in that particular case, the chain forward or postrouting doesn't matter that much. The post was more about non-functional parameter clamp-tcp-mss=yes on 6to4 interface. if it is not something that is not supposed to inject automatic mangle rules, then probably it should be documented somehow?

Some time ago I started to notice some strange "tls timeouts" to some sites hosted at AWS or e.g. GitHub when connection is done over IPv6. I didn't pay attention to that for a while, as those were rare occasions, but recently got curious and tried to debug. To my surprise, I've noticed th...

I have interface, let's say ve1. This interface has both ipv4 and ipv6 addresses (10.81.81.0/24 and fd66:107::/64). bgp session is done on ipv4 addresses The best what I've come up with is something like below. It works, but I don't like this manual setup of nexthop. If I don't do it, it announces f...

Good day.

Anyone have minimal example of ROSv7 BGP connection between two routers over ethernet/vxlan with both ipv4 and ipv6?
From my trials I'm not able to control properly ipv6 address of nexthop if bgp connection is established over ipv4 and afi=ip,ipv6.

You are right, it is behaving like a masquerade. It's a bug for sure. But also I recommend you avoid NAT66 crap and use NPTv6 instead via mangle, it will preserve the end-to-end princple which NAT of any kind cannot. NPTv6 unfortunately is also buggy. In my experiments it is matching the firewall r...

ipv6 netmap seems to be still broken in this release It's probably your configuration. Works fine for me, including NPTv6 via mangle which is better than netmap as it is stateless. Please double check what you really getting on network side. right now netmap behaves like masquerade. /ipv6 firewall ...

ipv6 netmap seems to be still broken in this release

You can update rules for dynamic prefix from lease script.

Thanks for idea, will try. I was trying to avoid hardcoding addresses in the rules.
One idea that I had was to mark-connection on forward chain in mangle, but that seems not working, at least in 7.7rc2.

Hi. Setup that I have: - two ipv6 tunnels, one from HE.net, another from local ISP via 6rd. - /48 block from HE.net (statically allocated), /56 block from local ISP 6rd (dynamic) - bunch of hosts in "DMZ" and "LAN" that have native IPv6 connectivity on ethernet or wifi. what I'm ...

Well, unfortunately that is not that easy. DHCP option comes as raw byte array inside string type, not as hex string representation. Format of option 212 is like this (values are a bit changed, but should be good enough to get the idea): :local v212 "\0E\26\20\01\22\02\F0\00\00\00\00\00\00\00\0...

Good day. I'm relatively new to mikrotik scripting, so haven't found myself good answer and asking for pointers to right direction. I'm trying to parse as part of dhcp-client lease script variable in lease-options array. Specifically the option 212 (6rd dhcp info). It is present there as type string...

For l2tp issue in 7.2.x, I've noticed it also became broken, and after some investigation noticed that default ipsec policy got modified somehow. So, if you have in your config after upgrade something like /ip ipsec policy set 0 dst-address=2001:xxxx/128 src-address=2001:yyyy/128 reset it back to de...

Small fix/suggestion for default configs: if l2tp vpn enabled, those rules are generated. However, this will not work if IPSec enabled for l2tp, the other mikrotik l2tp-clients can't establish connections with it. /ip firewall filter add action=accept chain=input comment="allow IPsec NAT" ...

Tried to upgrade to 6.49.x on my CRS112-8P-4S. Two SFP-RJ45 adapters stopped to work ("no link") that were previously worked great for almost 4 years. Reverting back to 6.48.6 solved the issue. :( SFP info: marked as "juniper networks": Vendor Name Methode Elec. Vendor Part Numbe...

webfig - show "Interfaces" menu by default after logging in;

for me this became broken recently on one of devices (hap ac), and not solved with 6.48.2: when logged in to webfig, it shows "quickset". Is there way to disable quickset alltogether?

+1 for supporting rfc5969. it will help a lot with using ipv6.

*) ipsec - fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44);

would be great to get this fix also to stable 6.44. Very annoying.

*) defconf - fixed IPv6 link-local address range in firewall rules;

a bit more details on this change? Those default rules are not upgraded automatically, so it would be good to see what exactly changed.
And in overall, it would be good to keep on wiki defconfs for each big releases.