Community discussions

Search found 287 matches

by vingjfg
Tue Apr 23, 2024 2:39 pm
Forum: General
Topic: Fasttrack, Wifi and VLAN
Replies: 0
Views: 86

Fasttrack, Wifi and VLAN

Recently, I played with the tls-host fields in the rules. I noticed that the connections were half-fasttracked - meaning only one of the counters is increasing. My setup is like this: boubou.drawio.png The wired connections are untagged, the wifi between the routers is tagged and defined as AP-BRIDG...
by vingjfg
Tue Apr 23, 2024 2:20 pm
Forum: Beginner Basics
Topic: Cannot access Apache server from the internet, only get as far as the routeros www server.
Replies: 8
Views: 404

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Yo So, this rule - /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=80 \ in-interface=bridge-local protocol=tcp src-address=192.168.1.253 \ to-addresses=192.168.1.2 to-ports=80 It reads "When a packet comes from 192.168.1.253 to original IP address 192.168.1.2 o...
by vingjfg
Mon Apr 22, 2024 8:48 pm
Forum: Beginner Basics
Topic: Cannot access Apache server from the internet, only get as far as the routeros www server.
Replies: 8
Views: 404

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

Yes, I could, but I'm not fully sure what you mean by config and probably how to get it. Could you say how, please, pref via WinBox. Thanks In Winbox, click on the button "New Terminal". There, type the command /export file=myExportedConfig In the files section, you will have a new file c...
by vingjfg
Sun Apr 21, 2024 6:12 pm
Forum: Wireless Networking
Topic: Homepod Mini can't setup
Replies: 23
Views: 979

Re: Homepod Mini can't setup

Any chance you can capture some traffic?
by vingjfg
Sun Apr 21, 2024 12:01 pm
Forum: Wireless Networking
Topic: Homepod Mini can't setup
Replies: 23
Views: 979

Re: Homepod Mini can't setup

Good! The reason I asked is Mikrotik is notable for not repeating mDNS across subnets.

So, both the homepod and iPhone are connected to Wifi and both get an IP in the same subnet, correct?
by vingjfg
Sun Apr 21, 2024 10:16 am
Forum: Wireless Networking
Topic: Homepod Mini can't setup
Replies: 23
Views: 979

Re: Homepod Mini can't setup

OK. Are the Homepod and the iPhone on the same L2 network?
by vingjfg
Sun Apr 21, 2024 9:45 am
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 26
Views: 2177

Re: Help on applying advanced firewall rules

As pfturner said, you need to accept NDP advertisements on the WAN interface. Try adding the following and move them above the final deny /ipv6/firewall/raw add chain=icmp6 action=accept in-interface-list=WAN icmp-options=134:0-255 limit=5,10:packet log=no log-prefix="" \ protocol=icmpv6 h...
by vingjfg
Sun Apr 21, 2024 9:28 am
Forum: Wireless Networking
Topic: Homepod Mini can't setup
Replies: 23
Views: 979

Re: Homepod Mini can't setup

If I read this correctly, you are not setting the band 2ghz-n to your configuration. Try
/interface/wifi/configuration
set [where name=hidden_2G] channel="2G N"
//JF
by vingjfg
Fri Apr 19, 2024 6:02 pm
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 26
Views: 2177

Re: Help on applying advanced firewall rules

OK! I was uncertain as you posted the ip firewall raw for IPv4 and information for IPv6 - but mentioned the issues related to connectivity so I went with IPv4. I saw a few things in the info you sent, namely that you use the interface-list name "VLAN" and not "LAN", keep in mind ...
by vingjfg
Fri Apr 19, 2024 11:33 am
Forum: Beginner Basics
Topic: Dhcp server static_only
Replies: 7
Views: 481

Re: Dhcp server static_only

So it is getting the right IP from the reservation in DHCP, so all good. If you set the IP on the server to static, DHCP will never see any request from the server and will thus never say that it is assigned: it will stay as "waiting" in the DHCP server. If you set the server to get the IP...
by vingjfg
Fri Apr 19, 2024 10:24 am
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 26
Views: 2177

Re: Help on applying advanced firewall rules

Hi there!

Then I am confused - you said you had issues when you added the ip firewall raw rules - do you mean you have issues when you do the same with the ipv6 firewall raw rules?
by vingjfg
Thu Apr 18, 2024 9:06 pm
Forum: Beginner Basics
Topic: Dhcp server static_only
Replies: 7
Views: 481

Re: Dhcp server static_only

Your /ip/dhcp-server/export is missing a few items. And you didn't send the output of ip link on the Debian box.

Regarding finding what IP a MAC is assigned (or tries to get), you can look in the logs
/log/print where topics~".*dhcp.*"
by vingjfg
Thu Apr 18, 2024 8:52 pm
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 26
Views: 2177

Re: Help on applying advanced firewall rules

Well, it seems you sent me the ipv6 bits and not the ip(v4) ones - can you send again the ipv4 addresses and address-list?
by vingjfg
Thu Apr 18, 2024 9:08 am
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 26
Views: 2177

Re: Help on applying advanced firewall rules

Hi there!

Can you post the output of the following commands?
/ip/address/print
/ip/firewall/address-list/print
/interface/list/member/print
Also, when posting commands or outputs, consider using the code tag (the button is </> above). This presents the information in a nicer format.
by vingjfg
Thu Apr 18, 2024 8:06 am
Forum: Wireless Networking
Topic: Homepod Mini can't setup
Replies: 23
Views: 979

Re: Homepod Mini can't setup

Hi there.

I'd start by checking what wifi settings are negotiated between the pod and the fritzbox, and see whether that's available or configured on the cap/ax3.
by vingjfg
Thu Apr 18, 2024 7:48 am
Forum: Beginner Basics
Topic: Blank ARP failure (not displaying information) RouterOS 7 version
Replies: 5
Views: 493

Re: Blank ARP failure (not displaying information) RouterOS 7 version

Hi there.

Can you provide an expunged/sanitized config?

When you have the blank ARP table, is all L3 connectivity lost? Or does everything work as usual?
by vingjfg
Wed Apr 17, 2024 4:51 pm
Forum: General
Topic: Mutliple IP on same interface
Replies: 5
Views: 328

Re: Mutliple IP on same interface

The following command should give you the information as local-address /ip/route/print detail where dst-address=192.168.1.0/24 Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H...
by vingjfg
Wed Apr 17, 2024 12:07 pm
Forum: Beginner Basics
Topic: Dhcp server static_only
Replies: 7
Views: 481

Re: Dhcp server static_only

Hi!

Can you post the output of the following command?
/ip/dhcp-server/export
Also, consider running "ip link" on your Debian server, so I have the MAC address.
by vingjfg
Wed Apr 17, 2024 11:54 am
Forum: Beginner Basics
Topic: Hide upstream DNS name server from clients [SOLVED]
Replies: 8
Views: 383

Re: Hide upstream DNS name server from clients [SOLVED]

Nope, I only see the local DNS resolver and not its upstream. resolver #1 nameserver[0] : 192.168.2.1 if_index : 4 (en0) flags : Request A records reach : 0x00020002 (Reachable,Directly Reachable Address) Can you check on your Mac in the network settings, advanced settings, whether 1.1.1.1 was added...
by vingjfg
Wed Apr 17, 2024 11:41 am
Forum: Beginner Basics
Topic: Hide upstream DNS name server from clients [SOLVED]
Replies: 8
Views: 383

Re: Hide upstream DNS name server from clients [SOLVED]

Interesting. Let me fire up my old mac to see what scutil says.
by vingjfg
Wed Apr 17, 2024 11:16 am
Forum: Beginner Basics
Topic: Hide upstream DNS name server from clients [SOLVED]
Replies: 8
Views: 383

Re: Hide upstream DNS name server from clients [SOLVED]

Can you check that this DNS is not configured as an option in your DHCP?
> /ip/dhcp-server/network/export
...
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
by vingjfg
Wed Apr 17, 2024 11:13 am
Forum: General
Topic: Log entry warning "interface, warning <interface> excessive or late collission, link duplex mismatch?
Replies: 9
Views: 565

Re: Log entry warning "interface, warning <interface> excessive or late collission, link duplex mismatch?

Deadpete, You can restrict the advertised speeds on the link. For example to restrict ether1 to 100M/full or 1G/full, you may use the following. /interface/ethernet/set [find default-name=ether1] advertise=100M-baseT-full,1G-baseT-full This could be an alternative to forcing speed/duplex, as this wi...
by vingjfg
Wed Apr 17, 2024 10:50 am
Forum: General
Topic: Can't have OSPF over IPSEC/GRE
Replies: 4
Views: 511

Re: Can't have OSPF over IPSEC/GRE

If you're willing to give a second shot, here is my lab setup. Mikrotik: external 10.0.0.2, loopback 10.255.255.1/32, tunnel 10.255.254.1/30 Cisco: external 10.0.1.2, loopback 10.255.255.2/32, tunnel 10.255.254.2/30 Mikrotik configuration (relevant bits) /ip ipsec profile set [ find default=yes ] dh...
by vingjfg
Tue Apr 16, 2024 10:42 am
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

So the Pi may be a special case. Let's focus on the USB Server then. Currently, only destination NAT is defined - can you look what happens when you try to connect to it from a computer (not the Pi) on your WIFI: torch or packet capture on R1 and R2 - R1 should see 10.30.30.3 and 192.168.100.xx, R2 ...
by vingjfg
Tue Apr 16, 2024 9:29 am
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

OK. On the pi, can you send me the output of the following? ip neigh ip route ip link sudo ufw status In R1, when 192.168.88.254 (pi) accesses the Internet, do you see the connections from 192.168.88.254? Or from 10.30.30.2? From 192.168.88.253, there is no srcnat yet so you must see the original IP...
by vingjfg
Tue Apr 16, 2024 8:19 am
Forum: General
Topic: Limiting SMTP Port 25 on my Network
Replies: 1
Views: 234

Re: Limiting SMTP Port 25 on my Network

Hi there Can you send the command you created? /ip/firewall/raw/export /ip/firewall/address-list/export Regarding limiting the number of email per hour per IP, not that I know of in the default configuration. The Mikrotik has a pretty basic firewall and in no case something that does DPI/L7 inspecti...
by vingjfg
Tue Apr 16, 2024 8:16 am
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

Almost there. Bridge bridge : interface sfp1 is part of the bridge while being used as a L3 interface later. Can lead to issues, especially since bridge and sfp1 are in different interface lists. Firewall chain forward : your natted traffic will go through the default rule and will not show in the st...
by vingjfg
Mon Apr 15, 2024 5:21 pm
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

Both the host route and the proxy-arp are needed if you don't add a secondary IP to the interface. Adding a secondary IP is not my preferred solution but that's one that works.

