MikroTik

DarkNate

It's likely your firewall misconfigured.

Use my firewall which I tried my best to conform to various IETF specs, built from scratch: viewtopic.php?f=2&t=172360

DarkNate

I have fully built IPv4 and IPv6 firewall with IETF spec in mind + CPU optimisation.

Check here: viewtopic.php?f=2&t=172360&p=842544#p842544
And here: https://www.reddit.com/r/mikrotik/comme ... rent_ietf/

DarkNate

BTW, the copyright needs to be updated for 2021... It still reads: MikroTik RouterOS 6.48.1 (c) 1999-2020 http://www.mikrotik.com/ (And when you are at it... How about changing the url to https?) They have enabled HTTPS overwrite on their domain, technically it wouldn't matter. But you'd expect a &...

DarkNate

MikroTik's IPv6 is lacking. Consider using VyOS instead. We can't even NPTv6 in MikroTik let alone go with advanced setups for an ISP.

DarkNate

and, no, i don't want any other answer straight one, meaning of word stable is ... Stable is don't be a pussy man! Stop complaining, you'll better send a bug report. Send a bug report? Are you new to MikroTik, users both home and professionals have been reporting various bugs for decades and MikroT...

DarkNate

BTW, the copyright needs to be updated for 2021... It still reads: MikroTik RouterOS 6.48.1 (c) 1999-2020 http://www.mikrotik.com/ (And when you are at it... How about changing the url to https?) They have enabled HTTPS overwrite on their domain, technically it wouldn't matter. But you'd expect a &...

DarkNate

This is why I'm going full x64 Zen3 in the near future with VyOS as my network OS choice. Slap some 10G NICs and it'll outperform RouterOS like eating a piece of cake.

DarkNate

EDIT: I have updated my post with new rules/changes based on the input I received here: https://www.reddit.com/r/mikrotik/comments/ld390x/is_my_firewall_config_uptodate_with_current_ietf/ So I referenced from MikroTik's new 2020 dated documentation domain/site and built the IPv4 and IPv6 firewall fr...

DarkNate

Problem also remains in this version. Edit by moderator: Please DO stop posting and quoting same set of quotes of quotes. You have been already warned. It is users' forum, not Mikrotik's stuff one. Send e-mails directly to support. I'm sorry, but I've no idea which moderator made this edit so I can...

DarkNate

Problem with DoH was not fixed ?! omg

Use a separate device. I use a Pi, with dnscrypt-proxy running for DoH and Pi-Hole as the DNS Sinkhole. Uptime more than 8 months excluding updates/firmware patches/reboots.

DarkNate

Great, thank you, this solved it for me I did: /ip firewall address-list add address=10.0.10.0/24 comment=RFC6890 list=rfc6890 add address=10.0.20.0/24 comment=RFC6890 list=rfc6890 add address=10.0.30.0/24 comment=RFC6890 list=rfc6890 add address=10.0.100.0/24 comment=RFC6890 list=rfc6890 add addre...

DarkNate

Create an RFC6890 based address list, then give a !rfc6890 dst-address-list in each of the mark connection mangle rules. Problem solved.

DarkNate

It runs from a browser exploit which has now been patched. I decided to leave the helpers on.

DarkNate

hAP ac lite is a weak device. I'd personally do a clean netinstall of the latest stable RouterOS and set up from scratch again with optimised firewall rules/hardware offloading/optimisation configurations.

DarkNate

RB450Gx4 can "just" do 1G routing. I'd suggest something like the RB3011UiAS-RM or the RB4011iGS+RM for some futureproofing.

DarkNate

This might help you: viewtopic.php?f=13&t=171044&p=836112#p836018

DarkNate

It's the last time I wrote about some quirks in the configs. An "Oh yeah we forgot about this since we set it like this ages ago, we'll maybe take a look on this to improve the behaviour since it might have not been the best call back then" would've been a little better than "set it ...

DarkNate

I know i am at dual nat state. From the ISP side is not possible for a pppoe connection. Also the CPE manages the Voip telephony so my only option is connecting with just an IP. Is there any way to manage or handle the dual nat problems? btw how does the above config distributes the connections? Is...

DarkNate

as far as I among other folks on this topic have checked recursive route for the purpose of failover does not come along with PCC load balancing if two or more route marks are being used.

I use PCC+Nth mangle load balancing + recursive routes just fine. I've shared the config in previous posts.

DarkNate

You're in a double NAT situation. Ask the ISP to bridge the CPE. Then establish PPPoE at the router level. That's is the right way to do it.

Double NAT will create all sorts of weird issues for obvious reasons.

DarkNate

Hi there, Wait, what? If ISP1 fails, all clients can still reach 8.8.8.8 & 1.0.0.1 via ISP2. The routing table will automatically drop those dead ISP1 routes including the custom route for 8.8.8.8 & 1.0.0.1 which is routed via ISP1's interface, the routing table would fall back to the "...

DarkNate

Ok, support response is: "RouterOS simply allocates 20 bytes headers. You can manually set the MTU and MRU values for the interface if other values are suitable. There is no need to increase the MTU on the ethernet interface." So they won't do anything about it. "What about the users...

DarkNate

What? IPv6 was designed with SLAAC in mind, there's absolutely no NAT or ugly hacks needed with a proper prefix delegation from the upstream provider. Unless you have an upstream provider like mine who blocks ICMPv6 and breaks MTU along with a garbage single /64 prefix. What "what"? :-) Y...

DarkNate

I fail to understand why some people choose to use IPv6 for internal networking, stick with IPv4 for internal networking (which includes the DNS stub resolver), I mean IPv6 was created to restore the end to end principle and not as an alternative to IPv4 internal networking. You got the right idea....

DarkNate

Caching proxies in 2021 with most websites running TLS nowadays, is... oxymoron.

Web Caching proxy tools still exist in 2021? Crazy.

DarkNate

Yeah, so really, there is no problem with RouterOS's approach to IPv6 DNS, you can use the stub resolver, or you can use direct public resolvers on a per-client basis Well, if the clients are IPv6 only, there will be no fallback to IPv4 DNS for them. or even like I do... Simply re-direct to a DNSSi...

