Community discussions

by Sob
Wed Jun 19, 2019 9:58 pm
Forum: Forwarding Protocols
Topic: How to create NAT for multi device software update
Replies: 1
Views: 64

Re: How to create NAT for multi device software update

You need some connection marking. In prerouting, check for new incoming connections on px interfaces. Give them unique connection marks. And then in output, mark routing for connections with these marks.
by Sob
Sat Jun 15, 2019 5:23 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3245

Re: firewall src add and dst add

Regarding your previous reply, your problem is not with clients, the only resolver they should get is 192.168.88.1:53 (or whatever local address your router has, but still with standard port). It's the router that needs to talk to upstream resolver on non-standard port. It's exactly what the ugly ha...
by Sob
Fri Jun 14, 2019 10:51 pm
Forum: General
Topic: Web Proxy Restrict
Replies: 3
Views: 146

Re: Web Proxy Restrict

Traffic to router itself goes in chain=input. Traffic through router (both outgoing and incoming, forwarded ports included) goes in chain=forward. I don't know what you have now, but simple firewall that only allows access from internet to forwarded ports can look like this: /ip firewall filter add ...
by Sob
Fri Jun 14, 2019 10:24 pm
Forum: General
Topic: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range
Replies: 8
Views: 272

Re: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range

1) Don't enable dynamic leases:
/ip dhcp-server
add address-pool=static-only <other parameters>
2) Select dynamic pool for server and create static leases from another subnet as you need.
by Sob
Fri Jun 14, 2019 3:21 pm
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 682

Re: My first Mikrotik Router - Firewall Help

Nah, only when I have to get out of bed too soon, then I feel like twice my age. :) It's just that I've been playing with RouterOS for several years and most of the time interface lists didn't exist. They are great when you need to quickly add another LAN/WAN and make them use common rules. Not exac...
by Sob
Fri Jun 14, 2019 2:15 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3245

Re: firewall src add and dst add

..., so obviously my ISP is using dst-nat to redirect all request on port 53 to their own servers, ... - router has 208.67.222.222 (on port 53) as a resolver from the router dns settings(obviously not dst-nated) so it connect to 208.67.222.222 directly through the 53 port So the question is, does r...
by Sob
Fri Jun 14, 2019 2:12 pm
Forum: General
Topic: one dhcp server, static leases two diffent gateway addresses
Replies: 4
Views: 206

Re: one dhcp server, static leases two diffent gateway addresses

Where does 192.168.2.5 suddenly come from? You didn't write what netmask you have, but in case it's the most common /24, 192.168.2.x can't be default gateway for 192.168.1.x. Or do you mean two upstream routers and routing traffic from some addresses to one and from other addresses to another?
by Sob
Fri Jun 14, 2019 2:07 pm
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 682

Re: My first Mikrotik Router - Firewall Help

Or, to stick with concept used in default firewall setup by MT: use "in-interface-list=LAN"
Right. I still didn't get used to in-interface-list, as it's relatively new and I've been using in-interface for too long. Just to make it clear.
by Sob
Fri Jun 14, 2019 2:55 am
Forum: RouterOS v7
Topic: Feature request for v7.x
Replies: 257
Views: 58667

Re: Feature request for v7.x

1) You posted in the wrong thread.
2) I'm not sure if I'm getting the part about same names, but no such requirement exists. In some cases, it should be possible to skip connection marking completely, but it would only work if you'd have outgoing connections only, no incoming. And even then marking conne...
by Sob
Fri Jun 14, 2019 1:24 am
Forum: General
Topic: DNS unable to resolve host
Replies: 8
Views: 356

Re: DNS unable to resolve host

It's actually:

0000 04 74 65 73 74 03 6c 61 6e 00 00 01 00 01  .test.lan.....
                                ^^ null byte
                                   ^^ ^^ record type (16 bits)
                                         ^^ ^^ class (16 bits)