Can you send a fresh export of the configuration on R2? There were a few changes and I lost track of which.
by vingjfg
Mon Apr 15, 2024 4:59 pm
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

Not needed, but check whether the Pi has a firewall set locally.
by vingjfg
Mon Apr 15, 2024 2:59 pm
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

By the looks of it, this is from R2. Do you have an ARP entry on R1 for 10.30.30.2?
by vingjfg
Mon Apr 15, 2024 2:51 pm
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

Then on R2 you need to set the interface sfp for proxy-arp. You still need the route for 10.30.30.2/32 to 192.168.88.254.

Adapt the following line of code.
/interface/ethernet/set [find name=sfp1] arp=proxy-arp
Note that sfp1 is still present in the bridge, while being used as a L3 interface.
by vingjfg
Mon Apr 15, 2024 1:12 pm
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

But do you have an ARP entry for 10.30.30.2 on R1?
by vingjfg
Mon Apr 15, 2024 12:48 pm
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

No ARP entry.

On R2:
/ip/route/add dst-address=10.30.30.2/32 gateway=192.168.88.254
And try again
by vingjfg
Mon Apr 15, 2024 12:32 pm
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

On R1.
/ip/arp/print
Do you have an entry for 10.30.30.2?

(If you posted it in the screenshot, can't see it, resolution is too low.)
by vingjfg
Mon Apr 15, 2024 7:39 am
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

Sure thing.

If you look in r1, do you see an arp entry for 10.30.30.2?

If not, you need a host route in r2 for 10.30.30.2 that points to your pi. You may have to set proxy arp on the external interface as well, can't remember whether it's needed.

If you need the commands, let me know.
by vingjfg
Sun Apr 14, 2024 8:55 pm
Forum: General
Topic: 1:1 NAT configuration
Replies: 28
Views: 1229

Re: 1:1 NAT configuration

Can you share the config for R1?

Also, you use action netmap instead of srcnat/dstnat. Be sure to understand how netmap works as it has some subtleties.
by vingjfg
Sun Apr 14, 2024 1:40 pm
Forum: Beginner Basics
Topic: Firewall NAT for DNS traffic not working [SOLVED]
Replies: 3
Views: 426

Re: Firewall NAT for DNS traffic not working [SOLVED]

Given that the server and the clients are on the same network, the initial packet goes through the router and is dst-natted to 10.0.0.10, but the response goes directly from the server 10.0.0.10 to the client, which expected a reply from 10.0.0.1. The client drops that datagram. If you *really* want...
by vingjfg
Sat Apr 13, 2024 9:00 pm
Forum: General
Topic: ROS7 forwarding drop packets
Replies: 2
Views: 694

Re: ROS7 forwarding drop packets

Seems like an MTU issue, see viewtopic.php?t=155014
by vingjfg
Fri Apr 12, 2024 8:35 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1007

Re: forwarding incoming UPD traffic addressed to the router itself

Last one for today. If that doesn't work, I will make a lab tomorrow: can you give the 10.0.40.10 ip to your pc and check again?
by vingjfg
Fri Apr 12, 2024 7:27 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1007

Re: forwarding incoming UPD traffic addressed to the router itself

That's uncanny. Can you post the whole config (remove the private bits)?
by vingjfg
Fri Apr 12, 2024 6:51 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1007

Re: forwarding incoming UPD traffic addressed to the router itself

Well, paint me green and call me a pickle ... Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU # TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE CPU 0 6.192 wifi8 192.168.2.6:35454 192.168.2.1:1234 udp 42 3 1 6.192 bridge 192.168.2.6:35454 192.168.2.1:1234 udp 46 3 ...
by vingjfg
Fri Apr 12, 2024 6:44 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1007

Re: forwarding incoming UPD traffic addressed to the router itself

What might play is if the ethernet interface on the router (the one with IP 10.0.40.254) is itself down because of link-down. Can you connect something to it, like a mini-switch or anything that will make the link go up?

For the non-existent host, my gut feeling is no, but I am about to do a test.
by vingjfg
Fri Apr 12, 2024 5:42 pm
Forum: Beginner Basics
Topic: Very slow internet speed
Replies: 10
Views: 661

Re: Very slow internet speed

Nope, you are right - my mistake.

You should upgrade to 7 first, then install the qcom driver.
by vingjfg
Fri Apr 12, 2024 5:39 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1007

Re: forwarding incoming UPD traffic addressed to the router itself

That is ... weird. I created a test rule - Flags: X - disabled, I - invalid; D - dynamic 0 X ;;; defconf: masquerade chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 1 ;;; Test chain=dstnat action=dst-nat to-addresses=172.29.0.1 protocol=udp src-address=192.168.2.0/24 dst-...
by vingjfg
Fri Apr 12, 2024 5:23 pm
Forum: Beginner Basics
Topic: Very slow internet speed
Replies: 10
Views: 661

Re: Very slow internet speed

From the configuration you sent, you have RouterOS 6.49.14. Try:

https://cdn.mikrotik.com/routeros/6.49. ... .49.14.zip
by vingjfg
Fri Apr 12, 2024 3:46 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1007

Re: forwarding incoming UPD traffic addressed to the router itself

That is correct - the to-address will not affect the matching of the rule. If the counters are not incrementing, it means something is getting in the way earlier than the rule. To confirm, because you had an input rule that said 3260 and not 1234: The source address is 10.0.10.10 The destination add...
by vingjfg
Fri Apr 12, 2024 3:14 pm
Forum: Beginner Basics
Topic: Very slow internet speed
Replies: 10
Views: 661

Re: Very slow internet speed

Hello there! Can you share the configuration of one of your wAP AC devices? Do not forget to put the configuration between code tags (see: viewtopic.php?p=1051702&hilit=forum#p1051702 for more info).
by vingjfg
Fri Apr 12, 2024 2:24 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1007

Re: forwarding incoming UPD traffic addressed to the router itself

Ha HA! You wrote initially: ... The machine IP address is 10.0.10.10 The machine does not have a gateway. The router IP address on that interface is 10.0.10.1, which is also the destination IP address of the UDP packages. The destination port is 1234 I can see the incoming traffic using the /tool/to...
by vingjfg
Fri Apr 12, 2024 2:08 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1007

Re: forwarding incoming UPD traffic addressed to the router itself

Note that you can print all the rules for a given chain by using where=<chain to display> in your print statement. For example all the rules in the input chain: /ip/firewall/filter/print where chain=input The dst-nat arrives before the firewall - so as you change the destination for a non-local addr...
by vingjfg
Fri Apr 12, 2024 12:05 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1007

Re: forwarding incoming UPD traffic addressed to the router itself

Hi there! The nat rule you sent seems correct. What I cannot say is whether it is high enough to avoid the traffic being matched by another rule. Can you edit it to add the src-address so it looks like the following line, and move it above whatever other dstnat you may have in place. Also, consider ...
by vingjfg
Fri Apr 12, 2024 11:35 am
Forum: General
Topic: dst-address-list negation do not work in firewall rule
Replies: 3
Views: 374

Re: dst-address-list negation do not work in firewall rule

That should be the way. Just to be sure, the address-list exists, correct?

Can you provide the error message? And the version of ROS?
by vingjfg
Fri Apr 12, 2024 11:20 am
Forum: Beginner Basics
Topic: Can't ping with firewall (nat)
Replies: 9
Views: 533

Re: Can't ping with firewall (nat)

As mkx said, you didn't really fix it, you simply changed it to something that happens to work most of the time. In the second packet capture you joined, you see something that will put you on the path: your PC sends ARP requests for 10.10.5.50 but gets no answer. Here is a discussion that should giv...
by vingjfg
Fri Apr 12, 2024 11:09 am
Forum: General
Topic: LLDP broken?
Replies: 6
Views: 607

Re: LLDP broken?

Fixed in Observium. Thanks for your support.
Glad to hear it! Please mark this as solved if you get a chance.
by vingjfg
Thu Apr 11, 2024 11:37 am
Forum: Beginner Basics
Topic: Can't ping with firewall (nat)
Replies: 9
Views: 533

Re: Can't ping with firewall (nat)

IP address config from your Mikrotik router.

PCAP is a packet capture. You said you took one.

I am interested in seeing the icmp and arp packets.
by vingjfg
Thu Apr 11, 2024 7:11 am
Forum: Beginner Basics
Topic: Can't ping with firewall (nat)
Replies: 9
Views: 533

Re: Can't ping with firewall (nat)

Can you share the ip address config?

Also, can you share a pcap?
by vingjfg
Wed Apr 10, 2024 8:45 pm
Forum: Beginner Basics
Topic: IP not present in lease table on RouterboardOS
Replies: 3
Views: 323

Re: IP not present in lease table on RouterboardOS

The MAC 00:00:00:00:00:00 indicates a conflict: likely the Mikrotik attempted to hand out the IP 192.168.80.222, but its check determined that IP is already on the network, so Mikrotik blocks it in the pool. As Holvoetn says, it could be a static IP on the Ruckus. Other possibilities I can see: The ...
by vingjfg
Wed Apr 10, 2024 5:12 pm
Forum: General
Topic: LLDP broken?
Replies: 6
Views: 607

Re: LLDP broken?

I tried a snmpwalk with the top of the LLDP OID tree and I get the info.
snmpwalk [...] -m MIKROTIK-MIB -m LLDP-MIB 192.168.2.1 1.0.8802.1.1.2
If you haven't, can you download the Mikrotik MIB and add it to your tool?

https://mikrotik.com/download
by vingjfg
Tue Apr 09, 2024 9:47 pm
Forum: General
Topic: VPN LAN to LAN Help
Replies: 1
Views: 227

Re: VPN LAN to LAN Help

Wow, you didn't make it easy for yourself! The issue I see is that the packet goes in the VPN from the central site to the remote site, is put on the local network, arrives at the windows server .., which tries to reply to 192.168.1.0/24 on the local network. In order for this to work, you will have to p...
by vingjfg
Tue Apr 09, 2024 9:36 pm
Forum: General
Topic: LLDP broken?
Replies: 6
Views: 607

Re: LLDP broken?

