Community discussions

Search found 27 matches

by 4lphanumeric
Fri Aug 11, 2023 7:48 pm
Forum: General
Topic: OPENVPN [SOLVED]
Replies: 4
Views: 1984

Re: OPENVPN [SOLVED]

Try to match the "Allowed Data Encryption Algorithm" on the PFSense side to a cipher that is supported by Mikrotik, and reflect those changes in the config on the client side.
by 4lphanumeric
Thu Aug 10, 2023 9:16 pm
Forum: General
Topic: [PROPOSAL] Event driven scripting
Replies: 34
Views: 4251

Re: [PROPOSAL] Event driven scripting

I liked the implementation idea by pe1chl, it's like doing a tail -f on the log. Pass each and every line to a string/topic matcher and you got an event trigger.
by 4lphanumeric
Sat Aug 05, 2023 11:33 am
Forum: Scripting
Topic: QOS Dynamic simple queue, MAC address list, files & DB
Replies: 1
Views: 3981

Re: QOS Dynamic simple queue, MAC address list, files & DB

I think as per https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#Rate_limiting the only supported way to have dynamic queue is only on a static lease (by making the lease static and setting /ip dhcp-server lease [n] rate-limit= which poses unnecessary wear/tear on the NAND flash especially in a h...
by 4lphanumeric
Sat Aug 05, 2023 10:28 am
Forum: General
Topic: Connecting 2 mikrotiks over internet [SOLVED]
Replies: 37
Views: 6587

Re: Connecting 2 mikrotiks over internet [SOLVED]

If both were behind NAT and otherwise inaccessible due to private IPs, I think you need another server with public IP as a gateway. What kind of traffic passes through the LAN between clients? If it's not remarkably high-throughput maybe you can get away with cheap VPS in your region. That way you ca...
by 4lphanumeric
Sat Aug 05, 2023 10:15 am
Forum: General
Topic: Cannot access the Mikrotik uplink router through OpenVPN
Replies: 0
Views: 708

Cannot access the Mikrotik uplink router through OpenVPN

Hello, I have trouble accessing my uplink router from VPN through Mikrotik. I'm using OpenVPN. The Topology is: [my local IP 192.168.1.x] -> [router gateway 192.168.1.1 {A} ] -> Public IP from ISP -> VPN to Mikrotik -> Endpoint Public IP from ISP -> [uplink router in Mikrotik side, gateway 192.168...
by 4lphanumeric
Fri Jul 21, 2023 6:43 pm
Forum: General
Topic: Queue bucket-size option explained
Replies: 27
Views: 104922

Re: Queue bucket-size option explained

Any way to incorporate the bucket size option in hotspot? I don't think /ip/hotspot/profile rate-limit had this option implemented.
by 4lphanumeric
Fri Jul 21, 2023 6:38 pm
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 3012

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

The first reset will be matched and dropped in a period of 5 seconds. The next four will be accepted or accepted because the address-list entry has timed out. By adding more nth you can filter more reset replies. Underneath the first two reset replies are dropped within 5 seconds. /ip firewall ...
by 4lphanumeric
Tue Jul 18, 2023 3:19 am
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 3012

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

Think about it you sitting, and waiting for the correct bus. one, is take the first bus and if you not get on that bus you have to wait again for bus six or then eleven.... two, get on the second bus and if you don't catch that one, take bus seven or even twelve.... It is not timing out, you hide (...
by 4lphanumeric
Tue Jul 18, 2023 2:21 am
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 3012

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

I'm on the client side. Yes, it's possible to filter said RST packet but only globally, hence the unexpected problem on other sites due to legitimate RST packet being dropped. What makes you think that, if you somehow manage to filter the injected RST packets, connection would continue? If I'd be i...
by 4lphanumeric
Mon Jul 17, 2023 10:38 pm
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 3012

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

this is the last part from your referenced link above. To help protect the router from TCP RST and SYN DoS attacks: Issue the tcp ack-rst-and-syn command in Global Configuration mode. host1(config)#tcp ack-rst-and-syn Use the no version to disable this protection (the default mode). and I don't kno...
by 4lphanumeric
Mon Jul 17, 2023 5:53 pm
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 3012

