Community discussions

Search found 82 matches

by 16again
Fri Feb 19, 2021 2:21 pm
Forum: General
Topic: DNS over IPSec tunnel
Replies: 3
Views: 309

Re: DNS over IPSec tunnel

You need a similar rule for locally generated packets
/ip firewall mangle add action=mark-connection chain=output comment="VPN Routing" dst-address-list=OpenDNS new-connection-mark=VPN 
by 16again
Wed Feb 17, 2021 7:13 pm
Forum: General
Topic: DNS Flood
Replies: 8
Views: 2062

Re: DNS Flood

I would look at those dns requests in a sniffer, to see what is going on.
by 16again
Wed Feb 17, 2021 6:25 pm
Forum: General
Topic: CCR 1072 simple queues nstable bitrate
Replies: 2
Views: 261

Re: CCR 1072 simple queues nstable bitrate

2700 simple queues....
Does this mean, for every packet sent, 2700 rules are checked to find the matching rule? (on average, 1350 checks)
If this ends up on a single CPU core, it might become the bottleneck.
PCQ might be more effective to divide BW equally amongst groups of IP addresses
by 16again
Wed Feb 17, 2021 6:11 pm
Forum: General
Topic: Routing traffic though VPN SSTP to Mikrotik from a client W10
Replies: 2
Views: 148

Re: Routing traffic though VPN SSTP to Mikrotik from a client W10

This 10.0.0.0/8 route isn't pushed. afaik, ppp only negotiates an address, the route comes from classful routing. So better use 192.168.x.x for VPN clients, this will only use a class C /24 route. Look into the Windows PowerShell Add-VpnConnectionRoute command. It can add a route onto a VPN connection entry.
by 16again
Sat Feb 13, 2021 12:28 pm
Forum: General
Topic: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish
Replies: 4
Views: 292

Re: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish

pppoe packets themselves aren't routable, aren't IP and have no ttl. You cannot see if they bridge pppoe to another device. (probably the mac address they send changes) The encapsulated IP packet inside pppoe has a TTL set by the remote client, and is decremented by 1 for each routing hop in between. Brid...
by 16again
Sat Feb 13, 2021 12:08 pm
Forum: General
Topic: How to allow remote Wake on LAN through firewall without completely compromising security
Replies: 8
Views: 542

Re: How to allow remote Wake on LAN through firewall without completely compromising security

With or without VPN, this trick should work:
Send your WOL packet to some unused LAN IP address (dNAT or vpn), add a static ARP entry for that address, containing the LAN broadcast MAC ff-ff-ff-ff-ff-ff, and your WOL client will receive the WOL packet
by 16again
Mon Feb 08, 2021 12:20 am
Forum: General
Topic: masquerade or src-nat to-addresses
Replies: 2
Views: 320

Re: masquerade or src-nat to-addresses

masquerade is a special case of source-nat, which is handy if the WAN IP address can change and isn't known beforehand.

There are those who suggest to use src-nat whenever you can:
https://mum.mikrotik.com/presentations/ ... 948376.pdf
by 16again
Tue Feb 02, 2021 12:07 am
Forum: General
Topic: VPN IPSEC port change 500
Replies: 4
Views: 405

Re: VPN IPSEC port change 500

From wiki txt, the port option is only half of the solution: Sub-menu: /ip ipsec peer port (integer:0..65535; Default: 500) Communication port used (when router is initiator) to connect to remote peer in cases if remote peer uses non-default port. Seems to me RouterOS lacks the other half of solutio...
by 16again
Tue Feb 02, 2021 12:00 am
Forum: General
Topic: 3 Wan - 1 for Internet and 1 for VOIP only?
Replies: 2
Views: 251

Re: 3 Wan - 1 for Internet and 1 for VOIP only?