Hi there, There is a support portal: Support portal. Regarding lldp and the sending interface, that should be the property interface-name . [admin@********] > /ip/neighbor/print detail 0 interface=wifi3,bridge mac-address=XX:XX:XX:XX:XX:XX identity="*****" platform="" version=&qu...
by vingjfg
Sun Feb 11, 2024 10:19 am
Forum: General
Topic: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunnel?
Replies: 9
Views: 855

Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne

No worries. Regarding your NAT rule, taking one at random: /ip firewall nat ... add action=accept chain=srcnat comment=ISW_Endpoints dst-address=\ 172.x.x.11 log=yes log-prefix=ISW src-address=105.x.x.19 ... This means "For connections coming from a.b.c.19 and going to 172.x.x.11, do not change...
by vingjfg
Sun Feb 11, 2024 9:39 am
Forum: General
Topic: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]
Replies: 15
Views: 992

Re: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]

It looks like the two certificates from letsencrypt actually have different key size: Screenshot from 2024-02-10 21-13-28.png 2048 (MT) vs 4096 (pfsense) I don't know - in the logs with the failure, the certificate status is found as "good", which would indicate that the certificate is ac...
by vingjfg
Sat Feb 10, 2024 8:32 pm
Forum: General
Topic: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]
Replies: 15
Views: 992

Re: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]

My mistake, I missed the sha256 in the config. Your pfsense has pfs in phase 1, the MT config says none. Can you try setting one?

Nope, nothing obvious I see.
by vingjfg
Sat Feb 10, 2024 7:35 pm
Forum: General
Topic: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]
Replies: 15
Views: 992

Re: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]

If I read this correctly, your ikev2 p1 has only sha1 defined. Can you add sha256?
by vingjfg
Sat Feb 10, 2024 4:47 pm
Forum: General
Topic: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunnel?
Replies: 9
Views: 855

Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne

For the formatting, please enclose the configuration or config statements between code tags. Looking at your config ... there are severe issues, for example you have the WAN and ISW interfaces parts of the same bridge, while ISW and LAN are part of the same interface group. This begs the question of...
by vingjfg
Sat Feb 10, 2024 1:48 pm
Forum: General
Topic: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]
Replies: 15
Views: 992

Re: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]

Can you check the IKE p1 proposal on the MT? From the last excerpt, it works with SHA-2 384.
by vingjfg
Sat Feb 10, 2024 10:52 am
Forum: General
Topic: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunnel?
Replies: 9
Views: 855

Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne

Sure, add the /32 to the tunnel domain on both sides and a nat rule on the server side.

Send the anonymized configs if you want.
by vingjfg
Sat Feb 10, 2024 9:46 am
Forum: General
Topic: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunnel?
Replies: 9
Views: 855

Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne

Could you post a diagram with this?

X.x.x.19 - you wrote "... assigned to a dedicated private server ..." Do you mean it has a private ip and nat? Or directly the public ip?
by vingjfg
Wed Feb 07, 2024 1:16 pm
Forum: General
Topic: Ways to change NAS-Identifier in RADIUS requests?
Replies: 8
Views: 655

Re: Ways to change NAS-Identifier in RADIUS requests?

Would changing the Radius server be possible?
by vingjfg
Wed Feb 07, 2024 12:23 pm
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 748

Re: Bonding disconnect every 1 min

This is a bit of a feature that is becoming a bug: "protocol-mode=none" not only disables spanning-tree but results in all L2 multicast frames being forwarded to all ports as well. As a result, the switch was forwarding the LACPDU from one ethernet port to another, resulting in the Cisco s...
by vingjfg
Tue Feb 06, 2024 9:54 am
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1925

Re: Bridge filter rules not working

Hmm... a summary read of your logs shows only broadcasts and multicasts.
by vingjfg
Tue Feb 06, 2024 7:29 am
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 748

Re: Bonding disconnect every 1 min

For the bridge, could you change the "protocol-mode" to "rstp" and see if it changes something?
by vingjfg
Mon Feb 05, 2024 9:06 pm
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 748

Re: Bonding disconnect every 1 min

No worries.

Can you send the output of the following commands?
/interface/bonding/print
/interface/bridge/port print
/interface/bridge/print detail
by vingjfg
Mon Feb 05, 2024 9:02 pm
Forum: Beginner Basics
Topic: Apache on public IP ( Forwarding )
Replies: 9
Views: 589

Re: Apache on public IP ( Forwarding )

As @mesquite and @mkx said plus:

Let's check from the server out.

On the server, can you get the output of the following?
ip addr
ip route list
by vingjfg
Mon Feb 05, 2024 12:32 pm
Forum: Beginner Basics
Topic: Apache on public IP ( Forwarding )
Replies: 9
Views: 589

Re: Apache on public IP ( Forwarding )

Thanks for posting here. Note that you haven't posted all I asked. Regarding your test, I suspect you are trying from the same network as your server is on. This cannot work as is, as this needs hairpin NAT. For all to work correctly, your NAT rule should look like this. Replace <PUBLIC IP> with you...
by vingjfg
Mon Feb 05, 2024 11:32 am
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 748

Re: Bonding disconnect every 1 min

If I understand you correctly: if you pick two ports that don't include gi7 on the Cisco it works fine?
by vingjfg
Sun Feb 04, 2024 10:03 am
Forum: Beginner Basics
Topic: Apache on public IP ( Forwarding )
Replies: 9
Views: 589

Re: Apache on public IP ( Forwarding )

First, please post the images here instead of on an external site. The rule states an inbound interface whose name is "all wire..." - is that your internal (LAN) or external (WAN) interface? Given that the masquerade rule has an outgoing interface of "pppoe-...", I suspect the in...
by vingjfg
Sun Feb 04, 2024 9:31 am
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 748

Re: Bonding disconnect every 1 min

Hi there! As far as I know and unless you changed the defaults, the LACPDUs are sent every 30s, so that could be something else. However! What LACP mode did you set on the Cisco side? Did you enforce the same load-balancing algo on both ends? Still on the Cisco side, can you look at the interface co...
by vingjfg
Fri Feb 02, 2024 7:50 am
Forum: General
Topic: VLANs Not Talking
Replies: 9
Views: 621

Re: VLANs Not Talking

Glad to hear you figured it out! Regarding spanning tree prio, your itnetwrk-core01 looks like a good candidate for getting prio 0.
by vingjfg
Thu Feb 01, 2024 2:20 pm
Forum: Beginner Basics
Topic: VLAN tagged/untagged on same router
Replies: 6
Views: 618

Re: VLAN tagged/untagged on same router

Ok, so supposing your bridge is called "bridge" and: ether0: tagged port on vlan 10 ether1: tagged port on vlan 20 ether2: untagged port on vlan 10 ether3: untagged port on vlan 20 ether4: trunk port with vlan 10,20 The following should be close to what is needed. /interface bridge set [br...
by vingjfg
Thu Feb 01, 2024 1:59 pm
Forum: Beginner Basics
Topic: VLAN tagged/untagged on same router
Replies: 6
Views: 618

Re: VLAN tagged/untagged on same router

Can you send the output of
/interface bridge export
by vingjfg
Thu Feb 01, 2024 1:56 pm
Forum: General
Topic: VLANs Not Talking
Replies: 9
Views: 621

Re: VLANs Not Talking

Here are a few corrections. WARNING WARNING WARNING Potential for cutting yourself out of the network. Consider taking one of the interfaces out of the bridges and assigning it an IP directly should you need to rescue the device without too much trouble. WARNING WARNING WARNING # Mikrotik side # Fix...
by vingjfg
Thu Feb 01, 2024 12:37 pm
Forum: General
Topic: VLANs Not Talking
Replies: 9
Views: 621

Re: VLANs Not Talking

A few things - Bridge vlan-bridge is not set for vlan-filtering but you are using 802.1q (vlan) subinterfaces on it Bridge br0 , vlan 25, you are using service-tags. Any reason? The Cisco config you sent has the wrong name (CISCO-SW04) and not what should be ITNETWRK-SW-02. The IP is correct but is ...
by vingjfg
Thu Feb 01, 2024 12:10 pm
Forum: Beginner Basics
Topic: Mikrotik with Pfsense firewall [SOLVED]
Replies: 9
Views: 1621

Re: Mikrotik with Pfsense firewall [SOLVED]

Now we are getting somewhere. Add this to your running Mikrotik. This will permit access from the internet to your server on TCP/8080. Of course replace <your public IP> with the actual IP address. /ip/firewall/nat add chain=dstnat in-interface-list=WAN action=dst-nat to-addresses=192.168.70.1 dst-p...
by vingjfg
Wed Jan 31, 2024 9:24 pm
Forum: Beginner Basics
Topic: Find Mc Address modem bridge
Replies: 1
Views: 296

Re: Find Mc Address modem bridge

It depends. If that's a pure modem, i.e. your Mikrotik is getting a public IP, you may have some chance sniffing the traffic and finding some RFC1918 (aka "private") IP addresses that may be the modem management interface. If the Voo device is also a wifi router and things, then you may ha...
by vingjfg
Wed Jan 31, 2024 9:15 pm
Forum: Beginner Basics
Topic: Mikrotik with Pfsense firewall [SOLVED]
Replies: 9
Views: 1621

Re: Mikrotik with Pfsense firewall [SOLVED]

So we ironed out the 70.54/70.254 one - one to go.

Yes for the password. Do that as soon as you can.

Can you send me the NAT rules from the PFSense?
by vingjfg
Wed Jan 31, 2024 11:46 am
Forum: Beginner Basics
Topic: Mikrotik with Pfsense firewall [SOLVED]
Replies: 9
Views: 1621

Re: Mikrotik with Pfsense firewall [SOLVED]

I redrew the schematic with the information you gave. Let me know if that matches. The switch has been removed as it is L2 and won't change a thing (for now). mt-pfsense.drawio.png Note that you wrote the default gateway on the PFSense is 192.168.70.254 and that the MT has 192.168.70.54. So you alre...
by vingjfg
Tue Jan 30, 2024 2:21 pm
Forum: Wireless Networking
Topic: Hotpspot Connected But No Internet
Replies: 4
Views: 466

Re: Hotpspot Connected But No Internet

The point is that having two bridges is not needed and creates unneeded complexity. However that is not the problem. At least not the main one. Or ones. One of the problems is ... that you have twice the same IP on different interfaces. /ip address add address=192.168.88.1/24 comment=defconf interfa...
by vingjfg
Tue Jan 30, 2024 1:57 pm
Forum: Wireless Networking
Topic: Hotpspot Connected But No Internet
Replies: 4
Views: 466

Re: Hotpspot Connected But No Internet

You have two bridges, could you rework the configuration to have a single bridge with vlan-filtering and VLANs to separate the hotspot?
by vingjfg
Tue Jan 30, 2024 12:49 pm
Forum: Wireless Networking
Topic: access-list + radius not working.
Replies: 10
Views: 857

Re: access-list + radius not working.

I am reading the page on interface/wireless, specifically the section on Radius MAC authentication RADIUS MAC authentication Note: RADIUS MAC authentication is used by access point for clients that are not found in the access-list, similarly to the default-authentication property of the wireless int...
by vingjfg
Tue Jan 30, 2024 11:49 am
Forum: Wireless Networking
Topic: access-list + radius not working.
Replies: 10
Views: 857

Re: access-list + radius not working.

