MikroTik

16again

You need a similar rule for local generated packets

/ip firewall mangle add action=mark-connection chain=output comment="VPN Routing" dst-address-list=OpenDNS new-connection-mark=VPN

16again

I would look at those dns requests in a sniffer , to see what is going on.

16again

2700 simple queues....
Does this mean, for every packet sent, 2700 rules are check to find matching rule? (on average , 1350 checks)
If this ends up on a single CPU core , it might become the bottle neck for.
PCQ might be more effective to divide BW equally amongst groups of IP addresses

16again

This 10.0.0.0/8 route isn't pushed. afaik, ppp only negotiates an address, the route comes from classfull routing. So better use 192.168.x.x for VPN clients, this will only use class C /24 route. Look into windows powershell Add-VpnConnectionRoute command. It can add route onto VPN connection entry.

16again

pppoe packets themself aren't routable, aren't IP and have no ttl. You can not see if they bridge pppoe to another device. (probably mac address they send changes) The encapsulated IP packet inside pppoe has a TTL set by to remote client, and is decremented by 1 for each routing hop in between. Brid...

16again

With or without VPN , this trick should work:
Send your wol packet to some unused LAN IP address (dNAT or vpn), add static ARP table for that address, containing LAN broadcast MAC ff-ff-ff-ff-ff-ff, and of your WOL client will receive the WOL packet

16again

masquerade is a special case of source-nat, which is handy if WAN IP address can change and isn't known at forehand.

There are those who suggest to use src-nat whenever you can:
https://mum.mikrotik.com/presentations/ ... 948376.pdf

16again

From wiki txt, the port option is only half of the solution: Sub-menu: /ip ipsec peer port (integer:0..65535; Default: 500) Communication port used (when router is initiator) to connect to remote peer in cases if remote peer uses non-default port. Seems to me RouterOS lacks the other half of solutio...

16again

Routing can be easy: ISP1 gets default route ISP2 gets /32 route towards SIP server, distance 10 ISP3 gets /32 route towards SIP server, distance 20 Your biggest problem: On transition of voip between isp2 and isp3 , you need to flush NAT connections. So you probably need a script to check health of...

16again

afaik, matching on most properties you mentioned might be done using single step using hash function
ototh: It does pay off having extra filter rules (like dest port 80,443) on costly L7 inspect rules. Those extra matches will be matched first, before spending CPU time on L7 matching

16again

Why the need for 2 tunnels? If EoIP tunnel has IP addresses on both ends, route over this interface

16again

Then set max-limit to 10Mb (or just below it), and pcq-rate to 0
This limits total combined to 10Mb. A single client can get full speed, but when multiple clients content for BW, each get their own fair share.

16again

Maybe the latency is forming the bottleneck. Can you test having both devices direct connected?

16again

Obvious question...did you compare current config to previous versions in config archive?

16again

afaik, after fragmentation, the receiving end point re-assembles, not the routers in between. Maybe you can get around this, by first encapsulating the 1600 bytes packet into something like GRE. This will result in 1620 bytes gre packet. Your sending router will fragment the GRE packet, to sent it o...

16again

As src MAC isn't usable, go for alternatives that do work. Like source IP address. If thats dynamic, port knocking or access VPN

16again

I you mark a packet before it is tunneled/encapsulated in EoIP, this marking might still be present on encapsulated EoIP. If so, use it in normal PBR rules Your 4 different gateways.....are those 4 different devices on different WAN links? If they all have the same MAC address.......these efforts ar...

16again

The ISP device, does it have such pptp helper checkbox?
Use sniffer tool on both ends to see which side sends/receives GRE protocol packets. They might get blocked somewhere in between , probably on ISP router

16again

Forward ports udp500 and 4500
On drayteks, find a checkbox that enables NAT-traversal. This make sure udp4500 is used instead of ESP

16again

eoip suggest tunneling. And tcp fragmentation.
Find out max mtu on tunnel, and setup mssclamp accordingly

16again

Either filter on ICMP specifics, as suggested above (ICMP-request and ICMP-response can be handled differently)
Better:
Dive into statefull firewalling. This way you can allow return traffic for a packet sent out earlier.

16again

Seems like NAT behind NAT
MT SRC address should be empty.
DST address is MT WAN IP.
To address should (in double NAT case) be AP WAN IP , something like 192.168.88.111

16again

If routers aren't directly connected, it won't work. They are unaware of your eBGP session, and a single /32 isn't advertised to them
To be able to use your IP address elsewhere, encapsulate this IP in GRE tunnel between vultr and your on prem CCR

16again

On the connecting device, add interface IP address in same subnet, and add masquerade rule.
Then the remote device doesn't need its GW properly set

16again

Mikrotik routers are generic CPUs like a PC would be, ASICs you will find in higher end gear like Cisco.

imho, a PC CPU is way more powerful than (lower end) MT CPUs. Hardware tricks like fast-path make up for that and this resembles ASIC

16again

If you can't force encapsulation, adding nat to the picture makes sense as a workaround.
Make sure to add dNAT rules, so connection can also be initiated from remote. And you probably already have masquerade

16again

Your rule blocks traffic to router itself (ping winbox, webfig....) but not traffic going through the router, like port forwards.

