MikroTik

TheCat12

I would try with "Disable link-local address" off and "Auto link-local" on and see what the behavior of the parameter - does it remove the auto generated link-local address for the interface, do they coexist but one gets preferred over the other, etc.

TheCat12

It's the same principle as described in the OPNsense forum: add an .100.x address on the interface facing the modem and create a src-nat rule: /ip address add address=192.168.100.2/30 interface="modem_facing_int" /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.100.1

TheCat12

Doesn't the relatively new auto-link-local address option allow you to manually create one and override the dynamically created? At least that's how I interpret the description of the parameter in the docs

TheCat12

A full export is needed due to the multiple interconnections between the settings of the router:

/export file=anynameyouwish

(minus sensitive info like serial number, public IPs, passwords, etc.)

TheCat12

Try by changing the keepalive-timeout parameter in the PPPoE client settings to 150 seconds or greater

TheCat12

Do you have SIP NAT helper enabled?

TheCat12

The disconnection problem is probably on ISP's side. The last firewall rule "Drop all from WAN not DST-NATed" should apply to out-interface=pppoe-out1 and not ether1 . You're also missing a rule for dropping all input not from LAN, so again you're vulnerable. The default firewall should be...

TheCat12

Would you post your log with topics=ipsec,!debug and config here?

export file=anynameyouwish (minus sensitive info)

TheCat12

What I meant under default firewall is to implement additional rules which are present in the default configuration becuase now your connection to the internet is even more insecure! I don't have them at hand but they have been posted multiple times and can be found almost everywhere

TheCat12

Also, may I inquire what the purpose of the 255.255.255.0 route is?

And update your fiewall to the default one, as your router is insecure at the moment

TheCat12

Technically, the PTP should allow "foreign" networks to pass through it, so you would just need to disable the masquerade rule.

TheCat12

I'll have to disappoint you, but you'll need the use one command on the terminal to export the configuration and post it here for review: /export file=anynameyouwish This command will generate a file in the routers' files which you'll copy over to your computer, open with Notepad, remove any serial ...

TheCat12

If this is your whole configiration, you have missed to set up Bridge VLAN filtering. You need to define which ports in the bridge will be access for which VLAN and which port will be the trunk one (I assume that will be ether3). Suggest you read the following quite useful topic: https://forum.mikro...

TheCat12

3DES is considered insecure and it's deprecated: A CVE released in 2016, CVE-2016-2183, disclosed a major security vulnerability in the DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of 3DES, led to NIST deprecating 3DES in 2019 and disallowing all uses (except p...

TheCat12

Based on the following log entry:

09:39:50 ipsec 1.1.1.1 request for establishing IPsec-SA was queued due to no phase1 found.

I'm prone to conclude that the problem is with Phase 1, i.e. the Profile settings

TheCat12

Or any tunneling protocol in that manner - EoIP, IPIP, GRE

TheCat12

BTW, I think you confused "level" and "action" in your config:

My bad, you're right! Edited it accordingly. And after educating myself a bit more on the topic of mode-config, I made a small edit to point 2

TheCat12

The wifi2 interface should be out of any bridge and to do the masquerade:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wifi2

Also, if it's connected, the status of the interface should be R (running)

TheCat12

Yes, the old package is wireless and it can be installed but I don't know how well or if it works at all in conjunction with the new one. Best case you'll have to uninstall the new one and use the old one

TheCat12

I would temporarily connect one of the wifi interfaces to the given dimmer as a station, assign it an IP via DHCP or static (depending on the setup), and masquerade it

TheCat12

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN protocol=udp src-port=162 to-ports=162

Put the rule before any other masquerade one

TheCat12

The easiest way would be to set up DHCP on the hAP as you've already done, connect the mAP lite, put all of its ports and Wi-Fi interfaces in a bridge, give the bridge an IP from the hAP subnet and voila

TheCat12

1. L2TP and IKEv2 do not interfere with one another if configured properly. 2. For the site-to-site IKEv2 there is no need for split-include in the mode config. If you leave it as it is, dismiss point 4 3. Also no need for additional NAT and RAW rules 4. To enable routing between the two sites, a fu...

TheCat12

I'd be glad to provide it – but what menu level do you need me to [export]? A full one through the command we posted - you paste it in the CLI, download the resulting file on your computer and edit out sensitive info with Notepad As for the way I'm planning to identify the sites, it's mainly primev...

TheCat12

To work properly, the WAN ports should either stay as disabled members of the bridge or, even better, be removed from the bridge

TheCat12

Is this the default firewall rules? /ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="drop invalid" connection-state=invalid add action=accept chain...

TheCat12

Try removing the src-address parameter from the output mangle rule and replacing it for a connection-mark=icmp-con

TheCat12

Before doing anything about the internet connection of the LAN devices, you need to implement a firewall ASAP! The default one is the bare minimum. After you urgently do that, you can remove the WAN port from the bridge, add it to the WAN interface list and check whether "Add default route"...