Can you modify your ACL to the following? This means that the clients with signal -65..0 are accepted but when the signal dips under -65, they are disconnected. /interface wireless access-list add signal-range=-65..0 add authentication=no forwarding=no signal-range=-120..-66 The way your ACL was wri...
by vingjfg
Tue Jan 30, 2024 11:13 am
Forum: Wireless Networking
Topic: access-list + radius not working.
Replies: 10
Views: 857

Re: access-list + radius not working.

That's ... not a lot.

Is your ACL set to reject the clients with signal in the range -85..-120?

I created one (using wifi, not wireless) - here is what it looks like.
/interface wifi access-list
add action=reject disabled=no signal-range=-85..120
The second "add", is it an ACL?
by vingjfg
Tue Jan 30, 2024 10:58 am
Forum: Wireless Networking
Topic: access-list + radius not working.
Replies: 10
Views: 857

Re: access-list + radius not working.

Can you post your ACL configuration?
by vingjfg
Mon Jan 29, 2024 10:13 pm
Forum: General
Topic: To xSTP...or not [SOLVED]
Replies: 4
Views: 677

Re: To xSTP...or not [SOLVED]

The short answer is "unless you really have something against it, it costs nothing to enable it." I would make the case that in a Mikrotik environment, it is actually better to have something rather than "none": during a recent troubleshooting (LLDP), someone pointed that protoco...
by vingjfg
Mon Jan 29, 2024 9:12 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

That's interesting. Adding a private key is one of the tests I did and I did not lose the password access to the Linux machine. It could be that I did not log off from my session when I added the key. Could be. I will try when I get my test equipment. That aside, glad you made it work. And yeah, it ...
by vingjfg
Mon Jan 29, 2024 11:53 am
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 706

Re: currently-untagged contradicts untagged [SOLVED]

Can you post the output of the following command?
/interface/bridge/port/print where interface=ether3-green
by vingjfg
Mon Jan 29, 2024 9:08 am
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 965

Re: OpenVPN DCO problem with ROS v7.13.1

Well, I was using AES 256 CBC SHA1 for a long time with no issues on mikrotik routers, including this device. But, considering the deprecated CBC cipher in OpenVPN Community and much much faster connection time using AES GCM, with ROS v7 I can use this cipher. As I already mentioned, I don't have prob...
by vingjfg
Sun Jan 28, 2024 11:46 am
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 965

Re: OpenVPN DCO problem with ROS v7.13.1

Before diving into the guts of the openvpn server, I want to make sure that there is no network issue. From the page you sent, the RB850Gx2 platform supports AES in CBC mode, at least for the devices whose SN starts with 5 or 7. It may be worth giving it a try and see whether that solves the issue -...
by vingjfg
Sun Jan 28, 2024 9:34 am
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 965

Re: OpenVPN DCO problem with ROS v7.13.1

Regarding your input rules, can you send the full set? There is some reorganization possible that may help with the issue. With the rules related to the interface WAN you sent, I would reorder in the following way. Note that without having the full input chain, I may just be duplicating existing ent...
by vingjfg
Sat Jan 27, 2024 11:03 pm
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 965

Re: OpenVPN DCO problem with ROS v7.13.1

Because anyone sending udp datagrams with source port 53 or 123 can reach any udp port on your device.

Nat rule is ok. I will have a closer look tomorrow.
by vingjfg
Sat Jan 27, 2024 10:41 pm
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 965

Re: OpenVPN DCO problem with ROS v7.13.1

Are these all your input rules? Also, no nat that would interfere?

If ok, can you export all the input and nat rules?

I will have a closer look tomorrow. First thing is your dns_ntp rule is dangerous.
by vingjfg
Sat Jan 27, 2024 9:30 pm
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 965

Re: OpenVPN DCO problem with ROS v7.13.1

Can you check that your input rules allow traffic to tcp and udp 1194 on your Mikrotik?
by vingjfg
Sat Jan 27, 2024 7:18 pm
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 965

Re: OpenVPN DCO problem with ROS v7.13.1

Can you add
disable-dco
To the client config?
by vingjfg
Sat Jan 27, 2024 11:21 am
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

Here are my defaults for /ip/ssh (7.13.2). always-allow-password-login is already "no". forwarding-enabled: no always-allow-password-login: no strong-crypto: no allow-none-crypto: no host-key-size: 2048 host-key-type: rsa Changing "strong-crypto" doesn't prevent me from ssh-ing o...
by vingjfg
Fri Jan 26, 2024 7:48 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

Seems so. I will try tomorrow.

BTW, what's your version?
by vingjfg
Fri Jan 26, 2024 8:30 am
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

Yes and we now know that the server is not sending the client packing but the client disconnects (type 1) after a message "USERAUTH FAILURE" (type 51) ( https://www.ietf.org/rfc/rfc4250.txt ) The stanza to debug SSH is the following. Be warned: that's verbose. /system/logging/add topics=ss...
by vingjfg
Fri Jan 26, 2024 12:00 am
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

OK. Let's try LogLevel at DEBUG3. I will have a look tomorrow morning.

That is weird.
by vingjfg
Thu Jan 25, 2024 11:56 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

Hmmm ...
Jan 25 15:28:49 zoidberg sshd[275510]: debug2: input_userauth_request: try method none [preauth]
After this one it should try another method - do you have "PasswordAuthentication yes" in /etc/ssh/sshd_config ?
by vingjfg
Thu Jan 25, 2024 11:25 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

ok ... can you set the loglevel to DEBUG2, restart the daemon and try another connection?

Stupid question: clocks synchronized on both devices?
by vingjfg
Thu Jan 25, 2024 10:08 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

OK, that's the general "something went wrong somewhere" type of message. Could be a number of things: if your server is a bit dated and the client a lot more recent, it may disconnect as it doesn't find something in common (but usually it says so). Are you trying key authentication? If so,...
by vingjfg
Thu Jan 25, 2024 9:50 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

Ok. That was worth a shot.

On the linux server - can you get the SSH entries?
sudo journalctl -xr -u ssh
by vingjfg
Thu Jan 25, 2024 9:38 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1540

Re: Can't ssh from router to LInux server?

Hi there!

Can you try the following?
/system ssh user=<some non root user on the linux server> 192.168.4.5
by vingjfg
Thu Jan 25, 2024 1:50 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

:thumb up:

I saw the other post, if you haven't already, I will create a bug report.
by vingjfg
Thu Jan 25, 2024 1:34 pm
Forum: Beginner Basics
Topic: NTP Time server
Replies: 7
Views: 1154

Re: NTP Time server

That is why I think you can just remove it and it will use bc address for local subnet, e.g. 178.118.85.255 (if it's a c net) I just tried: if you set broadcast=yes without specifying any broadcast-addresses , nothing happens. It doesn't work with 255.255.255.255 . My local subnet is 192.168.2.0/24, ...
by vingjfg
Thu Jan 25, 2024 11:56 am
Forum: Beginner Basics
Topic: NTP Time server
Replies: 7
Views: 1154

Re: NTP Time server

Also and to check, what is the IP of your RBM11G on that network? You mention the .2 but that would make it right in your DHCP pool.
by vingjfg
Thu Jan 25, 2024 10:59 am
Forum: Beginner Basics
Topic: NTP Time server
Replies: 7
Views: 1154

Re: NTP Time server

/system/ntp/server> print enabled: yes broadcast: yes multicast: yes manycast: yes broadcast-addresses: 178.118.85.2 vrf: main use-local-clock: yes local-clock-stratum: 3 auth-key: none Can you double check the broadcast-address? It doesn't look like a broadcast address at all.
by vingjfg
Wed Jan 24, 2024 9:42 pm
Forum: Beginner Basics
Topic: Mikrotik with Pfsense firewall [SOLVED]
Replies: 9
Views: 1621

Re: Mikrotik with Pfsense firewall [SOLVED]

The easiest, as far as I can see is something along the lines of the following. This simply takes whatever arrives to the interfaces in the WAN list and translates it to the PFSense's address. /ip/firewall/nat add chain=dstnat in-interface-list=WAN action=dst-nat to-addresses=192.168.70.1 By default...
by vingjfg
Tue Jan 23, 2024 10:24 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

I can confirm, enabling RSTP or MSTP stops link layer MAC addresses from being forwarded. One issue down, 99 to go! As a side note, I lose connectivity with my switches if I enable STP (this is strange, I have no loops), but I was able to test using RSTP and MSTP. I guess the first thing to look would b...
by vingjfg
Tue Jan 23, 2024 5:13 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

Some observations might be explained with disabled (R/M)STP on the bridge. It is expected to forward reserved multicast MACs 01:80:C2:00:00:0X (LLDP, BPDU, etc.) when using " protocol-mode=none " setting. Wow, yup! I tested and that's indeed the case. As FIPTech said that its bridge had S...
by vingjfg
Tue Jan 23, 2024 2:02 pm
Forum: Wireless Networking
Topic: Wifi WPA-PSK with MAC auth over radius
Replies: 9
Views: 1343

Re: Wifi WPA-PSK with MAC auth over radius

Thanks! Yes, I have defined Radius for wireless. It works for WPA-EAP, in the logs I see the radius requests go out and the reply come back. I am not using capsman yet. I can try with capsman, but shouldn't it work without as well? I guess that's the $2^20 question - should it work without a /capsm...
by vingjfg
Tue Jan 23, 2024 1:44 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

I connected another auxiliary router for packet capture, and I first discovered something abnormal: LLDP announcements from every device connected to the ports of the other router bridge are visible. This indicates that LLDP is switched and broadcast between ports. I suspect that it's a bug. N...
by vingjfg
Mon Jan 22, 2024 8:29 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

OK. So you see the same when you change the VLAN of the port as I do when I set the discovery on the VLAN interface. I have the feeling that there is something I am missing but I can't quite point it. Can we do the following? With the discovery as it is, port with PVID1 and additional VLAN (4000) ta...
by vingjfg
Mon Jan 22, 2024 6:38 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

Nope, not working. Ticket open: SUP-141451.
by vingjfg
Mon Jan 22, 2024 6:22 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

I configured LLDPD on my computer with a network policy, which got advertised immediately. The fact that my Mikrotik is not advertising the MED extension kind of tells me there could be a bug. As a last try, I will reboot my device and see if that changes something. I found a post from mid-2023 that...
by vingjfg
Mon Jan 22, 2024 5:24 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

I got curious and tried with my workstation on VLAN1 and VLAN10 - same result, I do not get an advertisement for LLDP-MED, but my workstation doesn't advertise itself as Voice or Phone. I think I may have an app somewhere for that.
by vingjfg
Mon Jan 22, 2024 5:01 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

I do. I will test later today with VLAN1 and VLAN10 to see if there is a difference.