Routing can be easy:
ISP1 gets default route
ISP2 gets /32 route towards SIP server, distance 10
ISP3 gets /32 route towards SIP server, distance 20
Your biggest problem: On transition of voip between isp2 and isp3, you need to flush NAT connections. So you probably need a script to check health of...
by 16again
Sun Jan 31, 2021 3:32 pm
Forum: General
Topic: Processing order of properties in firewall rules
Replies: 1
Views: 196

Re: Processing order of properties in firewall rules

afaik, matching on most properties you mentioned might be done in a single step using a hash function
otoh: It does pay off having extra filter rules (like dest port 80,443) on costly L7 inspect rules. Those extra matches will be matched first, before spending CPU time on L7 matching
by 16again
Sat Jan 30, 2021 12:15 am
Forum: General
Topic: Two tunnels between two routers? EoIP + IPIP
Replies: 5
Views: 523

Re: Two tunnels between two routers? EoIP + IPIP

Why the need for 2 tunnels? If EoIP tunnel has IP addresses on both ends, route over this interface
by 16again
Sat Jan 30, 2021 12:11 am
Forum: General
Topic: Fair bandwidth distribution
Replies: 2
Views: 276

Re: Fair bandwidth distribution

Then set max-limit to 10Mb (or just below it), and pcq-rate to 0
This limits the total combined to 10Mb. A single client can get full speed, but when multiple clients contend for BW, each gets their own fair share.
by 16again
Sat Jan 30, 2021 12:03 am
Forum: General
Topic: Slow VPN performance?
Replies: 9
Views: 686

Re: Slow VPN performance?

Maybe the latency is forming the bottleneck. Can you test having both devices direct connected?
by 16again
Fri Jan 29, 2021 11:48 pm
Forum: General
Topic: Constantly changing SSH keys and missing users
Replies: 4
Views: 365

Re: Constantly changing SSH keys and missing users

Obvious question...did you compare current config to previous versions in config archive?
by 16again
Fri Jan 29, 2021 10:47 pm
Forum: General
Topic: How to Hide MTU Fragmentation / Higher MTU Issue
Replies: 1
Views: 231

Re: How to Hide MTU Fragmentation / Higher MTU Issue

afaik, after fragmentation, the receiving end point re-assembles, not the routers in between. Maybe you can get around this, by first encapsulating the 1600-byte packet into something like GRE. This will result in a 1620-byte GRE packet. Your sending router will fragment the GRE packet, to send it o...
by 16again
Wed Jan 27, 2021 12:27 pm
Forum: General
Topic: IP Firewall Nat
Replies: 8
Views: 1140

Re: IP Firewall Nat

As src MAC isn't usable, go for alternatives that do work. Like source IP address. If that's dynamic, port knocking or access VPN
by 16again
Tue Jan 26, 2021 11:23 pm
Forum: General
Topic: Multiple EoIP Tunnels On Single WAN But With Multiple IPs
Replies: 4
Views: 296

Re: Multiple EoIP Tunnels On Single WAN But With Multiple IPs

If you mark a packet before it is tunneled/encapsulated in EoIP, this marking might still be present on the encapsulated EoIP. If so, use it in normal PBR rules. Your 4 different gateways.....are those 4 different devices on different WAN links? If they all have the same MAC address.......these efforts ar...
by 16again
Mon Jan 25, 2021 9:11 pm
Forum: General
Topic: PPTP server behind 1:1 nat
Replies: 4
Views: 401

Re: PPTP server behind 1:1 nat

The ISP device, does it have such pptp helper checkbox?
Use the sniffer tool on both ends to see which side sends/receives GRE protocol packets. They might get blocked somewhere in between, probably on the ISP router
by 16again
Mon Jan 25, 2021 9:01 pm
Forum: General
Topic: IPSEC Forwarding
Replies: 4
Views: 353

Re: IPSEC Forwarding

Forward ports udp500 and 4500
On Drayteks, find a checkbox that enables NAT-traversal. This makes sure udp4500 is used instead of ESP
by 16again
Sun Jan 24, 2021 3:22 pm
Forum: General
Topic: CCR1009-8G-1S-1S+ height cpu 1 management
Replies: 2
Views: 253

