Community discussions

Search found 4621 matches

by Sob
Mon Oct 14, 2019 6:42 pm
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 156
Views: 45290

Re: Feature request - DNSCrypt support...

Nothing I can see. But it's early beta and the main goal is to have new kernel, not so much new features, even though there are some (not for DNS).
by Sob
Mon Oct 14, 2019 6:37 pm
Forum: Beginner Basics
Topic: Dual Wan config on my router
Replies: 17
Views: 1868

Re: Dual Wan config on my router

It means that I already posted a link to what should be the answer you're looking for, but for some reason you seemed to miss it.
by Sob
Mon Oct 14, 2019 4:41 am
Forum: General
Topic: VPN over Balancing PCC
Replies: 33
Views: 3262

Re: VPN over Balancing PCC

The goal is to have all, flawlessly running system, knowing why it does that (it's very helpful), and good feeling from doing it yourself. It could take a while, but it's possible. :) Another way to do it is:
/ip route rule add action=lookup-only-in-table dst-address=10.11.12.0/24 table=main
You bas...
by Sob
Mon Oct 14, 2019 3:01 am
Forum: General
Topic: DualWAN - route for specific dest IP / port
Replies: 1
Views: 119

Re: DualWAN - route for specific dest IP / port

For start, do something with fasttrack, either disable it or make it apply only to connections using default routing table. It's your main problem. Then for the mangle rule, I'd move it up and make it mark connections (wan2_conn) instead of marking routing directly. What you have now should work too...
by Sob
Fri Oct 11, 2019 3:00 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 7
Views: 942

Re: IPv6 how to use it right

That's what I mentioned as second option. :)
by Sob
Fri Oct 11, 2019 2:55 pm
Forum: Beginner Basics
Topic: Dual Wan config on my router
Replies: 17
Views: 1868

Re: Dual Wan config on my router

Just reminding, there's also this post in this very thread, linking to another thread which describes exactly what you say you want to have.
by Sob
Fri Oct 11, 2019 2:45 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 7
Views: 942

Re: IPv6 how to use it right

But how does TP-Link get prefix from upstream?
by Sob
Thu Oct 10, 2019 8:37 pm
Forum: General
Topic: VPN over Balancing PCC
Replies: 33
Views: 3262

Re: VPN over Balancing PCC

I like your approach. Some trial & error, exploring dead ends, things like that, it's a great way to learn something.
by Sob
Thu Oct 10, 2019 5:18 pm
Forum: RouterOS v7 BETA
Topic: OpenVPN .ovpn
Replies: 5
Views: 1463

Re: OpenVPN .ovpn

They could have done that in last 10+ years. And they still implemented first tcp, and now (after finding suicide-proof developers) even udp themselves. So my guess would be probably not for official OpenVPN.
by Sob
Thu Oct 10, 2019 5:06 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 7
Views: 942

Re: IPv6 how to use it right

If you need to connect other routers with additional networks behind them, you need DHCPv6 server to give them prefixes to use (the one in RouterOS can do this). The other way is to use static config for everything, manually configure subnets on routers and add routes to them on main one.
by Sob
Thu Oct 10, 2019 5:02 pm
Forum: General
Topic: can mikrotik router be a voip\sip server?
Replies: 6
Views: 1249

Re: can mikrotik router be a voip\sip server?

You're here long enough to know official answer, there's no voip server package from MikroTik and no support for custom packages or any other way to install your own stuff. Other than that, RouterOS has Linux inside, so if you find a way to put your stuff in, it could work. There were some ex...
by Sob
Thu Oct 10, 2019 4:21 pm
Forum: RouterOS v7 BETA
Topic: OpenVPN .ovpn
Replies: 5
Views: 1463

Re: OpenVPN .ovpn

I'd rather implement functionality of all those options first, and then I'd think about config importer. ;)
by Sob
Thu Oct 10, 2019 5:48 am
Forum: General
Topic: VPN over Balancing PCC
Replies: 33
Views: 3262

Re: VPN over Balancing PCC

Hint: Just be careful about how you mark your connections and be sure you don't change some existing marks that should stay unchanged.

Or, if you want to miss all the fun you can have while finding the solution yourself, you can post your exported config and maybe someone will tell you what's wrong.
by Sob
Thu Oct 10, 2019 5:40 am
Forum: General
Topic: TLS 1.3 + dual WAN session drops
Replies: 7
Views: 1080

Re: TLS 1.3 + dual WAN session drops

You can leave out per-connection-classifier=both-addresses:1/0, it matches everything and doesn't do anything useful. The connection-mark=no-mark is enough to make sure that only packets not marked by any previous rule will be marked by this one.
by Sob
Thu Oct 10, 2019 5:36 am
Forum: General
Topic: No internet if there is not a route without a routing mark
Replies: 2
Views: 494

Re: No internet if there is not a route without a routing mark

You do need default route in main routing table for router itself, even if you don't actually use it and set routing for all output to use different routing table. The route doesn't even have to be real, it can point for example to empty bridge, it just needs to exist. If you check the pretty pictur...
by Sob
Thu Oct 10, 2019 5:00 am
Forum: General
Topic: VPN over Balancing PCC
Replies: 33
Views: 3262

Re: VPN over Balancing PCC

It's not right. The masquerade rule you posted doesn't have any condition, it means it will apply to every connection going through router. So for example, if you'd have some forwarded ports to internal server, you wouldn't be able to see real addresses of clients.
by Sob
Wed Oct 09, 2019 4:54 pm
Forum: General
Topic: IIS cannot see the external IP when NAT
Replies: 11
Views: 1087

Re: IIS cannot see the external IP when NAT

Except in-interface matching is not possible in srcnat, it needs to be done using src-address. I'm not sure why, connection tracking must know from where the packet came. But that's how it is.
by Sob
Wed Oct 09, 2019 6:15 am
Forum: General
Topic: TLS 1.3 + dual WAN session drops
Replies: 7
Views: 1080

Re: TLS 1.3 + dual WAN session drops

Don't worry, it's not exactly true. First, equal streams is more theoretical, maybe for longer term average it would be that way, but that's with any connection-based load balancing. But, which is more interesting for you, you can always have something like ten "equal streams" and send one to WAN1, ...
by Sob
Wed Oct 09, 2019 1:34 am
Forum: Beginner Basics
Topic: DDNS does not let me access my Router [SOLVED]
Replies: 15
Views: 2091

Re: DDNS does not let me access my Router [SOLVED]

DDNS just updates hostname to whatever public IP address your router uses, but it otherwise doesn't help with incoming connections. For those to work, you need to either have public IP address directly on your router, or have forwarded ports from router with public address to yours without one. If y...
by Sob
Tue Oct 08, 2019 10:05 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 28
Views: 2848

Re: Why (not) use Hairpin NAT

That will unnecessarily apply srcnat also to connections between different subnets where it could work without it. And one more point for hairpin NAT (edit: actually, this is not exactly hairpin NAT itself, because srcnat would not be required; but it's related): Let's say you do have larger LAN wit...
by Sob
Tue Oct 08, 2019 9:39 pm
Forum: Beginner Basics
Topic: Dual Wan config on my router
Replies: 17
Views: 1868

Re: Dual Wan config on my router

There could be some reason why WAN should be selectable by device in LAN simply by using different gateways.

And yes, it's possible: Switching WANs by Host Gateway Selection
by Sob
Tue Oct 08, 2019 9:33 pm
Forum: General
Topic: VPN PPTP [SOLVED]
Replies: 3
Views: 589

Re: VPN PPTP [SOLVED]

It's because all response packets from 192.168.7.0/24 get routing mark R7 and they are routed back to "BR - DHCP" interface instead of to VPN client. At first sight the whole part with routing marks seems completely useless, so unless you have some good reason to have it, just get rid of it and ever...
by Sob
Tue Oct 08, 2019 9:22 pm
Forum: General
Topic: TLS 1.3 + dual WAN session drops
Replies: 7
Views: 1080

Re: TLS 1.3 + dual WAN session drops

What about something a little more advanced than nth, like PCC (https://wiki.mikrotik.com/wiki/Manual:PCC)?
by Sob
Tue Oct 08, 2019 9:17 pm
Forum: Scripting
Topic: Recursive Failover with public IP check
Replies: 2
Views: 459

Re: Recursive Failover with public IP check

check-gateway (arp | ping; Default: "") - Periodically (every 10 seconds) check gateway by sending either ICMP echo request (ping) or ARP request (arp). If no response from gateway is received for 10 seconds, request times out. After two timeouts gateway is considered unreachable. After receiving r...
by Sob
Tue Oct 08, 2019 9:13 pm
Forum: Forwarding Protocols
Topic: IPSec/L2TP
Replies: 3
Views: 581

Re: IPSec/L2TP

What you're looking for is ipsec-policy matcher:
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec
And remove 1701 from the other rule, because that would allow also unencrypted L2TP.
by Sob
Tue Oct 08, 2019 9:08 pm
Forum: General
Topic: Best VPN for Mikrotik Router
Replies: 13
Views: 2063

Re: Best VPN for Mikrotik Router

I wouldn't celebrate yet, there's udp in v7, but it wasn't the only missing feature. So it's great step for own use, but not much changed for interoperability with someone else's service using standard OpenVPN.
by Sob
Tue Oct 08, 2019 3:09 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 28
Views: 2848

Re: Why (not) use Hairpin NAT

If you have publicly accessible service and thousand remote computers connect to it, it's possible that you will see just one source address, if they happen to be behind same remote NAT. If you can live with this, why should you be bothered when accesses from your LAN will be hidden behind one commo...
by Sob
Tue Oct 08, 2019 3:22 am
Forum: Beginner Basics
Topic: Forwarding port 443 causes internet problems to anyone else?
Replies: 4
Views: 511

Re: Forwarding port 443 causes internet problems to anyone else?

Let me fix it:
Https uses port 443... so by incorrectly forwarding this port you can create problems...!
And whether it's the case, probably yes, but it's hard to tell exactly if you don't show your config.
by Sob
Mon Oct 07, 2019 3:12 pm
Forum: General
Topic: Questions regarding Hairpinning
Replies: 7
Views: 1301

Re: Questions regarding Hairpinning

1) It would be good to decide what addresses you have. You know, if you want traffic forwarded to 10.0.17.2, dstnat rules with to-addresses=192.168.1.2 won't do it.
2) You don't need duplicate rules. These two do the same thing:
/ip firewall nat
add action=dst-nat chain=dstnat comment="http hairpin"...
by Sob
Mon Oct 07, 2019 2:51 pm
Forum: General
Topic: can mikrotik router be a voip\sip server?
Replies: 6
Views: 1249

Re: can mikrotik router be a voip\sip server?

There's KVM in x86, but I never used it myself.
by Sob
Mon Oct 07, 2019 5:22 am
Forum: General
Topic: Questions regarding Hairpinning
Replies: 7
Views: 1301

Re: Questions regarding Hairpinning

It would be best to export and post what you actually have (whole firewall). In first post you just copied rules from wiki, second shows only part of your NAT rules, and nobody can know what other rules you have.
by Sob
Mon Oct 07, 2019 4:46 am
Forum: General
Topic: Questions regarding Hairpinning
Replies: 7
Views: 1301

Re: Questions regarding Hairpinning

If connections from LAN to public address work, but hairpin rule does not have any hits, it means that you already have another rule with the same effect higher in srcnat chain. And no, hairpin rule (srcnat) does not replace port forwarding rule (dstnat), you need both. Edit: And you don't need mult...
by Sob
Fri Oct 04, 2019 8:02 pm
Forum: Beginner Basics
Topic: CBS All Access can't pass through my RB3011 UiAS
Replies: 5
Views: 760

Re: CBS All Access can't pass through my RB3011 UiAS

You're paranoid. ;) I mean, statistically it helps. Block 10% of internet and you'll have 10% less addresses that could be potentially dangerous. Block 50% and it will be even safer. Block all and you'll be completely safe. But it's also very easy to block something you don't want to block. It's not...
by Sob
Fri Oct 04, 2019 7:52 pm
Forum: General
Topic: VPN over Balancing PCC
Replies: 33
Views: 3262

Re: VPN over Balancing PCC

No, it's just a name, it doesn't have any special meaning. I don't see much of your config, but original post contains three distinct routing marks:

mr_vpn
to_WAN1, mr_vpn
to_WAN2

Mangle rule sets the first one, but there's no routing table for it.
by Sob
Fri Oct 04, 2019 3:44 pm
Forum: General
Topic: VPN over Balancing PCC
Replies: 33
Views: 3262

Re: VPN over Balancing PCC

Quick note, routing-mark="to_WAN1, mr_vpn" means one routing mark named "to_WAN1, mr_vpn", NOT two routing marks "to_WAN1" and "mr_vpn".
by Sob
Thu Oct 03, 2019 10:33 pm
Forum: General
Topic: OpenWRT + RouterOS to have UPnP? [Advice needed]
Replies: 14
Views: 1072

Re: OpenWRT + RouterOS to have UPnP? [Advice needed]

But the software works, so all that's needed are some small tweaks to make it work with current OpenWRT and get installable package. It's easier said than done for me or you, but someone familiar with OpenWRT should have it in no time. Don't they have some friendly support forum like this one, where...
by Sob
Thu Oct 03, 2019 8:50 pm
Forum: General
Topic: can mikrotik router be a voip\sip server?
Replies: 6
Views: 1249

Re: can mikrotik router be a voip\sip server?