TheCat12

Would you be so kind as to give more details on what VPN type is being deployed - Wireguard, IPsec? An export of the configuration would be most helpful:

/export file=anynameyouwish (minus sensitive info)

TheCat12

Additionally, in Location B, you're missing a masquerade rule for traffic going out ether1:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

TheCat12

That would be your explanation: MAC-based VLANs will only work properly between switch ports and not between switch ports and CPU. When a packet is being forwarded to the CPU, the pvid property for the bridge port will be always used instead of new-vlan-id from ACL rules. Quote is from the docs: htt...

TheCat12

I believe that in the NAT rule you need to use a concrete IP address and not the default masquerade because of the many addresses on the ether1 interface:

/ip firewall nat
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface-list=WAN to-addresses="specific_public_IP"

TheCat12

After a quick research, I found out that Miracast uses mDNS, so I believe that an mDNS repeater will do the job for you:

/ip dns
set mdns-repeater-ifaces="subnet_interfaces"

TheCat12

If we could see the exported configs of routers A, B and C, then we might be able to deduce what the problem is:

export file=anynameoyuwish (minus sensitive info like public IPs, passwords, etc.)

TheCat12

A public IP is a premise for every VPN server. However, if not acquirable and the setup is home/SOHO, there is this thing called BTH (Back To Home), which is basically Wireguard + Mikrotik relay server for public IP and hole punching if behind CGNAT. More info on them: https://mikrotikmasters.com/se...

TheCat12

It's because of the local address of the PPP secrets on the L2TP server - if you set it to be one and the same for both secrets (say 10.1.1.1), then there should be no need for the two routes. I don't expect it to make problems the way it is, so if you don't mind the routes, you can leave it as it is

TheCat12

Now that I think about it, the routes really are a bit odd... Would you mind posting an exported config of the VPN server as well as at least one of the clients?

export file=anynameyouwish (minus sensitive info like serial numbers, public IPs, etc.)

TheCat12

If the solution is the one you posted under the quote, it's the right one and the same as mine. I missed to mention that the routes I posted are additional to the ones that were to be seen on the network diagram

TheCat12

1. It depends on your budget and needs - I would personally go for a RB5009 but a hEX would also do a great job 2. Definitely yes 3. https://help.mikrotik.com/docs/spaces/ROS/pages/2031631/L2TP or https://mikrotikmasters.com/mikrotik-l2tp-vpn-server-with-ipsec/ 4. Why don't you use Wireguard? It's m...

TheCat12

No need to be sorry for "bad knowledge" - everyone has to start from somewhere after all :) As for the routes, luckily it's quite easy to set them up - on the 10.1 router you add a route that points to 20.1 with gateway the VPN and vice versa: # 192.168.10.x router /ip route add dst-addres...

TheCat12

Sorry to dissapoint but your firewall is still a giant mess. You still don't have sufficient forward rules to block malicious traffic. I don't see how rules 1, 2 and 3 "whitelist" certain IPs and you still haven't allowed proper access for the VPN to work (I don't know how it hasn't broken...

TheCat12

Made an edit accordingly

TheCat12

In short, you need to implement the following default rules: /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connec...

TheCat12

I'm thinking of a nifty trick which hypothetically should work, but practically not so sure. However, you would need to shift the L2TP pool range to somewhere after the .151 address. To the PPP profile you would add an address list name and then use it in the following NAT rule: /ip firewall nat add...

TheCat12

To diagnose the issue, a full exported config would be needed:

export file=anynameyouwish (minus sensitive info like serial number, passwords, etc.)

If you paste it as plain text, make sure to surround it with code tags

TheCat12

If you define everything manually, no, you won't turn it off completely

TheCat12

Suggest adding the WG interface to the WAN interface list:

/interface list member
add interface=MullvadWG_1 list=WAN

TheCat12

You would untick the use-ipsec option in the L2TP server settings and create the IPsec configuration manually - you have already defined profile and proposal, all that is left is a policy template, a peer and an identity

TheCat12

Try removing the src-port parameter from the NAT rules

TheCat12

Always glad to help! If you have remaining questions/problems, don't hesitate to write

TheCat12

I'm starting to think the following rule is the culprit:

add action=accept chain=input comment=\
    "VPN | WireGuard Port vom WAN aus erlauben" dst-port=13231 \
    in-interface-list=WAN protocol=udp

Try removing the in-interface-list and see if anything changes

TheCat12

Use the following command then:

/ip address
set 0 interface=lan

TheCat12

Here is the thing you couldn't find from above:

/ip address
add address=10.3.9.1/24 interface=sfp-sfpplus1 network=10.3.9.0

Change the interface=sfp-sfpplus1 to interface=lan

TheCat12

Probably the ISPs are to blame if the WAN IPs aren't public or their devices aren't in bridge mode

TheCat12

This should be removed:

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0

This should be changed to interface=lan:

add address=10.3.9.1/24 interface=sfp-sfpplus1 network=10.3.9.0

And the recommendations from my previous post

TheCat12

I'll copy off anav and say the same: post your latest full config for review

TheCat12

I concur. Default firewall rules: /ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked" add chain=input action=drop connection-state=invalid comment="defconf: drop invalid" add chai...