DarkNate

Obviously. But again, what you are doing is not equivalent to what I am doing, is it? I totally agree that this is all a delicate trade-off balance. In your solution, if ISP1 fails, attached clients have no way to reach 8.8.8.8 or 1.0.0.1. This is avoided in my solution at the price of slightly mor...

DarkNate

If the "Advertise DNS" flag is disabled, the client devices will end up using the stub resolver on RouterOS. How would they know to use it? What do you mean "how"? If the flag is disabled, client devices will automatically fall back to the IPv4 DNS address that was originally ad...

DarkNate

Aaand hello again, I have been able to piece the puzzle together. So if I understand correctly (and at the very least, things seem to work on my router with this setup), this is what needs to be done to be able to have multiple canary hosts AND PPPoE. I'll use 1.1.1.1 and 9.9.9.9 as canaries here, ...

DarkNate

If the "Advertise DNS" flag is disabled, the client devices will end up using the stub resolver on RouterOS. How would they know to use it? What do you mean "how"? If the flag is disabled, client devices will automatically fall back to the IPv4 DNS address that was originally ad...

DarkNate

RouterOS does it a bit odd. If "Advertise DNS" flag is enabled in ND, it will advertise all/any IPv6 addresses set in the IP>DNS fields, whereby the client devices would directly be communicating with said addresses bypassing RouterOS's stub resolver completely. If the flag is disabled, th...

DarkNate

Hi again, also... A different question here... #Then create a separate route for each of the "gateway" themselves, in my case using the PPP profile hack I just realized I don't understand this hack. How do you "copy" a PPPoE profile? Cheers, Toby. https://forum.mikrotik.com/view...

DarkNate

Hi, Yep, generally that's how it works. If you need the router connectivity - you should either create a rule for its traffic to go to 'exit' table, or add default route(s) to 'main' table. Cool, THX. So then for the record this is my minimal working example that does failover with high-availabilit...

DarkNate

Load Balancing three WANs? Easy add action=mark-connection chain=prerouting connection-mark=no-mark \ in-interface=pppoe-out1 new-connection-mark=ISP1_conn passthrough=no add action=mark-connection chain=prerouting connection-mark=no-mark \ in-interface=pppoe-out2 new-connection-mark=ISP2_conn passt...

DarkNate

I'll wait from support, the behaviour ain't quite right.
Any user that has a pppoe-client as WAN out there is using a 12 bytes lower MTU than his provider supports, if everything is left to auto/defaults that is.

That is also correct. Do keep us updated.

DarkNate

Ok, I think I've figured it out where the bug might be, hope support confirms / fixes this. I've took some captures from the ethernet interface while connecting the pppoe-client and while watching them in Wireshark I saw something in an area to which I didn't pay much attention earlier (protocol re...

DarkNate

I wrote to support about this anyway, I had good results with support in the past, the issues reported were fixed. Let us know, 12 bytes going to thin air isn't possible. Someone suggested it's "padding" exclusive to MikroTik which happens to be undocumented. Perhaps you can help this gen...

DarkNate

It totally stinks and that's great. I hate these broken MTU promoters. My primary uplink provider still caps MTU at 1460 on their so-called "next-gen" fibre infrastructure. Some people never graduated 1500 ethernet MTU basics. If you have a better way given the conditions of reduced MTU a...

DarkNate

Regarding the MRU, no, here it shows only 1492 (max-mtu/mru both unset / auto) but I'll stay with 1520 in case the ISP decides to implement RFC4638 anyway. ppp-mtu.PNG So MRU is not always going to be supported @1500. We found here in my country that about 20+ different OLT/ONT brands have broken M...

DarkNate

That's the one I was reffering to, how and why are those 12 (apparently invisible since it works just fine with 1500 and manualy setting 1492 for the PPPoE client interface) bytes getting in the picture. I wasn't referring to the max-payload packet, I was just underlining the differences there. Mik...

DarkNate

Ah, you had another post above explaining the two ISP's, I've missed it, sorry. Did some tests here, is this realy a MikroTik PPPoE implementation bug? I'll post some logs with stripped irelevant (I hope) stuff. Ethernet MTU 1500: 13:20:05 pppoe,ppp,debug,packet pppoe-wan: sent LCP ConfReq id=0x20 ...

DarkNate

My english is not so good so i wiil try to explain my plain FTTH. I plug in my fibre direct in SFP in modem.No GPON interface in front of my modem. In our contry was deployed FTTH at first but then started GPON deployment beacuse of price. SFP is BiDi 1310/1550 That SFP module is your ISP's method ...

DarkNate

Your magic orb is probably better than mine, maybe he set it to the MTU negotiated by the PPPoE interface, like I wrote on the other topic :) PS: your screenshots kinda proove that your ISP has RFC4638 implemented, otherwise it wouldn't negotiate 1500 MTU on your PPPoE interface. Why do you state t...

DarkNate

Again, not even here he didn't went with 1280. Read: https://forum.mikrotik.com/viewtopic.php?f=2&t=169757#p831468 The marked "solution" which stinks was not applied. It totally stinks and that's great. I hate these broken MTU promoters. My primary uplink provider still caps MTU at 14...

DarkNate

How do you know that he forced 1280? This is how: https://forum.mikrotik.com/viewtopic.php?f=2&t=171390#p838047 Updated my post with screenshots: https://forum.mikrotik.com/viewtopic.php?f=2&t=171390&p=838089#p838089 Anyone with basic knowledge and fundamental understanding of MTU and M...

DarkNate

Set your IPv6 MTU to 1280 and see if that solves the issue as there are places on the internet that are still 1280 for IPv6. If that resolves it, you can slowly raise it until things break again to understand what your effective MTU is. https://blog.cloudflare.com/increasing-ipv6-mtu/ ICMPv6 is the...

DarkNate

Connection to ISP is fibre. It is not GPON. It is plain FTTH. Bruh, FTTH is Fibre to the home, what in the world is "plain" FTTH? Unless you live right next to AT&T's NOCs, it is a PON, no way your ISP can afford AON to millions of customers. It can be GPON or EPON or XG-PON or XGS-PO...

DarkNate

Set underlying ethernet interface actual MTU to 1520 (value is this high because MikroTik seems to require undocumented padding for PPPoE on layer 2.5, in normal cases of course 1508 is sufficient) and L2 value must be greater than that to ensure VLANs works well, 1598 is good enough. Now in the PPP...

