MikroTik

haris013

any ideas where to start searching the issue?

haris013

Hello, this is another wireguard performance thread, i have a strange problem when connecting from my laptop wireguard peer, to my rb5009 at the office. I use my laptop which is connect with ethernet cable on a Chateau lte18 using lte connection (~100mbps down / 70~ mbps up) I connect with wireguard...

haris013

hello guys, using the default config on wireless, ax3 gives me very poor performance on wifi 5 ghz (wifi 6 ) My phone samsung s23 on iperf has 20 mb/s transfer rate at 2meters distance from router (without obstacles) My laptop having an intel AX card, gives me the same performace. I am using skip df...

haris013

Thanks for the reply.

Do you know how I can ensure that traffic enters and exists from the ipsec tunnel?

There is no interface at the ipsec tunnel and there no static or dynamic routes. The routing is based through ipsec policy.

Is there any way to point the wg interface at the opposite subnet ?

haris013

Hello, I have the bellow topology, 2 routers connected Site to Site with IPSEC policy based. Each router's LAN have access the opposite LAN and everything works fine. https://i.imgur.com/XcbP6rP.png I have a wireguard server at ROUTER 1 and I have 1 road warrior WG client for managing. Is it possibl...

haris013

Hello, i have router A with 2 WAN as failover (when WAN1 is down automatically route to internet goes through WAN2) and i have a router B with the exact same setup (2 WAN as failover) If i create a vpn ipsec tunnel between router A and B and use the mikrotik ddns as remote addresses, is it possible ...

haris013

Yes to your questions, but I have to see the current configs of both to provide advice.......... i am posting the configs: CHR /interface ethernet set [ find default-name=ether1 ] disable-running-check=no /interface wireguard add listen-port=13231 mtu=1420 name=WG-CHR /interface list add name=LAN a...

haris013

From the third paragraph of original post. my problem is that the port 8080 which runs a web service at my home server, is not accessible through the public ip of CHR. I cannot access the web UI from that public IP. The CHR is the used as Wiregaurd server, the Home Server is acting as Wiregaurd cli...

haris013

(1) No friggen NO....... add address=91.XXX.XXX.XXX list= authorised /ip firewall filter add action=accept chain=input comment="Access CHR from WG" in-interface=\ WG-CHR src-address-list= authorised[ /i] This rule is intended for people coming in through wireguard to be able to config the...

haris013

Bullocks! You dont need any such rules sourcenat or destination NAT on the CHR.......... The firewall rules are fine with the one addition already recommended. The single rule you have for the standard WAN is fine....... The wireguard client will establish the connection with the CHR. Since your al...

haris013

Hello, thank for the info! the server is having the CHRs public ip and it connects perfectly! my problem now is that i cannot "see" my service port 8080 from the internet. CHR has a masquearade rule and i created a src-nat rule with destination port 8080 and to addresses the lan ip of my s...

haris013

So why didnt you post your CHR config?? /export file=anynameyouwish ( minus chr serial number and any public WANIP information) bellow is the chr config: /interface ethernet set [ find default-name=ether1 ] disable-running-check=no /interface wireguard add listen-port=13231 mtu=1420 name=WG-CHR /in...

haris013

hello, i have a cloud hosted CHR with a static public IP and a nat masquerade rule for having internet. The chr runs a wireguard server only, few firewall filter rules for security and that's all. I have a linux server at home running a web service at port tcp 8080, the server runs wireguard and has...

haris013

Fixed the horrible firewall settings!! However you have to make sure you can reach the CHR for configuration purposes, assuming you have something set up ??? If not how do you reach it. I am hoping something smart like Wireguard. By the way you have no LAN of any sort on the CHR right?? To reach wi...

haris013

So, what is this rule suppose to do ? add action= accept chain= input comment="bruteforce ssh&winbox" disabled=yes \ dst-port=1026,8292 protocol=tcp src-address-list= !bruteforce_blacklist So you ARE allowing SSH + Winbox to your router if they are NOT the bruteforce_blacklist. Why no...