If you don't want to stretch *any* way too much, then probably just MetaROUTER, if your device supports it.
by Sob
Thu Oct 03, 2019 8:28 pm
Forum: Beginner Basics
Topic: openssl certificate
Replies: 12
Views: 776

Re: openssl certificate

Before you start buying anything, check also my answer in your other thread (and next time maybe keep everything in one). Just to be sure that the certificate will actually help you.

Btw, quick Google search suggests that dynamic no-ip hostnames should work just fine with LE.
by Sob
Thu Oct 03, 2019 8:12 pm
Forum: General
Topic: OpenWRT + RouterOS to have UPnP? [Advice needed]
Replies: 14
Views: 1072

Re: OpenWRT + RouterOS to have UPnP? [Advice needed]

You have to accept that even "simple NAT case" is something unusual. Everything is made for client device connected directly to router (in same subnet) where it wants to open ports. Another router in the way breaks the thing. Out of curiosity, I tested the program I found previously (https://github....
by Sob
Thu Oct 03, 2019 3:57 am
Forum: General
Topic: SSH access to default Gateway (Mikrotik) thru secondary gateway (non Mikrotik) port forwarding
Replies: 6
Views: 630

Re: SSH access to default Gateway (Mikrotik) thru secondary gateway (non Mikrotik) port forwarding

Port forwarding works but I think that reply to the traffic goes to default gateway and not to secondary. It needs a little help from you. You need another default route via second gateway, in different routing table. Then you have to mark incoming connections from there. Either by incoming interf...
by Sob
Thu Oct 03, 2019 3:47 am
Forum: Beginner Basics
Topic: Open a limited time port
Replies: 9
Views: 828

Re: Open a limited time port

Well, it could be doable... First step is easy, you can allow new connections with mentioned time parameter only between 8 and 17. Next is cutting them off after 10 minutes. I didn't test how much access to connections table scripts have, but if it's possible to work with it, you could make a script...
by Sob
Thu Oct 03, 2019 3:11 am
Forum: General
Topic: OpenWRT + RouterOS to have UPnP? [Advice needed]
Replies: 14
Views: 1072

Re: OpenWRT + RouterOS to have UPnP? [Advice needed]

I don't think I'll be able to tell you anything new.
by Sob
Wed Oct 02, 2019 4:01 pm
Forum: Beginner Basics
Topic: can I use LetsEncrypt certificates for the Hotspot?
Replies: 1
Views: 266

Re: can I use LetsEncrypt certificates for the Hotspot?

In short, no.

You can use LE certificate for your login page, but it needs to have valid public hostname, otherwise LE won't give you certificate for it. But it still will not help you with users having some https website as their homepage and getting errors when redirected to your hotspot.
by Sob
Wed Oct 02, 2019 3:55 pm
Forum: General
Topic: OpenWRT + RouterOS to have UPnP? [Advice needed]
Replies: 14
Views: 1072

Re: OpenWRT + RouterOS to have UPnP? [Advice needed]

The simplest explanation is that OpenWRT isn't sending anything to MT, and it would not be surprising at all, because that's normal behaviour.

What you're looking for is some special kind of UPnP server, something like I found last time. I knew your name was familiar. ;)
by Sob
Wed Oct 02, 2019 5:27 am
Forum: General
Topic: OpenWRT + RouterOS to have UPnP? [Advice needed]
Replies: 14
Views: 1072

Re: OpenWRT + RouterOS to have UPnP? [Advice needed]

And what exactly do you see? If PS3 talks to OpenWRT's UPnP, you will see something there, some forwarded ports from OpenWRT to PS3. But there would have to be something on OpenWRT that would actively talk to MT. Do you have something like that? Because it's not default function of UPnP.
by Sob
Tue Oct 01, 2019 10:41 pm
Forum: General
Topic: OpenWRT + RouterOS to have UPnP? [Advice needed]
Replies: 14
Views: 1072

Re: OpenWRT + RouterOS to have UPnP? [Advice needed]

But are there any UPnP requests from OpenWRT to MT? UPnP is just a way for a device connected to a router to automatically open ports (= set up port forwarding). It's for the router the device talks to, it doesn't send anything to upstream router, at least not by default. Such proxy/relay/whatever mode...
by Sob
Tue Oct 01, 2019 10:06 pm
Forum: General
Topic: OpenWRT + RouterOS to have UPnP? [Advice needed]
Replies: 14
Views: 1072

Re: OpenWRT + RouterOS to have UPnP? [Advice needed]

Either OpenWRT acts as transparent AP (simple bridge), then it shouldn't do anything with UPnP (it should be disabled) and all requests from PS3 will go directly to MT's UPnP. Or OpenWRT acts as router (PS3 is in different subnet) and then you'd need UPnP on OpenWRT to act as proxy and forward requests...
by Sob
Tue Oct 01, 2019 10:00 pm
Forum: Beginner Basics
Topic: mikrotik port forwarding
Replies: 3
Views: 408

Re: mikrotik port forwarding

Short answer: It's not possible. Long answer: There are two problems. First is that you'd need to take incoming packets, duplicate them and then send them to different destinations. Router doesn't do such things, you'd need specialized server. Second problem, even then it would not work for everyth...
by Sob
Tue Oct 01, 2019 12:44 am
Forum: Beginner Basics
Topic: help i have routerboard RB951Ui-2HnD need Cache web proxy
Replies: 11
Views: 1083

Re: help i have routerboard RB951Ui-2HnD need Cache web proxy

MikroTik (or anyone else) can't help you, it's not possible to see inside https. And if router can't see inside, it can't cache it.

In video it's all http:// urls, NOT https://.
by Sob
Tue Oct 01, 2019 12:12 am
Forum: Beginner Basics
Topic: help i have routerboard RB951Ui-2HnD need Cache web proxy
Replies: 11
Views: 1083

Re: help i have routerboard RB951Ui-2HnD need Cache web proxy

Sorry, I don't understand a single word in those videos.

But it's simple. Most webservers now use https. Web proxy in RouterOS can cache only http (not https).
by Sob
Mon Sep 30, 2019 10:27 pm
Forum: Beginner Basics
Topic: Static DNS server replies not handled as "related" by firewall
Replies: 12
Views: 868

Re: Static DNS server replies not handled as "related" by firewall

Btw, for OP, this <my external IP>:5678 everywhere looks very suspicious, DNS queries should have random source port.
by Sob
Mon Sep 30, 2019 10:20 pm
Forum: Beginner Basics
Topic: Static DNS server replies not handled as "related" by firewall
Replies: 12
Views: 868

Re: Static DNS server replies not handled as "related" by firewall

With these rules:
/ip firewall filter
add action=log chain=output dst-address=8.8.8.8 log-prefix=request
add action=log chain=input connection-state=established log-prefix="response established" src-address=8.8.8.8
add action=log chain=input connection-state=invalid log-prefix="response invalid" src...
by Sob
Mon Sep 30, 2019 10:02 pm
Forum: Beginner Basics
Topic: help i have routerboard RB951Ui-2HnD need Cache web proxy
Replies: 11
Views: 1083

Re: help i have routerboard RB951Ui-2HnD need Cache web proxy

You clearly did not understand what I was trying to tell you.
by Sob
Mon Sep 30, 2019 9:36 pm
Forum: Beginner Basics
Topic: Static DNS server replies not handled as "related" by firewall
Replies: 12
Views: 868

Re: Static DNS server replies not handled as "related" by firewall

Udp can have connection-state=established too. The protocol doesn't have any connection as tcp does, but connection tracking sees it that way when there are packets with matching source and destination addresses and ports.
by Sob
Mon Sep 30, 2019 9:14 pm
Forum: Beginner Basics
Topic: help i have routerboard RB951Ui-2HnD need Cache web proxy
Replies: 11
Views: 1083

Re: help i have routerboard RB951Ui-2HnD need Cache web proxy

You won't save anything, because almost everything now uses https and proxy won't cache that.
by Sob
Sun Sep 29, 2019 6:47 pm
Forum: General
Topic: How exactly this works? dstnat to external ip
Replies: 3
Views: 412

Re: How exactly this works? dstnat to external ip

It's simple, dstnat changes destination address, so when they connect to you, their packets are redirected to target server. And since you also have srcnat/masquerade on WAN interface, and it's clearly not limited only to connection from your LAN, you created a variant of hairpin NAT config. So from...
by Sob
Fri Sep 27, 2019 7:52 pm
Forum: General
Topic: New LHG XL 5 ac can't find wireless interface after licence trial [SOLVED]
Replies: 2
Views: 396

Re: New LHG XL 5 ac can't find wireless interface after licence trial [SOLVED]

Looks like you followed wrong tutorial. If you need point to point link, L3 is enough. You'd need L4 for point to multipoint. And L5 doesn't make sense, it doesn't add anything for wireless over L4. One way to get original L3 back would be to restore license key you should have exported from router,...
by Sob
Fri Sep 27, 2019 7:09 pm
Forum: Beginner Basics
Topic: Open a limited time port
Replies: 9
Views: 828

Re: Open a limited time port

You know there's this "time" parameter for firewall, right?
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) Allows to create filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
Only problem I see is the 10 minutes per conn...
by Sob
Fri Sep 27, 2019 6:59 pm
Forum: Scripting
Topic: Script email and char accents [SOLVED]
Replies: 9
Views: 814

Re: Script email and char accents [SOLVED]

Check the final mails in e-mail client. Look at headers if perhaps something about encoding was added on the way. If not and there's nothing about encoding, it can be some autodetection in e-mail client and it can have different result if it sees only one é character or two é è.
by Sob
Fri Sep 27, 2019 4:51 am
Forum: Scripting
Topic: Script email and char accents [SOLVED]
Replies: 9
Views: 814

Re: Script email and char accents [SOLVED]

I'll recycle an older post of mine: RouterOS has zero support for anything above basic 7-bit ASCII. It just stores and reads those bytes as they are, but has no understanding of any character sets. So e.g. comment "ěščřžýáíé" saved in WinBox will be ok in same WinBox, but even WebFig will mess it up...
by Sob
Thu Sep 26, 2019 4:31 pm
Forum: Beginner Basics
Topic: License renewal
Replies: 4
Views: 586

Re: License renewal

I'm not aware of any official documentation regarding this. I also don't know on what exactly CHR's software ID depends (for regular RouterOS it's disk, both hw info and some data on it), but it does seem wrong that it would be changing on reboot. My first reaction would be to blame hoster for doing...
by Sob
Thu Sep 26, 2019 4:17 pm
Forum: Scripting
Topic: L7 RegExp - bug
Replies: 3
Views: 380

Re: L7 RegExp - bug

Post more details, what works, what doesn't, maybe it can be improved.
by Sob
Thu Sep 26, 2019 12:04 am
Forum: Beginner Basics
Topic: Host a domain's zone in Mikrotik
Replies: 1
Views: 211

Re: Host a domain's zone in Mikrotik

Short answer: You can't. Long answer: It depends on what you mean by "implement it in my Mikrotik router" and how much you're willing to compromise on functionality. If you'd like to replace Linux DNS server with RouterOS DNS server, it's not possible. Only if it would be enough to have just A/AAAA ...
by Sob
Wed Sep 25, 2019 7:15 pm
Forum: RouterOS v7 BETA
Topic: Torrent client
Replies: 25
Views: 3978

Re: Torrent client

If RouterOS will have a variety of separate packages to choose from, I wonder if it would be possible to have an option to install them in a "task-based" manner? Until there's hundreds of packages, this is non-existent problem. And current plan seems to go in opposite direction. We'll see if "hat...
by Sob
Wed Sep 25, 2019 6:34 pm
Forum: Beginner Basics
Topic: Hairpin not working
Replies: 30
Views: 2903

Re: Hairpin not working

You can have address reservation in DHCP and wrong gateway at the same time, it's two different things. Fix it and there should be happy end.
by Sob
Wed Sep 25, 2019 6:23 pm
Forum: General
Topic: Alias/Duplicate network [SOLVED]
Replies: 2
Views: 281

Re: Alias/Duplicate network [SOLVED]

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

The keyword you're looking for is "netmap".
by Sob
Wed Sep 25, 2019 5:52 pm
Forum: Scripting
Topic: L7 RegExp - bug
Replies: 3
Views: 380

Re: L7 RegExp - bug

What you actually need is this, but unfortunately it's not available in RouterOS. Anyway, your regexp is too complicated and basically all wrong. Browse this thread for some helpful tips, make it work for single TLD first and then continue to expand it. And remember, it will only ever work for udp...
by Sob
Wed Sep 25, 2019 5:34 pm
Forum: Beginner Basics
Topic: Hairpin not working
Replies: 30
Views: 2903

Re: Hairpin not working

The first rule looks like it should accept everything. So if it's not firewall, another explanation would be wrong default gateway on server. It needs to be this router.
by Sob
Wed Sep 25, 2019 3:02 pm
Forum: Beginner Basics
Topic: how to deny traffic in one direction ?
Replies: 3
Views: 330

Re: how to deny traffic in one direction ?

