MikroTik

erkexzcx

I have QoS in place and I'd like to set Steam downloads to have lower priority from the rest of the traffic. Now I am scratching my head trying figure it out how do I do it. One option would be to get list of Steam IPs. Another option - list of domains and add them to RouterOS addresses list. Has an...

erkexzcx

As my ISP once told me: Everything behind ISP converter (including converter itself) is ISP's responsibility . Everything that goes out of ISP converter (including the Ethernet cable) is your responsibility . So I guess you should really understand the meaning of ISP converter. In my case they even ...

erkexzcx

I haven't got any (useful) response from anyone, so I am gonna share my findings here. Goal My Mikrotik router has 5 interfaces: WAN interface LAN SFP+ interface (untagged) - network A VLAN 20 interface (tagged) on SFP+ port - network B VLAN 30 interface (tagged) on SFP+ port - network C VLAN 40 int...

erkexzcx

hello What is the "best practice" here? I've tried building something with the help of ChatGPT but I think I am going nowhere. I also do lack of knowledge of queues/QoS in general, so please be kind with me. 8) really? you have asked bots for your settings? 😂 I'm curious... what did the A...

erkexzcx

I have a router which has 100mbps up and 100mbps down internet. WAN port is ether10. Then I have 4 networks: A - This one should have at least 50% of internet throughput guaranteed. Maximum 100mbps. B - This one should have at least 25% of internet throughput guaranteed. Maximum 100mbps. C - This on...

erkexzcx

I've got it to work. Very confusing, but I guess it's always like that for a first timers lol. So today I learned: Untagged traffic in Mikrotik switch is considered as VLAN 0. You need to specify switch1-cpu (or whatever your switch has) to let the traffic reach the device itself, so you can access ...

erkexzcx

After a while I am back to this problem again. Let me upload a chart this time. What I am trying to achieve is quite simple: https://i.imgur.com/zcx2Km8.png For CRS3xx switches ( guide ) it's fairly easy and I got it working just fine, but I am using CRS1xx/2xx series switches ( guide ) and I need t...

erkexzcx

This does not answer the question. Show me which link shows how to pass both untagged and tagged traffic? :) Maybe this - https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_2_(Trunk_and_Hybrid_Ports) Nope, I've tried this already. This example shows 3 tagged VLANs via ether2 an...

erkexzcx

P. SWITCH CHIP VLANS https://help.mikrotik.com/docs/display/ ... p+Features https://help.mikrotik.com/docs/display/ ... switchchip other refs: https://www.youtube.com/watch?v=Rj9aPoyZOPo - Vlans using the Switch Chip https://www.youtube.com/watch?v=rvQ6o4RfnoU - Configure Vlan on Switch Chip https:...

erkexzcx

I'd like to configure VLANs using switch features (rather than bridge) for performance reasons. Configuration using bridge is pretty easy and straightforward, however, I find it extremelly difficult to configure using switch features. Here is switch ports description: eth1 - traffic ingoing from the...

erkexzcx

Also, setting up Windows 10 VPN Client can be greatly simplified. I do not know if that has something to do with different parameters in my Mikrotik setup (as described in previous post), but I was able to setup Windows VPN in more/less usual way, without re-exporting it or using PowerShell command...

erkexzcx

...and host/install a Mikrotik CHR on it.

CHR costs money and if you want it free - you are limited to 1mbps only.

erkexzcx

TL;DR Get a cloud VM with public IP, host wireguard server on it, connect to it from Mikrotik router, port forward everything from VM to Mikrotik via wireguard tunnel. Other notes: Linode provider offers cheapest instance for 5$/month and you get 4TB of monthly TX data. RX data is not counted (free...

erkexzcx

Hi. RB4011iGS+ model here with v7.1rc6 - today I wake up with internet not working. Turns out DNS not working everywhere, even in router (nslookup google.com). Querying manually on PC (nslookup google.com 1.1.1.1) also did not return anything. Like - there is no connectivity at all... But I was able...

erkexzcx

It's doable: viewtopic.php?t=169273

erkexzcx

Update device package(s) to the latest ROS7 (as well as routerboard & LET firmwares) and see if this occurs again. My Chateau 12 was unusable for about 6 months until latest update fixed configuration wipeout on each boot.

erkexzcx

If the device that is losing settings is running RouterOS 7.*, update to the latest version from the development branch. It has fixed my issue where config were completely wiped out during each restart.

If you are RouterOS 6.*, please contact Mikrotik Support regarding this issue.

erkexzcx

OMG this beta release fixed SUP-44801 ( Chateau 12 loses configuration on each reboot ) issue!!!!!!!!!!!!!! Glad I did not return this device to the seller for warranty reasons:))) When did you have that issue? Only with firmwares v7.1*, I suppose... I've had this since "18/Mar/21 3:12 PM"...

erkexzcx

I was unable to upgrade LTE firmware on my Chateau 12 v7.1rc5 CLI (rebooted and like nothing happened). https://wiki.mikrotik.com/wiki/Manual:Interface/LTE#Modem_firmware_upgrade However, it succeeded when using WinBox GUI, clicking on interfaces -> lte1 -> upgrade firmware. So in other words, all g...

erkexzcx

OMG this beta release fixed SUP-44801 (Chateau 12 loses configuration on each reboot) issue!!!!!!!!!!!!!!