Meanwhile, if you issue "/ip/neighbor/print" to check that you see neighbors?
by vingjfg
Mon Jan 22, 2024 12:44 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

Knock on wood!

I suspect that the device tried to tag the LLDP traffic ... which cannot be encapsulated, so while the physical interfaces received and sent the LLDPDU, the LLDP process itself did not receive them.

Hopefully, this will solve it. Let me know how it goes.
by vingjfg
Mon Jan 22, 2024 11:02 am
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

I think I found something - setting the list to LAN, I got LLDP announcements on my workstation but the router did not get my announcements. Nor did I get the VLAN. > /ip/neighbor/print I then configured a second list that has the bridge member interface > /interface/list/member/print Columns: LIST,...
by vingjfg
Mon Jan 22, 2024 10:46 am
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

I still see LLDPDU. I will install an LLDP responder on my computer to see that I can get the Voice VLAN. > /ip/neighbor/discovery-settings/print discover-interface-list: LAN lldp-med-net-policy-vlan: 11 protocol: cdp,lldp,mndp mode: tx-and-rx 20240122 LLDP Wireshark 2.png
by vingjfg
Mon Jan 22, 2024 10:14 am
Forum: Forwarding Protocols
Topic: BGP connecting but not forwarding after ros6 to ros7 update
Replies: 5
Views: 1166

Re: BGP connecting but not forwarding after ros6 to ros7 update

Hi Macosoft, You already asked that question in https://forum.mikrotik.com/viewtopic.php?t=203438 . Can you provide the output of the following commands? I may need a larger subset of the configuration later but I want to start with the minimum. /routing/export /ip/firewall/address-list/export /ip/r...
by vingjfg
Mon Jan 22, 2024 10:00 am
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

I did some tests with my equipment (7.13.2 on ARM), here is my configuration > /ip/neighbor/discovery-settings/print discover-interface-list: LAN lldp-med-net-policy-vlan: disabled protocol: cdp,lldp,mndp mode: tx-and-rx > /interface/list/member/print Columns: LIST, INTERFACE # LIST INTERFACE 0 LAN ...
by vingjfg
Sun Jan 21, 2024 11:18 pm
Forum: Wireless Networking
Topic: Wifi WPA-PSK with MAC auth over radius
Replies: 9
Views: 1343

Re: Wifi WPA-PSK with MAC auth over radius

Yo. I will try to help. There is more in two heads and stuff.

Radius server - you have set it for wireless service as well, correct? https://help.mikrotik.com/docs/display/ROS/RADIUS

Capsman aaa - you have a definition? https://help.mikrotik.com/docs/display/ROS/CAPsMAN
by vingjfg
Sun Jan 21, 2024 10:45 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1879

Re: LLDP MED not working if port PVID is not 1

Hi FIPTech,

That's strange. Can you send your discovery settings and the interface lists members?

Also and to confirm - your bridge is configured with vlan-filtering=yes, correct?
/ip/neighbor/discovery-settings/print
/interface/list/member/print
by vingjfg
Sun Jan 21, 2024 4:01 pm
Forum: Beginner Basics
Topic: Need some config help
Replies: 5
Views: 730

Re: Need some config help

Here it is. Let me know if you have any questions. Comments: If the Public IP One to Five are in the same network, then the addresses with the netmask /32 are to be fixed. Or replace the additional addresses by host routes (my preferred version but that's personal). For the NAT configuration, there are...
by vingjfg
Sun Jan 21, 2024 10:05 am
Forum: Scripting
Topic: Questions about generating valid random MAC? [SOLVED]
Replies: 17
Views: 1561

Re: Questions about generating valid random MAC? [SOLVED]

Thank you for your answer. The script I am currently using is fixed 0E: 11:22:33:44:55 at the first byte, with 0E at the beginning and random generation at the end. However, I think the range is still not large enough Hi Rosa, I don't know how you generate the MAC addresses but if you feel that the...
by vingjfg
Sat Jan 20, 2024 5:58 pm
Forum: Scripting
Topic: Questions about generating valid random MAC? [SOLVED]
Replies: 17
Views: 1561

Re: Questions about generating valid random MAC? [SOLVED]

Hi Rosa, Regarding the structure of a MAC address, the 2 constraints are: The LSB ("bit 0") of the first byte is 0 for a unicast address, 1 for a multicast address The next bit ("bit 1") of the first byte is 0 for a globally unique address and 1 for a locally administered address...
by vingjfg
Sat Jan 20, 2024 4:35 pm
Forum: General
Topic: /ip/firewall/filter/export - discrepancy with the where clause
Replies: 3
Views: 598

/ip/firewall/filter/export - discrepancy with the where clause

Hi all, I noticed that when I use /ip/firewall/filter/export where chain=... I get only one rule, and when I use /ip/firewall/filter/export , I have several rules in the chain. For example: > /ip/firewall/filter/export where chain=input # 2024-01-20 15:31:51 by RouterOS 7.13.2 ... /ip firewall filter...
by vingjfg
Sat Jan 20, 2024 10:18 am
Forum: Beginner Basics
Topic: Need some config help
Replies: 5
Views: 730

Re: Need some config help

Hi there!

Can you post here the output of the following commands after having replaced the public IP (for example by public1 ... public4)?
/ip/address/export verbose
/ip/firewall/nat/export
/ip/firewall/filter/export
by vingjfg
Sat Jan 20, 2024 9:20 am
Forum: Beginner Basics
Topic: Slow network speeds with Pi-Hole as DNS
Replies: 9
Views: 1019

Re: Slow network speeds with Pi-Hole as DNS

Something to check: you wrote that with the old switch (1Gb/s), it was fine. The new one has 2.5Gb/s capability, so I am wondering whether that could wreak havoc. Could you replace the ether1 with the name of the interface on the CRS310-8G+2S+IN that goes to the deco and see the rates advertised and...
by vingjfg
Thu Jan 18, 2024 10:24 pm
Forum: General
Topic: Help me - make script change ip adress every rto
Replies: 11
Views: 1081

Re: Help me - make script change ip adress every rto

Something like this should do the job. Please review before running as it hasn't been fully tested. Also, know that you are using it under your own responsibility. /system script add name=change-ip-on-rto source={ # Is google pingable? :local pingResult [/ping 8.8.8.8 count=3]; if ($pingResult = 0 )...
by vingjfg
Thu Jan 18, 2024 4:42 pm
Forum: Forwarding Protocols
Topic: BGP Filters translate from ros6 to ros7 not working
Replies: 9
Views: 1476

Re: BGP Filters translate from ros6 to ros7 not working

Macosoft, I think your last 3 rules should be: ... I tried with your modified rules but with no luck. When I disable this rule: chain=from_telekom disabled=no rule="if (dst == 0.0.0.0/0) { set bgp-weight 100; set bgp-local-pref 120; accept; }" I don't have internet on the router either. Se...
by vingjfg
Wed Jan 17, 2024 10:26 pm
Forum: Beginner Basics
Topic: Vpn ikeV2
Replies: 3
Views: 615

Re: Vpn ikeV2

For mikrotik, did you enable the logging with the following command?
/system/logging/ add action=memory prefix=ipsec topics=ipsec
If so, can you share the output when you try?

Reading the site you sent (translated in English, as I can read some Czech but not Polish, unfortunately).
by vingjfg
Wed Jan 17, 2024 10:18 pm
Forum: Scripting
Topic: Variable not being referenced by ":find" command? [SOLVED]
Replies: 3
Views: 788

Re: Variable not being referenced by ":find" command? [SOLVED]

Hi @ghostinthenet, I got it working - in my case the issue was that the variable immediateGateway was an array. Here is my code: { :local immediateGateway [/ip/route get [/ip route find where 8.8.8.8 in dst-address and active and routing-table=main] value-name=immediate-gw] :put [:typeof $immediateG...
by vingjfg
Wed Jan 17, 2024 9:19 pm
Forum: Beginner Basics
Topic: Vpn ikeV2
Replies: 3
Views: 615

Re: Vpn ikeV2

Hi @pasin, The x.509 alternative name is an extension field to indicate other possible names or identities for the machine, for example if it has multiple names or if you want to be able to address the machine by name or by IP. Regarding the issue you have, here is a link for you to review: https://...
by vingjfg
Wed Jan 17, 2024 9:13 pm
Forum: General
Topic: Help me - make script change ip adress every rto
Replies: 11
Views: 1081

Re: Help me - make script change ip adress every rto

Hi @johndol, I am not entirely sure what you are asking, for example I do not understand what you want to change. Your ISP assigns the external interface of your router an IP address, in the range 10.130.0.0/17, and that IP changes quite often. When the IP changes, what do you want to modify? You m...
by vingjfg
Wed Jan 17, 2024 8:57 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2422

Re: Brute Force Attacks

Perhaps the vodka market is drying out and they want to get into chocolate or beer :lol: I could throw in a couple of Belgian Waffles :D :D It will be below -15°C tomorrow so I could do with waffles (des gaufres de Liège s.v.p!) and some hot chocolate. Beer? In het stoofvlees! The following IP addr...
by vingjfg
Tue Jan 16, 2024 10:53 pm
Forum: Beginner Basics
Topic: Firewall jump rules - for better performance?
Replies: 2
Views: 563

Re: Firewall jump rules - for better performance?