DarkNate

we are waiting for 6.48.5 .. stable release is beta channel Agree, The "stable" channel should be called Beta. Although v6.48 is perfectly stable for my RB450Gx4. I agree with you and the other members here. Eventually, I will be forced to move to a different vendor with a more reliable &...

DarkNate

Add these at the top of the rules but below the WAN rules (marks for incoming connections through WAN) add action=mark-connection chain=prerouting comment="Force aslanbdb's iPhone X to ISP2" connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface=brid...

DarkNate

First, what is "Fibre modem"? Check here: https://networkengineering.stackexchange.com/questions/64456/is-an-ont-a-modem/64461#64461 Second, make the WAN interface as null in the ONT/ONU. It will automatically turn into a simple layer 2 forwarding device aka bridge mode. Assuming your ISP ...

DarkNate

Depends on your ISP, ML IIRC uses AWS. Many ISPs aren't peered with AWS. A VPN provider may fix the latency, only if the latency from your ISP to said VPN is low + VPN host is peered with AWS via their own upstream provider. A lot of factors are involved.

Just ask your ISP to peer with AWS instead.

DarkNate

I have a /16 network on internet and it gets a constant flow of 1-2 Mbit/s of this crap. I run some automatic blacklisting on that network (which is not as straightforward as you would think), and it lists 70000-80000 systems doing such scans all the time. That would be too complex for most retail ...

DarkNate

You are probably running OpenVPN or some other server. That's not a security hole if the firewall is properly configured, it's just an attempted TCP connection from those IPs. They can be bots/human attackers or researchers like Censys. I regularly get attempted "hacks" from Censys (which ...

DarkNate

Hi DarkNate, unfortunately the ISP device does not support bridge mode. I am hoping for some creative solution that will allow me to get rid of the double NAT given the plenty limitations of the ISP device. Is it PON? GPON/EPON? DOCSIS? DSL? One method to bridge is either to use an explicit "b...

DarkNate

Is NAT66 the same as NPTv6, though? I believe they are a different concept, different RFCs even. You're right: NAT66 is not the same thing as NPTv6. The Opening Post originally asked for NAT66 six years ago, but many people in this thread have asked for NPT instead. NAT66 is the stateful port trans...

DarkNate

DDoS protection at ISP level shouldn't be relying on "drop" rules, that's what we do at home.

ISPs should use more pro-grade solutions: https://security.stackexchange.com/a/134770

DarkNate

No, ROS (for now) supports only usage of /64 subnets. Ask your ISP to stop being jerks and to start to deliver at least /60 prefixes. https://www.ripe.net/publications/docs/ripe-690 : A single network at a customer site will be a /64. At present, RIR policies permit assignment of a /48 per site, so...

DarkNate

Bridge the ISP device, that will make it a simple layer 2 forwarding device. Bridge mode depends on make and model aka Transparent bridging.

DarkNate

Is your ISP using CGNAT? If they are, obviously you can't port forward. If they are not, then something like this will work: add action=dst-nat chain=dstnat comment="Port Forwarding for Local Web Server to WAN" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.8.9 to-port...

DarkNate

I have experience with this. PPPoE over IPv6 via SLAAC aka true IPv6 aka stateless aka your ISP did their IPv6 101 right. Run the DHCPv6 client to request prefix, add that to a pool, then advertise a /64 in IPv6>Address on a per-interface/VLAN basis (since you get a true /48 unlike my useless ISP wi...

DarkNate

...many thanks for your fast response! Looks like that RB450 variant comes with the same CPU and performance test results as the hap-ac2, but with much more RAM...which, economically doubles its retail price in comparison (adding enclosure and power supply). Go for the RB450Gx4, 1GB RAM + 512MB Fla...

DarkNate

Bare minimum I highly suggest this: https://mikrotik.com/product/rb450gx4#fndtn-testresults

Plenty of RAM and storage with powerful enough CPU to hit 1G as per those specs/results.

DarkNate

Same as yours:
5 sec and 1514 bytes

I wonder if those values need tweaking to give a potentially better outcome.

DarkNate

What values do you guys use for default SFQ here?

DarkNate

RB450Gx4. Smooth upgrade, no problems, no errors, nothing. Perfect.

DarkNate

On IPv6 I generally avoid NAT but see the need for NPT. However, I do actually agree that in a few corner cases NAT66 can be helpful. I would never use it to NAT users, but in one case I am using NAT66 port forward for a RADIUS IP to avoid having to manually add dozens of clients as RADIUS clients....

DarkNate

Once again, I had to change all IPv6 addresses for services on my local network because Comcast changed my /60 for what seems like the sixth time. I am quite tired of this, so this time, I defined a ULA for my local network instead of changing all of my servers' addresses and reverse DNS zones to t...

DarkNate

You can try, if it's the only l2tp connection originated by the router. Mangle output and srcnat chains are at your service. But I don't see in what way is it simpler. Yeah, so I went with the null-bridge method, it works! Basically, I created a null-bridge, then in IP>Address List I added a non-ex...

DarkNate

Two possibilities: 1) Create a loopback interface (empty bridge) and assign this random/unused address there. That should work. 2) Add a script to PPP profile used for PPPoE to update the address in l2tp-client and route rule any time it changes. Anyway, try to make it work with you current dynamiс...

DarkNate

src-address :) Just what exactly do I use for the src-address in LT2P client? Both my WANs are dynamic IPs over PPPoE. I tried using something random/unused like "192.168.3.1" but that resulted in errors phase1 negotiation failed due to send error. 192.168.3.1[500]<=>45.56.157.40[500] 2bf...

DarkNate

1) Fill the src-address field in l2tp-client. 2) Use /ip route rule (lookup-only-in-table) to force connections originated from this ip to desired routing table. ExpressVPN does not support static server IPs. They use DDNS based hostnames and the IPs change in every session. It is a commercial VPN ...

DarkNate

So I have two ISPs, both are a member of "WAN" interface lists in Interface>List. I have ExpressVPN configured with LT2P+IPSec with NAT/Policy Routing for LAN and it works as expected. But by default RouterOS picks the shortest route to establish the tunnel and that's WAN1. I've tried with...