So a foolproof way (from two posts later in same referenced thread) should be: \0x03lan...?.?$ Which means ".lan" followed by 2-4 non-zero bytes at the end of p...
by Sob
Fri Jun 14, 2019 1:07 am
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3245

Re: firewall src add and dst add

I'm not a fan of that hack either. :) But what I'm trying to say is that as it is now:

- client doesn't use router as resolver
- router doesn't use the same resolver as client

So getting different addresses for same hostname (which uses CDN) is very possible.
by Sob
Fri Jun 14, 2019 1:02 am
Forum: General
Topic: Web Proxy Restrict
Replies: 3
Views: 146

Re: Web Proxy Restrict

Filter rule sounds right, you probably don't want anything external connecting to your proxy. Even more, you probably don't want anything external connecting to your router at all, so it's usually better to block everything and only add exceptions for what you want to have open, which shouldn't be m...
by Sob
Fri Jun 14, 2019 12:45 am
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 682

Re: My first Mikrotik Router - Firewall Help

It's not too bad. Firewall blocks all incoming requests from internet. They would only be accepted if someone spoofed the source address, but that's very unlikely. You can improve the firewall rule accepting input traffic from LAN by adding in-interface=<LAN>.
by Sob
Fri Jun 14, 2019 12:35 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1095
Views: 187903

Re: Feature requests

Both proxies are disabled by default, so they just take space in menu and little bit on disk, but that's it. Ability to uninstall them completely wouldn't change much, they already don't do anything if you don't enable them. I can understand that seeing some things in menu can annoy people for whate...
by Sob
Thu Jun 13, 2019 4:41 am
Forum: Virtualization
Topic: 951Ui-2nD MetaRouter [SOLVED]
Replies: 5
Views: 332

Re: 951Ui-2nD MetaRouter [SOLVED]

There's no help. You can either buy some other supported device with larger storage, or you'd need to have really small metarouter. The latter could be theoretically possible if you are assembler guru, but realistically, I don't think there's any chance to create anything useful like this.
by Sob
Thu Jun 13, 2019 4:31 am
Forum: General
Topic: DNS unable to resolve host
Replies: 8
Views: 356

Re: DNS unable to resolve host

Use regexp="\\x03lan.\\x01" instead (3 = length of "lan"). Just the "." alone means any character, so if there would be TLD .<something>lan, your regexp would match too.
by Sob
Wed Jun 12, 2019 10:25 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3245

Re: firewall src add and dst add

Problem is, it doesn't do what you think. You need the router to use the right resolver (i.e. not ISP's) and client to use router (default is 192.168.88.1; you can have different config) as resolver. What actually happens is that when client gets 192.168.88.1 and tries to use it, dstnat forwards all...
by Sob
Wed Jun 12, 2019 8:55 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 287
Views: 57543

Re: v6.45beta [testing] is released!

I hope I'm not missing the point, but isn't this IKEv2 & policy routing something that would be best solved by what's known as route/interface-based VPN, VTI, etc? I remember it used to be popular request here few years ago. If I understand it correctly, Linux implementation provides interfaces for ...
by Sob
Wed Jun 12, 2019 12:51 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3245

Re: firewall src add and dst add

I'm using the router as a DNS resolver and have a Dst-nat rule to redirect all traffic to the opendns servers, and still i get different IPs
Sounds contradictory to me. Either the laptop uses router as resolver, i.e. it has router's address as its only resolver, and there's no dstnat. Or you redire...
by Sob
Tue Jun 11, 2019 11:50 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3245

Re: firewall src add and dst add

Akamai is CDN, i.e. huge network with servers all over the world, doing load balancing and stuff. Everything is dynamic. Address of given website is CNAME with decent TTL, but target e7772.g.akamaiedge.net really has only 20 seconds TTL. You might get the same address again and usually you will, but...
by Sob
Mon Jun 10, 2019 3:37 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3245