Re: CCR1009-8G-1S-1S+ height cpu 1 management

eoip suggests tunneling. And tcp fragmentation.
Find out the max mtu on the tunnel, and set up mss-clamp accordingly
by 16again
Sun Jan 24, 2021 2:40 pm
Forum: General
Topic: Firewall Filtering ICMP Packet [SOLVED]
Replies: 5
Views: 465

Re: Firewall Filtering ICMP Packet [SOLVED]

Either filter on ICMP specifics, as suggested above (ICMP-request and ICMP-response can be handled differently)
Better:
Dive into stateful firewalling. This way you can allow return traffic for a packet sent out earlier.
by 16again
Sun Jan 24, 2021 2:35 pm
Forum: General
Topic: Port Forwarding: Modem -> Router -> AP -> Server
Replies: 2
Views: 241

Re: Port Forwarding: Modem -> Router -> AP -> Server

Seems like NAT behind NAT
MT SRC address should be empty.
DST address is MT WAN IP.
To address should (in the double NAT case) be the AP WAN IP, something like 192.168.88.111
by 16again
Sat Jan 23, 2021 7:22 pm
Forum: General
Topic: Is it possible to use one of our assigned Public IPs on external router connected to another ISP?
Replies: 3
Views: 301

Re: Is it possible to use one of our assigned Public IPs on external router connected to another ISP?

If routers aren't directly connected, it won't work. They are unaware of your eBGP session, and a single /32 isn't advertised to them
To be able to use your IP address elsewhere, encapsulate this IP in GRE tunnel between vultr and your on prem CCR
by 16again
Sat Jan 23, 2021 5:58 pm
Forum: General
Topic: Problem with IP/address and IP/route pref-source need some help
Replies: 2
Views: 207

Re: Problem with IP/address and IP/route pref-source need some help

On the connecting device, add interface IP address in same subnet, and add masquerade rule.
Then the remote device doesn't need its GW properly set
by 16again
Sat Jan 23, 2021 12:55 pm
Forum: General
Topic: Is RouterOS and (routing in general) still faster on routers than on dedicated computer ? [SOLVED]
Replies: 13
Views: 1167

Re: Is RouterOS and (routing in general) still faster on routers than on dedicated computer ? [SOLVED]

Mikrotik routers are generic CPUs like a PC would be, ASICs you will find in higher end gear like Cisco.
imho, a PC CPU is way more powerful than (lower end) MT CPUs. Hardware tricks like fast-path make up for that and this resembles ASIC
by 16again
Sat Jan 23, 2021 12:44 pm
Forum: General
Topic: IPSec ESP over UDP without NAT
Replies: 5
Views: 446

Re: IPSec ESP over UDP without NAT

If you can't force encapsulation, adding nat to the picture makes sense as a workaround.
Make sure to add dNAT rules, so connection can also be initiated from remote. And you probably already have masquerade
by 16again
Wed Jan 20, 2021 9:42 pm
Forum: General
Topic: Why is not blocking an ip adress
Replies: 6
Views: 420

Re: Why is not blocking an ip adress

Your rule blocks traffic to router itself (ping winbox, webfig....) but not traffic going through the router, like port forwards.

Or does another allow rule come before block rule?
by 16again
Wed Jan 20, 2021 9:39 pm
Forum: General
Topic: IPSec ESP over UDP without NAT
Replies: 5
Views: 446

Re: IPSec ESP over UDP without NAT

Could be as simple as checking "NAT Traversal" on your IPSEC profile
by 16again
Sun Jan 17, 2021 2:17 pm
Forum: General
Topic: Configure OpenVPN + Mikrotik connection before user login
Replies: 1
Views: 191