Or does another allow rule come before block rule?

16again

Could be as simple as checking "NAT Traversal" on your IPSEC profile

16again

Seems to me like it's more a windows than MT issue.
openvpn client should run using machine account, not user account.
https://superuser.com/questions/1166026 ... windows-10

16again

Try powershell:
Add-VpnConnectionRoute -ConnectionName "MyVPN" -DestinationPrefix "10.0.0.0/8"
Add-VpnConnectionRoute -ConnectionName "MyVPN" -DestinationPrefix "172.16.0.0/12"

16again

Your mangle rule is in chain forward, but a router is hosting the files. So I'd put mangle rule in output.
Also, as you mention ftp: active ftp has data connection which is opened by server, whereas passiv ftp only uses tcp connections opened by client

16again

If files are transferred using TCP, use firewall-mangle rules to clamp MSS to your desired value

16again

At the device which has received the keepalive request, the "pre-cooked" keepalive response extracted from the request is forwarded from its in-interface , which is the GRE tunnel beeing keepalived itself, to some out-interface , which is the gateway interface facing towards the remote GR...

16again

So whereas the keepalive request packet is handled by chain output, the keepalive response packet is handled by chain forward.

Forward to what? I'd expect keep-alive response ending up in input chain

16again

MT vpn also uses a windows user login , so you could use user CAL instead

16again

Your ipsec policy matches traffic 192.168.200.2/32 <->192.168.200.1/32, but it should match traffic between GRE local and remote addresses 1.1.1.1 <->2.2.2.2 As these are your WAN IPs, ipsec policy also should match GRE traffic.....or tunneled traffic might re-enter the tunnel endlessly. A way aroun...

16again

This rule looks suspicious: add action=accept chain=forward comment=Test dst-address-list=192.168.1.42 \ dst-port=47808 protocol=udp src-address-list="PPTP Pool" src-port=47808 Drop the source port, as most protocols use a source port from a random pool Also , some endpoints don't have def...

16again

Review logs , to see if VRRP didn't hick-up. Also, I'd focus on src-nat rules. Exclude VRRP source address from ever being masqueraded or sNAT-ted. Or in filter-out chain , block IPSEC packets to peers, sourced from .14 20 minutes recovery time......conntrack timeout for ESP is 10 minutes. Look into...

16again

afaik, inherent indeed means "use DF flag" of original packet. Note a GRE interface is unaware of its parent interface, all you specify is an IP local/remote addresses for the tunnel

16again

@pe1chl
Who said anything about dropping packets? In download queue, we're shaping traffic, that's delaying and not dropping.
imho, this is an effective way to keep total tcp throughput under control, leaving room for VOIP traffic

16again

with/without fastpath, the RB750Gr3 hardware should be able to do way more than this.
Check for full/half duplex mismatch settings and errors like collisions on 100Mb/s Ethernet interfaces

16again

On dNAT rules, set incoming interface=WAN interface

16again

SNI is a server thingy.
Opening a https webpage, always a certificate with name of website FQDN is requested. (this takes place after tcp 3 way handshake at session start)
In my understanding, this tls-host thingy is just a dedicated L7 filter, targeting this certificate name in SSL handshake

16again

For order of magnitude
Make the amount of data sent at set max speed fit for about 200milli seconds

16again

Hard to tell without seeing config.
Seems like you have a dNAT rule in place , that maps all traffic destined to udp port 5060 to 192.168.0.200.....but this rule is active for traffic entering LAN interface too !

16again

The mangle rules: Packets coming in on WAN are client download, and vice versa. Upload queue is attached to WAN interface. Masquerade has already taken place, so PCQ on source IP won't work Create parent queue on global interface, set BW at minimum equal to your VDSL up and down speed combined, then...

16again

I'm not sure how far you'll get with it....but this topic needs to have VRF mentioned in it.

16again

afaik , the idea behind an edge port, is that it automatically blocks when BPDUs are received. This prevents against both loops and your STP root being overthrown.

16again

"GCC: (GNU) 4.8.2" shows up multiple times in binary, so I guess GCC compiled it

16again

Getting the .10 address back...isn't a bad thing.
Real question: are the other IP addresses in pool still available for other pppoe clients?

16again

2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP. Allowing all ICMP in isn't such a good idea as well. An ICMP ping sweep from internet to internal LAN will make the router start ND process for each and every internal host pinged. The potential ...