Re: firewall src add and dst add

Another difference (edit: well, it's actually the same principle) is that now it's independent, the address list will have address(es) even when nothing uses router's DNS resolver (device can have e.g. hardcoded 8.8.8.8). It's true that it's not foolproof now either, some sites can have multiple add...
by Sob
Mon Jun 10, 2019 5:07 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: GUI supported Let's Encrypt with SSL Offloading
Replies: 3
Views: 205

Re: Feature Request: GUI supported Let's Encrypt with SSL Offloading

As reverse proxy for http(s) I use Nginx, previously Pound, I also know about HAProxy, and there's probably more. There's also stunnel which is not specifically for https, but can do other interesting stuff. Downside of all of these is that you can't put them directly on router, you need another mac...
by Sob
Sun Jun 09, 2019 11:36 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: GUI supported Let's Encrypt with SSL Offloading
Replies: 3
Views: 205

Re: Feature Request: GUI supported Let's Encrypt with SSL Offloading

There's already long thread about Let's Encrypt support: Support for ACME/Let's Encrypt certificate management
Few notes:
1) You don't need to do anything with IP addresses, certificates use hostnames. They can contain IP addresses too, but Let's Encrypt won't give you certificate for them.
2) It wi...
by Sob
Sat Jun 08, 2019 5:41 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Add print server (printer support)
Replies: 137
Views: 56154

Re: Add print server (printer support)

There's no official word, but I guess the consideration of this feature is postponed to RouterOS v8 or later. ;)
by Sob
Sat Jun 08, 2019 5:33 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3245

Re: firewall src add and dst add

It would require to change how it works. Now you give it hostname and router actively resolves it. It's obvious that it can't try to resolve all possible combinations. So it would have to be as you suggest, not actively resolve anything, only look for what's already in cache. But it wouldn't work fo...
by Sob
Thu Jun 06, 2019 11:33 pm
Forum: Beginner Basics
Topic: Port forwarding
Replies: 2
Views: 180

Re: Port forwarding

If you have default firewall, this should do the trick:
/ip firewall nat
add chain=dstnat dst-address=192.168.0.9 protocol=tcp dst-port=8999 action=dst-nat to-addresses=10.0.0.220
by Sob
Wed Jun 05, 2019 8:09 pm
Forum: Beginner Basics
Topic: Port forwarding question
Replies: 4
Views: 244

Re: Port forwarding question

For the lazy among us, what is this DMZ+ mode? If it forwards ports to selected device, I don't see any reason why they couldn't be forwarded further.
I know how to do port forwarding on a MikroTik, ...
Convince us. :)
by Sob
Wed Jun 05, 2019 8:05 pm
Forum: General
Topic: Mikrotik Console Port
Replies: 4
Views: 250

Re: Mikrotik Console Port

Is there any way to prevent this in the future?
Education? Warning label? Some cover and glue? :)
by Sob
Wed Jun 05, 2019 5:47 pm
Forum: General
Topic: AWS - private network interaction [SOLVED]
Replies: 4
Views: 290

Re: AWS - private network interaction [SOLVED]

Actually no, if only this server needs it, it's probably a good idea. The only mistake is netmask, dst-address=192.168.0.3/24 is wrong, it should be only dst-address=192.168.0.3 (or dst-address=192.168.0.0/24 for whole network).
by Sob
Wed Jun 05, 2019 2:44 am
Forum: General
Topic: EOIP - ethernet over IP protocol
Replies: 3
Views: 211

Re: EOIP - ethernet over IP protocol

That's because EoIP is proprietary extension of GRE and as far as I know, nobody else supports it except Mikrotik.
For the record, there's something for Linux & friends (e.g. https://github.com/Nat-Lab/eoip), but I didn't test it.
by Sob
Wed Jun 05, 2019 1:07 am
Forum: General
Topic: mikrotik ppoe without nat /24 block
Replies: 8
Views: 249