DarkNate

Mikrotik cannot be used in enterprise. Its only for home with low-speed wan. Its too bugged and have very poor support. For example - see CCR\GRE\IPSEC saga: https://forum.mikrotik.com/viewtopic.php?t=84465 https://forum.mikrotik.com/viewtopic.php?t=87892 https://forum.mikrotik.com/viewtopic.php?t=...

DarkNate

Is 192.168.88.1/24 meant as the gateway address? It is your router's own address. The router can have multiple own addresses (usually in different subnets, and usually each subnet is attached to a different interface). And it is quite typical that router's own addresses are used as gateway addresse...

DarkNate

Wow, it's even worse - if you open the /ip address table in Winbox via IP -> Addresses, the window title really reads Address List . Shame on you, Winbox developers, for confusing people. Well, it is not wrong, but it confused me at first. Interface address list makes more sense as that section sho...

DarkNate

Check the forums, DoH on MikroTik is buggy. I stopped using it completely, plus DoH is dead anyway, we have ODoH now which is coming soon to popular stub/forwarders and you can already use some beta options: https://blog.cloudflare.com/oblivious-dns/ I use Pi-Hole for DNS Sinkholing with dnscrypt-pr...

DarkNate

Re-Check Actual MTU and L2 MTU on all ethernet interfaces/bridges/VLANs. Make sure all are the same.

DarkNate

This FailOver was public at MikroTik WIKI, now it's moved/re-write here: https://help.mikrotik.com/docs/display/ ... upOverview

@SiB

Great, now I know they reworked my article without even mentioning me... That's a bit depressing :)

DarkNate

Thanks =) I'm a bit out of networking/ISP for a couple of years already, but still doing my best to support the community :D Some of the core crucial core topics/issues are better documented by individuals like yourself than the networking company/vendor themselves. Which is funny considering they ...

DarkNate

If you're going x64, go for VyOS instead of RouterOS. RouterOS doesn't have many basic features such as NPTv6, Routing Marks for IPv6 etc and the fact that RouterOS v7 has been in development for a decade if not more. VyOS is enterprise-ready (go through their documentation and confirm yourself) an...

DarkNate

@TomjNorthIdaho was testing multi-threaded (30+), you may have seen requests for up to 200 threads (tested the same with public iPerf3 servers to detect if my ISP throttles per thread, which they do), in case your setup/logs thought it was an attacker, + have two ISPs (testing it out). My ISP's ASN:...

DarkNate

If you're going x64, go for VyOS instead of RouterOS. RouterOS doesn't have many basic features such as NPTv6, Routing Marks for IPv6 etc and the fact that RouterOS v7 has been in development for a decade if not more. VyOS is enterprise-ready (go through their documentation and confirm yourself) and...

DarkNate

I ended up ditching Queue Tree/Advanced QoS like https://forum.mikrotik.com/viewtopic.php?f=23&t=73214 completely. I use Simple queues like the following: /queue simple add bucket-size=0.01/0.01 burst-time=1s/1s dst=pppoe-out1 max-limit=205M/205M name=ISP1-QoS priority=1/1 queue=default/default ...

DarkNate

I don't remember what RB model and how fast internet connections you have, and I'm not re-reading whole thread to find out if you mentioned it or not. But generally, you want the router to do some work, so it needs some resources to do it. Dynamic routing works like this. Whether it's too much or n...

DarkNate

OP is CGNATted or double NATted themselves by not bridging the CPE.

DarkNate

Routing marks are per-packet. If you want them routed the right way, you have to keep marking them. So high CPU usage all the way through and through, at the most, I set passthrough=no for all routing mark rules. So no work-around I guess to reduce CPU usage? Overall my tweaked rules over the month...

DarkNate

Well if you were using this as a guide... (and that guy is brilliant)........ https://www.youtube.com/watch?v=67Dna_ffCvc your outgoing mangle rules are not correct. Other than that, above my head. The video is of bandwidth-based load balancing, per interface. I ain't doing that. I use PCC+Nth comb...

DarkNate

@Sob hopefully you can see this. So after months-long testing, I have come to one conclusion, the following rules are constantly "marking the route" even for already marked/routed connections and hence leads to increase CPU usage, over 50% CPU usage when I'm downloading/uploading with 30 T...

DarkNate

It's simple, like this:

add action=mark-connection chain=prerouting comment="Force Pi to ISP1" disabled=yes dst-address-type=!local dst-address-list=!not_in_internet in-interface=LAN new-connection-mark=ISP1_conn passthrough=yes src-address=192.168.88.91

DarkNate

If you're behind a CGNAT. The only way would be to use NAT punching with TCP/UDP (unreliable on some ISPs due to short timeout of UDP streams) from the end-customer's side. Example ngrok, OpenVPN etc. Any protocol that needs a real public IP address port forwarding will never work: https://en.wikipe...

DarkNate

So inside each PPP profile there's a "On Up" and "On Down" field to write a script. So I have two ISPs, both PPPoE clients. So I use the "On Down" field to send an email when the link is down like this: /tool e-mail send to=example@gmail.com subject="MikroTik"...

DarkNate

You're Indian, I'm Indian, so I can be of more help in the context of Indian ISPs. Did you bridge ACT's ONT/Router if any? Did you bridge Airtel's ONT/Router if any? Is your Tik handling both ISPs completely? That is you have two PPPoE clients? If above is yes then you got it 99% done. There are so...

DarkNate

Hello @Darknate , If I disable conntrack, the packet will go into slowpath. I have enabled fasttrack and the CPU is about 20% with ~5Gbit traffic. What? Check the official documentation by MikroTik. Fast Path will continue to work with conntrack disabled and only works if conntrack is disabled. Giv...

DarkNate

hello In our network we use NAT for our end users. Some gamers have public IPs. The ip firewall settings, are all defaults, except for TCP Established that is set to 5 minutes. I have no issues at all in the network. Seldom appears Call of Duty disconnects, the client suddenly disconnects from serv...

DarkNate

Your ISP puts you behind a CGNAT and they've not implement port control protocol.