TheCat12

Or, since we're dealing with VLANs, arp=proxy-arp on the VLAN interfaces but just a wild guess

TheCat12

There is a discrepancy between the addresses on the MT <-> Server link - they're not in the same subnet

TheCat12

I'll use the bestowed upon me freedom to give a few more suggestions :wink: 1. Disable detect-internet because it is almost always a pain in the behind: /interface detect-internet set detect-interface-list=all to /interface detect-internet set detect-interface-list=none 2. Instead of listing out all...

TheCat12

Silly me, forgot the www service: /ip service set www address=10.3.9.0/24,192.168.100.0/24 Of course, if you need access through the other protocols via WG, you should add its subnet to every IP service needed. Also, the firewall rules have duplicated themselves. You should remove one of two sets. L...

TheCat12

Your firewall is hazardous for yourself! Unplug from the internet and add the following default rules: /ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked" add chain=input action=drop connec...

TheCat12

A posted config would be much appreciated.

The command to export one is:

export file=anynameyouwish

After that, you copy it from the Files menu to your local machine and open it with Notepad to edit out some sensitive info like serial number, passwords, etc.

TheCat12

Could you post your config here beforehand because this shouldn't be the case

export file=anynameyouwish (minus sensitive info)

And to answer your question, IKEv2 can work alongside L2TP if configured properly

TheCat12

A simple firewall rule:

/ip firewall filter
add action=drop chain=forward in-interface=eth2-lan out-interface=eth1-wan src-address=!a.a.a.a

where a.a.a.a is the IP of the specific host that needs to reach the internet

TheCat12

Since you haven't posted the full config, you have to make sure the WG interface is part of the LAN interface list. And the hairpin NAT rule should be the first one because rules are evaluated from top to bottom And the AllowedIPs of the peer should be set to 0.0.0.0/0 to send all traffic through th...

TheCat12

Quite sure that would suffice. The first routing rule you quote, as I said in a previous post, ensures that local traffic dosn't get routed through the WG tunnel. The second one is the policy based routing and if the failover is configured correctly, there should be no need for additional routes in ...

TheCat12

It'll make your life easier, so yes

TheCat12

Or better yet, just use the default firewall rule "Drop all not coming from LAN" as the last of the chain:

/ip firewall filter
add action=drop chain=input in-interface-list=!LAN

TheCat12

A.k.a the hairpin NAT rule

TheCat12

I saw my mistake, forgot to add the routing table parameter, thank you!

TheCat12

Here you can find details about the reset/Netinstall process for hAP lite: https://help.mikrotik.com/docs/spaces/UM/pages/16351380/hAP+lite And here more about them generally: https://help.mikrotik.com/docs/spaces/ROS/pages/24805498/Reset+Button Technically I think they don't need to be on the same ...

TheCat12

@TheCat12 <- you created a to_WAN_pppoe2 table that doesn't have a default gateway It has a gateway - the failover PPPoE interface can act as one since we're talking about a PtP protocol He wrote that failover was working properly, I believe that the main table is ok. The main table routing rule, i...

TheCat12

An edited version of @panisk0's short version will do the job because his is a bit overcomplicated and there are some things whose logic I don't understand (for example the use of routing marks): /routing table add fib name=to_WAN_pppoe2 /ip route add dst-address=0.0.0.0/0 gateway="backup_PPPoE...

TheCat12

Your config is understandable but a network diagram with trunk and access ports is highly advisable because on some ports which claim to be access ones there aren't any visible PVIDs

TheCat12

Since the local MT would need to access the internet through WG, I would put allowed-addresses=0.0.0.0/0 on the peer for starters. After that, I would add the following routing rule before the one you created: /routing rule add action=lookup-only-in-table dst-address=10.0.0.0/24 table=main Since the...

TheCat12

For the spare hAP lite, I would suggest resetting it by pushing the small RES button on bootup and then trying to connect to it. If it fails, may Netinstall be on your side. For the bare minimum to access internet and such through the office LAN, you would use the DHCP subnet of the VM router by set...

TheCat12

Or better yet, export the config of the router and post it here since I'm expecting to see some firewall/NAT rules added to the hotspot chain system by the integrator that affect the VPN

/export file=anynameyouwish (minus sensitive info like public IPs, serial number, passwords, etc.)

