MikroTik

vas

I meant it was the ISP not doing it, not that you don't have to...

If they declare IPv6 pin-holing support in their documentation, I doubt it means just the absence of any IPv6 ingress filtering

vas

Or simply do not firewall IPv6 traffic....

I don't think it is a good idea. Maybe it is not as bad as not filtering incoming IPv4 traffic but still not good.

vas

If you invested time into assigning static IPv6 to a machine, then you can add a hole in IPv6 firewall. I usually don't do that on an IPv6 LAN. But even if the addresses are static, listening ports can still be dynamic. If the client machine is using address based on RAs, then indeed one would need...

vas

UPnP work with NAT, IPv6 usually do not support NAT, since each machine has it's own IPv6. This is pretty obvious. In fact, that is the reason I created the topic as "pin-holing" and not "UPnP". Simply leave open the port on firewall vs that IPv6.... Manual firewall configuratio...

vas

Dear Colleagues,

Does MikroTik support IPv6 pin-holing or something like UPnP for IPv6?

vas

Dear Colleagues, My hAP ac3 has two antennas included. I have some questions about them: 1. Are the two antennas / antenna outputs different (like one is 2.4GHz and the other 5GHz) or are they identical? 2. If I replace one of the included antennas with an external dual-band WiFi antenna on a 5-10m ...

vas

Some times the HE tunnel falls into _not running_ state too, with keep alive enabled. But in most time HE is _running_ with keep alive enabled unlike the NTS case. So, somehow it works. We can dig it deeper. But I don't see a reason. An official comment from the MikroTik team is due here. What kind...

vas

Only nulls. And I didn't find any replies.

Very odd. Who will reply to such packets? There should be a "Next Header" and some other important fields.

vas

Mikrotik keepalive packets:

OMG, what is it? Can you please expand the IPv6 header?

vas

For production networks I would prefer BGP in this case. Do you mean to obtain Provider Independent ip v6 addresses and AS? I do. I don't know however if it has become easier or harder to obtain a PI block as compared to IPv4. If you have to become a LIR to get your own block of addresses (de facto...

vas

Ok. I do this solution for a home network. Two, not so critical, 6to4 tunnels. I adjusted 10 min preferred lifetime. Win 10 Laptop works normal via Wifi with this time. For production networks I would be prefer IPv6-to-IPv6 Network Prefix Translation. For production networks I would prefer BGP in t...

vas

Have you been able to figure out how the keepalive feature on sit* interfaces works under the hood? The 6in4 protocol (RFC4213) does not seem to define any keepalive mechanisms. I can only guess. I think the same like in IPIP tunnel: "Tunnel keepalive parameter sets the time interval in which ...

vas

No clear for me why and when interface state is changed. With Hurricane Electric tunnel enabling option _keep alive_ works better (not ideal so), but with the other provider this option turns tunnel into the _not running_ state. Have you been able to figure out how the keepalive feature on sit* int...

vas

But still some questions about Mikrotik 6to4 interface _running_ state. How adequate is this property?

Do you enable the "Check Gateway" (ping) feature of your 2000::/3 routes? Do you think you can check the presence of a route in your script, instead of interface state?

vas

m.2 adapter key B
uFL <> mhf4 pigtails
and you can install new modems like Quectel EM12-G, EM160 or EM502Q .. what give you big change

This is great but I'm mostly concerned about which modems sold by Russian cellular operators I can safely buy and use. They all come with USB interfaces.

vas

The list looks a bit dated though. For example, Beeline offers the ZTE MF833R and Alcatel Link Key IK41VE1 modems, but only earlier models of ZTE and Alcatel are on the list.

vas

https://wiki.mikrotik.com/wiki/Manual:Peripherals

Thanks, a great list. However if someone responds with "this particular model XXX works fine for me personally" I'd be grateful.

vas

Dear Colleagues, I'd like to set up a backup outgoing Internet connection via one of the Russian cellular operators (MTS, Beeline, Megafon). Can you please advise me a cellular USB modem for hAP ac3 (OS v6.48.2)? Especially useful if you already have one and it's working OK. The operators sell a num...

vas

NTP? OSPF hellos from the hq. I wonder if I filter them out with the firewall, will they stop keeping the link up? UPD. Hmm, this filter rule below should be already dropping them. correct? Is there anything else I can do (other than to persuade the hq admin to disable OSPF on the PPTP server inter...

vas

One way to find out what is keeping the connection up ise to use /tool/sniffer/quick interface=<myvpn> for a while to understand what is keeping it alive. Thanks for the very useful advice about the packet sniffer. I've directed a TZSP stream of traffic to Wireshark and found out that it's OSPF hel...

vas

Dear Colleagues, I have a PPTP client configured with dial-on-demand and idle timeout (see below). Dial-on-demand works, but for some reason the pptp-client interface does not go down when there is no traffic to the hq. I expect it to go down after 10 minutes of inactivity. What am I missing? I can ...

vas

Do you have to disable and then re-enable this setting each time you reboot your router? Or does disabling/re-enabling change something magically in the configuration? You can try it on your device - I was helping somebody remotely with this issue who was having it on several devices and disabling/...

vas

I just encountered this same issue for the first time. The problem is not the default interface=all - it is not incorrect. In fact, disabling the default "interface=all" and re-enabling it causes the prefix to become valid. It is happening in RouterOS 6.48.2 in my case with hap ac2 device...

vas

/log print where message~"AppleWatch"

Thanks. Somehow I missed the "message" word.

vas

Dear Colleagues,

I cannot figure out how I can filter the "log print" output by patterns. For example, if I want to grep the log entries for "AppleWatch", what should be the "grep" command?

