399

Re: i need a firewall expert or many brain....

Assuming you've made your research, and hence you are sure that the Teamviewer application always uses DNS to determine the IP address for the new connection, you have to schedule the following script populating the address list to run periodically, say, every 5 seconds: :foreach item in=[/ip dns ca...
by sindy
Thu May 20, 2021 7:36 pm
Forum: General
Topic: MTU troubles using IKEv2 providers like NordVPN [work around]
Replies: 50
Views: 16630

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Show the complete setup which is not working and we may get somewhere. PPPoE may surely be related as it can cause MTU problems on its own.
by sindy
Thu May 20, 2021 1:00 am
Forum: General
Topic: better way for failover 2 ISP
Replies: 5
Views: 446

Re: better way for failover 2 ISP

The problem is when the GW of the other ISP is alive but there is no access to the internet (provider problem), and when my 1st uplink disconnects, the second also isn't working, but in my routing table it shows as reachable (it is, but only the gateway). And in The Dude I wonder why it's red :D I'm not sure I get ...
by sindy
Thu May 20, 2021 12:39 am
Forum: General
Topic: VRRP-VLANs
Replies: 7
Views: 596

Re: VRRP-VLANs

1. Re-wording what @JelleM wrote: all routers negotiating using VRRP which one of them will listen on a particular IP address must be in the same L2 segment (VLAN). They use that same L2 segment to inform each other about their state.
2. Re-wording what @JelleM wrote as well: you can have multiple V...
by sindy
Wed May 19, 2021 11:47 pm
Forum: General
Topic: Regular expression too complex
Replies: 2
Views: 352

Re: Regular expression too complex

Shouldn't this regex work? I'd say it should work as such, but it's too complex, in the developer's opinion, for a DNS regexp. And I cannot imagine how to document the "acceptable complexity of a regexp" in the manual. So try to split it into four rows, expanding the second () into one wo...
by sindy
Wed May 19, 2021 11:08 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2242

Re: Transparent hEX S to change vlan-priority for DHCP request only

I have no idea how the switch chip handles ports with IPv6. I'd assume it is either clever enough to check the ethertype value in the 802.1Q tag and look for port values at appropriate positions in the frame autonomously, or adding mac-protocol=ipv6 won't help either. But if it does adjust to IP typ...
by sindy
Wed May 19, 2021 9:35 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2242

Re: Transparent hEX S to change vlan-priority for DHCP request only

Could each bridge act and handle each vlan 832 as a separate vlan? Yes, but only one of these bridges can (at least to date) outsource its job to the switch chip, so the other one would forward in software. That's why I've suggested the described solution with port isolation using switch chip r...
by sindy
Wed May 19, 2021 7:32 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2242

Re: Transparent hEX S to change vlan-priority for DHCP request only

Yes, it will work with hardware forwarding, hence at fiber speed. You probably have to make sure no traffic will leak between the two uplinks, or at least ensuring that should cause no harm. So assuming the management interface of the CRS305 is ether1 , the management IP subnet of the CRS305 is atta...
by sindy
Wed May 19, 2021 5:13 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 937

Re: CHR possible when host machine has no Internal IP?

A private network on the virtual switch is accessible to the virtual machines alone, not to the host, so it is useless for connection of the CHR to the internet. If you create an internal network, a corresponding virtual interface is created in the host Windows, which you can use to share internet w...
by sindy
Tue May 18, 2021 9:23 pm
Forum: General
Topic: Question involving multiple IPSEC tunnels
Replies: 6
Views: 607

Re: Question involving multiple IPSEC tunnels

OK. As private messages have been disabled again after a few months of working, you can send me your e-mail address and/or mobile phone number using this instruction (the method at line 16). After creating the-encrypted-short-file , run openssl base64 -e -in the-encrypted-short-file and paste the ou...
by sindy
Tue May 18, 2021 12:02 am
Forum: General
Topic: Question involving multiple IPSEC tunnels
Replies: 6
Views: 607

Re: Question involving multiple IPSEC tunnels

As you may have guessed, I have no control over the business side's chosen network setup. I didn't have to guess, you've stated that clearly. But the thing is that no matter what you do at your router "2", you cannot make it a backup point of access to their network without cooperatio...
by sindy
Mon May 17, 2021 11:02 pm
Forum: General
Topic: Redundancy failover ISP [SOLVED]
Replies: 13
Views: 995

Re: Redundancy failover ISP [SOLVED]

Surely that is not correct if the ISP is using VRRP, or similar, for failover as this relies on communications between the two devices.
That's disputable - as it works when the OP manually changes cables, I'd assume it doesn't depend on the links to be bridged together at the client side.
by sindy
Sun May 16, 2021 9:53 pm
Forum: General
Topic: IPsec Policies with multiple subnets
Replies: 1
Views: 330

Re: IPsec Policies with multiple subnets

As far as I understand the IPSec Policy only maps 1:1 (ie one source to one destination subnet) Correct (except that it rather "links" than "maps" subnets). I have tried to duplicate the policy but although the new one would work this kills the old one - ie I can only reach one ...
by sindy
Sun May 16, 2021 3:58 pm
Forum: General
Topic: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]
Replies: 7
Views: 1045

Re: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]

The packet passes through the postrouting chain of mangle before getting to chain srcnat of nat , see this diagram . So the only way to see what happened in src-nat is by sniffing on the out-interface, of course if IPsec policy hasn't matched and encrypted the packet. Or you can see it on the remote...
by sindy
Sun May 16, 2021 12:48 pm
Forum: General
Topic: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]
Replies: 7
Views: 1045

Re: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]

The only thing to come to my mind is that other rules in the srcnat chain of nat shadow the two you've posted. The posted rules themselves should do what you expect them to do.
by sindy
Sun May 16, 2021 12:41 pm
Forum: General
Topic: Redundancy failover ISP [SOLVED]
Replies: 13
Views: 995

Re: Redundancy failover ISP [SOLVED]

As you haven't posted your current configuration, let me assume that sfp-sfpplus1 is your current single WAN interface and ether1 is free. So copy the code below, substitute sfp-sfpplus1 and ether1 by the actual names of the interfaces, and paste the result on a command line: /system script add name=reco...
by sindy
Sun May 16, 2021 11:40 am
Forum: General
Topic: Question involving multiple IPSEC tunnels
Replies: 6
Views: 607

