Search found 6095 matches

by Sob
Sat Oct 24, 2020 5:43 pm
Forum: General
Topic: Open Winbox from web page [SOLVED]
Replies: 4
Views: 198

Re: Open Winbox from web page [SOLVED]

It would be nice to share what you did, someone else can find it useful too.
by Sob
Sat Oct 24, 2020 1:01 am
Forum: General
Topic: Open Winbox from web page [SOLVED]
Replies: 4
Views: 198

Re: Open Winbox from web page [SOLVED]

WinBox supports parameters:
winbox [<server> [<username> [<password>]]]
I also remember creating this, but it's probably not needed, I assume it's possible to pass parameters directly using protocol handler, but I've never worked with those.
by Sob
Sat Oct 24, 2020 12:45 am
Forum: General
Topic: IP neighbor discovery-settings missing properties
Replies: 1
Views: 247

Re: IP neighbor discovery-settings missing properties

What's new in 6.48beta35 (2020-Sep-02 07:50):

Changes in this release:

...
*) discovery - added "lldp-med-net-policy-vlan" property for assigning VLAN ID (CLI only);
*) discovery - allow choosing which discovery protocol is used (CLI only);
...
by Sob
Sat Oct 24, 2020 12:14 am
Forum: General
Topic: Add to address list and nat rule
Replies: 14
Views: 424

Re: Add to address list and nat rule

Bridging diagram applies only when there's bridge involved and it actually does some bridging. So for example bridge as incoming interface (when you have few ports bridged together as LAN) doesn't count.
by Sob
Fri Oct 23, 2020 10:53 pm
Forum: General
Topic: Address List Group???
Replies: 3
Views: 287

Re: Address List Group???

I think it's one of those things that will eventually get added. It can be useful and if it already exists inside, there's no good reason to not add it. It's just that there are many other useful things too and not all can be first.
by Sob
Fri Oct 23, 2020 10:38 pm
Forum: General
Topic: Wildcard DNS
Replies: 15
Views: 666

Re: Wildcard DNS

Wildcards do work with regular servers. If there are records for a.example.com, *.example.com and nothing else under example.com, then queries for a.example.com get data from that and queries for <anything_else>.example.com get data from wildcard record. I'd agree that it made some things more diffi...
by Sob
Fri Oct 23, 2020 7:42 pm
Forum: General
Topic: "Holy war" against masquerade and ike2 dynamic ip address on your wan interface
Replies: 6
Views: 275

Re: "Holy war" against masquerade and ike2 dynamic ip address on your wan interface

I forgot about routing filters, they can be used to modify dynamic routes, but in this case you'd still be missing the pref. source address to set.
by Sob
Fri Oct 23, 2020 6:22 pm
Forum: General
Topic: Wildcard DNS
Replies: 15
Views: 666

Re: Wildcard DNS

I didn't mean it like that, it was just additional example of lack of input validation.
by Sob
Fri Oct 23, 2020 5:41 pm
Forum: General
Topic: "Holy war" against masquerade and ike2 dynamic ip address on your wan interface
Replies: 6
Views: 275

Re: "Holy war" against masquerade and ike2 dynamic ip address on your wan interface

You could run the script periodically from scheduler, but it's not exactly a nice solution.
by Sob
Fri Oct 23, 2020 5:29 pm
Forum: General
Topic: Basic NAT Questions
Replies: 2
Views: 127

Re: Basic NAT Questions

No, it does something useful. It accepts matching connections and stops further processing in same chain, i.e. skips all following rules. In this case it looks like clear attempt to exclude some traffic from srcnat.
by Sob
Fri Oct 23, 2020 5:25 pm
Forum: Forwarding Protocols
Topic: VPN routes
Replies: 1
Views: 128

Re: VPN routes

So, on Site A, what's 192.168.1.240 and why do you dstnat IPSec traffic to it, when you need it for this router?
by Sob
Fri Oct 23, 2020 5:15 pm
Forum: General
Topic: SRC NAT for output chain??
Replies: 4
Views: 1271

Re: SRC NAT for output chain??

That srcnat needs only one condition (connection-mark=<your mark>), so that's hard to mess up. Also don't forget that order of rules matters, they are processed from top to bottom and first matching one is used.
by Sob
Fri Oct 23, 2020 5:09 pm
Forum: General
Topic: "Holy war" against masquerade and ike2 dynamic ip address on your wan interface
Replies: 6
Views: 275

Re: "Holy war" against masquerade and ike2 dynamic ip address on your wan interface

I don't have any LTE to test with, but does it have an equivalent of DHCP's lease script? If so, you can update anything you want from there.
by Sob
Fri Oct 23, 2020 5:05 pm
Forum: Beginner Basics
Topic: View from local pc images upload in Mikrotik directory
Replies: 2
Views: 120

Re: View from local pc images upload in Mikrotik directory

RouterOS can't be used as webserver for your own files. It would be simple to add for MikroTik, because there obviously is webserver already, but you'd have to convince them first that it's good idea. Until then, your only chance is to try to find some way how to misuse hotspot, but I don't know if ...
by Sob
Fri Oct 23, 2020 1:33 am
Forum: General
Topic: VPN Client couldn't get into private server through public ip address
Replies: 1
Views: 68

Re: VPN Client couldn't get into private server through public ip address

So you see client's IP address, as if it didn't use VPN at all? In that case, the simplest explanation is that it really doesn't. And it makes sense, if VPN server and web server share same IP address, and if client uses VPN as default gateway, it adds dynamic route to VPN server's address via its I...
by Sob
Fri Oct 23, 2020 12:57 am
Forum: General
Topic: Wildcard DNS
Replies: 15
Views: 666

Re: Wildcard DNS

There's no support for wildcard records in RouterOS (not counting regexps, but it has own problems), it's just the lack of input validation. If you add static record for *.example.com, it understands it as single hostname (literally "*.example.com"), and if you manage to send such query, you'll get ...
by Sob
Thu Oct 22, 2020 4:58 pm
Forum: Beginner Basics
Topic: FTP Problems
Replies: 1
Views: 83

Re: FTP Problems

If the client has any logs, check those. If not, catch some packets and examine them (you can use Tools->Packet Sniffer on router, filter by client's IP address, save to file and then open it in Wireshark).
by Sob
Wed Oct 21, 2020 3:56 pm
Forum: Beginner Basics
Topic: Mikrotik as VPN Server in existing network
Replies: 3
Views: 169

Re: Mikrotik as VPN Server in existing network

It depends. If you need it for accessing LAN (not just routing traffic through it to internet), you need to make sure that other devices will know how to reach VPN clients. If you want to put clients in different subnet, you need route to it from main router. If you want to use same subnet, then pro...
by Sob
Wed Oct 21, 2020 6:43 am
Forum: Beginner Basics
Topic: Does "Detect Internet" actually do anything?
Replies: 5
Views: 232

Re: Does "Detect Internet" actually do anything?

Same interface can be in multiple lists. And yes, you can use these lists in firewall rules. Question is, what useful thing can you actually do with it? I wonder about that myself. It's quite understandable to treat LAN and WAN differently, typically to have access from WAN more limited. But assignm...
by Sob
Mon Oct 19, 2020 12:28 am
Forum: Beginner Basics
Topic: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?
Replies: 8
Views: 339

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

That's what the route on main router is for. If main router receives packet with destination address 192.168.2.x, it has route telling it to send such packets to RB (192.168.0.251). RB gets packet with source 192.168.0.x and destination 192.168.2.x, it matches policy, so it's encrypted and sent out...
by Sob
Mon Oct 19, 2020 12:05 am
Forum: General
Topic: OpenVPN connection as client failed - Help needed
Replies: 2
Views: 217

Re: OpenVPN connection as client failed - Help needed

You have sha512 in ovpn config, but sha1 on RB (which doesn't seem to support anything better).
by Sob
Sun Oct 18, 2020 7:38 pm
Forum: Scripting
Topic: Need help by php api
Replies: 6
Views: 207

Re: Need help by php api

No, but it should use the same structure as config export.
by Sob
Sat Oct 17, 2020 8:38 pm
Forum: Scripting
Topic: Need help by php api
Replies: 6
Views: 207

Re: Need help by php api

I can show you piece of code for listing firewall rules and disabling/enabling them, that should be enough to get you going. $api = new routeros_api(); $api->debug = false; $api->attempts = 2; if($api->connect('192.168.88.1', 'username', 'password')) { $api->write('/ip/firewall/filter/print', false)...
by Sob
Sat Oct 17, 2020 8:24 pm
Forum: Beginner Basics
Topic: how to configure https for my websites
Replies: 6
Views: 260

Re: how to configure https for my websites

Do you test it from LAN? Rule for port 80 has in-interface-list=all (which is useless, because it always matches, so you don't need to add it at all), but for 443 you have in-interface-list=WAN, so it will work only from internet.
by Sob
Sat Oct 17, 2020 8:15 pm
Forum: Virtualization
Topic: CHR/The Dude Server on Raspberry Pi 3B or 4
Replies: 4
Views: 800

Re: CHR/The Dude Server on Raspberry Pi 3B or 4

Interesting, could you share any more details? I don't mean step by step guide, although I suppose someone would appreciate that. Just some pointers for start, like what do you use? I most likely won't be trying it myself, I'm just curious. I keep finding some software named ExaGear, but it seems de...
by Sob
Sat Oct 17, 2020 6:49 pm
Forum: Beginner Basics
Topic: Questions relating to Hotspot, https redirects, certificates + SUP-30646
Replies: 14
Views: 421

Re: Questions relating to Hotspot, https redirects, certificates + SUP-30646

I'm no Android expert, but right after you connect, there's immediately "Sign in to Wi-Fi network" on top of screen, which sounds very much like hotspot detection. You can test if you see the same thing when you connect to unlimited network. For example here: https://android.stackexchange.com/quest...
by Sob
Sat Oct 17, 2020 2:13 am
Forum: Beginner Basics
Topic: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?
Replies: 8
Views: 339

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

There's nothing to it, if you start with blank config, then: /ip address add address=192.168.0.251/24 interface=ether1 /ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1 /ip ipsec peer add address=<site2address> name=site2 /ip ipsec identity add peer=site2 secret=<something> /ip ipsec policy ad...
by Sob
Sat Oct 17, 2020 1:44 am
Forum: Beginner Basics
Topic: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)
Replies: 47
Views: 914

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

The device must be able to resolve hostnames, that's why it need DNS server. And it needs to know how to reach internet, and that's done using default gateway. So you need this:
/ip dns
set servers=192.168.88.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1
by Sob
Fri Oct 16, 2020 10:45 pm
Forum: Beginner Basics
Topic: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?
Replies: 8
Views: 339

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Do I see it correctly that everything on the left is same 192.168.0.0/24 and everything on the right is same 192.168.2.0/24? And in both cases you somehow connect the same network to RB twice? That's ... unusual. Also probably somewhere between unnecessary and wrong.
by Sob
Fri Oct 16, 2020 10:28 pm
Forum: General
Topic: Port forward not working [SOLVED]
Replies: 4
Views: 259

Re: Port forward not working [SOLVED]

Dstnat rule is fine and if it logs something, it means that it's reachable from outside. You are testing it from outside, right? Check target device (192.168.14.209): - is there something listening in port 443? - are connections to port 443 from anywhere allowed in device's firewall? - does the devi...
by Sob
Fri Oct 16, 2020 10:16 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1598

Re: NTH load balancing

I'm not re-reading the whole thread again to find out if it was already mentioned in some way, but do you have any statistics how much are ports other than 80 and 443 actually used? In other words, if all your effort is really worth it. Because if you are developer and your application needs to acce...
by Sob
Fri Oct 16, 2020 6:54 pm
Forum: General
Topic: How to route from OVPN client to specific IPSEC tunel ? [SOLVED]
Replies: 3
Views: 215

Re: How to route from OVPN client to specific IPSEC tunel ? [SOLVED]

All IPSec cares about is that source is in 10.10.110.0/24. It can be router's own address, or you can dedicate some other for this. It doesn't even have to be assigned anywhere.
by Sob
Fri Oct 16, 2020 6:50 pm
Forum: Beginner Basics
Topic: How to use vpn only for incoming connexion ? [SOLVED]
Replies: 5
Views: 263

Re: How to use vpn only for incoming connexion ? [SOLVED]

In WinBox it's currently a little unfinished, it's known problem.
by Sob
Fri Oct 16, 2020 6:05 pm
Forum: General
Topic: How to route from OVPN client to specific IPSEC tunel ? [SOLVED]
Replies: 3
Views: 215

Re: How to route from OVPN client to specific IPSEC tunel ? [SOLVED]

Don't use masquerade, use src-nat and then you can set any address you want. IPSec doesn't use routes, it checks if source and destination matches existing policy. Once you add correct srcnat rule, it will.
by Sob
Fri Oct 16, 2020 5:41 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1598

Re: NTH load balancing

The last config, it's still the same one, isn't it? It was already explained by @sindy, but once more, in the form of simple example: - device in LAN wants to connect to 1.2.3.4:666 in internet - PCC rules won't touch initial packet to port 666, because they are only for 80 and 443 - Nth marks packe...
by Sob
Fri Oct 16, 2020 5:18 pm
Forum: Beginner Basics
Topic: About VPN automatic (?) routes
Replies: 4
Views: 228

Re: About VPN automatic (?) routes

Routes are added automatically, otherwise it wouldn't work, router needs routes to know where to send packets. You can see it yourself. E.g. if SSTP client connects to server, it will get new route to server's address and new default route, if you have that option enabled. Same on server side, its r...
by Sob
Fri Oct 16, 2020 5:06 pm
Forum: General
Topic: PHP APi Connection
Replies: 15
Views: 420

Re: PHP APi Connection

I don't know what that is, but maybe some problem with permissions for used username?
by Sob
Fri Oct 16, 2020 4:35 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1598

Re: NTH load balancing

You're missing few details. For start, your original config that you thought does per-packet Nth didn't really do that, and when @sindy explained in detail what happens, you didn't get it at all. You also misunderstood his other suggestion. And his interest in your native language is not to make fun...
by Sob
Fri Oct 16, 2020 4:25 pm
Forum: General
Topic: PHP APi Connection
Replies: 15
Views: 420

Re: PHP APi Connection

The class I linked to works fine for me, so I don't know what can be wrong. Add some more debug output in connect(), just simple "echo" is fine, to see what exactly fails. Dumping $RESPONSE is good start.
by Sob
Fri Oct 16, 2020 4:19 pm
Forum: Wireless Networking
Topic: Unlock Audience Frequencies - EU Version
Replies: 4
Views: 191

Re: Unlock Audience Frequencies - EU Version

By the way, I am using the 4.9Ghz network indoors only so I guess it's not a problem. I guess it gives you better chance to not get caught and punished, compared to if you'd be using it outside. :) But it would still be wise to check local regulations, how much (il)legal it is and how big trouble i...
by Sob
Fri Oct 16, 2020 3:50 pm
Forum: General
Topic: PHP APi Connection
Replies: 15
Views: 420

Re: PHP APi Connection

If you can see connection attempt in router's log, then it clearly passed through firewall, otherwise it wouldn't be there at all.
by Sob
Fri Oct 16, 2020 3:41 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1598

Re: NTH load balancing

There's definitely some misunderstanding. Because if it's regular dual WAN config, i.e. two independent ISPs, then per-packet load balancing will work great with single-packet exchanges like DNS queries, but everything else will be absolutely terrible, if it will work at all.
by Sob
Fri Oct 16, 2020 3:19 pm
Forum: General
Topic: PHP APi Connection
Replies: 15
Views: 420

Re: PHP APi Connection

by Sob
Fri Oct 16, 2020 2:42 pm
Forum: Beginner Basics
Topic: How to use vpn only for incoming connexion ? [SOLVED]
Replies: 5
Views: 263

Re: How to use vpn only for incoming connexion ? [SOLVED]

This should be it: /routing table add fib name=vpn /ip route add dst-address=0.0.0.0/0 gateway=212.58.77.1 routing-table=vpn /ip firewall mangle add chain=prerouting in-interface=ovpn-out1 connection-state=new action=mark-connection new-connection-mark=VPN-CONN passthrough=no add chain=output connec...
by Sob
Fri Oct 16, 2020 2:16 pm
Forum: Beginner Basics
Topic: About VPN automatic (?) routes
Replies: 4
Views: 228

Re: About VPN automatic (?) routes

It's the opposite, everything adds routes (and you can see them in IP->Routes), except IPSec, which works on slightly different level controlled by policies (viewtopic.php?f=13&t=164534).
by Sob
Fri Oct 16, 2020 3:20 am
Forum: Beginner Basics
Topic: How to use vpn only for incoming connexion ? [SOLVED]
Replies: 5
Views: 263

Re: How to use vpn only for incoming connexion ? [SOLVED]

It's basically like dual-WAN config. VPN is secondary, but default route uses LTE, so if new connection comes in via VPN, response is sent out via LTE and it doesn't work. To fix it, router needs a little help. Add new default route that uses VPN interface and put it in separate routing table (parame...
by Sob
Fri Oct 16, 2020 3:07 am
Forum: Beginner Basics
Topic: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)
Replies: 47
Views: 914

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Didn't see anything off the bat that caught my eye, but when one has more than one bridge I lose the bubble quickly.
It's because it's not there and that's the problem. hAP-lite is missing default route and dns. And you can't blame it on too many bridges, because that device has only one. :)
by Sob
Fri Oct 16, 2020 2:48 am
Forum: General
Topic: SSTP Cert key usage
Replies: 1
Views: 267

Re: SSTP Cert key usage

For client, you probably want certificate with key usage "tls client". And not just certificate, but also its private key.
by Sob
Fri Oct 16, 2020 2:43 am
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1598

Re: NTH load balancing

If you want to make sure that you have everything "right" for testing, then temporarily disable these two rules: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=ISP1_conn passthrough=no add action=mark-connection cha...
by Sob
Thu Oct 15, 2020 11:11 pm
Forum: General
Topic: Dynamic firewall filter rule added when IPsec peer is down to avoid unencrypted LAN leaking.
Replies: 5
Views: 209

Re: Dynamic firewall filter rule added when IPsec peer is down to avoid unencrypted LAN leaking.

I add unreachable routes to all private subnets (whole 10.0.0.0/8, etc) as a simple default way how to prevent leaks. Then if some subnet exists (either static or from VPN) and should be reachable, there's more specific route to it and it works nicely. Except with IPSec, because it doesn't add any r...
by Sob
Thu Oct 15, 2020 10:25 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1598

Re: NTH load balancing

It's not so easy. First, there's not just one PCC, you have different options. If you use both-addresses, it's good for compatibility with servers that don't like clients changing their addresses all the time, but distribution will be worse, because each combination of client-server will always use ...
by Sob
Thu Oct 15, 2020 10:08 pm
Forum: Beginner Basics
Topic: Why do most firewalls have Input rules first?
Replies: 7
Views: 330

Re: Why do most firewalls have Input rules first?

@anav: It depends. When it's something more important that deserves "proper" config, then yes, with the main motivation being leaking private subnets. Home config? Who cares. If there's packet with spoofed source from internet to router, it gets dropped anyway, because nothing is open on router. If ...
by Sob
Thu Oct 15, 2020 9:20 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1598

Re: NTH load balancing

OT: (Correct, you can quote anything you want, it was just suggestion, because I don't think it has any added value whatsoever. But if you feel otherwise...)
by Sob
Thu Oct 15, 2020 8:47 pm
Forum: General
Topic: OpenVpn connected but no lan neither internet [SOLVED]
Replies: 9
Views: 495

Re: OpenVpn connected but no lan neither internet [SOLVED]

Once more:
PPTP probably uses tunnel as default gateway, do you have the same for OpenVPN?
by Sob
Thu Oct 15, 2020 7:38 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1598

Re: NTH load balancing

I can't bother to quote everything cleanly, so I'll reply in paragraph wise.
You don't have to quote at all, I suggest you try it sometimes.
by Sob
Thu Oct 15, 2020 7:19 pm
Forum: Beginner Basics
Topic: Why do most firewalls have Input rules first?
Replies: 7
Views: 330

Re: Why do most firewalls have Input rules first?

1) It doesn't matter, forward and input are shown together, because it's all filter rules (you can also add additional chains and they will be shown too), but one packet will always go only in input or forward, never both. 2) Not everything can be fasttracked, but you still want it to pass. Plus I t...
by Sob
Thu Oct 15, 2020 6:56 pm
Forum: Beginner Basics
Topic: Using hAP lite as a dumb WISP device? [SOLVED]
Replies: 7
Views: 315

Re: Using hAP lite as a dumb WISP device? [SOLVED]

If you're connecting to non-MikroTik AP, here's some suggested reading:

https://wiki.mikrotik.com/wiki/Manual:W ... tion_Modes
by Sob
Thu Oct 15, 2020 5:39 pm
Forum: Beginner Basics
Topic: Questions relating to Hotspot, https redirects, certificates + SUP-30646
Replies: 14
Views: 421

Re: Questions relating to Hotspot, https redirects, certificates + SUP-30646

Ok, so here you have quick start: Each certificate is valid only for listed names. It can be just one (www.example.net), multiple (www.example.net and www.example.com) or any subdomain (*.example.net; that's wildcard certificate). When browser tries to connect to server X, it requires that certifica...
by Sob
Thu Oct 15, 2020 4:55 pm
Forum: Beginner Basics
Topic: Questions relating to Hotspot, https redirects, certificates + SUP-30646
Replies: 14
Views: 421

Re: Questions relating to Hotspot, https redirects, certificates + SUP-30646

I'll still doubt your words, because there simply isn't any such mechanism in https (specifically in tls part, which handles the encryption) that would allow server to tell client "hey, forget about connecting to X and connect to Y instead". :) I'm sure the checkbox for redirecting https has some pu...
by Sob
Thu Oct 15, 2020 4:36 pm
Forum: Beginner Basics
Topic: Questions relating to Hotspot, https redirects, certificates + SUP-30646
Replies: 14
Views: 421

Re: Questions relating to Hotspot, https redirects, certificates + SUP-30646

Congratulations, in that case creators of UniFi Controller have successfully broken https. Or the other explanation is that there's something else you don't see.
by Sob
Thu Oct 15, 2020 4:00 pm
Forum: Beginner Basics
Topic: Questions relating to Hotspot, https redirects, certificates + SUP-30646
Replies: 14
Views: 421

Re: Questions relating to Hotspot, https redirects, certificates + SUP-30646

There are two parts: When user tries to connect to https://something, browser won't accept anything else than valid certificate for "something". It's impossible to redirect this request without user seeing warning about invalid certificate. That's solved by hotspot check described in previous post. ...
by Sob
Thu Oct 15, 2020 3:17 pm
Forum: Beginner Basics
Topic: How to send PM to other user (ie. privately contacting a user)? [SOLVED]
Replies: 17
Views: 2820

Re: How to send PM to other user (ie. privately contacting a user)? [SOLVED]

@anav: There could be many reasons. You haven't been sending too many "fan mail" PMs to @normis, were you? ;)
by Sob
Thu Oct 15, 2020 3:13 pm
Forum: Beginner Basics
Topic: Redirect specific domains to specific interface
Replies: 3
Views: 165

Re: Redirect specific domains to specific interface

I'd say the request was for outgoing connections to internet. It's possible if it's exact hostname (www.example.net). You can add it in IP firewall's address list and router will resolve it to IP address and also refresh it when TTL expires. You can then mark routing for packets with destination con...
by Sob
Thu Oct 15, 2020 3:07 pm
Forum: Beginner Basics
Topic: Questions relating to Hotspot, https redirects, certificates + SUP-30646
Replies: 14
Views: 421

Re: Questions relating to Hotspot, https redirects, certificates + SUP-30646

If the problem is: ... user's attempt to reach out a website via https protocol would be considered as insecure and a browser will drop the connection (i.e. a redirect). i.e. when user tries to connect to e.g. https ://google.com, then unless you buy certificate valid for google.com, there will be e...
by Sob
Thu Oct 15, 2020 2:50 pm
Forum: Beginner Basics
Topic: how to configure https for my websites
Replies: 6
Views: 260

Re: how to configure https for my websites

You can see that the rule has some hits. So if it's just a copy of rule for port 80 (which I assume works) and only the number is different, then this one must work too and the problem is probably elsewhere (server's own firewall for example).
by Sob
Wed Oct 14, 2020 10:23 pm
Forum: General
Topic: OVPN can not connect
Replies: 3
Views: 244

Re: OVPN can not connect

I don't know what it was exactly, but Windows OpenVPN had some limitation related to addressing, it was something about subnet used for local and remote address. Try to find info about the error on the end of client log and you should find it. Other than that, posting logs is fine, but posting also ...
by Sob
Wed Oct 14, 2020 6:17 pm
Forum: General
Topic: Multiple hotspot profiles on multiple VLAN interfaces on a bridge
Replies: 17
Views: 603

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

It's still not completely clear to me how everything is connected. But just the part with bridged vlans, if assigning everything from each apartment in own vlan is already handled, should probably work. Bridge them, set horizon on all ports, happy end (hopefully). But to be honest, I only used horiz...
by Sob
Wed Oct 14, 2020 5:31 pm
Forum: Beginner Basics
Topic: VPN IPSec
Replies: 4
Views: 248

Re: VPN IPSec

Now it looks like there are only outgoing requests, but not a single response coming back. As if it couldn't connect at all.
by Sob
Wed Oct 14, 2020 5:26 pm
Forum: General
Topic: Secondary Public Ip Problem
Replies: 5
Views: 620

Re: Secondary Public Ip Problem

The correct solution is to talk with ISP and come up with different config where /25 is routed to you as whole. If you get that many addresses, you're not just some unimportant residential customer and they should want to make you happy. And it's not like routing subnet to you would be any diff...
by Sob
Wed Oct 14, 2020 5:23 am
Forum: General
Topic: Multiple hotspot profiles on multiple VLAN interfaces on a bridge
Replies: 17
Views: 603

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

I'm afraid you have too many keywords that are not at all my things (hotspot, freeradius).
by Sob
Wed Oct 14, 2020 3:32 am
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

Yes, it looks like you'll need two rules and they have to be before the one that allows everything from LAN. Edit: Or maybe not, if you can live without accepting everything else from LAN and only accept what's really needed (maybe DNS could be enough). Established & related, most packets belong to ...
by Sob
Wed Oct 14, 2020 3:07 am
Forum: General
Topic: lost admin password
Replies: 1
Views: 177

Re: lost admin password

Did you have such relaxed approach also with upgrades? If you did, and your RouterOS is the "right" version, you can use this security hole to get the password:

https://blog.mikrotik.com/security/winb ... ility.html
by Sob
Wed Oct 14, 2020 3:00 am
Forum: General
Topic: single ipv6 /64 range
Replies: 21
Views: 651

Re: single ipv6 /64 range

@sindy: DHCPv6 server in RouterOS does that, when it gives prefix to client, it adds route to it with gateway=<client's LL address>%<interface>. I've never used other DHCPv6 servers for PD, but I assume it's standard behaviour.
by Sob
Tue Oct 13, 2020 10:08 pm
Forum: General
Topic: single ipv6 /64 range
Replies: 21
Views: 651

Re: single ipv6 /64 range

But according to OP, DHCPv6 client receives prefix and when it's assigned on WAN interface, it works, but when on LAN, it doesn't. Nothing against the first part, it should work, even on "wrong" interface, because router got it and upstream router should know where it is. But the expected and most l...
by Sob
Tue Oct 13, 2020 8:59 pm
Forum: General
Topic: single ipv6 /64 range
Replies: 21
Views: 651

Re: single ipv6 /64 range

I can't say that I understand what exactly you did. It would probably require some diagram showing how everything is connected, plus the working config.
by Sob
Tue Oct 13, 2020 8:51 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

As suggested by the flaming animal, the order should be: - accept established & related (and you can add untracked too), it's because it will match majority of packets, so it saves some processing - drop invalid (now everything is only new, nothing else will get here) - allow what you want - block e...
by Sob
Tue Oct 13, 2020 6:36 pm
Forum: General
Topic: IPsec rsa keys transfer to another router
Replies: 2
Views: 207

Re: IPsec rsa keys transfer to another router

It's long-standing problem. If you want to backup your config, you can use backup, but you get one big unreadable binary file, which is not meant for transferring to other devices. I thought it would survive with same device models, but maybe not even that. To fix some shortcomings of backup, you ...
by Sob
Tue Oct 13, 2020 4:44 pm
Forum: General
Topic: single ipv6 /64 range
Replies: 21
Views: 651

Re: single ipv6 /64 range

Keep it simple. If you are supposed to get prefix using DHCPv6, then use that, don't experiment too much with static addresses. If it works without accept-router-advertisements when you put prefix on WAN, then disable it (it's default config). Then put the prefix on LAN where it should be. And then ...
by Sob
Tue Oct 13, 2020 3:41 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

It depends also on the rest of your rules. Without seeing them, I can only guess. But if you have something resembling default firewall, it blocks new connections from WAN. So accept rule allowing access from given addresses would override this, but drop rule disallowing access would do that, but it...
by Sob
Tue Oct 13, 2020 4:15 am
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 523

Re: Vlan not working for me,

Do you know what vlan on ethernet interface does?
/interface vlan add interface=etherX name=vlanY vlan-id=Y
So that, but on all bridged ports at once.
by Sob
Tue Oct 13, 2020 4:11 am
Forum: General
Topic: Possible to Torch firewall rule [SOLVED]
Replies: 4
Views: 304

Re: Possible to Torch firewall rule [SOLVED]

You can enable logging for any rule (log=yes, Log checkbox on Action tab in WinBox).
by Sob
Tue Oct 13, 2020 2:07 am
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 523

Re: Vlan not working for me,

Maybe you know more, but this: ... the network is not stable at all sometimes it connects and sometime it does not. can mean anything. What I learned so far (generally) is that I can't believe users anything, except maybe that they do have router and it's turned on. Typical example is something like...
by Sob
Tue Oct 13, 2020 1:39 am
Forum: Beginner Basics
Topic: need help with VLAN guest wireless on router and ap
Replies: 7
Views: 328

Re: need help with VLAN guest wireless on router and ap

IP address on ether2 instead of bridge (which has it as member port) is common mistake, maybe it's there after upgrade from master port in old versions.

DHCP server uses raw sockets, IP firewall doesn't block it.
by Sob
Tue Oct 13, 2020 1:30 am
Forum: General
Topic: Updating from 6.28
Replies: 4
Views: 205

Re: Updating from 6.28

I'm always nervous when I'm doing remote updates. But so far everything survived, and that was even with much bigger version jumps. It also depends on the config. If access to device needs just ethernet, it's simple and there are no major changes in that, so it shouldn't break in any case. If it dep...
by Sob
Tue Oct 13, 2020 1:04 am
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 523

Re: Vlan not working for me,

Small flaw of that list is that it doesn't include THE problem:
1) Just because the name confuses you, it's not wrong.
2) It looks like simple pre-'bridge vlan filtering' style config and it should work.
3&4) See 2)
5) Hybrid trunk & untagged, nothing clearly wrong.
6) Obvious and also harmless.
Tha...
by Sob
Mon Oct 12, 2020 10:14 pm
Forum: General
Topic: single ipv6 /64 range
Replies: 21
Views: 651

Re: single ipv6 /64 range

It looks very similar to https://forum.mikrotik.com/viewtopic.php?f=13&t=167414 So as in that other thread:
- try if disabling accept-router-advertisements breaks previously working connectivity from router
- if it does, turn it back on and try another ping/traceroute with manually specified source ...
by Sob
Mon Oct 12, 2020 10:05 pm
Forum: General
Topic: routerboard as TFTP server
Replies: 11
Views: 446

Re: routerboard as TFTP server

It looks like I got a little carried away with testing what's possible. But if you want to use whole file name without any advanced changes and only read it from some directory, then if you leave req-filename blank, it seems to work like this: /ip tftp add ip-addresses=192.168.7.0/24 real-filename="...
by Sob
Mon Oct 12, 2020 7:57 pm
Forum: General
Topic: single ipv6 /64 range
Replies: 21
Views: 651

Re: single ipv6 /64 range

There's nothing obviously wrong in your description, but perhaps there could be something wrong in your config. If I was you, I'd try to export it and show it to someone.
by Sob
Mon Oct 12, 2020 7:51 pm
Forum: Beginner Basics
Topic: RouterOS - public subnet - NAT 1:1 - good practices
Replies: 9
Views: 439

Re: RouterOS - public subnet - NAT 1:1 - good practices

IP addresses should not have network=192.168.0.254, omit that parameter completely when adding them. With it you created point to point config and it breaks things. Otherwise you can use /29 too, /32 was to allow you to use all addresses, even those that are normally wasted on network address and br...
by Sob
Mon Oct 12, 2020 7:33 pm
Forum: General
Topic: routerboard as TFTP server
Replies: 11
Views: 446

Re: routerboard as TFTP server

It's really weird. I have file test/6863i.st on router. If I add this: /ip tftp add real-filename="test/6863i.st" req-filename="6863i\\.st" and request "6863i.st", I get the file. So it's there, router can read it, and everything is ok. If instead I use this: /ip tftp add real-filename="test/\\0" re...
by Sob
Mon Oct 12, 2020 5:18 pm
Forum: Beginner Basics
Topic: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]
Replies: 15
Views: 512

Re: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]

You should know by now that there's often more than one way how to do something. :) Address lists belong to IP firewall. In Linux, which is where RouterOS internals come from, it's related to netfilter/iptables. So I guess it's not so easy to connect it with routing, which is different part of syste...
by Sob
Mon Oct 12, 2020 5:06 pm
Forum: General
Topic: OpenVpn connected but no lan neither internet [SOLVED]
Replies: 9
Views: 495

Re: OpenVpn connected but no lan neither internet [SOLVED]

It doesn't look like anything in router's config. Check the client side. PPTP probably uses tunnel as default gateway, do you have the same for OpenVPN?
by Sob
Mon Oct 12, 2020 4:37 pm
Forum: General
Topic: Strange Tracking Problem on Mikrotik Filter rules
Replies: 4
Views: 203

Re: Strange Tracking Problem on Mikrotik Filter rules

The return traffic from VlanB in response to a query from VlanA, is supposed to be allowed
It would with default firewall. But there can be something completely different now.
by Sob
Mon Oct 12, 2020 4:32 pm
Forum: Beginner Basics
Topic: RouterOS - public subnet - NAT 1:1 - good practices
Replies: 9
Views: 439

Re: RouterOS - public subnet - NAT 1:1 - good practices

- If you want to have all addresses assigned to router (instead of routing them somewhere else), you need to add them all. Unless you'd choose to not add them at all .
- You do need extra hairpin NAT rule with your other current rules, but with a small change you can get rid of it. See below.
- Adva...
by Sob
Mon Oct 12, 2020 1:47 pm
Forum: General
Topic: routerboard as TFTP server
Replies: 11
Views: 446

Re: routerboard as TFTP server

No, leading slash seems to be fine, e.g. this works:
/ip tftp
add real-filename=/x.txt req-filename=x.txt
Problem is with regexp, I haven't found a way how to do anything with references. And honestly, I don't understand the description of real-filename. Does it make any sense to you?
by Sob
Mon Oct 12, 2020 4:01 am
Forum: General
Topic: routerboard as TFTP server
Replies: 11
Views: 446

Re: routerboard as TFTP server

At first, manual sounds very promising: req-filename - requested filename as regular expression (regex) if field is left empty it defaults to .* There's regexp, so usual thing you can do with those is to match some part and use it. But then there's this: real-filename - if req-filename and real-file...
by Sob
Sun Oct 11, 2020 7:45 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

If destination is not found using any manually added routing rules, default processing still applies, so you don't have to add rules for something that would happen anyway. But again, it depends what's more clear to you, sometimes it may be better to add something useless if it makes things more obv...
by Sob
Sun Oct 11, 2020 6:57 pm
Forum: Beginner Basics
Topic: Understanding VLAN Interfaces, Bridge VLAN Filtering etc.
Replies: 3
Views: 245

Re: Understanding VLAN Interfaces, Bridge VLAN Filtering etc.

1) Reboot shouldn't be necessary. The only thing in RouterOS which I'm sure has problems with online changes is RP filter in IP setting. On the other hand, I haven't tried everything, so it's not impossible that something with vlans could get stuck too. 2) If you mean on different interfaces, you sh...
by Sob
Sun Oct 11, 2020 5:19 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

Yes, my mistake.

There are implicit (and invisible) rules that when packet has some routing mark, router uses the same routing table to look up destination. So normally you don't need to add rules like this. But your last two rules break (or override) this default behaviour.
by Sob
Sun Oct 11, 2020 4:32 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

You don't need to mark connections in input, it's already covered by marking in prerouting, which happens before input. When you mark routing in output, it's compatible with dynamic addresses. Also, for the purpose of responding back to same WAN, this is enough and you don't need routing rules for W...
by Sob
Sun Oct 11, 2020 4:07 pm
Forum: Beginner Basics
Topic: IPv6 setup problems
Replies: 8
Views: 384

Re: IPv6 setup problems

I guess it's possible, because unlike with IPv4, DHCPv6 does not get gateway from server and device is supposed to get it from RA. I'm not sure if there's some exception for prefix delegation and I'm not in the mood to read through RFCs. If accepting RAs helps, keep it that way. Small problem is tha...
by Sob
Sun Oct 11, 2020 3:42 pm
Forum: Beginner Basics
Topic: IPv6 setup problems
Replies: 8
Views: 384

Re: IPv6 setup problems

I don't see any obvious problem. Try to examine what exactly happens. Start ping from client to internet and keep it going (there's option -t for that) and check using Tools->Torch on ether1 that those packets passed through router. They should. Next thing you can try is to ping client's address fro...
by Sob
Sun Oct 11, 2020 3:26 pm
Forum: Beginner Basics
Topic: Understanding VLAN Interfaces, Bridge VLAN Filtering etc.
Replies: 3
Views: 245

Re: Understanding VLAN Interfaces, Bridge VLAN Filtering etc.

I think the main source of confusion is that there are two different layers mixed together. You have vlans in bridge config and they are used to configure hardware switch or bridge as software variant. It's low level stuff, like on a regular managed switch. If you have only these vlans, they are not...
by Sob
Sun Oct 11, 2020 2:59 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

First important thing to understand is that there isn't the perfect universal solution. There can be various differences in setups and each may require something slightly different (e.g things like static or dynamic address can influence a lot). Even when it's same, it's often possible to use differ...
by Sob
Sun Oct 11, 2020 12:52 pm
Forum: Beginner Basics
Topic: need help with VLAN guest wireless on router and ap
Replies: 7
Views: 328

Re: need help with VLAN guest wireless on router and ap

It's the best router, relatively speaking, because compared to many other routers it's much more flexible. But it can be more demanding and also gives more options to user how to mess it up. And yes, there's helpful forum, where many people get help. Not all, for various reasons. Some questions are too ...
by Sob
Sun Oct 11, 2020 12:02 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

Routing rules for WAN addresses are not useless, they will work. It's just that if you already mark connections for port forwarding, then you can use same marks for this and it will be two mangle rules, or you can have two routing rules. So no difference in amount of config and some may find it bett...
by Sob
Sun Oct 11, 2020 2:26 am
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

Routing rules work great for access to router itself (or generally with public addresses). Problem with port forwarding is that response packets from internal server have server's internal address as source. It gets changed to public address, but it happens *after* routing decision.
by Sob
Sun Oct 11, 2020 1:01 am
Forum: General
Topic: Static DNS Route with Dynamic Address
Replies: 13
Views: 376

Re: Static DNS Route with Dynamic Address

Short answer: No Long answer: Not directly. If RouterOS doesn't support hostnames in some field, you can't force it to accept them. But you can use script to update numeric address. For example, you can add your record like this: /ip dns static add address=127.0.0.1 comment=myrecord name=anything T...
by Sob
Sat Oct 10, 2020 11:10 pm
Forum: Beginner Basics
Topic: RouterOS - public subnet - NAT 1:1 - good practices
Replies: 9
Views: 439

Re: RouterOS - public subnet - NAT 1:1 - good practices

If in the end you add all addresses from given subnet to router, I don't think it matters what mask you use, it's still the same amount of addresses. Or maybe you meant something else? I don't see good reason for multiple separate hairpin rules. The universal one will cover everything and since norm...
by Sob
Sat Oct 10, 2020 10:52 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

Step 1 can have passthrough=no, because all you need to do for incoming packets is to mark connection. Step 2, if you mean packet mark, is not needed at all, you can go directly from connection mark to routing mark. Check my favourite example, it's all there: https://wiki.mikrotik.com/wiki/Manual:PC...
by Sob
Sat Oct 10, 2020 10:41 pm
Forum: Beginner Basics
Topic: IPv6 setup problems
Replies: 8
Views: 384

Re: IPv6 setup problems

If it works from router, but it doesn't work from device behind router, even though it seems to have address and everything, it looks like something wrong on router. Firewall would be good candidate, but I assume you didn't touch it, or did you? You can try to export your config: /export hide-sensit...
by Sob
Sat Oct 10, 2020 10:26 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

Because incoming packet (from internet to server) has only one way to go, from router (where it currently is) to server. But if it's outgoing packet (response) from server to client, router has to decide to which ISP it should send it. The whole thing is: 1) Packet from internet client comes to rout...
by Sob
Sat Oct 10, 2020 9:43 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

It's useless to mark routing for incoming packets, you need it for outgoing ones. Also, routing mark is per-packet, if you want something to stick to whole connection (you do), you need connection mark. You don't need packet marks for this, just connection marks and then mark routing based on those...
by Sob
Sat Oct 10, 2020 9:29 pm
Forum: General
Topic: Static DNS Route with Dynamic Address
Replies: 13
Views: 376

Re: Static DNS Route with Dynamic Address

I'm sorry, I don't get it. First you wrote about "static dns route ", so I assumed something like: /ip route add dst-address=xxx.abc.com gateway=x.x.x.x Then you wrote that it's: /ip dns static add address=x.x.x.x name=anything And you'd like to do: /ip dns static add address=xxx.abc.com name=anythi...
by Sob
Sat Oct 10, 2020 9:11 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

Sure, it works fine when incoming request comes from ISP which is primary for server, because it will send responses there. But if you want forwarded ports working from both ISPs, that's what the connection and route marking is for.
by Sob
Sat Oct 10, 2020 9:06 pm
Forum: General
Topic: Static DNS Route with Dynamic Address
Replies: 13
Views: 376

Re: Static DNS Route with Dynamic Address

Then just assume that I'm complete idiot and try to explain to me in detail what exactly you are trying to do. Because this: /ip dns static add address=1.2.3.4 name=host.example.net adds static record host.example.net which points to IP address 1.2.3.4. If you then send dns query to router and ask f...
by Sob
Sat Oct 10, 2020 8:56 pm
Forum: General
Topic: What is the right way to do port forward with multiple WANs and LANs
Replies: 32
Views: 933

Re: What is the right way to do port forward with multiple WANs and LANs

If LAN-1 is hardcoded to use only ISP-1, then if you forward port from ISP-2 to server in LAN-1, it will send response via ISP-1 and it can't work.
by Sob
Sat Oct 10, 2020 8:49 pm
Forum: General
Topic: Static DNS Route with Dynamic Address
Replies: 13
Views: 376

Re: Static DNS Route with Dynamic Address

As I understand it (correct me where I'm wrong), you have some server with dynamic IP address and you have existing DDNS hostname xxx.abc.com. You'd like to add "/ip dns static add address=xxx.abc.com name=someotherhostname", but what you get is "/ip dns static add address=1.2.3.4 name=someotherhost...
by Sob
Sat Oct 10, 2020 8:40 pm
Forum: Beginner Basics
Topic: Port forwarding issues (SYN not getting acked)
Replies: 7
Views: 795

Re: Port forwarding issues (SYN not getting acked)

All devices care about gateway. If you have device with 192.168.90.x/24 and no gateway, then it's just other 192.168.90.y addresses that are accessible to it. It needs another device (router) to access anything else. And it must know where to find this router. This would work without gateway if you ...
by Sob
Sat Oct 10, 2020 8:32 pm
Forum: General
Topic: Static DNS Route with Dynamic Address
Replies: 13
Views: 376

Re: Static DNS Route with Dynamic Address

And what's the point of that? If there's already hostname for server, why do you want to use another pointing to it? Why not simply use the existing one?

In theory, you could use CNAME record. RouterOS 6.47+ allows to add it as static record, but the whole thing doesn't really work in any usable way.
by Sob
Sat Oct 10, 2020 7:13 pm
Forum: General
Topic: Static DNS Route with Dynamic Address
Replies: 13
Views: 376

Re: Static DNS Route with Dynamic Address

I thought you meant /ip route add dst-address=<hostname>, which is not supported, but it also completely refuses it, it doesn't resolve it, so maybe you mean something else? In any case, the answer is probably some script that can resolve hostname and update any field you want.
by Sob
Sat Oct 10, 2020 7:01 pm
Forum: Beginner Basics
Topic: RouterOS - public subnet - NAT 1:1 - good practices
Replies: 9
Views: 439

Re: RouterOS - public subnet - NAT 1:1 - good practices

For start, if whole /29 is routed to you, I wouldn't assign those addresses to router like you do. If you want to go with NAT (you don't have to, it's also possible to give those addresses directly to target machines), add them with /32 mask and you can use all eight of them, including the first and...
by Sob
Sat Oct 10, 2020 6:22 pm
Forum: Beginner Basics
Topic: IPv6 setup problems
Replies: 8
Views: 384

Re: IPv6 setup problems

You shouldn't need "/ipv6 settings set accept-router-advertisements=yes", you'll get default route added by DHCPv6 client. It's slightly non-standard, but when DHCPv6 server is same as gateway (which in this case should be), it's ok. In DHCPv6 client, request=prefix should be enough, upstream connec...
by Sob
Sat Oct 10, 2020 1:17 pm
Forum: Beginner Basics
Topic: Port forwarding issues (SYN not getting acked)
Replies: 7
Views: 795

Re: Port forwarding issues (SYN not getting acked)

If you don't want to miss any packet, you can use logging rules like:
/ip firewall mangle
add action=log chain=postrouting dst-address=192.168.90.2
add action=log chain=prerouting src-address=192.168.90.2
and you'll be able to see all requests and responses (or lack of them). Adding in-interface won...
by Sob
Sat Oct 10, 2020 3:42 am
Forum: Beginner Basics
Topic: Port forwarding issues (SYN not getting acked)
Replies: 7
Views: 795

Re: Port forwarding issues (SYN not getting acked)

Last dstnat rule doesn't look right, you probably want dst-port=8080 and not src-port=8080. There's nothing wrong with other two, but as they are going to different address, maybe it's problem with that device. It could be missing default gateway via this router or firewall on device.
by Sob
Fri Oct 09, 2020 10:09 pm
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

It's related to stateful firewall. Icmp doesn't have connections as such, but firewall sees it that way. The initial ping packet (icmp echo request) has connection-state=new, so first rule for established & friends doesn't match and it continues further until it reaches rule allowing icmpv6 and is ac...
by Sob
Fri Oct 09, 2020 8:52 pm
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

If you want more selective logging:
/ipv6 firewall mangle
add action=jump chain=prerouting jump-target=icmp protocol=icmpv6
add action=jump chain=postrouting jump-target=icmp protocol=icmpv6
add action=jump chain=input jump-target=icmp protocol=icmpv6
add action=jump chain=output jump-target=icmp pr...
by Sob
Fri Oct 09, 2020 7:53 pm
Forum: Beginner Basics
Topic: VPN IPSec
Replies: 4
Views: 248

Re: VPN IPSec

Proposal in RouterOS = phase 2 elsewhere, so make sure you have matching parameters.
by Sob
Fri Oct 09, 2020 7:47 pm
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

If you want to see packets in input, you have to communicate with address on router (ping it, connect to it). And if you want to see what router does with icmp, then you can use e.g.:
/ipv6 firewall mangle
add chain=prerouting protocol=icmpv6 action=log
add chain=postrouting protocol=icmpv6 action=l...
by Sob
Fri Oct 09, 2020 7:38 pm
Forum: Beginner Basics
Topic: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]
Replies: 15
Views: 512

Re: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]

In this case it doesn't matter, because it's default route to 0.0.0.0/0, which covers every possible address, so lookup will always succeed in this table and router won't be looking elsewhere.
by Sob
Fri Oct 09, 2020 4:36 pm
Forum: Beginner Basics
Topic: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]
Replies: 15
Views: 512

Re: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]

My understanding, possibly incorrect, was that if you'd create vlan for this, it would be e.g. one port on switch, where if you'd plug in some device, it would use ISP2 to access internet. So there would be another subnet in this vlan, and anything coming from there would use ISP2's routing table. W...
by Sob
Fri Oct 09, 2020 4:16 pm
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

Sorry, my knowledge has some limits. I never studied how exactly conntrack works with related connections. I'm sure that multiple tcp connections are not seen as related (except ftp). They may be related from application's perspective, but router has no way of knowing that. But I can't tell you all ...
by Sob
Fri Oct 09, 2020 4:05 pm
Forum: Beginner Basics
Topic: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]
Replies: 15
Views: 512

Re: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]

Yes. But @anav didn't want mangle rules. Aside from that, I don't like action=route much, it feels like kind of rough shortcut to me. There's nothing wrong with it, but there's no flexibility, it's just one hardcoded gateway and that's it. If you'd want e.g. failover, you can't have it with this. I lik...
by Sob
Fri Oct 09, 2020 4:26 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

If you have rules with connection-mark=no-mark, it has similar effect; connection-state=new may be a bit more efficient, but it's again just a guess and you'd have to come with some reliable testing and measure it. 'Related' is how conntrack sees it. For example ftp's data connection is related to c...
by Sob
Fri Oct 09, 2020 2:19 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

You have packet from device in LAN going to some public address, so it gets connection mark (and later also routing mark based on connection mark). But this packet has low ttl and it expires while passing through router, so router sends icmp ttl exceeded packet to inform client about it. This new pa...
by Sob
Fri Oct 09, 2020 1:25 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

I don't think you want anything with src/dst-address-type here. If it's dst-address-type=!local, it's useless, because it matches almost all packets, except some rare ones sent by router to itself. And src-address-type=!local would break the main purpose of these rules, because everything in output ...
by Sob
Fri Oct 09, 2020 12:58 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

It should be:
connmark-out output: in:(unknown 0) out:<interface>, proto ICMP (type 11, code 0), <router's LAN address>-><client's LAN address>, len <x>
And number of logged packets depends on how many are sent with each TTL. My traceroute uses three and mtr keeps sending them until stopped. Routin...
by Sob
Fri Oct 09, 2020 12:24 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

Rule for testing:
/ip firewall mangle
add chain=output protocol=icmp connection-mark=!no-mark action=log log-prefix=connmark-out
It should log three packets when you do traceroute.
by Sob
Fri Oct 09, 2020 12:09 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

... when the ICMP DST is to the router itself ... It's not. When doing traceroute to x.x.x.x, destination is always x.x.x.x. Only TTL differs, it starts at 1 and increases. You get responses from routers on the way, informing you that TTL expired. One way to solve this is routing rules I mentioned,...
by Sob
Thu Oct 08, 2020 11:05 pm
Forum: Beginner Basics
Topic: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]
Replies: 15
Views: 512

Re: Dual ISP - Need One PC on the Secondary FailOver [SOLVED]

Something like this should do the trick:
/ip route rule
add action=lookup interface=<your new special vlan> table=<routing table containing default route to secondary ISP>
by Sob
Thu Oct 08, 2020 8:41 pm
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

I don't remember this exactly and I don't have time to play with it now, but I think that icmp packets for exceeded TTL may inherit either connection or routing mark from original packet. Which does have it, because it's outgoing packet to some external address, so PCC rules applied to it. You can t...
by Sob
Thu Oct 08, 2020 8:21 pm
Forum: Beginner Basics
Topic: Access mikrotik router behind a modem
Replies: 6
Views: 269

Re: Access mikrotik router behind a modem

- You're connecting to address on router's WAN port, i.e. 192.168.1.2 and not some 192.168.20.x, right?
- Can you ping this address from PC 192.168.1.3?
- Order of rules matters, they are processed from top to bottom, so did you put the new one somewhere before the one that blocks access from WAN?
by Sob
Thu Oct 08, 2020 1:19 pm
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

Input is traffic to router itself, and all responses to outgoing connections initiated by router are accepted by first rule with connection-state=established,related,untracked (if you fixed it like I wrote). So it's quite normal to not have much traffic for others. Ping router's address and you'll g...
by Sob
Thu Oct 08, 2020 1:01 pm
Forum: General
Topic: DoH config ignores local static entries
Replies: 7
Views: 602

Re: DoH config ignores local static entries

You're right, I confused it with FWD records. Simple ones should work (and do work for me).

Followup post with additional description: viewtopic.php?p=798048#p798048
by Sob
Thu Oct 08, 2020 2:18 am
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

Try ping to your address from outside. If you don't have any device from which you can test it, there are various websites that offer pings from their servers. DNS doesn't have to do anything with transport protocol used by server. Client device asks for A or AAAA records depending on what protocol ...
by Sob
Thu Oct 08, 2020 2:04 am
Forum: General
Topic: Mikrotik routers - Firewall?
Replies: 9
Views: 410

Re: Mikrotik routers - Firewall?

Consumer, enterprise, it doesn't mean much. And it's not like there's consensus about what product is what grade anyway. RouterOS is nice and very flexible, at least when compared to many other routers. But it's still closed system, it doesn't have everything, so if you're missing some feature, you'...
by Sob
Thu Oct 08, 2020 12:36 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

Well, that's a question. I can skip some conditions in mangle rules, so that may lower CPU usage a bit (or may not, it depends on the order in which conditions are evaluated). Routing rules will undoubtedly add some processing, but routing should be the most optimized part of system, so it shouldn't...
by Sob
Thu Oct 08, 2020 12:23 am
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

The rules are same for all devices, so if one works and another doesn't, I'd focus on that device. Packet sniffer is your friend, you can verify what is coming to device, if it responds to it, etc.
by Sob
Thu Oct 08, 2020 12:16 am
Forum: Beginner Basics
Topic: Noob to Mikrotek -Need some assistance [SOLVED]
Replies: 2
Views: 206

Re: Noob to Mikrotek -Need some assistance [SOLVED]

You may be slightly disappointed there (and that's optimistic view). It's possible to watch interfaces in real time. Then there are bandwidth graphs for interfaces, but nothing really exciting. And that's it, no built-in detailed per-device/IP monitoring. It would be possible to get similar graphs f...
by Sob
Wed Oct 07, 2020 11:52 pm
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

No, this "local" means only addresses on router, nothing with subnets. I don't think there's one perfect config, there may be some as good starting point, but different people need different things. Most important is to understand what it does, why and how. MikroTik's example tries to explain that a...
by Sob
Wed Oct 07, 2020 10:17 pm
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

It depends where those public addresses are. If they are directly on your router, they are already excluded from marking, if you kept PCC rules with dst-address-type=!local from example. If it's NAT 1:1 and they are in fact elsewhere, you'd need to exclude them too, and additionally add routes to th...
by Sob
Wed Oct 07, 2020 6:42 am
Forum: General
Topic: Firewall rule base on connection
Replies: 2
Views: 167

Re: Firewall rule base on connection

You're looking for connection-state option. Simplified example: /ip firewall filter add chain=forward connection-state=established,related,untracked action=accept add chain=forward connection-state=invalid action=drop add chain=forward in-interface=ether1 out-interface=ether2 action=accept add chain...
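The rule set the reply above starts with (and the search listing cuts off) in a complete form, as an added example rather than the post's own text or MikroTik's default configuration. It assumes RouterOS v6 syntax and interface lists named LAN and WAN, as created by the default configuration.

```routeros
/ip firewall filter
# Rule order is the whole point: conntrack state is checked before any policy.
# 1. Packets belonging to connections conntrack already knows, plus traffic
#    deliberately excluded from tracking, are accepted first.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="stateful: accept known connections"
# 2. Packets that fit no known connection (bad sequence numbers, late
#    retransmits, spoofed replies) are dropped before any policy rule.
add chain=forward action=drop connection-state=invalid \
    comment="stateful: drop invalid"
# 3. From here on only connection-state=new packets remain, so the policy
#    rules only have to decide who may *open* a connection to whom.
add chain=forward action=accept connection-state=new in-interface-list=LAN \
    out-interface-list=WAN comment="policy: LAN may open connections to WAN"
# 4. New connections from WAN are accepted only when a dstnat rule rewrote
#    them (a deliberate port forward), never to arbitrary LAN hosts.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="policy: accept port-forwarded connections"
# 5. Explicit default deny. A RouterOS chain with no matching rule accepts
#    the packet, so without this rule every unlisted direction is allowed.
add chain=forward action=drop comment="policy: drop everything else"
```

Rules 1 and 2 carry almost all traffic, which is why they sit first; rules 3 to 5 are the only ones that express policy, and adding a new permitted direction means adding one more connection-state=new rule above the final drop.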
by Sob
Wed Oct 07, 2020 2:43 am
Forum: General
Topic: DoH config ignores local static entries
Replies: 7
Views: 602

Re: DoH config ignores local static entries

It's definitely known. In my opinion it's either a bug or a weird feature. I don't remember any official comment from MikroTik on how they see it.
by Sob
Wed Oct 07, 2020 12:51 am
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

Then also check firewall on those devices. I don't know about Mac, but if the testing site sends echo request (ping), then Windows blocks it by default.
by Sob
Wed Oct 07, 2020 12:37 am
Forum: General
Topic: DNAT is changing the src IP to look like the Router's LAN IP
Replies: 12
Views: 425

Re: DNAT is changing the src IP to look like the Router's LAN IP

It should be possible, you can find PASV command in RFC 765 from 1980. So if the client doesn't support it, vendor definitely did something wrong. :)
by Sob
Wed Oct 07, 2020 12:29 am
Forum: General
Topic: Is it possible to create pure L2 ovpn tunnel?
Replies: 2
Views: 410

Re: Is it possible to create pure L2 ovpn tunnel?

I'm not sure if it's just RouterOS. I remember (well, vaguely, it was very long time ago, so I can be mistaken) that I had problem with getting rid of addresses even with original OpenVPN. You can test if it's possible with that and only RouterOS is doing something unexpected, or if perhaps addresse...
by Sob
Wed Oct 07, 2020 12:23 am
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

With original config, router accepted *all* traffic to itself, it didn't block anything at all. And forwarded traffic could be affected only by: /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid So you can try to temporarily disable this rul...
by Sob
Wed Oct 07, 2020 12:16 am
Forum: General
Topic: DNAT is changing the src IP to look like the Router's LAN IP
Replies: 12
Views: 425

Re: DNAT is changing the src IP to look like the Router's LAN IP

Active mode (with PORT command) means that client tells server to what address and port it should connect for data connection. The thing in its original form is completely incompatible with NAT, because client knows only about own local address and sends that to server. And of course server can't co...
by Sob
Wed Oct 07, 2020 12:03 am
Forum: Beginner Basics
Topic: Mikrotik hAP mini as l2tp ipsec client behind nat
Replies: 7
Views: 344

Re: Mikrotik hAP mini as l2tp ipsec client behind nat

NAT on VPN client is one way. Other is proper routing, on server you'd add route to client's LAN ("Routes" in PPP secret).
by Sob
Tue Oct 06, 2020 10:51 pm
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

I missed a thing, you broke default config. This rule:
/ipv6 firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=established,related,untracked
should have action=accept (and comment is wrong too).
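The corrected rule in the context of a minimal stateful IPv6 input chain, as an added example; it is neither the original post nor the verbatim default configuration, and it assumes the interface list LAN from the default configuration.

```routeros
/ipv6 firewall filter
# As posted, the first rule reads
#   add action=drop chain=input connection-state=established,related,untracked
# which drops every reply the router itself is waiting for. Corrected order:
add action=accept chain=input connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add action=drop chain=input connection-state=invalid comment="drop invalid"
# IPv6 cannot work without ICMPv6 (neighbor discovery, router advertisements,
# path MTU discovery), so it is accepted before the final drop.
add action=accept chain=input protocol=icmpv6 comment="accept ICMPv6"
# The DHCPv6 client on the WAN side receives replies from the ISP's
# link-local address to UDP/546.
add action=accept chain=input protocol=udp dst-port=546 src-address=fe80::/10 \
    comment="accept DHCPv6 client replies"
# Without a closing drop the chain ends in an implicit accept and the router
# takes any connection to itself from the internet, which is the situation
# this thread started from.
add action=drop chain=input in-interface-list=!LAN \
    comment="drop everything else not coming from LAN"
```

The quick check after pasting is `/ipv6 firewall filter print stats chain=input`: the accept rule for established connections should be the one whose counters climb, and the final drop should only count traffic from the WAN side.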
by Sob
Tue Oct 06, 2020 10:40 pm
Forum: Beginner Basics
Topic: Mikrotik hAP mini as l2tp ipsec client behind nat
Replies: 7
Views: 344

Re: Mikrotik hAP mini as l2tp ipsec client behind nat

If you don't use VPN as gateway, internet traffic uses client's default connection, the same one that's used to connect to VPN server. If you want to route everything through VPN, select "Add Default Route" in client's VPN config. And then you have to configure server to allow it to go out to intern...
by Sob
Tue Oct 06, 2020 10:14 pm
Forum: General
Topic: DNAT is changing the src IP to look like the Router's LAN IP
Replies: 12
Views: 425

Re: DNAT is changing the src IP to look like the Router's LAN IP

Not enough info. Illegal PORT command is most likely a private address in it. No sane client should be using active mode (PORT) in the first place. Routers (in this case it would be client's router) usually transparently deal with it, but it requires plaintext unencrypted FTP on standard port 21. It's ...
by Sob
Tue Oct 06, 2020 8:45 pm
Forum: General
Topic: DNAT is changing the src IP to look like the Router's LAN IP
Replies: 12
Views: 425

Re: DNAT is changing the src IP to look like the Router's LAN IP

Then for outgoing connections you want: /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 And if you need hairpin NAT (to be able to connect from LAN to service on one of your public addresses, e.g. to 1.2.3.61:22), you need additional: /ip firewall nat add action=masquerade c...
by Sob
Tue Oct 06, 2020 8:40 pm
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 1680

Re: IPV6 Firewall [SOLVED]

I don't see anything breaking icmpv6. But the very first rule makes all other chain=input rules useless, because it accepts everything. And the second-to-last rule allows incoming connections to LAN, which you may or may not want, but if you do, then the last rule is useless.
by Sob
Tue Oct 06, 2020 8:19 pm
Forum: General
Topic: DNAT is changing the src IP to look like the Router's LAN IP
Replies: 12
Views: 425

Re: DNAT is changing the src IP to look like the Router's LAN IP

And what do you think this does?
/ip firewall nat
add action=masquerade chain=srcnat
It's not dstnat, it's this rule masquerading every single connection, which wasn't matched by any previous srcnat rule.
by Sob
Tue Oct 06, 2020 7:55 pm
Forum: General
Topic: NFS connection
Replies: 1
Views: 154

Re: NFS connection

If there's NFS support in RouterOS, then it's extremely well hidden, I haven't seen anything like that in more than ten years. So for me the more likely explanation is that it isn't there.
by Sob
Tue Oct 06, 2020 6:17 am
Forum: General
Topic: Connect to router winbox over ssh tunnel [SOLVED]
Replies: 2
Views: 378

Re: Connect to router winbox over ssh tunnel [SOLVED]

Works for me. RouterOS accepts WinBox connections by default, so if you didn't limit access in "/ip services", didn't block it using firewall, or aren't doing some mistake on client side, it should work for you too. Make this your first mangle rule and you'll see if any connection attempt reaches th...
by Sob
Mon Oct 05, 2020 7:28 pm
Forum: General
Topic: Hiarpin NAT
Replies: 10
Views: 442

Re: Hiarpin NAT

I did something similar somewhere, in prerouting I marked connections to router (dst-address-type=local) and when they appeared in srcnat, I knew that they didn't really go to router, which must have been caused by dstnat (or ghosts :). But as you write, connection marks are too valuable for this, p...
by Sob
Mon Oct 05, 2020 7:05 pm
Forum: Scripting
Topic: Force router to reboot in 5 or 10 minutes from now [SOLVED]
Replies: 6
Views: 393

Re: Force router to reboot in 5 or 10 minutes from now [SOLVED]

You can put "/system reboot" in scheduler and select start time ten minutes in future.
by Sob
Mon Oct 05, 2020 7:01 pm
Forum: General
Topic: Hiarpin NAT
Replies: 10
Views: 442

Re: Hiarpin NAT

Normally you can live without it, because router won't send such packets anywhere else. But it doesn't hurt when it's there and in some cases (e.g. overlapping subnet for VPN clients) you'd want it. Ideally I'd want to use connection-nat-state=dstnat, to match only dstnatted connections, but it's no...
by Sob
Mon Oct 05, 2020 12:03 pm
Forum: Forwarding Protocols
Topic: Plex Server Firewall Rules
Replies: 11
Views: 443

Re: Plex Server Firewall Rules

Take anav's "flaming ass" avatar as hint/warning. :)
by Sob
Mon Oct 05, 2020 1:00 am
Forum: General
Topic: Strange DNS queries over PPTP VPN
Replies: 11
Views: 508

Re: Strange DNS queries over PPTP VPN

I'm still not sure what's the point of this feature. At first, when you just read the name and don't know what it does, it sounds interesting. My idea was that it could be used as a simple way how to detect what WAN port actually has working internet access, and replace other solutions like recursiv...
by Sob
Sun Oct 04, 2020 10:02 pm
Forum: Forwarding Protocols
Topic: Plex Server Firewall Rules
Replies: 11
Views: 443

Re: Plex Server Firewall Rules

It means that no packet from internet (to this port) reached your router. That public address, is it directly on your router or somewhere else, e.g. some modem from which you're forwarding ports to router? If the latter, is that configured correctly? Is "1wan" really your WAN interface? Can't there ...
by Sob
Sun Oct 04, 2020 8:45 pm
Forum: Forwarding Protocols
Topic: Plex Server Firewall Rules
Replies: 11
Views: 443

Re: Plex Server Firewall Rules

If your WAN interface (connection to internet) is named "1wan", then it should work. Does the rule have any hits (look at its packet counter)?
by Sob
Sun Oct 04, 2020 7:57 pm
Forum: General
Topic: Dark places in the RBcAPGi-5acD2nD / cAP ac rescue [SOLVED]
Replies: 5
Views: 538

Re: Dark places in the RBcAPGi-5acD2nD / cAP ac rescue [SOLVED]

I don't use Safe Mode often, but it definitely has button in WinBox and it worked when I tried it. You still have to be careful when using it, because if you enable it and forget to disable it, you can lose quite a lot of changes when you finally cut yourself off. :)
by Sob
Sun Oct 04, 2020 7:46 pm
Forum: Forwarding Protocols
Topic: Plex Server Firewall Rules
Replies: 11
Views: 443

Re: Plex Server Firewall Rules

At first sight it looks like default config with one added simple dstnat rule, nothing clearly wrong. Does your router have public address? Not 192.168.x.x, 10.x.x.x, 172.16-31.x.x, 100.64-127.x.x, and with incoming connections not blocked by ISP?
by Sob
Sun Oct 04, 2020 7:33 pm
Forum: General
Topic: Hiarpin NAT
Replies: 10
Views: 442

Re: Hiarpin NAT

You could also use DDNS (RouterOS has it built-in in IP->Cloud) and add hostname to list instead of address. That way you won't have to do anything even when it changes. Although if it happens that rarely, what you have now is probably good enough too. Maybe even safer, in case there's some problem ...
by Sob
Sun Oct 04, 2020 12:50 am
Forum: Wireless Networking
Topic: ACCESS LIST vs CONNECT LIST
Replies: 11
Views: 436

Re: ACCESS LIST vs CONNECT LIST

Yes (I never did anything with signal strength myself, but I guess it probably does what you want).
by Sob
Sat Oct 03, 2020 9:39 pm
Forum: General
Topic: Hiarpin NAT
Replies: 10
Views: 442

Re: Hiarpin NAT

You're mixing different things. You don't need any extra dstnat rules, just fix original ones, in this case replace them with the new ones you added. Using in-interface-list=WAN is ugly shortcut, and it's self-explanatory, it only works for connections from WAN. Rules with dst-address=1.1.1.1 work f...
by Sob
Sat Oct 03, 2020 8:19 pm
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

If your "not_in_internet" list contains 10.0.0.0/8, then it's already solved by that. If you ping ISP's gateway 10.x.x.x from LAN, it won't get marked and router will use main routing table. About combination of PCC and Nth, there's probably no reason why it wouldn't work, but whether it does anythi...
by Sob
Sat Oct 03, 2020 7:11 pm
Forum: Wireless Networking
Topic: ACCESS LIST vs CONNECT LIST
Replies: 11
Views: 436

Re: ACCESS LIST vs CONNECT LIST

Access list = when wireless interface is AP, what clients are allowed to connect
Connect list = when wireless interface is client, to what APs it should connect
by Sob
Sat Oct 03, 2020 7:05 pm
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

I meant traceroute to ISP's gateway, which should always have only two hops, first your router and then ISP's gateway right behind it. But even if you have it wrong, you still have 50% chance that it will work correctly, because it will get mark for right ISP. I'm sure you can live without these rul...
by Sob
Sat Oct 03, 2020 6:41 pm
Forum: General
Topic: ipv6 issue behind modem router.
Replies: 23
Views: 837

Re: ipv6 issue behind modem router.

You also seem to keep inventing semi-random prefixes. You can't do that, you have to use only what ISP gives you. And unless you got some static prefix (they would tell you about it), you can't manually configure any prefix or address anywhere.
by Sob
Sat Oct 03, 2020 4:56 am
Forum: General
Topic: Dark places in the RBcAPGi-5acD2nD / cAP ac rescue [SOLVED]
Replies: 5
Views: 538

Re: Dark places in the RBcAPGi-5acD2nD / cAP ac rescue [SOLVED]

I don't know specifically about cAP, but default config usually uses ether1 as WAN port. So it will get address from DHCP, default route will point there, and it won't accept any incoming connections, because you don't want evil hackers from internet playing with your router. If you are making dange...
by Sob
Sat Oct 03, 2020 4:43 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

1) I don't know what exactly you have, but it's also possible that ping is taking a little longer path. Check what traceroute shows. Let's say the gateway for ISP1 is public address and you try to ping it from device in LAN. If you mark this outgoing ping with ISP2 mark and you don't exclude it in a...
by Sob
Sat Oct 03, 2020 2:17 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

1) It's to allow devices in LAN to access anything in those subnets. Ping ISP's gateway, access modem configuration, if you're connected behind one, etc. If you don't need any of that, you can live without these rules. 1.1) PPPoE has equivalent of lease script in PPP profile. 2) Yes. You can test it...
by Sob
Sat Oct 03, 2020 1:15 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 32
Views: 1377

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

1) "local" means any address assigned to router, it does not cover anything else, so if you don't want to break routing between other subnets, you have to deal with them too. 1.1) You can update rules from dhcp lease script. 2) Prerouting is for traffic from other devices. Output is for traffic from...
by Sob
Fri Oct 02, 2020 8:59 pm
Forum: General
Topic: ipv6 issue behind modem router.
Replies: 23
Views: 837

Re: ipv6 issue behind modem router.

And people say that RouterOS is confusing... yeah, right, compared to this it's clear as day. I found manual (https://www.wind.gr/files/1/Wind_v2/statheri/epipleon_ypiresies/devices/ZXHN_H108N(V2.5)_Home_Gateway_Maintenance_Management_Manual.pdf) and it's not very helpful either. It seems that this...
by Sob
Fri Oct 02, 2020 8:34 pm
Forum: General
Topic: ipv6 issue behind modem router.
Replies: 23
Views: 837

Re: ipv6 issue behind modem router.

Look in ZTE's Network->LAN->Prefix Delegation (or Static Prefix) menu, it could be the way how to delegate prefixes to LAN, and then RB's DHCPv6 client could get one.
by Sob
Thu Oct 01, 2020 7:25 pm
Forum: Beginner Basics
Topic: TP-Link router behind a MikroTik
Replies: 5
Views: 2268

Re: TP-Link router behind a MikroTik

Not troll, spammers, all three, spam links hidden behind pictures of RB. Sneaky bastards. :)
by Sob
Wed Sep 30, 2020 6:10 pm
Forum: Beginner Basics
Topic: L2tp/IPsec up but can't reach subnet (windows 10 client)
Replies: 3
Views: 172

Re: L2tp/IPsec up but can't reach subnet (windows 10 client)

I wouldn't say that it's too bad, but I'm leaning towards no. But don't think too much about it, it can work like this too (with the help of proxy ARP). The advantage is that if VPN client is connecting to devices in LAN, you don't need to worry about their firewalls, e.g. Windows by default allow a...
by Sob
Wed Sep 30, 2020 5:50 pm
Forum: Beginner Basics
Topic: CHR Router - 2 ISP Hetzner
Replies: 8
Views: 413

Re: CHR Router - 2 ISP Hetzner

If you want to route between the two subnets, you need to either exclude them from marking, add route(s) to them in other routing table(s), or use simple and foolproof (before all others): /ip route rule add action=lookup-only-in-table dst-address=116.202.xxx.xxx/29 table=main add action=lookup-only...
by Sob
Wed Sep 30, 2020 5:31 pm
Forum: Beginner Basics
Topic: L2tp/IPsec up but can't reach subnet (windows 10 client)
Replies: 3
Views: 172

Re: L2tp/IPsec up but can't reach subnet (windows 10 client)

It depends. In case the client gets IP address from LAN subnet, you need proxy ARP on LAN interface. Firewall can also be the cause.
by Sob
Wed Sep 30, 2020 5:28 pm
Forum: Beginner Basics
Topic: 2 ISP without Failover or LB
Replies: 3
Views: 182

Re: 2 ISP without Failover or LB

For start, decide how exactly you want to use them, you didn't write that.
by Sob
Wed Sep 30, 2020 5:19 pm
Forum: General
Topic: Reverse proxy (like nginx) in Mikrotik
Replies: 2
Views: 451

Re: Reverse proxy (like nginx) in Mikrotik

I wouldn't do it, except maybe for some light hobby use, but it's possible to misuse the built-in web proxy (only for http, not https):

https://wiki.mikrotik.com/wiki/Multiple_Web_Servers
by Sob
Wed Sep 30, 2020 5:08 pm
Forum: General
Topic: Mikrotik router authoritative DNS server
Replies: 2
Views: 277

Re: Mikrotik router authoritative DNS server

And what exactly are you trying to do? RouterOS itself can't be authoritative DNS server. But you can run one on another machine in LAN and forward ports to it from router (port 53, both tcp and udp).
by Sob
Sat Sep 26, 2020 10:50 pm
Forum: Beginner Basics
Topic: CHR Router - 2 ISP Hetzner
Replies: 8
Views: 413

Re: CHR Router - 2 ISP Hetzner

If it's all static, you can use routing rules, e.g.: /ip route rule add src-address=116.x.x.x/xx table=ISP2 Other way is to use firewall mangle: /ip firewall mangle add chain=prerouting src-address=116.x.x.x/xx action=mark-routing new-routing-mark=ISP2 The latter gives you more control, you can for ...
by Sob
Sat Sep 26, 2020 10:38 pm
Forum: RouterOS v7 BETA
Topic: Possible Feature Request Output NAT Reconnect
Replies: 3
Views: 356

Re: Possible Feature Request Output NAT Reconnect

Such behaviour could happen if R1 would try to send something to client as not part of established connection. So it can't happen with SSTP or TCP OpenVPN, because they use actual connection established from client to server. It could happen with UDP (with both OpenVPN and Wireguard), if conntrack's...
by Sob
Sat Sep 26, 2020 9:52 pm
Forum: RouterOS v7 BETA
Topic: Recovery from backup fails
Replies: 4
Views: 374

Re: Recovery from backup fails

It won't help you, but it's not completely and unconditionally broken in whole v7, I tried CHR and it worked with both encrypted and unencrypted backups. Just a simple config, but that shouldn't matter, it should simply restore all router's data files.
by Sob
Sat Sep 26, 2020 9:36 pm
Forum: Beginner Basics
Topic: A routing conundrum
Replies: 10
Views: 532

Re: A routing conundrum

Decide if you want to: a) route everything from client to vpn server (use it as default gateway) - for RouterOS change primary default route's distance to 2, then when vpn adds new one with distance 1, it will be active instead - you already have that on Windows b) use vpn to only access selected re...
by Sob
Sat Sep 26, 2020 9:12 pm
Forum: Beginner Basics
Topic: Port fowarding to unraid openvpn
Replies: 15
Views: 513

Re: Port fowarding to unraid openvpn

My IP is dynamic WANIP
Is it also public? I.e. not 192.168.x.x, 10.x.x.x, 172.16-31.x.x, 100.64-127.x.x.

When you're trying to connect from outside, is dstnat rule's packet counter increasing?
by Sob
Sat Sep 26, 2020 9:03 pm
Forum: General
Topic: Request for Temporary Mitigation Guide/Official Patch for CVE-2020-12695
Replies: 3
Views: 512

Re: Request for Temporary Mitigation Guide/Official Patch for CVE-2020-12695

It seems that there's some mechanism in UPnP, where client can subscribe to some events and specify callback url that will be called by server. And this url can be anything. It doesn't seem to be necessarily related to port forwarding, which is why you'd use UPnP on router. So the trouble is not jus...
by Sob
Sat Sep 26, 2020 7:04 pm
Forum: Beginner Basics
Topic: A routing conundrum
Replies: 10
Views: 532

Re: A routing conundrum

Few things: - clients' 10.2.0.x are only point to point /32 addresses, so other 10.2.0.y are not automatically reachable as part of same subnet, they are routed via B - client A has default route via VPN and it's ok - client C has it too, but it's not active, everything uses 10.81.91.33 as gateway -...
by Sob
Sat Sep 26, 2020 6:18 pm
Forum: Beginner Basics
Topic: 80 port and others [SOLVED]
Replies: 5
Views: 430

Re: 80 port and others [SOLVED]

If you have: /ip firewall nat add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=<server IP> to-ports=80 then it's what I described, the condition is only for tcp and port 80 and it matches also outgoing traffic from LAN to internet. You need to limit it a little more. If you have...
by Sob
Fri Sep 25, 2020 10:05 pm
Forum: Forwarding Protocols
Topic: Winbox ports [SOLVED]
Replies: 3
Views: 236

Re: Winbox ports [SOLVED]

If you didn't change it (in IP->Services), default for WinBox is tcp port 8291.
by Sob
Fri Sep 25, 2020 9:59 pm
Forum: Beginner Basics
Topic: 80 port and others [SOLVED]
Replies: 5
Views: 430

Re: 80 port and others [SOLVED]

Start with posting what exactly you have now. Common problem is missing condition for original destination and dstnat rule then applies not only to incoming, but also to outgoing traffic. But RouterOS offers many ways how you can misconfigure something, so it's better to see what exactly it is, rath...
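The "missing condition for original destination" problem from the two replies above, together with the hairpin NAT rules from the earlier DNAT reply, as one added example that is not the posts' own configuration. Assumptions: LAN 192.168.88.0/24 on interface `bridge`, WAN on ether1, the internal web server at 192.168.88.10; the public address 1.2.3.61 is the one the hairpin reply uses.

```routeros
/ip firewall nat
# Outbound: masquerade everything leaving through the WAN interface.
add chain=srcnat out-interface=ether1 action=masquerade comment="outbound NAT"

# WEAK (do not use): matches *every* TCP/80 packet entering the dstnat chain,
# including a LAN client browsing any website, so the whole LAN's web traffic
# is silently redirected to the internal server:
#   add chain=dstnat protocol=tcp dst-port=80 action=dst-nat \
#       to-addresses=192.168.88.10 to-ports=80

# CORRECTED: only packets whose original destination is the public address
# are rewritten. Matching the address instead of in-interface=ether1 also
# covers LAN clients connecting to the public address (hairpin), which an
# interface match would miss.
add chain=dstnat dst-address=1.2.3.61 protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.88.10 to-ports=80 comment="forward tcp/80 to web server"

# HAIRPIN: a LAN client connecting to 1.2.3.61 is dst-natted to the server,
# which would answer the client directly (same subnet) from its private
# address; the client never sent anything there and drops the reply.
# Masquerading LAN->LAN traffic that passed through the router makes the
# server answer via the router, which un-NATs it. Only hairpinned
# connections traverse the router within one subnet, so nothing else matches.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    out-interface=bridge action=masquerade comment="hairpin NAT"

# Dynamic public address: match an address list instead and put the router's
# IP->Cloud DDNS name in it (RouterOS resolves FQDN entries itself), then use
# dst-address-list=public-ip in the dstnat rule. Hostname is a placeholder.
#   /ip firewall address-list add list=public-ip address=<ddns-hostname>

# CHECK 1: the dstnat rule's counters must move while you connect from outside.
#   /ip firewall nat print stats where chain=dstnat
# CHECK 2: if they don't, see whether tcp/80 from WAN reaches the router at
# all. Mangle prerouting runs before dstnat, so it still sees the original
# destination port.
/ip firewall mangle
add chain=prerouting in-interface=ether1 protocol=tcp dst-port=80 action=log \
    log-prefix="probe-tcp80" place-before=0 comment="probe: tcp/80 arriving from WAN"
#   /log print where message~"probe-tcp80"
```

If the probe logs nothing, the packets never arrive (ISP filtering, or the public address sits on a modem in front of the router that forwards nothing), and no firewall change on the router will help. Remove the probe rule once the forward works; logging every SYN on a public port is a cheap way to fill the log.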
by Sob
Thu Sep 24, 2020 4:41 pm
Forum: RouterBOARD hardware
Topic: hAP ac³ switch chip?
Replies: 11
Views: 1061

Re: hAP ac³ switch chip?

(maybe it could be done by clever software that uses VLAN numbers you are not using yourself...) Or have optional "VLAN-only mode", where I'd lose individual ports and all access would be done using VLANs, i.e. the same thing that's done now internally, but controlled by user. The difference would ...
by Sob
Thu Sep 24, 2020 4:32 pm
Forum: General
Topic: Change Request DHCP Client: Assign Dynamic Route to Interface
Replies: 3
Views: 353

Re: Change Request DHCP Client: Assign Dynamic Route to Interface

The request makes sense if you need such thing, which may be common for notebooks, but not so much for routers, they tend to have more static config. And even when they don't, being connected to same network using ethernet and wifi at the same time seems quite unusual for router. So I'm not sure if ...
by Sob
Thu Sep 24, 2020 4:16 pm
Forum: RouterBOARD hardware
Topic: hAP ac³ switch chip?
Replies: 11
Views: 1061

Re: hAP ac³ switch chip?

It's been suggested several times that these switches are actually quite capable, and it's just MikroTik not squeezing out the maximum from them. It's hard to tell for me if it's true or not. According to datasheets I can find on internet, it does seem so, but I don't know if perhaps there are some ...
by Sob
Thu Sep 24, 2020 5:29 am
Forum: General
Topic: DNS server selection based on Layer7 - viable?
Replies: 9
Views: 595

Re: DNS server selection based on Layer7 - viable?

@neutronlaser: It doesn't work that way, RouterOS will switch between multiple servers all the time.
by Sob
Thu Sep 24, 2020 5:27 am
Forum: General
Topic: DNS server selection based on Layer7 - viable?
Replies: 9
Views: 595

Re: DNS server selection based on Layer7 - viable?

Your regexp can have tons of false positives, it will basically match any packet containing "testdomain" anywhere. For start, when you have dots in name, they are not dots in packets, but it's a number containing length of following part, e.g. <10>testdomain<5>local<0>, and last one is null byte, bu...
by Sob
Thu Sep 24, 2020 5:00 am
Forum: General
Topic: DNS server selection based on Layer7 - viable?
Replies: 9
Views: 595

Re: DNS server selection based on Layer7 - viable?

I can't make the MikroTik the DNS server because it isn't part of the Active Directory domain, ... Wouldn't the new (6.47+) forwarding work for you? Make RB DNS server, but forward selected stuff elsewhere: /ip dns static add forward-to=<AD DNS server> regexp="\\.ad\\.domain\\.tld\$" type=FWD And e...
by Sob
Wed Sep 23, 2020 4:19 pm
Forum: RouterOS v7 BETA
Topic: Possible Feature Request Output NAT Reconnect
Replies: 3
Views: 356

Re: Possible Feature Request Output NAT Reconnect

You should probably explain in more details what's the problem. I'm trying to understand it, but no luck so far.
by Sob
Wed Sep 23, 2020 4:15 pm
Forum: General
Topic: [FEATURE REQUEST] User Interface Overhaul?
Replies: 10
Views: 639

Re: [FEATURE REQUEST] User Interface Overhaul?

If you have at least basic understanding of network stuff, then WinBox is intuitive, the structure is mostly logical and you can configure almost anything you want. Some things can be improved (like already mentioned bridge vlans), but otherwise it's perfect, sitting nicely between all-powerful raw...
by Sob
Sat Sep 19, 2020 5:54 pm
Forum: Beginner Basics
Topic: Port fowarding to unraid openvpn
Replies: 15
Views: 513

Re: Port fowarding to unraid openvpn

Ok, I need bigger glasses, of course it should be dst-port=1194 in dstnat rule. On the other hand, posted rule should forward all ports to 1194, so connection to OpenVPN server should still work, even if it's wrong. @anav: Suggestion, when pointing out mistakes, it's good to tell if it's related to ...
by Sob
Sat Sep 19, 2020 5:14 pm
Forum: Beginner Basics
Topic: Port fowarding to unraid openvpn
Replies: 15
Views: 513

Re: Port fowarding to unraid openvpn

Ok, I checked the rest, but I don't see anything wrong, it's just default config. So if you have public IP address, either directly on router, or at least somewhere else (modem or another ISP's router) with port(s) forwarded to your router, it should work. As a first step, check if your dstnat rule ...
by Sob
Sat Sep 19, 2020 3:33 pm
Forum: Beginner Basics
Topic: Port fowarding to unraid openvpn
Replies: 15
Views: 513

Re: Port fowarding to unraid openvpn

I didn't examine the rest, but remove dst-address=0.0.0.0 from dstnat rule, that's clearly wrong.
by Sob
Fri Sep 18, 2020 8:43 pm
Forum: Beginner Basics
Topic: Mikrotik hAP mini as l2tp ipsec client behind nat
Replies: 7
Views: 344

Re: Mikrotik hAP mini as l2tp ipsec client behind nat

Of course not, L2TP/IPSec works behind NAT. It's just missing route. If you don't use VPN as gateway, you need route to remote network: /ip route add dst-address=192.168.40.0/24 gateway=l2tp-out1 Because by default you get only point to point route between client and server. Btw, that thing with rou...
by Sob
Fri Sep 18, 2020 2:55 pm
Forum: General
Topic: DNS forward based on domain name
Replies: 29
Views: 8563

Re: DNS forward based on domain name

Yes, that's the one.
by Sob
Fri Sep 18, 2020 1:47 pm
Forum: General
Topic: DNS forward based on domain name
Replies: 29
Views: 8563

Re: DNS forward based on domain name

The one in wiki is ok, it will forward queries for <anything>.example.com to 10.0.0.1, assuming that you don't have another matching regexp before this, and if you don't use DoH (because for some strange unexplained reason RouterOS ignores FWD when DoH is used).
by Sob
Thu Sep 17, 2020 6:03 pm
Forum: Beginner Basics
Topic: Can I use single word to resolve to IP address with Static DNS?
Replies: 5
Views: 315

Re: Can I use single word to resolve to IP address with Static DNS?

It's not RouterOS. If client asks for "nas", RouterOS will be happy to answer. Problem is, client is probably asking for nas.<somedomain>, as described in previous post. You can set that domain for LAN in DHCP server, then add static addresses under this domain, and it will work, because client will...
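The DHCP-domain point above, the FWD static entry from the Layer7 thread and the DoH caveat from the "DNS forward based on domain name" thread combined into one added configuration example (not the posts' own). Assumptions: LAN 192.168.88.0/24 with the router at 192.168.88.1, DHCP domain home.lan, a NAS at 192.168.88.10, an AD domain ad.example.com with its domain controller at 192.168.88.5, and 9.9.9.9 as a placeholder upstream resolver.

```routeros
# The router is the LAN's only resolver; clients learn it, and the search
# domain they append to single-label names, from DHCP.
/ip dhcp-server network
set [find address=192.168.88.0/24] dns-server=192.168.88.1 domain=home.lan
/ip dns
# allow-remote-requests=yes answers anyone who can reach port 53 on the
# router, so the input chain must drop 53/udp and 53/tcp from WAN (the
# default configuration's "drop everything else not coming from LAN" does)
# or the router becomes an open resolver.
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
# A client typing "nas" actually queries nas.home.lan, so the static entry
# must carry the DHCP domain; a bare name=nas would never be asked for.
add name=nas.home.lan address=192.168.88.10 comment="local NAS"
# Names ending in .ad.example.com are forwarded to the domain controller
# (type=FWD, RouterOS 6.47+); every other name still goes to the upstream
# servers. Backslashes are doubled for the CLI, as in the post.
add type=FWD forward-to=192.168.88.5 regexp="\\.ad\\.example\\.com\$" \
    comment="forward AD zone to DC"
# Caveat from the DoH thread: with use-doh-server set, RouterOS (6.47/6.48
# at the time of these posts) ignores FWD entries, so DoH stays off here.
```

Verify from a LAN host with `nslookup nas` (should return 192.168.88.10 via the appended search domain) and `nslookup dc1.ad.example.com 192.168.88.1` (should be answered by the DC's data); `/ip dns cache print` on the router shows which entries it served.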
by Sob
Thu Sep 17, 2020 5:44 pm
Forum: General
Topic: SRC-NAT With IP Pool without configure IP on WAN Interface
Replies: 4
Views: 205

Re: SRC-NAT With IP Pool without configure IP on WAN Interface

The arp=proxy-arp works only when router has route to requested IP address pointing elsewhere (e.g. when it's assigned to PPPoE client), but as I understand it, it's not the case here. With arp=local-proxy-arp it will answer also for other addresses on same local subnet.
by Sob
Thu Sep 17, 2020 2:02 am
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

The interface should just send and receive packets, no matter if it's LTE, ethernet, or anything else. Whether port forwarding works correctly or not, that should be decided on another level and interface type should have nothing to do with it. It's not impossible, some bugs may be weird and unexpec...
by Sob
Wed Sep 16, 2020 3:54 pm
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

I'm out of ideas. - TP-Link with LTE works => LTE is ok - Chateau with ethernet works => Chateau is ok - Chateau with LTE does not work => ???, but why, when both should be ok? It would be interesting if someone else could test it with their Chateau and LTE, but so far there isn't anyone else. I ass...
by Sob
Mon Sep 14, 2020 4:18 pm
Forum: Forwarding Protocols
Topic: Adding routing mark weird behaviour.
Replies: 6
Views: 254

Re: Adding routing mark weird behaviour.

Do not change original routes you had before. Add copies in different routing tables, i.e. have both:
/ip route
add dst-address=0.0.0.0/0 gateway=10.32.65.29 distance=20
add dst-address=0.0.0.0/0 gateway=10.32.65.29 routing-mark=bgp_xxx
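The "copy the route into its own table" advice above, extended to the two-ISP case the CHR/Hetzner replies describe (route rules with lookup-only-in-table for local subnets, and routing rules versus mangle for the selection itself). This is an added example, not any of the posts' configurations, in RouterOS v6 syntax as used in those threads. The gateway 10.32.65.29 is the one from the post; the ISP2 gateway 203.0.113.1 and the subnets 192.168.10.0/24 (LAN1) and 192.168.20.0/24 (LAN2) are placeholders.

```routeros
# RouterOS v6 syntax (v7 moved this to /routing table and /routing rule).
/ip route
# Original default routes in main stay untouched; ISP2 is the failover.
add dst-address=0.0.0.0/0 gateway=10.32.65.29 distance=1 check-gateway=ping \
    comment="ISP1 default (main)"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=2 \
    comment="ISP2 default (main, failover)"
# Copies of the same gateways in per-ISP tables, selected by routing-mark.
add dst-address=0.0.0.0/0 gateway=10.32.65.29 routing-mark=to_ISP1 \
    check-gateway=ping comment="ISP1 table"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_ISP2 \
    check-gateway=ping comment="ISP2 table"

/ip route rule
# Evaluated top to bottom. The per-ISP tables contain nothing but a default
# route, so without these two rules LAN1<->LAN2 traffic from a marked source
# would be sent to an ISP gateway instead of being routed locally.
add dst-address=192.168.10.0/24 action=lookup-only-in-table table=main
add dst-address=192.168.20.0/24 action=lookup-only-in-table table=main
# Static, address-based selection: everything from LAN2 leaves via ISP2.
# action=lookup (not lookup-only-in-table) falls through to main when to_ISP2
# has no active route, i.e. when ISP2's gateway stops answering pings.
add src-address=192.168.20.0/24 action=lookup table=to_ISP2

# Mangle is the alternative when the decision needs ports, protocols or PCC.
# Local destinations are excluded first, as the PCC replies above insist.
/ip firewall address-list
add list=not_in_internet address=192.168.10.0/24
add list=not_in_internet address=192.168.20.0/24
/ip firewall mangle
add chain=prerouting src-address=192.168.20.0/24 dst-address-list=!not_in_internet \
    dst-address-type=!local protocol=tcp dst-port=443 action=mark-routing \
    new-routing-mark=to_ISP2 passthrough=no comment="LAN2 HTTPS via ISP2"
```

Check it with `traceroute` from a LAN2 host: the second hop must be the ISP2 gateway for internet destinations, while `/ip route rule print` and `/ip firewall mangle print stats` show which rule each flow hit; a traceroute to a LAN1 host must show only the router, never an ISP hop.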
by Sob
Mon Sep 14, 2020 4:11 pm
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

It's difficult. Your packet captures showed that responses are being sent by device B and they also seemed to successfully pass through device A and continue to internet and client. But with LTE connection you can't verify this last part. If it was regular ethernet, you could add another device betw...
by Sob
Mon Sep 14, 2020 3:28 am
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

The 'broken port forwarding' theory. So no change for device B, but I also used 7.1beta2 on device A.
by Sob
Sun Sep 13, 2020 9:43 pm
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

I didn't expect that it would change anything, but I tested device A with 7.1beta2 and no problem at all, everything works.
by Sob
Sun Sep 13, 2020 2:53 am
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

Or try DNS as the first easy test. It's just one packet with the request and one with the response, but since with WG not even the first response made it back to the client, it could be enough.
by Sob
Sun Sep 13, 2020 1:21 am
Forum: General
Topic: Bridge VLAN IP assignment behavior [SOLVED]
Replies: 6
Views: 253

Re: Bridge VLAN IP assignment behavior [SOLVED]

Address is on the switch, so it's for the switch, switch owns it, other devices wanting to connect to a service on the switch will connect to this address, ... all good, I got this part. But I still don't know what you're asking about. It can be me, maybe someone else will get it. Or if you feel like i...
by Sob
Sat Sep 12, 2020 11:56 pm
Forum: General
Topic: Bridge VLAN IP assignment behavior [SOLVED]
Replies: 6
Views: 253

Re: Bridge VLAN IP assignment behavior [SOLVED]

You may need to try once more. I don't know what you mean by (1), the address is where it is, it doesn't get assigned to any specific port. It's like if you'd split the config between two devices, one with bridge and vlan config, but no address or vlan interface, and another with just address and si...
by Sob
Sat Sep 12, 2020 9:17 pm
Forum: General
Topic: Bridge VLAN IP assignment behavior [SOLVED]
Replies: 6
Views: 253

Re: Bridge VLAN IP assignment behavior [SOLVED]

I'm not completely sure what you're after, but the address belongs to MGMT876 interface, it doesn't go anywhere else. Other interfaces (bridge ports) are on another level below. Bridge is like switch, it's transparent for IP. Your 10.10.1.5 is reachable on all those ports you defined in /interface b...
by Sob
Sat Sep 12, 2020 9:02 pm
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

Not that it would be completely impossible, but dstnat is a simple thing, it's been there for years, everyone uses it, ... it's not likely that it would get broken and not noticed by many other people. On the other hand, it is a beta version, so maybe the chance is slightly higher. You can test another servi...
by Sob
Fri Sep 11, 2020 11:56 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 28
Views: 576

Re: Routing mark bug?

Do you have other mangle rules that could assign a different routing mark to the same packets, or don't let them get to this rule?
by Sob
Fri Sep 11, 2020 10:22 pm
Forum: Beginner Basics
Topic: New to RouterOS and need some beginner's help.
Replies: 8
Views: 372

Re: New to RouterOS and need some beginner's help.

That's still quite impractical. Not only would it not be the dream job, but with users being all over the world, it would take a lot of effort to examine them. Maybe if MikroTik paid for the travel and other expenses, ... :) But more seriously, there's no way to easily detect this, unless you'd run ...
by Sob
Fri Sep 11, 2020 10:13 pm
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

It's still the same thing. There are requests coming from the client to the server, and on your routers you can see responses from the server to the client. But for some reason, none of them reaches the client, so it's no surprise that the connection fails. It doesn't look like you can do anything on your routers. I'd b...
by Sob
Fri Sep 11, 2020 7:23 am
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

That transfer.sh server is semi-dead for me, it was slow before, but now I managed to download only client_connect.pcap and it took two hours. The obvious problem is that it contains only initial requests, there's not a single response. It was the same in previous combined capture as well. All non-T...
by Sob
Fri Sep 11, 2020 5:35 am
Forum: General
Topic: Ampache & RouterOS web server on hAP ac2
Replies: 9
Views: 469

Re: Ampache & RouterOS web server on hAP ac2

Your only chance to ever see this in RouterOS is if MikroTik added support for custom (third-party) packages and someone else then created one for this software. But don't hold your breath for it, so far they haven't shown any interest in such a thing.
by Sob
Fri Sep 11, 2020 2:55 am
Forum: Beginner Basics
Topic: New to RouterOS and need some beginner's help.
Replies: 8
Views: 372

Re: New to RouterOS and need some beginner's help.

Spammers are getting more clever, or at least less stupid. You can still spot many of them, even with this copy & paste method (they come back later and edit the post to add spam links). When user's first post is something generic, which may be related to networks or even RouterOS, but you keep thin...
by Sob
Fri Sep 11, 2020 2:42 am
Forum: General
Topic: Ampache & RouterOS web server on hAP ac2
Replies: 9
Views: 469

Re: Ampache & RouterOS web server on hAP ac2

Small difference is that OpenWRT is open (it's a relatively normal Linux distribution) but RouterOS is not (you can't install anything yourself).
by Sob
Thu Sep 10, 2020 11:31 pm
Forum: Beginner Basics
Topic: New to RouterOS and need some beginner's help.
Replies: 8
Views: 372

Re: New to RouterOS and need some beginner's help.

Just another useless copy & paste (original) as a spam base.
by Sob
Thu Sep 10, 2020 10:58 pm
Forum: General
Topic: what is the state of open source router OS/firmware?
Replies: 3
Views: 300

Re: what is the state of open source router OS/firmware?

Don't bother, it's just another copy & paste of an old post from elsewhere, nobody is waiting for an answer. Let it sit for a day or two and it will be edited and have spam links added.
by Sob
Thu Sep 10, 2020 9:13 pm
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working behind internet facing router with DSTNAT v7.1beta2

And how exactly did you capture this? It looks like a strange mix. Some packets are wrapped in TZSP, from 192.168.10.5 to 192.168.200.11 (what's that?), while others look like a direct capture from an interface. But if it's captured using packet sniffer on 192.168.10.5, as TZSP suggests, then it shouldn't ...
by Sob
Thu Sep 10, 2020 8:51 pm
Forum: Announcements
Topic: Expected down time for this forum SEPT 11
Replies: 42
Views: 4241

Re: Expected down time for this forum SEPT 11

Hope you will not break anything.
Like the optional "prosilver" style, it's extremely important to have that! :)
by Sob
Thu Sep 10, 2020 8:35 pm
Forum: Beginner Basics
Topic: ddns or vpn to get static ip How to
Replies: 6
Views: 428

Re: ddns or vpn to get static ip How to

It doesn't depend on connection type, but whether ISP provides public IP address or not.
by Sob
Thu Sep 10, 2020 9:59 am
Forum: Beginner Basics
Topic: ddns or vpn to get static ip How to
Replies: 6
Views: 428

Re: ddns or vpn to get static ip How to

See previous questions... ^^^ It's not very likely to get help without providing more info.
by Sob
Thu Sep 10, 2020 6:47 am
Forum: RouterOS v7 BETA
Topic: Wireguard not working behind internet facing router with DSTNAT v7.1beta2
Replies: 50
Views: 2834

Re: Wireguard not working when behind internet facing router with DSTNAT

But there's one thing I noticed now, you have 192.168.201.0/24 as the address on the wireguard1 interface. But it's not a correct address, with .0 at the end it's the subnet address. Change it to something else, e.g. .1.