DarkNate

It depends on the optical delivery and type of SFP. For GPON a dumb SFP will not work, but an active SFP which contains ONT functionality and presents a 1000Base-X electrical interface should. There are also some ISPs who use point-to-point 1000Base-LX or 1000Base-BX optics rather than GPON. A true...

DarkNate

@Darknate, I am planning on using the SFP interface to eliminate the ACT ONT. The ONT is labelled Acton 1000W2A(SM-10) and some googling suggests that this is a single-mode 1310nm device. I was unable to find any documentation that says so definitely. Do you have any advice on where to buy such a m...

DarkNate

You're Indian, I'm Indian, so I can be of more help in the context of Indian ISPs. Did you bridge ACT's ONT/Router if any? Did you bridge Airtel's ONT/Router if any? Is your Tik handling both ISPs completely? That is you have two PPPoE clients? If above is yes then you got it 99% done. There are som...

DarkNate

Regarding Flash memory, in the long run, running this script every minute isn't the wisest thing I think? I will write an update for the script and we will test it. I hope that changes from UPNP will not be frequent and, accordingly, the load on the flash memory will be small, and it will be the no...

DarkNate

Enable UPnP on the Tik.

DarkNate

viewtopic.php?f=21&t=167932#p824357

DarkNate

In the LAN behind the router 192.168.88.1 is an LAN-connected device PC with the address 192.168.88.254.

Is there a way to check whether port 502 is open on PC by RouterOS means?

Check in IP>Firewall>NAT

DarkNate

Hello @DarkNate i follow your advise but i find a small problem with mangle i can not connect to internet when i enable add action=drop chain=forward comment="DENY-ALL" if i disable this DENY-ALL rule, internet is working this my mangle configuration : /interface pppoe-client add interfac...

DarkNate

I have two ISPs. I connect to them via two modems and they give ip from the same ip block 192.168.1.xxx. I can make mikrotik connect via two seperate dhcp clients. I can not change the ip blocks. The only setting i can change is the router ip. So i can make router ip different. I can see that this ...

DarkNate

Regarding Flash memory, in the long run, running this script every minute isn't the wisest thing I think? I will write an update for the script and we will test it. I hope that changes from UPNP will not be frequent and, accordingly, the load on the flash memory will be small, and it will be the no...

DarkNate

RB450Gx4, everything worked great for months until I updated to 6.47.6. Wireless package installed since forever but is obviously disabled.

Edit: I found this on the 6.48 thread, however: viewtopic.php?t=163308#p811799

DarkNate

https://www.medo64.com/2016/12/simple-o ... -mikrotik/

And just use the Cloud DDNS you get from IP>Cloud in the OpenVPN client profile, that's it.

DarkNate

Go check Shodan for your public IP space to see what they've discovered.
Enter your public IP into the search form field and press the magnifying glass.

Does absolutely nothing. "No results found" in 0.1ms

DarkNate

Is there a way to make your script do this: 1. Clone WAN1 dynamic rules to WAN2 and also clone WAN2 to WAN1 because that's the original problem with UPnP anyway 2. Of course, while avoiding cloning already existing clones on either WAN interfaces. I think yes The original article said: 1. Make the ...

DarkNate

Hello! I tried to write "FUTURE VERSION" but cannot test. And i use "in-interface" matcher instead of "dst-address=<WAN 2 IP>". :local wan2InterfName "ether2" :local RuleComment "UPnP_Cloned" :local I :local J :local NeedTo #if rules identical - fun...

DarkNate

maybe a separate soho.npk that includes the torrent client, kid-control and SMB server.. :)
... and Quick Set

I disagree with this. Quick Set is very useful to get online in 5 seconds after a clean install/first time install to get up and running.

DarkNate

I was thinking the server address should be in the same subnet as the pool, but it doesn't seem to care. It doesn't have to be. VPNs are point-to-point tunnels with a /32 address at either end, they can be pretty much anything. I'm about to add an OpenVPN server, as well, mainly to overcome the lac...

DarkNate

Bump... Anyone?

DarkNate

Give the Pi a static IP from DHCP>Leases

Then use static IP as DNS inside DHCP>Network

I'm using Pi-Hole myself.

DarkNate

Seems like my only way out is to make two different subnets. One for general usage and other for gaming customers only. Your only way out is to peer with the major CDNs. I fail to understand why local ISPs and BSNL in India avoids peering and proper routing like the plague. Your customers will suff...

DarkNate

Probably the only way. A. group ports for rules, (maintain a list in MS Works, separated by commas) and just copy and paste into dst-port for rules) B. Conversely use a NOT rule (apply rules NOT using any port, and put in the ports that folks use that are not gaming ports 80,443 and others for exam...

DarkNate

So if I put the pi-hole on its own VLAN give it a fixed IP. I then put that IP address for each of my vlan dhcp-server-network entries? Do I need firewall rules to allow the pi-hole anything specific on teh input chain? Do I need firewall rules to allow users from all other vlans to the pi-hole vla...

DarkNate

Hi Darknate, I am interested in how you added the pi-hole to the MT Router for this functionality. Is it on its own subnet for example. How do you point users to pi-hole. How do you point pi-hole to the external servers you wish to use What firewall rules are germane to the setup for the pihole and...

DarkNate

Both ISPs are PPPoE clients and have UPnP enabled, but since this is a load balancing setup, sometimes traffic is routed to ISP1, but UPnP opens up for ISP 2 and vice versa. I'm no good at scripting, to begin with. So I found this: https://forum.mikrotik.com/viewtopic.php?p=426711#p426711 Set it to ...

DarkNate

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever. DoH on ROS was and still is broken. can u tell me the step to do this? https://docs.pi-hole.net/main/prerequisites/ https://docs.pi-hole.net/guid...

DarkNate

Weird problem. I have been using Detect-internet for months and never disabled it, works fine without problems.

DarkNate

What do you think is the proper way to use Nth for per-connection distribution (implying mark connection)? The way I did originally? Yes, that way was fine for per-connection distribution. All that confusion came just from the fact that you declared that it does per-packet distribution. Earlier you...

DarkNate

Then, you don't know up-front how much traffic will go over a marked connection. I could look in NAT which connection, had not much traffic yet and then prefer that link. In real time, that is only possible if Mikrotik implement a distribution by clean switching of the source port. Maybe that is al...