TheCat12

Perhaps you could do something else but that would require a second (preferably MT) router - put the Virgin Media router into bridge/modem mode and add your router behind it with more capabilities. That way you'll also be partially independent from the VM router

TheCat12

1. Better fixed IPs, since you'll have only four devices in the subnet and you'll need static routing 2. You could give it whatever IP range you want. The only requirement is that it doesn't clash with any other preexisting subnet. You could do the following: 1. Add an address to ether5: /ip address...

TheCat12

Perhaps you have inadvertently enabled it through the QuickSet settings? That aside, you can disable the L2TP server if you're not using it: /interface l2tp-server server set enabled=no You should also blacklist the IPs which seem to have gained access to your subnet as well as change username and p...

TheCat12

Basically whatever is coming from 192.168.88.0/24 goes out the default route. (the spectrum main dhcp'd ip) Anything that comes over the l2tp connection say 216.146.17.128/29 goes out of the route of the l2tp connection but is another subnet on the bridgeLocal interface. That's the part where it ge...

TheCat12

Wait a second... Do you just want the LAN to go out to the internet through a public WAN IP and/or the other way around? If that's the case, it could be achieved with policy routing: /ip address add address=216.146.17.129/29 interface=lo /routing table add fib name=thr_l2tp /routing rule add action=...

TheCat12

You still haven't answered my question - why do public IPs and local ones need to be on the same interface? Do you want a specific device to have a public IP? Does it need to access the internet from it? Do you want to forward the addresses to another router?

TheCat12

Add the following NAT rule before the default masquerade one:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.12.8 src-address=192.168.12.0/24

TheCat12

I still cannot comprehend the purpose of having local and public IPs on the same interface. Kindly clarify it

TheCat12

A network diagram as well as stating your requirements in the form "which users are part of what network and what should they be able to reach from where" would be quite helpful

TheCat12

You added it as the first rule, right? Because rules are evaluated from top to bottom

TheCat12

I personally don't see any errors in the log so the most likely culprit is the Windows 11 machine

TheCat12

It's probably the NAT that's messing things up, so try adding the following rule on the top:

/ip firewall nat
add action=src-nat chain=srcnat dst-address=192.168.1.1 out-interface=sfp-sfpplus1 to-addresses=192.168.1.2

TheCat12

It is hard to work with snippets since everything is interconnected, so kindly attach a full exported config of the router:

export file=anynameyouwish (minus sensitive info like serial numbers, public IPs, etc.)

TheCat12

I don't know if it would make any change but try using src-address directly instead of src-address-list in the mangle rules

TheCat12

With an address list and some mangling, it's possible to route through the VPN. But first, an exported config to see the type of VPN, if there are other active routing rules and/or mangling, etc., would be appreciated:

export file=anynameyouwish (minus sensitive info)

TheCat12

It should be possible with the appropriate script but I'm no expert in scripting

TheCat12

Exported configs of both router are needed:

export file=anynameyouwish (minus sensitive info like serial numbers, passwords, public IPs, etc.)

TheCat12

Without a config we can't tell anything:

/export file=anynameyouwish (minus sensitive info)

TheCat12

Per your example from a previous post, to port forward 192.168.88.50:80, you would need to add the following NAT rule: /ip firewall nat add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.50 Before adding it, you would need to consider whether you h...

TheCat12

May I suggest a simpler approach for policy routing in this case? Instead of mangling, use routing rules:

/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup src-address=192.168.88.5 table=vpn_mark

Order of rules is important

TheCat12

Bridge is required for switching, aka if you have multiple ports attached to it, which share the same VLAN. In this case, when there is just one single interface running VLANs, you can just attach VLAN interfaces directly to eth4. I mean it will work either way, but in this case, bridge part looks ...

TheCat12

I also have a question for @anav regarding PCC: shouldn't the PCC part of mangling take place in the prerouting chain instead of the forward one since routing decisions are taken after the prerouting and before the forward?

TheCat12

Typo of the poster, it should be srcnat

TheCat12

A route can still be marked as blackhole by just writing blackhole but for the BGP communities probably addtional filter rules would be needed, something like append or I don't know

TheCat12

A. OK B. and C. The port forwarding and the VPN would be a bit tricky if you don't have public IPs and on top of that there were some issues between Wireguard and mangle I think D. Shouldn't the third PPPoE client be on ether3 judging by the mangle rules? E. The output mark-routing rules were a good...

TheCat12

7) The whole bridge config and VLANs: looks like you've made a duplicate. At one hand you've created VLAN interfaces associated with eth4, at the other hand, you've put eth4 into bridge and set VLANs there as well. Generally, you configure VLANs over the bridge while doing switch-like config, and p...

TheCat12

I personally find them unnecessary because they don't have any relevant function. However, if you need to access resources that are in the subnets of the PPPoE interfaces, you could transform them to something like: add action=accept chain=prerouting dst-address="PPPoE_1_subnet" in-interfa...

