Community discussions

Search found 48 matches

by 16again
Sun Sep 15, 2019 10:31 am
Forum: General
Topic: Windows Device CAL for Mikrotik VPN [SOLVED]
Replies: 2
Views: 538

Re: Windows Device CAL for Mikrotik VPN [SOLVED]

MT VPN also uses a Windows user login, so you could use a user CAL instead
by 16again
Sat Sep 14, 2019 2:59 pm
Forum: General
Topic: Yet another GRE not working [SOLVED]
Replies: 7
Views: 1036

Re: Yet another GRE not working [SOLVED]

Your ipsec policy matches traffic 192.168.200.2/32 <-> 192.168.200.1/32, but it should match traffic between GRE local and remote addresses 1.1.1.1 <-> 2.2.2.2. As these are your WAN IPs, ipsec policy also should match GRE traffic.....or tunneled traffic might re-enter the tunnel endlessly. A way aroun...
by 16again
Fri Sep 13, 2019 8:56 am
Forum: General
Topic: Access UDP port 47808 via PPTP VPN
Replies: 4
Views: 505

Re: Access UDP port 47808 via PPTP VPN

This rule looks suspicious: add action=accept chain=forward comment=Test dst-address-list=192.168.1.42 \ dst-port=47808 protocol=udp src-address-list="PPTP Pool" src-port=47808 Drop the source port, as most protocols use a source port from a random pool. Also, some endpoints don't have default gatew...
by 16again
Fri Sep 13, 2019 12:27 am
Forum: General
Topic: IPsec communication problems over VRRP configuration
Replies: 5
Views: 701

Re: IPsec communication problems over VRRP configuration

Review logs, to see if VRRP didn't hiccup. Also, I'd focus on src-nat rules. Exclude VRRP source address from ever being masqueraded or sNAT-ted. Or in filter-out chain, block IPSEC packets to peers, sourced from .14 20 minutes recovery time......conntrack timeout for ESP is 10 minutes. Look into...
by 16again
Thu Sep 12, 2019 12:46 am
Forum: General
Topic: GRE dont-fragment - inherit from where? [SOLVED]
Replies: 7
Views: 937

Re: GRE dont-fragment - inherit from where? [SOLVED]

afaik, inherit indeed means "use DF flag" of original packet. Note a GRE interface is unaware of its parent interface; all you specify is the local/remote IP addresses for the tunnel
by 16again
Sun Feb 04, 2018 3:49 pm
Forum: Beginner Basics
Topic: QOS for VoIP - Confirmation
Replies: 17
Views: 2963

Re: QOS for VoIP - Confirmation

@pe1chl
Who said anything about dropping packets? In download queue, we're shaping traffic, that's delaying and not dropping.
imho, this is an effective way to keep total tcp throughput under control, leaving room for VOIP traffic
by 16again
Fri Feb 02, 2018 2:29 pm
Forum: General
Topic: RB750Gr3 l2tp/ipsec unbearably slow
Replies: 19
Views: 3398

Re: RB750Gr3 l2tp/ipsec unbearably slow

With/without fastpath, the RB750Gr3 hardware should be able to do way more than this.
Check for full/half duplex mismatch settings and errors like collisions on 100Mb/s Ethernet interfaces
by 16again
Fri Feb 02, 2018 2:23 pm
Forum: General
Topic: hex router and 3cx
Replies: 6
Views: 642

Re: hex router and 3cx

On dNAT rules, set incoming interface=WAN interface
by 16again
Thu Feb 01, 2018 11:58 pm
Forum: General
Topic: tls-host no document [SOLVED]
Replies: 18
Views: 5699

Re: tls-host no document [SOLVED]

SNI is a server thingy.
Opening an https webpage, a certificate with the name of the website FQDN is always requested. (This takes place after the TCP 3-way handshake at session start.)
In my understanding, this tls-host thingy is just a dedicated L7 filter, targeting this certificate name in the SSL handshake
by 16again
Thu Feb 01, 2018 11:35 pm
Forum: General
Topic: [Help] About Queue size (pfifo)
Replies: 4
Views: 1370

Re: [Help] About Queue size (pfifo)

For order of magnitude:
Make the amount of data sent at the set max speed fit in about 200 milliseconds
by 16again
Thu Feb 01, 2018 11:28 pm
Forum: General
Topic: hex router and 3cx
Replies: 6
Views: 642