Firewall is stateful if you use it that way (that means working with connection-state). I'd change posted rules a little:
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-in...
by Sob
Tue Sep 24, 2019 3:01 am
Forum: General
Topic: EoIP interface do not accept IPv6 address
Replies: 4
Views: 1308

Re: EoIP interface do not accept IPv6 address

We also have EoIPv6. I'm not sure since when exactly, but it's a few years at least.
by Sob
Tue Sep 24, 2019 2:56 am
Forum: Beginner Basics
Topic: VLAN on WAN(Ether1) port
Replies: 3
Views: 608

Re: VLAN on WAN(Ether1) port

1) If you configure clients to use VPN as default gateway, everything from them will go to router, so it's just a matter of allowing access from them to 192.168.200.0/24. If you don't use VPN as default gateway, you'll need to add a route on clients.
2) Easily with VPN as default gateway. Allow access fr...
by Sob
Tue Sep 24, 2019 2:08 am
Forum: Beginner Basics
Topic: Better VLAN?
Replies: 25
Views: 1941

Re: Better VLAN?

by Sob
Mon Sep 23, 2019 10:17 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 534

Re: "pure" ipsec, how to deal with MTU?

Can't it be your srcnat rules touching something they should not? Because unless I'm lost in what's connected where, if the icmp response should go to 192.168.21.251, then 192.168.90.253 as source doesn't look right.
by Sob
Mon Sep 23, 2019 9:31 pm
Forum: General
Topic: "pure" ipsec, how to deal with MTU?
Replies: 6
Views: 534

Re: "pure" ipsec, how to deal with MTU?

Check what the router really sends or not directly on router, add logging rule in output for icmp and destination address of client, and you'll see. I'd expect the opposite for split-include configs, i.e. that 0.0.0.0/0 would work, but selected subnets would not. Because if the router sends icmp pac...
by Sob
Mon Sep 23, 2019 9:05 pm
Forum: General
Topic: IPV6 only network
Replies: 12
Views: 714

Re: IPV6 only network

Few notes:
- Newer versions of Windows 10 can get DNS from RA (it came out about a year ago, I guess)
- RA in RouterOS takes DNS addresses only from IP->DNS and currently you can't do anything about it
- DHCPv6 does the same, but you can override it with manually created option
- You need 'other con...
by Sob
Mon Sep 23, 2019 8:54 pm
Forum: Beginner Basics
Topic: Router settings for same IP range at each port
Replies: 3
Views: 279

Re: Router settings for same IP range at each port

You can find some inspiration here: viewtopic.php?f=13&t=107142
by Sob
Sat Sep 21, 2019 7:05 pm
Forum: RouterBOARD hardware
Topic: RB953GS-5HnT locked out
Replies: 8
Views: 1317

Re: RB953GS-5HnT locked out

If you just turn it on without doing anything with reset button and get two beeps, RouterOS should be running. And with blank config it should show in WinBox under Neighbors tab. If it doesn't, first easy thing to try is to install Wireshark and have a look if there's any sign of life from RB on int...
by Sob
Fri Sep 20, 2019 4:53 pm
Forum: Forwarding Protocols
Topic: IPV6 Firewall allow specific port on specific ip only
Replies: 6
Views: 965

Re: IPV6 Firewall allow specific port on specific ip only

Drop just discards packets, reject sends extra packets back, so it's more expensive. On the other hand, you'll hardly see any difference, maybe if someone will be DDoSing you, but not otherwise. But reject is cleaner solution and makes debugging easier, because if something is blocked by mistake, yo...
by Sob
Fri Sep 20, 2019 4:42 pm
Forum: General
Topic: Feature Request: OpenSource AddOn Function...
Replies: 4
Views: 1571

Re: Feature Request: OpenSource AddOn Function...

Hey, I see my five-year-old post. Oh how the time flies... :)

Anyway, I still think it would be useful, but mainly for really exotic stuff where demand is too low for MikroTik to add that. Mainstream things should better get official support.
by Sob
Thu Sep 19, 2019 9:57 pm
Forum: General
Topic: Port forwarding
Replies: 4
Views: 508

Re: Port forwarding

If you don't need to have those ports open to whole world, you can add src-address(-list) parameter and have them open only for selected client(s). If that's not possible, you could try port knocking, so they would be closed, but you'd be able to open them from anywhere you need.
by Sob
Thu Sep 19, 2019 9:51 pm
Forum: Forwarding Protocols
Topic: IPV6 Firewall allow specific port on specific ip only
Replies: 6
Views: 965

Re: IPV6 Firewall allow specific port on specific ip only

It's action=drop, it silently discards packets and ports will show as filtered. If you use action=reject instead, router will send back info about closed ports. By default, if you don't have any firewall, closed ports send back either tcp reset or icmp port unreachable. There are also other icmp mes...
by Sob
Thu Sep 19, 2019 6:22 pm
Forum: Beginner Basics
Topic: Hairpin not working
Replies: 30
Views: 2903

Re: Hairpin not working

Actually, it means something different. If there was already this:
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
and it made connections from inside work (it should, because it's correct hairpin NAT rule), but connections from outside ...
by Sob
Thu Sep 19, 2019 11:45 am
Forum: Beginner Basics
Topic: Hairpin not working
Replies: 30
Views: 2903

Re: Hairpin not working

What if you temporarily add this rule? /ip firewall nat add action=masquerade chain=srcnat comment="TEMP" dst-port=2222 protocol=tcp dst-address=192.168.1.203 It will change source of all packets going to 192.168.1.203:2222, so that it will be router's internal address, same as it is when connecti...
by Sob
Wed Sep 18, 2019 8:45 pm
Forum: General
Topic: winbox Dark Mode
Replies: 9
Views: 1063

Re: winbox Dark Mode

It's just too different, it's not only colors, but also spacing and the whole structure. You can do different things when it is (or at least looks like) simple webpage, and when it's complex application with child windows. Before MikroTik does something, you can avoid getting blinded by too much whi...
by Sob
Wed Sep 18, 2019 8:05 pm
Forum: Forwarding Protocols
Topic: IPV6 Firewall allow specific port on specific ip only
Replies: 6
Views: 965

Re: IPV6 Firewall allow specific port on specific ip only

Think about it, it can't be easier:
/ipv6 firewall filter
add chain=forward dst-address=2a00:ee2:900:e700:5c47:2365:b1d2:67d protocol=tcp dst-port=80 action=accept
...
And of course it needs to be before the last drop rule.
by Sob
Wed Sep 18, 2019 7:56 pm
Forum: General
Topic: winbox Dark Mode
Replies: 9
Views: 1063

Re: winbox Dark Mode

Anything, as long as the option to use system colors remains. If it's not clear to anyone, the pink hell above is not PhotoShop, it actually works now. It works reasonably well with light colors, dark ones don't look good, because contrast with some derived colors is too big. But it wouldn't be too ...
by Sob
Wed Sep 18, 2019 7:33 pm
Forum: General
Topic: winbox Dark Mode
Replies: 9
Views: 1063

Re: winbox Dark Mode

For the record:
pinkbox.png
And no, that's not what I normally use. :D
by Sob
Wed Sep 18, 2019 7:24 pm
Forum: General
Topic: winbox Dark Mode
Replies: 9
Views: 1063

Re: winbox Dark Mode

I remember the days when users could choose colors from 24-bit RGB and whole system was supposed to respect that. Light windows, dark windows, pink windows, anything was possible. Today's big hit is two options to choose from, and it's supposed to be progress. :roll: I just want to say that if/when ...
by Sob
Wed Sep 18, 2019 6:57 pm
Forum: Beginner Basics
Topic: Hairpin not working
Replies: 30
Views: 2903

Re: Hairpin not working

Everything looks like it should work. I'd do some things differently, but that's not the problem now. I skimmed through older posts and if you still have my logging rules and you do see steps 1 and 2, but do not step 3, it would be problem with server not responding. So a step back, what was the ori...
by Sob
Wed Sep 18, 2019 6:42 pm
Forum: General
Topic: Firewall filter
Replies: 1
Views: 415

Re: Firewall filter

One guess, it's not random and internet in fact works, only DNS doesn't. More specifically, those computers that don't work use router as DNS resolver (it's probably configured in DHCP server) and those that do work use something else. You can try to add (before the last rule): /ip firewall filter a...
by Sob
Wed Sep 18, 2019 2:31 pm
Forum: Beginner Basics
Topic: Hairpin not working
Replies: 30
Views: 2903

Re: Hairpin not working

The public address routerWAN_IP is directly on this router (you'd see it in IP->Addresses), not on some other router, modem or whatever, right?
by Sob
Tue Sep 17, 2019 2:02 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 371
Views: 70244

Re: RB4011

I don't see why mPCIe card wouldn't be replaceable, as long as the new one will be supported by RouterOS. You can't just buy first card you see, because RouterOS definitely doesn't support all chipsets, but once some mPCIe ax card from MikroTik comes out, it must work.
by Sob
Tue Sep 17, 2019 12:50 pm
Forum: Beginner Basics
Topic: Hairpin not working
Replies: 30
Views: 2903

Re: Hairpin not working

Trace the packets, you need to see what exactly happens. Add something like (at the top): /ip firewall mangle add chain=prerouting protocol=tcp dst-port=2222 action=log log-prefix=step1 add chain=postrouting protocol=tcp dst-port=2222 action=log log-prefix=step2 add chain=prerouting protocol=tcp src...
by Sob
Tue Sep 17, 2019 11:10 am
Forum: Beginner Basics
Topic: Unable to open port forwarding
Replies: 4
Views: 521

Re: Unable to open port forwarding

What's with the in-interface=all-ethernet? It doesn't look like anything you need.
by Sob
Fri Sep 13, 2019 5:30 pm
Forum: Beginner Basics
Topic: Hairpin not working
Replies: 30
Views: 2903

Re: Hairpin not working

Even your original config should work (if you enable first rule). So make sure that packets are really passing through router (you can add logging rules in prerouting and postrouting) and if not, see where they are blocked.
by Sob
Fri Sep 13, 2019 5:19 pm
Forum: General
Topic: IPsec communication problems over VRRP configuration
Replies: 5
Views: 699

Re: IPsec communication problems over VRRP configuration

I think it's possible that I was wrong and dstnat rules are innocent. If the log is for response packet for connection initiated from this router, it can be srcnat.
by Sob
Fri Sep 13, 2019 4:52 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35520

Re: RouterOS v7.0beta1 (ARM)

@doneware: I wouldn't go into how consumers can or can not handle RouterOS. You can't solve that, either we can have nice and configurable system as we know it, or it can be user friendly for them. But hardly both at the same time. It's for different discussion. For packages, IMHO bundle was a mista...
by Sob
Fri Sep 13, 2019 4:04 pm
Forum: Beginner Basics
Topic: clarification about ways to use additional subnet provided by the ISP
Replies: 7
Views: 869

Re: clarification about ways to use additional subnet provided by the ISP

To be clear, I meant to use the public address routed to internal device (/ip route add dst-address=<public>/32 gateway=<device's internal address>) where it will be on some loopback interface. I wouldn't assign whole subnet to internal interface (as address yyy.yyy.yyy.x/29). It's the correct (or m...
by Sob
Fri Sep 13, 2019 2:11 pm
Forum: Beginner Basics
Topic: clarification about ways to use additional subnet provided by the ISP
Replies: 7
Views: 869

