Search found 45 matches

by icsterm
Sun May 03, 2020 1:12 pm
Forum: RouterOS v7 BETA
Topic: Feature Request - Wireguard Protocol
Replies: 85
Views: 21773

Re: Feature Request - Wireguard Protocol

+1 for Wireguard, it's the future of VPN, simplicity and high performance.
by icsterm
Wed Feb 19, 2020 12:58 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 115754

Re: v6.47beta [testing] is released!

Latest TIK app indeed doesn't work with the latest ROS beta, constantly crashes after 'downloading plugins'. Using a hAP ac2. Also, we need the old way of displaying fonts, on smallest zoom on a 1080p monitor with 100% DPI scaling there is a lot of wasted space in the rows. We need a flag to enable...
by icsterm
Tue Jan 28, 2020 10:29 pm
Forum: Beginner Basics
Topic: USB LTE modem that supports cell lock
Replies: 1
Views: 932

USB LTE modem that supports cell lock

Hey, someone please recommend me a USB modem that can lock cells. My ISP has a few cells in my area and only one is constantly fast, but the signal strength is not the best on this cell. Which USB modem supports cell locking? Would like to not buy a new router just for this silly thing. Using a hAP ...
by icsterm
Thu Jan 09, 2020 2:08 pm
Forum: General
Topic: Dynamic src-nat troubles
Replies: 0
Views: 765

Dynamic src-nat troubles

Here is my topology: - eth1 - 1 static public address W.X.Y.Z with default internet route - eth2 - 1 local gateway 192.168.0.1/24 - 1 IKEv2 tunnel running via eth1 There is an mangle rule that marks 192.168.0.128/25 (that's half of the primary local subnet) with "ipsec-hosts" conn-mark and an IPsec ...
by icsterm
Sun Jan 05, 2020 4:10 pm
Forum: General
Topic: Disable IKEv2 reconnection
Replies: 2
Views: 577

Re: Disable IKEv2 reconnection

Because I use a VPN provider, they allow L2TP/IPSec but that hammers my hap ac2 CPU while torrenting because of the additional encapsulation. I managed to do a script which kills connections if the peer uptime is less than 15 seconds and made the script loop every 10s and also connect to a different...
by icsterm
Sun Jan 05, 2020 2:59 pm
Forum: Beginner Basics
Topic: Two bridged vlans, same port, same L3 domain
Replies: 2
Views: 895

Re: Two bridged vlans, same port, same L3 domain

Solution is:
-create vlan interface, add it to the physical port to the PC
-add vlan interface in bridge
by icsterm
Sun Jan 05, 2020 1:52 pm
Forum: Beginner Basics
Topic: Two bridged vlans, same port, same L3 domain
Replies: 2
Views: 895

Two bridged vlans, same port, same L3 domain

Hi, I am trying to have a PC with trunk capabilities use on a single NIC : - the default untagged VID 1 - as 1st interface - tagged VID 999 - as 2nd interface (using different generated MAC address) - vlans should be bridged in the same L2 domain, L3 domain (same subnet and dhcp server) running on "...
by icsterm
Sat Jan 04, 2020 8:56 pm
Forum: General
Topic: Disable IKEv2 reconnection
Replies: 2
Views: 577

Disable IKEv2 reconnection

Hi, I would like to use a script that checks if PH2 state is established and if SA's are installed, and stop RouterOS from doing automatic reconnections, just like the way tunnels work with the "dial on-demand option'. I was thinking of a way to disable 'send initial contact' option but without drop...
by icsterm
Fri Jan 03, 2020 5:37 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 29
Views: 4576

Re: blackhole/unreachable with IPSec policies [SOLVED]

So the mangle rule assigning the routing-mark activating the blackhole route must match on the connection-mark if you use it the above way, or it must match on the actual src-address, i.e. the one before the src-nat. Damn, my issue is that I also have a separate PPTP tunnel, and I wanted once the I...
by icsterm
Fri Jan 03, 2020 3:47 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 29
Views: 4576

Re: blackhole/unreachable with IPSec policies [SOLVED]

Can someone post the config with both srcnat and mangle mark-route commands for the bridge blackhole scenario? I've successfully implemented the src-nat to 127.0.0.1, which drops packets once the dynamic mode-config src-nat rule disappears once the vpn is down, but if I try using src-nat to let's sa...
by icsterm
Thu Jan 02, 2020 3:14 pm
Forum: General
Topic: IPsec Kill switch when vpn is down
Replies: 6
Views: 1570