Glad I did not return this device to the seller for warranty reasons:)))

erkexzcx

This is classic example of what most of small business needed during the corona virus lockdown. There are few tips I can give you: Go with the easiest way (if possible) - simply setup any popular cloud storage service (Google Drive, OneDrive, DropBox, Mega etc). If above not possible, check if NextC...

erkexzcx

Hello, Basically I have zero knowledge about DSL (I live in a country where DSL is not used like at all), but I will be setting up the network where DSL is used. Can I purchase "DSL to Ethernet" adapter from Amazon/Ebay/AliExpress and it would simply work? How does router/modem, connected ...

erkexzcx

Why don't you setup CHR yourself in any cloud provider? It's simple.

I've been able to successfully setup CHR in Linode. https://wiki.mikrotik.com/wiki/Manual:CHR_Linode

erkexzcx

viewtopic.php?f=23&t=175656

You're welcome

erkexzcx

Out of curiosity - when does the Mikrotik is planning to release v7 as stable?

This is great that you are working on new features, but isn't it better to completely stop for now, focus on bug-fixes only and finally release v7 as stable?

erkexzcx

I am probably out of the loop and/or just struggling to understand why would someone need ACME on Mikrotik router? Using webUI to manage Mikrotik? Instead one could use WinBox. Do not trust included encryption of WinBox protocol? Just configure all remote Mikrotik routers to be reachable via VPN onl...

erkexzcx

Maybe something like this?

erkexzcx

My questions is: how can I pass ALL traffic through the tunnel, EXCEPT all traffic meant for 192.168.x.x? I would probably something like this: /ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=unmarkable_nordvpn passthrough=yes src-address=192.168.x.x /ip firewall...

erkexzcx

Could this really be the only difference between the 2 methods? Basically both methods are the same and works the same. Except the killswitch - it cannot use connection marking therefore there is difference is between src/dst. If you ignore killswitch part, it should be practically the same (as lon...

erkexzcx

Noone mentioned my guide?

viewtopic.php?f=23&t=169273

The only reason why NordVPN could be slow is because MSS/MTU size issues. All mentioned in the guide.

erkexzcx

You are owning one of the shittiest VPNs now and crying that Mikrotik doesn't support specific VPN protocol? How about NordVPN/Surfshark? They do support lots of them, including OpenVPN TCP and IPSEC/IKE2 which works incredibly well and there is a guide too. https://forum.mikrotik.com/viewtopic.php?...

erkexzcx

Minecraft ... big ones

Try to telnet minecraft server's port. Is it connecting, rejecting or nothing happens (aka "dropping")? This might give you an idea which Mikrotik rule is rejecting traffic.

Also I am not sure about DNS servers. Tried using 1.1.1.1?

erkexzcx

I've done EoIP over IKE2. I've documented in here: viewtopic.php?f=23&t=169538

erkexzcx

split-config or like this.

erkexzcx

PureVPN doesn't even have IPSEC/IKE2 protocol...

OpenVPN is slow, PPTP is insecure, L2TP is okayish.

erkexzcx

/export hide-sensitive file=anynameyouwish As I'm a noob. it will be appreciated if you mention what your code does. In WinBox, there is "Terminal". You can also access terminal using SSH, Telnet, serial etc... After running this command, a new file called "anynameyouwish" would...

erkexzcx

These might help:

erkexzcx

Same steps for NordVPN: viewtopic.php?f=23&t=169273

erkexzcx

Create new network, setup connectivity from it as usually and use-case 1 from here.

erkexzcx

So basically you built ROS-based IPSEC/IKE2 VPN server like this: https://forum.mikrotik.com/viewtopic.php?f=23&t=175656 <-- proper implementation of Mikrotik IPSEC/IKE2 (certs-based) VPN server https://forum.mikrotik.com/viewtopic.php?f=23&t=169538 <-- Mikrotik to Mikrotik connection, in th...

erkexzcx

https://forum.mikrotik.com/viewtopic.php?f=23&t=169273 Get NordVPN or any other trusted VPN provider subscription, then 2nd method (by destination) to Mikrotik ASN: For example, Mikrotik.com resolves to "159.148.147.196". Quick google revealed the Mikrotik has it's own ASN which contai...

erkexzcx

Are you sure those games are looking for other game servers/clients in L3 and not in L2 layer? If so, L2TP is operating only in L3. If you need L2 functionality, then you might need something like EoIP tunnel on top of it.

erkexzcx

Suffice to say this is a decent link

Thaaanks! :D

erkexzcx

Here are some of my written guides. Check all of them:)

erkexzcx

I've written a guide here. See if it helps. Might be not perfect, but it worked perfectly fine for me. :)

erkexzcx

Have a read here: viewtopic.php?f=23&t=169273&p=850595&#p829817

Yes! First time seeing someone recommending my guide. :)))

erkexzcx

Can you please help me to figure this out?