Re: Question involving multiple IPSEC tunnels

If you were starting from scratch: bare IPsec takes the least overhead and is most different from normal routing; IPsec-encrypted IPIP tunnels allow you to use normal routing with dynamic routing protocols but there's additional overhead, albeit a few bits smaller than with GRE. However, you're not starti...
by sindy
Sat May 15, 2021 9:44 pm
Forum: General
Topic: Join two seperate subnets on a single router
Replies: 2
Views: 398

Re: Join two seperate subnets on a single router

I may be missing something, but a masquerade rule does exactly what its name suggests, it makes connections coming from both 172.21.0.0/16 and 192.168.100.0/24 appear to come from 192.168.30.80 to the rest of 192.168.30.0/24. The connection tracking remembers this in each connection's context, so wh...
by sindy
Sat May 15, 2021 8:19 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 937

Re: CHR possible when host machine has no Internal IP?

Any virtualization platform I know for Windows does address also networking. So as soon as you install/activate it, a virtual Ethernet interface will be added to the Windows system, and you'll be able to add more manually. And you will also be able to specify how to use them. So if there is just a s...
by sindy
Sat May 15, 2021 7:51 pm
Forum: General
Topic: Redundancy failover ISP [SOLVED]
Replies: 13
Views: 995

Re: Redundancy failover ISP [SOLVED]

They don't mention anything more other than a plain vlan if your equipment supports it. I'd say the ISP guys use "VLAN" in the meaning of "L2 segment". So whether you install an external dumb switch and connect both uplinks and the WAN interface of the CCR1009 to it, or whether ...
by sindy
Sat May 15, 2021 12:40 pm
Forum: General
Topic: RB trying to be hacked by a mac to an internal IP of internal network
Replies: 5
Views: 638

Re: RB trying to be hacked by a mac to an internal IP of internal network

OK. I am pretty sure these "hack attempts" are unrelated to your issue, and that they have been there also before the problems with viewing pages started. But before these problems started, you had no reason to take a close watch, so now you've made a conclusion that the two things (imposs...
by sindy
Fri May 14, 2021 7:44 pm
Forum: General
Topic: RB trying to be hacked by a mac to an internal IP of internal network
Replies: 5
Views: 638

Re: RB trying to be hacked by a mac to an internal IP of internal network

I'm afraid I need a drawing to understand what you explain, but I'll try without it first: if I get it right, when it didn't work, the LAN side of the Mikrotik in question actually was not completely disconnected as I understood from your Original Post, except that only the PC from which you manage ...
by sindy
Thu May 13, 2021 11:34 pm
Forum: General
Topic: How to prioritize all OSPF traffic?
Replies: 6
Views: 620

Re: How to prioritize all OSPF traffic?

The priority you set in the respective field of a VLAN tag is only honored, if at all, by an external device. All priority handling in Mikrotik itself is done by means of queues ( queue tree and/or queue simple ) and the only ways to let a packet (or frame) be handled by a particular queue are to as...
by sindy
Thu May 13, 2021 11:19 pm
Forum: General
Topic: RB trying to be hacked by a mac to an internal IP of internal network
Replies: 5
Views: 638

Re: RB trying to be hacked by a mac to an internal IP of internal network

If you have a decent firewall, there's nothing to actually worry about regarding these messages. The ones with in: WAN - 1 out: (unknown 0) log packets that have been sent to broadcast MAC addresses, hence the machine receives them and the firewall logs them. The first one is sent by some device (74...
by sindy
Thu May 13, 2021 10:50 pm
Forum: General
Topic: VRRP on WAN
Replies: 1
Views: 321

Re: VRRP on WAN

You can set multiple VRRP interfaces with different virtual IPs on the same group of physical interfaces, you just have to use a different VRRP ID for each of them (exceptions exist but better avoid using the same one). To synchronize the state of VRRP running on different physical interfaces in ord...
by sindy
Thu May 13, 2021 9:47 pm
Forum: General
Topic: Multiple L2TP clients on single device
Replies: 6
Views: 606

Re: Multiple L2TP clients on single device

You're not forgotten, but this is my voluntary activity and I have more than enough else to do these days. And you've said you are a beginner so reddit-style brief hints don't help much. So below is a config to be set on a router with no configuration at all. Which is not the same as a router with a...
by sindy
Mon May 10, 2021 5:33 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

OK, so please show me the output of /tool sniffer quick ip-protocol=icmp ip-address=192.168.9.2 while pinging 192.168.9.2 from the PC.

And then Wireshark on the PC while pinging 192.168.9.1. It starts being crazy.
by sindy
Mon May 10, 2021 5:15 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

OK, still the same - the 3011 pings the LTE from wan2-100 and gets a response every 30 s, except that now with hw=no you can see also the ping request to leave tagged via ether10 , not just the response to come in through there. So everything is fine regarding the VLAN setup. As the ping requests fr...
by sindy
Mon May 10, 2021 5:09 pm
Forum: General
Topic: Very high sector writes
Replies: 43
Views: 6924

Re: Very high sector writes

Does wear leveling include moving static data, thus causing more writes? If not, all your calculations have to be adjusted to take into account that all that happens only in the part of the flash which doesn't hold the RouterOS image itself. So from your 100 years life expectancy for full 16 MB with...
by sindy
Mon May 10, 2021 4:51 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

Ah, hw=yes strikes again... Please set hardware acceleration to no under /interface bridge port for ether10 and for the port to which you connect the PC, and try again. When hw=yes , some packets do not get captured on the Ethernet interface. I keep forgetting about that. In any case, your sniff onl...
by sindy
Mon May 10, 2021 4:02 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

eth10 remains in the bridge
That's correct.
by sindy
Mon May 10, 2021 4:00 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

If you have in mind adding wan2-100 as a member port of a bridge, it's correct that you cannot add it. wan2-100 is a VLAN interface whose tagged end is attached to the bridge, so making its tagless end a member port of the same bridge would create a loop, hence it is good it is not possible. Your pr...
by sindy
Mon May 10, 2021 3:42 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