Re: Configure OpenVPN + Mikrotik connection before user login

Seems to me like it's more a Windows than an MT issue.
The openvpn client should run using the machine account, not the user account.
https://superuser.com/questions/1166026 ... windows-10
by 16again
Sun Jan 17, 2021 2:09 pm
Forum: General
Topic: How to send multiples routes to L2TP client
Replies: 3
Views: 319

Re: How to send multiples routes to L2TP client

Try powershell:
Add-VpnConnectionRoute -ConnectionName "MyVPN" -DestinationPrefix "10.0.0.0/8"
Add-VpnConnectionRoute -ConnectionName "MyVPN" -DestinationPrefix "172.16.0.0/12"
by 16again
Sun Jan 17, 2021 2:01 pm
Forum: General
Topic: FTP Server w/ Small MTU
Replies: 5
Views: 431

Re: FTP Server w/ Small MTU

Your mangle rule is in chain forward, but the router is hosting the files. So I'd put the mangle rule in output.
Also, as you mention ftp: active ftp has a data connection which is opened by the server, whereas passive ftp only uses tcp connections opened by the client
by 16again
Fri Jan 15, 2021 8:20 pm
Forum: General
Topic: FTP Server w/ Small MTU
Replies: 5
Views: 431

Re: FTP Server w/ Small MTU

If files are transferred using TCP, use firewall-mangle rules to clamp MSS to your desired value
by 16again
Fri Jan 15, 2021 8:07 pm
Forum: General
Topic: Mikrotik and Cisco Router GRE Tunnel Problem
Replies: 18
Views: 1117

Re: Mikrotik and Cisco Router GRE Tunnel Problem

At the device which has received the keepalive request, the "pre-cooked" keepalive response extracted from the request is forwarded from its in-interface, which is the GRE tunnel being keepalived itself, to some out-interface, which is the gateway interface facing towards the remote GR...
by 16again
Fri Jan 15, 2021 10:08 am
Forum: General
Topic: Mikrotik and Cisco Router GRE Tunnel Problem
Replies: 18
Views: 1117

Re: Mikrotik and Cisco Router GRE Tunnel Problem

So whereas the keepalive request packet is handled by chain output, the keepalive response packet is handled by chain forward.
Forward to what? I'd expect keep-alive response ending up in input chain
by 16again
Sun Sep 15, 2019 10:31 am
Forum: General
Topic: Windows Device CAL for Mikrotik VPN [SOLVED]
Replies: 2
Views: 1038

Re: Windows Device CAL for Mikrotik VPN [SOLVED]

MT vpn also uses a Windows user login, so you could use a user CAL instead
by 16again
Sat Sep 14, 2019 2:59 pm
Forum: General
Topic: Yet another GRE not working [SOLVED]
Replies: 7
Views: 3210

Re: Yet another GRE not working [SOLVED]

Your ipsec policy matches traffic 192.168.200.2/32 <->192.168.200.1/32, but it should match traffic between GRE local and remote addresses 1.1.1.1 <->2.2.2.2 As these are your WAN IPs, ipsec policy also should match GRE traffic.....or tunneled traffic might re-enter the tunnel endlessly. A way aroun...
by 16again
Fri Sep 13, 2019 8:56 am
Forum: General
Topic: Access UDP port 47808 via PPTP VPN
Replies: 4
Views: 1032

Re: Access UDP port 47808 via PPTP VPN

This rule looks suspicious:
add action=accept chain=forward comment=Test dst-address-list=192.168.1.42 dst-port=47808 protocol=udp src-address-list="PPTP Pool" src-port=47808
Drop the source port, as most protocols use a source port from a random pool. Also, some endpoints don't have def...
by 16again
Fri Sep 13, 2019 12:27 am
Forum: General
Topic: IPsec communication problems over VRRP configuration
Replies: 5
Views: 1404

