Search found 7291 matches

by sindy
Wed Jun 23, 2021 12:33 pm
Forum: Beginner Basics
Topic: Mangle L2TP vpn
Replies: 6
Views: 368

Re: Mangle L2TP vpn

L2TP clients connect but suddenly disconnect
How long after connection establishment does this happen? Seconds, hours? If it works for a minute and then fails, the root cause may not be related to the policy routing (mangle rules etc.) at all.
by sindy
Tue Jun 22, 2021 11:23 pm
Forum: Beginner Basics
Topic: Mangle L2TP vpn
Replies: 6
Views: 368

Re: Mangle L2TP vpn

Fasttracking is only used in the forward chain, and L2TP transport packets are handled by input and output chains, not the forward one. Your mangle rules seem fine for the L2TP session to get established, except if the L2TP client connects from 888.888.888.0/24 or 999.999.999.0/24. Are you testing f...
by sindy
Mon Jun 21, 2021 11:02 pm
Forum: General
Topic: Frequent PPPoE terminations
Replies: 15
Views: 6159

Re: Frequent PPPoE terminations

You need to sniff into a file, or maybe better stream to the PC unless you can connect a large enough USB drive, the traffic on the physical interface to which the PPPoE client one is attached. Start sniffing while the working PPPoE session still exists, then reboot the GPON box, and then stop the s...
by sindy
Mon Jun 21, 2021 2:19 pm
Forum: General
Topic: Frequent PPPoE terminations
Replies: 15
Views: 6159

Re: Frequent PPPoE terminations

Your log shows that the connection establishment has succeeded, and almost immediately after the PPPoE server asked your client to terminate it. Without seeing the sniff, I can only guess that your Mikrotik kept sending from the previously assigned IP address, and that was the reason why the server ...
by sindy
Sun Jun 20, 2021 9:40 pm
Forum: General
Topic: IPSec: need to ping before send traffic
Replies: 1
Views: 230

Re: IPSec: need to ping before send traffic

Always post complete exports, anonymized as per my automatic signature below. Without seeing the exports I can only speculate that both RTR1 and RTR3 have public IPs directly on themselves, and hence they use ESP as transport protocol. And if this is the case, you have to add an action=accept rule i...
by sindy
Sun Jun 20, 2021 9:23 pm
Forum: General
Topic: Add Bond or Ports to Bridge?
Replies: 2
Views: 186

Re: Add Bond or Ports to Bridge?

Only add bond1 to the bridge.

balance-rr doesn't boost throughput, and may cause headache to some TCP stacks. You may or may not be able to make use of the aggregate bandwidth depending on the traffic pattern.
by sindy
Thu Jun 17, 2021 3:15 pm
Forum: General
Topic: VPN special usage
Replies: 5
Views: 607

Re: VPN special usage

The traffic of the TV doesn't pass through the laptop, so set the /tool sniffer on the router in such a way that it streams the traffic matching the capture filter to the IP address of the laptop (which should be connected using an Ethernet cable, not wirelessly): /tool sniffer set streaming-enabled...
by sindy
Sun Jun 13, 2021 7:12 pm
Forum: General
Topic: VPN special usage
Replies: 5
Views: 607

Re: VPN special usage

The way you describe it, it seems as if the IPTV provider doesn't care from which IP address the client establishes the session for streaming the content and only checks the IP address for the control session used to display the guide, switch channels etc. What is the motivation to let the content s...
by sindy
Thu Jun 03, 2021 8:57 am
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1412

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Hi, How does the core router know to send traffic for 6.0.0.0/25 and 6.0.0.128/25 to the access routers? BGP is disabled at access router 1 and not configured at all at access router 2, and there are no static routes to 6.0.0.x/y at the core router. as the hotspot handling is done at the access rout...
by sindy
Mon May 31, 2021 6:16 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1412

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

As I've understood, the hotspot functionality is running at the edge router, but the src-nat rules are already at the access routers, is that correct? At which router have you "disabled it (the other public /25 I assume) from IP>Address", at the edge one or at the access one? Are the confi...
by sindy
Mon May 31, 2021 4:55 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1412

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Nice to learn at this stage that there are actually two routers, so the whole exercise with the hairpin IPIP tunnel could probably be omitted as the access router could as well send the packets to your own edge router which would happily send them back. I've proposed the IPIP tunnel in order that it...
by sindy
Mon May 31, 2021 3:26 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 867

Re: CHR possible when host machine has no Internal IP?

I am attaching both results with ARP filter on External virtual card and Dst host to 22.22.22.22 (ping from laptop). Didn't see any ARP requests for 22.22.22.22 when I run ping to it. ... but the ping requests did nevertheless arrive. So if you gave the ISP router enough time to forget the eventua...
by sindy
Sun May 30, 2021 11:05 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1412

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

So would the following be correct? ... To make the action=src-nat rule act also on the hairpinned traffic, which is necessary for the whole idea to work, you must make both hairpin-1 and hairpin-2 members of interface list WAN (which they indeed are from the point of view of the network topology). ...
by sindy
Sun May 30, 2021 9:47 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 849

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

What a coincidence... another forum member was fighting a seemingly unrelated problem, and it came out that if you set an Ethernet interface as a gateway of a route to a destination, it sends ARP requests for the destination addresses out that interface. So if any router connected to that interface ...
by sindy
Sun May 30, 2021 6:07 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 849

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

What's the network parameter of that /ip address row? x.y.z.(w+1), x.y.z.(w-1), other?
by sindy
Sun May 30, 2021 4:57 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 849

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

What does the /ip address row look like at that CCR? I just hazily remember someone mentioning that Mikrotik sends the packets to a broadcast MAC address under some circumstances. But other than that, no ideas. What RouterOS version is running there?
by sindy
Sun May 30, 2021 4:47 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1412

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Okay so only one src NAT rule is good enough I believe? For connections between a peer inside your 10.64.0.0/10 and a peer out there in the internet - yes. For connections between two of your peers, it will be more interesting. In order that it worked, you need to src-nat also the connections your ...
by sindy
Sun May 30, 2021 1:29 pm
Forum: General
Topic: How do we properly perform CGNAT on a MikroTik Router for customers?
Replies: 21
Views: 1412

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

I still don't get why you need any dst-nat rules at all. To my understanding, the only thing the two peers in any p2p network need is that all the NATs between each peer and the internet do not change the source port (unless it cannot be kept because some other client is connecting from the same sou...
by sindy
Sun May 30, 2021 12:06 pm
Forum: General
Topic: warm spare: design question
Replies: 11
Views: 660

Re: warm spare: design question

So do I have only the choice of vrp and eventually synchronize the configuration in routeros 6? I am not sure how routeros7 will work, will it add something similar to pfsync? There are actually three separate things to address: providing the routing redundancy itself; synchronisation of the (static...
by sindy
Sun May 30, 2021 9:10 am
Forum: General
Topic: Mikrotik Router OS (Trial Version Limits) [SOLVED]
Replies: 3
Views: 431

Re: Mikrotik Router OS (Trial Version Limits) [SOLVED]

No link needed. Just download the .ova template from the Mikrotik software download page and deploy it. The rest are settings related to networking on the ESXi, and these depend on the intended use case - whether you want to handle VLANs on the CHR or in the ESXi and whether you want to use bridging...
by sindy
Sat May 29, 2021 9:42 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 849

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

But then why did it work on the /31 static IP I configured on a CCR some time ago (it is working up to now without problems)? Btw, you can sniff to a file on the port of the CCR connected to the non-Mikrotik, filtering on ICMP, for about 5-10 minutes. Wireshark should then show you a few ICMP rout...
by sindy
Sat May 29, 2021 9:12 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 849

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

What do you mean by point to multi point? Connecting a router directly to another one is a point to point one, so ptmp means? If you connect Ethernet ports of two routers using a patchcord, it is indeed a point to point connection physically. But the interfaces are still Ethernet ones. And since...
by sindy
Sat May 29, 2021 5:50 pm
Forum: General
Topic: DST NAT to WAN
Replies: 5
Views: 401

Re: DST NAT to WAN

Regarding the dst-nat rule: it must work, but you'll likely need a src-nat one as well, or a route on the modem, so that the modem knew where to send the response. Regarding the VPN: PPTP provides ridiculously weak encryption and doesn't reliably pass through NAT as it is based on GRE, which is hard...
by sindy
Sat May 29, 2021 5:21 pm
Forum: General
Topic: warm spare: design question
Replies: 11
Views: 660

Re: warm spare: design question

I confirm the synchronisation of connection tracking state was working in 7.1beta something, it just sometimes started consuming lots of CPU and had other issues (stopped working when the master/backup roles changed forth and back or something). I haven't checked the state of the art in 7.1beta6 yet...
by sindy
Sat May 29, 2021 4:39 pm
Forum: General
Topic: Connect devices in different VLANs
Replies: 9
Views: 714

Re: Connect devices in different VLANs

Given that you have no access ports to the VLANs at the 3011 itself, I induce that there is either an external switch or an external access point (or more) to which the devices are connected. I cannot find any explanation of what you experience in the configuration of the 3011, so I expect some issu...
by sindy
Sat May 29, 2021 4:01 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 849

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

It doesn't matter that there is just a single address at each end of the physical interconnection if the interface type is a point-to-multipoint one, as the router handles the interface depending on the interface type. So on point-to-point interfaces, the only possible destination is "the remot...
by sindy
Sat May 29, 2021 3:21 pm
Forum: General
Topic: IP Firewall Nat
Replies: 15
Views: 1799

Re: IP Firewall Nat

There's no way to prevent, in advance, third parties from logging in using credentials they've obtained from an authorized person, with or without consent/intention of the authorized person. You can ban the account after you notice that, but it's typically too late. To some extent, two-factor authen...
by sindy
Fri May 28, 2021 11:27 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 867

Re: CHR possible when host machine has no Internal IP?

The provider suggests to use the second IP in this way: https://adminforge.de/windows-allgemein/ip-adressen-hinzufuegen-windows/ had to translate it on google in English , they didn't give me an English version one , apologies. You wrote before that the additional IP address was routed via the firs...
by sindy
Thu May 27, 2021 12:54 pm
Forum: General
Topic: Multiple ip WAN and isolated VLANs
Replies: 13
Views: 1199

Re: Multiple ip WAN and isolated VLANs

Definitely there is.

I gave you some advice on Sat Mar 06, 2021 9:43 pm above, you never responded to it, nor have you posted the current export after the changes you've made in the meantime. Without that, there is no way to help you.
by sindy
Wed May 26, 2021 6:04 pm
Forum: General
Topic: L2TP IPsec ends connection immediately after Phase 2 is established
Replies: 2
Views: 300

Re: L2TP IPsec ends connection immediately after Phase 2 is established

Activate L2TP logging as well (/system logging add topics=l2tp) and try again. Since Phase 2 has established successfully, the issue is most likely in the L2TP settings, and the L2TP log should show that.
by sindy
Wed May 26, 2021 1:49 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 867

Re: CHR possible when host machine has no Internal IP?

You mean to choose the physical connection and the "new" internal virtual connection, and click "bridge" to share Internet? No, that's two different functionalities. When you select two or more network interfaces in Windows, you can bridge them together, but what I have in mind i...
by sindy
Wed May 26, 2021 12:47 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

Can't say right now - my life has enough dynamics these days, so I'm at long-term 6.47.9 everywhere.
by sindy
Tue May 25, 2021 10:10 pm
Forum: General
Topic: How to get a persistent site-to-site tunnel? (IPSEC drops connections)
Replies: 6
Views: 550

Re: How to get a persistent site-to-site tunnel? (IPSEC drops connections)

I am not sure I understand the possible reason you are suggesting. I have my mikrotiks DMZed and all PCs connect through mikrotiks... Should I observe something else? The DMZ functionality may be implemented in many ways in the LAN->WAN direction. In WAN->LAN direction, a DMZ is always a 1:1 dst-na...
by sindy
Tue May 25, 2021 2:35 pm
Forum: General
Topic: How to get a persistent site-to-site tunnel? (IPSEC drops connections)
Replies: 6
Views: 550

Re: How to get a persistent site-to-site tunnel? (IPSEC drops connections)

There must be some root cause behind both the failures of the tunnel and its inability to re-establish autonomously. Most of the devices I'm running IKEv2 tunnels among restart quite frequently due to the regional specifics and the fact that none of them is on a UPS, and all my tunnels automatically ...
by sindy
Tue May 25, 2021 10:53 am
Forum: General
Topic: Strange bonding behavior with EOIP slaves [SOLVED]
Replies: 1
Views: 317

Re: Strange bonding behavior with EOIP slaves [SOLVED]

Look at that from a wider perspective. Each end of the bond uses its own strategy to choose a particular link for a particular frame, independent from the other end's one. In association with the above, each end is only interested in availability (transparency) of the links in its sending direction t...
by sindy
Tue May 25, 2021 9:01 am
Forum: General
Topic: Unexpected NAT behaviour when a port flaps
Replies: 2
Views: 299

Re: Unexpected NAT behaviour when a port flaps

On ether1 port are visible packets source 1.2.3.4 destination 8.9.10.11:22 RX only. On bridge interface are visible packets source 1.2.3.4 destination 192.168.88.100:22 TX and in opposite direction source 192.168.88.100:22 destination 1.2.3.4 RX. Such returning packets are not visible on ether1 (wa...
by sindy
Mon May 24, 2021 7:43 pm
Forum: Beginner Basics
Topic: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]
Replies: 43
Views: 1661

Re: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]

The rules say "use routing table xyz for anything with source address a.b.c.0/24". Whereas packets for the router itself (192.168.3.1, 192.168.4.1) are not affected by these rules (that's how the Linux kernel works, quite logically matching of the destination address of a received packet to ow...
by sindy
Mon May 24, 2021 12:34 am
Forum: Beginner Basics
Topic: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]
Replies: 43
Views: 1661

Re: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]

By means of the rules, you choose a dedicated routing table for each source subnet. So one possibility is to add a backup default route via "Telekom" to both routing tables, home-connection-mark as well as work-connection-mark , with distance=2 . Another possibility is to change the action...
by sindy
Sun May 23, 2021 11:54 pm
Forum: Beginner Basics
Topic: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]
Replies: 43
Views: 1661

Re: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]

Maybe this points something out: I noticed if I uncheck the "add default route" in my two pppoe interfaces, then it doesn't connect to internet at all, I thought it should use the two routes I manually set (as in above image). This could be a DNS issue. Whereas the devices in 192.168.3.0/...
by sindy
Sun May 23, 2021 11:34 pm
Forum: General
Topic: SIP registration issues with MikroTik PPPoE client
Replies: 7
Views: 622

Re: SIP registration issues with MikroTik PPPoE client

The carrier interface of pppoe-fiber-ipv4 is interface-vlan-internet , whose carrier interface is ethernet-1-fiber . So run a ping to the IP address of the registrar in parallel to the phone attempting to register and run the sniffer at interface-vlan-internet at first. Let Wireshark show you whethe...
by sindy
Sun May 23, 2021 10:15 pm
Forum: Beginner Basics
Topic: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]
Replies: 43
Views: 1661

Re: Setting two ISP connections on 2 vlans, same ISP cable [SOLVED]

So I added the two routes and created two rules (this is under routes window > rules, correct ?!) With the attached setup, both 192.168.3.x computers and 192.168.4.x computers seem to use the "home" connection. I tried setting the interface under rules, associating with each of the two br...
by sindy
Sun May 23, 2021 6:36 pm
Forum: General
Topic: Automatic default route change [SOLVED]
Replies: 2
Views: 328

Re: Automatic default route change [SOLVED]

There's no "dynamic routing", the reason why it happens is that 192.168.1.1 (the gateway IP) fits both into 192.168.1.0/24 (the WAN subnet) and 192.168.1.0/25 (the LAN1 subnet), and if both interfaces are up, RouterOS probably throws a coin to choose. But such a setup with overlapping subn...
by sindy
Sun May 23, 2021 6:25 pm
Forum: General
Topic: Bandwidth issues with WireGuard and 7.1beta6
Replies: 9
Views: 590

Re: Bandwidth issues with WireGuard and 7.1beta6

Just guessing... what happens if you swap the roles of the routers in the bandwidth test, is it always the server->client direction (or always the client->server one) that is slow, or it is always the KZ->RU one? The manual says you should not run the bandwidth test on the router whose throughput yo...
by sindy
Sun May 23, 2021 3:11 pm
Forum: General
Topic: missing basic router protocols
Replies: 10
Views: 506

Re: missing basic router protocols

Can you guide me how can I add a static route to the huawei router to reach 192.168.100.0 network instead of using default gateway?
Not unless you give me a link to the user manual of that exact router model.
by sindy
Sun May 23, 2021 2:52 pm
Forum: General
Topic: missing basic router protocols
Replies: 10
Views: 506

Re: missing basic router protocols

All I want is my edge router to check inside before sending the packet to the default gateway. Why is it not checking inside while I have put the 192.168.1.2 IP on my mikrotik? Because dynamic discovery of network topology (aka dynamic routing protocols) is not automatically enabled even on enterprise or ISP rout...
by sindy
Sun May 23, 2021 12:53 pm
Forum: General
Topic: missing basic router protocols
Replies: 10
Views: 506

Re: missing basic router protocols

I don't think it is a missing protocol on the Mikrotik, I'd say it is a missing route at the ISP router and/or on the laptop. When your laptop obtains a DHCP lease from the ISP router, not only does it get an IP address 192.168.1.10/24, but it likely also gets an address of a default gateway, which is 1...
by sindy
Sun May 23, 2021 8:42 am
Forum: General
Topic: SIP registration issues with MikroTik PPPoE client
Replies: 7
Views: 622

Re: SIP registration issues with MikroTik PPPoE client

Yes, this doesn't seem to be an MTU issue. Can you sniff on any other device with a public IP than your own PPPoE one? I'd configure the phone to register to that one (using a static DNS record to make the REGISTER look the same if needed) and compare the REGISTER packets arriving there via the othe...
by sindy
Sat May 22, 2021 10:45 pm
Forum: General
Topic: Packet Loss on Router Ping
Replies: 15
Views: 1114

Re: Packet Loss on Router Ping

Curious - I know that capacitors are a common issue. I checked the voltages on those and they are within 0.1v of the expected value. What is the tolerance of the capacitor? Are they bad? Any other hardware issue that I should check for? When capacitors are an issue, you won't find out by measuring ...
by sindy
Sat May 22, 2021 10:33 pm
Forum: General
Topic: can I replace a RB3011 with an RB201 ? [SOLVED]
Replies: 6
Views: 567

Re: can I replace a RB3011 with an RB201 ? [SOLVED]

It's a 2011, it's just that the font used on the front panel is weird :) The switch chip used for ports ether6-ether10 only has FastEthernet (100 Mbit/s) ports and some other limitations that may not limit you at all. Besides being weaker, the CPU also doesn't support IPsec encryption in hardware. S...
by sindy
Sat May 22, 2021 9:43 pm
Forum: General
Topic: SIP registration issues with MikroTik PPPoE client
Replies: 7
Views: 622

Re: SIP registration issues with MikroTik PPPoE client

I can't see anything wrong with the PPPoE setup as such. There's a nonsense in the /interface bridge vlan configuration subtree where you specify ethernet-2-switch-trunk on the tagged list for vlan-ids=80 on bridge=bridge-vod-iptv whereas in the /interface bridge port subtree you state that ethernet...
by sindy
Sat May 22, 2021 5:33 pm
Forum: General
Topic: IP Cloud Update Problem.
Replies: 12
Views: 770

Re: IP Cloud Update Problem.

wh... wh... whhh.... what the f???
Yes. Same feelings here. U.S., mobile operator, I don't remember exactly which one it was, so won't name any not to get sued :)
by sindy
Sat May 22, 2021 5:27 pm
Forum: General
Topic: IP Cloud Update Problem.
Replies: 12
Views: 770

Re: IP Cloud Update Problem.

would you be able to give us an example about use-local-address If use-local-address=no (the default), the xxx.sn.mynetname.net resolves to the public IP from which the DDNS update request has arrived to the cloud server. If use-local-address=yes , the xxx.sn.mynetname.net resolves to the WAN IP fr...
by sindy
Sat May 22, 2021 2:52 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 266
Views: 27233

Re: v7.1beta6 [development] is released!

Given that there is a possibility to fasttrack connections on CHR and the connections are even marked as fasttracked in /ip firewall connection print , although all their packets actually take the full path (at least they do in 6.x), and given that you can set up /interface ethernet switch vlan item...
by sindy
Sat May 22, 2021 10:36 am
Forum: General
Topic: better way for failover 2 ISP
Replies: 5
Views: 407

Re: better way for failover 2 ISP

As said, the way you've set it up, it normally works as expected. Just to be sure, I did the following test, replicating your setup, except that I used a test route with dst-address=1.2.3.0/24 instead of a default one with dst-address=0.0.0.0/0 . [me@myTik] > ip route print detail where dst-address~...
by sindy
Sat May 22, 2021 10:03 am
Forum: General
Topic: Mikrotik VLAN Configuration / switch ports
Replies: 3
Views: 310

Re: Mikrotik VLAN Configuration / switch ports

The configuration with a dedicated bridge for VLAN 40 is perfectly "legal". Whether it is also preferred depends more on your personal preference. However, the switch chip used in the RB1100AHx4 (RTL8367) doesn't support VLAN handling , at least under control of RouterOS, so you cannot set...
by sindy
Sat May 22, 2021 9:04 am
Forum: General
Topic: 802.1aq
Replies: 2
Views: 351

Re: 802.1aq

This is a fellow user forum, not a channel to product management. So no matter how many times you bump, Mikrotik staff has no obligation to respond here, and fellow users have no clue. Plus since it is a roadmap question, not a support one, I have no idea whether a "correct channel" for it...
by sindy
Fri May 21, 2021 8:30 pm
Forum: General
Topic: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]
Replies: 7
Views: 937

Re: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]

I noticed in the Wiki that those Firewall Filter rules to bypass Fasttrack with ipsec traffic, should have connection-state=established,related , but won't those always be skipped because initial packet never matches? All rules matching on connection-state=established,related will be skipped by any...
by sindy
Fri May 21, 2021 8:12 pm
Forum: General
Topic: MTU troubles using IKEv2 providers like NordVPN [work around]
Replies: 50
Views: 15019

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

I can't see anything unusual regarding IPsec there. The action=none policy preventing the packets from the router to the LAN clients from being diverted into the tunnel (which is no workaround, it's merely how IPsec works) permits PMTUD to work for packets sent by the client via the IPsec tunnel. Bu...
by sindy
Fri May 21, 2021 7:36 pm
Forum: General
Topic: i need a firewall expert or many brain....
Replies: 3
Views: 372

Re: i need a firewall expert or many brain....

Assuming you've made your research, and hence you are sure that the Teamviewer application always uses DNS to determine the IP address for the new connection, you have to schedule the following script populating the address list to run periodically, say, every 5 seconds: :foreach item in=[/ip dns ca...
by sindy
Thu May 20, 2021 7:36 pm
Forum: General
Topic: MTU troubles using IKEv2 providers like NordVPN [work around]
Replies: 50
Views: 15019

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Show the complete setup which is not working and we may get somewhere. PPPoE may surely be related as it can cause MTU problems on its own.
by sindy
Thu May 20, 2021 1:00 am
Forum: General
Topic: better way for failover 2 ISP
Replies: 5
Views: 407

Re: better way for failover 2 ISP

Problem is when the GW of the other ISP is alive but there is no access to the internet (provider problem), and when my first uplink disconnects, the second is also not working, but in my routing table it shows as reachable (it is, but only the gateway). And in the dude I wonder why it's red :D I'm not sure I get ...
by sindy
Thu May 20, 2021 12:39 am
Forum: General
Topic: VRRP-VLANs
Replies: 7
Views: 518

Re: VRRP-VLANs

1. re-wording what @JelleM wrote: all routers negotiating using VRRP which one of them will listen on a particular IP address must be in the same L2 segment (VLAN). They use that same L2 segment to inform each other about their state. 2. re-wording what @JelleM wrote as well: you can have multiple V...
by sindy
Wed May 19, 2021 11:47 pm
Forum: General
Topic: Regular expression too complex
Replies: 2
Views: 303

Re: Regular expression too complex

Shouldn't this regex work? I'd say it should work as such, but it's too complex, in the developer's opinion, for a DNS regexp. And I cannot imagine how to document the "acceptable complexity of a regexp" in the manual. So try to split it into four rows, expanding the second () into one wo...
by sindy
Wed May 19, 2021 11:08 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2145

Re: Transparent hEX S to change vlan-priority for DHCP request only

I have no idea how the switch chip handles ports with IPv6. I'd assume it is either clever enough to check the ethertype value in the 802.1Q tag and look for port values at appropriate positions in the frame autonomously, or adding mac-protocol=ipv6 won't help either. But if it does adjust to IP typ...
by sindy
Wed May 19, 2021 9:35 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2145

Re: Transparent hEX S to change vlan-priority for DHCP request only

Could each bridge act and handle each vlan 832 as a separate vlan? Yes, but only one of these bridges can (at least to date) outsource its job to the switch chip, so the other one would forward in software. That's why I've suggested the described solution with port isolation using switch chip r...
by sindy
Wed May 19, 2021 7:32 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2145

Re: Transparent hEX S to change vlan-priority for DHCP request only

Yes, it will work with hardware forwarding, hence at fiber speed. You probably have to make sure no traffic will leak between the two uplinks, or at least ensuring that should cause no harm. So assuming the management interface of the CRS305 is ether1 , the management IP subnet of the CRS305 is atta...
by sindy
Wed May 19, 2021 5:13 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 867

Re: CHR possible when host machine has no Internal IP?

A private network on the virtual switch is accessible to the virtual machines alone, not to the host, so it is useless for connection of the CHR to the internet. If you create an internal network, a corresponding virtual interface is created in the host Windows, which you can use to share internet w...
by sindy
Tue May 18, 2021 9:23 pm
Forum: General
Topic: Question involving multiple IPSEC tunnels
Replies: 6
Views: 559

Re: Question involving multiple IPSEC tunnels

OK. As private messages have been disabled again after a few months of working, you can send me your e-mail address and/or mobile phone number using this instruction (the method at line 16). After creating the-encrypted-short-file , run openssl base64 -e -in the-encrypted-short-file and paste the ou...
by sindy
Tue May 18, 2021 12:02 am
Forum: General
Topic: Question involving multiple IPSEC tunnels
Replies: 6
Views: 559

Re: Question involving multiple IPSEC tunnels

As you may have guessed, I have no control over the business side's chosen network setup. I didn't have to guess, you've stated that clearly. But the thing is that no matter what you do at your router "2", you cannot make it a backup point of access to their network without cooperatio...
by sindy
Mon May 17, 2021 11:02 pm
Forum: General
Topic: Redundancy failover ISP [SOLVED]
Replies: 13
Views: 866

Re: Redundancy failover ISP [SOLVED]

Surely that is not correct if the ISP is using VRRP, or similar, for failover as this relies on communications between the two devices.
That's disputable - as it works when the OP manually changes cables, I'd assume it doesn't depend on the links to be bridged together at the client side.
by sindy
Sun May 16, 2021 9:53 pm
Forum: General
Topic: IPsec Policies with multiple subnets
Replies: 1
Views: 272

Re: IPsec Policies with multiple subnets

As far as I understand the IPSec Policy only maps 1:1 (ie one source to one destination subnet)
Correct (except that it rather "links" than "maps" subnets).
I have tried to duplicate the policy but although the new one would work this kills the old one - ie I can only reach one ...
by sindy
Sun May 16, 2021 3:58 pm
Forum: General
Topic: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]
Replies: 7
Views: 937

Re: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]

The packet passes through the postrouting chain of mangle before getting to chain srcnat of nat , see this diagram . So the only way to see what happened in src-nat is by sniffing on the out-interface, of course if IPsec policy hasn't matched and encrypted the packet. Or you can see it on the remote...
by sindy
Sun May 16, 2021 12:48 pm
Forum: General
Topic: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]
Replies: 7
Views: 937

Re: Masquerade IPSec/IKEv2 traffic from Road Warrior [SOLVED]

The only thing to come to my mind is that other rules in the srcnat chain of nat shadow the two you've posted. The posted rules themselves should do what you expect them to do.
by sindy
Sun May 16, 2021 12:41 pm
Forum: General
Topic: Redundancy failover ISP [SOLVED]
Replies: 13
Views: 866

Re: Redundancy failover ISP [SOLVED]

As you haven't posted your current configuration, let me assume that
sfp-sfpplus1 is your current single WAN interface
ether1 is free
So copy the code below, substitute sfp-sfpplus1 and ether1 by the actual names of the interfaces, and paste the result on a command line: /system script add name=reco...
by sindy
Sun May 16, 2021 11:40 am
Forum: General
Topic: Question involving multiple IPSEC tunnels
Replies: 6
Views: 559

Re: Question involving multiple IPSEC tunnels

If you were starting from scratch:
bare IPsec takes least overhead and is most different from normal routing
IPsec-encrypted IPIP tunnels allow you to use normal routing with dynamic routing protocols but there's additional overhead, albeit a few bits smaller than with GRE
However, you're not starti...
by sindy
Sat May 15, 2021 9:44 pm
Forum: General
Topic: Join two seperate subnets on a single router
Replies: 2
Views: 368

Re: Join two seperate subnets on a single router

I may be missing something, but a masquerade rule does exactly what its name suggests, it makes connections coming from both 172.21.0.0/16 and 192.168.100.0/24 appear to come from 192.168.30.80 to the rest of 192.168.30.0/24. The connection tracking remembers this in each connection's context, so wh...
by sindy
Sat May 15, 2021 8:19 pm
Forum: General
Topic: CHR possible when host machine has no Internal IP?
Replies: 10
Views: 867

Re: CHR possible when host machine has no Internal IP?

Any virtualization platform I know for Windows does address also networking. So as soon as you install/activate it, a virtual Ethernet interface will be added to the Windows system, and you'll be able to add more manually. And you will also be able to specify how to use them. So if there is just a s...
by sindy
Sat May 15, 2021 7:51 pm
Forum: General
Topic: Redundancy failover ISP [SOLVED]
Replies: 13
Views: 866

Re: Redundancy failover ISP [SOLVED]

They don't mention anything more other than a plain vlan if your equipment supports it.
I'd say the ISP guys use "VLAN" in the meaning of "L2 segment". So whether you install an external dumb switch and connect both uplinks and the WAN interface of the CCR1009 to it, or whether ...
by sindy
Sat May 15, 2021 12:40 pm
Forum: General
Topic: RB trying to be hacked by a mac to an internal IP of internal network
Replies: 5
Views: 573

Re: RB trying to be hacked by a mac to an internal IP of internal network

OK. I am pretty sure these "hack attempts" are unrelated to your issue, and that they have been there also before the problems with viewing pages started. But before these problems started, you had no reason to take a close watch, so now you've made a conclusion that the two things (imposs...
by sindy
Fri May 14, 2021 7:44 pm
Forum: General
Topic: RB trying to be hacked by a mac to an internal IP of internal network
Replies: 5
Views: 573

Re: RB trying to be hacked by a mac to an internal IP of internal network

I'm afraid I need a drawing to understand what you explain, but I'll try without it first: if I get it right, when it didn't work, the LAN side of the Mikrotik in question actually was not completely disconnected as I understood from your Original Post, except that only the PC from which you manage ...
by sindy
Thu May 13, 2021 11:34 pm
Forum: General
Topic: How to prioritize all OSPF traffic?
Replies: 6
Views: 557

Re: How to prioritize all OSPF traffic?

The priority you set in the respective field of a VLAN tag is only honored, if at all, by an external device. All priority handling in Mikrotik itself is done by means of queues ( queue tree and/or queue simple ) and the only ways to let a packet (or frame) be handled by a particular queue are to as...
by sindy
Thu May 13, 2021 11:19 pm
Forum: General
Topic: RB trying to be hacked by a mac to an internal IP of internal network
Replies: 5
Views: 573

Re: RB trying to be hacked by a mac to an internal IP of internal network

If you have a decent firewall, there's nothing to actually worry about regarding these messages. The ones with in: WAN - 1 out: (unknown 0) log packets that have been sent to broadcast MAC addresses, hence the machine receives them and the firewall logs them. The first one is sent by some device (74...
by sindy
Thu May 13, 2021 10:50 pm
Forum: General
Topic: VRRP on WAN
Replies: 1
Views: 282

Re: VRRP on WAN

You can set multiple VRRP interfaces with different virtual IPs on the same group of physical interfaces, you just have to use a different VRRP ID for each of them (exceptions exist but better avoid using the same one). To synchronize the state of VRRP running on different physical interfaces in ord...
by sindy
Thu May 13, 2021 9:47 pm
Forum: General
Topic: Multiple L2TP clients on single device
Replies: 6
Views: 553

Re: Multiple L2TP clients on single device

You're not forgotten, but this is my voluntary activity and I have more than enough else to do these days. And you've said you are a beginner so reddit-style brief hints don't help much. So below is a config to be set on a router with no configuration at all. Which is not the same as a router with a...
by sindy
Mon May 10, 2021 5:33 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

OK, so please show me the output of /tool sniffer quick ip-protocol=icmp ip-address=192.168.9.2 while pinging 192.168.9.2 from the PC.

And then Wireshark on the PC while pinging 192.168.9.1. It starts being crazy.
by sindy
Mon May 10, 2021 5:15 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

OK, still the same - the 3011 pings the LTE from wan2-100 and gets a response every 30 s, except that now with hw=no you can see also the ping request to leave tagged via ether10 , not just the response to come in through there. So everything is fine regarding the VLAN setup. As the ping requests fr...
by sindy
Mon May 10, 2021 5:09 pm
Forum: General
Topic: Very high sector writes
Replies: 43
Views: 6069

Re: Very high sector writes

Does wear leveling include moving static data, thus causing more writes? If not, all your calculations have to be adjusted to take into account that all that happens only in the part of the flash which doesn't hold the RouterOS image itself. So from your 100 years life expectancy for full 16 MB with...
by sindy
Mon May 10, 2021 4:51 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

Ah, hw=yes strikes again... Please set hardware acceleration to no under /interface bridge port for ether10 and for the port to which you connect the PC, and try again. When hw=yes , some packets do not get captured on the Ethernet interface. I keep forgetting about that. In any case, your sniff onl...
by sindy
Mon May 10, 2021 4:02 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

eth10 remains in the bridge
That's correct.
by sindy
Mon May 10, 2021 4:00 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

If you have in mind adding wan2-100 as a member port of a bridge, it's correct that you cannot add it. wan2-100 is a VLAN interface whose tagged end is attached to the bridge, so making its tagless end a member port of the same bridge would create a loop, hence it is good it is not possible. Your pr...
by sindy
Mon May 10, 2021 3:42 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

How does /ip firewall address-list export look like, and what does the sniffing as suggested above show?
by sindy
Mon May 10, 2021 3:25 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

@anav: What scripts? Where? If you mean the reconfiguration script a few posts above, a script is the most concise way of expressing the necessary configuration changes. I'm not going to create a presentation with screenshots of all the relevant windows before and after. But you can always translate...
by sindy
Mon May 10, 2021 3:19 pm
Forum: General
Topic: Multiple L2TP clients on single device
Replies: 6
Views: 553

Re: Multiple L2TP clients on single device

Given the clear separation between the management addresses (10.200.0.0/16, btw quite an overkill for a "dozen" clients) and the corporate range (192.168.0.0/16), it's nothing extremely complex. In particular, there is no need for policy routing, just tell me whether you'll be managing the...
by sindy
Mon May 10, 2021 11:44 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

This interface list row is definitely an error - my script should have changed ether10 to wan2-100 on it. I've tested it on my lab CHR and it worked, interesting. Nevertheless, this does not explain why you cannot ping the LTE IP. So once you fix that row, make the command line window as wide as you...
by sindy
Mon May 10, 2021 8:05 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

When you connect the same client to any of ether2..ether9 on the 3011 instead of 02..04 on the GS105E, do you get the same result?

Can you show me the export after applying my script?
by sindy
Mon May 10, 2021 12:16 am
Forum: RouterOS v7 BETA
Topic: v7.1beta5 [development] is released!
Replies: 293
Views: 45103

Re: v7.1beta5 [development] is released!

You wrote you need the 4-(mac)-address mode and capsman to be supported on wifiwave2 in order to be able to test it. That implies to me that you normally use both these features simultaneously (i.e. a capsman-controlled AP in AP-bridge mode), which I thought was impossible. What am I missing?
by sindy
Sun May 09, 2021 10:38 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta5 [development] is released!
Replies: 293
Views: 45103

Re: v7.1beta5 [development] is released!

need 4 address mode support for that, plus CAPsMAN support
Sorry for off-topic, but how do you make these two work together on any ROS release, without wifiwave2?
by sindy
Sun May 09, 2021 8:03 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

I am now testing the switch with the image configuration and I can reach vlan10 anyway.
Again... when something is connected to port 02 of Netgear, it gets an IP address from 10.0.0.0/24 because that port is an access one to VLAN 1 which is tagless at port 01 of the GS105E and at ether2 .. ether10 ...
by sindy
Sun May 09, 2021 4:12 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

this should not happen if not enabling the vlan on the android devices.
It's a misunderstanding. The fact that the subnet 172.16.10.0/24 lives in a dedicated VLAN does not mean that devices in other subnets cannot reach devices in 172.16.10.0/24, as the very purpose of a router is to forward traffi...
by sindy
Sun May 09, 2021 11:57 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

Yes, if everything else works properly, there will be no problem. However, the configuration you've posted shows that a static address is assigned to WAN2: /ip address ... add address=192.168.9.2/24 interface=ether10-WAN2 network=192.168.9.0 So what have I missed? Also, take care about changing the ...
by sindy
Sun May 09, 2021 11:26 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

So before copy-pasting my script above, rename ether10-WAN2 to ether10.
Then copy-paste that script except the last row.
Instead of the last row, use /interface bridge port enable [find interface=ether10].
by sindy
Sun May 09, 2021 10:36 am
Forum: General
Topic: Multiple L2TP clients on single device
Replies: 6
Views: 553

Re: Multiple L2TP clients on single device

Yes, it is possible. Two L2TP clients towards different servers are OK. You can even use the automatically generated IPsec configurations if both servers accept the same Phase 1 and Phase 2 proposal, otherwise you'd have to configure the IPsec layer manually. Regarding the different usage policies o...
by sindy
Sun May 09, 2021 10:15 am
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

OK. So let's assume you've started from a default configuration, where ether2 .. ether10 were member ports of a bridge named bridge , and you've just removed ether10 from that bridge and used it as WAN2. So as I wrote above /interface vlan add name=wan2-100 interface=bridge vlan-id=100 /ip address s...
by sindy
Sun May 09, 2021 10:14 am
Forum: General
Topic: VPN special usage
Replies: 5
Views: 607

Re: VPN special usage

You'll have to elaborate on what you mean by download and upload, as it can be understood in multiple ways: from the perspective of a single packet, where "download" means that a packet goes from router A to router B and "upload" means a packet goes from router B to router A from...
by sindy
Sat May 08, 2021 11:01 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

If the ether10 itself currently acts as WAN2, do you want ether2..ether4 of the netgear to extend some existing LAN bridge of the 3011? Or will it be a separate LAN segment? The necessary changes on the 3011 depend on the answer.
by sindy
Sat May 08, 2021 9:59 pm
Forum: General
Topic: VPN L2TP/IPSEC RouterOS 6.11
Replies: 19
Views: 1013

Re: VPN L2TP/IPSEC RouterOS 6.11

My approach would have been to install the new 1100 next to the old one and connect one of the new one's ports to the old one's LAN, port-forward UDP port 4500 from the old one's WAN to new one's IP address on the LAN, and set up the L2TP/IPsec server on the new one. And later copy the firewall conf...
by sindy
Sat May 08, 2021 9:24 pm
Forum: General
Topic: WAN over VLAN
Replies: 45
Views: 2201

Re: WAN over VLAN

if ether10 of the 3011 is a member port of a bridge, hook an /interface vlan with vlan-id=100 to that bridge, otherwise add it directly to ether10 . Let's name it wan2-100 for simplicity.
move all the IP address configuration from the current etherX acting as WAN2 to wan2-100 you've added above. Al...
by sindy
Thu May 06, 2021 8:59 am
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 606

Re: IPsec Site to SIte behind NAT

don't know if that is possible in Windows server
It is. Option 249 is Microsoft's proprietary alternative to Option 121. The difference between the two is that Option 249 is used in addition to Option 3 (list of default gateways), whereas Option 121 replaces Option 3 (i.e. it contains the complete ...
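The two options differ only in how the client treats them; the on-wire payload format is the same (RFC 3442). The following is an added example, not code from sindy's post or from RouterOS, that encodes and decodes the classless-static-route payload and builds the option set the way the post describes it: with Option 121 the default route has to travel inside the option as 0.0.0.0/0 because the client ignores Option 3, with Option 249 the default route stays in Option 3. The sample values are constructed: 192.168.97.254 is the LAN default gateway named in this thread, while the 10.0.0.0/24 remote prefix and the 192.168.97.1 address for the MikroTik are assumptions.

```python
import ipaddress

# DHCP option codes: RFC 2132 (Router), RFC 3442 (Classless Static Route);
# 249 is Microsoft's pre-standard code with the same payload format as 121.
OPT_ROUTER = 3
OPT_CLASSLESS_STATIC_ROUTE = 121
OPT_MS_CLASSLESS_STATIC_ROUTE = 249


def encode_classless_routes(routes):
    """Encode (destination_prefix, gateway) pairs as an RFC 3442 payload.

    Each route is: one byte prefix length, only the significant octets of the
    destination ((prefixlen + 7) // 8 of them), then the 4-byte router address.
    A default route is therefore just the byte 0 followed by the gateway.
    """
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; rejects truncated or malformed input."""
    routes = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + significant] + bytes(4 - significant)
        i += significant
        gateway = payload[i:i + 4]
        i += 4
        # strict=False: a sloppy encoder may leave host bits set inside the
        # significant octets; normalise instead of failing.
        net = ipaddress.IPv4Network((dest, prefixlen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(gateway))))
    return routes


def build_options(static_routes, default_gateway, microsoft=False):
    """Return {option_code: payload} for the behaviour described in the post.

    Option 121 replaces Option 3, so the default route must be carried inside
    it as 0.0.0.0/0. Option 249 is used in addition to Option 3, so the default
    gateway stays in Option 3 and 249 carries only the extra routes.
    """
    if microsoft:
        return {
            OPT_ROUTER: ipaddress.IPv4Address(default_gateway).packed,
            OPT_MS_CLASSLESS_STATIC_ROUTE: encode_classless_routes(static_routes),
        }
    return {
        OPT_CLASSLESS_STATIC_ROUTE: encode_classless_routes(
            list(static_routes) + [("0.0.0.0/0", default_gateway)]
        ),
    }


if __name__ == "__main__":
    # Constructed sample (assumption): remote prefix 10.0.0.0/24 reachable via the
    # MikroTik at 192.168.97.1, default gateway 192.168.97.254 as in the thread.
    sample_routes = [("10.0.0.0/24", "192.168.97.1")]
    for ms in (False, True):
        for code, payload in build_options(sample_routes, "192.168.97.254", microsoft=ms).items():
            print(f"option {code}: {payload.hex()}")
```

If a server hands out only Option 121 to a client that does not understand it, that client ends up with no default route at all, which is why the post stresses that 121 must contain the complete list. Clients also only receive either option when they ask for it in the parameter request list.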
by sindy
Wed May 05, 2021 10:42 pm
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 606

Re: IPsec Site to SIte behind NAT

Is it possible to have ddns name on Site B router so when ip changes that tunnel stays up, or no?
RouterOS doesn't support IPsec MOBIKE yet, so the tunnel won't exactly stay up but it will re-establish. You can use the /ip cloud to update the dynamic DNS operated by Mikrotik (xxxxxxxx.sn.mynetname....
by sindy
Wed May 05, 2021 9:08 pm
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 606

Re: IPsec Site to SIte behind NAT

I'd say it's simply a routing issue at Site A. I assume all the devices in 192.168.97.0/24 get their IP configuration via DHCP from the Huawei, so their default route's gateway is the Huawei itself, 192.168.97.254. Hence when a ping packet arrives to them from 10.0.0.1, i.e. from an address outside ...
by sindy
Mon May 03, 2021 1:25 pm
Forum: General
Topic: Src-nat on output + IPsec?
Replies: 5
Views: 592

Re: Src-nat on output + IPsec?

Regarding where the NAT is executed, it's a bit more complex:
change of destination address, i.e. dst-nat and un-src-nat, is done before routing, just after the packet has arrived.
change of source address, i.e. src-nat and un-dst-nat, is done after routing, just before the packet is sent.
So if I g...
by sindy
Fri Apr 30, 2021 9:59 pm
Forum: General
Topic: VPN IPsec with BINAT configuration
Replies: 1
Views: 275

Re: VPN IPsec with BINAT configuration

The term BINAT seems to be pfSense specific; in fact, it addresses a situation where you interconnect two sites and same subnets are used at both of them, and you need devices at site A to communicate with devices in a site B subnet shadowed by a local one at site A. This issue needs to be addressed...
by sindy
Fri Apr 30, 2021 8:46 pm
Forum: General
Topic: MAC based port forwarding rule
Replies: 7
Views: 577

Re: MAC based port forwarding rule

I want the port forward rule to work after checking the device's MAC; I will store some devices' MACs in the router. If the device's MAC is the same then Mikrotik applies the port forwarding rule, otherwise denied.
While matching on src-mac-address does work in /ip firewall if some other pre-requisites are met, it only makes sense to ...
by sindy
Fri Apr 30, 2021 8:40 pm
Forum: General
Topic: Issues with IPsec between Sophos and Mikrotik
Replies: 5
Views: 420

Re: Issues with IPsec between Sophos and Mikrotik

There is no route setup on the mikrotik's side to get to the Sophos side however I can access all resources on the other side of the tunnel.
Don't worry, it's because the IPsec policies intercept the traffic and divert it into the tunnel. But some route for the traffic must exist, as the IPsec poli...
by sindy
Fri Apr 30, 2021 8:15 pm
Forum: General
Topic: NAT problem with host's internal traffic using route marking.
Replies: 6
Views: 553

Re: NAT problem with host's internal traffic using route marking.

I'd have to see the actual configurations to suggest something more.
by sindy
Tue Apr 27, 2021 9:50 am
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 764

Re: IKEv2 + android clients [SOLVED]

Was about to shoot a bazooka at that router :D
Waste of ammo... using a hammer provides more relief to your soul :) Plus in your locality, you've got the globally unique possibility to get it run over by a šalina.
about this:
add action=dst-nat chain=dstnat in-interface=ether1 ipsec-policy=in,none ...
by sindy
Tue Apr 27, 2021 12:53 am
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 764

Re: IKEv2 + android clients [SOLVED]

The packets decapsulated from IPsec transport ones inherit the in-interface attribute from the transport ones. Assuming that ether1 is your WAN, the dst-nat rule action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.50.10 to-ports=45000-45500 diverts any TCP connection co...
by sindy
Mon Apr 26, 2021 11:17 am
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 182
Views: 129042

Re: Using RouterOS to VLAN your network

Not sure it belongs here (as you've properly stated, this topic should actually be a wiki article). However: There is no equivalent of Cisco's VTP on Mikrotik, so you cannot dynamically distribute VLAN configuration across wired network from a single device. But if you are interested solely in cAPs,...
by sindy
Mon Apr 26, 2021 8:32 am
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 764

Re: IKEv2 + android clients [SOLVED]

*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
As my router is running 6.47.9, this could be the cause (fragmentation)?
RFC7383 only deals with application-level fragmentation of the control traffic (IKE), not of transport packets. Since the connection has established properly...
by sindy
Sun Apr 25, 2021 5:08 pm
Forum: General
Topic: Static WAN IP not working - mask issue?
Replies: 11
Views: 625

Re: Static WAN IP not working - mask issue?

I didn't try Sindy's advice because it looked like what you would do on the upstream router to me to mimic the behaviour of my ISP.
Sure, you've got it right - that wasn't an advice what to do at your router. There is nothing to advise regarding static address configuration if the ISP only allows t...
by sindy
Sun Apr 25, 2021 5:03 pm
Forum: General
Topic: IKEv2 + android clients [SOLVED]
Replies: 9
Views: 764

Re: IKEv2 + android clients [SOLVED]

I'm a bit confused by xena@local.cz being used as both the common name of the initiator's (Strongswan's) certificate and the own ID of the responder (Mikrotik); maybe the IPsec stack is confused too? How does Mikrotik's own certificate look like? I also hazily remember I had cases where I had to remo...
by sindy
Sun Apr 25, 2021 4:28 pm
Forum: General
Topic: Routes to multiple addresses
Replies: 5
Views: 521

Re: Routes to multiple addresses

There is no way to use a list of prefixes as a dst-address of a single route. The usual approach is to use a dynamic routing protocol such as OSPF or BGP. Another approach might be to use mangle rules (which can match on dst-address-list) to assign routing-mark values, and have just a default route ...
by sindy
Sun Apr 25, 2021 4:19 pm
Forum: General
Topic: Same subnets to L2TP/IPsec, possible?
Replies: 3
Views: 450

Re: Same subnets to L2TP/IPsec, possible?

Have a look at action=netmap in /ip firewall nat. It's the best you can have, with some drawbacks of course - it's still NAT.
by sindy
Sun Apr 25, 2021 3:44 pm
Forum: General
Topic: DHCP client Ether1 looses IP address every1-5 minutes
Replies: 5
Views: 779

Re: DHCP client Ether1 looses IP address every1-5 minutes

As you've explicitly asked for a response in this thread:
1. /tool sniffer set file-name=dhcp.pcap file-limit=100000 filter-interface=your-wan-interface-name filter-ip-protocol=udp filter-port=bootps
2. make sure that all other filter-xxx fields of /tool sniffer settings are empty
3. /tool sniffer s...
by sindy
Sun Apr 25, 2021 1:37 pm
Forum: General
Topic: Static WAN IP not working - mask issue?
Replies: 11
Views: 625

Re: Static WAN IP not working - mask issue?

I copy the IP data into static entries and it doesn't work.
If so, I'd assume the provider uses some kind of protection against people arbitrarily assigning public IPs on their own. In RouterOS, you would do this by setting arp=reply-only in the configuration of the interface and setting add-arp=ye...
by sindy
Sun Apr 25, 2021 1:22 pm
Forum: General
Topic: Static WAN IP not working - mask issue?
Replies: 11
Views: 625

Re: Static WAN IP not working - mask issue?

When you say "I turn off DHCP client", does that mean that with DHCP client on, you get some public IP and everything works? But once you assign the same IP address, mask and gateway you have previously obtained using the DHCP client before, it doesn't?
by sindy
Sat Apr 24, 2021 10:08 pm
Forum: General
Topic: L2TP/IPSec VPN problem on 6.48.1 and 6.48.2
Replies: 1
Views: 428

Re: L2TP/IPSec VPN problem on 6.48.1 and 6.48.2

What you describe sounds like you've got multiple peers with same values of local-address, address, and exchange-mode, where one of them is dynamically generated by the L2TP setting use-ipsec=yes.

What does /ip ipsec peer print detail show while the L2TP server is enabled?
by sindy
Sat Apr 24, 2021 10:03 pm
Forum: General
Topic: Marking IKEv2 dynamic connection for Firewall?
Replies: 1
Views: 247

Re: Marking IKEv2 dynamic connection for Firewall?

chain=input protocol=tcp dst-port=8291 in-interface-list=WAN ipsec-policy=in,ipsec action=accept
by sindy
Sat Apr 24, 2021 9:52 pm
Forum: General
Topic: Blocking LLDP / Protocol 35020
Replies: 4
Views: 613

Re: Blocking LLDP / Protocol 35020

@changeip, too many things work differently than you expect. The ip firewall only deals with IP packets, so the protocol matches on the payload protocols of IP, such as UDP, TCP, GRE... MNDP is an application using UDP and port 5678, but RouterOS sends MNDP packets in such a way that they bypass the IP...
by sindy
Sat Apr 24, 2021 9:30 pm
Forum: General
Topic: NAT problem with host's internal traffic using route marking.
Replies: 6
Views: 553

Re: NAT problem with host's internal traffic using route marking.

You haven't posted the configurations, but you mention default firewall rules. The default firewall rule "drop invalid" in chain forward of filter prevents those SYN,ACK packets from reaching the out-interface (LAN in this case) and thus triggering the sending of ICMP redirect, as the conn...
by sindy
Sat Apr 24, 2021 4:45 pm
Forum: General
Topic: VLAN separation using new Bridge VLAN Filtering feature
Replies: 9
Views: 2500

Re: VLAN separation using new Bridge VLAN Filtering feature

This post may explain why the configuration changes mentioned by @jahudka are necessary.
by sindy
Fri Apr 23, 2021 11:17 pm
Forum: General
Topic: Bridge/vlan configuration advice
Replies: 3
Views: 350

Re: Bridge/vlan configuration advice

I'll go a bit deeper into the reasons than @mkx: As you intend to set up an L2 ring configuration (the CCR will be connected to two CRS and those will be connected to each other), you need to use some STP flavor to prevent L2 looping. And in order that xSTP behaved correctly, you must use the "...
by sindy
Thu Apr 22, 2021 7:32 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1362

Re: Internet connection drops for 4-3 second every few moment

The price is about 1 month of my brother's income, so it's a lot. ... the bad news is the Mikrotik is the only brand which is accepted by my country's ISPs.
Which seems to be related, other vendors may be prohibitively expensive or embargoed. And they don't support NV2 of course. They already have connecte...
by sindy
Thu Apr 22, 2021 7:01 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 8
Views: 789

Re: NETMAP vs SRCNAT

action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible). example: /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47 results in the sam...
by sindy
Thu Apr 22, 2021 6:58 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 8
Views: 789

Re: NETMAP vs SRCNAT

f.e., if we have 10.35.27.10 as a source address, netmap will replace it with 192.168.143.40?
No, with 192.168.143.42 (32 + 10)
by sindy
Thu Apr 22, 2021 6:38 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1362

Re: Internet connection drops for 4-3 second every few moment

the only situation that I don't get timeout and the problem gets solve, is by disabling other clients on ISP radio device. So they suggest me to buy one more radio and make a PTP connection, but it cost a lot of price, I believe the problem is solvable so it's not worth to pay that much money for t...
by sindy
Thu Apr 22, 2021 5:20 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 8
Views: 789

Re: NETMAP vs SRCNAT

Because the netmask part of the to-addresses value is 28, i.e. 255.255.255.240. So the value of the bits of the original address whose positions match the zero bits in the mask, i.e. the least significant four bits, is 12 in all three cases, and the bits whose positions match the one bits in the mas...
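The address arithmetic behind the three NETMAP vs SRCNAT replies above (and the reason netmap is the answer to the same-subnet and BINAT questions earlier on this page) can be modelled directly. The following is an added example, not code from sindy's posts or from RouterOS: it keeps the bits of the original address at the positions where the to-addresses mask is 0 and takes the remaining bits from to-addresses, so 10.35.27.10 becomes 192.168.143.42 exactly as stated in the thread. The 10.35.27.0/28 source block used to show the reverse mapping is an assumption; the thread does not say how RouterOS treats a to-addresses range that is not an aligned block, so the model simply refuses one.

```python
import ipaddress


def netmap(address, to_prefix):
    """Model of RouterOS action=netmap as explained in the thread.

    to_prefix is the to-addresses value, e.g. 192.168.143.32/28. Bits of the
    original address where the mask is 0 (the low 4 bits for a /28) are kept,
    bits where the mask is 1 are taken from to_prefix. The mapping is
    deterministic, so the reverse direction is the same function with the
    original block as to_prefix.
    """
    net = ipaddress.IPv4Network(to_prefix, strict=False)
    orig = int(ipaddress.IPv4Address(address))
    mapped = int(net.network_address) | (orig & int(net.hostmask))
    return str(ipaddress.IPv4Address(mapped))


def range_to_prefix(first, last):
    """A to-addresses range such as 192.168.143.32-192.168.143.47 is only a
    1:1 mapping if it is an aligned power-of-two block; return that block
    in prefix notation, otherwise refuse (assumption: not covered by the thread)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        raise ValueError("range is not an aligned block, netmap would not be 1:1")
    return f"{first}/{33 - size.bit_length()}"


def src_nat_candidates(first, last):
    """action=src-nat with the same range: the replacement address is picked
    per connection from the whole range, so only the set of possible results
    is predictable, not which one a given source ends up with."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return {str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)}


def is_one_to_one(src_prefix, to_prefix):
    """netmap is a bijection only if the matched source block and the
    to-addresses block have the same prefix length; with a wider source
    block, sources that differ only above the host bits collide."""
    return (ipaddress.IPv4Network(src_prefix, strict=False).prefixlen
            == ipaddress.IPv4Network(to_prefix, strict=False).prefixlen)


if __name__ == "__main__":
    to = range_to_prefix("192.168.143.32", "192.168.143.47")  # 192.168.143.32/28
    print(netmap("10.35.27.10", to))                  # 192.168.143.42, as in the thread
    print(netmap("192.168.143.42", "10.35.27.0/28"))  # reply direction (assumed source block)
    print(netmap("10.35.27.26", to))                  # also .42: collision if source is wider than /28
    print(sorted(src_nat_candidates("192.168.143.32", "192.168.143.47")))
```

The practical check this adds: when the src-address matcher of the netmap rule covers a larger block than to-addresses (say a /24 mapped onto a /28), is_one_to_one returns False and the last print shows two different sources landing on the same translated address, which is the point where the "it's still NAT" drawbacks mentioned earlier start to bite.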
by sindy
Thu Apr 22, 2021 5:09 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1362

Re: Internet connection drops for 4-3 second every few moment

There is the local noippass "xxxxx" line in the script; if someone has downloaded the original file, they can update your DynDNS now, until you change the password on the DynDNS web selfcare page and then update it accordingly in your script. To the original topic: given how the two Mikrot...
by sindy
Thu Apr 22, 2021 4:31 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1362

Re: Internet connection drops for 4-3 second every few moment

You may want to remove the script part from the configuration export (edit the post, remove the file and re-post it without the /system script and all the lines following it) and change your password to the DynDNS service. It didn't come to my mind you could have something like that in operation. I'...
by sindy
Thu Apr 22, 2021 3:34 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1362

Re: Internet connection drops for 4-3 second every few moment

It is hard to say as I don't know the complete setup. The LHG5 may be working in bridge mode and have no IP address, or there may be a management IP address assigned by the ISP. When you connect your PC to the hAP lite, you can see only the hAP lite in the neighbour list in Winbox because the hAP lit...
by sindy
Thu Apr 22, 2021 2:32 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1362

Re: Internet connection drops for 4-3 second every few moment

In such case, ask the ISP for that, as it is apparently their device. Just as a blind shot until you can arrange that, press [Interfaces], and in the "Interface List" window that opens, press the [Detect Internet] button just above the table on the (Interface) tab. Post the screenshot of t...
by sindy
Thu Apr 22, 2021 2:14 pm
Forum: General
Topic: Internet connection drops for 4-3 second every few moment
Replies: 22
Views: 1362

Re: Internet connection drops for 4-3 second every few moment

Instead of posting 150 screenshots which show 5 % of the configuration, please use the [New Terminal] button to open a command line window, type /export hide-sensitive file=current-config in that window and press Enter. A file named current-config.rsc will appear in the file list; download it, and i...
by sindy
Mon Apr 19, 2021 8:16 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 49
Views: 9584

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Do I have to do the RIP rules?
I live quite far away from that ISP and only had the situation proxied by @rabienz and @Najifares. So from what I got that way, you have to advertise those IPs to ISP's equipment using RIP so that it would send you the traffic. Don't ask me why the ISP needs it, and e...
by sindy
Mon Apr 19, 2021 5:00 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 49
Views: 9584

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Can you provide a config where all 5 public addresses are to be used to NAT to different private address subnets on LAN
If we leave aside all the security aspects, all you need is a set of src-nat and dst-nat rules. So for a bi-directional, port-agnostic 1:1 NAT between a public IP address A.A.A.A ...
by sindy
Mon Apr 19, 2021 9:28 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2125

Re: CRS317-1G-16S+ High CPU lead to drop packet

If all your cAPs do local forwarding, the only way the CPU load on the CRS could be coming from CAPsMAN processing would be if the clients kept re-authenticating, as the client traffic is converted between wireless and wired one at the cAPs themselves. So most likely there is a traffic tha...
by sindy
Sat Apr 17, 2021 11:56 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2125

Re: CRS317-1G-16S+ High CPU lead to drop packet

Please show the typical output of /tool profile cpu=all on the CRS317, and also the typical output of /interface monitor-traffic interface=aggregate and /interface monitor-traffic interface=the-wan-interface-name. And the question is not how many cAPs but how many clients, and what you ask the rout...
by sindy
Tue Apr 13, 2021 10:24 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2417

Re: Discovery of external IP address (Noip.com)

...do you think I should make the delay 1m longer, say 3 minutes?
Possibly yes, but to me 1m should also be sufficient, the mAP lite is not that lazy. Maybe add a delay 1m before the disable. It is still possible that the result depends on whether the initial request comes first from the remote pe...
by sindy
Mon Apr 12, 2021 10:35 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1313

Re: IKEv2 server ignores dhcp query on vlan interface

I have one more question related to IKEv2. Is it possible to switch on/off user-led based on IKEv2 peer status? Similar to interface-status under /system leds
It is, but only using a periodically scheduled script. None of the possible type values has any relationship to IPsec. So you must use a scr...
by sindy
Mon Apr 12, 2021 6:18 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2417

Re: Discovery of external IP address (Noip.com)

Of course replace name by the actual name of the peer. And yes, the scheduled script is a substitution of your manual disable/re-enable operation after reboot. The scheduled script is a workaround. For a solution in future RouterOS versions, you have to raise a support ticket with Mikrotik; before d...
by sindy
Mon Apr 12, 2021 3:38 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1313

Re: IKEv2 server ignores dhcp query on vlan interface

local-address=empty/not set and local-address=0.0.0.0 is the same thing, as you can see if you use /ip ipsec peer export verbose (without the verbose modifier, export does not show default values). Mikrotik's DHCP server apparently expects an L2 frame in order that it responded, so if the DHCPINFOR...
by sindy
Sun Apr 11, 2021 5:44 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2417

Re: Discovery of external IP address (Noip.com)

Given that all policies are static, the proposals they use are identical at both ends, and there is no NAT involved at the client device itself, I'm afraid the fact that you get NO_PROPOSAL_CHOSEN is a consequence of some bug. So I can only suggest a workaround: /system scheduler add name=ipsec-wa o...
by sindy
Sat Apr 10, 2021 2:02 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1313

Re: IKEv2 server ignores dhcp query on vlan interface

You've provided a lot of information but still some bits are missing, so let me rephrase it. No matter what the reasons are, the essence is that the IKEv2 VPN client needs to connect also from the server's LAN. According to your configuration excerpt, the responder peer listens at all addresses. Acc...
by sindy
Sat Apr 10, 2021 11:31 am
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2145

Re: Transparent hEX S to change vlan-priority for DHCP request only

I've realized that my suggestion above regarding sniffing may be overly complex and inconsistent. To see that the switch chip rule works for the initial DHCPDISCOVER, which is sent to a broadcast address, it is enough to make the bridge a member port of the bridge (see this for clarification of this...
by sindy
Thu Apr 08, 2021 9:05 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2417

Re: Discovery of external IP address (Noip.com)

It seems that the log is from the only client whose configuration you haven't posted. As you specify the peers' addresses as domain names, I can imagine the incoming initial packet from the "server" to land on a wrong peer there, as I had such an issue when testing my setup with no static ...
by sindy
Thu Apr 08, 2021 8:50 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2145

Re: Transparent hEX S to change vlan-priority for DHCP request only

OK, so I have debugged it locally, setting a switch chip rule to handle tagged traffic for the Tik's own IP address, which therefore lands at the bridge interface:
dst-address=192.168.6.2/32 dst-port=53 mac-protocol=ip new-vlan-priority=3 ports=ether1 protocol=udp switch=switch1 vlan-id=6
If VL...
by sindy
Wed Apr 07, 2021 9:24 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2145

Re: Transparent hEX S to change vlan-priority for DHCP request only

I have a problem with mac-protocol=ip in the switch chip rule, because mac-protocol is vlan here if tagging is done before the rule is applied. In bridge filter rules, the IP and port matching is only possible when mac-protocol=ip , but if I remember correctly, this is not the case with switch rules.
by sindy
Wed Apr 07, 2021 9:19 pm
Forum: General
Topic: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore
Replies: 5
Views: 654

Re: Upgraded from 750G to RB4011iGS+ and my IKE2 IPSEC doesn't work anymore

why did it manifest when I replaced the router
I've seen unrelated events to synchronize within tenths of second (not necessarily in networking), so I would not be surprised if something was wrong on the network path. Here, the window was longer, between the last establishment of the tunnel on the ...
by sindy
Wed Apr 07, 2021 8:39 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1313

Re: IKEv2 server ignores dhcp query on vlan interface

If you use that "bridge-reinforced" VLAN interface also for other traffic than the VPN one, some CPU cycles will indeed be wasted on the additional bridging. So my solution would be to use a dedicated VLAN and IP address only for the IPsec responder to listen at. But I don't get the differ...
by sindy
Wed Apr 07, 2021 2:03 pm
Forum: General
Topic: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]
Replies: 8
Views: 650

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]

Also running OpenVPN on a single core 600MHz CPU / 650MHz on the other side, and PPPoE on both of them .... that's an incoming bottleneck. For me, a bigger problem with OpenVPN is its use of TCP as transport (which is a limitation of RouterOS 6.x, not of OpenVPN itself), which may amplify eventual ...
by sindy
Tue Apr 06, 2021 9:18 pm
Forum: General
Topic: VPN internet routing
Replies: 8
Views: 783

Re: VPN internet routing

The clients can be on different subnets 192.168.40.0/24 or 192.168.20.0/24 etc.. 192.168.0.0/24 as it can connect from different hotspots so i need to add this on Windows client side? Add-VpnConnectionRoute -ConnectionName "VPNconnectionname" -DestinationPrefix 192.168.40.0/24 -PassThru I...
by sindy
Tue Apr 06, 2021 7:07 pm
Forum: General
Topic: CAPSMann no usable channel error message
Replies: 7
Views: 493

Re: CAPSMann no usable channel error message

You cannot set the country locally on the cAP once its wireless interface is controlled by CAPsMAN, but you can still see the setting if you use the command line (available after pressing the [Terminal] button) command I've suggested. My speculation was that some other country profile than netherlan...
by sindy
Tue Apr 06, 2021 6:45 pm
Forum: General
Topic: VPN internet routing
Replies: 8
Views: 783

Re: VPN internet routing

Windows 10 - I found a way named split tunneling by disabling "use the default gateway of the remote network" on VPN connection, but I am not sure if this is the correct way
It is, provided that the LAN consists of a single subnet and you assign addresses from the same subnet to the L2TP ...
by sindy
Tue Apr 06, 2021 6:36 pm
Forum: General
Topic: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]
Replies: 8
Views: 650

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]

Multiple issues exist. First, at the OVPN client side (Site A), your only action=masquerade rule there is not restricted to out-interface=pppoe-out1 or out-interface-list=WAN (adding either of these match conditions is sufficient as a fix), so connections whose first packet is sent from Site A to Sit...
by sindy
Tue Apr 06, 2021 4:58 pm
Forum: General
Topic: VPN internet routing
Replies: 8
Views: 783

Re: VPN internet routing

What kind of client are we talking about? Windows, Android, iOS, MacOS...?
by sindy
Tue Apr 06, 2021 4:56 pm
Forum: General
Topic: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]
Replies: 8
Views: 650

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's [SOLVED]

Are the subnets you've shown the only ones used at each site? I.e. is the VoIP phone also in 172.16.0.0/16 at site B? That other guy is right in terms that on a usual VoIP PBX, the phone exchanges signalling information only with the PBX which controls it, but the media (audio) stream is established...
by sindy
Tue Apr 06, 2021 4:33 pm
Forum: General
Topic: CAPSMann no usable channel error message
Replies: 7
Views: 493

Re: CAPSMann no usable channel error message

You've answered just one of my questions, so I repeat the second one: what country is set at the cAP itself under /interface wireless ? Also, there is another possibly interesting point in the actual-interface-configuration above: channel.band=5ghz-onlyac , does the problematic cAP support the AC mo...
by sindy
Tue Apr 06, 2021 3:40 pm
Forum: General
Topic: WPA2 EAP-TLS + userman only. Is it possible ?
Replies: 5
Views: 550

Re: WPA2 EAP-TLS + userman only. Is it possible ?

It depends on what exactly you mean by a deauthentication attack. If you have in mind that the attacker cannot trick your STA into associating with a forged AP with the same SSID and better signal by sending it a deauthentication frame, then yes, the STA will not authenticate a connection to an AP w...
by sindy
Tue Apr 06, 2021 2:16 pm
Forum: General
Topic: CAPSMann no usable channel error message
Replies: 7
Views: 493

Re: CAPSMann no usable channel error message

1) I'd believe that the error message is relevant, so what is the value of the configuration.country value in the output of /caps-man actual-interface-configuration print where name~"11-E-2" , and what is the output of :put [/interface wireless get 0 country] on the cAP itself?
2) yes, R i...
by sindy
Tue Apr 06, 2021 2:02 pm
Forum: General
Topic: WPA2 EAP-TLS + userman only. Is it possible ?
Replies: 5
Views: 550

Re: WPA2 EAP-TLS + userman only. Is it possible ?

When exporting the certificate generated for the client, have you specified any export-passphrase value? If you don't specify any, the private key to the certificate is not exported at all, and therefore the client cannot use the certificate to authenticate itself. The fact that you cannot choose th...
by sindy
Mon Apr 05, 2021 8:46 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2145

Re: Transparent hEX S to change vlan-priority for DHCP request only

As you want it wirespeed, the switch chip must do all the job. Hence you have to make sfp1 and etherX member ports of a bridge with hw=yes on the respective /interface bridge port rows, and if you ever add any other port of that switch chip to any other bridge, it must be added with hw=no (only a si...
by sindy
Mon Apr 05, 2021 5:16 pm
Forum: General
Topic: why youtube is not blocked?
Replies: 13
Views: 1821

Re: why youtube is not blocked?

Whether TLS 1.3 is used atop QUIC or not changes nothing about the fact that the tls-host match condition in RouterOS firewall only works with TCP, so it can never see any QUIC payload.
by sindy
Mon Apr 05, 2021 4:51 pm
Forum: General
Topic: Email smtp timeout on mikrotik
Replies: 7
Views: 888

Re: Email smtp timeout on mikrotik

It needs sniffing to find out what's going on. Ideally you'd have a second PC, or a second Ethernet interface on the same PC from which you send the e-mail, to which the Mikrotik would stream the sniffed packets. If this is not possible, you can sniff into a file on the Mikrotik itself, but then the...
by sindy
Mon Apr 05, 2021 4:26 pm
Forum: General
Topic: vlan problem on hEX [SOLVED]
Replies: 20
Views: 1603

Re: vlan problem on hEX [SOLVED]

The configuration you have posted as a file seems fine to me regarding VLANs. VLAN 100 is tagged on both the bridge and ether2 ports of the bridge, VLAN1 is not tagged on either of the two, and the DHCP servers are attached as appropriate, the one for VLAN 100 is attached to the /interface vlan and ...
by sindy
Mon Apr 05, 2021 3:35 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2145

Re: Transparent hEX S to change vlan-priority for DHCP request only

Agree that the hEX S will be the bottleneck and switch rules are not supported for vlan and also for sfp1.
On MT7621 based routers, RouterOS doesn't support switch chip rules at all, not only on sfp1.
I plan to replace my hEX S for each box by : - RB2011iLS-IN - or RB935GS-5HnT-RP
Both should work ...
by sindy
Mon Apr 05, 2021 1:45 pm
Forum: General
Topic: PPTP S2S bridge - Wrong output IP [SOLVED]
Replies: 8
Views: 780

Re: PPTP S2S bridge - Wrong output IP [SOLVED]

If the same out-interface and/or the same routing-mark are used also for forwarded traffic, and you want to prevent forwarded connections from getting src-nated, add src-address-type=local to the action=src-nat rule. This condition matches on packets whose source address is any of the router's own o...
by sindy
Mon Apr 05, 2021 1:30 pm
Forum: General
Topic: WPA2 EAP-TLS + userman only. Is it possible ?
Replies: 5
Views: 550

Re: WPA2 EAP-TLS + userman only. Is it possible ?

for a client authenticating itself to the AP using a certificate alone, you don't need RADIUS at all
for a client authenticating itself using a username/password tuple rather than a certificate, you either need an external RADIUS server or you must run RouterOS 7 (I don't know the state of the ar...
by sindy
Mon Apr 05, 2021 12:55 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 28
Views: 2145

Re: Transparent hEX S to change vlan-priority for DHCP request only

It's almost the same except that in the bridge filter rules, you have to use chain=forward rather than chain=output , and add an in-interface=ether3 match condition. And you still have to use a dedicated bridge for VLAN 832, because the bridge filter rules currently do not support matching on IP hea...
by sindy
Mon Apr 05, 2021 12:26 pm
Forum: General
Topic: marking packets to an external gateway
Replies: 2
Views: 239

Re: marking packets to an external gateway

You can use src-nat instead of masquerade and ask the linux box admin to choose the routing table depending on the source address of the packet coming from you, DSCP values, VLAN ID in VLAN tags, priority in VLAN tags.
There are no other fields in the frame or packet headers you could modify without ...
by sindy
Mon Apr 05, 2021 11:34 am
Forum: General
Topic: PPTP S2S bridge - Wrong output IP [SOLVED]
Replies: 8
Views: 780

Re: PPTP S2S bridge - Wrong output IP [SOLVED]

The thing is how the mangling works in the output chain. First of all, an output packet is routed using the main table, which includes assignment of the source address, which is the pref-src one if specified for the route or the IP address associated to the out-interface otherwise. The mangle rules ...
by sindy
Fri Apr 02, 2021 7:13 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2417

Re: Discovery of external IP address (Noip.com)

A) The way you describe it, you've opted to use a dst-nat rule rather than to restrict the IPsec policy to carry only the L2TP transport packets. Nothing wrong about that. However, it then cannot be a matter of a bypassed dst-nat any more, but there may still be an MTU issue. I'd suggest to run /too...
by sindy
Fri Apr 02, 2021 4:07 pm
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2125

Re: CRS317-1G-16S+ High CPU lead to drop packet

If I remember right, the APs look for the channel with least interference among those permitted by the channel configuration; try /caps-man interface scan to check what you can really see in the air. Plus I'm not an expert here and the manual is silent about this, but as you have specified C e for t...
by sindy
Fri Apr 02, 2021 3:44 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4208

Re: Two EOIP tunnels and traffic problem

If the log is complete, it means the client did not respond to the last PDU (split into two packets), either because it didn't like it or because it did not receive it at all. Misconfigurations I've spotted: the presentation you refer to uses username&password authentication of the clients, but ...
by sindy
Fri Apr 02, 2021 2:45 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4208

Re: Two EOIP tunnels and traffic problem

It has to be /export hide-sensitive file=any-name-you-prefer. The result of /system backup save cannot be read.

And the log seems to be cut short, is it really all?
by sindy
Fri Apr 02, 2021 12:50 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4208

Re: Two EOIP tunnels and traffic problem

I don't think Mikrotik support has enough manpower to provide individual configuration assistance even to first time users, that's a job for consultants or maybe distributors. Here on the forum, please, don't refer to presentations or, even worse, videos. The time used to watch these can be used mor...
by sindy
Thu Apr 01, 2021 2:38 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1313

Re: IKEv2 server ignores dhcp query on vlan interface

If it works when the IKE connection establishes with a local IP address attached to a bridge with no member ports at all, you indeed don't need the VLAN to join this bridge to the main one. But at least until recently, Windows clients didn't like by default that the responder was behind a NAT, and y...
by sindy
Thu Apr 01, 2021 1:14 pm
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4208

Re: Two EOIP tunnels and traffic problem

at the moment I have not been successful in more than 1 bare L2TP tunnels using same WAN IP. But I will try again, is there a particular setting I need to set for this to work harmoniously?
I don't know about any. But there were some issues with L2TP in one of recent RouterOS versions, check the re...
by sindy
Thu Apr 01, 2021 11:05 am
Forum: General
Topic: IPsec site to site tunnels, security issue question?
Replies: 10
Views: 1069

Re: IPsec site to site tunnels, security issue question?

The whole point of a VTI is that you can use regular routing rather than traffic matching by selectors, which quickly turns into a nightmare if you use more subnets at each end of a link. VTI violates the security concept of IPsec in terms that if you use VTI, traffic matching an existing traffic se...
by sindy
Thu Apr 01, 2021 10:45 am
Forum: General
Topic: Forward all wan traffic to another firewall
Replies: 9
Views: 843

Re: Forward all wan traffic to another firewall

I don't think there is a documentation example that would cover exactly this. Search for "policy routing" (nothing to do with IPsec policies), i.e. how to create multiple routing tables and choose one for each individual packet depending on its origin and possibly other properties, and als...
by sindy
Tue Mar 30, 2021 11:01 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2417

Re: Discovery of external IP address (Noip.com)

A) Why when connected to client1's WiFi, I cannot connect to the Server through DDNS (WinBox)? If I try from my phone's 4G I can. I understand that this happens because I am connected to that network, that has the L2TP link with the Server (and I can connect using server's 172.21.69.153) but cannot...
by sindy
Tue Mar 30, 2021 9:30 pm
Forum: General
Topic: IKEv2 server ignores dhcp query on vlan interface
Replies: 13
Views: 1313

Re: IKEv2 server ignores dhcp query on vlan interface

I don't think you're doing anything wrong. I had the same experience when the IKEv2 session was landing on an IPIP tunnel interface at the responder, but I was assuming back then it had to do with DHCP server expecting the client messages to come to L2 interfaces. Depending on the throughput require...
by sindy
Tue Mar 30, 2021 4:59 pm
Forum: General
Topic: why youtube is not blocked?
Replies: 13
Views: 1821

Re: why youtube is not blocked?

This rule works fine for me: chain=forward action=reject reject-with=icmp-network-unreachable protocol=tcp log=no log-prefix="" tls-host=*youtube*
This rule can only work if placed before the "accept established,related" one, and if fasttracking is disabled. The reason is that t...
by sindy
Tue Mar 30, 2021 4:40 pm
Forum: General
Topic: pppoe problem [SOLVED]
Replies: 9
Views: 827

Re: pppoe problem [SOLVED]

the output of the /ip firewall connection print detail where dst-address~":1812" command: ...
This one with detail shows the connection when the RADIUS server does respond, so it is unusable for the analysis. In this one, the S is an upper-case (capital) one, indicating seen-reply , where...
by sindy
Tue Mar 30, 2021 10:39 am
Forum: General
Topic: pppoe problem [SOLVED]
Replies: 9
Views: 827

Re: pppoe problem [SOLVED]

This is the output of the /ip firewall connection print interval=1 where dst-address~":1812" command :
# PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS
27 C s udp 127.0.0.1:35747 127.0.0.1:1812 9s 0bps 0bps 3 0
What is surprising here is the s...
by sindy
Tue Mar 30, 2021 10:29 am
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 26
Views: 4208

Re: Two EOIP tunnels and traffic problem

Yes, multiple bare L2TP clients can connect from behind the same NAT. And bare L2TP connections do not interfere with IKEv2 in any way. The issue L2TP/IPsec has with NAT is caused by the fact that its standard requires use of transport mode of IPsec SA. If you don't use the dynamically generated IPs...
by sindy
Mon Mar 29, 2021 12:32 pm
Forum: General
Topic: RouterBOARD wAP G-5HacT2HnD keeps rebooting
Replies: 7
Views: 884

Re: RouterBOARD wAP G-5HacT2HnD keeps rebooting

As said - if it started after the upgrade, file a ticket with Mikrotik. They'll ask for autosupout.rif or, if not available, a supout.rif created manually just after the reboot. So best attach it to the ticket straight away.
by sindy
Sun Mar 28, 2021 2:12 pm
Forum: General
Topic: Forward all wan traffic to another firewall
Replies: 9
Views: 843

Re: Forward all wan traffic to another firewall

In that case, let's suppose the pfSense has two physical interfaces (or two VLANs), a "WAN" one and a "LAN" one. You will partition the Mikrotik into two virtual routers - one will forward the traffic between pfSense's WAN and the Mikrotik's WAN interfaces, and the other one will...
by sindy
Sun Mar 28, 2021 11:01 am
Forum: General
Topic: Forward all wan traffic to another firewall
Replies: 9
Views: 843

Re: Forward all wan traffic to another firewall

It is possible to place the pfSense between the load balancer part and the rest of your network. The pfSense will see the remote addresses (the source ones of the incoming traffic from the internet), but it will not know to which WAN interface that traffic has arrived. Is that sufficient for you?
by sindy
Sun Mar 28, 2021 10:48 am
Forum: General
Topic: ISP speed is 200 MB but Mikrotik speed is 100 MB
Replies: 14
Views: 1794

Re: ISP speed is 200 MB but Mikrotik speed is 100 MB

In the same [interface <ether1>] window where you've viewed the [Overall Stats] and [Status] tabs as shown above, choose the [Ethernet] tab, and tick the [ ] 1000M full checkbox. In some RouterOS releases there was apparently a bug, causing only speeds up to 100M to be advertised even on interfaces ...
by sindy
Sun Mar 28, 2021 9:12 am
Forum: General
Topic: What is sensitive
Replies: 1
Views: 356

Re: What is sensitive

The list is quite brief. Passwords (e.g. in /ppp secret rows), passphrases (e.g. in wireless/capsman security profiles), and secrets (in IPsec identities) are "sensitive". Usernames, public IP addresses, MAC addresses, and serial numbers are not treated as "sensitive". Nor is any...
by sindy
Sat Mar 27, 2021 7:47 pm
Forum: General
Topic: No internet connection after PPPOE reconnect (disable, pause, enable)
Replies: 9
Views: 1133

Re: No internet connection after PPPOE reconnect (disable, pause, enable)

If, under /interface detect-internet , anything else than none is configured for detect-interface-list , change that to none . If that doesn't help, post the export of your configuration. See my automatic signature below regarding anonymisation. Out of curiosity, what are your reasons to disconnect ...
by sindy
Sat Mar 27, 2021 3:31 pm
Forum: General
Topic: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]
Replies: 4
Views: 702

Re: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]

Sounds like a case of knowing too much. I would have simply put the square peg into the square hole instead of contemplating the depth of the hole and what instrument was used to cut the holes. With a usual client like the Windows or iOS one, the peg is flexible, so you can push it into a hole of a...
by sindy
Sat Mar 27, 2021 2:03 pm
Forum: General
Topic: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]
Replies: 4
Views: 702

Re: EAP-TLS wireless authentication - why a Mikrotik client cannot connect to Mikrotik AP? [SOLVED]

OK, so the answer to the topic title is "because the wording in the manual is misleading". It says: eap-methods | ... This property only has effect on Access Points. ... tls-mode | This property has effect only when eap-methods contains eap-tls . tls-certificate | ... Client needs a certif...
by sindy
Sat Mar 27, 2021 12:21 pm
Forum: General
Topic: pppoe problem [SOLVED]
Replies: 9
Views: 827

Re: pppoe problem [SOLVED]

OK, so it may be a firewall issue (not much likely, but possible), or the networking stack is broken (even less likely), or the UserManager stopped responding. Since /tool sniffer doesn't seem to work on the loopback interface, you have to use alternative means: what does /ip firewall connection pri...
by sindy
Sat Mar 27, 2021 12:02 pm
Forum: General
Topic: Master port is back in 6.48.1?
Replies: 5
Views: 843

Re: Master port is back in 6.48.1?

I agree because fw will be downgrade to default ver, am I right? But what will be next step? After upgrade I'll have the same problem.
No, @Jotne's idea was to reset the router to default configuration with 6.48.1 installed. So the default configuration of 6.48.1 will be created, and you'll then m...
by sindy
Sat Mar 27, 2021 12:26 am
Forum: General
Topic: How to view or retrieve 'autosupout.rif' file without networking?
Replies: 2
Views: 525

Re: How to view or retrieve 'autosupout.rif' file without networking?

You can use /tool fetch to download the file from the router itself using the loopback address and specify the USB or SD card as a destination:
/tool fetch url="ftp://127.0.0.1/autosupout.rif" user=abc password=def output=file dst-path=disk1/some-new-name.rif
Of course provided that user a...
by sindy
Fri Mar 26, 2021 5:22 pm
Forum: General
Topic: Sending all traffic through a L2TP interface [SOLVED]
Replies: 10
Views: 870

Re: Sending all traffic through a L2TP interface [SOLVED]

Ah, sorry, I've missed the BCP. If you really tunnel the L2, all that routing changes I gave before are not necessary if you simply tell the devices connected to the bridge to use the IP of the router at the remote end of the tunnel as their default gateway. And yes, the MRRU must be high enough to ...
by sindy
Fri Mar 26, 2021 4:27 pm
Forum: General
Topic: Reset and load a custom save.rsc file
Replies: 7
Views: 755

Re: Reset and load a custom save.rsc file

... by connecting to MAC address in a hardware router) and clear the entire config, ...
There's that caveat I've mentioned above, it seems that when the configuration is totally empty, MAC access is blocked. So a dedicated .rsc file enabling just the MAC access may have to be used as run-after-rese...
by sindy
Fri Mar 26, 2021 4:20 pm
Forum: General
Topic: Sending all traffic through a L2TP interface [SOLVED]
Replies: 10
Views: 870

Re: Sending all traffic through a L2TP interface [SOLVED]

You've likely identified the issue (MTU) but not the solution. There are two possibilities. Either you use mangle rules at one of the routers to force TCP MSS to a value corresponding to the reduction of the MTU caused by the L2TP encapsulation, or you activate use of MLPPP on the L2TP tunnel by set...
by sindy
Fri Mar 26, 2021 3:45 pm
Forum: General
Topic: IPsec site to site tunnels, security issue question?
Replies: 10
Views: 1069

Re: IPsec site to site tunnels, security issue question?

What is stopping a user in LA from spoofing his IP as a LB and force the packet to the routers LA interface?
This rule:
/ip firewall filter add chain=forward in-interface=if_A src-address=!ip.sub.net.A/mask action=drop
To be precise, it doesn't stop the user from sending a packet with a spoofed s...
by sindy
Fri Mar 26, 2021 3:21 pm
Forum: General
Topic: Sending all traffic through a L2TP interface [SOLVED]
Replies: 10
Views: 870

Re: Sending all traffic through a L2TP interface [SOLVED]

If I got you right, it was the desired behaviour that everything went through the L2TP tunnel, except the L2TP transport packets. Have I missed something?
by sindy
Fri Mar 26, 2021 3:19 pm
Forum: General
Topic: PCC with two routers
Replies: 1
Views: 270

Re: PCC with two routers

Scenario #2 can definitely work to a limited extent if you use VRRP. You can set up two virtual gateways, each of which will prefer a different one of the routers, so while both will be alive, you will be able to choose the preferred WAN per each LAN device or even per remote destination if you conf...
by sindy
Fri Mar 26, 2021 2:04 pm
Forum: General
Topic: Reset and load a custom save.rsc file
Replies: 7
Views: 755

Re: Reset and load a custom save.rsc file

As I wrote, unfortunately there are configuration element values which could be entered in older RouterOS versions, survived the subsequent upgrades, and survived the export, but aren't accepted in the current version when input. So even if you export a file from a machine running a particular versi...
by sindy
Fri Mar 26, 2021 12:57 pm
Forum: General
Topic: pppoe problem [SOLVED]
Replies: 9
Views: 827

Re: pppoe problem [SOLVED]

/system logging add topics=radius /log print follow-only where topics~"radius" Then try to connect a client and see whether there is a corresponding radius message in the log. The subsequent steps depend on whether you use the embedded RADIUS server of Mikrotik (user manager) or an extern...
by sindy
Fri Mar 26, 2021 12:41 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2417

Re: Discovery of external IP address (Noip.com)

To access only the client Routerboards themselves for management purposes, you just have to choose a pool of addresses to assign them that will not overlap with the LAN subnet(s) of any of the clients. This is normally a non-issue if you are the administrator; if you are not, it's more complex as ea...
by sindy
Fri Mar 26, 2021 11:59 am
Forum: General
Topic: EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]
Replies: 4
Views: 702

EAP-TLS wireless authentication - why a Mikrotik station cannot connect to a Mikrotik AP? [SOLVED]

Hello everybody, I wanted to get ready to use a routerboard device as a STA in a 3rd party WiFi network that requires clients to authenticate themselves to the infrastructure using certificates. So the logical first step was to create my own AP with mode=dynamic-keys authentication-types=wpa2-eap unic...
by sindy
Fri Mar 26, 2021 11:08 am
Forum: General
Topic: Master port is back in 6.48.1?
Replies: 5
Views: 843

Re: Master port is back in 6.48.1?

I'm not able to get eth1 back to the bridge because master port can't do it. Master port was just a different way of configuration of hardware forwarding among ports of a switch chip. So there is no reason why you could not make ether1 an ordinary member of a bridge. The fact that it still bears a ...
by sindy
Fri Mar 26, 2021 10:44 am
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2417

Re: Discovery of external IP address (Noip.com)

First, even a whole elephant can be eaten, but you have to chop it into small enough pieces. So mixing together the issues of overlapping internal addresses of VPN clients with the issues of establishing tunnels between devices NATed behind dynamically changing public IPs will only create a mess. Re...
by sindy
Fri Mar 26, 2021 9:44 am
Forum: General
Topic: IPsec site to site tunnels, security issue question?
Replies: 10
Views: 1069

Re: IPsec site to site tunnels, security issue question?

While I'd like to have VTIs too, they're still L3 interfaces, so adding them to bridges is not possible. 802.1x only allows an authenticated device to connect to a given port of a switch and eventually make that port an access one to a specific VLAN, but doesn't care about IP addresses in any way. T...
by sindy
Fri Mar 26, 2021 8:54 am
Forum: General
Topic: Sending all traffic through a L2TP interface [SOLVED]
Replies: 10
Views: 870

Re: Sending all traffic through a L2TP interface [SOLVED]

Assuming the wAP ac LTE6 is the client in the L2TP link,

/ip route
add dst-address=ip.of.l2tp.server gateway=lte1
add gateway=l2tp-out1

/interface lte apn set [find] default-route-distance=3


should do the trick.
by sindy
Fri Mar 26, 2021 8:42 am
Forum: General
Topic: Why can't I make my hEX lite into a router?
Replies: 19
Views: 1403

Re: Why can't I make my hEX lite into a router?

It would have been different if the quick set had worked, but it did not. Exactly. Don't come to Ireland for nice weather, and don't buy Mikrotik for simplicity. Both have other advantages. Quickset is an attempt to add the simplicity by allowing only the basics to be set up, but everyone's perception...
by sindy
Fri Mar 26, 2021 8:26 am
Forum: General
Topic: I can access remotely but not locally
Replies: 2
Views: 258

Re: I can access remotely but not locally

To get a useful suggestion, you have to send a crystal ball or the export of your configuration. Whichever will do.
by sindy
Thu Mar 25, 2021 11:54 pm
Forum: General
Topic: Backup Mikrotik RouterBoard Mikrotik RB 3011UiAS-RM
Replies: 2
Views: 454

Re: Backup Mikrotik RouterBoard Mikrotik RB 3011UiAS-RM

For the same routerboard model it does. For different models it doesn't. So in your case, it is OK.
by sindy
Thu Mar 25, 2021 3:53 pm
Forum: General
Topic: I can't connect to my NVRs [SOLVED]
Replies: 12
Views: 950

Re: I can't connect to my NVRs [SOLVED]

what is the solution I can do in mikrotik configuration to access nvrs from outside using the app .. like before .. That's the reason why I asked those questions. Some NVRs work the cloud way, where they actively build connections to cloud servers, and the mobile application or browser connects to ...
by sindy
Thu Mar 25, 2021 8:12 am
Forum: General
Topic: How to search a large IP Firewall Address List?
Replies: 5
Views: 704

Re: How to search a large IP Firewall Address List?

Mostly now I'm wondering if I found a bug in the way the filter works in Winbox that I need to report. Looks like that. Two possible interpretations of the contains operator in Winbox come to my mind: a regular expression matching of the column value interpreted as text, which on command line would...
by sindy
Wed Mar 24, 2021 11:24 pm
Forum: General
Topic: How to search a large IP Firewall Address List?
Replies: 5
Views: 704

Re: How to search a large IP Firewall Address List?

Have you used the in operator the right way? [me@myTik] > ip firewall address-list add list=test address=193.168.0.0/16 [me@myTik] > ip firewall address-list print where 193.168.1.2 in address Flags: X - disabled, D - dynamic # LIST ADDRESS CREATION-TIME TIMEOUT 0 test 193.168.0.0/16 mar/24/2021 22:...
by sindy
Wed Mar 24, 2021 11:20 pm
Forum: General
Topic: help fix leaky vlans, NP16 + PBP
Replies: 7
Views: 639

Re: help fix leaky vlans, NP16 + PBP

Filtering ON and 'admit-only*' for the 'access' ports that will receive untagged traffic and ADD the tag assigned to PVID. admit-only- untagged-and-priority-tagged Filtering OFF and set to 'all' for the trunk port(s) when ingress-filtering=no , it doesn't matter what you set as frame-types In VLANs...
by sindy
Wed Mar 24, 2021 8:40 pm
Forum: General
Topic: Strange one
Replies: 12
Views: 987

Re: Strange one

expires-after=3h26m41s and last-seen=6h33m19s not only indicate that you've set the DHCP server to assign the address for 10 hours but also that the client failed to renew the lease at 1/2 of the lease lifetime as instructed by the server in the DHCPACK message (this is not configurable). I don't r...
by sindy
Wed Mar 24, 2021 6:50 pm
Forum: General
Topic: Strange one
Replies: 12
Views: 987

Re: Strange one

What does /ip dhcp-server lease print detail where mac-address=the:one:of:the:lo:ck show when the lock starts saying it has no IP address? In general IoT devices may have just limited hardware resources available and thus use small footprint protocol stacks made for them, which haven't been tested i...
by sindy
Wed Mar 24, 2021 2:17 pm
Forum: General
Topic: Port Forward to a Hostname
Replies: 3
Views: 448

Re: Port Forward to a Hostname

Even if it was possible to use an fqdn as to-addresses (it's not), you would still have to update the DNS record based on the availability of the primary server, so some process tracking its availability would be necessary anyway. So depending on how frequently the primary server is unavailable, you...
by sindy
Wed Mar 24, 2021 9:02 am
Forum: General
Topic: I can't connect to my NVRs [SOLVED]
Replies: 12
Views: 950

Re: I can't connect to my NVRs [SOLVED]

I can't access the nvrs from wan .. ... I have no public static IP configured ... it is just a normal dynamic public ip .. ADSL modem ( router mode _ portt 1 ) 192.168.1.1/24 Mikrotik Router ( router mode - automatic - Eth1 - Gateway - WAN ) 192.168.1.29/24 Bridge ( LAN ) 192.168.100.100/16 MIKROTI...
by sindy
Wed Mar 24, 2021 8:41 am
Forum: General
Topic: Port forwarding issue [SOLVED]
Replies: 8
Views: 848

Re: Port forwarding issue [SOLVED]

Do you mean that it should be something like this? Yes, but not exactly. These four rules will forward ports 67 and 68 to .71, and ports 70 and 71 to .72, without changing them. So a single rule for each target device, with a range as dst-port , would be sufficient. This way is fine if you can conf...
by sindy
Tue Mar 23, 2021 11:24 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 121
Views: 31436

Re: v6.48.1 [stable] is released!

MNDP is a UDP broadcast and will not work when IP is not configured. But Winbox can still detect devices in that state, it will list them without IP address. So apparently Winbox does not use or does not rely on MNDP, but uses at least one of the LLDP or CDP protocols. Nope. MNDP is sent even if no...
by sindy
Tue Mar 23, 2021 11:07 pm
Forum: General
Topic: Port forwarding issue [SOLVED]
Replies: 8
Views: 848

Re: Port forwarding issue [SOLVED]

The first one, to .71 works. The second one to .72 doesn't. The description in the first post differs from the export in the second post. When a dst-nat rule (or src-nat rule) doesn't need to change a port, the to-ports parameter need not be specified at all. When it has to change a port, and you s...
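An added example of the rule shape this reply and the earlier one describe (not the poster's configuration): one dst-nat rule per target device with a port range, to-ports omitted where the port is not changed and given where it is. The WAN interface name ether1, the addresses 192.168.88.71 and 192.168.88.72 and the choice of TCP are assumptions.

```routeros
# Added example, not the configuration from the thread.
# Assumed: ether1 is the WAN interface, the NVRs are 192.168.88.71 and
# 192.168.88.72, and the services are TCP (add the same rules with
# protocol=udp if the device also needs UDP).
# Matching on in-interface instead of dst-address keeps the rules valid
# when the public IP is dynamic.
/ip firewall nat
# ports 67-68 go to .71 unchanged: a single rule with a range, no to-ports
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=67-68 \
    action=dst-nat to-addresses=192.168.88.71
# ports 70-71 go to .72 unchanged
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=70-71 \
    action=dst-nat to-addresses=192.168.88.72
# a translated port: external 8071 becomes 71 on .71, so to-ports is needed
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8071 \
    action=dst-nat to-addresses=192.168.88.71 to-ports=71
# the forward chain must also let the translated connections in; put this
# rule above the final drop rule of chain=forward
/ip firewall filter
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat action=accept \
    comment="only connections that were dst-natted above"
```

The accept rule matches on connection-nat-state=dstnat rather than on the target addresses, so it only admits exactly the connections the NAT rules created and nothing else that arrives on ether1. Verify with /ip firewall nat print stats and /ip firewall connection print where dst-address~"192.168.88.7" while connecting from outside.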
by sindy
Tue Mar 23, 2021 10:58 pm
Forum: General
Topic: Port forwarding issue [SOLVED]
Replies: 8
Views: 848

Re: Port forwarding issue [SOLVED]

c. Understand that port forwarding is not going to work if your ISP gives you a private IP address.
It was working with the previous router, so this point is irrelevant.
by sindy
Tue Mar 23, 2021 10:51 pm
Forum: General
Topic: IPsec site to site tunnels, security issue question?
Replies: 10
Views: 1069

Re: IPsec site to site tunnels, security issue question?

The question you ask has little to do with IPsec policies. If I get you right, what you actually want is to make sure that a device connected to a given interface cannot use an address from a subnet not associated to that interface. So the permissive firewall rules must match on both in-interface an...
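An added example of the whitelisting approach this reply and the earlier one in the thread describe (not the thread's own configuration): each LAN-facing interface forwards only packets whose source address belongs to the subnet attached to it, everything else is dropped. The interface names ether2-LA and ether3-LB, the subnets 10.1.0.0/24 and 10.2.0.0/24 and the rp-filter setting are assumptions.

```routeros
# Added example, not the poster's configuration.
# Assumed: LA hosts are on ether2-LA with 10.1.0.0/24, LB hosts on
# ether3-LB with 10.2.0.0/24. A host on ether2-LA that forges a 10.2.x.x
# source address matches neither accept rule and falls through to the drop.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# permissive rules match BOTH in-interface and src-address
add chain=forward in-interface=ether2-LA src-address=10.1.0.0/24 \
    action=accept comment="LA, genuine source addresses only"
add chain=forward in-interface=ether3-LB src-address=10.2.0.0/24 \
    action=accept comment="LB, genuine source addresses only"
# everything else, including spoofed sources, is dropped and logged
add chain=forward action=drop log=yes log-prefix="fwd-drop"
# Optional, independent of the filter: strict reverse-path filtering makes
# the router discard any packet whose source address would not be routed
# back through the interface it arrived on. Leave it off where routing is
# asymmetric (multi-WAN, policy routing, the L2TP/PCC setups elsewhere here).
/ip settings set rp-filter=strict
```

To confirm the rules do what is intended, send a packet with a forged source from one LAN (for instance with /tool traffic-generator or a host-side tool) and watch the fwd-drop entries in /log print.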
by sindy
Tue Mar 23, 2021 6:02 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 69
Views: 18393

Re: Netwatch deprecated ? [SOLVED]

You could imagine many other uses to the MT cloud service, but there is some CAPEX & OPEX associated to running a server in a datacenter, whilst each RouterBoard device is only sold once. So the price of every device would have to include, say, 10 years of running your own CHR in Mikrotik's data...
by sindy
Tue Mar 23, 2021 5:30 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 69
Views: 18393

Re: Netwatch deprecated ? [SOLVED]

Problem2 -*stuck*- if the router goes down or power to router & modem I have no way of knowing this, no emails, no telegrams!! Haven't you stated in another thread that multiple family members yell at you if "internet breaks" for a few seconds? On a serious note - to cover these situa...
by sindy
Tue Mar 23, 2021 4:19 pm
Forum: General
Topic: IP blocks ping
Replies: 2
Views: 314

Re: IP blocks ping

If that IP is assigned to an L2 interface and your Mikrotik has an interface in the same LAN segment, you can use ARP to see whether the device responds ( :ping arp=yes interface=xyz ) If some process is running at that IP that responds on a TCP or UDP port, you can try to send a packet to that port...
by sindy
Tue Mar 23, 2021 4:08 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 121
Views: 31436

Re: v6.48.1 [stable] is released!

It seems that MNDP (neighbour discovery) runs on top of LLDP. I may have misunderstood what you mean by "on top". If it means "in addition to", then that's correct - three protocols in total are used in parallel unless you disable some of them - MNDP (which is a UDP broadcast on...
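The three discovery protocols named above announce the router to whatever is attached to the interface, the WAN side included, so here is an added example (not from the post) of confining them to the management side. The interface list name LAN, the member bridge1 and the WAN port ether1 are assumptions, and the protocol setting exists from RouterOS 6.45 on.

```routeros
# Added example, not part of the original post.
# Assumed: bridge1 carries the trusted LAN ports and ether1 is the WAN.
/interface list add name=LAN comment="trusted management side"
/interface list member add list=LAN interface=bridge1
# announce the router (MNDP, LLDP, CDP) only on LAN interfaces; a WAN
# neighbour then no longer learns the model, RouterOS version and identity
/ip neighbor discovery-settings set discover-interface-list=LAN
# RouterOS 6.45 and newer can also limit which protocols are spoken at all;
# drop CDP if nothing on the LAN depends on it
/ip neighbor discovery-settings set protocol=mndp,lldp
# verify the effective settings and what the router still hears
/ip neighbor discovery-settings print
/ip neighbor print
```

Note that /ip neighbor print only lists devices this router hears; whether it is itself still visible from the WAN is best checked with Winbox's neighbour list or a sniff on ether1 (MNDP is UDP port 5678, LLDP and CDP are Ethernet-level).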
by sindy
Tue Mar 23, 2021 3:47 pm
Forum: General
Topic: Cannot Use Multiple IPs
Replies: 13
Views: 942

Re: Cannot Use Multiple IPs

That's strange. If they had it as a local subnet on one of their interfaces, the network address (.0,.8, etc. depending on the prefix) and one of the other addresses should also not reach your router.

I assume you've assigned those addresses as individual /32 ones to the loopback interface, correct?
by sindy
Tue Mar 23, 2021 3:38 pm
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 69
Views: 18393

Re: Netwatch deprecated ? [SOLVED]

Seems to work fine for simple netwatch scripts but doesn't work well for System Fetch scripts. I'd think the issue here is the same as we discussed yesterday - there are spaces before and after $sub1 . As /tool fetch doesn't substitute space symbols in the URL sent to the server automatically, ...
by sindy
Tue Mar 23, 2021 2:23 pm
Forum: General
Topic: RouterBOARD wAP G-5HacT2HnD keeps rebooting
Replies: 7
Views: 884

Re: RouterBOARD wAP G-5HacT2HnD keeps rebooting

The volume of traffic is roughly proportional to the number of clients, and the volume of traffic is responsible for some part of power consumption, that's why I was thinking about this. A 10 meter cable would have to be really bad, or the voltage of the source would have to be very close to the bot...
by sindy
Tue Mar 23, 2021 1:02 pm
Forum: General
Topic: help fix leaky vlans, NP16 + PBP
Replies: 7
Views: 639

Re: help fix leaky vlans, NP16 + PBP

So if I re-word it: on the NP16, each port except ether1 should be an access port to a single VLAN (ether2 - VLAN 102 through to ether16 - VLAN 116). Ingress filtering doesn't care about particular VLAN ID. It only distinguishes between two types of ingress frames: ones tagged with a non-0 VLAN ID o...
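An added example of the port scheme this reply re-words (not the thread's own configuration): a VLAN-filtering bridge with ether1 as the trunk and each other port as an access port for its own VLAN, set up so that an attached host can neither pick its own VLAN nor leak into another one. The bridge name bridge1 is an assumption, and only ether2 to ether4 (VLANs 102 to 104) are written out; the remaining ports follow the same pattern.

```routeros
# Added example, not the original configuration. Assumed: bridge1 with
# ether1 as trunk, ether2..ether4 as access ports for VLANs 102..104;
# continue the pattern for ether5..ether16.
/interface bridge
add name=bridge1 vlan-filtering=no comment="enable vlan-filtering last"
/interface bridge port
# trunk: only tagged frames, and with ingress-filtering only VLANs for
# which ether1 is listed in the VLAN table below
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# access ports: untagged frames receive the PVID tag; frames that arrive
# already tagged are refused, so a host cannot choose its own VLAN
add bridge=bridge1 interface=ether2 pvid=102 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=103 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=104 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 vlan-ids=102 tagged=ether1 untagged=ether2
add bridge=bridge1 vlan-ids=103 tagged=ether1 untagged=ether3
add bridge=bridge1 vlan-ids=104 tagged=ether1 untagged=ether4
# if the router itself is managed through one of these VLANs, add
# tagged=bridge1 to that entry and create a /interface vlan on bridge1
# BEFORE the next line, otherwise management access is lost
/interface bridge set bridge1 vlan-filtering=yes
# check: each port must appear only in the VLANs intended for it
/interface bridge vlan print
```

The two settings do different jobs: frame-types decides whether tagged or untagged frames are admitted at all, ingress-filtering additionally drops a tagged frame whose VLAN ID the port is not a member of. Leaving either at its default on an access port is how "leaky" VLANs usually come about.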
by sindy
Tue Mar 23, 2021 12:03 pm
Forum: General
Topic: RB4011 > hAP AC Lite VLAN configuration
Replies: 13
Views: 928

Re: RB4011 > hAP AC Lite VLAN configuration

Do I need to tag the default Bridge with all the VLANs I will be using or is the bridge dynamically added? Tagging the Bridge results in loss of access. What do you mean by "tagging the bridge"? Frames can be tagged and untagged, bridges cannot. The bridge forwards a frame with any VLAN I...
by sindy
Tue Mar 23, 2021 11:26 am
Forum: General
Topic: Netwatch deprecated ? [SOLVED]
Replies: 69
Views: 18393

Re: Netwatch deprecated ? [SOLVED]

I would think it's the typo in the name of the script - TelelgramFetch.

Otherwise, all three variants should work,

down-script="{/system script run TelegramFetch}"

down-script="/system script run [/system script find name=TelegramFetch]"

down-script=TelegramFetch
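An added example tying this reply to the earlier one in the thread about spaces in the URL (not the poster's scripts): a script body that percent-encodes the message before /tool fetch sends it, and a netwatch entry invoking it in the simplest of the three equivalent forms above. The script name TelegramFetch is taken from the thread; the notification URL, the host being watched and the interval are assumptions.

```routeros
# Added example, not the poster's script.
# --- source of the script named "TelegramFetch" (/system script) ---
:local text "internet link is down"
# /tool fetch sends the URL exactly as given, so any space in the text has
# to be replaced by %20 by the script itself before it is put into the URL
:local enc ""
:for i from=0 to=([:len $text] - 1) do={
    :local ch [:pick $text $i ($i + 1)]
    :if ($ch = " ") do={
        :set enc ($enc . "%20")
    } else={
        :set enc ($enc . $ch)
    }
}
# assumed placeholder endpoint; put the real notification URL here
/tool fetch url="https://notify.example/send?text=$enc" keep-result=no

# --- netwatch entry that runs the script when the host stops answering ---
# (host and interval are assumptions)
/tool netwatch add host=1.1.1.1 interval=30s down-script=TelegramFetch
```

Only the space is handled here because that is what broke the URL in the thread; if the text can contain other characters that are special in a URL (&, ?, #, %), extend the :if with the corresponding %XX replacements in the same way. Test the script alone with /system script run TelegramFetch and watch /log print for the fetch result before attaching it to netwatch.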
by sindy
Tue Mar 23, 2021 8:00 am
Forum: General
Topic: Strange one
Replies: 12
Views: 987

Re: Strange one

The thing with the VPN firewall rules is not their count but their position. If you move the "accept established or related" rule in chain input to the beginning of that chain, everything will keep working the same but less CPU will be spent per packet, that's all. The importance of this d...
by sindy
Mon Mar 22, 2021 11:20 pm
Forum: General
Topic: CAPsMAN - AP falls out of the bridge after a few hours
Replies: 7
Views: 758

Re: CAPsMAN - AP falls out of the bridge after a few hours

However this can be a problem if bridge (to which wlan interface is attached) runs any of xSTP because xSTP causes a delay when port becomes active to test for any loops. Delay can be long enough for wireless client to freak out. This behaviour can be disabled by setting disable-running-check=yes o...
by sindy
Mon Mar 22, 2021 8:38 pm
Forum: General
Topic: PPP on a specific Wan connection
Replies: 5
Views: 625

Re: PPP on a specific Wan connection

Everything you need should be in this post. The last paragraph explains its relationship to your case.
by sindy
Mon Mar 22, 2021 4:21 pm
Forum: General
Topic: Static routes via non persistent connections
Replies: 2
Views: 365

Re: Static routes via non persistent connections

At the ovpn server side, there is a parameter routes on the /ppp secret row, where you can specify a comma separated list of destination gateway metric tuples. These items are added to the routing table when the client represented by that /ppp secret row connects. But I'm not sure I've answered your ac...
by sindy
Mon Mar 22, 2021 2:39 pm
Forum: General
Topic: RouterBOARD wAP G-5HacT2HnD keeps rebooting
Replies: 7
Views: 884

Re: RouterBOARD wAP G-5HacT2HnD keeps rebooting

To get Mikrotik support involved, you have to contact them directly, at support@mikrotik.com or, better, at https://help.mikrotik.com/servicedesk/servicedesk/ . You have mentioned changing an "injector" - do you use the one with a power adaptor inside or just the passive one connected to a...