DarkNate

If there's no difference between PCC and Nth in per-connection distribution, then what exactly is this paper talking about? https://www.ijcnis.org/index.php/ijcnis/article/view/4340 Let me quote myself from post #16: "the apparently best dynamic load distribution method (nth) gives astounding ...

DarkNate

I'm not re-reading the whole thread again to find out if it was already mentioned in some way, but do you have any statistics how much are ports other than 80 and 443 actually used? In other words, if all your effort is really worth it. Because if you are developer and your application needs to acc...

DarkNate

I've edited my post reacting to your edited one accordingly. I've expressed my opinion earlier - in an environment with NAT, the impact of per-packet traffic distribution is always negative (except connections which consist of a single request packet and a single response one as @Sob has pointed ou...

DarkNate

It should, but it's always better to check than to just hope. If everything is set correctly, the rules translating the packet-mark into routing-mark must count exactly the same amount of packets as the rules which assign the packet-mark . Reset counters at all five of them using a single command s...

DarkNate

The last paragraph of post #32 suggests multiple ways how to do that. Any of them is sufficient. So I did the following, so far nothing breaks (80/443 obviously will never go beyond the following), I'll test it for a few hours with gaming, VoIP, Banking. My thumb of rule is, if banking works everyt...

DarkNate

So to conclude: with a single-threaded transfer and per-connection distribution, you cannot get aggregate bandwidth the fact that you do get an aggregate bandwidth for a multi-threaded transfer provides no information regarding the type of traffic distribution with a single-threaded transfer and pe...

DarkNate

OK, so let me present another idea how to explain it. When I say "per connection distribution of traffic", it does not mean the same as "traffic distribution controlled by per-connection-classifier ". It simply means that all packets of the same connection use the same WAN, no m...

DarkNate

You're missing few details. For start, your original config that you thought does per-packet Nth didn't really do that, and when @sindy explained in detail what happens, you didn't get it at all. You also misundertood his other suggestion . And his interest in your native language is not to make fu...

DarkNate

Yeah, the packet counters are a good idea by the way. Reset the counters on both the nth rules which assign packet-marks and the rules which translate packet-mark into routing-mark , then run some traffic eligible for nth handling, and compare the counters after that. They should be equal (every pa...

DarkNate

What is your native language? I feel as if you do not attempt to understand what I write. You believe you only use connection-mark for 80 and 443, but the reality is that you use it for all connections, most likely because you still can't understand how the connection-mark actually works. With the ...

DarkNate

There's definitely some misunderstanding. Because if it's regular dual WAN config, i.e. two independent ISPs, then per-packet load balancing will work great with single-packet exchanges like DNS queries, but everything else will be absolutely terrible, if it will work at all. Sob my dude, I never o...

DarkNate

I wonder which part of the firewall handling you are missing or misunderstand that prevents you from seeing the logic: do you realize that once you assign a connection-mark to a connection while handling any of that connection's packets, regardless the direction, this connection-mark is then automa...

DarkNate

If you want to make sure that you have everything "right" for testing, then temporarily disable these two rules: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=ISP1_conn passthrough=no add action=mark-con...

DarkNate

So how do we make it per-packet when I'm already using mark-parket+Nth? Since it is only needed for a test, just add dst-port=80,443 or packet-mark=no-mark to the two rules which assign a routing-mark based on connection-mark - i.e. the action=mark-routing chain=prerouting connection-mark=ISPx_conn...

DarkNate

So how does the above give aggregated bandwidth in downloads/uploads? I see doubled bandwidth across the board. Like any other dynamic load distribution method. If you make a throughput test using a single session (=connection), it will show a single uplink bandwidth. speedtest.net, as well as othe...

DarkNate

So I'm still confused as to how there's no packet-loss, broken config. Even traceroutes from LAN to remote sites works fine and shows their corresponding routes based on whichever ISP was assigned. I use MTR and see 0 packet loss. And gaming, works!? What? So what happens is the following (tracking...

DarkNate

I can't bother to quote everything cleanly, so I'll reply in paragraph wise.
You don't have to quote at all, I suggest you try it sometimes.

No forum rule is violated by quoting anything dude

DarkNate

Regarding the Nth everywhere thing, well I'm not suggesting the whole world to use it, now am I? Did I? Ever? No I did not. I've announced in advance I'm going to be a bit emotional ;) So the neutral form of the same statement would have been that the results haven't proven any significant advantag...

DarkNate

Well, as this topic was a bit emotional throughout its history, let me be a bit emotional too. Yes, this other paper is much better, but still there are two points: the apparently best dynamic load distribution method ( nth ) gives astounding 101.5% of the download throughput of the apparently wors...

DarkNate

@DarkNate, I'm afraid there may be just some confusion of terms. First, know your audience - many people here deal only with the typical "home router with two ISPs" case, where the ultimate public IP on each WAN is different, so a real per-packet (means per- mid-connection -packet) load d...

DarkNate

Why are you agressive? This is a forum for help and interaction. I only see this code from you: add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local dst-address-list=!not_in_internet in-interface=bridge new-connection-mark=ISP1_conn passthrough=yes nth=2,1 add...

DarkNate

Dude, did you even bother to read the research paper I linked above? It's already been proven that Nth does a better job of bandwidth distribution than PCC due to the obvious reason that Nth is Per Packet whereas PCC is Per Connection . https://help.mikrotik.com/docs/display/ROS/Load+Balancing If y...

DarkNate

Hi Darknate, Can you post a generic config with the useful bits to show that split personality config on bandwidth load balancing........ add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local dst-address-list=!not_in_internet in-interface=bridge new-connection-...

DarkNate

What kind of device do you have (model)?
How did you remove the interface ?

Is that even possible Normis? To remove the ethernet interface itself?

DarkNate

Hi Darknate, Can you post a generic config with the useful bits to show that split personality config on bandwidth load balancing........ I have been using this config for more than a month now. PayPal works, GPay, App Store, Play Store and full aggregated bandwidth when downloading/uploading (50/5...

DarkNate

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.

DarkNate

"How to understand"?

