MikroTik

jaxed8

it using port 115 No, it's using IP protocol 115. ( Source .) Ports are a TCP or UDP abstraction, but you're speaking of L2TPv3 over IP. anyone can help me for forwarding that port in docker? You could try switching the container to one of the more advanced networking modes, such as host mode . Tha...

jaxed8

That's a neat trick. How?

You can find a lot of images for that in https://hub.docker.com/search?q=routeros

jaxed8

jaxed8

You should read this topic:

viewtopic.php?p=606832#p606832

Thanks man but I didn't get how to use it, would you be so kind and elaborate it?

jaxed8

You can literally add hostnames to address-list and they are will be resolved automatically.

Yeah that's totally right but in that case router is gonna query them every few minutes and spam up all my pi-hole query list.

jaxed8

Any idea/solution?

jaxed8

Why do you like to do that. To try to block some?
Google etc changes IP all time and gives different IP depending location etc.

Not blocking them but to bypass the traffic from VPN tunnel.
google was only an example, the list is full of websites that mostly have only 1 IP.

jaxed8

Hello everyone I was wondering if there is a script for resolving and adding all the IPs of the websites which are on a link (example: https://test.com/sitelist.txt) to a address-list and add the host name as comment to the first IP of each website. Example: Link/txt file is containing the following...

jaxed8

Greetings
Unfortunately RouterOS doesn't support such tunneling.

jaxed8

Any idea?

jaxed8

Hello everyone I got two mikrotik router and one internet connection that is connected to one of them. what I'm trying to achieve is that to share the internet (WAN) that is connected to the port 10 of the router number one (RB4011) to the port 1 of the router number two (Hap lite), in a way that th...

jaxed8

@Sindy
You said it is possible, any hint/guide for me on have to implement it?

jaxed8

I know but just stopping them from connecting to the VPN servers is enough that's why I'm looking for a solution.

jaxed8

Is it possible :) ? It is possible but useless. If you redirect any DNS queries towards port 53 on any IP address to the PiHole, the clients can still use DoH (DNS over HTTPS) to do their queries. @sindy Yeah, but not all of them know how to set it up. I use these set of rules to block them but I k...

jaxed8

Any idea?

jaxed8

I think it's better to just use Prometheus and Grafana for that (fancier).

jaxed8

I use pi-hole and unbound

jaxed8

It was a problem with Nord VPN network.
Thank you guys

jaxed8

Hello everyone So I have some clients in my network that they use VPNs like Psiphon which connect over ports like 443 and 80 which I cannot block and also their like of servers are a lot so I cannot monitor and block the server IPs one by one. So I was wondering if there is a way to block all the IP...

jaxed8

I think the more info we have about different sections, the easier it will be to debug the network when needed.

jaxed8

@gemesif 172.19.19.45 is the router I want to connect to. (was 192.168.5.6 but I change the VPN server so it's 172.19.19.45 now) Here you go: Screenshot 2022-06-23 010345.png with 172.19.19.45: Screenshot 2022-06-23 010426.png with Mikrotik /ip cloud DDNS: Screenshot 2022-06-23 010525.png with /ip c...

jaxed8

There is no difference even when using /ip cloud

jaxed8

@gamesif
No pinging the private IP address of the router on the VPN subnet is not working.
P.S. Both of my devices (router - windows) are clients of a VPN server that I don't have access to server (I think it's Nord).

jaxed8

Still the same even after adding the input rule for VPN interface.
Actually after adding the rule I got hit on the rule and packets count but still the same connection timed out error.

jaxed8

Anyone?

jaxed8

On /ip dhcp-server network you need to use your router address as a DNS server. like: /ip dhcp-server network add address=10.0.0.0/16 dns-server=10.0.0.1 domain=example.net gateway=10.0.0.1 netmask=16 If still not working, try this: /ip dns set allow-remote-requests=yes cache-max-ttl=1m servers=1.1....

jaxed8

Hello everyone I want to access my router through winbox over the internet, so I setup a L2TP VPN on the router and wrote down the local IP that the VPN server gave the router and on the other device (on the internet), which is connected to the same VPN server and is within the same subnet trying to...

jaxed8

Yeah there is like 6MB RAM left although for some reason it was around 8MB with 7.3.1 but the CPU is way less busy.
I think that was there because I was wanted only 10.10.5.134 to have access to the VPN, although I'm not very familiar with V7 and the way it's route things.

jaxed8

Thanks

jaxed8

Thanks @rextended now with V6.48.6 RB941-2nD is way more stable.
But the actual question is remain that which setup is the best and preferable one?

jaxed8

I did add those but no change.
But cause v7.3.1 was a bit heavy for RB941-2nD, I end up going back to v6.48.6.

jaxed8

Revet back to 6.48.6.

