Search found 11072 matches

by sindy
Wed Dec 11, 2024 2:47 pm
Forum: General
Topic: IPv6 Neighbor Discovery (ND) disable
Replies: 3
Views: 269

Re: IPv6 Neighbor Discovery (ND) disable

Not enough data to agree or disagree.
by sindy
Wed Dec 11, 2024 9:21 am
Forum: General
Topic: Blocking Static IP assignments
Replies: 3
Views: 251

Re: Blocking Static IP assignments

Only on the bridge, as that's what the IP stack is linked to. The Ethernet interfaces are just member ports of the bridge in this setup.
by sindy
Tue Dec 10, 2024 10:47 pm
Forum: General
Topic: IPv6 Neighbor Discovery (ND) disable
Replies: 3
Views: 269

Re: IPv6 Neighbor Discovery (ND) disable

In IPv6, Neighbor Discovery is a protocol (actually, a subset of ICMPv6) that allows the hosts to discover the router reachable through the interface and use the network address (most significant 64 bits) of the router to create their own address. This is an optional approach that can be enabled or ...
by sindy
Tue Dec 10, 2024 9:37 pm
Forum: General
Topic: Synchronizing Configurations on Multiple MikroTik Routers with VRRP (v7+)
Replies: 12
Views: 1343

Re: Synchronizing Configurations on Multiple MikroTik Routers with VRRP (v7+)

this will not work in production environment. I would say rather the opposite - cloning the configuration from the active device to the standby one, i.e. copying it to the last bit, is the only way to make it work in a production environment without using any external device that would handle the &...
by sindy
Tue Dec 10, 2024 7:53 pm
Forum: General
Topic: Need help with blocking port 25
Replies: 2
Views: 167

Re: Need help with blocking port 25

The log message clearly indicates that it is the Mikrotik itself that initiates the TCP connections to port 25 - it says output which is the firewall chain that handles packets sent by the router itself, and it says in:(unknown 0) which says the same in another way (packets sent by the router itself...
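An added example, not part of the post above: the post's point is that traffic originated by the router itself passes chain=output, never chain=forward, so a forward rule can never catch it. The rules below log and then drop such SMTP attempts; the comments, log prefix and the placement at the top of the chain are my own choices, and the check at the end shows how to confirm the rule is actually being hit.

```routeros
# Added example (not from the forum post). Packets the router itself sends
# traverse chain=output, so the rules go there, not into chain=forward.
# place-before=0/1 puts them above any generic "accept" already in the chain.
/ip firewall filter
add chain=output protocol=tcp dst-port=25 action=log log-prefix="router-smtp" \
    comment="router-smtp-log" place-before=0
add chain=output protocol=tcp dst-port=25 action=drop \
    comment="router-smtp-drop" place-before=1

# Checks: the packet counters of the two rules must grow while the problem
# persists, and the log entries identify the destination the router dials.
/ip firewall filter print stats where comment~"^router-smtp"
/log print where message~"router-smtp"
```

If the counters stay at zero while the original "output" log lines keep appearing, the rules are not placed above the rule that currently accepts the traffic; `/ip firewall filter print` shows the order.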
by sindy
Tue Dec 10, 2024 1:29 pm
Forum: General
Topic: 2 WAN active at the same time
Replies: 7
Views: 414

Re: 2 WAN active at the same time

Even the "free text" description reveals a misunderstanding of the concept. Routing rules do not care about the role of "source" and "destination" in a connection as a whole, they only care about individual packets. So your routing rule must say "if the source addr...
by sindy
Tue Dec 10, 2024 11:17 am
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 996

Re: RouterOS cannot reach internet after PCC load balance two wan connection

is this limited to OS v7 or the same in v6 also? If you mean the fact that most fasttracked packets skip mangle rules, that was the case ever since fasttracking has been introduced, if not in ROS 5 then in early ROS 6, as skipping part of packet processing steps is the very essence of fasttracking....
by sindy
Mon Dec 09, 2024 6:13 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

@Amm0, Yup, but a default route in main is sufficient to meet this requirement. Also, I'm pretty sure that statement in the documentation is a simplification the author has used to avoid the need to explain that this requirement (for some route to exist in main ) is only related to own outgoing traf...
by sindy
Mon Dec 09, 2024 2:28 pm
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 996

Re: RouterOS cannot reach internet after PCC load balance two wan connection

That's what I do not understand because such a configuration is so unusual that I have never tested it.
by sindy
Mon Dec 09, 2024 1:02 pm
Forum: General
Topic: Synchronizing Configurations on Multiple MikroTik Routers with VRRP (v7+)
Replies: 12
Views: 1343

Re: Synchronizing Configurations on Multiple MikroTik Routers with VRRP (v7+)

So far the best approach I have seen is that of @nathan1 - https://forum.mikrotik.com/viewtopic.php?p=569009#p569009 . There, VRRP is only used to detect the failure of the active router. As @wiseroute has pointed out, if you want the VRRP to work as designed, i.e. to only move the virtual gateways,...
by sindy
Mon Dec 09, 2024 12:35 pm
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 996

Re: RouterOS cannot reach internet after PCC load balance two wan connection

Indeed, that's the price to pay for load distribution using mangle rules. By changing that to connection-mark=!WAN2 you can have 50 % of the traffic fasttracked, but you cannot fasttrack all connections. Instead of PCC mangle rules, you can use ECMP to distribute the LAN->internet traffic, as fasttr...
by sindy
Mon Dec 09, 2024 11:54 am
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 996

Re: RouterOS cannot reach internet after PCC load balance two wan connection

1. What is the use of these two routes? /ip route add gateway=8.8.8.8 distance=1 check-gateway=ping /ip route add gateway=1.1.1.1 distance=2 check-gateway=ping As you took the effort to monitor the transparency of both uplinks using the recursive next-hop search for the routes you use for load dist...
by sindy
Mon Dec 09, 2024 10:56 am
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 996

Re: RouterOS cannot reach internet after PCC load balance two wan connection

OK, simple terms: /interface pppoe-client set [find] default-route-distance=10 /ip route add gateway=8.8.8.8 distance=1 check-gateway=ping /ip route add gateway=1.1.1.1 distance=2 check-gateway=ping To allow the Mikrotik itself to communicate, there must be routes in routing table main , there's no ...
by sindy
Mon Dec 09, 2024 10:35 am
Forum: General
Topic: Unable to restore bin backup file to AC2 [SOLVED]
Replies: 5
Views: 412

Re: Unable to restore bin backup file to AC2 [SOLVED]

"The same" including the fact that your enchanted configuration contained a huge amount of address list items and that's the only part that got restored?
by sindy
Mon Dec 09, 2024 10:27 am
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 996

Re: RouterOS cannot reach internet after PCC load balance two wan connection

As the configuration without any default route in table main is not very typical, I'm not sure whether this explains why you say that PCC works without it and doesn't without, but: the essence of fastpath & fasttrack handling of packets is skipping of some stages of packet processing, one of whi...
by sindy
Sun Dec 08, 2024 11:36 pm
Forum: General
Topic: Unable to restore bin backup file to AC2 [SOLVED]
Replies: 5
Views: 412

Re: Unable to restore bin backup file to AC2 [SOLVED]

I've just loaded (restored) a backup saved on a hAP ac² running 7.16.1 on a CHR running 7.16.2 that I have cloned for the purpose and equipped it with 5 Ethernet interfaces. To my surprise, /export shows even the configuration of the wifi interfaces that do not exist on the CHR. For even better resu...
by sindy
Sun Dec 08, 2024 8:04 pm
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 996

Re: RouterOS cannot reach internet after PCC load balance two wan connection

There are two distinct major issues - the routing of router's own outgoing traffic in general and the unique behavior of the Wireguard stack. The default route in table main is mandatory for the own traffic of the router to get sent due to the way how this locally originated traffic is treated. Any ...
by sindy
Sun Dec 08, 2024 4:50 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

Slow down, man :D Leaving aside that the topic title has become totally misleading already long ago, and that you have changed the objective all of a sudden, your bold rules are either incomplete or incorrect. The whole idea of using the recursive next-hop search to monitor route transparency is to ...
by sindy
Sun Dec 08, 2024 4:07 pm
Forum: General
Topic: DHCP server injects additional characters when using "DHCP Options"
Replies: 8
Views: 635

Re: DHCP server injects additional characters when using "DHCP Options"

I browsed available options and '72 HTTP server' seemed pretty harmless. But after adding it to Option Set, there is no change in packet structure - option 67 containing bootfile name is the last one and option 72 is not passed. According to the standard, a DHCP server only provides the options the...
by sindy
Sun Dec 08, 2024 3:58 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

Sorry @anav, but your wording is so advanced that it is confusing even for me, although I know what you actually intended to say. So let me try myself in a simpler language with more details: In most cases, we need to prevent the traffic towards local destinations from using other routing table than...
by sindy
Sun Dec 08, 2024 3:08 pm
Forum: General
Topic: [HELP] Mikrotik Multi WAN
Replies: 3
Views: 361

Re: [HELP] Mikrotik Multi WAN

In your configuration, LAN-1 to LAN-22 are not IP interfaces, they are just member ports of their respective bridges. If you look at the packet and byte counters of those mangle rules, you'll see that they stand at 0 because from the point of view of the IP firewall, there is no traffic that would m...
by sindy
Sun Dec 08, 2024 12:22 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

So it was a configuration after all. What min-prefix actually does is that it takes a look which route in the indicated table would be used for the packet, and if the length of the dst-address prefix of that route is smaller than or equal to the min-prefix value, the rule returns a non-match so the ...
by sindy
Sun Dec 08, 2024 11:46 am
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

So you did filter out some of the configuration previously, but it was indeed unrelated, OK. First I would change the action in the only routing rule from lookup to lookup-only-in-table and remove the min-prefix completely (but using remove and add , for the reason explained before). If that changes...
by sindy
Sat Dec 07, 2024 9:13 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

I'm not sure if it's affected by other configurations, but for policy routing, I only have the one strategy that we have discussed so far. This remark makes me cautious, but I assume you haven't removed any mangle rules from the export before posting it? I cannot imagine anything else to have an im...
by sindy
Sat Dec 07, 2024 7:16 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

Both pppoe-out1 and pppoe-out2 are attached to macvlan interfaces You are right, because I need to dial the same interface twice. That's OK, I've even tested that if the pppoe interface is attached to a macvlan, the pppoe-discover frames are indeed sent via the physical interface with the source MA...
by sindy
Sat Dec 07, 2024 6:29 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

the main routing table should be able to resolve the destination too.
Yup, but a default route in main is sufficient to meet this requirement.
by sindy
Sat Dec 07, 2024 6:17 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

I'm not sure purpose behind using the intermediate macvlan in the first place... It may be necessary to use a different MAC address for each PPPoE client connecting to the same ISP using the same physical interface, and macvlan is one of few ways to ensure this. I haven't tested yet, though, whethe...
by sindy
Sat Dec 07, 2024 5:57 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

Wow... it did not come to my mind to look that low into your config. Both pppoe-out1 and pppoe-out2 are attached to macvlan interfaces, which in turn are attached to ether5 , and ether5 is disabled (at least in the export you have posted). Disabling ether5 means that all traffic, not only IP one, th...
by sindy
Sat Dec 07, 2024 4:32 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 1439

Re: ECMP doesn't work for Load balancing [SOLVED]

Your configuration export doesn't show any reason why 10.0.0.130 should use routing table main , however, as of current (7.16.x), there are issues with handling of the min-prefix value in configuration. So unless you have added the first routing rule already with that value specified, add the same r...
by sindy
Sat Dec 07, 2024 1:27 pm
Forum: General
Topic: Logs showing Public IP as gateway IP
Replies: 4
Views: 359

Re: Logs showing Public IP as gateway IP

This kind of looks like what you would get, if your gateway was also a Mikrotik, and it had hairpin nat enabled for a SSH port forward/dst-nat connection to the internal router. (With attempted logins from inside) Or even from the outside if that src-nat rule doesn't care. But indeed, some endpoint...
by sindy
Sat Dec 07, 2024 1:23 pm
Forum: General
Topic: How to Pass all traffic into WireGuard Cloudflare ?
Replies: 49
Views: 5354

Re: How to Pass all traffic into WireGuard Cloudflare ?

So time zones play little role and it is basically a random process, OK.

If you want to give it a try, follow the instructions in this post.
by sindy
Thu Dec 05, 2024 9:51 pm
Forum: General
Topic: IP Passthrough - RouterOS without Internet
Replies: 1
Views: 311

Re: IP Passthrough - RouterOS without Internet

You can attach VLAN interfaces to the Ethernet interfaces you use to connect the two routers together and create an interconnect subnet in that VLAN, so that the RBM33G could talk to the world via the other router. Of course that requires enough flexibility on the other router.
by sindy
Thu Dec 05, 2024 2:38 pm
Forum: General
Topic: RB912UAG-2HPnD - wifi interface is missing
Replies: 17
Views: 913

Re: RB912UAG-2HPnD - wifi interface is missing

Let me try again... on your first set of screenshots taken with 7.16.2, there was this:
[attachment: wifi-wireless.png]
For this device model, the wireless/wifi interfaces can only be managed using the "wireless" package.
by sindy
Wed Dec 04, 2024 10:18 pm
Forum: General
Topic: VPN Site to site ?
Replies: 11
Views: 792

Re: VPN Site to site ?

when restoring that configuration in the mikrotik hap ac3 in Venezuela it caused chaos You cannot use backup save and backup restore to copy configurations from one device to another. You can restore a backup file only on a device of the same model like the one where you saved it, otherwise many th...
by sindy
Wed Dec 04, 2024 9:56 pm
Forum: General
Topic: hAP ac2 after update doesn't work [SOLVED]
Replies: 3
Views: 454

Re: hAP ac2 after update doesn't work [SOLVED]

You can try to reset it to default configuration using the reset button during power-up, I had one or two cases where this helped recover the device after update. If that does not help, you can also try to netinstall the device, but if you never tried netinstall before, don't be surprised if it does...
by sindy
Wed Dec 04, 2024 9:49 pm
Forum: General
Topic: VPN Site to site ?
Replies: 11
Views: 792

Re: VPN Site to site ?

I understand that in order to simulate the connection as if it were in Venezuela, the "Server" must be created in Venezuela No. The roles of the two routers in the initial negotiation of the VPN tunnel have no effect on how you will use the tunnel. The device in Venezuela must indeed be t...
by sindy
Wed Dec 04, 2024 5:58 pm
Forum: General
Topic: RB912UAG-2HPnD - wifi interface is missing
Replies: 17
Views: 913

Re: RB912UAG-2HPnD - wifi interface is missing

You will never get a wifi interface, you can only get a wireless one - for a reason, the two driver packages use different names for the interfaces. But while running 7.16.2., what does /system package print show? If the package is installed and enabled, it should detect the hardware automatically a...
by sindy
Wed Dec 04, 2024 1:55 pm
Forum: General
Topic: Wireguard is blocked by ISP any other solution
Replies: 20
Views: 1425

Re: Wireguard is blocked by ISP any other solution

...without the disabled=yes of course.
by sindy
Wed Dec 04, 2024 12:14 pm
Forum: General
Topic: Dual Wan link to some isp router
Replies: 9
Views: 575

Re: Dual Wan link to some isp router

As for the opening of doors from the outside on the ISP router, do I have to address them indifferently to one of the two IPs of my 5009? A single port can usually be forwarded only to a single address, unless the ISP box has advanced possibilities like random matching etc. that would allow you to ...
by sindy
Wed Dec 04, 2024 12:08 pm
Forum: General
Topic: What do these packets mean
Replies: 21
Views: 1207

Re: What do these packets mean

What you've sniffed on ra0 is still just the Ethernet traffic. For real wireless sniffing, you would need to use a different sniffing mode on the UBNT (which may or may not exist, I don't use UBNT anywhere), or to place a Mikrotik *AP box next to it and run the wireless sniffer on it. Only that way ...
by sindy
Wed Dec 04, 2024 11:59 am
Forum: General
Topic: Dual WAN Failover no connection from VLANs
Replies: 4
Views: 457

Re: Dual WAN Failover no connection from VLANs

Is that a complete export of your configuration or have you removed some lines in whole, rather than obfuscating only the sensitive items on them, because you assumed they were not relevant? The reason why I am asking is that if this is the complete export, your firewall does not exist, as the defau...
by sindy
Wed Dec 04, 2024 12:20 am
Forum: General
Topic: Dual Wan link to some isp router
Replies: 9
Views: 575

Re: Dual Wan link to some isp router

Without any kind of link aggregation support on the ISP router, you can let the 5009 get two or even three addresses from it, each on another physical interface, and use the load sharing setup that has been described here on the forum multiple times; the only unusual setting will be that you'll have...
by sindy
Tue Dec 03, 2024 9:58 pm
Forum: Beginner Basics
Topic: netback whit telegram topic groups
Replies: 2
Views: 416

Re: netback whit telegram topic groups

The sendMessage method has an optional parameter message_thread_id which indicates the topic the message belongs to.
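An added example, not from the post above, of what the post describes: calling the Bot API `sendMessage` method from RouterOS with the `message_thread_id` parameter so the message lands in a specific topic of a forum-style group. The bot token, chat id and thread id are placeholders, and the JSON body (rather than a form body) is my choice so that spaces in the text need no percent-encoding.

```routeros
# Added example (not from the forum post). Posts into one topic of a
# Telegram group; botToken, chatId and threadId are placeholders that must
# be replaced with your own values before running.
:local botToken "123456:replace-with-your-bot-token"
:local chatId "-1001234567890"
:local threadId 42
:local text "Backup finished on $[/system identity get name]"

# message_thread_id selects the topic; without it the message goes to the
# group's General topic. The body is sent as JSON, which the Bot API accepts.
/tool fetch url="https://api.telegram.org/bot$botToken/sendMessage" \
    http-method=post \
    http-header-field="Content-Type: application/json" \
    http-data="{\"chat_id\":\"$chatId\",\"message_thread_id\":$threadId,\"text\":\"$text\"}" \
    keep-result=no
```

To find the thread id, open the topic in Telegram and look at a message link: the number after the group id in the link is the `message_thread_id`. Run the script once from a terminal before wiring it into a backup script so that an HTTP error from the API is visible.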
by sindy
Tue Dec 03, 2024 9:44 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1489

Re: VPN IPSec Route

Unless you have obfuscated the actual subnets involved and made a mistake in that process, the NAT rule that should exempt traffic matching the policy from getting masqueraded is wrong as it matches on src-address=192.168.0.0/24 whereas the policy has src-address=172.16.0.0/29 . Matching on ipsec-po...
by sindy
Tue Dec 03, 2024 9:26 pm
Forum: General
Topic: Doing VLANs properly
Replies: 2
Views: 338

Re: Doing VLANs properly

Your description is not clear, a configuration export would have been better. Anyway, if each of your VLAN interfaces is attached to a single underlying interface and you do not bridge traffic from one VLAN interface to another, there is no advantage in inserting a bridge between the physical interf...
by sindy
Tue Dec 03, 2024 1:45 pm
Forum: General
Topic: Forward multiple WANs inside LAN with VLANs [SOLVED]
Replies: 9
Views: 749

Re: Forward multiple WANs inside LAN with VLANs [SOLVED]

I have tagged on vlan10 ether1(where i get the ip 10.250.x.x) and ether4(connection to switch). It is still not able to receive ip from the isp1 router. Your descriptions are still confusing, what does "I have tagged on vlan10 ether1" mean? If R1 does not send and expect VLAN-tagged frame...
by sindy
Tue Dec 03, 2024 12:42 pm
Forum: General
Topic: Forward multiple WANs inside LAN with VLANs [SOLVED]
Replies: 9
Views: 749

Re: Forward multiple WANs inside LAN with VLANs [SOLVED]

That's not what I had in mind. Remove the two /interface vlan named vlan10 and vlan20 , these are IP interfaces allowing the router part of the hEX itself to access those VLANs which according to your drawing is not necessary. Under /interface bridge port , change the pvid for ether1 and ether5 to 1...
by sindy
Mon Dec 02, 2024 10:06 pm
Forum: General
Topic: How to Pass all traffic into WireGuard Cloudflare ?
Replies: 49
Views: 5354

Re: How to Pass all traffic into WireGuard Cloudflare ?

- I can't ping to default gateway and winbox can't access router via IP address. Here, by "default gateway" you mean the one from the point of view of the PC (or phone), i.e. the own address of the Mikrotik in the subnet from which the client has got its address via DHCP? - Sometimes Webs...
by sindy
Mon Dec 02, 2024 8:52 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1489

Re: VPN IPSec Route

I've asked for prints "before" and "after" an attempt to connect from a device at your end to a device at the Fortigate end, you have only posted one. So: if what you have posted is "after", it means the firewall or routing at your end do not let the initial request thr...
by sindy
Mon Dec 02, 2024 8:41 pm
Forum: General
Topic: Question about LACP and bonding
Replies: 7
Views: 587

Re: Question about LACP and bonding

I don't have loop for redundancy and shouldn't have loop in the cabling, or I expect so... The point of protection against loops is that even if you don't "misuse" STP as a redundancy protocol, someone may "connect a loose cable" and create a loop by mistake. In a certain country...
by sindy
Mon Dec 02, 2024 6:29 pm
Forum: General
Topic: Hex REFRESH
Replies: 11
Views: 722

Re: Hex REFRESH

It's possible to make all the devices in 10.10.10.0/24 have fairly shared bandwidth? Example: I allocated 100mbps in total for that subnet. Then in that subnet there are 5 connected devices; they will share fairly the 100mbps, so 20mbps per device? For this, queues are used - https://help.mikrotik.com/...
by sindy
Mon Dec 02, 2024 6:23 pm
Forum: General
Topic: Question about LACP and bonding
Replies: 7
Views: 587

Re: Question about LACP and bonding

Most common indeed; most compatible not necessarily. E.g. on Cisco switches, it is not possible to enable VLAN-agnostic RSTP per se, it is only available as a fallback mode of MSTP (RSTP is used where the neighboring bridges are in different regions): STACK-C9200(config)#spanning-tree mode ? mst Mul...
by sindy
Mon Dec 02, 2024 5:11 pm
Forum: General
Topic: Forward multiple WANs inside LAN with VLANs [SOLVED]
Replies: 9
Views: 749

Re: Forward multiple WANs inside LAN with VLANs [SOLVED]

Your description is pretty confusing to be honest. Normally I'd say you just need to make the hEX a bridge that has ether1 as an access port to VLAN 10, ether5 as an access port to VLAN 20, and ether4 as a trunk where VLANs 10, 20, and 30 are all tagged, and you need to create an /interface vlan for...
by sindy
Mon Dec 02, 2024 5:03 pm
Forum: General
Topic: What do these packets mean
Replies: 21
Views: 1207

Re: What do these packets mean

Three possibilities:
1. the Ubiquiti management page doesn't show them because they are in some semi-connected state
2. something else in the network is sending frames with source MAC addresses of those devices
3. the sniffer shows non-existent packets
To me, the first one seems the most likely, and the la...
by sindy
Mon Dec 02, 2024 4:47 pm
Forum: General
Topic: Question about LACP and bonding
Replies: 7
Views: 587

Re: Question about LACP and bonding

STP is originally designed as a protection against L2 loops caused by incorrect cabling, and it does make sense to use it for this purpose even though you use bonding for redundancy. Just check whether the STP flavors are compatible between the Mikrotik and the D-Links, in general, MSTP is the most ...
by sindy
Mon Dec 02, 2024 4:21 pm
Forum: General
Topic: Mikrotik + OpenVPN cert from templat = invalid date
Replies: 1
Views: 265

Re: Mikrotik + OpenVPN cert from templat = invalid date

You're not alone: viewtopic.php?t=212600

So far no one has provided any feedback regarding the workaround I've suggested there.
by sindy
Mon Dec 02, 2024 4:18 pm
Forum: General
Topic: Wireguard is blocked by ISP any other solution
Replies: 20
Views: 1425

Re: Wireguard is blocked by ISP any other solution

I do know people who run containers on CHRs running in the cloud, because it is simpler than to set up a separate virtual machine there. But keeping a CHR only as a host for a single container would make little sense so maybe spawning a dedicated Debian machine may be a better choice for you - I don...
by sindy
Mon Dec 02, 2024 4:15 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1489

Re: VPN IPSec Route

Great, and has it changed anything? I suppose you did reboot the router again after the change? So show me the output of /ip ipsec active-peers print and /ip ipsec installed-sa print again, once taken before you attempt to connect from your location to the remote one and once after such an attempt.
by sindy
Mon Dec 02, 2024 3:57 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1489

Re: VPN IPSec Route

It should have said src-address-type=!local - the exclamation mark is important (it is a logical "not"), and on the GUI (Winbox/Webfig), there is a rectangle like for a checkmark before the value; if you tick it, the exclamation mark appears there rather than the checkmark.
by sindy
Mon Dec 02, 2024 3:54 pm
Forum: General
Topic: Request for new feature (SNMP OIDs)
Replies: 3
Views: 382

Re: Request for new feature (SNMP OIDs)

What you mean by system notes? If you use a translator and you have in mind log, and if your hardware uses the flash memory as the only disk storage (some devices use a ramdisk for most files), then yes, you can configure logging in such a way that script events are logged to "memory" (so ...
by sindy
Mon Dec 02, 2024 3:37 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1489

Re: VPN IPSec Route

Your action=masquerade in chain srcnat of table nat is not selective which probably causes additional issues. But for your purpose, place a rule chain=srcnat action=accept ipsec-policy=out,ipsec before (above) the action=masquerade one. I would also add out-interface=ether1 or out-interface-list=WAN...
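An added example, not from the posts above, of the NAT layout the two "VPN IPSec Route" replies describe: the exemption rule matches on `ipsec-policy=out,ipsec` instead of on a source subnet (which is what went wrong in the rule that matched 192.168.0.0/24 while the policy used 172.16.0.0/29), and it sits above the masquerade rule, which is itself restricted to the WAN interface list. The interface list name `WAN` and the comments are my assumptions.

```routeros
# Added example (not from the forum post). Traffic that an IPsec policy will
# encrypt must leave with its original source address, otherwise it no longer
# matches the policy selectors. Matching on ipsec-policy=out,ipsec makes the
# exemption follow the policies automatically instead of repeating their subnets.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="no NAT for traffic matching an outbound IPsec policy"
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="masquerade everything else leaving via WAN"

# Checks: the accept rule's counters must increase when a host behind the
# policy's src-address talks to the remote subnet, and the SA must come up.
/ip firewall nat print stats where ipsec-policy=out,ipsec
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

If a masquerade rule already exists, the `place-before=0` on the accept rule is what matters; a rule added below the masquerade never sees the packets, because masquerade is a terminating action in chain srcnat.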
by sindy
Mon Dec 02, 2024 2:45 pm
Forum: General
Topic: Wireguard is blocked by ISP any other solution
Replies: 20
Views: 1425

Re: Wireguard is blocked by ISP any other solution

SSTP looks almost like a normal HTTPS connection but it is relatively slow. The initial packets of all other VPN protocols are quite distinctive so easy to spot using DPI and therefore easy to block. AmneziaWG targets exactly this.
by sindy
Mon Dec 02, 2024 2:30 pm
Forum: General
Topic: Starlink and Mikrotik Router Problem
Replies: 8
Views: 6107

Re: Starlink and Mikrotik Router Problem

the same cable connected to Starling route works fine. Which cable are we talking about here? The original Starlink one with the USB-C in a proprietary shaped shielding or the RJ-45 between the "standard" side of the injector and the router? What is the current (amperes) rating of the pow...
by sindy
Mon Dec 02, 2024 1:56 pm
Forum: General
Topic: Wireguard is blocked by ISP any other solution
Replies: 20
Views: 1425

Re: Wireguard is blocked by ISP any other solution

Yup, it's not a matter of switching the ISP, it's a matter of switching the country. AmneziaWG seems to be successful in addressing this type of issue, but you need a Mikrotik that supports containers or a completely different hardware. Depending on the country, it may or may not be enough.
by sindy
Mon Dec 02, 2024 1:38 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1489

Re: VPN IPSec Route

The world is full of misunderstandings. As you say that incoming connections to servers on your side from servers at their side are possible, I assume that the "nothing in the logs" is not related to establishing the IPsec communication channel but to the requests delivered via that channe...
by sindy
Mon Dec 02, 2024 1:21 pm
Forum: General
Topic: What do these packets mean
Replies: 21
Views: 1207

Re: What do these packets mean

I don't see anything identifiable and useful in these packets. The useful part is that these are definitely not DHCP packets - actually, not even IP ones. Another useful bit of information is that the wireless channel as such must be established (as in, the Ecobees did authenticate as STAtions to t...
by sindy
Mon Dec 02, 2024 12:34 pm
Forum: General
Topic: What do these packets mean
Replies: 21
Views: 1207

Re: What do these packets mean

Before sniffing again, add interface=bridge or interface=ether3 to the filtering conditions (for this particular case, in other cases the need may be different). Once you sniff enough packets, run /tool/sniffer/save file=something.pcap (or maybe there is a button in Winbox?). Then download the file ...
by sindy
Mon Dec 02, 2024 10:40 am
Forum: General
Topic: Dual WAN Failover no connection from VLANs
Replies: 4
Views: 457

Re: Dual WAN Failover no connection from VLANs

If all the LAN subnets can access internet via WAN1, tagging has nothing to do with the issue, it's most likely a misconfiguration of the firewall. Instead of screenshots, post an export of the configuration: on the command line (open a terminal window in Winbox or Webfig or connect to the router us...
by sindy
Sun Dec 01, 2024 10:53 pm
Forum: General
Topic: Wireguard problems [SOLVED]
Replies: 2
Views: 427

Re: Wireguard problems [SOLVED]

You haven't posted the Opnsense configuration, but by the symptoms I assume that you have set allowed-addresses on both peers to 10.200.0.0/24 or, in better case, 10.200.0.3/24 for the 5009 and 10.200.0.2/24 for the cAP ax. Each Wireguard interface works as a small virtual router - it receives packe...
by sindy
Sun Dec 01, 2024 10:12 pm
Forum: General
Topic: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970
Replies: 7
Views: 1950

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

I would appreciate any help or workaround.
Have you tried the procedure I have suggested in my previous post?
by sindy
Sun Dec 01, 2024 10:10 pm
Forum: General
Topic: What am I missing about Let's Encrypt support?
Replies: 5
Views: 528

Re: What am I missing about Let's Encrypt support?

The code that processes the HTTP requests is the same one regardless whether the requests arrive via plaintext HTTP on port 80 or TLS-encrypted (HTTPS) on port 443. So apart from protection against eavesdropping on the path between the client and the Mikrotik, the security provided by HTTPS boils do...
by sindy
Sun Dec 01, 2024 9:47 pm
Forum: General
Topic: Public IP High Availability
Replies: 7
Views: 1126

Re: Public IP High Availability

To minimize the total time of the outage, you must minimize both the detection time and the time needed for the actual failover. The faster you make a conclusion that the current connection is down, the sooner you can initiate the actual failover, but the higher the probability that you react too so...
by sindy
Sun Dec 01, 2024 9:02 pm
Forum: General
Topic: Wireguard + ProtonVPN Issue - Mobile clients won't connect [SOLVED]
Replies: 11
Views: 760

Re: Wireguard + ProtonVPN Issue - Mobile clients won't connect [SOLVED]

1. Schema: Please post drawings as direct attachments here - few people here would visit external sites fueled by advertising. 3. @sindy I must admit that I'm not sure I fully understood all the technical aspects of the proposed solution. ... - With the rule active: * Ping returns to ~8ms * The IP...
by sindy
Sun Dec 01, 2024 5:21 pm
Forum: General
Topic: Wireguard + ProtonVPN Issue - Mobile clients won't connect [SOLVED]
Replies: 11
Views: 760

Re: Wireguard + ProtonVPN Issue - Mobile clients won't connect [SOLVED]

There are two issues - one is the same regardless of the VPN type and the other one is specific to Wireguard. Mobile clients connect from "random" public addresses, so the only route that can handle any of them is the default one. Given that the default route in the default routing table (ca...
by sindy
Sun Dec 01, 2024 4:08 pm
Forum: General
Topic: Request for new feature (SNMP OIDs)
Replies: 3
Views: 382

Re: Request for new feature (SNMP OIDs)

Are you aware of the possibility to use SNMP GET to run a script that returns any value you make it obtain and possibly post-process?
https://help.mikrotik.com/docs/spaces/R ... ptswithGET
by sindy
Sun Dec 01, 2024 3:12 pm
Forum: General
Topic: Passthrough WAN inside LAN in separate VLAN
Replies: 7
Views: 625

Re: Passthrough WAN inside LAN in separate VLAN

Yes, of course, it was done in another bridge just for test purposes. OK, but to avoid further tampering with the remote access, I'd now keep ether1 and VLAN 111 on bridge_EXT and migrate other ports from bridge_PVE to bridge_EXT, and once bridge_PVE becomes empty, remove it and rename bridge_EXT t...
by sindy
Sun Dec 01, 2024 12:55 pm
Forum: General
Topic: Passthrough WAN inside LAN in separate VLAN
Replies: 7
Views: 625

Re: Passthrough WAN inside LAN in separate VLAN

after the last command (/ip address set [find where interface=ether1] interface=vlan111 ; /interface bridge port add bridge=bridge_EXT interface=ether1 pvid=111) connectivity gets lost (Request timeout for ping). ... I have no idea why? If you use safe mode to prevent a complete loss of access shou...
by sindy
Sat Nov 30, 2024 8:24 pm
Forum: General
Topic: Starlink and Mikrotik Router Problem
Replies: 8
Views: 6107

Re: Starlink and Mikrotik Router Problem

Which one of the two distinct ones described above?
by sindy
Sat Nov 30, 2024 7:35 pm
Forum: General
Topic: Passthrough WAN inside LAN in separate VLAN
Replies: 7
Views: 625

Re: Passthrough WAN inside LAN in separate VLAN

The own IP address of the router cannot remain attached to ether1 as it becomes a member port of a bridge. So to make the WAN subnet available to the servers, you have to make the bridge VLAN-aware by setting vlan-filtering to yes, add an /interface vlan name=bridge.wan.111 interface=bridge vlan-id...
by sindy
Sat Nov 30, 2024 4:12 pm
Forum: General
Topic: Help with Extending WAN Physically with VLAN's.
Replies: 11
Views: 838

Re: Help with Extending WAN Physically with VLAN's.

I feel like learning networking goes from 0 - 100 real quick and suddenly you have to know everything to get something done. I'm fairly well understood on the VLAN side of things, subnets and routing however I fall short on. That is why I've suggested that you go in small steps - before touching an...
by sindy
Fri Nov 29, 2024 9:07 pm
Forum: General
Topic: Help with Extending WAN Physically with VLAN's.
Replies: 11
Views: 838

Re: Help with Extending WAN Physically with VLAN's.

You've misunderstood me so I must have not expressed myself clearly. I just said you can use the pair of VLAN-capable switches (non-Mikrotik ones, I suppose) to use an additional VLAN instead of the patchcord that was connecting ether1 of the 5009 to the LAN port of the ISP modem directly in the old...
by sindy
Fri Nov 29, 2024 5:13 pm
Forum: General
Topic: Help with Extending WAN Physically with VLAN's.
Replies: 11
Views: 838

Re: Help with Extending WAN Physically with VLAN's.

If you don't mind postponing the learning on the Mikrotik and using two cables instead of just one between the VLAN switch and the 5009, you can as well leave the configuration of the 5009 untouched and do all the magic using the VLAN switches alone. The port of the ISP modem that was connected to e...
by sindy
Fri Nov 29, 2024 3:07 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1489

Re: VPN IPSec Route

If "the fortigate side" means one of the two subnets you've mentioned in the OP and "our internal servers" means the other one of those two subnets, what you just wrote means that both the IPsec policy and the routing at your side are correct but firewall rules on your devices or...
by sindy
Fri Nov 29, 2024 12:14 am
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 32
Views: 5273

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

We've spent quite some time on a similar case, and the culprit turned out to be the ISP router and daily re-establishment of its uplink connection, see viewtopic.php?p=1110481#p1110481
by sindy
Thu Nov 28, 2024 6:11 pm
Forum: General
Topic: LTE Interface Problems in OS 7.16.1
Replies: 3
Views: 437

Re: LTE Interface Problems in OS 7.16.1

What kind of LTE modem do you have, and what does "since ROS 7" mean - are you saying you did run the same modem on the same LtAP mini while running ROS 6 without problems? The thing is I never had to create an LTE interface manually so far, be it ROS 6 or ROS 7 - if a supported hardware is co...
by sindy
Thu Nov 28, 2024 1:54 pm
Forum: General
Topic: Disabling system,error,critical login failure for user foobar from so.me.ip.num via ssh
Replies: 9
Views: 766

Re: Disabling system,error,critical login failure for user foobar from so.me.ip.num via ssh

I consider ssh safer, more reviewed and tested than VPN software, so prefer to expose ssh than VPN to public. If by "reviewed" you mean 3rd party review of source code, it will probably disappoint you that gentlemen in Riga have repeatedly stated here on the forum, in response to concerns...
by sindy
Thu Nov 28, 2024 12:31 pm
Forum: General
Topic: Disabling system,error,critical login failure for user foobar from so.me.ip.num via ssh
Replies: 9
Views: 766

Re: Disabling system,error,critical login failure for user foobar from so.me.ip.num via ssh

Allow VPN connections to router( from public internet)? Why would it be safer than secured ssh access? In theory, SSH is as secure as SSTP, which in turn is as secure as IPsec, as long as all of them use the same encryption and authentication algorithms. In practical use, it's all software written ...
by sindy
Wed Nov 27, 2024 11:14 am
Forum: General
Topic: VPN Type / PC with x Users
Replies: 17
Views: 858

Re: VPN Type / PC with x Users

I like cert based auth more. Anyway thanks for sharing. Maybe it's gonna be an option. The issue with client side certs for me is that Windows are unable to store the private key password-protected and ask for the password whenever you want to use the certificate. The fact that last time I've tried ...
by sindy
Tue Nov 26, 2024 6:50 pm
Forum: General
Topic: VPN Type / PC with x Users
Replies: 17
Views: 858

Re: VPN Type / PC with x Users

What I am using is the Windows embedded VPN client in IKEv2 mode with username&password authentication of the client. This requires RADIUS authentication on the server side, in my case provided by the Mikrotik's user manager package, which also offers the "poor man's MFA" where TOTP is...
by sindy
Tue Nov 26, 2024 6:38 pm
Forum: General
Topic: HEX Lite for routing between subnets [SOLVED]
Replies: 29
Views: 2422

Re: HEX Lite for routing between subnets [SOLVED]

I've wasted some energy to let the AI translate @anav's kind words into a drawing, and this is the winner:
by sindy
Tue Nov 26, 2024 6:28 pm
Forum: General
Topic: Bridge -> Bond -> 2x Ethernet MTU Setting?
Replies: 6
Views: 638

Re: Bridge -> Bond -> 2x Ethernet MTU Setting?

Sorry @🦊, non capisco. First, I cannot see how you set actual-mtu as to me, it is a read-only value. Second, the MTU is basically an informative parameter, the interface informs the IP stack that it has to create packets smaller than that (and eventually transform it into an information for the r...
by sindy
Tue Nov 26, 2024 12:32 pm
Forum: General
Topic: WAN interface Passes more data than the LAN interface
Replies: 13
Views: 844

Re: WAN interface Passes more data than the LAN interface

That's still just a high-level description that says nothing about the actual bandwidth settings of the queues, so it does not help in finding out whether it's a configuration issue or a RouterOS bug that makes the 5009 drop part of the download traffic rather than forward it to the LAN side.
by sindy
Tue Nov 26, 2024 9:31 am
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1489

Re: VPN IPSec Route

A subnet matching to a policy need not be local, it is enough that there was a route to it. So the router X, on which subnet A is the src-address of the IPsec policy, must have a regular route to 172.16.0.0/29 via some gateway in its 192.168.0.0/24, and devices in 172.16.0.0/29 must have a route to ...
by sindy
Tue Nov 26, 2024 9:23 am
Forum: General
Topic: WAN interface Passes more data than the LAN interface
Replies: 13
Views: 844

Re: WAN interface Passes more data than the LAN interface

OK, so it seems the queues do their job - what is the configuration?
by sindy
Tue Nov 26, 2024 9:21 am
Forum: General
Topic: Bridge -> Bond -> 2x Ethernet MTU Setting?
Replies: 6
Views: 638

Re: Bridge -> Bond -> 2x Ethernet MTU Setting?

Bonding does not add any headers to the frames, it is just a dispatcher that chooses which physical path to use for a particular physical frame, based on the contents of the existing headers. So the L2MTU is the same as that of its physical member interfaces (all of which must be identical). I....
by sindy
Mon Nov 25, 2024 10:43 pm
Forum: General
Topic: WAN interface Passes more data than the LAN interface
Replies: 13
Views: 844

Re: WAN interface Passes more data than the LAN interface

Well, the very goal of queues is to enforce bandwidth limits. So there are two possibilities - either the queues were actually doing their job and the remote sources were sending more traffic than the queue configuration permitted, so the drops were a correct behavior, or the router doesn't have eno...
by sindy
Mon Nov 25, 2024 10:37 pm
Forum: General
Topic: 2 LAN ranges on the same network
Replies: 1
Views: 341

Re: 2 LAN ranges on the same network

It is indeed possible to use multiple subnets in the same L2 segment (bridge, VLAN), but there are a few things that complicate this. The least critical one is that if you need the router itself to initiate any connections to the devices in the two subnets (such as pinging the devices from the route...
by sindy
Mon Nov 25, 2024 9:33 pm
Forum: General
Topic: HEX Lite for routing between subnets [SOLVED]
Replies: 29
Views: 2422

Re: HEX Lite for routing between subnets [SOLVED]

I strongly believe that answers to "why" questions are helpful to find the right answers to the "how" ones. So let me answer several questions you haven't asked. the difference between netmap and (src|dst)-nat actions is that in case of netmap, the to-addresses parameter holds a...
by sindy
Mon Nov 25, 2024 7:32 pm
Forum: General
Topic: WAN interface Passes more data than the LAN interface
Replies: 13
Views: 844

Re: WAN interface Passes more data than the LAN interface

:D indeed, right you are... I guess it is time for me to take a training in screenshot reading :D
by sindy
Mon Nov 25, 2024 6:50 pm
Forum: General
Topic: Disable Voice VLAN on specific Ports
Replies: 3
Views: 620

Re: Disable Voice VLAN on specific Ports

I would expect that the VLAN's are configured, specifically per port. I am afraid that the actual question in the OP is whether it is possible to remove the LLDP-MED extension from the LLDP messages that RouterOS sends out via ports that are not members of the voice VLAN. Since RouterOS waits fo...
by sindy
Mon Nov 25, 2024 6:24 pm
Forum: General
Topic: WAN interface Passes more data than the LAN interface
Replies: 13
Views: 844

Re: WAN interface Passes more data than the LAN interface

Your firewall does take care of that, albeit in a way I do not like, but just for others eventually reading this in future: my first step would be to check that DNS requests from WAN are blocked in firewall, as sending very short DNS requests that generate very large answers is a popular way to use ...
by sindy
Sun Nov 24, 2024 9:34 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

I thought I already did, but ok, in more detail then. Run /tool/sniffer/quick ip-address=ip.of.wg.server. Since persistent keepalive is not set on your wireguard peer, it doesn't matter if you see nothing yet (and it need not be set, as you don't expect any incoming connections via the WG tunnel...
by sindy
Sun Nov 24, 2024 7:40 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

32 kByte would be too much even for a jumbo frame, fragmentation is inevitable. I had in mind something between 400 and 1400 bytes - definitely smaller than the MTU of the Wireguard interface, just large enough to distinguish the transport Wireguard packets from the handshake and keepalive ones. And...
by sindy
Sun Nov 24, 2024 7:36 pm
Forum: General
Topic: Device will use IP from Server
Replies: 17
Views: 1014

Re: Device will use IP from Server

Post the export of the configuration of both Mikrotik devices, after removing serial numbers, public addresses and eventual usernames to external services. And describe what is the overall network topology (at both ends of the wireless link), as that determines what are the requirements on the wi...
by sindy
Sun Nov 24, 2024 5:24 pm
Forum: General
Topic: Minimum requirement to be a official Mikrotik consultant
Replies: 14
Views: 990

Re: Minimum requirement to be a official Mikrotik consultant

I think @ToTheFull refers to the requirement that one has to be "active" on the forum in order to maintain their official consultant status. But the particular kind of activity is not specified. I guess it would be complicated to verify conformance to a more specific requirement, like &qu...
by sindy
Sun Nov 24, 2024 5:19 pm
Forum: General
Topic: Access from OpenVPN to VLAN [SOLVED]
Replies: 3
Views: 428

Re: Access from OpenVPN to VLAN [SOLVED]

Your export doesn't show any "forward rules"; as you said you have "added" some, does it mean that initially there were none? If so, your firewall is non-existent, as the default treatment of a packet that doesn't match to any rule is "accept". Always post the complete ...
by sindy
Sun Nov 24, 2024 5:10 pm
Forum: General
Topic: Wildcard in tool/sniffer/set filter-mac-address=?
Replies: 12
Views: 1456

Re: Wildcard in tool/sniffer/set filter-mac-address=?

The modus operandi of most of these IoT devices is the same - they establish a single TLS connection to one server from a pool in cloud and internally use this connection for all sorts of communication. I don't say it is not possible for them to temporarily establish some other connection ad hoc for...
by sindy
Sun Nov 24, 2024 2:32 pm
Forum: General
Topic: Bridge -> Bond -> 2x Ethernet MTU Setting?
Replies: 6
Views: 638

Re: Bridge -> Bond -> 2x Ethernet MTU Setting?

Please clarify what is the issue you encounter - I can see you have set the (L3) MTU to 3000 on all your Ethernet interfaces as well as the bond itself. Do you get an error when you try to set 9000, or do the packets not actually pass through when you set 9000? The L3 MTU must fit into the L2 MTU le...
by sindy
Sun Nov 24, 2024 1:40 pm
Forum: General
Topic: Wildcard in tool/sniffer/set filter-mac-address=?
Replies: 12
Views: 1456

Re: Wildcard in tool/sniffer/set filter-mac-address=?

Would the following mask allow 44:61:32:xx:xx:xx
FF:FF:FF:00:00:00
Indeed.
by sindy
Sat Nov 23, 2024 8:59 pm
Forum: General
Topic: Device will use IP from Server
Replies: 17
Views: 1014

Re: Device will use IP from Server

arp is the parameter, proxy-arp is the value. The wireless interface of the remote Mikrotik is probably a member port of a bridge, and the arp setting on that bridge is important.
by sindy
Sat Nov 23, 2024 1:43 pm
Forum: General
Topic: Device will use IP from Server
Replies: 17
Views: 1014

Re: Device will use IP from Server

Maybe I've misunderstood the original issue? From what I got you were seeing DHCP requests come from the MAC address of the remote Mikrotik, with different Client-ID values so they were served with different IP addresses. Is that the case or something else was actually happening? After switching ...
by sindy
Fri Nov 22, 2024 7:55 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

What does "local machine" mean? The Mikrotik itself or a PC connected to it? And what does "no longer works" mean - if "local machine" means something connected to the Mikrotik in the 192.168.188.0/24 subnet, can you see pings to 8.8.8.8 being routed out via the wg1 interface b...
by sindy
Fri Nov 22, 2024 6:33 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

Well, at this point, we know that there is indeed an issue when modifying routing rules, anyone willing to file a support ticket? the concept as such works The next question is whether you can get any answer whatsoever via the tunnel - if you ping e.g. 8.8.8.8 from a 192.168.188.x device, does a sni...
by sindy
Fri Nov 22, 2024 3:29 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

I tested with drop instead of accept and it works. After 11 minutes when rule got disabled, Wireguard and EOIP connection was reestablished. Sorry, so many mistakes in a single post... I was so concentrated on what to match to prevent dropping too much that I forgot to specify action=drop at all. C...
by sindy
Fri Nov 22, 2024 11:02 am
Forum: General
Topic: Device will use IP from Server
Replies: 17
Views: 1014

Re: Device will use IP from Server

I mean https://help.mikrotik.com/docs/spaces/ROS/pages/122388518/Wireless+Station+Modes#WirelessStationModes-Modestation-bridge - on the AP side, you have to double-check that bridge-mode is set to yes. You can also switch the mode on the AP side from ap-bridge to just bridge as you only have a sin...
by sindy
Thu Nov 21, 2024 9:21 pm
Forum: General
Topic: Device will use IP from Server
Replies: 17
Views: 1014

Re: Device will use IP from Server

Since both devices are Mikrotik ones, change the mode from station-pseudobridge to station-bridge and do the other required settings and the issue will be gone. The 802.11 standard did not anticipate there could be multiple devices behind a wireless station so the "sender MAC address" and ...
by sindy
Thu Nov 21, 2024 9:04 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

OK, I added this in the scheduler. I hope it is ok. add interval=23h59m59s name=Test1 on-event="on-event={/ip firewall/filter/enable [find chain=output]}" policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2024-11-20 start-time=05:08:00 Sorry, it should have ...
by sindy
Thu Nov 21, 2024 11:39 am
Forum: General
Topic: Device will use IP from Server
Replies: 17
Views: 1014

Re: Device will use IP from Server

What is the wireless interface mode on the Mikrotik device that is not an AP?
by sindy
Wed Nov 20, 2024 10:34 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

If so, I suggest that you copy-paste the following: /routing rule remove [find] add action=lookup-only-in-table dst-address=192.168.188.0/24 table=main add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg and try the DNS query and sniffing using /tool sniffer quick ip-address=1...
by sindy
Wed Nov 20, 2024 8:44 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2244

Re: VRRP with single WAN and Single LAN Address

I thought that when one leased a server for CHR, part of the deal was redundancy so that if the server failed, the CHR would automatically be migrated to another server etc....... ?? Indeed, if you run a machine in a 3rd party data center, this is exactly what you expect; however, the OP calls &quo...
by sindy
Wed Nov 20, 2024 8:34 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2244

Re: VRRP with single WAN and Single LAN Address

So on the WAN interface we would use a private IP address to each router. VRRP2 RTR 1 = 192.168.1.40 RTR 2 = 192.168.1.50 VRRP Address = x.x.60.100 (WAN address for my internet connection) In this setup the VRRP packets travel the .40 and .50 IPs to check keepalive. If the primary router goes offi...
by sindy
Wed Nov 20, 2024 7:58 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

Does this give us any insight why connection keeps failing? Rather a hint than an insight, but there is another thing you can arm for tomorrow morning. Instead of changing the port, add the following rule: /ip firewall filter add chain=output protocol=udp dst-port=13231 disabled=yes Then, set the ...
by sindy
Wed Nov 20, 2024 6:47 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

The application to open the file with is Wireshark. The file contains quite a lot of public addresses of yours, I assume you do not mind as you've posted it anyway. In Wireshark, set the display filter to udp.port == 13231; you will see that until 5:04:12 (packets 2837 and 2838), the communication ...
by sindy
Tue Nov 19, 2024 11:01 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

The sniffing shows that the routing rules do not work as expected - the source address 192.168.188.4 and destination address 10.255.255.3 do not match the first rule below and do match the second, yet the packet leaves via ether1: /routing rule add action=lookup-only-in-table disabled=no dst-address...
by sindy
Tue Nov 19, 2024 9:49 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

Here are some results from /tool sniffer quick interface=wg1 port=53. Do I understand right that I don't get any responses? wg1 35.822 108 -> 100.72.7.16:5678 (discovery) 8.8.8.8:53 (dns) ip:udp 64 3 wg1 36.383 109 -> 100.72.7.16:5678 (discovery) 8.8.4.4:53 (dns) ip:udp 64 3 wg1 36.814 110 -> 100.72...
by sindy
Tue Nov 19, 2024 9:35 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

Step 1, configure the sniffer manually: /tool/sniffer/set file-name=vinograd.pcap file-limit=32000 filter-interface=ether1 (I hope 32 MBytes are free on the disk) Step 2, add the start and stop scheduled events: /system/scheduler/add name=sniffer-start start-date=2024-11-20 start-time=05:00:00 on-ev...
by sindy
Tue Nov 19, 2024 12:02 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

The idea of scheduled change was based on the assumption that the issue happens after some time of operation. If it is actually an instant reaction to some external event, the idea of "clearing the table" in advance, at a time when it doesn't bother anyone, will not work. Hence it would ma...
by sindy
Mon Nov 18, 2024 11:16 am
Forum: General
Topic: Connect and Disconnect (continuing)
Replies: 8
Views: 653

Re: Connect and Disconnect (continuing)

Only in case that the Emporia Vue is the only device to connect to the wifi2ghz interface, the following command might help: /interface bridge port set [find where bridge=bridge interface=wifi2ghz] edge=yes The background is the following: if no station (client) is associated to an AP, the "et...
by sindy
Sun Nov 17, 2024 9:27 pm
Forum: General
Topic: VLAN confusion
Replies: 19
Views: 985

Re: VLAN confusion

I think that the largest benefit is what can be categorized as "security" whereby access to certain devices by certain other devices is controlled by way of VLAN assignment. It is not controlled by VLANs themselves. VLANs just give you the possibility to prevent direct communication among...
by sindy
Sun Nov 17, 2024 8:28 pm
Forum: General
Topic: How to Pass all traffic into WireGuard Cloudflare ?
Replies: 49
Views: 5354

Re: How to Pass all traffic into WireGuard Cloudflare ?

The newest export posted here is more than two weeks old. If you still haven't resolved it, please post a current one.
by sindy
Sun Nov 17, 2024 8:12 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

It was provided in WG config, and I didn't find any other place to put it. Well, you have actually put it to two places, that's what I was concerned about. In the /ip dhcp-server network, it has to be the 10.255.255.3 because that's what the clients should use; in /ip dns, it must be a public DNS ...
by sindy
Sun Nov 17, 2024 7:57 pm
Forum: General
Topic: VLAN confusion
Replies: 19
Views: 985

Re: VLAN confusion

Well, how the heck does that fit in with the cute animated models of creating virtual networks to reduce broadcast traffic and provide flexible security features? Exactly the same way as totally isolated physical LANs would. The only thing that VLANs themselves provide is this kind of isolation w...
by sindy
Sun Nov 17, 2024 7:42 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

So my guess is something wrong with DNS. That, or an MTU issue, or the VPN playing games with TTL to prevent people from using routers instead of individual devices. So first, from where does the 10.255.255.3 DNS server address come? Because you use it both for the router itself, which needs to be ...
by sindy
Sun Nov 17, 2024 4:33 pm
Forum: General
Topic: Public IP High Availability
Replies: 7
Views: 1126

Re: Public IP High Availability

I am not sure I understand properly what you want to achieve. From what you wrote I gather that those addresses are assigned to your provider by the authority responsible for address allocation in your area, i.e. you do not have any public prefix and a public ASN number assigned directly to you, so ...
by sindy
Sun Nov 17, 2024 3:18 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

...and the same issue has to be corrected also in the firewall rule: out-interface=*A
by sindy
Sun Nov 17, 2024 11:51 am
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

Two things regarding this export: at some point, you have removed and recreated the Wireguard interface. Even though you've used the same name for it, for the system, it is nevertheless another interface, the old one is gone. But RouterOS incorporates no crystal ball so the route keeps referring to ...
by sindy
Sun Nov 17, 2024 11:38 am
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

DHCP expires in 15:17. Current time is 22 PM. 5:00 in the morning is much faster, almost half faster. Maybe ISP is reconnecting at 5 AM in the morning. The thing is that I've got Wireguard "links" between Mikrotiks myself that have been up for weeks and the forum also doesn't overflow wit...
by sindy
Sat Nov 16, 2024 9:46 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

This really makes me wonder what is causing problems in Mikrotik's direct implementation in this exact case. My current working hypothesis is that the Wireguard stack may go nuts if the DHCP lease is lost for a while and thus no route exists to send an outgoing packet. I have seen cases where the ren...
by sindy
Sat Nov 16, 2024 8:24 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

It's impossible to check this, because at the same time Zerotier and AmneziaWG are still running between those interfaces and IP addresses, so the log is completely bloated with their connections. And if I disable Zerotier I lose access to the client 500 km away. You can filter on port=!xxxxx, but wherea...
by sindy
Sat Nov 16, 2024 7:50 pm
Forum: General
Topic: SSTP VPN Server questions and best practices? [SOLVED]
Replies: 3
Views: 477

Re: SSTP VPN Server questions and best practices? [SOLVED]

1. I was able to log in with a username and password I configured under /ppp secret. How can I disable password authentication and only use certificates? The only SSTP client that can authenticate itself using a certificate is the Mikrotik one. So for non-Mikrotik clients, the best available pract...
by sindy
Sat Nov 16, 2024 7:21 pm
Forum: General
Topic: VLAN confusion
Replies: 19
Views: 985

Re: VLAN confusion

The vernacular is indeed confusing and varies between vendors. For me, a TAGGED port is just an unusual name for a TRUNK port. And the ACCESS and TRUNK really only express the behaviors as you've summarized them. I can't even begin to comprehend the ingress filtering active, multiple VLAN IDs, untag...
by sindy
Sat Nov 16, 2024 7:09 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, loosing connection

How is it written correctly?
ip-address
by sindy
Sat Nov 16, 2024 5:25 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 50
Views: 3692

Re: Cant get Wireguard client to work

If you mean the routing rule with min-prefix=0, it is indeed not the reason why the whole thing does not work. But I'd not hurry to revert to that approach, let's wait for confirmation that the removal of the check-gateway indeed helped.
by sindy
Sat Nov 16, 2024 4:36 pm
Forum: General
Topic: VLAN confusion
Replies: 19
Views: 985

Re: VLAN confusion

"Egress" means a frame exiting the router or switch, right? Correct. Do I understand correctly then that an "access" port on a router only allows frames to leave that have a VLAN tag that matches certain specifications (and then strips the tag)? Indeed. The "certain specifi...
by sindy
Sat Nov 16, 2024 4:03 pm
Forum: General
Topic: VLAN confusion
Replies: 19
Views: 985

Re: VLAN confusion

how to think about an environment like mine with multiple locations each with its own /24 subnet and how VLANs would be best utilized. Since all the interconnections between your locations/sites are L3 ones, and since there is only a single subnet on each site, there is no useful place for VLANs. V...
by sindy
Sat Nov 16, 2024 3:39 pm
Forum: General
Topic: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970
Replies: 7
Views: 1950

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

It indeed looks like a bug to me. I am also signing the client certificates using a CA on Mikrotik, but using the "correct" way where the private key is generated on the client itself along with a certificate signing request, the request alone is then transferred to the CA Mikrotik and sig...
by sindy
Sat Nov 16, 2024 3:16 pm
Forum: General
Topic: VLAN confusion
Replies: 19
Views: 985

Re: VLAN confusion

I do not understand the implications of VLAN's purpose "to create a virtually separated logical L2 network." Before VLANs, devices connected to the same switch could all receive frames from each other - the switch only took care about the destination MAC address of each frame. If you want...
by sindy
Sat Nov 16, 2024 2:20 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

My suggestion is the following. Once that happens again, sniff on the ax³ while filtering just on protocol=udp ip-address=public.ip.of.ax² , and also at the ax² filtering on just protocol=udp ip-address=public.ip.of.ax³ . Provided that there is no other direct communication between the two devices, ...
by sindy
Sat Nov 16, 2024 1:54 pm
Forum: General
Topic: VLAN confusion
Replies: 19
Views: 985

Re: VLAN confusion

The way you describe your network suggests that you may lack some bits of information. VLANs are intended to create virtually separated logical L2 networks on a physical L2 infrastructure (leaving L2 tunnels aside for a moment). The fact that people freely interchange the terms "VLAN" and ...
by sindy
Sat Nov 16, 2024 11:53 am
Forum: Beginner Basics
Topic: Can't get Wireguard client to work
Replies: 50
Views: 3692

Re: Can't get Wireguard client to work

I'm not sure where to even start with this. The name of this parameter in Linux is suppress_prefixlength , which is pythic enough too but at least it is not outright misleading like min-prefix , since the latter suggests that the condition matches for prefixes of N bits or longer, whereas it actuall...
by sindy
Fri Nov 15, 2024 11:09 pm
Forum: Beginner Basics
Topic: Can't get Wireguard client to work
Replies: 50
Views: 3692

Re: Can't get Wireguard client to work

It's the check-gateway setting on the only manually configured route via wireguard1 that breaks things. There is no way to ping an interface, you can only ping an IP address. But apparently there is a bug in RouterOS that indeed makes the route inactive in this situation rather than ignoring this in...
by sindy
Fri Nov 15, 2024 8:48 pm
Forum: General
Topic: IPSEC PH2 stop working - Fortigate
Replies: 2
Views: 1088

Re: IPSEC PH2 stop working - Fortigate

Not sure whether @robertbisom is still interested in any response almost a year later, but @d3mo, a similar behavior may have a completely different root cause, plus yours is quite different from his one. If there is no NAT on the path between your IPsec peers, the most frequent reason why Phase2 SA...
by sindy
Fri Nov 15, 2024 7:09 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2244

Re: VRRP with single WAN and Single LAN Address

At least in RouterOS 6, it was indeed possible that the address attached to the VRRP interface was totally unrelated to the address attached to the underlying "physical" one, so you could e.g. use private or APIPA addresses (169.254.x.y) to let the two devices talk VRRP to each other and a...
by sindy
Fri Nov 15, 2024 5:51 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

After moving the connection to the new ports, which made it work again, how much time did you give "the packet-eating monster" to forget the connection between the old ports before switching back to using them? Seconds, minutes, hours?
by sindy
Fri Nov 15, 2024 5:49 pm
Forum: General
Topic: Static route to dynamic IP?
Replies: 14
Views: 1224

Re: Static route to dynamic IP?

If you set passthrough-subnet-size in the interface lte apn profile on the wAP to 32 , the DHCP server that gets created on the wAP in LTE passthrough mode will assign the address provided by the mobile network as a /32 one to the client, and will choose an address from 10.177.0.0/something as the g...
by sindy
Wed Nov 13, 2024 9:34 pm
Forum: Beginner Basics
Topic: Can't get Wireguard client to work
Replies: 50
Views: 3692

Re: Can't get Wireguard client to work

So I've made a test on 7.16.1 and no, the rule with action=lookup-only-in-table table=main min-prefix=0 does not remove the default routing table choice, so if the packet whose destination address only matches the default route in main does not match to the second rule and thus it doesn't get routed...
by sindy
Wed Nov 13, 2024 5:32 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

BTW I have torched the wan interface in the past and packets do arrive on that port and no handshake is done. The fact that @dcavni has stated he did not see the packets from the client to arrive to the server, whilst he did see other UDP packets to arrive from the client, is what made me conclude ...
by sindy
Wed Nov 13, 2024 2:15 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

It is indeed necessary to set the scheduler interval to 1d, sorry, I forgot to state that. But if you have removed the connection manually and it did not help (provided that the server side port was 13231 at that time, as otherwise the "manual removal" may not have succeeded), chances are ...
by sindy
Wed Nov 13, 2024 10:57 am
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2244

Re: VRRP with single WAN and Single LAN Address

RTR 1 Flags: X - DISABLED; F - FAILURE Columns: NAME, INTERFACE, MAC-ADDRESS, VRID, PRIORITY, INTERVAL, VERSION, V3-PROTOCOL, SYNC-CONNECTION-TRACKING # NAME INTERFACE MAC-ADDRESS VRID PRIORITY INTERVAL VERSION V3-PROTOCOL SYNC-CONNECTION-TRACKING ;;; LAN 0 F vrrp1 ether1 00:00:5E:00:01:31 49 254 1...
by sindy
Wed Nov 13, 2024 10:44 am
Forum: General
Topic: Help with NAT [SOLVED]
Replies: 8
Views: 976

Re: Help with NAT [SOLVED]

on the Judah MK, the meter of 10.116.12.134/22 will be plugged directly into ether2 and 10.116.12.135/22 will be plugged directly into ether3. OK. So the 10.116.12.0/22 is not known to the Judah hEX yet, but for some reasons, you want the two flowmeters you plan to ultimately place in Judah to have...
by sindy
Tue Nov 12, 2024 11:14 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2244

Re: VRRP with single WAN and Single LAN Address

Here are the two test routers I have set up.
OK, no firewall filter rules at all so VRRP packets from the other router can definitely get in if they make it through the LAN.

With these configurations, what does /interface/vrrp/print where name=vrrp1 show at both test routers?
by sindy
Tue Nov 12, 2024 10:40 pm
Forum: Beginner Basics
Topic: Can't get Wireguard client to work
Replies: 50
Views: 3692

Re: Can't get Wireguard client to work

No. When I say the new rule should be added as a third one, I mean it literally. The description before gives the reasons.
by sindy
Tue Nov 12, 2024 10:37 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 101
Views: 18836

Re: Multi-WAN Load Balancing Starlink issue

How did it end up going?
We finally made it work. What's your current issue with that setup, and what do you need to achieve besides the basic load distribution?
by sindy
Tue Nov 12, 2024 10:32 pm
Forum: Beginner Basics
Topic: Can't get Wireguard client to work
Replies: 50
Views: 3692

Re: Can't get Wireguard client to work

At some point, Mikrotik has added the min-prefix parameter to routing rules, but the explanation in Mikrotik manual just refers to the name of the feature as used in general Linux, and references I could find are also not very verbose regarding "side effects" (putting that in quotes as tho...
by sindy
Tue Nov 12, 2024 9:36 pm
Forum: General
Topic: Help with NAT [SOLVED]
Replies: 8
Views: 976

Re: Help with NAT [SOLVED]

If some specific conditions are met, you can, but here both ends happen to have one.
by sindy
Tue Nov 12, 2024 8:21 pm
Forum: General
Topic: Help with NAT [SOLVED]
Replies: 8
Views: 976

Re: Help with NAT [SOLVED]

I must admit I am a bit confused. You state that the LAN subnets on the two sites overlap, but it's actually not the case - in Judah configuration, there is address=10.118.1.2/28 so the subnet spans 10.118.1.0-10.118.1.15, whilst in Stebbins, there's address=10.116.12.6/22 , so the range is 10.116.1...
by sindy
Tue Nov 12, 2024 7:23 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2244

Re: VRRP with single WAN and Single LAN Address

Sorry the existing router I took the export from is the Live router that is currently handling the traffic. ... Hope that clarifies things some more. Sorry if I am not explaining things very well. That's the point - you have experienced the issue on the test pair of CHRs but you have posted an expo...
by sindy
Tue Nov 12, 2024 6:46 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2244

Re: VRRP with single WAN and Single LAN Address

The datacenters are Cisco UCS/FI stacks being uplinked to our MPLS network through a pair of Cisco Nexus 9k and ASR 9ks for the MPLS ring. Ah, for me a "datacenter" normally means something provided by a 3rd party :D So I figure the two ASRs use BGP to advertise the public subnet where th...
by sindy
Mon Nov 11, 2024 9:11 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2244

Re: VRRP with single WAN and Single LAN Address

I have a problem wrapping my head around a scenario where you've got two georedundant datacenters between which a single IP address may freely migrate on an L2 segment (presumably a VxLAN) - in my understanding of networking, it would mean that there is a router in each of the datacenters that is abl...
by sindy
Mon Nov 11, 2024 6:42 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2244

Re: VRRP with single WAN and Single LAN Address

I do not understand what a "mirrored datacenter" means. VRRP uses specific MAC addresses so the physical machines running the CHRs have to be interconnected on L2 level so that a single public address could migrate between them using VRRP (there are L3 methods that do not require L2 interc...
by sindy
Sun Nov 10, 2024 10:03 pm
Forum: General
Topic: IPv6 WAN (LTE USB stick) troubles
Replies: 4
Views: 427

Re: IPv6 WAN (LTE USB stick) troubles

Hehe. Did you tell the DHCPv6 client to ask for both a prefix and an address and got neither?
by sindy
Sun Nov 10, 2024 6:54 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

More than that - as far as the Wireguard stack on the client can tell, the local port it is bound to does not change at all :) Initial state - no tracked connection exists, the server is idle, the client is disabled. No connection exists in our connection tracking. The ISP doesn't see any connection...
by sindy
Sun Nov 10, 2024 5:21 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 914

Re: Periodic connectivity issues to external WinBox

if I understand things correctly, if L3 hashing policy is used by them, the problem depends on Winbox having single or multiple simultaneous connections Even if there are simultaneous connections, each of them is a separate TCP session, and within the same TCP session, even L3+L4 hashing always choos...
by sindy
Sun Nov 10, 2024 5:06 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

are we sourcenatting the source port, the destination port and what are we changing the unknown port TO???? Since we cannot change the dst-port I am assuming that we changed the src port from 15678 to some random port between 40000 and 59999 Indeed, a src-nat rule changes the source address and/or...
by sindy
Sun Nov 10, 2024 1:52 pm
Forum: General
Topic: Any issues in this config? SIP phone problems :(
Replies: 2
Views: 1288

Re: Any issues in this config? SIP phone problems :(

Have you resolved this?
by sindy
Sun Nov 10, 2024 12:35 pm
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 66
Views: 7396

Re: Datasheet for new improved hEX?

do any of ARM devices have IPsec acceleration working yet? It's not just a matter of the CPU architecture. There are ARM devices that do (hAP ac²) and that don't (CRS310-8G+2S+IN, wAP ax), and there are ARM64 devices that do (hAP ax²) and that don't (CRS304-4XG-IN). So as you said the particular So...
by sindy
Sun Nov 10, 2024 11:17 am
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 66
Views: 7396

Re: Datasheet for new improved hEX?

Then why are ipsec features listed as being tied to mt7621 on MT Help pages related to IPSEC ? Because back in the days MT7621 was referring to a single SoC with a single particular switch block and a single particular CPU. Now, for lack or anything more distinctive, it is used also to refer to the...
by sindy
Sun Nov 10, 2024 10:52 am
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 914

Re: Periodic connectivity issues to external WinBox

Wow. 25 0.593357 IPs Removed TCP 396 8291 → 55024 [PSH, ACK] Seq=86 Ack=196 Win=64256 Len=342 26 0.593360 IPs Removed TCP 396 [TCP Retransmission] 8291 → 55024 [PSH, ACK] Seq=86 Ack=196 Win=64256 Len=342 27 0.839975 IPs Removed TCP 396 [TCP Retransmission] 8291 → 55024 [PSH, ACK] Seq=86 Ack=196 Win=...
by sindy
Sun Nov 10, 2024 10:29 am
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

So Sindy are you saying that its not a problem with either Router but something at the ISP end. Indeed (save a 0.5 % margin that the client somehow starts calculating one of the checksums wrong after the time, causing the packet to get dropped due to that, but then why hasn't anyone else fallen to ...
by sindy
Sun Nov 10, 2024 9:55 am
Forum: General
Topic: IPv6 WAN (LTE USB stick) troubles
Replies: 4
Views: 427

Re: IPv6 WAN (LTE USB stick) troubles

My idea is that IPv6 can be made to work on the Mikrotik with that modem and SIM but that won't give you access to the whole internet as not all web sites support IPv6, so you might need to set up a tunnel to some device that has both IPv6 and IPv4 connectivity. Does it still make sense to you to de...
by sindy
Sun Nov 10, 2024 9:46 am
Forum: General
Topic: RB5009 - IPSEC Help
Replies: 2
Views: 388

Re: RB5009 - IPSEC Help

It is hard to guess which settings are missing if we don't know which are already present, but the way you describe it, a rule chain=input protocol=ipsec-esp src-address=public.ip.of.zyxel action=accept seems to be missing in /ip firewall filter on the 5009. But since the mutual order of the rules i...
by sindy
Sat Nov 09, 2024 11:13 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 914

Re: Periodic connectivity issues to external WinBox

I'm not using any mangling on CHR side tho
I forgot again that you cannot set MSS in prerouting or input, so yes, might make sense to set it in output on the CHR as well. The most likely bottleneck is the ISP end of the PPPoE tunnel so it should not be necessary to do that, but who knows.
by sindy
Sat Nov 09, 2024 10:40 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 914

Re: Periodic connectivity issues to external WinBox

I am pretty sure that if you sniff at both ends filtering on ip-protocol=tcp ip-address=ip.of.the.other.device, you'll see the CHR to try sending several times a large packet that will not reach the physical Tik.
by sindy
Sat Nov 09, 2024 10:35 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

This sniffing part already exceeds my capabilities. You've already managed to sniff on the client and server Mikrotiks themselves, so you can sniff on yet another Mikrotik configured as bridge with hardware switching disabled as well. You can store the results of sniffing to a file on the router (a...
by sindy
Sat Nov 09, 2024 10:03 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 914

Re: Periodic connectivity issues to external WinBox

Well, IPv6 may be routed totally differently than IPv4 so you can't base conclusions regarding IPv4 on IPv6 behavior (and vice versa). As you already have the MSS clamping rules in place, try adjusting them to force something really defensive, like 1380 bytes, in both directions and see whether that...
by sindy
Sat Nov 09, 2024 9:25 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 914

Re: Periodic connectivity issues to external WinBox

In cases like this the first thing to check are MTU issues - as the CHR shows a successful login, the communication must have been bi-directional at least for a while. Only one of the multiple possible paths between your home router and the CHR may be affected, which would explain why it only happen...
by sindy
Sat Nov 09, 2024 9:11 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

The same behavior on different telecom operators. ... Also client behind double NAT. Completely different devices, different operators and the same behaviour. Since you can see the client to send the packets to the server but cannot see them to arrive (the source port may get changed by the NAT at c...
by sindy
Sat Nov 09, 2024 8:47 pm
Forum: General
Topic: qinq
Replies: 7
Views: 665

Re: qinq

Sorry, I did not understand from your OP that the link between the two 4011 was an active one, i.e. that the two 4011s are not connected just by dark fiber but there is some other equipment between them. If so, it depends on your contract with the service provider what type of traffic you can send t...
by sindy
Sat Nov 09, 2024 6:43 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

I tried with sniffer and I see, that client is sending packets to correct ip address but server never responds or receives anything. If I try with sniffer on server, nothing shows up. [daniel@MikroTik] > /tool sniffer quick port=13231 Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS...
by sindy
Sat Nov 09, 2024 6:08 pm
Forum: General
Topic: qinq
Replies: 7
Views: 665

Re: qinq

Are there multiple VLANs on the bridges currently interconnected using EoIP? If yes, it indeed does make sense to use an additional VLAN tag instead of EoIP, as that requires less overhead than EoIP both byte-wise and CPU-wise. If the "access" ports of the routers that are interconnected u...
by sindy
Sat Nov 09, 2024 3:13 pm
Forum: General
Topic: Why DNS servers are knocking port 5678 of pppoe-out1 interface?
Replies: 8
Views: 1341

Re: Why DNS servers are knocking port 5678 of pppoe-out1 interface?

From what you observe, I would assume that the detect internet sends the DNS requests it uses for the detection directly from the PPPoE interface, bypassing the firewall rules, whereas it lets the responses of the DNS servers reach the firewall; since the connection tracking has not seen the queries...
by sindy
Sat Nov 09, 2024 2:45 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, losing connection
Replies: 72
Views: 4330

Re: Mikrotik as Wireguard client behind NAT, losing connection

Nothing seems plainly wrong in your config, but I have spotted complaints here on the forum regarding what happens (or rather does not happen) if the peer address changes - not sure whether they are still relevant for 7.16.1. So apart from a mere implementation bug (as in "something does not wo...
by sindy
Sat Nov 09, 2024 11:44 am
Forum: General
Topic: letsencrypt on port 1115 RouterOS v7
Replies: 3
Views: 420

Re: letsencrypt on port 1115 RouterOS v7

Let's use the approach of the character from "A guide to boating for Ofelia" and decompose the problem into sub-problems so tiny that they are no problems at all. For DuckDNS, you have to use a script to update the record once the address changes, whereas RouterOS itself takes care of that...
by sindy
Thu Nov 07, 2024 10:45 pm
Forum: General
Topic: Configured remote access via VPS does not work for some things [SOLVED]
Replies: 5
Views: 897

Re: Configured remote access via VPS does not work for some things [SOLVED]

As I have assumed, there is no policy routing on your Mikrotik, so what I've described before is the most likely reason why it doesn't work. If it is the case, you can fix that multiple ways: using a -j SNAT --to-source=12.10.0.2 rule at the right place on the Linux box. This way is the simplest one...
by sindy
Thu Nov 07, 2024 8:51 pm
Forum: General
Topic: Configured remote access via VPS does not work for some things [SOLVED]
Replies: 5
Views: 897

Re: Configured remote access via VPS does not work for some things [SOLVED]

but I feel that there is still something I don't know about Mikrotik... You're not alone - we also do not know enough about your Mikrotik as you forgot to post an anonymized export of its configuration. Also, if the iptables rules you have shown are the only ones, the initial packet from x.x.x.x:X ...
by sindy
Thu Nov 07, 2024 11:47 am
Forum: General
Topic: how to block youtube shorts?
Replies: 12
Views: 1299

Re: how to block youtube shorts?

Still want the regular youtube but block the youtube shorts. RouterOS can only classify traffic using IP addresses and ports. This is not sufficient to distinguish between normal videos and shorts - to tell them from one another, you have to analyse the traffic on application level. Since youtube ...
by sindy
Wed Nov 06, 2024 8:28 pm
Forum: General
Topic: 1 Packet over Multiple Routes?
Replies: 14
Views: 1521

Re: 1 Packet over Multiple Routes?

OK, so let's take it more seriously. The broadcast mode of bonding indeed works well as for multiplication of the packets, but it does nothing at all regarding "tossing the late ones". The reason is that while broadcasting, the sending end does not add any information to the packets that w...
by sindy
Wed Nov 06, 2024 11:33 am
Forum: General
Topic: GPS is not override on VPN tunnel (iphone and android)
Replies: 2
Views: 312

Re: GPS is not override on VPN tunnel (iphone and android)

There are applications for Android that allow you to imitate any geolocation you wish, not only per GPS data but also the WiFi list. You have to enable developer mode and allow this imitation there. Google it up, I could find it earlier this year, and it indeed worked.
by sindy
Sun Nov 03, 2024 9:42 pm
Forum: General
Topic: TiVo => EoIP => TiVo ... fail
Replies: 15
Views: 1542

Re: TiVo => EoIP => TiVo ... fail

I'm not sure TTL be changed since bridged... Rest assured it is not, bridging does not touch the contents of the Ethernet frame being transported. But another point, what is the value of dont-fragment in the EoIP settings? Does Wireshark show any packets between the devices that have this IP header ...
by sindy
Sun Nov 03, 2024 1:04 am
Forum: General
Topic: IPv6 propagate address to clients behind router
Replies: 10
Views: 1053

Re: IPv6 propagate address to clients behind router

Your export says /ipv6 address add from-pool=IPv6-pool interface=bridge This means that you have set address=:: , so the resulting address is a "subnet router anycast address", which I believe cannot be assigned as an individual unicast address of an interface. So try changing that to the ...
by sindy
Sat Nov 02, 2024 9:05 pm
Forum: General
Topic: IPv6 propagate address to clients behind router
Replies: 10
Views: 1053

Re: IPv6 propagate address to clients behind router

Please post the complete export of your configuration (minus all the passwords and usernames, public addresses etc.). If you have indeed sniffed on the bridge, not on the ethernet interface, it looks really weird, as if you had some bridge filter rule there or an IPsec policy.
by sindy
Sat Nov 02, 2024 6:06 pm
Forum: General
Topic: IPv6 propagate address to clients behind router
Replies: 10
Views: 1053

Re: IPv6 propagate address to clients behind router

The only rule I've added was add action=accept chain=input in-interface-list=LAN protocol=udp to accept UDP coming from LAN. Since the default behavior of the firewall filter in Mikrotik is accept, your rule will not change the overall behavior of the filter, as the "drop everything else"...
by sindy
Sat Nov 02, 2024 3:22 pm
Forum: General
Topic: IPv6 propagate address to clients behind router
Replies: 10
Views: 1053

Re: IPv6 propagate address to clients behind router

What should I do to make my MT propagate IPv6 addresses to clients? Strictly speaking nothing as MT does not propagate them. It just reveals its own address upon request, which is enough for the host to create its own address, combining the prefix provided by the router and locally provided suffix - s...
by sindy
Sat Nov 02, 2024 12:16 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

As said I have zero experience with Unifi's internals, but in general purpose Linux distributions, things are done as simple as possible - the TLS stack is too lazy to look for the intermediate certificates here and there, and wants you to merge the own certificate and all the intermediate ones (mor...
by sindy
Sat Nov 02, 2024 11:41 am
Forum: General
Topic: Static route to dynamic IP?
Replies: 14
Views: 1224

Re: Static route to dynamic IP?

It's not so much of a performance issue as a memory issue as the router has to store thousands of 12-byte values indexed by 4-byte ones, probably in some b-tree to facilitate a fast search-through. As for a static ARP record, I've thought about it too and I did test it in some weird scenarios, but t...
by sindy
Sat Nov 02, 2024 1:12 am
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

I try it on my Mikrotik router using your script:
The thing is that the choice between R10 and R11 is random, so the fact that your certificate is signed using R10 doesn't mean that @josephny's one will be too; actually, it even doesn't mean that your next one will be signed using R10.
by sindy
Sat Nov 02, 2024 12:30 am
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

@Lokamaya, how do you know it is r10 in particular and not r11? I can't see that in the error message.
by sindy
Fri Nov 01, 2024 11:13 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

We call it "best practices," as in 'we're doing our best and practicing until we get it right'. Nice, I'll use that if you don't mind :) One little detail, GlenR has earned the status, respect, and reputation on the UI forums similar to what you, Amm0, anav, jaclaz, holvoetn, and a handfu...
by sindy
Fri Nov 01, 2024 10:57 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 121
Views: 24637

Re: Split traffic then merge [SOLVED]

I'm no cryptanalyst, so I must trust those who are and say it is secure. But somehow all cryptographic algorithms used to be perceived as safe until someone broke them; that's why all other security-related protocols (SSH, TLS, OpenVPN, IPsec) include a possibility to relatively easily plug in new ...
by sindy
Fri Nov 01, 2024 9:35 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

And the message is due the certificates YOUR computer is lacking the "root" certificate authority for your connection. Couldn't it be caused simply by the fact that the UDM did not send the certificate of the intermediate CA, probably because the magic script does not add it to the .crt f...
by sindy
Fri Nov 01, 2024 9:32 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

OK, I finally got it. From your description I have understood that you had trouble accessing Mikrotik from the UDM. The script is huge, but what makes it even more special is that it downloads other scripts from the author's web. No wonder the bad guys are so successful - you've literally just downl...
by sindy
Fri Nov 01, 2024 5:39 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

Do I need to allow 443 to the router to have a working cert? No, currently only port 80 is used to renew the certificate. Other than that - not just on Mikrotik, the very same code processes the contents of the HTTP requests that come to port 80 and of those that come to port 443. The security of H...
by sindy
Fri Nov 01, 2024 3:57 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

Looks like only 1 certificate: That's what I have suspected, which means that only the certificate requested using the last /certificate enable-ssl-certificate command will be updated automatically, and that the web server will present only that certificate (and its corresponding chain of trust) to...
by sindy
Fri Nov 01, 2024 12:07 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

Is this correct now? Looks fine to me. I have never tried to request two certificates for the same machine, what does /ip/service/print detail where name=www-ssl show? I previously watched a video and there was no mention of needing an intermediate CA cert. It depends on a lot of factors. The backg...
by sindy
Fri Nov 01, 2024 8:53 am
Forum: General
Topic: Static route to dynamic IP?
Replies: 14
Views: 1224

Re: Static route to dynamic IP?

the proxy arp trick is not seeming like it wants to work. I've set it on ether2 and then changed my route to point to "ether2" but I then get host unreachable from my WAN IP (currently 41.145.2.219) You would have to activate proxy-arp on the LTE router connected to ether2, not on ether2 ...
by sindy
Fri Nov 01, 2024 8:48 am
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

I don't know what the "R10 and R11 intermediate CA certificates" are or how to install them. I assume that is not done with the /certificate enable-ssl-certificate dns-name=XXXXXXXXX.dyndns.org command? Indeed this command only applies for and installs the own certificate. The intermediat...
by sindy
Fri Nov 01, 2024 12:09 am
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

Or does the code above provide the necessary security? The mangle rule in the code above adds the WAN address of the MT for a minute to an address list named acme-client whenever said MT router sends a packet to an IP address to which acme-v02.api.letsencrypt.org resolves. This happens when said ro...
by sindy
Thu Oct 31, 2024 11:00 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 2148

Re: Lets Encrypt

While not perfect, this might work if the MT device were connected to the Internet. There is a setup that "will work until it stops", which is based on the fact that the certificate renewal requests are currently sent to acme-v02.api.letsencrypt.org; as RouterOS sends them automatically,...
by sindy
Thu Oct 31, 2024 10:45 pm
Forum: General
Topic: Significantly higher latency between GRE tunnels
Replies: 6
Views: 493

Re: Significantly higher latency between GRE tunnels

It cannot be excluded that GRE takes another path between the public addresses than ICMP, ISPs sometimes have funny ideas on their own, and if some government requirements get added to the mix, weird things may happen. Out of curiosity, is the behavior about the same if you use IPIP instead of GRE? ...
by sindy
Thu Oct 31, 2024 9:21 pm
Forum: General
Topic: Significantly higher latency between GRE tunnels
Replies: 6
Views: 493

Re: Significantly higher latency between GRE tunnels

Honestly I don't understand the output. Both time and numbers columns increase by 1 integer on each polling: I have picked only the interesting groups of packets and removed the MAC address columns for easier reading. INTERFACE TIME NUM DIR SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU GRE_TO_BRANCH 33...
by sindy
Thu Oct 31, 2024 6:46 pm
Forum: General
Topic: Static route to dynamic IP?
Replies: 14
Views: 1224

Re: Static route to dynamic IP?

Why would it do that? The thing is that if you make an L2 port a gateway of a route, the router sends an ARP request down that port, asking for the MAC address of the actual destination IP address. Some routers (like Cisco by default) respond to such an ARP request with their own MAC address if the...
by sindy
Thu Oct 31, 2024 4:55 pm
Forum: General
Topic: Significantly higher latency between GRE tunnels
Replies: 6
Views: 493

Re: Significantly higher latency between GRE tunnels

What does /tool sniffer quick ip-protocol=icmp,gre ip-address=public.ip.of.remote,gre.ip.of.remote show on both routers while pinging with default size (hence small) packets?
by sindy
Thu Oct 31, 2024 3:31 pm
Forum: General
Topic: Static route to dynamic IP?
Replies: 14
Views: 1224

Re: Static route to dynamic IP?

From what I read I am confused - in Mikrotik configuration, an interface name is perfectly fine as a gateway of a route, except that it depends on additional factors whether such a route actually works or not, but that's apparently not the issue you deal with as you say "it does not like it"...
by sindy
Thu Oct 31, 2024 11:18 am
Forum: General
Topic: Cannot ping default gateway on one of WAN interfaces [SOLVED]
Replies: 10
Views: 905

Re: Cannot ping default gateway on one of WAN interfaces [SOLVED]

Why have you configured the MAC address for ether2 manually? Does it not clash with another MAC address in the system? What is its first byte?

When you make ether2 a member port of the bridge, the MAC address of the bridge is used for IP traffic that goes via ether2.
by sindy
Thu Oct 31, 2024 10:42 am
Forum: General
Topic: Cannot ping default gateway on one of WAN interfaces [SOLVED]
Replies: 10
Views: 905

Re: Cannot ping default gateway on one of WAN interfaces [SOLVED]

The fact that you cannot ping the default gateway 192.168.11.1 may be caused by some funny setting of the TP-link, so first of all, what does /ip arp print where address=192.168.11.1 show? If nothing, run :ping 192.168.11.1 arp-ping=yes interface=ether2 and if you get responses, run the previous com...
by sindy
Thu Oct 31, 2024 10:00 am
Forum: General
Topic: TiVo => EoIP => TiVo ... fail
Replies: 15
Views: 1542

Re: TiVo => EoIP => TiVo ... fail

Q: Can I use Torch to see what is going on in my remote NE location? A: You can but I'd strongly advise against that. /tool sniffer is much more useful in terms that it both shows the actual direction of individual packets if used alone like Torch and it saves the captured packets in pcap format in...
by sindy
Thu Oct 31, 2024 8:51 am
Forum: General
Topic: DUAL WAN into one connection use
Replies: 10
Views: 707

Re: DUAL WAN into one connection use

I would not mind trying to get that to work, but cost-wise, and where would such a router be placed, per say? It should be placed in some VPS provider datacenter "netwographically" close to your ISP (as in "the one with shortest ping response time from your on-site router no matter t...
by sindy
Wed Oct 30, 2024 9:38 pm
Forum: General
Topic: DUAL WAN into one connection use
Replies: 10
Views: 707

Re: DUAL WAN into one connection use

I thought the Mikrotik router in the middle could do something like packet splitting between the two active links to and from the ISPS and then merge them all together when sent to my local network for consumption. First, a packet cannot be split in terms that its first half would use one link and ...
by sindy
Wed Oct 30, 2024 8:03 pm
Forum: General
Topic: Wi-fi endpoint is not accessible
Replies: 2
Views: 301

Re: Wi-fi endpoint is not accessible

i - catch non-running state in wifi1 interface Not sure what exactly you test. If no wireless client is connected, it is normal that an AP wireless interface is shown (and treated by routing) as not running, could it be as simple as that? when i change location (plug in/out to different ethernet ho...
by sindy
Wed Oct 30, 2024 5:05 pm
Forum: General
Topic: RouterOS 7 VLAN access problem on PPC architecture
Replies: 15
Views: 4273

Re: RouterOS 7 VLAN access problem on PPC architecture

Have supout bug reports been sent to MT, on these issues??
Look at viewtopic.php?p=980927#p980927
by sindy
Wed Oct 30, 2024 5:02 pm
Forum: Beginner Basics
Topic: Issues with hEX RB750Gr3 - VPN and Reconnect
Replies: 9
Views: 1012

Re: Issues with hEX RB750Gr3 - VPN and Reconnect

I would suggest to avoid doing too many changes at a time. So my course of action would be to reset the router to defaults change the LAN addresses to match the existing ones set up the single port forwarding rule you need to make OpenVPN work again try connecting to the L2TP server in the company (...
by sindy
Wed Oct 30, 2024 4:33 pm
Forum: General
Topic: DUAL WAN into one connection use
Replies: 10
Views: 707

Re: DUAL WAN into one connection use

This is theoretically possible, but with a lot of "ifs" and "provided thats". The key is that any remote server in the internet will send its response to any incoming request to the address from which the request has arrived. So if two physical paths are available, the sending si...
by sindy
Tue Oct 29, 2024 10:11 pm
Forum: General
Topic: Load Balancing and High Availability Setup Without NAT via L2TP
Replies: 1
Views: 848

Re: Load Balancing and High Availability Setup Without NAT via L2TP

Is this still a thing almost two months later?
by sindy
Tue Oct 29, 2024 5:20 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 801

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

You can put a list of two peers to a policy. If you do that, you only need scripting if you want to make sure that the traffic returns to the primary peer once it recovers. But I agree that a separate topic is a better place to discuss that should it prove necessary.
by sindy
Tue Oct 29, 2024 4:08 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 801

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

Please do, although the way you describe it, you did it correctly. Other than that, do you intend to use the Axis tunnel to connect to the whole internet or "only" to a bunch of subnets on their end? And will initiators/clients on the remote end of the tunnel connect to responders/servers ...
by sindy
Tue Oct 29, 2024 3:48 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 801

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

That makes no sense to me :shock: A policy with action=none just prevents any subsequent policy from picking the packet, so connections that do not need IPsec should not be affected. Maybe I have misunderstood something in your requirements? Or maybe you had dst-address and src-address right but the...
by sindy
Tue Oct 29, 2024 3:07 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 801

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

Sorry, I have missed that the dst-address and src-address of the added action=none policy for the public IP were swapped. 0.0.0.0/0 must be dst-address and xxx.xxx.xxx.147/32 must be src-address.
by sindy
Tue Oct 29, 2024 2:21 pm
Forum: Beginner Basics
Topic: Issues with hEX RB750Gr3 - VPN and Reconnect
Replies: 9
Views: 1012

Re: Issues with hEX RB750Gr3 - VPN and Reconnect

The existing firewall rules only deal with the traffic the router forwards between WAN and LAN, but they allow anyone to connect to the router itself. It has to be fixed ASAP, but it has nothing to do with the L2TP/IPsec issue. However, I don't understand the purpose of the following rule in NAT: ac...
by sindy
Mon Oct 28, 2024 7:03 pm
Forum: Beginner Basics
Topic: Issues with hEX RB750Gr3 - VPN and Reconnect
Replies: 9
Views: 1012

Re: Issues with hEX RB750Gr3 - VPN and Reconnect

My setup is almost identical to the video, but if more specific information is needed, Indeed, only the actual configuration is helpful - mistakes happen, differences considered negligible may actually have an impact etc. is there a guide on how to export a configuration file from my router while k...
by sindy
Mon Oct 28, 2024 6:31 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 801

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

That's strange. Please post the complete config export, obfuscating the public addresses by replacing their first three bytes using find&replace to prevent losing the consistency of the information. Don't forget to obfuscate also serial numbers, MAC addresses, and usernames for external services...
by sindy
Mon Oct 28, 2024 4:52 pm
Forum: General
Topic: 2 x Mikrotik CRS326-24G-2S+RM, one as router, other as a switch
Replies: 8
Views: 575

Re: 2 x Mikrotik CRS326-24G-2S+RM, one as router, other as a switch

Do they support the IEEE 1905.1 protocol? They don't, but that should not matter for your use case, as the topology the switches will form up will not provide multiple paths to choose from (or, if you use two DAC cables, it will provide just a plain ring where the length of both paths from a port o...
by sindy
Mon Oct 28, 2024 4:07 pm
Forum: General
Topic: IKE2 IPSec VPN: Windows11 shows disconnected?
Replies: 4
Views: 419

Re: IKE2 IPSec VPN: Windows11 shows disconnected?

Defining some local IP ranges in split-include results my Android client not reaching anything else than those IP ranges. Is this intended/known? Shall I create different mode-configs, profiles, etc for Android and Windows in case this type of split-tunnel is needed? Unfortunately, each IPsec imple...
by sindy
Mon Oct 28, 2024 1:47 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 801

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

they don't support split tunneling, so it's everything or nothing There is still some manoeuvring space between split tunneling and 0.0.0.0/0<->0.0.0.0/0, but not knowing what you actually need to tunnel them it is hard to guess whether you can actually use that space. In any case, policy based tra...
by sindy
Mon Oct 28, 2024 1:27 pm
Forum: General
Topic: prerouting & forwarding rule
Replies: 2
Views: 310

Re: prerouting & forwarding rule

On Mikrotik, the PREROUTING and POSTROUTING chains in table nat have been renamed to dstnat and srcnat, respectively. So using the Mikrotik syntax, your iptables commands look as follows: /ip firewall nat add chain=dstnat in-interface=lan protocol=tcp dst-port=8001 action=dst-nat to-addresses=1.2.3...
by sindy
Mon Oct 28, 2024 1:06 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 801

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

1. I've tried using Mode Configs to specify certain devices to route through this IPSec Tunnel, however when I add a Mode Config to the Identity the Profile never completes Phase2 The purpose of Mode Config is similar to DHCP - the initiator may ask the responder to assign it an IP address and a li...
by sindy
Mon Oct 28, 2024 12:09 pm
Forum: General
Topic: IPv6 issues with Telegram [SOLVED]
Replies: 12
Views: 825

Re: IPv6 issues with Telegram [SOLVED]

I am however not willing to dig deeper into this honestly. That's alright, it's a legitimate approach of a seasoned support technician who doesn't have enough time to care about the artistic impact of the fix, knowing that it has no substantial side effect. In your particular case, the only thing t...
by sindy
Mon Oct 28, 2024 11:44 am
Forum: General
Topic: IKE2 IPSec VPN: Windows11 shows disconnected?
Replies: 4
Views: 419

Re: IKE2 IPSec VPN: Windows11 shows disconnected?

There are two directions to dig in. First, the operating systems check reachability of internet by sending requests that can only be responded if internet is reachable, such as DNS requests to servers running on public addresses, but I've never managed to find any details. So the question is whether...
by sindy
Sun Oct 27, 2024 11:54 pm
Forum: General
Topic: IPv6 issues with Telegram [SOLVED]
Replies: 12
Views: 825

Re: IPv6 issues with Telegram [SOLVED]

Setting this manually on the Linux box to 1492 makes the curl succeed every time. As @eworm has stated, this should not be necessary if everything worked the way it should. There is that thing called Path MTU Discovery (PMTUD) that allows the sender of a packet to get notified that at some place on...
by sindy
Sun Oct 27, 2024 7:19 pm
Forum: General
Topic: Port Forwarding FROM CHR [SOLVED]
Replies: 9
Views: 735

Re: Port Forwarding FROM CHR [SOLVED]

I apologize if I expressed myself badly, but what Sindy indicated made the difference. With so many occurrences of "the X/Y problem" phenomenon, @anav prefers to have a complete description of the functional requirements from the user perspective and then offer the simplest solution from ...
by sindy
Sun Oct 27, 2024 6:59 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 57
Views: 17281

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

First, it makes the posts more readable if you post the configurations between [ code] and [ /code] tags (one way to get them is to press the </> button in the editing toolbar). Next, what you posted is not a complete export of the actual configuration but rather a recording of the configuration s...