How does /ip firewall address-list export look like, and what does the sniffing as suggested above show?
by sindy
Mon May 10, 2021 3:25 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

@anav: What scripts? Where? If you mean the reconfiguration script a few posts above, a script is the most concise way of expressing the necessary configuration changes. I'm not going to create a presentation with screenshots of all the relevant windows before and after. But you can always translate...
by sindy
Mon May 10, 2021 3:19 pm
Forum: General
Topic: Multiple L2TP clients on single device
Replies: 6
Views: 606

Re: Multiple L2TP clients on single device

Given the clear separation between the management addresses (10.200.0.0/16, btw quite an overkill for a "dozen" clients) and the corporate range (192.168.0.0/16), it's nothing extremely complex. In particular, there is no need for policy routing, just tell me whether you'll be managing the...
by sindy
Mon May 10, 2021 11:44 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

This interface list row is definitely an error - my script should have changed ether10 to wan2-100 on it. I've tested it on my lab CHR and it worked, interesting. Nevertheless, this does not explain why you cannot ping the LTE IP. So once you fix that row, make the command line window as wide as you...
by sindy
Mon May 10, 2021 8:05 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

When you connect the same client to any of ether2..ether9 on the 3011 instead of 02..04 on the GS105E, do you get the same result?

Can you show me the export after applying my script?
by sindy
Mon May 10, 2021 12:16 am
Forum: RouterOS v7 BETA
Topic: v7.1beta5 [development] is released!
Replies: 293
Views: 47360

Re: v7.1beta5 [development] is released!

You wrote you need the 4-(mac)-address mode and capsman to be supported on wifiwave2 in order to be able to test it. That implies to me that you normally use both these features simultaneously (i.e. a capsman-controlled AP in AP-bridge mode), which I thought was impossible. What am I missing?
by sindy
Sun May 09, 2021 10:38 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta5 [development] is released!
Replies: 293
Views: 47360

Re: v7.1beta5 [development] is released!

need 4 address mode support for that, plus CAPsMAN support
Sorry for off-topic, but how do you make these two work together on any ROS release, without wifiwave2?
by sindy
Sun May 09, 2021 8:03 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

I am now testing the switch with the image configuration and I can reach vlan10 anyway. Again... when something is connected to port 02 of Netgear, it gets an IP address from 10.0.0.0/24 because that port is an access one to VLAN 1 which is tagless at port 01 of the GS105E and at ether2 .. ether10 ...
by sindy
Sun May 09, 2021 4:12 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

this should not happen if not enabling the vlan on the android devices. It's a misunderstanding. The fact that the subnet 172.16.10.0/24 lives in a dedicated VLAN does not mean that devices in other subnets cannot reach devices in 172.16.10.0/24, as the very purpose of a router is to forward traffi...
by sindy
Sun May 09, 2021 11:57 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

Yes, if everything else works properly, there will be no problem. However, the configuration you've posted shows that a static address is assigned to WAN2: /ip address ... add address=192.168.9.2/24 interface=ether10-WAN2 network=192.168.9.0 So what have I missed? Also, take care about changing the ...
by sindy
Sun May 09, 2021 11:26 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

So before copy-pasting my script above, rename ether10-WAN2 to ether10.
Then copy-paste that script except the last row.
Instead of the last row, use /interface bridge port enable [find interface=ether10].
by sindy
Sun May 09, 2021 10:36 am
Forum: General
Topic: Multiple L2TP clients on single device
Replies: 6
Views: 606

Re: Multiple L2TP clients on single device

Yes, it is possible. Two L2TP clients towards different servers are OK. You can even use the automatically generated IPsec configurations if both servers accept the same Phase 1 and Phase 2 proposal, otherwise you'd have to configure the IPsec layer manually. Regarding the different usage policies o...
by sindy
Sun May 09, 2021 10:15 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

OK. So let's assume you've started from a default configuration, where ether2 .. ether10 were member ports of a bridge named bridge , and you've just removed ether10 from that bridge and used it as WAN2. So as I wrote above /interface vlan add name=wan2-100 interface=bridge vlan-id=100 /ip address s...
by sindy
Sun May 09, 2021 10:14 am
Forum: General
Topic: VPN special usage
Replies: 5
Views: 746

Re: VPN special usage

You'll have to elaborate on what you mean by download and upload, as it can be understood in multiple ways: from the perspective of a single packet, where "download" means that a packet goes from router A to router B and "upload" means a packet goes from router B to router A from...
by sindy
Sat May 08, 2021 11:01 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

If the ether10 itself currently acts as WAN2, do you want ether2..ether4 of the netgear to extend some existing LAN bridge of the 3011? Or will it be a separate LAN segment? The necessary changes on the 3011 depend on the answer.
by sindy
Sat May 08, 2021 9:59 pm
Forum: General
Topic: VPN L2TP/IPSEC RouterOS 6.11
Replies: 19
Views: 1147

Re: VPN L2TP/IPSEC RouterOS 6.11

My approach would have been to install the new 1100 next to the old one and connect one of the new one's ports to the old one's LAN, port-forward UDP port 4500 from the old one's WAN to new one's IP address on the LAN, and set up the L2TP/IPsec server on the new one. And later copy the firewall conf...
by sindy
Sat May 08, 2021 9:24 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2409

Re: WAN over VLAN

if ether10 of the 3011 is a member port of a bridge, hook an /interface vlan with vlan-id=100 to that bridge, otherwise add it directly to ether10 . Let's name it wan2-100 for simplicity. move all the IP address configuration from the current etherX acting as WAN2 to wan2-100 you've added above. Al...
by sindy
Thu May 06, 2021 8:59 am
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 664

Re: IPsec Site to SIte behind NAT

don't know if that is possible in Windows server It is. Option 249 is Microsoft's proprietary alternative to Option 121. The difference between the two is that Option 249 is used in addition to Option 3 (list of default gateways), whereas Option 121 replaces Option 3 (i.e. it contains the complete ...
by sindy
Wed May 05, 2021 10:42 pm
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 664