TheCat12

It's not impossible but an exported config would be helpful to determine the type of VPN, subnets, etc.:

export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)

TheCat12

Suggest eliding the public key of the Wireguard peer from the config In the LAN interface list, instead of ether4 you should reference the VLAN interfaces because technically they become the L3 interfaces Would you elaborate on the usage of the first three mangle rules? The last three mangle rules ...

TheCat12

You need to disconnect from the internet and implement at least the default firewall ASAP because now you're an open door to the world. After that we can talk about port forwarding (allowing access to internal service through public IP)

TheCat12

Only problem I see is that the bridge is not a tagged member of the VLAN1000

/interface bridge vlan
add bridge="All Ports Bridge" tagged="All Ports Bridge",bond_sfpplus1-sfpplus2 disabled=yes vlan-ids=1000

TheCat12

The first list determines whether there is already an entry for the computer on the other DHCP server so it doesn't get duplicated. If the variable is empty (nil) and the compiter that is trying to connect is the desired one, a DHCP server blocking lease will be added on the other one. Although ther...

TheCat12

You could write the following lease script on the DHCP servers (sorry that it's a little bit lengthy): :local var [/ip dhcp-server lease get [ find server=*second_server* && mac-address=\$leaseActMAC ]] :if (\$lease-hostname = "desired_hostname" && \$var = nil) do={ [/ip dh...

TheCat12

If it's the unacceptable credentials error, you can try this:

viewtopic.php?t=178377

TheCat12

If the default bridge config is the exported one, remove ether1 from the bridge, set the DHCP client on ether1 and add some firewall rules Default ones: /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,re...

TheCat12

add action=dst-nat chain=dstnat dst-address=Public-IP-2 dst-port=500 \ protocol=udp to-addresses=192.168.10.11 to-ports=500 add action=dst-nat chain=dstnat dst-address=Public-IP-2 dst-port=4500 \ protocol=udp to-addresses=192.168.10.11 to-ports=4500 add action=dst-nat chain=dstnat dst-address=Publi...

TheCat12

Could you surround the config with code blocks, pretty please? You select the config and press the </> button. That way it will be more readable

TheCat12

Perhaps also a policy template is advisable alongside the tunnel one you've created which would be added to the identity: /ip ipsec policy group add name=socitrans-policy-group /ip ipsec policy add group=socitrans-policy-group proposal=socitrans-proposal template=yes /ip ipsec identity set policy-te...

TheCat12

Maybe it's the first NAT rule that is src-natting before a packet gets encrypted, after which it cannot be encrypted because the src-address mismatches that of the policy: /ip firewall nat add action=src-nat chain=srcnat out-interface=ether1-WAN-MAIN-DSL-MODEM ipsec-policy=out,none to-addresses=yyy....

TheCat12

Ok, for starters you would have to download ISRG ROOT X1 and R10 and R11 as .pem, add them to the router's files ajd import them /certificate import isrgrootx1.pem import r10.pem import r11.pem After that, you would create an IPsec profile and proposal: /ip ipsec profile add name=TheSafety_VPN /ip i...

TheCat12

I think the "problem" is in the router because it hasn't got a wireless chip

TheCat12

If the VPN provider is the one you've posted, then you're out of luck because IKEv2 with username and password means that they're using an EAP method of authentication, which means that you neeed the whole certificate chain of trust. If you kindly ask them which are their root CA and intermediate ce...

TheCat12

Maybe I'm blind but I don't see anything irregular in the configuration you have provided besides the following thing: /interface bridge add add-dhcp-option82=yes admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=\ "LAN bridge" dhcp-snooping=yes name=bridge1 It's probably best to remove it s...

TheCat12

introduction, there are two devices on the Internet with public IPv4, no NAT and masquerading, no local subnets, A masquerade is always needed to access the internet: /ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN ipsec-policy=out,none And no local subnets sounds impossi...

TheCat12

For the firewall it's easy - you add two rules allowing input from UDP 500 and 4500 and IPsec ESP on the IPsec server. For the policies it depends what subnets you want to route through the tunnel

TheCat12

The aforementioned policies should be added as additional ones to the template. As to why does the Wireguard get affected, I can't really tell

TheCat12

I forgot that you wanted to route all traffic through IKEv2. Luckily, it's a matter of a few small changes on Router B: /ip ipsec policy add action=none src-address=192.168.95.0/24 dst-address=192.168.95.0/24 add action=encrypt level=unique proposal=ikev2 srx-address=192.168.95.0/24 dst-address=0.0....