haris013

Hello, i have installed a chr on cloud vm and i am trying to create some firewall rules in order to secure my router. my problem is that my rules doesn't work, it seems like they get bypass!! for example ssh and winbox are allowed while i have an input rule to drop everything from wan. also my brute...

haris013

If you were in like Iran that would be entirely possible. In general, if you can port forward you can do wireguard. In other words there is no set WG port, you can choose to use any port 15533 for example or 45454. you won't believe this but i used port 51820 on WG interface and it worked. The defa...

haris013

How are you attempting to connect. Pinging only or trying to reach a MT lan subnet device or trying to go out MT internet??? Okay Post your latest MT config and the client config settings please. Is there anyway the ISP blocks wireguard? I am connected direct with a WAN IP i got from my ISP and the...

haris013

it is crazy, i can see the keep alive packets both from server and client side, still the tunnel is not established. How is that possible?

it is not a firewall issue and i can't find the real problem. Is it a bug?

haris013

Grasping at straws here but looking at anything I dont use................ and out of the norm....... (1) Disable this for testing........ /ip settings set tcp-syncookies=yes (2) Disable this for testing /ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log=yes \ l...

haris013

Ios, android or windows client ??

I have tried from windows client using my home Wi-Fi and I tried with my android phone using 5g. Both devices the same error.

haris013

(1) Client - Ensure the client devices DNS entry is 172.16.10.1 ( just to ensure its not some weird DNS issue). - For the allowed IPs put 172.16.10. 0/24 vice 10.1/32 the other entry is fine as you intend to visit LAN devices on the server!! AllowedIPs = 172.16.10. 1/32, 10.0.0.0/24 persistent keep...

haris013

Hello, I have a WG server running on a 5009 ROS 7.5 and i have a WG road warrior client. I am trying to connect from my road warrior client to mikrotik and i get this error: Sending initiation handshake to peer1 did not complete after 5 sec mikrotik is not behind CGNAT. Also i want to mention that i...

haris013

The simple answer is yes; a more in-depth answer must take into account whether you use or not a stateful firewall and if you do, whether it is an issue if some existing client sessions get dropped when the traffic fails over to another router. Synchronization of connection tracking state between t...

haris013

Hello, I have a CCR2004 running 1 WAN and 3 VLANs using bridge VLAN filtering method. There are no trunk ports, only access ports. VLANs are running by the bellow: ether2 is VLAN10 access port ether3 is VLAN20 access port ether4 is VLAN30 access port Ether2,3&4 are connected to an individual unm...

haris013

Hello, I have 2 ccr2004 and i want high availability. I have setup VRRP between the 2 routers and i have identical setup at addresses, dhcp, bridge VLAN fitering etc etc. I have 10 roadwarrior VPNs using wireguard. I have setup the wireguard at router 1. When router 1 becomes passive and router 2 be...

haris013

Hello, I had a routerboard and i was using it as VPN server with several ipsec vpns with other routers. My wan has static public IP but all the vpns we used mikrtotik cloud (sn.mynetname.net domain) Now we have to replace this specific routerboard with a CCR router and the mikrotik cloud has changed...

haris013

Hello ,

I have already checked that. It is a valid domain with an existing tld

haris013

Hello, at default hotspot setup, the captive portal doesn't work on iOS devices. When I config the hotspot and try to connect with an iphone, it doesn't pop up the login page, the user has to manually open a web browser in order to see the login page. at android devices i don't have this kind of pro...

haris013

Hi, it mainly protects an exposed server, but at the same time it tries to save resources, as attacking sources will be dropped in the prerouting chain, which saves resources on the router. #this is jumping for all connections to the chain detect-ddos, I think you should just extend this rule, so t...

haris013

Hello, on router OS7 i followed this guide https://help.mikrotik.com/docs/pages/viewpage.action?pageId=28606504 in order to check the ddos protection rules. I don't understand at which connections this rule applies and what is protecting from DDoS( it protects the router from WAN?, it protects an ex...

haris013

Same behaviour in 7.1.3. I found an additional inconsistency as well. If you leave the remote gateway route as the default, Scope=30 Target Scope=10, then the default route works with Target Scope=30. So once again an inconsistency, where its happy with Target Scope equal to Scope, and doesn't requ...