Re: hex router and 3cx

Hard to tell without seeing config.
Seems like you have a dNAT rule in place that maps all traffic destined to udp port 5060 to 192.168.0.200.....but this rule is active for traffic entering the LAN interface too!
by 16again
Thu Feb 01, 2018 11:16 pm
Forum: General
Topic: Bandwidth Share Equal
Replies: 3
Views: 380

Re: Bandwidth Share Equal

The mangle rules: Packets coming in on WAN are client download, and vice versa. Upload queue is attached to WAN interface. Masquerade has already taken place, so PCQ on source IP won't work. Create parent queue on global interface, set BW at minimum equal to your VDSL up and down speed combined, then...
by 16again
Wed Jan 31, 2018 12:08 am
Forum: General
Topic: How to allow two devices with same IP access internet [SOLVED]
Replies: 21
Views: 2081

Re: How to allow two devices with same IP access internet [SOLVED]

I'm not sure how far you'll get with it....but this topic needs to have VRF mentioned in it.
by 16again
Sun Jan 28, 2018 10:12 pm
Forum: General
Topic: RSTP - Disable on one port
Replies: 5
Views: 1136

Re: RSTP - Disable on one port

afaik, the idea behind an edge port is that it automatically blocks when BPDUs are received. This protects against both loops and your STP root being overthrown.
by 16again
Sat Jan 27, 2018 1:40 pm
Forum: Beginner Basics
Topic: In what programming language was Winbox made? [SOLVED]
Replies: 8
Views: 1391

Re: In what programming language was Winbox made? [SOLVED]

"GCC: (GNU) 4.8.2" shows up multiple times in binary, so I guess GCC compiled it
by 16again
Thu Jan 25, 2018 8:07 pm
Forum: Beginner Basics
Topic: PPPOE problem with ip pool
Replies: 1
Views: 245

Re: PPPOE problem with ip pool

Getting the .10 address back...isn't a bad thing.
Real question: are the other IP addresses in pool still available for other pppoe clients?
by 16again
Thu Jan 25, 2018 2:56 pm
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 2760

Re: IPv6 router settings

2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP. Allowing all ICMP in isn't such a good idea either. An ICMP ping sweep from internet to internal LAN will make the router start the ND process for each and every internal host pinged. The potential ...
by 16again
Thu Jan 25, 2018 10:55 am
Forum: General
Topic: Huge delay during TCP Initial Handshake
Replies: 26
Views: 2553

Re: Huge delay during TCP Initial Handshake

SYN packets not being sent out, but answered locally....sounds to me like some SYN flood detection is enabled, and no longer working properly.

Normally, SYN flood protection works the other way around, protecting an internal server from way too many half-open sessions
by 16again
Thu Jan 25, 2018 10:45 am
Forum: General
Topic: decrease TX-Power
Replies: 8
Views: 3222

Re: decrease TX-Power

What is there to violate....when we want to decrease TX level. (Which is a good idea having multiple APs in a "small" area.)

If I want to violate regulations...what happens when I configure my antenna as if it has -20 dB gain?
by 16again
Wed Jan 17, 2018 8:52 pm
Forum: Beginner Basics
Topic: Query about default filter rules of RB750GR3
Replies: 11
Views: 941

Re: Query about default filter rules of RB750GR3

I guess these rules allow encrypted packets ("inner" VPN stuff) to pass, and probably translate into "iptables --pol ipsec" rules under the hood
by 16again
Sat Jan 13, 2018 2:13 pm
Forum: General
Topic: Need help with VPN and src-nat [SOLVED]
Replies: 6
Views: 1148

Re: Need help with VPN and src-nat [SOLVED]

To get a proper 1:1 NAT relationship, I'd add a dst-nat rule as well.
Without it, sessions can only be set up in one direction
by 16again
Sat Jan 13, 2018 2:07 pm
Forum: General
Topic: SSL Certificate to Access Web server
Replies: 1
Views: 374

Re: SSL Certificate to Access Web server

Authentication between web server and web client ......should be done on the server and the client. Not on router in between.