16again

SYN packets not being sent out, but answered locally....sounds to me like some SYN flood detection is enabled, and no longer working properly.

Normally, syn flood protects the other way around, protecting internal server from way too much half open sessions

16again

What is there to violate....when we want do decrease TX level. (which is good idea having multiple APs in "small" area)

If I want to violate regulations...what happens when I configure my antenna as if it does -20 dB gain?

16again

I guess these rules allow encrypted packets ("inner" VPN stuff) to pass, and probably translate into "iptables --pol ipsec" rules under the hood

16again

To get proper 1:1 nat relationship, I'd add a dst-nat rule as well.
Without it , sessions can only be set up in one direction

16again

Authentication between web server and web client ......should be done on the server and the client. Not on router in between.

Microsoft IIS can do this, pretty sure other decent webservers also will have this functionality

16again

Remote endpoints aren't aware of the GRE tunnel in between them , and its MTU. So they'll negotiate a too big packet size on tcp session setup. And routers will start fragmenting oversized tcp packets (ie most packets). When DontFragment bit was set, router will sent back "fragmentation needed&...

16again

16again

sntp client is all that is needed to time-sync the device.....but it still needs access to external ntp server.
Since there's no external connection, do you have internal devices acting as ntp server? A windows AD controller already does this job

16again

no firewall rules in forward chain for fastpath ....is sort of OK
But this shouldn't rule out firewall rules in in-chain (which isn't fst-pathed to begin with)

@ pe1chl
The 1st UDP packet is in my definition the request, I we block it in in-chain, there will be no reply

16again

Most downloads are https, and L7 filter won't see filename.

Try matching on:
^..+\.(exe|iso|mp3|EXE|ISO|MP3).*$

16again

Not resolving (=dns) ....or not opening the website?
Since you're using pppoe, prime suspect is mss-clamp. Make sure to enable it

16again

Best example of related:
MT router listens in on ftp-control channel, and notices an active ftp download is about to take place, and opens the required ftp-data port (=related) automatically.

16again

Most likely Ethernet duplex mismatch
Play around with Ethernet speed and duplex settings

16again

established = state tracking has seen traffic in both directions.

I'd define it as: has passed traffic in one direction.

In home NAT environments, if your browser sends tcp syn, the 1st returning syn,ack already is related. (otherwise it would be blocked !)

16again

When you specify an interface as the gateway for a route: On point-to-multpoint links like ethernet, other router brands just start ARPing for the destination address, even if that address in NOT on the subnet. This will only work if other router has proxy-ARP enabled. This will result in huge ARP ...

16again

Only the CA itself has private key (K) , you don't need this on endpoints.
The local certificate for router itself is the only certificate that does require private key being included.

16again

Probably, counter is reset to 5:00 when new packet hits the "add src to address list" rule

16again

As you mention MTU=1500: Are customer packets passed being fragmented? The extra processing involved slows things down

16again

Discovery packets are sent from the MT router to broadcast IP 255.255.255.255:5678 , which isn't blocked by your rules

16again

since CA is also expired, restart from scratch generating all certificates

16again

On routed network, MAC addresses don't propagate: each router strips the original MAC address, and uses its own MAC address when sending out the packet

16again

afaik, you need to have a firewall rule alongside the dNAT rule, to actually allow the traffic in

16again

If those /29 address range is fixed (and it has to be as it isn't pushed on pppoe login), you can use all of these 8 addresses in NAT rules without assigning them to any interface !
You can use them in both src and dst NAT rules.

16again

1st thing that comes to mind:
Both LAN router and "firewall" need to have route back to 10.104.17.x network

16again

Judging by IP addresses, this already is a routed network.
You can trade in static IP routing for routing protocol. OSPF is always preferred.
On small network like this, you can use rip instead, it has advantage of easier route manipulation (filtering summarizing etc)

16again

How did you implement "1 - Use a filter rule that automatically adds the dst-address to a list whenever a particular domain is matched (using the content field) ?"

Is iptable --restore-mark done automatically on return traffic? Under actions, I don't see option to do it manually.

16again

To see internal addresses, I'd try sniffing on LAN interface, and use external private IP to stream it to.

16again

For starters, ignore the black part, it is only about burst behavior.

Focus on blue part , where packets are enqueued and dequeued. Dequeue speed is limited by speed tokens arrive, the orange part

16again

Are you using (or can you configure) symmetric RTP ports?
This way audio in and audio out will use same port-pair, so it can traverse statefull firewalls without h323 helper.

16again

New here....but maybe you can use ipv6 link local address to connect SSH to the box.
link local address can be derived from MAC address, still visible in arp table of your computer

16again

Add black-hole /32 route for unauthorized source IP .

Search found 82 matches