Re: IPsec communication problems over VRRP configuration

Review logs, to see if VRRP didn't hiccup. Also, I'd focus on src-nat rules. Exclude the VRRP source address from ever being masqueraded or sNAT-ted. Or in the filter-out chain, block IPSEC packets to peers, sourced from .14
20 minutes recovery time......conntrack timeout for ESP is 10 minutes. Look into...
by 16again
Thu Sep 12, 2019 12:46 am
Forum: General
Topic: GRE dont-fragment - inherit from where? [SOLVED]
Replies: 7
Views: 2595

Re: GRE dont-fragment - inherit from where? [SOLVED]

afaik, inherit indeed means "use DF flag" of the original packet. Note a GRE interface is unaware of its parent interface, all you specify is IP local/remote addresses for the tunnel
by 16again
Sun Feb 04, 2018 3:49 pm
Forum: Beginner Basics
Topic: QOS for VoIP - Confirmation
Replies: 17
Views: 6487

Re: QOS for VoIP - Confirmation

@pe1chl
Who said anything about dropping packets? In download queue, we're shaping traffic, that's delaying and not dropping.
imho, this is an effective way to keep total tcp throughput under control, leaving room for VOIP traffic
by 16again
Fri Feb 02, 2018 2:29 pm
Forum: General
Topic: RB750Gr3 l2tp/ipsec unbearably slow
Replies: 22
Views: 7447

Re: RB750Gr3 l2tp/ipsec unbearably slow

with/without fastpath, the RB750Gr3 hardware should be able to do way more than this.
Check for full/half duplex mismatch settings and errors like collisions on 100Mb/s Ethernet interfaces
by 16again
Fri Feb 02, 2018 2:23 pm
Forum: General
Topic: hex router and 3cx
Replies: 6
Views: 1139

Re: hex router and 3cx

On dNAT rules, set incoming interface=WAN interface
by 16again
Thu Feb 01, 2018 11:58 pm
Forum: General
Topic: tls-host no document [SOLVED]
Replies: 18
Views: 7719

Re: tls-host no document [SOLVED]

SNI is a server thingy.
When opening an https webpage, a certificate with the name of the website FQDN is always requested. (this takes place after the tcp 3-way handshake at session start)
In my understanding, this tls-host thingy is just a dedicated L7 filter, targeting this certificate name in the SSL handshake
by 16again
Thu Feb 01, 2018 11:35 pm
Forum: General
Topic: [Help] About Queue size (pfifo)
Replies: 4
Views: 2779

Re: [Help] About Queue size (pfifo)

For order of magnitude:
Make the amount of data sent at the set max speed fit for about 200 milliseconds
by 16again
Thu Feb 01, 2018 11:28 pm
Forum: General
Topic: hex router and 3cx
Replies: 6
Views: 1139

Re: hex router and 3cx

Hard to tell without seeing the config.
Seems like you have a dNAT rule in place, that maps all traffic destined to udp port 5060 to 192.168.0.200.....but this rule is active for traffic entering the LAN interface too!
by 16again
Thu Feb 01, 2018 11:16 pm
Forum: General
Topic: Bandwidth Share Equal
Replies: 3
Views: 701

Re: Bandwidth Share Equal

The mangle rules: Packets coming in on WAN are client download, and vice versa. Upload queue is attached to the WAN interface. Masquerade has already taken place, so PCQ on source IP won't work. Create a parent queue on the global interface, set BW at minimum equal to your VDSL up and down speed combined, then...
by 16again
Wed Jan 31, 2018 12:08 am
Forum: General
Topic: How to allow two devices with same IP access internet [SOLVED]
Replies: 21
Views: 3660

Re: How to allow two devices with same IP access internet [SOLVED]

I'm not sure how far you'll get with it....but this topic needs to have VRF mentioned in it.
by 16again
Sun Jan 28, 2018 10:12 pm
Forum: General
Topic: RSTP - Disable on one port
Replies: 6
Views: 2751

Re: RSTP - Disable on one port

afaik, the idea behind an edge port is that it automatically blocks when BPDUs are received. This protects against both loops and your STP root being overthrown.
by 16again
Sat Jan 27, 2018 1:40 pm
Forum: Beginner Basics
Topic: In what programming language was Winbox made? [SOLVED]
Replies: 8
Views: 2430