Microsoft IIS can do this, pretty sure other decent webservers also will have this functionality
by 16again
Sat Jan 13, 2018 2:00 pm
Forum: General
Topic: Poor performance with GRE tunnel
Replies: 7
Views: 1725

Re: Poor performance with GRE tunnel

Remote endpoints aren't aware of the GRE tunnel in between them, and its MTU. So they'll negotiate a too big packet size on tcp session setup. And routers will start fragmenting oversized tcp packets (ie most packets). When the DontFragment bit was set, the router will send back "fragmentation needed" icmp...
by 16again
Thu Jan 11, 2018 8:01 pm
Forum: Scripting
Topic: Layer7 code
Replies: 3
Views: 1038

Re: Layer7 code

for bittorrent, try:

^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
by 16again
Thu Jan 11, 2018 7:55 pm
Forum: Beginner Basics
Topic: Router time and date
Replies: 9
Views: 827

Re: Router time and date

sntp client is all that is needed to time-sync the device.....but it still needs access to an external ntp server.
Since there's no external connection, do you have internal devices acting as ntp server? A Windows AD controller already does this job
by 16again
Thu Jan 11, 2018 7:52 pm
Forum: General
Topic: SNTP client get unauthorized NTP requests
Replies: 4
Views: 523

Re: SNTP client get unauthorized NTP requests

no firewall rules in forward chain for fastpath....is sort of OK
But this shouldn't rule out firewall rules in in-chain (which isn't fast-pathed to begin with)

@ pe1chl
The 1st UDP packet is in my definition the request; if we block it in in-chain, there will be no reply
by 16again
Thu Jan 11, 2018 1:25 pm
Forum: Beginner Basics
Topic: Layer 7 protocol filter didn't work for me
Replies: 1
Views: 852

Re: Layer 7 protocol filter didn't work for me

Most downloads are https, and the L7 filter won't see the filename.

Try matching on:
^..+\.(exe|iso|mp3|EXE|ISO|MP3).*$
by 16again
Thu Jan 11, 2018 12:03 am
Forum: Beginner Basics
Topic: Mikrotik Can't Resolve Some URLs
Replies: 2
Views: 353

Re: Mikrotik Can't Resolve Some URLs

Not resolving (=dns)....or not opening the website?
Since you're using pppoe, prime suspect is mss-clamp. Make sure to enable it
by 16again
Wed Jan 10, 2018 11:58 pm
Forum: General
Topic: Rule order for established
Replies: 7
Views: 623

Re: Rule order for established

Best example of related:
MT router listens in on ftp-control channel, and notices an active ftp download is about to take place, and opens the required ftp-data port (=related) automatically.
by 16again
Wed Jan 10, 2018 11:51 pm
Forum: General
Topic: Bandwidth Problems
Replies: 3
Views: 657

Re: Bandwidth Problems

Most likely Ethernet duplex mismatch
Play around with Ethernet speed and duplex settings
by 16again
Wed Jan 10, 2018 8:39 pm
Forum: General
Topic: Rule order for established
Replies: 7
Views: 623

Re: Rule order for established

established = state tracking has seen traffic in both directions.
I'd define it as: has passed traffic in one direction.

In home NAT environments, if your browser sends tcp syn, the 1st returning syn,ack already is related. (otherwise it would be blocked !)
by 16again
Wed Jan 10, 2018 8:28 pm
Forum: General
Topic: Huge delay during TCP Initial Handshake
Replies: 26
Views: 2553

Re: Huge delay during TCP Initial Handshake

When you specify an interface as the gateway for a route: On point-to-multipoint links like ethernet, other router brands just start ARPing for the destination address, even if that address is NOT on the subnet. This will only work if the other router has proxy-ARP enabled. This will result in huge ARP ...
by 16again
Tue Jan 09, 2018 9:55 pm
Forum: General
Topic: expired certificates
Replies: 3
Views: 1340

Re: expired certificates

Only the CA itself has the private key (K); you don't need this on endpoints.
The local certificate for the router itself is the only certificate that does require the private key being included.
by 16again
Tue Jan 09, 2018 9:47 pm
Forum: General
Topic: Timeout problem RouterOS 6.41
Replies: 2
Views: 290

Re: Timeout problem RouterOS 6.41

Probably, the counter is reset to 5:00 when a new packet hits the "add src to address list" rule
by 16again
Tue Jan 09, 2018 9:40 pm
Forum: Forwarding Protocols
Topic: Best option for transparent L2 tunnel
Replies: 3
Views: 1341

Re: Best option for transparent L2 tunnel

As you mention MTU=1500: Are customer packets being fragmented as they pass? The extra processing involved slows things down
by 16again
Mon Jan 08, 2018 10:27 pm
Forum: General
Topic: Block WinBox discovery from specific address
Replies: 7
Views: 1489

