Search found 6602 matches

by Sob
Thu Dec 02, 2021 1:48 am
Forum: General
Topic: Using Let's Encrypt for SSTP
Replies: 13
Views: 658

Re: Using Let's Encrypt for SSTP

@mike6715b: Few things:
- I may be wrong, but I doubt that fetch supports encrypted ftp. And if you really don't have encrypted private key, transferring it over plaintext connection wouldn't be secure at all.
- The script itself is not very reliable, you should first get new certificate, import it,...
by Sob
Thu Dec 02, 2021 1:25 am
Forum: General
Topic: SMB share shows only 128MB of free space
Replies: 8
Views: 1563

Re: SMB share shows only 128MB of free space

If you want comment from MikroTik, write to support. This is officially a user forum, and while MikroTik employees do visit, they may not read everything. Some may think that it's just an excuse, but there really is a lot of stuff here.
by Sob
Thu Dec 02, 2021 1:05 am
Forum: General
Topic: Using Let's Encrypt for SSTP
Replies: 13
Views: 658

Re: Using Let's Encrypt for SSTP

Whether you need to upload private key depends on LE client, if it reuses the old one, or creates new one. New key for every certificate is probably default, at least judging by few LE clients I've seen. Even if it stays the same, I don't know if RouterOS would take it from previous certificate. Als...
by Sob
Thu Dec 02, 2021 12:23 am
Forum: Scripting
Topic: Script on other RB
Replies: 14
Views: 541

Re: Script on other RB

I'm not sure if I get it. You want multiple SSTP clients configured on remote routers that are probably not really under your control, otherwise you'd know what LAN subnets they have. So you'll need someone who will configure such router for outbound SSTP connection, and that person will obviously n...
by Sob
Wed Dec 01, 2021 11:50 pm
Forum: General
Topic: dhcp client get`s wrong dns
Replies: 21
Views: 612

Re: dhcp client get`s wrong dns

It seems to be getting complicated. First it looked like simple DHCP misconfiguration on ISP's side and them refusing to admit that it may even be the case. Not very usual, but not completely impossible. Now there's another layer with L2TP, with servers on internal hostnames, which is also part of h...
by Sob
Wed Dec 01, 2021 11:35 pm
Forum: General
Topic: new DNS FWD not working [SOLVED]
Replies: 9
Views: 314

Re: new DNS FWD not working [SOLVED]

It would have been so nice if MikroTik did it the same way as everyone else does. Simply let users say that example.com and everything under it should be forwarded to selected server or servers, for redundancy , without completely unnecessary regexps, let it play along with DoH, etc. I'm huge fan of...
by Sob
Wed Dec 01, 2021 11:03 pm
Forum: Beginner Basics
Topic: subnets
Replies: 11
Views: 588

Re: subnets

No firewall = everything is open (it's btw good idea to fix that). And port 443 is usually used by https, so web. Seems unusual that it would be used for some kind of autodiscovery.
by Sob
Wed Dec 01, 2021 6:18 pm
Forum: General
Topic: Round Robin DNS for local host [SOLVED]
Replies: 3
Views: 148

Re: Round Robin DNS for local host [SOLVED]

Quick test says that RouterOS returns all defined addresses, so client is free to choose. And in case it uses the first one, you're still in luck, because RouterOS changes order of addresses in each response. As for testing what's alive, that could be done using script, either a scheduled one where ...
by Sob
Wed Dec 01, 2021 5:57 pm
Forum: General
Topic: dhcp client get`s wrong dns
Replies: 21
Views: 612

Re: dhcp client get`s wrong dns

Also, you can easily disprove the "broken router" theory by connecting something else to ISP, e.g. your PC. You'll see what DNS it gets.
by Sob
Wed Dec 01, 2021 5:38 pm
Forum: General
Topic: DNS forward problem since using Win 11 *hard nut to crack*
Replies: 15
Views: 905

Re: DNS forward problem since using Win 11 *hard nut to crack*

Actually, if you didn't solve the problem shown by packet capture, where something did respond to query for nas.ts, saying that the domain doesn't exist, then Windows DNS cache is just doing what it's supposed to. The answer was clear - domain doesn't exist. So it's unlikely to start existing the ne...
by Sob
Wed Dec 01, 2021 4:58 am
Forum: Wireless Networking
Topic: /30 IP Pool with Disc Lite 5 as CPE
Replies: 1
Views: 95

Re: /30 IP Pool with Disc Lite 5 as CPE

It depends. I don't have much experience with PPPoE, so I don't know if the client somehow handles it, or if it's just subnet routed to you. If it's the latter, then you can simply route those addresses anywhere else you want with "/ip route". And not just two, but all four of them.
by Sob
Wed Dec 01, 2021 4:49 am
Forum: Beginner Basics
Topic: Winboxing towards a Mikrotik behind NAT [SOLVED]
Replies: 14
Views: 517

Re: Winboxing towards a Mikrotik behind NAT [SOLVED]

@anav: I'm not worried, I wrote it very clearly that it's not the best idea. But I'll make a note about you, on whose side you are. ;)
by Sob
Wed Dec 01, 2021 4:43 am
Forum: General
Topic: Using Let's Encrypt for SSTP
Replies: 13
Views: 658

Re: Using Let's Encrypt for SSTP

@anav: That's a problem with certificates, they are very secure when everything is configured correctly, but to do that can be quite annoying and tricky. You always have to verify them, otherwise they are useless. Self-signed certificates can be as secure as trusted ones, in a way even more secure (...
by Sob
Wed Dec 01, 2021 3:58 am
Forum: Scripting
Topic: Script on other RB
Replies: 14
Views: 541

Re: Script on other RB

As I wrote, the script works for me, even with variables. The problem I had with your original one was IP address it got from "/ip address", because it contains netmask. Even if it's single address, it still has /32 mask appended, and that can't be used as value for route's gateway. After ...
by Sob
Tue Nov 30, 2021 1:53 am
Forum: General
Topic: Using Let's Encrypt for SSTP
Replies: 13
Views: 658

Re: Using Let's Encrypt for SSTP

That should change in the future. There's already LE client in ROSv7, but so far only for www service. I didn't test it, but you can probably write a script to reuse the same certificate for SSTP. But you still need www service running and accessible from internet, which may not be what you want. Bu...
by Sob
Tue Nov 30, 2021 1:16 am
Forum: Beginner Basics
Topic: Winboxing towards a Mikrotik behind NAT [SOLVED]
Replies: 14
Views: 517

Re: Winboxing towards a Mikrotik behind NAT [SOLVED]

Just good practice - for the one time you do accidentally expose it or some kind of attacker makes it on the trusted side of the network. More like security through obscurity. But I can't deny that to some extent it works. As long as you use a complex/secure username/password, opening winbox port i...
by Sob
Tue Nov 30, 2021 12:32 am
Forum: Scripting
Topic: Script on other RB
Replies: 14
Views: 541

Re: Script on other RB

Variables are ok, they just need to have correct values. In this case the address, which you use for gateway, needs to have mask stripped from it. This works for me as system script:
:local addr [/ip address get [find where interface=test1 disabled=no] value-name=address]
:set addr [:pick $addr 0 [...
by Sob
Mon Nov 29, 2021 11:34 pm
Forum: Beginner Basics
Topic: Winboxing towards a Mikrotik behind NAT [SOLVED]
Replies: 14
Views: 517

Re: Winboxing towards a Mikrotik behind NAT [SOLVED]

Are you sure? It seemed to me that you kind of missed OP's question. Or at least the specific request to not suggest other solutions. ;) Btw, what's the point of changing WinBox port when it's not exposed? I get it when it is, it's cheap trick that helps to not get attacked by botnets almost immedia...
by Sob
Mon Nov 29, 2021 9:24 pm
Forum: Beginner Basics
Topic: Winboxing towards a Mikrotik behind NAT [SOLVED]
Replies: 14
Views: 517

Re: Winboxing towards a Mikrotik behind NAT [SOLVED]

Yep, one forwarded tcp 8291 port is enough. Or any other, if you decide to change the number, but then you'd have to enter <address>:<port> in WinBox. And sure, it's not the greatest idea security-wise, so it's better to avoid opening it to whole world. But it's not like you're automatically giving ...
by Sob
Mon Nov 29, 2021 9:06 pm
Forum: Beginner Basics
Topic: subnets
Replies: 11
Views: 588

Re: subnets

If there's no firewall on router, then it's certainly not blocking access between your subnets. It could be the other devices, maybe their firewalls don't like access from other than their local subnet.
by Sob
Mon Nov 29, 2021 8:59 pm
Forum: RouterOS v7 BETA
Topic: socks5 not working in routeros7 !
Replies: 54
Views: 2585

Re: socks5 not working in routeros7 !

It depends on how you see relation between v6 and v7. It's not unreasonable to expect some continuity, if it worked in v6, it should work in v7 too. If not, they broke it. It's not like they wrote everything from scratch. :)
by Sob
Mon Nov 29, 2021 8:56 pm
Forum: Beginner Basics
Topic: hotspot doesn't redirect to login page
Replies: 2
Views: 328

Re: hotspot doesn't redirect to login page

Traditionally it's up to client OS to detect hotspot. When connected to network, it should request some known page, check if it has expected content, and if not, assume there's a hotspot and follow redirection to login pages. All standard systems support it, so unless you were too creative with conf...
by Sob
Sat Nov 27, 2021 6:47 pm
Forum: General
Topic: SSTP - Client connect to LAN but must not use the internet of the VPN
Replies: 2
Views: 195

Re: SSTP - Client connect to LAN but must not use the internet of the VPN

Server can be configured to block internet access from VPN clients. They will still have to change their config, but it will help them to not forget. ;) Or just provide the info in a way that the problem doesn't occur, i.e. Windows 10 users need just one command to add VPN connection: Add-VpnConnect...
by Sob
Sat Nov 27, 2021 3:40 am
Forum: General
Topic: wireless-rep package for RB133 mipsle ?
Replies: 2
Views: 210

Re: wireless-rep package for RB133 mipsle ?

Changelog says it was added in 6.35, so no.
by Sob
Fri Nov 26, 2021 9:04 pm
Forum: Beginner Basics
Topic: Best site to site sertup
Replies: 5
Views: 390

Re: Best site to site sertup

I can't complain about IPSec for site to site.
1) It may not be easy and intuitive at first, but once you figure it out, it's ok.
2) AFAIK it's the only hardware accelerated VPN in RouterOS (if CPU supports it), so you can't get better performance from anything else. I didn't yet compare it with Wir...
by Sob
Fri Nov 26, 2021 8:48 pm
Forum: RouterOS v7 BETA
Topic: socks5 not working in routeros7 !
Replies: 54
Views: 2585

Re: socks5 not working in routeros7 !

I don't know what anyone has against SOCKS, it's lightweight, simple, almost primitive. It's widely supported, so it can be useful when you need to proxy selected applications. It's much simpler than trying to use policy routing or something. Sure, it can be misconfigured, but so can many other thin...
by Sob
Thu Nov 25, 2021 7:30 pm
Forum: General
Topic: How to explain my boss about complexity of RouterOS
Replies: 9
Views: 631

Re: How to explain my boss about complexity of RouterOS

I'd try. Obviously it assumes that for a week this would be the only thing for me and the guy, and boss would have to understand to not expect miracles, or at least I'd tell him that very clearly. The focus would be on maintenance of the existing thing, to be able to fix common problems, to prevent ...
by Sob
Thu Nov 25, 2021 4:25 am
Forum: General
Topic: VPN just for one of the LAN devices when the whole router is using IPSec
Replies: 10
Views: 658

Re: VPN just for one of the LAN devices when the whole router is using IPSec

Probably yes, but it can possibly conflict with the other vpn, if it's the "route everything elsewhere" kind. If I remember correctly, it adds some dynamic rules, so maybe it's necessary to work around that in some way.
by Sob
Thu Nov 25, 2021 4:20 am
Forum: General
Topic: IKEv2 site2site firewall and routes
Replies: 12
Views: 691

Re: IKEv2 site2site firewall and routes

If it's site to site, wouldn't it be easier with plain static tunnel?
/ip ipsec profile add name=r1 <other options>
/ip ipsec peer add address=192.168.50.7 exchange-mode=ike2 name=r1 profile=r1
/ip ipsec proposal add name=r1 <other options>
/ip ipsec identity add peer=r1 secret=<secret>
/ip ipsec po...
by Sob
Thu Nov 25, 2021 3:38 am
Forum: General
Topic: NTT DS-lite IPv4 over IPv6 issues
Replies: 1
Views: 299

Re: NTT DS-lite IPv4 over IPv6 issues

Best for you would be built-in support for DS-Lite in RouterOS, but it currently doesn't exist. The config should be sent by server as some dhcp option, so in theory you may get it from there with lease script. But for dhcpv6 it's supported only in not yet final RouterOS v7. Another downside is that...
by Sob
Thu Nov 25, 2021 2:25 am
Forum: Beginner Basics
Topic: VLAN between Non-wireless router w/ WAP
Replies: 13
Views: 5667

Re: VLAN between Non-wireless router w/ WAP

I don't see how there's connection to switch in the first place. You have three tagged vlans between router's ether3 and switch's ether1. Router is configured to access them, has dhcp server for each, that all looks fine. Switch has same tagged vlans on its ether1 and ether2, that's fine too. But th...
by Sob
Thu Nov 25, 2021 2:00 am
Forum: Useful user articles
Topic: Port Forwarding Not Working, Hairpin NAT & More!!
Replies: 26
Views: 3177

Re: SEXY Hairpin NAT - Some of the Ways To Achieve O......

I'd use different wording here and there, but I don't want to be nitpicking too much and try to turn it into my guide instead of yours. But just one thing, your added "more accurately the router knows its in the same subnet!!" may be true, but irrelevant. Router did forward packet to serve...
by Sob
Thu Nov 25, 2021 1:41 am
Forum: General
Topic: DNS forward problem since using Win 11 *hard nut to crack*
Replies: 15
Views: 905

Re: DNS forward problem since using Win 11 *hard nut to crack*

But you did get response for first query, suggesting that it reached some resolver that doesn't know about nas.ts. You didn't write where this one is defined, but request is to router, so either it should have ended up there, or it should have been forwarded elsewhere, and whichever it was, it didn'...
by Sob
Tue Nov 23, 2021 12:36 am
Forum: General
Topic: Bypass the VPN for SMB access from outside [SOLVED]
Replies: 42
Views: 1926

Re: Bypass the VPN for SMB access from outside [SOLVED]

Not really more secure, just small tweaks, for example in chain=input:
- you allow ports 500, 4500 and 1701, which would be for incoming L2TP/IPSec, but you don't seem to have that, so it's probably not needed
- dns rules with port 53 may not be required either, as access from internet is already bl...
by Sob
Tue Nov 23, 2021 12:22 am
Forum: Beginner Basics
Topic: Avoiding double NAT Fritzbox + CCR2004
Replies: 18
Views: 717

Re: Avoiding double NAT Fritzbox + CCR2004

@joschwe: I'd worry more about those server's two network cards, you know how exactly it's connected, but we don't, so some more details about that and your whole network could help. Also if there's dual WAN on RB without proper mangle rules, that too can be problem for incoming connections.
by Sob
Mon Nov 22, 2021 11:52 pm
Forum: Beginner Basics
Topic: Please need help! vlan switch [SOLVED]
Replies: 3
Views: 390

Re: Please need help! vlan switch [SOLVED]

For the record, it wasn't as much incorrect, that vlan1 interface is possible config too, if you set tagged=bridge1 for it in "/interface bridge vlan". I'm just not sure about bridge1's default pvid=1, if that can have any unwanted side effects if left there.
by Sob
Mon Nov 22, 2021 11:40 pm
Forum: General
Topic: Load Balancing / Routing
Replies: 16
Views: 747

Re: Load Balancing / Routing

You can export and post your config, and perhaps someone will spot something you missed.
by Sob
Mon Nov 22, 2021 11:34 pm
Forum: General
Topic: DNS forward problem since using Win 11 *hard nut to crack*
Replies: 15
Views: 905

Re: DNS forward problem since using Win 11 *hard nut to crack*

I think you're right about FWD and DoH (but you didn't mention having it on router). As for the problem, it's probably time to have some fun with your favourite packet sniffer. Flush Windows DNS cache, start the program and see if there's regular DNS query and any response coming back. If not, you c...
by Sob
Mon Nov 22, 2021 11:23 pm
Forum: General
Topic: IPsec Site to Site with one side behind NAT [SOLVED]
Replies: 11
Views: 573

Re: IPsec Site to Site with one side behind NAT [SOLVED]

@sindy: I'll think twice before I start to fight with you about IPSec, so this is definitely not it, just an innocent question. What can go wrong without passive? If both peers are aware of possible NAT, they can both connect to each other, figure out that there is one, switch to udp encapsulation, ...
by Sob
Mon Nov 22, 2021 10:55 pm
Forum: Beginner Basics
Topic: Avoiding double NAT Fritzbox + CCR2004
Replies: 18
Views: 717

Re: Avoiding double NAT Fritzbox + CCR2004

If server has two network cards, that certainly sounds like possible source of problem. Is it two network connections? If so, is there anything on server that takes care of sending responses back the same way from where requests came? It's usually not automatic.

@anav: No, not really. :)
by Sob
Mon Nov 22, 2021 10:47 pm
Forum: General
Topic: Load Balancing / Routing
Replies: 16
Views: 747

Re: Load Balancing / Routing

As long as some other rule doesn't interfere (remove routing mark, assign connection mark), it should work like this. But it's not a very efficient way, because now you're checking every single packet against the list. It's better to check only new connections from LAN and give them connection mark. A...
by Sob
Mon Nov 22, 2021 10:25 pm
Forum: Beginner Basics
Topic: Avoiding double NAT Fritzbox + CCR2004
Replies: 18
Views: 717

Re: Avoiding double NAT Fritzbox + CCR2004

Few thoughts: How sure are you that your server is configured correctly? While it's not rocket science, it can sometimes be a little tricky. You need correct range of passive ports, both them and main port open in machine's firewall. It's best if server knows own public address and uses it in P...
by Sob
Mon Nov 22, 2021 10:09 pm
Forum: General
Topic: IPsec Site to Site with one side behind NAT [SOLVED]
Replies: 11
Views: 573

Re: IPsec Site to Site with one side behind NAT [SOLVED]

I don't see anything else obviously wrong, aside from disabled policies, but I assume that you did try with them enabled. You can enable verbose ipsec logs (in System->Logging) and see if there's some interesting info there. It's not the most pleasant work, since there's a lot of details there. Espe...
by Sob
Mon Nov 22, 2021 9:06 pm
Forum: General
Topic: DNS forward problem since using Win 11 *hard nut to crack*
Replies: 15
Views: 905

Re: DNS forward problem since using Win 11 *hard nut to crack*

There's DoH support in Windows 11, I didn't test it, but nothing suggests that system would try to use it even if not configured. And if ping resolves it correctly, which is definitely done by system, then it looks ok. But if it doesn't work with Firefox or Chrome, they do have own independent DoH, ...
by Sob
Mon Nov 22, 2021 8:45 pm
Forum: General
Topic: Router for test environment
Replies: 10
Views: 545

Re: Router for test environment

I'm not trying to ruin MikroTik's sales or anything, but I'd recommend to start with virtualization and free CHR. If you don't need wireless, you can test anything you want with it. Even physical connection to other devices is possible, if you give usb ethernet adapter to virtual machine (not all wo...
by Sob
Mon Nov 22, 2021 8:28 pm
Forum: Useful user articles
Topic: Port Forwarding Not Working, Hairpin NAT & More!!
Replies: 26
Views: 3177

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

I'll offer my opinion that the DNS re-write and firewall rules to redirect DNS cannot be the "right way" ... I have no problem with local DNS. It's fine, aside from some extra maintenance required (adding new hostnames, etc; no matter how little, it's more than zero required for hair...
by Sob
Mon Nov 22, 2021 7:21 pm
Forum: General
Topic: Imposible getting ping when using vlans
Replies: 19
Views: 1036

Re: Imposible getting ping when using vlans

Hmm...
- ping from 10.0.60.254 to 192.168.100.2 works => routing from 10.0.60.254 to 192.168.100.0/24 is ok
- ping from 10.0.60.254 to 192.168.100.200 doesn't work => there's some problem beyond RB450G
- masquerade changes source from 10.0.60.254 to 192.168.100.2 and it works => it looks like device...
by Sob
Mon Nov 22, 2021 6:33 pm
Forum: Beginner Basics
Topic: Avoiding double NAT Fritzbox + CCR2004
Replies: 18
Views: 717

Re: Avoiding double NAT Fritzbox + CCR2004

There's no reason why double NAT itself should influence whether FTP works or not. You can have ten NATs in a row and if you correctly forward ports through all of them, it must work. Neither client nor server has any way to know how many NATs are between them. But if you don't really need the second...
by Sob
Mon Nov 22, 2021 6:17 pm
Forum: General
Topic: Bypass the VPN for SMB access from outside [SOLVED]
Replies: 42
Views: 1926

Re: Bypass the VPN for SMB access from outside [SOLVED]

First, it's not real DMZ, that would be separate subnet isolated from others. But the term is also often used for forwarding all ports to selected host, which in this case is your router. The result is pretty much the same as if you had public IP address directly on your router. So how secure it is ...
by Sob
Mon Nov 22, 2021 5:58 pm
Forum: General
Topic: IPsec Site to Site with one side behind NAT [SOLVED]
Replies: 11
Views: 573

Re: IPsec Site to Site with one side behind NAT [SOLVED]

Config from Mikrotik A says that remote subnet is 192.168.19.0/24, but config from Mikrotik B says that local subnet is 192.168.18.0/24, so that can't work. Also peer on Mikrotik B doesn't need to be passive, that's when peer can't accept incoming connections, but in this case both can (well, sh...
by Sob
Mon Nov 22, 2021 4:16 am
Forum: Useful user articles
Topic: Port Forwarding Not Working, Hairpin NAT & More!!
Replies: 26
Views: 3177

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

Yep, that's the idea.

Btw, your last edit, nice try with RFC1918 subnets, but it will break NAT 1:1 scenarios where such address can be also on WAN interface. And in-interface-list=PFWD still isn't doing anything useful.
by Sob
Mon Nov 22, 2021 4:05 am
Forum: General
Topic: Run different PPPoE clients on the same eth port with different mac address
Replies: 1
Views: 285

Re: Run different PPPoE clients on the same eth port with different mac address

It's not exactly clean either, but it looks like VRRP can be misused not only for multiple DHCP clients, but also for multiple PPPoE clients:
/interface vrrp
add interface=wan name=vrrp10 v3-protocol=ipv6 vrid=10
add interface=wan name=vrrp11 v3-protocol=ipv6 vrid=11
add interface=wan name=vrrp12 v3...
by Sob
Mon Nov 22, 2021 12:16 am
Forum: General
Topic: Bypass the VPN for SMB access from outside [SOLVED]
Replies: 42
Views: 1926

Re: Bypass the VPN for SMB access from outside [SOLVED]

At least you got incoming connections out of it, that's nice to have thing. You can experiment further, if you want. For example, make proper VPN for users, so they could connect to your router, and then access 192.168.11.100 directly. It would be nice and secure. Only depending on needed speeds and...
by Sob
Sun Nov 21, 2021 8:33 pm
Forum: General
Topic: Bypass the VPN for SMB access from outside [SOLVED]
Replies: 42
Views: 1926

Re: Bypass the VPN for SMB access from outside [SOLVED]

I never tried with MikroTik DDNS specifically, but it's hostname like any other and Windows can use those for shares.
by Sob
Sun Nov 21, 2021 6:59 pm
Forum: General
Topic: Bypass the VPN for SMB access from outside [SOLVED]
Replies: 42
Views: 1926

Re: Bypass the VPN for SMB access from outside [SOLVED]

Now you can forward ports to your server, see e.g. post #4. Next question is what exactly is your IPSec VPN doing and if it's going to interfere. If it's the kind that routes all your traffic through some remote server, it may. But I don't remember from top of my head how exactly it works.
by Sob
Sun Nov 21, 2021 6:40 pm
Forum: General
Topic: Imposible getting ping when using vlans
Replies: 19
Views: 1036

Re: Imposible getting ping when using vlans

And the magic NAT rule that fixes it is what exactly? The weird part is that not even ping to 192.168.100.2 works. It's from PC2 (10.0.60.254), right? But its default gateway is 10.0.60.1, i.e. RB450G, which also has 192.168.100.2. So RB450G definitely knows where to find 10.0.60.254. It's almost di...
by Sob
Sun Nov 21, 2021 6:13 pm
Forum: General
Topic: Isolated VLAN "Bound" to Specified Ethernet Port.
Replies: 11
Views: 712

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Next time (if there is next time) don't post screenshots, because they don't show everything. It's better to post text export. You can get it from terminal, if you run e.g. "/ip firewall filter export" for just firewall filter, or "/export hide-sensitive file=somename" for whole ...
by Sob
Sun Nov 21, 2021 2:14 am
Forum: General
Topic: Isolated VLAN "Bound" to Specified Ethernet Port.
Replies: 11
Views: 712

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Then it could be some other rule(s) allowing access before these have a chance to block it. Reboot is not required, config is applied immediately, although some state may persist from before. Specifically for ping/icmp, router remembers it as "connection" and works with that, instead of wi...
by Sob
Sun Nov 21, 2021 1:09 am
Forum: General
Topic: Isolated VLAN "Bound" to Specified Ethernet Port.
Replies: 11
Views: 712

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

If 192.168.88.1 is router (most likely), then it's correct, you can ping it, but it doesn't really matter. If you want to block it too, you can, but this time chain=input would be correct one. But again, it's probably pointless, it makes sense only if you want to block access to router completely, u...
by Sob
Sun Nov 21, 2021 12:46 am
Forum: Useful user articles
Topic: Port Forwarding Not Working, Hairpin NAT & More!!
Replies: 26
Views: 3177

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

One loosely related bonus tip: Even if you have static address (but not as static to be guaranteed forever, because you may e.g. change ISP), you may be tempted to use shortcuts like in-interface=WAN (let's forget for a while that you can't use it anyway if you want hairpin NAT), simply because it w...
by Sob
Sun Nov 21, 2021 12:24 am
Forum: Useful user articles
Topic: Port Forwarding Not Working, Hairpin NAT & More!!
Replies: 26
Views: 3177

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

Different subnet scenario is now wrong in different way. Your in-interface-list=PFWD will break it, because it says nothing about destination address. It will catch connections to your server, but also connections to any other server. You'll realize your mistake very quickly, if you try that with so...
by Sob
Sat Nov 20, 2021 11:47 pm
Forum: General
Topic: Isolated VLAN "Bound" to Specified Ethernet Port.
Replies: 11
Views: 712

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

It won't do much good in input chain, the right place is forward chain.
by Sob
Sat Nov 20, 2021 11:44 pm
Forum: General
Topic: Imposible getting ping when using vlans
Replies: 19
Views: 1036

Re: Imposible getting ping when using vlans

I don't see exact rule, but generally when masquerade fixes a problem like this, it means there's a missing route somewhere (or firewall blocking).
by Sob
Sat Nov 20, 2021 11:41 pm
Forum: General
Topic: Bypass the VPN for SMB access from outside [SOLVED]
Replies: 42
Views: 1926

Re: Bypass the VPN for SMB access from outside [SOLVED]

It doesn't mean anything, that's what server sees and it's always public address, no matter behind how many other routers you are. What matters is whether you can forward ports from that address to your router. Best case is that the address is "yours" and ISP is doing NAT 1:1, i.e. forward...
by Sob
Sat Nov 20, 2021 11:10 pm
Forum: Useful user articles
Topic: Port Forwarding Not Working, Hairpin NAT & More!!
Replies: 26
Views: 3177

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

@anav: I see no problem in discussing things here, it won't be worse than many other threads. And it doesn't hurt to let others chime in too, even Italians, trolls (I'm not commenting about that or making any judgements :)), or pretty much anyone else can possibly add something interesting or useful...
by Sob
Sat Nov 20, 2021 9:18 pm
Forum: General
Topic: Bypass the VPN for SMB access from outside [SOLVED]
Replies: 42
Views: 1926

Re: Bypass the VPN for SMB access from outside [SOLVED]

There's not much we can help you with, it's not something you can configure just on your MikroTik router, it depends entirely on your upstream router and whether you can change its config. And even that one is not guaranteed to have public address, it can be behind another NAT. It's pretty normal th...
by Sob
Sat Nov 20, 2021 9:09 pm
Forum: Beginner Basics
Topic: PCC load balance, but pc got 2 default gateway !help [SOLVED]
Replies: 5
Views: 547

Re: PCC load balance, but pc got 2 default gateway !help [SOLVED]

I understand, but even with dhcp enabled, it's still possible to have another forgotten manually configured gateway in advanced setting, from some past experiments perhaps. Did you check that it's really not there?
by Sob
Sat Nov 20, 2021 8:57 pm
Forum: General
Topic: Strange DNS behavior with DoH enabled
Replies: 3
Views: 476

Re: Strange DNS behavior with DoH enabled

There's known inconsistency between processing with and without DoH: https://forum.mikrotik.com/viewtopic.php?p=798048#p798048 Don't ask me why they did it like that, it doesn't make sense to me either. In your case, the command actually sends three queries for A, AAAA and MX. Without DoH, RouterOS ...
by Sob
Sat Nov 20, 2021 8:02 pm
Forum: General
Topic: Bypass the VPN for SMB access from outside [SOLVED]
Replies: 42
Views: 1926

Re: Bypass the VPN for SMB access from outside [SOLVED]

Security concerns aside (I too think that it's not the greatest idea to expose smb to the world, but it's your choice), it boils down to whether you have public address or not. It doesn't have to be static (DDNS takes care of that) and it doesn't have to be directly on your router, but you must be a...
by Sob
Sat Nov 20, 2021 7:46 pm
Forum: Beginner Basics
Topic: PCC load balance, but pc got 2 default gateway !help [SOLVED]
Replies: 5
Views: 547

Re: PCC load balance, but pc got 2 default gateway !help [SOLVED]

I don't see any way how router could cause this. Don't you just have 192.168.0.1 as another manual gateway in Windows config?

Adapter properties -> IPv4 -> Advanced -> Default gateways
by Sob
Sat Nov 20, 2021 7:18 pm
Forum: Beginner Basics
Topic: VLAN between Non-wireless router w/ WAP
Replies: 13
Views: 5667

Re: VLAN between Non-wireless router w/ WAP

I'll repeat myself, just understand that there's two things, vlans as separate interfaces that create tagged packets, and bridge vlan filtering as a way to configure switch/bridge. I personally like examples in manual (https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering), as...
by Sob
Sat Nov 20, 2021 7:02 pm
Forum: General
Topic: Imposible getting ping when using vlans
Replies: 19
Views: 1036

Re: Imposible getting ping when using vlans

Then how complete is RBM33G's config you posted? Are there any firewall rules? Usual stateful firewall would have problem with how it's connected, because it creates asymmetric routing:
- in one direction, 192.168.100.200 sends packet to its gateway 192.168.100.1 and RBM33G sends it to 192.168.100.2...
by Sob
Sat Nov 20, 2021 5:45 pm
Forum: Useful user articles
Topic: Port Forwarding Not Working, Hairpin NAT & More!!
Replies: 26
Views: 3177

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

Just one thing is sufficient make the DNS method superior for user than can not create own network without "Hairpin" or DNS: The traffic do not go through CPU / NAT / connection-tracking for work. That's certainly interesting when there's going to be heavy traffic between client and server...
by Sob
Sat Nov 20, 2021 5:05 pm
Forum: RouterOS v7 BETA
Topic: socks5 not working in routeros7 !
Replies: 54
Views: 2585

Re: socks5 not working in routeros7 !

I agree that it sucks, and it should get fixed if it's broken. But do you really believe that posting again and again will help? I'm sure they already noticed, but if they don't see it as priority, it's not very likely that more posts and threads from you will change their mind.
by Sob
Sat Nov 20, 2021 4:58 pm
Forum: General
Topic: Imposible getting ping when using vlans
Replies: 19
Views: 1036

Re: Imposible getting ping when using vlans

How about ping between RBM33G and RB450G (192.168.100.1 <-> 192.168.100.2), does that work? If not, then how exactly are they connected? From what you posted, I'd assume cable between RBM33G's ether1 or ether2 and RB450G's ether2. Which is also weird, because if RBM33G's interfaces are bridged, it w...
by Sob
Sat Nov 20, 2021 4:47 pm
Forum: Forwarding Protocols
Topic: proxy-arp only for VPN connections?
Replies: 2
Views: 417

Re: proxy-arp only for VPN connections?

I'm now also leaning to not using overlapping subnets and proxy ARP, but it does have some advantages. Well, at least one, LAN hosts see VPN clients as members of same subnet, so you can save same effort when configuring firewalls, where default ones often allow access from same subnet. Anyway, if y...
by Sob
Sat Nov 20, 2021 4:05 am
Forum: General
Topic: Imposible getting ping when using vlans
Replies: 19
Views: 1036

Re: Imposible getting ping when using vlans

gateway=192.168.100.2
by Sob
Sat Nov 20, 2021 3:43 am
Forum: General
Topic: Imposible getting ping when using vlans
Replies: 19
Views: 1036

Re: Imposible getting ping when using vlans

PC1 has 192.168.100.1 on RBM33G as gateway, but I don't see any route to 10.0.60.0/24 on RBM33G.
by Sob
Sat Nov 20, 2021 3:22 am
Forum: Useful user articles
Topic: Port Forwarding Not Working, Hairpin NAT & More!!
Replies: 26
Views: 3177

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

If you don't mind a bit of constructive criticism from self-proclaimed NAT expert... ;) You should more clearly separate hairpin NAT and proper dstnat rules , because even though here they work together, they are two completely different things. Hairpin NAT just fixes the problem with communication ...
by Sob
Sat Nov 20, 2021 1:02 am
Forum: Beginner Basics
Topic: VLAN between Non-wireless router w/ WAP
Replies: 13
Views: 5667

Re: VLAN between Non-wireless router w/ WAP

Vlans can be slightly confusing, because it's both a way to have tagged packets (to carry multiple separate networks over same link) and a way to configure switch (or have switch-like behaviour using software bridge). It should help to understand which is which. The first one is simple: /interface v...
by Sob
Fri Nov 19, 2021 11:36 pm
Forum: Beginner Basics
Topic: L2TP - Port forwarding from WAN to L2TP device
Replies: 10
Views: 1262

Re: L2TP - Port forwarding from WAN to L2TP device

It's already in last post from @wormik, only if you don't have static interfaces for VPN clients, you can use address instead:
/ip firewall nat
add chain=srcnat dst-address=10.0.0.14 action=masquerade
by Sob
Fri Nov 19, 2021 11:24 pm
Forum: General
Topic: Accessing a subnet in which the Mikrotik isn't the gateway
Replies: 2
Views: 557

Re: Accessing a subnet in which the Mikrotik isn't the gateway

Clean solution is to configure the other network to know about yours, so add route to yours to other network's gateway. Or just use srcnat on eth5, to make all connections to other network look like they come from 192.168.31.250:
/ip firewall nat add out-interface=eth5 action=masquerade
by Sob
Fri Nov 19, 2021 10:36 pm
Forum: Beginner Basics
Topic: Working around NAT hairpin [SOLVED]
Replies: 27
Views: 1712

Re: Working around NAT hairpin [SOLVED]

I'm on strike until final RouterOS v7 comes out, but I had to come and check if you behave. ;) Although thinking about it, I probably should have said something to someone, if I wanted it to have any effect. Not that I'd really think it would make any difference. Nah, I'm just kidding completely, I ...
by Sob
Fri Nov 19, 2021 10:24 pm
Forum: General
Topic: DNS, how to set (DHCP) and for self-usage? [RouterOS]
Replies: 1
Views: 319

Re: DNS, how to set (DHCP) and for self-usage? [RouterOS]

DHCP server parameters are in "/ip dhcp-server network". If I remember correctly, router automatically adds either itself or DNS servers from "/ip dns", if you don't enter any manually. But that can be prevented using dns-none=yes option ("No DNS" checkbox in WinBox). ...
by Sob
Fri Nov 19, 2021 10:17 pm
Forum: Beginner Basics
Topic: Routing subnets
Replies: 2
Views: 423

Re: Routing subnets

You can't have 192.168.100.x on WAN (assuming it's usual /24) and 192.168.100.x/28 on LAN. Well, you can, but it's not exactly cleanest config (it would work if you enable proxy ARP on WAN). Clean way is non-overlapping subnets. And one catch with that is that upstream router (gateway) must know...
by Sob
Fri Nov 19, 2021 10:09 pm
Forum: Beginner Basics
Topic: Route between VPN and LAN networks
Replies: 3
Views: 674

Re: Route between VPN and LAN networks

Adding "route 192.168.1.0 255.255.255.0" to client *.ovpn config file is also working solution, but it looks weird. It's not weird. Client can route either everything though VPN (I don't remember what's the option for that, probably something with gateway) or only selected subnet(s). If i...
by Sob
Fri Nov 19, 2021 9:35 pm
Forum: General
Topic: IPv4 mode for Winbox
Replies: 8
Views: 668

Re: IPv4 mode for Winbox

"Happy eyeballs" is connecting to both IPv4 and IPv6 in parallel and using whatever succeeds first, which is not really necessary here, it would be enough to simply try all addresses one by one. WinBox already uses modern getaddrinfo() api, which returns all addresses a hostname resolves t...
by Sob
Fri Nov 19, 2021 9:13 pm
Forum: Beginner Basics
Topic: Working around NAT hairpin [SOLVED]
Replies: 27
Views: 1712

Re: Working around NAT hairpin [SOLVED]

DNS override has exactly one advantage - traffic doesn't have to unnecessarily go to router and back. Everything else speaks for hairpin NAT, see e.g.: Why hairpin NAT is the best thing in the world (only slightly biased comparison with local DNS override :D) It's almost boring, fully transparent, s...
by Sob
Fri Jan 29, 2021 7:26 pm
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1652

Re: Static IP

Let's take one step back. All these addresses (whole /28) are only for one client, right? If that's the case, bridging could be better choice, because it would be completely standard config without any tricks. But even better would be to talk to ISP and let them route whole /28 to you. That would be...
by Sob
Fri Jan 29, 2021 6:54 pm
Forum: General
Topic: IPSec Route base VPN
Replies: 1
Views: 341

Re: IPSec Route base VPN

IPSec in RouterOS doesn't provide interfaces, so routing like this is not possible. If you need one, you need to add it manually, e.g. use IPIP between endpoints and IPSec to encrypt it. But other side must have the same too.
by Sob
Fri Jan 29, 2021 6:50 pm
Forum: General
Topic: IPv6 over vlan issues
Replies: 11
Views: 1197

Re: IPv6 over vlan issues

You can also get rid of pool. It shouldn't be breaking anything, when you get the right address from it. But it doesn't add anything useful. Next step I'd take is playing with packet sniffer. Catch what happens on parent interface (not VLAN, so you'd be able to see even things like wrong VLAN number...
by Sob
Fri Jan 29, 2021 5:20 pm
Forum: General
Topic: L2TP/IPSEC not connecting
Replies: 2
Views: 730

Re: L2TP/IPSEC not connecting

Check what happens with IPSec, peer status, logs, ...
by Sob
Fri Jan 29, 2021 5:15 pm
Forum: General
Topic: IPv6 over vlan issues
Replies: 11
Views: 1197

Re: IPv6 over vlan issues

Some of it is typo. It's either ..::10a and ..::109, or ..::a and ..::9. So you want (if it's the first one):
/ipv6 address
add address=xxxx:xxxx:ffff:fffe::10a/126 advertise=no interface=IPv6
/ipv6 route
add dst-address=2000::/3 gateway=xxxx:xxxx:ffff:fffe::109
by Sob
Fri Jan 29, 2021 4:33 pm
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1652

Re: Static IP

Proxy ARP is simple. With config like yours, ISP has 103.1.1.1/28, then you have e.g. 103.1.1.2/28 on your router, and it's regular subnet and works well. If you want to route e.g. 103.1.1.3 further behind your router, you can easily do that using any of methods I listed. Your router won't have any ...
by Sob
Fri Jan 29, 2021 4:09 pm
Forum: General
Topic: IPv6 over vlan issues
Replies: 11
Views: 1197

Re: IPv6 over vlan issues

What exactly did you get from ISP? Because if nothing else, what you do on "IPv6" interface, which if I understand it correctly is your WAN port for IPv6, looks completely wrong. If you got some /126 connecting subnet for that, it should be just static address and gateway, and no need to do an...
by Sob
Fri Jan 29, 2021 3:53 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3794

Re: NAT not working...

Order of rules is important. As I wrote, they are processed from top to bottom. For example, if you'd move the last blocking rule to top, it would block everything and no other rule would be ever used. If you'd move the first rule (accept established & etc) to bottom, but still before the blocki...
by Sob
Fri Jan 29, 2021 3:15 am
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1652

Re: Static IP

The important part here is how ISP handles this /28. Is it: a) Routed to you. ISP on their router did (in RouterOS terms) "/ip route add dst-address=x.x.x.x/28 gateway=<your router>". b) Assigned as subnet between you and ISP. ISP on their router did "/ip address add address=x.x.x.a/2...
by Sob
Fri Jan 29, 2021 1:25 am
Forum: RouterOS v7 BETA
Topic: wireguard configuration
Replies: 4
Views: 2369

Re: wireguard configuration

One common interface is enough. Why it doesn't work for you, it's hard to tell. I don't think there's anything in current RouterOS to help you with that, some statistics for individual peers, logs, or anything.
by Sob
Thu Jan 28, 2021 10:35 pm
Forum: Beginner Basics
Topic: Port forward on LTE interface
Replies: 4
Views: 729

Re: Port forward on LTE interface

Only if it differs from port in dst-port.
by Sob
Thu Jan 28, 2021 6:43 pm
Forum: General
Topic: What is IP SOCKS ? I got hacked and they open this
Replies: 14
Views: 6640

Re: What is IP SOCKS ? I got hacked and they open this

Even if there would be no firewall at all, router can't get hacked so easily. It would have to be another user error (missing or weak password), or something really wrong with RouterOS. That's nothing against firewall, it's of course good idea to have it.
by Sob
Thu Jan 28, 2021 6:11 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3794

Re: NAT not working...

Think about it a little bit, it's not difficult. Don't just copy and paste something you don't understand. Rules are evaluated from top to bottom and first matching rule is used. So you have: 1) allow established, related and untracked - standard rule to allow packets for existing connections 2) dro...
by Sob
Thu Jan 28, 2021 5:52 pm
Forum: General
Topic: What is IP SOCKS ? I got hacked and they open this
Replies: 14
Views: 6640

Re: What is IP SOCKS ? I got hacked and they open this

It's a proxy server, similar to web proxy. They can use it to hide behind your router when they try to hack other devices. They will send request to proxy server on your router, it will send it to target, and target will think that it's you hacking them.
by Sob
Thu Jan 28, 2021 3:27 pm
Forum: Beginner Basics
Topic: Port forward on LTE interface
Replies: 4
Views: 729

Re: Port forward on LTE interface

If it's enough to work from internet (i.e. you don't need to connect to public address from LAN), then you can use this: /ip firewall nat add chain=dstnat dst-address=192.168.8.100 protocol=tcp dst-port=80 action=dst-nat to-addresses=<address of internal server> If you'd need it to work also from LA...
by Sob
Thu Jan 28, 2021 3:22 pm
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1652

Re: Static IP

Sorry, I can't say that it's very clear. But if ISP gave you (= routed to you) /28, and you want to give the whole thing to your client, then just route it further. Use existing connection to client and their router as gateway: /ip route add dst-address=x.x.x.x/28 gateway=<address of client's router...
by Sob
Thu Jan 28, 2021 3:14 pm
Forum: General
Topic: PPP on a specific Wan connection
Replies: 5
Views: 772

Re: PPP on a specific Wan connection

There are different ways. If the server has static public address, then the easiest is probably to add route to this address via gateway of either wan1 or wan2.
by Sob
Thu Jan 28, 2021 2:11 pm
Forum: General
Topic: IKEv2 setup + WIN10 built-in client cannot connect anymore [SOLVED]
Replies: 4
Views: 611

Re: IKEv2 setup + WIN10 built-in client cannot connect anymore [SOLVED]

I don't know if it's that, but "certificate" and "expired" can be related, certificates do expire. So that's the first thing you should check.
by Sob
Thu Jan 28, 2021 12:57 am
Forum: RouterOS v7 BETA
Topic: Routing marks / mangle
Replies: 9
Views: 3111

Re: Routing marks / mangle

I don't have any explanation why WG should differ from others. But if you suspect that marks may be inherited from tunnel traffic (outside) by tunneled traffic (inside), you can easily test it. Just add logging rule (action=log) in any chain, with any condition you need to check.
by Sob
Wed Jan 27, 2021 9:26 pm
Forum: RouterOS v7 BETA
Topic: Routing marks / mangle
Replies: 9
Views: 3111

Re: Routing marks / mangle

I missed it in original post, but even v6 config wasn't correct. The mangle rule in prerouting is useless, all work is done by the one in output. If you'd want to use "send it back to where it came from" approach, which would be useful if VPN server was accessible using both WANs, you'd us...
by Sob
Wed Jan 27, 2021 9:02 pm
Forum: General
Topic: What is strtbiz.site?
Replies: 6
Views: 1240

Re: What is strtbiz.site?

I'd try System->Scheduler.
by Sob
Wed Jan 27, 2021 9:02 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1724

Re: Need help with IPsec

I can't argue with results, of course. :) But I wouldn't expect that to be the best solution.
by Sob
Wed Jan 27, 2021 7:07 pm
Forum: General
Topic: What is strtbiz.site?
Replies: 6
Views: 1240

Re: What is strtbiz.site?

If you ask your favourite search engine, you'll find out that it looks like something you don't want to have. It seems to be related to some botnet. Check if you have some unwanted scheduled scripts on your device.
by Sob
Wed Jan 27, 2021 6:46 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1724

Re: Need help with IPsec

EoIP in IPIP, and the whole thing in IPSec, if it should be encrypted... that sounds seriously overcomplicated to me.
by Sob
Wed Jan 27, 2021 6:04 pm
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1652

Re: Static IP

Some more info would help. Things like if you have spare public IP address, how exactly you get it from ISP, etc.
by Sob
Wed Jan 27, 2021 5:46 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1724

Re: Need help with IPsec

Hmm, neither answer makes sense to me. :) As I wrote, if you'd have src-address=<peer's address> in those rules that allow IPSec traffic (IKE, ESP), it would allow this traffic from peer, but not any IPSec traffic from elsewhere. It would protect router from bots trying to scan open ports, and from ...
by Sob
Wed Jan 27, 2021 2:13 am
Forum: RouterOS v7 BETA
Topic: Routing marks / mangle
Replies: 9
Views: 3111

Re: Routing marks / mangle

by Sob
Wed Jan 27, 2021 12:02 am
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1724

Re: Need help with IPsec

One thing I find slightly weird, your input rules have dst-address=xxx.xxx.158.248, but it would seem more logical to use src-address=<peer's address> to allow packets from peer. Isn't it possible that there's some mixup there? Both addresses (xxx.xxx.158.248 and xxx.xxx.121.42) are public, right?...
by Sob
Tue Jan 26, 2021 10:45 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1724

Re: Need help with IPsec

Did you try those two changes I suggested?

I'm sure it has some explanation. Examine logs on both sides, check with packet sniffer if something is getting lost, etc.
by Sob
Tue Jan 26, 2021 7:50 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1724

Re: Need help with IPsec

In both configs, you dstnat everything to some other device, except selected stuff. Second config has this:
/ip firewall nat
add action=accept chain=dstnat in-interface-list=WAN protocol=ipsec-esp
The same thing would make sense also for first one.
by Sob
Tue Jan 26, 2021 5:19 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1724

Re: Need help with IPsec

Only one way to get the tunnel up again. I have to restore every router from its backup. Is it really the only way? It doesn't make any sense why restoring config should help, when it's the same config as router already has. Did you try to reboot routers, or just turn ipsec off and on again (disabl...
by Sob
Tue Jan 26, 2021 4:56 pm
Forum: General
Topic: IKE Fragmentation (RFC 7383) [SOLVED]
Replies: 2
Views: 712

Re: IKE Fragmentation (RFC 7383) [SOLVED]

What's new in 6.48 (2020-Dec-22 11:20):

...
*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
...
by Sob
Tue Jan 26, 2021 2:42 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3794

Re: NAT not working...

If you have same subnet, you need proxy ARP. If you have different subnets, you don't need proxy ARP. Problems with different subnets are elsewhere, they can be on both client and server side. If client doesn't use VPN as default gateway, you have to add route to remote LAN, it doesn't happen automa...
by Sob
Sat Jan 23, 2021 10:23 pm
Forum: Beginner Basics
Topic: Webfig/Winbox not available over PPTP VPN [SOLVED]
Replies: 4
Views: 996

Re: Webfig/Winbox not available over PPTP VPN [SOLVED]

Are you sure that you found the right rule? I'd say it's the one after it that is blocking the access. Solution is simple, allow traffic that comes from VPN client(s) to WinBox/WebFig ports, so add this before the last rule: /ip firewall filter add chain=input protocol=tcp dst-port=80,8291 in-interf...
by Sob
Sat Jan 23, 2021 4:32 pm
Forum: Beginner Basics
Topic: Basic question about firewall rule organization, and grouping by chains.
Replies: 5
Views: 704

Re: Basic question about firewall rule organization, and grouping by chains.

If I say that I learned a lot from your post, will you believe me? ;)
by Sob
Sat Jan 23, 2021 4:31 pm
Forum: General
Topic: Minecraft server firewall limits the number of connections allowed in a period of time
Replies: 5
Views: 659

Re: Minecraft server firewall limits the number of connections allowed in a period of time

Sorry, that may not be the right one. I don't really use this myself. But look at dst-limit, that seems better.
by Sob
Sat Jan 23, 2021 2:48 pm
Forum: Beginner Basics
Topic: V7 Route List [SOLVED]
Replies: 10
Views: 1652

Re: V7 Route List [SOLVED]

It's still mostly the same. Mangle rule didn't change at all. You just need to define routing table first (that's new) and route's routing-mark is now routing-table. And currently you have to use command line for both, because WinBox interface is incomplete. /routing table add name=giga fib /ip rou...
by Sob
Sat Jan 23, 2021 2:41 pm
Forum: General
Topic: Minecraft server firewall limits the number of connections allowed in a period of time
Replies: 5
Views: 659

Re: Minecraft server firewall limits the number of connections allowed in a period of time

Try to play with limit option: limit (integer,time,integer; Default: ) Matches packets until a given pps limit is exceeded. Parameters are written in following format: count[/time],burst. count - maximum average packet rate measured in packets per time interval time - specifies the time interval in ...
by Sob
Sat Jan 23, 2021 4:41 am
Forum: Beginner Basics
Topic: Basic question about firewall rule organization, and grouping by chains.
Replies: 5
Views: 704

Re: Basic question about firewall rule organization, and grouping by chains.

Router doesn't care. Packet always goes in either input or forward. It's not skipping over rules in other chain, it's just that both chains are displayed on same screen, but in reality they are completely separate. I agree that having rules for each chain together, rather than mixing them with each ...
by Sob
Sat Jan 23, 2021 1:53 am
Forum: Beginner Basics
Topic: V7 Route List [SOLVED]
Replies: 10
Views: 1652

Re: V7 Route List [SOLVED]

And what exactly do you do that doesn't work? Post the commands.
by Sob
Fri Jan 22, 2021 5:52 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3794

Re: NAT not working...

VPN is already not exactly as if you'd be directly connected. And if you use different subnet (which is otherwise fine), it will be even further from that. What I meant is to find interface Bridge1 and change its ARP option from default "enabled" to "proxy-arp". Then you can keep...
by Sob
Fri Jan 22, 2021 2:54 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3794

Re: NAT not working...

You use addresses from LAN subnet also for VPN clients. Problem is that when device sees address from same subnet as it has itself, it expects it to be directly reachable. But it's not true for VPN clients, because they are behind router. The fix for that is to enable proxy ARP on LAN interface, in ...
by Sob
Fri Jan 22, 2021 12:21 am
Forum: General
Topic: [Request] Winbox Default Port
Replies: 8
Views: 1165

Re: [Request] Winbox Default Port

If you don't insist on it being an official feature, you can "fix" your WinBox executable. Fire up your favourite hex editor, search for bytes 63200000 and replace them with c9150000. In current version (3.27) it's there only once in both 32 and 64 bit variants, so you can't go wrong.
by Sob
Thu Jan 21, 2021 3:30 am
Forum: Beginner Basics
Topic: IPV6 on Mikrotik SXT
Replies: 2
Views: 452

Re: IPV6 on Mikrotik SXT

I don't have personal experience with LTE, I just quickly saw it few times. I know there's something about IPv6 in APN profile. I also remember that it did some weird magic with IPv4, it didn't have regular DHCP, so it may be the same for IPv6. Finally, what exactly you know about getting IPv6 addres...
by Sob
Thu Jan 21, 2021 3:20 am
Forum: General
Topic: IPSec ESP over UDP without NAT
Replies: 5
Views: 698

Re: IPSec ESP over UDP without NAT

Try to set local-address for peer to some local but not public address. That should trigger NAT detection. I'm not completely sure, I know that I tested it in the past, but can't remember how it went.
by Sob
Wed Jan 20, 2021 7:36 pm
Forum: General
Topic: Forum Account Deletion
Replies: 1
Views: 666

Re: Forum Account Deletion

Wouldn't it be easier to simply forget that you have this account? I mean, to post one single thing, then wait 4.5 years before returning to request to have your account deleted... is it really worth it? :) But if it really bothers you that much, try reporting your post, perhaps someone will see it,...
by Sob
Wed Jan 20, 2021 7:20 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3794

Re: NAT not working...

When you use PPPoE to access internet, then PPPoE interface is the actual WAN interface. Ethernet interface is just where PPPoE packets go, but everything from/to internet is inside PPPoE. As for outgoing NAT/masquerade (which is what hides your whole LAN behind one public address), all these varian...
by Sob
Wed Jan 20, 2021 3:48 pm
Forum: General
Topic: Changing TTL for incoming packets from client
Replies: 4
Views: 1518

Re: Changing TTL for incoming packets from client

You can use your command, just change incorrect chain=prerouting to chain=forward and add in-interface=<where client is connected>. But you're wasting your time with incoming packets too, client can change TTL for both incoming and outgoing packets.
by Sob
Tue Jan 19, 2021 6:01 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3794

Re: NAT not working...

But in your config, interface "Orange Optic" is ethernet. PPPoE is named "PPPoE-Orange". So you need in-interface=PPPoE-Orange in dstnat rules.
by Sob
Tue Jan 19, 2021 5:57 pm
Forum: General
Topic: Changing TTL for incoming packets from client
Replies: 4
Views: 1518

Re: Changing TTL for incoming packets from client

You're wasting your time, client can change TTL as easily as you can, so whatever you do, they will do the opposite and avoid your blocking.
by Sob
Tue Jan 19, 2021 1:14 pm
Forum: RouterOS v7 BETA
Topic: Feature Request: Bridge Joiner
Replies: 11
Views: 2014

Re: Feature Request: Bridge Joiner

Nope, interface list doesn't help: /interface list add name=bridge-port-test /interface list member add interface=bridge1 list=bridge-port-test add interface=ether3 list=bridge-port-test /interface bridge port add bridge=bridge1 interface=ether2 add bridge=bridge2 interface=bridge-port-test /interfa...
by Sob
Tue Jan 19, 2021 1:01 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3794

Re: NAT not working...

Ok, so interface "Orange Optic" is PPPoE interface, that would be correct. If you're sure that you have public address (it's not to underestimate you personally, but it sometimes happens that users get this part wrong), what about counters for these rules? Is there anything or all zeroes? ...
by Sob
Tue Jan 19, 2021 12:53 pm
Forum: RouterBOARD hardware
Topic: RouterBoard 450G booting problem.
Replies: 5
Views: 935

Re: RouterBoard 450G booting problem.

Check the capacitors, their tops should be nice and flat. If they are bulging or leaking, they are going bad. See e.g. images in this post (two green ones are bad, the brown one in the back is good). If that's it, it's possible to replace them and the board should run like new again.
by Sob
Tue Jan 19, 2021 12:42 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3794

Re: NAT not working...

Is "Orange Optic" the old interface or the new one? If it's the old one, it would be clear why it can't work. If it's the new one, are you sure that it still has public address?
by Sob
Tue Jan 19, 2021 2:09 am
Forum: General
Topic: OVPN wrong netmask
Replies: 1
Views: 330

Re: OVPN wrong netmask

The "routes=192.168.101.1" in PPP secret is nonsense, that field is for adding routes to remote subnets behind connected client, so 192.168.101.1 doesn't belong there when it's local address. I wouldn't expect it to add /8 route, but remove it and you'll see if it helps or not.
by Sob
Tue Jan 19, 2021 1:58 am
Forum: RouterOS v7 BETA
Topic: Feature Request: Bridge Joiner
Replies: 11
Views: 2014

Re: Feature Request: Bridge Joiner

You could as well bridge all ether1, ether4 and ether5 together, add filters between ether1 and ether4/5, and it would work too. But I do agree that having only one interface instead of separate WAN and LAN would complicate things, it would need additional filters to separate router's own communicat...
by Sob
Mon Jan 18, 2021 11:36 pm
Forum: RouterOS v7 BETA
Topic: Feature Request: Bridge Joiner
Replies: 11
Views: 2014

Re: Feature Request: Bridge Joiner

@mkx: What RouterOS do you have that it lets you do that? :)
by Sob
Mon Jan 18, 2021 12:46 am
Forum: RouterOS v7 BETA
Topic: Feature Request: Bridge Joiner
Replies: 11
Views: 2014

Re: Feature Request: Bridge Joiner

The idea is that instead of joining two bridges, you take all ports from both and add them to one common bridge. Which will give you the same result as joining two bridges would, therefore you don't need to join bridges. If you can explain how joining bridges would be different and better, it would ...
by Sob
Sun Jan 17, 2021 11:36 pm
Forum: Forwarding Protocols
Topic: double mangle marking and routing mark
Replies: 3
Views: 927

Re: double mangle marking and routing mark

It could be possible to use a scheme with combined marks. Clean connection would get "mark1", then to add "mark2", you'd have to check whether there's already "mark1" and depending on that you'd assign "mark2" or "mark1-mark2". And then you'd need ba...
by Sob
Sun Jan 17, 2021 10:41 pm
Forum: General
Topic: VPN Server: Migrate certificates to new hardware
Replies: 9
Views: 1266

Re: VPN Server: Migrate certificates to new hardware

Certificates generated by RouterOS are like any other certificates, i.e. they are fine. Only transferring whole RouterOS CA between devices is... let's say unfinished.
by Sob
Sun Jan 17, 2021 10:22 pm
Forum: General
Topic: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]
Replies: 7
Views: 1051

Re: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]

It's not that difficult, play with it, experiment, it will get to you. As for packets, how they are passing through router, yes, I know that. But I cheated, I read this: https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram. :)
by Sob
Sun Jan 17, 2021 3:05 am
Forum: General
Topic: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]
Replies: 7
Views: 1051

Re: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]

ARP is used to get device's MAC address (hardware address) for given IP address, because packets in same subnet are actually sent to hardware address of target device. When you have a subnet, in your case 192.168.16.0/24, devices connected to it expect that other devices with IP addresses from this ...
by Sob
Sat Jan 16, 2021 10:44 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 3115

Re: L7 Filter rule exception.

If I was boss, you were my non-behaving employees, and the social approach ("don't try to make me mad, or else!") wouldn't work, I'd probably cut off direct internet access. The only way to get anywhere would be through e.g. SOCKS proxy. That should be pretty reliable with right ACLs. Conn...
by Sob
Sat Jan 16, 2021 9:59 pm
Forum: RouterOS v7 BETA
Topic: IP Route In RouterOS V7
Replies: 7
Views: 2460

Re: IP Route In RouterOS V7

It's still there, only you have to create routing table in /routing/table/, it doesn't happen automatically as in v6.
by Sob
Sat Jan 16, 2021 9:54 pm
Forum: Beginner Basics
Topic: Routing traffic for specified domains to a different gateway [SOLVED]
Replies: 7
Views: 2343

Re: Routing traffic for specified domains to a different gateway [SOLVED]

Hostnames in address list are resolved based on their TTL, they are re-resolved when it expires. Wildcards or regexps can't be used, because you can't resolve all possible combinations in advance. L7 is problematic too, because even though you can see target hostname (using either layer7-protocol or...
by Sob
Sat Jan 16, 2021 9:37 pm
Forum: General
Topic: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]
Replies: 7
Views: 1051

Re: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]

Corrections: - proxy-arp, not local-proxy-arp - on SOHO_VLAN, not on BR1 It's only for communication with devices on SOHO_VLAN. Communication between OpenVPN clients doesn't need it. Only currently it's blocked by firewall. You can either add static interface for each client and use that for rules, ...
by Sob
Sat Jan 16, 2021 7:13 am
Forum: General
Topic: Strange Dst.Address connection
Replies: 6
Views: 684

Re: Strange Dst.Address connection

It looks like normal outgoing connection. Same as those dns queries to 8.8.8.8. Even if you're connecting to 70.152.-.-, something else can be connecting to 31.12.71.119. You can easily find out that the address is http://yp.shoutcast.com/.
by Sob
Sat Jan 16, 2021 6:51 am
Forum: General
Topic: Strange Dst.Address connection
Replies: 6
Views: 684

Re: Strange Dst.Address connection

And what is it you don't like about it? It's a connection from 192.168.?.? to this address. Tcp and port 80 is standard for unencrypted http.
by Sob
Sat Jan 16, 2021 6:31 am
Forum: General
Topic: Strange Dst.Address connection
Replies: 6
Views: 684

Re: Strange Dst.Address connection

You should probably share a few more details, like where exactly you see it, etc.
by Sob
Sat Jan 16, 2021 5:24 am
Forum: Beginner Basics
Topic: Routing traffic for specified domains to a different gateway [SOLVED]
Replies: 7
Views: 2343

Re: Routing traffic for specified domains to a different gateway [SOLVED]

It may be tricky, mainly the part how you identify destination addresses. Websites often download stuff from many other domains, not just from their main domain. And even the main domain can be hosted in some cloud and can have several IP addresses that change all the time. But let's say you want to ...
by Sob
Sat Jan 16, 2021 5:00 am
Forum: Beginner Basics
Topic: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]
Replies: 9
Views: 1792

Re: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]

I think it was port used by outgoing connection, not another port opened by UPnP. And it's ok, connection tracking can deal with that. It would only be a problem if remote host from the first connection tried to connect to this newly forwarded port, and if it would use same source port as the origina...
by Sob
Sat Jan 16, 2021 4:56 am
Forum: Beginner Basics
Topic: NAT Loopback / DNS
Replies: 9
Views: 1317

Re: NAT Loopback / DNS

The best way is to read and understand the linked article, and then everything will be clear and simple. But you can always "cheat", post your config and we'll tell you what's wrong with it. /export hide-sensitive file=myconfig Then look for file myconfig.rsc and post its content in code t...
by Sob
Sat Jan 16, 2021 4:49 am
Forum: General
Topic: How to use a public subnet and a natted subnet
Replies: 9
Views: 865

Re: How to use a public subnet and a natted subnet

It depends on what you want. I like to have used addresses pingable, so they need to be either assigned to some device, or dstnatted as whole (or at least icmp) to another. But it's possible to live without that.
by Sob
Sat Jan 16, 2021 1:04 am
Forum: General
Topic: How to use a public subnet and a natted subnet
Replies: 9
Views: 865

Re: How to use a public subnet and a natted subnet

It's actually good idea to make the router aware of the routed subnet, other than just using some addresses or ports with src/dstnat. If a subnet is routed to you, and you don't assign addresses anywhere, and a packet comes for some unused one, your router will have no idea that it's your address, s...
by Sob
Sat Jan 16, 2021 12:40 am
Forum: General
Topic: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]
Replies: 7
Views: 1051

Re: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]

I didn't study it in detail, but one obvious problem, if you're giving addresses from LAN subnet to VPN clients, you need to enable proxy ARP for interface which has this subnet.
by Sob
Fri Jan 15, 2021 5:52 am
Forum: General
Topic: Cant get pings to complete with RB750 tied back to back
Replies: 3
Views: 451

Re: Cant get pings to complete with RB750 tied back to back

What about the laptops, do they like to get pinged from non-local subnets? If they have Windows, it's by default blocked in firewall.
by Sob
Fri Jan 15, 2021 5:42 am
Forum: Scripting
Topic: Enable winbox service via api
Replies: 17
Views: 2415

Re: Enable winbox service via api

Yes, for example with php: <?php require_once('routeros_api.class.php'); $api = new RouterosAPI(); if($api->connect('127.127.127.127', 'username', 'password')) { $api->write('/ip/service/print', false); $api->write('?name=ssh'); $response = $api->read(true); if(!empty($response)) { $api->write('/ip/...
by Sob
Fri Jan 15, 2021 1:01 am
Forum: Beginner Basics
Topic: Find specific NAT rule
Replies: 13
Views: 1792

Re: Find specific NAT rule

/ip firewall nat print where dst-port="55882"
by Sob
Fri Jan 15, 2021 12:14 am
Forum: General
Topic: /31, RFC 3021
Replies: 2
Views: 768

Re: /31, RFC 3021

I tried only a quick test, but I don't see icmp to ff:ff:ff:ff:ff:ff with /32, only arp queries and waiting for answer. And with /31 there's a difference between lower and upper address, if RouterOS has the upper one, it seems to work. I had .4 on v6 device and .5 on v7 device and it fooled me into ...
by Sob
Thu Jan 14, 2021 10:47 pm
Forum: Beginner Basics
Topic: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]
Replies: 9
Views: 1792

Re: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]

My quick test says that the whole thing is currently pretty dumb, UPnP is aware of only its own ports. So if I use UPnP to forward port, next request to forward same port elsewhere will fail. If the port is manually forwarded, UPnP is happy to add duplicate and tell client that it's ok (but it's a lie, ...
by Sob
Thu Jan 14, 2021 9:57 pm
Forum: General
Topic: portknock
Replies: 5
Views: 693

Re: portknock

Actually, that's not a bad solution. I tend to forget about scripting, because that thing hates me. ;) Plus doing things using scripts needs more resources than a built-in function. But in this case, if you make the other list override the first one (so when address appears in there, it will have ef...
by Sob
Thu Jan 14, 2021 4:10 am
Forum: Beginner Basics
Topic: Two routers and two subnets on local network [SOLVED]
Replies: 2
Views: 514

Re: Two routers and two subnets on local network [SOLVED]

Yes, it's normal. In default firewall, some rules reference interface lists. The idea behind that is to not have interfaces hardcoded in firewall rules, so if you change something (use different WAN port, add another LAN, etc), you update only interface list and don't have to touch firewall rules. W...
by Sob
Thu Jan 14, 2021 3:25 am
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 1516

Re: Port forwarding and firewall improvements [SOLVED]

Don't apologize, that's what the forum is for. Enjoy the happy end.
by Sob
Thu Jan 14, 2021 3:23 am
Forum: General
Topic: portknock
Replies: 5
Views: 693

Re: portknock

That's problematic. You could add another list to override the first one. Address in first list enables routing to tunnel. Address in second list disables it, even though the address is still in first list too. It should be simple, just add addresses in second list with same timeout and change firew...
by Sob
Thu Jan 14, 2021 3:05 am
Forum: Beginner Basics
Topic: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]
Replies: 9
Views: 1792

Re: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]

That's two things. 1) Port forwarding is already simple. I understand that some will disagree, but if adding (and understanding) some simple rules is too difficult for them, maybe those people don't really want a complex system like RouterOS. I don't mean to be too harsh, and I wouldn't discourage a...
by Sob
Wed Jan 13, 2021 11:26 pm
Forum: General
Topic: VPN Server: Migrate certificates to new hardware
Replies: 9
Views: 1266

Re: VPN Server: Migrate certificates to new hardware

That's not question for me, you need someone who has experience with performance of different devices. I just mentioned CHR as a simple way how to test transfers of certificates between different devices. Also, unless you need to generate certificates directly on router for any reason, you can alway...
by Sob
Wed Jan 13, 2021 8:46 pm
Forum: General
Topic: Share public IP to router behind mikrotik
Replies: 7
Views: 895

Re: Share public IP to router behind mikrotik

... for now I have only one customer so two usable IP is OK for me. It's more like one. With /30 mask and no other tricks, two of four addresses are used as network address and broadcast, third goes on your router, and only one is available for customers, so one customer. With slightly different co...
by Sob
Wed Jan 13, 2021 8:04 am
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 1516

Re: Port forwarding and firewall improvements [SOLVED]

If you don't need hairpin NAT, i.e. the ability to connect to STATIC_IP:<forwarded_port> from LAN (it was the other poster who mentioned it), then use: /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.100.2 dst-port=2302 protocol=tcp to-addresses=192.168.88.101 ... If you do need...
by Sob
Wed Jan 13, 2021 7:33 am
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 1516

Re: Port forwarding and firewall improvements [SOLVED]

But judging by the screenshot and the rule added by UPnP, you don't have STATIC_IP directly on router (in IP->Addresses), right? If not and you actually have just NAT 1:1, dstnat rules with dst-address=STATIC_IP won't work for connections from internet. You can use dst-address=192.168.100.2 and see ...
by Sob
Wed Jan 13, 2021 12:50 am
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 1516

Re: Port forwarding and firewall improvements [SOLVED]

Two questions: - Is your STATIC_IP same as you see at https://wtfismyip.com/clean? - If you look at dstnat rules' counters, is there anything or just zeroes? Other than that, you can use action=dstnat instead of action=netmap (there doesn't seem to be a difference, but dstnat is more common), and yo...
by Sob
Wed Jan 13, 2021 12:00 am
Forum: Scripting
Topic: local server failover
Replies: 3
Views: 793

Re: local server failover

It's surely doable with a few more ifs, in each branch (do/else) first check if the desired state is already active, and only do any changes when it isn't.
by Sob
Tue Jan 12, 2021 11:47 pm
Forum: General
Topic: Share public IP to router behind mikrotik
Replies: 7
Views: 895

Re: Share public IP to router behind mikrotik

You waste three of four available addresses, but other than that it's ok. If you don't mind, you're done. If you do, then check here for other possibilities.
by Sob
Tue Jan 12, 2021 11:36 pm
Forum: General
Topic: MT as a separate subnet on internal network
Replies: 2
Views: 477

Re: MT as a separate subnet on internal network

If you can't or don't want to do anything with main router, VLAN won't help you, if MT's WAN port is still connected to main network as it is now. Firewall filter is good enough, nothing will pass from other networks to main one, as long as you (or anyone else with access to MT) don't disable it or...
by Sob
Tue Jan 12, 2021 11:16 pm
Forum: Scripting
Topic: Mail DHCP-leases
Replies: 3
Views: 760

Re: Mail DHCP-leases

I don't know if it's the best way, but you can simply remove the condition, i.e. replace [find where server=dhcp1 ] with [find]. And to include server name in output, you get it from [get $i server] like all other properties.
by Sob
Tue Jan 12, 2021 10:49 pm
Forum: Beginner Basics
Topic: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]
Replies: 9
Views: 1792

Re: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]

You may be out of luck. I'm not aware of any option where dynamic rules should be added. Normally, if you have only some selected ports forwarded, adding dynamic ones at the end makes sense, because you don't want them to override static ones. E.g. if you have public webserver on port 80, you don't ...
by Sob
Tue Jan 12, 2021 10:37 pm
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 1516

Re: Port forwarding and firewall improvements [SOLVED]

And for OP, if you didn't make a mistake and only tested it from LAN (which wouldn't work), are you sure that you have public IP address?
by Sob
Tue Jan 12, 2021 10:33 pm
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 1516

Re: Port forwarding and firewall improvements [SOLVED]

It doesn't work from LAN because of in-interface-list=WAN. To fix it, replace it with dst-address=<your public address> (if you have static address). If you have dynamic address, you can use dst-address-type=local. If it's for port that is also used for service on router (for example, you may need <...
by Sob
Tue Jan 12, 2021 8:04 pm
Forum: General
Topic: Firewall Rules
Replies: 5
Views: 695

Re: Firewall Rules

That's quite a lot of stuff for quick understanding. One possible problem I see is that you don't use stateful firewall. Basic version of that would be: /ip firewall filter add chain=forward connection-state=established,related,untracked action=accept add chain=forward connection-state=invalid actio...
by Sob
Tue Jan 12, 2021 6:52 pm
Forum: General
Topic: VPN Server: Migrate certificates to new hardware
Replies: 9
Views: 1266

Re: VPN Server: Migrate certificates to new hardware

I'm not sure about details, so it's probably best to test it yourself. In case you don't have free spare device, you can use CHR (RouterOS VM; free version is enough).
by Sob
Tue Jan 12, 2021 7:45 am
Forum: General
Topic: Firewall Rules
Replies: 5
Views: 695

Re: Firewall Rules

According to description it should work. But it depends on what you actually did. ;)

Doing:
/export hide-sensitive file=myconfig
and then posting content of myconfig.rsc in code tags should reveal more.
by Sob
Tue Jan 12, 2021 6:32 am
Forum: General
Topic: Mikrotik VLAN & WiFi Configuration [SOLVED]
Replies: 2
Views: 691

Re: Mikrotik VLAN & WiFi Configuration [SOLVED]

You need to either: a) Use "/interface bridge vlan" and tell router that wlan-public-2ghz and wlan-public-5ghz contain tagged vlan 21. b) Remove tagging from wlan-public-2ghz and wlan-public-5ghz and set pvid 21 for them as bridge ports. In both cases you need vlan 21 tagged on bridge (in ...
by Sob
Tue Jan 12, 2021 6:20 am
Forum: General
Topic: Firewall Rules
Replies: 5
Views: 695

Re: Firewall Rules

Input is for traffic to router itself (for services running on router), see e.g. https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram. Forward is what you need for routing between interfaces. If there's no traffic in forward, there must be some mistake somewhere else.
by Sob
Tue Jan 12, 2021 3:09 am
Forum: General
Topic: Port mapping webpage
Replies: 2
Views: 733

Re: Port mapping webpage

Simplified port mapping was recently added to Quick Set (there's a button for it). But I don't think it should show up upon login.
by Sob
Tue Jan 12, 2021 3:06 am
Forum: General
Topic: VPN Server: Migrate certificates to new hardware
Replies: 9
Views: 1266

Re: VPN Server: Migrate certificates to new hardware

AFAIK certificates are transferable, but the relation between RouterOS CA and issued certificates is not. So for example if you'd want to revoke some, you can't. Binary backup should contain everything, but it's not meant for different device models. I think it's bad, but so far it doesn't seem to ...
by Sob
Mon Jan 11, 2021 11:07 pm
Forum: RouterBOARD hardware
Topic: RB idea
Replies: 8
Views: 1309

Re: RB idea

Clever, but probably not something that OP or users with similar requirements would appreciate that much, it's still two devices and extra cable.
by Sob
Mon Jan 11, 2021 10:38 pm
Forum: Beginner Basics
Topic: Putting more information into router advertisement packets?
Replies: 24
Views: 2141

Re: Putting more information into router advertisement packets?

I agree with you, but as it is now, you can't do much with v6, but at least v7 shows that things are slowly improving (it's not fully automatic, but you can make it so with script). Unfortunately, IPv6 is not the highest priority for MikroTik, so it may take a while before you're fully satisfied.
by Sob
Mon Jan 11, 2021 10:29 pm
Forum: RouterBOARD hardware
Topic: RB idea
Replies: 8
Views: 1309

Re: RB idea

About laptops without ethernet, there's simple solution, don't buy such crippled devices. If you already made that mistake, then suffer. It's the equivalent of touching hot stove, it's an important life lesson. I know it's not helpful, but I couldn't resist. Don't take it dead serious. :) But not al...
by Sob
Mon Jan 11, 2021 10:09 pm
Forum: Beginner Basics
Topic: Tips to understand if router hacked [SOLVED]
Replies: 15
Views: 2188

Re: Tips to understand if router hacked [SOLVED]

Yes, "/log print" is one way, or use WinBox or WebFig to view log, whatever you like most.

If you are getting already blacklisted addresses, there's not much you can do with it, other than convincing ISP to give you new static address that's not blacklisted.
by Sob
Mon Jan 11, 2021 10:05 pm
Forum: Beginner Basics
Topic: forward requests from LAN IP to external server by domain name
Replies: 2
Views: 380

Re: forward requests from LAN IP to external server by domain name

You can set server address on device to some fake unused one (e.g. 10.10.10.10) and create dstnat rule: /ip firewall nat add chain=dstnat dst-address=10.10.10.10 protocol=tcp dst-port=25 action=dst-nat to-addresses=1.2.3.4 comment=someuniqueid But you can't use hostname in to-addresses, so you need ...
by Sob
Mon Jan 11, 2021 9:51 pm
Forum: Beginner Basics
Topic: Help - Route 2 Segment under 2 Gateway.
Replies: 1
Views: 330

Re: Help - Route 2 Segment under 2 Gateway.

Problem is, devices use their default gateway to access other subnets. And just because you add router connected to both subnets, it won't magically start routing between them. The router itself would be for it, after all, routing is its life. But other devices won't start to use it as gateway when ...
by Sob
Mon Jan 11, 2021 9:46 pm
Forum: General
Topic: how to set a firewall address list group
Replies: 5
Views: 741

Re: how to set a firewall address list group

And it's a pity, because ipset (which is probably used internally) does support lists of lists, together with other useful list types (I would very much like to have its hash:ip,port list).
by Sob
Mon Jan 11, 2021 12:17 am
Forum: Beginner Basics
Topic: Tips to understand if router hacked [SOLVED]
Replies: 15
Views: 2188

Re: Tips to understand if router hacked [SOLVED]

Send and receive are two different things, you don't need anything listening on smtp port to send mail. Of course if anyone would be able to hack the router enough to install own software, they could install smtp server if they wanted to. I just don't see any reasonable explanation what it would be ...
by Sob
Sun Jan 10, 2021 6:44 pm
Forum: General
Topic: Saniity Check - Winbox in IP Services
Replies: 2
Views: 363

Re: Saniity Check - Winbox in IP Services

It depends on whether you want to use WinBox or not. L2TP doesn't have much to do with it. If you want to use WinBox only over L2TP, you may limit allowed sources in "Available From" (or you can do the same using firewall filter), but you can't disable it completely.
by Sob
Sun Jan 10, 2021 6:37 pm
Forum: Beginner Basics
Topic: Putting more information into router advertisement packets?
Replies: 24
Views: 2141

Re: Putting more information into router advertisement packets?

Few points: - IPv6 is supposed to eventually replace IPv4, so IPv6-only networks make sense. Only when you do it now, you may be a little bit too ahead. Most of the internet is still IPv4-only, so you need NAT64 + DNS64, which is not exactly nice (mainly the DNS64 part). That said, it's not wrong, y...
by Sob
Sun Jan 10, 2021 5:55 pm
Forum: Beginner Basics
Topic: RB760IGS ignores VLAN settings
Replies: 1
Views: 375

Re: RB760IGS ignores VLAN settings

When you have vlan interface on bridge, then in "/interface bridge vlan" it must be tagged also on bridge interface, e.g.:
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=1000
by Sob
Sun Jan 10, 2021 5:51 pm
Forum: Beginner Basics
Topic: Tips to understand if router hacked [SOLVED]
Replies: 15
Views: 2188

Re: Tips to understand if router hacked [SOLVED]

Your rule will stop connections to router itself, but that's useless, because there's no smtp server on router. What I meant is: /ip firewall filter add chain=forward protocol=tcp dst-port=25 action=reject reject-with=tcp-reset log=yes log-prefix=smtp It will stop smtp connections through router and...
by Sob
Sat Jan 09, 2021 6:31 pm
Forum: Beginner Basics
Topic: Putting more information into router advertisement packets?
Replies: 24
Views: 2141

Re: Putting more information into router advertisement packets?

Currently you can't, it's not much configurable yet. DNS servers are simply taken from "/ip dns", but you don't want to add router's own address there. You can combine it with DHCPv6. If you add server without pool, it will function in stateless mode and only provide info (you'll have to e...
by Sob
Sat Jan 09, 2021 6:22 pm
Forum: General
Topic: Load Balancing and
Replies: 5
Views: 868

Re: Load Balancing and

Here you have it with explanation how it works:

https://wiki.mikrotik.com/wiki/Manual:PCC
by Sob
Sat Jan 09, 2021 6:18 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1760

Re: Adding static route won't bypass nat

Sure, use anything you like, it's not like any of this would be personal secret of mine. If it was, I wouldn't share it. :)
by Sob
Sat Jan 09, 2021 12:14 am
Forum: Beginner Basics
Topic: Tips to understand if router hacked [SOLVED]
Replies: 15
Views: 2188

Re: Tips to understand if router hacked [SOLVED]

If it's spam, it's far more likely that it's some infected device behind the router than the router itself. If you're not running mailserver, you can block access from LAN to SMTP port (tcp 25), because nothing should need it (clients should use other ports to access mailservers). You can also log c...
by Sob
Fri Jan 08, 2021 11:47 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1760

Re: Adding static route won't bypass nat

The conclusion for me is that adding any kind of static route should not be used alone to bypass masquerade rules. Correct, not in combination with IPSec. For the record, what I do about leaking packets is: /ip route add dst-address=10.0.0.0/8 type=unreachable add dst-address=172.16.0.0/12 type=unr...
by Sob
Fri Jan 08, 2021 10:21 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1760

Re: Adding static route won't bypass nat

Two things: 1) I'm not sure why you have sa-src-address=192.168.13.254, which is part of LAN subnet. But that probably doesn't have any negative effect. 2) There's a catch with accessing remote subnet from router itself over plain IPSec tunnels. It doesn't work with default config, because router choo...
by Sob
Fri Jan 08, 2021 8:17 pm
Forum: General
Topic: Howto mark Amazon AWS traffic?
Replies: 4
Views: 719

Re: Howto mark Amazon AWS traffic?

How exactly do you do it? Do you mark routing directly based on address list? That wouldn't work well if it changes very often. But if you mark connections based on address list and then mark routing based on connection marks, it should work.
by Sob
Fri Jan 08, 2021 1:58 am
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1760

Re: Adding static route won't bypass nat

But they are not ignored! If I remove the dummy rule (dst-address=192.168.0.0/16 gateway=vpn-blackhole) then it fails to work again. If you don't believe me then try it, you will see. So that blackhole rule is not ignored and it is needed. I would like to know why it is needed, and how it is used. ...
by Sob
Thu Jan 07, 2021 10:25 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1760

Re: Adding static route won't bypass nat

There are two things: 1) Routing and outgoing interface. Based on routes, outgoing interface should be vpn-blackhole. And that's true when IPSec is not active. Active IPSec clearly changes routing decision in some way. Again, it's not completely wrong, because it reflects where those packets really ...
by Sob
Thu Jan 07, 2021 7:54 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1760

Re: Adding static route won't bypass nat

I assumed that you used same rules, so it was strange why it would work on one device and not on another. If the working one has ipsec-policy=out,none, then it explains it. This condition matches only when there's no IPSec policy for packets. And when there is (like in this case), it doesn't match a...
by Sob
Thu Jan 07, 2021 5:04 pm
Forum: Beginner Basics
Topic: Substring ( URI?) firewall filter
Replies: 8
Views: 867

Re: Substring ( URI?) firewall filter

It's not that I'd recommend it, I see it more as hack, but it's possible.
by Sob
Thu Jan 07, 2021 6:27 am
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1760

Re: Adding static route won't bypass nat

It's something with IPSec, I can reproduce it. When I add logging rule in forward chain, then with peer disabled it shows vpn-blackhole as outgoing interface, but with peer enabled it changes to ether1-internet. It's kind of right, because it's actually where packets go to, but I'm not sure if firew...
by Sob
Wed Jan 06, 2021 11:33 pm
Forum: Beginner Basics
Topic: Substring ( URI?) firewall filter
Replies: 8
Views: 867

Re: Substring ( URI?) firewall filter

Proxy in RouterOS can be misused as reverse proxy:

https://web.archive.org/web/20201111190 ... eb_Servers

It's not ideal, but I've seen people doing worse things.
by Sob
Tue Jan 05, 2021 11:55 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1760

Re: Adding static route won't bypass nat

I don't see it, but srcnat's condition is out-interface=ether1-internet, so it will match only connections going out via ether1-internet. That will happen when router thinks that route to destination leads there. And that should only happen when your static route is either not active, or if there's ...
by Sob
Tue Dec 29, 2020 4:44 pm
Forum: General
Topic: Hairpin NAT no longer working after setting up VLANS [SOLVED]
Replies: 9
Views: 1414

Re: Hairpin NAT no longer working after setting up VLANS [SOLVED]

You have dstnat rules with in-interface=ether1, so they only work for connections from internet. Two basic options are: a) Replace in-interface=ether1 with dst-address=<your public address> b) Replace in-interface=ether1 with dst-address-type=local dst-address=!<destination address you want to exclu...
by Sob
Tue Dec 29, 2020 4:32 pm
Forum: General
Topic: Reading Source IP on my Filtering DNS Server
Replies: 12
Views: 1074

Re: Reading Source IP on my Filtering DNS Server

I think it's safe to say that client 192.168.88.150 and server 10.10.10.1 are not in same subnet. :)
by Sob
Tue Dec 29, 2020 4:20 pm
Forum: General
Topic: Reading Source IP on my Filtering DNS Server
Replies: 12
Views: 1074

Re: Reading Source IP on my Filtering DNS Server

Your first srcnat rule tells router to masquerade (= change source to router's address) any connection passing through router, no matter what's the source or destination. What you request is what you get. Usually you want that only for connections from LAN to internet, so it would mean adding someth...
by Sob
Mon Dec 28, 2020 12:40 pm
Forum: General
Topic: Feature Request: IPv6 NAT66 Support
Replies: 46
Views: 14885

Re: Feature Request: IPv6 NAT66 Support

Well, changing prefix is matter of opinion, I guess. I wouldn't want it, but I can see why somebody else would. Preferably it should be a choice offered by ISP. When I wrote mistake, I was thinking about giving only single /64 to user, because it's limiting and I don't think there's any way how it c...
by Sob
Mon Dec 28, 2020 12:07 pm
Forum: General
Topic: Feature Request: IPv6 NAT66 Support
Replies: 46
Views: 14885

Re: Feature Request: IPv6 NAT66 Support

I wouldn't hold my breath for ways to subnet /64. Personally I don't think that SLAAC in current form was great idea. Using /64 is terribly wasteful. Deriving IP address from MAC address turned out to be quite unfortunate. Fixing privacy problem with Privacy Extensions and the whole thing with tempo...
by Sob
Mon Dec 28, 2020 6:51 am
Forum: General
Topic: Is it possible to "subnet" a /64 prefix between 2 internal LANs?
Replies: 10
Views: 1406

Re: Is it possible to "subnet" a /64 prefix between 2 internal LANs?

Main problem with other than /64 prefixes is lack of autoconfiguration. If you'd go with static config, you can subnet it any way you like. But static config doesn't go well with dynamic prefix. Even if it doesn't change randomly, you still have no guarantee that it won't do it one day. This part co...
by Sob
Mon Dec 28, 2020 5:11 am
Forum: Beginner Basics
Topic: Generate paket lost on specific destination ! [SOLVED]
Replies: 3
Views: 662

Re: Generate paket lost on specific destination ! [SOLVED]

Or if you want it less predictable, there's also:
random (integer: 1..99; Default: ) - Matches packets randomly with given probability.
by Sob
Sun Dec 27, 2020 4:20 am
Forum: General
Topic: Please finish implementation of OpenVPN protocol (authentication without password, certificates)
Replies: 5
Views: 848

Re: Please finish implementation of OpenVPN protocol (authentication without password, certificates)

And most of the VPN providers use for authentication certificates without login and password. Just this part alone may not be a problem. RouterOS supports client certificates for OpenVPN. It also requires you to enter some username, but when I tested it with server that uses official OpenVPN with ce...
by Sob
Fri Dec 25, 2020 8:30 pm
Forum: Beginner Basics
Topic: Questions about "Use host names in firewall rules" [SOLVED]
Replies: 3
Views: 775

Re: Questions about "Use host names in firewall rules" [SOLVED]

In newer versions you can put hostname directly in address list and system will resolve it automatically (and refresh it when its ttl expires). So it's easier and script is not needed. But if for some reason you like script better, you can keep using it. The right chain depends on what you're trying...
by Sob
Thu Dec 24, 2020 11:56 pm
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 61
Views: 18860

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

It's the killswitch, it affects all packets from hosts listed in "under_vpn" list, including those to other local subnets. Your modification kind of breaks the killswitch, because it now works only for packets with connection-mark=under_vpn, but you set that when first packet goes out, so ...
by Sob
Thu Dec 24, 2020 8:42 pm
Forum: General
Topic: Give other address pool to OpenVPN users [SOLVED]
Replies: 2
Views: 514

Re: Give other address pool to OpenVPN users [SOLVED]

You can either: a) Fix your office tunnels to include VPN range at main office's end. So add other policies for 192.168.54.0/24 or change existing ones from 192.168.55.0/24 to 192.168.54.0/23. b) Use srcnat to hide 192.168.54.x behind some 192.168.55.x, to match existing policies. Clean solution i...
by Sob
Wed Dec 23, 2020 11:26 pm
Forum: Scripting
Topic: hairpin with 2 WAN
Replies: 2
Views: 946

Re: hairpin with 2 WAN

You can use scripts in PPP profile, just use this as "On Up": :local Name [/interface pppoe-client get $interface name] /ip firewall address-list remove [find where list=Hairpin comment=$Name] /ip firewall address-list add list=Hairpin address=$"local-address" comment=$Name and ...
by Sob
Wed Dec 23, 2020 10:05 pm
Forum: General
Topic: Difference between Winbox and Terminal
Replies: 5
Views: 690

Re: Difference between Winbox and Terminal

They probably moved some stuff around. It's no problem in WinBox, because the worst case is that the user will be confused for a minute and then will find it in the new place. Doing the same in CLI means broken scripts, that's much more annoying.
by Sob
Tue Dec 22, 2020 10:41 pm
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 1023

Re: IP Firewall Address list FQDN resolution expiration

I don't have anything with Tile architecture, but CHR 6.46.8 works exactly as I describe, and it's the same as any other version I've seen. If yours keeps adding new addresses, but old ones (that the hostname no longer resolves to) are not removed, it's a bug. Replacing expired addresses with current ...
by Sob
Tue Dec 22, 2020 9:51 pm
Forum: General
Topic: traffic to a webserver sitting behind a router [SOLVED]
Replies: 16
Views: 1554

Re: traffic to a webserver sitting behind a router [SOLVED]

^^^ What he wrote.

And there's nothing special about VLANs, except when you mess with bridge's Use IP Firewall option, then things can become quite unexpected.
by Sob
Tue Dec 22, 2020 9:35 pm
Forum: Beginner Basics
Topic: Firewall message
Replies: 1
Views: 407

Re: Firewall message

Some of your firewall NAT rules have logging enabled, so you see this message when a matching connection comes in. Find which one, check what it does, whether you need it, etc.
by Sob
Tue Dec 22, 2020 12:32 am
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 4642

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

Easy to understand way would be to have separate fields for IP address and mask (but I'm not advocating for it, I like current <address>/<mask>). And to not have editable field for network at all, because IP address and mask is enough (except for peer-to-peer use, so there should be optional field f...
by Sob
Tue Dec 22, 2020 12:21 am
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 1023

Re: IP Firewall Address list FQDN resolution expiration

I still don't know if I get it. What confuses me, is that what seems to be description of current state, is not what happens, I mean these parts: If the FQDN address resolves to a new address that IP will be added to the list >>>and the old IP item will be retained<<<. ..., this will resolve the IP ...
by Sob
Mon Dec 21, 2020 11:46 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 4642

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

Yes. The other image you posted shows it, router's address can be anything between HostMin and HostMax (inclusive).
by Sob
Mon Dec 21, 2020 10:57 pm
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 1023

Re: IP Firewall Address list FQDN resolution expiration

Well, it's possible that I missed your point. I'll test what happens with entries added with hostname and timeout (I never tested that combination before), maybe it will make things clearer. In any case, my understanding of hostnames in address list is that it's for tracking current address of given...
by Sob
Mon Dec 21, 2020 9:46 pm
Forum: Beginner Basics
Topic: Trouble setting up port forwarding
Replies: 14
Views: 1498

Re: Trouble setting up port forwarding

If you have one public address for yourself, they "lose" it either way, it doesn't matter if it's on your router or theirs. Don't count CGNAT address, there's plenty of those, only public ones are scarce.
by Sob
Mon Dec 21, 2020 9:37 pm
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 1023

Re: IP Firewall Address list FQDN resolution expiration

It should be all automatic, resolved addresses simply inherit ttl from dns record, disappear when it expires, and system then resolves hostname again.
by Sob
Mon Dec 21, 2020 8:13 pm
Forum: Beginner Basics
Topic: Problems with portforwarding.
Replies: 9
Views: 1096

Re: Problems with portforwarding.

To allow all forwarded ports at once (you most likely want that, otherwise why would you forward them at all), use this:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
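Where the accept rule from the post above belongs in a forward chain, as an added example that is not part of the original post. It assumes the WAN interfaces are in the interface list "WAN" and the internal server is 192.168.88.10.

```routeros
# Added example (not from the original post). Names and addresses are assumptions.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="HTTPS -> server"

# Order matters in the forward chain: established/related first so the
# dstnat accept only ever sees the first packet of a forwarded connection,
# and the accept before the final drop, or the forwarded traffic never
# reaches it. "add" appends to the chain; on an existing configuration use
# place-before=<rule number> to slot the rule ahead of the drop.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN action=accept comment="allow all forwarded ports"
add chain=forward connection-state=new in-interface-list=WAN action=drop \
    comment="drop everything else arriving from WAN"
```

Restricting the accept to in-interface-list=WAN keeps it from also opening LAN-to-LAN traffic that happens to pass through a dstnat rule (hairpin setups); drop that match if hairpin access is wanted. Every forwarded port is reachable from the whole internet with this, so the dstnat rules themselves are the place to limit sources, with src-address or src-address-list, where a service should not be public.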
by Sob
Mon Dec 21, 2020 8:09 pm
Forum: Beginner Basics
Topic: Trouble setting up port forwarding
Replies: 14
Views: 1498

Re: Trouble setting up port forwarding

Two basic options:

a) They changed dhcp/pppoe (whatever you have) config and you now have public address on your router
b) They just forward ports from public address to your 100.x.x.x, i.e. NAT 1:1.
by Sob
Mon Dec 21, 2020 1:16 am
Forum: Scripting
Topic: How do I disable a rule in IP ROUTE? [SOLVED]
Replies: 4
Views: 1291

Re: How do I disable a rule in IP ROUTE? [SOLVED]

Examples:
/ip route disable [find comment="test"]
/ip route disable [find dst-address=10.0.0.0/8]
/ip route disable [find dst-address=0.0.0.0/0 gateway=10.1.1.1]
by Sob
Sun Dec 20, 2020 5:28 am
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 4642

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

You're wrong. :) For start, forget the Network field, just pretend it's not there. You won't miss it. RouterOS will fill it automatically based on IP address and mask. You don't enter network in e.g. Windows, only address and mask. It's the same in RouterOS, only mask has different form. When you ha...
by Sob
Sat Dec 19, 2020 11:04 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 4642

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

And gateway address for this router is in IP->Routes, as part of default route (the one with "Dst. Address" 0.0.0.0/0, usually added by DHCP client). What I actually think can be confusing is "Network" when adding IP address. Normally it's useless and I don't remember any other O...
by Sob
Sat Dec 19, 2020 10:26 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 4642

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

You can see it as shortcut. Instead of entering separate 192.168.88.1 as address and 255.255.255.0 as netmask, you have just one value address/mask (24 is equal to 255.255.255.0).
by Sob
Sat Dec 19, 2020 9:08 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 4642

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

"Address List" is not completely wrong, it is a list of addresses. A similar thing is in other places too, for example:
IP->ARP -> ARP List
IP->Routes -> Route List
...
It wouldn't hurt if windows got the same titles as menu items. But I'd still keep some as they are now, e.g.: IP->DNS -> DNS Sett...
by Sob
Sat Dec 19, 2020 7:47 pm
Forum: General
Topic: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%
Replies: 7
Views: 1331

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

From what I tried a year ago ( this post and this post ), hEX S is nice, but not exactly performance beast with vlans. If I remember correctly, those tests were without any firewall. Number of connections is critical. If you have many, it's relatively ok. But for example for copying file between vla...
by Sob
Sat Dec 19, 2020 1:52 am
Forum: Scripting
Topic: Removing ip addresses in a list based on another
Replies: 7
Views: 1582

Re: Removing ip addresses in a list based on another

You're right. It's actually documented: https://wiki.mikrotik.com/wiki/Manual:Scripting#Reserved_variable_names So on one hand I can't complain, but on the other it confirms what I'm saying, this whole thing is not intuitive (to me at least), because who would expect all property names to be reserve...
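The task from the topic above (removing addresses from one list that also appear in another), written so that no script variable shares a name with a RouterOS property such as "address" or "list", which the scripting manual linked above reserves. This is an added example, not the original poster's or Sob's script; the list names "whitelist" and "blocked" are assumptions.

```routeros
# Added example (not from the original post). Removes every entry of list
# "blocked" whose address string also appears in list "whitelist". Variable
# names deliberately avoid property names (address, list, comment, ...).
:local keepList "whitelist"
:local pruneList "blocked"
:local removed 0

:foreach entryId in=[/ip firewall address-list find where list=$keepList] do={
    :local keepAddr [/ip firewall address-list get $entryId address]
    # Exact string match: a 10.0.0.0/24 entry in "whitelist" does not cover a
    # 10.0.0.5 entry in "blocked"; containment would need a separate check.
    :local victims [/ip firewall address-list find where list=$pruneList and address=$keepAddr]
    :if ([:len $victims] > 0) do={
        :log info ("address-list prune: removing " . $keepAddr . " from " . $pruneList)
        /ip firewall address-list remove $victims
        :set removed ($removed + [:len $victims])
    }
}
:log info ("address-list prune: removed " . $removed . " entries from " . $pruneList)
```

Run it once from a terminal with both lists populated and compare /ip firewall address-list print where list=blocked before and after; the log lines show exactly which entries went. If the original script used $address or $list as variable names and misbehaved silently, renaming the variables as above is the fix the linked documentation implies.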