Yup. viewtopic.php?f=23&t=169273

erkexzcx

viewforum.php?f=23 CTRL+F "VPN". I've written at least 3 VPN guides, 1 of them is mostly what you are asking - connecting 2 mikrotik routers.

erkexzcx

2) Perhaps have some scripts on the Mikrotik running to "check" if your Pi-hole can still resolve ? Sort of a "backup" plan, unless you have perhaps 2 Pi-hole devices running on the network? There are several posts on the forum concerning this. Here is the code that automaticall...

erkexzcx

I changed this to a more secure passphrase when entering the command in the terminal for Home client 1. Is it necessary to be secure? Or can I just use what you have used as a passphrase? You can avoid having password at all, but I've heard rumors that it's impossible to import pkcs12 keystore into...

erkexzcx

When importing the cert. into the android device, it's asking for a password? Step 3. What password is it that I need to enter? /certificate export-certificate "Home client2" file-name="Home client2" type=pkcs12 export-passphrase=1234567890 Note "export-passphrase=123456789...

erkexzcx

ipsec,error no policy found/generated Can you elaborate on your OS/vpn client? Did you perform client steps as per instructions? https://forum.mikrotik.com/viewtopic.php?f=23&t=175656 :) Maybe someone could comment on ROS part - I do have a feeling that it has something to do with either miscon...

erkexzcx

I've wrote several guides - you might find some guidance there. :)

erkexzcx

My PC can ping 10.0.0.1 and 90.90.90.1 but can't ping laptop. Router can ping both. It's because you have the following rule in your router that allows to ping it from literally any IP: /ip firewall filter add action=accept chain=input comment="Allow ICMP" protocol=icmp OVpn pool - 10.0.0...

erkexzcx

So you have a VPS and you have a "MicroTik" router. What you specifically asking is VPN... :D Something like this, except you will be using Strongswan for IPSEC/IKE2 VPN protocol: https://forum.mikrotik.com/viewtopic.php?f=23&t=169273 https://forum.mikrotik.com/viewtopic.php?f=23&t...

erkexzcx

Consistency

erkexzcx

@shahjaufar Windows are unable to find the certificate that could be used to connect to your VPN. You either did not import P12 (cert+CA) to Windows certificate store, or imported to a wrong directory? Also, did you generate & export client certificate from Mikrotik router as per my instructions...

erkexzcx

Isn't this what you are basically trying to achieve? https://forum.mikrotik.com/viewtopic.php?f=23&t=169273 Regarding routes, I believe you need to use different routing tables. In Mikrotik the functionality can be achieved by using "routing mark" or something like that. Also there is ...

erkexzcx

Exactly what you are looking for: viewtopic.php?f=23&t=169273

Surfshark steps are almost identical. Link is also there.

erkexzcx

Does any of these help?

erkexzcx

Check if any of these helps:

erkexzcx

1. You're welcome: viewtopic.php?f=23&t=169273
2. You can have max 5 (or 6, can't recall) simultaneous connections to different NordVPN servers. It will not allow 2nd connection to the same server.

erkexzcx

Let me ask you something offtopic - why OpenVPN? It's slow...

I've wrote guide some time ago a tutorial of IPSEC/IKE2 VPN with certificates for remote access. Slightly slower than Wireguard, but very well supported VPN type.
viewtopic.php?f=23&t=175656

erkexzcx

There are few things that might confuse you: There are 2 types of PoE - one is passive , and the other is 802.3af/at . Passive PoE is 18-28v and 802.3af/at is 48-57v. Switch will automatically detect if device supports PoE. This switch/router comes with 28v power supply, so out of the box your 802.3...

erkexzcx

Few thoughts:

Isn't that suppossed to work only with HTTP traffic and not with HTTPS?
You did not port fotward 443 (HTTPS) traffic, only 80 (HTTP). Most sites use 80 to simply redirect to 443 and serve websites only on 443 port.

erkexzcx

Not really related, but If you have RPI or some Linux server in your network, you can try to to assert dominance for 22 port in the "is it vulnerable?" world - https://github.com/skeeto/endlessh.

erkexzcx

Added this note to the main post: Note 2: You might be able to route all traffic of the company, but you might end up routing 30-40% of the websites under NordVPN if company uses popular hosting, e.g. Amazon AWS or Linode. For example, Mikrotik.com resolves to "159.148.147.196". Quick goog...

erkexzcx

Let me introduce IPSEC/IKE2 protocol to the VPN zoo... :D Let's see what VPN companies say about IPSEC/IKE2?

AES with 256-bit keys, which is recommended by the NSA for securing classified information, including the TOP SECRET level.