Conceptually, that is correct: your first jump rule would match everything going to vlan10, if not, it would skip directly to the second jump rule ... etc, adding one evaluation for the rules to vlan10, 2 evaluations but removing a 100 evaluations for the rules to vlan20, and 3 evaluations but remov...
by vingjfg
Tue Jan 16, 2024 11:44 am
Forum: Beginner Basics
Topic: Help i couldn't Login page
Replies: 4
Views: 979

Re: Help i couldn't Login page

Peayeon, Are you saying you suspect that someone broke into your device and made unauthorized changes? If you have evidence of that or suspect that, I would suggest you immediately factory-reset the device, reinstall the updates, and reapply your last known-good configuration as you don't know what ...
by vingjfg
Tue Jan 16, 2024 11:10 am
Forum: Forwarding Protocols
Topic: BGP Filters translate from ros6 to ros7 not working
Replies: 9
Views: 1476

Re: BGP Filters translate from ros6 to ros7 not working

Macosoft, I think your last 3 rules should be: add chain=from_rds disabled=no rule="if (dst-len>-1) {set distance 50; accept}" add chain=to_rds disabled=no rule="if (dst-len>-1) {reject}" comment="Should not be needed - default is to reject" add chain=to_telekom disable...
by vingjfg
Tue Jan 16, 2024 10:39 am
Forum: Scripting
Topic: Can the content written to the file be added? [SOLVED]
Replies: 17
Views: 1836

Re: Can the content written to the file be added? [SOLVED]

/file print file=result.txt /file set [find name="result.txt"] contents=[/interface pppoe-client get [find name=pppoe-out1] password] ------------------------------------------------------------------------------------------------------------------------------------------------------- A s...
by vingjfg
Mon Jan 15, 2024 12:00 am
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

Interesting that it was missing the last rule. Do you see it when you use winbox or webfig? Do you have the same missing last rule for /ip firewall filter/print chain=forward?
by vingjfg
Sun Jan 14, 2024 11:55 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

OK. For wireguard, I suggest you open a different thread as this will fork off this discussion. My experience - purely on Linux as the client and server - is that even if the UDP datagrams don't go through, the client will still report that everything is fine. It's just that it will never receive a ...
by vingjfg
Sun Jan 14, 2024 11:08 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

Actually, can you post here the output of the following command? That will show if any rules have been dynamically inserted.
/ip/firewall/filter/print chain=input
by vingjfg
Sun Jan 14, 2024 10:58 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

Reading the configuration. For Wireguard, not certain: I see in your rules you have it in two places, the input and the raw/prerouting chains. Does the counter of the input chain increment when you connect? For the traffic not going through, you likely need to set a firewall rule in the forward chai...
by vingjfg
Sun Jan 14, 2024 5:19 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

I hope things are slowly getting back to normal. If you'd like, can you post the export of your config after all the changes?
by vingjfg
Sun Jan 14, 2024 3:10 pm
Forum: Beginner Basics
Topic: Communication between VLANs [SOLVED]
Replies: 20
Views: 1569

Re: Communication between VLANs [SOLVED]

Let's say it is an educated guess ... OP's posts might show complete config but they also might (more likely) show only what he deems relevant for the problem (and thus all the default firewall rules might follow in which case the whole problem might be solved by properly reordering the rules). Tha...
by vingjfg
Sun Jan 14, 2024 2:38 pm
Forum: Beginner Basics
Topic: Communication between VLANs [SOLVED]
Replies: 20
Views: 1569

Re: Communication between VLANs [SOLVED]

Let's say it is an educated guess ...
I tried adding another rule so now it becomes:
#0: Chain: forward, Action: accept, In Interface: vlan20, Out Interface: vlan30
#1: Chain: forward, Action: drop, In Interface: vlan30, Out Interface: vlan20
by vingjfg
Sun Jan 14, 2024 12:58 pm
Forum: Beginner Basics
Topic: Communication between VLANs [SOLVED]
Replies: 20
Views: 1569

Re: Communication between VLANs [SOLVED]

I was about to say that it seems he removed all the rules.
by vingjfg
Sun Jan 14, 2024 12:12 pm
Forum: RouterOS beta
Topic: BGP problem after updating from V6.49 to 7.6
Replies: 10
Views: 3445

Re: BGP problem after updating from V6.49 to 7.6

Same for rule 1.
by vingjfg
Sun Jan 14, 2024 12:09 pm
Forum: RouterOS beta
Topic: BGP problem after updating from V6.49 to 7.6
Replies: 10
Views: 3445

Re: BGP problem after updating from V6.49 to 7.6

Rule 3 in the screenshot should be in the form

If (condition) {actions;}
by vingjfg
Sat Jan 13, 2024 9:26 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

Then the last rule of the input chain I suggested will take care of it.

Btw, are things getting better?
by vingjfg
Sat Jan 13, 2024 8:35 pm
Forum: General
Topic: Assistance Needed with Multicast Configuration for MDNS Print Server over GRE Tunnel
Replies: 9
Views: 904

Re: Assistance Needed with Multicast Configuration for MDNS Print Server over GRE Tunnel

Bridging over your tunnel, a pair of OpenWrt with a tunnel and mDNS reflectors, or a container with the mDNS reflector.

Don't think PIM will help, mDNS is a link-local multicast.
by vingjfg
Sat Jan 13, 2024 6:46 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

The chain=input rulebase misses all the bits for fasttrack, established, invalid, related and so forth, and doesn't have a global drop for the WAN. This drops anything coming directly at the router from the identified DDoSers. Likely redundant with the ACL in the raw prerouting, but could catch stuf...
by vingjfg
Sat Jan 13, 2024 6:33 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

My comments: The fasttrack , invalid , and established in the chain=forward should come on top, then the rules for the new packets. The rule with the connection-nat-state=dstnat accepts everything coming from any network, as long as a dstnat was done. Consider changing it to reflect the NAT (source,...
by vingjfg
Sat Jan 13, 2024 5:42 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

I saw you posted earlier. Having a look.
by vingjfg
Sat Jan 13, 2024 5:41 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

Can you post your ip firewall config, with the sensitive bits removed?
by vingjfg
Sat Jan 13, 2024 11:03 am
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2752

Re: DDoS help

T-Mobile does indeed have a feature for DDoS protection. A paid feature. Their reluctance is simply that they don't want to provide it for free, even if that means that you are being disconnected due to the attack. Yes, ISPs have a nasty tendency to leave people in the lurch. One issue I see is that port tcp...
by vingjfg
Sat Jan 13, 2024 10:44 am
Forum: Beginner Basics
Topic: Difference between Native vs explicit VLAN while interVLAN routing? [SOLVED]
Replies: 1
Views: 818

Re: Difference between Native vs explicit VLAN while interVLAN routing? [SOLVED]

Hello, I cannot talk about the Mikrotik internal specifics as I don't know them. For another vendor whose name starts with C, VLAN 1 is the default VLAN for the management protocols and you can't change or delete it. Note that VID 0 is a special case and means "no tagging information, just a pr...
by vingjfg
Sat Jan 13, 2024 10:20 am
Forum: General
Topic: Assistance Needed with Multicast Configuration for MDNS Print Server over GRE Tunnel
Replies: 9
Views: 904

Re: Assistance Needed with Multicast Configuration for MDNS Print Server over GRE Tunnel

Alas, mDNS is a link-local multicast ( RFC6762 ), this means that routers are not supposed to pass them across subnets. This includes not passing over GRE tunnels. To pass them across subnets, you need a mDNS reflector: it basically takes the advertisements on one subnet and republish them on a diff...
by vingjfg
Fri Jan 12, 2024 11:20 am
Forum: General
Topic: Mikrotik rb750gr3 internet speed is slow
Replies: 11
Views: 1059

Re: Mikrotik rb750gr3 internet speed is slow

Please redo the test from a wired client AND share the details on how your wifi connects to your router.
by vingjfg
Fri Jan 12, 2024 7:45 am
Forum: Beginner Basics
Topic: Issue getting IP Address
Replies: 3
Views: 699

Re: Issue getting IP Address

Can you share the Mikrotik config?
by vingjfg
Thu Jan 11, 2024 8:32 pm
Forum: General
Topic: dst-nat port forwarding not working
Replies: 8
Views: 1353

Re: dst-nat port forwarding not working

Is the source also on 192.168.10.0/24? By the look of your config, it seems so.
by vingjfg
Wed Jan 10, 2024 10:38 pm
Forum: Wireless Networking
Topic: Mikrotik + Pfsense as captive portal
Replies: 6
Views: 1750

Re: Mikrotik + Pfsense as captive portal

Aren't the 2 subnets supposed to be served by the pfsense to make mDNS work. Your system sounds like router behind router. Well, they are, and not in the way the OP thinks of it. I redrew slightly based on the explanation, the OP's diagram being wrong and misleading. So technically, once Avahi is in...
by vingjfg
Tue Jan 09, 2024 7:01 pm
Forum: Wireless Networking
Topic: Mikrotik + Pfsense as captive portal
Replies: 6
Views: 1750

Re: Mikrotik + Pfsense as captive portal

Pfsense has an mdns reflector, in the package avahi.
by vingjfg
Tue Jan 09, 2024 6:59 pm
Forum: Wireless Networking
Topic: Mikrotik + Pfsense as captive portal
Replies: 6
Views: 1750

Re: Mikrotik + Pfsense as captive portal

First issue is the local routing: from 192.168.0/24, you likely go to the default gateway before going to the pfsense in order to reach 192.168.50.0/24. That works but depending on rules and conn tracking and things, this can result in delays. To try, add a route to 192.168.50.0/24 via the pfsense 1...
by vingjfg
Tue Jan 09, 2024 4:14 pm
Forum: Wireless Networking
Topic: Mikrotik + Pfsense as captive portal
Replies: 6
Views: 1750

Re: Mikrotik + Pfsense as captive portal

Can you post a network diagram and your MT config?

Regarding network discovery, what protocol is used?
by vingjfg
Sun Jan 07, 2024 3:31 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2918

Re: DNS not resolving some domains

Interestingly, there seems to be some variance between the replies from 9.9.9.9 <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> ANY whitehouse.gov @9.9.9.9 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19722 ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORIT...
by vingjfg
Sun Jan 07, 2024 3:17 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2918

Re: DNS not resolving some domains

8.8.8.8 and 9.9.9.9 respond, see below for the full response which is identical between 8.8.8.8 and 9.9.9.9. The other 3 I tried don't respond (1.1.1.1, 208.67.222.222, 193.110.81.9). As you correctly indicated in your earlier message, the error is "NOTIMP." All of these are public resolve...
by vingjfg
Sun Jan 07, 2024 2:33 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2918

Re: DNS not resolving some domains

Ticket open - SUP-139658
by vingjfg
Sun Jan 07, 2024 2:21 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2918

Re: DNS not resolving some domains

Yup, I agree: lots of negativity. On the other hand, the forum is full of messages of people demanding help and of "consultants" asking for help but really having the members of the forum doing their jobs . Nothing more pleasant than seeing a guy whose credentials are obviously "was a...
by vingjfg
Sun Jan 07, 2024 1:00 pm
Forum: General
Topic: Recommended for IPS/IDS
Replies: 6
Views: 3264

Re: Recommended for IPS/IDS

Ha! Deep packet inspection, application awareness, L7 inspection, whatever name it has today. The hallmark of the modern firewall. But that's not a function Mikrotik devices have natively. In essence, you are paying someone to maintain a database of IP addresses, domain names and signatures that ena...
by vingjfg
Sun Jan 07, 2024 12:47 pm
Forum: General
Topic: Under DNS Amplification attack, network unusable with Mikrotik routers
Replies: 12
Views: 2457

Re: Under DNS Amplification attack, network unusable with Mikrotik routers

So, I assume (maybe I shouldn't) that you already rebooted the device. What you may see is the effect of the ongoing attack plus some return traffic. Has it died off? If not you may try to ask the ISP to drop all traffic going to the external address, destination port 53. As you had left an open re...
by vingjfg
Fri Jan 05, 2024 6:47 pm
Forum: General
Topic: Simple hairpin not working
Replies: 17
Views: 1766

Re: Simple hairpin not working

I think you meant SERVER!
Correct, server not router.
by vingjfg
Fri Jan 05, 2024 2:14 pm
Forum: General
Topic: Simple hairpin not working
Replies: 17
Views: 1766

Re: Simple hairpin not working

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" log-prefix="Hairpin NAT Masquerade"
add action=masquerade chain=srcnat comment="Default NAT Masquerade" out-interface=ether1.12 (VLAN for my ONT)
add actio...
by vingjfg
Fri Jan 05, 2024 1:44 pm
Forum: General
Topic: Local IP Addressed leased but no internet.
Replies: 7
Views: 2284

Re: Local IP Addressed leased but no internet.