Why 6.48.6? why not 6.49.6?

jaxed8

I knew it

But what after that? which setup is preferable?

jaxed8

Hello everyone So here I'm a little skeptical about which setup would be best for me. I got a 16Mpbs ADSL2+ as my internet connection and there are gonna be like about 6 - 7 clients minimum (50/50 wired and wireless) and maybe need of vlan for TV (wired) and Guest wifi. I have a RB941-2nD and one As...

jaxed8

Hello everyone I recently updated my RB941-2nD to V7.3.1 from V6.49, with the same config when I connect to a VPN L2TP/PPTP from the increase in ping latency on network devices (the one that I route it's traffic inside the VPN) I know that the device traffic it's routing correctly but the mikrotik r...

jaxed8

Same here.
A guide for Grafana and Prometheus needed like the one we have for Splunk.

jaxed8

For those of you who will came here with the same problem, the solution is to add custom MTU value in /lib/systemd/system/docker.service file. (you can use nano to edit it) You need to change the line looking like this: ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock...

jaxed8

Thanks a lot man for all your time and effort.

jaxed8

The IP firewall only recognizes L3 interfaces (with an IP address attached to them). If an interface becomes a member port of a bridge, the bridge becomes the L3 interface (even if the IP configuration is attached to the member port, which is a configuration mistake that breaks some things). I'm so...

jaxed8

@sindy Thank you very much. I tried the rule that you said and because my server (which has Debian as a VM and docker inside) was connected to ether3 I selected out-interface=ether3 but gave the following error: Screenshot 2022-06-11 070524.png But after I changed it to bridge, even with 1380 it wor...

jaxed8

I tried to change the mss like you said but when trying to add "Couldn't add New Mangle Rule - tcp mss change works only on tcp syn packets (6)".
P.s. If it's a docker issue should I try to fix it at the docker level?

jaxed8

@sindy
Thanks for the answer man
It's exactly like you said, on the Debian level it's working as well but not on docker and I assume it's because docker have it's own network that all containers are behind it.

jaxed8

Anyone?

jaxed8

For PPTP there is an address list called "Individual Local VPN 2" and for L2TP we have "Individual Local VPN"

jaxed8

Hello every one I have an RB4011 that I connected to my ESXi server that I have Debian 11 as a VM on, which is hosting my docker/docker containers. everything is okay except that docker containers (not Debian itself) cannot transfer/upload (TX) to the internet but receiving/downloading (RX) is total...

jaxed8

Thank you @Ammo, but I want to send it with different interfaces. for example: like one with PPTP1 another one with PPTP2 and one with IPsec/IKEV2 and one with L2TP4.

jaxed8

Hello everyone I have few VPN clients (PPTPs and IKEV2) on my router which they are always working fine except when no user on the network send or receive any packet so their servers start to drop the connection and router will reconnect and this happens over and over again to solve this I want to u...

jaxed8

The problem was with ph1 or ph2 configurations on the server as @own3r1138 said, after changing the IKE and ESP suits on the /etc/ipsec.conf the problem solved.
Thanks @own3r1138 and Thanks @sindy for the tip.

jaxed8

would you send a full log? for the connection looks like the wrong ph1 or ph2 config.

What do you mean by full log? there is only this error in the logs.

jaxed8

What does this error means?

Screenshot 2022-01-05 212208.png

Screenshot 2022-01-05 212145.png

jaxed8

Hello everyone I recently setup a new IKEV2 server on Ubuntu and try to connect to it with RB4011 v6.49 but I got this error payload missing: SA . I connect to that server from my cellphone which is connected to that RB4011 so the internet connection and server are working (I guess). My question is ...

jaxed8

I started writing an explanation why I suspect it is a bug and how to check that, and during that writing I've realized what is the actual issue. So remove the src-address=128.0.0.0/1 from the action=mark-routing rule and instead place in-interface-list=LAN to it. Thanks a lot man, all working just...

jaxed8

Rules in chain output are only used for traffic originating on the Mikrotik itself; when you "visit sites", I assume you visit them from a PC, and traffic from PC to internet takes chains forward and prerouting (other ones as well, but not output ). Got it thanks. As you wrote Thanks man ...

jaxed8

Remove these two rules and it should be fine: /ip firewall filter add action=accept chain=forward comment="Test Http" dst-address=192.168.88.200 dst-port=8080 in-interface=ether1 protocol=tcp /ip firewall nat add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=192.168.8...

jaxed8

/ip firewall mangle add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=avoid-ipsec passthrough=yes I'm sorry I forgot this chain=output one. but it's never had a packet even I was visiting sites which are listed in "excluded-addresses" list: Sc...

jaxed8

So what does /ip firewall mangle print chain=output say?