BOOM, clear winner.

erkexzcx

I've updated few steps and done general cleanup. /ip firewall raw add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic I cannot get this to work, even with simple "add action=notrack c...

erkexzcx

I wrote this today: viewtopic.php?f=23&t=175656

erkexzcx

Looks like Windows simply sucks. It is possible to indirectly point to which certificate for which profile to use. I've documented it here: viewtopic.php?f=23&t=175656

erkexzcx

Because I've spent hours trying to understand all the details I need to get this working perfectly, I've decided to share the information so you don't have to waste your time. Most common use I can think of: access your home network using the most secure (sort of), fastest and well supported method ...

erkexzcx

A bit non-Mikrotik question, but I can't understand why my Windows 10 PC is not using a correct certificate when connecting to my Mikrotik router. I have 2 identical Mikrotik routers at 2 different locations. They both have public IP and that's pretty great since once I get something to work on any ...

erkexzcx

Maybe someone could clarify this, but if I am not mistaken IPSEC is policy-based while OpenVPN is routing-based (has it's own interface and internal IP). I think you should start by looking into "/ip route" or OpenVPN routing settings. I never set up or used OpenVPN on Mikrotik routers, so...

erkexzcx

Check out my guide: viewtopic.php?f=23&t=169273

erkexzcx

My personal opinion - here is the best learning material I've found/used https://mynetworktraining.com/ (same guy has pretty much all courses in Udemy).

I don't like reading hundreds of pages books. :) I am visual learner.

erkexzcx

Hi, Try to move below rules to the top and try again. Kill NordVPN IPSEC connection, clear conntrack list and try again. add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordV...

erkexzcx

Sounds like you want to create a bridge out of 2 ethernet ports - first one is WAN, second one is pfsense. Do not assign any IP for such bridge. If you don't use bridge firewall in Mikrotik, then Mikrotik will not analyze traffic at all. Your pfsense will become "main router". Correct me s...

erkexzcx

but what about multiple exceptions? Honestly I don't know. If I were you, I would just do something like this: /ip firewall mangle add action=mark-connection chain=prerouting dst-port=80,443 new-connection-mark=novpn passthrough=yes protocol=tcp /ip firewall mangle add action=mark-connection chain=...

erkexzcx

Does something like this do the trick?

/ip firewall mangle add action=mark-connection chain=prerouting dst-port=!80,443 new-connection-mark=under_nordvpn passthrough=yes protocol=tcp

erkexzcx

viewtopic.php?f=23&t=169273

erkexzcx

Graphical scheme would be appreciated. :) I want to attribute the B1 to a server behind the rb4011 without nat Let's say you have ether1 port dedicated for WAN and ether2 dedicated for your server. Create bridge in your Mikrotik router and add eth1 and eth2 interfaces. Consider your created bridge a...

erkexzcx

Not sure what is exactly you are asking.

erkexzcx

Is this router meant to be this difficult to set up? I set up "a lot" of routers. To be honest, I don't really understand what's the point for Mikrotik to provide "Quick settings" in the first place. Remove all the default configuration (reset the router with "remove-defaul...

erkexzcx

but not really new in networking in general so to speak There is no need to ask here then :) Look at the price and at the specs in Mikrotik website and this is all you need to know. Also I am a fan of RouterOS, but that's just personal. EDIT: Even 16eur Mikrotik routers have full capabilities with ...

erkexzcx

Did you even port-forward your NVR ports? I don't see any dstnat rules in your config.

normal dynamic public ip

You are using "/ip cloud" instead of WAN IP, right?

erkexzcx

viewtopic.php?f=23&t=172380

erkexzcx

Can anyone elaborate how UFW blocks WinBox? You mean UFW also blocks OUTPUT chain too?

erkexzcx

Why not the other way around? Connecting to Mikrotik router to write/read config/data?

erkexzcx

Situation in Lithuania: Networking e-shop katalita.lt has the following: https://www.katalita.lt/info/search.html?q=hap+ac3 RBD53GR-5HacD2HnD&R11e-LTE6 - they have in stock RBD53iG-5HacD2HnD - they don't have in stock. Looking at centralized search (for lithuanian shops) there is only one result...

erkexzcx

TIL: I can close tabs in browser with a middle mouse button. Thanks, but this is totally not needed for WinBox.

erkexzcx

viewtopic.php?f=23&t=169273 thank me later :)

erkexzcx

Show your firewall filter rules.

erkexzcx

I wanted to do the same. Basically you need to do majority of steps from this while having this in mind. Finally I end up with this and can't get over it (works fine on Android phone using Strongswan client, but not from Windows PC native IPSEC/IKE2).

erkexzcx

Tried disabling EoIP keepalive (in EoIP interface settings) on both sides?

erkexzcx

or at least option to reverse colors of WinBox :D

erkexzcx

I've looked at that topic too, and unless I've missed something, the responder (server) must have a public IP or port-forwarding from a public IP must be possible. So not applicable for your case. User still has to purchase VPS with public IP in order to have public IP. Linode was just an example (...