vas

Dear Colleagues, Can you please clarify configuration for this use case: A MikroTik DHCP server is bound to interface "bridge" and is servicing clients in this broadcast segment. There is also another Router B in the segment which is in fact a DHCP relay forwarding DHCP requests to the Mik...

vas

Few points: - IPv6 is supposed to eventually replace IPv4, so IPv6-only networks make sense. Only when you do it now, you may be a little bit too ahead. Most of the internet is still IPv4-only, so you need NAT64 + DNS64, which is not exactly nice (mainly the DNS64 part). That said, it's not wrong, ...

vas

Putting the router itself into IP->DNS is a bad idea - I expect so. Who is suggesting such a strange thing? My suggestion was different. If a DNS server is running on the router, the router should choose one of its own IPv6 interfaces and put its address into RA rdnss field. Maybe the IPv6 address ...

vas

IPv6 internal networking = Killing SLAAC as you implied with your "IPv6 only clients", What? I'm afraid you don't understand what you are talking about. Or maybe your definition of "internal" is unconventional. why wouldn't they have IPv4 internal addresses aka RFC1918? Dude wit...

vas

What? IPv6 was designed with SLAAC in mind, there's absolutely no NAT or ugly hacks needed with a proper prefix delegation from the upstream provider. Unless you have an upstream provider like mine who blocks ICMPv6 and breaks MTU along with a garbage single /64 prefix. What "what"? :-) Y...

vas

I fail to understand why some people choose to use IPv6 for internal networking, stick with IPv4 for internal networking (which includes the DNS stub resolver), I mean IPv6 was created to restore the end to end principle and not as an alternative to IPv4 internal networking. You got the right idea....

vas

Yeah, so really, there is no problem with RouterOS's approach to IPv6 DNS, you can use the stub resolver, or you can use direct public resolvers on a per-client basis Well, if the clients are IPv6 only, there will be no fallback to IPv4 DNS for them. or even like I do... Simply re-direct to a DNSSi...

vas

If the "Advertise DNS" flag is disabled, the client devices will end up using the stub resolver on RouterOS. How would they know to use it? What do you mean "how"? If the flag is disabled, client devices will automatically fall back to the IPv4 DNS address that was originally ad...

vas

If the "Advertise DNS" flag is disabled, the client devices will end up using the stub resolver on RouterOS.

How would they know to use it?

vas

@vas: viewtopic.php?p=831091#p831091

Can I both have DHCPv6 server enabled and keep advertise-dns=yes in "/ipv6 nd"? Is this a supported configuration?

vas

DNS servers are simply taken from "/ip dns", but you don't want to add router's own address there.

Sure I don't want to, but putting the router's own IPv6 address into router advertisements (if a DNS server is enabled on the router of course) would be a good idea, don't you think?

vas

You can combine it with DHCPv6. If you add server without pool, it will function in stateless mode and only provide info (you'll have to enable "Other Configuration" in "/ipv6 nd" for clients to use it). There you can add any option you like. Can you kindly provide an example, w...

vas

I would like to put more information into the IPv6 router advertisement packets: several DNS servers (and especially the IP of the router itself) into the rdnss field, several domain names into the dnssl field etc. Where do I edit and add those fields?

vas

The problem was in IPv6 -> ND -> Interfaces. When I changed interface=all to interface=bridge, the prefix in IPv6 -> ND -> Prefixes became valid and started to be announced.

I don't know why the initial setup had configured interface=all, but it was obviously incorrect.

vas

Just tried on Ubuntu and conntrack -L shows nothing when there are no rules. Presumably, then, "auto" and "on" are from Linux, and CentOS uses the equivalent of the MikroTik "on" setting while Debian and Ubuntu use "auto". Looks like it. Now we have the compl...

vas

It isn't. This is just Linux iptables.
(there are other firewall systems in Linux)

It is strange however, that on Debian 10, when `iptables -L` has no rules (default configuration after installation), the output of `conntrack -L` is empty.

vas

Actually, connection tracking entries are not created by those filter chains, that happens elsewhere. When you need to avoid a tracking entry, you have to do that in the raw chains (prerouting and output), that is the only one that is "early enough" to drop packets or to pass them but not...

vas

Remember that there are different chains in the firewall. Your example with "input" might indicate that you think that all traffic incoming to your network is passing the "input" chain. That is not true! The "input" chain is only for traffic incoming to and processed b...

vas

I have created firewall rules for IPv6 based on recommendations in https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router. The rules work fine (permit outgoing traffic and return traffic, block incoming traffic) but there is one thing I cannot understand (maybe because I have an ipfw and pf bac...

vas

Thank you mducharme for your very informative replies.

vas

Connection state tracking happens by default on "auto" when there is at least one firewall or NAT rule. It doesn't matter what the rule is, as long as long as at least one rule exists, all connections will be tracked. So because you have at least one IPv4 or IPv6 firewall or NAT rule, con...

vas

I always make the ruleset so that it ends in a "drop" rule OK, let's consider this simplified but working example: /ipv6 firewall filter add action=accept chain=input comment="Allow established and related" connection-state=established,related add action=drop chain=input comment...

vas

In the ruleset above, where is the rule which actually creates connection states from egress traffic? Is connection state tracking enabled implicitly? How does this work?

vas

Dear Colleagues, I've configured a static IPv6 address on the bridge interface and enabled the "Advertise" checkbox: /ipv6 address add address=2001:470:ecba:3::1 interface=bridge add address=2001:470:35:7af::2 advertise=no interface=sit1 [admin@MikroTik] > /ipv6 nd prefix print Flags: X - ...

vas

Dear Colleagues, I have created firewall rules for IPv6 based on recommendations in https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router. The rules work fine (permit outgoing traffic and return traffic, block incoming traffic) but there is one thing I cannot understand (maybe because I have an...

Search found 50 matches