nothing

Screenshot 2021-12-07 004825.jpg

jaxed8

Are you sure you haven't block any port, especially 8080? and can you send the /export hide-sensitive file=x here.

jaxed8

Is the action=fasttrack-connection rule in filter disabled? Yeah it's disabled. I added src-address=192.168.11.94 to the this rule add chain=prerouting connection-mark=PPTP_YD_GAMING50 action=mark-routing new-routing-mark=PPTP_YD_GAMING50 passthrough=no so it's now is add action=mark-routing chain=...

jaxed8

NP problem man, thanks for keeping up.
It's not pinging anymore now -.-' I don't know why

Screenshot 2021-12-06 203348.jpg

jaxed8

In your rules, the jump-target in the first rule is mark-connections -prerouting , whereas the last two rules are in chain mark-connections . Unify that one way or the other. Currently, both functionalities that depend on connection-mark should not work as no connection marks are assigned due to th...

jaxed8

/ip firewall mangle add chain=prerouting connection-state=new action=jump jump-target=mark-connections-prerouting add chain=prerouting connection-mark=PPTP_YD_GAMING50 action=mark-routing new-routing-mark=PPTP_YD_GAMING50 passthrough=no add chain=mark-connections-prerouting dst-address-list=exclude...

jaxed8

This means the explanation may have been nice but actually it wasn't clear enough. So again. Thank you very much, I change it all and all those excluded-addresses is working great but if the dynamically added one is at top (#=0) then the PPTP one is not working in order to make that work I have to ...

jaxed8

+100000000 for dark mode

jaxed8

Thanks guys way the go
If I use "wifiwave2" on RB4011 2.4 GHz will still be available, right?

jaxed8

Wow, what an amount of creativity wasted (I have in mind the script moving your static masquerade rule before the one dynamically created by IPsec). :smile: Thanks for the nice explanation and sorry for the late reply. I added connection-mark=no-mark to IP IPsec Mode-config and also add a rule to I...

jaxed8

It's doable: viewtopic.php?t=169273

Thanks man I'm looking for a PPTP or L2TP solution.

jaxed8

Thanks for the replies I'm sorry couldn't answer sooner, Happy holiday and thanks giving everybody. Probably yes, but it can possibly conflict with the other vpn, if it's the "route everything elsewhere" kind. If I remember correctly, it adds some dynamic rules, so maybe it's necessary to ...

jaxed8

Is it possible?

jaxed8

I added: /interface pptp-client add allow=mschap2 connect-to=XXXXXX name=PPTP_YD password=XXXXXX \ user=XXXXX /ip firewall mangle add action=mark-routing chain=prerouting comment=PPTP_YD disabled=no \ new-routing-mark=PPTP_YD passthrough=yes src-address=\ 192.168.11.94 /ip firewall nat add action=ma...

jaxed8

Hello everyone
Is it possible to route the traffic of one device (192.168.11.94) with VPN (PPTP client(I know it's not safe just for example)) while the whole router is connected to the IKEV2/IPSec?

jaxed8

Not really more secure, just small tweaks, for example in chain=input: - you allow ports 500, 4500 and 1701, which would be for incoming L2TP/IPSec, but you don't seem to have that, so it's probably not needed - if you need any such rule to allow something, it should be after the two rules that acc...

jaxed8

With so many bots out there, its a matter of when not if.................... I hope I am not exaggerating the risk. Thanks for the deep explanation. I called them and they gave me the access to the DMZ so I can turn it on and off. and I turn it off for now because I can't spend hours of time tighte...

jaxed8

So it should be on or off? (it's on right now (ISP said today))
I think it should be off

jaxed8

At least you got incoming connections out of it, that's nice to have thing. Yeah thanks to you guys. You can experiment further, if you want. For example, make proper VPN for users, so they could connect to your router, and then access 192.168.11.100 directly. It would be nice and secure. Only depe...

jaxed8

Yeah but IDK what was wrong I tried a lot but didn't worked and since there is no other client program for samba on windows I don't know what to do in this case.

jaxed8

Thanks a lot everyone especially @Sob
After port forwarding it's worked very good but turned out windows doesn't accept domain address (DDNS address) for samba

, so ended up with using it for forwarding port 3389 to another one to use for direct remote desktop (personal use only).

jaxed8

It doesn't mean anything, that's what server sees and it's always public address, no matter behind how many other routers you are. What matters is whether you can forward ports from that address to your router. Best case is that the address is "yours" and ISP is doing NAT 1:1, i.e. forwar...

jaxed8

It says that you are behind NAT, if your ISP provide to you a private IP, there is nothing to do. Only way is use ZeroTier or Tailscale.

Regards.

It's not a private IP

jaxed8

It shows the public ip (which is dynamic) if it's going to pop-up some hope.