TheCat12

On Router A:

/ip ipsec policy
add action=encrypt tunnel=yes proposal=ikev2 src-address=10.0.88.0/24 dst-address=192.168.95.0/24

On Router B:

/ip ipsec policy
add action=encrypt tunnel=yes proposal=ikev2 dst-address=10.0.88.0/24 src-address=192.168.95.0/24

TheCat12

It is possible to route traffic without EoIP with the appropriate policies but an exported config is advisable:

export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)

TheCat12

I think the two default routes that are with direct gateways to the ISPs, i.e. the ones without comment, are messing around with the failover. Disable them and try tripping the ISP into switching over again

TheCat12

Looking at the diagram, the following setup would suffice - bridge ether1 with ether4, ether2 with ether5, ether3 with ether6, create an interface list for the bridges and add them to it accordingly and then create the following firewall rule: /ip firewall filter add action=accept chain=forward in-i...

TheCat12

The image of the diagram is a bit broken. Could you repost it somehow? Also, it would be nice to answer @anav's questions whether a fallback scenario (one modem stops functioning) would be needed and whether there'll be incoming VPNs

TheCat12

My suspicions were confirmed: you added on both sides in the allowed-address field a /32 instead of the whole subnet: On Router A: /interface wireguard peers add allowed-address=10.2.200.2/30, 192.168.201.1/32 endpoint-address=\ <code> endpoint-port=59123 interface=wg-fs name=\ fs persistent-keepali...

TheCat12

I think you need a router with more ports or possibly you would have to configure VLANs but would still need an additional switch

TheCat12

Without config there's nothing we can tell...

export file=anynameyouwish (minus sensitive info)

My guess would be that you haven't configured allowed addresses and routes properly but that's just a guess

TheCat12

Since we can't see your configuration through a crystal ball, please post it here:

export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)

TheCat12

That is because of the following rule on the AP: /ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN If you disable it, you should be able to access wireless devices from...

TheCat12

Instead of using the "IPsec secret" option in the GRE menu, you can add a custom identity which would be configured with the custom IPsec configuration

TheCat12

Looking at the config, most probably an ISP problem. Only one tip for the firewall: the fasttrack connection rule is a bit too forward for my liking, better put it somewehere after, for example, the "Accept established, related" one

TheCat12

Before suggesting anything, I would like to have a look at the exported config of the server:

export file=anynameyouwish (minus sensitive info like serial numbers, passwords, public IPs etc.)

TheCat12

Maybe I'll have to see the configurations of at least the two L2TP servers just to check what the situation is:

export file=anynameyouwish (minus sensitive info like public IPs, passwords etc.)

TheCat12

Back to the main point, I'll write down a list of all the possible route combinations for each and every router, so that everything is accessible through anything. The OP will decide what is needed and what not # 192.168.98.0/24 router /ip route add dst-address=192.168.99.0/24 gateway=192.168.100.1 ...

TheCat12

It is possible with the help of staric routes but more details are needed - which router(s) is/are L2TP server(s)? How exactly are all the routers connected with each other? A simple diagram would be best

TheCat12

If no MikroTik solution to your problem pops up, may I suggest printing out a QR code instead of an URL?

TheCat12

The default firewall covers security pretty good, but if you want to strengthen it:

https://help.mikrotik.com/docs/spaces/R ... d+Firewall

TheCat12

You're lucky that the addresses are being routed to you because you can manage them however you desire: For the pfsense firewalls you can add public IPs directly on the ports facing them. For the unraid server you can add a route with dst-address=public IP and gateway=natted subnet as well as add th...

TheCat12

It means that if you set a bridge as the interface, on which the hotspot should be running, no WAN ports should be members of the bridge, only LAN ones

TheCat12

These are the default firewall rules which you should have present in the order in which they are posted, i.e. input rules at the top, after that forward rules whereby these three rules: add action=accept chain=forward comment=FTP dst-port=21 protocol=tcp add action=accept chain=forward dst-port=500...

TheCat12

If this router is not behind a stronger firewall, then my condolences to you (revert to a default firewall filter because your network is as open as a door in a field). Then we will discuss the matter of the VPNs

TheCat12

https://youtu.be/nlb7XAv57tw?si=4tymKSCFltpFtxRV

TheCat12

Looking at the error - wrong username/password or the PPPoE server has a problem

TheCat12

Without seeing the config I can't tell nothing, so:

export file=anynameyouwish (minus sensitive info)

TheCat12

I'd say quite fast: add a L2TP client with "Use IPsec" enabled: https://help.mikrotik.com/docs/display/ROS/L2TP After that, create a routing table, add a default route pointing to the L2TP interface on both main and newly created routing tables and use routing rules to specify which client...

TheCat12

I'd suggest using src- and dst-nat rules in order to translate all addresses to corresponding VPN ones 1:1 : /ip firewall nat add action=dst-nat chain=dstnat dst-address=99.99.99.6 to-addresses=11.11.11.3 add action=src-nat chain=srcnat to-addresses=99.99.99.6 src-address=11.11.11.3 and so on. Maybe...