Re: In what programming language was Winbox made? [SOLVED]

"GCC: (GNU) 4.8.2" shows up multiple times in binary, so I guess GCC compiled it
by 16again
Thu Jan 25, 2018 8:07 pm
Forum: Beginner Basics
Topic: PPPOE problem with ip pool
Replies: 1
Views: 437

Re: PPPOE problem with ip pool

Getting the .10 address back...isn't a bad thing.
Real question: are the other IP addresses in pool still available for other pppoe clients?
by 16again
Thu Jan 25, 2018 2:56 pm
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 4480

Re: IPv6 router settings

2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP. Allowing all ICMP in isn't such a good idea as well. An ICMP ping sweep from internet to internal LAN will make the router start ND process for each and every internal host pinged. The potential ...
by 16again
Thu Jan 25, 2018 10:55 am
Forum: General
Topic: Huge delay during TCP Initial Handshake
Replies: 26
Views: 4159

Re: Huge delay during TCP Initial Handshake

SYN packets not being sent out, but answered locally....sounds to me like some SYN flood detection is enabled, and no longer working properly.

Normally, syn flood protection works the other way around, protecting an internal server from way too many half-open sessions
by 16again
Thu Jan 25, 2018 10:45 am
Forum: General
Topic: decrease TX-Power
Replies: 13
Views: 7588

Re: decrease TX-Power

What is there to violate....when we want to decrease the TX level. (which is a good idea having multiple APs in a "small" area)

If I want to violate regulations...what happens when I configure my antenna as if it does -20 dB gain?
by 16again
Wed Jan 17, 2018 8:52 pm
Forum: Beginner Basics
Topic: Query about default filter rules of RB750GR3
Replies: 11
Views: 1646

Re: Query about default filter rules of RB750GR3

I guess these rules allow encrypted packets ("inner" VPN stuff) to pass, and probably translate into "iptables --pol ipsec" rules under the hood
by 16again
Sat Jan 13, 2018 2:13 pm
Forum: General
Topic: Need help with VPN and src-nat [SOLVED]
Replies: 6
Views: 2005

Re: Need help with VPN and src-nat [SOLVED]

To get proper 1:1 nat relationship, I'd add a dst-nat rule as well.
Without it , sessions can only be set up in one direction
by 16again
Sat Jan 13, 2018 2:07 pm
Forum: General
Topic: SSL Certificate to Access Web server
Replies: 1
Views: 676

Re: SSL Certificate to Access Web server

Authentication between web server and web client ......should be done on the server and the client. Not on router in between.

Microsoft IIS can do this, pretty sure other decent webservers also will have this functionality
by 16again
Sat Jan 13, 2018 2:00 pm
Forum: General
Topic: Poor performance with GRE tunnel
Replies: 7
Views: 3149

Re: Poor performance with GRE tunnel

Remote endpoints aren't aware of the GRE tunnel in between them, and its MTU. So they'll negotiate a too big packet size on tcp session setup. And routers will start fragmenting oversized tcp packets (ie most packets). When the DontFragment bit was set, the router will send back "fragmentation needed&...
by 16again
Thu Jan 11, 2018 8:01 pm
Forum: Scripting
Topic: Layer7 code
Replies: 3
Views: 1509

Re: Layer7 code

for bittorrent , try:

^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
by 16again
Thu Jan 11, 2018 7:55 pm
Forum: Beginner Basics
Topic: Router time and date
Replies: 9
Views: 1452

Re: Router time and date

sntp client is all that is needed to time-sync the device.....but it still needs access to external ntp server.
Since there's no external connection, do you have internal devices acting as ntp server? A windows AD controller already does this job
by 16again
Thu Jan 11, 2018 7:52 pm
Forum: General
Topic: SNTP client get unauthorized NTP requests
Replies: 4
Views: 894