Yes, I do not use VLAN filtering on the router; all VLAN processing is on the switch CRS326, only tagged traffic to eth10 is sent to the switch and it will process it all. The connection for most of the PCs is ok but sometimes, for some reason, it decides not to go online even though a local IP has been leased. Then you may c...
by vingjfg
Thu Jan 04, 2024 5:54 pm
Forum: Beginner Basics
Topic: Problem NAT Server, Client's Public IP Not Show in log [SOLVED]
Replies: 4
Views: 1700

Re: Problem NAT Server, Client's Public IP Not Show in log [SOLVED]

This is the cause:
/ip firewall nat
chain=srcnat action=masquerade log=no log-prefix="" 
Everything that crosses the firewall has its source IP changed to the router's exit interface.
by vingjfg
Thu Jan 04, 2024 12:17 pm
Forum: General
Topic: Simple hairpin not working
Replies: 17
Views: 1766

Re: Simple hairpin not working

Hi, your dstnat rules need to be changed (hairpin isn't coming in from a WAN port):
add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.14 to-ports=443
Instead of using in-interface-list=WAN, perhaps use dst-address-type=local. Be caref...
by vingjfg
Wed Jan 03, 2024 11:02 pm
Forum: General
Topic: Local IP Addressed leased but no internet.
Replies: 7
Views: 2284

Re: Local IP Addressed leased but no internet.

Your rules are seriously messed up and do not contain the usual elements (established, fasttrack...) however they don't end in drop all so everything is accepted (hint: bad). Reading your configurations: I do not see any definition for the vlans in the bridge (/interface bridge vlan) of your RB4011,...
by vingjfg
Tue Jan 02, 2024 10:34 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2918

Re: DNS not resolving some domains

I hardly think that RFC1918 IP addresses are a security problem. Keep these where they are and remove the public ones, as well as the keys, usernames and hashes, and serial numbers when you post the full config. What is the problem in the excerpt you posted is that the query is received from 255.255...
by vingjfg
Tue Jan 02, 2024 9:46 pm
Forum: General
Topic: Wireguard Peers can't access IPs on VLANs
Replies: 32
Views: 3488

Re: Wireguard Peers can't access IPs on VLANs

The RSC configuration the OP attached. Did not even look at the recommended changes as the OP's design is fundamentally bad.
by vingjfg
Tue Jan 02, 2024 9:18 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2918

Re: DNS not resolving some domains

If 192.168.1.1 is your Mikrotik, what is this then?
/ip address add address=192.1.1.1/24 interface=bridge network=192.1.1.0
/ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=8.8.8.8
/ip firewall address-list add address=192.1.1.0/24 list=intern
by vingjfg
Tue Jan 02, 2024 8:57 pm
Forum: General
Topic: Wireguard Peers can't access IPs on VLANs
Replies: 32
Views: 3488

Re: Wireguard Peers can't access IPs on VLANs

If I understand your configuration, and that's a real pig's breakfast, your issue is that the hosts on 192.168.2.0/24 have no idea where to forward the return packets for your wireguard network. A possible workaround would be to NAT all that subnet behind the Hex's IP. I'm afraid that it would just ...
by vingjfg
Tue Jan 02, 2024 12:32 pm
Forum: General
Topic: Local IP Addressed leased but no internet.
Replies: 7
Views: 2284

Re: Local IP Addressed leased but no internet.

Do you have an input rule from your LAN to the Mikrotik? Looking at your rule base, that doesn't seem to be the case. Can you post the outputs of the following commands?
/ip firewall/filter/print where chain=input
/ip firewall/filter/print where chain=forward
/ip firewall/filter/print where chain=ou...
by vingjfg
Tue Jan 02, 2024 7:45 am
Forum: Beginner Basics
Topic: Loadbalancing issues
Replies: 3
Views: 1065

Re: Loadbalancing issues

Please export your config, remove the sensitive bits, and post here.
by vingjfg
Sun Dec 31, 2023 7:20 pm
Forum: Beginner Basics
Topic: still same problem and same issue please help!
Replies: 8
Views: 2485

Re: still same problem and same issue please help!

Please export and post your config.
by vingjfg
Fri Dec 22, 2023 4:55 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

Thanks, same to you.

You still have several things to fix on this Mikrotik though. Don't forget about them.
by vingjfg
Fri Dec 22, 2023 3:48 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

Sorry, I found the issue. I couldn't use the command that switched the position: /ip firewall nat/move numbers=1 destination=0 It shows: expected command name (line 1 column 17) So, I made the change manually, putting the accept rule first and then the masquerade rule. By reversing the sequence, th...
by vingjfg
Fri Dec 22, 2023 2:35 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

You are running version 6, I am checking against version 7 so some things are a bit different. I do not understand what you mean by: When I removed that old rule, the specific websites that weren't working before stopped working again. I didn't quite understand the 'add the permit at the bottom' par...
by vingjfg
Fri Dec 22, 2023 9:57 am
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

And as usual, when you have the changes implemented, send an updated configuration. I will need to know how you connect to this device, whether that is from the LAN or from the WAN.
by vingjfg
Thu Dec 21, 2023 10:35 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

Are you certain you issued all the commands? Some are not showing in the config you sent and some of the items that should have been removed are still there. No idea what the issue with the phone system can be. Blocked where? 1060 is not a standard port for SIP. Anyway, third wave of config changes....
by vingjfg
Thu Dec 21, 2023 7:33 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

Here is the second wave. More optional stuff but still important.
# Set the identity
/system identity
set name=mtrouter01

# Configure NTP to update the time
/system ntp client
set enabled=yes
/system ntp client servers
add address=br.pool.ntp.org
by vingjfg
Thu Dec 21, 2023 7:22 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

Here is the first wave. Review, implement and provide the export once you are done. Please also provide the output of "/ip/firewall/filter export" and "/ip/firewall/nat export".
# New addressing scheme
# 192.168.0.1 - 19 - static IP and leases
# 192.168.0.20 - 254 - dynamic IP
# F...
by vingjfg
Thu Dec 21, 2023 5:10 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

I will have a look at the configuration you posted later. Please learn how to use the /export function.
by vingjfg
Thu Dec 21, 2023 9:51 am
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

You didn't need to speak so poorly; I know the settings are terrible. I wouldn't be doing this if I weren't forced to. It's outside my area of expertise, but it was requested, and I need to deliver because support won't be called this year. I made these settings based on videos I watched. I'm also ...
by vingjfg
Wed Dec 20, 2023 4:10 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1828

Re: Some websites don't work [SOLVED]

Your configuration makes my eyes bleed - some chosen bits: add name=dhcp_pool3 ranges=\ 192.0.0.1-192.168.0.12,192.168.0.14-192.255.255.254 /ip address add address=192.168.0.13/8 interface=ether5 network=192.0.0.0 /ip firewall filter add action=accept chain=input src-address="" Not to ment...
by vingjfg
Wed Dec 20, 2023 1:53 pm
Forum: General
Topic: RouterOS 7.13 DNS issue
Replies: 7
Views: 1189

Re: RouterOS 7.13 DNS issue

The A record is for the canonical name. Actually, the only requirement is that the last CNAME be resolvable. For example, this is contrived but valid:
/ip dns static
add cname=foo.example.com name=bar.example.com ttl=1w type=CNAME
add cname=stuff.example.com name=foo.example.com ttl=1w type=CNAME
ad...
by vingjfg
Wed Dec 20, 2023 12:42 pm
Forum: General
Topic: RouterOS 7.13 DNS issue
Replies: 7
Views: 1189

Re: RouterOS 7.13 DNS issue

For the A record for the CNAME, the canonical entry needs to be resolvable: Resolvable canonical name: /ip/dns/static/add name=bar.example.com type=CNAME ttl=1w cname=www.google.com $ dig @192.168.2.1 bar.example.com ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.2.1 bar.example.com ; ...
by vingjfg
Wed Dec 20, 2023 12:35 pm
Forum: General
Topic: RouterOS 7.13 DNS issue
Replies: 7
Views: 1189

Re: RouterOS 7.13 DNS issue

Could you check the last example? It seems you interrogated 192.168.2.1 instead of 192.168.1.1.
by vingjfg
Wed Dec 20, 2023 11:54 am
Forum: General
Topic: RouterOS 7.13 DNS issue
Replies: 7
Views: 1189

Re: RouterOS 7.13 DNS issue

You need an A record for the CNAME. On Mikrotik: /ip/dns/static/add name=bar.example.com type=CNAME ttl=1w cname=foo.example.com Resolution: $ dig @192.168.2.1 bar.example.com ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.2.1 bar.example.com ; (1 server found) ;; global options: +cmd ;; Go...
by vingjfg
Wed Dec 20, 2023 10:11 am
Forum: Scripting
Topic: Environment in Script List [SOLVED]
Replies: 3
Views: 1257

Re: Environment in Script List [SOLVED]

Likely because MT considers "7.1", "7.0.1" and "7.0.0.1" to be IP addresses.

Remember, there is no float in the scripting language.
by vingjfg
Wed Dec 20, 2023 9:36 am
Forum: Beginner Basics
Topic: Bridge: 100 Mb or 1 G?
Replies: 8
Views: 2284

Re: Bridge: 100 Mb or 1 G?

Can you do the following: Disconnect ether5. Remove ether5 from the bridge. Connect ether5. Wait 2-3 seconds. Issue the following commands: "/interface/ethernet/print detail", "/interface/ethernet/print stats-detail", and "/interface/ethernet/monitor ether5 once". Discon...
by vingjfg
Tue Dec 19, 2023 8:44 pm
Forum: Beginner Basics
Topic: Bridge: 100 Mb or 1 G?
Replies: 8
Views: 2284

Re: Bridge: 100 Mb or 1 G?