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

first, any isp (read : routers) are mitm - in terms of traffic routing. second, not necessarily because of those chrome or Firefox throw reset error literally means your isp doing dpi/spi (although they are permissible by law). it could be target server itself doing the rst. third, have you ever th...
by 4lphanumeric
Mon Jul 17, 2023 5:30 pm
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 3012

Re: TCP Reset Attack Mitigation on Router Level [SOLVED]

how do you know that? Any attempts to open blocked domain will be thrown into ERR_CONNECTION_RESET in Chrome and PR_CONNECT_RESET_ERROR in Firefox (see https://help.mulesoft.com/s/article/HTTPS-connection-fails-due-to-DPI-Deep-Packet-Inspection and https://superuser.com/a/916086/1820323). This indi...
by 4lphanumeric
Mon Jul 17, 2023 5:01 pm
Forum: General
Topic: TCP Reset Attack Mitigation on Router Level [SOLVED]
Replies: 22
Views: 3012

TCP Reset Attack Mitigation on Router Level [SOLVED]

My ISP employs DPI, and one of its strategies is to use TCP Reset Attack (https://en.wikipedia.org/wiki/TCP_reset_attack). This can be mitigated by adding a firewall filter: /ip firewall filter add comment="tcp attack mitigation" chain=forward protocol=tcp in-interface=ether1 tcp-flags=rst...
by 4lphanumeric
Wed May 20, 2020 7:29 am
Forum: General
Topic: Walled Garden for Encrypted DNS Request
Replies: 0
Views: 728

Walled Garden for Encrypted DNS Request

I'm currently running a hotspot based access point using RB750r2, recently there's a lot of complaints regarding the hotspot availability. I did some troubleshooting and found out that encrypted DNS requests are the culprit here. For example, users on Android devices use Intra and tunnel their DNS r...
by 4lphanumeric
Sat Feb 22, 2020 8:19 am
Forum: General
Topic: NordVPN IKEv2 EAP VPN tunnel: DNS leak
Replies: 7
Views: 6570

Re: NordVPN IKEv2 EAP VPN tunnel: DNS leak

Bumping this topic, I recently had a strange DNS leak issue and was able to pinpoint it to NordVPN's dynamic server in /ip dns.
Skimming through, I don't think there's a simple solution (yet) to ignore the dynamic DNS set by Nord's IKEv2 tunnel.
by 4lphanumeric
Sun Feb 17, 2019 3:17 pm
Forum: General
Topic: Firewall on Mikrotik box outbound connection?
Replies: 9
Views: 1959

Firewall on Mikrotik box outbound connection?

Hi, is it possible to apply firewall rule to Mikrotik's own outbound connection?

My goal is to redirect the DNS port to another port, the DNS will be set in IP/DNS to use Mikrotik's DNS proxy/cache

So
Mikrotik IP/DNS -> DNS:53 -> some rule -> DNS:5353
Thank you for your help.
by 4lphanumeric
Tue Feb 05, 2019 8:08 am
Forum: General
Topic: Feature requests
Replies: 1742
Views: 637516

Re: Feature requests

Ability to swap the rx/tx representation in the graphing setting.

Normal : In -> green, Out -> blue
Swapped: In -> blue, Out -> green
by 4lphanumeric
Sat Feb 02, 2019 7:36 pm
Forum: General
Topic: OpenVPN client cannot resolve DNS through server
Replies: 0
Views: 1748

OpenVPN client cannot resolve DNS through server

The title says it all. I cannot connect to the internet with block-outside-dns option on the OpenVPN client. Without it, I can browse just fine but it's leaking DNS requests. 1 name="VPN-PROFILE" local-address=192.168.252.1 remote-address=VPN-POOL use-mpls=default use-compression=default us...
by 4lphanumeric
Tue Jan 29, 2019 5:01 am
Forum: General
Topic: Set L2TP/Ipsec VPN local ip addresses
Replies: 2
Views: 1447

Re: Set L2TP/Ipsec VPN local ip addresses

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 A S 0.0.0.0/0 192.168.1.1 1 1 ADC 1.0.0.1/32 10.000.1.000 SSTP-DNS 0 SSTP-DNS-2 As you can see, there are two SSTP interfaces that show 1.0.0.1/32 as their remote address, what I want to achieve is that so each of them had a unique remote IP address. Changi...
by 4lphanumeric
Sat Jan 26, 2019 7:32 pm
Forum: General
Topic: Set L2TP/Ipsec VPN local ip addresses
Replies: 2
Views: 1447

