Search found 9242 matches

by Sob
Tue Sep 17, 2024 1:05 am
Forum: Beginner Basics
Topic: ipv6 security
Replies: 14
Views: 1718

Re: ipv6 security

I'd say don't fight it, IPv6 is the future. But it's also true that you'll be able to survive without it for quite some time. Also it's not clear what kind of security you're after. That DNS server seems to be outgoing address of whatever resolver you use. If it's run by someone else, you can't infl...
by Sob
Tue Sep 17, 2024 12:50 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 375810

Re: 📣 WinBox 4 is here 📣

... if you take a firewall policy then all defined settings in it are parts of this same rule and you have to be able to see it all because all these parts do matter in similar way. That's why tabs do not work inside the single object. I wouldn't go as far as saying that they don't work. But I have...
by Sob
Mon Sep 16, 2024 10:59 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 375810

Re: 📣 WinBox 4 is here 📣

@normis: About making everyone happy, have you thought about support for customization? It's just a rough idea, but I read a bit about Qt and it seems to be heavily customizable (sizes, colors, fonts, ...). It even supports styles using CSS. I'm not sure if WinBox uses exactly that, but some CSS can...
by Sob
Sun Sep 15, 2024 10:55 pm
Forum: General
Topic: Issues when connection is routed in/out same interface
Replies: 5
Views: 678

Re: Issues when connection is routed in/out same interface

Since I don't see what exactly you have there, I'd suggest a quick and simple test, if it makes any difference:
/ip firewall filter
add chain=forward src-address=10.100.102.0/24 dst-address=10.100.103.0/24 action=accept place-before=0
by Sob
Sun Sep 15, 2024 3:35 am
Forum: General
Topic: Issues when connection is routed in/out same interface
Replies: 5
Views: 678

Re: Issues when connection is routed in/out same interface

Looks like asymmetric routing. Assuming that you have some "normal" config, client that doesn't know about the other subnet sends packet to main router, from there it goes to tailscale router, and to destination. Response goes to tailscale router, and from there directly to client, because...
by Sob
Sat Sep 14, 2024 10:55 am
Forum: General
Topic: Suggestion to MikroTik - market verticals
Replies: 14
Views: 1272

Re: Suggestion to MikroTik - market verticals

I still don't get it. It's probably true that some people bought MikroTik router by mistake, and it made them unhappy, because they don't know what to do with it. But it wasn't caused by seeing too many weird acronyms in menu, it was because they know nothing about networks. They would have the same...
by Sob
Sat Sep 14, 2024 4:41 am
Forum: General
Topic: Static DNS type FWD to populate dynamic allowed address list: first request is blocked
Replies: 9
Views: 850

Re: Static DNS type FWD to populate dynamic allowed address list: first request is blocked

Well, it would be more user friendly if it offered existing lists (same as when you add address to address list manually). But I don't remember if it was ever there. I guess not, the whole option is relatively new, they probably just made first version that does something and that's it.
by Sob
Sat Sep 14, 2024 12:03 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 375810

Re: 📣 WinBox 4 is here 📣

A light touch on a scroll wheel is almost always faster/easier/better than repositioning your mouse on top of the dialog where the tabs are, potentially scrolling through the tabs, and finally clicking on one of them. It depends. Things being static (always in same place) has advantages too, I alway...
by Sob
Fri Sep 13, 2024 10:22 pm
Forum: General
Topic: Static DNS type FWD to populate dynamic allowed address list: first request is blocked
Replies: 9
Views: 850

Re: Static DNS type FWD to populate dynamic allowed address list: first request is blocked

It probably sends answer to client first, and client is "too quick" to use it, even before router manages to add it to list. It would be simple way how to implement it, deal with DNS request and response as usual, don't do anything special, just add request for address list to some queue, ...
by Sob
Thu Sep 12, 2024 4:28 am
Forum: Beginner Basics
Topic: Reset IPv6 after gateway reboot.
Replies: 32
Views: 2007

Re: Reset IPv6 after gateway reboot.

When there's reboot, does router see ethernet link going down and up again? Or is there anything in log at all?
by Sob
Wed Sep 11, 2024 4:46 am
Forum: Beginner Basics
Topic: Reset IPv6 after gateway reboot.
Replies: 32
Views: 2007

Re: Reset IPv6 after gateway reboot.

Is there a switch in between or something? I'd expect that reboot of gateway would cause link down and up, and dhcp client should notice that and ask again. Also, what exactly happens? Is there old prefix hanging and you get different one when you disable and enable dhcp client?
by Sob
Wed Sep 11, 2024 12:49 am
Forum: General
Topic: Suggestion to MikroTik - market verticals
Replies: 14
Views: 1272

Re: Suggestion to MikroTik - market verticals

There are different things. Crippling "home" devices as horribly as you suggested, that would be really bad. And for what? This is where MikroTik stands out. I can have load of cheap and limited routers, or I can play with something like OpenWRT, or I can get device with RouterOS and have ...
by Sob
Tue Sep 10, 2024 11:02 pm
Forum: General
Topic: Suggestion to MikroTik - market verticals
Replies: 14
Views: 1272

Re: Suggestion to MikroTik - market verticals

I for one like MikroTik exactly because they don't do things like this. All users get everything and they're limited only by power of hardware, and it's good.
by Sob
Tue Sep 10, 2024 9:36 pm
Forum: General
Topic: Routing Mark problem after moving from RouterOS 6.49.17 to 7.15.3 [SOLVED]
Replies: 10
Views: 2525

Re: Routing Mark problem after moving from RouterOS 6.49.17 to 7.15.3 [SOLVED]

If you use WinBox, then DNS resolution happens on client (PC where it runs). It's not clear what it uses as DNS server. But in case the problem really is caused by routing marks, you can always exclude router by adding dst-address=!192.168.90.1 to mangle rule (or dst-address-type=!local to cover all...
by Sob
Tue Sep 10, 2024 6:35 pm
Forum: Beginner Basics
Topic: Trouble with DNAT rules
Replies: 2
Views: 720

Re: Trouble with DNAT rules

It seems that you're testing this from LAN and that can't work, because all your dstnat rules are limited to WAN (in-interface-list=WAN, in-interface=ether1). You need to replace these conditions with either "dst-address=[PUBLIC IP]" (if it's static) or "dst-address-type=local dst-add...
by Sob
Tue Sep 10, 2024 6:23 pm
Forum: Beginner Basics
Topic: Regarding the issue of NAT
Replies: 7
Views: 1125

Re: Regarding the issue of NAT

It's not possible, connections work only with numeric addresses, they don't see hostnames. Hostname may come later in some protocols, but for NAT it would be too late anyway, even if router understood it.
by Sob
Fri Sep 06, 2024 3:07 pm
Forum: General
Topic: Question for firewall
Replies: 5
Views: 526

Re: Question for firewall

Do you have any other config beyond these two rules? If you do, then it's probably something in there. If you don't, it's not possible, or you're expecting something else than I think. What these two rules do is that first one allows any packet from given MAC address. And second blocks everything el...
by Sob
Fri Sep 06, 2024 1:40 pm
Forum: General
Topic: Question for firewall
Replies: 5
Views: 526

Re: Question for firewall

If you create only these two rules: /ip firewall filter add chain=forward src-mac-address=xx:xx:xx:xx:xx:xx action=accept add chain=forward action=drop then it won't do what you want (also in ROS6). You need third rule before those two: /ip firewall filter add chain=forward connection-state=establis...
by Sob
Wed Sep 04, 2024 11:54 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 375810

Re: 📣 WinBox 4 is here 📣

I would add to my previous suggestion to let the user choose the colors, so it could adapt to our work environment : ) Something like: "custom theme" or "custom color palette" in addition to light and dark mode :) Yes, please. It could certainly help with making everyone happy. ...
by Sob
Wed Sep 04, 2024 5:12 pm
Forum: General
Topic: IPv6 Masquerade
Replies: 3
Views: 682

Re: IPv6 Masquerade

Yes, it just affects what address is used (src-nat = yours, masquerade = router's choice).
by Sob
Wed Sep 04, 2024 4:37 am
Forum: General
Topic: IPv6 Masquerade
Replies: 3
Views: 682

Re: IPv6 Masquerade

Use action=src-nat to-address=<address> instead of action=masquerade.
by Sob
Tue Sep 03, 2024 2:56 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 375810

Re: 📣 WinBox 4 is here 📣

Winbox3 didn't use any kind of font smoothing and ignored operating system settings.
Not exactly true. WinBox 3 uses ClearType, if enabled in system. And doesn't use it when not enabled. WinBox 4 has forced ClearType, regardless of system settings.
by Sob
Mon Sep 02, 2024 4:52 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 375810

Re: 📣 WinBox 4 is here 📣

Could be that MT devs started rectifying this by communicating UTF-8 from WB4 towards ROS but handling is not complete? Yes, WinBox 4 seems to save strings in UTF-8 encoding, so that would be the right way forward. Only trouble is that old one didn't handle it at all and just saved "some bytes...
by Sob
Mon Sep 02, 2024 4:20 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 375810

Re: 📣 WinBox 4 is here 📣

One bug (or missing feature) that I didn't see mentioned before: old WinBox allowed to redirect storage elsewhere by writing paths in %APPDATA%\MikroTik\WinBox\path and %APPDATA%\MikroTik\WinBox\sessionpath. New one doesn't respect it. Many people already mentioned that lack of tabs is bad, but it s...
by Sob
Thu Aug 01, 2024 1:37 am
Forum: Beginner Basics
Topic: SSH on wan from different port
Replies: 15
Views: 1450

Re: SSH on wan from different port

And since "action=dst-nat to-addresses=<router's address>" is equal to "action=redirect" (*), now you understand the whole thing, right?

(*) Not completely true. You get bonus point if you find why.
by Sob
Thu Aug 01, 2024 1:31 am
Forum: General
Topic: Loopback/Hairpin NAT with masquerade srcnat [SOLVED]
Replies: 6
Views: 4805

Re: Loopback/Hairpin NAT with masquerade srcnat [SOLVED]

On another look, it's also your hairpin rule, to-ports is wrong, it should be dst-port. Or it can be simplified as:
/ip firewall nat
add chain=srcnat src-address=10.1.1.0/24 dst-address=10.1.1.0/24 action=masquerade
And it will cover all other ports you might want to access in future.
by Sob
Wed Jul 31, 2024 6:07 pm
Forum: Beginner Basics
Topic: SSH on wan from different port
Replies: 15
Views: 1450

Re: SSH on wan from different port

@anav: Would this be better for you (x.x.x.x = any of router's own addresses)? /ip firewall nat add chain=dstnat dst-address-type=local protocol=tcp dst-port=2022 action=dst-nat to-addresses=x.x.x.x to-ports=22 It's the same thing, both action=dst-nat and action=redirect are form of dstnat, differen...
by Sob
Wed Jul 31, 2024 6:00 pm
Forum: General
Topic: 1:1 Netmap troubleshoot
Replies: 1
Views: 510

Re: 1:1 Netmap troubleshoot

Are you sure that you don't want src-address=192.168.0.0/24? And also that protocol=icmp is intentional?
by Sob
Wed Jul 31, 2024 3:08 am
Forum: Beginner Basics
Topic: SSH on wan from different port
Replies: 15
Views: 1450

Re: SSH on wan from different port

@anav: Try "complete" example: /ip firewall nat add chain=dstnat dst-address-type=local protocol=tcp dst-port=2022 action=redirect to-ports=22 /ip firewall filter add chain=input protocol=tcp dst-port=22 connection-nat-state=dstnat action=accept add chain=input protocol=tcp dst-port=22 act...
by Sob
Tue Jul 30, 2024 11:13 pm
Forum: General
Topic: Loopback/Hairpin NAT with masquerade srcnat [SOLVED]
Replies: 6
Views: 4805

Re: Loopback/Hairpin NAT with masquerade srcnat [SOLVED]

I meant to replace the in-interface option. You most likely don't need it at all, no in-interface means that it works from all. Dst-address should work. Well, at least from LAN. From WAN it wouldn't if MY_EXTERNAL_IP is not directly on this router (NAT 1:1 or something from another router). In WinBo...
by Sob
Tue Jul 30, 2024 10:59 pm
Forum: Beginner Basics
Topic: SSH on wan from different port
Replies: 15
Views: 1450

Re: SSH on wan from different port

Simpler solution:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-nat-state=dstnat action=accept
by Sob
Tue Jul 30, 2024 9:14 pm
Forum: General
Topic: Loopback/Hairpin NAT with masquerade srcnat [SOLVED]
Replies: 6
Views: 4805

Re: Loopback/Hairpin NAT with masquerade srcnat [SOLVED]

It's because of in-interface=pppoe-out1-fiber-internet in dstnat rule, such rule works only from outside. Replace it with either dst-address=<your public static address> (if you have one) or dst-address-type=local.
by Sob
Tue Jul 30, 2024 8:22 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 167
Views: 50983

Re: Feature Request: IPSEC Improvements

Anyone knows how many other vendors don't support VTI? Because if not too many, that alone is good enough reason to add it. Just one example, last time I set up tunnel with another party (where they were the boss), it took several emails before I was able to explain that I need policy-based IPSec. T...
by Sob
Mon Jul 29, 2024 4:15 pm
Forum: General
Topic: Blocking IPs via firewall filter, excessive notifications
Replies: 1
Views: 500

Re: Blocking IPs via firewall filter, excessive notifications

Order of rules matters, just put logging after blocking ones.
by Sob
Mon Jul 29, 2024 4:09 pm
Forum: General
Topic: NAT 1:1 multiply IPs
Replies: 2
Views: 651

Re: NAT 1:1 multiply IPs

Or just route the ones you like to:
/ip arp
add address=x.x.x.43 interface=WAN@MT published=yes
...
add address=x.x.x.46 interface=WAN@MT published=yes
/ip route
add dst-address=x.x.x.43 gateway=y.y.y.y
...
add dst-address=x.x.x.46 gateway=y.y.y.y
(y.y.y.y = MT1)
by Sob
Mon Jul 29, 2024 3:56 pm
Forum: Beginner Basics
Topic: Just installed and having troubles with DNS
Replies: 2
Views: 1011

Re: Just installed and having troubles with DNS

If nothing else, you're missing default route (192.168.1.1 is a guess based on configured IP address):
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
by Sob
Fri Jul 12, 2024 5:34 pm
Forum: General
Topic: Traefik Reverse proxy
Replies: 6
Views: 1013

Re: Traefik Reverse proxy

So you have working dstnat rules and problem is that this traefik can't reach something. What, where, how? Is it some internal domain name? What DNS servers does it use? Etc..
by Sob
Thu Jul 11, 2024 4:40 am
Forum: General
Topic: mangle rule to add client to list when mac address is seen
Replies: 2
Views: 838

Re: mangle rule to add client to list when mac address is seen

Or you can drop it right away: /ip firewall raw add action=drop chain=prerouting dst-address-list=!HomeAssistant src-mac-address=00:00:00:00:00:00 But this only affects routing, so it won't be able to reach internet or other vlans, but will be able to communicate with devices in same network segment...
by Sob
Thu Jul 11, 2024 1:23 am
Forum: General
Topic: Winbox feature request: ICMP/Port Knocking for administrative access
Replies: 25
Views: 1749

Re: Winbox feature request: ICMP/Port Knocking for administrative access

It depends. There are different ways, but if all you want is simple protection against stupid bots that blindly scan anything, port knocking is really simple and good enough. Especially if you're used to it from the past when we didn't have WG (which for this purpose is much more pleasant to work wi...
by Sob
Thu Jul 11, 2024 12:50 am
Forum: General
Topic: Suggestion: General Blocking "wildcard" Blocking in DNS blocklists
Replies: 13
Views: 1021

Re: Suggestion: General Blocking "wildcard" Blocking in DNS blocklists

If you're interested in changing DNS responses, you can already do that: /ip dns static add name=example.com address=127.0.0.1 match-subdomain=yes Regexp works too: /ip dns static add regexp="^(.*\\.)\?example\\.com\$" address=127.0.0.1 Edit: Or if you mean the new adlist, I didn't play wi...
by Sob
Thu Jul 11, 2024 12:24 am
Forum: General
Topic: Winbox feature request: ICMP/Port Knocking for administrative access
Replies: 25
Views: 1749

Re: Winbox feature request: ICMP/Port Knocking for administrative access

The point is to inconvenience attacker, not legitimate user. Otherwise it may lead to user choosing something weaker (e.g. shorter sequence) that's not as much annoying. In fact, it seems to me that client side is not really a big problem. I'm sure there are some existing port-knocking tools and eve...
by Sob
Wed Jul 10, 2024 11:34 pm
Forum: General
Topic: v7.x simple queue firewall filter rule not working
Replies: 4
Views: 630

Re: v7.x simple queue firewall filter rule not working

Think about your rules. For example, packet from 192.168.1.12 to 1.2.3.4 will be ignored by first rule, because the src-address=!192.168.1.12 condition is false. Which means that processing will continue with second rule and connection will get fasttracked, because if destination is 1.2.3.4, then ds...
by Sob
Wed Jul 10, 2024 12:16 am
Forum: General
Topic: Winbox feature request: ICMP/Port Knocking for administrative access
Replies: 25
Views: 1749

Re: Winbox feature request: ICMP/Port Knocking for administrative access

My trust in WinBox protocol significantly decreased since that funny incident when router happily provided list of usernames and their plaintext passwords to anyone who asked (meaning unauthorized users). And while I (want to) believe that nothing similar will happen again, I still feel better if Wi...
by Sob
Tue Jul 09, 2024 11:34 pm
Forum: Beginner Basics
Topic: Masquerade rule without source address doesn't catch wireguard traffic.
Replies: 5
Views: 1245

Re: Masquerade rule without source address doesn't catch wireguard traffic.

Nobody said anything about forward chain, and if the traffic reached *any* srcnat rule, it obviously wasn't stopped in forward, so there shouldn't be any problem there. :)
by Sob
Tue Jul 09, 2024 7:26 pm
Forum: Beginner Basics
Topic: Masquerade rule without source address doesn't catch wireguard traffic.
Replies: 5
Views: 1245

Re: Masquerade rule without source address doesn't catch wireguard traffic.

Second rule is same as first rule, with one extra condition => there's no reason why it should catch more traffic than first one. It's the opposite.

@llamajaja: You can have WG clients connecting to router as WG server and then use it to access internet, then their traffic will go out to WAN.
by Sob
Tue Jul 09, 2024 5:54 pm
Forum: General
Topic: Winbox feature request: ICMP/Port Knocking for administrative access
Replies: 25
Views: 1749

Re: Winbox feature request: ICMP/Port Knocking for administrative access

Well, VPN may be inconvenient if you use random computers, but it's possible to argue that maybe it's not best idea to access anything sensitive (such as router administration) from there. It's also true that ROSv6 doesn't have Wireguard, but perhaps that could be the reason to upgrade? The rest sou...
by Sob
Tue Jul 09, 2024 5:10 pm
Forum: Beginner Basics
Topic: I cannot locally reach my local web server.
Replies: 7
Views: 1128

Re: I cannot locally reach my local web server.

If you have IPv6 connectivity and you're not doing anything weird, access to webserver is only accept rule(s) in forward chain, e.g.: /ipv6 firewall filter add chain=forward dst-address=<server's address> protocol=tcp dst-port=80,443 action=accept It may be a bit more complicated if you have dynamic...
by Sob
Tue Jul 09, 2024 4:59 am
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 288
Views: 121103

Re: v7.16beta [testing] is released!

The next hop gateway is indeed a link local address. It was always a link local address previously, but it was being issued as part of the DHCP response. Nope. It may sound weird, but DHCPv6 does not have ability to add default route. The option in RouterOS to do so is MikroTik's non-standard hack,...
by Sob
Mon Jul 08, 2024 1:54 am
Forum: General
Topic: Multiple WAN IP (same gateway) - Routing question
Replies: 10
Views: 744

Re: Multiple WAN IP (same gateway) - Routing question

It's just that I don't see any advantage of this 3x1 "multi-WAN simulator" over 1x3 single WAN. And in fact, I don't even see how this fixes the problem. Either there's local-address=1.1.1.x for peer and then only this address should be used as source, or the router still might decide to u...
by Sob
Sun Jul 07, 2024 12:19 am
Forum: Forwarding Protocols
Topic: Is this config possible?? 2ISP, port forwarding and VPN
Replies: 6
Views: 2099

Re: Is this config possible?? 2ISP, port forwarding and VPN

By VPN you mean L2TP or PPTP on router? If so, did you have your firewall rules in same order as now when testing? Because that wouldn't work. Rules are checked from top to bottom, so any connection from WAN is blocked by fifth rule and further ones that allow it don't matter. As for different SSTP p...
by Sob
Sat Jul 06, 2024 11:58 pm
Forum: General
Topic: Multiple WAN IP (same gateway) - Routing question
Replies: 10
Views: 744

Re: Multiple WAN IP (same gateway) - Routing question

Why three WAN interfaces? Why not just one with three addresses? And then for IPSec set local-address=1.1.1.x (which you can do also with your current config).
by Sob
Sat Jul 06, 2024 11:47 pm
Forum: General
Topic: Vmware RouterOS Problem
Replies: 4
Views: 1694

Re: Vmware RouterOS Problem

If you're installing it, then it looks like x86 version, which is meant for physical hardware. I'd expect it to work anyway, at least previous versions did. But you probably want CHR.
by Sob
Sat Jul 06, 2024 3:14 am
Forum: General
Topic: Mangle for route to specific internet resources through vpn server
Replies: 10
Views: 783

Re: Mangle for route to specific internet resources through vpn server

Truth is, if it's endless, we're not looking forward to it. I might get lost, @anav will probably provide friendly suggestion in his own charming way, to ditch everything and start from scratch. But if you can't find the problem yourself, there's at least a chance that someone else might.
by Sob
Fri Jul 05, 2024 4:59 pm
Forum: Beginner Basics
Topic: Destination NAT problem or other... [SOLVED]
Replies: 15
Views: 5968

Re: Destination NAT problem or other... [SOLVED]

What's the point of static route on NAS? It's not breaking anything, but if it has default gateway, that 192.168.2.0/29 is already covered.
by Sob
Fri Jul 05, 2024 4:51 pm
Forum: General
Topic: Mangle for route to specific internet resources through vpn server
Replies: 10
Views: 783

Re: Mangle for route to specific internet resources through vpn server

That's not exactly what I meant. This is the same small part of config that you already posted, only in different form. But this small part is fine, the problem must be somewhere else. But it's difficult to find where exactly without seeing the rest of config.
by Sob
Fri Jul 05, 2024 3:13 am
Forum: Forwarding Protocols
Topic: Is this config possible?? 2ISP, port forwarding and VPN
Replies: 6
Views: 2099

Re: Is this config possible?? 2ISP, port forwarding and VPN

What exactly doesn't work as you want? None of your forwarded ports is configured to work exactly same from both WANs. Ports 80 and 8181 are limited to WAN1 (in-interface=WAN1). And 443 is forwarded to different internal address, depending on used WAN. Btw, SSTP can use any port, it doesn't require ...
by Sob
Fri Jul 05, 2024 2:49 am
Forum: Beginner Basics
Topic: Help SCRNAT with two public subnets
Replies: 7
Views: 886

Re: Help SCRNAT with two public subnets

Just add any number of rules according to your needs, for example: /ip firewall nat add chain=srcnat src-address=10.20.30.40 action=src-nat to-addresses=p.p.p.1 add chain=srcnat src-address=10.20.30.0/24 action=src-nat to-addresses=p.p.p.2 add chain=srcnat src-address=192.168.1.0/24 action=src-nat t...
by Sob
Thu Jul 04, 2024 8:19 pm
Forum: General
Topic: Mangle for route to specific internet resources through vpn server
Replies: 10
Views: 783

Re: Mangle for route to specific internet resources through vpn server

No problem there. I'll tell you a secret, if instead of screenshots you do export: /export hide-sensitive file=myconfig and then you paste content of resulting myconfig.rsc here in code tags (feel free to censor things like public IP address if you want, but don't overdo it), it's less work and give...
by Sob
Thu Jul 04, 2024 7:18 pm
Forum: Beginner Basics
Topic: Help SCRNAT with two public subnets
Replies: 7
Views: 886

Re: Help SCRNAT with two public subnets

More detailed explanation of what "nat Vlan 20 behind Vlan 10" means might help.
by Sob
Thu Jul 04, 2024 6:39 am
Forum: General
Topic: Terminal does not support localized language
Replies: 2
Views: 381

Re: Terminal does not support localized language

In fact, *nothing* in RouterOS really supports anything beyond 7-bit ascii. Sometimes it "accidentally" works, but that's all. RouterOS doesn't understand any encoding, it just sees some bytes and how they display as characters is not consistent. E.g. if I put "ěščřžýáíé" in some...
by Sob
Thu Jul 04, 2024 4:32 am
Forum: General
Topic: Mangle for route to specific internet resources through vpn server
Replies: 10
Views: 783

Re: Mangle for route to specific internet resources through vpn server

Some mistake in your config, perhaps? Showing it to someone might help.
by Sob
Thu Jul 04, 2024 4:24 am
Forum: Beginner Basics
Topic: Block all DNS requests except type A
Replies: 2
Views: 675

Re: Block all DNS requests except type A

You should probably write a bit more about what you want to achieve.
by Sob
Thu Jul 04, 2024 4:20 am
Forum: General
Topic: Port forwarding using dst-nat not working
Replies: 5
Views: 1096

Re: Port forwarding using dst-nat not working

Since there's nothing obviously wrong, just check what exactly happens, if counters increment, if you see packets (using e.g. Tools->Torch), or add some logging like: /ip firewall mangle add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=443 connection-state=new action=mark-connection ...
by Sob
Wed Jul 03, 2024 11:46 pm
Forum: Beginner Basics
Topic: Destination NAT problem or other... [SOLVED]
Replies: 15
Views: 5968

Re: Destination NAT problem or other... [SOLVED]

If the new srcnat rule helped, then either NAS has invalid or missing gateway (it should be this router's 192.168.100.2), or it doesn't accept connections from non-local addresses (other than 192.168.100.x).
by Sob
Wed Jul 03, 2024 5:12 pm
Forum: Beginner Basics
Topic: Destination NAT problem or other... [SOLVED]
Replies: 15
Views: 5968

Re: Destination NAT problem or other... [SOLVED]

Try a little packet watching: /ip firewall mangle add chain=prerouting dst-address=192.168.2.2 protocol=tcp dst-port=80 connection-state=new action=mark-connection new-connection-mark=natdebug log=yes log-prefix=newconn passthrough=yes add chain=prerouting connection-mark=natdebug action=log add cha...
by Sob
Wed Jul 03, 2024 4:47 pm
Forum: General
Topic: Routing specific IP addresses through local unix server connected to VPN
Replies: 3
Views: 424

Re: Routing specific IP addresses through local unix server connected to VPN

This creates asymmetric routing, which may possibly cause some trouble. Try if one of these helps, either exclude this traffic from connection tracking: /ip firewall raw add src-address=192.168.0.0/24 dst-address=10.2.0.0/16 action=notrack and make sure that your firewall filter allows all packets wi...
by Sob
Wed Jul 03, 2024 4:36 pm
Forum: General
Topic: Bind public IP per L2TP VPN User.
Replies: 2
Views: 410

Re: Bind public IP per L2TP VPN User.

I don't think you can. You could limit access to server, but that would affect all users. Problem is, when new connection comes, you don't yet know what user it is. You know it only after authentication and then it's too late, because user is already connected. Checking the source address would have...
by Sob
Wed Jul 03, 2024 4:24 pm
Forum: Beginner Basics
Topic: dst-nat internal vlan not work
Replies: 3
Views: 1177

Re: dst-nat internal vlan not work

Keep it simple:
/ip firewall nat
add chain=srcnat src-address=10.12.20.0/24 dst-address=10.12.20.0/24 action=masquerade
by Sob
Wed Jul 03, 2024 1:24 am
Forum: Beginner Basics
Topic: Destination NAT problem or other... [SOLVED]
Replies: 15
Views: 5968

Re: Destination NAT problem or other... [SOLVED]

In this case, you don't need the firewall rule. If you check default rules, you'll see that forward chain has two rules that could possibly block something. One drops packets with invalid state, that's not it. The other drops new connections from WAN, that could be it, but only when they are not dst...
by Sob
Wed Jul 03, 2024 12:47 am
Forum: Beginner Basics
Topic: Simple NAT 1:1 Setup [SOLVED]
Replies: 7
Views: 4644

Re: Simple NAT 1:1 Setup [SOLVED]

Actually, if the new masquerade rule helped, you should check PC2's firewall again and make sure that it allows icmp from anywhere and not just from local subnet. Then this masquerade rule wouldn't be needed. But you would need it for PLC if that really doesn't have any gateway.
by Sob
Tue Jul 02, 2024 10:13 pm
Forum: Beginner Basics
Topic: Simple NAT 1:1 Setup [SOLVED]
Replies: 7
Views: 4644

Re: Simple NAT 1:1 Setup [SOLVED]

In random order: For solving the mystery, check (on PC2) "ipconfig /all" and "route print". Even if you remove default gateway, it should be there ... somehow. Sorry about the srcnat rule I posted, it's incomplete, it should have action=masquerade. No, address on router doesn't p...
by Sob
Tue Jul 02, 2024 8:56 pm
Forum: Beginner Basics
Topic: Simple NAT 1:1 Setup [SOLVED]
Replies: 7
Views: 4644

Re: Simple NAT 1:1 Setup [SOLVED]

The problem with missing gateway is that it really can't work without it. If PLC/PC2 has only 192.168.1.0/24 and no gateway, it means that it knows how to reach any 192.168.1.x, but has no idea where packets to any other address should go. If you try to ping PC1's 10.101.54.22, you should get an err...
by Sob
Tue Jul 02, 2024 8:23 pm
Forum: Beginner Basics
Topic: Simple NAT 1:1 Setup [SOLVED]
Replies: 7
Views: 4644

Re: Simple NAT 1:1 Setup [SOLVED]

My guess would be firewall on PC2 blocking incoming ping requests. Other than that, I probably misunderstood "No Gateway" for PC2, it must have gateway 192.168.1.1, otherwise it wouldn't work at all. Counters not incrementing for PC2->PC1 ping is probably oversight, because it happens only...
by Sob
Tue Jul 02, 2024 7:30 am
Forum: Beginner Basics
Topic: dst-nat internal vlan not work
Replies: 3
Views: 1177

Re: dst-nat internal vlan not work

You have dstnat rules with in-interface-list=WAN, they can't work for requests that are not from interfaces in WAN list. I didn't study everything in detail, but you probably need something like: /ip firewall address-list add list=dstnat-addresses address=192.168.1.150 add list=dstnat-addresses addr...
by Sob
Tue Jul 02, 2024 7:06 am
Forum: General
Topic: Simulating Drop Rules with Logging to Prevent Production Disruptions
Replies: 2
Views: 323

Re: Simulating Drop Rules with Logging to Prevent Production Disruptions

Placing an action=log rule with the server list after all the accept rules would log even the allowed connections, which isn't helpful.
No, it wouldn't. Once the packet is accepted by a rule, processing stops there, following rules are not checked.
by Sob
Tue Jul 02, 2024 6:10 am
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 288
Views: 121103

Re: v7.16beta [testing] is released!

*) 6to4 - make "remote-address" parameter mandatory; In other words, you're dropping support for RFC 3056. Because that needs unspecified remote address. Is it intentional? I know that the whole thing is not very popular. Accompanied RFC 3068 is even deprecated. I'm probably one of the fe...
by Sob
Wed Apr 17, 2024 3:12 am
Forum: General
Topic: Hairpin NAT with 2 WAN static IP's and 2 LAN's
Replies: 7
Views: 1293

Re: Hairpin NAT with 2 WAN static IP's and 2 LAN's

It's not blocked by your firewall, since you don't have any. Srcnat on WAN doesn't have any conditions, so that's not breaking it. Mangle rules won't touch it, so no problem there either. It seems to me that if VPN client 192.168.89.x tries to route internet traffic via this router, it should work. ...
by Sob
Sat Apr 13, 2024 1:57 am
Forum: General
Topic: Hairpin NAT with 2 WAN static IP's and 2 LAN's
Replies: 7
Views: 1293

Re: Hairpin NAT with 2 WAN static IP's and 2 LAN's

Good news! If you have server in LAN1 (one subnet) and clients in LAN2 (another subnet), then the problem that's solved by hairpin NAT doesn't occur. So you don't need hairpin NAT. Your problem (aside from non-existent firewall filter section, but that's another story) is the mangle rule that marks ...
by Sob
Sun Dec 31, 2023 4:35 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2441

Re: Dual WAN PCC ok but no web browsing [SOLVED]

I'd use what I wrote before: /ip firewall nat add action=srcnat chain=srcnat out-interface=ether4-sat to-addresses=192.168.1.20 add action=srcnat chain=srcnat out-interface=ether5-fwa to-addresses=192.168.55.20 But the main point was that if you thought it was working, it couldn't. And it's not just...
by Sob
Sun Dec 31, 2023 4:27 pm
Forum: General
Topic: IPIPv6 tunnel uses wrong local address
Replies: 9
Views: 1603

Re: IPIPv6 tunnel uses wrong local address

Well, NAT does work (= is able to change source of tunnel's packets), but not exactly as expected. I can force tunnel to use link-local address as source, if I keep default route (with link-local gateway) and disable all global addresses. I assume something like that might be happening on your route...
by Sob
Sun Dec 31, 2023 2:55 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2441

Re: Dual WAN PCC ok but no web browsing [SOLVED]

Sorry to ruin it for you, but no.

If nothing else, now you have two unconditional srcnat rules. So the first one will be used for anything passing through router and nothing will ever get to second one.
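The failure mode Sob points at, together with the conditional form he posted elsewhere in the same thread, as an added example (not the original poster's config): two srcnat rules without matchers, then the same pair tied to the outgoing interface, and the stats check that shows which rule is actually matching. The interface names and the .20 addresses are the ones mentioned in the thread; everything else is illustrative.

```routeros
# Added example (not from the forum post). Why two unconditional srcnat
# rules cannot work, and the conditional version that does.
# ether4-sat / ether5-fwa and the .20 addresses come from the thread.

# BROKEN: no matchers at all. NAT is first-match, so every packet leaving
# the router hits rule 0; rule 1 never sees a packet, and traffic going
# out ether5-fwa leaves with the ether4-sat source address.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=192.168.1.20
add chain=srcnat action=src-nat to-addresses=192.168.55.20

# Check: after some traffic, only the first rule's counters move.
/ip firewall nat print stats

# FIXED: tie each rule to the interface the packet is actually leaving on.
/ip firewall nat
remove [find chain=srcnat action=src-nat]
add chain=srcnat out-interface=ether4-sat action=src-nat to-addresses=192.168.1.20
add chain=srcnat out-interface=ether5-fwa action=src-nat to-addresses=192.168.55.20

# Check again: both rules' counters now increase, each for its own WAN.
/ip firewall nat print stats

# Existing connections keep the NAT mapping they got from the broken
# rule until they time out. This flushes the whole connection table
# (disruptive; do it in a maintenance window):
/ip firewall connection remove [find]
```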
by Sob
Sat Dec 30, 2023 9:45 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2441

Re: Dual WAN PCC ok but no web browsing

I think I see it, the two PCC rules need to have passthrough=yes.
by Sob
Sat Dec 30, 2023 9:35 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2441

Re: Dual WAN PCC ok but no web browsing

Unfortunately, I don't see anything obviously wrong that could cause what you were describing. And that description, that's really weird behaviour.

All VRRP masters are on same router, right?
by Sob
Sat Dec 30, 2023 9:12 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2441

Re: Dual WAN PCC ok but no web browsing

Addresses on VRRP interfaces should have /32 masks: /ip address add address=192.168.10.20/32 interface=vrrp1-LAN add address=192.168.1.20/32 interface=vrrp2-SAT add address=192.168.55.20/32 interface=vrrp3-FWA Then outgoing interfaces will be parent ones, and even though masquerade should have the s...
by Sob
Sat Dec 30, 2023 7:02 pm
Forum: Beginner Basics
Topic: SMTP Postfix Server Configuration [SOLVED]
Replies: 5
Views: 2351

Re: SMTP Postfix Server Configuration [SOLVED]

tcptraceroute = not the same thing as traceroute

And allowing any port won't help, because they are all allowed already. Look at forward, not input, there's no drop in forward.
by Sob
Sat Dec 30, 2023 6:57 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2441

Re: Dual WAN PCC ok but no web browsing

PCC with VRRP, I don't see why not. But it's probably good idea to share more info about what exactly you have (at least definition of interfaces and IP addresses; or just post whole config). You seem to have VRRPs on LAN and both WANs. But one weird thing I see, if srcnat is intended to be there an...
by Sob
Sat Dec 30, 2023 3:00 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2441

Re: Dual WAN PCC ok but no web browsing

What about other config? Is there perhaps fasttrack in /ip firewall filter?
by Sob
Sat Dec 30, 2023 1:05 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 5183

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

It's perfectly reasonable. When you have this "remote public address" that you use to forward ports from there to devices in your LAN, then the router possibly being one of those devices is not any far fetched idea. I can't come up with any good analogy right now, but trust me, it makes ...

by Sob
Sat Dec 30, 2023 12:49 pm
Forum: General
Topic: IPIPv6 tunnel uses wrong local address
Replies: 9
Views: 1603

Re: IPIPv6 tunnel uses wrong local address

If it's ROSv7, you can also try NAT.
by Sob
Fri Dec 29, 2023 9:43 pm
Forum: General
Topic: simple 3 isp dhcp clients with aggregation
Replies: 21
Views: 4330

Re: simple 3 isp dhcp clients with aggregation

@anav: You missed the "afcourse via accelerators like IDM", i.e. instead of downloading one file using one connection from beginning to end, there are multiple connections, each downloading different part of that file. It may not work with everything, but when it does, you can get maximum ...
by Sob
Fri Dec 29, 2023 7:57 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 5183

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

Yes, original post was about forwarding ports to another device behind router, and you don't need the output rule for that. But it's related, so why not cover even possible future needs right away? Worst case, it won't be used. Maybe after seeing how great these forwarded ports work, next requirement...
by Sob
Fri Dec 29, 2023 1:00 pm
Forum: General
Topic: IPIPv6 tunnel uses wrong local address
Replies: 9
Views: 1603

Re: IPIPv6 tunnel uses wrong local address

Setting local address seems as obvious choice for workaround. As simple as possible if it's static, a bit more annoying if not, but should be doable.
by Sob
Fri Dec 29, 2023 3:10 am
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 5183

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

Traffic coming from tunnel can be to: a) some device behind router -> route marking for responses is done in prerouting b) router itself -> route marking for responses is done in output As for different variants of the rules, don't overthink it. You need one to mark incoming connections and you can'...
by Sob
Fri Dec 29, 2023 2:47 am
Forum: General
Topic: Policy based routing
Replies: 9
Views: 1780

Re: Policy based routing

Few things: - If in rtr1 table you still have route to 0.0.0.0/0, as you did in first post and it was correct, then adding any other route there with same gateway is pointless, because the first one already covers any possible destination. - Same for the rule to look up destination for packets with ...
by Sob
Thu Dec 28, 2023 10:19 pm
Forum: General
Topic: Policy based routing
Replies: 9
Views: 1780

Re: Policy based routing

If the target is router itself, then output chain (instead of prerouting) is the right one for handling response packets, that's correct. It should just work without any extra routes. That's if you need to deal only with incoming connections. First rule in prerouting marks incoming connections (you ...
by Sob
Thu Dec 28, 2023 8:13 pm
Forum: General
Topic: Bug? Password-protected cert import - no interactive prompt
Replies: 5
Views: 1310

Re: Bug? Password-protected cert import - no interactive prompt

It's really simple. Imagine that you have certificate with encrypted private key and you want to import it. Don't think about why there's password, perhaps you got it like that from someone else. It doesn't matter. Don't you think that RouterOS should be smart enough to ask for the password if you d...
by Sob
Thu Dec 28, 2023 7:49 pm
Forum: General
Topic: Policy based routing
Replies: 9
Views: 1780

Re: Policy based routing

Almost there. You need to limit the route marking rule, because this one applies also to incoming packets. As a result, they will be sent back, because route marks have maximum priority in ROS. Either that, or you'd need routes to local destinations in rtr1 table. The former is probably easier/simpl...
by Sob
Thu Dec 28, 2023 7:42 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 5183

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

What can I say, you know what you're doing. Gentle push was enough.

@anav: It's when you don't have public IP address from your ISP, but you want one. So you get it elsewhere (VPS) and then forward ports from there.
by Sob
Thu Dec 28, 2023 2:42 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 5183

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

Masquerade on server side will have to be removed, of course. But that alone would break it and it wouldn't work at all. With this config it will. It's the good old "forwarding port through VPN", you know that.
by Sob
Thu Dec 28, 2023 1:58 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 5183

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

You're looking for something like this: /routing table add name=wg fib /ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg /ip firewall mangle add chain=prerouting in-interface=wireguard1 connection-mark=no-mark action=mark-connection new-connection-mark=wg-conn add chain=prerout...
by Sob
Wed Dec 27, 2023 10:58 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 498
Views: 170699

Re: v7.14beta [testing] is released!

added a "vrf" interface for testing, now I cannot delete it. It doesn't even show up in the terminal if you export the config... looks like a bug to me The bug is probably that you're able to add them at all. These interfaces are the previously hidden ones that are automatically created w...
by Sob
Wed Dec 27, 2023 7:29 pm
Forum: General
Topic: IP Firewall/NAT Input and Output Chain
Replies: 12
Views: 4021

Re: IP Firewall/NAT Input and Output Chain

It's for doing src/dstnat with router's own traffic. It wasn't available in old versions. When it's forwarded traffic, you have: prerouting/dstnat -> forward -> postrouting/srcnat But for router's own traffic (to/from router) you have: prerouting/dstnat -> input output -> postrouting/srcnat So you c...
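An added example (not the post's own config) of the chain layout Sob describes: packets the router itself generates never pass the dstnat chain, so RouterOS v7 exposes chain=output in /ip firewall nat for them (and chain=input for src-nat of traffic addressed to the router). The local resolver address 192.168.88.53 and the interface list LAN are assumptions; verify the chains exist on your version before relying on them.

```routeros
# Added example (not from the forum post). Router's own traffic goes
# prerouting/dstnat -> input and output -> postrouting/srcnat, so the
# usual dstnat chain never sees packets the router itself generates.
# 192.168.88.53 (a local resolver) and the LAN list are assumptions.

/ip firewall nat
# Router-originated DNS (its own cache talking to whatever is in
# /ip dns servers) is redirected to the local resolver. chain=output,
# not dstnat, because the packet is generated by the router.
add chain=output protocol=udp dst-port=53 dst-address=!192.168.88.53 \
    action=dst-nat to-addresses=192.168.88.53 \
    comment="router's own DNS -> local resolver"

# Forwarded traffic from LAN clients still needs the classic dstnat chain;
# an output rule would never see it.
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    dst-address=!192.168.88.53 action=dst-nat to-addresses=192.168.88.53 \
    comment="LAN clients' DNS -> local resolver"

# Check which chain caught what: one router-originated lookup should
# bump the output rule only, one lookup from a LAN host the dstnat rule.
:put [:resolve example.com]
/ip firewall nat print stats where dst-port=53
```

The matching filter for the redirected router traffic is chain=output as well; the input chain only ever sees packets addressed to the router, which is why the diagram in the post has no dstnat step after it.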
by Sob
Wed Dec 27, 2023 5:49 pm
Forum: RouterOS beta
Topic: VRF and hidden interfaces
Replies: 6
Views: 6199

Re: VRF and hidden interfaces

Fun with interfaces, 2023 edition. Original version, shows how it's processed internally, but hides names of interfaces: prerouting: in: guest out:(unknown 0), 192.168.82.1->192.168.82.123 prerouting: in: (unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123 input: in: (unknown 22) out:(unknown...
by Sob
Thu Mar 09, 2023 3:41 am
Forum: General
Topic: No access to FTP server through VPN tunnel
Replies: 9
Views: 1924

Re: No access to FTP server through VPN tunnel

That would be the first FTP server I ever saw with support for only single passive port (did you try to enter range like 20020-20030?). It's not impossible, but it would limit some features, e.g. transfers between different servers (FXP) would be problematic. But simple client-server should work. An...
by Sob
Thu Mar 09, 2023 2:12 am
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 8184

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

It's just another tool like many before. It can be used or misused. Now it's new, so everyone is scared/excited/whatever. But we'll manage.
by Sob
Thu Mar 09, 2023 12:09 am
Forum: General
Topic: Feature Request: Ed25519 SSH keys
Replies: 57
Views: 21975

Re: Feature Request: Ed25519 SSH keys

Reinventing the wheel properly takes time. ;) And they like to do it a lot, example: viewtopic.php?p=965896#p965896
by Sob
Wed Mar 08, 2023 10:02 pm
Forum: General
Topic: Wireguard - "asymmetric routing"
Replies: 30
Views: 2891

Re: Wireguard - "asymmetric routing"

Because it was so long ago when such things were used *1. ;)

-
*1 Individual experiences may differ for each person
by Sob
Wed Mar 08, 2023 12:23 pm
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 8184

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

Before you do something drastic, although I don't think harakiri is the thing in Canada, the thing with WG and localhost is just something that I think I saw mentioned in some thread, but I find it weird and it's entirely possible that I'm mistaken. So be calm, everything is probably mostly fine. ;)...
by Sob
Wed Mar 08, 2023 12:17 pm
Forum: General
Topic: No access to FTP server through VPN tunnel
Replies: 9
Views: 1924

Re: No access to FTP server through VPN tunnel

FTP establishes new data connection for every single transfer (download, upload, even directory listing). Just one port isn't much to work with. I can't say that it clearly couldn't work, it depends on how server handles it, but it can't hurt to try to configure at least some small range of passive ...
by Sob
Wed Mar 08, 2023 4:33 am
Forum: Scripting
Topic: Reasons to hold on to the mikrotik specific scripting language
Replies: 13
Views: 3288

Re: Reasons to hold on to the mikrotik specific scripting language

Add a few built-in functions for convenience, find a way to provide more feedback on errors than silent death, and I'll be willing to say that it's ok. ;)
by Sob
Wed Mar 08, 2023 2:18 am
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 8184

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

I think I saw it in some threads that WG supposedly connects to localhost. I didn't examine it myself yet, but I don't see any good reason why it would do it (I'm not saying it's not possible). And you're probably significantly further than 0.3%. How much, that's hard to guess. I wouldn't be sure ab...
by Sob
Wed Mar 08, 2023 1:15 am
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 8184

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

Forums having ranks/titles based on number of posts is common knowledge, everyone learns it eventually. I remember how once someone took info from some forum about military and argued that it MUST be true, because it was written by General and they know their stuff. :D
by Sob
Tue Mar 07, 2023 9:40 pm
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 8184

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

@rextended: I understand your frustration. But you're still missing any way how it could work. You can prohibit it, maybe in rules that nobody reads anyway. And people will still post it, either because they won't know about it, or they will know and not admit it. And you can ban them after, but fir...
by Sob
Tue Mar 07, 2023 8:30 pm
Forum: General
Topic: Limit download speed but not limit browsing speed
Replies: 4
Views: 1501

Re: Limit download speed but not limit browsing speed

It depends. If it's regular download where one connection transfers a lot of data, you can mark it using connection-bytes, e.g. after 10MB: /ip firewall mangle add chain=forward connection-mark=no-mark connection-bytes=10485760-0 action=mark-connection new-connection-mark=bigtransfer and then use qu...
by Sob
Tue Mar 07, 2023 8:20 pm
Forum: Forwarding Protocols
Topic: Mesh Network and Ip adresses
Replies: 5
Views: 3232

Re: Mesh Network and Ip adresses

What if you drop the routes and use standard /ip address add address=<address>/<mask>? I don't remember if what you have now is supposed to work.
by Sob
Tue Mar 07, 2023 8:16 pm
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 2432

Re: Question about ip - address redirection [SOLVED]

Well, it makes sense. I just wonder what exactly the client does, it seems that it must use some kind of policy routing.
by Sob
Tue Mar 07, 2023 4:26 am
Forum: Wireless Networking
Topic: Guest network
Replies: 11
Views: 9377

Re: Guest network

For start, how many devices are we talking about? Is it separate router and AP(s), or just single device? If it's more than one, then VLANs allow to have centralized config on router and AP can act as dumb transparent device.
by Sob
Tue Mar 07, 2023 4:08 am
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 2432

Re: Question about ip - address redirection [SOLVED]

Oops, sorry, my bad. In that case, it's different problem. You'd need clients to access x.x.x.x via tunnel, but they need to access the same x.x.x.x without tunnel, because it's the VPN server they are connecting to. I'm not sure what exactly OpenVPN client does, but it probably routes whole x.x.x.x...
by Sob
Tue Mar 07, 2023 12:21 am
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 2432

Re: Question about ip - address redirection [SOLVED]

Do you see interfaces appearing in vpn-clients list (clients need to reconnect if they were already connected)? It's in Interfaces->Interface List, or "/interface list member print where list=vpn-clients" in CLI.
by Sob
Tue Mar 07, 2023 12:16 am
Forum: Beginner Basics
Topic: Publishing LAN services to the internet with HairPin NAT solution
Replies: 7
Views: 1595

Re: Publishing LAN services to the internet with HairPin NAT solution

The point is whether you have public address (= can have incoming connection from internet) at all. Because it's not automatic, there's shortage of public addresses, so ISPs "hide" their customers behind few public addresses using NAT. Outgoing connections to internet work, but incoming do...
by Sob
Mon Mar 06, 2023 8:43 pm
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 2432

Re: Question about ip - address redirection [SOLVED]

Then as I wrote, interface list is your friend: /interface list add name=vpn-clients /ppp profile add <other options you have> interface-list=vpn-clients /ip firewall nat add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=7012 in-interface-list=vpn-clients action=dst-nat to-addresses=y.y.y.y
by Sob
Mon Mar 06, 2023 6:09 am
Forum: Beginner Basics
Topic: Remote DNS Request, Block Client Device [SOLVED]
Replies: 6
Views: 2176

Re: Remote DNS Request, Block Client Device [SOLVED]

Regular DNS doesn't have anything like user agent. You can use e.g. Wireshark to check what's in packets, but in short, nothing you could use. But you could use L7 to match queries for .srv TLD:
\x03srv.\x01$
by Sob
Mon Mar 06, 2023 4:40 am
Forum: Beginner Basics
Topic: Remote DNS Request, Block Client Device [SOLVED]
Replies: 6
Views: 2176

Re: Remote DNS Request, Block Client Device [SOLVED]

Most likely not, but I can't wait until spammers discover that it would be perfect for generating hard to detect not-clearly-nonsense posts to establish their presence.
by Sob
Mon Mar 06, 2023 4:37 am
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 2432

Re: Question about ip - address redirection [SOLVED]

Anyone can connect if you use only dst-address without any in-interface. If you use dst-address with in-interface=all-ppp, it should be only VPN clients. Unless your internet connection uses PPPoE, I'm not sure about that and I can't test it right now, but it's possible/likely that all-ppp includes ...
by Sob
Mon Mar 06, 2023 1:25 am
Forum: Beginner Basics
Topic: Remote DNS Request, Block Client Device [SOLVED]
Replies: 6
Views: 2176

Re: Remote DNS Request, Block Client Device [SOLVED]

What's the point? Try to share more details. If it's some non-public domain, you could do some filtering on that. But then I'd expect also internal addresses and there would have to be some VPN to access them, so just use it for accessing DNS server too. If it's resolver for regular public domains, ...
by Sob
Mon Mar 06, 2023 1:10 am
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 2432

Re: Question about ip - address redirection [SOLVED]

It's not exactly clear. If you want to make webserver publicly accessible, then drop in-interface=bridge. If it should be accessible only to VPN clients, it's probably best if they connect directly to y.y.y.y. But if you insist that they must connect to x.x.x.x, in-interface=all-ppp should work.
by Sob
Sun Mar 05, 2023 10:16 pm
Forum: General
Topic: Malicious L2TP requests in log
Replies: 5
Views: 2185

Re: Malicious L2TP requests in log

Well, it does seem that even with L2TP server disabled, 1701 is not closed like others, e.g. nmap on unfirewalled device shows: PORT STATE SERVICE 1700/udp closed mps-raft 1701/udp open|filtered L2TP 1702/udp closed deskshare I'm not sure what exactly happens, but you can always use firewall to bl...
by Sob
Sun Mar 05, 2023 8:25 pm
Forum: Beginner Basics
Topic: Publishing LAN services to the internet with HairPin NAT solution
Replies: 7
Views: 1595

Re: Publishing LAN services to the internet with HairPin NAT solution

Support is mainly for thing like bugs. There's nothing clearly wrong in your config (firewall rules could use some reordering, but they don't break anything). So, public IP address *1, do you know what it is and are you absolutely sure that you have one directly on your router *2? *1 not 10.x.x.x, 1...
by Sob
Sun Mar 05, 2023 5:05 am
Forum: General
Topic: When should I turn off loose TCP tracking? [SOLVED]
Replies: 19
Views: 7597

Re: When should I turn off loose TCP tracking? [SOLVED]

@anav: It might break your heart, but did I mention that I don't know everything? ;)
by Sob
Sun Mar 05, 2023 5:01 am
Forum: Beginner Basics
Topic: Allowing 2 IP addresses to point to a different DNS
Replies: 2
Views: 1186

Re: Allowing 2 IP addresses to point to a different DNS

You can do something like this: /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 add address=192.168.88.100/32 dns-server=192.168.123.45 gateway=192.168.88.1 netmask=24 First is defaults for subnet and second is different config for single device (192....
by Sob
Sat Mar 04, 2023 9:35 pm
Forum: General
Topic: Let's Encrypt - only 1 certificate allowed?
Replies: 9
Views: 2786

Re: Let's Encrypt - only 1 certificate allowed?

I like LE for the automation alone. Being free is nice bonus. Paid certificates always required some annoying manual work. It wasn't too bad when they had very long validity (I don't know what was the maximum, but I used to have some five-year ones), but now we're down to one year. And if it goes ev...
by Sob
Sat Mar 04, 2023 6:50 am
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 5228

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

I can't test it now, but doesn't something like this work? /ip dns static add name=lan type=FWD match-subdomain=yes forward-to=<main router> add name=something.more.specific.lan type=A address=<address> add name=another.more.specific.lan type=FWD forward-to=<another resolver> My guess/expectation is...
by Sob
Sat Feb 25, 2023 11:01 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 2770

Re: Newbie needing help [SOLVED]

Well, this allows your router to be used as DNS resolver. Which is something you may want for your devices in LAN, so not wrong. But if accessible from internet, your router would be open resolver, which is not good, because it really can be used for attacking others. But in OP's case the original c...
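The distinction Sob draws (resolver for the LAN: fine; resolver reachable from the internet: open resolver, usable for amplification against others) as an added example that is not part of the original post. Interface lists LAN and WAN are assumed to exist as in the default config; the upstream resolvers are assumptions too.

```routeros
# Added example (not from the forum post). Keep the router usable as a
# DNS resolver for LAN while making sure it is not an open resolver on
# the internet. LAN/WAN interface lists assumed (default config has them).

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

# Input chain, before the final drop. Order matters: the LAN accept must
# precede the WAN drop, and both must precede any catch-all drop.
/ip firewall filter
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="LAN may use router DNS"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept \
    comment="LAN may use router DNS (TCP)"
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no DNS from internet (open resolver)"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="no DNS from internet (open resolver)"

# allow-remote-requests also opens port 53 on every IPv6 address the
# router has, so the same rules are needed there.
/ipv6 firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no DNS from internet (open resolver, v6)"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="no DNS from internet (open resolver, v6)"

# Checks:
# 1) the WAN drop counters climb by themselves; scanners probe 53 constantly
/ip firewall filter print stats where comment~"open resolver"
/ipv6 firewall filter print stats where comment~"open resolver"
# 2) from an external host, "dig @<public-ip> example.com" must time out,
#    while the same query from a LAN host gets an answer
```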
by Sob
Fri Feb 24, 2023 10:49 pm
Forum: General
Topic: OpenVPN clients not connecting [SOLVED]
Replies: 7
Views: 5838

Re: OpenVPN clients not connecting [SOLVED]

Sorry, one more thing: /ip firewall nat add chain=srcnat src-address=200.151.54.0/24 dst-address=200.151.54.0/24 action=masquerade And about those addresses, it's just that they belong to someone else and it's possible (even though not very likely) that some servers you'd want to access could be usi...
by Sob
Fri Feb 24, 2023 10:42 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 2770

Re: Newbie needing help [SOLVED]

My guess is that it's something on ISP's side. So I'd ask them. Or do you have access to some ISP's device (modem or something) that you can (are able and allowed to) turn off and on again?
by Sob
Fri Feb 24, 2023 10:36 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 2770

Re: Newbie needing help [SOLVED]

My idea was whether you're perhaps replacing some ISP-supplied router, it would be possible that ISP allows it but nothing else. Or is it completely new connection that never worked before? Btw, you lost some rules in "/ip firewall filter". Those you previously had with chain=input, you wa...
by Sob
Fri Feb 24, 2023 9:58 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 2770

Re: Newbie needing help [SOLVED]

So it looks like it's done by ISP's router for some reason. Does it work with some different router or directly connected PC? Could it be e.g. locked to specific device (its MAC address)?
by Sob
Fri Feb 24, 2023 9:49 pm
Forum: General
Topic: OpenVPN clients not connecting [SOLVED]
Replies: 7
Views: 5838

Re: OpenVPN clients not connecting [SOLVED]

Your dstnat rule has options in-interface=pppoe-protocol-intercon and in-interface-list=WAN (both useless) and they limit from where it will work. Drop them and it will be better. And those 200.x.x.x addresses, did you also get them from ISP? If not, you shouldn't use them and choose some from priva...
by Sob
Fri Feb 24, 2023 9:41 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 2770

Re: Newbie needing help [SOLVED]

How do you define "doesn't get Internet"? Regular web browsing doesn't work, but what if you try to open https://1.1.1.1/, does that work? Or ping to some numeric address (e.g. 1.1.1.1 again)? What about ping from router itself (open Terminal and try "ping 1.1.1.1")?
by Sob
Fri Feb 24, 2023 5:50 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 2770

Re: Newbie needing help [SOLVED]

Aside from seriously outdated system (but that's not breaking it), I don't see anything obviously wrong, it looks like good old default config from 2017. If you look at DHCP client (IP->DHCP Client), what does it say? Does it get any IP address? And you do have ISP's router connected to ether1, right?
by Sob
Wed Feb 22, 2023 7:48 pm
Forum: Scripting
Topic: Please remove SSL requirement for REST Api
Replies: 15
Views: 3606

Re: Please remove SSL requirement for REST Api

Don't get me wrong, I'm all for letting people decide. If someone wants unencrypted REST, it should be their choice. I'm also big fan of configurable things. Currently you can enable web server and it's all or nothing (WebFig, REST, ...) => not good. Same for current enable-ssl-certificate, it's har...
by Sob
Wed Feb 22, 2023 7:07 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2671

Re: Why doesn't the port open?

It seems mostly fine. In addition to previous (^^^), you can try to add temporary logging rule, either for specific port: /ip firewall mangle add chain=prerouting in-interface=pppoe-out1 protocol=udp dst-port=7777 connection-state=new action=log log-prefix=new-incoming Or a broad one for all: /ip fi...
by Sob
Wed Feb 22, 2023 6:55 pm
Forum: General
Topic: Ax2 with 7.6 default password problem [SOLVED]
Replies: 15
Views: 6294

Re: Ax2 with 7.6 default password problem [SOLVED]

How does this work exactly? Netinstall still does reset password to blank, right? Or, if the sticker gets lost, will I have a not very practical (but secure!) door stopper?
by Sob
Wed Feb 22, 2023 6:49 pm
Forum: Scripting
Topic: Please remove SSL requirement for REST Api
Replies: 15
Views: 3606

Re: Please remove SSL requirement for REST Api

If self-signed certificate would be enough for you, it's not like it's too difficult to get it now: /certificate add common-name=router.example.net /certificate sign router.example.net it's still inconvenient, because you need to either make the client trust it or ignore it, but it shouldn't be a sh...
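Going one step beyond the two commands in the post, as an added example (not the poster's config): the self-signed certificate bound to www-ssl, plain HTTP switched off, the service limited to the management subnet, and the certificate exported so a REST client can trust that one certificate instead of skipping verification. The name, validity, subnet and hostname are assumptions.

```routeros
# Added example (not from the forum post). Self-signed certificate for
# the router's HTTPS/REST endpoint, then lock the plain-HTTP service down.
# router.example.net and 192.168.88.0/24 are assumptions.

/certificate
add name=www-self common-name=router.example.net days-valid=3650 \
    key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign www-self
# Signing runs in the background; confirm the K (private key) flag is set
# before binding the certificate to a service.
/certificate print detail where name=www-self

/ip service
set www-ssl certificate=www-self disabled=no address=192.168.88.0/24
set www disabled=yes

# Export only the public part (www-self.crt in /file); hand that to the
# REST client so it pins this certificate rather than ignoring errors.
/certificate export-certificate www-self file-name=www-self

# Check from a LAN host after copying the file off the router:
#   curl --cacert www-self.crt -u admin https://router.example.net/rest/system/resource
# A hostname mismatch here means the client did not resolve
# router.example.net to the router; fix DNS or use --resolve, not -k.
```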
by Sob
Wed Feb 22, 2023 6:34 pm
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 5228

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

Dstnat is not good, because it redirects everything, without any fallback. If you have at least common TLD (e.g. .lan), then with recent enough RouterOS (v7), you can do this on other routers: /ip dns static add name=lan type=FWD match-subdomain=yes forward-to=<main router> and it will forward *.lan...
by Sob
Wed Feb 22, 2023 2:00 am
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 5228

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

What I meant is that when one would add internal records in public DNS, in order to solve problem with DoH and other ways how devices can bypass local data, they might end up using some resolver that filters records with private addresses. So you solve one problem, but hit another. As for MikroTik's...
by Sob
Tue Feb 21, 2023 11:16 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2671

Re: Why doesn't the port open?

Not from a screenshot, it can hide some things. But based on your description in first post it should be ok. To be sure, try to run this in Terminal:
/export file=myconfig
and then post content of created myconfig.rsc here in code tags.
by Sob
Tue Feb 21, 2023 11:06 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2671

Re: Why doesn't the port open?

Yes, it's correct and it should work. Even if it wouldn't work completely, you should at least see some incoming packets, counters for dstnat rule (columns Bytes and Packets) should increase. How do you test it?
by Sob
Tue Feb 21, 2023 11:01 pm
Forum: Beginner Basics
Topic: Port Forwarding, firewall and self hosted game server help! [SOLVED]
Replies: 4
Views: 4728

Re: Port Forwarding, firewall and self hosted game server help! [SOLVED]

It's not needed, even if service on router uses some port and dstnat rule is for same one, dstnat sends packets elsewhere before they can reach service on router.
by Sob
Tue Feb 21, 2023 8:54 pm
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 5228

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

Some resolvers may filter private addresses. It's some trouble everywhere you look, we should scrap it all and move to all-public IPv6. :)
by Sob
Tue Feb 21, 2023 8:44 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2671

Re: Why doesn't the port open?

Is it also language barrier that makes you answer only half of questions? :) Now we know that if it starts with 91, it's public address. But we still don't know if your router actually has this address. Once again, look in IP->Addresses, is this address there?
by Sob
Tue Feb 21, 2023 3:29 pm
Forum: General
Topic: layer7 match failed, regexp too complex
Replies: 10
Views: 1913

Re: layer7 match failed, regexp too complex

I admit that I wasn't sure, but it seems that except IN it's all long time dead (only bind nameserver supposedly misuses CH to show its version, but I wouldn't be sure about that either, because lately showing versions tends to be avoided).
by Sob
Tue Feb 21, 2023 2:56 pm
Forum: General
Topic: layer7 match failed, regexp too complex
Replies: 10
Views: 1913

Re: layer7 match failed, regexp too complex

Feel free to enlighten me, but DNS query packet ends with two bytes for type followed by two bytes for class. In type there's 001C, 00 gets dropped, so we're looking for 1C (lowercase \x1c is fine). Class could in theory be 0x0000-0xFFFF, but does anything we might care about use anything else than ...
by Sob
Tue Feb 21, 2023 2:44 pm
Forum: Forwarding Protocols
Topic: Acces The fortigate device from outside the site
Replies: 3
Views: 2777

Re: Acces The fortigate device from outside the site

Ok, I lied. Not intentionally, I probably got misled by RIP and overlooked the obvious. If you want to access something connected to public-ip-lan interface from outside, of course you need to allow it (this will allow full unlimited access, you may or may not want to limit it in some way): /ip fire...
by Sob
Tue Feb 21, 2023 2:33 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2671

Re: Why doesn't the port open?

For start, your "my isp ip" is public (not 10.x.x.x, 100.64-127.x.x, 172.16-31.x.x, 192.168.x.x) and directly on your router (you can see it in IP->Addresses), correct?
by Sob
Tue Feb 21, 2023 2:25 pm
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 5228

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

It doesn't seem very clear, so I'm just guessing... Do you mean local hostnames like workstation1.site1.lan on one router, server1.site2.lan on another, etc? Proper solution would be to run real DNS server(s), i.e. not something RouterOS can do. It could also work with FWD records (not real records ...
by Sob
Mon Feb 20, 2023 9:58 pm
Forum: Beginner Basics
Topic: how to add services / services ports
Replies: 11
Views: 3640

Re: how to add services / services ports

There are two things:
- IP->Services - services that run on router
- IP->Firewall->Service Ports - protocol helpers for firewall, for services that need extra care (e.g. FTP has one main connection that this helper watches and automatically recognizes related connections, so that they could be allow...
by Sob
Mon Feb 20, 2023 6:35 pm
Forum: General
Topic: Configure ProtonVPN on router with VPN active on set of ports?
Replies: 42
Views: 5268

Re: Configure ProtonVPN on router with VPN active on set of ports?

In that case I would simply use 10.2.0.2/24 for IP address on the router. Address as /30 is very limiting.
The point being? If they gave you /32, you should use /32, you won't gain anything by using something else.
by Sob
Mon Feb 20, 2023 5:58 pm
Forum: Forwarding Protocols
Topic: Acces The fortigate device from outside the site
Replies: 3
Views: 2777

Re: Acces The fortigate device from outside the site

I can't say about RIP part, I don't know much about that. Only in firewall, when you drop all incoming packets on pppoe-out1, then allowing something after that is useless, because it will never get there (so you need to swap those rules). Other than that, I don't see any problem.
by Sob
Mon Feb 20, 2023 2:10 pm
Forum: General
Topic: New to mikrotik
Replies: 3
Views: 724

Re: New to mikrotik

Learning yourself is fun. When I found RouterOS, I knew some basics in Linux, network config, bit of iptables, etc. With RouterOS (and especially WinBox) I was like a fish in water. I'm not saying that I knew everything overnight, but most of it was pretty intuitive. Don't look down on WinBox, it's ...
by Sob
Mon Feb 20, 2023 1:48 pm
Forum: General
Topic: Masquerade issue
Replies: 6
Views: 1146

Re: Masquerade issue

Try similar logging rule in srcnat. Use some other condition like source address to match only testing traffic. And check if it shows the right outgoing interface, or if it's another unknown one.
by Sob
Mon Feb 20, 2023 5:02 am
Forum: Beginner Basics
Topic: default route
Replies: 7
Views: 940

Re: default route

Several things in there are weird. For start, I don't see any NAT rule with IP address you could be updating. But I do see default route that might need it (gateway), which is unusual, because normally you just let DHCP client add dynamic default route. Also to have both DHCP servers and clients on ...
by Sob
Mon Feb 20, 2023 4:04 am
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 2192

Re: Trouble with Port Forwarding

Ability to upload with BT or speed of it doesn't have much to do with ability to accept incoming connections. It just makes connecting between clients easier, but it doesn't mean that it would be impossible without it.

Using VPN does need some extra config, which depends on what kind of VPN it is.
by Sob
Mon Feb 20, 2023 3:52 am
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 2192

Re: Trouble with Port Forwarding

@anav: There can be different results, and there's also difference between tcp and udp. In case there wouldn't be any firewall, tcp connection that reaches target host always gets something back, either ack (when something listens on that port = it's open) or rst (when nothing listens there = it's c...
by Sob
Mon Feb 20, 2023 1:34 am
Forum: General
Topic: Basic NAT hairpin rule just doesn't work [SOLVED]
Replies: 14
Views: 3179

Re: Basic NAT hairpin rule just doesn't work [SOLVED]

It all depends on what you want. Even with multiple subnets, you can use dst-address=!192.168.0.0/16 to exclude all internal addresses from this range. Or you can simply not exclude some. E.g. if you have primary LAN and separate LAN for guests, and you want to use WebFig from main LAN only, then if...
by Sob
Mon Feb 20, 2023 12:26 am
Forum: Beginner Basics
Topic: Static DNS records do work strange on Mikrotik [SOLVED]
Replies: 2
Views: 1613

Re: Static DNS records do work strange on Mikrotik [SOLVED]

There's a difference between DNS resolution:
- in Terminal it's done by router
- in WinBox it's done by machine it runs on
- I'm not sure about WebFig
Normally if machine with WinBox uses same router as its DNS resolver, there wouldn't be any difference. But depending on what static records you add, i...
by Sob
Mon Feb 20, 2023 12:07 am
Forum: Beginner Basics
Topic: default route
Replies: 7
Views: 940

Re: default route

The action=masquerade is your friend (instead of action=src-nat).
by Sob
Mon Feb 20, 2023 12:05 am
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 2192

Re: Trouble with Port Forwarding

You need to understand what it does. There may be misleading wording about checking for open ports. But it's actually checking if it's able to connect to something. It knows nothing about your router and its config, and has no means to discover anything about that. Either it will be able to connect ...
by Sob
Mon Feb 20, 2023 12:00 am
Forum: General
Topic: IPSec joining two subnets fail [SOLVED]
Replies: 8
Views: 2091

Re: IPSec joining two subnets fail [SOLVED]

Generally no extra routes should be needed, but it's possible that in your case they are, it depends on how everything is configured.
by Sob
Sun Feb 19, 2023 11:44 pm
Forum: General
Topic: Basic NAT hairpin rule just doesn't work [SOLVED]
Replies: 14
Views: 3179

Re: Basic NAT hairpin rule just doesn't work [SOLVED]

There's always the simple and (almost) foolproof dst-address-type=local. The "almost" part is when you use it with port that you also use to manage router, e.g. 80 when you use WebFig on default port, that will lock you out. But you can combine it with dst-address=!192.168.69.1 to exclude ...
by Sob
Sun Feb 19, 2023 11:18 pm
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 2192

Re: Trouble with Port Forwarding

I mean, when you're using port checker, at that moment, is there any software running on internal device and listening on that port? It must be, otherwise there will be no response. You can't open port "for later" without something actively using it and have it shown as open.
by Sob
Sun Feb 19, 2023 11:11 pm
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 2192

Re: Trouble with Port Forwarding

Are you sure that on your 10.10.22.241 device something definitely listens on tcp port 65472, it's not blocked by device's own firewall, device has this router as its default gateway, etc?
by Sob
Sun Feb 19, 2023 10:40 pm
Forum: General
Topic: layer7 match failed, regexp too complex
Replies: 10
Views: 1913

Re: layer7 match failed, regexp too complex

L7 strips zero bytes, so you can't work with them at all. You can take 1c from type and 01 from class and look for them at the end:
/ip firewall layer7-protocol
add name=dns-aaaa regexp="\\x1c\\x01\$"
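Added example, not code from this post or from RouterOS: a small Python model of what the layer7 matcher is working against, covering both this reply's regexp and the "two bytes for type followed by two bytes for class" explanation in the Feb 21 reply further up this thread. The query packets are constructed inline, the zero-byte stripping is an approximation of the L7 behaviour described in the post, and the EDNS OPT case is an added caveat: a resolver that appends an OPT record (most modern ones do) makes the packet no longer end with the question's type/class, so the pattern stops matching.

```python
import re
import struct

# Constructed sample packets: minimal DNS queries per RFC 1035 (header + one question),
# optionally followed by an EDNS(0) OPT record in the additional section.
QTYPE_A, QTYPE_AAAA = 1, 28          # AAAA is 0x001c
QCLASS_IN, QCLASS_CH = 1, 3          # IN is 0x0001


def build_query(name: str, qtype: int, qclass: int = QCLASS_IN, edns: bool = False) -> bytes:
    """Wire form of a single-question DNS query (transaction id fixed for reproducibility)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, qclass)
    if edns:
        # OPT RR: root name, type 41, "class" = UDP payload size 4096, TTL 0, RDLENGTH 0
        packet += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return packet


def l7_view(payload: bytes) -> bytes:
    """Approximation of what the RouterOS layer7 matcher sees: zero bytes are dropped."""
    return payload.replace(b"\x00", b"")


# The pattern from the post, "\x1c\x01$", as a Python bytes regex.
DNS_AAAA_RE = re.compile(rb"\x1c\x01$")


def matches_aaaa(payload: bytes) -> bool:
    """True if the layer7 view of the payload ends with type AAAA, class IN."""
    return DNS_AAAA_RE.search(l7_view(payload)) is not None


def trailer_hex(payload: bytes, n: int = 4) -> str:
    """Last n bytes of the layer7 view, to see what the regexp is actually matched against."""
    return l7_view(payload)[-n:].hex()


if __name__ == "__main__":
    for label, pkt in [
        ("AAAA IN", build_query("example.com", QTYPE_AAAA)),
        ("A IN", build_query("example.com", QTYPE_A)),
        ("AAAA CH", build_query("example.com", QTYPE_AAAA, QCLASS_CH)),
        ("AAAA IN + EDNS OPT", build_query("example.com", QTYPE_AAAA, edns=True)),
    ]:
        print(f"{label:20} trailer={trailer_hex(pkt)} match={matches_aaaa(pkt)}")
```

The A query ends with "01 01" after stripping and does not match; the AAAA/IN query ends with "1c 01" and does; a CH-class query does not; and the same AAAA query with an OPT record appended ends with "29 10", so the regexp misses it, which is worth checking in a packet capture before relying on this matcher for anything beyond a quick experiment.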
by Sob
Sat Feb 18, 2023 4:46 am
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

If we're talking about single NAT, this is best suited for ancient/dumb/ignorant client. "If I connect to some server and tell it that I'm alive, then server sees my address and port I'm using, and if I'm listening on that, then anyone who server tells it to can connect to me, right? What? My r...
by Sob
Sat Feb 18, 2023 3:29 am
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

Automatic stuff, if it means that mapping created by outgoing connection also serves for new independent incoming connections, comes from this NAT type itself and doesn't need anything else. That's why it's in both srcnat and dstnat chains. The one in srcnat can be exactly same as existing masquerad...
by Sob
Sat Feb 18, 2023 1:02 am
Forum: Beginner Basics
Topic: DDNS for my server with IP/Cloud?
Replies: 11
Views: 4270

Re: DDNS for my server with IP/Cloud?

I wouldn't say it's complicated. It's slightly different. If you have only IPv4, then with typical setup you have one public address on router, so it's one hostname and it covers all internal servers you might have. MikroTik's DDNS works and it's just few clicks. If you add IPv6, then every device h...
by Sob
Fri Feb 17, 2023 11:29 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

But why!? (@Sob!) Just because you can or is fun to have?? Bring us the real problem! What did I do? I'm just explaining and discussing interesting technical thing. Because it's just that, interesting. I'm not saying that MikroTik should drop everything else and add this, not even necessarily add i...
by Sob
Fri Feb 17, 2023 10:02 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

@Znevna: I agree that it's slightly weird. I suppose you can see the possible problem and how this solves it *1 , right? The weird part is, how is it actual problem, unless we're talking about some software from pre-NAT times? Because anything aware of NAT must assume that direct incoming connection...
by Sob
Fri Feb 17, 2023 8:32 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

Don't overthink it, it's just a tool, it's up to you how you use it. Take the netfilter module from first post (https://github.com/Chion82/netfilter-full-cone-nat). If it was in RouterOS, you could do e.g:
/ip firewall nat
add chain=srcnat src-address-list=consoles protocol=udp out-interface=WAN act...
by Sob
Fri Feb 17, 2023 8:01 pm
Forum: General
Topic: IPSec joining two subnets fail [SOLVED]
Replies: 8
Views: 2091

Re: IPSec joining two subnets fail [SOLVED]

There are different levels. Routing needs a route (but in this case even default one is enough). With proxy ARP I'm not completely sure, there were some changes, possibly bugs, but route pointing to different interface than LAN should be sure bet. It's even possible that it's not needed and default ...
by Sob
Fri Feb 17, 2023 6:05 pm
Forum: General
Topic: IPSec joining two subnets fail [SOLVED]
Replies: 8
Views: 2091

Re: IPSec joining two subnets fail [SOLVED]

Because IPSec carries only IP packets (= L3). You can have L2 with EoIP, but then you'll have to deal with different problems, at least some DHCP isolation would be required if each site should have own server. If you stick with IPSec, for proxy ARP to work, you'll need routes to remote sites. As fo...
by Sob
Fri Feb 17, 2023 5:51 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

Correct. But with <whatever_it_would_be_called> NAT being dynamic and creating incoming dstnats for each outgoing connection, one public address would be good enough for several consoles.
by Sob
Fri Feb 17, 2023 5:47 pm
Forum: General
Topic: IPSec joining two subnets fail [SOLVED]
Replies: 8
Views: 2091

Re: IPSec joining two subnets fail [SOLVED]

But why? You won't have L2 connectivity anyway. And if it's only L3, you might as well go with clean and simple separate subnets. But if you insist, it should be possible. Currently you have problem on site A, because e.g. 192.168.10.200 has /24, so it thinks that even remote 192.168.10.10 is local....
by Sob
Fri Feb 17, 2023 5:34 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

as you can see RouterOS also maps to the same inside global ip and port for all streams. Yes. But now when 3.3.3.3 tries to connect to x.x.x.x:12345, will it reach 192.168.88.115:12345? No, because RouterOS will correctly see it as new unsolicited connection. But this <whatever_it_would_be_called> ...
by Sob
Fri Feb 17, 2023 5:15 pm
Forum: General
Topic: Masquerade issue
Replies: 6
Views: 1146

Re: Masquerade issue

Check VRF and hidden interfaces. I was under impression that it's already fixed/handled, but maybe not everywhere? I think I didn't test NAT myself.
by Sob
Fri Feb 17, 2023 4:03 pm
Forum: General
Topic: Feature requests
Replies: 1788
Views: 672516

Re: Feature requests

Who decided that everything in web browser is the right way? I for one say it's not. Don't touch my toys! ;)
by Sob
Fri Feb 17, 2023 3:41 pm
Forum: Beginner Basics
Topic: Slow bandwidth debian server behind NAT
Replies: 8
Views: 1561

Re: Slow bandwidth debian server behind NAT

It's definitely not that RouterOS couldn't handle port forwarding. Slightly wrong VLAN and IP config shouldn't do it either. Same goes for seemingly unnecessary proxy ARP. But what if you forget about dual WAN for a moment (disable DHCP client on ether10) and try with only single connection, does it ...
by Sob
Fri Feb 17, 2023 2:24 am
Forum: Beginner Basics
Topic: DDNS for my server with IP/Cloud?
Replies: 11
Views: 4270

Re: DDNS for my server with IP/Cloud?

Well, it's confusing. I mistakenly read it as "Works fine as long as my internet supplier does not change addresses IP addresses." Looking at OP's older threads (and I participated there too, who would have thought :)), that's not the case ("My internet provider does not change the pr...
by Sob
Thu Feb 16, 2023 7:38 pm
Forum: Beginner Basics
Topic: mikrotik connect to proxy and share internet to another bridge
Replies: 7
Views: 1483

Re: mikrotik connect to proxy and share internet to another bridge

Short answer: NO Long answer: Maybe. It would work with transparent proxy and requests that could be intercepted this way, e.g. HTTP (but not HTTPS). So in practice it's NO again. Other way would be to make clients aware of proxy. Manual config would be impractical, but there may be some chance with...
by Sob
Thu Feb 16, 2023 7:28 pm
Forum: General
Topic: The ISP provides two IP addresses (by DHCP and PPPoE) on one WAN port
Replies: 6
Views: 1087

Re: The ISP provides two IP addresses (by DHCP and PPPoE) on one WAN port

MAC addresses alone are not that big problem, it may look weird at first, but VRRP hack works.
by Sob
Thu Feb 16, 2023 7:20 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

@anav: Be careful with untrusted others. UPnP's problem is lack of security. You can help it a bit, e.g. you can control who uses it (or more precisely who can control it), by allowing access only from some devices (firewall filtering by IP or better MAC address) or interfaces. So you can allow acce...
by Sob
Thu Feb 16, 2023 6:54 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

UPnP should be solution (for single NAT) for everything that supports it. That should be any non-ancient game. Unless authors were too progressive and went only with more modern PCP. It wouldn't be wisest choice to support only that without UPnP as backup, but if you wanted, you could partially blam...
by Sob
Thu Feb 16, 2023 6:11 pm
Forum: General
Topic: IPv6 SLAAC
Replies: 3
Views: 1839

Re: IPv6 SLAAC

On 7.7, yes. Just go in IPv6->Addresses and it should be there. You have to accept RAs first:
/ipv6 settings
set accept-router-advertisements=yes
And also reboot to make it work, because in v7 the change no longer applies immediately, which is most likely bug.
by Sob
Thu Feb 16, 2023 6:01 pm
Forum: Beginner Basics
Topic: DDNS for my server with IP/Cloud?
Replies: 11
Views: 4270

Re: DDNS for my server with IP/Cloud?

It shouldn't be difficult, luckily I don't need it myself, so my experience is limited, but at first sight there are different tools ready for the job (e.g. ddclient). And if you're using own domain (as it seems you do), then if there's some API for its DNS, you can do it without relying on any othe...
by Sob
Thu Feb 16, 2023 4:15 pm
Forum: Beginner Basics
Topic: DDNS for my server with IP/Cloud?
Replies: 11
Views: 4270

Re: DDNS for my server with IP/Cloud?

Admittedly unhelpful advice: The only proper solution is to tell ISP to stop doing stupid things and keep static addresses.

DDNS is just hotfix with various problems. But if it's unavoidable, it's probably best/easiest to use some independent DDNS on server itself.
by Sob
Thu Feb 16, 2023 1:26 am
Forum: General
Topic: What are your show stoppers for migrating to ROS7?
Replies: 22
Views: 2259

Re: What are your show stoppers for migrating to ROS7?

At home it's 6to4 instantly crashing system (SUP-97719). I need it to work, because it's still my source of IPv6 (ISP didn't yet manage to provide native IPv6 and I don't like third party tunnels). It might be useful indicator of v7 maturity. Given its low popularity, when they fix this, they probab...
by Sob
Thu Feb 16, 2023 12:01 am
Forum: Beginner Basics
Topic: VPN IPSEC cant ping from one side [SOLVED]
Replies: 6
Views: 3396

Re: VPN IPSEC cant ping from one side [SOLVED]

Current bytes = 0 means that nothing is sent or received. But if you're pinging from router, it's expected, you need to set source address, because it's choosing wrong one:
/ping src-address=192.168.55.1 address=192.168.7.1
by Sob
Wed Feb 15, 2023 10:52 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

Well, the definition by itself is not completely clear. For full cone it says that "all requests from the same internal IP address and port are mapped to the same external IP address and port ", but that's not necessarily same internal and external port number. So i.i.i.i:1234 always mappe...
by Sob
Wed Feb 15, 2023 10:25 pm
Forum: General
Topic: Proxy access list synchronization between multiple devices
Replies: 1
Views: 477

Re: Proxy access list synchronization between multiple devices

Central place and API for updating sounds best to me. It would require some programming, but you could choose any language you like (= much better than suffer with RouterOS scripting; just personal opinion, not objective fact).
by Sob
Wed Feb 15, 2023 10:08 pm
Forum: Beginner Basics
Topic: Port forwarding suddenly stopped working [SOLVED]
Replies: 8
Views: 2419

Re: Port forwarding suddenly stopped working [SOLVED]

The config in first post got somehow shorter and useless to see the problem, but original version had this:
/ip firewall filter
add action=jump chain=forward comment="USER FORWARD CHAIN" jump-target=USERforward
...
add action=accept chain=USERforward dst-address=192.168.16.126 out-interfac...
by Sob
Wed Feb 15, 2023 9:57 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

No, this, as I understand it, solves it. Imagine some udp-based game or another system with p2p communication. If it was ideal NAT-less internet:
- client A sends packet from a.a.a.a:aaa to remote server
- client B sends packet from b.b.b.b:bbb to remote server
- server tells these addresses with po...
by Sob
Wed Feb 15, 2023 8:48 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

If you mean forwarding port ranges to different devices, it wouldn't really work, would it? Not without some configuration on those devices that would force them to use these ports as source. If I'm dstnatting e.g. 1000-1999 to device A and 2000-2999 to device B, then if device A uses e.g. 1500 as so...
by Sob
Wed Feb 15, 2023 8:28 pm
Forum: Beginner Basics
Topic: VPN IPSEC cant ping from one side [SOLVED]
Replies: 6
Views: 3396

Re: VPN IPSEC cant ping from one side [SOLVED]

Those blue unreachable routes to remote subnets (on both routers) are wrong. Right now I'm not sure (temporary brain outage ;)) they are breaking it, I think they shouldn't. But you don't need them, so they can be removed. You can also check if IPSec counters are increasing (in IP->IPSec->Installed ...
by Sob
Wed Feb 15, 2023 8:00 pm
Forum: General
Topic: Ignore/filter a particular MAC on particuar DHCP server
Replies: 5
Views: 814

Re: Ignore/filter a particular MAC on particuar DHCP server

/system logging add topics=dhcp
And then in log:
18:56:32 dhcp,debug LAN received discover id 3870440748 from 0.0.0.0 '1:0:c:29:e0:d9:dd'
18:56:32 dhcp,debug,packet secs = 58
18:56:32 dhcp,debug,packet ciaddr = 0.0.0.0
18:56:32 dhcp,debug,packet chaddr = 00:0C:29:E0:D9:DD
18:56:32 dhcp,debug,packet...
by Sob
Wed Feb 15, 2023 7:53 pm
Forum: General
Topic: "Routing Table" Parameter for IPv6 Routes Not in Effect (v7.5) [SOLVED]
Replies: 17
Views: 6863

Re: "Routing Table" Parameter for IPv6 Routes Not in Effect (v7.5) [SOLVED]

If something doesn't work for you, it's usually good idea to post more details. Someone might want to try to reproduce it. Or they might point some possible mistake of yours. In any case, if you're looking for any useful feedback, it can't hurt.
by Sob
Wed Feb 15, 2023 7:45 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

I think you can't:
- You can have NAT 1:1, but that's only for one internal device (or more, if you have multiple public addresses, but who has enough?)
- You can forward ports manually, but that's missing the "just works without user interaction" part
- You can use UPnP, but it's again no...
by Sob
Wed Feb 15, 2023 7:28 pm
Forum: General
Topic: IPSEC Site-to-Site with Azure virtual Gate very slow [SOLVED]
Replies: 2
Views: 2091

Re: IPSEC Site-to-Site with Azure virtual Gate very slow [SOLVED]

Do you perhaps have firewall that uses fasttrack (https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack; which is not compatible with IPSec)?
by Sob
Wed Feb 15, 2023 7:18 pm
Forum: Announcements
Topic: v7.8rc is released!
Replies: 125
Views: 48717

Re: v7.8rc is released!

Why oh why do you do these things? ;) From the new DNS docs: If DNS static entries list matches the requested domain name, then the router will assume that this router is responsible for any type of DNS request for the particular name. For example, if there is only an "A" record in the lis...
by Sob
Wed Feb 15, 2023 4:21 pm
Forum: Beginner Basics
Topic: Port forwarding suddenly stopped working [SOLVED]
Replies: 8
Views: 2419

Re: Port forwarding suddenly stopped working [SOLVED]

Try this:
/ip firewall filter
add action=accept chain=USERforward connection-nat-state=dstnat
by Sob
Wed Feb 15, 2023 12:23 am
Forum: General
Topic: RouterOS DNS service for local domain
Replies: 4
Views: 971

Re: RouterOS DNS service for local domain

It could be the problem with 7.7 erroneously returning NXDOMAIN for AAAA records (or others, but these are most likely to get queried by clients) if you define only A. That was fixed in 7.8 (currently only RC, but otherwise probably not worse than 7.7).
by Sob
Wed Feb 15, 2023 12:15 am
Forum: General
Topic: Does src-net also change source port if needed?
Replies: 4
Views: 1050

Re: Does src-net also change source port if needed?

It depends on client, it's pretty easy with CHR I used. :)
by Sob
Tue Feb 14, 2023 9:21 pm
Forum: General
Topic: Ignore/filter a particular MAC on particuar DHCP server
Replies: 5
Views: 814

Re: Ignore/filter a particular MAC on particuar DHCP server

Doesn't your RouterOS have Block Access checkbox like mine does? Or:
/ip dhcp-server lease
add server=<server> mac-address=xx:xx:xx:xx:xx:xx block-access=yes
by Sob
Tue Feb 14, 2023 8:34 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 49459

Re: FEATURE REQUEST: full cone NAT

So in other words, it's basically alternative to UPnP that works automatically without requiring client to do anything. And the key part is that it can work for multiple clients sharing same public address (unlike mrz's NAT 1:1, which is otherwise fine, but it needs one public address for each inter...
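Added example, not code from this thread or from the netfilter module linked in it: a Python model of the two behaviours compared across these full cone NAT replies, namely the "mapped to the same public ip:port for all streams, but an unsolicited packet from 3.3.3.3 is dropped" case and the client A / client B p2p case. It also shows the masquerade rule discussed in the "Does src-nat also change source port" reply on this page (keep the original source port if free, otherwise pick another). Addresses are made up from documentation ranges, and the port allocation order is a simplification, not how conntrack actually picks ports.

```python
from dataclasses import dataclass, field
from typing import Optional

Endpoint = tuple  # (ip, port)


@dataclass
class Nat:
    """Toy NAT with endpoint-independent *mapping* (one public port per inside ip:port,
    which is what RouterOS masquerade does in practice) and selectable *filtering*:
    full_cone=False -> only the exact remote ip:port a connection went to may answer (default)
    full_cone=True  -> anything addressed to a mapped public port is delivered (full cone)."""
    public_ip: str
    full_cone: bool = False
    mappings: dict = field(default_factory=dict)   # (inside ip, inside port) -> public port
    conntrack: set = field(default_factory=set)    # (public port, remote ip, remote port)
    used_ports: set = field(default_factory=set)

    def _alloc_port(self, wanted: int) -> int:
        # Keep the original source port when it is still free on the public address;
        # otherwise take another one (here simply the lowest free port >= 1024, a simplification).
        if wanted not in self.used_ports:
            return wanted
        port = 1024
        while port in self.used_ports:
            port += 1
        return port

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate an outgoing packet and return the public endpoint it leaves with."""
        if inside not in self.mappings:
            port = self._alloc_port(inside[1])
            self.mappings[inside] = port
            self.used_ports.add(port)
        port = self.mappings[inside]
        self.conntrack.add((port, remote[0], remote[1]))
        return (self.public_ip, port)

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Return the inside endpoint an incoming packet is delivered to, or None if dropped."""
        inside = next((k for k, p in self.mappings.items() if p == public_port), None)
        if inside is None:
            return None                                   # nothing mapped on that port
        if (public_port, remote[0], remote[1]) in self.conntrack:
            return inside                                 # reply to an existing connection
        return inside if self.full_cone else None         # unsolicited: only full cone lets it in


def p2p_reachable(nat_a: Nat, a: Endpoint, nat_b: Nat, b: Endpoint,
                  server: Endpoint, punch: bool) -> bool:
    """A and B sit behind different NATs, both register with a rendezvous server, and the
    server tells A B's public endpoint. Returns whether A's first packet to B gets through.
    punch=True models NAT-aware software: B sends one packet towards A's public endpoint first."""
    a_pub = nat_a.outbound(a, server)
    b_pub = nat_b.outbound(b, server)
    if punch:
        nat_b.outbound(b, a_pub)
    a_pub = nat_a.outbound(a, b_pub)   # A's packet to B leaves with the same mapping
    return nat_b.inbound(a_pub, b_pub[1]) == b


if __name__ == "__main__":
    server = ("198.51.100.7", 3478)
    for cone in (False, True):
        nat = Nat("203.0.113.5", full_cone=cone)
        nat.outbound(("192.168.88.115", 12345), server)
        print(f"full_cone={cone}: unsolicited from 192.0.2.3 ->",
              nat.inbound(("192.0.2.3", 40000), 12345))
```

With the default behaviour the unsolicited packet is dropped and the p2p case only works when both sides punch; with the full cone variant a single outbound packet is enough, which is exactly why it needs the same care as UPnP about who behind the NAT is allowed to open ports this way.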
by Sob
Tue Feb 14, 2023 3:42 pm
Forum: General
Topic: Howto copy configuration from RB951G-2HnD to hAP ax3 ? [SOLVED]
Replies: 13
Views: 2895

Re: Howto copy configuration from RB951G-2HnD to hAP ax3 ? [SOLVED]

Certificates are not a problem if you don't have any. Otherwise, unfortunately, yes, because export doesn't include them.
by Sob
Tue Feb 14, 2023 3:08 pm
Forum: General
Topic: Failover (WAN Backup) tutorial - trying to understand
Replies: 17
Views: 7061

Re: Failover (WAN Backup) tutorial - trying to understand

Says the king of hijackers. ;) Mine was just a quick note that no, official tutorial with multiple routing tables is not necessarily broken.
by Sob
Tue Feb 14, 2023 2:54 pm
Forum: General
Topic: Failover (WAN Backup) tutorial - trying to understand
Replies: 17
Views: 7061

Re: Failover (WAN Backup) tutorial - trying to understand

I didn't study it in detail, but @anav's examples seem to be simple fixed-role primary/backup. So ISP1 is always primary and ISP2 is used only when ISP1 fails. One routing table is enough for that. Multiple routing tables would be needed if you'd want to have group of devices using ISP1 and ISP2 as ...
by Sob
Tue Feb 14, 2023 2:37 pm
Forum: Beginner Basics
Topic: VPN IPSEC cant ping from one side [SOLVED]
Replies: 6
Views: 3396

Re: VPN IPSEC cant ping from one side [SOLVED]

It seems overcomplicated. You probably don't need mode config and extra addresses, just simple static tunnel between subnets. Also plain IPSec is different from L2TP, it doesn't give you any new interface and doesn't use routes the same way. Instead it defines what should go to tunnel using policies...
by Sob
Tue Feb 14, 2023 2:05 pm
Forum: General
Topic: RouterOS DNS service for local domain
Replies: 4
Views: 971

Re: RouterOS DNS service for local domain

So it works for some but not all? Then it means that RouterOS is doing something and it would need a closer look (e.g. catch and examine some packets) to see what's wrong.
by Sob
Tue Feb 14, 2023 1:41 pm
Forum: Beginner Basics
Topic: finevpn on mikrotik
Replies: 1
Views: 1082

Re: finevpn on mikrotik

From quick look it seems that VPN provider uses Wireguard. So see section (7) in viewtopic.php?t=182340 to get started. If you'd want to use VPN only for selected source devices and/or destinations, it's possible too.
by Sob
Tue Feb 14, 2023 1:06 pm
Forum: General
Topic: Does src-net also change source port if needed?
Replies: 4
Views: 1050

Re: Does src-net also change source port if needed?

Yes it will. It has to, otherwise it wouldn't work. It tries to keep original port if the mapping (newsrcaddr:srcport<->dstaddr:dstport) is free, but if not, it will change srcport.
by Sob
Mon Feb 13, 2023 7:34 pm
Forum: General
Topic: DNS over HTTPS
Replies: 265
Views: 131916

Re: DNS over HTTPS

1.1 Yes and no. You can skip certificate, set verify-doh-cert=no and it will work. But the point of certificates is to ensure that nobody between you and target server can read or change what you both send and receive. If you don't verify certificates, anyone on the way can fiddle with your data. Yo...
by Sob
Mon Feb 13, 2023 7:02 pm
Forum: General
Topic: Firewall filter by binary / hex Value
Replies: 2
Views: 916

Re: Firewall filter by binary / hex Value

Firewall supports "content" matcher. Only if I remember correctly and nothing changed, any unprintable characters have to be entered using CLI (e.g. content="\01\20\ff") and they will show as garbage in GUI.
by Sob
Mon Feb 13, 2023 6:55 pm
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 121819

Re: v7.7 [stable] is released!

@Miguelin: It's not like they broke everything, it still mostly works. You should probably open new thread and post (much) more info about your problem.
by Sob
Mon Feb 13, 2023 6:52 pm
Forum: Beginner Basics
Topic: Tagged VLAN on WAN (HeX)
Replies: 4
Views: 861

Re: Tagged VLAN on WAN (HeX)

In RouterOS you can simply create VLAN interface:
/interface vlan
add interface=<physical interface> name=<name of vlan interface> vlan-id=<vlan number>
by Sob
Mon Feb 13, 2023 11:00 am
Forum: Beginner Basics
Topic: Port forwarding issues
Replies: 6
Views: 1134

Re: Port forwarding issues

The problem with multi WAN is that you need to send responses back the same way the requests came from, but it doesn't happen automatically. You'll need new routing tables (one for each WAN), mark connections based on incoming interface, and then mark routing for responses. See e.g. this example: ht...
by Sob
Mon Feb 13, 2023 10:45 am
Forum: Containers
Topic: how enable container on CHR\x86? Topic is solved
Replies: 48
Views: 48170

Re: how enable container on CHR\x86? Topic is solved

One way to solve it would be if they added confirmation at boot. It would require access to physical or virtual console, i.e. something that any attacker wouldn't have, so it would be safe. User would enable containers and do regular reboot. While booting, system would ask if they really want it (wi...
by Sob
Sun Feb 12, 2023 8:26 pm
Forum: Beginner Basics
Topic: DHCP and ICMP in RAW table instead of standard Firewall
Replies: 7
Views: 1190

Re: DHCP and ICMP in RAW table instead of standard Firewall

It depends. Raw happens right at the beginning, so you can deal with something before any heavy processing starts. Especially if you're going to drop something anyway, doing it in raw should be more efficient. But don't ask about details, I don't have any numbers to show how much.
by Sob
Sun Feb 12, 2023 8:14 pm
Forum: Beginner Basics
Topic: How to DST-NAT through 2 routers for remote access
Replies: 5
Views: 2379

Re: How to DST-NAT through 2 routers for remote access

You successfully neutralized your firewall (by disabling #6 and #14 you now allow pretty much everything; probably not the best plan), but other than that, it's hard to tell. The image doesn't seem very clear. Is the server behind second (blue) router or not? Its LAN is connected to it, but its WAN ...
by Sob
Sun Feb 12, 2023 5:29 pm
Forum: Beginner Basics
Topic: Port forwarding issues
Replies: 6
Views: 1134

Re: Port forwarding issues

And regarding the actual port forwarding, you can't forward it to 256 addresses at once, you need to-addresses=<single address>.
by Sob
Sun Feb 12, 2023 3:09 pm
Forum: General
Topic: Wireguard only works from wg-interface-ip
Replies: 6
Views: 1144

Re: Wireguard only works from wg-interface-ip

That's not it. You can use an IP address as gateway, but WG doesn't really care, it decides itself where to send packets, based on the peers' allowed-address. E.g. if you'd have a WG interface with 10.0.0.1/24 and two peers:
- peer1, allowed addresses 10.0.0.2, 192.168.2.0/24
- peer2, allowed addresses 10.0....
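The selection the post describes is WireGuard's cryptokey routing: the allowed-address lists act as the routing table for the tunnel, and the same lists also decide whether a decrypted inbound packet is accepted. The Python below models that behaviour; it is an added illustration, not RouterOS or WireGuard code and not part of the post. The peer names and peer2's prefixes (10.0.0.3, 192.168.3.0/24) are constructed sample data standing in for the truncated example above.

```python
"""Model WireGuard cryptokey routing over peers' allowed-address lists.

Added example. Outgoing: the peer whose allowed-address contains the
destination with the longest prefix wins; no match means the packet is
dropped, whatever the kernel route said. Inbound: a packet decrypted
with a peer's key is accepted only if its source lies inside that
peer's allowed-address.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample modelled on the post's 10.0.0.1/24 interface.
# peer2's prefixes are invented for the example.
PEERS: Dict[str, List[str]] = {
    "peer1": ["10.0.0.2", "192.168.2.0/24"],
    "peer2": ["10.0.0.3", "192.168.3.0/24"],
}


def _networks(prefixes: List[str]):
    # A bare address such as "10.0.0.2" becomes a /32 (or /128 for IPv6).
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def select_peer(dst: str, peers: Dict[str, List[str]] = PEERS) -> Optional[str]:
    """Return the peer that will receive a packet for dst, or None.

    Longest prefix match across all peers' allowed-address entries; a
    destination covered by no peer is unroutable through the tunnel.
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, prefixes in peers.items():
        for net in _networks(prefixes):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peer: str, src: str, peers: Dict[str, List[str]] = PEERS) -> bool:
    """Accept a decrypted packet from peer only if src is allowed for it.

    This is the anti-spoofing half of cryptokey routing: a peer cannot
    inject packets claiming an address it was not given.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _networks(peers.get(peer, [])))


if __name__ == "__main__":
    for dst in ("192.168.2.10", "10.0.0.3", "10.0.0.5"):
        print(dst, "->", select_peer(dst))
    print("peer1 sending as 192.168.3.5 accepted:", accept_inbound("peer1", "192.168.3.5"))
```

The third destination, 10.0.0.5, sits inside the interface's own /24 yet reaches no peer, which is the situation the post is pointing at: the route table can say "send it over wg", but without a matching allowed-address WireGuard has nowhere to send it.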
by Sob
Sun Feb 12, 2023 2:46 pm
Forum: The Dude
Topic: Newbie Questions for Dude
Replies: 3
Views: 3433

Re: Newbie Questions for Dude

Correction, it's Tools->Layout. And even the Undo button works. So I wonder if before it didn't or I somehow missed it.
by Sob
Sun Feb 12, 2023 6:12 am
Forum: General
Topic: Zerotier and Streaming
Replies: 42
Views: 9546

Re: Zerotier and Streaming

He's not selfish and wants everyone to have same fun. :)
by Sob
Sun Feb 12, 2023 6:07 am
Forum: The Dude
Topic: Newbie Questions for Dude
Replies: 3
Views: 3433

Re: Newbie Questions for Dude

I think it's those "Item alignment" buttons at the top. As I remember, the result wasn't too bad. I mean at first. But later, after you fine tune it by moving different things and accidentally press it again, it's tragic. ;)
by Sob
Fri Feb 10, 2023 12:48 pm
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 121819

Re: v7.7 [stable] is released!

Yes, lately it's breaking a bit too much. As in my example, there was default (and actually the only) behaviour since forever, and everyone relied on it, knowingly or accidentally. It's one thing to change default, it can be annoying, but sometimes it's inevitable. But not even an option to get the ...
by Sob
Fri Feb 10, 2023 3:21 am
Forum: General
Topic: HTTPS-redirect with RoS 7.5 - bad news for hotspots...
Replies: 10
Views: 5842

Re: HTTPS-redirect with RoS 7.5 - bad news for hotspots...

But it never really worked anyway. Or did it? I mean properly, without certificate errors. Any client should be aware that hotspots exist and try to detect them automatically. If that doesn't work with your hotspot for some reason, it's probably best to try to find out why. Because it should, and then y...
by Sob
Fri Feb 10, 2023 3:04 am
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 121819

Re: v7.7 [stable] is released!

*) dns - query upstream DNS servers for other record types even if static entry exists;
This change, while not necessarily wrong, is not great either. Previously when I set record of any type, it took over the whole name, i.e. it blocked all other types from upstream. Simple example, public server ...
by Sob
Fri Feb 10, 2023 1:39 am
Forum: General
Topic: Creating static DNS A records with v7.7
Replies: 9
Views: 2237

Re: Creating static DNS A records with v7.7

Perhaps it's a puzzle for fans, to let them discover new features in some more exciting way than just reading the docs. Or it's some cunning plan how to discover what people want, by watching what they try to do with it, without asking them directly. Or just whoever is in charge of documentation is ...
by Sob
Thu Feb 09, 2023 5:01 am
Forum: General
Topic: DNS forwarding - multiple DNS servers?
Replies: 3
Views: 9199

Re: DNS forwarding - multiple DNS servers?

AFAIK the only failover for FWD that ever sort of worked is:
/ip dns static
add type=A name=myns.tld address=x.x.x.x
add type=A name=myns.tld address=y.y.y.y
add type=FWD name=example.net match-subdomain=yes forward-to=myns.tld
It's far from perfect, because it's dumb round robin. First query goes t...
by Sob
Thu Feb 09, 2023 3:43 am
Forum: General
Topic: Port Forwarding not working for WAN VRRP setup [SOLVED]
Replies: 2
Views: 1919

Re: Port Forwarding not working for WAN VRRP setup [SOLVED]

Your rules don't use destination addresses, the only condition related to that is in-interface-list=WAN. Possible explanation is that your WAN list contains parent interface, but not the VRRP one. But since that one is seen as incoming interface for packets to x.x.x.3, it doesn't work. But you proba...
by Sob
Thu Feb 09, 2023 2:00 am
Forum: General
Topic: Creating static DNS A records with v7.7
Replies: 9
Views: 2237

Re: Creating static DNS A records with v7.7

That's not what it's for. It doesn't get addresses from list, it adds addresses to list. For more details see: viewtopic.php?p=952360#p952360
by Sob
Sat Dec 24, 2022 1:30 pm
Forum: General
Topic: Let's Encrypt - only 1 certificate allowed?
Replies: 9
Views: 2786

Re: Let's Encrypt - only 1 certificate allowed?

No, it's RouterOS. The whole thing is basically like an early alpha version that leaked out prematurely. It's fine as techdemo, but not actually usable yet. You can get one certificate, it works, and that's it. It doesn't even renew, at least not automatically. You can't request another one (for dif...
by Sob
Fri Dec 23, 2022 10:52 pm
Forum: Announcements
Topic: v7.7rc is released!
Replies: 259
Views: 94900

Re: v7.7rc is released!

Now that we have containers, it may be time to leave some things in the dust (like SMB server, proxy, hotspot, and apparently also DNS resolver) and focus on routing again.
I'd rather if they didn't. It's my fear of containers, that they could serve as excuse for MikroTik to not implement some thin...
by Sob
Fri Dec 23, 2022 6:44 pm
Forum: Announcements
Topic: v7.7rc is released!
Replies: 259
Views: 94900

Re: v7.7rc is released!

Now once you add an A or AAAA entry, both A and AAAA records are handled by static entries. We will discuss this internally once more and will decide how to proceed.
Unless you use DoH:
/ip dns set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query
/ip dns static add name=forum.mikr...
by Sob
Thu Dec 22, 2022 7:04 pm
Forum: General
Topic: NO WAY?! AI writes Mikrotik-Scripts...
Replies: 23
Views: 4789

Re: NO WAY?! AI writes Mikrotik-Scripts...

Some declarations just turn out to be premature. :)
by Sob
Wed Dec 21, 2022 7:57 pm
Forum: General
Topic: Renewing Let's Encrypt SSL Certificate [SOLVED]
Replies: 10
Views: 16343

Re: Renewing Let's Encrypt SSL Certificate [SOLVED]

That's not what I meant. First, out of the three hostnames, only one could possibly make sense: acme-v02.api.letsencrypt.org is the one the LE client is connecting to, acme-staging-v02.api.letsencrypt.org is the testing (non-production) version of that, and letsencrypt.org is just for the public website. But as ...
by Sob
Wed Dec 21, 2022 2:17 pm
Forum: General
Topic: Renewing Let's Encrypt SSL Certificate [SOLVED]
Replies: 10
Views: 16343

Re: Renewing Let's Encrypt SSL Certificate [SOLVED]

I'm not sure it's supposed to work, see:

https://letsencrypt.org/docs/faq/#what- ... web-server