Community discussions

Search found 7212 matches

by sindy
Fri May 14, 2021 7:44 pm
Forum: General
Topic: RB trying to be hacked by a mac to an internal IP of internal network
Replies: 4
Views: 200

Re: RB trying to be hacked by a mac to an internal IP of internal network

I'm afraid I need a drawing to understand what you explain, but I'll try without it first: if I get it right, when it didn't work, the LAN side of the Mikrotik in question actually was not completely disconnected as I understood from your Original Post, except that only the PC from which you manage ...
by sindy
Thu May 13, 2021 11:34 pm
Forum: General
Topic: How to prioritize all OSPF traffic?
Replies: 6
Views: 302

Re: How to prioritize all OSPF traffic?

The priority you set in the respective field of a VLAN tag is only honored, if at all, by an external device. All priority handling in Mikrotik itself is done by means of queues (queue tree and/or queue simple) and the only ways to let a packet (or frame) be handled by a particular queue are to as...
by sindy
Thu May 13, 2021 11:19 pm
Forum: General
Topic: RB trying to be hacked by a mac to an internal IP of internal network
Replies: 4
Views: 200

Re: RB trying to be hacked by a mac to an internal IP of internal network

If you have a decent firewall, there's nothing to actually worry about regarding these messages. The ones with in: WAN - 1 out: (unknown 0) log packets that have been sent to broadcast MAC addresses, hence the machine receives them and the firewall logs them. The first one is sent by some device (74...
by sindy
Thu May 13, 2021 10:50 pm
Forum: General
Topic: VRRP on WAN
Replies: 1
Views: 103

Re: VRRP on WAN

You can set multiple VRRP interfaces with different virtual IPs on the same group of physical interfaces, you just have to use a different VRRP ID for each of them (exceptions exist but better avoid using the same one). To synchronize the state of VRRP running on different physical interfaces in ord...
by sindy
Thu May 13, 2021 9:47 pm
Forum: General
Topic: Multiple L2TP clients on single device
Replies: 6
Views: 329

Re: Multiple L2TP clients on single device

You're not forgotten, but this is my voluntary activity and I have more than enough else to do these days. And you've said you are a beginner so reddit-style brief hints don't help much. So below is a config to be set on a router with no configuration at all. Which is not the same as a router with a...
by sindy
Mon May 10, 2021 5:33 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

OK, so please show me the output of /tool sniffer quick ip-protocol=icmp ip-address=192.168.9.2 while pinging 192.168.9.2 from the PC.

And then Wireshark on the PC while pinging 192.168.9.1. It starts being crazy.
by sindy
Mon May 10, 2021 5:15 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

OK, still the same - the 3011 pings the LTE from wan2-100 and gets a response every 30 s, except that now with hw=no you can see also the ping request to leave tagged via ether10, not just the response to come in through there. So everything is fine regarding the VLAN setup. As the ping requests fr...
by sindy
Mon May 10, 2021 5:09 pm
Forum: General
Topic: Very high sector writes
Replies: 43
Views: 5422

Re: Very high sector writes

Does wear leveling include moving static data, thus causing more writes? If not, all your calculations have to be adjusted to take into account that all that happens only in the part of the flash which doesn't hold the RouterOS image itself. So from your 100 years life expectancy for full 16 MB with...
by sindy
Mon May 10, 2021 4:51 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

Ah, hw=yes strikes again... Please set hardware acceleration to no under /interface bridge port for ether10 and for the port to which you connect the PC, and try again. When hw=yes, some packets do not get captured on the Ethernet interface. I keep forgetting about that. In any case, your sniff onl...
by sindy
Mon May 10, 2021 4:02 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

eth10 remains in the bridge
That's correct.
by sindy
Mon May 10, 2021 4:00 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

If you have in mind adding wan2-100 as a member port of a bridge, it's correct that you cannot add it. wan2-100 is a VLAN interface whose tagged end is attached to the bridge, so making its tagless end a member port of the same bridge would create a loop, hence it is good it is not possible. Your pr...
by sindy
Mon May 10, 2021 3:42 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

How does /ip firewall address-list export look like, and what does the sniffing as suggested above show?
by sindy
Mon May 10, 2021 3:25 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

@anav: What scripts? Where? If you mean the reconfiguration script a few posts above, a script is the most concise way of expressing the necessary configuration changes. I'm not going to create a presentation with screenshots of all the relevant windows before and after. But you can always translate...
by sindy
Mon May 10, 2021 3:19 pm
Forum: General
Topic: Multiple L2TP clients on single device
Replies: 6
Views: 329

Re: Multiple L2TP clients on single device

Given the clear separation between the management addresses (10.200.0.0/16, btw quite an overkill for a "dozen" clients) and the corporate range (192.168.0.0/16), it's nothing extremely complex. In particular, there is no need for policy routing, just tell me whether you'll be managing the...
by sindy
Mon May 10, 2021 11:44 am
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

This interface list row is definitely an error - my script should have changed ether10 to wan2-100 on it. I've tested it on my lab CHR and it worked, interesting. Nevertheless, this does not explain why you cannot ping the LTE IP. So once you fix that row, make the command line window as wide as you...
by sindy
Mon May 10, 2021 8:05 am
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

When you connect the same client to any of ether2..ether9 on the 3011 instead of 02..04 on the GS105E, do you get the same result?

Can you show me the export after applying my script?
by sindy
Mon May 10, 2021 12:16 am
Forum: RouterOS v7 BETA
Topic: v7.1beta5 [development] is released!
Replies: 290
Views: 39357

Re: v7.1beta5 [development] is released!

You wrote you need the 4-(mac)-address mode and capsman to be supported on wifiwave2 in order to be able to test it. That implies to me that you normally use both these features simultaneously (i.e. a capsman-controlled AP in AP-bridge mode), which I thought was impossible. What am I missing?
by sindy
Sun May 09, 2021 10:38 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta5 [development] is released!
Replies: 290
Views: 39357

Re: v7.1beta5 [development] is released!

need 4 address mode support for that, plus CAPsMAN support
Sorry for off-topic, but how do you make these two work together on any ROS release, without wifiwave2?
by sindy
Sun May 09, 2021 8:03 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

I am now testing the switch with the image configuration and I can reach vlan10 anyway.
Again... when something is connected to port 02 of Netgear, it gets an IP address from 10.0.0.0/24 because that port is an access one to VLAN 1 which is tagless at port 01 of the GS105E and at ether2 .. ether10 ...
by sindy
Sun May 09, 2021 4:12 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

this should not happen if not enabling the vlan on the android devices.
It's a misunderstanding. The fact that the subnet 172.16.10.0/24 lives in a dedicated VLAN does not mean that devices in other subnets cannot reach devices in 172.16.10.0/24, as the very purpose of a router is to forward traffi...
by sindy
Sun May 09, 2021 11:57 am
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

Yes, if everything else works properly, there will be no problem. However, the configuration you've posted shows that a static address is assigned to WAN2: /ip address ... add address=192.168.9.2/24 interface=ether10-WAN2 network=192.168.9.0 So what have I missed? Also, take care about changing the ...
by sindy
Sun May 09, 2021 11:26 am
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

So before copy-pasting my script above, rename ether10-WAN2 to ether10.
Then copy-paste that script except the last row.
Instead of the last row, use /interface bridge port enable [find interface=ether10].
by sindy
Sun May 09, 2021 10:36 am
Forum: General
Topic: Multiple L2TP clients on single device
Replies: 6
Views: 329

Re: Multiple L2TP clients on single device

Yes, it is possible. Two L2TP clients towards different servers are OK. You can even use the automatically generated IPsec configurations if both servers accept the same Phase 1 and Phase 2 proposal, otherwise you'd have to configure the IPsec layer manually. Regarding the different usage policies o...
by sindy
Sun May 09, 2021 10:15 am
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

OK. So let's assume you've started from a default configuration, where ether2 .. ether10 were member ports of a bridge named bridge, and you've just removed ether10 from that bridge and used it as WAN2. So as I wrote above /interface vlan add name=wan2-100 interface=bridge vlan-id=100 /ip address s...
by sindy
Sun May 09, 2021 10:14 am
Forum: General
Topic: VPN special usage
Replies: 1
Views: 215

Re: VPN special usage

You'll have to elaborate on what you mean by download and upload, as it can be understood in multiple ways: from the perspective of a single packet, where "download" means that a packet goes from router A to router B and "upload" means a packet goes from router B to router A from...
by sindy
Sat May 08, 2021 11:01 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

If the ether10 itself currently acts as WAN2, do you want ether2..ether4 of the netgear to extend some existing LAN bridge of the 3011? Or will it be a separate LAN segment? The necessary changes on the 3011 depend on the answer.
by sindy
Sat May 08, 2021 9:59 pm
Forum: General
Topic: VPN L2TP/IPSEC RouterOS 6.11
Replies: 19
Views: 775

Re: VPN L2TP/IPSEC RouterOS 6.11

My approach would have been to install the new 1100 next to the old one and connect one of the new one's ports to the old one's LAN, port-forward UDP port 4500 from the old one's WAN to new one's IP address on the LAN, and set up the L2TP/IPsec server on the new one. And later copy the firewall conf...
by sindy
Sat May 08, 2021 9:24 pm
Forum: General
Topic: WAN over VLAN
Replies: 43
Views: 1479

Re: WAN over VLAN

if ether10 of the 3011 is a member port of a bridge, hook an /interface vlan with vlan-id=100 to that bridge, otherwise add it directly to ether10. Let's name it wan2-100 for simplicity. move all the IP address configuration from the current etherX acting as WAN2 to wan2-100 you've added above. Al...
by sindy
Thu May 06, 2021 8:59 am
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 488

Re: IPsec Site to SIte behind NAT

don't know if that is possible in Windows server
It is. Option 249 is Microsoft's proprietary alternative to Option 121. The difference between the two is that Option 249 is used in addition to Option 3 (list of default gateways), whereas Option 121 replaces Option 3 (i.e. it contains the complete ...
by sindy
Wed May 05, 2021 10:42 pm
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 488

Re: IPsec Site to SIte behind NAT

Is it possible to have ddns name on Site B router so when ip changes that tunnel stays up, or no?
RouterOS doesn't support IPsec MOBIKE yet, so the tunnel won't exactly stay up but it will re-establish. You can use the /ip cloud to update the dynamic DNS operated by Mikrotik (xxxxxxxx.sn.mynetname....
by sindy
Wed May 05, 2021 9:08 pm
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 488

Re: IPsec Site to SIte behind NAT

I'd say it's simply a routing issue at Site A. I assume all the devices in 192.168.97.0/24 get their IP configuration via DHCP from the Huawei, so their default route's gateway is the Huawei itself, 192.168.97.254. Hence when a ping packet arrives to them from 10.0.0.1, i.e. from an address outside ...
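The two posts above (Option 121 vs Microsoft's Option 249, and the Site A hosts whose default gateway is the Huawei rather than the router that owns the tunnel) both come down to pushing a classless static route to the LAN hosts via DHCP. The following is an added example, not code from the forum thread or from RouterOS: it encodes and decodes the RFC 3442 wire format that Option 121 and Option 249 share, and flags the one trap the post mentions, namely that a client which receives Option 121 ignores Option 3, so the default route has to be carried inside Option 121 itself. The 192.168.97.0/24 LAN and the Huawei at 192.168.97.254 are from the thread; the MikroTik LAN address 192.168.97.1 and the remote subnet 10.0.0.0/24 are assumptions made for the example.

```python
"""Classless static route option (RFC 3442) encoder/decoder.

Wire format of each route entry:
    <prefix length, 1 byte> <only the significant octets of the destination>
    <router, 4 bytes>
so a default route 0.0.0.0/0 takes just 5 bytes and 10.0.0.0/24 takes 8.
Added example; addresses 192.168.97.1 and 10.0.0.0/24 are assumed, not from the thread.
"""
import ipaddress
from typing import List, Tuple

OPTION_CLASSLESS_STATIC_ROUTE = 121     # RFC 3442: client MUST ignore Option 3 when present
OPTION_MS_CLASSLESS_STATIC_ROUTE = 249  # Microsoft's pre-standard twin, same payload format

Route = Tuple[str, str]  # ("destination/prefixlen", "router")


def encode_routes(routes: List[Route]) -> bytes:
    """Serialize a list of (prefix, router) pairs into the option payload."""
    out = bytearray()
    for prefix, router in routes:
        net = ipaddress.ip_network(prefix)        # strict: host bits must be zero
        significant = (net.prefixlen + 7) // 8    # 0 octets for 0.0.0.0/0
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.ip_address(router).packed
    return bytes(out)


def decode_routes(payload: bytes) -> List[Route]:
    """Parse an option payload back into (prefix, router) pairs, rejecting truncation."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        significant = (plen + 7) // 8
        dest = payload[i + 1:i + 1 + significant]
        router = payload[i + 1 + significant:i + 5 + significant]
        if len(dest) != significant or len(router) != 4:
            raise ValueError(f"truncated route entry at offset {i}")
        dest = dest + b"\x00" * (4 - significant)  # restore the omitted zero octets
        routes.append((f"{ipaddress.ip_address(dest)}/{plen}",
                       str(ipaddress.ip_address(router))))
        i += 5 + significant
    return routes


def lint_routes(code: int, routes: List[Route]) -> List[str]:
    """Warnings a DHCP admin wants before handing this option to clients."""
    warnings = []
    has_default = any(prefix == "0.0.0.0/0" for prefix, _ in routes)
    if code == OPTION_CLASSLESS_STATIC_ROUTE and not has_default:
        warnings.append("Option 121 replaces Option 3: add 0.0.0.0/0 or clients lose their default route")
    if len(encode_routes(routes)) > 255:
        warnings.append("payload exceeds the 255-byte option limit")
    return warnings


def option_tlv(code: int, routes: List[Route]) -> bytes:
    """Full option as it appears in the DHCP packet: code, length, payload."""
    payload = encode_routes(routes)
    if len(payload) > 255:
        raise ValueError("payload exceeds 255 bytes")
    return bytes([code, len(payload)]) + payload


if __name__ == "__main__":
    # Site A hosts: send 10.0.0.0/24 (assumed tunnel subnet) via the MikroTik,
    # everything else via the Huawei. With Option 249 the default route may be
    # left to Option 3; with Option 121 it must be included.
    site_a = [("10.0.0.0/24", "192.168.97.1"), ("0.0.0.0/0", "192.168.97.254")]
    print(option_tlv(OPTION_CLASSLESS_STATIC_ROUTE, site_a).hex())
    print(decode_routes(encode_routes(site_a)))
    print(lint_routes(OPTION_CLASSLESS_STATIC_ROUTE, site_a[:1]))
```

Run it and you get the 13-byte payload `180a0000c0a86101 00c0a861fe` (route to 10.0.0.0/24 via 192.168.97.1, then the default route via 192.168.97.254); feeding the first route alone to `lint_routes` under code 121 produces the warning, under code 249 it does not.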
by sindy
Mon May 03, 2021 1:25 pm
Forum: General
Topic: Src-nat on output + IPsec?
Replies: 5
Views: 483

Re: Src-nat on output + IPsec?

Regarding where the NAT is executed, it's a bit more complex:
change of destination address, i.e. dst-nat and un-src-nat, is done before routing, just after the packet has arrived.
change of source address, i.e. src-nat and un-dst-nat, is done after routing, just before the packet is sent.
So if I g...
by sindy
Fri Apr 30, 2021 9:59 pm
Forum: General
Topic: VPN IPsec with BINAT configuration
Replies: 1
Views: 188

Re: VPN IPsec with BINAT configuration

The term BINAT seems to be pfSense specific; in fact, it addresses a situation where you interconnect two sites and same subnets are used at both of them, and you need devices at site A to communicate with devices in a site B subnet shadowed by a local one at site A. This issue needs to be addressed...
by sindy
Fri Apr 30, 2021 8:46 pm
Forum: General
Topic: MAC based port forwarding rule
Replies: 7
Views: 466

Re: MAC based port forwarding rule

I want port forward rule work after check device's MAC, I will store some device's MAC in router. if device's MAC same then Mikrotik apply port forwarding rule otherwise denied.
While matching on src-mac-address does work in /ip firewall if some other pre-requisites are met, it only makes sense to ...
by sindy
Fri Apr 30, 2021 8:40 pm
Forum: General
Topic: Issues with IPsec between Sophos and Mikrotik
Replies: 5
Views: 330

Re: Issues with IPsec between Sophos and Mikrotik

There is no route setup on the mikrotik's side to get to the Sophos side however I can access all resources on the other side of the tunnel.
Don't worry, it's because the IPsec policies intercept the traffic and divert it into the tunnel. But some route for the traffic must exist, as the IPsec poli...
by sindy
Fri Apr 30, 2021 8:15 pm
Forum: General
Topic: NAT problem with host's internal traffic using route marking.
Replies: 6
Views: 471

Re: NAT problem with host's internal traffic using route marking.

I'd have to see the actual configurations to suggest something more.
by sindy
Tue Apr 27, 2021 9:50 am
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 630

Re: IKEv2 + android clients [SOLVED]

Was about to shoot a bazooka at that router :D
Waste of ammo... using a hammer provides more relief to your soul :) Plus in your locality, you've got the globally unique possibility to get it run over by a šalina. about this: add action=dst-nat chain=dstnat in-interface=ether1 ipsec-policy=in,none ...
by sindy
Tue Apr 27, 2021 12:53 am
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 630

Re: IKEv2 + android clients [SOLVED]

The packets decapsulated from IPsec transport ones inherit the in-interface attribute from the transport ones. Assuming that ether1 is your WAN, the dst-nat rule action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.50.10 to-ports=45000-45500 diverts any TCP connection co...
by sindy
Mon Apr 26, 2021 11:17 am
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 175
Views: 121224

Re: Using RouterOS to VLAN your network

Not sure it belongs here (as you've properly stated, this topic should actually be a wiki article). However: There is no equivalent of Cisco's VTP on Mikrotik, so you cannot dynamically distribute VLAN configuration across wired network from a single device. But if you are interested solely in cAPs,...
by sindy
Mon Apr 26, 2021 8:32 am
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 630

Re: IKEv2 + android clients [SOLVED]

*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383); As my router is running 6.47.9, this could be the cause ( fragmentation) ?
RFC7383 only deals with application-level fragmentation of the control traffic (IKE), not of transport packets. Since the connection has established properly...
by sindy
Sun Apr 25, 2021 5:08 pm
Forum: General
Topic: Static WAN IP not working - mask issue?
Replies: 11
Views: 537

Re: Static WAN IP not working - mask issue?

I didn't try Sindy's advice because it looked like what you would do on the upstream router to me to mimic the behaviour of my ISP.
Sure, you've got it right - that wasn't an advice what to do at your router. There is nothing to advise regarding static address configuration if the ISP only allows t...
by sindy
Sun Apr 25, 2021 5:03 pm
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 630

Re: IKEv2 + android clients [SOLVED]

I'm a bit confused by xena@local.cz being used as both the common name of the initiator's (Strongswan's) certificate and the own ID of the responder (Mikrotik); maybe the IPsec stack is confused too? How does Mikrotik's own certificate look like? I also hazily remember I had cases where I had to remo...
by sindy
Sun Apr 25, 2021 4:28 pm
Forum: General
Topic: Routes to multiple addresses
Replies: 5
Views: 437

Re: Routes to multiple addresses

There is no way to use a list of prefixes as a dst-address of a single route. The usual approach is to use a dynamic routing protocol such as OSPF or BGP. Another approach might be to use mangle rules (which can match on dst-address-list) to assign routing-mark values, and have just a default route ...
by sindy
Sun Apr 25, 2021 4:19 pm
Forum: General
Topic: Same subnets to L2TP/IPsec, possible?
Replies: 3
Views: 274

Re: Same subnets to L2TP/IPsec, possible?

Have a look at action=netmap in /ip firewall nat. It's the best you can have, with some drawbacks of course - it's still NAT.
by sindy
Sun Apr 25, 2021 3:44 pm
Forum: General
Topic: DHCP client Ether1 looses IP address every1-5 minutes
Replies: 4
Views: 579

Re: DHCP client Ether1 looses IP address every1-5 minutes

As you've explicitly asked for a response in this thread:
1. /tool sniffer set file-name=dhcp.pcap file-limit=100000 filter-interface=your-wan-interface-name filter-ip-protocol=udp filter-port=bootps
2. make sure that all other filter-xxx fields of /tool sniffer settings are empty
3. /tool sniffer s...
by sindy
Sun Apr 25, 2021 1:37 pm
Forum: General
Topic: Static WAN IP not working - mask issue?
Replies: 11
Views: 537

Re: Static WAN IP not working - mask issue?

I copy the IP data into static entries and it doesn't work.
If so, I'd assume the provider uses some kind of protection against people arbitrarily assigning public IPs on their own. In RouterOS, you would do this by setting arp=reply-only in the configuration of the interface and setting add-arp=ye...
by sindy
Sun Apr 25, 2021 1:22 pm
Forum: General
Topic: Static WAN IP not working - mask issue?
Replies: 11
Views: 537

Re: Static WAN IP not working - mask issue?

When you say "I turn off DHCP client", does that mean that with DHCP client on, you get some public IP and everything works? But once you assign the same IP address, mask and gateway you have previously obtained using the DHCP client before, it doesn't?
by sindy
Sat Apr 24, 2021 10:08 pm
Forum: General
Topic: L2TP/IPSec VPN problem on 6.48.1 and 6.48.2
Replies: 1
Views: 328

Re: L2TP/IPSec VPN problem on 6.48.1 and 6.48.2

What you describe sounds like you've got multiple peers with same values of local-address, address, and exchange-mode, where one of them is dynamically generated by the L2TP setting use-ipsec=yes.

What does /ip ipsec peer print detail show while the L2TP server is enabled?
by sindy
Sat Apr 24, 2021 10:03 pm
Forum: General
Topic: Marking IKEv2 dynamic connection for Firewall?
Replies: 1
Views: 199

Re: Marking IKEv2 dynamic connection for Firewall?

chain=input protocol=tcp dst-port=8291 in-interface-list=WAN ipsec-policy=in,ipsec action=accept
by sindy
Sat Apr 24, 2021 9:52 pm
Forum: General
Topic: Blocking LLDP / Protocol 35020
Replies: 4
Views: 536

Re: Blocking LLDP / Protocol 35020

@changeip, too many things work different than you expect. The ip firewall only deals with IP packets, so the protocol matches on the payload protocols of IP, such as UDP, TCP, GRE... MNDP is an application using UDP and port 5678, but RouterOS sends MNDP packets in such a way that they bypass the IP...
by sindy
Sat Apr 24, 2021 9:30 pm
Forum: General
Topic: NAT problem with host's internal traffic using route marking.
Replies: 6
Views: 471

Re: NAT problem with host's internal traffic using route marking.

You haven't posted the configurations, but you mention default firewall rules. The default firewall rule "drop invalid" in chain forward of filter prevents those SYN,ACK packets from reaching the out-interface (LAN in this case) and thus triggering the sending of ICMP redirect, as the conn...
by sindy
Sat Apr 24, 2021 4:45 pm
Forum: General
Topic: VLAN separation using new Bridge VLAN Filtering feature
Replies: 9
Views: 2295

Re: VLAN separation using new Bridge VLAN Filtering feature

This post may explain why the configuration changes mentioned by @jahudka are necessary.
by sindy
Fri Apr 23, 2021 11:17 pm
Forum: General
Topic: Bridge/vlan configuration advice
Replies: 3
Views: 285

Re: Bridge/vlan configuration advice

I'll go a bit deeper into the reasons than @mkx: As you intend to set up an L2 ring configuration (the CCR will be connected to two CRS and those will be connected to each other), you need to use some STP flavor to prevent L2 looping. And in order that xSTP behaved correctly, you must use the "...
by sindy
Thu Apr 22, 2021 7:32 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1150

Re: Internet connection drops for 4-3 second every few moment

The price is about 1 month of my brother's income, So it's a lot. ... the bad news is the Mikrotik is the only brand which is accepted by my country ISPs.
Which seems to be related, other vendors may be prohibitively expensive or embargoed. And they don't support NV2 of course. They already have connecte...
by sindy
Thu Apr 22, 2021 7:01 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 8
Views: 684

Re: NETMAP vs SRCNAT

action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible). example:
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47
results in the sam...
by sindy
Thu Apr 22, 2021 6:58 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 8
Views: 684

Re: NETMAP vs SRCNAT

f.e., if we have 10.35.27.10 as a source address, netmap will replace it with 192.168.143.40?
No, with 192.168.143.42 (32 + 10)
by sindy
Thu Apr 22, 2021 6:38 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1150

Re: Internet connection drops for 4-3 second every few moment

the only situation that I don't get timeout and the problem gets solved, is by disabling other clients on ISP radio device. So they suggest me to buy one more radio and make a PTP connection, but it costs a lot, I believe the problem is solvable so it's not worth paying that much money for t...
by sindy
Thu Apr 22, 2021 5:20 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 8
Views: 684

Re: NETMAP vs SRCNAT

Because the netmask part of the to-addresses value is 28, i.e. 255.255.255.240. So the value of the bits of the original address whose positions match the zero bits in the mask, i.e. the least significant four bits, is 12 in all three cases, and the bits whose positions match the one bits in the mas...
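The three NETMAP vs SRCNAT posts above (and the earlier BINAT and "same subnets" answers that point at action=netmap) describe the same bit arithmetic: netmap keeps the host bits of the original address and swaps in the network bits of the to-addresses prefix, which is why 10.35.27.10 lands on 192.168.143.42 under to-addresses=192.168.143.32/28. The following is an added example, not code from the forum thread or from RouterOS, that computes that mapping in plain Python and contrasts it with the address pool a src-nat range offers; the source prefix 10.35.27.0/28 used for the table is an assumption, the other addresses are the thread's.

```python
"""What RouterOS action=netmap does to an address, in plain Python.

With to-addresses=192.168.143.32/28 the mask is 255.255.255.240: the low four
bits of the original address survive, the rest come from 192.168.143.32.
Added example; 10.35.27.0/28 as the original prefix is an assumption.
"""
import ipaddress
from typing import Dict, List


def netmap_translate(addr: str, to_prefix: str) -> str:
    """Return the address netmap substitutes for `addr` under to-addresses=to_prefix."""
    target = ipaddress.ip_network(to_prefix, strict=False)
    mask = int(target.netmask)
    host_bits = int(ipaddress.ip_address(addr)) & (~mask & 0xFFFFFFFF)  # positions where mask is 0
    network_bits = int(target.network_address)                          # already masked by ip_network()
    return str(ipaddress.ip_address(network_bits | host_bits))


def netmap_table(src_prefix: str, to_prefix: str) -> Dict[str, str]:
    """Map every address of src_prefix through netmap.

    The result is a bijection only when both prefixes have the same length,
    which is what makes netmap usable for the overlapping-subnet (pfSense "BINAT")
    case: the same arithmetic applied to the translated address with the original
    prefix gives the original address back.
    """
    src = ipaddress.ip_network(src_prefix, strict=False)
    to = ipaddress.ip_network(to_prefix, strict=False)
    if src.prefixlen != to.prefixlen:
        raise ValueError("netmap is only 1:1 for equal-length prefixes")
    return {str(a): netmap_translate(str(a), to_prefix) for a in src}


def srcnat_pool(to_range: str) -> List[str]:
    """The candidate addresses action=src-nat may use for to-addresses=A-B.

    The rule does not promise a fixed one-to-one correspondence between original
    and translated address, so unlike netmap there is nothing to compute in reverse.
    """
    lo, hi = (ipaddress.ip_address(p) for p in to_range.split("-"))
    return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]


if __name__ == "__main__":
    print(netmap_translate("10.35.27.10", "192.168.143.32/28"))   # 192.168.143.42
    print(netmap_translate("192.168.143.42", "10.35.27.0/28"))    # back to 10.35.27.10
    for orig, new in netmap_table("10.35.27.0/28", "192.168.143.32/28").items():
        print(f"{orig:>14} -> {new}")
    print(srcnat_pool("192.168.143.32-192.168.143.47"))
```

The table shows that the whole /28 maps onto 192.168.143.32-47 with no two originals colliding, while the src-nat range offers the same 16 addresses as a pool with no fixed assignment; that is the practical difference between the two actions the thread is asking about.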
by sindy
Thu Apr 22, 2021 5:09 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1150

Re: Internet connection drops for 4-3 second every few moment

There is the local noippass "xxxxx" line in the script; if someone has downloaded the original file, they can update your DynDNS now, until you change the password on the DynDNS web selfcare page and then update it accordingly in your script. To the original topic: given how the two Mikrot...
by sindy
Thu Apr 22, 2021 4:31 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1150

Re: Internet connection drops for 4-3 second every few moment

You may want to remove the script part from the configuration export (edit the post, remove the file and re-post it without the /system script and all the lines following it) and change your password to the DynDNS service. It didn't come to my mind you could have something like that in operation. I'...
by sindy
Thu Apr 22, 2021 3:34 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1150

Re: Internet connection drops for 4-3 second every few moment

It is hard to say as I don't know the complete setup. The LHG5 may be working in bridge mode and have no IP address, or there may be a management IP address assigned by the ISP. When you connect your PC to the hAP lite, you can see only the hAP lite in the neighbour list in Winbox because the hAP lit...
by sindy
Thu Apr 22, 2021 2:32 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1150

Re: Internet connection drops for 4-3 second every few moment

In such case, ask the ISP for that, as it is apparently their device. Just as a blind shot until you can arrange that, press [Interfaces], and in the "Interface List" window that opens, press the [Detect Internet] button just above the table on the (Interface) tab. Post the screenshot of t...
by sindy
Thu Apr 22, 2021 2:14 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1150

Re: Internet connection drops for 4-3 second every few moment

Instead of posting 150 screenshots which show 5 % of the configuration, please use the [New Terminal] button to open a command line window, type /export hide-sensitive file=current-config in that window and press Enter. A file named current-config.rsc will appear in the file list; download it, and i...
by sindy
Mon Apr 19, 2021 8:16 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 49
Views: 9154

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Do i have to do the RIP rules?
I live quite far away from that ISP and only had the situation proxied by @rabienz and @Najifares. So from what I got that way, you have to advertise those IPs to ISP's equipment using RIP so that it would send you the traffic. Don't ask me why the ISP needs it, and e...
by sindy
Mon Apr 19, 2021 5:00 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 49
Views: 9154

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Can you provide a config where all 5 public addresses are to be used to NAT to different private address subnets on LAN
If we leave aside all the security aspects, all you need is a set of src-nat and dst-nat rules. So for a bi-directional, port-agnostic 1:1 NAT between a public IP address A.A.A.A ...
by sindy
Mon Apr 19, 2021 9:28 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2000

Re: CRS317-1G-16S+ High CPU lead to drop packet

If all your cAPs do local forwarding, the only way how the CPU load on the CRS could be coming from CAPsMAN processing would be if the clients would keep re-authenticating, as the client traffic is converted between wireless and wired one at the cAPs themselves. So most likely there is a traffic tha...
by sindy
Sat Apr 17, 2021 11:56 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2000

Re: CRS317-1G-16S+ High CPU lead to drop packet

Please show the typical output of /tool profile cpu=all on the CRS317, and also the typical output of /interface monitor-traffic interface=aggregate and /interface monitor-traffic interface=the-wan-interface-name. And the question is not how many cAPs but how many clients, and what you ask the rout...
by sindy
Tue Apr 13, 2021 10:24 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

...do you think I should make the delay 1m longer, say 3 minutes?
Possibly yes, but to me 1m should also be sufficient, the mAP lite is not that lazy. Maybe add a delay 1m before the disable. It is still possible that the result depends on whether the initial request comes first from the remote pe...
by sindy
Mon Apr 12, 2021 10:35 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1261

Re: IKEv2 server ignores dhcp query on vlan interface

I have one more question related to IKEv2. Is it possible to switch on/off user-led based on IKEv2 peer status? Similar to interface-status under /system leds
It is, but only using a periodically scheduled script. None of the possible type values has any relationship to IPsec. So you must use a scr...
by sindy
Mon Apr 12, 2021 6:18 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

Of course replace name by the actual name of the peer. And yes, the scheduled script is a substitution of your manual disable/re-enable operation after reboot. The scheduled script is a workaround. For a solution in future RouterOS versions, you have to raise a support ticket with Mikrotik; before d...
by sindy
Mon Apr 12, 2021 3:38 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1261

Re: IKEv2 server ignores dhcp query on vlan interface

local-address=empty/not set and local-address=0.0.0.0 is the same thing, as you can see if you use /ip ipsec peer export verbose (without the verbose modifier, export does not show default values). Mikrotik's DHCP server apparently expects an L2 frame in order that it responded, so if the DHCPINFOR...
by sindy
Sun Apr 11, 2021 5:44 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

Given that all policies are static, the proposals they use are identical at both ends, and there is no NAT involved at the client device itself, I'm afraid the fact that you get NO_PROPOSAL_CHOSEN is a consequence of some bug. So I can only suggest a workaround: /system scheduler add name=ipsec-wa o...
by sindy
Sat Apr 10, 2021 2:02 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1261

Re: IKEv2 server ignores dhcp query on vlan interface

You've provided a lot of information but still some bits are missing, so let me rephrase it. No matter what the reasons are, the essence is that the IKEv2 VPN client needs to connect also from the server's LAN. According to your configuration excerpt, the responder peer listens at all addresses. Acc...
by sindy
Sat Apr 10, 2021 11:31 am
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 20
Views: 1625

Re: Transparent hEX S to change vlan-priority for DHCP request only

I've realized that my suggestion above regarding sniffing may be overly complex and inconsistent. To see that the switch chip rule works for the initial DHCPDISCOVER, which is sent to a broadcast address, it is enough to make the bridge a member port of the bridge (see this for clarification of this...
by sindy
Thu Apr 08, 2021 9:05 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

It seems that the log is from the only client whose configuration you haven't posted. As you specify the peers' addresses as domain names, I can imagine the incoming initial packet from the "server" to land on a wrong peer there, as I had such an issue when testing my setup with no static ...
by sindy
Thu Apr 08, 2021 8:50 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 20
Views: 1625

Re: Transparent hEX S to change vlan-priority for DHCP request only

OK, so I have debugged it locally, setting a switch chip rule to handle tagged traffic for the Tik's own IP address, which therefore lands at the bridge interface: dst-address=192.168.6.2/32 dst-port=53 mac-protocol=ip new-vlan-priority=3 ports=ether1 protocol=udp switch=switch1 vlan-id=6 If VL...
by sindy
Wed Apr 07, 2021 9:24 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 20
Views: 1625

Re: Transparent hEX S to change vlan-priority for DHCP request only

I have a problem with mac-protocol=ip in the switch chip rule, because mac-protocol is vlan here if tagging is done before the rule is applied. In bridge filter rules, the IP and port matching is only possible when mac-protocol=ip, but if I remember correctly, this is not the case with switch rules.
by sindy
Wed Apr 07, 2021 9:19 pm
Forum: General
Topic: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore
Replies: 5
Views: 616

Re: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore

why did it manifest when I replaced the router I've seen unrelated events to synchronize within tenths of second (not necessarily in networking), so I would not be surprised if something was wrong on the network path. Here, the window was longer, between the last establishment of the tunnel on the ...
by sindy
Wed Apr 07, 2021 8:39 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1261

Re: IKEv2 server ignores dhcp query on vlan interface

If you use that "bridge-reinforced" VLAN interface also for other traffic than the VPN one, some CPU cycles will indeed be wasted on the additional bridging. So my solution would be to use a dedicated VLAN and IP address only for the IPsec responder to listen at. But I don't get the differ...
by sindy
Wed Apr 07, 2021 2:03 pm
Forum: General
Topic: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]
Replies: 8
Views: 613

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]

Also running OpenVPN on a single core 600MHz CPU / 650MHz on the other side, and PPPoE on both of them .... that's an incoming bottleneck. For me, a bigger problem with OpenVPN is its use of TCP as transport (which is a limitation of RouterOS 6.x, not of OpenVPN itself), which may amplify eventual ...
by sindy
Tue Apr 06, 2021 9:18 pm
Forum: General
Topic: VPN internet routing
Replies: 8
Views: 609

Re: VPN internet routing

The clients can be on different subnets 192.168.40.0/24 or 192.168.20.0/24 etc.. 192.168.0.0/24 as it can connect from different hotspots so i need to add this on Windows client side? Add-VpnConnectionRoute -ConnectionName "VPNconnectionname" -DestinationPrefix 192.168.40.0/24 -PassThru I...
by sindy
Tue Apr 06, 2021 7:07 pm
Forum: General
Topic: CAPSMann no usable channel error message
Replies: 7
Views: 457

Re: CAPSMann no usable channel error message

You cannot set the country locally on the cAP once its wireless interface is controlled by CAPsMAN, but you can still see the setting if you use the command line (available after pressing the [Terminal] button) command I've suggested. My speculation was that some other country profile than netherlan...
by sindy
Tue Apr 06, 2021 6:45 pm
Forum: General
Topic: VPN internet routing
Replies: 8
Views: 609

Re: VPN internet routing

Windows 10 - i found a way named split tunneling by disabling "use the default gateway of the remote network" on VPN connection, but i am not sure if this is the correct way It is, provided that the LAN consists of a single subnet and you assign addresses from the same subnet to the L2TP ...
by sindy
Tue Apr 06, 2021 6:36 pm
Forum: General
Topic: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]
Replies: 8
Views: 613

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]

Multiple issues exist. First, at the OVPN client side (Site A), your only action=masquerade rule there is not restricted to out-interface=pppoe-out1 or out-interface-list=WAN (adding either of these match condition is sufficient as a fix), so connections whose first packet is sent from Site A to Sit...
by sindy
Tue Apr 06, 2021 4:58 pm
Forum: General
Topic: VPN internet routing
Replies: 8
Views: 609

Re: VPN internet routing

What kind of client are we talking about? Windows, Android, iOS, MacOS...?
by sindy
Tue Apr 06, 2021 4:56 pm
Forum: General
Topic: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]
Replies: 8
Views: 613

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]

Are the subnets you've shown the only ones used at each site? I.e. is the VoIP phone also in 172.16.0.0/16 at site B? That other guy is right in terms that on a usual VoIP PBX, the phone exchanges signalling information only with the PBX which controls it, but the media (audio) stream is established...
by sindy
Tue Apr 06, 2021 4:33 pm
Forum: General
Topic: CAPSMann no usable channel error message
Replies: 7
Views: 457

Re: CAPSMann no usable channel error message

You've answered just one of my questions, so I repeat the second one: what country is set at the cAP itself under /interface wireless ? Also, there is another possibly interesting point in the actual-interface-configuration above: channel.band=5ghz-onlyac , does the problematic cAP support the AC mo...
by sindy
Tue Apr 06, 2021 3:40 pm
Forum: General
Topic: WPA2 EAP-TLS + userman only. Is it possible ?
Replies: 5
Views: 484

Re: WPA2 EAP-TLS + userman only. Is it possible ?

It depends on what exactly you mean by a deauthentication attack. If you have in mind that the attacker cannot trick your STA into associating with a forged AP with the same SSID and better signal by sending it a deauthentication frame, then yes, the STA will not authenticate a connection to an AP w...
by sindy
Tue Apr 06, 2021 2:16 pm
Forum: General
Topic: CAPSMann no usable channel error message
Replies: 7
Views: 457

Re: CAPSMann no usable channel error message

1) I'd believe that the error message is relevant, so what is the value of the configuration.country value in the output of /caps-man actual-interface-configuration print where name~"11-E-2", and what is the output of :put [/interface wireless get 0 country] on the cAP itself? 2) yes, R i...
by sindy
Tue Apr 06, 2021 2:02 pm
Forum: General
Topic: WPA2 EAP-TLS + userman only. Is it possible ?
Replies: 5
Views: 484

Re: WPA2 EAP-TLS + userman only. Is it possible ?

When exporting the certificate generated for the client, have you specified any export-passphrase value? If you don't specify any, the private key to the certificate is not exported at all, and therefore the client cannot use the certificate to authenticate itself. The fact that you cannot choose th...
by sindy
Mon Apr 05, 2021 8:46 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 20
Views: 1625

Re: Transparent hEX S to change vlan-priority for DHCP request only

As you want it wirespeed, the switch chip must do all the job. Hence you have to make sfp1 and etherX member ports of a bridge with hw=yes on the respective /interface bridge port rows, and if you ever add any other port of that switch chip to any other bridge, it must be added with hw=no (only a si...
by sindy
Mon Apr 05, 2021 5:16 pm
Forum: General
Topic: why youtube is not blocked?
Replies: 13
Views: 1681

Re: why youtube is not blocked?

Whether TLS 1.3 is used atop QUIC or not changes nothing about the fact that the tls-host match condition in RouterOS firewall only works with TCP, so it can never see any QUIC payload.
by sindy
Mon Apr 05, 2021 4:51 pm
Forum: General
Topic: Email smtp timeout on mikrotik
Replies: 7
Views: 826

Re: Email smtp timeout on mikrotik

It needs sniffing to find out what's going on. Ideally you'd have a second PC, or a second Ethernet interface on the same PC from which you send the e-mail, to which the Mikrotik would stream the sniffed packets. If this is not possible, you can sniff into a file on the Mikrotik itself, but then the...
by sindy
Mon Apr 05, 2021 4:26 pm
Forum: General
Topic: vlan problem on hEX [SOLVED]
Replies: 20
Views: 1535

Re: vlan problem on hEX [SOLVED]

The configuration you have posted as a file seems fine to me regarding VLANs. VLAN 100 is tagged on both the bridge and ether2 ports of the bridge, VLAN1 is not tagged on either of the two, and the DHCP servers are attached as appropriate, the one for VLAN 100 is attached to the /interface vlan and ...
by sindy
Mon Apr 05, 2021 3:35 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 20
Views: 1625

Re: Transparent hEX S to change vlan-priority for DHCP request only

Agree that the hEX S will be the bottleneck and switch rules are not supported for vlan and also for sfp1. On MT7621 based routers, RouterOS doesn't support switch chip rules at all, not only on sfp1. I plan to replace my hEX S for each box by : - RB2011iLS-IN - or RB935GS-5HnT-RP Both should work ...
by sindy
Mon Apr 05, 2021 1:45 pm
Forum: General
Topic: PPTP S2S bridge - Wrong output IP [SOLVED]
Replies: 8
Views: 749

Re: PPTP S2S bridge - Wrong output IP [SOLVED]

If the same out-interface and/or the same routing-mark are used also for forwarded traffic, and you want to prevent forwarded connections from getting src-nated, add src-address-type=local to the action=src-nat rule. This condition matches on packets whose source address is any of the router's own o...
by sindy
Mon Apr 05, 2021 1:30 pm
Forum: General
Topic: WPA2 EAP-TLS + userman only. Is it possible ?
Replies: 5
Views: 484

Re: WPA2 EAP-TLS + userman only. Is it possible ?

for a client authenticating itself to the AP using a certificate alone, you don't need RADIUS at all for a client authenticating itself using a username/password tuple rather than a certificate, you either need an external RADIUS server or you must run RouterOS 7 (I don't know the state of the ar...
by sindy
Mon Apr 05, 2021 12:55 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 20
Views: 1625

Re: Transparent hEX S to change vlan-priority for DHCP request only

It's almost the same except that in the bridge filter rules, you have to use chain=forward rather than chain=output, and add an in-interface=ether3 match condition. And you still have to use a dedicated bridge for VLAN 832, because the bridge filter rules currently do not support matching on IP hea...
by sindy
Mon Apr 05, 2021 12:26 pm
Forum: General
Topic: marking packets to an external gateway
Replies: 2
Views: 224

Re: marking packets to an external gateway

You can use src-nat instead of masquerade and ask the linux box admin to choose the routing table depending on the source address of the packet coming from you, DSCP values, VLAN ID in VLAN tags, priority in VLAN tags There are no other fields in the frame or packet headers you could modify without ...
by sindy
Mon Apr 05, 2021 11:34 am
Forum: General
Topic: PPTP S2S bridge - Wrong output IP [SOLVED]
Replies: 8
Views: 749

Re: PPTP S2S bridge - Wrong output IP [SOLVED]

The thing is how the mangling works in the output chain. First of all, an output packet is routed using the main table, which includes assignment of the source address, which is the pref-src one if specified for the route or the IP address associated to the out-interface otherwise. The mangle rules ...
by sindy
Fri Apr 02, 2021 7:13 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

A) The way you describe it, you've opted to use a dst-nat rule rather than to restrict the IPsec policy to carry only the L2TP transport packets. Nothing wrong about that. However, it then cannot be a matter of a bypassed dst-nat any more, but there may still be an MTU issue. I'd suggest to run /too...
by sindy
Fri Apr 02, 2021 4:07 pm
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2000

Re: CRS317-1G-16S+ High CPU lead to drop packet

If I remember right, the APs look for the channel with least interference among those permitted by the channel configuration; try /caps-man interface scan to check what you can really see in the air. Plus I'm not an expert here and the manual is silent about this, but as you have specified C e for t...
by sindy
Fri Apr 02, 2021 3:44 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4048

Re: Two EOIP tunnels and traffic problem

If the log is complete, it means the client did not respond to the last PDU (split into two packets), either because it didn't like it or because it did not receive it at all. Misconfigurations I've spotted: the presentation you refer to uses username&password authentication of the clients, but ...
by sindy
Fri Apr 02, 2021 2:45 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4048

Re: Two EOIP tunnels and traffic problem

It has to be /export hide-sensitive file=any-name-you-prefer. The result of /system backup save cannot be read.

And the log seems to be cut short, is it really all?
by sindy
Fri Apr 02, 2021 12:50 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4048

Re: Two EOIP tunnels and traffic problem

I don't think Mikrotik support has enough manpower to provide individual configuration assistance even to first time users, that's a job for consultants or maybe distributors. Here on the forum, please, don't refer to presentations or, even worse, videos. The time used to watch these can be used mor...
by sindy
Thu Apr 01, 2021 2:38 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1261

Re: IKEv2 server ignores dhcp query on vlan interface

If it works when the IKE connection establishes with a local IP address attached to a bridge with no member ports at all, you indeed don't need the VLAN to join this bridge to the main one. But at least until recently, Windows clients didn't like by default that the responder was behind a NAT, and y...
by sindy
Thu Apr 01, 2021 1:14 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4048

Re: Two EOIP tunnels and traffic problem

at the moment I have not been successful in more than 1 bare L2TP tunnels using same WAN IP. But I will try again, is there a particular setting I need to set for this to work harmoniously? I don't know about any. But there were some issues with L2TP in one of recent RouterOS versions, check the re...
by sindy
Thu Apr 01, 2021 11:05 am
Forum: General
Topic: IPsec site to site tunnels, security issue question?
Replies: 10
Views: 1015

Re: IPsec site to site tunnels, security issue question?

The whole point of a VTI is that you can use regular routing rather than traffic matching by selectors, which quickly turns into a nightmare if you use more subnets at each end of a link. VTI violates the security concept of IPsec in terms that if you use VTI, traffic matching an existing traffic se...
by sindy
Thu Apr 01, 2021 10:45 am
Forum: General
Topic: Forward all wan traffic to another firewall
Replies: 9
Views: 791

Re: Forward all wan traffic to another firewall

I don't think there is a documentation example that would cover exactly this. Search for "policy routing" (nothing to do with IPsec policies), i.e. how to create multiple routing tables and choose one for each individual packet depending on its origin and possibly other properties, and als...
by sindy
Tue Mar 30, 2021 11:01 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

A) Why when connected to client1's WiFi, I cannot connect to the Server through DDNS (WinBox)? If I try from my phone's 4G I can. I understand that this happens because I am connected to that network, that has the L2TP link with the Server (and I can connect using server's 172.21.69.153) but cannot...
by sindy
Tue Mar 30, 2021 9:30 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1261

Re: IKEv2 server ignores dhcp query on vlan interface

I don't think you're doing anything wrong. I had the same experience when the IKEv2 session was landing on an IPIP tunnel interface at the responder, but I was assuming back then it had to do with DHCP server expecting the client messages to come to L2 interfaces. Depending on the throughput require...
by sindy
Tue Mar 30, 2021 4:59 pm
Forum: General
Topic: why youtube is not blocked?
Replies: 13
Views: 1681

Re: why youtube is not blocked?

This rule works fine for me: chain=forward action=reject reject-with=icmp-network-unreachable protocol=tcp log=no log-prefix="" tls-host=*youtube* This rule can only work if placed before the "accept established,related" one, and if fasttracking is disabled. The reason is that t...
by sindy
Tue Mar 30, 2021 4:40 pm
Forum: General
Topic: pppoe problem [SOLVED]
Replies: 9
Views: 784

Re: pppoe problem [SOLVED]

the output of the /ip firewall connection print detail where dst-address~":1812" command: ... This one with detail shows the connection when the RADIUS server does respond, so it is unusable for the analysis. In this one, the S is an upper-case (capital) one, indicating seen-reply, where...
by sindy
Tue Mar 30, 2021 10:39 am
Forum: General
Topic: pppoe problem [SOLVED]
Replies: 9
Views: 784

Re: pppoe problem [SOLVED]

This is the output of the /ip firewall connection print interval=1 where dst-address~":1812" command : # PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS 27 C s udp 127.0.0.1:35747 127.0.0.1:1812 9s 0bps 0bps 3 0 What is surprising here is the s...
by sindy
Tue Mar 30, 2021 10:29 am
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4048

Re: Two EOIP tunnels and traffic problem

Yes, multiple bare L2TP clients can connect from behind the same NAT. And bare L2TP connections do not interfere with IKEv2 in any way. The issue L2TP/IPsec has with NAT is caused by the fact that its standard requires use of transport mode of IPsec SA. If you don't use the dynamically generated IPs...
by sindy
Mon Mar 29, 2021 12:32 pm
Forum: General
Topic: RouterBOARD wAP G-5HacT2HnD keeps rebooting
Replies: 6
Views: 627

Re: RouterBOARD wAP G-5HacT2HnD keeps rebooting

As said - if it started after the upgrade, file a ticket with Mikrotik. They'll ask for autosupout.rif or, if not available, a supout.rif created manually just after the reboot. So best attach it to the ticket straight away.
by sindy
Sun Mar 28, 2021 2:12 pm
Forum: General
Topic: Forward all wan traffic to another firewall
Replies: 9
Views: 791

Re: Forward all wan traffic to another firewall

In that case, let's suppose the pfSense has two physical interfaces (or two VLANs), a "WAN" one and a "LAN" one. You will partition the Mikrotik into two virtual routers - one will forward the traffic between pfSense's WAN and the Mikrotik's WAN interfaces, and the other one will...
by sindy
Sun Mar 28, 2021 11:01 am
Forum: General
Topic: Forward all wan traffic to another firewall
Replies: 9
Views: 791

Re: Forward all wan traffic to another firewall

It is possible to place the pfSense between the load balancer part and the rest of your network. The pfSense will see the remote addresses (the source ones of the incoming traffic from the internet), but it will not know to which WAN interface that traffic has arrived. Is that sufficient for you?
by sindy
Sun Mar 28, 2021 10:48 am
Forum: General
Topic: ISP speed is 200 MB but Mikrotik speed is 100 MB
Replies: 14
Views: 1729

Re: ISP speed is 200 MB but Mikrotik speed is 100 MB

In the same [interface <ether1>] window where you've viewed the [Overall Stats] and [Status] tabs as shown above, choose the [Ethernet] tab, and tick the [ ] 1000M full checkbox. In some RouterOS releases there was apparently a bug, causing only speeds up to 100M to be advertised even on interfaces ...
by sindy
Sun Mar 28, 2021 9:12 am
Forum: General
Topic: What is sensitive
Replies: 1
Views: 342

Re: What is sensitive

The list is quite brief. passwords (e.g. in /ppp secret rows), passphrases (e.g. in wireless/capsman security profiles), and secrets (in IPsec identities) are "sensitive". Usernames, public IP addresses, MAC addresses, and serial numbers are not treated as "sensitive". Nor is any...
by sindy
Sat Mar 27, 2021 7:47 pm
Forum: General
Topic: No internet connection after PPPOE reconnect (disable, pause, enable)
Replies: 5
Views: 551

Re: No internet connection after PPPOE reconnect (disable, pause, enable)

If, under /interface detect-internet, anything else than none is configured for detect-interface-list, change that to none. If that doesn't help, post the export of your configuration. See my automatic signature below regarding anonymisation. Out of curiosity, what are your reasons to disconnect ...
by sindy
Sat Mar 27, 2021 3:31 pm
Forum: General
Topic: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]
Replies: 4
Views: 656

Re: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]

Sounds like a case of knowing too much. I would have simply put the square peg into the square hole instead of contemplating the depth of the hole and what instrument was used to cut the holes. With a usual client like the Windows or iOS one, the peg is flexible, so you can push it into a hole of a...
by sindy
Sat Mar 27, 2021 2:03 pm
Forum: General
Topic: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]
Replies: 4
Views: 656

Re: EAP-TLS wireless authentication - why a Mikrotik client cannot connect to Mikrotik AP? [SOLVED]

OK, so the answer to the topic title is "because the wording in the manual is misleading". It says: eap-methods | ... This property only has effect on Access Points. ... tls-mode | This property has effect only when eap-methods contains eap-tls. tls-certificate | ... Client needs a certif...
by sindy
Sat Mar 27, 2021 12:21 pm
Forum: General
Topic: pppoe problem [SOLVED]
Replies: 9
Views: 784

Re: pppoe problem [SOLVED]

OK, so it may be a firewall issue (not much likely, but possible), or the networking stack is broken (even less likely), or the UserManager stopped responding. Since /tool sniffer doesn't seem to work on the loopback interface, you have to use alternative means: what does /ip firewall connection pri...
by sindy
Sat Mar 27, 2021 12:02 pm
Forum: General
Topic: Master port is back in 6.48.1?
Replies: 5
Views: 788

Re: Master port is back in 6.48.1?

I agree because fw will be downgrade to default ver, am I right? But what will be next step? After upgrade I'll have the same problem. No, @Jotne's idea was to reset the router to default configuration with 6.48.1 installed. So the default configuration of 6.48.1 will be created, and you'll then m...
by sindy
Sat Mar 27, 2021 12:26 am
Forum: General
Topic: How to view or retrieve 'autosupout.rif' file without networking?
Replies: 2
Views: 489

Re: How to view or retrieve 'autosupout.rif' file without networking?

You can use /tool fetch to download the file from the router itself using the loopback address and specify the USB or SD card as a destination: /tool fetch url="ftp://127.0.0.1/autosupout.rif" user=abc password=def output=file dst-path=disk1/some-new-name.rif Of course provided that user a...
by sindy
Fri Mar 26, 2021 5:22 pm
Forum: General
Topic: Sending all traffic through a L2TP interface [SOLVED]
Replies: 10
Views: 801

Re: Sending all traffic through a L2TP interface [SOLVED]

Ah, sorry, I've missed the BCP. If you really tunnel the L2, all that routing changes I gave before are not necessary if you simply tell the devices connected to the bridge to use the IP of the router at the remote end of the tunnel as their default gateway. And yes, the MRRU must be high enough to ...
by sindy
Fri Mar 26, 2021 4:27 pm
Forum: General
Topic: Reset and load a custom save.rsc file
Replies: 7
Views: 711

Re: Reset and load a custom save.rsc file

... by connecting to MAC address in a hardware router) and clear the entire config, ... There's that caveat I've mentioned above, it seems that when the configuration is totally empty, MAC access is blocked. So a dedicated .rsc file enabling just the MAC access may have to be used as run-after-rese...
by sindy
Fri Mar 26, 2021 4:20 pm
Forum: General
Topic: Sending all traffic through a L2TP interface [SOLVED]
Replies: 10
Views: 801

Re: Sending all traffic through a L2TP interface [SOLVED]

You've likely identified the issue (MTU) but not the solution. There are two possibilities. Either you use mangle rules at one of the routers to force TCP MSS to a value corresponding to the reduction of the MTU caused by the L2TP encapsulation, or you activate use of MLPPP on the L2TP tunnel by set...
by sindy
Fri Mar 26, 2021 3:45 pm
Forum: General
Topic: IPsec site to site tunnels, security issue question?
Replies: 10
Views: 1015

Re: IPsec site to site tunnels, security issue question?

What is stopping a user in LA from spoofing his IP as a LB and force the packet to the routers LA interface? This rule: /ip firewall filter add chain=forward in-interface=if_A src-address= ! ip.sub.net.A/mask action=drop To be precise, it doesn't stop the user from sending a packet with a spoofed s...
by sindy
Fri Mar 26, 2021 3:21 pm
Forum: General
Topic: Sending all traffic through a L2TP interface [SOLVED]
Replies: 10
Views: 801

Re: Sending all traffic through a L2TP interface [SOLVED]

If I got you right, it was the desired behaviour that everything went through the L2TP tunnel, except the L2TP transport packets. Have I missed something?
by sindy
Fri Mar 26, 2021 3:19 pm
Forum: General
Topic: PCC with two routers
Replies: 1
Views: 250

Re: PCC with two routers

Scenario #2 can definitely work to a limited extent if you use VRRP. You can set up two virtual gateways, each of which will prefer a different one of the routers, so while both will be alive, you will be able to choose the preferred WAN per each LAN device or even per remote destination if you conf...
by sindy
Fri Mar 26, 2021 2:04 pm
Forum: General
Topic: Reset and load a custom save.rsc file
Replies: 7
Views: 711

Re: Reset and load a custom save.rsc file

As I wrote, unfortunately there are configuration element values which could be entered in older RouterOS versions, survived the subsequent upgrades, and survived the export, but aren't accepted in the current version when input. So even if you export a file from a machine running a particular versi...
by sindy
Fri Mar 26, 2021 12:57 pm
Forum: General
Topic: pppoe problem [SOLVED]
Replies: 9
Views: 784

Re: pppoe problem [SOLVED]

/system logging add topics=radius /log print follow-only where topics~"radius" Then try to connect a client and see whether there is a corresponding radius message in the log. The subsequent steps depend on whether you use the embedded RADIUS server of Mikrotik (user manager) or an extern...
by sindy
Fri Mar 26, 2021 12:41 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

To access only the client Routerboards themselves for management purposes, you just have to choose a pool of addresses to assign them that will not overlap with the LAN subnet(s) of any of the clients. This is normally a non-issue if you are the administrator; if you are not, it's more complex as ea...
by sindy
Fri Mar 26, 2021 11:59 am
Forum: General
Topic: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]
Replies: 4
Views: 656

EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]

Hello everybody, I wanted to get ready to use a routerboard device as a STA in a 3rd party WiFi network that requires clients to authenticate themselves to the infrastructure using certificates. So the logical first step was to create my own AP with mode=dynamic-keys authentication-types=wpa2-eap unic...
by sindy
Fri Mar 26, 2021 11:08 am
Forum: General
Topic: Master port is back in 6.48.1?
Replies: 5
Views: 788

Re: Master port is back in 6.48.1?

I'm not able to get eth1 back to the bridge because master port can't do it. Master port was just a different way of configuration of hardware forwarding among ports of a switch chip. So there is no reason why you could not make ether1 an ordinary member of a bridge. The fact that it still bears a ...
by sindy
Fri Mar 26, 2021 10:44 am
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

First, even a whole elephant can be eaten, but you have to chop it into small enough pieces. So mixing together the issues of overlapping internal addresses of VPN clients with the issues of establishing tunnels between devices NATed behind dynamically changing public IPs will only create a mess. Re...
by sindy
Fri Mar 26, 2021 9:44 am
Forum: General
Topic: IPsec site to site tunnels, security issue question?
Replies: 10
Views: 1015

Re: IPsec site to site tunnels, security issue question?

While I'd like to have VTIs too, they're still L3 interfaces, so adding them to bridges is not possible. 802.1x only allows an authenticated device to connect to a given port of a switch and eventually make that port an access one to a specific VLAN, but doesn't care about IP addresses in any way. T...
by sindy
Fri Mar 26, 2021 8:54 am
Forum: General
Topic: Sending all traffic through a L2TP interface [SOLVED]
Replies: 10
Views: 801

Re: Sending all traffic through a L2TP interface [SOLVED]

Assuming the wAP ac LTE6 is the client in the L2TP link,

/ip route
add dst-address=ip.of.l2tp.server gateway=lte1
add gateway=l2tp-out1

/interface lte apn set [find] default-route-distance=3

should do the trick.
by sindy
Fri Mar 26, 2021 8:42 am
Forum: General
Topic: Why can't I make my hEX lite into a router?
Replies: 19
Views: 1318

Re: Why can't I make my hEX lite into a router?

It would have been different if the quick set had worked, but it did not. Exactly. Don't come to Ireland for nice weather, and don't buy Mikrotik for simplicity. Both have other advantages. Quickset is an attempt to add the simplicity by allowing to set up only the basics, but everyone's perception...
by sindy
Fri Mar 26, 2021 8:26 am
Forum: General
Topic: I can access remotely but not locally
Replies: 2
Views: 235

Re: I can access remotely but not locally

To get a useful suggestion, you have to send a crystal ball or the export of your configuration. Whichever will do.
by sindy
Thu Mar 25, 2021 11:54 pm
Forum: General
Topic: Backup Mikrotik RouterBoard Mikrotik RB 3011UiAS-RM
Replies: 2
Views: 428

Re: Backup Mikrotik RouterBoard Mikrotik RB 3011UiAS-RM

For same routerboard models it does. For different models it doesn't. So in your case, it is OK.
by sindy
Thu Mar 25, 2021 3:53 pm
Forum: General
Topic: I can't connect to my NVRs [SOLVED]
Replies: 12
Views: 862

Re: I can't connect to my NVRs [SOLVED]

what is the solution I can do in mikrotik configuration to access nvrs from outside using the app .. like before .. That's the reason why I asked those questions. Some NVRs work the cloud way, where they actively build connections to cloud servers, and the mobile application or browser connects to ...
by sindy
Thu Mar 25, 2021 8:12 am
Forum: General
Topic: How to search a large IP Firewall Address List?
Replies: 5
Views: 667

Re: How to search a large IP Firewall Address List?

Mostly now I'm wondering if I found a bug in the way the filter works in Winbox that I need to report. Looks like that. Two possible interpretations of the contains operator in Winbox come to my mind: a regular expression matching of the column value interpreted as text, which on command line would...
by sindy
Wed Mar 24, 2021 11:24 pm
Forum: General
Topic: How to search a large IP Firewall Address List?
Replies: 5
Views: 667

Re: How to search a large IP Firewall Address List?

Have you used the in operator the right way?

[me@myTik] > ip firewall address-list add list=test address=193.168.0.0/16
[me@myTik] > ip firewall address-list print where 193.168.1.2 in address
Flags: X - disabled, D - dynamic
 # LIST ADDRESS CREATION-TIME TIMEOUT
 0 test 193.168.0.0/16 mar/24/2021 22:...
by sindy
Wed Mar 24, 2021 11:20 pm
Forum: General
Topic: help fix leaky vlans, NP16 + PBP
Replies: 7
Views: 606

Re: help fix leaky vlans, NP16 + PBP

Filtering ON and 'admit-only*' for the 'access' ports that will receive untagged traffic and ADD the tag assigned to PVID. admit-only- untagged-and-priority-tagged Filtering OFF and set to 'all' for the trunk port(s) when ingress-filtering=no , it doesn't matter what you set as frame-types In VLANs...
by sindy
Wed Mar 24, 2021 8:40 pm
Forum: General
Topic: Strange one
Replies: 12
Views: 946

Re: Strange one

expires-after=3h26m41s and last-seen=6h33m19s not only indicate that you've set the DHCP server to assign the address for 10 hours but also that the client failed to renew the lease at 1/2 of the lease lifetime as instructed by the server in the DHCPACK message (this is not configurable). I don't r...
by sindy
Wed Mar 24, 2021 6:50 pm
Forum: General
Topic: Strange one
Replies: 12
Views: 946

Re: Strange one

What does /ip dhcp-server lease print detail where mac-address=the:one:of:the:lo:ck show when the lock starts saying it has no IP address? In general IoT devices may have just limited hardware resources available and thus use small footprint protocol stacks made for them, which haven't been tested i...
by sindy
Wed Mar 24, 2021 2:17 pm
Forum: General
Topic: Port Forward to a Hostname
Replies: 3
Views: 419

Re: Port Forward to a Hostname

Even if it was possible to use an fqdn as to-addresses (it's not), you would still have to update the DNS record based on the availability of the primary server, so some process tracking its availability would be necessary anyway. So depending on how frequently the primary server is unavailable, you...
by sindy
Wed Mar 24, 2021 9:02 am
Forum: General
Topic: I can't connect to my NVRs [SOLVED]
Replies: 12
Views: 862

Re: I can't connect to my NVRs [SOLVED]

I can't access the nvrs from wan .. ... I have no public static IP configured ... it is just a normal dynamic public ip .. ADSL modem ( router mode _ portt 1 ) 192.168.1.1/24 Mikrotik Router ( router mode - automatic - Eth1 - Gateway - WAN ) 192.168.1.29/24 Bridge ( LAN ) 192.168.100.100/16 MIKROTI...
by sindy
Wed Mar 24, 2021 8:41 am
Forum: General
Topic: Port forwarding issue [SOLVED]
Replies: 8
Views: 818

Re: Port forwarding issue [SOLVED]

Do you mean that it should be something like this? Yes, but not exactly. These four rules will forward ports 67 and 68 to .71, and ports 70 and 71 to .72, without changing them. So a single rule for each target device, with a range as dst-port , would be sufficient. This way is fine if you can conf...
by sindy
Tue Mar 23, 2021 11:24 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 121
Views: 30046

Re: v6.48.1 [stable] is released!

MNDP is a UDP broadcast and will not work when IP is not configured. But Winbox can still detect devices in that state, it will list them without IP address. So apparently Winbox does not use or does not rely on MNDP, but uses at least one of the LLDP or CDP protocols. Nope. MNDP is sent even if no...
by sindy
Tue Mar 23, 2021 11:07 pm
Forum: General
Topic: Port forwarding issue [SOLVED]
Replies: 8
Views: 818

Re: Port forwarding issue [SOLVED]

The first one, to .71 works. The second one to .72 doesn't. The description in the first post differs from the export in the second post. When a dst-nat rule (or src-nat rule) doesn't need to change a port, the to-ports parameter need not be specified at all. When it has to change a port, and you s...
by sindy
Tue Mar 23, 2021 10:58 pm
Forum: General
Topic: Port forwarding issue [SOLVED]
Replies: 8
Views: 818

Re: Port forwarding issue [SOLVED]

c. Understand that port forwarding is not going to work if your ISP gives you a private IP address.
It was working with the previous router, so this point is irrelevant.
by sindy
Tue Mar 23, 2021 10:51 pm
Forum: General
Topic: IPsec site to site tunnels, security issue question?
Replies: 10
Views: 1015

Re: IPsec site to site tunnels, security issue question?

The question you ask has little to do with IPsec policies. If I get you right, what you actually want is to make sure that a device connected to a given interface cannot use an address from a subnet not associated to that interface. So the permissive firewall rules must match on both in-interface an...
by sindy
Tue Mar 23, 2021 6:02 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 69
Views: 17836

Re: Netwatch deprecated ? [SOLVED]

You could imagine many other uses to the MT cloud service, but there is some CAPEX & OPEX associated to running a server in a datacenter, whilst each RouterBoard device is only sold once. So the price of every device would have to include, say, 10 years of running your own CHR in Mikrotik's data...
by sindy
Tue Mar 23, 2021 5:30 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 69
Views: 17836

Re: Netwatch deprecated ? [SOLVED]

Problem2 -*stuck*- if the router goes down or power to router & Modem I have no way of knowing this, no emails, no telegrams!! Haven't you stated in another thread that multiple family members yell at you if "internet breaks" for a few seconds? On a serious note - to cover these situa...
by sindy
Tue Mar 23, 2021 4:19 pm
Forum: General
Topic: IP blocks ping
Replies: 2
Views: 298

Re: IP blocks ping

If that IP is assigned to an L2 interface and your Mikrotik has an interface in the same LAN segment, you can use ARP to see whether the device responds ( :ping arp=yes interface=xyz ) If some process is running at that IP that responds on a TCP or UDP port, you can try to send a packet to that port...
by sindy
Tue Mar 23, 2021 4:08 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 121
Views: 30046

Re: v6.48.1 [stable] is released!

It seems that MNDP (neighbour discovery) runs on top of LLDP. I may have misunderstood what you mean by "on top". If it means "in addition to", then that's correct - three protocols in total are used in parallel unless you disable some of them - MNDP (which is a UDP broadcast on...
by sindy
Tue Mar 23, 2021 3:47 pm
Forum: General
Topic: Cannot Use Multiple IPs
Replies: 13
Views: 870

Re: Cannot Use Multiple IPs

That's strange. If they had it as a local subnet on one of their interfaces, the network address (.0, .8, etc. depending on the prefix) and one of the other addresses should also not reach your router.

I assume you've assigned those addresses as individual /32 ones to the loopback interface, correct?
by sindy
Tue Mar 23, 2021 3:38 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 69
Views: 17836

Re: Netwatch deprecated ? [SOLVED]

Seems to work fine for simple netwatch scripts but doesnt work well for System Fetch scripts. I'd think the issue here is the same like we've discussed yesterday - there are spaces before and after $sub1 . As /tool fetch doesn't substitute space symbols in the URL sent to the server automatically, ...
by sindy
Tue Mar 23, 2021 2:23 pm
Forum: General
Topic: RouterBOARD wAP G-5HacT2HnD keeps rebooting
Replies: 6
Views: 627

Re: RouterBOARD wAP G-5HacT2HnD keeps rebooting

The volume of traffic is roughly proportional to the number of clients, and the volume of traffic is responsible for some part of power consumption, that's why I was thinking about this. A 10 meter cable would have to be really bad, or the voltage of the source would have to be very close to the bot...
by sindy
Tue Mar 23, 2021 1:02 pm
Forum: General
Topic: help fix leaky vlans, NP16 + PBP
Replies: 7
Views: 606

Re: help fix leaky vlans, NP16 + PBP

So if I re-word it: on the NP16, each port except ether1 should be an access port to a single VLAN (ether2 - VLAN 102 through to ether16 - VLAN 116). Ingress filtering doesn't care about particular VLAN ID. It only distinguishes between two types of ingress frames: ones tagged with a non-0 VLAN ID o...
by sindy
Tue Mar 23, 2021 12:03 pm
Forum: General
Topic: RB4011 > hAP AC Lite VLAN configuration
Replies: 13
Views: 904

Re: RB4011 > hAP AC Lite VLAN configuration

Do I need to tag the default Bridge with all the VLANs I will be using or is the bridge dynamically added? Tagging the Bridge results in loss of access. What do you mean by "tagging the bridge"? Frames can be tagged and untagged, bridges cannot. The bridge forwards a frame with any VLAN I...
by sindy
Tue Mar 23, 2021 11:26 am
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 69
Views: 17836

Re: Netwatch deprecated ? [SOLVED]

I would think it's the typo in the name of the script - TelelgramFetch.

Otherwise, all three variants should work,

down-script="{/system script run TelegramFetch}"

down-script="/system script run [/system script find name=TelegramFetch]"

down-script=TelegramFetch
by sindy
Tue Mar 23, 2021 8:00 am
Forum: General
Topic: Strange one
Replies: 12
Views: 946

Re: Strange one

The thing with the VPN firewall rules is not their count but their position. If you move the "accept established or related" rule in chain input to the beginning of that chain, everything will keep working the same but less CPU will be spent per packet, that's all. The importance of this d...
by sindy
Mon Mar 22, 2021 11:20 pm
Forum: General
Topic: CAPsMAN - AP falls out of the bridge after a few hours
Replies: 7
Views: 721

Re: CAPsMAN - AP falls out of the bridge after a few hours

However this can be a problem if bridge (to which wlan interface is attached) runs any of xSTP because xSTP causes a delay when port becomes active to test for any loops. Delay can be long enough for wireless client to freak out. This behaviour can be disabled by setting disable-running-check=yes o...
by sindy
Mon Mar 22, 2021 8:38 pm
Forum: General
Topic: PPP on a specific Wan connection
Replies: 5
Views: 584

Re: PPP on a specific Wan connection

Everything you need should be in this post. The last paragraph explains its relationship to your case.
by sindy
Mon Mar 22, 2021 4:21 pm
Forum: General
Topic: Static routes via non persistent connections
Replies: 2
Views: 335

Re: Static routes via non persistent connections

At ovpn server side, there is an parameter routes on the /ppp secret row, where you can specify a comma separated list of destination gateway metric tuples. These items are added to the routing table when the client represented by that /ppp secret row connects. But I'm not sure I've answered your ac...
by sindy
Mon Mar 22, 2021 2:39 pm
Forum: General
Topic: RouterBOARD wAP G-5HacT2HnD keeps rebooting
Replies: 6
Views: 627

Re: RouterBOARD wAP G-5HacT2HnD keeps rebooting

To get Mikrotik support involved, you have to contact them directly, at support@mikrotik.com or, better, at https://help.mikrotik.com/servicedesk/servicedesk/ . You have mentioned changing an "injector" - do you use the one with a power adaptor inside or just the passive one connected to a...
by sindy
Mon Mar 22, 2021 2:23 pm
Forum: General
Topic: Strange one
Replies: 12
Views: 946

Re: Strange one

In your /ip dhcp-server network , I can see no dns-server value on the single row, address=192.168.254.0/24 comment=defconf gateway=192.168.254.250 netmask=24 , but this just means that the router sends its own address in that subnet as the DNS server. I have seen cases where the fact that the DNS p...
by sindy
Sun Mar 21, 2021 10:25 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 4
Views: 647

Re: RouterOS bridge mysteries explained

I hope you add information about creating VLANs by new way...
What is missing in this topic about the subject of "VLANs the new way" that I should repeat it here?
by sindy
Sun Mar 21, 2021 9:49 pm
Forum: General
Topic: packet loss between CPU and switch [SOLVED]
Replies: 4
Views: 872

Re: packet loss between CPU and switch [SOLVED]

It would be good to understand exactly what that function does and why it caused the problem? I agree it would be good. Unfortunately, no one but Mikrotik knows that, and they didn't bother to explain in detail. Worse than that, I haven't heard a single person so far to say that they've found that ...
by sindy
Sun Mar 21, 2021 9:43 pm
Forum: General
Topic: allow SSL VPN to bypass IPSEC SurfShark tunnel
Replies: 3
Views: 443

Re: allow SSL VPN to bypass IPSEC SurfShark tunnel

In step 16 of that tutorial, they set a src-address-list parameter on the mode-config row to local . This causes an action=src-nat rule to be dynamically added to the srcnat chain of /ip firewall nat , which matches on src-address-list=local whenever the IPsec connection established. This rule is al...
by sindy
Sun Mar 21, 2021 8:49 pm
Forum: General
Topic: attack simulation with TFGEN
Replies: 1
Views: 318

Re: attack simulation with TFGEN

You cannot stop the incoming traffic from reaching your router interface by any firewall rule - the packet must first arrive so that the firewall rule could see it. /tool sniffer and /tool torch show you the actual traffic on the interface, before the firewall rules in the wire -> silicon direction,...
by sindy
Sun Mar 21, 2021 8:17 pm
Forum: General
Topic: packet loss between CPU and switch [SOLVED]
Replies: 4
Views: 872

Re: packet loss between CPU and switch [SOLVED]

It should help to set detect-interface-list=none under /interface detect-internet on all routers.
by sindy
Sun Mar 21, 2021 8:12 pm
Forum: General
Topic: CAPsMan table overview - Clarification requested.
Replies: 7
Views: 619

Re: CAPsMan table overview - Clarification requested.

In many countries, some 5 GHz channels are used by meteoradars, so the AP must passively listen on such channel for minutes before starting to use it, in order to prevent causing interference to the radars. So depending on how you've configured your /caps-man channel settings for the 5 GHz interface...
by sindy
Sun Mar 21, 2021 7:51 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 4
Views: 647

RouterOS bridge mysteries explained

This topic is a reaction to the countless cases of confusion regarding why the bridge “itself” must be listed among tagged or untagged ports of a VLAN in some cases, why the VLAN interfaces must be attached to the “bridge” rather than to its member ports etc. The fact that both “interface” and “port...
by sindy
Sun Mar 21, 2021 2:33 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

In a typical case, there may be multiple hosts with private IP (LAN devices) connected to the internet via a single device with a public IP (the WAN router). If the first ever packet of a new connection comes from the LAN device for a destination accessible via the WAN interface, the WAN router repl...
by sindy
Sat Mar 20, 2021 8:21 pm
Forum: General
Topic: How to access AP on PPPoE port
Replies: 2
Views: 411

Re: How to access AP on PPPoE port

There is nothing wrong about attaching an IP configuration to the same interface at which a PPPoE server is listening. The thing is that you have to make sure that bare IP packets from customers' devices (i.e. those not encapsulated inside the PPPoE ones) will not be let in to the Powerbox and the r...
by sindy
Sat Mar 20, 2021 6:44 pm
Forum: General
Topic: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore
Replies: 5
Views: 616

Re: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore

I can't see anything wrong in your firewall rules, nor rp-filter=strict that can sometimes surprise. So the next thing to come to my mind is that the packet sent by RtrB is fragmented as it travels to RtrA, and the second fragment gets dropped by some firewall on the way. Since the UDP header is pre...
by sindy
Sat Mar 20, 2021 5:49 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2293

Re: Discovery of external IP address (Noip.com)

I was also under the impression that the DNS name in ip/cloud is not accessible when behind a NAT modem (and needs port forwarding) or are you saying that this MT dns name will me sufficient to enter it on the remote side MT and through this discovery be able to create a successful link? Looking fo...
by sindy
Thu Mar 18, 2021 2:53 pm
Forum: General
Topic: Mikrotik cloud, choose IP interface to update
Replies: 13
Views: 1013

Re: Mikrotik cloud, choose IP interface to update

Sindy, do pray tell, what is the value of this IP, in other words, how does the router find out what the IP is??? ... Second the question is : how do I choose one of the WANIPs to be my cloud IP. I dont understand the question and thus dont understand your answer either. The cloud IP is assigned pe...
by sindy
Thu Mar 18, 2021 2:33 pm
Forum: General
Topic: Hot to handle VOIP on multiple WANs/backup
Replies: 21
Views: 1361

Re: Hot to handle VOIP on multiple WANs/backup

The reason why I mentioned masquerade in the first place is that I have recognized the issue without OP even mentioning it. I have seen it many times in production back when I was involved with VoIP systems and switching NAT method from masquerade to src-nat together with properly setting up NAT he...
by sindy
Thu Mar 18, 2021 2:25 pm
Forum: General
Topic: Dual WAN Routing
Replies: 11
Views: 921

Re: Dual WAN Routing

The only change i had to make was leaving the "in-interface" blank because i got an error message when its configured. It sounds as and indication that you haven't removed ether2 from the bridge, which would be wrong as you would be still bridging together the two LANs, which is exactly w...
by sindy
Thu Mar 18, 2021 11:21 am
Forum: General
Topic: Ovpn-client on proto udp
Replies: 8
Views: 628

Re: Ovpn-client on proto udp

OK. So two points. First, the certificate you set in the /interface ovpn-client configuration must be the one authenticating your client to the server, which is the one for which you have the private key, i.e. the dyn05-10-8-0-75.ovpn_ 1 one. Second, under normal circumstances, you should not need t...
by sindy
Wed Mar 17, 2021 11:46 pm
Forum: General
Topic: Ovpn-client on proto udp
Replies: 8
Views: 628

Re: Ovpn-client on proto udp

Show me the output of /certificate print detail.
by sindy
Wed Mar 17, 2021 11:45 pm
Forum: General
Topic: Hot to handle VOIP on multiple WANs/backup
Replies: 21
Views: 1361

Re: Hot to handle VOIP on multiple WANs/backup

It doesn't matter whether action=masquerade or action=src-nat rule sets up the NAT behavior of the connection. Only the initial packet of each connection is matched against the NAT rule chains, and the behaviour imposed by the rules it matches is then remembered in the context of the connection and ...
by sindy
Wed Mar 17, 2021 10:16 pm
Forum: General
Topic: Ovpn-client on proto udp
Replies: 8
Views: 628

Re: Ovpn-client on proto udp

The certificate you've downloaded has been generated specifically for you? If not, you should not use it as a client certificate, but as a certificate of a trusted certification authority, which authenticates the certificate presented by the server. So in the client configuration, no certificate sho...
by sindy
Wed Mar 17, 2021 6:26 pm
Forum: General
Topic: IKEv2 Connectivity [SOLVED]
Replies: 14
Views: 921

Re: IKEv2 Connectivity [SOLVED]

If you set the passive parameter of peer1 at Branch to yes , it might be OK even without the NAT rules. If you keep it at no , whenever the site-to-site connection goes down, the Branch router will try to actively connect to Home until the connection attempt in the opposite direction (from Home to B...
by sindy
Wed Mar 17, 2021 5:00 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]
Replies: 36
Views: 2374

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]

As private messages don't work again, you can send me your e-mail address and/or mobile phone number using this instruction (the method at line 16). After creating the-encrypted-short-file , run openssl base64 -e -in the-encrypted-short-file and paste the output of that here as text. My public key f...
by sindy
Wed Mar 17, 2021 4:47 pm
Forum: General
Topic: IKEv2 Connectivity [SOLVED]
Replies: 14
Views: 921

Re: IKEv2 Connectivity [SOLVED]

Is there any reason to quote my directly preceding post as a whole? This is no e-mail, I could see what I wrote just above even if you answered a month later. Is there any way of doing this but with dynamic ip? My Public IP on both MikroTik's are not statically assigned. Sure. One pre-requisite to t...
by sindy
Wed Mar 17, 2021 12:51 pm
Forum: General
Topic: IKEv2 Connectivity [SOLVED]
Replies: 14
Views: 921

Re: IKEv2 Connectivity [SOLVED]

OK, so I was blind and haven't noticed the profile named ikev2 in your export from Home above, which uses default values of all parameters, so it 1. admits modp2048 and 2. doesn't show any parameters except the name in the export, as default values of parameters are not shown unless you use the verb...
by sindy
Wed Mar 17, 2021 11:35 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2000

Re: CRS317-1G-16S+ High CPU lead to drop packet

Hard to say. There might be some wireless protocol incompatibility with certain client models (this forum mostly mentions Apple devices to suffer from this but I assume it's just because they are the most ubiquitous ones among those experiencing those problems), but if so, it should affect both CAPs...
by sindy
Wed Mar 17, 2021 11:26 am
Forum: General
Topic: IKEv2 Connectivity [SOLVED]
Replies: 14
Views: 921

Re: IKEv2 Connectivity [SOLVED]

The two Phase 1 proposals coming from the phone are indeed incompatible with the Phase 1 proposal (specified on both /ip ipsec profile rows) of RouterOS, hence I have no idea why the same phone connects successfully when it connects using some other uplink than the WiFi at the Branch. I.e. all the s...
by sindy
Wed Mar 17, 2021 9:01 am
Forum: General
Topic: Route to a LAN VPN
Replies: 5
Views: 418

Re: Route to a LAN VPN

Well you must be wrong What I wrote was not wrong as such, but it was an answer to a question you didn't actually ask :) Was it not sufficient to add a regular route, /ip route add dst-address=10.8.0.0/24 gateway=192.168.88.2 rather than a mangle/prerouting rule with action=route ? If it wasn't, on...
by sindy
Tue Mar 16, 2021 11:40 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]
Replies: 36
Views: 2374

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]

Nor do I. We may try with your phone and one of my IKEv2 servers running just fine on a public IP if you want.
by sindy
Tue Mar 16, 2021 11:37 pm
Forum: General
Topic: Remote L2TP-IPsec access to router
Replies: 3
Views: 382

Re: Remote L2TP-IPsec access to router

None of the rules in chain input of your /ip firewall filter allows management access to the router itself from the L2TP client IP address and/or interface, and all packets not matching any of the previous rules in that chain are dropped by the last one unless they came in via an interface which is ...
by sindy
Tue Mar 16, 2021 11:24 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]
Replies: 36
Views: 2374

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]

That sounds like the large SSH ones are not sent to the phone at all, i.e. the fragmentation issue is not related; it fails already at the TCP session establishment phase.
by sindy
Tue Mar 16, 2021 10:30 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1150

Re: Internet connection drops for 4-3 second every few moment

A more friendly advice: post the export of both configurations (hAP lite and LHG5), and you'll likely get some instruction on what and where to sniff while testing to help identify the problem. Before starting, install the latest long-term version (6.47.9 at the moment of writing this) on both devic...
by sindy
Tue Mar 16, 2021 10:24 pm
Forum: General
Topic: Route to a LAN VPN
Replies: 5
Views: 418

Re: Route to a LAN VPN

The only VPN protocol for which Mikrotik currently supports pushing routes to a Windows client is IKEv2.
by sindy
Tue Mar 16, 2021 10:20 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]
Replies: 36
Views: 2374

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]

OK, so when you run /tool sniffer quick ip-address=5.x.x.x ip-protocol=udp and try the SSH connection from the phone, can you see only large packets being sent by the Tik to the phone's public IP, or is it always one 1514-byte frame on the WAN interface followed by some smaller one?
by sindy
Tue Mar 16, 2021 10:15 pm
Forum: General
Topic: Ovpn-client on proto udp
Replies: 8
Views: 628

Re: Ovpn-client on proto udp

At the moment, Mikrotik only supports OpenVPN on UDP in RouterOS 7, which is in a beta stage (7.1beta 4 as of writing this). So if you are willing to run a beta, you should be able to connect. The (user)name and password are specified among other parameters on the /interface/ovpn-client row.
by sindy
Tue Mar 16, 2021 10:05 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]
Replies: 36
Views: 2374

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]

The mangle rule above is correct but not sufficient - it only adjusts the MSS in the SYN packets sent to the phone, which means that it prevents the phone from sending larger ones. You need the same rule with 192.168.100.0/24 as src-address instead of dst-address , to modify also the MSS announcemen...
by sindy
Tue Mar 16, 2021 8:24 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]
Replies: 36
Views: 2374

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1 [SOLVED]

The NAT-T feature (or its equivalent which is an intrinsic part of the IKEv2 specification) is sufficient to overcome any number of NATs at any end of the connection. There is a detection phase, and an "executive" phase. In the detection phase, each peer sends the actual address and port i...
by sindy
Tue Mar 16, 2021 7:11 pm
Forum: General
Topic: Dual WAN Routing
Replies: 11
Views: 921

Re: Dual WAN Routing

That's what I had in mind. Just one point regarding the above, in chain srcnat , you cannot refer to in-interface (no idea why), but you can refer to src-address=192.168.0.0/24 instead to restrict the rule to traffic coming from the "flat" subnet. You may want to add a filter rule chain=in...
by sindy
Mon Mar 15, 2021 10:19 pm
Forum: General
Topic: Hot to handle VOIP on multiple WANs/backup
Replies: 21
Views: 1361

Re: Hot to handle VOIP on multiple WANs/backup

The failover from primary to backup WAN can't be flawless either - some time will elapse until the phones re-register (and thus the registration arrives to the remote registrar from the new WAN IP), and until that happens, the incoming calls keep being sent to the dead WAN IP. So what you have in mi...
by sindy
Mon Mar 15, 2021 10:01 pm
Forum: General
Topic: No thermal pads with R11e-LTE6
Replies: 6
Views: 578

Re: No thermal pads with R11e-LTE6

Mentioned right there: https://help.mikrotik.com/docs/display/UM/R11e+series "Optionally you can use the thermal pad by placing it under the card, the thermal pad is not included in the package;" Great, but the word "optionally" is missing in the manual for LtAP, yet so do the ...
by sindy
Mon Mar 15, 2021 5:05 pm
Forum: General
Topic: Dual WAN Routing
Replies: 11
Views: 921

Re: Dual WAN Routing

Sorry for maybe misleading you. The thing which may not be obvious to you is that an IP configuration may be attached directly to an ethernet port, it is not mandatory that it was attached to a bridge. So when I said you don't need multiple bridges, I didn't mean that you should bridge together the ...
by sindy
Mon Mar 15, 2021 4:21 pm
Forum: General
Topic: Run One Connection PPPOE Over 3 Interafce
Replies: 2
Views: 262

Re: Run One Connection PPPOE Over 3 Interafce

As a PPPoE server, RouterOS does support MLPPP as a protocol, but only on a single link.
by sindy
Mon Mar 15, 2021 2:40 pm
Forum: General
Topic: Hot to handle VOIP on multiple WANs/backup
Replies: 21
Views: 1361

Re: Hot to handle VOIP on multiple WANs/backup

I don't get how the connections can continue working as they move from WAN 1 to WAN 2 whereas they hang on WAN 2 when WAN 1 becomes available again. There is a possibility to run a virtual router somewhere in a data center, create two VPN tunnels to it from the customer premises router, each via one...
by sindy
Mon Mar 15, 2021 2:29 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1551

Re: Automatically update ipsec peer addresses from script

Hence it will be IMPOSSIBLE to track hackers who (In the isp network) have same public ip as gateway of ISP means no one can get exact location of the hacker...??? The ISP must help with the tracking, as only the NAT device knows the mapping between the internal address of the real customer and the...
by sindy
Mon Mar 15, 2021 2:22 pm
Forum: General
Topic: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore
Replies: 5
Views: 616

Re: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore

A misconfigured firewall at rtr A can cause this. Show the complete configuration export from rtr A (see the hint on anonymisation in my automatic signature below).
by sindy
Sun Mar 14, 2021 6:25 pm
Forum: General
Topic: Multi site-to-site setup advice
Replies: 8
Views: 802

Re: Multi site-to-site setup advice

To me it seems like a case for a hub-and-spoke L3 VPN with multicast routing as you want the subnets at sites A, B, ... to be distinct ones. But I have no practical experience with multicast routing so can't give you the exact configuration. The multicast package has to be installed on all routers. ...
by sindy
Sun Mar 14, 2021 6:17 pm
Forum: General
Topic: What is the best scenario?
Replies: 13
Views: 1094

Re: What is the best scenario?

i forgot packet mark rules here you are As @anav pointed out, you forgot much more. The purpose of the packet marks is to choose a queue for the packet, and you haven't shown a smallest bit of your queue configuration yet. Also the rules assigning other packet marks are necessary to understand the ...
by sindy
Sun Mar 14, 2021 12:44 pm
Forum: General
Topic: What is the best scenario?
Replies: 13
Views: 1094

Re: What is the best scenario?

None of the rules you've posted assigns a packet-mark ; they just change the DSCP value and set the 802.1p or 802.11 priority field. Does that mean that you don't use queues at the Mikrotik where you assign these values, and just mark them with DSCP and priority so that other devices down the stream...
by sindy
Sun Mar 14, 2021 11:20 am
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 4
Views: 490

Re: Hetzner Subnet on Mikrotik CHR

I'm not familiar with the Hetzner Subnet, so is it an L2 tunnel with one of the /29 addresses acting as a gateway, or does it just mean that traffic for any of the /29 is delivered to you via an L3 tunnel? If it is an L2 tunnel: one possibility is to insert a bridge between the uplink interface and the ...
by sindy
Sun Mar 14, 2021 11:00 am
Forum: General
Topic: routing question
Replies: 2
Views: 245

Re: routing question

The question is not easy to understand in the first place. What is "incoming traffic"? The one coming via the L2TP tunnel? If so, what does "route the traffic to one of the bound IPs" mean? It either arrives through the tunnel with that address as a destination one (so nothing to do at t...
by sindy
Sun Mar 14, 2021 10:55 am
Forum: General
Topic: Amazon AWS VPN -- A Working Configuration Example and Bug
Replies: 48
Views: 37292

Re: Amazon AWS VPN -- A Working Configuration Example and Bug

Logging of the VPN operation would be a good start if you can notice the outage quickly enough or if you can connect a USB drive to the hAP ac²'s USB port. Sniffing of network traffic may be necessary if the above doesn't reveal the issue, which may require external hardware. What kind of VPN is it?...
by sindy
Sun Mar 14, 2021 10:34 am
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1551

Re: Automatically update ipsec peer addresses from script

Nope, that one is Private IP only in the network it's accessible The difference between a "private" IP and a "public" IP is not whether they can be accessed from the internet or not; the difference is that public IPs should be globally unique and are assigned in a coordinated way ...
by sindy
Sat Mar 13, 2021 10:07 pm
Forum: General
Topic: How do you know that Mikrotik had become popular ?
Replies: 5
Views: 596

Re: How do you know that Mikrotik had become popular ?

The trainer doesn't, the trainer just says the bots do.
by sindy
Sat Mar 13, 2021 10:06 pm
Forum: General
Topic: Having issues with NAT mapping
Replies: 8
Views: 685

Re: Having issues with NAT mapping

It depends on the use case whether you want the setup to act as a firewall against incoming connections or not. The OP wasn't clear about that, but yes, if you create a dst-nat rule matching on dst-address alone and keep the default "only drop what comes in from WAN if it is not dst-nated"...
by sindy
Sat Mar 13, 2021 7:32 pm
Forum: General
Topic: Having issues with NAT mapping
Replies: 8
Views: 685

Re: Having issues with NAT mapping

Correct. NAT rules handle only the initial packet of each connection, i.e. one not matching any existing connection. So for a bi-directional 1:1 NAT, you need both a src-nat rule for connections initiated from LAN side and a dst-nat rule for connections initiated from WAN (internet) side. The NAT de...
by sindy
Sat Mar 13, 2021 7:28 pm
Forum: General
Topic: IKEv2 Connectivity [SOLVED]
Replies: 14
Views: 921

Re: IKEv2 Connectivity [SOLVED]

One public IP and the phone is passing through the MikroTik at Branch. If so, the IKE initial request from the phone arrives at Home with the same source IP as the site-to-site tunnel from the Branch Mikrotik itself. So normally also the one from the phone should match on the first peer with that...
by sindy
Sat Mar 13, 2021 5:26 pm
Forum: General
Topic: IKEv2 Connectivity [SOLVED]
Replies: 14
Views: 921

Re: IKEv2 Connectivity [SOLVED]

Checking the Branch Log from my home for the specific date I was there shows up with nothing either, but the Home point had this in the log section after all ... can you give me roughly an idea on how to dstnat at Branch Mikrotik? No point in doing so as the whole assumption that it is a dstnat issu...
by sindy
Sat Mar 13, 2021 2:19 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1551

Re: Automatically update ipsec peer addresses from script

I'm just at 17 now That probably explains the amount of emotion in your posts. there is no option to create a post here??? There is - when you display the list of topics in a subforum (e.g. General ), there is a [New Topic] button above the topic list. IF THE IP of radius server is ... It is not wis...
by sindy
Sat Mar 13, 2021 11:11 am
Forum: General
Topic: DHCP and NAT on L3 switches
Replies: 1
Views: 241

Re: DHCP and NAT on L3 switches

The fact that they run RouterOS does imply all router functionalities are available - RouterOS has all features on all hardware models, except those which depend on hardware support, like wireless or temperature/voltage monitoring or switch chip rule configuration where a switch chip doesn't support...
by sindy
Sat Mar 13, 2021 10:59 am
Forum: General
Topic: Tunnel IPv6 over IPv4 doesn't work when it crosses a Mikrotik
Replies: 1
Views: 216

Re: Tunnel IPv6 over IPv4 doesn't work when it crosses a Mikrotik

Three points to think about: The rules in srcnat and dstnat chains are only used to handle the initial packet of each tracked connection; the result is stored in that connection's context and all subsequent packets belonging to the same connection get the same treatment. So if the first ever ipv6-en...
by sindy
Sat Mar 13, 2021 10:44 am
Forum: General
Topic: Dual WAN Routing
Replies: 11
Views: 921

Re: Dual WAN Routing

Since the subnets used in both networks (company and flat) apparently do not overlap, and you don't need things like an IP phone in a company's VoIP VLAN physically connected to the router in the flat, there is no point in creating an additional bridge - you can attach the IP configuration to ether2...
by sindy
Sat Mar 13, 2021 10:31 am
Forum: General
Topic: ASK [option66 over vpls]
Replies: 2
Views: 313

Re: ASK [option66 over vpls]

Wow. Can you see in the debug log of the DHCP server that the DHCPDISCOVER and the DHCPREQUEST from the factory-reset phone arrive and Option 66 is on the list of requested ones? Can you see Option 66 in the DHCPOFFER and DHCPACK sniffed at the phone-facing end of the tunnel? Was the EoIP tunnel in...
by sindy
Sat Mar 13, 2021 10:18 am
Forum: General
Topic: What is the best scenario?
Replies: 13
Views: 1094

Re: What is the best scenario?

yes I need to do best QOS, that's the purpose, yes I have 3 WAN and 6 LAN. All I need to know is: Mark Conn in prerouting = Mark conn in postrouting or not? Because I see the 2 rules of mark conn have the same packets, so if I made 1 prerouting mark conn is this enough???? OK, so finally a concis...
by sindy
Fri Mar 12, 2021 9:17 pm
Forum: General
Topic: IKEv2 Connectivity [SOLVED]
Replies: 14
Views: 921

Re: IKEv2 Connectivity [SOLVED]

Since the log at Home Mikrotik shows nothing whilst the Strongswan did have a chat with some IPsec stack, and since I remember your previous issue, I would expect dst-nat rules at Branch Mikrotik to divert the IPsec connection attempt to the Branch Mikrotik itself. So as the first thing, check the l...
by sindy
Fri Mar 12, 2021 8:18 pm
Forum: General
Topic: How to access to local network chat server from PPPoE?
Replies: 2
Views: 207

Re: How to access to local network chat server from PPPoE?

Sure it can be achieved. A caveat may be overlapping subnets if the chat server runs at private addresses (as the PPPoE clients may use the same private ranges inside their networks), so you may need to dedicate a public IP (or a CGNAT one) to the chat server to avoid some clients being "myster...
by sindy
Fri Mar 12, 2021 8:14 pm
Forum: General
Topic: Mikrotik and Cisco Router GRE Tunnel Problem
Replies: 19
Views: 1404

Re: Mikrotik and Cisco Router GRE Tunnel Problem

As you've posted only the part of Mikrotik configuration you deemed relevant, is it possible that you have the same setting found to be a culprit here?
by sindy
Fri Mar 12, 2021 7:53 pm
Forum: General
Topic: blocking port 53 incoming from WAN ports, block tons of packets
Replies: 9
Views: 656

Re: blocking port 53 incoming from WAN ports, block tons of packets

As both I and @CZFan have pointed out, it is not a DNS attack against your router, it is a deployment of a security hole on your router (if there actually was one, maybe allow-remote-requests was set to no ?) for attacking someone else. And the real targets of the attacks were the source addresses ...
by sindy
Fri Mar 12, 2021 2:15 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1551

Re: Automatically update ipsec peer addresses from script

hey sindy plz reply me my friend how do I access that RADIUS server... Why are u ignoring me (I'm a noob??? that's why!!!) If the ISP are not totally stupid, there should be no way for you to access the management of their radius server to modify anything there (but there also should be no way for yo...
by sindy
Fri Mar 12, 2021 12:55 pm
Forum: General
Topic: IPsec/IKEv2 can't connect multiple dial-in clients [SOLVED]
Replies: 8
Views: 573

Re: IPsec/IKEv2 can't connect multiple dial-in clients [SOLVED]

I wanted to ask you where the 172.32.0.16/29 came from? It is not even in the DHCP range for my clients, or did you assume that as it's public it's better to cut off less public address from clients, but if so why not 172.32.0.16/30? 172.32.0.16/29 is .16 to .24, so it includes .19 and .20. 172.32....
by sindy
Fri Mar 12, 2021 8:56 am
Forum: General
Topic: Mikrotik/Cisco GRE Tunnel Establishment [SOLVED]
Replies: 10
Views: 738

Re: Mikrotik/Cisco GRE Tunnel Establishment [SOLVED]

What are your reasons to use /ip settings set rp-filter=strict ? This setting checks whether a packet comes in via an interface through which a response to it would be routed, and if it doesn't, the router silently drops it before it even gets to the firewall. Since the route for the GRE keepalive r...
by sindy
Thu Mar 11, 2021 11:32 pm
Forum: General
Topic: SIP Packets dropped unless Torch running
Replies: 11
Views: 772

Re: SIP Packets dropped unless Torch running

Torch is a SW running on the CPU. So this is required for torch being able to see all incoming packets on an interface. So what you are saying is that I was wrong when mentioning the bridge, because it is actually the switch chip hardware that doesn't forward those frames to the CPU port, not the b...
by sindy
Thu Mar 11, 2021 11:25 pm
Forum: General
Topic: IPsec/IKEv2 can't connect multiple dial-in clients [SOLVED]
Replies: 8
Views: 573

Re: IPsec/IKEv2 can't connect multiple dial-in clients [SOLVED]

The traffic selector of the policy on the site-to-site IPsec link chooses just the traffic between 10.16.0.0/24 and 172.16.0.0/24, whereas you assign addresses from 172.32.0.0/x (do you realize that 172.32.0.0/16 is not a private range?) to the dial-in clients. So you need to add another policy to t...
by sindy
Thu Mar 11, 2021 11:11 pm
Forum: General
Topic: Bridge, Vlans & Firewall [SOLVED]
Replies: 6
Views: 635

Re: Bridge, Vlans & Firewall [SOLVED]

VLANs are used to partition a physical network, i.e. to prevent devices in different VLANs from talking directly to each other at L2. The communication between devices in different VLANs is possible thanks to routing between subnets hosted in these VLANs. It is a best common practice, not a law of p...
by sindy
Thu Mar 11, 2021 11:02 pm
Forum: General
Topic: dst-NAT works with 1.1.1.1 and not with local DNS [SOLVED]
Replies: 11
Views: 953

Re: dst-NAT works with 1.1.1.1 and not with local DNS [SOLVED]

So in order to resolve this how should I correct my configuration in order to leave the Hairpin NAT for 10.10.10.0/24? It depends on what the overall topology is and what you can afford to change. On the DNS filter, you can remove the 192.168.0.33, and add a route to 192.168.0.0/24 via the address o...
by sindy
Thu Mar 11, 2021 10:52 pm
Forum: General
Topic: IPsec/IKEv2 can't connect multiple dial-in clients [SOLVED]
Replies: 8
Views: 573

Re: IPsec/IKEv2 can't connect multiple dial-in clients [SOLVED]

I don't understand the meaning of the green and red lines. The diagram shows a butterfly topology, so are the road warrior clients running Strongswan supposed to be connected to both Mikrotik routers simultaneously, and the IPsec connection to the bottom Mikrotik doesn't work? My automatic signature...
by sindy
Thu Mar 11, 2021 10:35 pm
Forum: General
Topic: blocking port 53 incoming from WAN ports, block tons of packets
Replies: 9
Views: 656

Re: blocking port 53 incoming from WAN ports, block tons of packets

You haven't provided any context. If it is your home router, and you didn't have any rules blocking access to your DNS before, bots around the planet got used to the possibility to use your device as a DNS amplifier for DDoS attacks, and it will take some time until they find out it does not make an...
by sindy
Thu Mar 11, 2021 9:18 pm
Forum: General
Topic: Mikrotik/Cisco GRE Tunnel Establishment [SOLVED]
Replies: 10
Views: 738

Re: Mikrotik/Cisco GRE Tunnel Establishment [SOLVED]

What we are interested in are the two pairs of packets at 14.574 and at 24.573. The first packet is the keepalive request coming from the Cisco address, whose payload is the keepalive response, which is shown at the next line on Tunnel1 . What is missing is that very same keepalive response at ether...
by sindy
Thu Mar 11, 2021 6:20 pm
Forum: General
Topic: Forwarding GRE packets not working
Replies: 9
Views: 546

Re: Forwarding GRE packets not working

Instead of waiting the 10 minutes, couldn't he also go into /ip firewall connection, find it and remove it? As I wrote - removal of connection normally works, but the handling of GRE in connection tracking is weird in many aspects. I had multiple cases where the removal of GRE didn't succeed in the p...
by sindy
Thu Mar 11, 2021 5:17 pm
Forum: General
Topic: Forwarding GRE packets not working
Replies: 9
Views: 546

Re: Forwarding GRE packets not working

In that case, the only thing I can imagine is that the GRE packets started arriving before this dst-nat rule has been added, so a tracked GRE connection has been created. And only packets not matching any existing connection are pushed through the srcnat and dstnat chains. So /ip firewall connection...
by sindy
Thu Mar 11, 2021 5:07 pm
Forum: General
Topic: Mikrotik Tunneling
Replies: 1
Views: 196

Re: Mikrotik Tunneling

No idea what rXg means; when you speak about "tunneling the local LAN connection", do you mean you need an L2 tunnel, which delivers Ethernet frames?
by sindy
Thu Mar 11, 2021 5:05 pm
Forum: General
Topic: IPsec/IKEv2 can't connect multiple dial-in clients [SOLVED]
Replies: 8
Views: 573

Re: IPsec/IKEv2 can't connect multiple dial-in clients [SOLVED]

Use just a single /ip ipsec peer row with address=::/0 and link both the /ip ipsec identity rows to it. That's how it is intended to work, and that's why the identity parameters are located in a separate table.