Re: SNTP client get unauthorized NTP requests

No firewall rules in the forward chain for fastpath....is sort of OK
But this shouldn't rule out firewall rules in the input chain (which isn't fast-pathed to begin with)

@ pe1chl
The 1st UDP packet is in my definition the request. If we block it in the input chain, there will be no reply
by 16again
Thu Jan 11, 2018 1:25 pm
Forum: Beginner Basics
Topic: Layer 7 protocol filter did't work for me
Replies: 1
Views: 1488

Re: Layer 7 protocol filter did't work for me

Most downloads are https, and L7 filter won't see filename.

Try matching on:
^..+\.(exe|iso|mp3|EXE|ISO|MP3).*$
by 16again
Thu Jan 11, 2018 12:03 am
Forum: Beginner Basics
Topic: Mikrotik Can't Resolve Some URLs
Replies: 2
Views: 606

Re: Mikrotik Can't Resolve Some URLs

Not resolving (=dns) ....or not opening the website?
Since you're using pppoe, prime suspect is mss-clamp. Make sure to enable it
by 16again
Wed Jan 10, 2018 11:58 pm
Forum: General
Topic: Rule order for established
Replies: 7
Views: 1322

Re: Rule order for established

Best example of related:
MT router listens in on ftp-control channel, and notices an active ftp download is about to take place, and opens the required ftp-data port (=related) automatically.
by 16again
Wed Jan 10, 2018 11:51 pm
Forum: General
Topic: Bandwidth Problems
Replies: 3
Views: 1077

Re: Bandwidth Problems

Most likely Ethernet duplex mismatch
Play around with Ethernet speed and duplex settings
by 16again
Wed Jan 10, 2018 8:39 pm
Forum: General
Topic: Rule order for established
Replies: 7
Views: 1322

Re: Rule order for established

established = state tracking has seen traffic in both directions.
I'd define it as: has passed traffic in one direction.

In home NAT environments, if your browser sends tcp syn, the 1st returning syn,ack already is related. (otherwise it would be blocked !)
by 16again
Wed Jan 10, 2018 8:28 pm
Forum: General
Topic: Huge delay during TCP Initial Handshake
Replies: 26
Views: 4159

Re: Huge delay during TCP Initial Handshake

When you specify an interface as the gateway for a route: On point-to-multipoint links like ethernet, other router brands just start ARPing for the destination address, even if that address is NOT on the subnet. This will only work if the other router has proxy-ARP enabled. This will result in huge ARP...
by 16again
Tue Jan 09, 2018 9:55 pm
Forum: General
Topic: expired certificates
Replies: 3
Views: 2902

Re: expired certificates

Only the CA itself has the private key (K), you don't need this on endpoints.
The local certificate for the router itself is the only certificate that does require the private key being included.
by 16again
Tue Jan 09, 2018 9:47 pm
Forum: General
Topic: Timeout problem RouterOS 6.41
Replies: 2
Views: 544

Re: Timeout problem RouterOS 6.41

Probably, counter is reset to 5:00 when new packet hits the "add src to address list" rule
by 16again
Tue Jan 09, 2018 9:40 pm
Forum: Forwarding Protocols
Topic: Best option for transparent L2 tunnel
Replies: 3
Views: 1893

Re: Best option for transparent L2 tunnel

As you mention MTU=1500: Are customer packets passed being fragmented? The extra processing involved slows things down
by 16again
Mon Jan 08, 2018 10:27 pm
Forum: General
Topic: Block WinBox discovery from specific address
Replies: 7
Views: 3016

Re: Block WinBox discovery from specific address

Discovery packets are sent from the MT router to broadcast IP 255.255.255.255:5678 , which isn't blocked by your rules
by 16again
Mon Jan 08, 2018 10:22 pm
Forum: General
Topic: expired certificates
Replies: 3
Views: 2902

