Community discussions

Search found 3601 matches

by Sob
Tue Feb 19, 2019 1:04 am
Forum: RouterBOARD hardware
Topic: RB4011 twin-tray 1U
Replies: 6
Views: 374

Re: RB4011 twin-tray 1U

You never know, I've seen third-party rack mounts for double RB450s, RB493s and RB2011s, so it could happen for RB4011 too.
by Sob
Tue Feb 19, 2019 1:00 am
Forum: General
Topic: redirect subdomain(NAT)
Replies: 6
Views: 197

Re: redirect subdomain(NAT)

If it's for udp, unless it's some special service that supports name-based virtual hosting (you could at least use an external proxy server for that), then the only solution is your own public IP address for each server. But they may be hard to get these days. It's what IPv6 was supposed to solve years ago,...
by Sob
Mon Feb 18, 2019 2:24 pm
Forum: General
Topic: WireGuard Released !
Replies: 8
Views: 448

Re: WireGuard Released !

@vecernik87: Sorry. :D But you should be looking for this much more interesting post.
by Sob
Mon Feb 18, 2019 12:54 pm
Forum: General
Topic: WireGuard Released !
Replies: 8
Views: 448

Re: WireGuard Released !

We didn't even get an OpenVPN over UTP yet. That's not true! I personally used MikroTik's OpenVPN over UTP... ... at least Cat 5E and Cat6, also S/FTP and possibly others, various 802.11something, even 10BASE2 coax, I think. And yes, I know it's a childish joke. :) But on topic, once WireGuard makes ...
by Sob
Mon Feb 18, 2019 12:38 pm
Forum: General
Topic: Firewall on Mikrotik box outbound connection?
Replies: 9
Views: 325

Re: Firewall on Mikrotik box outbound connection?

And actually, when you check this image:
Image

The "routing adjustment" is there, which is used for policy routing, where you can route output packets somewhere else than they were supposed to go. So only the NAT part missing.
by Sob
Mon Feb 18, 2019 12:30 pm
Forum: General
Topic: Firewall on Mikrotik box outbound connection?
Replies: 9
Views: 325

Re: Firewall on Mikrotik box outbound connection?

RouterOS is (or at least started as) Linux with standard netfilter. So my guess is that it's probably still in there, just not exposed to us. Because usually it's not needed, so leaving it out didn't seem like a big deal.
by Sob
Mon Feb 18, 2019 3:00 am
Forum: General
Topic: MULTI PPPOE - PORT FORWARD
Replies: 1
Views: 93

Re: MULTI PPPOE - PORT FORWARD

Dstnat is exactly the same as with a single address:
/ip firewall nat add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=x protocol=tcp to-addresses=y.y.y.y to-ports=y
The extra thing needed is a way to send response packets back the same way the requests came in. Mark new incoming con...
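The two pieces the post describes, written out as an added example (this is not the poster's config and not MikroTik documentation): the dst-nat rule for the secondary PPPoE link, and the connection mark plus routing mark that push reply packets back out that same link instead of the default route. The interface names pppoe-out2 and bridge1, the internal server 192.168.88.10:80 and the public port 8080 are assumptions.

```routeros
# Assumed: pppoe-out1 is the default WAN, pppoe-out2 is the secondary PPPoE link,
# bridge1 is the LAN, 192.168.88.10:80 is the internal server.

# 1) Port forward on the secondary link. Matching on in-interface instead of
#    dst-address keeps the rule valid when the PPPoE address changes.
/ip firewall nat
add chain=dstnat in-interface=pppoe-out2 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="forward 8080 on pppoe-out2 to internal web server"

# 2) Remember which link the connection arrived on. connection-state=new
#    means the mark is set once, on the first packet, and then sticks to
#    every packet of that connection in both directions.
/ip firewall mangle
add chain=prerouting in-interface=pppoe-out2 connection-state=new \
    action=mark-connection new-connection-mark=from-pppoe2 passthrough=yes \
    comment="tag connections that came in via pppoe-out2"

# 3) Replies from the LAN host belong to a tagged connection; give those
#    packets a routing mark in prerouting, i.e. before the routing decision.
add chain=prerouting in-interface=bridge1 connection-mark=from-pppoe2 \
    action=mark-routing new-routing-mark=via-pppoe2 passthrough=no \
    comment="route replies of tagged connections via pppoe-out2"

# 4) A default route that is consulted only for packets carrying the mark;
#    the main table (via pppoe-out1) is untouched for everything else.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=via-pppoe2 \
    comment="default route for replies that must leave via pppoe-out2"

# Check: the two mangle counters should grow together while a forwarded
# connection is active, and the LAN host's replies should appear on pppoe-out2.
/ip firewall mangle print stats
/tool sniffer quick interface=pppoe-out2 port=80
```

No srcnat is involved for these replies: the dst-nat state already rewrites them back to the public address on the way out. The order of the two mangle rules matters only in that the mark-connection rule has to exist; the mark-routing rule matches on the connection mark, not on rule position.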
by Sob
Mon Feb 18, 2019 2:49 am
Forum: General
Topic: Firewall on Mikrotik box outbound connection?
Replies: 9
Views: 325

Re: Firewall on Mikrotik box outbound connection?

... they are already on their outgoing interface, and there is no turning back. Works in Linux, example: Default route is via eth0 and route to another network is via eth1:
# ip route
10.0.0.0/24 via 10.0.1.1 dev eth1
default via x.y.z.129 dev eth0
...
Initial test with ping:
# ping 8.8.8.8
PING 8...
by Sob
Mon Feb 18, 2019 2:24 am
Forum: General
Topic: Port Forwarding without effecting Site to Site IPSEC Tunnel
Replies: 5
Views: 274

Re: Port Forwarding without effecting Site to Site IPSEC Tunnel

Let's start with the easy part. If everything you have in "/ip firewall filter" is the single rule you posted, it's as if you didn't have anything there at all. When you take into account the implicit behaviour (which is to accept anything not matched by previous rules), your whole firewall is: /ip firewall ...
by Sob
Sun Feb 17, 2019 6:55 pm
Forum: General
Topic: Portmap.io Ovpn Client config.
Replies: 4
Views: 233

Re: Portmap.io Ovpn Client config.

RouterOS supports SSH port forwarding in its server, but there doesn't seem to be anything for the client:

https://wiki.mikrotik.com/wiki/Manual:System/SSH_client
by Sob
Sun Feb 17, 2019 6:52 pm
Forum: General
Topic: Firewall on Mikrotik box outbound connection?
Replies: 9
Views: 325

Re: Firewall on Mikrotik box outbound connection?

Not for router's own connections, unfortunately:

Dstnat in output chain?

I mean using any sane way, what you can see in that thread doesn't qualify.
by Sob
Sun Feb 17, 2019 1:46 am
Forum: General
Topic: Portmap.io Ovpn Client config.
Replies: 4
Views: 233

Re: Portmap.io Ovpn Client config.

Start by looking in config file. If you don't see what you need, try showing the config to someone else who might see it. Only before you do, get rid of private stuff first. If there's embedded key <key>data</key>, remove it. If there's <tls-auth>data</tls-auth>, forget it, RouterOS doesn't support ...
by Sob
Sat Feb 16, 2019 6:42 am
Forum: Beginner Basics
Topic: Winbox for Router OS 5.20
Replies: 3
Views: 117

Re: Winbox for Router OS 5.20

3.12
by Sob
Sat Feb 16, 2019 1:04 am
Forum: General
Topic: Port Forwarding without effecting Site to Site IPSEC Tunnel
Replies: 5
Views: 274

Re: Port Forwarding without effecting Site to Site IPSEC Tunnel

It's better. So this is config from home router, it has LAN .89 and WAN 208.x, datacenter has LAN .88 and WAN 73.x, right? Other than your firewall filter being useless (default action is accept, so just one accept rule doesn't do anything useful and everything on router is wide open) and same for t...
by Sob
Sat Feb 16, 2019 12:19 am
Forum: Beginner Basics
Topic: No IPv6 Prefix showing on interface
Replies: 2
Views: 128

Re: No IPv6 Prefix showing on interface

Did you create the pool (in /ipv6 pool) manually? That would be wrong, DHCPv6 client does that.
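How the pool is meant to come into existence, as an added example that is not from the post or from MikroTik's manual: the DHCPv6 client requests a prefix and creates the pool itself, and LAN addresses are then taken from that pool. The interface names ether1 and bridge1 and the pool name isp-pd are assumptions. It also illustrates the limit the "IPv6 on second VLAN" post further down runs into: if the ISP delegates a single /64, a pool cut into /64 pieces holds exactly one of them, so a second from-pool address on another VLAN cannot be satisfied.

```routeros
# Assumed: ether1 faces the ISP, bridge1 is the LAN.
# Do not create the pool in /ipv6 pool by hand; the DHCPv6 client creates
# and owns it, and a manual pool with the same name gets in its way.
/ipv6 dhcp-client
add interface=ether1 request=prefix pool-name=isp-pd pool-prefix-length=64 \
    add-default-route=yes comment="ask the ISP for a delegated prefix"

# The LAN address is carved out of the delegated pool: ::1 becomes the
# router's address in the first /64 and advertise=yes announces the prefix
# to clients via router advertisements.
/ipv6 address
add interface=bridge1 from-pool=isp-pd address=::1/64 advertise=yes

# A second VLAN would need a second /64 from the same pool. With a /64
# delegation there is none left, so this entry stays invalid until the ISP
# hands out something larger (a /56 or /48).
/interface vlan
add name=vlan20 vlan-id=20 interface=bridge1
/ipv6 address
add interface=vlan20 from-pool=isp-pd address=::1/64 advertise=yes

# Verify: the client must show a bound prefix, the pool must be dynamic
# (flag D), and the address entries must show the prefix instead of ::/64.
/ipv6 dhcp-client print detail
/ipv6 pool print
/ipv6 address print
```

If the pool entry prints without the D flag, it was created manually; remove it and let the DHCPv6 client recreate it on the next renew.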
by Sob
Fri Feb 15, 2019 10:07 pm
Forum: General
Topic: Port Forwarding without effecting Site to Site IPSEC Tunnel
Replies: 5
Views: 274

Re: Port Forwarding without effecting Site to Site IPSEC Tunnel

Don't be afraid to share more info (like a clear description of where each subnet is, how exactly ipsec is configured, or just your whole config to eliminate all need to guess things), it can only help.
by Sob
Fri Feb 15, 2019 12:24 am
Forum: General
Topic: Volatile domain connection in subnet
Replies: 3
Views: 374

Re: Volatile domain connection in subnet

The way I see it is that a client asks for an address from the router, the router then either gives an answer back if it has one or goes to the next dns/router to ask the same question. That's a common misconception. If you ask a DNS resolver something, it will always answer (except timeouts or when it's...
by Sob
Wed Feb 13, 2019 5:29 am
Forum: General
Topic: Config Review - Security Conscience Home User
Replies: 19
Views: 835

Re: Config Review - Security Conscience Home User

As it is right now, none of the bruteforce/scanning rules are showing any traffic anyway. What a surprise. ;) You created a reasonable firewall for the input chain with just those four rules at the beginning. Rule #4 is an unconditional drop, nothing will ever get past that. So all following rules with chai...
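Both points made in this thread and in the two "Port Forwarding without effecting Site to Site IPSEC Tunnel" posts above (a lone accept rule is no firewall because the implicit policy is accept; an unconditional drop makes every rule after it dead) are easier to see on a concrete input chain. This is an added example, not the poster's config and not MikroTik's default firewall; bridge1 as the LAN interface is an assumption.

```routeros
# Assumed: bridge1 is the LAN. The implicit policy at the end of every chain
# is accept, so a chain holding only accept rules protects nothing; the final
# unconditional drop is the rule that turns this into a firewall.
/ip firewall filter
# Replies to connections the router itself opened (DNS, NTP, VPN, updates).
add chain=input connection-state=established,related action=accept \
    comment="established/related"
add chain=input connection-state=invalid action=drop comment="invalid"
# Management (WinBox, SSH, WebFig) only from the LAN side.
add chain=input in-interface=bridge1 action=accept comment="LAN to router"
# Ping stays reachable from anywhere; drop it as well if you do not want that.
add chain=input protocol=icmp action=accept comment="icmp"
# Anything that wants to be counted or logged must sit ABOVE the final drop.
add chain=input in-interface=!bridge1 protocol=tcp dst-port=22,8291 \
    action=add-src-to-address-list address-list=wan_mgmt_probes \
    address-list-timeout=1d comment="record WAN hits on mgmt ports (before drop)"
# Everything else from the WAN. Rules placed after this line never match.
add chain=input action=drop comment="drop the rest"

# Verify: a rule with zero bytes after a test from the WAN side is either
# shadowed by an earlier rule or sitting below the final drop.
/ip firewall filter print stats where chain=input
```

The address-list rule is the one place where "what would have been dropped" is recorded without accepting it: it uses action=add-src-to-address-list and does not terminate processing, so the packet still reaches the drop below it.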
by Sob
Wed Feb 13, 2019 5:09 am
Forum: Beginner Basics
Topic: DNS is not responding on all interfaces
Replies: 2
Views: 89

Re: DNS is not responding on all interfaces

It's not what you're missing but what you have extra. If you enable remote DNS requests, the server listens on all interfaces. If it works on some and doesn't on others it's probably blocked by your firewall.
by Sob
Wed Feb 13, 2019 5:02 am
Forum: Beginner Basics
Topic: NAT 1:1 Questions
Replies: 9
Views: 238

Re: NAT 1:1 Questions

In other words, if 192.168.128.226 uses 192.168.128.250 as its default gateway, and 192.168.128.226 will initiate connections to 192.168.150.44 (not the other way), then all you need is:
/ip firewall nat add chain=srcnat out-interface=<interface connected to .150 network> action=masquerade
In case e...
by Sob
Thu Feb 07, 2019 9:37 pm
Forum: General
Topic: Using RouterOS as a local DNS server?
Replies: 3
Views: 285

Re: Using RouterOS as a local DNS server?

It sounds to me like the records are already added manually. If they didn't resolve from Windows clients, it could be explained easily, because Windows always tries to add a domain to bare hostnames. But if it's from the RouterOS console, it should work, the resolver there asks exactly for what you give it.
by Sob
Thu Feb 07, 2019 3:57 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 55
Views: 9846

Re: [Feature request] Wireguard

So you already have new RouterOS with kernel 4.20, but that's too bad Wireguard isn't there, therefore it can't be in RouterOS yet. I'm wondering if I'm reading it right. ;)
by Sob
Thu Feb 07, 2019 3:46 pm
Forum: General
Topic: IPv6 on second VLAN
Replies: 18
Views: 745

Re: IPv6 on second VLAN

My ISP is small Czech local which apparently gives me one /64. Did you try to ask them for bigger prefix? There could be some hope with small company. Maybe they are just new to this and /64 is their honest mistake without an ill intent. If they are open to discussion, there are enough even local r...
by Sob
Thu Feb 07, 2019 6:37 am
Forum: General
Topic: Nat address from public ip to router adress
Replies: 12
Views: 450

Re: Nat address from public ip to router adress

You're ahead of me, I've seen that device only on pictures so far. And one small clarification of my previous post, for the record, because it may sound wrong and possibly confuse someone, with your two LAN subnets and client and server in different ones connecting via public address, it's not hairp...
by Sob
Thu Feb 07, 2019 5:13 am
Forum: General
Topic: Nat address from public ip to router adress
Replies: 12
Views: 450

Re: Nat address from public ip to router adress

@anav: Really? Do I end my strike for RouterOS v7 (*) and come back to this? :D Didn't you get your guru handbook? You can't ask questions like this anymore. You can't be perplexed by simple double NAT or basic routing and firewalling. You need to make a new incognito account for such questions (no,...
by Sob
Fri Oct 19, 2018 7:50 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature request: ip address alias
Replies: 2
Views: 770

Re: Feature request: ip address alias

For firewall rules, for some uses, the current address list feature is good enough. But not for everything, e.g. srcnat's to-addresses can only be an address. So the possibility to have address aliases sounds interesting. Ideally as a global thing, so that the alias could be used in every single place where rout...
by Sob
Fri Oct 19, 2018 7:32 pm
Forum: General
Topic: using VLAN interface as in interface for mangle rule
Replies: 1
Views: 406

Re: using VLAN interface as in interface for mangle rule

You didn't really provide any details to work with. But you can take your IP-based rule that works, set log=yes for it, examine what gets logged and you'll see what interface the router thinks it comes from.
by Sob
Fri Oct 19, 2018 5:15 am
Forum: Beginner Basics
Topic: 6in4 endpoint
Replies: 4
Views: 414

Re: 6in4 endpoint

It depends what addresses you use, but it's the same type of tunnel (IPv6 in protocol 41 IPv4). You can have either 6to4 with public IPv6 subnet from 2002::/16 derived from public IPv4 address, or just regular point to point tunnel as you want.
by Sob
Fri Oct 19, 2018 12:13 am
Forum: Beginner Basics
Topic: VPN
Replies: 2
Views: 276

Re: VPN

"Office" in that command is name of LAN interface, so just use yours (probably some bridge).
by Sob
Thu Oct 18, 2018 5:39 pm
Forum: General
Topic: /ip dns servers= (cache) - how are multiple servers used?
Replies: 18
Views: 1067

Re: /ip dns servers= (cache) - how are multiple servers used?

So far I wasn't able to find when/if any kind of weight kicks in. If I make one server always dead, it's still asked when the previous one in line fails (and that adds delay). But I would need a different method for controlling failures to properly test it. Random in-addr.arpa queries are not good for this, y...
by Sob
Thu Oct 18, 2018 3:15 am
Forum: General
Topic: /ip dns servers= (cache) - how are multiple servers used?
Replies: 18
Views: 1067

Re: /ip dns servers= (cache) - how are multiple servers used?

I tried RouterOS 6.44beta20 and /ip dns with 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1 with a counter for each resolver (using firewall rules) and:
1) Queries for 100% working records
My own domain where authoritative servers have "*.<my_domain> A <IP address>". Script sends stream of queries for <random>.<m...
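The per-resolver counters the post mentions can be built from firewall rules alone; this is my added reconstruction of that setup, not the poster's script and not anything MikroTik ships. It relies on the fact that the router's own upstream DNS queries are locally generated and therefore traverse the output chain. The disabled drop rule is the knob for the "make one server always dead" experiment in the later post.

```routeros
# The router's resolver sends its upstream queries from the router itself,
# so they pass through chain=output (never input or forward).
/ip dns
set servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1 allow-remote-requests=yes

# action=passthrough increments the rule counter and continues with the next
# rule, so these four rules count without affecting what gets through.
/ip firewall filter
add chain=output protocol=udp dst-port=53 dst-address=8.8.8.8 \
    action=passthrough comment="dnscount 8.8.8.8"
add chain=output protocol=udp dst-port=53 dst-address=8.8.4.4 \
    action=passthrough comment="dnscount 8.8.4.4"
add chain=output protocol=udp dst-port=53 dst-address=1.1.1.1 \
    action=passthrough comment="dnscount 1.1.1.1"
add chain=output protocol=udp dst-port=53 dst-address=1.0.0.1 \
    action=passthrough comment="dnscount 1.0.0.1"

# Failure simulation for the failover test: enable this to make 8.8.4.4 look
# dead from the router's point of view (queries leave, nothing comes back).
add chain=output protocol=udp dst-port=53 dst-address=8.8.4.4 \
    action=drop disabled=yes comment="dnscount simulate dead 8.8.4.4"

# Start from zero and empty the cache so every test query really goes
# upstream; then read the distribution after the query stream has finished.
/ip firewall filter reset-counters [find comment~"^dnscount"]
/ip dns cache flush
/ip firewall filter print stats where comment~"^dnscount"
```

The counters tell you which server each query was sent to, not which one answered; for that you would need a second set of rules matching the replies in chain=input (src-address of the resolver, src-port=53).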
by Sob
Wed Oct 17, 2018 7:53 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 338
Views: 42923

Re: RB4011

How would I change the WAN interface without redoing my entire config (dstnat, IPv6-PD, default firewalls for both IPv4 and IPv6)? Can I simply switch it using QuickSet? If you made any changes outside of Quick Set, then stay away from it. There's no built-in way to change everything from one i...
by Sob
Wed Oct 17, 2018 3:37 pm
Forum: Beginner Basics
Topic: Additional routing rules with load balancing
Replies: 6
Views: 399

Re: Additional routing rules with load balancing

Either that, or let it fit with the rest:
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=bridge1 protocol=22 new-connection-mark=BTLeased_conn passthrough=yes
I don't think you really meant protocol=22 though.
by Sob
Wed Oct 17, 2018 4:39 am
Forum: General
Topic: CONFIGURE IPV6 DNS CORRECTLY
Replies: 1
Views: 281

Re: CONFIGURE IPV6 DNS CORRECTLY

If you have dual-stack clients, you don't really need to worry about IPv6 DNS resolvers, because IPv4 ones will work for AAAA queries just fine. If you want to give IPv6 resolvers to clients, you need to decide if you want them to use DNS cache on router (scenario a), or bypass it and go to remote r...
by Sob
Wed Oct 17, 2018 4:24 am
Forum: Beginner Basics
Topic: (Question) Block ips with addresses list in firewall nat
Replies: 2
Views: 300

Re: (Question) Block ips with addresses list in firewall nat

Your best choice in this case should be raw prerouting.
by Sob
Tue Oct 16, 2018 4:47 am
Forum: General
Topic: Dynamic DNS inside a LAN
Replies: 35
Views: 2986

Re: Dynamic DNS inside a LAN

Are you sure it's not just the internet connection? And not only yours, it depends also on VPN server's connection. Specifically, both your download and upload through VPN are limited by whatever is slower on server (download or upload).
by Sob
Tue Oct 16, 2018 2:07 am
Forum: General
Topic: Jailbreak for RouterOS 6.43.2 released [SOLVED]
Replies: 16
Views: 1958

Re: Jailbreak for RouterOS 6.43.2 released [SOLVED]

Ok, so the "magic" USB is a filesystem with a simple symlink to root, and it goes from there, right? That's a neat trick. But there's probably also some simple way MikroTik can block it. And even if they don't, you're completely on your own, any upgrade can ruin what you build there, etc. So yeah, it'...
by Sob
Mon Oct 15, 2018 2:47 am
Forum: General
Topic: How to realise NAT redirect to LAN client from VPN?
Replies: 47
Views: 1755

Re: How to realise NAT redirect to LAN client from VPN?

He's psychic, he knows everything! (Or maybe it could have something to do with your writing, the order of words, ... :)) But back to the main topic, rules seem to be ok, so find out what exactly happens. You can add some logging rules, e.g.:
/ip firewall mangle add chain=prerouting protocol=tcp dst-addr...
by Sob
Sun Oct 14, 2018 10:14 pm
Forum: General
Topic: How to realise NAT redirect to LAN client from VPN?
Replies: 47
Views: 1755

Re: How to realise NAT redirect to LAN client from VPN?

Almost there, you want prerouting instead of output:
/ip firewall mangle
add chain=prerouting in-interface=<server LAN> action=mark-routing new-routing-mark=to_VPN1 connection-mark=int_to_3641
by Sob
Sun Oct 14, 2018 9:45 pm
Forum: General
Topic: Unable to get full gigabit speed on RB750Gr3
Replies: 28
Views: 2012

Re: Unable to get full gigabit speed on RB750Gr3

@sindy: You're probably drinking beer not very far from me. But shh, we don't want anyone to know that we're slowly taking over the forum (maybe we can accept @CZFan as honorary member, he could be useful, he's not as much into motorcycles as I initially thought, but other things). :) Correct about ...
by Sob
Sun Oct 14, 2018 7:44 pm
Forum: General
Topic: Unable to get full gigabit speed on RB750Gr3
Replies: 28
Views: 2012

Re: Unable to get full gigabit speed on RB750Gr3

@sindy: For the record, my name is not the popular acronym, it has the same unimaginative origin as yours (judging by your e-mail you leaked here in the past). :) And to not make double OT, I'll add to your original OT that the reason why forward and input are together is because there can also be s...
by Sob
Sun Oct 14, 2018 7:23 pm
Forum: General
Topic: How to realise NAT redirect to LAN client from VPN?
Replies: 47
Views: 1755

Re: How to realise NAT redirect to LAN client from VPN?

You need only one, masquerade OR routing. And if you choose routing, check the PCC example. It's primarily about load balancing, so ignore that and only focus on the connection and route marking part. I really have to find some better example, but all I keep remembering is this one. And I'm too lazy to...
by Sob
Sun Oct 14, 2018 5:38 am
Forum: Beginner Basics
Topic: "Smart Device" Initial Connection Woes
Replies: 19
Views: 879

Re: "Smart Device" Initial Connection Woes

There's not much difference. It's still asking for srv.myskybell.com and for some reason always sends two queries in less than one millisecond, which doesn't make sense to me. If they were to two different servers, then maybe, it could be trying to speed things up. Interestingly, even with two queri...
by Sob
Sun Oct 14, 2018 3:36 am
Forum: Beginner Basics
Topic: "Smart Device" Initial Connection Woes
Replies: 19
Views: 879

Re: "Smart Device" Initial Connection Woes

You didn't do your homework, did you? :) You previously wrote that you don't block outgoing traffic, so connection to port 443 should succeed. If device tries to connect to external servers, then input chain is irrelevant, that traffic goes to forward. Ok, unless you force it to input using dstnat, ...
by Sob
Sun Oct 14, 2018 3:17 am
Forum: General
Topic: How to realise NAT redirect to LAN client from VPN?
Replies: 47
Views: 1755

Re: How to realise NAT redirect to LAN client from VPN?

You have the masquerade for incoming connections in the wrong place, it's useless on the VPN client, it needs to be on the VPN server. The problem is when the client is e.g. 1.2.3.4, the router won't send replies back via VPN, because as it sees it, the route to 1.2.3.4 leads via the default route. If you masquerade connection...
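The server-side masquerade this post asks for, as an added example that is not from the thread: the srcnat rule lives on the VPN server, on the hop that pushes the forwarded connection into the tunnel, so the client router sees the connection coming from the server's tunnel address and its replies naturally go back through the tunnel instead of out its default route. Names are assumptions: ether1 as the server's public interface, vpn1 as the tunnel interface on both ends, 10.10.10.1/10.10.10.2 as server/client tunnel addresses, 192.168.1.10 as the LAN host behind the client router, and port 3641 (suggested by the thread's mark names, but not stated on this page). The routing-mark alternative mentioned in the post is the "only one of the two" option and is deliberately left out here.

```routeros
##### On the VPN SERVER (the router holding the public address) #####
# Assumed: ether1 = public interface, vpn1 = tunnel towards the client router,
# 10.10.10.2 = client router's tunnel address, 3641 = the forwarded port.
/ip firewall nat
# 1) Hand the port to the client router's tunnel address.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3641 \
    action=dst-nat to-addresses=10.10.10.2 to-ports=3641 \
    comment="public 3641 -> client router via VPN"

# 2) Rewrite the source to the server's tunnel address for exactly those
#    connections. Without this the client router sees the real internet
#    source (e.g. 1.2.3.4), routes the reply via its own default route, and
#    the SYN/ACK reaches the visitor from an address it never talked to.
add chain=srcnat out-interface=vpn1 protocol=tcp \
    dst-address=10.10.10.2 dst-port=3641 action=masquerade \
    comment="replies of forwarded connections must return through the tunnel"

##### On the VPN CLIENT router (the one with the LAN host) #####
# Assumed: vpn1 = tunnel interface, 192.168.1.10 = LAN host running the service.
# The connection now arrives from 10.10.10.1, which is reachable only via
# vpn1, so no mangle or extra route is needed for the return path.
/ip firewall nat
add chain=dstnat in-interface=vpn1 protocol=tcp dst-port=3641 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=3641 \
    comment="tunnel 3641 -> LAN host"

# Verify on the server: the forwarded connection's reply half should show
# the tunnel address as destination, i.e. the masquerade took effect.
/ip firewall connection print where dst-address~"10.10.10.2"
```

The price of this shortcut is that the LAN host logs 10.10.10.1 for every visitor instead of the real source address. If the real source has to survive, that is the case for the connection-mark plus routing-mark approach on the client router instead of this srcnat rule; never run both at once.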
by Sob
Sun Oct 14, 2018 3:02 am
Forum: General
Topic: VPN issues - Accessing Map Network Drive
Replies: 4
Views: 349

Re: VPN issues - Accessing Map Network Drive

You shouldn't need any dstnat for this. If you use other subnet for VPN users (not the same as LAN), you need to check firewall on those Windows devices and allow access from VPN subnet, because by default, only access from local subnet is allowed.
by Sob
Sun Oct 14, 2018 2:51 am
Forum: General
Topic: optimize FW rule by using connection-state=new ?
Replies: 6
Views: 474

Re: optimize FW rule by using connection-state=new ?

It would be interesting to know, what were those not new packets in your test. Because if you're testing with WAN interface and you don't really allow any connections from internet to router, then aside from few invalid packets, everything else coming from there can be only new. Also e.g. some icmp...
by Sob
Sun Oct 14, 2018 1:46 am
Forum: Beginner Basics
Topic: "Smart Device" Initial Connection Woes
Replies: 19
Views: 879

Re: "Smart Device" Initial Connection Woes

RouterOS blocks only what you tell it to block. The capture is strange. When you look at it, there's query for srv.myskybell.com, reply for A record comes back, but device doesn't connect there, instead it sends the same query again and again. It would probably be good idea to let it try unlimited a...
by Sob
Sun Oct 14, 2018 1:21 am
Forum: Beginner Basics
Topic: WPA2 preshared key brute force attack
Replies: 2
Views: 281

Re: WPA2 preshared key brute force attack

@BartoszP: Whole post is copy & paste from WPA2 preshared key brute force attack (which is also almost identical to content of your link). Could be just another spammer moving in.
by Sob
Sat Oct 13, 2018 11:07 pm
Forum: Beginner Basics
Topic: "Smart Device" Initial Connection Woes
Replies: 19
Views: 879

Re: "Smart Device" Initial Connection Woes

First image gives 404. Second shows that your plan from other thread (to give device only 8.8.8.8 to use as dns) for some reason didn't happen, because the device is still using router as dns resolver. It's not possible to tell from this if it's because of dhcp config or your redirect rules in dstna...