Re: IPsec Site to SIte behind NAT

Is it possible to have ddns name on Site B router so when ip changes that tunnel stays up, or no? RouterOS doesn't support IPsec MOBIKE yet, so the tunnel won't exactly stay up but it will re-establish. You can use the /ip cloud to update the dynamic DNS operated by Mikrotik (xxxxxxxx.sn.mynetname....
by sindy
Wed May 05, 2021 9:08 pm
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 664

Re: IPsec Site to SIte behind NAT

I'd say it's simply a routing issue at Site A. I assume all the devices in 192.168.97.0/24 get their IP configuration via DHCP from the Huawei, so their default route's gateway is the Huawei itself, 192.168.97.254. Hence when a ping packet arrives to them from 10.0.0.1, i.e. from an address outside ...
by sindy
Fri Apr 30, 2021 9:59 pm
Forum: General
Topic: VPN IPsec with BINAT configuration
Replies: 1
Views: 332

Re: VPN IPsec with BINAT configuration

The term BINAT seems to be pfSense specific; in fact, it addresses a situation where you interconnect two sites and same subnets are used at both of them, and you need devices at site A to communicate with devices in a site B subnet shadowed by a local one at site A. This issue needs to be addressed...
by sindy
Fri Apr 30, 2021 8:46 pm
Forum: General
Topic: MAC based port forwarding rule
Replies: 7
Views: 613

Re: MAC based port forwarding rule

I want port forward rule work after check device's MAC, I will store some device's MAC in router. if device's MAC same then Mikrotik apply port forwarding rule otherwise denied. While matching on src-mac-address does work in /ip firewall if some other pre-requisites are met, it only makes sense to ...
by sindy
Fri Apr 30, 2021 8:40 pm
Forum: General
Topic: Issues with IPsec between Sophos and Mikrotik
Replies: 5
Views: 440

Re: Issues with IPsec between Sophos and Mikrotik

There is no route setup on the mikrotik's side to get to the Sophos side however I can access all resources on the other side of the tunnel. Don't worry, it's because the IPsec policies intercept the traffic and divert it into the tunnel. But some route for the traffic must exist, as the IPsec poli...
by sindy
Fri Apr 30, 2021 8:15 pm
Forum: General
Topic: NAT problem with host's internal traffic using route marking.
Replies: 6
Views: 590

Re: NAT problem with host's internal traffic using route marking.

I'd have to see the actual configurations to suggest something more.
by sindy
Tue Apr 27, 2021 9:50 am
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 907

Re: IKEv2 + android clients [SOLVED]

Was about to shoot a bazooka at that router :D Waste of ammo... using a hammer provides more relief to your soul :) Plus in your locality, you've got the globally unique possibility to get it run over by a šalina. about this: add action=dst-nat chain=dstnat in-interface=ether1 ipsec-policy=in,none ...
by sindy
Tue Apr 27, 2021 12:53 am
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 907

Re: IKEv2 + android clients [SOLVED]

The packets decapsulated from IPsec transport ones inherit the in-interface attribute from the transport ones. Assuming that ether1 is your WAN, the dst-nat rule action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.50.10 to-ports=45000-45500 diverts any TCP connection co...
by sindy
Mon Apr 26, 2021 11:17 am
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 184
Views: 136435

Re: Using RouterOS to VLAN your network

Not sure it belongs here (as you've properly stated, this topic should actually be a wiki article). However: There is no equivalent of Cisco's VTP on Mikrotik, so you cannot dynamically distribute VLAN configuration across wired network from a single device. But if you are interested solely in cAPs,...
by sindy
Mon Apr 26, 2021 8:32 am
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 907

Re: IKEv2 + android clients [SOLVED]

*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383); As my router is running 6.47.9, this could be the cause ( fragmentation) ? RFC7383 only deals with application-level fragmentation of the control traffic (IKE), not of transport packets. Since the connection has established properly...
by sindy
Sun Apr 25, 2021 5:08 pm
Forum: General
Topic: Static WAN IP not working - mask issue?
Replies: 11
Views: 673

Re: Static WAN IP not working - mask issue?

I didn't try Sindy's advice because it looked like what you would do on the upstream router to me to mimic the behaviour of my ISP. Sure, you've got it right - that wasn't an advice what to do at your router. There is nothing to advise regarding static address configuration if the ISP only allows t...
by sindy
Sun Apr 25, 2021 5:03 pm
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 907

Re: IKEv2 + android clients [SOLVED]

I'm a bit confused by xena@local.cz being used as both the common name of the initiator's (Strongswan's) certificate and the own ID of the responder (Mikrotik); maybe the IPsec stack is confused too? How does Mikrotik's own certificate look like? I also hazily remember I had cases where I had to remo...
by sindy
Sun Apr 25, 2021 4:28 pm
Forum: General
Topic: Routes to multiple addresses
Replies: 5
Views: 565

Re: Routes to multiple addresses

There is no way to use a list of prefixes as a dst-address of a single route. The usual approach is to use a dynamic routing protocol such as OSPF or BGP. Another approach might be to use mangle rules (which can match on dst-address-list) to assign routing-mark values, and have just a default route ...
by sindy
Sun Apr 25, 2021 4:19 pm
Forum: General
Topic: Same subnets to L2TP/IPsec, possible?
Replies: 3
Views: 482

Re: Same subnets to L2TP/IPsec, possible?

Have a look at action=netmap in /ip firewall nat. It's the best you can have, with some drawbacks of course - it's still NAT.
by sindy
Sun Apr 25, 2021 3:44 pm
Forum: General
Topic: DHCP client Ether1 looses IP address every1-5 minutes
Replies: 5
Views: 1059

Re: DHCP client Ether1 looses IP address every1-5 minutes

As you've explicitly asked for a response in this thread: 1. /tool sniffer set file-name=dhcp.pcap file-limit=100000 filter-interface=your-wan-interface-name filter-ip-protocol=udp filter-port=bootps 2. make sure that all other filter-xxx fields of /tool sniffer settings are empty 3. /tool sniffer s...
by sindy
Sun Apr 25, 2021 1:37 pm
Forum: General
Topic: Static WAN IP not working - mask issue?
Replies: 11
Views: 673

Re: Static WAN IP not working - mask issue?

