Community discussions

Search found 5470 matches

by Sob
Fri May 29, 2020 12:16 am
Forum: General
Topic: Could not login to Mikrotik Routers through Winbox suddenly.
Replies: 3
Views: 534

Re: Could not login to Mikrotik Routers through Winbox suddenly.

And "can't login" means what exactly? It can't connect at all, or does it report wrong username or password, or something else? Is it the same when you connect to IP address and MAC address (the latter is possible only on same network segment)?
by Sob
Thu May 28, 2020 8:18 pm
Forum: General
Topic: Could not login to Mikrotik Routers through Winbox suddenly.
Replies: 3
Views: 534

Re: Could not login to Mikrotik Routers through Winbox suddenly.

That's very old RouterOS. Depending on how accessible the WinBox port is, one possibility is that the router may have a new admin, thanks to this:

https://blog.mikrotik.com/security/winb ... ility.html
by Sob
Thu May 28, 2020 12:22 pm
Forum: General
Topic: implicit firewall rules
Replies: 4
Views: 517

Re: implicit firewall rules

It's also best practice to add the last "drop all" rule. :) If you think that people fail to do that, why do you think that they would not fail to allow administrative access first? And while firewall is stateful, it doesn't allow established connections automatically, you need proper rule for that.
by Sob
Thu May 28, 2020 12:13 am
Forum: General
Topic: Having trouble with possible DNAT
Replies: 8
Views: 898

Re: Having trouble with possible DNAT

Ideally you want public address and have it directly on your router. Downside is that ISPs often charge extra for it. On top of that, many only reserve it for you and don't give it to you directly (NAT 1:1). It's not a problem when you need to forward some static ports, but probably won't work with ...
by Sob
Wed May 27, 2020 2:59 pm
Forum: General
Topic: Having trouble with possible DNAT
Replies: 8
Views: 898

Re: Having trouble with possible DNAT

About dstnat/UPnP, if 10.16.1.107 is your real WAN address, then it's no surprise that it doesn't work, because it's private one. So even if you configure everything correctly on your router, it still won't work, because it's not possible to reach this address from internet.
by Sob
Wed May 27, 2020 2:02 am
Forum: Scripting
Topic: Question related with ROS client ssh w/o Pass
Replies: 2
Views: 361

Re: Question related with ROS client ssh w/o Pass

I didn't test it, but quick search suggests that the keyword you're looking for is "dropbearconvert".
by Sob
Wed May 27, 2020 12:44 am
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 48
Views: 7981

Re: v6.47rc [testing] is released!

There's problem with SOCKS's bind command. It's supposed to return external address to which someone else can connect (e.g. if client wants to use active FTP with PORT command). Old SOCKS4 work correctly, it returns WAN address (192.168.80.183 in this example): socks4bind.png But new SOCKS5 doesn't:...
by Sob
Wed May 27, 2020 12:37 am
Forum: Beginner Basics
Topic: What's wrong with this NAT command ?
Replies: 5
Views: 676

Re: What's wrong with this NAT command ?

Because characters < and > shouldn't be there. It's just dst-address=172.16.175.0/24.
by Sob
Tue May 26, 2020 11:30 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 48
Views: 7981

Re: v6.47rc [testing] is released!

I have to join other DNS fans, I'm grateful for improvements, but it's like you stopped just few steps before finish line. If I have regular resolver in global config (/ip dns set servers=<...>), then all local overrides (/ip dns static add <...>) are preferred, whether it's single hostname or new F...
by Sob
Mon May 25, 2020 11:59 am
Forum: Beginner Basics
Topic: NAT, VLANs, and guest accessing internal services by router external IP [SOLVED]
Replies: 4
Views: 445

Re: NAT, VLANs, and guest accessing internal services by router external IP [SOLVED]

Quick fix should be (put before last rule):
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
by Sob
Sat May 23, 2020 2:31 pm
Forum: Wireless Networking
Topic: Adding a DNS CNAME for internal IP address?
Replies: 2
Views: 279

Re: Adding a DNS CNAME for internal IP address?

If you want BobsComputer pointing to 10.10.100.123, it's not CNAME record, it's A record and it's already possible in all versions: /ip dns static add address=10.10.100.123 name=BobsComputer Just be aware that when it's not FQDN (there's no dot in name), there may be problem with resolving, because ...
by Sob
Sat May 23, 2020 1:06 am
Forum: General
Topic: Hairpin nat issue [SOLVED]
Replies: 8
Views: 1564

Re: Hairpin nat issue [SOLVED]

I didn't think it through, it was just that the last rule for invalid packets blocked this, and a quick thought that maybe something else that was invalid before and blocked isn't now. But probably not.
by Sob
Sat May 23, 2020 12:50 am
Forum: General
Topic: Hairpin nat issue [SOLVED]
Replies: 8
Views: 1564

Re: Hairpin nat issue [SOLVED]

But now if you disabled it, you'll want to do something with firewall filter, because it allows pretty much anything to pass.
by Sob
Sat May 23, 2020 12:09 am
Forum: General
Topic: Hairpin nat issue [SOLVED]
Replies: 8
Views: 1564

Re: Hairpin nat issue [SOLVED]

The "out:(unknown 0)" is fine, because in dstnat it's not yet known where the packet will go, it's decided later. But I don't see anything clearly wrong either. If you have hits for dstnat and not for srcnat, then something should be blocking it in forward. But the only rule that could do this is th...
by Sob
Tue May 19, 2020 12:18 am
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3446

Re: namecheap.com dynamic dns

Bad news, even though the list of available TLDs has grown significantly in recent years, neither of your choices exists so far. There are only these:

http://data.iana.org/TLD/tlds-alpha-by-domain.txt

But it's probably best to go with good old com/net/org/<country tld> anyway.
by Sob
Tue May 19, 2020 12:08 am
Forum: Beginner Basics
Topic: Public IP Routing
Replies: 1
Views: 275

Re: Public IP Routing

Either that (although more correct would be to use bridge VLAN filtering to join WAN with VLAN), or you can use proxy ARP and route single address anywhere in your LAN.
by Sob
Tue May 19, 2020 12:02 am
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 28
Views: 8118

Re: Winbox v3.24 released!

^^^ If you do, please don't break it for default dpi, it's perfect there.
by Sob
Mon May 18, 2020 11:52 pm
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3446

Re: namecheap.com dynamic dns

Masses can have own domain names too, if they want, it's simple and cheap. I need to give up six beers each year to afford one, and it's that many only because beer is really cheap here, otherwise it would be even less (not that I'm complaining :)). And it includes use of nameservers run by registra...
by Sob
Sat May 16, 2020 10:43 pm
Forum: General
Topic: No internet via non-main routing tables if missing default route on main [SOLVED]
Replies: 21
Views: 2215

Re: No internet via non-main routing tables if missing default route on main [SOLVED]

/ping address=8.8.8.8 routing-table=foo This works when you specify routing table. But it doesn't when you don't. It's known problem and it doesn't depend on RP filter. If you check routing diagram , you'll see that packets from local process (K) first go to "routing decision" and it works with mai...
by Sob
Sat May 16, 2020 10:05 pm
Forum: RouterOS v7 BETA
Topic: UI/UX On WinBox
Replies: 16
Views: 2467

Re: UI/UX On WinBox

It's not just looks vs. functionality, it's also what exactly you want to have. Before I discovered RouterOS and WinBox, I liked iptables because of the power, but command line interface wasn't pleasant at all, and all existing attempts for creating GUI were far from good. WinBox was dream come true...
by Sob
Fri May 15, 2020 9:39 pm
Forum: RouterBOARD hardware
Topic: Mikrotik Switch with 2,5G or 5G Ports.
Replies: 6
Views: 1047

Re: Mikrotik Switch with 2,5G or 5G Ports.

I hoped that 2.5G could become new baseline, it's not huge jump from 1G, but after all those years it would be nice. But if I can buy new managed 24-port 1G switch for ~$130 and the speed is still mostly ok for home use, there's no way I'm going to pay ten times more for 10G. It's simply not worth it.
by Sob
Fri May 15, 2020 8:52 pm
Forum: General
Topic: Feature request: rules groups or rules colors in WinBox
Replies: 4
Views: 794

Re: Feature request: rules groups or rules colors in WinBox

Some kind of grouping for firewall rules can be achieved using different chains. And then you can use filter to see only selected one. I'm sure it could be improved in some way, but I don't know how exactly. Because now it's the choice between seeing everything (which can be too much) or just one ch...
by Sob
Fri May 15, 2020 6:25 am
Forum: RouterOS v7 BETA
Topic: Feature Request: Port Forwarding Wizard/Menu in GUI
Replies: 2
Views: 471

Re: Feature Request: Port Forwarding Wizard/Menu in GUI

Quick Set should probably get some simple interface for port forwarding, so that its users don't have to go elsewhere for this relatively common thing. But otherwise I don't see any need for it. If you add rules manually in WinBox/WebFig, then there's more fields than in your screenshot, but it's no...
by Sob
Thu May 14, 2020 7:30 pm
Forum: General
Topic: Override hostname in specific dhcp-client
Replies: 1
Views: 324

Re: Override hostname in specific dhcp-client

Each dhcp client allows to set own options (on Advanced tab), so just create another option with different hostname and use it.
by Sob
Thu May 14, 2020 6:26 am
Forum: General
Topic: Static DNS best practice with dedicated server
Replies: 7
Views: 965

Re: Static DNS best practice with dedicated server

Think about all device's DNS servers as equal (all need to have the same info), device can ask any of them at any time. It may not be strictly true, different systems may use different algorithms. But you can't rely on the first one being always asked first. And even if it would, it could be just a ...
by Sob
Wed May 13, 2020 8:13 pm
Forum: RouterOS v7 BETA
Topic: Feature Request - Wireguard Protocol
Replies: 85
Views: 21800

Re: Feature Request - Wireguard Protocol

It depends. If you need huge VPN server for many users, or have some special requirements, then dedicated machine makes sense. But if you need something for only handful of users, then anything external is overkill. Even if it would be the cheapest RasPi-like board, which would be ok price wise, it'...
by Sob
Wed May 06, 2020 2:45 pm
Forum: Beginner Basics
Topic: multiple gateways & routing [SOLVED]
Replies: 18
Views: 2554

Re: multiple gateways & routing [SOLVED]

It's going to be 0.000nothing, because connection tracking happens anyway and that's the heavy part. I'm not even sure if srcnat actually does something, when the address was already the right one before. And it's not like the router itself has too many outgoing connections anyway.
by Sob
Wed May 06, 2020 5:05 am
Forum: Beginner Basics
Topic: multiple gateways & routing [SOLVED]
Replies: 18
Views: 2554

Re: multiple gateways & routing [SOLVED]

For the record, I overlooked "!", so second paragraph in my previous post is nonsense. But in any case, you don't need to worry about excluding router from srcnat for its own connections to internet. Keeping it included can either help (in case it chooses wrong source address; although it's more oth...
by Sob
Tue May 05, 2020 2:23 pm
Forum: Beginner Basics
Topic: multiple gateways & routing [SOLVED]
Replies: 18
Views: 2554

Re: multiple gateways & routing [SOLVED]

That's default NAT rule for accessing internet, which hides LAN behind address on WAN. I don't know what you have in "list-router" address list, but if it's public address, then if it's directly on this router, it can't happen, because packet with this destination will go to router itself and won't ...
by Sob
Tue May 05, 2020 5:56 am
Forum: General
Topic: port forwarding + reverse SNAT
Replies: 16
Views: 1983

Re: port forwarding + reverse SNAT

... then sob comes in and makes a bigger mess (or at least confusing the OP ...
Hey! I'm the one with endless patience, explaining all the details and followup questions. Especially to some ungrateful users. ;)
by Sob
Tue May 05, 2020 5:45 am
Forum: Beginner Basics
Topic: multiple gateways & routing [SOLVED]
Replies: 18
Views: 2554

Re: multiple gateways & routing [SOLVED]

Fancy switch wouldn't help you anyway, because different subnets means routing. And yes, separate networks are more secure. Of course it's also a question, whether there's something worth protecting in the other subnet. :)
by Sob
Mon May 04, 2020 7:01 pm
Forum: General
Topic: RDP for server not working
Replies: 2
Views: 660

Re: RDP for server not working

Your config is, erm... interesting. Just RDP rules: - #5 forwards port 3389 to 192.168.88.88:3389 - #6 forwards port 3390 to 192.168.88.126:3389 - #7 would forward port 3390 to 192.168.88.158:3391, but it never will, because #6 will take it first - #9 is useless duplicate of #5 with additional condit...
by Sob
Mon May 04, 2020 6:35 pm
Forum: Forwarding Protocols
Topic: Hairpin and SSL [SOLVED]
Replies: 2
Views: 820

Re: Hairpin and SSL [SOLVED]

Hairpin NAT doesn't care about SSL and anything on higher levels, it's completely transparent for that. The fact that you get 403 (assuming that you connected to the right server) means that hairpin NAT already did its job, otherwise you wouldn't be able to connect at all.
by Sob
Mon May 04, 2020 1:53 pm
Forum: Forwarding Protocols
Topic: Accessing my server outside of the LAN network
Replies: 18
Views: 2337

Re: Accessing my server outside of the LAN network

You know what's interesting? This rule: /ip firewall nat add action=dst-nat chain=dstnat comment="inbound port 80 goes to AC Dire" dst-port=80 log=yes log-prefix=task.dire protocol=tcp to-addresses=192.168.1.243 to-ports=80 takes all tcp connections to port 80, no matter what the destination address...
by Sob
Sun May 03, 2020 10:16 pm
Forum: Beginner Basics
Topic: Port forward from my WAN IP+port to another WAN ip+port [SOLVED]
Replies: 2
Views: 763

Re: Port forward from my WAN IP+port to another WAN ip+port [SOLVED]

You want this: https://wiki.mikrotik.com/wiki/Hairpin_NAT

It's typically used for something else, but it's the same problem with same solution.
by Sob
Sun May 03, 2020 5:43 pm
Forum: Scripting
Topic: Question regarding DHCP-DNS scripting
Replies: 2
Views: 649

Re: Question regarding DHCP-DNS scripting

If possible, always look at how old the examples you find are. The linked one was last modified in 2011, which was way before support for lease scripts was added. In other words, old scripts or other configs are often unnecessarily complex from today's perspective.
by Sob
Sun May 03, 2020 3:39 am
Forum: Beginner Basics
Topic: multiple gateways & routing [SOLVED]
Replies: 18
Views: 2554

Re: multiple gateways & routing [SOLVED]

If you want it direct, you don't have many options. Basically just static DNS records, with all disadvantages. If you're worried more about seeing source addresses than going through the router, you have one or two options: a) Map clients' source addresses in some virtual subnet. Instead of masquera...
by Sob
Sat May 02, 2020 10:15 pm
Forum: General
Topic: Closing a knocked port [SOLVED]
Replies: 9
Views: 1447

Re: Closing a knocked port [SOLVED]

That's just wrong. ;) It's nothing against you, desperate people do desperate things, I'm just saying that RouterOS should have better solution for this.
by Sob
Sat May 02, 2020 10:13 pm
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 24
Views: 2681

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

@anav: I have the most humble requirements. Users should each have own password (or maybe certificate) and depending on that, they should be able to connect (and end up in correct VLAN if there are some), using both wired (optionally also with external managed switch) and wireless connections. Simpl...
by Sob
Sat May 02, 2020 7:05 pm
Forum: General
Topic: Closing a knocked port [SOLVED]
Replies: 9
Views: 1447

Re: Closing a knocked port [SOLVED]

I wonder why they didn't add action=remove-src/dst-from-address-list, I would do it.
by Sob
Sat May 02, 2020 7:00 pm
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 24
Views: 2681

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

I don't know about buggy, but I'll sign "looks to me gigantic for my simple needs". When I install it, I end up with 350MB of dependencies and 1.4MB of stuff in /etc/freeradius in over 200 files. It doesn't necessarily mean anything, but the first impression is scary, it definitely doesn't promise q...
by Sob
Sat May 02, 2020 6:35 pm
Forum: General
Topic: Closing a knocked port [SOLVED]
Replies: 9
Views: 1447

Re: Closing a knocked port [SOLVED]

Problem is, this shortening doesn't work. I was excited (and slightly ashamed that I didn't try it before myself) to learn something new I missed. But no. It increases timeout for existing record when it's lower than timeout set in rule. But it doesn't decrease it when it's higher.
by Sob
Sat May 02, 2020 6:25 pm
Forum: Beginner Basics
Topic: multiple gateways & routing [SOLVED]
Replies: 18
Views: 2554

Re: multiple gateways & routing [SOLVED]

As you already know, with hairpin NAT client sends packet to public address (which is on router, but client has no idea about that) and router sends it back to LAN to server's internal address. This part is still ok. But then server responds from its internal address and guess what? Your routing rul...
by Sob
Sat May 02, 2020 5:59 am
Forum: Beginner Basics
Topic: multiple gateways & routing [SOLVED]
Replies: 18
Views: 2554

Re: multiple gateways & routing [SOLVED]

Well, you don't have to mark connections if the server should always use same WAN. In that case, this rule is ok: /ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=server passthrough=yes src-address-list=list-server Or another way would be to use routing rule (/ip route r...
by Sob
Fri May 01, 2020 3:10 am
Forum: Beginner Basics
Topic: multiple gateways & routing [SOLVED]
Replies: 18
Views: 2554

Re: multiple gateways & routing [SOLVED]

Study this: https://wiki.mikrotik.com/wiki/Manual:PCC It's primarily about load balancing, so ignore that part. In short, you can't mark routing directly like you tried, because routing marks are per-packet. And you actually want it only for outgoing packets. So first mark incoming connections and t...
by Sob
Wed Apr 29, 2020 10:04 pm
Forum: Beginner Basics
Topic: Forwarding Port Range results in internet issues
Replies: 3
Views: 891

Re: Forwarding Port Range results in internet issues

Slow down, just because it's a little longer than default, it doesn't mean that it's wrong. The problem here is using "port" in dstnat rules instead of correct "dst-port", so it matches also on source ports.
by Sob
Wed Apr 29, 2020 8:40 pm
Forum: Beginner Basics
Topic: Port forward with webserver
Replies: 16
Views: 1872

Re: Port forward with webserver

Is it even possible to not like it? :) Yes, it's a hack. But it's so simple, effective, almost foolproof (except nothing really is, because fools are very creative). If you are big company with proper DNS infrastructure, you have enough professional admins who can take care of things, you hate hacks...
by Sob
Wed Apr 29, 2020 7:15 pm
Forum: Beginner Basics
Topic: Port forward with webserver
Replies: 16
Views: 1872

Re: Port forward with webserver

Why hairpin NAT is the best thing in the world TL;DR: Hairpin NAT does not require any maintenance and transparently handles everything, even things that can't be done with DNS. And about cons, it's not too bad: - Packets going to router and back is disadvantage, but the idea is that you do not use...
by Sob
Tue Apr 28, 2020 9:57 pm
Forum: RouterOS v7 BETA
Topic: V7 questions?
Replies: 27
Views: 5255

Re: V7 questions?

No, it can't.

Out of curiosity, what would be the point? It doesn't make sense price wise, RouterOS license would cost you almost as much as the board. And all the things you can attach to board would be useless, because you'd have RouterOS and it doesn't allow to install any custom stuff.
by Sob
Mon Apr 27, 2020 5:00 pm
Forum: Beginner Basics
Topic: Can't ping between subnets
Replies: 11
Views: 1572

Re: Can't ping between subnets

There's not much in forward chain. Icmp could be affected (but echo request and reply is allowed) and tcp 25 or 587 could be blocked if there's too many connections. But everything else is wide open. So I'd first check firewall on target devices, if it's allowed there.
by Sob
Mon Apr 27, 2020 3:45 pm
Forum: Beginner Basics
Topic: Port forward with webserver
Replies: 16
Views: 1872

Re: Port forward with webserver

It depends, linked article does have rule for only one destination, so you would need to add more, but instead you can use universal one: /ip firewall nat add chain=srcnat src-address=<local subnet> dst-address=<local subnet> action=masquerade and it covers everything. Any number of internal servers...
by Sob
Mon Apr 27, 2020 2:28 pm
Forum: Beginner Basics
Topic: Port forward with webserver
Replies: 16
Views: 1872

Re: Port forward with webserver

Go for hairpin NAT, it's also simple and unlike static DNS entries, you won't need to touch it ever again, no matter how many hostnames you add/remove/change.
by Sob
Sun Apr 26, 2020 10:03 pm
Forum: Beginner Basics
Topic: 2 LAN Cables from Mikrotik to Switch
Replies: 24
Views: 3182

Re: 2 LAN Cables from Mikrotik to Switch

Depending on config, you'll end up with either:

a) one useless cable
b) loop (not good at all)
c) bonding (switch needs to support it)
by Sob
Sun Apr 26, 2020 9:44 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 115788

Re: v6.47beta [testing] is released!

I think such dual-purpose NS records would be wrong, confusing. One is static record to send as is, if client asks for it. And second is instruction for resolver itself. Two completely different things. I wouldn't even put them in same category, but it's ok with own FWD type, because it shows clearl...
by Sob
Sun Apr 26, 2020 4:43 pm
Forum: General
Topic: Routing 4 lans and 4 wans [SOLVED]
Replies: 21
Views: 4458

Re: Routing 4 lans and 4 wans [SOLVED]

Sure, more routing rules:
/ip route rule
add action=lookup-only-in-table dst-address=<local subnet 1> table=main
add action=lookup-only-in-table dst-address=<local subnet 2> table=main
And order matters, so these need to be first.
by Sob
Sun Apr 26, 2020 4:37 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 115788

Re: v6.47beta [testing] is released!

Two things about conditional DNS forwarding (aside from big thanks): 1) IMHO the most common use case is to forward all queries for some local domain, i.e. <anything>.domain.tld to selected server. But unless I missed something, it's now possible only using regexp (regexp="(.+\\.)\?domain\\.tld\$" a...
by Sob
Thu Apr 02, 2020 8:02 pm
Forum: General
Topic: Dual WAN VPN SSTP - second certificate, backup link
Replies: 2
Views: 1239

Re: Dual WAN VPN SSTP - second certificate, backup link

Right, so far it's not possible to have multiple certificates. But it could be good feature request, allow to select multiple certificates and use SNI to present correct one to client. Sounds relatively simple to implement. And while we're at it, multiple independent servers, each with own config, u...
by Sob
Wed Apr 01, 2020 6:07 pm
Forum: Beginner Basics
Topic: Two WANs to one bridge
Replies: 13
Views: 2459

Re: Two WANs to one bridge

Now I see it. When you want to use 192.168.2.2 as gateway on upstream router, it's not the best idea to assign the same address to this router.
by Sob
Wed Apr 01, 2020 5:46 pm
Forum: Beginner Basics
Topic: Hairpin NAT - but what if there are multiple interfaces!!
Replies: 9
Views: 2138

Re: Hairpin NAT - but what if there are multiple interfaces!!

Just that addresses on your router are local, and all other addresses on whole internet are not local, so dst-address-type=!local will match for all of them.
by Sob
Wed Apr 01, 2020 5:42 pm
Forum: Beginner Basics
Topic: VLAN setup help
Replies: 30
Views: 5674

Re: VLAN setup help

OP's last post suggests that it's wanted. And linked config has all dstnat rules in-interface-list=WAN. So I thought it wouldn't hurt to mention it.
by Sob
Wed Apr 01, 2020 12:35 am
Forum: Beginner Basics
Topic: VLAN setup help
Replies: 30
Views: 5674

Re: VLAN setup help

Why does everyone keep making the same mistake? Hairpin NAT means that connections will be coming from LAN. Guess what will happen when dstnat rule has in-interface-list=WAN. Right, nothing.
by Sob
Wed Apr 01, 2020 12:29 am
Forum: Beginner Basics
Topic: firewall setup for SVN
Replies: 3
Views: 1566

Re: firewall setup for SVN

If it's unknown hostname, then DNS doesn't work as it should. What does the machine use as DNS server? If it's router, you need to allow port 53 in input chain, and you also need: /ip dns set allow-remote-requests=yes servers=<some working DNS servers> If it's some other server, you need to allow co...
by Sob
Wed Apr 01, 2020 12:18 am
Forum: Beginner Basics
Topic: OpenVPN VS Mikrotik VPN quick setup
Replies: 5
Views: 1672

Re: OpenVPN VS Mikrotik VPN quick setup

"Anything" includes OpenVPN. I can't say how reliable it is. I tested it and it worked, but I have no long time experience with it. I remember some outages reported here once or twice. If your life doesn't depend on it, it should be ok.
by Sob
Wed Apr 01, 2020 12:14 am
Forum: Beginner Basics
Topic: How to properly use detect-internet for ISP failover
Replies: 1
Views: 1228

Re: How to properly use detect-internet for ISP failover

That's a question, if it can be used for that. According to manual, you give it a list of interfaces and you get back three lists with interfaces sorted by status. You can use them to e.g. allow or block something in firewall. But to influence routing, maybe it's just sudden lack of imagination on m...
by Sob
Wed Apr 01, 2020 12:07 am
Forum: General
Topic: Issue with Nat issue
Replies: 11
Views: 2208

Re: Issue with Nat issue

Hint: You're connecting to public address from LAN. Do you think that rule with in-interface-list=WAN will pay attention to this connection?
by Sob
Tue Mar 31, 2020 11:53 pm
Forum: Beginner Basics
Topic: Hairpin NAT - but what if there are multiple interfaces!!
Replies: 9
Views: 2138

Re: Hairpin NAT - but what if there are multiple interfaces!!

If you mean dst-address-type=!local, I wouldn't recommend that. On the upside, if you tried it with ports like 80 or 443, you'd realize your mistake very quickly. ;) But you're right, if the public address is on upstream router and dstnatted to this one (whether it's called NAT 1:1, DMZ or whatever)...
by Sob
Tue Mar 31, 2020 7:48 pm
Forum: Beginner Basics
Topic: Hairpin NAT - but what if there are multiple interfaces!!
Replies: 9
Views: 2138

Re: Hairpin NAT - but what if there are multiple interfaces!!

Except chain=dstnat and action=src-nat together, you can use address list, I even mentioned that already.
by Sob
Tue Mar 31, 2020 7:39 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 115788

Re: v6.47beta [testing] is released!

@MarkoB: Because for that you'd need full recursive resolver and RouterOS doesn't have it.
by Sob
Tue Mar 31, 2020 7:03 pm
Forum: RouterOS v7 BETA
Topic: forget about OpenVPN give us WIREGUARD
Replies: 11
Views: 6196

Re: forget about OpenVPN give us WIREGUARD

Arguments against WG in that article are, in short: 1) Big vendors like Cisco won't support it 2) It's not dynamic enough for road warriors 3) It's not easy, at least not easier than IPSec 4) It's tied to one set of algorithms, so future upgrades will be problematic 5) If you want fancy new cryptogr...
by Sob
Tue Mar 31, 2020 5:17 pm
Forum: Beginner Basics
Topic: Hairpin NAT - but what if there are multiple interfaces!!
Replies: 9
Views: 2138

Re: Hairpin NAT - but what if there are multiple interfaces!!

And for actual hairpin NAT (srcnat rule), as you already know, it's needed only when client and server are in same subnet. So if you want as little NAT as possible, you'll need three rules: /ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=masquerade add ...
by Sob
Tue Mar 31, 2020 5:11 pm
Forum: Beginner Basics
Topic: Hairpin NAT - but what if there are multiple interfaces!!
Replies: 9
Views: 2138

Re: Hairpin NAT - but what if there are multiple interfaces!!

Basic dstnat rule is: /ip firewall nat add chain=dstnat dst-address=<public address> protocol=<protocol> dst-port=<port> action=dst-nat to-addresses=<internal server> But there's a problem with dynamic addresses, you can't use static dst-address=<public address> for them, because it wouldn't work if...
by Sob
Tue Mar 31, 2020 4:41 am
Forum: Beginner Basics
Topic: [SOLVED] Port Forwarding issue - some works, some doesn't.
Replies: 23
Views: 3574

Re: [ASK] Port Forwarding issue - some works, some doesn't.

The idea behind mangle rules is to use them instead of Torch, because there you can miss a packet, but mangle rules will log all.
by Sob
Tue Mar 31, 2020 4:38 am
Forum: Beginner Basics
Topic: Multiple IP Addresses
Replies: 1
Views: 1182

Re: Multiple IP Addresses

If I understand it correctly, you want to be able to tell whether 192.168.0.3 or 10.1.1.3 was used as gateway. But they are both on same interface and ARP resolves to same MAC address. Correct? If that's so, you need another MAC address, which can be done with VRRP: https://forum.mikrotik.com/viewto...
by Sob
Tue Mar 31, 2020 4:28 am
Forum: Beginner Basics
Topic: OpenVPN VS Mikrotik VPN quick setup
Replies: 5
Views: 1672

Re: OpenVPN VS Mikrotik VPN quick setup

Quick Set creates some VPN config, I'm not really sure what exactly. But you can create anything else manually if you want. And DDNS and VPN are not related, it's not like you'd have to use MikroTik's DDNS only with Quick Set VPN. MikroTik's DDNS just gives you hostname pointing to your router's add...
by Sob
Tue Mar 31, 2020 4:20 am
Forum: Beginner Basics
Topic: Hairpin nat configuration
Replies: 6
Views: 1721

Re: Hairpin nat configuration

About this: /ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes \ src-address=5.0.20.0/24 What do you have in routing table "vpn"? Because if it doesn't have route to 5.0.20.182, then even though dstnat changes destination for connections from client to ...
by Sob
Mon Mar 30, 2020 5:05 pm
Forum: Beginner Basics
Topic: VLAN setup help
Replies: 30
Views: 5674

Re: VLAN setup help

It depends on order of rules. If you allow all dstnatted ports first and then block access between vlans, it will work. If you swap these rules, then it won't.
by Sob
Mon Mar 30, 2020 1:32 pm
Forum: General
Topic: SSL certificate for mynetname domain
Replies: 10
Views: 2183

Re: SSL certificate for mynetname domain

No, server means your "oodoo server".
by Sob
Mon Mar 30, 2020 4:00 am
Forum: General
Topic: Can't access 1:1 natted public IP from LAN
Replies: 31
Views: 4428

Re: Can't access 1:1 natted public IP from LAN

Funny thing is that you had the simple basic config with public addresses on router the whole time. :) For the record, the NAT-less way I had in mind was to give public addresses directly to devices that need them. You could connect them to ONT directly, using either external switch, or you could sw...
by Sob
Mon Mar 30, 2020 3:53 am
Forum: General
Topic: Correction request : Authority flag for Import CA Certificate Autority in RouterOS
Replies: 9
Views: 2104

Re: Correction request : Authority flag for Import CA Certificate Autority in RouterOS

Certificates is one thing in RouterOS that I never found intuitive, unlike other parts. I'm not sure what exactly it is. Now it's slightly better, because I got used to it, but still... When combined with backup problems (the all or nothing approach of current binary backup is simply not convenient)...
by Sob
Sun Mar 29, 2020 10:07 pm
Forum: General
Topic: Can't access 1:1 natted public IP from LAN
Replies: 31
Views: 4428

Re: Can't access 1:1 natted public IP from LAN

Ok, so directly on your router you have the following? /ip address add interface=<WAN interface> address=<public address 1>/27 ... add interface=<WAN interface> address=<public address 5>/27 /ip route add dst-address=0.0.0.0/0 gateway=<another address from same /27> If that's so, you can probably ma...
by Sob
Sun Mar 29, 2020 9:56 pm
Forum: Beginner Basics
Topic: Two WANs to one bridge
Replies: 13
Views: 2459

Re: Two WANs to one bridge

Disable the fasttrack rule, it doesn't go well with mangling. But I don't think it should completely break everything.
by Sob
Sun Mar 29, 2020 8:46 pm
Forum: Announcements
Topic: Winbox v3.22 released!
Replies: 117
Views: 44776

Re: Winbox v3.22 released!

Tools->Legacy Mode
by Sob
Sun Mar 29, 2020 8:26 pm
Forum: General
Topic: DNS Issue
Replies: 4
Views: 1414

Re: DNS Issue

Windows always appends the connection's DNS suffix when you enter a bare hostname without any dot. You can use "sqlserver.", but it's almost guaranteed that you'll be forgetting that, if you type it manually and don't have it saved somewhere. There's option in IPv4 properties where you can put DNS suffixes...
by Sob
Sun Mar 29, 2020 8:07 pm
Forum: General
Topic: Can't access 1:1 natted public IP from LAN
Replies: 31
Views: 4428

Re: Can't access 1:1 natted public IP from LAN

So you do have 5 public addresses on your router? Or does ONT also work as router, public addresses are there and it does 1:1 NAT to your router and other devices? And you're in fact not connecting back to same LAN, but to another device connected behind ONT? I'm afraid I got lost in it. Maybe a di...
by Sob
Sun Mar 29, 2020 7:54 pm
Forum: General
Topic: Multi device routing question
Replies: 9
Views: 1830

Re: Multi device routing question

Is it possible that same router has both 192.168.199.247 and 192.168.199.3? Further hops depend on following routers, either they must have route to source address (I guess they don't), or you must use srcnat on the last one that does have it. VPN client and server can see each other. Then client ca...
by Sob
Sun Mar 29, 2020 7:42 pm
Forum: General
Topic: SSL certificate for mynetname domain
Replies: 10
Views: 2183

Re: SSL certificate for mynetname domain

I'm not exactly sure about required key-usage, but this worked for me: /certificate add name=ca common-name=MyCA key-usage=key-cert-sign days-valid=3650 sign ca name=MyCA add name=server common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-usage=tls-server days-valid=3650 s...
by Sob
Sun Mar 29, 2020 4:44 am
Forum: General
Topic: Can't access 1:1 natted public IP from LAN
Replies: 31
Views: 4428

Re: Can't access 1:1 natted public IP from LAN

There's definitely some misunderstanding. When you wrote that you have 1:1 NAT, I thought that ISP is doing that, but now it looks like you're the one who's doing it? What I was describing is: - ISP's router (which you don't have any access to) has public IP address, e.g. 2.2.2.2 - Your router's WAN ...
by Sob
Sun Mar 29, 2020 4:31 am
Forum: General
Topic: why
Replies: 4
Views: 1234

Re: why

Your complaint is not clear at all.
by Sob
Sun Mar 29, 2020 1:28 am
Forum: General
Topic: Can't access 1:1 natted public IP from LAN
Replies: 31
Views: 4428

Re: Can't access 1:1 natted public IP from LAN

I was going for really simple and easy to understand description. :D You can describe what you do understand, and I'm willing to try again. Or maybe there's some misunderstanding. You can draw a diagram how is everything connected, where are what addresses, etc. Perhaps it could be something different...
by Sob
Sun Mar 29, 2020 1:14 am
Forum: General
Topic: Winbox Quick Set strange Local network IP
Replies: 3
Views: 1201

Re: Winbox Quick Set strange Local network IP

Even better, then just ignore it completely and live happily ever after. :)
by Sob
Sun Mar 29, 2020 1:13 am
Forum: General
Topic: Multi device routing question
Replies: 9
Views: 1830

Re: Multi device routing question

1) Yes.
2) Short answer is no. Long answer is that it depends on config, some VPNs can push routes to clients (so clients can reach subnets behind server), and some may have configuration for multiple subnets behind client. You have to ask whoever is in control of D, what exactly is there.
by Sob
Sun Mar 29, 2020 12:24 am
Forum: General
Topic: Multi device routing question
Replies: 9
Views: 1830

Re: Multi device routing question

Obviously, you need some routes. Both A and B must know where to find D's subnet (behind C is the answer). And then it depends if you need to be able to connect (initiate new connections) also from D to A and B, or if from A and B to D is enough. In first case, D needs to have routes to B and C. If ...
by Sob
Sun Mar 29, 2020 12:09 am
Forum: General
Topic: Winbox Quick Set strange Local network IP
Replies: 3
Views: 1201

Re: Winbox Quick Set strange Local network IP

Simple rule is that once you do any change outside of Quick Set, you should forget that it exists and not use it again. If you do, it can break your config, because it can't support all possible changes you do elsewhere.
by Sob
Sun Mar 29, 2020 12:04 am
Forum: General
Topic: Can't access 1:1 natted public IP from LAN
Replies: 31
Views: 4428

Re: Can't access 1:1 natted public IP from LAN

Normal configuration, when you have public address on your router, has default NAT rule to access internet: /ip firewall nat add chain=srcnat out-interface=<WAN> action=srcnat to-addresses=<public address> or: /ip firewall nat add chain=srcnat out-interface=<WAN> action=masquerade Then you forward p...
by Sob
Sat Mar 28, 2020 11:45 pm
Forum: Beginner Basics
Topic: 2 issues Firewall rule defconf: drop all not coming from LAN stops L2PT traffic, different subnet masks
Replies: 7
Views: 1694

Re: 2 issues Firewall rule defconf: drop all not coming from LAN stops L2PT traffic, different subnet masks

If you can ping devices in LAN, then routing is ok. I'd check firewall of target devices.
by Sob
Sat Mar 28, 2020 11:42 pm
Forum: General
Topic: MAC alias for WAN Eth1
Replies: 15
Views: 3683

Re: MAC alias for WAN Eth1

Routes #4-7 are default routes from dhcp. You could get rid of them if you disable option to add default route. But you do need some default route in main routing table, so if you do that, you'd have to add it manually (just one with same gateway, but without %WANx suffix and routing-mark option). R...
by Sob
Sat Mar 28, 2020 11:20 pm
Forum: Beginner Basics
Topic: [SOLVED] Port Forwarding issue - some works, some doesn't.
Replies: 23
Views: 3574

Re: [ASK] Port Forwarding issue - some works, some doesn't.

About the test with Torch, the fact that you see traffic to forwarded ports on LAN interface means that port forwarding is working, because packets already passed through router. Only rx & tx can be confusing, because testing needs just single packet, so there's non-zero number for a moment and it i...
by Sob
Sat Mar 28, 2020 10:06 pm
Forum: General
Topic: Can't access 1:1 natted public IP from LAN
Replies: 31
Views: 4428

Re: Can't access 1:1 natted public IP from LAN

Main problem is dstnat rule, you can't have in-interface="ether1 Gateway-2-Metro" (which I assume is WAN interface), because all connections from LAN will be coming from - no surprise - LAN. Using in-interface for dstnat rule is just a quick hack when you don't have static address, otherwise it's no...
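The "normal configuration" from the two replies above (default srcnat to reach the internet, a port forward that matches the public address instead of in-interface, and the extra hairpin rule so LAN clients can use the public address too) as one complete added example. This is not config from the thread; ether1 as the WAN interface with static public address 203.0.113.10, bridge1 as the LAN 192.168.88.0/24 and a web server at 192.168.88.10 are all assumed.

```routeros
# Added example, not from the forum thread. Assumed: ether1 = WAN with static
# public address 203.0.113.10, LAN 192.168.88.0/24 behind bridge1, HTTPS
# server at 192.168.88.10.
/ip firewall nat
# Outbound internet access for the LAN
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="internet access"
# Port forward. Match on dst-address, NOT on in-interface=ether1: a LAN client
# connecting to 203.0.113.10 arrives on bridge1 and would never hit an
# in-interface=ether1 rule, so the hairpin case would silently fail.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="forward https to web server"
# Hairpin NAT. When the client and the server are both in the LAN, the server
# would otherwise reply straight to the client's LAN address, the client sees
# a reply from 192.168.88.10 instead of 203.0.113.10 and drops it. Rewriting
# the source forces the reply back through the router, which un-NATs it.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 action=masquerade \
    comment="hairpin nat for LAN clients using the public address"
```

Two caveats a practitioner should weigh. The hairpin masquerade rule makes every LAN client look like the router's own LAN address to the server, so the server's access logs lose the real client address; if that matters, have internal clients resolve the hostname to 192.168.88.10 directly (split DNS) instead. And the dstnat rule must still be allowed in the forward chain; the default RouterOS firewall does this with its accept rule for connection-nat-state=dstnat, which is also what keeps every other unsolicited WAN packet out.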
by Sob
Fri Mar 27, 2020 7:30 pm
Forum: Beginner Basics
Topic: [SOLVED] Port Forwarding issue - some works, some doesn't.
Replies: 23
Views: 3574

Re: [ASK] Port Forwarding issue - some works, some doesn't.

If port should show as open, target device must be actually listening on it. Are you sure it's the case? Plus udp ports are tricky, because if device listens on it, but doesn't send any response for incoming packets, you can't tell the difference from blocked port (where firewall silently drops pack...
by Sob
Fri Mar 27, 2020 7:20 pm
Forum: General
Topic: Correction request : Authority flag for Import CA Certificate Autority in RouterOS
Replies: 9
Views: 2104

Re: Correction request : Authority flag for Import CA Certificate Autority in RouterOS

I wouldn't worry too much about RouterOS CA without key. It's a corner case. It can only happen when you transfer RouterOS CA from one device to another. And when you need that, you should know what you're doing and transfer it with private key. Then as I already wrote, it would be nice for all CA ce...
by Sob
Fri Mar 27, 2020 6:50 pm
Forum: General
Topic: EoIP over L2TP and NAT
Replies: 3
Views: 1157

Re: EoIP over L2TP and NAT

If it's really over L2TP, then I don't see any reason why it shouldn't work, you don't have NAT there, it's below L2TP and it already crossed it.
by Sob
Fri Mar 27, 2020 6:48 pm
Forum: Beginner Basics
Topic: Routing multiple VPN networks same subnet HOW?
Replies: 4
Views: 1507

Re: Routing multiple VPN networks same subnet HOW?

If I understand it correctly: - Your own HQ network is not 192.168.1.0/24 - Remote routers are not main routers (default gateway) for remote sites, they are just devices in their LAN, connected behind another router Then what exactly you need? - Connect from HQ to remote networks - yes - Connect fro...
by Sob
Fri Mar 27, 2020 6:24 pm
Forum: General
Topic: Site to Site VPN
Replies: 9
Views: 2001

Re: Site to Site VPN

You wrote that "Tunnel is established and working", so I thought that device (not router) in LAN 1 can communicate with device in LAN 2 (other direction too), and only problem is when source device is router. That's common problem, so that's what my advice was about. I didn't examine whole config in...
by Sob
Fri Mar 27, 2020 1:13 am
Forum: General
Topic: Correction request : Authority flag for Import CA Certificate Autority in RouterOS
Replies: 9
Views: 2104

Re: Correction request : Authority flag for Import CA Certificate Autority in RouterOS

I agree that it would be useful to see the difference between (external) CA and regular certificate without opening certificate properties, but current behaviour doesn't really break anything, right?
by Sob
Fri Mar 27, 2020 1:09 am
Forum: General
Topic: [SOLVED] UPnP seems not working with PPPoE
Replies: 10
Views: 5161

Re: [SOLVED] UPnP seems not working with PPPoE

There's no UPnP chaining in RouterOS. So if client is connected to router which doesn't have public address itself (or NAT 1:1 from upstream router, but then client can't ask router for public address and needs to find it elsewhere), UPnP is useless.
by Sob
Fri Mar 27, 2020 1:05 am
Forum: RouterOS v7 BETA
Topic: FEATURE REQUEST: Add Basic Firewall Rule Wizard
Replies: 41
Views: 7030

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

making something more intuitive - good, and RouterOS is doing well (of course it's relative, beginners may not agree) making it simpler - depends, but probably good if it doesn't limit possibilities dumbing down - bad This could be the second case, some of it could be good as part of future more cap...
by Sob
Thu Mar 26, 2020 9:44 pm
Forum: General
Topic: Homeoffice - VPN
Replies: 7
Views: 1545

Re: Homeoffice - VPN

That's the problem with blind guesses, sometimes they succeed and sometimes they don't. But without anything specific, exported config for example, it's difficult to do more.
by Sob
Thu Mar 26, 2020 7:49 pm
Forum: General
Topic: Site to Site VPN
Replies: 9
Views: 2001

Re: Site to Site VPN

It can be also firewall. You allow icmp in chain=input in the config you posted, so ping from other router to this one should work. Do you have the same on the other one?
by Sob
Thu Mar 26, 2020 7:39 pm
Forum: General
Topic: Correction request : Authority flag for Import CA Certificate Autority in RouterOS
Replies: 9
Views: 2104

Re: Correction request : Authority flag for Import CA Certificate Autority in RouterOS

It looks like MikroTik reserves "Authority" for own CAs capable of issuing certificates. I guess it could be better if they had some other flag for it, and "Authority" would be for all CAs, so you would be able to quickly tell them from regular certificates. But it's just a cosmetic thing. Or do you...
by Sob
Thu Mar 26, 2020 7:24 pm
Forum: Beginner Basics
Topic: Routing multiple VPN networks same subnet HOW?
Replies: 4
Views: 1507

Re: Routing multiple VPN networks same subnet HOW?

Definitely think about renumbering, it's the correct long-term solution. But if you really can't, NAT is your friend. You need to choose new "virtual" subnets and use netmap for incoming and outgoing traffic. When connecting to remote subnet, use its virtual range. Example: Site A: 192.168.1.0/24 (real)...
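The netmap workaround described in the reply above, written out as an added example (the post's own example is cut off in this listing, so none of the following is taken from it). Assumed: both sites really use 192.168.1.0/24, the sites are joined by a route-based tunnel whose interface is called gre-to-b on site A and gre-to-a on site B, and the chosen virtual ranges are 10.1.1.0/24 for site A and 10.1.2.0/24 for site B.

```routeros
# Added example, not from the forum thread. Both sites use 192.168.1.0/24.
# Virtual ranges (assumed): site A = 10.1.1.0/24, site B = 10.1.2.0/24.
# Tunnel interfaces (assumed): gre-to-b on site A, gre-to-a on site B.

# ---- Site A router ----
/ip firewall nat
# Traffic leaving towards B: present our real LAN as its virtual range.
# netmap is 1:1, so 192.168.1.x becomes 10.1.1.x (host part is preserved).
add chain=srcnat src-address=192.168.1.0/24 out-interface=gre-to-b \
    action=netmap to-addresses=10.1.1.0/24 comment="A real -> A virtual"
# Traffic arriving from B for our virtual range: map it back to the real LAN.
add chain=dstnat dst-address=10.1.1.0/24 in-interface=gre-to-b \
    action=netmap to-addresses=192.168.1.0/24 comment="A virtual -> A real"
/ip route
# Hosts at A reach site B by talking to B's VIRTUAL range.
add dst-address=10.1.2.0/24 gateway=gre-to-b

# ---- Site B router (mirror image) ----
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=gre-to-a \
    action=netmap to-addresses=10.1.2.0/24 comment="B real -> B virtual"
add chain=dstnat dst-address=10.1.2.0/24 in-interface=gre-to-a \
    action=netmap to-addresses=192.168.1.0/24 comment="B virtual -> B real"
/ip route
add dst-address=10.1.1.0/24 gateway=gre-to-a
```

With this in place a host 192.168.1.20 at site A connects to 10.1.2.50 and ends up at the real 192.168.1.50 at site B; site B's server sees the connection coming from 10.1.1.20. Things to check: the dstnat netmap rule has to sit before any port-forward rules and the srcnat netmap rule before a catch-all masquerade, otherwise the wrong rule wins; anything that hands out real addresses (DNS records, application configs that embed IPs) has to use the virtual range when crossing the tunnel; and if the tunnel is policy-based IPsec rather than a GRE/route-based one, the policy selectors must be the virtual ranges, because srcnat runs before the packet is encrypted.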
by Sob
Thu Mar 26, 2020 7:14 pm
Forum: General
Topic: TLS Host glob format?
Replies: 2
Views: 987

Re: TLS Host glob format?

It's not regexp, and TAB doesn't show anything here. These work: /ip firewall mangle add action=log chain=prerouting dst-port=443 log-prefix=tls-forum protocol=tcp tls-host=forum.mikrotik.com add action=log chain=prerouting dst-port=443 log-prefix=tls-any protocol=tcp tls-host=*.mikrotik.com add act...
by Sob
Thu Mar 26, 2020 10:42 am
Forum: Beginner Basics
Topic: Understanding IPSec packet flow
Replies: 11
Views: 1980

Re: Understanding IPSec packet flow

Second routing decision between steps 7 and 8 wouldn't make sense if the packet still had original addresses. You can always do an experiment, add some logging rules in postrouting and see how many times it will pass through there.
by Sob
Thu Mar 26, 2020 10:31 am
Forum: General
Topic: Site to Site VPN
Replies: 9
Views: 2001

Re: Site to Site VPN

It's the source address, router by default chooses the one from WAN. If you just want to ping remote router, you can manually set source address. Another way is to add route to remote subnet and set router's local address (covered by policy) as preferred source, that will fix also traceroute (route ...
by Sob
Thu Mar 26, 2020 5:02 am
Forum: General
Topic: IPV6 novice question....
Replies: 7
Views: 1365

Re: IPV6 novice question....

I did a quick test and L2TP server in RouterOS doesn't seem to listen on IPv6.
by Sob
Thu Mar 26, 2020 1:32 am
Forum: General
Topic: L2TP VPN issue
Replies: 1
Views: 824

Re: L2TP VPN issue

I've seen random problems with IPSec, either with L2TP or without, clients not being able to connect at times, but working later without any changes on either side. So far most reliable for me were OpenVPN or SSTP. Unfortunately, they are both relatively hard to set up. OpenVPN requires to install c...
by Sob
Thu Mar 26, 2020 1:16 am
Forum: Beginner Basics
Topic: 2 issues Firewall rule defconf: drop all not coming from LAN stops L2PT traffic, different subnet masks
Replies: 7
Views: 1694

Re: 2 issues Firewall rule defconf: drop all not coming from LAN stops L2PT traffic, different subnet masks

Access from VPN should be allowed already. When you torch on <l2tp-Lyzeille>, do you see anything from client to LAN? If not, then it's the client you need to fix. What is it, Windows, something else? Check what routes it has, if it knows where your LAN is.
by Sob
Thu Mar 26, 2020 12:52 am
Forum: Beginner Basics
Topic: Understanding IPSec packet flow
Replies: 11
Views: 1980

Re: Understanding IPSec packet flow

Yes. Look at images in first post, they show all steps. Green is non-encrypted, yellowish is encrypted.
by Sob
Thu Mar 26, 2020 12:47 am
Forum: Beginner Basics
Topic: Winbox connection behind DSL modem of ISP2 [SOLVED]
Replies: 3
Views: 1293

Re: Winbox connection behind DSL modem of ISP2 [SOLVED]

If DSL modem has public address and can forward ports to RB, it's no problem. If not, you're out of luck.
by Sob
Thu Mar 26, 2020 12:44 am
Forum: General
Topic: IPV6 novice question....
Replies: 7
Views: 1365

Re: IPV6 novice question....

IPv4 and IPv6 are two distinct protocols. Similar, but not the same. You can't have IPv6 addresses in IPv4 firewall. And since you ask about something so basic, I should point out that most important first step is to have IPv6 connectivity, which is not automatic, your ISP must provide it and many (...
by Sob
Thu Mar 26, 2020 12:23 am
Forum: Beginner Basics
Topic: Understanding IPSec packet flow
Replies: 11
Views: 1980

Re: Understanding IPSec packet flow

There's this very nice thread with interesting details:

Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Don't take the warning at the beginning lightly. :)
by Sob
Wed Mar 25, 2020 11:50 pm
Forum: Beginner Basics
Topic: 2 issues Firewall rule defconf: drop all not coming from LAN stops L2PT traffic, different subnet masks
Replies: 7
Views: 1694

Re: 2 issues Firewall rule defconf: drop all not coming from LAN stops L2PT traffic, different subnet masks

There's nothing wrong (*) in what you posted, unless your WAN list contains something it shouldn't. For example in another thread, user had problem with detect internet adding L2TP interface to WAN list, but I don't think it's enabled by default and it would block ping too. Check what exactly happen...
by Sob
Wed Mar 25, 2020 11:28 pm
Forum: General
Topic: RoadWarrior L2TP VPN Split Tunnel Routing Issue
Replies: 10
Views: 1873

Re: RoadWarrior L2TP VPN Split Tunnel Routing Issue

No wonder that everyone wants OpenVPN and other non-standard solutions that WORK.
Yep, that's why so many people fell in love with OpenVPN. It had everything and there were no interoperability problems. I mean until MikroTik joined in with their implementation. ;)
by Sob
Wed Mar 25, 2020 11:22 pm
Forum: General
Topic: Homeoffice - VPN
Replies: 7
Views: 1545

Re: Homeoffice - VPN

Likely solution: /ip firewall nat add chain=srcnat out-interface=<your VPN interface> action=masquerade And then to limit access (assuming you have default firewall or other with standard rules to allow established connections): /ip firewall filter add chain=forward src-address=<your PC in LAN> out-...
by Sob
Wed Mar 25, 2020 11:00 pm
Forum: Beginner Basics
Topic: Winbox connection behind DSL modem of ISP2 [SOLVED]
Replies: 3
Views: 1293

Re: Winbox connection behind DSL modem of ISP2 [SOLVED]

VPN is generally good thing, but you don't have to use it, you can keep using WinBox directly, if you like it that way. You just need to make sure that when request comes from ISP2, router sends response there. So mark new incoming connections from internet based on interface and then mark routing f...
by Sob
Wed Mar 25, 2020 10:49 pm
Forum: Beginner Basics
Topic: 2 issues Firewall rule defconf: drop all not coming from LAN stops L2PT traffic, different subnet masks
Replies: 7
Views: 1694

Re: 2 issues Firewall rule defconf: drop all not coming from LAN stops L2PT traffic, different subnet masks

You don't need to care about input, it's traffic to router itself and client doesn't really need anything there. Your problem is forward. It can't be completely broken when ping works. But nobody will be able to tell you much without seeing your config, it would have to be only lucky guess.
by Sob
Wed Mar 25, 2020 10:41 pm
Forum: Beginner Basics
Topic: I can't port forward my hexS MikroTik router. Help [SOLVED]
Replies: 30
Views: 4072

Re: I can't port forward my hexS MikroTik router. Help [SOLVED]

I think you may be mixing two things together. One is whether ISP gives you dedicated public address or not. And second one, if they do, where exactly the address is. Worst case is when there's no public address for you. You still use one (or even more) to access internet (it wouldn't work without i...
by Sob
Wed Mar 25, 2020 10:22 pm
Forum: General
Topic: SSL certificate for mynetname domain
Replies: 10
Views: 2183

Re: SSL certificate for mynetname domain

Create CA, then create certificate for server and sign it with CA. Install certificate on server. Each client then needs CA certificate (without private key) and add it as trusted.
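The four steps in the reply above (create a CA, create and sign a server certificate, install it, hand clients the CA certificate without the private key) as one added RouterOS example. It is not config from the thread; the names MyCA and server, the hostname router.example.net standing in for the router's DDNS name, and the validity periods are assumptions.

```routeros
# Added example, not from the forum thread. Assumed names: MyCA, server,
# router.example.net (use your real router hostname, e.g. the mynetname one).
/certificate
# 1) Private CA. key-cert-sign and crl-sign are what make it usable as an issuer.
add name=MyCA common-name=MyCA key-usage=key-cert-sign,crl-sign days-valid=3650
sign MyCA
# 2) Server certificate. The SAN must match the hostname clients will type;
#    modern clients ignore the CN, so subject-alt-name is not optional.
add name=server common-name=router.example.net \
    subject-alt-name=DNS:router.example.net key-usage=tls-server days-valid=825
sign server ca=MyCA
# 3) Use it for the HTTPS service on the router itself.
/ip service set www-ssl certificate=server disabled=no
# 4) Export ONLY the CA certificate for clients. Without export-passphrase the
#    private key is not written to the file, which is exactly what you want
#    when distributing the trust anchor.
/certificate export-certificate MyCA type=pem file-name=MyCA
```

The export lands in /file as MyCA.crt; copy that single file to each client and add it to its trusted root store. Keep the CA's private key on the router (or better, on a box that is not internet-facing), never ship it with the certificate, and check the result with `/certificate print detail where name=server`: the issuer should read MyCA and the flags should show it as trusted and not expired.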
by Sob
Wed Mar 25, 2020 10:20 pm
Forum: General
Topic: give access to local network from the internet?
Replies: 8
Views: 1264

Re: give access to local network from the internet?

If you have proxy_pass with 127.0.0.1, it means the proxy would connect to same machine it's running on. Use the address of internal server (e.g. proxy_pass http://10.0.0.1, or with included port if it's not 80). I don't use proxy with subdirectory like you, it should work, but I'm not sure about ex...
by Sob
Wed Mar 25, 2020 9:57 pm
Forum: General
Topic: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN [SOLVED]
Replies: 11
Views: 2520

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN [SOLVED]

Dynamic L2TP interface ended up in WAN interface list, added there by detect internet. And default firewall blocks access from WAN.
by Sob
Wed Mar 25, 2020 5:01 am
Forum: General
Topic: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN [SOLVED]
Replies: 11
Views: 2520

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN [SOLVED]

That's because of this: https://wiki.mikrotik.com/wiki/Manual:Detect_internet I've never used it myself yet, so I missed it in your config. Firewall rule is good, you want to keep it. But if you really need detect internet feature (I'm not sure you do), you should tweak its detect-interface-list opt...
by Sob
Wed Mar 25, 2020 1:57 am
Forum: Beginner Basics
Topic: I can't port forward my hexS MikroTik router. Help [SOLVED]
Replies: 30
Views: 4072

Re: I can't port forward my hexS MikroTik router. Help [SOLVED]

I'd ask ISP first, maybe you'll be lucky. My home ISP provides public address at request at no extra cost. When I asked if I'd be too spoiled if I wanted two, the answer was that it's no problem and second address is free too. Sometimes I wonder how far I could push it. ;) The usual experience with ...
by Sob
Wed Mar 25, 2020 1:34 am
Forum: General
Topic: MAC alias for WAN Eth1
Replies: 15
Views: 3683

Re: MAC alias for WAN Eth1

1) You have wrong routes, gateway=WANx won't work with ethernet, use gateway=154.5.66.1%WANx (I assume the address of gateway stays same; if not, you'd have to use lease script to update it). 2) You currently mark connections from internet in chain=input, but it covers only connections to router its...
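The reply-routing recipe from the two replies above (for the WinBox-over-ISP2 question and for the dual-WAN post just above: mark new connections from the internet by the interface they came in on, then route their replies back out the same way) as one added example. It is not config from either thread. Assumed: ether1 and ether2 are the WANs with static gateways 198.51.100.1 and 203.0.113.1, bridge1 is the LAN, and the syntax is RouterOS v6 (in v7 routing-mark on a route becomes routing-table and each table must first be created with /routing table add name=... fib).

```routeros
# Added example, not from the forum threads. Assumed: ether1/ether2 = WAN1/WAN2
# with static gateways 198.51.100.1 / 203.0.113.1, bridge1 = LAN. v6 syntax.
/ip route
# Per-WAN tables used only for replies; the main table keeps the normal default route.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-wan1 \
    comment="replies to connections that arrived on WAN1"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-wan2 \
    comment="replies to connections that arrived on WAN2"
/ip firewall mangle
# Mark in PREROUTING, not input: prerouting sees both connections to the router
# itself (WinBox, SSH) and forwarded ones (dstnat to a LAN server).
# chain=input only sees the former, which is the bug called out above.
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=from-wan1 passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=from-wan2 passthrough=yes
# Replies generated by the router itself go through chain=output.
add chain=output connection-mark=from-wan1 \
    action=mark-routing new-routing-mark=via-wan1 passthrough=yes
add chain=output connection-mark=from-wan2 \
    action=mark-routing new-routing-mark=via-wan2 passthrough=yes
# Replies from forwarded LAN servers re-enter through prerouting on the LAN side.
add chain=prerouting in-interface=bridge1 connection-mark=from-wan1 \
    action=mark-routing new-routing-mark=via-wan1 passthrough=yes
add chain=prerouting in-interface=bridge1 connection-mark=from-wan2 \
    action=mark-routing new-routing-mark=via-wan2 passthrough=yes
```

Verify with a connection from outside on each WAN and `/ip firewall connection print where connection-mark~"from-wan"`: the mark should appear for forwarded connections too, not only for ones addressed to the router. If a WAN gateway is learned from DHCP or PPPoE rather than static, the route's gateway has to be the interface name (PPPoE) or be kept current from a DHCP lease script, as noted above. Exposing WinBox on both WANs is the part of this setup worth revisiting: limit it with in-interface-list and an address-list of allowed sources, or put it behind a VPN, since a second public path is a second place to be brute-forced.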
by Sob
Tue Mar 24, 2020 8:27 pm
Forum: Beginner Basics
Topic: I can't port forward my hexS MikroTik router. Help [SOLVED]
Replies: 30
Views: 4072

Re: I can't port forward my hexS MikroTik router. Help [SOLVED]

And you'll have to hope that they will be willing to do that. Not all are. Or you can ask for own public address, but not all ISPs have enough to be able to give you one. And when they do, they often want extra money for it.
by Sob
Tue Mar 24, 2020 8:08 pm
Forum: General
Topic: Whitelisting whole domain
Replies: 12
Views: 1624

Re: Whitelisting whole domain

Current SOCKS in non-beta RouterOS supports only ancient SOCKS4, which works with IP addresses and not hostnames, so it wouldn't be useful for this.
by Sob
Tue Mar 24, 2020 8:03 pm
Forum: General
Topic: RoadWarrior L2TP VPN Split Tunnel Routing Issue
Replies: 10
Views: 1873

Re: RoadWarrior L2TP VPN Split Tunnel Routing Issue

I don't know about any documentation, but client should be switched from machine certificate to EAP (EAP-MSCHAPv2 for user/pass), and RouterOS server needs RADIUS where it will forward this, because it doesn't directly support it. I never tried it, because RADIUS is external component which I'm not ...
by Sob
Tue Mar 24, 2020 7:37 pm
Forum: General
Topic: RoadWarrior L2TP VPN Split Tunnel Routing Issue
Replies: 10
Views: 1873

Re: RoadWarrior L2TP VPN Split Tunnel Routing Issue

It's not there yet for other protocols, my guess is that IKEv2 got it first, because there was already existing list of subnets/routes in mode config. Other VPNs would need new UI for it. Or maybe not, you could create needed option manually, even if it wouldn't be user friendly. But so far you can'...
by Sob
Tue Mar 24, 2020 6:47 pm
Forum: General
Topic: give access to local network from the internet?
Replies: 8
Views: 1264

Re: give access to local network from the internet?

You can't access internal servers directly, because no 10.x.x.x address is reachable from internet. If you have reverse proxy, you need distinct hostname for each internal server and clients must use these hostnames. They will all point to same 82.156.x.x, but proxy will see what hostname client wan...
by Sob
Tue Mar 24, 2020 6:31 pm
Forum: General
Topic: Vlan in "new bridge" configuration
Replies: 24
Views: 3861

Re: Vlan in "new bridge" configuration

It depends how much you need HW offload. New bridge VLAN filtering works with all devices, difference is only whether it will use HW switch or do everything in software. So if you have VLANs only to separate some networks, but you don't need much throughput, because e.g. all their traffic through ro...
by Sob
Tue Mar 24, 2020 6:07 pm
Forum: General
Topic: RoadWarrior L2TP VPN Split Tunnel Routing Issue
Replies: 10
Views: 1873

Re: RoadWarrior L2TP VPN Split Tunnel Routing Issue

AFAIK it's supported only for IKEv2, where it takes routes from split-include and if client (Windows does that) sends DHCP requests, it will get these routes in I don't know which DHCP option. But I wasn't able to make it work, I see DHCP request being sent, but router sends nothing back. It's on my T...
by Sob
Tue Mar 24, 2020 5:57 pm
Forum: Beginner Basics
Topic: Understanding IPSec packet flow
Replies: 11
Views: 1980

Re: Understanding IPSec packet flow

It depends on what the remote side is sending. If you have transport mode IPSec (e.g. for L2TP/IPSec), decrypted packet (L2TP) will have same addresses as encrypted (unless it's changed by NAT). If you have tunnel mode IPSec (e.g. LAN to LAN tunnel), decrypted packet will have the source address of ...
by Sob
Tue Mar 24, 2020 5:51 pm
Forum: General
Topic: Whitelisting whole domain
Replies: 12
Views: 1624

Re: Whitelisting whole domain

I don't have any ready to use solution, but proxy is actually very good idea for things like this. It can't be transparent proxy, but the kind you configure on client device. If you force device to not handle DNS itself, but send all hostnames to proxy, it's technically very easy to allow just the o...
by Sob
Tue Mar 24, 2020 5:38 pm
Forum: General
Topic: dualwan hairpin nat consultation
Replies: 16
Views: 3065

Re: dualwan hairpin nat consultation

RouterOS generally doesn't need restarts, almost everything works immediately when you change it.
by Sob
Tue Mar 24, 2020 5:05 am
Forum: General
Topic: Customized DNS caching
Replies: 2
Views: 884

Re: Customized DNS caching

You want conditional forwarding (e.g. viewtopic.php?p=778648#p778648), welcome to the club. If RouterOS could do this, then even without any extra support for DHCP, you could use lease script to make it work with dynamic servers.
by Sob
Tue Mar 24, 2020 4:54 am
Forum: General
Topic: DMZ ping and hide from traceroute?
Replies: 4
Views: 1321

Re: DMZ ping and hide from traceroute?

In fact, dropping packets is not necessary, just change TTL. For example, this will cause client 192.168.80.10 to not see router in traceroute:
/ip firewall mangle
add action=change-ttl chain=prerouting new-ttl=increment:1 passthrough=yes src-address=192.168.80.10
by Sob
Tue Mar 24, 2020 4:12 am
Forum: Beginner Basics
Topic: How can I assign an external IP address to one of the local ones? [SOLVED]
Replies: 21
Views: 4569

Re: How can I assign an external IP address to one of the local ones? [SOLVED]

I expected to find something very wrong, but I don't see it. Outgoing connections work correctly, right? If you try to go to internet from e.g. 10.0.20.20, it uses correct outgoing interface and address? I remember one interesting thing in your video, you removed dst-address from dstnat rule and it s...
by Sob
Tue Mar 24, 2020 3:48 am
Forum: Scripting
Topic: PHP API Login Method Example [Help Please] [SOLVED]
Replies: 11
Views: 2536

Re: PHP API Login Method Example [Help Please] [SOLVED]

Here it is. It has slightly different formatting, but it's the same code.
by Sob
Tue Mar 24, 2020 3:35 am
Forum: General
Topic: Whitelisting whole domain
Replies: 12
Views: 1624

Re: Whitelisting whole domain

... and you'll get address(es) of "mydomain.com" without subdomains.

Unfortunately for OP, this is not possible. Address list resolves hostnames. There's no way it could resolve all combinations covered by *.
by Sob
Tue Mar 24, 2020 3:29 am
Forum: General
Topic: Vlan in "new bridge" configuration
Replies: 24
Views: 3861

Re: Vlan in "new bridge" configuration

I did a test with RB450 and this simple config (basically a subset of yours): /interface bridge add ingress-filtering=yes name=bridge1 vlan-filtering=yes /interface vlan add interface=bridge1 name=vlan45 vlan-id=45 /interface bridge port add bridge=bridge1 interface=ether2 add bridge=bridge1 interfa...
by Sob
Tue Mar 24, 2020 2:59 am
Forum: Beginner Basics
Topic: Which Ports needed for L2TP/IPsec-Server, Portforwarding on Fritzbox
Replies: 3
Views: 1107

Re: Which Ports needed for L2TP/IPsec-Server, Portforwarding on Fritzbox

Port 1701 does not need to be forwarded, it's for L2TP packets and those will come encrypted in packets to port 4500.
by Sob
Sun Mar 22, 2020 10:37 pm
Forum: Beginner Basics
Topic: How can I assign an external IP address to one of the local ones? [SOLVED]
Replies: 21
Views: 4569

Re: How can I assign an external IP address to one of the local ones? [SOLVED]

I'll be honest, I didn't watch the video closely, it's rather long and quite boring. ;) But I skimmed through it, tried to check the ports from my side, and it doesn't work at all, there's no response from any of them. But now I realize that you never posted whole config, so that would be great next...
by Sob
Sun Mar 22, 2020 2:39 am
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Try to provide more details, what exactly did and didn't work?

- Original config without recursive routes
- Recursive routes for clients
- Recursive routes for router
by Sob
Sun Mar 22, 2020 2:31 am
Forum: Beginner Basics
Topic: Force local networks to talk over the uplink [SOLVED]
Replies: 2
Views: 1282

Re: Force local networks to talk over the uplink

Not a complete config, but it should get you started:
/ip route
add gateway=10.20.30.1 routing-mark=to-gre
/ip route rule
add action=lookup dst-address=172.30.179.0/24 src-address=172.30.178.0/24 table=to-gre
add action=lookup dst-address=172.30.178.0/24 src-address=172.30.179.0/24 table=to-gre
by Sob
Sun Mar 22, 2020 2:21 am
Forum: General
Topic: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN [SOLVED]
Replies: 11
Views: 2520

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN [SOLVED]

First thing I see are failing attempts to send DNS queries to router. You have this rule: /ip firewall filter add action=accept chain=input comment="Allow ALL incoming traffic from 192.168.89.0/24 to this RouterOS" ipsec-policy=in,ipsec src-address=192.168.89.0/24 but it has the same problem as the ...
by Sob
Sun Mar 22, 2020 1:45 am
Forum: Scripting
Topic: PHP API Login Method Example [Help Please] [SOLVED]
Replies: 11
Views: 2536

Re: PHP API Login Method Example [Help Please] [SOLVED]

Are you sure you have correct password, you are connecting to right router, etc? Because your code with mrz's update works.
by Sob
Sun Mar 22, 2020 12:11 am
Forum: Beginner Basics
Topic: MikroTik Mtcna Home Learning
Replies: 13
Views: 2583

Re: MikroTik Mtcna Home Learning

Don't forget the big one, even uncertified specialist should be able to configure routers. ;)
by Sob
Sun Mar 22, 2020 12:09 am
Forum: Beginner Basics
Topic: How can I assign an external IP address to one of the local ones? [SOLVED]
Replies: 21
Views: 4569

Re: How can I assign an external IP address to one of the local ones? [SOLVED]

You have several dstnat rules forwarding ports to same server. So if all those ports work, there's no reason why just one wouldn't. The only difference is that 53 is udp and others are tcp (I don't know about 27016). So make sure that you don't block udp in firewall filter. You can go step by step a...
by Sob
Sat Mar 21, 2020 11:51 pm
Forum: Beginner Basics
Topic: firewall setup for SVN
Replies: 3
Views: 1566

Re: firewall setup for SVN

Your rules are not wrong, but the result depends also on other rules you have. Right now your problem is that DNS doesn't seem to be working. Depending on what you configured, you either need to allow access to external server (udp port 53) or to router.
by Sob
Sat Mar 21, 2020 11:45 pm
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

I don't use this config often, but it seems ok. First route is probably from dhcp client, and it's what RB itself will use, if it needs to access internet. You can disable it and add same two routes like you have for wan1 and wan2, but without routing mark, and it will give you the same failover.
by Sob
Sat Mar 21, 2020 11:30 pm
Forum: Beginner Basics
Topic: surfshark vpn
Replies: 3
Views: 2506

Re: surfshark vpn

It's not important, it's a tool, encrypted tunnel, you can use it for anything you want. Problem with this kind of VPNs is that their target group is mostly non-technical users. So they either create some magic one-click application, or show few guides for most common operating system, but often don...
by Sob
Sat Mar 21, 2020 10:41 pm
Forum: General
Topic: Vlan in "new bridge" configuration
Replies: 24
Views: 3861

Re: Vlan in "new bridge" configuration

Based on description, there's something wrong. But I don't know what. Sharing config could help. Bridge vlan filtering is (I guess) long-term plan for switch configuration. But on most devices it's not there yet. It works for basic switching when you bridge all ports together, but add anything "adva...
by Sob
Sat Mar 21, 2020 6:40 pm
Forum: Beginner Basics
Topic: MikroTik Mtcna Home Learning
Replies: 13
Views: 2583

Re: MikroTik Mtcna Home Learning

You will be only MTUNA. It doesn't look any worse than MTCNA, as long as you don't tell anyone that it's made up. ;)
by Sob
Sat Mar 21, 2020 6:31 pm
Forum: Scripting
Topic: Script code syntax check [Check Selected]
Replies: 5
Views: 2176

Re: Script code syntax check [Check Selected]

Kingdom for standard "syntax error at line X, column Y"! :)
by Sob
Sat Mar 21, 2020 1:30 am
Forum: General
Topic: Winbox password recovery?
Replies: 6
Views: 1433

Re: Winbox password recovery?

I'm not sure if I understand what's your goal. But if you want to create new account and delete old one, then yes, that's what you'd do.
by Sob
Sat Mar 21, 2020 1:28 am
Forum: General
Topic: Vlan in "new bridge" configuration
Replies: 24
Views: 3861

Re: Vlan in "new bridge" configuration

What exactly are you trying? Share more details. For example this: With this setup I expected that if I put a pc on eth10 with the ip 172.27.46.2, it would be able to communicate with 172.27.46.1 (routers ip on vlan46). ? It should work. Ping 172.27.46.2 from router or 172.27.46.1 from PC, use Tools...
by Sob
Sat Mar 21, 2020 1:13 am
Forum: General
Topic: SSL certificate for mynetname domain
Replies: 10
Views: 2183

Re: SSL certificate for mynetname domain

Own certificates are ok, but for own use (personal or some closed group). They are useless for services that have random visitors, because they would have to trust your CA to be able to verify them, and nobody in their right mind should do that. My favourite tool for own certificates is XCA. It's a...
by Sob
Sat Mar 21, 2020 1:00 am
Forum: General
Topic: Winbox password recovery?
Replies: 6
Views: 1433

Re: Winbox password recovery?

And what's the problem? Simply update WinBox and current stored accounts will still be there.

Or if you want to transfer settings to another computer, you're looking for:

%APPDATA%\MikroTik\Winbox\

which is usually:

C:\Users\<username>\AppData\Roaming\MikroTik\Winbox\
by Sob
Fri Mar 20, 2020 11:38 pm
Forum: General
Topic: Vlan in "new bridge" configuration
Replies: 24
Views: 3861

Re: Vlan in "new bridge" configuration

Untagged ports use what they have as pvid. Each vlan is separate interface with different IP subnet, so access to anywhere else would be through routing. I'm not sure what was happening before. But check your firewall, make sure you have correct routes, etc.
by Sob
Fri Mar 20, 2020 11:07 pm
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

That's common problem. Because even with lines connected directly to router, availability of gateway doesn't guarantee anything, because it can be dead right after that. That's why people came up with more advanced solutions, like the one in linked thread.
by Sob
Fri Mar 20, 2020 10:50 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 115788

Re: v6.47beta [testing] is released!

It's enough to have "DigiCert Global Root CA", server sends both own and intermediate certificate. And IPv6 doesn't seem to be there at all. Numeric address doesn't work. And it didn't help either, when I tried to fool it with:
/ip dns static
add address=2606:4700:4700::1111 name=one.one.one.one
/ip...
by Sob
Fri Mar 20, 2020 10:19 pm
Forum: General
Topic: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN [SOLVED]
Replies: 11
Views: 2520

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN [SOLVED]

I don't see it. If it's L2TP, then this is wrong:
/ip firewall filter
add action=accept chain=forward comment="Allow ALL forward traffic from 192.168.89.0/24 to any network" dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=192.168.89.0/24
because traffic from client will be coming in via dyna...
by Sob
Fri Mar 20, 2020 9:38 pm
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

I'm not sure I understand the last part. Both 192.168.1.1 and 192.168.8.1 should be pingable from RB. If not, on Ubi router it would be caused by your config. And for LTE it's unlikely that manufacturer would block ping from LAN. For failover, there are different methods. You can add route via LTE a...
by Sob
Fri Mar 20, 2020 6:56 pm
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

So on RB, scrap VLAN interface and move 192.168.8.X/24 to bridge. You should be able to reach 192.168.8.1 directly (do a traceroute to it from RB and it should be first hop). The rest of config remains, only srcnat needs to be different. I don't have much time now, but as a quick way you can use: /i...
by Sob
Fri Mar 20, 2020 6:28 pm
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Port with LTE should be untagged and you want same network segment tagged on the port with RB. But do you mean that both LTE and RB are on LAN0, i.e. there are two L3 subnets in same L2 segment? In that case, forget VLANs and simply add 192.168.2.x/24 on bridge. The only thing you'll need to tweak i...
by Sob
Fri Mar 20, 2020 6:19 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 115788

Re: v6.47beta [testing] is released!

parent proxy? For socks5
I think you should open dedicated thread about possible SOCKS improvements. I can think about some myself, but this thread is not the right place for it.
by Sob
Fri Mar 20, 2020 5:59 pm
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

I'm still lost, I'm afraid. Where exactly is LTE modem connected to? Does it have some LAN1 on router? Assuming that it does and that LAN0 is your main LAN with 192.168.1.0/24, what happens if you add VLAN with id 8 in "VLAN Network" on top of LAN0 and then create new BRIDGE2 containing LAN0.8 and ...
by Sob
Fri Mar 20, 2020 5:33 pm
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

I don't know Ubiquiti's VLAN config, but it sounds almost unbelievable. Why would it even be there, if it couldn't do such simple thing? So what exactly does e.g. LAN0.10 in the screenshot do? I'd expect it to be tagged VLAN 10 on top of LAN0 interface.
by Sob
Fri Mar 20, 2020 5:27 pm
Forum: General
Topic: Problems OpenVPN [SOLVED]
Replies: 4
Views: 1385

Re: Problems OpenVPN [SOLVED]

Make sure that port 1197 is really open. You can use some online port checker. If it's not, check your firewall rules. Order of rules matters, you need the accept rule before others that would block the port.
by Sob
Fri Mar 20, 2020 5:21 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 115788

Re: v6.47beta [testing] is released!

You can save certificates from web browser. Open https url, view used certificates, select the root one, export it, copy file to router, import it, ... and tadaaa, success! And it's safe, because browser already verified it, you're not downloading it from any possibly untrusted third party (I swear ...
by Sob
Fri Mar 20, 2020 5:06 pm
Forum: Beginner Basics
Topic: Could DNAT To address use host name?
Replies: 1
Views: 1108

Re: Could DNAT To address use host name?

Currently not. And I'm not sure how much it's needed, static addresses are usually enough. But if you do need it, you can use scheduled script to update it. Simple example:
:local host
:set host "host.example.net"
:do {
:local newip
:set newip [:resolve $host]
foreach i in=[/ip firewall nat find com...
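The same idea carried through to a complete script, as an added example (it is not the post's script and not anything shipped with RouterOS). Assumptions: the dstnat rules to be updated carry comment="dyn-target", host.example.net is a placeholder name, and the script is stored as /system script name=dyn-target.

```routeros
# Added example, not the original post's script. Assumptions: the rules to
# update are tagged comment="dyn-target"; host.example.net is a placeholder.
:local host "host.example.net"
:local newip ""

# :resolve throws on failure; catch it so a DNS outage never blanks the rules
:do {
    :set newip [:resolve $host]
} on-error={
    :log warning "dyn-target: cannot resolve $host, rules left unchanged"
}

:if ([:len [:tostr $newip]] > 0) do={
    :foreach i in=[/ip firewall nat find comment="dyn-target" action=dst-nat] do={
        :local cur [/ip firewall nat get $i to-addresses]
        # only rewrite the rule when the address really changed, so existing
        # tracked connections are not touched on every run
        :if ([:tostr $cur] != [:tostr $newip]) do={
            /ip firewall nat set $i to-addresses=$newip
            :log info "dyn-target: $host moved $cur -> $newip"
        }
    }
}
```

Run it from /system scheduler (e.g. name=dyn-target interval=5m on-event=dyn-target). One caveat worth keeping in mind: a forwarding rule that follows a DNS name is only as trustworthy as that name and the resolver the router uses, because whoever can change the answer decides where the forwarded port ends up. Use it only for names you control.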
by Sob
Fri Mar 20, 2020 4:54 pm
Forum: General
Topic: Problems OpenVPN [SOLVED]
Replies: 4
Views: 1385

Re: Problems OpenVPN [SOLVED]

It doesn't look like it's able to connect at all. Do you see any activity on server? Incoming packets to port 1197?
by Sob
Fri Mar 20, 2020 4:47 pm
Forum: General
Topic: Basic question about L2TP + IPsec VPN
Replies: 13
Views: 2793

Re: Basic question about L2TP + IPsec VPN

Srcnat rule is fix for this (when you have different subnets for LAN and VPN, uncheck remote gateway, but don't add manual route):
If I uncheck the "Use the remote gateway" options in the client side I cannot reach the LAN through the VPN
by Sob
Fri Mar 20, 2020 4:32 pm
Forum: Beginner Basics
Topic: Reaching Host with Public IP in/from inside a segmented network
Replies: 2
Views: 1220

Re: Reaching Host with Public IP in/from inside a segmented network

Any connection from in-interface-list=LAN (except those to 192.168.1-4.0/24) will get connection mark WANx-connection and then routing mark to-WANx. Problem is, routing table to-WANx has only single default route to internet and no route to local subnets. So packet to 192.168.80.100 will end up goin...
by Sob
Fri Mar 20, 2020 3:51 pm
Forum: General
Topic: Vlan in "new bridge" configuration
Replies: 24
Views: 3861

Re: Vlan in "new bridge" configuration

You're almost there:

1) If you have vlan interfaces on bridge, bridge itself must be listed as tagged member for given vlan id:
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2-master,ether3 untagged=ether4 vlan-ids=40
...
2) Bridge needs vlan-filtering=yes.
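Both points above put together into one working config, as an added example (not the thread's config). Interface names follow the post; the VLAN 40 subnet and the frame-types/ingress-filtering hardening on the access port are assumptions.

```routeros
# Added example, not the post's config: bridge VLAN filtering for VLAN 40.
# The bridge itself is a tagged member, otherwise the vlan40 interface on it
# would never see any frames.
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether2-master
add bridge=bridge interface=ether3
# access port: untagged frames land in VLAN 40, tagged frames are refused
add bridge=bridge interface=ether4 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2-master,ether3 untagged=ether4 vlan-ids=40
/interface vlan
add name=vlan40 interface=bridge vlan-id=40
/ip address
add address=192.168.40.1/24 interface=vlan40
# enable filtering last, from Safe Mode, so a mistake does not lock you out
/interface bridge set bridge vlan-filtering=yes
```

After enabling, /interface bridge vlan print shows the static entry plus the dynamic pvid entries, and /interface bridge host print shows on which VLAN each MAC was learned, which is the quickest way to confirm the access port really is in VLAN 40.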
by Sob
Fri Mar 20, 2020 3:44 pm
Forum: General
Topic: SSL certificate for mynetname domain
Replies: 10
Views: 2183

Re: SSL certificate for mynetname domain

If you create certificate yourself, nobody will trust it. Except you, if you import your own CA as trusted, and possibly people who will do the same. It's usable only for strictly private use, but even that is not convenient, because CA needs to be added as trusted to every single device that will u...
by Sob
Fri Mar 20, 2020 3:22 pm
Forum: General
Topic: dualwan hairpin nat consultation
Replies: 16
Views: 3065

Re: dualwan hairpin nat consultation

The last rule was my mistake, address is changed back only after postrouting, so it couldn't work. Sorry. But judging by the amount of packets, there's probably traffic also from other clients, so it's not very useful. And using action=accept is not exactly correct, because it stops processing in gi...
by Sob
Fri Mar 20, 2020 5:57 am
Forum: General
Topic: dualwan hairpin nat consultation
Replies: 16
Views: 3065

Re: dualwan hairpin nat consultation

So you want e.g. client 10.0.0.20 to connect to server 1.1.1.1:8180, which would redirect it to 10.0.1.252:8080, correct? It should work:
- Client 10.0.0.20 tries to connect to 1.1.1.1:8180.
- Mangle rule gives it routing mark "slave_adsl".
- Dstnat changes destination to 10.0.1.252:8080.
- Normally...
by Sob
Fri Mar 20, 2020 3:57 am
Forum: General
Topic: Basic question about L2TP + IPsec VPN
Replies: 13
Views: 2793

Re: Basic question about L2TP + IPsec VPN

That's default config for Windows clients, they use VPN as gateway for everything. I never understood this. As user, I need to access some remote private network, but why would I also want to do all my internet browsing through there? Same as server admin, I need users to access local network, but t...
by Sob
Fri Mar 20, 2020 2:54 am
Forum: General
Topic: IPSec IKE2 tunnel behind ISP router- can't ping, can't reach internet from VPN
Replies: 5
Views: 1599

Re: IPSec IKE2 tunnel behind ISP router- can't ping, can't reach internet from VPN

^^^ this. Watch packets step by step, add some logging rules at top of prerouting, forward and postrouting. Packet must pass through all of them in this order. You can see if it happens, if srcnat works correctly, etc. But config looks ok, it should work.
by Sob
Fri Mar 20, 2020 2:48 am
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Let's start with RouterOS, this is basic bridge config, pretty much what you have now:
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
...
/ip address
add address=192.168.1.170/24 interface=bridge
/ip route
add dst-addres...
by Sob
Thu Mar 19, 2020 4:40 am
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Sorry, I missed this one. There are two important pieces:
1) You need two distinct gateways. You have one on main router and then you need other one from LTE router. You can either connect it to RB using vlan, or you could simply bridge everything together (you'd have one L2 segment with two L3 subn...
by Sob
Thu Mar 19, 2020 4:28 am
Forum: General
Topic: IPSec IKE2 tunnel behind ISP router- can't ping, can't reach internet from VPN
Replies: 5
Views: 1599

Re: IPSec IKE2 tunnel behind ISP router- can't ping, can't reach internet from VPN

If you can reach service on server, but you can't ping the same server, it can be caused by server's firewall. For example, Windows by default doesn't accept pings from non-local subnets.

Access from tunnel to internet should work. In filter it's allowed by rule #7 and also #8. Srcnat looks ok too.
by Sob
Thu Mar 19, 2020 4:17 am
Forum: General
Topic: dualwan hairpin nat consultation
Replies: 16
Views: 3065

Re: dualwan hairpin nat consultation

Removing sensitive stuff is ok, but it must not break ability to understand the config. If you ask about port 8888, I need to see dstnat rule for port 8888. Currently it's not there. If it contains a public address you want to hide, it's no problem, just replace it with your fake 2.2.2.2. I can look...
by Sob
Thu Mar 19, 2020 3:54 am
Forum: General
Topic: Router auto backing up
Replies: 2
Views: 1072

Re: Router auto backing up

Are you sure there's nothing in System->Scheduler?
by Sob
Thu Mar 19, 2020 3:53 am
Forum: General
Topic: Port Forwarding issue
Replies: 4
Views: 1214

Re: Port Forwarding issue

If you enter address with port 8080 and it changes to 80 in browser's address bar, then you need to fix your webserver, because redirection comes from there. Dstnat is transparent, it can't do that.

@anav: in (2) you meant out-interface=WAN
by Sob
Thu Mar 19, 2020 3:48 am
Forum: RouterOS v7 BETA
Topic: Feature Request: Fail2Ban
Replies: 3
Views: 2700

Re: Feature Request: Fail2Ban

@alfredo: It's not good. The one for ftp is kind of ok, because it really looks for failed login attempts (but firewall is not the right place for it). For ssh (and pretty much everything else you could use it for) it's bad, because it only counts connections, it doesn't know if login succeeded or f...
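The distinction the reply makes, counting connections versus reacting to real failed logins, shown as an added example (not the poster's or MikroTik's code): a script that reads "login failure for user ... from ... via ..." messages from the router log and bans the source after a threshold. Assumptions: address list names login-fail and mgmt-allow, 5 failures present in the memory log, 1 hour ban, and that the log message keeps the shape shown in the comment.

```routeros
# Added example, not from the post: log-driven lockout. It only counts actual
# failed logins, which a connection-counting firewall rule cannot distinguish.
# Assumptions: lists "login-fail" (banned) and "mgmt-allow" (never banned).
:local threshold 5
:local counts [:toarray ""]

:foreach e in=[/log find where message~"^login failure for user"] do={
    :local msg [/log get $e message]
    # message shape: login failure for user admin from 198.51.100.7 via ssh
    :local start ([:find $msg " from "] + 6)
    :local end [:find $msg " via " $start]
    :local addr [:pick $msg $start $end]
    :if ([:typeof ($counts->$addr)] = "nothing") do={
        :set ($counts->$addr) 1
    } else={
        :set ($counts->$addr) (($counts->$addr) + 1)
    }
}

:foreach addr,n in=$counts do={
    :if ($n >= $threshold) do={
        # never lock out management hosts, and do not add the same entry twice
        :if ([:len [/ip firewall address-list find list=mgmt-allow address=$addr]] = 0 && [:len [/ip firewall address-list find list=login-fail address=$addr]] = 0) do={
            # IPv6 sources would need /ipv6 firewall address-list instead
            /ip firewall address-list add list=login-fail address=$addr timeout=1h comment="$n failed logins"
            :log warning "login-fail: banned $addr after $n failures"
        }
    }
}
```

Pair it with a drop rule placed before the accept rules in chain=input (src-address-list=login-fail action=drop), put your own admin addresses into mgmt-allow before the first run, and schedule the script every minute. Two limits: the memory log holds a bounded number of lines, so old failures roll off and the count restarts, and the same lines are re-read on every run, which is why the duplicate check on the address list is required rather than optional.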
by Sob
Thu Mar 19, 2020 3:41 am
Forum: General
Topic: DMZ ping and hide from traceroute?
Replies: 4
Views: 1321

Re: DMZ ping and hide from traceroute?

Sure it is. First is simple dstnat, same thing like when you forward ports, only you skip protocol and it will take all. And for second, use mangle to increase ttl by one, and block ttl exceeded packets from RB to client using filter in output.
by Sob
Thu Mar 19, 2020 3:27 am
Forum: General
Topic: Roadwarrior client router
Replies: 20
Views: 3775

Re: Roadwarrior client router

You don't need to care about that uncontrolled router, all you need from it is access to internet and your VPN server. Just add VPN client interface, tell it to add default route and you're almost done. Use firewall filter (chain=forward) to block access from LAN interface to WAN, to make sure that ...
by Sob
Thu Mar 19, 2020 3:19 am
Forum: Beginner Basics
Topic: HELP OPEN PORT 30000-33000
Replies: 4
Views: 1654

Re: HELP OPEN PORT 30000-33000

It's better to post exported config, images don't show everything. But in this case, dst-address=192.168.88.1 for first two rules is wrong (unless you're really looking for packets having 192.168.88.1 as original destination). About port status, if they should be open, no firewall anywhere must bloc...
by Sob
Thu Mar 19, 2020 3:04 am
Forum: Beginner Basics
Topic: VLAN setup help
Replies: 30
Views: 5674

Re: VLAN setup help

Same kind of config is also for switch, when it runs RouterOS (right, now I see it). And this CRS should even support automatic HW offloading. If you have basic config working, i.e. you have vlan interface on router, with dhcp server and clients connected to AP are getting addresses, the rest is jus...
by Sob
Mon Mar 16, 2020 1:41 am
Forum: Beginner Basics
Topic: How do I make VLANs see each other? [SOLVED]
Replies: 21
Views: 3566

Re: How do I make VLANs see each other? [SOLVED]

It won't help. As I wrote, no rules = everything allowed. Try some simple debugging, you can watch traffic on interface with Tools->Torch. If you're going from 10.0.10.100, it will be on bridge-main. If you look there, you should see packets from 10.0.10.100 to 10.0.20.x. Destination is on vlan-srv1...
by Sob
Mon Mar 16, 2020 1:08 am
Forum: Beginner Basics
Topic: How do I make VLANs see each other? [SOLVED]
Replies: 21
Views: 3566

Re: How do I make VLANs see each other? [SOLVED]

Both 10.0.20.11 and 10.0.20.199 are in same subnet, router does not do anything with their communication. Depending on how you have things connected, it may not even be passing through router, it could be just through some connected switch. Even different subnets, those need to pass through router, ...
by Sob
Mon Mar 16, 2020 12:59 am
Forum: General
Topic: Load Balance , Fail Over
Replies: 1
Views: 779

Re: Load Balance , Fail Over

And what's the problem? You just need two distinct gateways. CCR2 on the left has them. And CCR1 on right has one from modem and the other one can be the address from /29 on CCR2.
by Sob
Mon Mar 16, 2020 12:50 am
Forum: Beginner Basics
Topic: How do I make VLANs see each other? [SOLVED]
Replies: 21
Views: 3566

Re: How do I make VLANs see each other? [SOLVED]

It was quick and simple, "thank you" in words is enough. :)
by Sob
Mon Mar 16, 2020 12:33 am
Forum: Beginner Basics
Topic: How do I make VLANs see each other? [SOLVED]
Replies: 21
Views: 3566

Re: How do I make VLANs see each other? [SOLVED]

Make a small change, drag current rules #4 and #9 to top, so that their new positions are #0 and #1.

And one more thing, these new ones should have dst-address, not src-address.
by Sob
Mon Mar 16, 2020 12:11 am
Forum: Beginner Basics
Topic: How do I make VLANs see each other? [SOLVED]
Replies: 21
Views: 3566

Re: How do I make VLANs see each other? [SOLVED]

Can you show "/ip route rule" block with exact added rules according to my previous post, that didn't fix the problem? Because I think it should fix it, just make sure the new ones are before others.
by Sob
Sun Mar 15, 2020 11:24 pm
Forum: Beginner Basics
Topic: How do I make VLANs see each other? [SOLVED]
Replies: 21
Views: 3566

Re: How do I make VLANs see each other? [SOLVED]

Then we need more info. Config is good start, then some description of exact steps that don't do what you expect, etc.
by Sob
Sun Mar 15, 2020 8:08 pm
Forum: General
Topic: Unable to Load Private Key
Replies: 4
Views: 1014

Re: Unable to Load Private Key

And what exactly are you trying to do? I don't remember openssl commands, but it looks like you're trying to convert key from crt file to the other one, which doesn't make sense.
by Sob
Sun Mar 15, 2020 7:30 pm
Forum: General
Topic: Unable to Load Private Key
Replies: 4
Views: 1014

Re: Unable to Load Private Key

And is there key block in source file, i.e. cert_export_client1.crt?
by Sob
Sun Mar 15, 2020 7:29 pm
Forum: Beginner Basics
Topic: HELP OPEN PORT 30000-33000
Replies: 4
Views: 1654

Re: HELP OPEN PORT 30000-33000

If you need range of ports, just enter it as such, i.e. dst-port=30000-31000. And if the port should show as open, not only it must pass through router, but target device must actually listen on it. Which will happen for correctly configured webserver, but not necessarily for range of ports that may...
by Sob
Sun Mar 15, 2020 7:23 pm
Forum: General
Topic: dualwan hairpin nat consultation
Replies: 16
Views: 3065

Re: dualwan hairpin nat consultation

Try again and be more accurate. There's no dstnat for port 8888 like you had in original post. Only dstnat going to 10.0.0.2 is port 1514, which can't work from LAN because it has in-interface=WAN-ether2. But that wouldn't work from vlans, and not from main 10.0.0.0/23 either. And I'm not sure...
by Sob
Sun Mar 15, 2020 6:56 pm
Forum: Beginner Basics
Topic: How do I make VLANs see each other? [SOLVED]
Replies: 21
Views: 3566

Re: How do I make VLANs see each other? [SOLVED]

You need other rules before those you have now:
/ip route rule
add dst-address=10.0.10.0/24 action=lookup-only-in-table table=main
...
You can probably add whole 10.0.0.0/8 and 192.168.0.0/16. Btw, it would have made more sense to continue in previous thread, because there's no chance that anyone co...
by Sob
Sat Mar 14, 2020 2:19 pm
Forum: General
Topic: Routing 4 lans and 4 wans [SOLVED]
Replies: 21
Views: 4458

Re: Routing 4 lans and 4 wans [SOLVED]

You could say that, it will make traffic from given LAN use different routing table containing only default route, i.e. it won't be able to find other local subnets. But if you want access between LANs blocked, you probably should add firewall-level blocking anyway, for keeping good habits.
by Sob
Sat Mar 14, 2020 2:12 pm
Forum: Beginner Basics
Topic: Best firewall setup ever [SOLVED]
Replies: 7
Views: 2559

Re: Best firewall setup ever [SOLVED]

No, it's not good starting point, current default firewall is better for that, it's simpler, easier to understand, ...
- Forward chain here is wide open for everything, which is not ideal, even though in practice for regular user with at most one public address and NAT, it shouldn't be major problem...
by Sob
Fri Mar 13, 2020 11:44 pm
Forum: Beginner Basics
Topic: How can I assign an external IP address to one of the local ones? [SOLVED]
Replies: 21
Views: 4569

Re: How can I assign an external IP address to one of the local ones? [SOLVED]

You have wrong gateways. See my previous post, the routes there with 1.1.1.X, it should be 1.1.1.1 for all three (1.1.1.1%ether1-wan, 1.1.1.1%ether2-wan, 1.1.1.1%ether3-wan). And better than screenshots is to do: /export hide-sensitive file=myconfig and then post content of resulting myconfig.rsc in...
by Sob
Fri Mar 13, 2020 6:00 pm
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

It depends, there are many tricks, but so far I don't see any obvious solution, not even speaking about clean one. There would either have to be some cooperation from main router, it would have to be able to tell which WAN you want to use when sending packets from RB, but that's problematic. Or you ...
by Sob
Fri Mar 13, 2020 5:45 pm
Forum: General
Topic: Routing 4 lans and 4 wans [SOLVED]
Replies: 21
Views: 4458

Re: Routing 4 lans and 4 wans [SOLVED]

Not for static config like this. It would be a problem if you e.g. wanted incoming connections (forwarded ports) from WAN, which device in target LAN doesn't use for outgoing connections. It would need other config to deal with it. It also, as is, effectively blocks access from one LAN to another.
by Sob
Fri Mar 13, 2020 4:41 pm
Forum: General
Topic: Use of public IP space on local hosts. 1:1 NAT?
Replies: 13
Views: 3100

Re: Use of public IP space on local hosts. 1:1 NAT?

I don't have clear answer. PPPoE is used for internet access, it works, other addresses can be routed over it, ... so from this perspective I see no problem. But I'm not ISP, maybe they could have some problem I'm not seeing. For example, I don't know how's compatibility with common client routers, ...
by Sob
Fri Mar 13, 2020 3:58 pm
Forum: Beginner Basics
Topic: [SOLVED] Hairpin NAT issues
Replies: 5
Views: 1714

Re: Hairpin NAT issues

Also make sure that you have correct dstnat rule. Common mistake is to have it with in-interface=WAN, which can't work from LAN.
by Sob
Fri Mar 13, 2020 3:39 pm
Forum: General
Topic: load balancing and failover on mikrotik from generic router with ppoe and static connection
Replies: 26
Views: 4308

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

It seems to me that you're looking at wrong place. If both WANs are connected to Ubiquiti router and RB is only bridge, it's the router that should be handling any kind of load balancing.
by Sob
Fri Mar 13, 2020 3:26 pm
Forum: Announcements
Topic: Winbox v3.22 released!
Replies: 117
Views: 44776

Re: Winbox v3.22 released!

Great, that's half of the work done. It would be real shame to not add Ctrl+Ins now. ;)
by Sob
Fri Mar 13, 2020 3:24 pm
Forum: Beginner Basics
Topic: How can I assign an external IP address to one of the local ones? [SOLVED]
Replies: 21
Views: 4569

Re: How can I assign an external IP address to one of the local ones? [SOLVED]

In that case, you need to treat it as multi-WAN. The only difference is that you most likely have the same gateway for all addresses, so when creating other routing tables, you need to include interface (1.1.1.X is gateway address):
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.X%ether1-wan rout...
by Sob
Fri Mar 13, 2020 2:55 pm
Forum: Beginner Basics
Topic: How can I assign an external IP address to one of the local ones? [SOLVED]
Replies: 21
Views: 4569

Re: How can I assign an external IP address to one of the local ones? [SOLVED]

And how do you get those addresses? Is it DHCP? Or static addresses, but locked to specific MAC address? In other words, you can't just put them all on one interface?
by Sob
Fri Mar 13, 2020 2:49 pm
Forum: General
Topic: Use of public IP space on local hosts. 1:1 NAT?
Replies: 13
Views: 3100

Re: Use of public IP space on local hosts. 1:1 NAT?

It should be "Routes" option in PPP->Secrets.
by Sob
Fri Mar 13, 2020 2:42 pm
Forum: Beginner Basics
Topic: How can I assign an external IP address to one of the local ones? [SOLVED]
Replies: 21
Views: 4569

Re: How can I assign an external IP address to one of the local ones? [SOLVED]

Do you have three WANs (that's what the other thread is about) or is it one connection from one ISP with three addresses? The latter would be simple srcnat:
/ip firewall nat
add chain=srcnat src-address=10.0.10.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.156
add chain=srcnat src-addre...
by Sob
Fri Mar 13, 2020 2:31 pm
Forum: Announcements
Topic: Winbox v3.22 released!
Replies: 117
Views: 44776

Re: Winbox v3.22 released!

Ctrl+C already works for aborting commands. But it could probably have double use, where copying would work when there's some selected text. Or there are also safe non-conflicting Ctrl+Ins and Shift+Ins (my favourite, but those currently don't work in Terminal either).
by Sob
Fri Mar 13, 2020 4:06 am
Forum: General
Topic: Use of public IP space on local hosts. 1:1 NAT?
Replies: 13
Views: 3100

Re: Use of public IP space on local hosts. 1:1 NAT?

Route must be on ISP's router:
/ip route
add distance=1 dst-address=103.107.224.160/29 gateway=10.255.0.2
Not on customer's.
by Sob
Thu Mar 12, 2020 2:59 pm
Forum: Announcements
Topic: Winbox v3.22 released!
Replies: 117
Views: 44776

Re: Winbox v3.22 released!

One cosmetic problem, optional fields have wrong vertical centering. With small zoom the text is too much to top, while with big zoom it's too much to bottom. It happens everywhere for this field type. Other fields (simple edits, dropdowns) have it correct.
by Sob
Thu Mar 12, 2020 2:37 pm
Forum: Beginner Basics
Topic: Port foward doesn't work SSH [SOLVED]
Replies: 19
Views: 3940

Re: Port foward doesn't work SSH [SOLVED]

So you already have the rule (with prefix "5") and it doesn't log anything. In that case, check the server, because router is sending packets there, but server doesn't send anything back.
by Sob
Thu Mar 12, 2020 2:30 pm
Forum: General
Topic: Routing 4 lans and 4 wans [SOLVED]
Replies: 21
Views: 4458

Re: Routing 4 lans and 4 wans [SOLVED]

No, read my previous post again. :)
1) First two rules mark incoming connections and you don't need to do anything else with packets in this direction, so you can stop here with passthrough=no (but passthrough=yes won't break anything).
2) Next two rules mark outgoing connections and you also need t...
by Sob
Thu Mar 12, 2020 1:58 pm
Forum: Beginner Basics
Topic: Port forward doesn't work SSH [SOLVED]
Replies: 19
Views: 3940

Re: Port forward doesn't work SSH [SOLVED]

You didn't post the rules that produced the log, so we don't know what you have there. If you don't have it already, add also this, to log responses from server: /ip firewall mangle add chain=prerouting src-address=192.168.0.99 protocol=tcp src-port=22 action=log And you'll see if server responds or...
by Sob
Thu Mar 12, 2020 2:52 am
Forum: General
Topic: Routing 4 lans and 4 wans [SOLVED]
Replies: 21
Views: 4458

Re: Routing 4 lans and 4 wans [SOLVED]

For start, reverse passthrough parameters in all chain=prerouting rules. When you have passthrough=yes, it means that processing in given chain will continue. When it's passthrough=no, it will stop with the rule that has it (if other options match). So when you mark new incoming connections from int...
by Sob
Wed Mar 11, 2020 2:09 pm
Forum: Announcements
Topic: Winbox v3.22 released!
Replies: 117
Views: 44776

Re: Winbox v3.22 released!

There's a bug with read-only fields and copying to clipboard. I discovered it when I tried to copy log messages (after double clicking line in log window), but it's actually not new, same happens also in older WinBox with other fields: winbox-readonly-copy.png - If I double-click the field to select...
by Sob
Wed Mar 11, 2020 12:48 pm
Forum: General
Topic: How to raise "upgradeable to"?
Replies: 26
Views: 5118

Re: How to raise "upgradeable to"?

And I already told the good news to all devices in my museum... ;)

Anyway, last for mipsle should be:

https://download.mikrotik.com/routeros/ ... 6.32.4.zip
by Sob
Tue Mar 10, 2020 7:17 pm
Forum: Beginner Basics
Topic: Disable IP-sec DNS
Replies: 1
Views: 1115

Re: Disable IP-sec DNS

It's currently in beta:

viewtopic.php?p=775499#p775499
by Sob
Tue Mar 10, 2020 2:28 pm
Forum: General
Topic: dualwan hairpin nat consultation
Replies: 16
Views: 3065

Re: dualwan hairpin nat consultation

It's not hairpin NAT problem. Only devices in same subnet as server need hairpin NAT. In your case it's only vlan1. Both vlan10 and vlan11 have different subnet, so no hairpin NAT is needed there. It's probably your routing. If you mark routing from vlan10 and vlan11 in order to use WAN 2.2.2.2, it's ...
by Sob
Tue Mar 10, 2020 2:18 pm
Forum: General
Topic: unable to ping routers ip locally after implementing Nth load balancing
Replies: 1
Views: 914

Re: unable to ping routers ip locally after implementing Nth load balancing

You mark all new connections from LanBridge and routing for them, so if your routing tables conn1-3 have only default route to internet, posted mangle rules would effectively block access to e.g. other local subnets (traffic would go to internet instead). But router itself shouldn't be affected by th...
by Sob
Mon Mar 09, 2020 2:25 pm
Forum: General
Topic: Routing and pass valid(public) ips to another mikrotik
Replies: 3
Views: 1507

Re: Routing and pass valid(public) ips to another mikrotik

It should. You of course need to configure that address on RB4011, then make sure that no firewalls block it, etc.
by Sob
Mon Mar 09, 2020 12:14 pm
Forum: General
Topic: Routing and pass valid(public) ips to another mikrotik
Replies: 3
Views: 1507

Re: Routing and pass valid(public) ips to another mikrotik

Remove address from loopbackp-ips and route it to RB4011?
by Sob
Mon Mar 09, 2020 3:32 am
Forum: Beginner Basics
Topic: VLAN setup help
Replies: 30
Views: 5674

Re: VLAN setup help

First, it's not clear how it works now. What addresses do guests get? Is there separate subnet only on AP? Also how the blocked access to LAN works would be interesting to know. For new config you need to configure switch to allow tagged vlan 9 on ports connected to AP and router. You didn't even wr...
by Sob
Sat Mar 07, 2020 10:48 pm
Forum: Beginner Basics
Topic: Winbox Discovery of Devices
Replies: 3
Views: 2139

Re: Winbox Discovery of Devices

A. Maybe you were too paranoid with firewall (chain=input)?
by Sob
Sat Mar 07, 2020 9:37 pm
Forum: Beginner Basics
Topic: Port Forwarding firewall rules
Replies: 39
Views: 6528

Re: Port Forwarding firewall rules

If you don't have srcnat rule (hairpin), then only dstnat applies. So when server gets the packet, it's from 192.168.1.10. Server doesn't know that it came from router and not directly from client (*). It's not server's fault to send response directly to 192.168.1.10, it doesn't know any better, thi...
by Sob
Sat Mar 07, 2020 9:16 pm
Forum: General
Topic: Integrated ROS OpenVPN server and Multi Wan - not working
Replies: 5
Views: 2115

Re: Integrated ROS OpenVPN server and Multi Wan - not working

Still the same problem. Connection from internet to either 10.0.1.x or 10.0.2.x will match one of two accept rules at the beginning and won't get marked, they basically "neutralize" two following mangle rules. And that's why you needed to add other connection marking rules in forward chain. If you c...
by Sob
Sat Mar 07, 2020 6:36 pm
Forum: Beginner Basics
Topic: How to move firewall rules up and down
Replies: 6
Views: 2517

Re: How to move firewall rules up and down

Yes, you can drag rules, it works. Except maybe when you use WinBox on Mac, I don't do it myself, but I think I've noticed some complaints about that somewhere in this forum.
by Sob
Sat Mar 07, 2020 6:28 pm
Forum: Beginner Basics
Topic: Port Forwarding firewall rules
Replies: 39
Views: 6528

Re: Port Forwarding firewall rules

We don't use action=masquerade for static address (it's replaced by action=src-nat). We still use out-interface=WAN. And we add to-addresses=<WAN IP>, not dst-address=<WAN IP>.
by Sob
Sat Mar 07, 2020 6:09 pm
Forum: Beginner Basics
Topic: Port Forwarding firewall rules
Replies: 39
Views: 6528

Re: Port Forwarding firewall rules

1) No. Hairpin NAT is needed only when client and server are in same subnet (you can re-read https://wiki.mikrotik.com/wiki/Hairpin_NAT to understand why). There's no need for hairpin NAT for different subnets. It won't break anything if you add it, but it won't add anything useful either. 2a) Yes, ...
by Sob
Sat Mar 07, 2020 5:10 pm
Forum: Beginner Basics
Topic: Port Forwarding firewall rules
Replies: 39
Views: 6528

Re: Port Forwarding firewall rules

Second config has bridge itself in vlan 20 as untagged port, which allows you to put IP address on bridge directly, without need for extra vlan interface. But you can do this only for one vlan, because bridge interface has only one pvid. First config, yes, ether1 can be trunk port. And bridge is alw...
by Sob
Sat Mar 07, 2020 4:49 pm
Forum: General
Topic: Can each wireless user connect to their own VLAN?
Replies: 6
Views: 2104

Re: Can each wireless user connect to their own VLAN?

I think you get it, except you maybe overlooked the part that client, which doesn't have anything else defined in access-list, uses default config from wlan interface, in this case tagged 82.
by Sob
Sat Mar 07, 2020 4:44 pm
Forum: General
Topic: How add anydesk to address list
Replies: 1
Views: 1448

Re: How add anydesk to address list

You can't add wildcards to address list. If it's just one hostname, it's easy, because RouterOS can resolve it. But *.net.anydesk.com can be anything, it's not possible to resolve all possible hostnames, it would be millions of them.