Community discussions

Search found 3858 matches

by Sob
Sat Apr 20, 2019 6:10 pm
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 12
Views: 450

Re: /tool sniffer Code: 3 (Port unreachable)

I vaguely remember trafr, but looking at it now, it's only a Linux binary, so not useful for me on Windows. Tzsp2pcap looks like it can work under Cygwin, so that would be better. They both qualify as a proper solution too. Bittwiste looks interesting, but probably not the right tool for this. But to be...
by Sob
Sat Apr 20, 2019 3:24 am
Forum: Beginner Basics
Topic: Need quick and east non-payment redirect for a single customer
Replies: 6
Views: 236

Re: Need quick and east non-payment redirect for a single customer

I kind of hoped that you have it all figured out and you only missed the part how to match against MAC address instead of IP address. ;) In other words, that you'd only exchange src-address=1.2.3.4 for src-mac-address=01:02:03:04:05:06 in your solution. But your request as whole is not exactly easy....
by Sob
Sat Apr 20, 2019 2:51 am
Forum: Beginner Basics
Topic: Need quick and east non-payment redirect for a single customer
Replies: 6
Views: 236

Re: Need quick and east non-payment redirect for a single customer

There's src-mac-address matcher, so you can use that on directly connected router.
by Sob
Sat Apr 20, 2019 2:24 am
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 12
Views: 450

Re: /tool sniffer Code: 3 (Port unreachable)

I played with it a little more and made a proof-of-concept of what I consider proper solution. Wireshark supports plugin interface called extcap. It's external executables or scripts that acquire data and feed them to Wireshark. And it's exactly what's needed here, something that receives TZSP packe...
by Sob
Fri Apr 19, 2019 6:33 pm
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 12
Views: 450

Re: /tool sniffer Code: 3 (Port unreachable)

If a closed UDP port (= no process is listening on it) receives a packet, the system generates ICMP port unreachable and sends it to the client. That's normal behaviour. This does not happen when the port is firewalled and the incoming packet is silently dropped before it can reach the closed port. I don't know abo...
by Sob
Fri Apr 19, 2019 5:43 pm
Forum: General
Topic: Make external IP address accessible on secondary port
Replies: 6
Views: 215

Re: Make external IP address accessible on secondary port

Dumb switch and both routers being independent won't go well with the requirement to control other router's bandwidth (on first router, as I understand it).
by Sob
Fri Apr 19, 2019 4:14 am
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 12
Views: 450

Re: /tool sniffer Code: 3 (Port unreachable)

Capture filter in Wireshark doesn't change the fact that RouterOS is sending packets to closed port. So if target computer sends back "port unreachable" and you're capturing traffic on same interface where it's connected, you will see it in captured data (if there's not a filter that excludes it). B...
by Sob
Fri Apr 19, 2019 3:57 am
Forum: General
Topic: DNS Failover
Replies: 4
Views: 320

Re: DNS Failover

Generally, DNS resolvers are not meant to function like this. You can have multiple for redundancy, but it's assumed that all are equal and client can use any of them. But it doesn't work for this use case, where you need a special one that knows something that others don't and you want to only use ...
by Sob
Fri Apr 19, 2019 3:46 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 20
Views: 4142

Re: Feature Request: 802.1X over ethernet

It does something, I somehow managed to set up a test with RouterOS, external FreeRADIUS and Windows as client. But I don't really know what I'm doing, it's my first time playing with 802.1x and almost first time with FreeRADIUS, which is terrible starting point and everything seems too complicated....
by Sob
Fri Apr 19, 2019 2:46 am
Forum: General
Topic: How to redirect DNS request for just 1 LAN of 2 [SOLVED]
Replies: 2
Views: 115

Re: How to redirect DNS request for just 1 LAN of 2 [SOLVED]

Use what you found, only with additional src-address=<network>/<mask>.
by Sob
Fri Apr 19, 2019 12:18 am
Forum: Beginner Basics
Topic: IPSec tunnel failing
Replies: 2
Views: 127

Re: IPSec tunnel failing

Take a moment, read your post and imagine yourself as someone else who wants to help you. There isn't much to work with, is there?
by Sob
Thu Apr 18, 2019 11:36 pm
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 12
Views: 450

Re: /tool sniffer Code: 3 (Port unreachable)

That's sort of correct, because TZSP, used by the packet sniffer for streaming, sends packets to UDP port 37008. But on the target computer, nothing listens on that port, Wireshark certainly doesn't. And if it's not blocked by a firewall, your computer sending back ICMP port unreachable is exactly what should h...
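The receiver that the sniffer posts above call for (something bound on UDP/37008, which is also what stops the host from answering RouterOS with ICMP port unreachable, that strips the TZSP header and hands Wireshark ordinary capture data), written out as an added example. It is not Sob's extcap proof of concept and not MikroTik or Wireshark code. It assumes the 5-byte header RouterOS puts in front of each frame (version 1, type 0 "received", Ethernet encapsulation, END tag), tolerates tagged fields if a sender includes them, and writes classic little-endian pcap; the ARP frame at the bottom is constructed for the test, not captured from a router.

```python
"""Minimal TZSP-to-pcap receiver for the RouterOS /tool sniffer stream (added example)."""
import socket
import struct
import sys
import time

TZSP_PORT = 37008            # port RouterOS streams to
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0       # "received tag list" = one captured frame
TZSP_ENCAP_ETHERNET = 0x0001
TAG_PADDING = 0x00           # the two single-byte tags that carry no length field
TAG_END = 0x01
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def parse_tzsp(datagram: bytes):
    """Split one TZSP datagram into (type, encapsulation, tags, payload).

    Layout: version(1) type(1) encap(2), then tags until TAG_END; every tag
    other than PADDING/END is type(1) length(1) value(length). Lengths come
    from the wire, so every one is bounds-checked and bad input raises.
    """
    if len(datagram) < 5:
        raise ValueError("datagram shorter than the minimal TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, i = {}, 4
    while True:
        if i >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[i]
        i += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if i >= len(datagram):
            raise ValueError("truncated tag header")
        length = datagram[i]
        i += 1
        value = datagram[i:i + length]
        if len(value) != length:
            raise ValueError("truncated tag value")
        tags[tag] = value
        i += length
    return ptype, encap, tags, datagram[i:]


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535) -> bytes:
    """24-byte classic pcap file header, little-endian, microsecond timestamps."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    """16-byte per-packet header (sec, usec, captured len, original len) + frame."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def tzsp_datagrams_to_pcap(items) -> bytes:
    """Pure conversion: iterable of (timestamp, datagram) -> complete pcap blob.

    Malformed datagrams and non-Ethernet or non-'received' types are skipped,
    so a stray packet on the port cannot corrupt the capture.
    """
    out = [pcap_global_header()]
    for ts, datagram in items:
        try:
            ptype, encap, _tags, frame = parse_tzsp(datagram)
        except ValueError:
            continue
        if ptype == TZSP_TYPE_RECEIVED and encap == TZSP_ENCAP_ETHERNET:
            out.append(pcap_record(frame, ts))
    return b"".join(out)


def serve(out, port=TZSP_PORT, bind_addr="0.0.0.0", count=None):
    """Bind UDP/37008 and stream pcap to a binary file object (file or named pipe).

    The bound socket is what makes the ICMP port unreachable replies stop;
    a Wireshark capture filter never could, because the OS sends them.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    out.write(pcap_global_header())
    out.flush()
    seen = 0
    while count is None or seen < count:
        datagram, _peer = sock.recvfrom(65535)
        try:
            ptype, encap, _tags, frame = parse_tzsp(datagram)
        except ValueError:
            continue
        if ptype == TZSP_TYPE_RECEIVED and encap == TZSP_ENCAP_ETHERNET:
            out.write(pcap_record(frame, time.time()))
            out.flush()
            seen += 1


# Constructed sample, not captured from a real router: the 5-byte header
# RouterOS sends (version 1, type 0, Ethernet, END tag) plus a 42-byte ARP request.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff 001122334455 0806"
    "0001 0800 06 04 0001 001122334455 c0a80101 000000000000 c0a80102"
)
SAMPLE_DATAGRAM = bytes.fromhex("0100000101") + SAMPLE_FRAME

if __name__ == "__main__" and "--serve" in sys.argv:
    serve(sys.stdout.buffer)   # e.g.: python tzsp2pcap.py --serve > /tmp/tzsp.pipe
```

Run it with --serve and redirect stdout to a named pipe that Wireshark opens as a pipe interface (wireshark -k -i /tmp/tzsp.pipe), or wrap the same functions in an extcap script as Sob describes; tzsp_datagrams_to_pcap is the side-effect-free part, so a saved burst of datagrams can be converted to a file offline.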
by Sob
Thu Apr 18, 2019 10:31 pm
Forum: General
Topic: Dstnat in output chain?
Replies: 14
Views: 2415

Re: Dstnat in output chain?

Actually, the loop trick is really dirty trick, but if you're really desperate, it could be used. Simpler solution would be to make dstnat in output available in RouterOS. It shouldn't need new kernel, I found it mentioned in articles about Linux 2.4 and RouterOS has some 3.x, if I remember correctl...
by Sob
Thu Apr 18, 2019 10:09 pm
Forum: General
Topic: Make external IP address accessible on secondary port
Replies: 6
Views: 215

Re: Make external IP address accessible on secondary port

^^^^ This works, but: 1) Use the same /32 addressing on second router too, only with swapped addresses. Because the whole /29 won't be available at that port. 2) You also need on first router: /ip arp add address=xx.xx.xx.99 interface=<WAN> published=yes 3) Make sure that you will allow forwarding t...
by Sob
Thu Apr 18, 2019 2:58 am
Forum: Beginner Basics
Topic: DHCP Server with specific gateway for specific gateway
Replies: 2
Views: 137

Re: DHCP Server with specific gateway for specific gateway

You can add IP address reservations for MAC addresses. And then you can add different config for addresses/subnets in "/ip dhcp-server network".
by Sob
Thu Apr 18, 2019 2:55 am
Forum: General
Topic: OpenVPN server - remote client can't ping internal network
Replies: 8
Views: 272

Re: OpenVPN server - remote client can't ping internal network

I meant routes on remote PC (VPN client). It needs to know that 192.168.1.0/24 is reachable via VPN. So check that. And I thought the previous 192.168.2.232 was a typo, I don't see that address or subnet anywhere in config you posted. If you changed VPN pool to different subnet, it removes the need ...
by Sob
Wed Apr 17, 2019 6:36 pm
Forum: Beginner Basics
Topic: Remote access from the Internet (WAN side)
Replies: 28
Views: 177654

Re: Remote access from the Internet (WAN side)

You're responding to post from 2012. That was long before the most ugly WinBox bug. It's possible that WinBox was completely secure back then, but it's hard to tell, since changelogs from that time were a little sparse.
by Sob
Wed Apr 17, 2019 4:55 pm
Forum: General
Topic: OpenVPN server - remote client can't ping internal network
Replies: 8
Views: 272

Re: OpenVPN server - remote client can't ping internal network

So now you have:
/interface bridge
add name=LAN protocol-mode=none arp=proxy-arp
Correct? If so, it should work. It's not your firewall, it doesn't block anything. It could be problem on client side, check if it has proper route to 192.168.1.0/24.
by Sob
Wed Apr 17, 2019 3:04 pm
Forum: General
Topic: IPSec tunnel OK but Mikrotik Routers can't ping each others
Replies: 2
Views: 113

Re: IPSec tunnel OK but Mikrotik Routers can't ping each others

If it's pure IPSec tunnel, it's most likely problem with policy and used addresses. If you'd have e.g. 192.168.0.0/24 on one side and 10.0.0.0/24 on the other (and policy for these two networks), there's no problem when any machine other than router tries to connect to another subnet (192.168.0.x to...
by Sob
Wed Apr 17, 2019 4:27 am
Forum: General
Topic: OpenVPN server - remote client can't ping internal network
Replies: 8
Views: 272

Re: OpenVPN server - remote client can't ping internal network

Take your LAN interface (in your case bridge named "LAN") and change its default arp=enabled to arp=proxy-arp. That's it.
by Sob
Wed Apr 17, 2019 4:12 am
Forum: General
Topic: Need help setting up a one port router with vlan
Replies: 1
Views: 101

Re: Need help setting up a one port router with vlan

I hate watching long videos about subjects that can be explained on few lines in written form. But it sounds like you just need a tagged vlan or two. Check the manual, jump directly to examples and I think they are relatively easy to understand. The first one looks like it could help you. Let's say ...
by Sob
Wed Apr 17, 2019 3:06 am
Forum: General
Topic: How to route 2 internal interfaces (so that they ping each other)? [SOLVED]
Replies: 7
Views: 249

Re: How to route 2 internal interfaces (so that they ping each other)? [SOLVED]

Those srcnat rules look ok. If they don't help, check the exact config of Windows firewall. It's possible that it doesn't allow access at all. If I remember correctly, it depends on active network profile. Private allowed access from local subnet and public didn't allow access from anywhere. And it ...
by Sob
Wed Apr 17, 2019 2:50 am
Forum: General
Topic: OpenVPN server - remote client can't ping internal network
Replies: 8
Views: 272

Re: OpenVPN server - remote client can't ping internal network

If IP addresses given to VPN clients overlap with LAN subnet, you need to enable proxy ARP on LAN interface. To other LAN devices, they look like part of local subnet, so they send ARP request and get no reply. With proxy ARP enabled, router will answer on behalf of VPN client. If you want to route t...
by Sob
Tue Apr 16, 2019 9:17 pm
Forum: General
Topic: How to route 2 internal interfaces (so that they ping each other)? [SOLVED]
Replies: 7
Views: 249

Re: How to route 2 internal interfaces (so that they ping each other)? [SOLVED]

Firewalls on computers are different thing. I don't know about other systems, but on Windows they by default allow only connections from same subnet. So you can either change that (on each device and it's clean solution), or you'd have to play with srcnat and make connections to other subnets look a...
by Sob
Tue Apr 16, 2019 6:39 pm
Forum: Beginner Basics
Topic: One website blocked
Replies: 4
Views: 191

Re: One website blocked

The internet side (isp) is 192.168.2.2 Netmask 255.0.0.0/8 Gateway 192.168.2.254
Netmask is wrong. With /8, 192.104.67.65 is part of local subnet, which it definitely isn't. Correct mask is most likely /24.
by Sob
Tue Apr 16, 2019 6:36 pm
Forum: General
Topic: How to route 2 internal interfaces (so that they ping each other)? [SOLVED]
Replies: 7
Views: 249

Re: How to route 2 internal interfaces (so that they ping each other)? [SOLVED]

It's the usual problem, you mark routing and once you do it, destination will be looked up only in given routing table. And only route you have there is default one, so even packets to other local subnets will be sent to internet. You have two options: a) Don't mark routing then destination is local...
by Sob
Mon Apr 15, 2019 8:13 pm
Forum: Beginner Basics
Topic: check and protect smb from outside
Replies: 2
Views: 174

Re: check and protect smb from outside

You can use some online port scanner (ask Google, there are several).

And you can block stuff selectively, depending on where it comes from (e.g. with in-interface). If you have default firewall, it blocks incoming connections from internet. If you have own firewall, you have it in your hands. :)
by Sob
Mon Apr 15, 2019 8:10 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 798

Re: Preventing IPSec-less L2TP [SOLVED]

About the policy, probably not. I'm not exactly sure about behaviour of policies for unconnected peers without testing it, maybe there's a chance to do something with it that way, but IMHO it would be a dirty trick. If you want to make sure that home computer won't be able to use bare L2TP, blocking...
by Sob
Mon Apr 15, 2019 8:02 pm
Forum: Beginner Basics
Topic: Dual WAN failover
Replies: 1
Views: 142

Re: Dual WAN failover

I think the message is self-explanatory, you can't use in/out-bridge-port (meant for ports in bridge) if interface is not part of bridge (that sounds right for WAN interface). I guess you probably want in/out-interface instead.
by Sob
Sun Apr 14, 2019 5:56 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 798

Re: Preventing IPSec-less L2TP [SOLVED]

You're missing something obvious: 1) The chain=output is for packets from router itself (process running on router). Packets from home computer to server will go through chain=forward. 2) The ipsec-policy matcher also works only for IPSec configured on router itself. Router has no way of knowing tha...
by Sob
Sat Apr 13, 2019 3:03 pm
Forum: General
Topic: Can not ping WAN interface IP address from LAN interface
Replies: 4
Views: 220

Re: Can not ping WAN interface IP address from LAN interface

I thought you meant 172.16.188.253 as exact address, but maybe you mean "Wan interface IP address" as any other address connected to WAN? If that's the case, you also need either route to 172.16.144.1/20 on those devices (will work for communication established both ways), or srcnat on router (allo...
by Sob
Sat Apr 13, 2019 4:51 am
Forum: General
Topic: Can't access NVR from outside office subnet [SOLVED]
Replies: 7
Views: 304

Re: Can't access NVR from outside office subnet [SOLVED]

Yes, there's probably some mistake. Maybe in that config of yours, which we don't see, so it's hard to comment on it.
by Sob
Sat Apr 13, 2019 4:49 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 20
Views: 4142

Re: Feature Request: 802.1X over ethernet

And before anyone (like myself) wastes time searching where it is:
Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
by Sob
Sat Apr 13, 2019 4:44 am
Forum: General
Topic: Mikrotik IP Cloud vs P2P
Replies: 8
Views: 382

Re: Mikrotik IP Cloud vs P2P

ISP who would give you IPv6, but not public addresses, would be really unusual. They would have to do extra work to give you worse service. It would have to be really evil ISP. If you ever meet ISP like that, run away. :) IPv4 is different, it simply doesn't have enough addresses for everyone. I agr...
by Sob
Sat Apr 13, 2019 4:16 am
Forum: General
Topic: Can not ping WAN interface IP address from LAN interface
Replies: 4
Views: 220

Re: Can not ping WAN interface IP address from LAN interface

1) Route #3 looks like nonsense and I don't think it's doing anything (useful or not).

2) Does client 172.16.144.6 have correct netmask (/20) and gateway (172.16.144.1)?
by Sob
Fri Apr 12, 2019 2:52 pm
Forum: General
Topic: Regarding Windows File Share (SMB) between 2 networks (Interfaces) [SOLVED]
Replies: 5
Views: 250

Re: Regarding Windows File Share (SMB) between 2 networks (Interfaces) [SOLVED]

Default Windows firewall allows access only from same subnet. Clean solution is to allow access from the other one (on target machine). Lazy solution is to add srcnat rule, which will make all connections from other subnet look as if they come from router, which is in same subnet.
by Sob
Fri Apr 12, 2019 12:44 am
Forum: Beginner Basics
Topic: External ip in lan network redirect to the router
Replies: 3
Views: 186

Re: External ip in lan network redirect to the router

This must be the most popular question here.

https://wiki.mikrotik.com/wiki/Hairpin_NAT
by Sob
Thu Apr 11, 2019 5:38 pm
Forum: The Dude
Topic: The Dude - Acknowledge once
Replies: 1
Views: 119

Re: The Dude - Acknowledge once

Currently not possible. It was requested in the past and that's where it ended for now. And since development doesn't seem to be very alive again, who knows when/if it will be possible.
by Sob
Thu Apr 11, 2019 5:36 pm
Forum: General
Topic: How to manual set IPv6 link-local address on interface?
Replies: 4
Views: 211

Re: How to manual set IPv6 link-local address on interface?

Only if ISP agrees to route prefix to that address. Which they might not be too eager to do, if they already have established system with link-local addresses.
by Sob
Thu Apr 11, 2019 5:33 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1063
Views: 181078

Re: Feature requests

Yeah, about that "solved"... If Let's Encrypt support is solved by the solution (workaround is better word (*) ) presented in that thread, then we can magically solve all other RouterOS shortcomings right away. Why didn't we think about it before, it's so simple, just add Linux machine to your route...
by Sob
Thu Apr 11, 2019 11:15 am
Forum: General
Topic: Domain resolution + local services
Replies: 5
Views: 229

Re: Domain resolution + local services

RouterOS doesn't do some things automatically. You need srcnat rule for packets going from LAN back to LAN: /ip firewall nat add chain=srcnat src-address=<your LAN subnet> dst-address=<your LAN subnet> action=masquerade Explanation what it does and why it's necessary is at https://wiki.mikrotik.com/...
by Sob
Thu Apr 11, 2019 1:49 am
Forum: Beginner Basics
Topic: How can I make a point to point subnet, and access the hosts inside it?
Replies: 2
Views: 127

Re: How can I make a point to point subnet, and access the hosts inside it?

RouterOS doesn't support /31 subnets, but it can use point-to-point with two completely different /32 addresses. I think it may even work with device that can only do /31, I read something like that in this forum, but I never had an opportunity to test it with such device. Default gateway depends on...
by Sob
Thu Apr 11, 2019 1:31 am
Forum: General
Topic: Telnet function not working anymore since several versions
Replies: 5
Views: 242

Re: Telnet function not working anymore since several versions

It's broken in latest 6.45beta27 too. Both Telnet and MAC Telnet. You can report bugs to MikroTik by sending e-mail to their support. They might notice it here in forum, but it's not guaranteed.
by Sob
Thu Apr 11, 2019 1:25 am
Forum: Beginner Basics
Topic: routers sends back local IP instead of external
Replies: 4
Views: 220

Re: routers sends back local IP instead of external

That's how FTP works, every transfer (download, upload, directory listing) means a new connection. Either client connects to server (passive mode) or server connects to client (active mode). And both work by sending the exact address that should be used, which is a nightmare when combined with firewalls...
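What "sending the exact address that should be used" looks like on the wire, and the two places it gets fixed when the server sits behind NAT, as an added example that is not from the post or from any FTP implementation. It parses the RFC 959 passive-mode reply (227 Entering Passive Mode (h1,h2,h3,h4,p1,p2), port = p1*256+p2), treats RFC 1918 addresses as "the router's local IP" (that is this example's definition of local, not the post's), applies the client-side fallback that curl's --ftp-skip-pasv-ip does unconditionally and FileZilla does for unroutable addresses, and shows the server-side fix of advertising the external address. All addresses are constructed.

```python
"""FTP passive-mode (227) reply handling behind NAT (added example)."""
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." per RFC 959; servers vary the text.
PASV_RE = re.compile(
    r"^227\b[^\d]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)
# Assumption of this example: "local IP" means RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip) -> bool:
    return any(ip in net for net in RFC1918)


def parse_pasv(reply: str):
    """Return (IPv4Address, port) the server advertised; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError(f"octet out of range in {reply!r}")
    port = n[4] * 256 + n[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ipaddress.IPv4Address(".".join(str(x) for x in n[:4])), port


def data_endpoint(reply: str, control_peer: str):
    """Client side: where to really open the data connection.

    Returns (ip, port, substituted). A server reached at a public address that
    advertises an RFC 1918 one is behind NAT without a working FTP helper, so
    the client reuses the control-connection peer instead of the advertised IP.
    """
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    if is_rfc1918(ip) and not is_rfc1918(peer):
        return str(peer), port, True
    return str(ip), port, False


def format_pasv(external_ip: str, port: int) -> str:
    """Server side: the 227 line to send once the server knows its external address
    (the setting vsftpd calls pasv_address). Port is split as p1*256+p2."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(external_ip)).split(".")
    return "227 Entering Passive Mode ({},{},{},{},{},{}).".format(
        *octets, port // 256, port % 256
    )


# Constructed exchange: a NATed server at public 203.0.113.7 leaks its LAN address.
LEAKY_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)."
FIXED_REPLY = format_pasv("203.0.113.7", 50000)
```

The client-side fallback only repairs the address; the passive port range still has to be reachable, so the router in front of the server either needs its FTP helper to rewrite the 227 reply and open the data port, or the range has to be forwarded statically and the server told to advertise the external address, as format_pasv does.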
by Sob
Wed Apr 10, 2019 11:28 pm
Forum: General
Topic: Mikrotik IP Cloud vs P2P
Replies: 8
Views: 382

Re: Mikrotik IP Cloud vs P2P

Well, yes. With the address shortage now worse than ever (and it won't get better), maybe it wouldn't be the worst idea to start using this thing that was invented more than twenty years ago, to solve exactly this problem. Especially when it's really good at it. With IPv4, most people get one public...
by Sob
Wed Apr 10, 2019 6:12 pm
Forum: General
Topic: How to manual set IPv6 link-local address on interface?
Replies: 4
Views: 211

Re: How to manual set IPv6 link-local address on interface?

... assign the link-local address "fe80::<prefix>" to my wan interface ...
Unfortunately for you, current RouterOS doesn't allow manually assigned link-local addresses.
by Sob
Wed Apr 10, 2019 5:39 pm
Forum: General
Topic: Hotspot https redirect feature
Replies: 4
Views: 253

Re: Hotspot https redirect feature

I don't use hotspot, but doesn't it do what it should, as described in manual? Whether to redirect unauthenticated user to hotspot login page, if he is visiting a https:// url. Since certificate domain name will mismatch, often this leads to errors, so you can set this parameter to "no" and all http...
by Sob
Wed Apr 10, 2019 5:09 pm
Forum: General
Topic: Mikrotik IP Cloud vs P2P
Replies: 8
Views: 382

Re: Mikrotik IP Cloud vs P2P

They should not. It takes users' minds from the right question they should be asking:

Why don't I have even a single public address for myself, when millions(*) of available public addresses exist for every single person and device on the planet?

(*) Actually even much much more
by Sob
Wed Apr 10, 2019 4:54 pm
Forum: Beginner Basics
Topic: Help with HEX S Firewall
Replies: 2
Views: 149

Re: Help with HEX S Firewall

No, everything is allowed by default in factory firewall. Only new incoming connections from WAN are blocked. So you can either reverse the firewall logic with unconditional drop rule at the end (and allow what you need allowed before that), or you can add blocking rule at the end, something like: /...