erkexzcx

Sites blocking is never going to work. At some point user will start using VPN provider and there is no way to block it (e.g. NordVPN can use 443 over TCP as well as obfuscated traffic).

erkexzcx

Just wondering what is the state of SwitchOS of Mikrotik? The last update was from 2020, and when I purchased CRS112-8P-4S-IN it came only with ROS. No option to dual boot.

erkexzcx

Did you check this? viewtopic.php?f=23&t=169538 I've got it working perfectly fine.

erkexzcx

How about going to actual official Mikrotik wiki and using guides from there? Also users in Mikrotik forum posted few as well. e.g. I created this: https://forum.mikrotik.com/viewtopic.php?f=23&t=169538 + https://forum.mikrotik.com/viewtopic.php?t=151188#p839793 One of the best guides online I f...

erkexzcx

Thanks for the solution. I'm thinking about this in a whole month. And you are right Vultr is the cheapest VPS I found so far Have you tried OpenVPN Cloud? or AWS free tier + OpenVPN Just FYI - Mikrotik ROS can be installed on x86_64 hardware, and I mean virtual machine. What I am trying to say tha...

erkexzcx

I think Windows 10 built-in VPN client still doesn't understand sha256 when doing phase 2 and modp2048 when doing phase 1. Change or add profiles dh-group to modp1024 and proposals auth-algorithms to sha1. I haven't tested it for myself, but you should try this. It logs you can see that VPN connect...

erkexzcx

See my post here.

Nothing that could help me there

erkexzcx

Let's talk about NordVPN - it allows you to unblock websites & get around throttling on any crappy ISP. :) And you can't block it.

Blocking websites is not going to work.

erkexzcx

This is what I would do: 1. Use "nslookup speedtest.net" to resolve to IP address. 2. Take a single IP address and google it. Find "ipinfo.io" website in results and check it. Find "ASHandle" value and check it. In this case I've ended up with this link https://ipinfo.i...

erkexzcx

I just created another thread in here. I've shared the configuration that works for me: https://forum.mikrotik.com/viewtopic.php?f=2&t=172558 On the other hand, I've written few guides there and there, so you can take a look too: https://forum.mikrotik.com/viewtopic.php?f=23&t=169538 https:/...

erkexzcx

I've setup IPSEC/IKE2 VPN server on my Mikrotik router. This is how I set it up: # Generate CA /certificate add name="My CA" common-name="My CA" key-size=4096 days-valid=3650 key-usage=key-cert-sign,crl-sign # Generate client and server certs /certificate add name="My client...

erkexzcx

viewtopic.php?f=23&t=169273 I think Mikrotik should pin this thread so more people can see.

erkexzcx

Decided to write a simple guide on Hairpin NAT, because quite a lot of users struggle to understand how to set it up. I am not a networking professional and I am open to any criticism on how to implement it in a better way. Official wiki page by Mikrotik regarding Hairpin NAT: https://wiki.mikrotik....

erkexzcx

I am not sure what you are asking, but you should clean it up and rebuild as per instructions here: https://help.mikrotik.com/docs/display/ ... t+Firewall

Also use this to secure your router https://help.mikrotik.com/docs/display/ ... our+router

erkexzcx

I have a very strange issue - for some reason I am no longer able access any Mikrotik websites, such as mikrotik.com, forum.mikrotik.com and help.mikrotik.com. I am also unable to fetch any updates directly from Mikrotik routers too. All other websites are loading fine, except Mikrotik's websites. O...

erkexzcx

Perform ping test from Mikrotik to 1.1.1.1. Then perform the same from your PC. Is the result almost identical?

We can't say what's wrong, unless you share your configuration with us.

erkexzcx

Your router is not mentioned here: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration So it means that you will get terrible performance. I would also suggest bypassing fasttrack (either by using "notrack" or "allowing" traffic before fastrack rule) and tuning M...

erkexzcx

After i configured the port as a access port in the switch chip , that particular port can not access the router using by winbox.

Thanks for sharing!

erkexzcx

What?

But what else is required in order for IPSEC to establish a tunnel between these two drayteks when my mikrotik is feeding one of them internet?

erkexzcx

Do you even realise what and why you are asking?

erkexzcx

You can't access Mikrotik router if it's behind NAT (which is owned by ISP).

But you can open the tunnel from your Mikrotik to VPN server, especially if you have another Mikrotik router with public IP. And I mean this: viewtopic.php?f=23&t=169538

erkexzcx

I am probably blind. Where does it say that it fails?

From my own experience - you should check logs on both sides. They might not say anything in one side, but will specify where is the issue on the other side.

EDIT: Your blurred IP is still readable :D

erkexzcx

So to clarify things up for everyone - Strongswan app on Android has no option to force ignore this constraint. In order to fix it, you must generate a new certificate for your VPN server, but this time with correct subject-alt-name . E.g. I am always using "/ip cloud" DNS to connect to a ...

erkexzcx

+1 Android strongswan client. WTF How to get rid of it.

erkexzcx

Please tell me how to correctly forward the port for example for torrent in this configuration?