Screenshot 2021-11-20 232709.jpg

jaxed8

Thanks for your answer
I forward it and with VPN I was being able to connect to it but without vpn (with DDNS) not at all and I think it's because the router is behind nat and I should have another port forwarding for that but I don't know how and I need help for this part.

jaxed8

jaxed8

Thanks @rextended @msatter

jaxed8

jaxed8

jaxed8

if both sides are using ips of that country isps are going to route the connection in something like intranet which is very fast. I don't know from which IPs they are going to connect to the smb server. Uhm...... :-? The idea is to give that ddns address to a group of people (100~) in telegram (pri...

jaxed8

i have told you that add in address list Trusted IPs that are public/private in your remote locations. So if my house with public ip 20.10.9.8 want to access that smb, you will add in that address list that ip I don't know from which IPs they are going to connect to the smb server. I want it to be ...

jaxed8

It was working untill the SA rekey happened and after that instead of move the nat rule up it's move it down at the last position (13) and no matter how many time it's trying it's gonna be the same. untill I reboot the router

jaxed8

There are thousands of free file sharing services on the internet... You have to share something truly illegal to not want to use them. If you share them "zipped" with a 100-digit password, no one will decrypt them who does not know the password ... It's not about the actual content, it's...

jaxed8

Another host for the botnet...

It's gonna give very limited access based of username and password and only for one folder.

jaxed8

Screenshot 2021-11-18 205426.jpg

jaxed8

Router configuration :

gh.rsc

jaxed8

maybe something like this /ip cloud set ddns-enabled=yes /interface list add name=WAN /interface list member add interface=ISP-eth1 list=WAN add interface=ISP2-eth2 list=WAN /ip firewall address-list add address=TRUSTED_REMOTE_NETWORK list=Trusted /ip firewall nat add action=dst-nat chain=dstnat ds...

jaxed8

Having the same device and it's Wireless (Atheros AR9300) too in winbox.

jaxed8

No, do it properly via VPN.
SMB SHOULD NOT be exposed to the internet.

I want to host few files for some people that why I want to give them access but I don't want to give them access to my vpn because I run other things on that as well.

jaxed8

Hello every one I recently add a NAS to my network which is at 192.168.11.100 and it use the default SMB port which is 445. but the problem is the router is behind the NAT and also connected to IKEV2 IPsec vpn and the router don’t have a static ip (public ip). so, I want to have access to 192.168.11...

jaxed8

Well, this is their final anwser

Screenshot 2021-11-08 140020.jpg

jaxed8

Thanks it worked.

jaxed8

What is the dynamic Rule 0. IPsec IKEV2, mode-config cause it's use a src-address-list from add address list so that's why when tunnel is established it will put that dynamic nat rule. which I want it to be at position 1 instead of 0, so that's why I need a script to move the not delete or recreate...

jaxed8

IPsec IKEV2 mode-config

Screenshot 2021-10-28 221402.jpg

jaxed8

Hello every one I need a script to automatically check and keep a action=masquerade chain=srcnat rule at the top of the others because there is a action=src-nat chain=srcnat rule that is being dynamically generated that sits at the top (#=0), But I want to always have the action=masquerade chain=src...

jaxed8

Don't underestimate the impact from testing those tunnels each half hour. If you're on a volume-limited line, it eats away of your available volume ! And the fact that during switch-over, you WILL loose your connection for whatever you are running. What actually is missing here: what are you trying...

jaxed8

Can DOH3 and DOQ be added to the mikrotik?

jaxed8

I just sent a ticket to support.

jaxed8

Hi I have winbox 3.31 when I plug into my RB5009 on the first port, nothing happend..I must plug into port 3 and its ok...But previous I had on port 1. Is there any special port on winbox? Because I don't know, how to logg into routerboard from another port.. Thanks To add to what holvoetn said you...

jaxed8

"losing connection" does not activate autosave on close. That only works when you close the connection yourself by exiting winbox or closing the window. I have requested before to have an "autosave on disconnect", that would certainly be useful. and also the possibility to tweak...

jaxed8

Ping to the other end of the VPNs If it succeeds, the tunnels are up. Choose the fastest respons. Yeah that would be an option but what I'm looking for is a speedtest comparison like download speed and upload speed, so it will test the download and upload speed of each vpn to a btest server and com...

jaxed8

Now you didn't get me. It's not dst-address-list=79.127.127.21, it's just dst-address=79.127.127.21.