Re: clarification about ways to use additional subnet provided by the ISP

Subnet yyy.yyy.yyy.yyy/29 is static, right? So you can assign those addresses to router and other devices even if PPPoE is not up, only they won't have access to internet before PPPoE is connected. Don't try to find anything complicated about this, it's the simplest thing, exactly the same type of c...
by Sob
Fri Sep 13, 2019 6:48 am
Forum: Beginner Basics
Topic: clarification about ways to use additional subnet provided by the ISP
Replies: 7
Views: 869

Re: clarification about ways to use additional subnet provided by the ISP

It's simple. Let's say you got yyy.yyy.yyy.0/29. So ISP did on their side, expressed as RouterOS config: /ip route add dst-address=yyy.yyy.yyy.0/29 gateway=xxx.xxx.xxx.xxx And all eight addresses are routed to you. With traditional subnetting, you'd take one address and assign it to some internal in...
by Sob
Fri Sep 13, 2019 6:10 am
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

Sometimes you need to use multiple rules to achieve desired result. If you have something like: add action=deny dst-address=192.168.100.1 src-address=!10.50.10.120 add action=deny dst-address=192.168.100.1 src-address=!10.50.10.121 and expect access to be allowed from both addresses, then of course ...
by Sob
Fri Sep 13, 2019 6:02 am
Forum: General
Topic: ROS losing inbound packets from VPN
Replies: 2
Views: 442

Re: ROS losing inbound packets from VPN

If disabling fasttrack rule solves the problem, then you just need to add some additional conditions to it. I'm too lazy to think about specific addresses right now, but some examples would be connection-mark=no-mark to skip marked connections, dst-address=!<VPN subnet> or dst-address-list=!<more VP...
by Sob
Fri Sep 13, 2019 5:48 am
Forum: General
Topic: How do I get dot1x back for smips? [SOLVED]
Replies: 3
Views: 589

Re: How do I get dot1x back for smips? [SOLVED]

It looks like currently you're out of luck. It could perhaps return in v7, where the main package is supposed to be smaller, so it could fit again. But it will take a while. Separate package could be possible too, but MikroTik probably won't be too eager to make it. I don't need this myself, but I h...
by Sob
Fri Sep 13, 2019 5:37 am
Forum: Beginner Basics
Topic: Port forwarding connection refused
Replies: 3
Views: 549

Re: Port forwarding connection refused

I don't see anything wrong. What if you add this and try to connect, does it log anything?
/ip firewall mangle
add chain=prerouting connection-state=new dst-address=***.126.***.68 protocol=tcp dst-port=8080 action=log log-prefix="port8080"
by Sob
Fri Sep 13, 2019 12:43 am
Forum: General
Topic: IPsec communication problems over VRRP configuration
Replies: 5
Views: 699

Re: IPsec communication problems over VRRP configuration

<srcaddress> -> <xxx.xxx.xxx. 14 >, NAT <srcaddress> -> (<xxx.xxx.xxx. 13 > -> <xxx.xxx.xxx. 14 >). In short: the destination address is not the .13 (the IP which the tunnel was established), it's being NATed to the LAN IP of the router, and I have no idea why. I have already created all the accept ...
by Sob
Thu Sep 12, 2019 3:20 pm
Forum: General
Topic: Feature request: Static DNS NXDOMAIN
Replies: 8
Views: 1446

Re: Feature request: Static DNS NXDOMAIN

@davidg: AAAA works already, just enter IPv6 address:
/ip dns static
add address=2001:db8::1 name=aaaa.test
by Sob
Thu Sep 12, 2019 3:17 pm
Forum: General
Topic: Policy to block website in Mikrotik increase CPU
Replies: 16
Views: 1451

Re: Policy to block website in Mikrotik increase CPU

Your mistake is sharing only few rules, because the rest matters too. But the mangle rule does show the problem, you're checking the list for every single packet. So of course it's going to be slow. You need to check the list only for new connections, mark them and don't check the list again, someth...
by Sob
Thu Sep 12, 2019 3:02 pm
Forum: Beginner Basics
Topic: How to enable Webfig access from internet?
Replies: 7
Views: 586

Re: How to enable Webfig access from internet?

If you use VPN, then you shouldn't be connecting to xxx.sn.mynetname.net in WinBox, that address is only for VPN client. In WinBox you should use whatever private address the server uses in tunnel (I don't know what Quick Set configures), after you connect to VPN.
by Sob
Thu Sep 12, 2019 2:47 pm
Forum: Beginner Basics
Topic: Can I block a program from accessing internet
Replies: 4
Views: 410

Re: Can I block a program from accessing internet

You need to add certain rules to block specific traffic used by the program, if such exists. And yes, it's useless answer, but so was your question. How do you expect to get anything useful, when you don't provide any info? It's like asking how to prevent animals from ruining your garden - it's impo...
by Sob
Thu Sep 12, 2019 2:37 pm
Forum: Beginner Basics
Topic: NTP servers [SOLVED]
Replies: 1
Views: 274

Re: NTP servers [SOLVED]

You can use "Server DNS Names" field and insert as many hostnames as you need, e.g. 0.pool.ntp.org, 1.pool.ntp.org, or anything else.
by Sob
Wed Sep 11, 2019 6:08 pm
Forum: Beginner Basics
Topic: Beginner: SSTP Server on MikroTik behind Linksys router [SOLVED]
Replies: 8
Views: 1055

Re: Beginner: SSTP Server on MikroTik behind Linksys router [SOLVED]

Don't worry about it, there's plenty of beer here. :)
by Sob
Wed Sep 11, 2019 6:07 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35520

Re: RouterOS v7.0beta1 (ARM)

Wait, torrent wasn't a joke? I'm usually for everything so no hard complaints from me, but that seems ... unexpected. :D

Otherwise agree with packages, merging some basic ones into one would definitely make sense, but some could still stay separate.
by Sob
Wed Sep 11, 2019 4:28 pm
Forum: Beginner Basics
Topic: How to enable Webfig access from internet?
Replies: 7
Views: 586

Re: How to enable Webfig access from internet?

If you're accessing service on router itself, you only need to open port on router (using accept rule in input chain). Port forwarding rule won't do anything useful.
by Sob
Tue Sep 10, 2019 10:23 pm
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

You can take a hint and choose what you like better, either: a) Try with proxy config. I don't use it much, but this should work: /ip proxy access add action=deny dst-address=192.168.100.1 b) Re-evaluate if the proxy really does anything useful for you. And in case you find it doesn't, remove it and...
by Sob
Tue Sep 10, 2019 10:04 pm
Forum: General
Topic: Wan balance by ports number (protocol)
Replies: 11
Views: 1303

Re: Wan balance by ports number (protocol)

Your old rule forces everything from 192.168.0.0/24 to use wan1. So it directly conflicts with your new requirement to balance traffic from same 192.168.0.0/24 by port. You can't have both. Mark incoming connections based on WAN interface and port forwarding will work from both WANs: /ip firewall ma...
by Sob
Tue Sep 10, 2019 9:47 pm
Forum: General
Topic: Feature Request: Add LTE to WAN Interface List by default
Replies: 4
Views: 520

Re: Feature Request: Add LTE to WAN Interface List by default

Currently the interface list named "WAN" is only part of default config. But it doesn't have to exist at all, and if it does, it may not necessarily mean WAN (why would someone do that is another question, but it's possible). So either the list would have to be selectable, or it would have to be har...
by Sob
Tue Sep 10, 2019 6:41 pm
Forum: General
Topic: Policy to block website in Mikrotik increase CPU
Replies: 16
Views: 1451

Re: Policy to block website in Mikrotik increase CPU

What's the rest of your firewall rules?
by Sob
Tue Sep 10, 2019 1:36 am
Forum: Beginner Basics
Topic: Public ip address behind mikrotik
Replies: 1
Views: 304

Re: Public ip address behind mikrotik

No rules = everything is allowed.
Something is blocked => you must have some blocking rule (or the problem is elsewhere).

So it's good idea to start with telling us what you have now.
by Sob
Tue Sep 10, 2019 1:33 am
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

I think I see it. You're connecting to http://192.168.100.1, i.e. to default port 80, right? Then it's this rule, it redirects those connections to local web proxy and they are no longer going through forward chain: /ip firewall nat add action=redirect chain=dstnat comment="Web Cache Redirection" ds...
by Sob
Mon Sep 09, 2019 10:52 pm
Forum: General
Topic: Wan balance by ports number (protocol)
Replies: 11
Views: 1303

Re: Wan balance by ports number (protocol)

By open ports you mean dstnat from internet? If you have the usual config where you mark incoming connections based on interface, it should work with this just fine. These new rules won't override connection marks for already marked incoming connections.
by Sob
Mon Sep 09, 2019 9:16 pm
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 16
Views: 6934

Re: Add DNS over HTTPS (DoH) support

"Funny" thing is that implementation in browser (as Mozilla is pushing now; or generally per-application) makes the least sense of all. Either I want to protect whole network, so I need it on router. Or I want to protect computer (better for mobile devices, because with them I don't always have cont...
by Sob
Mon Sep 09, 2019 3:01 am
Forum: Beginner Basics
Topic: Dual wan Lan 2 Port Forwarding
Replies: 2
Views: 377

Re: Dual wan Lan 2 Port Forwarding

You should mark new incoming connections from each WAN and then mark routing for responses, to make them go back the same way.

You can find some inspiration here (the article is primarily about load balancing, so just ignore that part):
https://wiki.mikrotik.com/wiki/Manual:PCC
by Sob
Mon Sep 09, 2019 2:45 am
Forum: Scripting
Topic: OVPN + policy routing issue
Replies: 2
Views: 392

Re: OVPN + policy routing issue

Either make this your first mangle rule, so connections to 10.0.0.3 won't get marked by PCC: /ip firewall mangle add action=accept chain=prerouting in-interface=bridge dst-address=10.0.0.3 Or tell the router that 10.0.0.3 should be only looked up in main routing table, no matter what routing mark wi...
by Sob
Mon Sep 09, 2019 2:36 am
Forum: Beginner Basics
Topic: Beginner: SSTP Server on MikroTik behind Linksys router [SOLVED]
Replies: 8
Views: 1055

Re: Beginner: SSTP Server on MikroTik behind Linksys router [SOLVED]

1) ARP changes (DHCP's add-arp=yes, static entry for 192.168.88.251). If the goal was to prevent devices with manually assigned IP addresses from connecting through this router, it's fine. If it was done to help with RDP problem, it's useless. 2) When ether2 is part of bridge, 192.168.88.1/24 should...
by Sob
Sun Sep 08, 2019 8:33 pm
Forum: General
Topic: Port Forwarding on ECMP Balancing
Replies: 10
Views: 1122

Re: Port Forwarding on ECMP Balancing

It looks like you don't need original connection marks at all, the rules are re-marking connections with every packet, always switching between rx-con and tx-con, depending on direction. And all you really use those connection marks for is to avoid repeating in-interface-list condition for further ru...
by Sob
Sun Sep 08, 2019 6:51 pm
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

I missed one more: 4) Output of "/ip route print" from RB. But it doesn't look like there can be anything more than routes to connected subnets and then default route (to 0.0.0.0/0) with gateway IP address on "WAN1 PoE" interface. Traceroute clearly shows that first hop is 10.50.10.1 (so this router...
by Sob
Sun Sep 08, 2019 6:57 am
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

Still not helpful. Let's try this: 1) What's the IP address of device you test it from? I mean some that should not be allowed to access the modem? 2) Can you show the output "/ip address print" from RB? You can censor public addresses if there are any, but keep the private ones untouched. 3) Can yo...
by Sob
Sun Sep 08, 2019 4:52 am
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

It doesn't really tell me where the modem is. It's connected to this router, right? To which port? Does the router get some address (I'd assume some other 192.168.100.x) from it using dhcp? Try to describe everything in a way that even someone who doesn't see it can understand it.
by Sob
Sun Sep 08, 2019 3:33 am
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

So where exactly is 192.168.100.1? I assumed connected to WAN1 PoE, but it doesn't seem to be the case.
by Sob
Sun Sep 08, 2019 1:23 am
Forum: General
Topic: Multiples Web Servers - Public ip address
Replies: 4
Views: 640

Re: Multiples Web Servers - Public ip address

Then the header should be present.
by Sob
Sat Sep 07, 2019 11:39 pm
Forum: General
Topic: Multiples Web Servers - Public ip adress
Replies: 4
Views: 640