1. How is it related to this thread?
2. Why would you need port forward for...torrents?

erkexzcx

Any chance to get ROS6 working on Chateau 12 router? I know this router is ROS7 only. But let's be honest - this is a bit too aggressive approach from Mikrotik to force users to use beta software in order to get it more tested and more bugs fixed in the long run. Because of some bugs that affects co...

erkexzcx

Wait until they figure out how to change MAC address. Seems they should not worry about VPNs in this case:)

Can you be more specific on what is missing in Mikrotik routers? You want to enable/disable internet access, throttle bandwidth or block certain websites?

erkexzcx

Correct regarding bridges - they are like separate interfaces. They have nothing common between them so no L2 routing between them is possible if you did not setup any exotic configurations. Instead you should probably use this: add action=drop chain=forward in-interface=bridge1 out-interface=bridge...

erkexzcx

Talking about WPA3 security: https://arstechnica.com/information-technology/2019/04/serious-flaws-leave-wpa3-vulnerable-to-hacks-that-steal-wi-fi-passwords/ As long as clients are in transitional mode, they will connect to the WPA2-only access point. As soon as that happens, attackers have the four-...

erkexzcx

What is not working is I cant access my server ip 192.168.1.10 internally but server have internet.

what?

erkexzcx

Sometimes hardware fails. What about lights on router?

erkexzcx

Try filling feature request: https://mikrotik.com/support

erkexzcx

Sorry to answer so rarely, but I can only answer in the evenings. Not everyone has all day to spend on this forum :D I can't tell what is wrong from the logs. Unless someone else has anything to add, I would say - Android's native VPN is "faulty". I've had a colleague who was having simil...

erkexzcx

That's something I learnt too. :)

erkexzcx

Seems your target destination (of your static route) is part of existing bridge. I once had similar issue and all was fixed when I enabled bridge firewall:

/interface bridge settings set use-ip-firewall=yes

It just fixed it for me. Maybe someone has better ways to fix this kind of issue.

erkexzcx

What does field "Actual MTU" shows for lte1 interface? What would happen if you set MTU to 1550 for lte1?

erkexzcx

How is Mikrotik related here?

erkexzcx

I want device in REMOTE to be on the same subnet as those in CENTRAL. I also want the device from REMOTE to go through CENTRAL to access the internet, so the last NAT is done at CENTRAL. Correct me if I am wrong, but all you want is to add EoIP interface to a LAN bridge on each router, mark it as &...

erkexzcx

On the positive side, everyone who purchased Chateau12 is stuck with ROS7 only. To be honest, for home or small office, ROS7 is perfectly fine.

Netinstall should still work tho.

erkexzcx

I suspect your Android device and Mikrotik does not have overlapping ciphers. Anyway, enable "ipsec" logging in Mikrotik settings. Then try to connect using Android phone to VPN on Mikrotik router. Provide us logs. You should be able to see additional tag "debug" next to "ip...

erkexzcx

You should learn how to write your questions in a more organized way. Code formatting is also a thing (useful for displaying a logs). If you want different policies for specific clients, then you should properly setup remote-id matching as well as specific mode configs and policies. I've done simila...

erkexzcx

Did you check threads like this? viewtopic.php?t=153546

erkexzcx

Looks like either RouterOS crashed and rebooted (not sure if router reboots in this case, probably due to watchdog), or there was power issues. Maybe PSU is having issues, or your power supply had issues. I closed all the IP services except Winbox Did you whitelist access to router? Hopefully winbox...

erkexzcx

A bit hard to recommend. 5G is not supported by Mikrotik, so LTE is the only option. Also Mikrotik support for OpenVPN is kind of "meh" (OpenVPN UDP is only supported in ROS7 which is beta, only TCP mode in ROS6). Would highly recommend sticking to L2TP/IPSEC or IPSEC/IKE2 instead. If you ...

erkexzcx

Does your VPN provider support IPSEC/IKE2? If so, you can configure using this guide: viewtopic.php?f=23&t=169273

I haven't got a chance to play much with PPTP and not sure if I ever will because this protocol is very unsafe.

erkexzcx

Using same certificate might work..? If you ignore remote-id if I am not mistaken. Then VPN server cannot identity any of your client who is who, so just assigns random IP from the pool. Anyway, it's better to generate a separate certificate for each client and select "match-by=certificate"...

erkexzcx

Few ideas on what's wrong: Netflix detects when you are running through VPN server. It detects when you are using non-residential IP. Netflix has more domains. Not just "netflix.net". You need to route all such traffic using VPN. Not sure, but I think "content" parameter in Mikro...

erkexzcx

Not sure if you know anything about networking.