Yes

It worked, Thank you very much man. I highly appreciate your effort.

jaxed8

Show me /ip firewall nat print in the "manual" case while the tunnel is up. here you are: [@MikroTik] > /ip firewall nat print Flags: X - disabled, I - invalid, D - dynamic 0 chain=srcnat action=masquerade dst-address-list=79.127.127.21 log=no log-prefix="" 1 chain=srcnat action...

jaxed8

It's not "src-address-list in connection-mark". You can specify either or even both on the /ip ipsec mode-config row, and corresponding srcnat rules are created each time the IPsec "session" is established, one per each item. So if you specify both src-address-list=some-list and...

jaxed8

I think you misunderstood my question or I didn't understand your answer, I want to route some websites or at least their IPs out of my VPN, with my current configuration I believe all of the traffics would go trough VPN and I want to keep it this way except for few websites. Okay, yes, with my lim...

jaxed8

"Searched and thou shalt find"

viewtopic.php?t=140887

Thank you, how can it be modified to use for vpn?

jaxed8

What kind of VPN are you using ?

PPTP - L2TP

jaxed8

Once the "normal" routing and firewall processing including NAT is done and the last thing to do is to send the packet out the chosen interface, the IPsec processing compares the source and destination IP address, IP protocol (TCP, UDP, ...), and source and destination port of the packet ...

jaxed8

Figured out the problem. The “Syn Flood” rules in the firewall are picking up DoH as a flood attack and blocking all packets from whoever your DoH provider is. Disable the “syn” firewall rules and DoH will work. In my router settings /ip settings set tcp-syncookies=no is disable but still i got the...

jaxed8

IPsec traffic matching only works on IP address, protocol and port number matching and supersedes the result regular routing. So you cannot use IPsec's own means to match on in-interface , you'd have to match using src-address on the subnet linked to each interface, which could be added to the addr...

jaxed8

As you use the first approach

Thank you very much for your help i will check this to see how I can use it for Vlan and virtual.
Is this normal?:

Screenshot 2021-10-25 215340.jpg

jaxed8

I was checking the server and just reboot it (server) and then vpn on router start working: Screenshot 2021-10-25 022958.jpg But two question to ask: 1. how can I route an ip or ips out of that vpn? for example: 107.154.106.114 2. how can I route an interface (VLAN or Ether port or Virtual) traffic ...

jaxed8

You are kind of mixing things together (or maybe you don't but it is hard to find out because elements related to both ways are disabled in the config you've posted). I disabled them cause when they are enable I don't have internet on my devices and I simply forgot to turn them back on when I was e...

jaxed8

jaxed8

My router configurations:

configuration.txt

jaxed8

Any idea?

jaxed8

I tried setting the address list and set it for mode configs as been said in manual but no difference.

jaxed8

Hello everyone After spending a lot of hours trying to config the server (Ubuntu) and client (Router 4011 (behind NAT-dynamic ip)) it's finally established the tunnel and it's automatically create a NAT rule and there is no internet on devices (I tested the vpn on android client and it's working fin...

jaxed8

Is it a problem with mikrotik? should I contact mikrotik support?

jaxed8

Hello everyone Today suddenly without any change in my routers configurations all of them (v6.48.3 and v6.48.4 and v6.48.4) got "DoH server connection error: SSL: handshake timed out (6)" in log, all starting at the same time and DNS stopped working which was working fine for few month. I ...

jaxed8

So with this only that website gonna access my actual ip not any other website? I mean it's not leaking my ip in this way? That's a complex topic. First, you can choose whether to establish a connection via VPN or directly depending on the destination IP address, but multiple sites apparently unrel...

jaxed8

Is it even possible?

jaxed8

up up

jaxed8

up up

jaxed8

Winbox dark mode

jaxed8

up up

jaxed8

It's because Ilir probably hasn't noticed that you've got no srcnat rule except the one for out-interface=L2TP_XXXX . So you can e.g. copy that rule and change out-interface=L2TP_XXXX to out-interface=ether10 in the copy. Or instead you can just remove the matching on out-interface , as the rule on...

jaxed8

Hello everyone I got vpn (PPTP1) on the router that the whole traffic route thorough that, now I want to keep it the same way but only route all /ip firewall nat add action=dst-nat chain=dstnat dst-port=XXXX protocol=tcp to-addresses=192.168.XX.XX to-ports=XX thorough an other vpn (PPTP2). So two ac...

jaxed8

Add a new rule at mangle with action accept and set destination IP and put those rules at top of others! Those are mine: /ip firewall mangle add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.1.0/24 add action=accept chain=prerouting dst-address=public-ip-of-website a...

jaxed8

Hello everyone
I want to route some websites or at least their IPs out of my VPN, with my current configuration I believe all of the traffics would go trough VPN and I want to keep it this way except for few websites.
This is my configuration:

config export.txt

jaxed8

@normis @emils
I didn't knew where to send this but could you add night mode to winbox.

jaxed8

Any idea?

jaxed8

Okay... let's do another thing then, set the port parameter on the /ip ipsec peer row at the client to 500 , and sniff at both the server and the client with port=500 (still with IKEv2, not L2TP/IPsec). What's the result? I managed to screw the server firewall rules so it's not accessible anymore. ...

jaxed8

When you enable the peer & identity at the client and run the same /tool sniffer quick port=4500 on it, can you see the attempts there?