Re: Multiples Web Servers - Public ip adress

If you don't enable web proxy's anonymous option, it will send client's IP address to server in X-Forwarded-For header. The server won't see it on network level, because the connection really comes from proxy, but something can take it from the header (scripting language, webserver module, ...).
by Sob
Sat Sep 07, 2019 7:23 pm
Forum: General
Topic: [Feature Request] split DNS
Replies: 5
Views: 933

Re: [Feature Request] split DNS

That seems like a horrible idea. Thumbs up for privacy, but sending all users' DNS queries to some other party chosen by browser makers is much less exciting. Now I can have independent DNS resolver in my network, don't rely on any other parties than I have to, be sure that I validate DNSSEC, etc. T...
by Sob
Sat Sep 07, 2019 6:52 pm
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

I don't see it. If the traffic goes through this router, the rule must catch it (when you enable it, but I assume you did that; and when you don't make a mistake to test it only from 10.50.10.252, which would not be blocked). You can add this before the reject rule as a test and see if it logs somet...
by Sob
Sat Sep 07, 2019 4:56 am
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

Then you need to provide more info about your config. Exported configuration with some description (like what's connected where) is good way.
by Sob
Sat Sep 07, 2019 4:25 am
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

You can choose if you identify source by interface or subnet. So either: /ip firewall filter add chain=forward action=reject dst-address=192.168.100.1 reject-with=icmp-admin-prohibited in-interface=<LAN> or: /ip firewall filter add chain=forward action=reject dst-address=192.168.100.1 reject-with=ic...
by Sob
Sat Sep 07, 2019 4:20 am
Forum: General
Topic: Port Forwarding on ECMP Balancing
Replies: 10
Views: 1122

Re: Port Forwarding on ECMP Balancing

Are there any other marking rules that could interfere with these?
by Sob
Sat Sep 07, 2019 3:10 am
Forum: General
Topic: Port Forwarding on ECMP Balancing
Replies: 10
Views: 1122

Re: Port Forwarding on ECMP Balancing

Yes, those should work. And I'd keep those you had in chain=output too.
by Sob
Sat Sep 07, 2019 3:07 am
Forum: General
Topic: Rejecting or Dropping [Help]
Replies: 24
Views: 2548

Re: Rejecting or Dropping [Help]

What about simply blocking access from LAN subnet to 192.168.100.1?
by Sob
Sat Sep 07, 2019 3:05 am
Forum: General
Topic: Feature Request: USB CH340 usb-to-serial support.
Replies: 4
Views: 1061

Re: Feature Request: USB CH340 usb-to-serial support.

It may be possibly different for other architectures, but my usb-to-serial cable that reports as CH340 in Windows, works fine with CHR 6.45 (it's a little unusual to test it there, but right now I don't have physical RB with usb port here). I was able to connect from another PC over serial cable, so...
by Sob
Sat Sep 07, 2019 2:08 am
Forum: General
Topic: Port Forwarding on ECMP Balancing
Replies: 10
Views: 1122

Re: Port Forwarding on ECMP Balancing

Mangle rules (for marking connections) would be fine in input, if you were dealing only with connections to router itself. But if I'm not mistaken, you want to connect to service behind router. So you want them in prerouting (they would work in forward too, but in prerouting they will work for both ...
by Sob
Sat Sep 07, 2019 1:59 am
Forum: General
Topic: Wan balance by ports number (protocol)
Replies: 11
Views: 1303

Re: Wan balance by ports number (protocol)

If you used this exact config, then all outgoing connections from 192.168.0.0/24 should get marked, there wouldn't be any unmarked ones, so it looks like there's something different, perhaps some other rules are interfering.
by Sob
Sat Sep 07, 2019 1:43 am
Forum: General
Topic: Can not connect to hap light mikrotik using vpn sstp with certificate? receive error in windows 8.1 The cn name of the c
Replies: 17
Views: 1583

Re: Can not connect to hap light mikrotik using vpn sstp with certificate? receive error in windows 8.1 The cn name of t

Inside doesn't matter (much). It's like saying that you can get in fridge when you're in house, but you can't get in fridge when you're outside and house is locked. It's two different things.
by Sob
Sat Sep 07, 2019 1:38 am
Forum: Beginner Basics
Topic: Open VPN Client - LAN routing
Replies: 2
Views: 404

Re: Open VPN Client - LAN routing

MikroTik's OpenVPN server doesn't push routes to clients, you need to add them to client's config file like this:

route 10.10.10.0 255.255.255.0
route 10.10.20.0 255.255.255.0
...
by Sob
Sat Sep 07, 2019 1:36 am
Forum: General
Topic: Load Balance and IP Public
Replies: 2
Views: 440

Re: Load Balance and IP Public

If you want help, you can describe in more detail what exactly you did, or post your config, so someone can try to spot what's wrong. Not many people will watch long Youtube videos, because it doesn't really say anything useful, even if the instructions are correct (not always the case), there's no ...
by Sob
Sat Sep 07, 2019 1:22 am
Forum: Beginner Basics
Topic: NAT problems - Xbox One and Nintendo Switch
Replies: 31
Views: 3389

Re: NAT problems - Xbox One and Nintendo Switch

@RodrigoBrito: I'm afraid there's no easy solution for you. It's probably the "too many NATs" problem. For best chance for success, you'd have to change a lot. You'd need to convince ISP to deliver public addresses directly to your main router. Then you'd probably have to get rid of TP-Links and re...
by Sob
Sat Sep 07, 2019 12:47 am
Forum: Beginner Basics
Topic: Dual dynamic ISP WAN, dual LAN setup
Replies: 13
Views: 1191

Re: Dual dynamic ISP WAN, dual LAN setup

Two things: - JohnTRIVOLTA's solution is fine, except that running the script from scheduler every 10 seconds is waste of resources. It's better to move it to DHCP's lease script, where it will be run only when address (and possibly gateway) actually changes. - I'm not trying to ruin MikroTik's sale...
by Sob
Sat Sep 07, 2019 12:32 am
Forum: Beginner Basics
Topic: Network Making for (almost) Beginners
Replies: 10
Views: 1197

Re: Network Making for (almost) Beginners

Based on your description, I'm not sure what exactly you did. These things are better expressed as config. RouterOS has very useful command: /export hide-sensitive file=myconfig And then you can take resulting myconfig.rsc and share it with someone. You can censor some additional stuff like public I...
by Sob
Fri Sep 06, 2019 2:08 pm
Forum: General
Topic: Issues about detecting ip addresses of people nearby.
Replies: 1
Views: 209

Re: Issues about detecting ip addresses of people nearby.

Not just in future, even in present and not so distant past. In other words, it's already there.
by Sob
Fri Sep 06, 2019 3:59 am
Forum: General
Topic: Remote Access & Port Forward Over L2TP [SOLVED]
Replies: 4
Views: 495

Re: Remote Access & Port Forward Over L2TP [SOLVED]

Or that. But unless R2 is something limited (so not with RouterOS or any other advanced enough system), it can be done without it.
by Sob
Fri Sep 06, 2019 1:24 am
Forum: General
Topic: Remote Access & Port Forward Over L2TP [SOLVED]
Replies: 4
Views: 495

Re: Remote Access & Port Forward Over L2TP [SOLVED]

If you configure everything properly, it should work. The main part is making sure that R2 routes response packets from CCTV back to R1 via tunnel, and doesn't try to send them directly to client's address. So mark incoming connections from tunnel and then mark routing for replies to go back to tunn...
by Sob
Fri Sep 06, 2019 1:13 am
Forum: Beginner Basics
Topic: Where do you report a bug?
Replies: 12
Views: 1176

Re: Where do you report a bug?

It clearly says to contact the seller, or email support@mikrotik.com with detailed steps on what to send. I'm not sure, to me the second part of https://mikrotik.com/support looks as follow-up to first one, i.e. if I bought directly from you in last 30 days, then I have right to ask your support (a...
by Sob
Thu Sep 05, 2019 3:26 pm
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 56
Views: 23093

Re: OpenVPN SHA256 + UDP

Likely, it is too complicated to have 2 virtual routers for the task of implementing a VPN. If I have to manage whole OpenWRT in MetaROUTER (assuming that my device supports it at all), I might as well get some Raspi-like device and use that instead. And it will be even easier, I will have more OS ...
by Sob
Thu Sep 05, 2019 2:44 pm
Forum: General
Topic: Can not connect to hap light mikrotik using vpn sstp with certificate? receive error in windows 8.1 The cn name of the c
Replies: 17
Views: 1583

Re: Can not connect to hap light mikrotik using vpn sstp with certificate? receive error in windows 8.1 The cn name of t

When connecting from internet, it doesn't work with: a) Only Windows 7 device(s), others work correctly b) All devices (or this one with Windows 7 was the only one you really tried) ? If it's b), then check the basics, if the connectivity works at all, you have correctly configured firewall, etc. If...
by Sob
Thu Sep 05, 2019 2:36 pm
Forum: Beginner Basics
Topic: Where do you report a bug?
Replies: 12
Views: 1176

Re: Where do you report a bug?

@normis: IMHO it could use some improvements. Let's say I found a bug in RouterOS, but not a vulnerability. It's for real, I know it's bug and not my mistake, something is clearly misbehaving in RouterOS, even in latest beta. Now what? I didn't buy RouterBoard directly from MikroTik, like >99% of us...
by Sob
Thu Sep 05, 2019 2:16 pm
Forum: General
Topic: Winbox data usage
Replies: 1
Views: 289

Re: Winbox data usage

I don't know how long it took to transfer almost 10GB, but a lot of stuff is updated in UI, firewall counters for example, I guess it can add up if you keep it open.
by Sob
Thu Sep 05, 2019 3:34 am
Forum: Beginner Basics
Topic: Dual dynamic ISP WAN, dual LAN setup
Replies: 13
Views: 1191

Re: Dual dynamic ISP WAN, dual LAN setup

I'm not sure if you're referring to the same thing, but the example lease script from wiki only handles the gateway (add/update/remove) for given connection, it doesn't check connection status or reboot anything. For that, you have different options. You can use recursive routes (see the linked arti...
by Sob
Thu Sep 05, 2019 3:15 am
Forum: Beginner Basics
Topic: Unstoppable DSTNAT
Replies: 16
Views: 2166

Re: Unstoppable DSTNAT

Oh yeah, RouterOS is great. Regular home routers support only few predefined scenarios, and when you need anything else, you're out of luck. With RouterOS, you can configure almost anything. But it's also easier to make mistakes. Great freedom, great responsibility. And IPv6 is cool, don't disable t...
by Sob
Thu Sep 05, 2019 3:10 am
Forum: General
Topic: Can not connect to hap light mikrotik using vpn sstp with certificate? receive error in windows 8.1 The cn name of the c
Replies: 17
Views: 1583

Re: Can not connect to hap light mikrotik using vpn sstp with certificate? receive error in windows 8.1 The cn name of t

It's not like anyone remembers what all possible error codes mean (apologies to anyone who does, if such person exists). What I do is asking Google, in this case 0x8007274C and SSTP would be good keywords. I usually find mostly other people with the same problem, but if I'm lucky, I eventually find ...
by Sob
Thu Sep 05, 2019 2:51 am
Forum: Beginner Basics
Topic: Network Making for (almost) Beginners
Replies: 10
Views: 1197

Re: Network Making for (almost) Beginners

- I'm wondering about the Sob method, because this: Different wireless and wired DHCP addresses: If it should be one network 192.168.101.0/24 and addresses should be given out based on bridge interface, I'm not sure if it's even possible in RouterOS doesn't sound like solution to me. :) - Routing sp...
by Sob
Wed Sep 04, 2019 5:07 am
Forum: Beginner Basics
Topic: Dual dynamic ISP WAN, dual LAN setup
Replies: 13
Views: 1191

Re: Dual dynamic ISP WAN, dual LAN setup

To be honest, I was just saying that if you find some nice dual-WAN config you like, and it's made with static addresses, it's not a deal breaker, because you can use lease scripts to change config dynamically. Otherwise I don't enjoy multi-WAN configs very much and I tend to stay away. I also don't...
by Sob
Wed Sep 04, 2019 4:35 am
Forum: General
Topic: Wan balance by ports number (protocol)
Replies: 11
Views: 1303

Re: Wan balance by ports number (protocol)

This should work: /ip firewall mangle add action=jump chain=prerouting connection-state=new jump-target=balance src-address=192.168.0.0/24 add action=mark-connection chain=balance dst-port=0-1024,8000-9000,4244,5222-5223,5228,5242 new-connection-mark=wan1_conn passthrough=yes protocol=tcp add action...
by Sob
Wed Sep 04, 2019 4:21 am
Forum: Beginner Basics
Topic: IPv6 PD
Replies: 1
Views: 290

Re: IPv6 PD

It's not automatic, you need to configure it. Use DHCPv6 client to get prefix from upstream server, save it into pool, and then you can have DHCPv6 server delegating prefixes from that pool downstream. It would be best if you could take everything from modem and get whole /48 directly on RB. And /80 i...
by Sob
Wed Sep 04, 2019 4:15 am
Forum: General
Topic: [Feature Request] firewall-mangle, connection route mark
Replies: 2
Views: 409

Re: [Feature Request] firewall-mangle, connection route mark

You mean to stick routing mark to connection mark, to save rules that assign routing marks based on connection marks? It does sound useful, but if I understand it correctly, you'd need to have packet-based routing marks and then different connection-based routing marks, which could be a little "conf...
by Sob
Wed Sep 04, 2019 4:06 am
Forum: Beginner Basics
Topic: License renewal
Replies: 4
Views: 586

Re: License renewal

If you read what it says, it seems that there's some limit how many times you can change System ID on CHR, and you reached it. Solution, again based on what's written, should be to create new CHR instance, transfer config from the old one and then transfer license to it. It doesn't make much sense t...
by Sob
Wed Sep 04, 2019 3:32 am
Forum: Beginner Basics
Topic: Where do you report a bug?
Replies: 12
Views: 1176

Re: Where do you report a bug?