I copy the IP data into static entries and it doesn't work. If so, I'd assume the provider uses some kind of protection against people arbitrarily assigning public IPs on their own. In RouterOS, you would do this by setting arp=reply-only in the configuration of the interface and setting add-arp=ye...
by sindy
Sun Apr 25, 2021 1:22 pm
Forum: General
Topic: Static WAN IP not working - mask issue?
Replies: 11
Views: 673

Re: Static WAN IP not working - mask issue?

When you say "I turn off DHCP client", does that mean that with DHCP client on, you get some public IP and everything works? But once you assign the same IP address, mask and gateway you have previously obtained using the DHCP client before, it doesn't?
by sindy
Sat Apr 24, 2021 10:08 pm
Forum: General
Topic: L2TP/IPSec VPN problem on 6.48.1 and 6.48.2
Replies: 1
Views: 526

Re: L2TP/IPSec VPN problem on 6.48.1 and 6.48.2

What you describe sounds like you've got multiple peers with same values of local-address, address, and exchange-mode, where one of them is dynamically generated by the L2TP setting use-ipsec=yes.

What does /ip ipsec peer print detail show while the L2TP server is enabled?
by sindy
Sat Apr 24, 2021 10:03 pm
Forum: General
Topic: Marking IKEv2 dynamic connection for Firewall?
Replies: 1
Views: 269

Re: Marking IKEv2 dynamic connection for Firewall?

chain=input protocol=tcp dst-port=8291 in-interface-list=WAN ipsec-policy=in,ipsec action=accept
by sindy
Sat Apr 24, 2021 9:52 pm
Forum: General
Topic: Blocking LLDP / Protocol 35020
Replies: 4
Views: 667

Re: Blocking LLDP / Protocol 35020

@changeip, too many things work differently than you expect. The ip firewall only deals with IP packets, so the protocol matches on the payload protocols of IP, such as UDP, TCP, GRE... MNDP is an application using UDP and port 5678, but RouterOS sends MNDP packets in such a way that they bypass the IP...
by sindy
Sat Apr 24, 2021 9:30 pm
Forum: General
Topic: NAT problem with host's internal traffic using route marking.
Replies: 6
Views: 590

Re: NAT problem with host's internal traffic using route marking.

You haven't posted the configurations, but you mention default firewall rules. The default firewall rule "drop invalid" in chain forward of filter prevents those SYN,ACK packets from reaching the out-interface (LAN in this case) and thus triggering the sending of ICMP redirect, as the conn...
by sindy
Sat Apr 24, 2021 4:45 pm
Forum: General
Topic: VLAN separation using new Bridge VLAN Filtering feature
Replies: 9
Views: 2624

Re: VLAN separation using new Bridge VLAN Filtering feature

This post may explain why the configuration changes mentioned by @jahudka are necessary.
by sindy
Fri Apr 23, 2021 11:17 pm
Forum: General
Topic: Bridge/vlan configuration advice
Replies: 3
Views: 374

Re: Bridge/vlan configuration advice

I'll go a bit deeper into the reasons than @mkx: As you intend to set up an L2 ring configuration (the CCR will be connected to two CRS and those will be connected to each other), you need to use some STP flavor to prevent L2 looping. And in order that xSTP behaved correctly, you must use the "...
by sindy
Thu Apr 22, 2021 7:32 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1450

Re: Internet connection drops for 4-3 second every few moment

The price is about 1 month of my brother income, So it's a lot. ... the bad news is the Mikrotik is only brand which is accepted by my country ISPs. Which seems to be related, other vendors may be prohibitively expensive or embargoed. And they don't support NV2 of course. They already have connecte...
by sindy
Thu Apr 22, 2021 7:01 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 8
Views: 902

Re: NETMAP vs SRCNAT

action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible). example: /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47 results in the sam...
by sindy
Thu Apr 22, 2021 6:58 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 8
Views: 902

Re: NETMAP vs SRCNAT

f.e., if we have 10.35.27.10 as a source address, netmap will replace it with 192.168.143.40?
No, with 192.168.143.42 (32 + 10)
by sindy
Thu Apr 22, 2021 6:38 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1450

Re: Internet connection drops for 4-3 second every few moment

the only situation that I don't get timeout and the problem gets solve, is by disabling other clients on ISP radio device. So they suggest me to buy one more radio and make a PTP connection, but it cost a lot of price, I believe the problem is solvable so it's not worth to pay that much money for t...
by sindy
Thu Apr 22, 2021 5:20 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 8
Views: 902

Re: NETMAP vs SRCNAT

Because the netmask part of the to-addresses value is 28, i.e. 255.255.255.240. So the value of the bits of the original address whose positions match the zero bits in the mask, i.e. the least significant four bits, is 12 in all three cases, and the bits whose positions match the one bits in the mas...
by sindy
Thu Apr 22, 2021 5:09 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1450

Re: Internet connection drops for 4-3 second every few moment

There is the local noippass "xxxxx" line in the script; if someone has downloaded the original file, they can update your DynDNS now, until you change the password on the DynDNS web selfcare page and then update it accordingly in your script. To the original topic: given how the two Mikrot...
by sindy
Thu Apr 22, 2021 4:31 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1450

Re: Internet connection drops for 4-3 second every few moment

You may want to remove the script part from the configuration export (edit the post, remove the file and re-post it without the /system script and all the lines following it) and change your password to the DynDNS service. It didn't come to my mind you could have something like that in operation. I'...
by sindy
Thu Apr 22, 2021 3:34 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1450

Re: Internet connection drops for 4-3 second every few moment

It is hard to say as I don't know the complete setup. The LHG5 may be working in bridge mode and have no IP address, or there may be a management IP address assigned by the ISP. When you connect your PC to the hAP lite, you can see only the hAP lite in the neighbour list in Winbox because the hAP lit...
by sindy
Thu Apr 22, 2021 2:32 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1450

Re: Internet connection drops for 4-3 second every few moment

In such case, ask the ISP for that, as it is apparently their device. Just as a blind shot until you can arrange that, press [Interfaces], and in the "Interface List" window that opens, press the [Detect Internet] button just above the table on the (Interface) tab. Post the screenshot of t...
by sindy
Thu Apr 22, 2021 2:14 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1450