TheCat12

One way is the aforementioned one, another way is to create a backup file through the Files menu whose content you cannot view, edit, etc. because it's a binary file

TheCat12

We need to have a look at the configuration because that doesn't sound like normal port forwarding behavior

export file=anynameyouwish (minus sensitive info like serial number, public IPs, passwords, etc.)

TheCat12

Looking at the screenshot, you're trying to add the pool to a secret, not to the profile which is, as correctly suggested by most internet resources, located in the PPP –> Profile section

TheCat12

Then I guess that is the problem since the first address of a subnet is mostly reserved for the gateway, i.e. the GPON

TheCat12

/ip address
[...]
add address=192.168.1.1/24 interface=sfp1 network=192.168.1.0

Shouldn't the address be something other than 192.168.1.1? Maybe .2?

TheCat12

It should also be possible with a RADIUS server (or User Manager for that matter): It is also possible to hand out leases for DHCP clients using the RADIUS server; the supported parameters for a RADIUS server are as follows: Access-Request: NAS-Identifier - router identity NAS-IP-Address - IP addres...

TheCat12

First off, your firewall is a mess to say the very least - misordered rules, redundant rules, etc.

Secondly, I suspect you're missing some NAT port forwardings like 80,443,554

TheCat12

https://en.akinator.com/

or

export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)

TheCat12

If you're configuring L2TP over IPsec (which you probably should be) there's an option in the mode configurations named "split-include" but for you to be able to use it you would have to configure the whole IPsec part by yourself instead of just adding IPsec secret under the PPP profile wh...

TheCat12

Probably because the VLAN should also be src-natted:

/ip firewall nat
add action=src-nat chain=srcnat src-address=10.0.100.0/24 to-addresses=188.213.95.249

TheCat12

That is the more fortunate situation because you can do the following: For the server you can add one of the addresses directly on the Ethernet port facing it. For the VLANs and other NATted subnets you could add routes pointing to their gateways with dst-address being a public IP: /ip route add dst...

TheCat12

If that's really the first usable address, it could be that they're routing the /29 block to you and they're using different addresses for the PPPoE link?

TheCat12

Is your ISP the gateway (they have the first usable address of the subnet for their router) or do they route the /29 block to you?

TheCat12

Without an exported config it would be very hard to diagnose the problem: export file=anynameyouwish (minus sensitive info like serial numbers, passwords, etc.) Nevertheless, I'll have a shot in the dark and guess misconfigured NAT masquerading, e.g. the PPPoE interface is not added to the WAN inter...

TheCat12

Does the LTE interface add a default route?

Aside from that, mixing VLAN and non-VLAN traffic on the same interface never leads to anything good. Keep that in mind

TheCat12

Would it not be for the second bit...... ???? /ip route add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.100.1%"ISP1_interface" distance=1 add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.100.1%"ISP2_interface" distance=2 add dst-address=0.0.0.0/0 gateway...

TheCat12

you cant as far as im awear run two isp in to the mikrotik at the same time As a matter of fact you can, but since both ISPs provide addresses from the same address space, the routing part would be a bit tricky. First, the creation of routing tables and mangling which is typical load balancing, sho...

TheCat12

I did this, but I had no luck and how can I grant access only to the printer IP?

May we then have a look at the exported config of the router?

export file=anynameyouwish (minus sensitive info like passwords, etc.)

TheCat12

You still have to answer my question whether both sides of the L2TP tunnel are MikroTik routers because routing will be made on the router with the public IPs

TheCat12

No need for the last two NAT rules, most probably you're missing a route:

/ip route
add dst-address=192.168.18.0/23 gateway=192.168.18.1

TheCat12

You can create address lists and block traffic using only the "forward" chain but you have to enable "Use IP Firewall" and "Use IP Firewall for VLAN" from the bridge settings

TheCat12

The SFP port should be part of the WAN interface list in order for the NAT masquerade rule to work properly:

/interface list member
add interface=sfp1 list=WAN

TheCat12

i want to create a pptp vpn server

Better create a L2TP server here too, because PPTP is deprected.

Aside from that, are both sides of the existing L2TP tunnel MikroTik? What do you mean by "distribute the public IPs to clients"? Maybe you meant PPPoE instead of PPTP?

TheCat12

For such a simple setup VLANs would be a pushover in my opinion. Appropriate firewall rules and assigning the wlan1 interface to a bridge to be used for DHCP so that it doesn't show red should be enough

TheCat12

This would be done with the help of firewall rules, of course: /ip firewall filter add action=accept chain=forward connection-state=established,related,untracked add action=drop chain=forward in-interface=bridge1 out-interface=wlan1 add action=accept chain=forward protocol=tcp dst-port=80,443 in-int...