haris013

New RouterOS 7 is more compliant and requires rule as "less" and not "less or equal" for scope / target-scope option. The logic in ROS 7 is inconsistent. Look at this for example (also answers your previous question) ... ROS 7.1.1 Recursive OR Screenshot_62.png Your logic applie...

haris013

New RouterOS 7 is more compliant and requires rule as "less" and not "less or equal" for scope / target-scope option. Do you have working example on RouterOS 7 with monitoring multiple destinations (like 8.8.8.8 , 1.1.1.1 ) ? Thank you if that's true, then why it is not document...

haris013

Hello again, the code posted above with 1 recursive route with target scope 11 it worked like a charm. When adsl is down it detects it. So from RoS6 to ROS7 they changed the static routes? Is it documented what is going on with the target scopes? I still can't understand why need 11 and not 10 like ...

haris013

When your ADSL is down, is that IP address 91.138.169.237 still reachable, and still responding to ping? If so then Mikrotik doesn't know your ADSL is down so the route will remain in place. That is what the remote gateway is for, to actually test that the route via the local gateway actually works...

haris013

I suspect those mangle rules are not doing anything very useful. The egress interface is not determined until after the routing decision has been made, to use ADSL or LTE So a mangle rule matching on egress interface is effectively too late. I can't see what action you have set for those rules eith...

haris013

So you have an active route to each ISP, both with Distance=1, and a standby route also to each ISP both with Distance=2. No wonder your router is confused! And I didn't notice, or maybe you didn't say, that you are also using separate routing tables. Are you marking or classifying your traffic so ...

haris013

Can you describe your network in a bit more detail? Your screenshot shows two next-hop gateways, one 91.138.169.236 via ether5, is that your DSL gateway. And one 192.168.88.1 via ether1, is that LTE via a separate router? Once you changed the scope settings, and all your routes were up then if it w...

haris013

but my recursive routes are invalid for some reason. Can someone help me figure out what is going on? At ROS6 didn't had problems with mangle and static routing. In my opinion it is buggy in 7.1.1 in that the values needed for Scope and Target Scope seem inconsistent between one configuration and a...

haris013

Hello, I followed this guide to setup wan failover https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608 but my recursive routes are invalid for some reason. Can someone help me figure out what is going on? At ROS6 didn't had problems with mangle and static routing. https://i.imgur.co...

haris013

Silly question, the devices you are trying to access are using 192.168.2.1 as their gateway? yes that's right And you definitely waited the 3 minutes or so after disabling the nat rule, to allow the firewall connection tracking to release the nat connection? i waited more than an hour after disabli...

haris013

Hello, thank for the replies, still the same problem, it is insane. I configured the switch cpus, when i disable the action=masquerade chain=srcnat disabled=no dst-address=192.168.2.0/24 \ src-address=192.168.2.0/24 rule, i cannot see remote LAN. When i enable the nat rule everything is fine. I can'...

haris013

ok bellow is the latest config. # model = RB2011UiAS # serial number = E1480D55D33C /interface bridge add admin-mac=08:55:31:7D:23:84 arp=proxy-arp auto-mac=no comment=defconf \ name=bridge /interface ethernet switch port set 0 vlan-header=always-strip vlan-mode=fallback set 1 vlan-header=always-str...

haris013

Hello again, I have not mentioned something that maybe is important!! I got the 2011, 2 WANs connected, VPN server configured. The thing is that all my LAN devices are connected to a CRS328 switch AND NOT direct at the rb2011. The crs is working only as a switch, i haven't configured anything on in ...

haris013

In mikrotik the default untagged vlan is 0 anyway. But the other settings will need changed. vlan-header=always-strip vlan-mode=fallback i changed the settings vlan-header=always-strip and vlan-mode=fallback at all switch ports but still the i cannot "see" the remote LAN if i close the ma...

haris013

In winbox you can click the up arrow. I think the other changes are more important though. I think the reason this is necessary is because of how the bridge processes the dynamic (vpn) traffic.