You start by reading before posting here, you start by searching:

https://help.mikrotik.com/docs/display/ ... col+Status

https://help.mikrotik.com/docs/display/ ... g+Examples

DarkNate

My ISP gives me nothing but a pretty useless cable modem router. This thing can’t even be switched into bridge mode. On top of that, I don’t know much about what they are doing. It’s consumer grade internet. Honestly, I’m not very good at those things. Not a network guy, just a Cloud Architect. But...

DarkNate

LAN network should be standard 1500 on all ethernet interfaces and software-defined bridges including the wireless bridge unless you know what you're doing and require jumbo frames. WAN MTU depends on your ISP, if it's PPPoE you need to set ethernet MTU to 1520 on the port which is running the PPPoE...

DarkNate

Using Nth does give a more "even" bandwidth distribution as per this research paper: https://www.researchgate.net/publication/332831075_Application_of_Load_Balancing_with_the_Nth_Method_on_Multiple_Gateway_Internet_Networks But you'll need to take of the "sticky connections" for ...

DarkNate

Just force phone/TV to use same WAN like this

add action=mark-connection chain=prerouting comment="Force my laptop to ISP2" dst-address-type=!local disabled=yes dst-address-list=!not_in_internet in-interface=LAN new-connection-mark=ISP2_conn passthrough=yes src-address=192.168.88.103

DarkNate

There's a dedicated guide for this: viewtopic.php?f=23&t=73214

DarkNate

Ok this is the response from the ISP.. "Just to reiterate, the circuit that we provide is a raw circuit and neither us nor the line provider has any equipment onsite that will be blocking any traffic. The NTU onsite is only there to terminate the fibres coming into the building. Based on your ...

DarkNate

Sorry, my knowledge has some limits. I never studied how exactly conntrack works with related connections. I'm sure that multiple tcp connections are not seen as related (except ftp). They may be related from application's perspective, but router has no way of knowing that. But I can't tell you all...

DarkNate

My ISP's NOC team has personally spoken to me and told me it's broken on their end at layer 2.5 (They use PPPoE and some useless local tunnelling mixed with native IPv6) and even though they didn't admit it, they simply lack the skillset required to fix the problem. Heck maybe your're in the same c...

DarkNate

My ISP's NOC team has personally spoken to me and told me it's broken on their end at layer 2.5 (They use PPPoE and some useless local tunnelling mixed with native IPv6) and even though they didn't admit it, they simply lack the skillset required to fix the problem. Heck maybe your're in the same c...

DarkNate

1. If I use webfig (all Linux machines here, so no WinBox) What do you mean "no Winbox"? Winbox runs just fine on Linux and was designed to work with WINE straight out the box: https://techsoftcenter.com/how-to-run-winbox-mikrotik-on-linux-mint-ubuntu-etc/ As the other member suggested, p...

DarkNate

If you have rules with connection-mark=no-mark, it has similar effect; connection-state=new may be a bit more efficient, but it's again just a guess and you'd have to come with some reliable testing and measure it. 'Related' is how conntrack sees it. For example ftp's data connection is related to ...

DarkNate

Do you get a full house if you test on www.ipv6-test.com ? It is possible to get full house, I get it on one of my hosts ... but that's linux server with statically assigned IPv6 address and properly configured DNS records. For LAN host which gets IPv6 address via SLAAC, I only get 17/20. It says &...

DarkNate

You have packet from device in LAN going to some public address, so it gets connection mark (and later also routing mark based on connection mark). But this packet has low ttl and it expires while passing through router, so router sends icmp ttl exceeded packet to inform client about it. This new p...

DarkNate

I don't think you want anything with src/dst-address-type here. If it's dst-address-type=!local, it's useless, because it matches almost all packets, except some rare ones sent by router to itself. And src-address-type=!local would break the main purpose of these rules, because everything in output...

DarkNate

It should be: connmark-out output: in:(unknown 0) out:<interface>, proto ICMP (type 11, code 0), <router's LAN address>-><clients's LAN address>, len <x> And number of logged packets depends on how many are sent with each TTL. My traceroute uses three and mtr keeps sending them until stopped. Routi...

DarkNate

Rule for testing: /ip firewall mangle add chain=output protocol=icmp connection-mark=!no-mark action=log log-prefix=connmark-out It should log three packets when you do traceroute. It logs two with normal trace route. It logs n number of icmp packets with MTR. What I was referring to is MTR which d...

DarkNate

I don't remember this exactly and I don't have time to play with it now, but I think that icmp packets for exceeded TTL may inherit either connection or routing mark from original packet. Which does have it, because it's outgoing packet to some external address, so PCC rules applied to it. You can ...

DarkNate

Well, that's a question. I can skip some conditions in mangle rules, so that may lower CPU usage a bit (or may not, it depends on the order in which conditions are evaluated). Routing rules will undoubtedly add some processing, but routing should be the most optimized part of system, so it shouldn'...

DarkNate

Never mind.

I created a static OVPN Server Binding in PPP>Interface
Then I placed the Binding in LAN inside IP>Interface List and now it's able to essentially "load balance" the VPN client.

Problem solved.

DarkNate

Cheers Guys Sob: It is weird tbh, as looking at the ipv6 connections, there is nothing at all for protocol 58. However, if i run the test on ios, i get a connection at port 58, but it shows a connection to icmpv6 but with a source port & destination port as 0? Dark: I am running a leased line a...

DarkNate

So basically I followed this for OpenServer config and for the client except that the VPN client shares the same subnet as the LAN clients: https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/ Internet and LAN access works fine through the VPN tunnel with arp-proxy on the bridge. But in...

DarkNate

Thanks. Just checked those and all seems to be set up properly. I tried another test site and got this, so i have no idea whats going on. https://thumbsnap.com/t/VwwDSZxf.jpg Also, there doesn't seem to be any packets at all recorded across most of the rules... https://thumbsnap.com/t/QuLiUEL8.jpg ...

DarkNate

I also see that some users instead load OpenWRT - is there a comparison of issues or features somewhere?

RouterOS is enterprise-grade. OpenWRT is consumer-grade. Why would people ever want to use OpenWRT over RouterOS?

DarkNate

R1CH, there is no crash here my friend so no worries, What you are saying is already well known and not the issue here but thanks anyways! ;) Wait until you get a SYN Flood DDoS and watch your MikroTik (doesn't matter which model or how much bandwidth you have) become totally unresponsive. There's ...