If you're sure it's bug, support shouldn't be offended by it. It will probably be nice change from all those "I don't know what I'm doing, but I'm sure your software is broken!" they are probably getting tons of. If you're less sure, you can always post it here and someone else can confirm or dispro...
by Sob
Tue Sep 03, 2019 11:30 pm
Forum: Beginner Basics
Topic: NAT problems - Xbox One and Nintendo Switch
Replies: 31
Views: 3389

Re: NAT problems - Xbox One and Nintendo Switch

VLANs by themselves won't help you, the problem is incoming traffic and NAT. In ideal world, each device would have own public address and they would be able to connect to each other directly. But there are not enough public IPv4 addresses for everyone, you need to hide multiple devices behind one c...
by Sob
Tue Sep 03, 2019 10:16 pm
Forum: General
Topic: [Feature Request] split DNS
Replies: 5
Views: 933

Re: [Feature Request] split DNS

For the record, failover with L7 should be doable. If you give two or more different resolvers to clients, you can do L7 and forward each address to different internal resolver. If one fails, there will be regular timeout and client will try another. It's of course not an argument against proper sup...
by Sob
Tue Sep 03, 2019 8:48 pm
Forum: General
Topic: Feature Request: IPerf
Replies: 50
Views: 10988

Re: Feature Request: IPerf

don't put development effort in tools that do not belong on a router ! Nah, let's make it useful and comfortable. You've already lost the fight for pure router anyway. Existing BTest, CAPsMAN, Dude, GPS, Graphing, KVM or MetaROUTER, NTP server, User manager, Web proxy, ... and if you're real purist...
by Sob
Tue Sep 03, 2019 8:35 pm
Forum: Beginner Basics
Topic: Help with SSTP & HTTPS Webserver Routing on Multi IP WAN Gateway
Replies: 1
Views: 318

Re: Help with SSTP & HTTPS Webserver Routing on Multi IP WAN Gateway

You don't have any problem, dstnat always wins over local service. It happens in prerouting stage, so if the packet was originally destined for public address on router, after dstnat its new destination is what you specified in to-addresses, which is no longer router's address. And that's what follo...
by Sob
Tue Sep 03, 2019 2:14 pm
Forum: Beginner Basics
Topic: Incoming Masquerade?
Replies: 2
Views: 365

Re: Incoming Masquerade?

People usually ask for the opposite, after they misconfigure their srcnat rules. :) So yes, it's definitely possible, just add new srcnat/masquerade rule for packets going to server. You can use either "to-addresses=192.168.100.191 to-ports=8080" condition, or just address, or out-interface=<where s...
by Sob
Tue Sep 03, 2019 5:22 am
Forum: General
Topic: Wan balance by ports number (protocol)
Replies: 11
Views: 1303

Re: Wan balance by ports number (protocol)

Don't mark routing directly. Mark connections first and then mark routing based on connection marks. It will be less work for router and it won't break incoming forwarded ports, if you have any. And I don't know how much experience you have with multi-WAN configs, but ethernet interface as gateway u...
by Sob
Tue Sep 03, 2019 5:12 am
Forum: General
Topic: SSH tunnel and port redirect
Replies: 1
Views: 368

Re: SSH tunnel and port redirect

It's remote forwarding described in manual: https://wiki.mikrotik.com/wiki/Manual:IP/SSH In PuTTY it's in Connection->SSH->Tunnels. Enable "Remote ports do the same (SSH-2 only)", add Source port 80, Destination 127.0.0.1:80 and select type Remote. It won't work if the remote port is already used by...
by Sob
Tue Sep 03, 2019 4:03 am
Forum: Beginner Basics
Topic: Beginner: SSTP Server on MikroTik behind Linksys router [SOLVED]
Replies: 8
Views: 1055

Re: Beginner: SSTP Server on MikroTik behind Linksys router [SOLVED]

Order of firewall rules matters. They are processed from top to bottom, so you need to have this:
add action=accept chain=input dst-port=443 protocol=tcp
before this:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
by Sob
Tue Sep 03, 2019 3:47 am
Forum: Beginner Basics
Topic: Dual dynamic ISP WAN, dual LAN setup
Replies: 13
Views: 1191

Re: Dual dynamic ISP WAN, dual LAN setup

I don't have step by step instructions, but one hint, dynamic config is not a problem. DHCP client can run script when it gets address, so you can use that to update any otherwise static config. See the manual: https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client#Lease_script_example. PPPoE has simi...
by Sob
Tue Sep 03, 2019 3:39 am
Forum: Beginner Basics
Topic: NAT problems - Xbox One and Nintendo Switch
Replies: 31
Views: 3389

Re: NAT problems - Xbox One and Nintendo Switch

Sorry, I sometimes put some topics aside, to have a better look when I have more time, but sometimes it happens that they get lost among other browser tabs. I see two possible problems: 1) Too many NATs. You have at least three and no easy way to get rid of them. With some luck, the one at ISP may b...
by Sob
Mon Sep 02, 2019 8:09 pm
Forum: Beginner Basics
Topic: IPv6 DHCP Client can't get prefix
Replies: 8
Views: 1623

Re: IPv6 DHCP Client can't get prefix

That's what happens when you set Accept Router Advertisements to yes, router will get autoconfigured SLAAC address (if the other router advertises it). The only catch is that current RouterOS doesn't show that address in UI. It has it, uses it, but you don't see it.
by Sob
Mon Sep 02, 2019 8:04 pm
Forum: Beginner Basics
Topic: Forwar VPN through specific Dynamic Wan [SOLVED]
Replies: 5
Views: 741

Re: Forwar VPN through specific Dynamic Wan [SOLVED]

That's it. Only instead of using rule number directly, you may want to give the route some unique comment and use that to find it, i.e.: /ip route set [/ip route find comment="my-route"] dst-address=$RemoteIp That way it will work even if you make some changes in routes and this one will no longer b...
by Sob
Sun Sep 01, 2019 8:33 pm
Forum: General
Topic: Access Port From Lan With Wan IP
Replies: 21
Views: 2152

Re: Access Port From Lan With Wan IP

Correct, it's the same problem as before, which is not a surprise, because I took the previous rules as template and I already forgot about missing action.
by Sob
Sun Sep 01, 2019 6:55 pm
Forum: General
Topic: Can not log into RB750 with WinBox
Replies: 3
Views: 355

Re: Can not log into RB750 with WinBox

Firewall rule blocks access only from ether1-WAN-TILKOBLING, it should work from any other interface. Also connecting to MAC address should work from anywhere, because it's enabled by default and this config doesn't disable it.
by Sob
Sun Sep 01, 2019 12:11 am
Forum: General
Topic: Quick Set
Replies: 6
Views: 897

Re: Quick Set

Someone else will see it, make the same mistake and learn from that. I guess it has to be that way. ;) Of course MikroTik could add some warning to make it more clear what Quick Set does and what are its limitations. The thing itself is not bad, simple interface for beginners is useful, but there's ...
by Sob
Sun Sep 01, 2019 12:02 am
Forum: Beginner Basics
Topic: Forwar VPN through specific Dynamic Wan [SOLVED]
Replies: 5
Views: 741

Re: Forwar VPN through specific Dynamic Wan [SOLVED]

PPPoE can run scripts when it connects or disconnects, you can configure routes from there.

Manual (look for on-up and on-down): https://wiki.mikrotik.com/wiki/Manual:P ... r_Profiles
by Sob
Sat Aug 31, 2019 11:49 pm
Forum: General
Topic: /ip/firewall/nat - srcnat masquerade [SOLVED]
Replies: 5
Views: 889

Re: /ip/firewall/nat - srcnat masquerade [SOLVED]

Btw, I wouldn't worry about two rules instead of one. NAT rules are processed only once for each connection, right at the beginning. For all further packets it's connection tracking that handles things, and it happens in any case.
by Sob
Sat Aug 31, 2019 7:01 pm
Forum: General
Topic: Quick Set
Replies: 6
Views: 897

Re: Quick Set

The secret of Quick Set (well, it's not really a secret) is that you either use it exclusively and forget that anything outside of it exists, or you use it once to create initial config and then forget that Quick Set exists. Seeing wrong addresses in Quick Set is a sign that you made some changes ou...
by Sob
Sat Aug 31, 2019 6:54 pm
Forum: General
Topic: Access Port From Lan With Wan IP
Replies: 21
Views: 2152

Re: Access Port From Lan With Wan IP

Ok, let's clean it up. Get rid of everything in "/ip firewall mangle", it was only for debugging. Then remove (or just only disable at first and remove later when everything works) these: /ip firewall nat ... add action=dst-nat chain=dstnat dst-address=192.168.1.250 dst-port=5050 protocol=udp to-add...
by Sob
Sat Aug 31, 2019 6:15 pm
Forum: General
Topic: /ip/firewall/nat - srcnat masquerade [SOLVED]
Replies: 5
Views: 889

Re: /ip/firewall/nat - srcnat masquerade [SOLVED]

- does the hairpin nat thingy, so i can reach my server from in and outside my home network by its domain name (which resolves to my public address) And have you checked your server's log, from where all the visitors seem to be coming from? With this beauty, every single one of them, even those fro...
by Sob
Fri Aug 30, 2019 5:59 am
Forum: General
Topic: Can't get IPv6 Address via DHCP Client on MikroTik
Replies: 5
Views: 650

Re: Can't get IPv6 Address via DHCP Client on MikroTik

Google says that Macs can do DHCPv6. Of course you need to have the server first. For RouterOS as SLAAC client, I wouldn't hold my breath. It's something you don't normally need for router. It can make sense for non-router use, e.g. as management address for AP. But most people don't really need glo...
by Sob
Thu Aug 29, 2019 6:50 pm
Forum: Beginner Basics
Topic: VLAN between two routers. Can it work!? If so how?
Replies: 9
Views: 844

Re: VLAN between two routers. Can it work!? If so how?