Re: mikrotik ppoe without nat /24 block

For basic config, route will be only one (default) with gateway from /30, so:
/ip address
add address=x.x.x.a/30 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=x.x.x.b
Then you will also get some dynamic route(s) to addresses from your /24, depending on what exactly you do with them. I...
by Sob
Wed Jun 05, 2019 12:21 am
Forum: General
Topic: mikrotik ppoe without nat /24 block
Replies: 8
Views: 249

Re: mikrotik ppoe without nat /24 block

Then you should be able to access 45.x.y.2/24 remotely. It could be just some small mistake... And no, you don't sound like you know how to set it up with /30. ;) Well, probably just the /30 part itself. For the /24, you don't need to do anything with routing to allow those addresses access internet...
by Sob
Tue Jun 04, 2019 11:55 pm
Forum: General
Topic: mikrotik ppoe without nat /24 block
Replies: 8
Views: 249

Re: mikrotik ppoe without nat /24 block

Did you also add default route?
/ip route
add dst-address=0.0.0.0/0 gateway=42.x.y.1
And of course this and the point to point address alone without other config will allow outside access to 42.x.y.2 only. It's just first step. I wouldn't say that separate /30 to connect to provider is easier (a...
by Sob
Tue Jun 04, 2019 10:49 pm
Forum: General
Topic: AWS - private network interaction [SOLVED]
Replies: 4
Views: 290

Re: AWS - private network interaction [SOLVED]

Easy, you need only one srcnat rule:
/ip firewall nat
add chain=srcnat src-address=192.168.255.0/24 action=src-nat to-addresses=192.168.0.123
by Sob
Tue Jun 04, 2019 10:47 pm
Forum: Scripting
Topic: 3 WAN load balance issues
Replies: 10
Views: 626

Re: 3 WAN load balance issues

You shouldn't need to do any marking in input, because both input and forward are covered by common rules in prerouting. Marking routing in output is important, if you want router reachable from internet using any WAN, because you need to send replies where the requests came from.
by Sob
Tue Jun 04, 2019 10:43 pm
Forum: Wireless Networking
Topic: Hard wire extender/coud router switch to increase wireless coverage
Replies: 4
Views: 196

Re: Hard wire extender/coud router switch to increase wireless coverage

If you want it only (or mainly) for wireless, something smaller than another 24-port CRS would be probably better:

https://mikrotik.com/products/group/wir ... and-office
by Sob
Tue Jun 04, 2019 10:36 pm
Forum: General
Topic: Bare Metal installation
Replies: 6
Views: 446

Re: Bare Metal installation

Is there .img for x86? I don't see it on download page, only CHR, and I don't think it will run on bare metal. But you can install x86 from CD somewhere where it will work (even virtual machine), create disk image from that, write it to real disk and it might work.
by Sob
Tue Jun 04, 2019 10:31 pm
Forum: General
Topic: mikrotik ppoe without nat /24 block
Replies: 8
Views: 249

Re: mikrotik ppoe without nat /24 block

However this will only work if ISP blindly routes whole /24 subnet through single interface and doesn't rely on ARP to resolve target device for individual addresses.
This is easily fixed by enabling proxy ARP on WAN.
by Sob
Tue Jun 04, 2019 5:15 pm
Forum: RouterBOARD hardware
Topic: How to find the MAC Address from device via Winbox?? [Damaged label]
Replies: 4
Views: 270

Re: How to find the MAC Address from device via Winbox?? [Damaged label]

If you can get in, then "/interface print" will show current MAC addresses and if they were changed, "/interface ethernet print detail" will also show original ones.
by Sob
Tue Jun 04, 2019 9:42 am
Forum: General
Topic: Mikrotik icmp traffic from itself?
Replies: 3
Views: 193

Re: Mikrotik icmp traffic from itself?