Re: Set L2TP/Ipsec VPN local ip addresses

Is this not possible to achieve? I'm honestly at a loss here, I've tried setting a route rule with the VPN as a gateway but the IP is still not routing the traffic to the VPN.
by 4lphanumeric
Sat Jan 26, 2019 5:50 am
Forum: General
Topic: Set L2TP/Ipsec VPN local ip addresses
Replies: 2
Views: 1447

Set L2TP/Ipsec VPN local ip addresses

So, I've got two IPsec VPNs up and running on my Mikrotik VPN A: remote addr=1.0.0.1, local addr=dynamic VPN B: remote addr=1.0.0.1, local addr=dynamic I'm somewhat confused because in /ip routes, those two VPN interfaces share the same remote addr (1.0.0.1), so what I want to achieve is set an IP add...
by 4lphanumeric
Wed Jan 23, 2019 11:37 am
Forum: Beginner Basics
Topic: Two VPN tunnel in Mikrotik, how can I set their IP address?
Replies: 0
Views: 618

Two VPN tunnel in Mikrotik, how can I set their IP address?

So, I've got two IPsec VPNs up and running on my Mikrotik VPN A: remote addr=1.0.0.1, local addr=dynamic VPN B: remote addr=1.0.0.1, local addr=dynamic I'm somewhat confused because in /ip routes, those two VPN interfaces share the same remote addr, so what I want to achieve is set an IP address for e...
by 4lphanumeric
Mon Jan 21, 2019 6:05 pm
Forum: Beginner Basics
Topic: DHCP static lease stuck on "waiting"
Replies: 1
Views: 8490

DHCP static lease stuck on "waiting"

So I've got two APs set as a DHCP client, with their address(es) that I set in the DHCP lease. The problem is, while those two APs are connected (to ether2 & ether3) and I was able to connect and surf the internet through them, the DHCP status stays in the "waiting" state. This made settin...
by 4lphanumeric
Fri Jan 18, 2019 7:36 pm
Forum: Beginner Basics
Topic: Different hotspot landing page based on PVID
Replies: 0
Views: 672

Different hotspot landing page based on PVID

Basically I want to set two VAPs
  • Guest with PVID = 100
  • Office with PVID = 200
Assuming the PVID tagging is working correctly, how do I route the traffic so that PVID100 goes to HotspotServer_A and PVID200 goes to HotspotServer_B?

I'm using RB750r2 and the AP is connected to ether3

Thanks!
by 4lphanumeric
Thu Jan 17, 2019 7:25 am
Forum: Beginner Basics
Topic: Home/office/guest with mikrotik, I'm not certain on how to set this
Replies: 4
Views: 1128

Re: Home/office/guest with mikrotik, I'm not certain on how to set this

I personally think it's much better security-wise to have total control over what comes in and out of the router to devices behind the router. Double NAT means that the IP the modem/gateway gives you is a private IP already and thus if you want to have the ability for outside users to gain access to...
by 4lphanumeric
Wed Jan 16, 2019 5:36 pm
Forum: Beginner Basics
Topic: Home/office/guest with mikrotik, I'm not certain on how to set this
Replies: 4
Views: 1128

Re: Home/office/guest with mikrotik, I'm not certain on how to set this

Why would you use the ISPs modem and router for anything and you have given the ISP direct access to your traffic coming from wirelessly connected devices? In addition you will suffer from double nat. Can you put the gateway in bridge mode and thus give the Hex router a public IP and thus keep the ...
by 4lphanumeric
Wed Jan 16, 2019 1:14 pm
Forum: Beginner Basics
Topic: Home/office/guest with mikrotik, I'm not certain on how to set this
Replies: 4
Views: 1128

Home/office/guest with mikrotik, I'm not certain on how to set this

This is the planned network topology, I'm not really certain on how to set this one. For now, what's working is:
  • I can connect to the internet from Home_AP
  • Hotspot service is running and the users are able to log in
  • BW management for home/office/guest is ok
As for these, I do not know how t...