Yes

jaxed8

Should I tell the guy for netinstall or just do it myself, I mean cause it's on the vmware after resetting am I gonna be able to access it? If it's on a VMware you can manage, just delete the VM and deploy it again from the template, but do not connect the internet-facing interface before you set u...

jaxed8

Nevertheless, in such a case, if you enable the IKEv2 peer and the identity associated to it on the client, you should see packets to arrive to 5.x.x.x:4500 if you run /tool sniffer quick port=4500 . If you don't, something is rotten somewhere outside the server side router. right now when I run /t...

jaxed8

Should I tell the guy for netinstall or just do it myself, I mean cause it's on the vmware after resetting am I gonna be able to access it?

jaxed8

OK, so I have swapped the roles of the routers when checking the configurations, and the one without a firewall is actually the server one, with the public IP directly on itself. Great. The right thing to do would be to disconnect it from the internet, netinstall it with the default configuration, ...

jaxed8

Now wait - the server has a public IP on itself after all? If so, no port-forwarding is necessary at its side. Sorry, too many similar topics. L2TP client should send packets to port 500 on the server's address; IKEv2 initiator should send packets to port 4500. Both should be shown by the sniffer. ...

jaxed8

Client side:

Screenshot 2021-09-27 200858.jpg

Server side:

jaxed8

Also with the client (home) I can connect to another L2TP server without any problem (even before adding those two firewall rules) (don't have the access to the server) so maybe both UDP port 500 and UDP port 4500 are forwarding correctly on the client side and we got a problem with server side or e...

jaxed8

OK, the title says IKEv2 but we've silently moved to L2TP. Never mind, just run /tool sniffer quick port=500 on the server, and try connecting from the client. If it shows nothing, the problem is not in the server-side Mikrotik but most likely on the router(s?) standing between that Mikrotik and th...

jaxed8

OK, the title says IKEv2 but we've silently moved to L2TP.

I know I thought since I had problem with that bringing that up might help with the actual topic of the subject.

jaxed8

I know this one is not related to the topic subject but this is my another router configurations, if you got time take look it and tell me if there is anything like a problem or something with it (firewall) that can be fix.

Other router configurations (with static IP).txt

jaxed8

On the server, run /tool sniffer quick port=4500 while trying to connect from the client. If you can see something to come, the port forwading outside the Mikrotik works fine. Thanks man, but it didn't show anything. Screenshot 2021-09-27 185725.jpg After and before adding the firewall rules the re...

jaxed8

The group value default is wrong at both, unless you've changed also the policy template group on the identity row to default . According to the configurations you've posted, it should be My group NAT as such doesn't constitute a problem if there is sufficient port-forwarding (UDP port 4500) at all...

jaxed8

So I'd say set template=yes for the policy at both devices (which will make the peer and tunnel properties irrelevant) and you should be good - both peers will generate the policy from this template. I've done this but no change. Screenshot 2021-09-27 162051.jpg Screenshot 2021-09-27 161957.jpg may...

jaxed8

Any idea?

jaxed8

This one @sindy @erkexzcx Thanks man, But it didn't worked with this on you send the link and I tried This one but didn't worked as well. So I thought maybe I'm setting something wrong, This is the configurations for both routers and xy.xy.xy.xy is the static IP of the server. Server configuration ...

jaxed8

Hello everyone I'm looking for a script that can check the speed and ping of different multiple VPN clients every half an hour or so (maybe with multiple speedtest server) and select the one that has the most speed and lowest ping and change it automatically. If such a thing is possible. I will appr...

jaxed8

The safer authentification method you use, the less you have to care about the address of the remote peer. With properly generated certificates (CSR generated at the device that will use the certificate to authentify itself to others, signing the CSR by a CA, and importing the signed certificate to...

jaxed8

Set them exactly as you would if both had a static public IP, using the site to site example from the manual, but set passive=yes address=0.0.0.0/0 in the peer properties at the one with static IP. And set exchange-mode to ike2 rather than main at both. That's all. Thanks man, I will try this one a...

jaxed8

If you've got a static public IP at at least one peer, just make that one a responder only ( passive=yes ) and that's it. You only need to use dynamic DNS if none of the peers has a static public IP. And if none of them has a public IP, not even a dynamic one, it's yet another challenge which may o...

jaxed8

yes, I think you could activate DDNS
https://wiki.mikrotik.com/wiki/Manual:IP/Cloud
/ip cloud set ddns-enabled=yes
and then use the dns-name instead of static IP