Re: expired certificates

since CA is also expired, restart from scratch generating all certificates
by 16again
Mon Jan 08, 2018 9:29 pm
Forum: Forwarding Protocols
Topic: Changing bridget network to RIP
Replies: 5
Views: 1029

Re: Changing bridget network to RIP

On routed network, MAC addresses don't propagate: each router strips the original MAC address, and uses its own MAC address when sending out the packet
by 16again
Sun Jan 07, 2018 10:00 am
Forum: Beginner Basics
Topic: Port Forwarding Issues
Replies: 3
Views: 762

Re: Port Forwarding Issues

afaik, you need to have a firewall rule alongside the dNAT rule, to actually allow the traffic in
by 16again
Fri Jan 05, 2018 12:22 am
Forum: General
Topic: DSL pppoe - how to assign public static IP?
Replies: 5
Views: 1977

Re: DSL pppoe - how to assign public static IP?

If that /29 address range is fixed (and it has to be, as it isn't pushed on pppoe login), you can use all of these 8 addresses in NAT rules without assigning them to any interface!
You can use them in both src and dst NAT rules.
by 16again
Fri Jan 05, 2018 12:05 am
Forum: Forwarding Protocols
Topic: PBR and Packet lost somewhere
Replies: 2
Views: 769

Re: PBR and Packet lost somewhere

1st thing that comes to mind:
Both LAN router and "firewall" need to have route back to 10.104.17.x network
by 16again
Fri Jan 05, 2018 12:02 am
Forum: Forwarding Protocols
Topic: Changing bridget network to RIP
Replies: 5
Views: 1029

Re: Changing bridget network to RIP

Judging by IP addresses, this already is a routed network.
You can trade in static IP routing for routing protocol. OSPF is always preferred.
On small network like this, you can use rip instead, it has advantage of easier route manipulation (filtering summarizing etc)
by 16again
Tue Jan 02, 2018 11:36 pm
Forum: General
Topic: Connection marking and queues management doubts
Replies: 5
Views: 989

Re: Connection marking and queues management doubts

How did you implement "1 - Use a filter rule that automatically adds the dst-address to a list whenever a particular domain is matched (using the content field) ?"

Is iptable --restore-mark done automatically on return traffic? Under actions, I don't see option to do it manually.
by 16again
Tue Jan 02, 2018 11:14 pm
Forum: General
Topic: Streaming Sniffed Packets from External interface
Replies: 2
Views: 544

Re: Streaming Sniffed Packets from External interface

To see internal addresses, I'd try sniffing on LAN interface, and use external private IP to stream it to.
by 16again
Tue Jan 02, 2018 11:11 pm
Forum: General
Topic: QoS questions.
Replies: 2
Views: 664

Re: QoS questions.

For starters, ignore the black part, it is only about burst behavior.

Focus on the blue part, where packets are enqueued and dequeued. Dequeue speed is limited by the speed tokens arrive, the orange part
by 16again
Tue Jan 02, 2018 10:57 pm
Forum: Forwarding Protocols
Topic: h323 problem one way audio
Replies: 2
Views: 825

Re: h323 problem one way audio

Are you using (or can you configure) symmetric RTP ports?
This way audio in and audio out will use the same port-pair, so it can traverse stateful firewalls without the h323 helper.
by 16again
Tue Jan 02, 2018 12:15 pm
Forum: General
Topic: I broke TCP with dst-nat and can't connect to router
Replies: 13
Views: 1532

Re: I broke TCP with dst-nat and can't connect to router

New here....but maybe you can use the ipv6 link-local address to connect SSH to the box.
The link-local address can be derived from the MAC address, still visible in the arp table of your computer
by 16again
Fri Dec 29, 2017 1:33 pm
Forum: General
Topic: How to disconnect active SSH or Winbox or TCP session
Replies: 7
Views: 5294

Re: How to disconnect active SSH or Winbox or TCP session

Add a black-hole /32 route for the unauthorized source IP.