Re: IPsec Kill switch when vpn is down

I've improved the killswitch by moving the filter in the output chain: 2 ;;; killswitch chain=output action=drop src-address=192.168.88.0/24 connection-mark=no-mark log=no log-prefix="" Because I mark both ipsec and non-ipsec using mangle in the forward chain, the non-ipsec traffic gets dropped once...
by icsterm
Wed Jan 01, 2020 5:28 pm
Forum: General
Topic: IPsec Kill switch when vpn is down
Replies: 6
Views: 1570

Re: IPsec Kill switch when vpn is down

After digging for a solution I found one that works: 1 ;;; fasttrack-no-ipsec chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark log=no log-prefix="" 2 ;;; killswitch chain=forward action=drop connection-state=established,related src-address=192.16...
by icsterm
Tue Dec 31, 2019 10:43 pm
Forum: General
Topic: IPsec Kill switch when vpn is down
Replies: 6
Views: 1570

Re: IPsec Kill switch when vpn is down

I'm also interested in a rule that blocks non-ipsec traffic once the IKEv2 tunnel drops. Using an exclude connection mark like the way we do fasttrack except ipsec seems to not work at all under firewall - filter rules, all traffic is blocked lol: mangle: 4 ;;; mark-ipsec chain=forward action=mark-c...
by icsterm
Thu Nov 28, 2019 9:59 pm
Forum: General
Topic: Adding firewall rules in a certain position without move command
Replies: 2
Views: 504

Adding firewall rules in a certain position without move command

Hi, How can I add filter or nat rules without adding the rule in the last position then using 'move' to change the sequence? Should be able to squeeze a new rule in-between other rules without using 2 commands instead of just one. I want to use a script to regenerate 2 NAT rules once a tunnel goes u...
by icsterm
Wed Nov 20, 2019 7:50 pm
Forum: General
Topic: Simple script to export address list into routing table?
Replies: 0
Views: 389

Simple script to export address list into routing table?

Hi,


I would like to make a script that looks up the address list, such as " > /ip firewall address-list print where list="ifconfig.co";" and writes the result in the routing table using a custom gateway.
Anyone knows how?
by icsterm
Sat Nov 16, 2019 9:35 pm
Forum: General
Topic: Fasttracking using filter vs mangle
Replies: 0
Views: 538

Fasttracking using filter vs mangle

Hi, Can someone tell me what is the difference between: /ip firewall mangle chain=prerouting action=fasttrack-connection log=no log-prefix="" vs /ip firewall filter chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" Also, I can mangle all 4 chains usi...
by icsterm
Sat Nov 16, 2019 3:07 pm
Forum: General
Topic: Fastpath on L2TP client only working for RX
Replies: 1
Views: 767

Re: Fastpath on L2TP client only working for RX

does anyone have a clue?
by icsterm
Fri Oct 18, 2019 2:33 pm
Forum: General
Topic: Fastpath on L2TP client only working for RX
Replies: 1
Views: 767

Fastpath on L2TP client only working for RX

Hi, I'm using a PIA VPN L2TP connection without ipsec, I've enabled NAT (masquerade), fasttrack & accept filter rules & no other settings that might affect Fastpath. Why is my L2tp client connection only doing Fastpath on TX packets? Am I missing something? I've also messed with lowering MSS to avoi...
by icsterm
Thu Aug 01, 2019 4:05 pm
Forum: General
Topic: DHCP error message [SOLVED]
Replies: 4
Views: 654

Re: DHCP error message [SOLVED]

Indeed, I was too lazy removing the dhcp client config. I only use static WAN ip addresses.
Thx a lot !
by icsterm
Thu Aug 01, 2019 3:58 pm
Forum: General
Topic: DHCP error message [SOLVED]
Replies: 4
Views: 654

Re: DHCP error message [SOLVED]

I actually have the dhcp server on the bridge, which has all ethernet ports included in it (except sfp-plus). [admin@MikroTik] > /ip dhcp-server print detail Flags: D - dynamic, X - disabled, I - invalid 0 name="dhcp" interface=bridge lease-time=7h address-pool=default-dhcp bootp-support=dynamic boo...
by icsterm
Thu Aug 01, 2019 3:53 pm
Forum: General
Topic: DHCP error message [SOLVED]
Replies: 4
Views: 654

DHCP error message [SOLVED]

Hi,

How can I fix this DHCP error message?


"dhcp, error temporary moving client ether1 from slave to master port, update your config !!!"