Thank you, but how to set it up for IKEV2?

jaxed8

Maybe something like this?

viewtopic.php?f=23&t=169538

viewtopic.php?f=23&t=175656

Thanks man, The server got static IP but not the client is this a same situation as your first given link?

jaxed8

Hello everyone I want to make a router to router iKEV2 tunnel but one of the router got dynamic IP. I was wondering how I can manage to do this in this case, maybe using DDNS provided by MicroTik on routers? I heard with some script it will be doable but I'm a bigginner so maybe you guys can help wi...

jaxed8

jaxed8 write:
Screenshot 2021-09-06 023232.jpg
This software is like TeraCopy ? What it's ?

sorry for the late reply. It's IDM (Internet Download Manager) https://www.internetdownloadmanager.com/

jaxed8

It depends. If you are in mainland France, you may be able to choose an ISP for your home that has a better connection to OVH's network. If you are overseas, so there is a satellite link somewhere in the path, it's very likely that all ISPs will have the same issue.

Thank you very much

jaxed8

Those pictures show that most of the delay is between your ISP and the VPN provider's network. The first one shows that the responses from the last private IP in the ISP's network arrive in 15 ms on average, whereas the responses from the first responding OVH server arrive in 116 ms on average. The...

jaxed8

I've done that but didn't understand the results that much The results show you (or not) IP addresses of the routers between your home and the destination, and the total round-trip delay (i.e. including the previous hops) to each of them. Can you paste the result here, hiding the actual addresses o...

jaxed8

You can try to disable them and see whether it affects the performance or not. Given that the overall performance is not stable, you may have to do several tests in each state to make a reliable conclusion. I would say no difference after I disabled them so I will keep it this way Screenshot 2021-0...

jaxed8

Yes, Wireguard is available in ROS 7, and it is pretty fast as such on a 4011. However, TCP and ~120 ms round trip delay may mean lower throughput even if encryption and decryption alone works very fast. The only VPN protocol to be hardware accelerated on some Mikrotik devices (including the 4011) ...

jaxed8

Solution was at #26 by disable fasttrack-connection and this #26 should be marked as SOLVED tag..

Yeah you are right I test this by disabling those mangles and disable fasttrack-connection and it works pretty fine.
Thank you very much
P.S. I really like your avatar

jaxed8

Also once I got this speed but after it was mostly 17Mbps - 28Mbps which I think it's because of the VPN connection, maybe with SSTP it will be better. Screenshot 2021-09-06 014845.jpg I found very very interesting thing. So let's say the speed drop to about 17Mbps - 28Mbps (17Mbps when downloading...

jaxed8

Is there a way to completely cover the VPN so ISP never understand I'm using one? Definitely not with PPTP, whose encryption is so weak that it actually hides nothing; IPsec or something-over-IPsec is also obvious, so you'd have to use an SSTP VPN which looks like a normal HTTPS session, except tha...

jaxed8

Also once I got this speed but after it was mostly 17Mbps - 28Mbps which I think it's because of the VPN connection, maybe with SSTP it will be better.

Screenshot 2021-09-06 014845.jpg

jaxed8

Grrr... I forgot the obvious... disable the action=fasttrack-connection rule in /ip firewall filter and try again. Oh man o man it worked it workeddddddddddddddddddddd Thank you so so much Screenshot 2021-09-06 004355.jpg I called the ISP they said there is a technical difficulty that's might be th...

jaxed8

OK, so try just the mangle rules.

After I add those it's still the same

Screenshot 2021-09-05 235601.jpg

Screenshot 2021-09-05 235905.jpg

jaxed8

Is there a way to completely cover the VPN so ISP never understand I'm using one? To your speed issue - the default max-mtu and max-mru settings of PPTP client interface, 1450 bytes, assume that the PPTP transport packets will be sent over an Ethernet interface with MTU of 1500 bytes. However, your...

jaxed8

Is there a way to completely cover the VPN so ISP never understand I'm using one? your WAN interface is a PPPoE one No that PPPOE is disabled and it was for ADSL from past, right now the wan is just a Ethernet cable to port 10 of the rb4011 and no need any configuration. Screenshot 2021-09-05 23364...

jaxed8

Is there a way to completely cover the VPN so ISP never understand I'm using one?

jaxed8

No it's just VPN client on windows. the PC is always connect to the rb4011. If so, the MAC address of the 4011 plays no role in the VPN throughput, because the VPN provider can never see a MAC address, whereas the ISP can always see the MAC address of the 4011's WAN, no matter where the VPN client ...

jaxed8

Also it's worth mentioning that sometimes the speed with VPN on the PC or phone got also slow to about 13Mbps but without VPN it's more than 40Mbps. but it's just sometimes and I'm sure it's not about VPN server bandwidth cause it's 10Gbps and the 1Mbps speed I got when I have the VPN on the router ...

jaxed8

My internet connection is: 40Mbps download - 8Mbps upload

jaxed8

Given the awful upload performance, are you sure you have MTU / MSS set properly?