Just get a VPN subscription from a VPN provider, like NordVPN. See if it fixes the issue.

erkexzcx

ipip tunnel still not working wihout disable keepalive When I wrote https://forum.mikrotik.com/viewtopic.php?f=23&t=169538 I was using ROS7 as a VPN client to ROS6 VPN server. EoIP did work, but was silently flapping leading to random disconnects from online multiplayer games. Disabling keepali...

erkexzcx

Can you use netwatch as a workaround for this (using any internal IP of wireguard)?

erkexzcx

This router is so good, I'm really glad I bought it despite of my initial concerns.

Kinda the same here. Thanks to my previous job I had to deal with Mikrotik routers. They significantly boosted my understanding of networking. :)

erkexzcx

Drops every 2nd packet when user pings to 95.217.228.176:

/ip firewall filter add action=drop chain=forward dst-address=95.217.228.176 nth=2,1

erkexzcx

Not what you are asking, but it might give you some hints: viewtopic.php?f=23&t=169538

erkexzcx

Thanks for all the input! I've updated instructions accordingly.

erkexzcx

This sounds like a Telia router in Lithuania, isn't it?

erkexzcx

I would say the opposite - better focus on other, more imporant things and release a stable ROS7. OpenVPN should start to die. It's one of the slowest VPN protocols. Instead, pick L2TP/IPSEC, IPSEC/IKE2 or Wireguard as an alternative as these are industry standard VPN protocols. OpenVPN has insanely...

erkexzcx

@msatter - thanks for your input. I don't actually see it as a improvement to my given guide. I mean it does work, but using simple a mangle rule is a more dynamic way of dealing with VPN traffic. e.g. in address-list I gave domain which is being resolved by Mikrotik router. If it's updated, then it...

erkexzcx

No, it does not depend...

You need to configure your router the same way you configured previously for your current ISP.

erkexzcx

Try following this guide: viewtopic.php?f=23&t=169273

EDIT: You may need to reduce MSS size and exclude such traffic from fasttrack. Everything is mentioned in the above guide.

erkexzcx

With use case #2, how to killswitch websites like youtube.com that with multiple IP address? You can't, because: Note: You can't effectively route all the traffic of Youtube, Netflix or any other big websites through VPN. They have many different domains and IP addresses which constantly change. In...

erkexzcx

How about this? # Add both WAN interfaces to interfaces list. /interface list add name=WAN /interface list member add interface=ether1 list=WAN /interface list member add interface=ether2 list=WAN # Add this script to your Mikrotik router. /system script add name=dhcp_client_script source=":if ...

erkexzcx

if you enable "ipsec" debug logging in both Mikrotik and OpenWRT, what does the log says?

erkexzcx

viewtopic.php?f=23&t=169273

You're welcome.

erkexzcx

Post a movie

Done. I've updated initial comment.

erkexzcx

1. on both Router A and Router B, you have a NAT rule, like below, why we need this rule: /ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1 place-before=0 Ping to internal IP (10.22.22.2) from Router A did not work without this rule, so I added it. 2. I...

erkexzcx

Since this router does not have beeper and you can't play songs on it, but it does have controllable LEDs, so you can give it some Christmas vibes. Video: https://i.imgur.com/8380H4K.mp4 ( imgur post ). WARNING - High amount of sector writes. It will eventually kill your flash storage with the time....

erkexzcx

Backup & Restore always sucked for me. Always use export & restore. Most of the config appears to take except there's no DHCP server set and the network settings appear to be missing I would say remove such lines from the exported config try again? Then connect using MAC address. /tool bandw...

erkexzcx

Sob he already had the default rule in place........ (but I much prefer the cleaner rule you suggested) add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT Why would...

erkexzcx

A bit offtopic, but you should all be aware of this: https://stackoverflow.com/questions/149 ... -with-zero

erkexzcx

Before someone helps you, i will give you some hints on where to look at. I've written few guidelines here and here on how to connect Mikrotik router using IPSEC/IKEv2. You have have an idea how configuration looks like and what steps you should take (e.g. exclude from fasttrack, add NAT, optionally...

erkexzcx

Aren't traffic, which is coming from the VPN clients, picked by these rules? Technically, connections are coming from WAN interfaces. /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN /ip firewall filter add action=drop ch...

erkexzcx

if anyone can shed some light or some thoughts on this that would be great. Either you enterred incorrect username/password, or someone has changed username/password which means someone else managed to access Mikrotik device. Instead of creating a new account, put a stronger password for "admi...

erkexzcx

Is it possible that user when connects with remote access VPN to access network resources on remote site?

Yes

erkexzcx

This might help: viewtopic.php?f=23&t=169538

erkexzcx

They have many servers, some of them gets DDOS'ed, some of them get's reconfigured or decommissioned. You likely need to switch to any other server. I've written more complete guide for NordVPN because some steps were missing in official guides: https://forum.mikrotik.com/viewtopic.php?f=23&t=16...

erkexzcx

So what is the question?

erkexzcx

but will the wireless device automatically switch to the strongest signal?