You wrote long description, but still nobody can have any idea (except guesses), what you actually did on CRS. I'll borrow a signature from one other user, as it fits perfectly here: Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematica...
by Sob
Thu Aug 29, 2019 6:40 pm
Forum: General
Topic: Can't get IPv6 Address via DHCP Client on MikroTik
Replies: 5
Views: 650

Re: Can't get IPv6 Address via DHCP Client on MikroTik

And what happens when you change other device's "Configure IPv6" option to "only DHCPv6" (if such option exists there)? Does it still get address? In other words, are you sure that you have DHCPv6 server in your network? Because IPv6 can also use simpler SLAAC (autoconfiguration). RouterOS sort of s...
by Sob
Thu Aug 29, 2019 6:32 pm
Forum: Beginner Basics
Topic: IPv6 DHCP Client can't get prefix
Replies: 8
Views: 1623

Re: IPv6 DHCP Client can't get prefix

Are you sure that other devices use DHCPv6 to get addresses and not SLAAC (autoconfiguration)?
by Sob
Thu Aug 29, 2019 6:31 pm
Forum: Forwarding Protocols
Topic: RDP to multiple servers on a different Subnet [SOLVED]
Replies: 4
Views: 603

Re: RDP to multiple servers on a different Subnet [SOLVED]

If I understand you correctly, then on Router 1 you need: /ip route add dst-address=192.168.20.0/24 gateway=10.0.10.2 And then you don't need any NAT on Router 2. The rest depends on firewall rules. If you would have none, everything would be allowed. If you don't want that, you need to add proper r...
by Sob
Thu Aug 29, 2019 6:20 pm
Forum: Beginner Basics
Topic: Enable Firewall Rule receiving UDP-Packet with content "ONF"
Replies: 1
Views: 310

Re: Enable Firewall Rule receiving UDP-Packet with content "ONF"

Something is possible. If you want "ON" (case-sensitive) anywhere in packet, you can use this: /ip firewall filter add action=accept chain=forward content=ON dst-port=9999 protocol=udp For whole packet containing only "ON" and nothing else (but case-insensitive, so even "on", "On" or "oN" will match...
by Sob
Thu Aug 29, 2019 6:00 pm
Forum: Beginner Basics
Topic: Winbox remotely acccess conection only syn sent but not established
Replies: 1
Views: 264

Re: Winbox remotely acccess conection only syn sent but not established

WinBox shouldn't need anything more. It works for me with just tcp/8291 open. But you can add log=yes to last drop rule and see what happens there.
by Sob
Thu Aug 29, 2019 3:36 am
Forum: General
Topic: Issue when add the certificate for hotspot "https"
Replies: 3
Views: 488

Re: Issue when add the certificate for hotspot "https"

I can give you tips, but unfortunately not any step by step guide. First you need to decide how much free you want it. Certificate is no problem, Let's Encrypt issues them for free, but you do need a real domain name. Best case that gives you most options is to register/buy one (.com, .net, whatever...
by Sob
Wed Aug 28, 2019 6:48 pm
Forum: General
Topic: Access Port From Lan With Wan IP
Replies: 21
Views: 2152

Re: Access Port From Lan With Wan IP

Try posting your nat rules again, maybe there's something left that shouldn't be there.
by Sob
Wed Aug 28, 2019 12:00 am
Forum: General
Topic: Issue when add the certificate for hotspot "https"
Replies: 3
Views: 488

Re: Issue when add the certificate for hotspot "https"

It's a little more difficult than this. Regular browser contains built-in list of trusted certificate authorities. If you get certificate from any of them, browser is able to verify that trusted CA signed it. Another step is who the certificate is for, the most common is specific hostname. So if you ...
by Sob
Tue Aug 27, 2019 12:33 am
Forum: General
Topic: Access Port From Lan With Wan IP
Replies: 21
Views: 2152

Re: Access Port From Lan With Wan IP

Well, if for whole time the mistake was using udp instead of tcp, you can go back before we started playing with logging rules and only fix the protocol: /ip firewall nat add chain=dstnat dst-address=192.168.1.250 protocol=tcp dst-port=5050 to-addresses=172.16.1.30 add chain=dstnat dst-address=xxx.x...
by Sob
Tue Aug 27, 2019 12:19 am
Forum: General
Topic: ICMP Firewall Potential Bug
Replies: 13
Views: 1152

Re: ICMP Firewall Potential Bug

Your whole forward chain is: /ip firewall filter add action=accept chain=forward ipv4-options=any protocol=icmp add action=accept chain=forward comment="Iona Server" dst-address=X.X.X.X dst-port=80,443,8443 protocol=tcp add action=accept chain=forward <-- implicit default action (not shown as part o...
by Sob
Mon Aug 26, 2019 4:31 pm
Forum: Beginner Basics
Topic: NAT problems - Xbox One and Nintendo Switch
Replies: 31
Views: 3389

Re: NAT problems - Xbox One and Nintendo Switch

I won't lie to you, "how do I recognize public IP address?" is not good start. And following steps are more difficult. Anyway, look in IP->Addresses and check what's on uplink interfaces (internet connections). If it's 10.x.x.x, 192.168.x.x, 172.16-31.x.x or 100.64-127.x.x, it's not public. Next, it ...
by Sob
Mon Aug 26, 2019 3:44 pm
Forum: General
Topic: how to display a message to all requests ?
Replies: 3
Views: 294

Re: how to display a message to all requests ?

It's somewhere between difficult and impossible. Now that https is almost everywhere, you can't intercept traffic like it was possible before. You can try to either play with hotspot, or just redirect port 80 traffic to your web server, make it send redirection to your info page, and hope that capti...
by Sob
Mon Aug 26, 2019 3:34 pm
Forum: General
Topic: ICMP Firewall Potential Bug
Replies: 13
Views: 1152

Re: ICMP Firewall Potential Bug

You want this instead of your rule: /ip firewall filter add action=accept chain=input comment="Allow ICMP - all" protocol=icmp No need to watch for connection-state, because at position where the rule is, everything is either new or untracked, all other states are already handled by previous rules....
by Sob
Mon Aug 26, 2019 4:44 am
Forum: General
Topic: Downgrade from 6.43.2 to 6.42.x
Replies: 4
Views: 565

Re: Downgrade from 6.43.2 to 6.42.x

The idea behind lowest supported version is that sometimes there may be small hardware changes, requiring also software support. If you'd downgrade to older version, it wouldn't work correctly. So now you can't. Regular upgrade/downgrade is done by currently installed system, and if it checks minimu...
by Sob
Sun Aug 25, 2019 10:53 pm
Forum: General
Topic: Network Configuration Help
Replies: 3
Views: 383

Re: Network Configuration Help

The part about the rule doesn't make sense, passthrough is basically a "do nothing" action. According to manual:
passthrough - if packet is matched by the rule, increase counter and go to next rule (useful for statistics).
by Sob
Sun Aug 25, 2019 10:42 pm
Forum: General
Topic: IPSec - duplicate entry and weird log
Replies: 9
Views: 846

Re: IPSec - duplicate entry and weird log

Is this all from one peer? I see four parts (by starting time): 14:17:54 - incoming phase 1, fails with "no identity suits proposal" 14:17:59 - same as previous 14:18:01 - outgoing phase 1 & 2, succeeds 14:18:03 - incoming phase 1, authentication succeeds, router sends response, but peer resends the...
by Sob
Sun Aug 25, 2019 10:01 pm
Forum: Beginner Basics
Topic: NAT problems - Xbox One and Nintendo Switch
Replies: 31
Views: 3389

Re: NAT problems - Xbox One and Nintendo Switch

So to sum it up, everything works well, except few devices and who knows what crazy things they are doing. We know close to nothing about your config. There's one RB with four connections to internet. Then there are several switches and you do something with PPPoE in LAN. No exact config. We even ha...
by Sob
Sun Aug 25, 2019 9:28 pm
Forum: General
Topic: Network Configuration Help
Replies: 3
Views: 383

Re: Network Configuration Help

So there's another router actually connecting the whole network to internet? Then the solution should be simple, on that router add new static route to 192.168.60.0/24 with gateway 192.168.20.X where X is whatever the RB has.
by Sob
Sun Aug 25, 2019 8:52 pm
Forum: General
Topic: Access Port From Lan With Wan IP
Replies: 21
Views: 2152

Re: Access Port From Lan With Wan IP

This is some already established connection from elsewhere. Let's try slightly different config: /ip firewall mangle add action=mark-connection chain=prerouting connection-state=new dst-address=1.1.1.1 dst-port=5050 log=yes log-prefix=new new-connection-mark=debug passthrough=yes protocol=udp src-ad...
by Sob
Sun Aug 25, 2019 7:33 pm
Forum: General
Topic: [Feature Request] Winbox and netinstall 64 Bit versions - URGENT
Replies: 21
Views: 3581

Re: [Feature Request] Winbox and netinstall 64 Bit versions - URGENT

Normally when compiler supports both 32 and 64 bits, source code is very similar, only some data types are different, and for newer stuff it's handled transparently with proper definitions. Older sources need adjustments, but it's still mostly the same. Of course with older and larger sources, it co...
by Sob
Sun Aug 25, 2019 7:22 pm
Forum: Beginner Basics
Topic: Alternate DNS for one domain
Replies: 4
Views: 476

Re: Alternate DNS for one domain

Here's some reading for you: viewtopic.php?f=2&t=133767
by Sob
Sun Aug 25, 2019 7:15 pm
Forum: Beginner Basics
Topic: Unstopable DSTNAT
Replies: 16
Views: 2166

Re: Unstopable DSTNAT

You need to check and possibly adjust server config. As I wrote, server can see difference between direct connection in LAN and connection from internet, and can behave differently for them. If the webserver is some pre-made appliance and you didn't install and configure it yourself, it's probably so...
by Sob
Sat Aug 24, 2019 2:02 pm
Forum: General
Topic: IPSec - duplicate entry and weird log
Replies: 9
Views: 846

Re: IPSec - duplicate entry and weird log

For these new error messages, try more verbose logging:
/system logging
add topics=ipsec,!packet
There's often some useful info that's not shown by default.

And sorry for hijacking your thread, I thought it could be the same thing, but maybe not.
by Sob
Sat Aug 24, 2019 1:26 am
Forum: General
Topic: IPSec - duplicate entry and weird log
Replies: 9
Views: 846

Re: IPSec - duplicate entry and weird log

Before OP returns with some more info, I can say that firewall problem is unlikely in my case. When my router is initiator, it works, so remote peer must accept new connections. The problem occurs when remote peer is initiator, but since the packet arrived to my router and IPSec sees it, my firewall...
by Sob
Sat Aug 24, 2019 12:44 am
Forum: Beginner Basics
Topic: Forward port 9081 [SOLVED]
Replies: 7
Views: 881

Re: Forward port 9081 [SOLVED]

It's still the same principle, you need correct routing between both ends. If some radios get addresses from PPPoE, maybe you need to route it through PPPoE server. Adding addresses to router could help too, but I'm not sure about all configuration details, so I can't guarantee that it won't break s...
by Sob
Sat Aug 24, 2019 12:31 am
Forum: Beginner Basics
Topic: Loab Balance Failover
Replies: 8
Views: 819

Re: Loab Balance Failover

The usual trick is to use address (and other config) provided by ISP or whoever you get the connection from. So I guess there was perhaps some miscommunication in this regard? But important is that it works.
by Sob
Fri Aug 23, 2019 11:27 pm
Forum: General
Topic: ICMP Firewall Potential Bug
Replies: 13
Views: 1152

Re: ICMP Firewall Potential Bug

It's possible. But it's also possible that your firewall is not configured exactly as you think it is. But since nobody here knows what you have there...
by Sob
Fri Aug 23, 2019 6:55 pm
Forum: General
Topic: New RB450G☓4 Breaks Google and its Services (Solved)
Replies: 13
Views: 1105

Re: New RB450G☓4 Breaks Google and its Services

You need to fix the mask, because it explains your problem, quite a few of Google's networks are in 172.0.0.0/8.
by Sob
Fri Aug 23, 2019 6:39 pm
Forum: Beginner Basics
Topic: Simplifying my forward chain? [SOLVED]
Replies: 6
Views: 665

Re: Simplifying my forward chain? [SOLVED]

1) Fasttrack doesn't work for everything. I don't use it, so I'm not very good with it, but I read somewhere that even fasttracked connections need to let some packets take the normal path. 2) Yes. And if source address is 192.168.0.0/24, no spoofing from LAN will be possible. There's no referenc...
by Sob
Fri Aug 23, 2019 5:21 pm
Forum: General
Topic: Fail-over WAN Monitoring
Replies: 2
Views: 344

Re: Fail-over WAN Monitoring

The good one where you can see how to mark incoming connections and outgoing responses is https://wiki.mikrotik.com/wiki/Manual:PCC. Just ignore two rules with per-connection-classifier option, those are for load balancing, which the article is primarily about.
by Sob
Fri Aug 23, 2019 5:16 pm
Forum: Beginner Basics
Topic: Simplifying my forward chain? [SOLVED]
Replies: 6
Views: 665

Re: Simplifying my forward chain? [SOLVED]

- fasttrack established,related - accept established,related,untracked - drop invalid - accept from LAN interface and 192.168.0.0/24 to WAN interface and not to NotPublic - jump to vlan80>LAN (where you allow what should pass) - jump to vlan70>LAN (same as previous) - accept dstnatted if not from No...
by Sob
Fri Aug 23, 2019 2:55 pm
Forum: General
Topic: Access Port From Lan With Wan IP
Replies: 21
Views: 2152

Re: Access Port From Lan With Wan IP

"Not working" is not very useful info, it needs more details. Look at rules' counters, do they increase when you try to connect? Use either Tools->Torch and look for udp/5050 packets, or add logging rules to prerouting and postrouting, e.g.: /ip firewall mangle add chain=prerouting protocol=udp dst-...
by Sob
Fri Aug 23, 2019 2:35 pm
Forum: Forwarding Protocols
Topic: RDP to multiple servers on a different Subnet [SOLVED]
Replies: 4
Views: 603

