Community discussions

Search found 4183 matches

by Sob
Wed Jul 17, 2019 6:46 pm
Forum: Beginner Basics
Topic: Help with ikev2 ipsec psk mikrotik client - don't connect
Replies: 2
Views: 124

Re: Help with ikev2 ipsec psk mikrotik client - don't connect

I also encountered this. IKEv2 in RouterOS connects to port 4500 no matter what. I thought that it could at least take into account the NAT Traversal option and use port 500 when it's disabled, but no. I was even looking through RFCs, but I don't remember finding a straight answer if preferring port 4500...
by Sob
Wed Jul 17, 2019 5:42 am
Forum: Beginner Basics
Topic: VLAN Bridge Filtering Alternative
Replies: 7
Views: 461

Re: VLAN Bridge Filtering Alternative

Configuring switch chip using Switch menu is actually the old thing. I found it somehow unintuitive. But it's also true that it's a very long time since I tried to use it, and I don't know if anything changed since then. I thought that bridge VLAN filtering would make Switch menu obsolete, i.e. that a...
by Sob
Wed Jul 17, 2019 2:26 am
Forum: Beginner Basics
Topic: Two IPs each on separate port
Replies: 10
Views: 753

Re: Two IPs each on separate port

If it's default config, then ether1 (WAN) should be separate port and the rest should be in bridge (as LAN). If the solution with server getting public address directly would work for you, you need to remove server port (ether3) from LAN bridge and add it together with current WAN (ether1) to new br...
by Sob
Tue Jul 16, 2019 6:19 pm
Forum: Beginner Basics
Topic: connection state question [SOLVED]
Replies: 13
Views: 828

Re: connection state question [SOLVED]

And what do you expect from DMZ (*)? Because what your rule does is opening unlimited access to all devices in 192.168.1.0/24 subnet to anyone (except BOGONS). Well, theoretically, random person from internet won't be able to connect to your private addresses, but any device connected to your router...
by Sob
Tue Jul 16, 2019 4:47 pm
Forum: Beginner Basics
Topic: connection state question [SOLVED]
Replies: 13
Views: 828

Re: connection state question [SOLVED]

This doesn't look like something you want to have: accept forward destination-address list: 192.168.1.0/24 in-interface:WAN Source-AddressList: !BOGONS It's basically that everything from WAN (including new connections) is allowed to access your LAN (except what's in BOGONS address list). You should...
by Sob
Tue Jul 16, 2019 2:38 am
Forum: General
Topic: help to set ipv6 / 48
Replies: 13
Views: 875

Re: help to set ipv6 / 48

It's true that IPv6 tends to be more dynamic, but static config is possible too. And it looks like it's what this ISP is doing. As a customer, I'd actually prefer this, it's just this one little detail about requiring specific link-local address on client's router that makes it problematic. But of c...
by Sob
Mon Jul 15, 2019 9:31 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 13
Views: 875

Re: help to set ipv6 / 48

You can try writing to MikroTik support and asking them if they could support this, or if they have some good reason why not.
by Sob
Sun Jul 14, 2019 9:23 pm
Forum: Beginner Basics
Topic: After the upgrade - the port forwarding not working
Replies: 4
Views: 370

Re: After the upgrade - the port forwarding not working

My guess is that the problem is actually somewhere else, because it's highly unlikely that upgrade would break something as basic as this. And even if it did, there would be many more people complaining. Does the rule's counter increase? If not, either no such packets are coming to router or they ar...
by Sob
Sun Jul 14, 2019 7:18 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 13
Views: 875

Re: help to set ipv6 / 48

I don't know, there's quite a lot of RFCs. I remember the old method where the right 64 bits are derived from MAC address (with ff:fe inserted in the middle). The random method clearly exists too, that's what Windows seems to be using. Realistically, as long as resulting link-local address is unique ...
by Sob
Sun Jul 14, 2019 4:13 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 13
Views: 875

Re: help to set ipv6 / 48

On the other hand, it doesn't look like anything difficult that MikroTik couldn't support, if they wanted to. If ISPs do this, does it work with an average home router? I guess it must, otherwise ISPs wouldn't use it. And in that case, RouterOS needs it too.
by Sob
Sat Jul 13, 2019 7:17 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 13
Views: 875

Re: help to set ipv6 / 48

Router's default gateway should be fe80::1, but it probably won't help you anyway (see my previous post).
by Sob
Sat Jul 13, 2019 4:47 pm
Forum: General
Topic: Feature request: connection nat mismatch detection
Replies: 3
Views: 313

Re: Feature request: connection nat mismatch detection

Please expose such "connection-nat-ipmismatch" function, so implementing such filtering doesn't have to go through roundabout way over mangling ... It does sound useful, but it's not always easy to tell what address is wrong. For example, with hairpin NAT, I usually use srcnat with to-addresses=<pu...
by Sob
Sat Jul 13, 2019 4:01 pm
Forum: Forwarding Protocols
Topic: VPN Prob
Replies: 3
Views: 307

Re: VPN Prob

Some more info about "now I run it in Mikrotik and some mangle and routing" could help. People had great successes in the past with posting their configs.
by Sob
Sat Jul 13, 2019 3:57 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 13
Views: 875

Re: help to set ipv6 / 48

It's the WAN address starting with fe80 you'll have problem with, it's link-local address and so far RouterOS doesn't support adding these manually.
by Sob
Fri Jul 12, 2019 3:56 pm
Forum: Beginner Basics
Topic: 3 WAN ECMP and force several IP's to specific WAN
Replies: 1
Views: 156

Re: 3 WAN ECMP and force several IP's to specific WAN

/ip firewall mangle
add chain=prerouting connection-mark=no-mark src-address-list=<use_wan3_list> action=mark-connection new-connection-mark=wan3_conn passthrough=yes
add chain=prerouting connection-mark=wan3_conn action=mark-routing new-routing-mark=to_wan3
...
by Sob
Fri Jul 12, 2019 2:53 pm
Forum: General
Topic: SSTP VPN + port forwarding with multiple WAN ipv4 addresses
Replies: 4
Views: 274

Re: SSTP VPN + port forwarding with multiple WAN ipv4 addresses

You can't exactly bind SSTP server to specific address, but since dstnat (port forwarding) "wins" over local service (it redirects packets before they can reach it), there's no problem.
by Sob
Sat Jul 06, 2019 11:58 pm
Forum: Beginner Basics
Topic: Two IPs each on separate port
Replies: 10
Views: 753

Re: Two IPs each on separate port

It doesn't look like same thing. The problem in other thread is when router itself should get multiple addresses from ISP's DHCP server. In this case, if server should get the other address, simply bridging ether1 and ether3 should do the trick. Newly created bridge will serve as new WAN interface f...
by Sob
Sat Jul 06, 2019 10:16 pm
Forum: General
Topic: Make ICMP replies from ingress interface
Replies: 3
Views: 369

Re: Make ICMP replies from ingress interface

Official excuse is that this is only user forum and MikroTik employees don't necessarily read every topic here. If you want to be sure that they see it, you need to write to support.
by Sob
Sat Jul 06, 2019 1:32 am
Forum: General
Topic: ISP assigns Static IP addresses via DHCP
Replies: 6
Views: 378

Re: ISP assigns Static IP addresses via DHCP

Hmm, bridging VRRP interfaces with their parent interface (I hope I got it right) sounds somehow dangerous. Did you test it? I'd be afraid that it would mess up the whole thing. But speaking about crazy ideas, I had one, inspired by loop trick. Create local EoIP tunnel, put one end in bridge with u...
by Sob
Thu Jul 04, 2019 5:32 pm
Forum: Beginner Basics
Topic: routing between IPIP interfaces [SOLVED]
Replies: 2
Views: 214

Re: routing between IPIP interfaces [SOLVED]

Don't just accept those packets, log them, to be sure what exactly they are. In theory, there could be dstnat rule catching packets from first site, sending them back to first site and it would behave exactly as you describe it. Incoming packets in first tunnel, no outgoing in second, counter for fo...
by Sob
Thu Jul 04, 2019 12:32 am
Forum: General
Topic: Winbox to IPv6 to port 8295 - How do you do this ?
Replies: 2
Views: 173

Re: Winbox to IPv6 to port 8295 - How do you do this ?

Works for me. Not your address (I guess you don't allow access from outside), but mine with non-standard port, exactly as you enter it, is ok.
by Sob
Wed Jul 03, 2019 11:45 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Hairpin NAT not working as expected
Replies: 5
Views: 490

Re: Hairpin NAT not working as expected

No, you can't specify in-interface for dstnat rule, because then it won't match packets coming from LAN. It's really simple. If router has static public address (best case), do e.g.:
/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=80 action=dst-nat to-addresses=1...
by Sob
Wed Jul 03, 2019 5:34 pm
Forum: General
Topic: IKEv2 with EAP-MSCHAPv2 mobile VPN [SOLVED]
Replies: 1
Views: 188

Re: IKEv2 with EAP-MSCHAPv2 mobile VPN [SOLVED]

They only released client part in stable channel two days ago. Server side is not supported yet. AFAIK nothing has been promised, but since it's obvious thing to add next, I'd say it's just matter of time.
by Sob
Fri Jun 28, 2019 4:08 am
Forum: General
Topic: How to create NAT for multi device software update [SOLVED]
Replies: 8
Views: 1345

Re: How to create NAT for multi device software update [SOLVED]

Mangle rules should be different (wrong chain in second one was my fault):
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=p1 new-connection-mark=dev-in-mc-1.1 passthrough=yes
add action=mark-routing chain=prerouting src-address=192.168.1.9 connec...
by Sob
Fri Jun 28, 2019 3:47 am
Forum: General
Topic: Routing a Block of Public IP Addresses
Replies: 37
Views: 1901

Re: Routing a Block of Public IP Addresses

By fixing your srcnat/masquerade rule(s), you need to exclude routed public subnet from that.
by Sob
Mon Jun 24, 2019 7:24 pm
Forum: Beginner Basics
Topic: hairpin nat/routing [SOLVED]
Replies: 9
Views: 913

Re: hairpin nat/routing [SOLVED]

And if you don't have static WAN address, you can use dst-address-type=local. If additionally it's for a port that might be used on router too (e.g. 80 for WebFig), also add dst-address=!<router's LAN address> (don't forget the "!", it means "not") to exclude router's LAN address.
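A model of the two points made in this reply and in the "Hairpin NAT not working as expected" reply above (no in-interface on the dstnat rule, plus a LAN-to-LAN srcnat rule), added here as an illustration. It is not code from the thread or from RouterOS: it is Python that applies the two NAT rules to a packet's addresses and reports what source the client sees on the server's reply. All addresses are constructed (RFC 5737 documentation ranges and the RouterOS default LAN); the dst-address-type=local variant for dynamic WAN addresses is not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses (assumptions, not taken from the thread).
PUBLIC_IP = "203.0.113.10"        # router's static WAN address
REMOTE_CLIENT = "198.51.100.5"    # a client somewhere on the internet
ROUTER_LAN = "192.168.88.1"       # router's LAN address (RouterOS default)
LAN = ipaddress.ip_network("192.168.88.0/24")
SERVER = "192.168.88.100"         # internal web server behind the port forward


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str   # "WAN" or "LAN"


def dstnat(pkt, in_interface=None):
    """chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=80 action=dst-nat to-addresses=SERVER.
    in_interface=None models the rule as the reply recommends (no in-interface);
    in_interface="WAN" models the mistake of restricting it to the WAN interface."""
    if in_interface is not None and pkt.in_iface != in_interface:
        return pkt
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=SERVER)
    return pkt


def srcnat_hairpin(pkt):
    """chain=srcnat src-address=LAN dst-address=LAN action=masquerade:
    rewrites the source of forwarded LAN->LAN traffic to the router's own LAN address."""
    if ipaddress.ip_address(pkt.src) in LAN and ipaddress.ip_address(pkt.dst) in LAN:
        return replace(pkt, src=ROUTER_LAN)
    return pkt


def reply_source_seen_by_client(client_src, in_iface, dstnat_in_interface=None, hairpin_srcnat=False):
    """Return the source address the client sees on the server's reply, or "router-input"
    if the packet was never forwarded (it hit the router's own input chain instead)."""
    pkt = Packet(client_src, PUBLIC_IP, 80, in_iface)
    fwd = dstnat(pkt, dstnat_in_interface)
    if fwd.dst == PUBLIC_IP:
        return "router-input"
    if hairpin_srcnat:
        fwd = srcnat_hairpin(fwd)
    # The server answers whatever source address it saw on the request.
    if fwd.src == ROUTER_LAN:
        # Reply goes back to the router; conntrack reverses both translations,
        # so the client receives it from PUBLIC_IP, which is what it sent to.
        return PUBLIC_IP
    if ipaddress.ip_address(fwd.src) in LAN:
        # Same subnet: the server answers the client directly, bypassing the router.
        # The client sent to PUBLIC_IP:80 and gets a reply from SERVER:80, so its TCP
        # stack does not match the reply to the connection and the handshake never completes.
        return SERVER
    # Remote client: the reply is routed back through the router and dst-nat is reversed.
    return PUBLIC_IP


if __name__ == "__main__":
    cases = [
        ("LAN client, dstnat with in-interface=WAN", "192.168.88.10", "LAN", "WAN", False),
        ("LAN client, no hairpin srcnat", "192.168.88.10", "LAN", None, False),
        ("LAN client, with hairpin srcnat", "192.168.88.10", "LAN", None, True),
        ("remote client", REMOTE_CLIENT, "WAN", None, False),
    ]
    for label, src, iface, dst_if, hp in cases:
        print(f"{label}: client sees reply from {reply_source_seen_by_client(src, iface, dst_if, hp)}")
```

The third case is the working hairpin: the client's connection goes to the router, both translations are undone on the way back, and the reply arrives from the public address. The second case is the classic symptom (SYN forwarded, server replies straight to the client, client ignores it), and the first shows why in-interface must not be on the dstnat rule.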
by Sob
Fri Jun 21, 2019 12:43 am
Forum: General
Topic: Public IP fwd question
Replies: 1
Views: 189

Re: Public IP fwd question

I converted the above command into Routeros command.
But it doesn't work. Maybe I made the wrong transition.
It would be good idea to show us what you did, and then someone could tell you if it was correct or not.
by Sob
Fri Jun 21, 2019 12:25 am
Forum: General
Topic: Local advertised IPv6 DNS cache server
Replies: 7
Views: 366

Re: Local advertised IPv6 DNS cache server

If it works for Windows, the problem probably isn't on router. I don't use Linux as dynamic client, but what I saw in the past, it wasn't as tightly integrated as Windows. Unless something changed, getting addresses from RA is handled by kernel itself, it just works by default. But to get additional...
by Sob
Thu Jun 20, 2019 2:48 am
Forum: Beginner Basics
Topic: Mikrotik RB2011 in "Router" Mode
Replies: 12
Views: 783

Re: Mikrotik RB2011 in "Router" Mode

Yes, DHCP client does add address.

And I don't understand the part about static leases. They are in same list as dynamic ones. So if you defined them and they work, they can't be there more than they already are. There's probably some misunderstanding here.
by Sob
Thu Jun 20, 2019 2:37 am
Forum: General
Topic: connecting firewall through routerboard keeping public ip address
Replies: 17
Views: 726

Re: connecting firewall through routerboard keeping public ip address

Short answer: no.
Long answer: Maybe with loop hack (IPIP tunnel from router back to router), but you don't want that. My head hurts every time I think about it. And you'd still have problems with same addresses being both local and remote at the same time, router doesn't like that. About the previou...
by Sob
Thu Jun 20, 2019 2:16 am
Forum: Beginner Basics
Topic: Simple L7 Regex Question
Replies: 1
Views: 199

Re: Simple L7 Regex Question

Some regexp variants can do that, but I don't think it's possible in RouterOS, it doesn't support even much simpler constructs. It's not ideal, because the less L7 filters you have the better, but you can create another for vpn.domain.tld and either stop processing when it matches, or do the other ...
by Sob
Wed Jun 19, 2019 9:58 pm
Forum: General
Topic: How to create NAT for multi device software update [SOLVED]
Replies: 8
Views: 1345

Re: How to create NAT for multi device software update [SOLVED]

You need some connection marking. In prerouting, check for new incoming connections on px interfaces. Give them unique connections marks. And then in output, mark routing for connections with these marks.
by Sob
Sat Jun 15, 2019 5:23 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3533

Re: firewall src add and dst add

Regarding your previous reply, your problem is not with clients, the only resolver they should get is 192.168.88.1:53 (or whatever local address your router has, but still with standard port). It's the router that needs to talk to upstream resolver on non-standard port. It's exactly what the ugly ha...
by Sob
Fri Jun 14, 2019 10:51 pm
Forum: General
Topic: Web Proxy Restrict
Replies: 3
Views: 212

Re: Web Proxy Restrict

Traffic to router itself goes in chain=input. Traffic through router (both outgoing and incoming, forwarded ports included) goes in chain=forward. I don't know what you have now, but simple firewall that only allows access from internet to forwarded ports can look like this:
/ip firewall filter
add ...
by Sob
Fri Jun 14, 2019 10:24 pm
Forum: General
Topic: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range
Replies: 8
Views: 400

Re: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range

1) Don't enable dynamic leases:
/ip dhcp-server
add address-pool=static-only <other parameters>
2) Select dynamic pool for server and create static leases from another subnet as you need.
by Sob
Fri Jun 14, 2019 3:21 pm
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 892

Re: My first Mikrotik Router - Firewall Help

Nah, only when I have to get out of bed too soon, then I feel like twice my age. :) It's just that I've been playing with RouterOS for several years and most of the time interface lists didn't exist. They are great when you need to quickly add another LAN/WAN and make them use common rules. Not exac...
by Sob
Fri Jun 14, 2019 2:15 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3533

Re: firewall src add and dst add

..., so obviously my ISP is using dst-nat to redirect all request on port 53 to their own servers, ...
- router has 208.67.222.222 (on port 53) as a resolver from the router dns settings (obviously not dst-nated) so it connect to 208.67.222.222 directly through the 53 port
So the question is, does r...
by Sob
Fri Jun 14, 2019 2:12 pm
Forum: General
Topic: one dhcp server, static leases two diffent gateway addresses
Replies: 4
Views: 286

Re: one dhcp server, static leases two diffent gateway addresses

Where does 192.168.2.5 suddenly come from? You didn't write what netmask you have, but in case it's the most common /24, 192.168.2.x can't be default gateway for 192.168.1.x. Or do you mean two upstream routers and routing traffic from some addresses to one and from other addresses to another?
by Sob
Fri Jun 14, 2019 2:07 pm
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 892

Re: My first Mikrotik Router - Firewall Help

Or, to stick with concept used in default firewall setup by MT: use "in-interface-list=LAN"
Right. I still didn't get used to in-interface-list, as it's relatively new and I've been using in-interface for too long. Just to make it clear.
by Sob
Fri Jun 14, 2019 2:55 am
Forum: RouterOS v7
Topic: Feature request for v7.x
Replies: 257
Views: 59674

Re: Feature request for v7.x

1) You posted in wrong thread
2) I'm not sure if I'm getting the part about same names, but no such requirement exists. In some cases, it should be possible to skip connection marking completely, but it would only work if you'd have outgoing connections only, no incoming. And even then marking conne...
by Sob
Fri Jun 14, 2019 1:24 am
Forum: General
Topic: DNS unable to resolve host
Replies: 8
Views: 440

Re: DNS unable to resolve host

It's actually:
0000  04 74 65 73 74 03 6c 61 6e 00 00 01 00 01   .test.lan.....
                                 ^^ null byte
                                    ^^ ^^ record type (16 bits)
                                          ^^ ^^ class (16 bits)
So a foolproof way (from two posts later in same referenced thread) should be:
\0x03lan...?.?$
Which means ".lan" followed by 2-4 non-zero bytes at the end of p...
by Sob
Fri Jun 14, 2019 1:07 am
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3533

Re: firewall src add and dst add

I'm not a fan of that hack either. :) But what I'm trying to say is that as it is now:

- client doesn't use router as resolver
- router doesn't use the same resolver as client

So getting different addresses for same hostname (which uses CDN) is very possible.
by Sob
Fri Jun 14, 2019 1:02 am
Forum: General
Topic: Web Proxy Restrict
Replies: 3
Views: 212

Re: Web Proxy Restrict

Filter rule sounds right, you probably don't want anything external connecting to your proxy. Even more, you probably don't want anything external connecting to your router at all, so it's usually better to block everything and only add exceptions for what you want to have open, which shouldn't be m...
by Sob
Fri Jun 14, 2019 12:45 am
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 892

Re: My first Mikrotik Router - Firewall Help

It's not too bad. Firewall blocks all incoming requests from internet. They would be only accepted if someone spoofed the source address, but that's very unlikely. You can improve the firewall rule accepting input traffic from LAN by adding in-interface=<LAN>.
by Sob
Fri Jun 14, 2019 12:35 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1097
Views: 192090

Re: Feature requests

Both proxies are disabled by default, so they just take space in menu and little bit on disk, but that's it. Ability to uninstall them completely wouldn't change much, they already don't do anything if you don't enable them. I can understand that seeing some things in menu can annoy people for whate...
by Sob
Thu Jun 13, 2019 4:41 am
Forum: Virtualization
Topic: 951Ui-2nD MetaRouter [SOLVED]
Replies: 5
Views: 484

Re: 951Ui-2nD MetaRouter [SOLVED]

There's no help. You can either buy some other supported device with larger storage, or you'd need to have really small metarouter. The latter could be theoretically possible if you are assembler guru, but realistically, I don't think there's any chance to create anything useful like this.
by Sob
Thu Jun 13, 2019 4:31 am
Forum: General
Topic: DNS unable to resolve host
Replies: 8
Views: 440

Re: DNS unable to resolve host

Use regexp="\\x03lan.\\x01" instead (3 = length of "lan"). Just the "." alone means any character, so if there would be TLD .<something>lan, your regexp would match too.
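The two "DNS unable to resolve host" replies above (this one and the byte dump in the later one) both turn on the DNS wire format: every label is preceded by its length byte, the name ends with a 0x00 byte, and the 16-bit type and class follow. The Python below is an added example, not code from the posts or from RouterOS: it builds a query in that format, parses the question name back out, and contrasts a regexp that omits the length byte with one that has it. The name test.plan is constructed purely to show the false positive described in the reply.

```python
import re
import struct


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query (RFC 1035 header + one question).
    Labels are length-prefixed, the name is terminated by 0x00, then QTYPE and QCLASS (IN=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.strip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question_name(pkt):
    """Walk the length-prefixed labels of the first question and return the name as text."""
    pos = 12                       # question section starts right after the 12-byte header
    labels = []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:            # the 0x00 terminator
            break
        if length & 0xC0:          # compression pointers do not occur in a plain query
            raise ValueError("unexpected compression pointer in query name")
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def tld_of(pkt):
    return parse_question_name(pkt).rsplit(".", 1)[-1]


# "lan" followed by the end-of-name byte, without checking the label length:
# also matches any last label that merely ends in "lan".
NAIVE = re.compile(rb"lan\x00")
# Length byte 3, then "lan", then the end-of-name byte: only the label "lan" itself.
STRICT = re.compile(rb"\x03lan\x00")


def matches(pattern, pkt):
    return pattern.search(pkt) is not None


if __name__ == "__main__":
    for name in ("test.lan", "test.plan", "lan.example.com"):
        q = build_query(name)
        print(f"{name:16} naive={matches(NAIVE, q)!s:5} strict={matches(STRICT, q)!s:5} tld={tld_of(q)}")
```

Running it shows test.lan matching both patterns, test.plan matching only the naive one (the bytes 04 'p' 'l' 'a' 'n' 00 contain "lan" followed by the terminator), and lan.example.com matching neither, which is the reason the length byte belongs in front of the label.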
by Sob
Wed Jun 12, 2019 10:25 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3533

Re: firewall src add and dst add

Problem is, it doesn't do what you think. You need the router to use the right resolver (i.e. not ISP's) and client to use router (default is 192.168.88.1; you can have different config) as resolver. What actually happens is that when client gets 192.168.88.1 and tries to use it, dstnat forwards all...
by Sob
Wed Jun 12, 2019 8:55 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc? I remember it used to be popular request here few years ago. If I understand it correctly, Linux implementation provides interfaces for ...
by Sob
Wed Jun 12, 2019 12:51 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3533

Re: firewall src add and dst add

I'm using the router as a DNS resolver and have a Dst-nat rule to redirect all traffic to the opendns servers, and still i get different IPs
Sounds contradictory to me. Either the laptop uses router as resolver, i.e. it has router's address as its only resolver, and there's no dstnat. Or you redire...