DarkNate

No, this "local" means only addresses on router, nothing with subnets. I don't think there's one perfect config, there may be some as good starting point, but different people need different things. Most important is to understand what it does, why and how. MikroTik's example tries to exp...

DarkNate

It depends where those public addresses are. If they are directly on your router, they are already excluded from marking, if you kept PCC rules with dst-address-type=!local from example. If it's NAT 1:1 and they are in fact elsewhere, you'd need to exclude them too, and additionally add routes to t...

DarkNate

If your "not_in_internet" list contains 10.0.0.0/8, then it's already solved by that. If you ping ISP's gateway 10.x.x.x from LAN, it won't get marked and router will use main routing table. Although I can ping the "gateway" IP of both ISPs as expected, I can't ping the actual p...

DarkNate

If your "not_in_internet" list contains 10.0.0.0/8, then it's already solved by that. If you ping ISP's gateway 10.x.x.x from LAN, it won't get marked and router will use main routing table. About combination of PCC and Nth, there's probably no reason why it wouldn't work, but whether it ...

DarkNate

I meant traceroute to ISP's gateway, which should always have only two hops, first your router and then ISP's gateway right behind it. But even if you have it wrong, you still have 50% chance that it will work correctly, because it will get mark for right ISP. I'm sure you can live without these ru...

DarkNate

1) I don't know what exactly you have, but it's also possible that ping is taking a little longer path. Check what traceroute shows. Let's say the gateway for ISP1 is public address and you try to ping it from device in LAN. If you mark this outgoing ping with ISP2 mark and you don't exclude it in ...

DarkNate

1) It's to allow devices in LAN to access anything in those subnets. Ping ISP's gateway, access modem configuration, if you're connected behind one, etc. If you don't need any of that, you can live without these rules. 1.1) PPPoE has equivalent of lease script in PPP profile. 2) Yes. You can test i...

DarkNate

1) "local" means any address assigned to router, it does not cover anything else, so if you don't want to break routing between other subnets, you have to deal with them too. 1.1) You can update rules from dhcp lease script. 2) Prerouting is for traffic from other devices. Output is for t...

DarkNate

So in this: https://help.mikrotik.com/docs/display/ROS/Firewall+Marking#FirewallMarking-DetailedSectionOverview.2 We can see a solid and stable method to implement PCC. But I have some doubts. 1. The first rules had this statement "With policy routing, it is possible to force all traffic to the...

DarkNate

Or the whole MikroTik team was hacked :D

Seems likely, it coincides with IP>Cloud issues people were facing including me along with the forum timing out just about a week ago hahaha...

DarkNate

Believe me Normis " clearly labeled INTERNET " is not enough for tipical residential Customers ;-D Is some cases they are even not able to find out an electrical plug... ;-D Rgds Deployed a FTTh solution in a golf estate, first question sked when customers calls in and say they have no in...

DarkNate

Lol mikrotik barely have Wifi 5 and you want them to start doing FXS

Exactly, like MikroTik markets itself towards WISPs and ISPs, not Wi-Fi.

I honestly don't understand why people buy MikroTik routers for the Wi-Fi. I would just use MikroTik only for routing/switching, that's pretty much it.

DarkNate

Hello @DarkNate Thank you very much for your precious share. You are right , i want to avoid double NAT So, i will implement PPPoe client on routeur Mikrotik : / interface set ether3 name=WAN-09-ADAPTER set ether4 name=WAN-12-ADAPTER /interface pppoe-client add interface=WAN-09-ADAPTER name=pppoe-o...

DarkNate

There's no harm in leaving it enabled, it simply protects your network from looping.

DarkNate

Did you use the default firewall filter rules at the least? Because the router could be DDoSed from WAN/External network (such as a PON link if the ISP is stupid enough to not isolate clients like it is in my case).

DarkNate

I would just buy an RB450Gx4 for routing and consumer-grade APs for Wi-Fi instead.

Currently using a TP-Link Archer A10 for AP, getting 400Mbps wireless bandwidth performance without a hitch on the 5GHz band, 100Mbps straight on the 2.4GHz band.

DarkNate

First, why is the ISPs' CPE's not put in bridge mode? You're supposed to let the MikroTik router handle both WAN interfaces which is PPPoE as you have mentioned. You have put yourself in a double NAT situation, why would you want that? D-Link DSL-2890AL should be very easy to bridge, unlike some of ...

DarkNate

Hello,

could you please share your configuration to try understand :)

Best regards

I have two PPPoE clients from two different ISPs, whereby I use PCC to load balance. The issue is widely known, ROS's UPnP implementation does not work with multi-WAN setup.

DarkNate

Status Report: so far the "sluggishness" of the network is gone.

Thanks for all hints.

Mauricio

Also be sure to configure the "cable modem" in bridge mode, to allow the MikroTik to handle WAN interface completely.

DarkNate

So I have two ISPs, both PPPoE clients, load-balanced via PCC with failover. Everything works great except for UPnP. Both ISPs are dynamic IPs that change frequently from the providers. Inside IP>UPnP I have indeed added two external interfaces for each of the ISP and a single internal interface for...

DarkNate

Use Pi-Hole, problem solved.

Beautiful ain't it?

DarkNate

You should be more worried about other UPnP devices. For example, I tried the test and it says that TV has UPnP and is vulnerable. And since it's a little older, it's unlikely that manufacturer will update anything. How do we block a specific client device with static IP from using UPnP on RouterOS?

DarkNate

Why do you require DHCPv6 server to begin with? Are you an ISP or Service Provider? What is the prefix size you got from your ISP? IPv6 is generally meant to be stateless for the end user. I'm sure you have Android devices, right? Well read this: https://www.nullzero.co.uk/android-does-not-support-d...

DarkNate

So there is a vulnerability CVE-2020-12695 dubbed "CallStranger" that so far is not mentioned anywhere on the MikroTik forum. The patch required for vendors is described here: https://openconnectivity.org/upnp-specs/UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf More information on the vul...

DarkNate

Yeah, you can just use simple queue directly without the mangle rules, something like this: viewtopic.php?f=13&t=165945&p=815923&hi ... ue#p815933

Your goal is simple bandwidth limitation not advanced QoS.

Search found 292 matches