The ISP given maximum upload speed is 8Mbps

jaxed8

hi, what @rextended trying to say most ISP capped your connection if they determined you put a router in between by observing the TTL and decremented by 1 and triggered them to reduced your bandwidth, since you try to reset the TTL to 65 the ISP shouldn't notice you put a router and in theory shoul...

jaxed8

When you say "VPN on the PC" vs. "VPN on the router", does that really mean only where you run the VPN client, or do you also connect the PC directly to the ISP's modem (excluding the 4011 from the path)? No it's just VPN client on windows. the PC is always connect to the rb4011.

jaxed8

https://wiki.mikrotik.com/wiki/Manual:Interface/LTE#Avoiding_tethering_speed_throttling Ping result without VPN: Reply from 1.1.1.1: bytes=32 time=114ms TTL=52 Ping result with VPN on PC: Reply from 1.1.1.1: bytes=32 time=123ms TTL=56 Ping result with VPN on router: Reply from 1.1.1.1: bytes=32 tim...

jaxed8

I change the TTL but no difference. I tried different numbers and test with those but all same thing, not sure my configuration is right though. Screenshot 2021-09-04 224722.jpg Screenshot 2021-09-04 225229.jpg Screenshot 2021-09-04 225257.jpg Screenshot 2021-09-04 225335.jpg Screenshot 2021-09-04 2...

jaxed8

They do not check device, but ttl time, see other topic already open about that. If you use the pc, you are directly connected, and is ok, But if you put between the router, the ttl is decreased by one (device) and the provider understand than you share the connection. Oh is that so, Thank you for ...

jaxed8

Hello everyone My problem is with VPN speed when I config it on the MikroTik router (RB4011IGS+5HacQ2HnD-IN) as the client the speed drop drastically compare to when I connect to the same VPN server on the windows, on both I use PPTP. I think the problem is with the MikroTik mac address because here...

jaxed8

If you not have already broken the modem forcing PoE with 24V from RB4011, you can try to power the RB4011 with 15V and using a sufficent Watts power source for power both 4011 and modem. If the modem use 500mA @15V, if you decrase the voltage the mA needed are more, and the 4011 can't release more...

jaxed8

If you not have already broken the modem forcing PoE with 24V from RB4011, you can try to power the RB4011 with 15V and using a sufficent Watts power source for power both 4011 and modem. No it's still working :D If the modem use 500mA @15V, if you decrase the voltage the mA needed are more, and th...

jaxed8

I do not find much information about ZLT P19H But is 15V device, probably do not work with 24V poe as 4011 have. About ZLT P19H it's very similar to YF-P11 and about this it said Power Range 5V---18V In this page: https://yifanwireless.com/outdoor-4g-cpe/yeacomm-yf-p11-ip66-4g-lte-outdoor-cpe-with-...

jaxed8

Image: are shorted blu and brown pairs.

So I got to change the cable? or sockets?
Can be a 568a or 568b wiring problem?
What do you suggest?

What device is the "modem"?

ZLT P19H

jaxed8

I recently bought RB4011IGS+5HacQ2HnD-IN which comes with POE out on ether10, but when I connect my modem to this port I got no link and modem does not get any power which is working fine with external POE adapter and with pressing Cable test it will show the cable is shorted 28m (cable length is ab...

jaxed8

jaxed8

4a) If is intended use VLAN for provide connection trough VLAN to the all device on LAN, is possible 4b) Other strange meanings: NO Thanks for your reply 1) failover will do fine, but how much time it will take to detect and change? 2) sorry about the typo. 3) what I meant is no data without VPN to...

jaxed8

WARNING for other users: I reply without considering bonding or similar... As for the SMIPS devices, for me do not have any sufficient use power What I want is 1) to add second WAN to connect and simultaneously work with WAN 1 2) so if any of them goes down none of the packages packet dropped 3) Al...

jaxed8

haplite is underpowered for vpn work and there is no way to recover packets when you change WANs if one goes down.

What models do you suggest?

jaxed8

Because nobody moderates the forum 24/7. Your post was approved when one of the moderators had time to do that.

I'm sorry, I thought the post had issue.

jaxed8

Why it's not been approved?

jaxed8

Hey everybody, I'm very new to Mikrotik world so I really appreciate simple explanations maybe with some screenshots of Winbox. Recently I bought HAP lite for my ASIC miners to have VPN always up and running but WAN 1 (ADSL) got a lot of downtime recently and also the guy that setup and config this ...

Search found 198 matches