Running v6.44.5 long-term on a RB4011, other than having dhcp server on the bridge interface directly, I can't figure out what is the problem.
by icsterm
Sat Feb 09, 2019 6:42 pm
Forum: Scripting
Topic: If e-mail is sent, true/false variable
Replies: 1
Views: 450

If e-mail is sent, true/false variable

Hello, Can someone cook me a quick script that does the following: If "/tool e-mail send to=me@me.com body="$strName Logs for $strDate" subject="$strName Logs for $strDate $strTime" file=log" is sent successfully, then do: /file remove log log info message="Logs successfully sent via e-mail!" else l...
by icsterm
Fri Feb 08, 2019 11:20 am
Forum: General
Topic: Allow tracert to work, without ICMP hole in firewall?
Replies: 4
Views: 2541

Re: Allow tracert to work, without ICMP hole in firewall?

For anyone wondering, creating input rules for both echo reply and time exceeded allow both ping and traceroute to work fine, while ping and traceroute from internet will be denied.
This is strictly for traffic originating from the router itself.
by icsterm
Thu Jan 24, 2019 3:26 pm
Forum: General
Topic: Srcnat and WAN failover
Replies: 2
Views: 410

Re: Srcnat and WAN failover

Judging by how many src-nat rules I use for WAN1 (I have 29 ip interfaces for the /27 provided by the WAN1 ISP), the check-gateway option on routes is not a solution. Checking the Mikrotik wiki I came around Netwatch which can run scripts when a target host is up/down. I will use that to swap around...
by icsterm
Thu Jan 24, 2019 2:30 pm
Forum: General
Topic: Srcnat and WAN failover
Replies: 2
Views: 410

Srcnat and WAN failover

I have an RB4011, 2 WAN connections and one private subnet which gets NATed for internet access. WAN1 has a /27 range allocated from the ISP, while the secondary WAN2 is mainly for backup, just one IP. WAN1 uses srcnat 'one-to-one' NAT: add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1....
by icsterm
Thu Nov 15, 2018 12:15 pm
Forum: General
Topic: IP Neighbor Discovery
Replies: 12
Views: 3685

Re: IP Neighbor Discovery

Just filter out UDP broadcast packets with destination 255.255.255.255 & port 5678 on the devices you don't want taking part in MNDP.
by icsterm
Fri Aug 24, 2018 12:26 am
Forum: General
Topic: hAP ac² bridge graphing not working properly
Replies: 3
Views: 661

Re: hAP ac² bridge graphing not working properly

Still, no one?
by icsterm
Tue Aug 21, 2018 10:14 am
Forum: General
Topic: hAP ac² bridge graphing not working properly
Replies: 3
Views: 661

Re: hAP ac² bridge graphing not working properly

No one has ever activated graphs on the bridge on this board??
by icsterm
Mon Aug 20, 2018 6:50 pm
Forum: General
Topic: hAP ac² bridge graphing not working properly
Replies: 3
Views: 661

hAP ac² bridge graphing not working properly

Hi, Is there any limitation in ROS graphing with hAP ac²(ARM) devices? I'm running v6.42.7 ROS version on all my MKT devices. I have one hAP ac² with fastpath+fastforward enabled on a single bridge, all interfaces in the same bridge, and the bridge graph shows less(or almost none at all) traffic tha...
by icsterm
Tue Jun 19, 2018 8:52 pm
Forum: Announcements
Topic: v6.42.4 [current]
Replies: 93
Views: 20937

Re: v6.42.4 [current]

Just script it just be the new Mikrotik slogan :)
by icsterm
Tue Jun 19, 2018 6:14 pm
Forum: Announcements
Topic: v6.42.4 [current]
Replies: 93
Views: 20937

Re: v6.42.4 [current]

It's tested & working just fine on 2 ROS devices I own. It's not my script but I find it useful. The only bootloop possible is one caused by the new bootloader not being properly written. Which didn't happen to me on 30-40 RC updates. If bootloop happens, just netinstall the router again and make s...
by icsterm
Tue Jun 19, 2018 5:58 pm
Forum: Announcements
Topic: v6.42.4 [current]
Replies: 93
Views: 20937

Re: v6.42.4 [current]

Can anybody make me a solution / script so after the ROS upgrade the unit either in the same reboot, or thereafter reboots again to update the fw version? Now each and every unit has to be rebooted twice, which is a pain if you have to do big amounts.... here you go :log info "Checking firmware..."...
by icsterm
Sat May 26, 2018 4:27 pm
Forum: General
Topic: Search inside the log
Replies: 7
Views: 7226

Re: Search inside the log

This feature is such a pain in the ass, if it's not available under winbox maybe it's available under CLI?
Does anyone know a log filter command?
by icsterm
Wed Apr 25, 2018 11:45 am
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 272
Views: 54625

Re: v6.42.1 [current]

RouterOS version 6.42.1 has been released in public "current" channel!