+1 also interested.

erkexzcx

Try following this instead: viewtopic.php?f=23&t=169273

erkexzcx

Version is latest on both devices. There are RouterOS 7 beta, and RouterOS 6 stable... Anyway, I assume you are using ROS6. What would be the correct way to transfer all configuration This way: # 1. Export configuration from old router: /export file=myfile # 2. Download myfile.rsc to your computer....

erkexzcx

I am still wondering given all the options of the OS why this should be so hard to do. I am trying to be helpful, but you clearly did not do enough research on your own. This is very wide topic on the internet, especially on the pi-hole forums. See https://discourse.pi-hole.net/t/how-do-i-block-ads...

erkexzcx

I transferred all the settings that was on Ac2 5 ghz wifi to Ac3 5 ghz wifi but this thing simply don't work ok Just a question: How did you transfer those settings and what RouterOS version you are using? Did you transfer configuration by a backup or export? I've had issues with backup&restore...

erkexzcx

Stupid question, but how does router know to which IP address to resolve cloudflare-dns.com domain, if you use only DoH?

erkexzcx

Allow access to 172.18.0.1 in Mikrotik firewall from your LAN. This means you need to edit existing firewall rules. Add DST-NAT rule in Mikrotik so when reaching 172.18.0.1 your src-ip is rewritten to 172.18.0.3. Also your configuration is questionable in overall, but above solution should work.

erkexzcx

How would I do this best and with as simple as possible a solution?

Buy Youtube premium.

What you are asking is not possible and totally unrelated to Mikrotik.

erkexzcx

Aren't you supposed to specify out interface for it?

/ip firewall nat
...
add action=masquerade chain=srcnat

erkexzcx

Could it be related to software installed on the PC (virtualization systems, etc.)?

How each virtual machine gets IP addresses? From the router?

erkexzcx

According to your issue(s) description - you are not having any issues.

erkexzcx

How did you import certificates? Do you have CA? Did Mikrotik import private key? Double check:

/certificate print

erkexzcx

Enable ipsec logging and show full log when attempting to connect from smartphone:

/system logging add topics=ipsec action=memory

erkexzcx

Answer is: No I did not manage to send directly from Mikrotik, because "fetch" tool does not support sending files. I managed to send using Raspberry Pi: Generate SSH keys on raspberry Pi and its upload public key to each router. Then pretty much use this bash script: #!/bin/bash ROUTER=$1...

erkexzcx

Your device is fine. It will work. Since you want encrypted tunnel to your home, I would suggest picking a router with IPSEC hardware acceleration, something like HAP AC2 would be great because it's cheap and supports both 5ghz/2.4ghz wifi. Everything else that you mentioned is possible. Even if you...

erkexzcx

Since you've tried already (I assume), which part do you think is failing/not working?

When I started learning about IPSEC the only way to move forward was to enable ipsec logs in both Mikrotik routers and see what is actually failing or happening.

Can you show us some logs/configuration exports?

erkexzcx

So how can I do to make the two microtiks communicate directly without NAT.
I need to connect the two VLANs as well.
There's a way?

I've done this. In both ends EoIP interface is added to main LAN bridges and basically LANs are connected.

erkexzcx

Maybe this could help? Not really what you are asking, but you might get some hints.

erkexzcx

Sorry for hijacking thread, but for those who use PWR-LINE PRO - do you get additional latency? I've never used EoP devices before.

I've heard stories that when using such devices you might get somewhat 30ms latency, even tho internet connectivity is rock stable. Just want to hear if it's true.

erkexzcx

Should I want to reverse this, what would be the code? You should not copy/paste code given by the stranger to your Mikrotik router and expect it to work. This means you should understand what those commands do and how to undo them. Hopefully you are using Winbox. WebFix is also an option, but I fi...

erkexzcx

I would also like to add that Mikrotik is not that messy. Obviously not perfect, but it isn't that buggy as users say. Pretty much sums up to this: Users: I want to do something with Mikrotik that I barely understand. Also users: Mikrotik is buggy I mean you are dealing with enterprise-grade equipme...

erkexzcx

I confirm that beta3 fixes this issue.

erkexzcx

+1 interested in more information about it. From my understanding, queues are great when there is constantly not enough bandwidth for everyone, so someone always has to wait for other users to finish transmitting data. Queues would help because everyone will get fair amount of time to transmit data,...

erkexzcx

https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

Either ask something more specific, or that's all we could help.

erkexzcx

Yes, they are called virtual machines and CHR images.

There are some other options as well.

Hopefully your router has already arrived. :)

erkexzcx

First, you need to realise the networks you specified. The range "157.175.0.0-157.175.255.255" is the same as network "157.175.0.0/16". On the other hand, Mikrotik does support ranges (just do not use spaces). Make address list out of them: /ip firewall address-list add address=1...

erkexzcx

Please use this for code. Helps if you want to receive help faster: [code] my code goes here [//code] I have few questions: Why would you need Mikrotik router for your setup in the first place? You are using modem, which means you don't have public IP (aka "direct access"), right? Why is y...

Search found 263 matches