Re: Internet connection drops for 4-3 second every few moment

Instead of posting 150 screenshots which show 5 % of the configuration, please use the [New Terminal] button to open a command line window, type /export hide-sensitive file=current-config in that window and press Enter. A file named current-config.rsc will appear in the file list; download it, and i...
by sindy
Mon Apr 19, 2021 8:16 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 49
Views: 9941

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Do i have to do the RIP rules? I live quite far away from that ISP and only had the situation proxied by @rabienz and @Najifares. So from what I got that way, you have to advertise those IPs to ISP's equipment using RIP so that it would send you the traffic. Don't ask me why the ISP needs it, and e...
by sindy
Mon Apr 19, 2021 5:00 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 49
Views: 9941

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Can you provide a config where all 5 public addresses are to be used to NAT to different private address subnets on LAN If we leave aside all the security aspects, all you need is a set of src-nat and dst-nat rules. So for a bi-directional, port-agnostic 1:1 NAT between a public IP address A.A.A.A ...
by sindy
Mon Apr 19, 2021 9:28 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2239

Re: CRS317-1G-16S+ High CPU lead to drop packet

If all your cAPs do local forwarding, the only way how the CPU load on the CRS could be coming from CAPsMAN processing would be if the clients would keep re-authenticating, as the client traffic is converted between wireless and wired one at the cAPs themselves. So most likely there is a traffic tha...
by sindy
Sat Apr 17, 2021 11:56 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2239

Re: CRS317-1G-16S+ High CPU lead to drop packet

Please show the typical output of /tool profile cpu=all on the CRS317, and also the typical output of /interface monitor-traffic interface=aggregate and /interface monitor-traffic interface=the-wan-interface-name . And the question is not how many cAPs but how many clients, and what you ask the rout...
by sindy
Tue Apr 13, 2021 10:24 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2495

Re: Discovery of external IP address (Noip.com)

...do you think I should make the delay 1m longer, say 3 minutes? Possibly yes, but to me 1m should also be sufficient, the mAP lite is not that lazy. Maybe add a delay 1m before the disable . It is still possible that the result depends on whether the initial request comes first from the remote pe...
by sindy
Mon Apr 12, 2021 10:35 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1370

Re: IKEv2 server ignores dhcp query on vlan interface

I have one more question related to IKEv2. Is it possible to switch on/off user-led based on IKEv2 peer status? Similar to interface-status under /system leds It is, but only using a periodically scheduled script. None of the possible type values has any relationship to IPsec. So you must use a scr...
by sindy
Mon Apr 12, 2021 6:18 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2495

Re: Discovery of external IP address (Noip.com)

Of course replace name by the actual name of the peer. And yes, the scheduled script is a substitution of your manual disable/re-enable operation after reboot. The scheduled script is a workaround. For a solution in future RouterOS versions, you have to raise a support ticket with Mikrotik; before d...
by sindy
Mon Apr 12, 2021 3:38 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1370

Re: IKEv2 server ignores dhcp query on vlan interface

local-address=empty/not set and local-address=0.0.0.0 is the same thing, as you can see if you use /ip ipsec peer export verbose (without the verbose modifier, export does not show default values). Mikrotik's DHCP server apparently expects an L2 frame in order that it responded, so if the DHCPINFOR...
by sindy
Sun Apr 11, 2021 5:44 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2495

Re: Discovery of external IP address (Noip.com)

Given that all policies are static, the proposals they use are identical at both ends, and there is no NAT involved at the client device itself, I'm afraid the fact that you get NO_PROPOSAL_CHOSEN is a consequence of some bug. So I can only suggest a workaround: /system scheduler add name=ipsec-wa o...
by sindy
Sat Apr 10, 2021 2:02 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1370

Re: IKEv2 server ignores dhcp query on vlan interface

You've provided a lot of information but still some bits are missing, so let me rephrase it. No matter what the reasons are, the essence is that the IKEv2 VPN client needs to connect also from the server's LAN. According to your configuration excerpt, the responder peer listens at all addresses. Acc...
by sindy
Sat Apr 10, 2021 11:31 am
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2242

Re: Transparent hEX S to change vlan-priority for DHCP request only

I've realized that my suggestion above regarding sniffing may be overly complex and inconsistent. To see that the switch chip rule works for the initial DHCPDISCOVER, which is sent to a broadcast address, it is enough to make the bridge a member port of the bridge (see this for clarification of this...
by sindy
Thu Apr 08, 2021 9:05 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2495

Re: Discovery of external IP address (Noip.com)

It seems that the log is from the only client whose configuration you haven't posted. As you specify the peers' addresses as domain names, I can imagine the incoming initial packet from the "server" to land on a wrong peer there, as I had such an issue when testing my setup with no static ...
by sindy
Thu Apr 08, 2021 8:50 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2242

Re: Transparent hEX S to change vlan-priority for DHCP request only

OK, so I have debugged it locally, setting a switch chip rule to handle tagged traffic for the Tik's own IP address, which therefore lands at the bridge interface: dst-address=192.168.6.2/32 dst-port=53 mac-protocol=ip new-vlan-priority=3 ports=ether1 protocol=udp switch=switch1 vlan-id=6 If VL...
by sindy
Wed Apr 07, 2021 9:24 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2242

Re: Transparent hEX S to change vlan-priority for DHCP request only

I have a problem with mac-protocol=ip in the switch chip rule, because mac-protocol is vlan here if tagging is done before the rule is applied. In bridge filter rules, the IP and port matching is only possible when mac-protocol=ip , but if I remember correctly, this is not the case with switch rules.
by sindy
Wed Apr 07, 2021 9:19 pm
Forum: General
Topic: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore
Replies: 5
Views: 673

Re: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore

why did it manifest when I replaced the router I've seen unrelated events synchronize within tenths of a second (not necessarily in networking), so I would not be surprised if something was wrong on the network path. Here, the window was longer, between the last establishment of the tunnel on the ...
by sindy
Wed Apr 07, 2021 8:39 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1370

Re: IKEv2 server ignores dhcp query on vlan interface

If you use that "bridge-reinforced" VLAN interface also for other traffic than the VPN one, some CPU cycles will indeed be wasted on the additional bridging. So my solution would be to use a dedicated VLAN and IP address only for the IPsec responder to listen at. But I don't get the differ...
by sindy
Wed Apr 07, 2021 2:03 pm
Forum: General
Topic: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]
Replies: 8
Views: 716