It is better to leave it in auto-negotiate on both sides: for 10 and 100Mb/s you would end up in half-duplex and most of the time with more errors than frames. But the most important is that if you disable auto-negotiate on any side, you also disable the MDI-X, the detection of cross/non-cross connecti...
by vingjfg
Tue Dec 19, 2023 5:15 pm
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1102

Re: RouterOS 6.49.10 DNS issue

Yup, forgot that it was the original setting.

At this point, I think this would be worth creating a support ticket for, as it seems to be a bug.
by vingjfg
Tue Dec 19, 2023 2:47 pm
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1102

Re: RouterOS 6.49.10 DNS issue

OK.

Other way around: can you set the TTL to 4 hours?
by vingjfg
Tue Dec 19, 2023 2:14 pm
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1102

Re: RouterOS 6.49.10 DNS issue

Just to test, can you try to set the TTL for the FWD entry to 1s?
by vingjfg
Tue Dec 19, 2023 12:14 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

/ip/firewall/nat add action=masquerade chain=srcnat comment="To management server" out-interface-list=VPN src-address=172.1.2.0/24
by vingjfg
Tue Dec 19, 2023 12:03 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

Your question was about routing, everything until now was about routing and you have not mentioned NAT before.

If you want NAT, create a NAT rule:
/ip/firewall/nat add action=masquerade chain=srcnat comment="To management server" out-interface-list=VPN in-interface-list=LAN
by vingjfg
Tue Dec 19, 2023 11:51 am
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1102

Re: RouterOS 6.49.10 DNS issue

The Wireshark capture, can you do it server side to see if the server always replies correctly? I made different test: set DNS server - AD DNS And always get full response With mikrotik - not That I guessed. My question is whether it works when MT is querying the DNS, and not working when MT is res...
by vingjfg
Tue Dec 19, 2023 10:36 am
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1102

Re: RouterOS 6.49.10 DNS issue

The Wireshark capture, can you do it server side to see if the server always replies correctly?
by vingjfg
Tue Dec 19, 2023 10:27 am
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

If the main-router doesn't know where 172.1.2.0/24 is, it can't reply.

So fix that, prove me you fixed it and we can continue.
by vingjfg
Tue Dec 19, 2023 9:14 am
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

Reading the zerotier documentation, you need a ZT managed route.
by vingjfg
Tue Dec 19, 2023 7:39 am
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

Main-router has no return route for 172.1.2.0/24.

On main-router, add a route for 172.1.2.0/24 via 10.147.18.4. You also need to check your zerotier and make sure that network is defined.
by vingjfg
Mon Dec 18, 2023 10:46 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

Send me the routing table from both routers. That will be easier. "/ip/route/print detail"
by vingjfg
Mon Dec 18, 2023 10:01 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

Not what I said: I said that it seems you do not have a route for 172.1.2.0/24 on the main-router/router2.

main-router/router2, post here the output of the following command.
/ip/route/print detail
by vingjfg
Mon Dec 18, 2023 9:20 pm
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1102

Re: RouterOS 6.49.10 DNS issue

There is an issue in the regexp - regexp="*\\.example\\.com" -> regexp=".*\\.example\\.com"
by vingjfg
Mon Dec 18, 2023 9:03 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

Seems you don't have a route back for 172.1.2.0/24 in main-router/router2.

Can't tell if your ZeroTier is correctly configured.
by vingjfg
Mon Dec 18, 2023 3:43 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

That's because you have to do an export, not a backup.

In the terminal/CLI, issue the following. You have to do it on each router.
/export file=<whatever name>
And download the file using winbox or webfig.

Remove all the sensitive information and post here.
by vingjfg
Mon Dec 18, 2023 2:33 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2625

Re: Confused about VLANs

Then that's pretty easy: Proxmox : trunk your VLANs to the interface connecting to your Mikrotik switch Mikrotik : enable vlan-filtering (careful not to cut yourself off), add the relevant ports as pvid 1, create all the VLANs and add all the relevant ports as "tagged", edit VLAN1 and add ...
by vingjfg
Mon Dec 18, 2023 2:27 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

Can you post the exports here, instead of on an external site?

Thank you
by vingjfg
Mon Dec 18, 2023 7:21 am
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

Have you checked the firewall rules? The routing on the second router?

Please, config.
by vingjfg
Sun Dec 17, 2023 10:12 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2207

Re: Help with simple static routing [SOLVED]

Can be a number of things.

Can you send the configurations for both routers?
by vingjfg
Sun Dec 17, 2023 6:17 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2625

Re: Confused about VLANs

Can you use draw.io to make a diagram of what you plan to have, with for each link what VLANs are present?
by vingjfg
Sun Dec 17, 2023 5:14 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2625

Re: Confused about VLANs

Exactly: without vlan-filtering , all VLANs defined on the bridge are passed to all attached ports as these VLANs exist on the switch: pvid for the bridge in untagged, everything else is tagged. No. Without vlan-filtering there is no such thing as pvid. Period. You are right, I misexpressed myself:...
by vingjfg
Sun Dec 17, 2023 4:32 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2625

Re: Confused about VLANs

Not at all, but a few things. Without VLAN-filtering each port gets VLAN 1 untagged and all the other VLANs tagged. Without vlan-filtering enabled ROS device doesn't touch 802.1q (a.k.a. VLAN) headers ... and that includes those with VLAN ID 1. It's hard to figure VLAN 1 as most vendors treat VLAN ...
by vingjfg
Sun Dec 17, 2023 4:19 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2625

Re: Confused about VLANs

Exactly that: an interface that is not part of any bridge and has an IP address directly assigned to it. Don't forget to adapt the firewall rules. Just realized my "won't" became "want" in the post. Why shouldn't the interface be part of any bridge ? To prevent "backfeed"...
by vingjfg
Sun Dec 17, 2023 10:33 am
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2625

Re: Confused about VLANs

[...] Shouldn't I just add the "bridge" (AKA "Management Interface" or "CPU") ONLY to the Management VLAN as "Tagged" rather ? And ALL other Interfaces (sfp-sfpplus1...16 etc) TAGGING ALL other VLANs as well ? I do not know the exact details yet - I am now us...
by vingjfg
Sun Dec 17, 2023 9:51 am
Forum: General
Topic: Security of ptp links
Replies: 3
Views: 1137

Re: Security of ptp links

I'll start by saying that if your manager said that "anyone can guess it", this likely means your manager is used to picking weak passwords such as "yourcompanyname01!" or "Winter2023!". If the PSK is or are really random, for example you generated them with a password ...
by vingjfg
Sun Dec 17, 2023 9:24 am
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2625

Re: Confused about VLANs

Not at all, but a few things. Without VLAN-filtering each port gets VLAN 1 untagged and all the other VLANs tagged. I know, this is weird, but I learned the hard way. Do not forget to add the bridge as a tagged member of all the VLANs other than 1. The test you did with eno1/eno1.100 (Is this the co...
by vingjfg
Sun Dec 17, 2023 7:45 am
Forum: General
Topic: Some Linux Distros interfere with the network
Replies: 6
Views: 1712

Re: Some Linux Distros interfere with the network

Can you give some more info? The config? The IP of the linux host when you got the issue? A packet capture?
by vingjfg
Sun Dec 17, 2023 7:28 am
Forum: Forwarding Protocols
Topic: Set pref-src on ospf in ROS 7.12.1 [SOLVED]
Replies: 3
Views: 2002

Re: Set pref-src on ospf in ROS 7.12.1 [SOLVED]

What happens if you invert accept and set pref-src in the rule?
/routing filter rule
add chain=ospf-IN disabled=no rule=\
"if(dst in 0.0.0.0/0){set pref-src 10.10.100.1; accept;}"
by vingjfg
Sat Dec 16, 2023 4:31 pm
Forum: General
Topic: HAIRPIN NAT NOT WORK
Replies: 1
Views: 1094

Re: HAIRPIN NAT NOT WORK

My apologies, the export in your original message did not show when I read it first. This one is almost correct - remove the to-addresses . You do not need to masquerade behind the public IP, just behind the local IP of the router. /ip firewall nat add action=masquerade chain=srcnat comment=TEST-HAI...
by vingjfg
Sat Dec 16, 2023 1:03 pm
Forum: General
Topic: HAIRPIN NAT NOT WORK
Replies: 1
Views: 1094

Re: HAIRPIN NAT NOT WORK

Config export, please.
by vingjfg
Wed Dec 13, 2023 9:21 am
Forum: Beginner Basics
Topic: Need help with NAT for home server(s)
Replies: 12
Views: 2724

Re: Need help with NAT for home server(s)

Some rules that I find strange - add action=src-nat chain=srcnat comment="SMTP za Monolith" dst-address=192.168.88.112 dst-port=25 protocol=tcp to-addresses=192.168.88.1 to-ports=0-65535 to-ports is not needed Trying from the Internet, I see the following. Can you check on the server that ...
by vingjfg
Wed Dec 13, 2023 8:55 am
Forum: Beginner Basics
Topic: Need help with NAT for home server(s)
Replies: 12
Views: 2724

Re: Need help with NAT for home server(s)

You are doing hairpin NAT, that's often an issue but a casual review shows this is fine. I see that the HTTPS rule for Monolith is disabled. Did you enable it when you had disabled the other rules? The test you mention, does it run from the inside or from the outside? I will read the config in detai...
by vingjfg
Sun Dec 10, 2023 9:14 am
Forum: Beginner Basics
Topic: Blocking DNS traffic
Replies: 6
Views: 2033

Re: Blocking DNS traffic

And remove the dns rules from the output chain. The only thing you achieved is preventing the router itself from being able to resolve anything. And for reference, the documentation on the firewall: https://help.mikrotik.com/docs/display/ROS/Filter Key elements: input is for connection to the device...
by vingjfg
Sat Dec 09, 2023 11:23 pm
Forum: Beginner Basics
Topic: Blocking DNS traffic
Replies: 6
Views: 2033

Re: Blocking DNS traffic

Second input rule.
by vingjfg
Sat Dec 09, 2023 10:38 am
Forum: General
Topic: WireGuard access
Replies: 13
Views: 2407

Re: WireGuard access

@andrew162, Can you post a diagram with the L3 information? Currently, it is impossible to tell what goes where. Also, can you post a status of wireguard on the client and the routing table just after the connection? On Linux that is achieved with the following.
sudo wg show
ip route
Lastly, what ar...
by vingjfg
Fri Dec 08, 2023 12:27 pm
Forum: General
Topic: RDP not working in lan
Replies: 7
Views: 2052

Re: RDP not working in lan

Please post the output of the following commands on the notebook
netsh advfirewall firewall show rule name=all
netstat -an