*) led - added "dark-mode" functionality for hAP ac and hAP ac^2 devices;

Still can't turn off the port led indicators in the hap ac2, winbox returns error that the board doesn't have this functionality.
by icsterm
Fri Apr 20, 2018 10:11 pm
Forum: RouterBOARD hardware
Topic: HAP ac2 vs rb750gr3 cpu power
Replies: 3
Views: 3660

Re: HAP ac2 vs rb750gr3 cpu power

I have both, the hAP ac2 is faster by a substantial amount.
On a 1gbit pppoe link, the rb750gr3 loads the cpu at max ~50% while the hAP ac2 loads the cpu at 25-30%.
Can't tell about the encryption, according to mikrotik the ipsec acceleration is also faster.
by icsterm
Tue Apr 17, 2018 11:59 am
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 61
Views: 31752

Re: OpenVPN SHA256 + UDP

I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance. OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never. SHA256 is supported on the mentioned prot...
by icsterm
Tue Apr 17, 2018 10:18 am
Forum: General
Topic: L2TP VPN set up on MT so that they cannot detect it's a VPN
Replies: 2
Views: 888

Re: L2TP VPN set up on MT so that they cannot detect it's a VPN

1. Try changing MTU so MSS is changed also accordingly to some random uncommon value. 2. Test with http://witch.valdikss.org.ru/ and https://ipleak.net/ If it fails, maybe your external ip is probed for common vpn ports and the vpn provider app uses some other ip that doesn't expose those ports. Or ...
by icsterm
Wed Apr 11, 2018 8:33 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 294
Views: 78079

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

I find the same poor performance in 5G on the hAP ac^2, I have 1Gbps WAN connection but the 5G connection on AC/80MHz at one metre from the router only throughputs at about 220Mbps download and 270Mbps upload. If I connect a similar priced Asus RT-AC1200G+, use same wireless settings as on the hAP ...
by icsterm
Wed Mar 21, 2018 2:45 pm
Forum: Beginner Basics
Topic: Block web site with Firewall
Replies: 10
Views: 19792

Re: Block web site with Firewall

I would just add all the facebook and youtube prefix list in the routing table with type unreachable, keeping fasttrack and call it a day. But it seems a lot of youtube servers share the same subnet with google.com, so it's hard to do. One way around is to block youtube and facebook domains in the m...
by icsterm
Wed Mar 21, 2018 2:13 pm
Forum: Beginner Basics
Topic: Bypass VPN for Netflix?
Replies: 15
Views: 9194

Re: Bypass VPN for Netflix?

Here is the config for bypassing netflix on VPN. It includes all Netflix + Amazon CDN aggregated prefixes worldwide (326 summarized routes instead of ~1.2K routes). Don't forget to add default route through VPN too. Tested and working 100%, netflix bypasses VPN by CIDR matching in the route table. I...
by icsterm
Tue Mar 20, 2018 11:38 pm
Forum: General
Topic: L2TP VPN selective routing using mangle filters
Replies: 1
Views: 553

L2TP VPN selective routing using mangle filters

Hi, Here is my setup: RB750Gr3 running 6.42rc46, PPPoE WAN connection, NAT with fasttrack enabled, and a L2TP client for selective NAT routing. Config: /ip firewall filter add action=fasttrack-connection chain=forward comment="fasttrack non-vpn" connection-state=established,related \ in-interface=!l...
by icsterm
Mon Mar 19, 2018 2:52 pm
Forum: General
Topic: 6.42rc43 breaks fasttrack [SOLVED]
Replies: 3
Views: 1321

Re: 6.42rc43 breaks fasttrack [SOLVED]

I'm having some sort of similar scenario on my RB750Gr3, after the same RC update I get some mixed bag of performance, despite "IP -> firewall -> Connections" show my IP sessions with the fasttrack flag, I can only saturate 70% of my gigabit pppoe line, before it was saturating just fine at over 90%...
by icsterm
Mon Mar 19, 2018 2:45 pm
Forum: General
Topic: RB750Gr3 SSH
Replies: 4
Views: 1219

Re: RB750Gr3 SSH

Indeed, I had the security package disabled, that's why SSH was missing.
Thanks guys!
by icsterm
Sun Mar 11, 2018 11:13 pm
Forum: General
Topic: RB750Gr3 SSH
Replies: 4
Views: 1219

RB750Gr3 SSH

Hello,

I decided to enable SSH server on the RB750Gr3 router, using 6.42rc39 build, but the /system ssh and /ip ssh commands are not accepted. Before buying this router the spec sheet of this model stated SSH on most websites that sold it.
Does it support SSH server/client at all?