TheCat12

and when I create IP addresses that collide with the upstream router's default VLAN gateway (10.60.0.1) Why do you create addresses that are the same as the DHCP servers' if I understand your lexicon correctly? Since you're running DHCP, why don't let the servers assign such: /ip dhcp-client add in...

TheCat12

Am I missing a reference in the main table for 192.168.9.9, even though it's brought in by the wireguard interface as being reachable on REMOTE1? Possibly, better add the route to roll it out as a probable cause. It could also be of higher distance if ECMP is not desired and one gateway is to be pr...

TheCat12

I have noticed this train of thought on the forum recently and I don't get it. Why presence of a route to a given destination (or even less logically, of a default route) in the main table should be a mandatory pre-requisite for a route to that destination to work in another table? For the followin...

TheCat12

Could it be that they are missing the default route from the custom routing table in the main one?

TheCat12

There is a small detail from the default firewall I forgot about - the rule "Drop all input not coming from LAN". If you edit it, for example, to also allow your main network as src-address, then you should start accessing the RB5009 from behind the hEX S

TheCat12

To be able to use check-gateway you have to disable add-default-route on the primary WAN DHCP client and add a static route pointing to the its gateway manually: /ip route add check-gateway=ping dst-address=0.0.0.0/0 gateway="Primary_WAN_gateway" If you want your failover to be even more r...

TheCat12

Is the bandwidth symmetrical (equal download and upload)? Should only download be allocated or both?

TheCat12

Source NAT, as the name suggests, applies for packets that originate from the NAT-ted network, i.e. your network, whose source address should be change/translate to one specified in the according rule. That's why src-nat rules will apply only on out-interface - the interface from which packets will ...

TheCat12

If everything should be interconnected, then adding a separate DHCP server per interface would be the solution

TheCat12

@TheCat12, your rules rewrite the connection mark (even twice) when handling each packet, what's the point? The very idea of using connection marks when dealing with QoS is to translate complex match conditions into a connection mark only once, when handling the initial packet of a connection, or m...

TheCat12

Something like this should work: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=!LAN_conn new-connection-mark=Other_conn add action=mark-connection chain=prerouting src-address=*LAN_IP* new-connection-mark=LAN_conn add action=mark-connection chain=prerouting dst-addr...

TheCat12

You're missing a NAT rule on each router to bypass masquerading packets before being encrypted. It should be placed as the first one # Router 1 /ip firewall nat add action=accept chain=srcnat place-before=0 dst-address=192.168.3.0/24 src-address=10.53.2.0/24 # Router 2 /ip firewall nat add action=ac...

TheCat12

That should be quite achievable:

/interface ethernet switch rule
add new-dst-ports=etherx,ethery src-address=x.x.x.x ports=ethera,etherb

TheCat12

Perhaps firewall blocking traffic? If Office A router is also MikroTik, consider exporting its config and posting it here

TheCat12

I can configure VLAN in three places: 1. In the Interface configuration (vlan-mode and vlan-id): [admin@hAP-bedroom] > /interface/wireless/print Flags: X - disabled; R - running 0 R name="telekom-guest" mtu=1500 l2mtu=1600 mac-address=DE:2C:6E:25:88:49 arp=enabled interface-type=virtual m...

TheCat12

Apparently I read your OP too diagonally and didn't see the obvious problems - the bridges. For VLAN to work properly, you need one bridge with all of the ports on which traffic will be tagged/untagged. Also, the VLAN interfaces shouldn't be members of the bridge(s). That's why before we continue, t...

TheCat12

That I'll contribute to address space overlapping - a very broad route which could apply to the remote subnet and to the L2TP one. If you change one of them and add appropriate static routes or use a more specific route (e.g. 192.168.100.0/24 instead of 192.168.0.0/16), it should start working as ex...

TheCat12

Wait a minute, have you added a route pointing to the L2TP subnet on Office A router?

TheCat12

Would you export your config and post it here because it seems that my local fortune teller is on vacation:

export file=anynameyouwish (minus sensitive info)

TheCat12

This part of suggested configuration did not worked: /interface bridge vlan add bridge=bridge tagged=bridge,ether1,wlan1 vlan-ids=10 add bridge=bridge tagged=ether1,wlan3 vlan-ids=20 What is the point behind adding WLAN* interface as tagged? If I understand well, tagging interface means that the in...

TheCat12

Precisely. Only the 88E6393X is capable of mirroring to multiple ports:

https://help.mikrotik.com/docs/display/ ... tMirroring

TheCat12

Since no problems are visible, the full configuration of both routers would be needed: export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.) Also, would you elaborate on the following quote from your original post: I have a problem with site to site IKEV/IPSEC vpn that I...

TheCat12

If the real source addresses of those who access Office A aren't of importance, add a masquerade rule for all traffic leaving out of the SSTP tunnel. Otherwise, you might want to look into policy based routing and mangling

Search found 553 matches