winbox.png

take a look, it doesn't allow me

haris013

You can manually set each in winbox so you can be sure the default vlan id goes away. Depending on how you are accessing the router, you may drop connectivity briefly, but it should come back after winbox closes. If its remote, safemode may be worth utilizing. Mikrotik doesn't allow me to remove th...

haris013

You'll still need proxy-arp on the remote bridge if your VPN pool ips are in the same subnet as the remote Lan subnet. But I think you will be able to make this installation like your others. If your other installations are revision 1 routers I think the default switch chip settings worked fine. Wh...

haris013

this is the switch default settings on 2011, should i change anything?

haris013

My problem is why the masquerade rule works and I can reach the remote LAN? Why is needed? My other configurations with l2tp they work without masquerading the LAN. It is very strange. Can someone explain what is wrong and why it works now? Probably rajo was right, and this is related to ARP reques...

haris013

Hello again. Something very interesting, I added a nat rule : add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=\ 192.168.2.0/24 I masquerade my own LAN and now I have access to my remote LAN!! My problem is why the masquerade rule works and I can reach the remote LAN? Why is...

haris013

Okay, please try the following: 1. Open Properties of VPN connection 2. Go to Networking tab 3. Open Properties of Internet Protocol Version 4 (TCP/IPv4) (and unckeck TCP/IPv6) 4. Click Advanced... button 5. Change to IP Settings tab Then do this: * Uncheck "Use default gateway on remote netwo...

haris013

Out of curiosity, you describe this as a "Road Warrior" setup and you mention "local arp proxy works." By "local," are you referring to proxy ARP configured on the client side LAN or the VPN gateway/responder side? If you take the Windows 10 PC or Android tablet to a n...

haris013

As you can see from the screenshot, with the adapter changes made, your 192.168.2.0/24 network is properly installed. I suspect the reason it's still not working is because the IPSec client is being assigned an IP address in the same network as the LAN you're trying to reach. Because of that, the c...

haris013

tried the settings again i cannot access remote LAN. I tried connecting with android, again i cannot see anything from the remote LAN network. It is like i am not connected at the VPN/remote LAN. What does your Windows route table [screenshot] look like after you connect? Also, does the connection ...

haris013

Oh, so his problem was that he could not access the local LAN? I thought he could not access the remote LAN. :-) The second thing I wrote was this: You did not uncheck the "use default gateway on remote network" checkbox in adapter properties / network / ipv4 / properties / special / ip s...

haris013

tried the settings again i cannot access remote LAN. I tried connecting with android, again i cannot see anything from the remote LAN network. It is like i am not connected at the VPN/remote LAN.

haris013

To get split-include working with your Windows 10 clients, follow the instructions here: https://forum.mikrotik.com/viewtopic.php?f=2&t=177314&p=872552#p872552 Hello, i don't need split tunneling. I need to access my remote LAN via VPN. I don't care if the whole traffic is transfered inside...

haris013

I'm comparing your config with mine. I don't have bridge=bridge on /ppp profile in my configs. Also, I don't have arp=proxy-arp in my bridge. The problem might be that these packets are not routed, because your ppp interface is added to your bridge as a port. One more thing to try: remove bridge=br...

haris013

Disclaimer: I'm just guessing now. I don't know what is wrong. But it seems that your accept rule's counter is almost zero. Please try to add a more specific route, as administrator: route add -p 192.168.2.0 mask 255.255.255.0 192.168.2.185 I doubt that it will help but let's try. Hello, tried addi...

haris013

Hello, still nothing.

take a look at the screenshot

I tried to rdp our servers, ping our devices, still nothing, seems like i am "out"

haris013

Thanks for the replies, I tried disabling all filter rules, added l2tpuser at lan, tried the ppp profile interface list, still the same result. I cannot reach lan devices. Also the same firewall setup and VPN settings, i use at other installations without problems. Is there any chance that ISP is th...

haris013

the first PPP profile is not in use right now, also i am not using the vpn pool at the moment. When the client is connected, i can ping the gateway. Also when i run a network scan/ip scan i can only "see" the gateway and my client(self). I have allowed the ping and still cannot reach the o...