Icmp type 11 is "Time Exceeded", so this would be packets from those addresses being routed through this router, their TTL reaching zero and router sending notification back to them.
by Sob
Tue Jun 04, 2019 12:34 am
Forum: General
Topic: Strange DNS problem with OpenVPN & Windows 10 [ Metric weight is done ] [SOLVED]
Replies: 5
Views: 247

Re: Strange DNS problem with OpenVPN & Windows 10 [ Metric weight is done ] [SOLVED]

You'd have to check with packet sniffer what exact queries each device is sending. Every system can have different behaviour, it can also be influenced by configuration. It's difficult to tell what exactly is wrong without seeing what's happening.
by Sob
Tue Jun 04, 2019 12:04 am
Forum: General
Topic: IPv6 transition mechanism
Replies: 71
Views: 4963

Re: IPv6 transition mechanism

I can't say that I like current "everything over https", "everything in or through cloud", "no incoming connections required" approach. This was one thing IPv6 was supposed to solve, direct connectivity, decentralization, etc. But maybe it's too late for that. It will take another ten years for IPv6...
by Sob
Mon Jun 03, 2019 9:33 pm
Forum: General
Topic: Strange DNS problem with OpenVPN & Windows 10 [ Metric weight is done ] [SOLVED]
Replies: 5
Views: 247

Re: Strange DNS problem with OpenVPN & Windows 10 [ Metric weight is done ] [SOLVED]

When you use hostname without any dot, Windows will always try to append domain suffix. If there's some, your "server" becomes e.g. "server.mynet.local" and you don't have such record. I'm not sure what it does when there's none, if there's some default suffix or if it fails. If you add "." as suffi...
by Sob
Mon Jun 03, 2019 9:19 pm
Forum: Beginner Basics
Topic: Confused with PASSTHROUGH YES/NO in Mangle
Replies: 7
Views: 422

Re: Confused with PASSTHROUGH YES/NO in Mangle

^^^ You added question marks by mistake. ;)
by Sob
Mon Jun 03, 2019 9:18 pm
Forum: General
Topic: IPv6 transition mechanism
Replies: 71
Views: 4963

Re: IPv6 transition mechanism

I didn't test it lately, but advertising multiple prefixes should work. If you can ensure that router will correctly change the advertisement based on connection status, it would be good enough for failover scenario. Load balancing would be more difficult, because it's up to client to decide what so...
by Sob
Mon Jun 03, 2019 5:27 pm
Forum: General
Topic: IPv6 transition mechanism
Replies: 71
Views: 4963

Re: IPv6 transition mechanism

I'm afraid that even though prefix translation is not the right IPv6 way, it will be very popular, because it's "as simple as IPv4 NAT". Everything is on router, you can have the dumbest device in LAN and still give it any kind of load balancing, policy routing and stuff that's simply not possible ...
by Sob
Mon Jun 03, 2019 4:10 pm
Forum: Beginner Basics
Topic: Does RouterOS support these features?
Replies: 3
Views: 240

Re: Does RouterOS support these features?

- Inbound VPN with OpenVPN
So far only MikroTik's "lightweight" implementation of OpenVPN (no udp, compression, pushed routes, ...).
by Sob
Mon Jun 03, 2019 3:43 pm
Forum: Beginner Basics
Topic: NAT problem?
Replies: 12
Views: 549

Re: NAT problem?

... - i tryed setting several destination nats, ...
And you still didn't show us any...
by Sob
Sat Jun 01, 2019 6:29 pm
Forum: Wireless Networking
Topic: Wireless Vlan Trunk
Replies: 3
Views: 402

Re: Wireless Vlan Trunk

What about the link from your first post? It looked good.
by Sob
Fri May 31, 2019 3:28 pm
Forum: Beginner Basics
Topic: NAT problem?
Replies: 12
Views: 549

Re: NAT problem?

Wild guess, your dstnat rule could be wrong. Maybe if you'd show it to someone, they could see what the problem is.