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]

Also running OpenVPN on a single core 600MHz CPU / 650MHz on the other side, and PPPoE on both of them .... that's an incoming bottleneck. For me, a bigger problem with OpenVPN is its use of TCP as transport (which is a limitation of RouterOS 6.x, not of OpenVPN itself), which may amplify eventual ...
by sindy
Tue Apr 06, 2021 9:18 pm
Forum: General
Topic: VPN internet routing
Replies: 8
Views: 834

Re: VPN internet routing

The clients can be on different subnets 192.168.40.0/24 or 192.168.20.0/24 etc.. 192.168.0.0/24 as it can connect from different hotspots so i need to add this on Windows client side? Add-VpnConnectionRoute -ConnectionName "VPNconnectionname" -DestinationPrefix 192.168.40.0/24 -PassThru I...
by sindy
Tue Apr 06, 2021 7:07 pm
Forum: General
Topic: CAPSMann no usable channel error message
Replies: 7
Views: 554

Re: CAPSMann no usable channel error message

You cannot set the country locally on the cAP once its wireless interface is controlled by CAPsMAN, but you can still see the setting if you use the command line (available after pressing the [Terminal] button) command I've suggested. My speculation was that some other country profile than netherlan...
by sindy
Tue Apr 06, 2021 6:45 pm
Forum: General
Topic: VPN internet routing
Replies: 8
Views: 834

Re: VPN internet routing

Windows 10 - i found a way named split tunneling by disabling "use the default gateway of the remote network" on VPN connection, but i am not sure if this is the correct way It is, provided that the LAN consists of a single subnet and you assign addresses from the same subnet to the L2TP ...
by sindy
Tue Apr 06, 2021 6:36 pm
Forum: General
Topic: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]
Replies: 8
Views: 716

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]

Multiple issues exist. First, at the OVPN client side (Site A), your only action=masquerade rule there is not restricted to out-interface=pppoe-out1 or out-interface-list=WAN (adding either of these match conditions is sufficient as a fix), so connections whose first packet is sent from Site A to Sit...
by sindy
Tue Apr 06, 2021 4:58 pm
Forum: General
Topic: VPN internet routing
Replies: 8
Views: 834

Re: VPN internet routing

What kind of client are we talking about? Windows, Android, iOS, MacOS...?
by sindy
Tue Apr 06, 2021 4:56 pm
Forum: General
Topic: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]
Replies: 8
Views: 716

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]

Are the subnets you've shown the only ones used at each site? I.e. is the VoIP phone also in 172.16.0.0/16 at site B? That other guy is right in terms that on a usual VoIP PBX, the phone exchanges signalling information only with the PBX which controls it, but the media (audio) stream is established...
by sindy
Tue Apr 06, 2021 4:33 pm
Forum: General
Topic: CAPSMann no usable channel error message
Replies: 7
Views: 554

Re: CAPSMann no usable channel error message

You've answered just one of my questions, so I repeat the second one: what country is set at the cAP itself under /interface wireless ? Also, there is another possibly interesting point in the actual-interface-configuration above: channel.band=5ghz-onlyac , does the problematic cAP support the AC mo...
by sindy
Tue Apr 06, 2021 3:40 pm
Forum: General
Topic: WPA2 EAP-TLS + userman only. Is it possible ?
Replies: 5
Views: 667

Re: WPA2 EAP-TLS + userman only. Is it possible ?

It depends on what exactly you mean by a deauthentication attack. If you have in mind that the attacker cannot trick your STA into associating with a forged AP with the same SSID and better signal by sending it a deauthentication frame, then yes, the STA will not authenticate a connection to an AP w...
by sindy
Tue Apr 06, 2021 2:16 pm
Forum: General
Topic: CAPSMann no usable channel error message
Replies: 7
Views: 554

Re: CAPSMann no usable channel error message

1) I'd believe that the error message is relevant, so what is the value of the configuration.country value in the output of /caps-man actual-interface-configuration print where name~"11-E-2" , and what is the output of :put [/interface wireless get 0 country] on the cAP itself? 2) yes, R i...
by sindy
Tue Apr 06, 2021 2:02 pm
Forum: General
Topic: WPA2 EAP-TLS + userman only. Is it possible ?
Replies: 5
Views: 667

Re: WPA2 EAP-TLS + userman only. Is it possible ?

When exporting the certificate generated for the client, have you specified any export-passphrase value? If you don't specify any, the private key to the certificate is not exported at all, and therefore the client cannot use the certificate to authenticate itself. The fact that you cannot choose th...
by sindy
Mon Apr 05, 2021 8:46 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2242

Re: Transparent hEX S to change vlan-priority for DHCP request only

As you want it wirespeed, the switch chip must do all the job. Hence you have to make sfp1 and etherX member ports of a bridge with hw=yes on the respective /interface bridge port rows, and if you ever add any other port of that switch chip to any other bridge, it must be added with hw=no (only a si...
by sindy
Mon Apr 05, 2021 5:16 pm
Forum: General
Topic: why youtube is not blocked?
Replies: 13
Views: 1906

Re: why youtube is not blocked?