Re: RDP to multiple servers on a different Subnet [SOLVED]

If it's all your network, you shouldn't need any NAT at all. Just make sure you have proper routes (i.e. device in 192.168.1.0/24 knows where to send packets for 192.168.2.10, and also 192.168.2.10 knows where 192.168.1.x is) and your firewall doesn't block these packets. That's all.
by Sob
Thu Aug 22, 2019 11:34 pm
Forum: General
Topic: IPV6 "no Route to Host"
Replies: 1
Views: 263

Re: IPV6 "no Route to Host"

Not enough info. What exactly did ISP give you (config), how is everything connected, to what ports, what ports are in bridge, etc?
by Sob
Thu Aug 22, 2019 11:13 pm
Forum: Beginner Basics
Topic: How to change source IP to destination network
Replies: 8
Views: 1019

Re: How to change source IP to destination network

If 172.21.x.x means that target network includes all addresses with any last two numbers, then the correct mask is /16. Other than that, the rule does exactly what you described it should do. If it doesn't work, there may be something else missing. Try to describe in more detail how the whole thing ...
by Sob
Thu Aug 22, 2019 7:15 pm
Forum: Beginner Basics
Topic: Forward port 9081 [SOLVED]
Replies: 7
Views: 881

Re: Forward port 9081 [SOLVED]

Do the radios have route to 192.168.88.88? They need either route to this address (or larger subnet like 192.168.88.0/24) or default route, both with gateway being whatever address from their subnet you added to router. For example, radio with address in 192.168.5.0/24 subnet needs route with gatewa...
by Sob
Thu Aug 22, 2019 6:13 pm
Forum: General
Topic: IPSec - duplicate entry and weird log
Replies: 9
Views: 846

Re: IPSec - duplicate entry and weird log

It won't help you, but you're not alone, I also see this on one router. I also have two tunnels with two different peers and only one does this. I don't know when it started, but I first saw it happening on older RouterOS that worked fine before. I don't remember exact version, I think something a l...
by Sob
Thu Aug 22, 2019 5:05 pm
Forum: Beginner Basics
Topic: Loab Balance Failover
Replies: 8
Views: 819

Re: Loab Balance Failover

Activity on interface doesn't necessarily mean that there's access to internet. What if you disconnect the router and instead plug the cable into computer with statically configured 192.168.1.2/24 and gateway 192.168.1.10?
by Sob
Thu Aug 22, 2019 4:51 pm
Forum: General
Topic: [Feature Request] Winbox and netinstall 64 Bit versions - URGENT
Replies: 21
Views: 3581

Re: [Feature Request] Winbox and netinstall 64 Bit versions - URGENT

It's still the same old problem. Having to write something several times for different OSes sucks. It's extra work, so it costs more, the code is different, there will be different bugs, etc. It's logical that there were always attempts to have solution that would allow to write the thing only once ...
by Sob
Thu Aug 22, 2019 3:05 pm
Forum: Beginner Basics
Topic: Network Making for (almost) Beginners
Replies: 10
Views: 1197

Re: Network Making for (almost) Beginners

I for one think that to play with something until you get it right is great method. But it works best when you have lot of time and don't play with something that will make people mad if you mess it up. ;) About the things you're looking for: Captive portal: https://wiki.mikrotik.com/wiki/Manual:IP/...
by Sob
Thu Aug 22, 2019 2:40 pm
Forum: General
Topic: Access Port From Lan With Wan IP
Replies: 21
Views: 2152

Re: Access Port From Lan With Wan IP

Oops, my bad, the rules I posted should have action=dst-nat, but they had no action, so it turned into default action=accept. And when you change it, you don't need the last two rules anymore.
by Sob
Thu Aug 22, 2019 2:30 pm
Forum: General
Topic: Issue with L2TP/IPSec VPN, Clients cant access LAN devices
Replies: 4
Views: 506

Re: Issue with L2TP/IPSec VPN, Clients cant access LAN devices

It can, if you do your config right. But it's hard to suggest anything, when nobody knows what exactly you have now.
by Sob
Thu Aug 22, 2019 12:59 am
Forum: Beginner Basics
Topic: Unstopable DSTNAT
Replies: 16
Views: 2166

Re: Unstopable DSTNAT

After you're redirected, do you actually see https://192.168.0.X:54321 in browser's address bar, including the port? If you do, it's definitely not done by router. And again, if you check server requests in browser developer console, you'd see the redirection sent by server on http level there.
by Sob
Thu Aug 22, 2019 12:55 am
Forum: General
Topic: Discord question
Replies: 7
Views: 901

Re: Discord question

IP->Firewall->Raw, it's similar to IP->Firewall->Filter. Just use prerouting chain instead of forward. But remember, maybe it won't work either.
by Sob
Thu Aug 22, 2019 12:37 am
Forum: Beginner Basics
Topic: How to set up IPv6 on my router?
Replies: 4
Views: 657

Re: How to set up IPv6 on my router?

It's simple: /ipv6 route add dst-address=2a00:XXXX:XX11::/48 type=unreachable The reason for this, if you look at existing routes, there's only default one and then connected route for /64 used on bridge (probably 2a00:XXX:XX11:0000::/64, or something else instead of 0000). So if a packet from inter...
by Sob
Thu Aug 22, 2019 12:17 am
Forum: General
Topic: New RB450G☓4 Breaks Google and its Services (Solved)
Replies: 13
Views: 1105

Re: New RB450G☓4 Breaks Google and its Services

Try to stretch "breaks" a little, into few sentences maybe... There's lot of ways how something can break, it would be good to understand what exactly is happening here. Try to describe it in a way that someone who doesn't see it can understand.
by Sob
Thu Aug 22, 2019 12:08 am
Forum: General
Topic: Discord question
Replies: 7
Views: 901

Re: Discord question

No. It's not exactly as I thought. The first one is not real rule, you can't disable it. But it shows that you have fasttrack enabled and I don't know if there's a way to close fasttracked connection. One way would be to permanently disable the whole thing, but it's useful, so it's not the best solu...
by Sob
Wed Aug 21, 2019 10:48 pm
Forum: General
Topic: Discord question
Replies: 7
Views: 901

Re: Discord question

It sounds like you don't drop everything, but only new connections. Rules are processed in order from top to bottom, so if you'd have standard "accept established & related" before your drop rule, it would allow existing connections to survive.
by Sob
Wed Aug 21, 2019 9:19 pm
Forum: Beginner Basics
Topic: Forward VPN traffic through SSH Tunnel SOCKS5
Replies: 1
Views: 366

Re: Forward VPN traffic through SSH Tunnel SOCKS5

I don't have much experience with ssh tunnels, especially in RouterOS, but aren't those only for tcp? That wouldn't work for L2TP or PPTP without some additional tunnel, but SSTP or OpenVPN would be possible. With those, you should be able to simply forward a port to the server through ssh and run the VPN...
by Sob
Wed Aug 21, 2019 9:08 pm
Forum: Beginner Basics
Topic: Unstoppable DSTNAT
Replies: 16
Views: 2166

Re: Unstoppable DSTNAT

HTTP is more complex. If you enter https://192.168.1.77 in the browser and then you try https://exemple.com:54321 (taken from your WP post), for the web server it's not the same, those are requests for two distinct virtual hosts. And what happens depends on the server or web application. As I wrote, check in br...
by Sob
Wed Aug 21, 2019 8:58 pm
Forum: Beginner Basics
Topic: Load Balance Failover
Replies: 8
Views: 819

Re: Load Balance Failover

Stupid question, are you sure that WAN2 works at all? Config seems ok.

Edit: Are WAN2 routes active? You can also try arp instead of ping for check-gateway.
by Sob
Wed Aug 21, 2019 8:44 pm
Forum: General
Topic: Access Port From Lan With Wan IP
Replies: 21
Views: 2152

Re: Access Port From Lan With Wan IP

Ok, I think I mixed up your LAN and the link between modem and router. And I also forgot to ask if you have NAT on RB, or if you have proper routing to LAN from modem. So if 172.16.1.0/24 is LAN and 192.168.1.250/24 is on router's WAN (link to modem), then you can either have two rules: /ip firewall...
by Sob
Wed Aug 21, 2019 8:31 pm
Forum: Beginner Basics
Topic: Forward port 9081 [SOLVED]
Replies: 7
Views: 881

Re: Forward port 9081 [SOLVED]

I don't know what you're missing, but we're missing more info.
- Radios are connected to eth1-eth5, I guess?
- What's their IP config, addresses, routes?
- To what address are they connecting? I'd guess 192.168.88.88, but then you wouldn't need dstnat.
- What's the IP config on router's bridge1?
- W...
by Sob
Wed Aug 21, 2019 8:22 pm
Forum: Beginner Basics
Topic: Unstoppable DSTNAT
Replies: 16
Views: 2166

Re: Unstoppable DSTNAT

The router is fine, it doesn't contain any kind of creative module that would do anything it's not told to do by config. Disabled rules are not active, period. Your linked post at WP suggests that it's something with WP config. Check http requests in the browser's developer console (for example in Firefox...
by Sob
Wed Aug 21, 2019 8:01 pm
Forum: General
Topic: Access Port From Lan With Wan IP
Replies: 21
Views: 2152

Re: Access Port From Lan With Wan IP

What destination you specify, that's what the rule will look for. If it's only dst-port, it will match all connections to that port, incoming, outgoing, anything, no matter what the destination address is. Your setup is a little bit more complex than usual, so let's take it step by step. First part ...
by Sob
Wed Aug 21, 2019 6:04 pm
Forum: General
Topic: S2S tunnel up, all can ping except mikrotik [SOLVED]
Replies: 4
Views: 661

Re: S2S tunnel up, all can ping except mikrotik [SOLVED]

Your rule excludes traffic between subnets from the main srcnat, it's correct. But this is a different problem. Let's say your router's WAN address is 1.2.3.4, then it's exactly the address that will be used as source. Neither the posted srcnat rule nor the IPSec policy will touch those packets, they will be ...
by Sob
Wed Aug 21, 2019 5:32 pm
Forum: General
Topic: S2S tunnel up, all can ping except mikrotik [SOLVED]
Replies: 4
Views: 661

Re: S2S tunnel up, all can ping except mikrotik [SOLVED]

If the tunnel is plain IPSec, the usual problem is wrong source address used by router. When policy is for traffic between networks A and B, it works when devices in these networks connect to each other. But when the router tries to connect to remote network, it won't use its local address as source...
by Sob
Wed Aug 21, 2019 4:11 am
Forum: General
Topic: How to increase ping time on some IP address for testing purpose?
Replies: 3
Views: 442

Re: How to increase ping time on some IP address for testing purpose?

Interesting question. I found this for Linux:

https://wiki.linuxfoundation.org/networking/netem

But I don't remember seeing anything like that in RouterOS.
by Sob
Wed Aug 21, 2019 4:02 am
Forum: General
Topic: RB450G to RB450Gx4 How to Transfer State
Replies: 10
Views: 1035

Re: RB450G to RB450Gx4 How to Transfer State

I can't really say that I understand your disappointment. There's nothing special about cached DNS records, the router will get new and fresh ones from upstream resolvers. It does that all the time anyway, when old ones time out.
by Sob
Wed Aug 21, 2019 3:25 am
Forum: General
Topic: RB450G to RB450Gx4 How to Transfer State
Replies: 10
Views: 1035

Re: RB450G to RB450Gx4 How to Transfer State

Not really. DNS cache does hold records requested by clients, but how long depends on their TTL. So some will be there for hours or even days, but others only for seconds. Oh and reboot also clears it.
by Sob
Wed Aug 21, 2019 2:33 am
Forum: Beginner Basics
Topic: RDP BruteForce not working when RDP Port Forwarding
Replies: 3
Views: 570

Re: RDP BruteForce not working when RDP Port Forwarding

Let's try once more. Packet to <your public address>:3391 comes to the router and is processed by this rule:

add action=dst-nat chain=dstnat dst-port=3391 protocol=tcp to-addresses=192.168.16.10 to-ports=3389

Its destination gets changed, now it's 192.168.16.10:3389. Next is this rule: add action=add...
by Sob
Wed Aug 21, 2019 12:44 am
Forum: Beginner Basics
Topic: RDP BruteForce not working when RDP Port Forwarding
Replies: 3
Views: 570

Re: RDP BruteForce not working when RDP Port Forwarding

Forward chain is after dstnat which changes destination port => you need to be looking for new destination port (= 3389), even if the original was different.