haris013

Hello, i have a strange problem, with road warrior VPN, I have the exact setup with other mikrotik routers and is working perfectly but the specific mentioned bellow, can't access other LAN devices. Clients are connecting without problem with the VPN but somehow cannot "see" the other devi...

haris013

Hello, I have a question, I have an AC^3 at the office and i have configured l2tp ipesec vpn. The local subnet is 192.168.1.x . My problem is when i connect to the vpn from a remote network using the same subnet 192.168.1.x, i got some strange connectivity issues like packet loses, i can't reach my ...

haris013

Hello, nice guide, just a question as a newbie, why on down tree we use as parent the LAN (bridge) interface and on UP tree we use the WAN interface? If both down and up tree is WAN, what is the difference?

haris013

PCC divides all connections into groups, it has nothing to do with WANs. In your case, you need 3 groups, one of them to be sent to WAN1 and another two - to WAN2 (so that it gets more traffic). f you have 3 WANs and want traffic equally distributed, you still use 3/0, 3/1 and 3/2. If you need to s...

haris013

can you explain me why 3? I though after several readings that the first part of PCC is the number of the WANs, 2 means 2 wan, is that wrong? Please help me to understand better the classifier algorithm. Do I need more or other mangle rules? Is there any document to read more about PCC loadbalancing...

haris013

Hello, I have the following setup with 2 WAN and I have a strange problem, I want to distribute more traffic at WAN2, So I have created one more PCC rule. The setup is: interface bridge add admin-mac=08:55:31:04:D2:14 auto-mac=no comment=defconf name=bridge /interface wireless set [ find default-nam...

haris013

I have a strange problem, I want to distrubute more traffic at WAN2, I have created one more PCC rule https://i.imgur.com/eEwMLAc.png https://i.imgur.com/sZZJ1Jv.png So we have 3 PCC rules, 2/0 ISP1, 2/1 ISP2, 2/2 ISP2, but it seems there is no traffic at my last rule 2/2 ISP2. Also connections seem...

haris013

I cannot figure why my router can't reach mikrotik's cloud and update my public address. these are my routes https://i.imgur.com/Jf785z0.png I don't see 0.0.0.0/0 route in your 'main' table (the one that is used by the router's processes like Cloud for initial route lookup) - that can be the reason...

haris013

You're in a double NAT situation. Ask the ISP to bridge the CPE. Then establish PPPoE at the router level. That's is the right way to do it. Double NAT will create all sorts of weird issues for obvious reasons. I know i am at dual nat state. From the ISP side is not possible for a pppoe connection....

haris013

Hello, I have 2 wan with static private IP (192.168.1.100 wan 1 and 192.168.0.100 wan 2) I am using the first's post routing rules but i have a strange problem, the Cloud DDNS does not update when these rules are applied. The balancing and failover seems to work fine. I cannot figure why my router c...

haris013

Hello again everyone. After reading a little bit i gave a try to configure my mikrotik. I will paste my config, can you take a look and correct me if i have anything wrong? The plan is to setup the router according my first post. What else do i need to setup in order to run everything smoothly and s...

haris013

Thank you very much, I will give a try and post further questions if I need.

For now just one question, why nas should go to a bridge and now just a plain lan? What are the benefits of a bridge?

thanks

haris013

You don't want to play with MTU settings unless you know what you're doing.

Ok got it. About the setup settings, can you guide around the menus I should do my settings?

haris013

As every port on your RB will belong to different IP network, all traffic between any network device and your NAS will flow through RB's CPU. Expect high CPU load and less than desired throughput. Default setup will be of little help when trying to achieve your final setup. However, if you're new a...

haris013

The higher load subnet would be the Lan 2 192.168.1.0/24 . I am planning to connect a nas server at the 8 port switch and is gonna be a lot of traffic due to incremental backups from clients at the the nas server. I don’t want all users to see all users, only 2 users must see the other networks.

haris013

Hello everyone! I just bought a mikrotik rb750gr3 (Hex). I am newbie student and i would like to learn more about computer networks, so i thought a mikrotik would be a good idea to start playing around. I have downloaded winbox and i have plugged my MT on my PC. It seems that it has a default config...

Search found 80 matches