Whether TLS 1.3 is used atop QUIC or not changes nothing about the fact that the tls-host match condition in RouterOS firewall only works with TCP, so it can never see any QUIC payload.
by sindy
Mon Apr 05, 2021 4:51 pm
Forum: General
Topic: Email smtp timeout on mikrotik
Replies: 7
Views: 942

Re: Email smtp timeout on mikrotik

It needs sniffing to find out what's going on. Ideally you'd have a second PC, or a second Ethernet interface on the same PC from which you send the e-mail, to which the Mikrotik would stream the sniffed packets. If this is not possible, you can sniff into a file on the Mikrotik itself, but then the...
by sindy
Mon Apr 05, 2021 4:26 pm
Forum: General
Topic: vlan problem on hEX [SOLVED]
Replies: 18
Views: 1665

Re: vlan problem on hEX [SOLVED]

The configuration you have posted as a file seems fine to me regarding VLANs. VLAN 100 is tagged on both the bridge and ether2 ports of the bridge, VLAN1 is not tagged on either of the two, and the DHCP servers are attached as appropriate, the one for VLAN 100 is attached to the /interface vlan and ...
by sindy
Mon Apr 05, 2021 3:35 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2242

Re: Transparent hEX S to change vlan-priority for DHCP request only

Agree that the hEX S will be the bottleneck and switch rules are not supported for vlan and also for sfp1. On MT7621 based routers, RouterOS doesn't support switch chip rules at all, not only on sfp1. I plan to replace my hEX S for each box by : - RB2011iLS-IN - or RB935GS-5HnT-RP Both should work ...
by sindy
Mon Apr 05, 2021 1:45 pm
Forum: General
Topic: PPTP S2S bridge - Wrong output IP [SOLVED]
Replies: 8
Views: 804

Re: PPTP S2S bridge - Wrong output IP [SOLVED]

If the same out-interface and/or the same routing-mark are used also for forwarded traffic, and you want to prevent forwarded connections from getting src-nated, add src-address-type=local to the action=src-nat rule. This condition matches on packets whose source address is any of the router's own o...
by sindy
Mon Apr 05, 2021 1:30 pm
Forum: General
Topic: WPA2 EAP-TLS + userman only. Is it possible ?
Replies: 5
Views: 667

Re: WPA2 EAP-TLS + userman only. Is it possible ?

• for a client authenticating itself to the AP using a certificate alone, you don't need RADIUS at all
• for a client authenticating itself using a username/password tuple rather than a certificate, you either need an external RADIUS server or you must run RouterOS 7 (I don't know the state of the ar...
by sindy
Mon Apr 05, 2021 12:55 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2242

Re: Transparent hEX S to change vlan-priority for DHCP request only

It's almost the same except that in the bridge filter rules, you have to use chain=forward rather than chain=output , and add an in-interface=ether3 match condition. And you still have to use a dedicated bridge for VLAN 832, because the bridge filter rules currently do not support matching on IP hea...
by sindy
Mon Apr 05, 2021 12:26 pm
Forum: General
Topic: marking packets to an external gateway
Replies: 2
Views: 255

Re: marking packets to an external gateway

You can use src-nat instead of masquerade and ask the linux box admin to choose the routing table depending on:
• the source address of the packet coming from you
• DSCP values
• VLAN ID in VLAN tags
• priority in VLAN tags
There are no other fields in the frame or packet headers you could modify without ...
by sindy
Mon Apr 05, 2021 11:34 am
Forum: General
Topic: PPTP S2S bridge - Wrong output IP [SOLVED]
Replies: 8
Views: 804

Re: PPTP S2S bridge - Wrong output IP [SOLVED]

The thing is how the mangling works in the output chain. First of all, an output packet is routed using the main table, which includes assignment of the source address, which is the pref-src one if specified for the route or the IP address associated to the out-interface otherwise. The mangle rules ...
by sindy
Fri Apr 02, 2021 7:13 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2495

Re: Discovery of external IP address (Noip.com)

A) The way you describe it, you've opted to use a dst-nat rule rather than to restrict the IPsec policy to carry only the L2TP transport packets. Nothing wrong about that. However, it then cannot be a matter of a bypassed dst-nat any more, but there may still be an MTU issue. I'd suggest to run /too...
by sindy
Fri Apr 02, 2021 4:07 pm
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2239

Re: CRS317-1G-16S+ High CPU lead to drop packet

If I remember right, the APs look for the channel with least interference among those permitted by the channel configuration; try /caps-man interface scan to check what you can really see in the air. Plus I'm not an expert here and the manual is silent about this, but as you have specified C e for t...
by sindy
Fri Apr 02, 2021 3:44 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4396

Re: Two EOIP tunnels and traffic problem

If the log is complete, it means the client did not respond to the last PDU (split into two packets), either because it didn't like it or because it did not receive it at all. Misconfigurations I've spotted: the presentation you refer to uses username&password authentication of the clients, but ...
by sindy
Fri Apr 02, 2021 2:45 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4396

Re: Two EOIP tunnels and traffic problem

It has to be /export hide-sensitive file=any-name-you-prefer. The result of /system backup save cannot be read.

And the log seems to be cut short, is it really all?
by sindy
Fri Apr 02, 2021 12:50 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4396

Re: Two EOIP tunnels and traffic problem

I don't think Mikrotik support has enough manpower to provide individual configuration assistance even to first time users, that's a job for consultants or maybe distributors. Here on the forum, please, don't refer to presentations or, even worse, videos. The time used to watch these can be used mor...
by sindy
Thu Apr 01, 2021 2:38 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1370

Re: IKEv2 server ignores dhcp query on vlan interface

If it works when the IKE connection establishes with a local IP address attached to a bridge with no member ports at all, you indeed don't need the VLAN to join this bridge to the main one. But at least until recently, Windows clients didn't like by default that the responder was behind a NAT, and y...
by sindy
Thu Apr 01, 2021 1:14 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4396

Re: Two EOIP tunnels and traffic problem

at the moment I have not been successful in more than 1 bare L2TP tunnels using same WAN IP. But I will try again, is there a particular setting I need to set for this to work harmoniously? I don't know about any. But there were some issues with L2TP in one of recent RouterOS versions, check the re...
by sindy
Thu Apr 01, 2021 11:05 am
Forum: General
Topic: IPsec site to site tunnels, security issue question?
Replies: 10
Views: 1115

Re: IPsec site to site tunnels, security issue question?

The whole point of a VTI is that you can use regular routing rather than traffic matching by selectors, which quickly turns into a nightmare if you use more subnets at each end of a link. VTI violates the security concept of IPsec in terms that if you use VTI, traffic matching an existing traffic se...
by sindy
Thu Apr 01, 2021 10:45 am
Forum: General
Topic: Forward all wan traffic to another firewall
Replies: 9
Views: 895

Re: Forward all wan traffic to another firewall

I don't think there is a documentation example that would cover exactly this. Search for "policy routing" (nothing to do with IPsec policies), i.e. how to create multiple routing tables and choose one for each individual packet depending on its origin and possibly other properties, and als...