Community discussions

Search found 6517 matches

by Sob
Fri Jan 29, 2021 7:26 pm
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1140

Re: Static IP

Let's take one step back. All these addresses (the whole /28) are only for one client, right? If that's the case, bridging could be a better choice, because it would be a completely standard config without any tricks. But even better would be to talk to the ISP and let them route the whole /28 to you. That would be...
by Sob
Fri Jan 29, 2021 6:54 pm
Forum: General
Topic: IPSec Route base VPN
Replies: 1
Views: 214

Re: IPSec Route base VPN

IPSec in RouterOS doesn't provide interfaces, so routing like this is not possible. If you need one, you need to add it manually, e.g. use IPIP between endpoints and IPSec to encrypt it. But the other side must have the same too.
by Sob
Fri Jan 29, 2021 6:50 pm
Forum: General
Topic: IPv6 over vlan issues
Replies: 11
Views: 746

Re: IPv6 over vlan issues

You can also get rid of the pool. It shouldn't be breaking anything, when you get the right address from it. But it doesn't add anything useful. The next step I'd take is playing with the packet sniffer. Catch what happens on the parent interface (not the VLAN, so you'd be able to see even things like a wrong VLAN number...
by Sob
Fri Jan 29, 2021 5:20 pm
Forum: General
Topic: L2TP/IPSEC not connecting
Replies: 2
Views: 301

Re: L2TP/IPSEC not connecting

Check what happens with IPSec, peer status, logs, ...
by Sob
Fri Jan 29, 2021 5:15 pm
Forum: General
Topic: IPv6 over vlan issues
Replies: 11
Views: 746

Re: IPv6 over vlan issues

Some of it is typo. It's either ..::10a and ..::109, or ..::a and ..::9. So you want (if it's the first one):
/ipv6 address
add address=xxxx:xxxx:ffff:fffe::10a/126 advertise=no interface=IPv6
/ipv6 route
add dst-address=2000::/3 gateway=xxxx:xxxx:ffff:fffe::109
by Sob
Fri Jan 29, 2021 4:33 pm
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1140

Re: Static IP

Proxy ARP is simple. With config like yours, ISP has 103.1.1.1/28, then you have e.g. 103.1.1.2/28 on your router, and it's regular subnet and works well. If you want to route e.g. 103.1.1.3 further behind your router, you can easily do that using any of methods I listed. Your router won't have any ...
by Sob
Fri Jan 29, 2021 4:09 pm
Forum: General
Topic: IPv6 over vlan issues
Replies: 11
Views: 746

Re: IPv6 over vlan issues

What exactly did you get from the ISP? Because if nothing else, what you do on the "IPv6" interface, which if I understand it correctly is your WAN port for IPv6, looks completely wrong. If you got some /126 connecting subnet for that, it should be just a static address and gateway, and no need to do an...
by Sob
Fri Jan 29, 2021 3:53 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3079

Re: NAT not working...

Order of rules is important. As I wrote, they are processed from top to bottom. For example, if you'd move the last blocking rule to top, it would block everything and no other rule would be ever used. If you'd move the first rule (accept established & etc) to bottom, but still before the blocki...
by Sob
Fri Jan 29, 2021 3:15 am
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1140

Re: Static IP

The important part here is how ISP handles this /28. Is it: a) Routed to you. ISP on their router did (in RouterOS terms) "/ip route add dst-address=x.x.x.x/28 gateway=<your router>". b) Assigned as subnet between you and ISP. ISP on their router did "/ip address add address=x.x.x.a/2...
by Sob
Fri Jan 29, 2021 1:25 am
Forum: RouterOS v7 BETA
Topic: wireguard configuration
Replies: 4
Views: 1458

Re: wireguard configuration

One common interface is enough. Why it doesn't work for you, it's hard to tell. I don't think there's anything in current RouterOS to help you with that, some statistics for individual peers, logs, or anything.
by Sob
Thu Jan 28, 2021 10:35 pm
Forum: Beginner Basics
Topic: Port forward on LTE interface
Replies: 4
Views: 445

Re: Port forward on LTE interface

Only if it differs from port in dst-port.
by Sob
Thu Jan 28, 2021 6:43 pm
Forum: General
Topic: What is IP SOCKS ? I got hacked and they open this
Replies: 14
Views: 3836

Re: What is IP SOCKS ? I got hacked and they open this

Even if there were no firewall at all, the router can't get hacked so easily. It would have to be another user error (missing or weak password), or something really wrong with RouterOS. That's nothing against the firewall, it's of course a good idea to have it.
by Sob
Thu Jan 28, 2021 6:11 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3079

Re: NAT not working...

Think about it a little bit, it's not difficult. Don't just copy and paste something you don't understand. Rules are evaluated from top to bottom and first matching rule is used. So you have: 1) allow established, related and untracked - standard rule to allow packets for existing connections 2) dro...
by Sob
Thu Jan 28, 2021 5:52 pm
Forum: General
Topic: What is IP SOCKS ? I got hacked and they open this
Replies: 14
Views: 3836

Re: What is IP SOCKS ? I got hacked and they open this

It's a proxy server, similar to a web proxy. They can use it to hide behind your router when they try to hack other devices. They will send a request to the proxy server on your router, it will send it to the target, and the target will think that it's you hacking them.
by Sob
Thu Jan 28, 2021 3:27 pm
Forum: Beginner Basics
Topic: Port forward on LTE interface
Replies: 4
Views: 445

Re: Port forward on LTE interface

If it's enough to work from internet (i.e. you don't need to connect to public address from LAN), then you can use this: /ip firewall nat add chain=dstnat dst-address=192.168.8.100 protocol=tcp dst-port=80 action=dst-nat to-addresses=<address of internal server> If you'd need it to work also from LA...
by Sob
Thu Jan 28, 2021 3:22 pm
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1140

Re: Static IP

Sorry, I can't say that it's very clear. But if ISP gave you (= routed to you) /28, and you want to give the whole thing to your client, then just route it further. Use existing connection to client and their router as gateway: /ip route add dst-address=x.x.x.x/28 gateway=<address of client's router...
by Sob
Thu Jan 28, 2021 3:14 pm
Forum: General
Topic: PPP on a specific Wan connection
Replies: 5
Views: 584

Re: PPP on a specific Wan connection

There are different ways. If the server has static public address, then the easiest is probably to add route to this address via gateway of either wan1 or wan2.
by Sob
Thu Jan 28, 2021 2:11 pm
Forum: General
Topic: IKEv2 setup + WIN10 built-in client cannot connect anymore [SOLVED]
Replies: 4
Views: 388

Re: IKEv2 setup + WIN10 built-in client cannot connect anymore [SOLVED]

I don't know if it's that, but "certificate" and "expired" can be related, certificates do expire. So that's the first thing you should check.
by Sob
Thu Jan 28, 2021 12:57 am
Forum: RouterOS v7 BETA
Topic: Routing marks / mangle
Replies: 7
Views: 1011

Re: Routing marks / mangle

I don't have any explanation why WG should differ from others. But if you suspect that marks may be inherited from tunnel traffic (outside) by tunneled traffic (inside), you can easily test it. Just add logging rule (action=log) in any chain, with any condition you need to check.
by Sob
Wed Jan 27, 2021 9:26 pm
Forum: RouterOS v7 BETA
Topic: Routing marks / mangle
Replies: 7
Views: 1011

Re: Routing marks / mangle

I missed it in original post, but even v6 config wasn't correct. The mangle rule in prerouting is useless, all work is done by the one in output. If you'd want to use "send it back to where it came from" approach, which would be useful if VPN server was accessible using both WANs, you'd us...
by Sob
Wed Jan 27, 2021 9:02 pm
Forum: General
Topic: What is strtbiz.site?
Replies: 6
Views: 670

Re: What is strtbiz.site?

I'd try System->Scheduler.
by Sob
Wed Jan 27, 2021 9:02 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1305

Re: Need help with IPsec

I can't argue with results, of course. :) But I wouldn't expect that to be the best solution.
by Sob
Wed Jan 27, 2021 7:07 pm
Forum: General
Topic: What is strtbiz.site?
Replies: 6
Views: 670

Re: What is strtbiz.site?

If you ask your favourite search engine, you'll find out that it looks like something you don't want to have. It seems to be related to some botnet. Check if you have some unwanted scheduled scripts on your device.
by Sob
Wed Jan 27, 2021 6:46 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1305

Re: Need help with IPsec

EoIP in IPIP, and the whole thing in IPSec, if it should be encrypted... that sounds seriously overcomplicated to me.
by Sob
Wed Jan 27, 2021 6:04 pm
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 1140

Re: Static IP

Some more info would help. Things like if you have spare public IP address, how exactly you get it from ISP, etc.
by Sob
Wed Jan 27, 2021 5:46 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1305

Re: Need help with IPsec

Hmm, neither answer makes sense to me. :) As I wrote, if you'd have src-address=<peer's address> in those rules that allow IPSec traffic (IKE, ESP), it would allow this traffic from peer, but not any IPSec traffic from elsewhere. It would protect router from bots trying to scan open ports, and from ...
by Sob
Wed Jan 27, 2021 2:13 am
Forum: RouterOS v7 BETA
Topic: Routing marks / mangle
Replies: 7
Views: 1011

Re: Routing marks / mangle

by Sob
Wed Jan 27, 2021 12:02 am
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1305

Re: Need help with IPsec

One thing I find slightly weird, your input rules have dst-address=xxx.xxx.158.248, but it would seem more logical to use src-address=<peer's address> to allow packets from peer. Isn't it possible that there's some mixup there? Both addresses (xxx.xxx.158.248 and xxx.xxx.121.42) are public, right?...
by Sob
Tue Jan 26, 2021 10:45 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1305

Re: Need help with IPsec

Did you try those two changes I suggested?

I'm sure it has some explanation. Examine logs on both sides, check with packet sniffer if something is getting lost, etc.
by Sob
Tue Jan 26, 2021 7:50 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1305

Re: Need help with IPsec

In both configs, you dstnat everything to some other device, except selected stuff. Second config has this:
/ip firewall nat
add action=accept chain=dstnat in-interface-list=WAN protocol=ipsec-esp
The same thing would make sense also for first one.
by Sob
Tue Jan 26, 2021 5:19 pm
Forum: General
Topic: Need help with IPsec
Replies: 17
Views: 1305

Re: Need help with IPsec

Only one way to get the tunnel up again. I have to restore every router from its backup. Is it really the only way? It doesn't make any sense why restoring config should help, when it's the same config as router already has. Did you try to reboot routers, or just turn ipsec off and on again (disabl...
by Sob
Tue Jan 26, 2021 4:56 pm
Forum: General
Topic: IKE Fragmentation (RFC 7383) [SOLVED]
Replies: 2
Views: 534

Re: IKE Fragmentation (RFC 7383) [SOLVED]

What's new in 6.48 (2020-Dec-22 11:20):

...
*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
...
by Sob
Tue Jan 26, 2021 2:42 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3079

Re: NAT not working...

If you have same subnet, you need proxy ARP. If you have different subnets, you don't need proxy ARP. Problems with different subnets are elsewhere, they can be on both client and server side. If client doesn't use VPN as default gateway, you have to add route to remote LAN, it doesn't happen automa...
by Sob
Sat Jan 23, 2021 10:23 pm
Forum: Beginner Basics
Topic: Webfig/Winbox not available over PPTP VPN [SOLVED]
Replies: 4
Views: 444

Re: Webfig/Winbox not available over PPTP VPN [SOLVED]

Are you sure that you found the right rule? I'd say it's the one after it that is blocking the access. Solution is simple, allow traffic that comes from VPN client(s) to WinBox/WebFig ports, so add this before the last rule: /ip firewall filter add chain=input protocol=tcp dst-port=80,8291 in-interf...
by Sob
Sat Jan 23, 2021 4:32 pm
Forum: Beginner Basics
Topic: Basic question about firewall rule organization, and grouping by chains.
Replies: 5
Views: 511

Re: Basic question about firewall rule organization, and grouping by chains.

If I say that I learned a lot from your post, will you believe me? ;)
by Sob
Sat Jan 23, 2021 4:31 pm
Forum: General
Topic: Minecraft server firewall limits the number of connections allowed in a period of time
Replies: 5
Views: 473

Re: Minecraft server firewall limits the number of connections allowed in a period of time

Sorry, that may not be the right one. I don't really use this myself. But look at dst-limit, that seems better.
by Sob
Sat Jan 23, 2021 2:48 pm
Forum: Beginner Basics
Topic: V7 Route List [SOLVED]
Replies: 10
Views: 1087

Re: V7 Route List [SOLVED]

It's still mostly the same. Mangle rule didn't change at all. You just need to define routing table first (that's new) and route's routing-mark is now routing-table . And currently you have to use command line for both, because WinBox interface is incomplete. /routing table add name=giga fib /ip rou...
by Sob
Sat Jan 23, 2021 2:41 pm
Forum: General
Topic: Minecraft server firewall limits the number of connections allowed in a period of time
Replies: 5
Views: 473

Re: Minecraft server firewall limits the number of connections allowed in a period of time

Try to play with limit option: limit (integer,time,integer; Default: ) Matches packets until a given pps limit is exceeded. Parameters are written in following format: count[/time],burst. count - maximum average packet rate measured in packets per time interval time - specifies the time interval in ...
by Sob
Sat Jan 23, 2021 4:41 am
Forum: Beginner Basics
Topic: Basic question about firewall rule organization, and grouping by chains.
Replies: 5
Views: 511

Re: Basic question about firewall rule organization, and grouping by chains.

Router doesn't care. Packet always goes in either input or forward. It's not skipping over rules in other chain, it's just that both chains are displayed on same screen, but in reality they are completely separate. I agree that having rules for each chain together, rather than mixing them with each ...
by Sob
Sat Jan 23, 2021 1:53 am
Forum: Beginner Basics
Topic: V7 Route List [SOLVED]
Replies: 10
Views: 1087

Re: V7 Route List [SOLVED]

And what exactly you do that doesn't work? Post the commands.
by Sob
Fri Jan 22, 2021 5:52 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3079

Re: NAT not working...

VPN is already not exactly as if you'd be directly connected. And if you use different subnet (which is otherwise fine), it will be even further from that. What I meant is to find interface Bridge1 and change its ARP option from default "enabled" to "proxy-arp". Then you can keep...
by Sob
Fri Jan 22, 2021 2:54 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3079

Re: NAT not working...

You use addresses from LAN subnet also for VPN clients. Problem is that when device sees address from same subnet as it has itself, it expects it to be directly reachable. But it's not true for VPN clients, because they are behind router. The fix for that is to enable proxy ARP on LAN interface, in ...
by Sob
Fri Jan 22, 2021 12:21 am
Forum: General
Topic: [Request] Winbox Default Port
Replies: 8
Views: 778

Re: [Request] Winbox Default Port

If you don't insist on it being an official feature, you can "fix" your WinBox executable. Fire up your favourite hex editor, search for bytes 63200000 and replace them with c9150000. In current version (3.27) it's there only once in both 32 and 64 bit variants, so you can't go wrong.
by Sob
Thu Jan 21, 2021 3:30 am
Forum: Beginner Basics
Topic: IPV6 on Mikrotik SXT
Replies: 2
Views: 303

Re: IPV6 on Mikrotik SXT

I don't have personal experience with LTE, I just quickly saw it a few times. I know there's something about IPv6 in the APN profile. I also remember that it did some weird magic with IPv4, it didn't have regular DHCP, so it may be the same for IPv6. Finally, what exactly do you know about getting IPv6 addres...
by Sob
Thu Jan 21, 2021 3:20 am
Forum: General
Topic: IPSec ESP over UDP without NAT
Replies: 5
Views: 504

Re: IPSec ESP over UDP without NAT

Try to set local-address for peer to some local but not public address. That should trigger NAT detection. I'm not completely sure, I know that I tested it in the past, but can't remember how it went.
by Sob
Wed Jan 20, 2021 7:36 pm
Forum: General
Topic: Forum Account Deletion
Replies: 1
Views: 503

Re: Forum Account Deletion

Wouldn't it be easier to simply forget that you have this account? I mean, to post one single thing, then wait 4.5 years before returning to request to have your account deleted... is it really worth it? :) But if it really bothers you that much, try reporting your post, perhaps someone will see it,...
by Sob
Wed Jan 20, 2021 7:20 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3079

Re: NAT not working...

When you use PPPoE to access internet, then PPPoE interface is the actual WAN interface. Ethernet interface is just where PPPoE packets go, but everything from/to internet is inside PPPoE. As for outgoing NAT/masquerade (which is what hides your whole LAN behind one public address), all these varian...
by Sob
Wed Jan 20, 2021 3:48 pm
Forum: General
Topic: Changing TTL for incoming packets from client
Replies: 4
Views: 471

Re: Changing TTL for incoming packets from client

You can use your command, just change the incorrect chain=prerouting to chain=forward and add in-interface=<where client is connected>. But you're wasting your time with incoming packets too, the client can change TTL for both incoming and outgoing packets.
by Sob
Tue Jan 19, 2021 6:01 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3079

Re: NAT not working...

But in your config, interface "Orange Optic" is ethernet. PPPoE is named "PPPoE-Orange". So you need in-interface=PPPoE-Orange in dstnat rules.
by Sob
Tue Jan 19, 2021 5:57 pm
Forum: General
Topic: Changing TTL for incoming packets from client
Replies: 4
Views: 471

Re: Changing TTL for incoming packets from client

You're wasting your time, client can change TTL as easily as you can, so whatever you do, they will do the opposite and avoid your blocking.
by Sob
Tue Jan 19, 2021 1:14 pm
Forum: RouterOS v7 BETA
Topic: Feature Request: Bridge Joiner
Replies: 11
Views: 1451

Re: Feature Request: Bridge Joiner

Nope, interface list doesn't help: /interface list add name=bridge-port-test /interface list member add interface=bridge1 list=bridge-port-test add interface=ether3 list=bridge-port-test /interface bridge port add bridge=bridge1 interface=ether2 add bridge=bridge2 interface=bridge-port-test /interfa...
by Sob
Tue Jan 19, 2021 1:01 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3079

Re: NAT not working...

Ok, so interface "Orange Optic" is PPPoE interface, that would be correct. If you're sure that you have public address (it's not to underestimate you personally, but it sometimes happens that users get this part wrong), what about counters for these rules? Is there anything or all zeroes? ...
by Sob
Tue Jan 19, 2021 12:53 pm
Forum: RouterBOARD hardware
Topic: RouterBoard 450G booting problem.
Replies: 5
Views: 626

Re: RouterBoard 450G booting problem.

Check the capacitors, their tops should be nice and flat. If they are bulging or leaking, they are going bad. See e.g. images in this post (two green ones are bad, the brown one in the back is good). If that's it, it's possible to replace them and the board should run like new again.
by Sob
Tue Jan 19, 2021 12:42 pm
Forum: Beginner Basics
Topic: NAT not working...
Replies: 45
Views: 3079

Re: NAT not working...

Is "Orange Optic" the old interface or the new one? If it's the old one, it would be clear why it can't work. If it's the new one, are you sure that it still has public address?
by Sob
Tue Jan 19, 2021 2:09 am
Forum: General
Topic: OVPN wrong netmask
Replies: 1
Views: 214

Re: OVPN wrong netmask

The "routes=192.168.101.1" in PPP secret is nonsense, that field is for adding routes to remote subnets behind connected client, so 192.168.101.1 doesn't belong there when it's local address. I wouldn't expect it to add /8 route, but remove it and you'll see if it helps or not.
by Sob
Tue Jan 19, 2021 1:58 am
Forum: RouterOS v7 BETA
Topic: Feature Request: Bridge Joiner
Replies: 11
Views: 1451

Re: Feature Request: Bridge Joiner

You could as well bridge all ether1, ether4 and ether5 together, add filters between ether1 and ether4/5, and it would work too. But I do agree that having only one interface instead of separate WAN and LAN would complicate things, it would need additional filters to separate router's own communicat...
by Sob
Mon Jan 18, 2021 11:36 pm
Forum: RouterOS v7 BETA
Topic: Feature Request: Bridge Joiner
Replies: 11
Views: 1451

Re: Feature Request: Bridge Joiner

@mkx: What RouterOS do you have that it lets you do that? :)
by Sob
Mon Jan 18, 2021 12:46 am
Forum: RouterOS v7 BETA
Topic: Feature Request: Bridge Joiner
Replies: 11
Views: 1451

Re: Feature Request: Bridge Joiner

The idea is that instead of joining two bridges, you take all ports from both and add them to one common bridge. Which will give you the same result as joining two bridges would, therefore you don't need to join bridges. If you can explain how joining bridges would be different and better, it would ...
by Sob
Sun Jan 17, 2021 11:36 pm
Forum: Forwarding Protocols
Topic: double mangle marking and routing mark
Replies: 3
Views: 486

Re: double mangle marking and routing mark

It could be possible to use a scheme with combined marks. Clean connection would get "mark1", then to add "mark2", you'd have to check whether there's already "mark1" and depending on that you'd assign "mark2" or "mark1-mark2". And then you'd need ba...
by Sob
Sun Jan 17, 2021 10:41 pm
Forum: General
Topic: VPN Server: Migrate certificates to new hardware
Replies: 9
Views: 840

Re: VPN Server: Migrate certificates to new hardware

Certificates generated by RouterOS are like any other certificates, i.e. they are fine. Only transferring whole RouterOS CA between devices is... let's say unfinished.
by Sob
Sun Jan 17, 2021 10:22 pm
Forum: General
Topic: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]
Replies: 7
Views: 716

Re: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]

It's not that difficult, play with it, experiment, it will get to you. As for packets, how they are passing through router, yes, I know that. But I cheated, I read this: https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram. :)
by Sob
Sun Jan 17, 2021 3:05 am
Forum: General
Topic: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]
Replies: 7
Views: 716

Re: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]

ARP is used to get device's MAC address (hardware address) for given IP address, because packets in same subnet are actually sent to hardware address of target device. When you have a subnet, in your case 192.168.16.0/24, devices connected to it expect that other devices with IP addresses from this ...
by Sob
Sat Jan 16, 2021 10:44 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 1855

Re: L7 Filter rule exception.

If I was boss, you were my non-behaving employees, and the social approach ("don't try to make me mad, or else!") wouldn't work, I'd probably cut off direct internet access. The only way to get anywhere would be through e.g. SOCKS proxy. That should be pretty reliable with right ACLs. Conn...
by Sob
Sat Jan 16, 2021 9:59 pm
Forum: RouterOS v7 BETA
Topic: IP Route In RouterOS V7
Replies: 7
Views: 1825

Re: IP Route In RouterOS V7

It's still there, only you have to create routing table in /routing/table/, it doesn't happen automatically as in v6.
by Sob
Sat Jan 16, 2021 9:54 pm
Forum: Beginner Basics
Topic: Routing traffic for specified domains to a different gateway [SOLVED]
Replies: 7
Views: 831

Re: Routing traffic for specified domains to a different gateway [SOLVED]

Hostnames in address list are resolved based on their TTL, they are re-resolved when it expires. Wildcards or regexps can't be used, because you can't resolve all possible combinations in advance. L7 is problematic too, because even though you can see target hostname (using either layer7-protocol or...
by Sob
Sat Jan 16, 2021 9:37 pm
Forum: General
Topic: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]
Replies: 7
Views: 716

Re: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]

Corrections:
- proxy-arp, not local-proxy-arp
- on SOHO_VLAN, not on BR1
It's only for communication with devices on SOHO_VLAN. Communication between OpenVPN clients doesn't need it. Only currently it's blocked by firewall. You can either add static interface for each client and use that for rules, ...
by Sob
Sat Jan 16, 2021 7:13 am
Forum: General
Topic: Strange Dst.Address connection
Replies: 6
Views: 507

Re: Strange Dst.Address connection

It looks like normal outgoing connection. Same as those dns queries to 8.8.8.8. Even if you're connecting to 70.152.-.-, something else can be connecting to 31.12.71.119. You can easily find out that the address is http://yp.shoutcast.com/.
by Sob
Sat Jan 16, 2021 6:51 am
Forum: General
Topic: Strange Dst.Address connection
Replies: 6
Views: 507

Re: Strange Dst.Address connection

And what is it you don't like about it? It's a connection from 192.168.?.? to this address. Tcp and port 80 is standard for unencrypted http.
by Sob
Sat Jan 16, 2021 6:31 am
Forum: General
Topic: Strange Dst.Address connection
Replies: 6
Views: 507

Re: Strange Dst.Address connection

You should probably share a few more details, like where exactly you see it, etc.
by Sob
Sat Jan 16, 2021 5:24 am
Forum: Beginner Basics
Topic: Routing traffic for specified domains to a different gateway [SOLVED]
Replies: 7
Views: 831

Re: Routing traffic for specified domains to a different gateway [SOLVED]

It may be tricky, mainly the part of how you identify destination addresses. Websites often download stuff from many other domains, not just from their main domain. And even the main domain can be hosted in some cloud and can have several IP addresses that change all the time. But let's say you want to ...
by Sob
Sat Jan 16, 2021 5:00 am
Forum: Beginner Basics
Topic: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]
Replies: 9
Views: 934

Re: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]

I think it was port used by outgoing connection, not another port opened by UPnP. And it's ok, connection tracking can deal with that. It would only be problem, if remote host from the first connection tried to connect to this newly forwarded port, and if it would use same source port as the origina...
by Sob
Sat Jan 16, 2021 4:56 am
Forum: Beginner Basics
Topic: NAT Loopback / DNS
Replies: 9
Views: 755

Re: NAT Loopback / DNS

The best way is to read and understand the linked article, and then everything will be clear and simple. But you can always "cheat", post your config and we'll tell you what's wrong with it. /export hide-sensitive file=myconfig Then look for file myconfig.rsc and post its content in code t...
by Sob
Sat Jan 16, 2021 4:49 am
Forum: General
Topic: How to use a public subnet and a natted subnet
Replies: 9
Views: 673

Re: How to use a public subnet and a natted subnet

It depends on what you want. I like to have used addresses pingable, so they need to be either assigned to some device, or dstnatted as whole (or at least icmp) to another. But it's possible to live without that.
by Sob
Sat Jan 16, 2021 1:04 am
Forum: General
Topic: How to use a public subnet and a natted subnet
Replies: 9
Views: 673

Re: How to use a public subnet and a natted subnet

It's actually good idea to make the router aware of the routed subnet, other than just using some addresses or ports with src/dstnat. If a subnet is routed to you, and you don't assign addresses anywhere, and a packet comes for some unused one, your router will have no idea that it's your address, s...
by Sob
Sat Jan 16, 2021 12:40 am
Forum: General
Topic: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]
Replies: 7
Views: 716

Re: Can establish VPN connection but no connectivity to local lan and wan [SOLVED]

I didn't study it in detail, but one obvious problem, if you're giving addresses from LAN subnet to VPN clients, you need to enable proxy ARP for interface which has this subnet.
by Sob
Fri Jan 15, 2021 5:52 am
Forum: General
Topic: Cant get pings to complete with RB750 tied back to back
Replies: 3
Views: 291

Re: Cant get pings to complete with RB750 tied back to back

What about the laptops, do they like to get pinged from non-local subnets? If they have Windows, it's by default blocked in firewall.
by Sob
Fri Jan 15, 2021 5:42 am
Forum: Scripting
Topic: Enable winbox service via api
Replies: 18
Views: 1486

Re: Enable winbox service via api

Yes, for example with php: <?php require_once('routeros_api.class.php'); $api = new RouterosAPI(); if($api->connect('127.127.127.127', 'username', 'password')) { $api->write('/ip/service/print', false); $api->write('?name=ssh'); $response = $api->read(true); if(!empty($response)) { $api->write('/ip/...
by Sob
Fri Jan 15, 2021 1:01 am
Forum: Beginner Basics
Topic: Find specific NAT rule
Replies: 7
Views: 609

Re: Find specific NAT rule

/ip firewall nat print where dst-port="55882"
by Sob
Fri Jan 15, 2021 12:14 am
Forum: General
Topic: /31, RFC 3021
Replies: 2
Views: 426

Re: /31, RFC 3021

I tried only a quick test, but I don't see icmp to ff:ff:ff:ff:ff:ff with /32, only arp queries and waiting for answer. And with /31 there's a difference between lower and upper address, if RouterOS has the upper one, it seems to work. I had .4 on v6 device and .5 on v7 device and it fooled me into ...
by Sob
Thu Jan 14, 2021 10:47 pm
Forum: Beginner Basics
Topic: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]
Replies: 9
Views: 934

Re: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]

My quick test says that the whole thing is currently pretty dumb, UPnP is aware of only own ports. So if I use UPnP to forward port, next request to forward same port elsewhere will fail. If the port is manually forwarded, UPnP is happy to add duplicate and tell client that it's ok (but it's a lie, ...
by Sob
Thu Jan 14, 2021 9:57 pm
Forum: General
Topic: portknock
Replies: 5
Views: 470

Re: portknock

Actually, that's not a bad solution. I tend to forget about scripting, because that thing hates me. ;) Plus doing things using scripts needs more resources than a built-in function. But in this case, if you make the other list override the first one (so when address appears in there, it will have ef...
by Sob
Thu Jan 14, 2021 4:10 am
Forum: Beginner Basics
Topic: Two routers and two subnets on local network [SOLVED]
Replies: 2
Views: 319

Re: Two routers and two subnets on local network [SOLVED]

Yes, it's normal. In default firewall, some rules reference interface lists. The idea behind that is to not have interfaces hardcoded in firewall rules, so if you change something (use different WAN port, add another LAN, etc), you update only interface list and don't have to touch firewall rules. W...
by Sob
Thu Jan 14, 2021 3:25 am
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 971

Re: Port forwarding and firewall improvements [SOLVED]

Don't apologize, that's what the forum is for. Enjoy the happy end.
by Sob
Thu Jan 14, 2021 3:23 am
Forum: General
Topic: portknock
Replies: 5
Views: 470

Re: portknock

That's problematic. You could add another list to override the first one. Address in first list enables routing to tunnel. Address in second list disables it, even though the address is still in first list too. It should be simple, just add addresses in second list with same timeout and change firew...
by Sob
Thu Jan 14, 2021 3:05 am
Forum: Beginner Basics
Topic: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]
Replies: 9
Views: 934

Re: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]

That's two things. 1) Port forwarding is already simple. I understand that some will disagree, but if adding (and understanding) some simple rules is too difficult for them, maybe those people don't really want a complex system like RouterOS. I don't mean to be too harsh, and I wouldn't discourage a...
by Sob
Wed Jan 13, 2021 11:26 pm
Forum: General
Topic: VPN Server: Migrate certificates to new hardware
Replies: 9
Views: 840

Re: VPN Server: Migrate certificates to new hardware

That's not question for me, you need someone who has experience with performance of different devices. I just mentioned CHR as a simple way how to test transfers of certificates between different devices. Also, unless you need to generate certificates directly on router for any reason, you can alway...
by Sob
Wed Jan 13, 2021 8:46 pm
Forum: General
Topic: Share public IP to router behind mikrotik
Replies: 7
Views: 642

Re: Share public IP to router behind mikrotik

... for now I have only one customer so two usable IP is OK for me. It's more like one. With /30 mask and no other tricks, two of four addresses are used as network address and broadcast, third goes on your router, and only one is available for customers, so one customer. With slightly different co...
by Sob
Wed Jan 13, 2021 8:04 am
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 971

Re: Port forwarding and firewall improvements [SOLVED]

If you don't need hairpin NAT, i.e. the ability to connect to STATIC_IP:<forwarded_port> from LAN (it was the other poster who mentioned it), then use: /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.100.2 dst-port=2302 protocol=tcp to-addresses=192.168.88.101 ... If you do need...
by Sob
Wed Jan 13, 2021 7:33 am
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 971

Re: Port forwarding and firewall improvements [SOLVED]

But judging by the screenshot and the rule added by UPnP, you don't have STATIC_IP directly on router (in IP->Addresses), right? If not and you actually have just NAT 1:1, dstnat rules with dst-address=STATIC_IP won't work for connections from internet. You can use dst-address=192.168.100.2 and see ...
by Sob
Wed Jan 13, 2021 12:50 am
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 971

Re: Port forwarding and firewall improvements [SOLVED]

Two questions: - Is your STATIC_IP same as you see at https://wtfismyip.com/clean? - If you look at dstnat rules' counters, is there anything or just zeroes? Other than that, you can use action=dstnat instead of action=netmap (there doesn't seem to be a difference, but dstnat is more common), and yo...
by Sob
Wed Jan 13, 2021 12:00 am
Forum: Scripting
Topic: local server failover
Replies: 3
Views: 530

Re: local server failover

It's surely doable with a few more ifs, in each branch (do/else) first check if the desired state is already active, and only do any changes when it isn't.
by Sob
Tue Jan 12, 2021 11:47 pm
Forum: General
Topic: Share public IP to router behind mikrotik
Replies: 7
Views: 642

Re: Share public IP to router behind mikrotik

You waste three of four available addresses, but other than that it's ok. If you don't mind, you're done. If you do, then check here for other possibilities.
by Sob
Tue Jan 12, 2021 11:36 pm
Forum: General
Topic: MT as a separate subnet on internal network
Replies: 2
Views: 342

Re: MT as a separate subnet on internal network

If you can't or don't want to do anything with main router, VLAN won't help you, if MT's WAN port is still connected to main network as it is now. Firewall filter is good enough, nothing will pass from other networks to main one, as long as you (or anyone else with access to MT) don't disable it or...
by Sob
Tue Jan 12, 2021 11:16 pm
Forum: Scripting
Topic: Mail DHCP-leases
Replies: 3
Views: 488

Re: Mail DHCP-leases

I don't know if it's the best way, but you can simply remove the condition, i.e. replace [find where server=dhcp1 ] with [find]. And to include server name in output, you get it from [get $i server] like all other properties.
by Sob
Tue Jan 12, 2021 10:49 pm
Forum: Beginner Basics
Topic: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]
Replies: 9
Views: 934

Re: Port Forwarding: proper way to do "DMZ" + UPnP? [SOLVED]

You may be out of luck. I'm not aware of any option where dynamic rules should be added. Normally, if you have only some selected ports forwarded, adding dynamic ones at the end makes sense, because you don't want them to override static ones. E.g. if you have public webserver on port 80, you don't ...
by Sob
Tue Jan 12, 2021 10:37 pm
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 971

Re: Port forwarding and firewall improvements [SOLVED]

And for OP, if you didn't make a mistake and only tested it from LAN (which wouldn't work), are you sure that you have public IP address?
by Sob
Tue Jan 12, 2021 10:33 pm
Forum: Beginner Basics
Topic: Port forwarding and firewall improvements [SOLVED]
Replies: 13
Views: 971

Re: Port forwarding and firewall improvements [SOLVED]

It doesn't work from LAN because of in-interface-list=WAN. To fix it, replace it with dst-address=<your public address> (if you have static address). If you have dynamic address, you can use dst-address-type=local. If it's for port that is also used for service on router (for example, you may need <...
by Sob
Tue Jan 12, 2021 8:04 pm
Forum: General
Topic: Firewall Rules
Replies: 5
Views: 506

Re: Firewall Rules

That's quite a lot of stuff for quick understanding. One possible problem I see is that you don't use a stateful firewall. Basic version of that would be: /ip firewall filter add chain=forward connection-state=established,related,untracked action=accept add chain=forward connection-state=invalid actio...
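A complete minimal stateful ruleset, added here as an illustration and not part of Sob's post. It assumes the interface lists WAN and LAN from the RouterOS default configuration, with ether1 as the uplink and a bridge for the LAN; it ends with an explicit drop, which is stricter than the default configuration (that one only drops new connections from WAN that were not dst-nat'ed):

```routeros
# Added example: minimal stateful firewall for RouterOS v6.
# Assumed: ether1 is the internet port, "bridge" carries the LAN.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

/ip firewall filter
# input chain: traffic to the router itself
add chain=input connection-state=established,related,untracked action=accept comment="replies to the router's own connections"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input in-interface-list=!LAN action=drop comment="management (WinBox, SSH, DNS) only from LAN"

# forward chain: traffic routed through the router
add chain=forward connection-state=established,related,untracked action=accept comment="packets of already accepted connections"
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN action=accept comment="LAN may open connections to the internet"
add chain=forward connection-state=new connection-nat-state=dstnat in-interface-list=WAN action=accept comment="from WAN only what a dstnat rule forwarded"
add chain=forward action=drop comment="default deny: anything not listed above"
```

Only the first packet of a connection is evaluated against the policy rules; everything after it is accepted by the established,related rule, so that rule has to stay at the top of each chain. `/ip firewall filter print stats` shows per-rule counters, which is the quickest way to see which rule a connection actually hit, and `/ip firewall connection print` shows the tracked connections with their states. If the router also routes between several LANs, the final drop blocks that traffic too, so add an explicit accept for it above the drop.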
by Sob
Tue Jan 12, 2021 6:52 pm
Forum: General
Topic: VPN Server: Migrate certificates to new hardware
Replies: 9
Views: 840

Re: VPN Server: Migrate certificates to new hardware

I'm not sure about details, so it's probably best to test it yourself. In case you don't have free spare device, you can use CHR (RouterOS VM; free version is enough).
by Sob
Tue Jan 12, 2021 7:45 am
Forum: General
Topic: Firewall Rules
Replies: 5
Views: 506

Re: Firewall Rules

According to description it should work. But it depends on what you actually did. ;)

Doing:
/export hide-sensitive file=myconfig
and then posting content of myconfig.rsc in code tags should reveal more.
by Sob
Tue Jan 12, 2021 6:32 am
Forum: General
Topic: Mikrotik VLAN & WiFi Configuration [SOLVED]
Replies: 2
Views: 408

Re: Mikrotik VLAN & WiFi Configuration [SOLVED]

You need to either: a) Use "/interface bridge vlan" and tell router that wlan-public-2ghz and wlan-public-5ghz contain tagged vlan 21. b) Remove tagging from wlan-public-2ghz and wlan-public-5ghz and set pvid 21 for them as bridge ports. In both cases you need vlan 21 tagged on bridge (in ...
by Sob
Tue Jan 12, 2021 6:20 am
Forum: General
Topic: Firewall Rules
Replies: 5
Views: 506

Re: Firewall Rules

Input is for traffic to router itself (for services running on router), see e.g. https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram. Forward is what you need for routing between interfaces. If there's no traffic in forward, there must be some mistake somewhere else.
by Sob
Tue Jan 12, 2021 3:09 am
Forum: General
Topic: Port mapping webpage
Replies: 2
Views: 511

Re: Port mapping webpage

Simplified port mapping was recently added to Quick Set (there's a button for it). But I don't think it should show up upon login.
by Sob
Tue Jan 12, 2021 3:06 am
Forum: General
Topic: VPN Server: Migrate certificates to new hardware
Replies: 9
Views: 840

Re: VPN Server: Migrate certificates to new hardware

AFAIK certificates are transferable, but the relation between RouterOS CA and issued certificates is not. So for example if you'd want to revoke some, you can't. Binary backup should contain everything, but it's not meant for different device models. I think it's bad, but so far it doesn't seem to ...
by Sob
Mon Jan 11, 2021 11:07 pm
Forum: RouterBOARD hardware
Topic: RB idea
Replies: 8
Views: 947

Re: RB idea

Clever, but probably not something that OP or users with similar requirements would appreciate that much, it's still two devices and extra cable.
by Sob
Mon Jan 11, 2021 10:38 pm
Forum: Beginner Basics
Topic: Putting more information into router advertisement packets?
Replies: 24
Views: 1456

Re: Putting more information into router advertisement packets?

I agree with you, but as it is now, you can't do much with v6, but at least v7 shows that things are slowly improving (it's not fully automatic, but you can make it so with script). Unfortunately, IPv6 is not the highest priority for MikroTik, so it may take a while before you're fully satisfied.
by Sob
Mon Jan 11, 2021 10:29 pm
Forum: RouterBOARD hardware
Topic: RB idea
Replies: 8
Views: 947

Re: RB idea

About laptops without ethernet, there's a simple solution, don't buy such crippled devices. If you already made that mistake, then suffer. It's the equivalent of touching hot stove, it's an important life lesson. I know it's not helpful, but I couldn't resist. Don't take it dead serious. :) But not al...
by Sob
Mon Jan 11, 2021 10:09 pm
Forum: Beginner Basics
Topic: Tips to understand if router hacked [SOLVED]
Replies: 15
Views: 1555

Re: Tips to understand if router hacked [SOLVED]

Yes, "/log print" is one way, or use WinBox or WebFig to view log, whatever you like most.

If you are getting already blacklisted addresses, there's not much you can do with it, other than convincing ISP to give you new static address that's not blacklisted.
by Sob
Mon Jan 11, 2021 10:05 pm
Forum: Beginner Basics
Topic: forward requests from LAN IP to external server by domain name
Replies: 2
Views: 278

Re: forward requests from LAN IP to external server by domain name

You can set server address on device to some fake unused one (e.g. 10.10.10.10) and create dstnat rule: /ip firewall nat add chain=dstnat dst-address=10.10.10.10 protocol=tcp dst-port=25 action=dst-nat to-addresses=1.2.3.4 comment=someuniqueid But you can't use hostname in to-addresses, so you need ...
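The post's rule with a script that keeps its to-addresses current, added here as an example and not Sob's own script. The fake address 10.10.10.10, the placeholder 1.2.3.4 and the comment someuniqueid are from the post; the hostname smtp.example.com, the script name refresh-smtp-target and the 5-minute interval are assumptions. The script body goes into /system script (as the source of a script named refresh-smtp-target) before the scheduler is added:

```routeros
# Added example: dst-nat to an external host that is known only by name.
/ip firewall nat
add chain=dstnat dst-address=10.10.10.10 protocol=tcp dst-port=25 action=dst-nat to-addresses=1.2.3.4 comment=someuniqueid

# --- source of /system script "refresh-smtp-target" (name assumed) ---
# Resolves the name and rewrites to-addresses only when the answer changed,
# so the rule (and its counters) is left alone while the address is stable.
:local host "smtp.example.com"
:local rule [/ip firewall nat find where comment="someuniqueid"]
:if ([:len $rule] = 0) do={
    :log warning "refresh-smtp-target: nat rule someuniqueid not found"
} else={
    # :resolve throws an error when DNS fails; on-error keeps the old target
    :do {
        :local ip [:resolve $host]
        :if ([/ip firewall nat get $rule to-addresses] != $ip) do={
            /ip firewall nat set $rule to-addresses=$ip
            :log info "refresh-smtp-target: $host is now $ip"
        }
    } on-error={
        :log warning "refresh-smtp-target: cannot resolve $host, keeping old target"
    }
}
# --- end of script source ---

# Run it periodically; keep the interval shorter than the record's TTL.
/system scheduler
add name=refresh-smtp-target interval=5m start-time=startup on-event=refresh-smtp-target
```

The fake address belongs to no local subnet, so the client's packet is carried by the default route towards the WAN, where the usual masquerade rule rewrites the source; nothing else is needed for the reply to come back. Newer RouterOS versions resolve hostnames placed in an address list by themselves, but to-addresses still takes only an IP address, hence the script. `/ip firewall nat print stats where comment=someuniqueid` shows whether the rule is matching and what it currently points at.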
by Sob
Mon Jan 11, 2021 9:51 pm
Forum: Beginner Basics
Topic: Help - Route 2 Segment under 2 Gateway.
Replies: 1
Views: 194

Re: Help - Route 2 Segment under 2 Gateway.

Problem is, devices use their default gateway to access other subnets. And just because you add a router connected to both subnets, it won't magically start routing between them. The router itself would be for it, after all, routing is its life. But other devices won't start to use it as gateway when ...
by Sob
Mon Jan 11, 2021 9:46 pm
Forum: General
Topic: how to set a firewall address list group
Replies: 5
Views: 515

Re: how to set a firewall address list group

And it's a pity, because ipset (which is probably used internally) does support lists of lists, together with other useful list types (I would very much like to have its hash:ip,port list).
by Sob
Mon Jan 11, 2021 12:17 am
Forum: Beginner Basics
Topic: Tips to understand if router hacked [SOLVED]
Replies: 15
Views: 1555

Re: Tips to understand if router hacked [SOLVED]

Send and receive are two different things, you don't need anything listening on smtp port to send mail. Of course if anyone would be able to hack the router enough to install own software, they could install smtp server if they wanted to. I just don't see any reasonable explanation what it would be ...
by Sob
Sun Jan 10, 2021 6:44 pm
Forum: General
Topic: Saniity Check - Winbox in IP Services
Replies: 2
Views: 253

Re: Saniity Check - Winbox in IP Services

It depends on whether you want to use WinBox or not. L2TP doesn't have much to do with it. If you want to use WinBox only over L2TP, you may limit allowed sources in "Available From" (or you can do the same using firewall filter), but you can't disable it completely.
by Sob
Sun Jan 10, 2021 6:37 pm
Forum: Beginner Basics
Topic: Putting more information into router advertisement packets?
Replies: 24
Views: 1456

Re: Putting more information into router advertisement packets?

Few points: - IPv6 is supposed to eventually replace IPv4, so IPv6-only networks make sense. Only when you do it now, you may be a little bit too ahead. Most of the internet is still IPv4-only, so you need NAT64 + DNS64, which is not exactly nice (mainly the DNS64 part). That said, it's not wrong, y...
by Sob
Sun Jan 10, 2021 5:55 pm
Forum: Beginner Basics
Topic: RB760IGS ignores VLAN settings
Replies: 1
Views: 226

Re: RB760IGS ignores VLAN settings

When you have vlan interface on bridge, then in "/interface bridge vlan" it must be tagged also on bridge interface, e.g.:
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=1000
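A complete bridge VLAN configuration built around that rule, added here as an example and not part of the post. Port names, VLAN ids (10, 20 for users, 1000 for management) and addresses are assumptions; the frame-types and ingress-filtering settings are what keeps a host on an access port from tagging its own frames into another VLAN:

```routeros
# Added example: bridge VLAN filtering with two access ports, two trunks and
# VLAN interfaces terminated on the bridge (RouterOS v6.41 or newer).
/interface bridge
add name=bridge vlan-filtering=no comment="filtering stays off until the VLAN table is complete"
/interface bridge port
# access ports: untagged frames go to the port's pvid; tagged frames are refused,
# so a client cannot hop into another VLAN by sending 802.1Q-tagged frames
add bridge=bridge interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# trunk ports: tagged frames only, and only for VLANs listed in the table below
add bridge=bridge interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
# the bridge itself must be tagged for every VLAN that has a /interface vlan on it,
# otherwise the router's own VLAN interface never sees the traffic
add bridge=bridge vlan-ids=10 tagged=bridge,ether4,ether5 untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge,ether4,ether5 untagged=ether3
add bridge=bridge vlan-ids=1000 tagged=bridge,ether4,ether5 comment="management, no access port"
/interface vlan
add name=vlan10 interface=bridge vlan-id=10
add name=vlan20 interface=bridge vlan-id=20
add name=vlan1000 interface=bridge vlan-id=1000
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=10.255.0.1/24 interface=vlan1000
# last step; do it from a terminal in safe mode (Ctrl-X) so a mistake that cuts
# off the management session is rolled back automatically
/interface bridge set bridge vlan-filtering=yes
```

After enabling filtering, `/interface bridge vlan print` shows for each VLAN the current-tagged and current-untagged ports the bridge actually uses, and `/interface bridge host print` shows on which VLAN each learned MAC address was seen; both are the first things to check when a VLAN "is ignored".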
by Sob
Sun Jan 10, 2021 5:51 pm
Forum: Beginner Basics
Topic: Tips to understand if router hacked [SOLVED]
Replies: 15
Views: 1555

Re: Tips to understand if router hacked [SOLVED]

Your rule will stop connections to router itself, but that's useless, because there's no smtp server on router. What I meant is: /ip firewall filter add chain=forward protocol=tcp dst-port=25 action=reject reject-with=tcp-reset log=yes log-prefix=smtp It will stop smtp connections through router and...
by Sob
Sat Jan 09, 2021 6:31 pm
Forum: Beginner Basics
Topic: Putting more information into router advertisement packets?
Replies: 24
Views: 1456

Re: Putting more information into router advertisement packets?

Currently you can't, it's not much configurable yet. DNS servers are simply taken from "/ip dns", but you don't want to add router's own address there. You can combine it with DHCPv6. If you add server without pool, it will function in stateless mode and only provide info (you'll have to e...
by Sob
Sat Jan 09, 2021 6:22 pm
Forum: General
Topic: Load Balancing and
Replies: 5
Views: 568

Re: Load Balancing and

Here you have it with explanation how it works:

https://wiki.mikrotik.com/wiki/Manual:PCC
by Sob
Sat Jan 09, 2021 6:18 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1160

Re: Adding static route won't bypass nat

Sure, use anything you like, it's not like any of this would be personal secret of mine. If it was, I wouldn't share it. :)
by Sob
Sat Jan 09, 2021 12:14 am
Forum: Beginner Basics
Topic: Tips to understand if router hacked [SOLVED]
Replies: 15
Views: 1555

Re: Tips to understand if router hacked [SOLVED]

If it's spam, it's far more likely that it's some infected device behind the router than the router itself. If you're not running mailserver, you can block access from LAN to SMTP port (tcp 25), because nothing should need it (clients should use other ports to access mailservers). You can also log c...
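The block-and-log idea from this post and the earlier reject rule in the same thread, combined into one ruleset that also records which host tried; added as an example, not Sob's own rules. It assumes the interface lists LAN and WAN and an internal mail server at 192.168.88.25 that is allowed to use port 25 (drop that exception if there is none):

```routeros
# Added example: refuse outbound SMTP from the LAN and keep a list of the
# hosts that attempted it (those are the spam candidates to look at).
/ip firewall address-list
add list=smtp-allowed address=192.168.88.25 comment="internal MTA (assumed)"
/ip firewall filter
# 1. Record the source: add-src-to-address-list does not stop rule processing,
#    so the same packet continues to the reject rule right after it.
add chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=25 src-address-list=!smtp-allowed action=add-src-to-address-list address-list=smtp-talkers address-list-timeout=1d log=yes log-prefix=smtp comment="log LAN hosts trying port 25"
# 2. Reject with a TCP reset so the client fails immediately instead of
#    hanging until its connect timeout.
add chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=25 src-address-list=!smtp-allowed action=reject reject-with=tcp-reset comment="block outbound smtp"
```

Both rules have to sit above any general "LAN to WAN accept" rule, otherwise that rule accepts the connection first; connection-state=new makes them safe relative to the established,related rule. Mail clients use submission on tcp/587 or 465, which is not touched. `/ip firewall address-list print where list=smtp-talkers` then lists the internal addresses to inspect, and `/log print where message~"^smtp"` shows the individual attempts with the destination they tried to reach.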
by Sob
Fri Jan 08, 2021 11:47 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1160

Re: Adding static route won't bypass nat

The conclusion for me is that adding any kind of static route should not be used alone to bypass masquerade rules. Correct, not in combination with IPSec. For the record, what I do about leaking packets is: /ip route add dst-address=10.0.0.0/8 type=unreachable add dst-address=172.16.0.0/12 type=unr...
by Sob
Fri Jan 08, 2021 10:21 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1160

Re: Adding static route won't bypass nat

Two things: 1) I'm not sure why you have sa-src-address=192.168.13.254, which is part of LAN subnet. But that probably doesn't have any negative effect. 2) There's a catch with accessing remote subnet from router itself over plain IPSec tunnels. It doesn't work with default config, because router choo...
by Sob
Fri Jan 08, 2021 8:17 pm
Forum: General
Topic: Howto mark Amazon AWS traffic?
Replies: 4
Views: 498

Re: Howto mark Amazon AWS traffic?

How exactly do you do it? Do you mark routing directly based on address list? That wouldn't work well if it changes very often. But if you mark connections based on address list and then mark routing based on connection marks, it should work.
by Sob
Fri Jan 08, 2021 1:58 am
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1160

Re: Adding static route won't bypass nat

But they are not ignored! If I remove the dummy rule (dst-address=192.168.0.0/16 gateway=vpn-blackhole) then it fails to work again. If you don't believe me then try it, you will see. So that blackhole rule is not ignored and it is needed. I would like to know why it is needed, and how it is used. ...
by Sob
Thu Jan 07, 2021 10:25 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1160

Re: Adding static route won't bypass nat

There are two things: 1) Routing and outgoing interface. Based on routes, outgoing interface should be vpn-blackhole. And that's true when IPSec is not active. Active IPSec clearly changes routing decision in some way. Again, it's not completely wrong, because it reflects where those packets really ...
by Sob
Thu Jan 07, 2021 7:54 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1160

Re: Adding static route won't bypass nat

I assumed that you used same rules, so it was strange why it would work on one device and not on another. If the working one has ipsec-policy=out,none, then it explains it. This condition matches only when there's no IPSec policy for packets. And when there is (like in this case), it doesn't match a...
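The two pieces this thread arrives at, the unreachable routes from Sob's earlier reply and the ipsec-policy=out,none condition explained here, put together as an example (not the thread's own config). Assumptions: ether1-internet is the uplink, 192.168.55.0/24 is the remote LAN, reached either over a tunnel interface named vpn-tunnel or over a policy-based IPSec tunnel:

```routeros
# Added example: keep private-range traffic from being masqueraded onto the
# internet when the tunnel that should carry it is not there.
/ip route
# The tunnel route is more specific and wins while the interface is running...
add dst-address=192.168.55.0/24 gateway=vpn-tunnel comment="remote LAN via tunnel"
# ...and when it goes inactive these catch-alls answer with ICMP unreachable
# instead of letting the default route hand the packet to the WAN.
add dst-address=10.0.0.0/8 type=unreachable comment="no RFC1918 leak"
add dst-address=172.16.0.0/12 type=unreachable comment="no RFC1918 leak"
add dst-address=192.168.0.0/16 type=unreachable comment="no RFC1918 leak"
/ip firewall nat
# With policy-based IPSec the routing decision is overridden by the policy, so
# the routes above are not enough: the masquerade itself must skip packets an
# outgoing IPSec policy applies to. out,none matches only packets with no policy.
add chain=srcnat out-interface=ether1-internet ipsec-policy=out,none action=masquerade
```

To verify, disable the tunnel and ping a remote-LAN address from a client: the answer should be "no route to host" (ICMP unreachable from the router) rather than a silent timeout, and the masquerade rule's counter in `/ip firewall nat print stats` must not increase. `/ip route print where type=unreachable` lists the guard routes and shows whether they are currently the active ones.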
by Sob
Thu Jan 07, 2021 5:04 pm
Forum: Beginner Basics
Topic: Substring ( URI?) firewall filter
Replies: 8
Views: 656

Re: Substring ( URI?) firewall filter

It's not that I'd recommend it, I see it more as hack, but it's possible.
by Sob
Thu Jan 07, 2021 6:27 am
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1160

Re: Adding static route won't bypass nat

It's something with IPSec, I can reproduce it. When I add logging rule in forward chain, then with peer disabled it shows vpn-blackhole as outgoing interface, but with peer enabled it changes to ether1-internet. It's kind of right, because it's actually where packets go to, but I'm not sure if firew...
by Sob
Wed Jan 06, 2021 11:33 pm
Forum: Beginner Basics
Topic: Substring ( URI?) firewall filter
Replies: 8
Views: 656

Re: Substring ( URI?) firewall filter

Proxy in RouterOS can be misused as reverse proxy:

https://web.archive.org/web/20201111190 ... eb_Servers

It's not ideal, but I've seen people doing worse things.
by Sob
Tue Jan 05, 2021 11:55 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1160

Re: Adding static route won't bypass nat

I don't see it, but srcnat's condition is out-interface=ether1-internet, so it will match only connections going out via ether1-internet. That will happen when router thinks that route to destination leads there. And that should only happen when your static route is either not active, or if there's ...
by Sob
Tue Dec 29, 2020 4:44 pm
Forum: General
Topic: Hairpin NAT no longer working after setting up VLANS [SOLVED]
Replies: 9
Views: 937

Re: Hairpin NAT no longer working after setting up VLANS [SOLVED]

You have dstnat rules with in-interface=ether1, so they only work for connections from internet. Two basic options are: a) Replace in-interface=ether1 with dst-address=<your public address> b) Replace in-interface=ether1 with dst-address-type=local dst-address=!<destination address you want to exclu...
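Option b) from this reply and the same fix given earlier in the port forwarding thread, carried through to a complete hairpin-capable forward; this is an added example, not the poster's configuration. Assumed: LAN 192.168.88.0/24 with the router at 192.168.88.1, a server at 192.168.88.101 on tcp/2302, interface lists WAN and LAN, and the usual masquerade rule for LAN to internet already in place:

```routeros
# Added example: port forward that also works when a LAN client uses the
# public address (hairpin NAT), independent of the WAN address being static.
/ip firewall nat
# dst-address-type=local matches every address the router owns, so it follows a
# dynamic public address; the LAN gateway address is excluded so that
# connections to 192.168.88.1:2302 are not forwarded.
add chain=dstnat dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=2302 action=dst-nat to-addresses=192.168.88.101 comment="forward 2302 to server"
# Hairpin: for a LAN client the server would otherwise answer directly to the
# client's address, and the client drops that reply because it came from
# 192.168.88.101 instead of the public address it connected to. srcnat runs
# after dstnat, so dst-address here is already the translated server address.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.101 protocol=tcp dst-port=2302 action=masquerade comment="hairpin for 2302"
/ip firewall filter
# Accept forwarded connections whichever interface they arrive on; this rule
# must sit above the one that drops new connections from WAN.
add chain=forward connection-state=new connection-nat-state=dstnat action=accept comment="accept port forwards"
```

Test from a LAN host against the public address: the counters of both NAT rules in `/ip firewall nat print stats` should increase, and `/ip firewall connection print where dst-port=2302` shows the hairpinned entry with the router's LAN address as the translated source. The price of the hairpin masquerade is that the server sees the router's address instead of the real client in its logs; if those addresses matter, split DNS (resolving the name to 192.168.88.101 inside the LAN) avoids the hairpin altogether.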
by Sob
Tue Dec 29, 2020 4:32 pm
Forum: General
Topic: Reading Source IP on my Filtering DNS Server
Replies: 12
Views: 855

Re: Reading Source IP on my Filtering DNS Server

I think it's safe to say that client 192.168.88.150 and server 10.10.10.1 are not in same subnet. :)
by Sob
Tue Dec 29, 2020 4:20 pm
Forum: General
Topic: Reading Source IP on my Filtering DNS Server
Replies: 12
Views: 855

Re: Reading Source IP on my Filtering DNS Server

Your first srcnat rule tells router to masquerade (= change source to router's address) any connection passing through router, no matter what's the source or destination. What you request is what you get. Usually you want that only for connections from LAN to internet, so it would mean adding someth...
by Sob
Mon Dec 28, 2020 12:40 pm
Forum: General
Topic: Feature Request: IPv6 NAT66 Support
Replies: 44
Views: 13161

Re: Feature Request: IPv6 NAT66 Support

Well, changing prefix is matter of opinion, I guess. I wouldn't want it, but I can see why somebody else would. Preferably it should be a choice offered by ISP. When I wrote mistake, I was thinking about giving only single /64 to user, because it's limiting and I don't think there's any way how it c...
by Sob
Mon Dec 28, 2020 12:07 pm
Forum: General
Topic: Feature Request: IPv6 NAT66 Support
Replies: 44
Views: 13161

Re: Feature Request: IPv6 NAT66 Support

I wouldn't hold my breath for ways to subnet /64. Personally I don't think that SLAAC in current form was great idea. Using /64 is terribly wasteful. Deriving IP address from MAC address turned out to be quite unfortunate. Fixing privacy problem with Privacy Extensions and the whole thing with tempo...
by Sob
Mon Dec 28, 2020 6:51 am
Forum: General
Topic: Is it possible to "subnet" a /64 prefix between 2 internal LANs?
Replies: 10
Views: 1037

Re: Is it possible to "subnet" a /64 prefix between 2 internal LANs?

Main problem with other than /64 prefixes is lack of autoconfiguration. If you'd go with static config, you can subnet it any way you like. But static config doesn't go well with dynamic prefix. Even if it doesn't change randomly, you still have no guarantee that it won't do it one day. This part co...
by Sob
Mon Dec 28, 2020 5:11 am
Forum: Beginner Basics
Topic: Generate paket lost on specific destination ! [SOLVED]
Replies: 3
Views: 437

Re: Generate paket lost on specific destination ! [SOLVED]

Or if you want it less predictable, there's also:
random (integer: 1..99; Default: ) - Matches packets randomly with given probability.
by Sob
Sun Dec 27, 2020 4:20 am
Forum: General
Topic: Please finish implementation of OpenVPN protocol (authentication without password, certificates)
Replies: 5
Views: 548

Re: Please finish implementation of OpenVPN protocol (authentication without password, certificates)

And most of the VPN providers use for authentication certificates without login and password. Just this part alone may not be a problem. RouterOS supports client certificates for OpenVPN. It also requires you to enter some username, but when I tested it with server that uses official OpenVPN with ce...
by Sob
Fri Dec 25, 2020 8:30 pm
Forum: Beginner Basics
Topic: Questions about "Use host names in firewall rules" [SOLVED]
Replies: 3
Views: 533

Re: Questions about "Use host names in firewall rules" [SOLVED]

In newer versions you can put hostname directly in address list and system will resolve it automatically (and refresh it when its ttl expires). So it's easier and script is not needed. But if for some reason you like script better, you can keep using it. The right chain depends on what you're trying...
by Sob
Thu Dec 24, 2020 11:56 pm
Forum: Useful user articles
Topic: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)
Replies: 42
Views: 7637

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

It's the killswitch, it affects all packets from hosts listed in "under_vpn" list, including those to other local subnets. Your modification kind of breaks the killswitch, because it now works only for packets with connection-mark=under_vpn, but you set that when first packet goes out, so ...
by Sob
Thu Dec 24, 2020 8:42 pm
Forum: General
Topic: Give other address pool to OpenVPN users [SOLVED]
Replies: 2
Views: 349

Re: Give other address pool to OpenVPN users [SOLVED]

You can either: a) Fix your office tunnels to include VPN range at main office's end. So add other policies for 192.168.54.0/24 or change existing ones from 192.168.55.0/24 to 192.168.54.0/23. b) Use srcnat to hide 192.168.54.x behind some 192.168.55.x, to match existing policies. Clean solution i...
by Sob
Wed Dec 23, 2020 11:26 pm
Forum: Scripting
Topic: hairpin with 2 WAN
Replies: 2
Views: 552

Re: hairpin with 2 WAN

You can use scripts in PPP profile, just use this as "On Up":
:local Name [/interface pppoe-client get $interface name]
/ip firewall address-list remove [find where list=Hairpin comment=$Name]
/ip firewall address-list add list=Hairpin address=$"local-address" comment=$Name
and ...
by Sob
Wed Dec 23, 2020 10:05 pm
Forum: General
Topic: Difference between Winbox and Terminal
Replies: 5
Views: 551

Re: Difference between Winbox and Terminal

They probably moved some stuff around. It's no problem in WinBox, because worst case is that user will be confused for a minute and then will find it in the new place. Doing the same in CLI means broken scripts, that's much more annoying.
by Sob
Tue Dec 22, 2020 10:41 pm
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 561

Re: IP Firewall Address list FQDN resolution expiration

I don't have anything with Tile architecture, but CHR 6.46.8 works exactly as I describe, and it's the same as any other version I've seen. If yours keeps adding new addresses, but old ones (that the hostname no longer resolves to) are not removed, it's a bug. Replacing expired addresses with current ...
by Sob
Tue Dec 22, 2020 9:51 pm
Forum: General
Topic: traffic to a webserver sitting behind a router [SOLVED]
Replies: 16
Views: 1242

Re: traffic to a webserver sitting behind a router [SOLVED]

^^^ What he wrote.

And there's nothing special about VLANs, except when you mess with bridge's Use IP Firewall option, then things can become quite unexpected.
by Sob
Tue Dec 22, 2020 9:35 pm
Forum: Beginner Basics
Topic: Firewall message
Replies: 1
Views: 289

Re: Firewall message

Some of your firewall NAT rules have logging enabled, so you see this message when a matching connection comes in. Find which one, check what it does, if you need it, etc.
by Sob
Tue Dec 22, 2020 12:32 am
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2873

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

Easy to understand way would be to have separate fields for IP address and mask (but I'm not advocating for it, I like current <address>/<mask>). And to not have editable field for network at all, because IP address and mask is enough (except for peer-to-peer use, so there should be optional field f...
by Sob
Tue Dec 22, 2020 12:21 am
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 561

Re: IP Firewall Address list FQDN resolution expiration

I still don't know if I get it. What confuses me, is that what seems to be description of current state, is not what happens, I mean these parts: If the FQDN address resolves to a new address that IP will be added to the list >>>and the old IP item will be retained<<<. ..., this will resolve the IP ...
by Sob
Mon Dec 21, 2020 11:46 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2873

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

Yes. The other image you posted shows it, router's address can be anything between HostMin and HostMax (inclusive).
by Sob
Mon Dec 21, 2020 10:57 pm
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 561

Re: IP Firewall Address list FQDN resolution expiration

Well, it's possible that I missed your point. I'll test what happens with entries added with hostname and timeout (I never tested that combination before), maybe it will make things clearer. In any case, my understanding of hostnames in address list is that it's for tracking current address of given...
by Sob
Mon Dec 21, 2020 9:46 pm
Forum: Beginner Basics
Topic: Trouble setting up port forwarding
Replies: 14
Views: 1203

Re: Trouble setting up port forwarding

If you have one public address for yourself, they "lose" it either way, it doesn't matter if it's on your router or theirs. Don't count CGNAT address, there's plenty of those, only public ones are scarce.
by Sob
Mon Dec 21, 2020 9:37 pm
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 561

Re: IP Firewall Address list FQDN resolution expiration

It should be all automatic, resolved addresses simply inherit ttl from dns record, disappear when it expires, and system then resolves hostname again.
by Sob
Mon Dec 21, 2020 8:13 pm
Forum: Beginner Basics
Topic: Problems with portforwarding.
Replies: 9
Views: 821

Re: Problems with portforwarding.

To allow all forwarded ports at once (you most likely want that, otherwise why would you forward them at all), use this:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
by Sob
Mon Dec 21, 2020 8:09 pm
Forum: Beginner Basics
Topic: Trouble setting up port forwarding
Replies: 14
Views: 1203

Re: Trouble setting up port forwarding

Two basic options:

a) They changed dhcp/pppoe (whatever you have) config and you now have public address on your router
b) They just forward ports from public address to your 100.x.x.x, i.e. NAT 1:1.
by Sob
Mon Dec 21, 2020 1:16 am
Forum: Scripting
Topic: How do I disable a rule in IP ROUTE? [SOLVED]
Replies: 4
Views: 713

Re: How do I disable a rule in IP ROUTE? [SOLVED]

Examples:
/ip route disable [find comment="test"]
/ip route disable [find dst-address=10.0.0.0/8]
/ip route disable [find dst-address=0.0.0.0/0 gateway=10.1.1.1]
by Sob
Sun Dec 20, 2020 5:28 am
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2873

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

You're wrong. :) For start, forget the Network field, just pretend it's not there. You won't miss it. RouterOS will fill it automatically based on IP address and mask. You don't enter network in e.g. Windows, only address and mask. It's the same in RouterOS, only mask has different form. When you ha...
by Sob
Sat Dec 19, 2020 11:04 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2873

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

And gateway address for this router is in IP->Routes, as part of default route (the one with "Dst. Address" 0.0.0.0/0, usually added by DHCP client). What I actually think can be confusing is "Network" when adding IP address. Normally it's useless and I don't remember any other O...
by Sob
Sat Dec 19, 2020 10:26 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2873

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

You can see it as shortcut. Instead of entering separate 192.168.88.1 as address and 255.255.255.0 as netmask, you have just one value address/mask (24 is equal to 255.255.255.0).
by Sob
Sat Dec 19, 2020 9:08 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2873

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

"Address List" is not completely wrong, it is list of addresses. Similar thing is in other places too, for example:
IP->ARP -> ARP List
IP->Routes -> Route List
...
It wouldn't hurt if windows got same titles as menu items. But I'd still keep some as they are now, e.g.:
IP->DNS -> DNS Sett...
by Sob
Sat Dec 19, 2020 7:47 pm
Forum: General
Topic: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%
Replies: 7
Views: 867

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

From what I tried a year ago (this post and this post), hEX S is nice, but not exactly performance beast with vlans. If I remember correctly, those tests were without any firewall. Number of connections is critical. If you have many, it's relatively ok. But for example for copying file between vla...
by Sob
Sat Dec 19, 2020 1:52 am
Forum: Scripting
Topic: Removing ip addresses in a list based on another
Replies: 7
Views: 931

Re: Removing ip addresses in a list based on another

You're right. It's actually documented: https://wiki.mikrotik.com/wiki/Manual:Scripting#Reserved_variable_names So on one hand I can't complain, but on the other it confirms what I'm saying, this whole thing is not intuitive (to me at least), because who would expect all property names to be reserve...
by Sob
Thu Dec 17, 2020 8:03 pm
Forum: General
Topic: OVPN/CPU max out ?
Replies: 4
Views: 657

Re: OVPN/CPU max out ?

I don't know the answer, but if you already have the device (I'm guessing you have some previous experience with them and you didn't just find random board on internet), it would be best to test it with trial license (it runs unlimited for 24 hours). If you don't have it yet, then remember that x86 ...
by Sob
Thu Dec 17, 2020 7:39 pm
Forum: General
Topic: Implementation of Hairpin NAT question
Replies: 8
Views: 764

Re: Implementation of Hairpin NAT question

That has to be the longest config posted to this forum. But it should be as I wrote, you have unconditional masquerade, and it applies to all connections passing through router, except those from IPSec that are excluded by accept rules in srcnat chain. So replace this:
/ip firewall nat add action=masqu...
by Sob
Thu Dec 17, 2020 7:11 pm
Forum: Scripting
Topic: Removing ip addresses in a list based on another
Replies: 7
Views: 931

Re: Removing ip addresses in a list based on another

It's not Lua, it's MikroTik's custom thing (they briefly had Lua in some beta version, but it didn't make it to final). It wouldn't be that bad, it's slightly unintuitive, but it would be possible to get used to it. Main problem is that it doesn't have any useful feedback, typo in code means silent ...
by Sob
Thu Dec 17, 2020 6:33 pm
Forum: Beginner Basics
Topic: how to correctly enable DNS over HTTPS
Replies: 6
Views: 898

Re: how to correctly enable DNS over HTTPS

The https://my.nextdns.io/ creates temporary account even without registering, so I did quick test with that, and it works. Only server addresses are slightly different:
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
...
by Sob
Thu Dec 17, 2020 3:10 pm
Forum: Beginner Basics
Topic: how to correctly enable DNS over HTTPS
Replies: 6
Views: 898

Re: how to correctly enable DNS over HTTPS

Address https://dns.nextdns.io/id is probably wrong. I have no previous experience with the service, but it seems that "id" should be replaced by some identifier you get from them by registering.
by Sob
Wed Dec 16, 2020 9:50 pm
Forum: General
Topic: Help with IPv6 setup
Replies: 8
Views: 701

Re: Help with IPv6 setup

IPv4 and IPv6 are independent, so that can't directly break anything. But things do work slightly differently. With IPv4, you typically have one public address and you forward ports from it to internal servers. IPv6 by default doesn't use NAT, so internal servers have public addresses directly on th...
by Sob
Wed Dec 16, 2020 9:06 pm
Forum: General
Topic: Help with IPv6 setup
Replies: 8
Views: 701

Re: Help with IPv6 setup

Try this and scroll down to /ipv6 firewall:
/system default-configuration print
by Sob
Wed Dec 16, 2020 8:19 pm
Forum: General
Topic: Help with IPv6 setup
Replies: 8
Views: 701

Re: Help with IPv6 setup

You don't want address, you want prefix:
/ipv6 dhcp-client add interface=<WAN> request=prefix pool-name=from-dhcp add-default-route=yes
If you don't get it, you have a problem. If you do, then it will create new pool, and you can assign subnet from it using:
/ipv6 address add interface=<LAN> address...
by Sob
Wed Dec 16, 2020 6:54 pm
Forum: General
Topic: Implementation of Hairpin NAT question
Replies: 8
Views: 764

Re: Implementation of Hairpin NAT question

As a quick and easy fix, you may need additional srcnat rule(s). For example something like:
/ip firewall nat add chain=srcnat src-address=<VPN clients subnet> dst-address=<LAN subnet> action=masquerade
Better solution would be to have proper routing, firewall config on all devices, etc. Config can ...
by Sob
Wed Dec 16, 2020 6:46 pm
Forum: Beginner Basics
Topic: Trouble setting up port forwarding
Replies: 14
Views: 1203

Re: Trouble setting up port forwarding

You have to ask ISP. They may be able to give you public address directly. Or at least do NAT 1:1, so you wouldn't really have it, but every packet to it would be forwarded to address on your router, so most things would work ok. If you are really unlucky, they may have no free addresses left. Wheth...
by Sob
Wed Dec 16, 2020 2:37 pm
Forum: Beginner Basics
Topic: Trouble setting up port forwarding
Replies: 14
Views: 1203

Re: Trouble setting up port forwarding

... gives me 100.x.x.x which is not a private IP).
It depends. Is X in 100.X.x.x between 64 and 127? If so, it's CGNAT range and it's not public either. Then your ability to forward ports would depend on ISP first forwarding ports to you from real public address.
by Sob
Wed Dec 16, 2020 2:21 pm
Forum: Beginner Basics
Topic: NAT on Loopback for one destination from one LAN Data Subnets [SOLVED]
Replies: 6
Views: 501

Re: NAT on Loopback for one destination from one LAN Data Subnets [SOLVED]

Probably not, unless you'd have some special config (e.g. some policy routing where this traffic can use different routes and outgoing interfaces, and you'd need NAT for only one).
by Sob
Wed Dec 16, 2020 6:39 am
Forum: Beginner Basics
Topic: NAT on Loopback for one destination from one LAN Data Subnets [SOLVED]
Replies: 6
Views: 501

Re: NAT on Loopback for one destination from one LAN Data Subnets [SOLVED]

I don't know what's with the marking, you shouldn't need it for this. As for srcnat, first one looks wrong because of out-interface and out-bridge-port, second one can't work when it looks for non-existent connection mark, and third one is closest to what you described you want. If you add destinati...
by Sob
Wed Dec 16, 2020 5:37 am
Forum: Beginner Basics
Topic: NAT on Loopback for one destination from one LAN Data Subnets [SOLVED]
Replies: 6
Views: 501

Re: NAT on Loopback for one destination from one LAN Data Subnets [SOLVED]

It's usually good idea to share non-working config and have someone spot the problem, rather than have them inventing the whole thing from scratch.
by Sob
Tue Dec 15, 2020 6:59 am
Forum: Beginner Basics
Topic: Please save my Christmas VPN Network [SOLVED]
Replies: 14
Views: 1353

Re: Please save my Christmas VPN Network [SOLVED]

One tiny little detail, when you added source NAT on RPi like you did, you don't need the route (at least for connections from VPN to LAN).
by Sob
Tue Dec 15, 2020 3:47 am
Forum: General
Topic: IPSEC and Fastrack
Replies: 1
Views: 308

Re: IPSEC and Fastrack

Those two default rules in forward filter are fine for site to site VPNs. But not for popular VPNs where you route your traffic to internet via the tunnel, and you only get single IP address for your end from them. Because then you have to use srcnat, and only after that will outgoing packets match ...
by Sob
Tue Dec 15, 2020 3:20 am
Forum: Beginner Basics
Topic: Port forwarding doesn't work, cannot access from WAN (new router)
Replies: 7
Views: 528

Re: Port forwarding doesn't work, cannot access from WAN (new router)

One reason could be if old router had different address, you'd have swapped it for the new one, and device connected behind switch (so it would not get disconnected) would still keep dhcp lease and wrong gateway from the old one. Or the service could have failed and wasn't listening on the port.
by Sob
Tue Dec 15, 2020 3:14 am
Forum: Beginner Basics
Topic: on premise website as https
Replies: 7
Views: 635

Re: on premise website as https

No, router has nothing to do with that. It's webserver like any other. So either configure it as https-only with http disabled (clients will have to type address with https://, unless I missed that some browsers would use https by default), or keep http enabled and configure it to redirect everythin...
by Sob
Tue Dec 15, 2020 3:07 am
Forum: General
Topic: IPv6 DNS Cache only available when allow-remote-requests=yes [SOLVED]
Replies: 4
Views: 420

Re: IPv6 DNS Cache only available when allow-remote-requests=yes [SOLVED]

Hotspot definitely interferes with traffic, but I don't know if it does anything with DNS. It sounds possible.
by Sob
Tue Dec 15, 2020 2:54 am
Forum: Beginner Basics
Topic: Please save my Christmas VPN Network [SOLVED]
Replies: 14
Views: 1353

Re: Please save my Christmas VPN Network [SOLVED]

Fifth line in your screenshot is dynamic route to 192.168.10.0/24 on ether1, which based on default route (I'm not sure why you have two, but it doesn't matter now) is your WAN port, i.e. connected to internet. The route has preferred source 192.168.10.1, which means that for some reason you added 1...
by Sob
Mon Dec 14, 2020 11:40 pm
Forum: Beginner Basics
Topic: Please save my Christmas VPN Network [SOLVED]
Replies: 14
Views: 1353

Re: Please save my Christmas VPN Network [SOLVED]

This one should be easy, I'll just blame it on user error. Not only is 192.168.10.1/24 on router, it's on WAN interface on top of that. So if VPN clients connected to RPi server get addresses from same subnet, some part of this config is not right.

Otherwise no further comments for now. :)
by Sob
Mon Dec 14, 2020 8:55 pm
Forum: Beginner Basics
Topic: Please save my Christmas VPN Network [SOLVED]
Replies: 14
Views: 1353

Re: Please save my Christmas VPN Network [SOLVED]

According to screenshot, you have address 192.168.10.1/24 on router, and it may not be what you want. Or what is your exact plan with subnets? Should 192.168.10.0/24 be only for VPN clients, or should some devices in LAN also have addresses from this subnet? @anav: I can tell you don't know my nativ...
by Sob
Mon Dec 14, 2020 6:05 pm
Forum: Beginner Basics
Topic: Please save my Christmas VPN Network [SOLVED]
Replies: 14
Views: 1353

Re: Please save my Christmas VPN Network [SOLVED]

Is 192.168.10.0/24 only on RPi? Does the rest of LAN know about it? This should make it better:
/ip route
add dst-address=192.168.10.0/24 gateway=192.168.1.120
by Sob
Mon Dec 14, 2020 5:54 pm
Forum: Beginner Basics
Topic: Port forwarding doesn't work, cannot access from WAN (new router)
Replies: 7
Views: 528

Re: Port forwarding doesn't work, cannot access from WAN (new router)

In your IP routes......... one should not display your actual WANIP or gateway IP on a config here, use fake numbers or use letters...........
Not exactly, one should always keep real addresses when they are private ones (in this case the better term would be "non-public", because there's...
by Sob
Mon Dec 14, 2020 5:38 pm
Forum: General
Topic: IPv6 DNS Cache only available when allow-remote-requests=yes [SOLVED]
Replies: 4
Views: 420

Re: IPv6 DNS Cache only available when allow-remote-requests=yes [SOLVED]

The DNS cache works fine for connected IPv4 networks when "allow-remote-requests=no", ...
That, if true, would be a bug.
by Sob
Mon Dec 14, 2020 4:14 am
Forum: General
Topic: Feature Request: Conditional DNS Forwarding
Replies: 8
Views: 3403

Re: Feature Request: Conditional DNS Forwarding

Wait no more, it's in RouterOS since 6.47. In slightly different form (static records named FWD) and more limited (only one server), but it works.
by Sob
Sun Dec 13, 2020 7:20 pm
Forum: Virtualization
Topic: Why RouterOS CHR and x86 use the same distribution package?
Replies: 5
Views: 907

Re: Why RouterOS CHR and x86 use the same distribution package?

I would ask why, but I know you don't like that question. It's just a little bit of useless code in both versions. Unlike with RBs, there's no "16MB flash problem" with CHR or x86, so who cares.
by Sob
Sun Dec 13, 2020 7:09 pm
Forum: General
Topic: traffic to a webserver sitting behind a router [SOLVED]
Replies: 16
Views: 1242

Re: traffic to a webserver sitting behind a router [SOLVED]

With the original broad srcnat rule, you already had working hairpin NAT, because it applied to all connections passing through router. But one thing it does, it hides real addresses. It's easy choice for connections from LAN, because you can either have wrong source address, or not connect at all. B...
by Sob
Sun Dec 13, 2020 5:03 am
Forum: Scripting
Topic: Removing ip addresses in a list based on another
Replies: 7
Views: 931

Re: Removing ip addresses in a list based on another

There's no "/ip firewall remove". This works for me:
/ip firewall address-list remove [/ip firewall address-list find list="test" address="1.2.3.4"]
but only when I write list name and address like this, I can't find a way how to make it work with variables. I assume it...
by Sob
Sat Dec 12, 2020 8:54 pm
Forum: Beginner Basics
Topic: Communication with Ethernet device without gateway
Replies: 22
Views: 2584

Re: Communication with Ethernet device without gateway

Yes, that too can be used. I took 192.168.4.153 for the device as requirement, I didn't think much about it, that maybe it isn't. :)
by Sob
Sat Dec 12, 2020 8:43 pm
Forum: General
Topic: traffic to a webserver sitting behind a router [SOLVED]
Replies: 16
Views: 1242

Re: traffic to a webserver sitting behind a router [SOLVED]

It can cause issues if there's need for hairpin NAT, i.e. when you connect to REALIP:80 not only from internet, but also from same LAN where server is. In that case it would need another srcnat rule:
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=masqu...
by Sob
Sat Dec 12, 2020 8:32 pm
Forum: Scripting
Topic: Winbox missing binding-script option for DHCPv6?
Replies: 1
Views: 347

Re: Winbox missing binding-script option for DHCPv6?

They often add CLI-only options first and then add them to WinBox later. And from time to time they seem to forget about some.
by Sob
Fri Dec 11, 2020 6:57 pm
Forum: Beginner Basics
Topic: Communication with Ethernet device without gateway
Replies: 22
Views: 2584

Re: Communication with Ethernet device without gateway

In that case it may be better to do a local test first, get the hang of it, and then if it doesn't work in target location, you'll know that it's not you. If the network cares a lot about security, maybe it's something they are doing, perhaps they don't like more than one MAC address connected to on...
by Sob
Fri Dec 11, 2020 6:52 pm
Forum: General
Topic: traffic to a webserver sitting behind a router [SOLVED]
Replies: 16
Views: 1242

Re: traffic to a webserver sitting behind a router [SOLVED]

Yes, there is, fix your broken srcnat config. You probably have something like:
/ip firewall nat
add chain=srcnat action=masquerade
and it touches even traffic you don't want it to. Adding out-interface=<WAN interface> to it could be the fix, unless you have some special requirements.
by Sob
Fri Dec 11, 2020 6:02 pm
Forum: General
Topic: help me socks5 to another gateway
Replies: 9
Views: 1227

Re: help me socks5 to another gateway

Port of SOCKS server doesn't matter. Clients connect to that port, but server creates new outgoing connections, and they look like any other connection from router itself. You can't tell if some outgoing connection is from SOCKS server, or if it's e.g. router checking for updates. Good news is that ...
by Sob
Fri Dec 11, 2020 5:51 pm
Forum: Beginner Basics
Topic: Communication with Ethernet device without gateway
Replies: 22
Views: 2584

Re: Communication with Ethernet device without gateway

What if you set use-ip-firewall=no, is it possible to connect from 192.168.4.x to device? It should be, because the router will function as completely transparent bridge (of course it won't work from other subnets like this). If even this won't work, then there's something really weird, but I don't ...
by Sob
Fri Dec 11, 2020 3:59 pm
Forum: General
Topic: Routeros built-in services interface
Replies: 6
Views: 579

Re: Routeros built-in services interface

You don't have to guess. If it was blocked by rule with in-interface-list=!LAN, then clearly the source interface wasn't in that list. :)
by Sob
Fri Dec 11, 2020 3:47 pm
Forum: General
Topic: Routeros built-in services interface
Replies: 6
Views: 579

Re: Routeros built-in services interface

Default rule works with interface list named "LAN", which contains exactly one interface. If you add other interfaces to router, but don't add them to LAN interface list, then no surprise, you won't be able to access any of router's services from these interfaces. Whether you want to add th...
by Sob
Fri Dec 11, 2020 3:38 pm
Forum: Beginner Basics
Topic: LetsEncrypt for the Hotspot?
Replies: 3
Views: 439

Re: LetsEncrypt for the Hotspot?

It depends on what you're after. If you need certificate for your hotspot login page (when you redirect user to some https://hotspot.yourdomain.tld), you can use LE certificate. Only the router won't do anything to help you with getting it, you'll need some external system to get it (e.g. using DNS ...
by Sob
Fri Dec 11, 2020 3:25 pm
Forum: General
Topic: help me socks5 to another gateway
Replies: 9
Views: 1227

Re: help me socks5 to another gateway

SOCKS proxy is server, service running on router. Client connects to router, router then connects to requested destination and relays traffic between the two. Your rule in prerouting could see incoming traffic from client to router, but that's useless, you need to work with traffic from router to de...
by Sob
Thu Dec 10, 2020 9:29 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1519

Re: DNS over HTTPS, round robin support

It says that in order to use DoH, you must set a regular DNS server, because it is needed to resolve the address of the DoH host.
I'd say it's just simplification for most common target audience. If DoH resolver uses hostname (instead of numeric address like https://1.1.1.1/dns-query), router needs...
by Sob
Thu Dec 10, 2020 9:06 pm
Forum: General
Topic: [Feature Request] ODoH
Replies: 2
Views: 502

Re: [Feature Request] ODoH

Maybe it's just me, but it starts to look overcomplicated. Basic DoH made sense, I may not want ISP, hotspot operator, or anyone on the way sniffing in my queries, either just seeing them or in worse case blocking or changing them. That happens. Some do it because they like to, some are forced to do...
by Sob
Thu Dec 10, 2020 8:14 pm
Forum: Beginner Basics
Topic: Communication with Ethernet device without gateway
Replies: 22
Views: 2584

Re: Communication with Ethernet device without gateway

Once more, can you access 192.168.4.153 (the gateway-less device) from other 192.168.4.X devices? And that with this router present, and if that doesn't work, then without this router, with device connected directly to switch in 192.168.4.0/24 network?
by Sob
Thu Dec 10, 2020 8:09 pm
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 39
Views: 2962

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

I don't remember what RB model and how fast internet connections you have, and I'm not re-reading whole thread to find out if you mentioned it or not. But generally, you want the router to do some work, so it needs some resources to do it. Dynamic routing works like this. Whether it's too much or no...
by Sob
Thu Dec 10, 2020 4:37 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1519

Re: DNS over HTTPS, round robin support

I do not disagree with you. It's just that when I need to know something, I rather spend few minutes testing it than waiting and hoping that someone gives me the answer. And for basic test, simply add two records in IP->DNS->Static for any made up hostname and random addresses, use it as DoH server...
by Sob
Thu Dec 10, 2020 5:36 am
Forum: General
Topic: External WiFi USB dongle
Replies: 2
Views: 346

Re: External WiFi USB dongle

Unless MikroTik silently added support for something (or I missed the announcement), the answer is still "no".
by Sob
Thu Dec 10, 2020 5:24 am
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1519

Re: DNS over HTTPS, round robin support

I don't know the answer and right now I'm too lazy to test it. But you can easily do it yourself. To watch default behaviour, just add logging rule in output for destinations with tcp/443 (or whatever your DoH server uses). And then in output again, you can block (reject/drop) connections to selecte...
by Sob
Thu Dec 10, 2020 5:12 am
Forum: Beginner Basics
Topic: Need some explanation regarding PCC load balancing mangle rules [SOLVED]
Replies: 39
Views: 2962

Re: Need some explanation regarding PCC load balancing mangle rules [SOLVED]

Routing marks are per-packet. If you want them routed the right way, you have to keep marking them.
by Sob
Thu Dec 10, 2020 4:47 am
Forum: Beginner Basics
Topic: Communication with Ethernet device without gateway
Replies: 22
Views: 2584

Re: Communication with Ethernet device without gateway

I actually tested this one and it worked for me. Does the device have /24 mask? Or in other words, can you access it from other devices in 192.168.4.0/24 subnet? If yes, then use Tools->Torch on both interfaces and check what's going on, if you see incoming packets from 192.168.0.220 on one interfac...
by Sob
Thu Dec 10, 2020 4:27 am
Forum: General
Topic: Winbox2 and Winbox3 Differences pertinent to Windows10
Replies: 5
Views: 674

Re: Winbox2 and Winbox3 Differences pertinent to Windows10

Does WinBox 2 still work with current RouterOS?! That sounds surprising. It doesn't work for me. But it does download 1.2MB of dlls from router (for some strange reason they still exist even in latest 6.48beta58; why, that's beyond me), but something fails and it ends with "Missing RouterOS Win...
by Sob
Thu Dec 10, 2020 3:54 am
Forum: General
Topic: NAT address from fully routed block to private subnet
Replies: 1
Views: 222

Re: NAT address from fully routed block to private subnet

If you have routed subnet, you can do all kind of (dirty) tricks. Every single address from /28 is (should be) routed to you, and you can use all 16 of them if you want, at least for communication with outside world. For example, you could as well use 1.2.3.0 for your srcnat, even though it's alread...
by Sob
Sat Dec 05, 2020 1:48 pm
Forum: Beginner Basics
Topic: Issue in NAT and port-forwarding since I changed ISP [SOLVED]
Replies: 7
Views: 785

Re: Issue in NAT and port-forwarding since I changed ISP [SOLVED]

Do dstnat rules get any hits? In other words, does the main router really forward anything to RB? The answers are either twice yes or twice no.

Btw, if your "LAN" interface list is correct, you don't need filter rules #6 and #7, because #5 already blocks everything from WAN.
by Sob
Fri Dec 04, 2020 10:03 pm
Forum: Scripting
Topic: duplicated rules
Replies: 5
Views: 757

Re: duplicated rules

In theory, a script could check if some rule exists before adding it. It would definitely make it more complex. But I'm not sure if it's even possible, because it would mean searching for rules that have certain parameters and also don't have any other parameters. A workaround would be to use rules ...
by Sob
Fri Dec 04, 2020 9:43 pm
Forum: Scripting
Topic: duplicated rules
Replies: 5
Views: 757

Re: duplicated rules

You most likely don't want any automatic sorting, because order of rules matters. You could sort a subset of them without breaking anything, but you would first have to define what can be touched and what can't, which may be difficult. A separate chain for "sortable" rules could work, but ...
by Sob
Fri Dec 04, 2020 5:12 pm
Forum: General
Topic: Problem with admin password
Replies: 2
Views: 312

Re: Problem with admin password

I never tested this with password, but in other fields RouterOS stores whatever byte values it gets. What exactly it is depends on used encoding. So if you set Windows single-byte encoding to the same one as hacker had, you should get in (and if what you have is really the correct password, of cours...
by Sob
Fri Dec 04, 2020 2:53 am
Forum: General
Topic: DNS over HTTPS
Replies: 159
Views: 44484

Re: DNS over HTTPS

Are you aware of a way to do this that doesn't import over 100 certificates?
This one is enough: https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem

Edit: It doesn't work for me with v7 either (v6 works fine).
by Sob
Fri Dec 04, 2020 2:49 am
Forum: Beginner Basics
Topic: Issue in NAT and port-forwarding since I changed ISP [SOLVED]
Replies: 7
Views: 785

Re: Issue in NAT and port-forwarding since I changed ISP [SOLVED]

It looks correct. From what I've seen, you have everything you need. There could be some problem elsewhere (for example, you could be blocking forwarded ports in firewall filter), but not if the same config worked before and you didn't do any such changes.
- Do the rules get any hits?
- Does the ...
by Sob
Fri Dec 04, 2020 12:45 am
Forum: General
Topic: VLAN and ProtonVPN IPsec
Replies: 5
Views: 526

Re: VLAN and ProtonVPN IPsec

Ooops, you're right about src-address-list=!vpn not being enough. But together with dst-address-list=!vpn it should do the trick. Or not? I'd say yes, but I have to think twice before I disagree with you. :)
by Sob
Fri Dec 04, 2020 12:35 am
Forum: General
Topic: Very old ROS versions
Replies: 14
Views: 1028

Re: Very old ROS versions

There would be easy way, since they already have files on server in some directory structure, they could simply show it, with enabled automatic directory indexes. Nothing fancy, but friendly enough and no extra maintenance required.
by Sob
Fri Dec 04, 2020 12:14 am
Forum: General
Topic: VLAN and ProtonVPN IPsec
Replies: 5
Views: 526

Re: VLAN and ProtonVPN IPsec

You have mode config with both connection-mark=ProtonVPN and src-address-list=vpn. I never tested it, but I assume that packets would need both the right source address and connection mark. But you have no connection marks. Remove connection-mark=ProtonVPN and it will probably work. Btw, your "...
by Sob
Thu Dec 03, 2020 9:34 pm
Forum: Beginner Basics
Topic: Router Set Up and Working Except for Port Forwarding From LAN [SOLVED]
Replies: 18
Views: 1292

Re: Router Set Up and Working Except for Port Forwarding From LAN [SOLVED]

You can use any name you like. But of course the chain name and jump target must match.
by Sob
Thu Dec 03, 2020 9:31 pm
Forum: Beginner Basics
Topic: Communication with Ethernet device without gateway
Replies: 22
Views: 2584

Re: Communication with Ethernet device without gateway

If you mean that the gateway-less device would have 192.168.10.130, then you couldn't connect it to 192.168.4.0/24 network like this, because nothing would know to look for it there. But you could configure mAP as simple router, with 192.168.4.X/24 on one interface and 192.168.10.Y/24 on another, an...
by Sob
Thu Dec 03, 2020 8:39 pm
Forum: General
Topic: Very old ROS versions
Replies: 14
Views: 1028

Re: Very old ROS versions

What's wrong with @sindy's answer? It's quite likely exactly what MikroTik people think. ;)
by Sob
Thu Dec 03, 2020 8:34 pm
Forum: Beginner Basics
Topic: Communication with Ethernet device without gateway
Replies: 22
Views: 2584

Re: Communication with Ethernet device without gateway

Then you can solve it either on router which is between PC and this VLAN (using srcnat rule similar to what I posted, limited to just the device as target) and you wouldn't need mAP at all, or you can connect device behind mAP with this config:
/interface bridge add name=bridge1 protocol-mode=none
/...
by Sob
Thu Dec 03, 2020 7:51 pm
Forum: Beginner Basics
Topic: Issue in NAT and port-forwarding since I changed ISP [SOLVED]
Replies: 7
Views: 785

Re: Issue in NAT and port-forwarding since I changed ISP [SOLVED]

What's in your WAN-IP address list? If your router itself doesn't have public address, then the list must contain whatever private address is on its WAN port (for connections from outside) and the public address (for connections from LAN and hairpin NAT). And of course the main router must forward p...
by Sob
Thu Dec 03, 2020 7:38 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 46562

Re: v7.1beta3 [development] is released!

Missing CHR disk space was false alarm, the magic "turn it off and on again" fixed it. Now there's 34.6MB free.
by Sob
Thu Dec 03, 2020 6:53 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 46562

Re: v7.1beta3 [development] is released!

When I run /export verbose the last thing that gets displayed is /radius incoming set accept=no port=3799 and then it hangs forever. Anyone else having this behavior?
I have same behaviour on CHR. Also all free disk space is gone. Right after update it showed 8kB free, then I deleted two autosupout...
by Sob
Thu Dec 03, 2020 6:43 pm
Forum: Beginner Basics
Topic: Communication with Ethernet device without gateway
Replies: 22
Views: 2584

Re: Communication with Ethernet device without gateway

It's your starting post that's not clear to me. You have company network 192.168.4.0/24, that's fine, no problem. But suddenly there's PC with completely different address connected to same switch. Where does it come from? Why isn't it in same subnet? Is there another router? Can the PC currently ac...
by Sob
Thu Dec 03, 2020 5:53 pm
Forum: Beginner Basics
Topic: Communication with Ethernet device without gateway
Replies: 22
Views: 2584

Re: Communication with Ethernet device without gateway

It's not clear from your description how is everything connected. But if mAP should serve as gateway between PC in 192.168.0.0/24 subnet and device (which doesn't support any default gateway) in 192.168.4.0/24 subnet, then you need just this:
/ip address add address=192.168.0.X/24 interface=ether1 a...
by Sob
Thu Dec 03, 2020 5:39 pm
Forum: Beginner Basics
Topic: Router Set Up and Working Except for Port Forwarding From LAN [SOLVED]
Replies: 18
Views: 1292

Re: Router Set Up and Working Except for Port Forwarding From LAN [SOLVED]

You now have dstnat rules that apply to all destination addresses except 192.168.10.0/24. With the config you posted, just 192.168.10.1 would be enough, because router doesn't have any other address from 192.168.10.0/24 anyway. Using more than just 192.168.10.1 makes sense if there would be other ad...
by Sob
Thu Dec 03, 2020 4:42 pm
Forum: General
Topic: SSTP VPN behind NAT possible?
Replies: 4
Views: 552

Re: SSTP VPN behind NAT possible?

..., the lte router on the server side forwards every package to the mikrotik behind it.
If this is true, then it should work. You can add rule like this:
/ip firewall mangle add action=log chain=prerouting connection-state=new in-interface=<interface_connected_to_LTE_router> log-prefix=new_connect...
by Sob
Thu Dec 03, 2020 2:30 am
Forum: Beginner Basics
Topic: Router Set Up and Working Except for Port Forwarding From LAN [SOLVED]
Replies: 18
Views: 1292

Re: Router Set Up and Working Except for Port Forwarding From LAN [SOLVED]

Few corrections and clarifications: 2a looks funny and basically says use the interface that's local but is not your subnet (works if there are no other subnets). No, it says "when destination address is any address on router, except that one". It has nothing to do with subnets, you can hav...
by Sob
Thu Dec 03, 2020 2:10 am
Forum: General
Topic: copying Certificates to backup machine
Replies: 4
Views: 469

Re: copying Certificates to backup machine

According to manual, other same model devices are supported: RouterOS backup feature allows you to save your current device's configuration, which then can be re-applied on the same or a different device (with the same model name/number). This is very useful since it allows you to effortlessly rest...
by Sob
Thu Dec 03, 2020 1:56 am
Forum: Beginner Basics
Topic: V7 Route List [SOLVED]
Replies: 10
Views: 1087

Re: V7 Route List [SOLVED]

The field for routing table is missing from WinBox in current beta, but command line works.
by Sob
Thu Dec 03, 2020 1:49 am
Forum: Beginner Basics
Topic: Router Set Up and Working Except for Port Forwarding From LAN [SOLVED]
Replies: 18
Views: 1292

Re: Router Set Up and Working Except for Port Forwarding From LAN [SOLVED]

You can replace dst-address=WANIP with dst-address-type=local (it will match any address assigned to router). And if you want to use some of forwarded ports also for some service on router itself (e.g. your port 80, which is by default used by WebFig), you can exclude some address using additional d...
by Sob
Thu Dec 03, 2020 1:40 am
Forum: Beginner Basics
Topic: Pivpn wireguard portforwarding problem [SOLVED]
Replies: 3
Views: 624

Re: Pivpn wireguard portforwarding problem [SOLVED]

Does the router itself have 178.148.x.x? If it doesn't, then dst-address=178.148.x.x in dstnat rule won't work for connections from outside. The correct one would be dst-address=192.168.0.14 (the address on router's WAN port) and you have to also forward port from modem to it (assuming that you have...
by Sob
Wed Dec 02, 2020 2:17 pm
Forum: Beginner Basics
Topic: Multiple gateway routing [SOLVED]
Replies: 2
Views: 361

Re: Multiple gateway routing [SOLVED]

You can have as many addresses in same subnet as you want, that's not a problem. But you won't be able to use them just like that as two gateways and route traffic depending on which one was used, if they are on same interface. But it is possible: https://forum.mikrotik.com/viewtopic.php?f=13&t=...
by Sob
Wed Dec 02, 2020 2:42 am
Forum: General
Topic: VPN routeing question
Replies: 5
Views: 549

Re: VPN routeing question

If you'd use same subnet as on server side, you'd additionally need proxy arp. I think it's better to keep separate subnets. But you can use anything else from 10.x.x.x, and Windows will add route to whole 10.0.0.0/8. It's ok if you're sure that clients don't need any other 10.x.x.x elsewhere. Other...
by Sob
Wed Dec 02, 2020 2:26 am
Forum: General
Topic: How to change internet address to local, reverse NAT
Replies: 12
Views: 1077

Re: How to change internet address to local, reverse NAT

Srcnat is quick and dirty solution. And as long as you don't care about real source addresses, it's ok. Better one would be to tell server to send responses back from where requests came. It's definitely doable if the server runs Linux, probably other systems too, but AFAIK not on Windows.
by Sob
Wed Dec 02, 2020 2:07 am
Forum: General
Topic: hardware offloading in bridged ports mirktoik 4011 [SOLVED]
Replies: 2
Views: 388

Re: hardware offloading in bridged ports mirktoik 4011 [SOLVED]

Maybe this (from https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features): By default, the bridge interface is configured with protocol-mode set to rstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the Bridge Hardware ...
by Sob
Tue Dec 01, 2020 9:02 pm
Forum: General
Topic: how can recovery license to level 3 [SOLVED]
Replies: 1
Views: 250

Re: how can recovery license to level 3 [SOLVED]

Other users can't help you with license, try https://mikrotik.com/support.
by Sob
Tue Dec 01, 2020 9:00 pm
Forum: General
Topic: How to change internet address to local, reverse NAT
Replies: 12
Views: 1077

Re: How to change internet address to local, reverse NAT

Then just add some srcnat rule, for example:
/ip firewall nat
add chain=srcnat dst-address=172.16.100.100 protocol=tcp dst-port=80 action=masquerade
by Sob
Tue Dec 01, 2020 12:46 am
Forum: Beginner Basics
Topic: Locked out of ssh/winbox... but how ?
Replies: 6
Views: 688

Re: Locked out of ssh/winbox... but how ?

If you have binary backups, they are no fun to work with, you don't see what's inside. Text exports are better in this regard, you can easily compare them as text files, put them in some versioning system like git to have history of changes, anything. Unfortunately, exports don't contain all data (e...
by Sob
Tue Dec 01, 2020 12:40 am
Forum: General
Topic: Multiple VLANs on a single Router Port.
Replies: 11
Views: 1676

Re: Multiple VLANs on a single Router Port.

Config structure is mostly the same for all interfaces (CLI, WinBox and WebFig). Only when you're not used to it, finding some option among all presented may take a few extra seconds, but use it few times and it quickly gets easier.
by Sob
Mon Nov 30, 2020 2:00 pm
Forum: General
Topic: Help to configure Public IP with port forwarding [SOLVED]
Replies: 2
Views: 320

Re: Help to configure Public IP with port forwarding [SOLVED]

If you mean that you're connecting to public address from LAN, then you can't have dstnat rules with in-interface=ether1, because connections from LAN will have different incoming interface. Use dst-address=<your public address> instead. And you also need to read https://wiki.mikrotik.com/wiki/Hairp...
by Sob
Mon Nov 30, 2020 12:33 am
Forum: General
Topic: ipsec to juniper [SOLVED]
Replies: 6
Views: 663

Re: ipsec to juniper [SOLVED]

You have PFS disabled for Juniper, but enabled for RouterOS (pfs-group=modp1536 in proposal).
by Sob
Mon Nov 30, 2020 12:28 am
Forum: General
Topic: How is your public IP address determined?
Replies: 23
Views: 1624

Re: How is your public IP address determined?

About multihoming, professional solutions aside (own prefix, BGP and stuff, because that's not for little guy), it's not completely hopeless. If you're interested in incoming connections, servers can have addresses from more ISPs at the same time and you can use DNS to control what remote clients wi...