Re: Block WinBox discovery from specific address

Discovery packets are sent from the MT router to broadcast IP 255.255.255.255:5678, which isn't blocked by your rules
by 16again
Mon Jan 08, 2018 10:22 pm
Forum: General
Topic: expired certificates
Replies: 3
Views: 1340

Re: expired certificates

Since the CA is also expired, restart from scratch generating all certificates
by 16again
Mon Jan 08, 2018 9:29 pm
Forum: Forwarding Protocols
Topic: Changing bridged network to RIP
Replies: 5
Views: 595

Re: Changing bridged network to RIP

On a routed network, MAC addresses don't propagate: each router strips the original MAC address, and uses its own MAC address when sending out the packet
by 16again
Sun Jan 07, 2018 10:00 am
Forum: Beginner Basics
Topic: Port Forwarding Issues
Replies: 3
Views: 422

Re: Port Forwarding Issues

afaik, you need to have a firewall rule alongside the dNAT rule, to actually allow the traffic in
by 16again
Fri Jan 05, 2018 12:22 am
Forum: General
Topic: DSL pppoe - how to assign public static IP?
Replies: 5
Views: 1125

Re: DSL pppoe - how to assign public static IP?

If that /29 address range is fixed (and it has to be, as it isn't pushed on pppoe login), you can use all of these 8 addresses in NAT rules without assigning them to any interface!
You can use them in both src and dst NAT rules.
by 16again
Fri Jan 05, 2018 12:05 am
Forum: Forwarding Protocols
Topic: PBR and Packet lost somewhere
Replies: 2
Views: 424

Re: PBR and Packet lost somewhere

1st thing that comes to mind:
Both LAN router and "firewall" need to have a route back to the 10.104.17.x network
by 16again
Fri Jan 05, 2018 12:02 am
Forum: Forwarding Protocols
Topic: Changing bridged network to RIP
Replies: 5
Views: 595

Re: Changing bridged network to RIP

Judging by IP addresses, this already is a routed network.
You can trade in static IP routing for a routing protocol. OSPF is always preferred.
On a small network like this, you can use RIP instead; it has the advantage of easier route manipulation (filtering, summarizing, etc.)
by 16again
Tue Jan 02, 2018 11:36 pm
Forum: General
Topic: Connection marking and queues management doubts
Replies: 5
Views: 513

Re: Connection marking and queues management doubts

How did you implement "1 - Use a filter rule that automatically adds the dst-address to a list whenever a particular domain is matched (using the content field)"?

Is iptables --restore-mark done automatically on return traffic? Under actions, I don't see an option to do it manually.
by 16again
Tue Jan 02, 2018 11:14 pm
Forum: General
Topic: Streaming Sniffed Packets from External interface
Replies: 2
Views: 301

Re: Streaming Sniffed Packets from External interface

To see internal addresses, I'd try sniffing on the LAN interface, and use an external private IP to stream it to.
by 16again
Tue Jan 02, 2018 11:11 pm
Forum: General
Topic: QoS questions.
Replies: 2
Views: 430

Re: QoS questions.

For starters, ignore the black part; it is only about burst behavior.

Focus on the blue part, where packets are enqueued and dequeued. Dequeue speed is limited by the speed tokens arrive, the orange part
by 16again
Tue Jan 02, 2018 10:57 pm
Forum: Forwarding Protocols
Topic: h323 problem one way audio
Replies: 2
Views: 454

Re: h323 problem one way audio

Are you using (or can you configure) symmetric RTP ports?
This way audio in and audio out will use the same port-pair, so it can traverse stateful firewalls without the h323 helper.
by 16again
Tue Jan 02, 2018 12:15 pm
Forum: General
Topic: I broke TCP with dst-nat and can't connect to router
Replies: 13
Views: 886

Re: I broke TCP with dst-nat and can't connect to router

New here....but maybe you can use the ipv6 link-local address to connect SSH to the box.
The link-local address can be derived from the MAC address, still visible in the arp table of your computer
by 16again
Fri Dec 29, 2017 1:33 pm
Forum: General
Topic: How to disconnect active SSH or Winbox or TCP session
Replies: 7
Views: 2406

Re: How to disconnect active SSH or Winbox or TCP session

Add a black-hole /32 route for the unauthorized source IP.