Community discussions

Search found 9166 matches

by Sob
Wed Apr 17, 2024 3:12 am
Forum: General
Topic: Hairpin NAT with 2 WAN static IP's and 2 LAN's
Replies: 7
Views: 918

Re: Hairpin NAT with 2 WAN static IP's and 2 LAN's

It's not blocked by your firewall, since you don't have any. Srcnat on WAN doesn't have any conditions, so that's not breaking it. Mangle rules won't touch it, so no problem there either. It seems to me that if VPN client 192.168.89.x tries to route internet traffic via this router, it should work. ...
by Sob
Sat Apr 13, 2024 1:57 am
Forum: General
Topic: Hairpin NAT with 2 WAN static IP's and 2 LAN's
Replies: 7
Views: 918

Re: Hairpin NAT with 2 WAN static IP's and 2 LAN's

Good news! If you have server in LAN1 (one subnet) and clients in LAN2 (another subnet), then the problem that's solved by hairpin NAT doesn't occur. So you don't need hairpin NAT. Your problem (aside from non-existent firewall filter section, but that's another story) is the mangle rule that marks ...
by Sob
Sun Dec 31, 2023 4:35 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2028

Re: Dual WAN PCC ok but no web browsing [SOLVED]

I'd use what I wrote before:
/ip firewall nat
add action=srcnat chain=srcnat out-interface=ether4-sat to-addresses=192.168.1.20
add action=srcnat chain=srcnat out-interface=ether5-fwa to-addresses=192.168.55.20
But the main point was that if you thought it was working, it couldn't. And it's not just...
by Sob
Sun Dec 31, 2023 4:27 pm
Forum: General
Topic: IPIPv6 tunnel uses wrong local address
Replies: 9
Views: 1278

Re: IPIPv6 tunnel uses wrong local address

Well, NAT does work (= is able to change source of tunnel's packets), but not exactly as expected. I can force tunnel to use link-local address as source, if I keep default route (with link-local gateway) and disable all global addresses. I assume something like that might be happening on your route...
by Sob
Sun Dec 31, 2023 2:55 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2028

Re: Dual WAN PCC ok but no web browsing [SOLVED]

Sorry to ruin it for you, but no.

If nothing else, now you have two unconditional srcnat rules. So the first one will be used for anything passing through router and nothing will ever get to second one.
by Sob
Sat Dec 30, 2023 9:45 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2028

Re: Dual WAN PCC ok but no web browsing

I think I see it, the two PCC rules need to have passthrough=yes.
by Sob
Sat Dec 30, 2023 9:35 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2028

Re: Dual WAN PCC ok but no web browsing

Unfortunately, I don't see anything obviously wrong that could cause what you were describing. And that description, that's really weird behaviour.

All VRRP masters are on same router, right?
by Sob
Sat Dec 30, 2023 9:12 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2028

Re: Dual WAN PCC ok but no web browsing

Addresses on VRRP interfaces should have /32 masks:
/ip address
add address=192.168.10.20/32 interface=vrrp1-LAN
add address=192.168.1.20/32 interface=vrrp2-SAT
add address=192.168.55.20/32 interface=vrrp3-FWA
Then outgoing interfaces will be parent ones, and even though masquerade should have the s...
by Sob
Sat Dec 30, 2023 7:02 pm
Forum: Beginner Basics
Topic: SMTP Postfix Server Configuration [SOLVED]
Replies: 5
Views: 1518

Re: SMTP Postfix Server Configuration [SOLVED]

tcptraceroute = not the same thing as traceroute

And allowing any port won't help, because they are all allowed already. Look at forward, not input, there's no drop in forward.
by Sob
Sat Dec 30, 2023 6:57 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2028

Re: Dual WAN PCC ok but no web browsing

PCC with VRRP, I don't see why not. But it's probably good idea to share more info about what exactly you have (at least definition of interfaces and IP addresses; or just post whole config). You seem to have VRRPs on LAN and both WANs. But one weird thing I see, if srcnat is intended to be there an...
by Sob
Sat Dec 30, 2023 3:00 pm
Forum: General
Topic: Dual WAN PCC ok but no web browsing
Replies: 19
Views: 2028

Re: Dual WAN PCC ok but no web browsing

What about other config? Is there perhaps fasttrack in /ip firewall filter?
by Sob
Sat Dec 30, 2023 1:05 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 3697

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

It's perfectly reasonable. When you have this "remote public address" that you use to forward ports from there to devices in your LAN, then the router possibly being one of those devices is not any far fetched idea. I can't come up with any good analogy right now, but trust me, it makes ...
by Sob
Sat Dec 30, 2023 12:49 pm
Forum: General
Topic: IPIPv6 tunnel uses wrong local address
Replies: 9
Views: 1278

Re: IPIPv6 tunnel uses wrong local address

If it's ROSv7, you can also try NAT.
by Sob
Fri Dec 29, 2023 9:43 pm
Forum: General
Topic: simple 3 isp dhcp clients with aggregation
Replies: 21
Views: 3986

Re: simple 3 isp dhcp clients with aggregation

@anav: You missed the "afcourse via accelerators like IDM", i.e. instead of downloading one file using one connection from beginning to end, there are multiple connections, each downloading different part of that file. It may not work with everything, but when it does, you can get maximum ...
by Sob
Fri Dec 29, 2023 7:57 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 3697

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

Yes, original post was about forwarding ports to another device behind router, and you don't need the output rule for that. But it's related, so why not cover even possible future needs right away? Worst case, it won't be used. Maybe after seeing how great these forwarded ports work, next requirement...
by Sob
Fri Dec 29, 2023 1:00 pm
Forum: General
Topic: IPIPv6 tunnel uses wrong local address
Replies: 9
Views: 1278

Re: IPIPv6 tunnel uses wrong local address

Setting local address seems as obvious choice for workaround. As simple as possible if it's static, a bit more annoying if not, but should be doable.
by Sob
Fri Dec 29, 2023 3:10 am
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 3697

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

Traffic coming from tunnel can be to:
a) some device behind router -> route marking for responses is done in prerouting
b) router itself -> route marking for responses is done in output
As for different variants of the rules, don't overthink it. You need one to mark incoming connections and you can'...
by Sob
Fri Dec 29, 2023 2:47 am
Forum: General
Topic: Policy based routing
Replies: 9
Views: 1192

Re: Policy based routing

Few things:
- If in rtr1 table you still have route to 0.0.0.0/0, as you did in first post and it was correct, then adding any other route there with same gateway is pointless, because the first one already covers any possible destination.
- Same for the rule to look up destination for packets with ...
by Sob
Thu Dec 28, 2023 10:19 pm
Forum: General
Topic: Policy based routing
Replies: 9
Views: 1192

Re: Policy based routing

If the target is router itself, then output chain (instead of prerouting) is the right one for handling response packets, that's correct. It should just work without any extra routes. That's if you need to deal only with incoming connections. First rule in prerouting marks incoming connections (you ...
by Sob
Thu Dec 28, 2023 8:13 pm
Forum: General
Topic: Bug? Password-protected cert import - no interactive prompt
Replies: 11
Views: 1109

Re: Bug? Password-protected cert import - no interactive prompt

It's really simple. Imagine that you have certificate with encrypted private key and you want to import it. Don't think about why there's password, perhaps you got it like that from someone else. It doesn't matter. Don't you think that RouterOS should be smart enough to ask for the password if you d...
by Sob
Thu Dec 28, 2023 7:49 pm
Forum: General
Topic: Policy based routing
Replies: 9
Views: 1192

Re: Policy based routing

Almost there. You need to limit the route marking rule, because this one applies also to incoming packets. As a result, they will be sent back, because route marks have maximum priority in ROS. Either that, or you'd need routes to local destinations in rtr1 table. The former is probably easier/simpl...
by Sob
Thu Dec 28, 2023 7:42 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 3697

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

What can I say, you know what you're doing. Gentle push was enough.

@anav: It's when you don't have public IP address from your ISP, but you want one. So you get it elsewhere (VPS) and then forward ports from there.
by Sob
Thu Dec 28, 2023 2:42 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 3697

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

Masquerade on server side will have to be removed, of course. But that alone would break it and it wouldn't work at all. With this config it will. It's the good old "forwarding port through VPN", you know that.
by Sob
Thu Dec 28, 2023 1:58 pm
Forum: Beginner Basics
Topic: Trouble with port forwarding through a Wireguard VPN [SOLVED]
Replies: 14
Views: 3697

Re: Trouble with port forwarding through a Wireguard VPN [SOLVED]

You're looking for something like this:
/routing table add name=wg fib
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg
/ip firewall mangle
add chain=prerouting in-interface=wireguard1 connection-mark=no-mark action=mark-connection new-connection-mark=wg-conn
add chain=prerout...
by Sob
Wed Dec 27, 2023 10:58 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158806

Re: v7.14beta [testing] is released!

Quoting: added a "vrf" interface for testing, now I cannot delete it. It doesn't even show up in the terminal if you export the config... looks like a bug to me

The bug is probably that you're able to add them at all. These interfaces are the previously hidden ones that are automatically created w...
by Sob
Wed Dec 27, 2023 7:29 pm
Forum: General
Topic: IP Firewall/NAT Input and Output Chain
Replies: 16
Views: 1929

Re: IP Firewall/NAT Input and Output Chain

It's for doing src/dstnat with router's own traffic. It wasn't available in old versions. When it's forwarded traffic, you have:
prerouting/dstnat -> forward -> postrouting/srcnat
But for router's own traffic (to/from router) you have:
prerouting/dstnat -> input
output -> postrouting/srcnat
So you c...
by Sob
Wed Dec 27, 2023 5:49 pm
Forum: RouterOS beta
Topic: VRF and hidden interfaces
Replies: 6
Views: 5372

Re: VRF and hidden interfaces

Fun with interfaces, 2023 edition. Original version, shows how it's processed internally, but hides names of interfaces:
prerouting: in: guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in: (unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123
input: in: (unknown 22) out:(unknown...
by Sob
Thu Mar 09, 2023 3:41 am
Forum: General
Topic: No access to FTP server through VPN tunnel
Replies: 9
Views: 1465

Re: No access to FTP server through VPN tunnel

That would be the first FTP server I ever saw with support for only single passive port (did you try to enter range like 20020-20030?). It's not impossible, but it would limit some features, e.g. transfers between different servers (FXP) would be problematic. But simple client-server should work. An...
by Sob
Thu Mar 09, 2023 2:12 am
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 7234

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

It's just another tool like many before. It can be used or misused. Now it's new, so everyone is scared/excited/whatever. But we'll manage.
by Sob
Thu Mar 09, 2023 12:09 am
Forum: General
Topic: Feature Request: Ed25519 SSH keys
Replies: 57
Views: 20825

Re: Feature Request: Ed25519 SSH keys

Reinventing the wheel properly takes time. ;) And they like to do it a lot, example: viewtopic.php?p=965896#p965896
by Sob
Wed Mar 08, 2023 10:02 pm
Forum: General
Topic: Wireguard - "asymmetric routing"
Replies: 30
Views: 2592

Re: Wireguard - "asymmetric routing"

Because it was so long ago when such things were used *1. ;)

-
*1 Individual experiences may differ for each person
by Sob
Wed Mar 08, 2023 12:23 pm
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 7234

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

Before you do something drastic, although I don't think harakiri is the thing in Canada, the thing with WG and localhost is just something that I think I saw mentioned in some thread, but I find it weird and it's entirely possible that I'm mistaken. So be calm, everything is probably mostly fine. ;)...
by Sob
Wed Mar 08, 2023 12:17 pm
Forum: General
Topic: No access to FTP server through VPN tunnel
Replies: 9
Views: 1465

Re: No access to FTP server through VPN tunnel

FTP establishes new data connection for every single transfer (download, upload, even directory listing). Just one port isn't much to work with. I can't say that it clearly couldn't work, it depends on how server handles it, but it can't hurt to try to configure at least some small range of passive ...
by Sob
Wed Mar 08, 2023 4:33 am
Forum: Scripting
Topic: Reasons to hold on to the mikrotik specific scripting language
Replies: 12
Views: 2614

Re: Reasons to hold on to the mikrotik specific scripting language

Add few built-in functions for convenience, find a way to provide more feedback on errors than silent death, and I'll be willing to say that it's ok. ;)
by Sob
Wed Mar 08, 2023 2:18 am
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 7234

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

I think I saw it in some threads that WG supposedly connects to localhost. I didn't examine it myself yet, but I don't see any good reason why it would do it (I'm not saying it's not possible). And you're probably significantly further than 0.3%. How much, that's hard to guess. I wouldn't be sure ab...
by Sob
Wed Mar 08, 2023 1:15 am
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 7234

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

Forums having ranks/titles based on number of posts is common knowledge, everyone learns it eventually. I remember how once someone took info from some forum about military and argued that it MUST be true, because it was written by General and they know their stuff. :D
by Sob
Tue Mar 07, 2023 9:40 pm
Forum: General
Topic: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.
Replies: 75
Views: 7234

Re: PETITION: Request to Forum Admins to prohibit posting of ChatGPT scripts on the forum, without specify the source.

@rextended: I understand your frustration. But you're still missing any way how it could work. You can prohibit it, maybe in rules that nobody reads anyway. And people will still post it, either because they won't know about it, or they will know and not admit it. And you can ban them after, but fir...
by Sob
Tue Mar 07, 2023 8:30 pm
Forum: General
Topic: Limit download speed but not limit browsing speed
Replies: 4
Views: 1100

Re: Limit download speed but not limit browsing speed

It depends. If it's regular download where one connection transfers a lot of data, you can mark it using connection-bytes, e.g. after 10MB:
/ip firewall mangle add chain=forward connection-mark=no-mark connection-bytes=10485760-0 action=mark-connection new-connection-mark=bigtransfer
and then use qu...
by Sob
Tue Mar 07, 2023 8:20 pm
Forum: Forwarding Protocols
Topic: Mesh Network and Ip adresses
Replies: 5
Views: 2983

Re: Mesh Network and Ip adresses

What if you drop the routes and use standard /ip address add address=<address>/<mask>? I don't remember if what you have now is supposed to work.
by Sob
Tue Mar 07, 2023 8:16 pm
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 1590

Re: Question about ip - address redirection [SOLVED]

Well, it makes sense. I just wonder what exactly the client does, it seems that it must use some kind of policy routing.
by Sob
Tue Mar 07, 2023 4:26 am
Forum: Wireless Networking
Topic: Guest network
Replies: 11
Views: 6542

Re: Guest network

For start, how many devices are we talking about? Is it separate router and AP(s), or just single device? If it's more than one, then VLANs allow you to have centralized config on router and AP can act as dumb transparent device.
by Sob
Tue Mar 07, 2023 4:08 am
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 1590

Re: Question about ip - address redirection [SOLVED]

Oops, sorry, my bad. In that case, it's different problem. You'd need clients to access x.x.x.x via tunnel, but they need to access the same x.x.x.x without tunnel, because it's the VPN server they are connecting to. I'm not sure what exactly OpenVPN client does, but it probably routes whole x.x.x.x...
by Sob
Tue Mar 07, 2023 12:21 am
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 1590

Re: Question about ip - address redirection [SOLVED]

Do you see interfaces appearing in vpn-clients list (clients need to reconnect if they were already connected)? It's in Interfaces->Interface List, or "/interface list member print where list=vpn-clients" in CLI.
by Sob
Tue Mar 07, 2023 12:16 am
Forum: Beginner Basics
Topic: Publishing LAN services to the internet with HairPin NAT solution
Replies: 7
Views: 1252

Re: Publishing LAN services to the internet with HairPin NAT solution

The point is whether you have public address (= can have incoming connection from internet) at all. Because it's not automatic, there's shortage of public addresses, so ISPs "hide" their customers behind few public addresses using NAT. Outgoing connections to internet work, but incoming do...
by Sob
Mon Mar 06, 2023 8:43 pm
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 1590

Re: Question about ip - address redirection [SOLVED]

Then as I wrote, interface list is your friend:
/interface list add name=vpn-clients
/ppp profile add <other options you have> interface-list=vpn-clients
/ip firewall nat add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=7012 in-interface-list=vpn-clients action=dst-nat to-addresses=y.y.y.y
by Sob
Mon Mar 06, 2023 6:09 am
Forum: Beginner Basics
Topic: Remote DNS Request, Block Client Device [SOLVED]
Replies: 6
Views: 1365

Re: Remote DNS Request, Block Client Device [SOLVED]

Regular DNS doesn't have anything like user agent. You can use e.g. Wireshark to check what's in packets, but in short, nothing you could use. But you could use L7 to match queries for .srv TLD:
\x03srv.\x01$
by Sob
Mon Mar 06, 2023 4:40 am
Forum: Beginner Basics
Topic: Remote DNS Request, Block Client Device [SOLVED]
Replies: 6
Views: 1365

Re: Remote DNS Request, Block Client Device [SOLVED]

Most likely not, but I can't wait until spammers discover that it would be perfect for generating hard to detect not-clearly-nonsense posts to establish their presence.
by Sob
Mon Mar 06, 2023 4:37 am
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 1590

Re: Question about ip - address redirection [SOLVED]

Anyone can connect if you use only dst-address without any in-interface. If you use dst-address with in-interface=all-ppp, it should be only VPN clients. Unless your internet connection uses PPPoE, I'm not sure about that and I can't test it right now, but it's possible/likely that all-ppp includes ...
by Sob
Mon Mar 06, 2023 1:25 am
Forum: Beginner Basics
Topic: Remote DNS Request, Block Client Device [SOLVED]
Replies: 6
Views: 1365

Re: Remote DNS Request, Block Client Device [SOLVED]

What's the point? Try to share more details. If it's some non-public domain, you could do some filtering on that. But then I'd expect also internal addresses and there would have to be some VPN to access them, so just use it for accessing DNS server too. If it's resolver for regular public domains, ...
by Sob
Mon Mar 06, 2023 1:10 am
Forum: General
Topic: Question about ip - address redirection [SOLVED]
Replies: 12
Views: 1590

Re: Question about ip - address redirection [SOLVED]

It's not exactly clear. If you want to make webserver publicly accessible, then drop in-interface=bridge. If it should be accessible only to VPN clients, it's probably best if they connect directly to y.y.y.y. But if you insist that they must connect to x.x.x.x, in-interface=all-ppp should work.
by Sob
Sun Mar 05, 2023 10:16 pm
Forum: General
Topic: Malicious L2TP requests in log
Replies: 5
Views: 1724

Re: Malicious L2TP requests in log

Well, it does seem that even with L2TP server disabled, 1701 is not closed like others, e.g. nmap on unfirewalled device shows:
PORT     STATE         SERVICE
1700/udp closed        mps-raft
1701/udp open|filtered L2TP
1702/udp closed        deskshare
I'm not sure what exactly happens, but you can always use firewall to bl...
by Sob
Sun Mar 05, 2023 8:25 pm
Forum: Beginner Basics
Topic: Publishing LAN services to the internet with HairPin NAT solution
Replies: 7
Views: 1252

Re: Publishing LAN services to the internet with HairPin NAT solution

Support is mainly for things like bugs. There's nothing clearly wrong in your config (firewall rules could use some reordering, but they don't break anything). So, public IP address *1, do you know what it is and are you absolutely sure that you have one directly on your router *2?

*1 not 10.x.x.x, 1...
by Sob
Sun Mar 05, 2023 5:05 am
Forum: General
Topic: When should I turn off loose TCP tracking? [SOLVED]
Replies: 19
Views: 5274

Re: When should I turn off loose TCP tracking? [SOLVED]

@anav: It might break your heart, but did I mention that I don't know everything? ;)
by Sob
Sun Mar 05, 2023 5:01 am
Forum: Beginner Basics
Topic: Allowing 2 IP addresses to point to a different DNS
Replies: 2
Views: 968

Re: Allowing 2 IP addresses to point to a different DNS

You can do something like this:
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.88.100/32 dns-server=192.168.123.45 gateway=192.168.88.1 netmask=24
First is defaults for subnet and second is different config for single device (192....
by Sob
Sat Mar 04, 2023 9:35 pm
Forum: General
Topic: Let's Encrypt - only 1 certificate allowed?
Replies: 9
Views: 2378

Re: Let's Encrypt - only 1 certificate allowed?

I like LE for the automation alone. Being free is nice bonus. Paid certificates always required some annoying manual work. It wasn't too bad when they had very long validity (I don't know what was the maximum, but I used to have some five-year ones), but now we're down to one year. And if it goes ev...
by Sob
Sat Mar 04, 2023 6:50 am
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 3725

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

I can't test it now, but doesn't something like this work?
/ip dns static
add name=lan type=FWD match-subdomain=yes forward-to=<main router>
add name=something.more.specific.lan type=A address=<address>
add name=another.more.specific.lan type=FWD forward-to=<another resolver>
My guess/expectation is...
by Sob
Sat Feb 25, 2023 11:01 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 1900

Re: Newbie needing help [SOLVED]

Well, this allows your router to be used as DNS resolver. Which is something you may want for your devices in LAN, so not wrong. But if accessible from internet, your router would be open resolver, which is not good, because it really can be used for attacking others. But in OP's case the original c...
by Sob
Fri Feb 24, 2023 10:49 pm
Forum: General
Topic: OpenVPN clients not connecting [SOLVED]
Replies: 6
Views: 3734

Re: OpenVPN clients not connecting [SOLVED]

Sorry, one more thing:
/ip firewall nat add chain=srcnat src-address=200.151.54.0/24 dst-address=200.151.54.0/24 action=masquerade
And about those addresses, it's just that they belong to someone else and it's possible (even though not very likely) that some servers you'd want to access could be usi...
by Sob
Fri Feb 24, 2023 10:42 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 1900

Re: Newbie needing help [SOLVED]

My guess is that it's something on ISP's side. So I'd ask them. Or do you have access to some ISP's device (modem or something) that you can (are able and allowed to) turn off and on again?
by Sob
Fri Feb 24, 2023 10:36 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 1900

Re: Newbie needing help [SOLVED]

My idea was whether you're perhaps replacing some ISP-supplied router, it would be possible that ISP allows it but nothing else. Or is it completely new connection that never worked before? Btw, you lost some rules in "/ip firewall filter". Those you previously had with chain=input, you wa...
by Sob
Fri Feb 24, 2023 9:58 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 1900

Re: Newbie needing help [SOLVED]

So it looks like it's done by ISP's router for some reason. Does it work with some different router or directly connected PC? Could it be e.g. locked to specific device (its MAC address)?
by Sob
Fri Feb 24, 2023 9:49 pm
Forum: General
Topic: OpenVPN clients not connecting [SOLVED]
Replies: 6
Views: 3734

Re: OpenVPN clients not connecting [SOLVED]

Your dstnat rule has options in-interface=pppoe-protocol-intercon and in-interface-list=WAN (both useless) and they limit from where it will work. Drop them and it will be better. And those 200.x.x.x addresses, did you also get them from ISP? If not, you shouldn't use them and choose some from priva...
by Sob
Fri Feb 24, 2023 9:41 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 1900

Re: Newbie needing help [SOLVED]

How do you define "doesn't get Internet"? Regular web browsing doesn't work, but what if you try to open https://1.1.1.1/, does that work? Or ping to some numeric address (e.g. 1.1.1.1 again)? What about ping from router itself (open Terminal and try "ping 1.1.1.1")?
by Sob
Fri Feb 24, 2023 5:50 pm
Forum: Beginner Basics
Topic: Newbie needing help [SOLVED]
Replies: 14
Views: 1900

Re: Newbie needing help [SOLVED]

Aside from seriously outdated system (but that's not breaking it), I don't see anything obviously wrong, it looks like good old default config from 2017. If you look at DHCP client (IP->DHCP Client), what does it say? Does it get any IP address? And you do have ISP's router connected to ether1, right?
by Sob
Wed Feb 22, 2023 7:48 pm
Forum: Scripting
Topic: Please remove SSL requirement for REST Api
Replies: 15
Views: 3076

Re: Please remove SSL requirement for REST Api

Don't get me wrong, I'm all for letting people decide. If someone wants unencrypted REST, it should be their choice. I'm also big fan of configurable things. Currently you can enable web server and it's all or nothing (WebFig, REST, ...) => not good. Same for current enable-ssl-certificate, it's har...
by Sob
Wed Feb 22, 2023 7:07 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2273

Re: Why doesn't the port open?

It seems mostly fine. In addition to previous (^^^), you can try to add temporary logging rule, either for specific port:
/ip firewall mangle add chain=prerouting in-interface=pppoe-out1 protocol=udp dst-port=7777 connection-state=new action=log log-prefix=new-incoming
Or a broad one for all:
/ip fi...
by Sob
Wed Feb 22, 2023 6:55 pm
Forum: General
Topic: Ax2 with 7.6 default password problem [SOLVED]
Replies: 15
Views: 4109

Re: Ax2 with 7.6 default password problem [SOLVED]

How does this work exactly? Netinstall still does reset password to blank, right? Or, if the sticker gets lost, will I have not very practical (but secure!) door stopper?
by Sob
Wed Feb 22, 2023 6:49 pm
Forum: Scripting
Topic: Please remove SSL requirement for REST Api
Replies: 15
Views: 3076

Re: Please remove SSL requirement for REST Api

If self-signed certificate would be enough for you, it's not like it's too difficult to get it now:
/certificate add common-name=router.example.net
/certificate sign router.example.net
it's still inconvenient, because you need to either make the client trust it or ignore it, but it shouldn't be a sh...
by Sob
Wed Feb 22, 2023 6:34 pm
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 3725

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

Dstnat is not good, because it redirects everything, without any fallback. If you have at least common TLD (e.g. .lan), then with recent enough RouterOS (v7), you can do this on other routers:
/ip dns static add name=lan type=FWD match-subdomain=yes forward-to=<main router>
and it will forward *.lan...
by Sob
Wed Feb 22, 2023 2:00 am
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 3725

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

What I meant is that when one would add internal records in public DNS, in order to solve problem with DoH and other ways how devices can bypass local data, they might end up using some resolver that filters records with private addresses. So you solve one problem, but hit another. As for MikroTik's...
by Sob
Tue Feb 21, 2023 11:16 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2273

Re: Why doesn't the port open?

Not from a screenshot, it can hide some things. But based on your description in first post it should be ok. To be sure, try to run this in Terminal:
/export file=myconfig
and then post content of created myconfig.rsc here in code tags.
by Sob
Tue Feb 21, 2023 11:06 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2273

Re: Why doesn't the port open?

Yes, it's correct and it should work. Even if it wouldn't work completely, you should at least see some incoming packets, counters for dstnat rule (columns Bytes and Packets) should increase. How do you test it?
by Sob
Tue Feb 21, 2023 11:01 pm
Forum: Beginner Basics
Topic: Port Forwarding, firewall and self hosted game server help! [SOLVED]
Replies: 4
Views: 3458

Re: Port Forwarding, firewall and self hosted game server help! [SOLVED]

It's not needed, even if service on router uses some port and dstnat rule is for same one, dstnat sends packets elsewhere before they can reach service on router.
by Sob
Tue Feb 21, 2023 8:54 pm
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 3725

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

Some resolvers may filter private addresses. It's some trouble everywhere you look, we should scrap it all and move to all-public IPv6. :)
by Sob
Tue Feb 21, 2023 8:44 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2273

Re: Why doesn't the port open?

Is it also language barrier that makes you answer only half of questions? :) Now we know that if it starts with 91, it's public address. But we still don't know if your router actually has this address. Once again, look in IP->Addresses, is this address there?
by Sob
Tue Feb 21, 2023 3:29 pm
Forum: General
Topic: layer7 match failed, regexp too complex
Replies: 10
Views: 1506

Re: layer7 match failed, regexp too complex

I admit that I wasn't sure, but it seems that except IN it's all long time dead (only bind nameserver supposedly misuses CH to show its version, but I wouldn't be sure about that either, because lately showing versions tends to be avoided).
by Sob
Tue Feb 21, 2023 2:56 pm
Forum: General
Topic: layer7 match failed, regexp too complex
Replies: 10
Views: 1506

Re: layer7 match failed, regexp too complex

Feel free to enlighten me, but DNS query packet ends with two bytes for type followed by two bytes for class. In type there's 001C, 00 gets dropped, so we're looking for 1C (lowercase \x1c is fine). Class could in theory be 0x0000-0xFFFF, but does anything we might care about use anything else than ...
by Sob
Tue Feb 21, 2023 2:44 pm
Forum: Forwarding Protocols
Topic: Access The fortigate device from outside the site
Replies: 3
Views: 2516

Re: Access The fortigate device from outside the site

Ok, I lied. Not intentionally, I probably got misled by RIP and overlooked the obvious. If you want to access something connected to public-ip-lan interface from outside, of course you need to allow it (this will allow full unlimited access, you may or may not want to limit it in some way): /ip fire...
by Sob
Tue Feb 21, 2023 2:33 pm
Forum: Beginner Basics
Topic: Why doesn't the port open?
Replies: 26
Views: 2273

Re: Why doesn't the port open?

For start, your "my isp ip" is public (not 10.x.x.x, 100.64-127.x.x, 172.16-31.x.x, 192.168.x.x) and directly on your router (you can see it in IP->Addresses), correct?
by Sob
Tue Feb 21, 2023 2:25 pm
Forum: Beginner Basics
Topic: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]
Replies: 17
Views: 3725

Re: Multiple remote sites DNS solution, without Static DNS entries [SOLVED]

It doesn't seem very clear, so I'm just guessing... Do you mean local hostnames like workstation1.site1.lan on one router, server1.site2.lan on another, etc? Proper solution would be to run real DNS server(s), i.e. not something RouterOS can do. It could also work with FWD records (not real records ...
by Sob
Mon Feb 20, 2023 9:58 pm
Forum: Beginner Basics
Topic: how to add services / services ports
Replies: 11
Views: 2500

Re: how to add services / services ports

There are two things: - IP->Services - services that run on router - IP->Firewall->Service Ports - protocol helpers for firewall, for services that need extra care (e.g. FTP has one main connection that this helper watches and automatically recognizes related connections, so that they could be allow...
by Sob
Mon Feb 20, 2023 6:35 pm
Forum: General
Topic: Configure ProtonVPN on router with VPN active on set of ports?
Replies: 42
Views: 4561

Re: Configure ProtonVPN on router with VPN active on set of ports?

In that case I would simply use 10.2.0.2/24 for IP address on the router. Address as /30 is very limiting.
The point being? If they gave you /32, you should use /32, you won't gain anything by using something else.
by Sob
Mon Feb 20, 2023 5:58 pm
Forum: Forwarding Protocols
Topic: Access The fortigate device from outside the site
Replies: 3
Views: 2516

Re: Access The fortigate device from outside the site

I can't say about RIP part, I don't know much about that. Only in firewall, when you drop all incoming packets on pppoe-out1, then allowing something after that is useless, because it will never get there (so you need to swap those rules). Other than that, I don't see any problem.
by Sob
Mon Feb 20, 2023 2:10 pm
Forum: General
Topic: New to mikrotik
Replies: 3
Views: 628

Re: New to mikrotik

Learning yourself is fun. When I found RouterOS, I knew some basics in Linux, network config, bit of iptables, etc. With RouterOS (and especially WinBox) I was like fish in a water. I'm not saying that I knew everything overnight, but most of it was pretty intuitive. Don't look down on WinBox, it's ...
by Sob
Mon Feb 20, 2023 1:48 pm
Forum: General
Topic: Masquerade issue
Replies: 6
Views: 918

Re: Masquerade issue

Try similar logging rule in srcnat. Use some other condition like source address to match only testing traffic. And check if it shows the right outgoing interface, or if it's another unknown one.
by Sob
Mon Feb 20, 2023 5:02 am
Forum: Beginner Basics
Topic: default route
Replies: 7
Views: 807

Re: default route

Several things in there are weird. For start, I don't see any NAT rule with IP address you could be updating. But I do see default route that might need it (gateway), which is unusual, because normally you just let DHCP client add dynamic default route. Also to have both DHCP servers and clients on ...
by Sob
Mon Feb 20, 2023 4:04 am
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 1488

Re: Trouble with Port Forwarding

Ability to upload with BT or speed of it doesn't have much to do with ability to accept incoming connections. It just makes connecting between clients easier, but it doesn't mean that it would be impossible without it.

Using VPN does need some extra config, which depends on what kind of VPN it is.
by Sob
Mon Feb 20, 2023 3:52 am
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 1488

Re: Trouble with Port Forwarding

@anav: There can be different results, and there's also difference between tcp and udp. In case there wouldn't be any firewall, tcp connection that reaches target host always gets something back, either ack (when something listens on that port = it's open) or rst (when nothing listens there = it's c...
by Sob
Mon Feb 20, 2023 1:34 am
Forum: General
Topic: Basic NAT hairpin rule just doesn't work [SOLVED]
Replies: 14
Views: 2041

Re: Basic NAT hairpin rule just doesn't work [SOLVED]

It all depends on what you want. Even with multiple subnets, you can use dst-address=!192.168.0.0/16 to exclude all internal addresses from this range. Or you can simply not exclude some. E.g. if you have primary LAN and separate LAN for guests, and you want to use WebFig from main LAN only, then if...
by Sob
Mon Feb 20, 2023 12:26 am
Forum: Beginner Basics
Topic: Static DNS records do work strange on Mikrotik [SOLVED]
Replies: 2
Views: 939

Re: Static DNS records do work strange on Mikrotik [SOLVED]

There's difference between DNS resolution: - in Terminal it's done by router - in WinBox it's done by machine it runs on - I'm not sure about WebFig Normally if machine with WinBox uses same router as its DNS resolver, there wouldn't be any difference. But depending on what static records you add, i...
by Sob
Mon Feb 20, 2023 12:07 am
Forum: Beginner Basics
Topic: default route
Replies: 7
Views: 807

Re: default route

The action=masquerade is your friend (instead of action=src-nat).
by Sob
Mon Feb 20, 2023 12:05 am
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 1488

Re: Trouble with Port Forwarding

You need to understand what it does. There may be misleading wording about checking for open ports. But it's actually checking if it's able to connect to something. It knows nothing about your router and its config, and has no means to discover anything about that. Either it will be able to connect ...
by Sob
Mon Feb 20, 2023 12:00 am
Forum: General
Topic: IPSec joining two subnets fail [SOLVED]
Replies: 8
Views: 1293

Re: IPSec joining two subnets fail [SOLVED]

Generally no extra routes should be needed, but it's possible that in your case they are, it depends on how everything is configured.
by Sob
Sun Feb 19, 2023 11:44 pm
Forum: General
Topic: Basic NAT hairpin rule just doesn't work [SOLVED]
Replies: 14
Views: 2041

Re: Basic NAT hairpin rule just doesn't work [SOLVED]

There's always the simple and (almost) foolproof dst-address-type=local. The "almost" part is when you use it with port that you also use to manage router, e.g. 80 when you use WebFig on default port, that will lock you out. But you can combine it with dst-address=!192.168.69.1 to exclude ...
by Sob
Sun Feb 19, 2023 11:18 pm
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 1488

Re: Trouble with Port Forwarding

I mean, when you're using port checker, at that moment, is there any software running on internal device and listening on that port? It must be, otherwise there will be no response. You can't open port "for later" without something actively using it and have it shown as open.
by Sob
Sun Feb 19, 2023 11:11 pm
Forum: Beginner Basics
Topic: Trouble with Port Forwarding
Replies: 14
Views: 1488

Re: Trouble with Port Forwarding

Are you sure that on your 10.10.22.241 device something definitely listens on tcp port 65472, it's not blocked by device's own firewall, device has this router as its default gateway, etc?
by Sob
Sun Feb 19, 2023 10:40 pm
Forum: General
Topic: layer7 match failed, regexp too complex
Replies: 10
Views: 1506

Re: layer7 match failed, regexp too complex

L7 strips zero bytes, so you can't work with them at all. You can take 1c from type and 01 from class and look for them at the end:
/ip firewall layer7-protocol
add name=dns-aaaa regexp="\\x1c\\x01\$"
by Sob
Sat Feb 18, 2023 4:46 am
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

If we're talking about single NAT, this is best suited for ancient/dumb/ignorant client. "If I connect to some server and tell it that I'm alive, then server sees my address and port I'm using, and if I'm listening on that, then anyone who server tells it to can connect to me, right? What? My r...
by Sob
Sat Feb 18, 2023 3:29 am
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

Automatic stuff, if it means that mapping created by outgoing connection also serves for new independent incoming connections, comes from this NAT type itself and doesn't need anything else. That's why it's in both srcnat and dstnat chains. The one in srcnat can be exactly same as existing masquerad...
by Sob
Sat Feb 18, 2023 1:02 am
Forum: Beginner Basics
Topic: DDNS for my server with IP/Cloud?
Replies: 11
Views: 3308

Re: DDNS for my server with IP/Cloud?

I wouldn't say it's complicated. It's slightly different. If you have only IPv4, then with typical setup you have one public address on router, so it's one hostname and it covers all internal servers you might have. MikroTik's DDNS works and it's just few clicks. If you add IPv6, then every device h...
by Sob
Fri Feb 17, 2023 11:29 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

But why!? (@Sob!) Just because you can or is fun to have?? Bring us the real problem! What did I do? I'm just explaining and discussing interesting technical thing. Because it's just that, interesting. I'm not saying that MikroTik should drop everything else and add this, not even necessarily add i...
by Sob
Fri Feb 17, 2023 10:02 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

@Znevna: I agree that it's slightly weird. I suppose you can see the possible problem and how this solves it *1 , right? The weird part is, how is it actual problem, unless we're talking about some software from pre-NAT times? Because anything aware of NAT must assume that direct incoming connection...
by Sob
Fri Feb 17, 2023 8:32 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

Don't overthink it, it's just a tool, it's up to you how you use it. Take the netfilter module from first post (https://github.com/Chion82/netfilter-full-cone-nat). If it was in RouterOS, you could do e.g: /ip firewall nat add chain=srcnat src-address-list=consoles protocol=udp out-interface=WAN act...
by Sob
Fri Feb 17, 2023 8:01 pm
Forum: General
Topic: IPSec joining two subnets fail [SOLVED]
Replies: 8
Views: 1293

Re: IPSec joining two subnets fail [SOLVED]

There are different levels. Routing needs a route (but in this case even default one is enough). With proxy ARP I'm not completely sure, there were some changes, possibly bugs, but route pointing to different interface than LAN should be sure bet. It's even possible that it's not needed and default ...
by Sob
Fri Feb 17, 2023 6:05 pm
Forum: General
Topic: IPSec joining two subnets fail [SOLVED]
Replies: 8
Views: 1293

Re: IPSec joining two subnets fail [SOLVED]

Because IPSec carries only IP packets (= L3). You can have L2 with EoIP, but then you'll have to deal with different problems, at least some DHCP isolation would be required if each site should have own server. If you stick with IPSec, for proxy ARP to work, you'll need routes to remote sites. As fo...
by Sob
Fri Feb 17, 2023 5:51 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

Correct. But with <whatever_it_would_be_called> NAT being dynamic and creating incoming dstnats for each outgoing connection, one public address would be good enough for several consoles.
by Sob
Fri Feb 17, 2023 5:47 pm
Forum: General
Topic: IPSec joining two subnets fail [SOLVED]
Replies: 8
Views: 1293

Re: IPSec joining two subnets fail [SOLVED]

But why? You won't have L2 connectivity anyway. And if it's only L3, you might as well go with clean and simple separate subnets. But if you insist, it should be possible. Currently you have problem on site A, because e.g. 192.168.10.200 has /24, so it thinks that even remote 192.168.10.10 is local....
by Sob
Fri Feb 17, 2023 5:34 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

as you can see RouterOS also maps to the same inside global ip and port for all streams. Yes. But now when 3.3.3.3 tries to connect to x.x.x.x:12345, will it reach 192.168.88.115:12345? No, because RouterOS will correctly see it as new unsolicited connection. But this <whatever_it_would_be_called> ...
by Sob
Fri Feb 17, 2023 5:15 pm
Forum: General
Topic: Masquerade issue
Replies: 6
Views: 918

Re: Masquerade issue

Check VRF and hidden interfaces. I was under impression that it's already fixed/handled, but maybe not everywhere? I think I didn't test NAT myself.
by Sob
Fri Feb 17, 2023 4:03 pm
Forum: General
Topic: Feature requests
Replies: 1748
Views: 647685

Re: Feature requests

Who decided that everything in web browser is the right way? I for one say it's not. Don't touch my toys! ;)
by Sob
Fri Feb 17, 2023 3:41 pm
Forum: Beginner Basics
Topic: Slow bandwidth debian server behind NAT
Replies: 8
Views: 1336

Re: Slow bandwidth debian server behind NAT

It's definitely not that RouterOS couldn't handle port forwarding. Slightly wrong VLAN and IP config shouldn't do it either. Same goes for seemingly unnecessary proxy ARP. But what if you forget about dual WAN for a moment (disable DHCP client on ether10) and try with only single connection, does it ...
by Sob
Fri Feb 17, 2023 2:24 am
Forum: Beginner Basics
Topic: DDNS for my server with IP/Cloud?
Replies: 11
Views: 3308

Re: DDNS for my server with IP/Cloud?

Well, it's confusing. I mistakenly read it as "Works fine as long as my internet supplier does not change addresses IP addresses." Looking at OP's older threads (and I participated there too, who would have thought :)), that's not the case ("My internet provider does not change the pr...
by Sob
Thu Feb 16, 2023 7:38 pm
Forum: Beginner Basics
Topic: mikrotik connect to proxy and share internet to another bridge
Replies: 7
Views: 1157

Re: mikrotik connect to proxy and share internet to another bridge

Short answer: NO Long answer: Maybe. It would work with transparent proxy and requests that could be intercepted this way, e.g. HTTP (but not HTTPS). So in practice it's NO again. Other way would be to make clients aware of proxy. Manual config would be impractical, but there may be some chance with...
by Sob
Thu Feb 16, 2023 7:28 pm
Forum: General
Topic: The ISP provides two IP addresses (by DHCP and PPPoE) on one WAN port
Replies: 6
Views: 885

Re: The ISP provides two IP addresses (by DHCP and PPPoE) on one WAN port

MAC addresses alone are not that big a problem, it may look weird at first, but VRRP hack works.
by Sob
Thu Feb 16, 2023 7:20 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

@anav: Be careful with untrusted others. UPnP's problem is lack of security. You can help it a bit, e.g. you can control who uses it (or more precisely who can control it), by allowing access only from some devices (firewall filtering by IP or better MAC address) or interfaces. So you can allow acce...
by Sob
Thu Feb 16, 2023 6:54 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

UPnP should be solution (for single NAT) for everything that supports it. That should be any non-ancient game. Unless authors were too progressive and went only with more modern PCP. It wouldn't be wisest choice to support only that without UPnP as backup, but if you wanted, you could partially blam...
by Sob
Thu Feb 16, 2023 6:11 pm
Forum: General
Topic: IPv6 SLAAC
Replies: 3
Views: 1353

Re: IPv6 SLAAC

On 7.7, yes. Just go in IPv6->Addresses and it should be there. You have to accept RAs first:
/ipv6 settings
set accept-router-advertisements=yes
And also reboot to make it work, because in v7 the change no longer applies immediately, which is most likely bug.
by Sob
Thu Feb 16, 2023 6:01 pm
Forum: Beginner Basics
Topic: DDNS for my server with IP/Cloud?
Replies: 11
Views: 3308

Re: DDNS for my server with IP/Cloud?

It shouldn't be difficult, luckily I don't need it myself, so my experience is limited, but at first sight there are different tools ready for the job (e.g. ddclient). And if you're using own domain (as it seems you do), then if there's some API for its DNS, you can do it without relying on any othe...
by Sob
Thu Feb 16, 2023 4:15 pm
Forum: Beginner Basics
Topic: DDNS for my server with IP/Cloud?
Replies: 11
Views: 3308

Re: DDNS for my server with IP/Cloud?

Admittedly unhelpful advice: The only proper solution is to tell ISP to stop doing stupid things and keep static addresses.

DDNS is just hotfix with various problems. But if it's unavoidable, it's probably best/easiest to use some independent DDNS on server itself.
by Sob
Thu Feb 16, 2023 1:26 am
Forum: General
Topic: What are your show stoppers for migrating to ROS7?
Replies: 22
Views: 1994

Re: What are your show stoppers for migrating to ROS7?

At home it's 6to4 instantly crashing system (SUP-97719). I need it to work, because it's still my source of IPv6 (ISP didn't yet manage to provide native IPv6 and I don't like third party tunnels). It might be useful indicator of v7 maturity. Given its low popularity, when they fix this, they probab...
by Sob
Thu Feb 16, 2023 12:01 am
Forum: Beginner Basics
Topic: VPN IPSEC cant ping from one side [SOLVED]
Replies: 6
Views: 2278

Re: VPN IPSEC cant ping from one side [SOLVED]

Current bytes = 0 means that nothing is sent or received. But if you're pinging from router, it's expected, you need to set source address, because it's choosing wrong one:
/ping src-address=192.168.55.1 address=192.168.7.1
by Sob
Wed Feb 15, 2023 10:52 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

Well, the definition by itself is not completely clear. For full cone it says that "all requests from the same internal IP address and port are mapped to the same external IP address and port ", but that's not necessarily same internal and external port number. So i.i.i.i:1234 always mappe...
by Sob
Wed Feb 15, 2023 10:25 pm
Forum: General
Topic: Proxy access list synchronization between multiple devices
Replies: 1
Views: 414

Re: Proxy access list synchronization between multiple devices

Central place and API for updating sounds best to me. It would require some programming, but you could choose any language you like (= much better than suffer with RouterOS scripting; just personal opinion, not objective fact).
by Sob
Wed Feb 15, 2023 10:08 pm
Forum: Beginner Basics
Topic: Port forwarding suddenly stopped working [SOLVED]
Replies: 8
Views: 1589

Re: Port forwarding suddenly stopped working [SOLVED]

The config in first post got somehow shorter and useless to see the problem, but original version had this: /ip firewall filter add action=jump chain=forward comment="USER FORWARD CHAIN" jump-target=USERforward ... add action=accept chain=USERforward dst-address=192.168.16.126 out-interfac...
by Sob
Wed Feb 15, 2023 9:57 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

No, this, as I understand it, solves it. Imagine some udp-based game or another system with p2p communication. If it was ideal NAT-less internet: - client A sends packet from a.a.a.a:aaa to remote server - client B sends packet from b.b.b.b:bbb to remote server - server tells these addresses with po...
by Sob
Wed Feb 15, 2023 8:48 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

If you mean forwarding port ranges to different devices, it wouldn't really work, would it? Not without some configuration on those devices that would force them to use these ports as source. If I'm dstnatting e.g. 1000-1999 to device A and 2000-2999 to device B, then if device A uses e.g 1500 as so...
by Sob
Wed Feb 15, 2023 8:28 pm
Forum: Beginner Basics
Topic: VPN IPSEC cant ping from one side [SOLVED]
Replies: 6
Views: 2278

Re: VPN IPSEC cant ping from one side [SOLVED]

Those blue unreachable routes to remote subnets (on both routers) are wrong. Right now I'm not sure (temporary brain outage ;)) they are breaking it, I think they shouldn't. But you don't need them, so they can be removed. You can also check if IPSec counters are increasing (in IP->IPSec->Installed ...
by Sob
Wed Feb 15, 2023 8:00 pm
Forum: General
Topic: Ignore/filter a particular MAC on particular DHCP server
Replies: 5
Views: 647

Re: Ignore/filter a particular MAC on particular DHCP server

/system logging add topics=dhcp And then in log: 18:56:32 dhcp,debug LAN received discover id 3870440748 from 0.0.0.0 '1:0:c:29:e0:d9:dd' 18:56:32 dhcp,debug,packet secs = 58 18:56:32 dhcp,debug,packet ciaddr = 0.0.0.0 18:56:32 dhcp,debug,packet chaddr = 00:0C:29:E0:D9:DD 18:56:32 dhcp,debug,packet...
by Sob
Wed Feb 15, 2023 7:53 pm
Forum: General
Topic: "Routing Table" Parameter for IPv6 Routes Not in Effect (v7.5) [SOLVED]
Replies: 17
Views: 5013

Re: "Routing Table" Parameter for IPv6 Routes Not in Effect (v7.5) [SOLVED]

If something doesn't work for you, it's usually good idea to post more details. Someone might want to try to reproduce it. Or they might point some possible mistake of yours. In any case, if you're looking for any useful feedback, it can't hurt.
by Sob
Wed Feb 15, 2023 7:45 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

I think you can't: - You can have NAT 1:1, but that's only for one internal device (or more, if you have multiple public addresses, but who has enough?) - You can forward ports manually, but that's missing the "just works without user interaction" part - You can use UPnP, but it's again no...
by Sob
Wed Feb 15, 2023 7:28 pm
Forum: General
Topic: IPSEC Site-to-Site with Azure virtual Gate very slow [SOLVED]
Replies: 2
Views: 1292

Re: IPSEC Site-to-Site with Azure virtual Gate very slow [SOLVED]

Do you perhaps have firewall that uses fasttrack (https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack; which is not compatible with IPSec)?
by Sob
Wed Feb 15, 2023 7:18 pm
Forum: Announcements
Topic: v7.8rc is released!
Replies: 125
Views: 46177

Re: v7.8rc is released!

Why oh why do you do these things? ;) From the new DNS docs: If DNS static entries list matches the requested domain name, then the router will assume that this router is responsible for any type of DNS request for the particular name. For example, if there is only an "A" record in the lis...
by Sob
Wed Feb 15, 2023 4:21 pm
Forum: Beginner Basics
Topic: Port forwarding suddenly stopped working [SOLVED]
Replies: 8
Views: 1589

Re: Port forwarding suddenly stopped working [SOLVED]

Try this:
/ip firewall filter
add action=accept chain=USERforward connection-nat-state=dstnat
by Sob
Wed Feb 15, 2023 12:23 am
Forum: General
Topic: RouterOS DNS service for local domain
Replies: 4
Views: 817

Re: RouterOS DNS service for local domain

It could be the problem with 7.7 erroneously returning NXDOMAIN for AAAA records (or others, but these are most likely to get queried by clients) if you define only A. That was fixed in 7.8 (currently only RC, but otherwise probably not worse than 7.7).
by Sob
Wed Feb 15, 2023 12:15 am
Forum: General
Topic: Does src-net also change source port if needed?
Replies: 4
Views: 854

Re: Does src-net also change source port if needed?

It depends on client, it's pretty easy with CHR I used. :)
by Sob
Tue Feb 14, 2023 9:21 pm
Forum: General
Topic: Ignore/filter a particular MAC on particular DHCP server
Replies: 5
Views: 647

Re: Ignore/filter a particular MAC on particular DHCP server

Doesn't your RouterOS have Block Access checkbox like mine does? Or:
/ip dhcp-server lease
add server=<server> mac-address=xx:xx:xx:xx:xx:xx block-access=yes
by Sob
Tue Feb 14, 2023 8:34 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44172

Re: FEATURE REQUEST: full cone NAT

So in other words, it's basically alternative to UPnP that works automatically without requiring client to do anything. And the key part is that it can work for multiple clients sharing same public address (unlike mrz's NAT 1:1, which is otherwise fine, but it needs one public address for each inter...
by Sob
Tue Feb 14, 2023 3:42 pm
Forum: General
Topic: Howto copy configuration from RB951G-2HnD to hAP ax3 ? [SOLVED]
Replies: 13
Views: 1906

Re: Howto copy configuration from RB951G-2HnD to hAP ax3 ? [SOLVED]

Certificates are not a problem if you don't have any. Otherwise, unfortunately, yes, because export doesn't include them.
by Sob
Tue Feb 14, 2023 3:08 pm
Forum: General
Topic: Failover (WAN Backup) tutorial - trying to understand
Replies: 17
Views: 4724

Re: Failover (WAN Backup) tutorial - trying to understand

Says the king of hijackers. ;) Mine was just a quick note that no, official tutorial with multiple routing tables is not necessarily broken.
by Sob
Tue Feb 14, 2023 2:54 pm
Forum: General
Topic: Failover (WAN Backup) tutorial - trying to understand
Replies: 17
Views: 4724

Re: Failover (WAN Backup) tutorial - trying to understand

I didn't study it in detail, but @anav's examples seem to be simple fixed-role primary/backup. So ISP1 is always primary and ISP2 is used only when ISP1 fails. One routing table is enough for that. Multiple routing tables would be needed if you'd want to have group of devices using ISP1 and ISP2 as ...
by Sob
Tue Feb 14, 2023 2:37 pm
Forum: Beginner Basics
Topic: VPN IPSEC cant ping from one side [SOLVED]
Replies: 6
Views: 2278

Re: VPN IPSEC cant ping from one side [SOLVED]

It seems overcomplicated. You probably don't need mode config and extra addresses, just simple static tunnel between subnets. Also plain IPSec is different from L2TP, it doesn't give you any new interface and doesn't use routes the same way. Instead it defines what should go to tunnel using policies...
by Sob
Tue Feb 14, 2023 2:05 pm
Forum: General
Topic: RouterOS DNS service for local domain
Replies: 4
Views: 817

Re: RouterOS DNS service for local domain

So it works for some but not all? Then it means that RouterOS is doing something and it would need a closer look (e.g. catch and examine some packets) to see what's wrong.
by Sob
Tue Feb 14, 2023 1:41 pm
Forum: Beginner Basics
Topic: finevpn on mikrotik
Replies: 1
Views: 740

Re: finevpn on mikrotik

From quick look it seems that VPN provider uses Wireguard. So see section (7) in viewtopic.php?t=182340 to get started. If you'd want to use VPN only for selected source devices and/or destinations, it's possible too.
by Sob
Tue Feb 14, 2023 1:06 pm
Forum: General
Topic: Does src-net also change source port if needed?
Replies: 4
Views: 854

Re: Does src-net also change source port if needed?

Yes it will. It has to, otherwise it wouldn't work. It tries to keep original port if the mapping (newsrcaddr:srcport<->dstaddr:dstport) is free, but if not, it will change srcport.
by Sob
Mon Feb 13, 2023 7:34 pm
Forum: General
Topic: DNS over HTTPS
Replies: 258
Views: 124258

Re: DNS over HTTPS

1.1 Yes and no. You can skip certificate, set verify-doh-cert=no and it will work. But the point of certificates is to ensure that nobody between you and target server can read or change what you both send and receive. If you don't verify certificates, anyone on the way can fiddle with your data. Yo...
by Sob
Mon Feb 13, 2023 7:02 pm
Forum: General
Topic: Firewall filter by binary / hex Value
Replies: 2
Views: 781

Re: Firewall filter by binary / hex Value

Firewall supports "content" matcher. Only if I remember correctly and nothing changed, any unprintable characters have to be entered using CLI (e.g. content="\01\20\ff") and they will show as garbage in GUI.
by Sob
Mon Feb 13, 2023 6:55 pm
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 116354

Re: v7.7 [stable] is released!

@Miguelin: It's not like they broke everything, it still mostly works. You should probably open new thread and post (much) more info about your problem.
by Sob
Mon Feb 13, 2023 6:52 pm
Forum: Beginner Basics
Topic: Tagged VLAN on WAN (HeX)
Replies: 4
Views: 683

Re: Tagged VLAN on WAN (HeX)

In RouterOS you can simply create VLAN interface:
/interface vlan
add interface=<physical interface> name=<name of vlan interface> vlan-id=<vlan number>
by Sob
Mon Feb 13, 2023 11:00 am
Forum: Beginner Basics
Topic: Port forwarding issues
Replies: 6
Views: 951

Re: Port forwarding issues

The problem with multi WAN is that you need to send responses back the same way the requests came from, but it doesn't happen automatically. You'll need new routing tables (one for each WAN), mark connections based on incoming interface, and then mark routing for responses. See e.g. this example: ht...
by Sob
Mon Feb 13, 2023 10:45 am
Forum: Containers
Topic: how enable container on CHR\x86? Topic is solved
Replies: 46
Views: 30097

Re: how enable container on CHR\x86? Topic is solved

One way to solve it would be if they added confirmation at boot. It would require access to physical or virtual console, i.e. something that any attacker wouldn't have, so it would be safe. User would enable containers and do regular reboot. While booting, system would ask if they really want it (wi...
by Sob
Sun Feb 12, 2023 8:26 pm
Forum: Beginner Basics
Topic: DHCP and ICMP in RAW table instead of standard Firewall
Replies: 7
Views: 896

Re: DHCP and ICMP in RAW table instead of standard Firewall

It depends. Raw happens right at the beginning, so you can deal with something before any heavy processing starts. Especially if you're going to drop something anyway, doing it in raw should be more efficient. But don't ask about details, I don't have any numbers to show how much.
by Sob
Sun Feb 12, 2023 8:14 pm
Forum: Beginner Basics
Topic: How to DST-NAT trhough 2 routers for remote access
Replies: 5
Views: 1930

Re: How to DST-NAT trhough 2 routers for remote access

You successfully neutralized your firewall (by disabling #6 and #14 you now allow pretty much everything; probably not the best plan), but other than that, it's hard to tell. The image doesn't seem very clear. Is the server behind second (blue) router or not? Its LAN is connected to it, but its WAN ...
by Sob
Sun Feb 12, 2023 5:29 pm
Forum: Beginner Basics
Topic: Port forwarding issues
Replies: 6
Views: 951

Re: Port forwarding issues

And regarding the actual port forwarding, you can't forward it to 256 addresses at once, you need to-addresses=<single address>.
by Sob
Sun Feb 12, 2023 3:09 pm
Forum: General
Topic: Wireguard only works from wg-interface-ip
Replies: 6
Views: 1012

Re: Wireguard only works from wg-interface-ip

That's not it. You can use IP address as gateway, but WG doesn't really care, it decides itself where to send packets, based on peers' allowed-address. E.g. if you'd have WG interface with 10.0.0.1/24 and two peers: - peer1, allowed addresses 10.0.0.2, 192.168.2.0/24 - peer2, allowed addresses 10.0....
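Added example (not from the post above, and not MikroTik documentation) of the allowed-address selection the post describes: two peers on one WireGuard interface, each owning its tunnel address and a LAN behind it. The interface name, the public keys and peer2's LAN (192.168.3.0/24) are placeholders/assumptions; only 10.0.0.1/24, peer1's 10.0.0.2 and 192.168.2.0/24 come from the post.

```routeros
# Added example, not the poster's config. Public keys are placeholders.
/interface wireguard
add name=wg0 listen-port=13231

/ip address
add address=10.0.0.1/24 interface=wg0

/interface wireguard peers
# peer1 owns 10.0.0.2 and the LAN behind it
add interface=wg0 public-key="<peer1 public key>" allowed-address=10.0.0.2/32,192.168.2.0/24
# peer2 owns 10.0.0.3 and its own LAN (192.168.3.0/24 is an assumption)
add interface=wg0 public-key="<peer2 public key>" allowed-address=10.0.0.3/32,192.168.3.0/24

# Routes only get the packet onto wg0. The gateway may be the interface or an
# address on it; WireGuard ignores that and picks the peer by longest-prefix
# match on allowed-address (cryptokey routing).
/ip route
add dst-address=192.168.2.0/24 gateway=wg0
add dst-address=192.168.3.0/24 gateway=wg0

# Failure modes to keep in mind:
# - a destination that is in no peer's allowed-address is dropped by wg0 no
#   matter what the routing table says;
# - a prefix belongs to exactly one peer; listing the same prefix under two
#   peers leaves only one of them receiving it;
# - allowed-address also filters INBOUND traffic: packets arriving from a peer
#   with a source outside its allowed-address are discarded, so do not widen it
#   to 0.0.0.0/0 on a peer that should only reach its own subnet.
```

The last point is the security-relevant one: allowed-address is both the routing table and the ingress filter for that peer, so keep it as narrow as the peer's real addressing.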
by Sob
Sun Feb 12, 2023 2:46 pm
Forum: The Dude
Topic: Newbie Questions for Dude
Replies: 3
Views: 2635

Re: Newbie Questions for Dude

Correction, it's Tools->Layout. And even Undo button works. So I wonder if before it didn't or I somehow missed it.
by Sob
Sun Feb 12, 2023 6:12 am
Forum: General
Topic: Zerotier and Streaming
Replies: 42
Views: 8124

Re: Zerotier and Streaming

He's not selfish and wants everyone to have same fun. :)
by Sob
Sun Feb 12, 2023 6:07 am
Forum: The Dude
Topic: Newbie Questions for Dude
Replies: 3
Views: 2635

Re: Newbie Questions for Dude

I think it's those "Item alignment" buttons at the top. As I remember, the result wasn't too bad. I mean at first. But later, after you fine tune it by moving different things and accidentally press it again, it's tragic. ;)
by Sob
Fri Feb 10, 2023 12:48 pm
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 116354

Re: v7.7 [stable] is released!

Yes, lately it's breaking a bit too much. As in my example, there was default (and actually the only) behaviour since forever, and everyone relied on it, knowingly or accidentally. It's one thing to change default, it can be annoying, but sometimes it's inevitable. But not even an option to get the ...
by Sob
Fri Feb 10, 2023 3:21 am
Forum: General
Topic: HTTPS-redirect with RoS 7.5 - bad news for hotspots...
Replies: 10
Views: 4767

Re: HTTPS-redirect with RoS 7.5 - bad news for hotspots...

But it never really worked anyway. Or did it? I mean properly, without certificate errors. Any client should be aware that hotspots exist and try to detect them automatically. If that doesn't work with your hotspot for some reason, it's probably best to try to find why. Because it should, and then y...
by Sob
Fri Feb 10, 2023 3:04 am
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 116354

Re: v7.7 [stable] is released!

*) dns - query upstream DNS servers for other record types even if static entry exists; This change, while not necessarily wrong, is not great either. Previously when I set record of any type, it took over the whole name, i.e. it blocked all other types from upstream. Simple example, public server ...
by Sob
Fri Feb 10, 2023 1:39 am
Forum: General
Topic: Creating static DNS A records with v7.7
Replies: 9
Views: 1766

Re: Creating static DNS A records with v7.7

Perhaps it's a puzzle for fans, to let them discover new features in some more exciting way than just reading the docs. Or it's some cunning plan how to discover what people want, by watching what they try to do with it, without asking them directly. Or just whoever is in charge of documentation is ...
by Sob
Thu Feb 09, 2023 5:01 am
Forum: General
Topic: DNS forwarding - multiple DNS servers?
Replies: 3
Views: 6359

Re: DNS forwarding - multiple DNS servers?

AFAIK the only failover for FWD that ever sort of worked is: /ip dns static add type=A name=myns.tld address=x.x.x.x add type=A name=myns.tld address=y.y.y.y add type=FWD name=example.net match-subdomain=yes forward-to=myns.tld It's far from perfect, because it's dumb round robin. First query goes t...
by Sob
Thu Feb 09, 2023 3:43 am
Forum: General
Topic: Port Forwarding not working for WAN VRRP setup [SOLVED]
Replies: 2
Views: 1175

Re: Port Forwarding not working for WAN VRRP setup [SOLVED]

Your rules don't use destination addresses, the only condition related to that is in-interface-list=WAN. Possible explanation is that your WAN list contains parent interface, but not the VRRP one. But since that one is seen as incoming interface for packets to x.x.x.3, it doesn't work. But you proba...
by Sob
Thu Feb 09, 2023 2:00 am
Forum: General
Topic: Creating static DNS A records with v7.7
Replies: 9
Views: 1766

Re: Creating static DNS A records with v7.7

That's not what it's for. It doesn't get addresses from list, it adds addresses to list. For more details see: viewtopic.php?p=952360#p952360
by Sob
Sat Dec 24, 2022 1:30 pm
Forum: General
Topic: Let's Encrypt - only 1 certificate allowed?
Replies: 9
Views: 2378

Re: Let's Encrypt - only 1 certificate allowed?

No, it's RouterOS. The whole thing is basically like an early alpha version that leaked out prematurely. It's fine as techdemo, but not actually usable yet. You can get one certificate, it works, and that's it. It doesn't even renew, at least not automatically. You can't request another one (for dif...
by Sob
Fri Dec 23, 2022 10:52 pm
Forum: Announcements
Topic: v7.7rc is released!
Replies: 259
Views: 91427

Re: v7.7rc is released!

Now that we have containers, it may be time to leave some things in the dust (like SMB server, proxy, hotspot, and apparently also DNS resolver) and focus on routing again. I'd rather if they didn't. It's my fear of containers, that they could serve as excuse for MikroTik to not implement some thin...
by Sob
Fri Dec 23, 2022 6:44 pm
Forum: Announcements
Topic: v7.7rc is released!
Replies: 259
Views: 91427

Re: v7.7rc is released!

Now once you add an A or AAAA entry, both A and AAAA records are handled by static entries. We will discuss this internally once more and will decide how to proceed. Unless you use DoH: /ip dns set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query /ip dns static add name=forum.mikr...
by Sob
Thu Dec 22, 2022 7:04 pm
Forum: General
Topic: NO WAY?! AI writes Mikrotik-Scripts...
Replies: 23
Views: 3644

Re: NO WAY?! AI writes Mikrotik-Scripts...

Some declarations just turn out to be premature. :)

by Sob
Wed Dec 21, 2022 7:57 pm
Forum: General
Topic: Renewing Let's Encrypt SSL Certificate [SOLVED]
Replies: 10
Views: 11218

Re: Renewing Let's Encrypt SSL Certificate [SOLVED]

That's not what I meant. First, out of the three hostnames, only one could possibly make sense, acme-v02.api.letsencrypt.org is the one LE client is connecting to, acme-staging-v02.api.letsencrypt.org is testing (non-production) version of that, and letsencrypt.org is just for public website. But as ...
by Sob
Wed Dec 21, 2022 2:17 pm
Forum: General
Topic: Renewing Let's Encrypt SSL Certificate [SOLVED]
Replies: 10
Views: 11218

Re: Renewing Let's Encrypt SSL Certificate [SOLVED]

I'm not sure it's supposed to work, see:

https://letsencrypt.org/docs/faq/#what- ... web-server
by Sob
Wed Dec 21, 2022 12:08 am
Forum: General
Topic: Client VPN (Nord) - Migrating from IKEv2/IPSEC to Wireguard
Replies: 4
Views: 1460

Re: Client VPN (Nord) - Migrating from IKEv2/IPSEC to Wireguard

Use WinBox to connect to router's MAC address. And when you get in, check 1) in viewtopic.php?p=956630#p956630
by Sob
Wed Dec 21, 2022 12:05 am
Forum: Beginner Basics
Topic: Need Help on Setting RB450Gx4
Replies: 8
Views: 1651

Re: Need Help on Setting RB450Gx4

Sorry about late response, open tab got buried among other stuff. It doesn't seem correct at all, "/ip firewall nat" is for changing sources or destinations. For blocking and allowing stuff there's "/ip firewall filter". Since you currently don't have any, you may want to get so...
by Sob
Tue Dec 20, 2022 11:59 pm
Forum: General
Topic: WAN to LAN1 - bridge without NAT / while other LAN and Wi-Fi clients using Routing
Replies: 7
Views: 1238

Re: WAN to LAN1 - bridge without NAT / while other LAN and Wi-Fi clients using Routing

It depends, what's your problem with double NAT? I'm not saying it's great, it isn't, but for many things it isn't too bad either. If you have public address and want incoming connections, you can set it as NAT 1:1 and it will work for many/most things. It's true that it can change behaviour of some...
by Sob
Tue Dec 20, 2022 11:49 pm
Forum: General
Topic: Route over IPSEC tunnel by port or dst fqdn
Replies: 10
Views: 2080

Re: Route over IPSEC tunnel by port or dst fqdn

If you also have two distinct marks (you do, right?), then srcnat conditions should match, source should get changed to one address or another, and then the right IPSec policy should apply. Right now I don't know what could be the problem. If you export and post your config, maybe someone will see s...
by Sob
Tue Dec 20, 2022 11:44 pm
Forum: Beginner Basics
Topic: DNS Server - DNS Static TTL question
Replies: 1
Views: 465

Re: DNS Server - DNS Static TTL question

It's normal to have "copy" of static records in cache. I'm not sure about TTL, it used to show the same value as defined for static record. I guess it can be some internal thing, but I can't tell what exactly it could be. But external queries get responses with full TTL, so that's correct.
by Sob
Tue Dec 20, 2022 8:49 pm
Forum: General
Topic: IPv6 policy routing example.
Replies: 3
Views: 1503

Re: IPv6 policy routing example.

If you use addresses from each tunnel in distinct part of LAN and you can identify source even without using addresses (e.g. by interface), then you could use mangle rules the same way as for incoming connections. Marking connection in forward is possible, but it won't help you with outgoing ones, b...
by Sob
Tue Dec 20, 2022 4:57 pm
Forum: General
Topic: IPv6 policy routing example.
Replies: 3
Views: 1503

Re: IPv6 policy routing example.

Not tested, but routing rules should do the trick, without any mangling: /routing rule add action=lookup dst-address=<he-subnet>/48 table=main add action=lookup dst-address=<6rd-subnet>/56 table=main add action=lookup src-address=<he-subnet>/48 table=he add action=lookup src-address=<6rd-subnet>/56 ...
by Sob
Mon Dec 19, 2022 4:41 pm
Forum: Beginner Basics
Topic: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS) [SOLVED]
Replies: 31
Views: 3785

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS) [SOLVED]

@Świętopełek: Dstnat is just one step. Even if you redirect everything to router, if requests came from internet, they already had your router's address as their destination, so nothing much changed there. What happens still depends on your firewall filter (chain=input).
by Sob
Mon Dec 19, 2022 3:01 pm
Forum: General
Topic: ipsec-policy not working? [SOLVED]
Replies: 4
Views: 1490

Re: ipsec-policy not working? [SOLVED]

The problem is that ipsec-policy looks for policy that matches current src/dst address combination, in whatever chain it is. Forward chain sees packets from <real local address> to <remote address>, but your policy is for <virtual local subnet> <-> <remote subnet>, so it can't match and packet is al...
by Sob
Mon Dec 19, 2022 2:42 pm
Forum: General
Topic: DoH in router with pihole
Replies: 5
Views: 1587

Re: DoH in router with pihole

True, it's more logical. But then clients depend on Pi-hole and if it happens to not work for any reason, nothing works for clients (at least it seems that way to them). If everything goes to router, it can be easily and automatically (using Netwatch or scheduled script) redirected to somewhere else...
by Sob
Sun Dec 18, 2022 3:24 pm
Forum: Beginner Basics
Topic: Forward dns related traffic to pfsense
Replies: 4
Views: 1035

Re: Forward dns related traffic to pfsense

You need to look closely at what happens. Tools->Netwatch, logging rules in right places, ... find out where exactly it goes wrong. Step by step, see incoming packets in prerouting, verify in postrouting that nothing blocked them, watch for responses, etc..
by Sob
Sun Dec 18, 2022 3:18 pm
Forum: General
Topic: Changing ipv6 prefix
Replies: 95
Views: 18752

Re: Changing ipv6 prefix

There's RFC for it, mentioned in this thread, about how CPE devices should handle changing prefixes (advertise old one with zero lifetime). It doesn't seem difficult to add built-in support for that.
by Sob
Sun Dec 18, 2022 4:23 am
Forum: General
Topic: address list auto-sync of IP changes of domain address
Replies: 15
Views: 2638

Re: address list auto-sync of IP changes of domain address

You're either trying to fix someone else's mistake, or you're making one yourself: a) If authoritative server says that www.example.net has address 1.2.3.4 and sticks an hour long TTL to it, then it's their responsibility to keep 1.2.3.4 alive for at least that long. If it fails sooner, too bad. But...
by Sob
Sun Dec 18, 2022 3:57 am
Forum: General
Topic: WAN to LAN1 - bridge without NAT / while other LAN and Wi-Fi clients using Routing
Replies: 7
Views: 1238

Re: WAN to LAN1 - bridge without NAT / while other LAN and Wi-Fi clients using Routing

So the bridge is something you want, but don't actually have yet? Because I was wondering how it works. :) It would be simple if you got two IP addresses from ISP, but otherwise I'm not sure how it could be done, at least not in any simple and straightforward way, without changing something on main ...
by Sob
Sun Dec 18, 2022 3:42 am
Forum: General
Topic: Changing ipv6 prefix
Replies: 95
Views: 18752

Re: Changing ipv6 prefix

RouterOS should definitely handle this, changing prefixes is valid config. After all, D in DHCP means dynamic and not necessarily only "not assigned manually", prefix can change too. But that forcibly changing prefixes for customers "just because" is horrible idea, that's also tr...
by Sob
Sun Dec 18, 2022 3:35 am
Forum: General
Topic: Mangle not working as expected
Replies: 5
Views: 1302

Re: Mangle not working as expected

Original config should work for VPN->GRUPPO_DISPOSITIVI_VOIP connections, but not for GRUPPO_DISPOSITIVI_VOIP->VPN connections, because route marking rule requires connection mark that's only assigned to VPN->GRUPPO_DISPOSITIVI_VOIP connections.
by Sob
Sun Dec 18, 2022 3:28 am
Forum: Beginner Basics
Topic: Forward dns related traffic to pfsense
Replies: 4
Views: 1035

Re: Forward dns related traffic to pfsense

It should work, any connection to 192.168.4.254:53 should be allowed. If you have rules at the beginning as shown, there's nothing to stop this traffic.
by Sob
Sun Dec 18, 2022 3:21 am
Forum: General
Topic: ipsec-policy not working? [SOLVED]
Replies: 4
Views: 1490

Re: ipsec-policy not working? [SOLVED]

Is there any srcnat involved? Meaning that tunnel wouldn't be for addresses in Office list but for some other virtual address/subnet and srcnat would change source to that. The ipsec-policy in forward couldn't work in such case, because srcnat happens only after forward.
by Sob
Sun Dec 18, 2022 3:13 am
Forum: General
Topic: Route over IPSEC tunnel by port or dst fqdn
Replies: 10
Views: 2080

Re: Route over IPSEC tunnel by port or dst fqdn

If you look at generated IPSec policies, are there two different local addresses?
by Sob
Sun Dec 18, 2022 2:48 am
Forum: General
Topic: WAN to LAN1 - bridge without NAT / while other LAN and Wi-Fi clients using Routing
Replies: 7
Views: 1238

Re: WAN to LAN1 - bridge without NAT / while other LAN and Wi-Fi clients using Routing

You can use same SSID and IP range, but it won't help you, because they will be on wrong device, so anything connected to that won't have access to main network when it's online. If it's just about reconnecting to another AP being annoying, you could use Netwatch to monitor whether main router is al...
by Sob
Sun Dec 18, 2022 2:32 am
Forum: General
Topic: DoH in router with pihole
Replies: 5
Views: 1587

Re: DoH in router with pihole

You can either let Pi-hole do it (https://docs.pi-hole.net/guides/dns/cloudflared/), or if you'd want to use router's DoH, it would be possible too, but only if clients won't be using its DNS cache (which you may or may not want, depending on how exactly your Pi-hole fits in).
by Sob
Sun Dec 18, 2022 2:21 am
Forum: Beginner Basics
Topic: defining a specified data limit for users without using hotspot or user manager
Replies: 12
Views: 3073

Re: defining a specified data limit for users without using hotspot or user manager

If you don't have MT router and want to play with RouterOS, you can use (free) CHR.
by Sob
Sun Dec 18, 2022 2:19 am
Forum: General
Topic: IPSEC + overlaping subnet again [SOLVED]
Replies: 4
Views: 1807

Re: IPSEC + overlaping subnet again [SOLVED]

Exactly as you have it, but only half of them. :) Second rule changes your 10.0.0.x to 10.168.10.x when connecting to their 10.14.x.x, that's what you want. First one matches if their 10.14.x.x tries to connect to your virtual 10.168.10.x, but it doesn't do anything useful with it. To handle such in...
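Added example (not the poster's config, and not from this or the earlier "ipsec-policy not working?" posts) of the overlapping-subnet setup the three IPsec posts above describe: the real LAN 10.0.0.0/24 is shown to the peer as a virtual 10.168.10.0/24, the peer's network is 10.14.0.0/16. The peer name and the WAN interface ether1 are placeholders. The ordering comment is the point the earlier post makes: srcnat runs after the forward chain, so a forward-chain rule matching ipsec-policy=out,ipsec against the real 10.0.0.x source never fires, and a masquerade rule placed above the netmap rule leaks the traffic out of the tunnel.

```routeros
# Added example, not the poster's config. <peer-name> is a placeholder.

/ip ipsec policy
# The policy is written for the VIRTUAL local subnet; the real one never appears on the wire.
add src-address=10.168.10.0/24 dst-address=10.14.0.0/16 tunnel=yes peer=<peer-name> action=encrypt

/ip firewall nat
# Outgoing: rewrite our real source to the virtual one before the policy is looked up.
# netmap keeps the host part, so 10.0.0.7 becomes 10.168.10.7.
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.14.0.0/16 action=netmap to-addresses=10.168.10.0-10.168.10.255 comment="ipsec: real -> virtual"
# Incoming: the peer connects to 10.168.10.x, map it back to the real host.
add chain=dstnat src-address=10.14.0.0/16 dst-address=10.168.10.0/24 action=netmap to-addresses=10.0.0.0-10.0.0.255 comment="ipsec: virtual -> real"
# Keep the general masquerade BELOW the netmap rule. If masquerade wins first, the packet
# leaves with the WAN address as source, matches no policy, and goes out unencrypted.
add chain=srcnat out-interface=ether1 action=masquerade
```

To verify, open a connection from a 10.0.0.x host to 10.14.x.x and check /ip ipsec installed-sa and the policy counters; a connection that shows up in /ip firewall connection with the WAN address as its reply destination instead of 10.168.10.x means the masquerade rule matched first.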
by Sob
Sun Dec 18, 2022 2:06 am
Forum: General
Topic: access to client-client from WAN side?
Replies: 2
Views: 669

Re: access to client-client from WAN side?

If I understand correctly, it's two subnets behind same router, which has 1.1.1.1 as public address and some port(s) should be forwarded to server 10.11.110.200. And it should work from both internet and other LAN subnet 10.10.10.0/24. If that's the case, it should work, you just need correct dstnat ...
by Sob
Sun Dec 18, 2022 12:14 am
Forum: General
Topic: Bug: 6to4 tunnel critical kernel failure on RouterOS v7.5+
Replies: 4
Views: 857

Re: Bug: 6to4 tunnel critical kernel failure on RouterOS v7.5+

Yep, it's broken. Already reported as SUP-97719.
by Sob
Sun Dec 11, 2022 8:03 pm
Forum: Beginner Basics
Topic: defining a specified data limit for users without using hotspot or user manager
Replies: 12
Views: 3073

Re: defining a specified data limit for users without using hotspot or user manager

I think more people have this in common. Italian cats seem to like it, but that's some weird exception.
by Sob
Sun Dec 11, 2022 4:36 pm
Forum: RouterBOARD hardware
Topic: NAND change and license migration ..Help
Replies: 35
Views: 4438

Re: NAND change and license migration ..Help

@BartoszP: That's related, sometimes it's like manufacturers are thinking "oh well, so we can't limit what customers do with hardware, but at least we can still screw them with software!" ;) I'm not saying that it's MikroTik's intention, not with their otherwise fair approach, unlimited up...
by Sob
Sun Dec 11, 2022 3:51 pm
Forum: General
Topic: OVPN Clinet - link established but not connected - RouterOS 7.6
Replies: 38
Views: 7285

Re: OVPN Clinet - link established but not connected - RouterOS 7.6

But it's also true that OpenVPN suggests that certificates should be created with specific usage: https://openvpn.net/community-resources/how-to/#important-note-on-possible-man-in-the-middle-attack-if-clients-do-not-verify-the-certificate-of-the-server-they-are-connecting-to But still, it shouldn't...
by Sob
Sun Dec 11, 2022 3:38 pm
Forum: Beginner Basics
Topic: defining a specified data limit for users without using hotspot or user manager
Replies: 12
Views: 3073

Re: defining a specified data limit for users without using hotspot or user manager

I'm afraid not. RouterOS scripting doesn't like me. I can manage to produce something when I need it, but I always suffer while doing it, so otherwise I tend to avoid it. :) If you're at least a bit into programming, you can check official docs: https://help.mikrotik.com/docs/display/ROS/Scripting h...
by Sob
Sun Dec 11, 2022 5:25 am
Forum: Beginner Basics
Topic: Need Help on Setting RB450Gx4
Replies: 8
Views: 1651

Re: Need Help on Setting RB450Gx4

Routes seem ok, only if those subnets are only reachable via 192.168.2.1, you don't need check-gateway=ping, because they should point there whether it's up or not. As for ping, if you were able to ping 192.168.2.2 from 192.168.2.1, then communication between them is clearly working. Not being able ...
by Sob
Sun Dec 11, 2022 5:15 am
Forum: Beginner Basics
Topic: defining a specified data limit for users without using hotspot or user manager
Replies: 12
Views: 3073

Re: defining a specified data limit for users without using hotspot or user manager

You could use passthrough rules as counters, but then you'd need some mechanism to check whether limits are exceeded. Which probably shouldn't be too difficult to do using scripting. But unsolved problem is that if router reboots, counters will reset, so you'd need something else that would periodic...
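Added example (not the poster's, and written by the editor rather than taken from the thread) of the counter-and-script approach the post outlines: passthrough mangle rules count each user's bytes, a scheduled script compares the counters to a limit and puts the address into an address list that the filter drops. The user address 192.168.88.10, the list name, the 10 GiB limit and the 5-minute interval are assumptions. Each direction is counted and limited separately, and, as the post says, the counters start from zero after a reboot; this example does not persist them.

```routeros
# Added example, not the poster's config. 192.168.88.10 is a sample user address.

/ip firewall mangle
# Passthrough rules change nothing, they only count. One rule per direction per user;
# the comment carries the address so the script can find the rules.
add chain=forward src-address=192.168.88.10 action=passthrough comment="quota:192.168.88.10"
add chain=forward dst-address=192.168.88.10 action=passthrough comment="quota:192.168.88.10"

/ip firewall filter
# Place these ABOVE any generic "accept established,related" rule in forward,
# otherwise already-open connections keep flowing after the quota is hit.
add chain=forward src-address-list=quota-exceeded action=drop comment="quota enforcement"
add chain=forward dst-address-list=quota-exceeded action=drop comment="quota enforcement"

/system script
add name=check-quota source={
    :local limit 10737418240
    :foreach r in=[/ip firewall mangle find where comment~"^quota:"] do={
        :local c [/ip firewall mangle get $r comment]
        :local addr [:pick $c 6 [:len $c]]
        :local bytes [/ip firewall mangle get $r bytes]
        :if ($bytes > $limit) do={
            :if ([:len [/ip firewall address-list find where list="quota-exceeded" and address=$addr]] = 0) do={
                /ip firewall address-list add list="quota-exceeded" address=$addr comment="quota exceeded"
                :log warning ("quota exceeded for " . $addr)
            }
        }
    }
}
# Monthly reset: zero the counters and let everyone back in.
add name=reset-quota source={
    /ip firewall mangle reset-counters [find where comment~"^quota:"]
    /ip firewall address-list remove [find where list="quota-exceeded"]
}

/system scheduler
add name=check-quota interval=5m on-event=check-quota
add name=reset-quota interval=30d on-event=reset-quota
```

Run the script once by hand with /system script run check-quota after lowering the limit to confirm the address lands in the list, then put the limit back.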
by Sob
Sun Dec 11, 2022 5:10 am
Forum: General
Topic: OVPN Clinet - link established but not connected - RouterOS 7.6
Replies: 38
Views: 7285

Re: OVPN Clinet - link established but not connected - RouterOS 7.6

To me, "works with original OpenVPN" is pretty good argument why it should work with RouterOS too...
by Sob
Sun Dec 11, 2022 4:06 am
Forum: General
Topic: Creating a test network need static IP by port
Replies: 6
Views: 921

Re: Creating a test network need static IP by port

It could be that people are not exactly sure what you want. More details could help. Maybe tell us how it was done in old days, and we'll see if present day technology can handle it or not.
by Sob
Sat Dec 10, 2022 11:22 pm
Forum: Beginner Basics
Topic: Forward reverse DNS lookups to another server?
Replies: 5
Views: 2210

Re: Forward reverse DNS lookups to another server?

They added match-subdomain (which is great thing) in 7.5 and so far it's CLI-only, so it's easy to miss. Previously subdomains required use of regexp. Then they broke FWD records in 7.6 and later, but fortunately it seems that it's not intentional. So it's going in right direction, but slowly and so...
by Sob
Sat Dec 10, 2022 10:36 pm
Forum: General
Topic: Route over IPSEC tunnel by port or dst fqdn
Replies: 10
Views: 2080

Re: Route over IPSEC tunnel by port or dst fqdn

It depends on what local addresses (for your end of tunnel) you get from them. If they are different ones, it should work (most likely). But if it happens to be same address, it wouldn't work.
by Sob
Sat Dec 10, 2022 3:20 am
Forum: RouterBOARD hardware
Topic: NAND change and license migration ..Help
Replies: 35
Views: 4438

Re: NAND change and license migration ..Help

Given the right interface, I could change license level ten times a minute. Can you do the same with car engine? There really is huge difference. :) And about licenses, I'm not sure that it's really MikroTik's main business. It made sense at the beginning with x86 licenses that you'd buy for your ow...
by Sob
Sat Dec 10, 2022 2:52 am
Forum: General
Topic: Loopback NAT or Hairpin on mikroitk [SOLVED]
Replies: 11
Views: 2418

Re: Loopback NAT or Hairpin on mikroitk [SOLVED]

Hey, sometimes different words help. And yes, sometimes it's waste of time.
by Sob
Fri Dec 09, 2022 11:22 pm
Forum: General
Topic: Does Paramount+ require IPv6 ? [SOLVED]
Replies: 11
Views: 2174

Re: Does Paramount+ require IPv6 ? [SOLVED]

It doesn't seem likely that something would require IPv6 and wouldn't be able to work without it. Such service would be inaccessible to 2/3 users (global average).
by Sob
Fri Dec 09, 2022 8:33 pm
Forum: General
Topic: Send specific traffic to WireGuard tunnel [SOLVED]
Replies: 3
Views: 2009

Re: Send specific traffic to WireGuard tunnel [SOLVED]

@anav is not completely correct, you can route traffic to selected destinations identified by hostnames, it's just that reliability depends on other factors. It's easy if you have specific hostname (www.example.net) with static or mostly static IP address, the site hosts everything on www.example.ne...
by Sob
Fri Dec 09, 2022 8:21 pm
Forum: RouterBOARD hardware
Topic: NAND change and license migration ..Help
Replies: 35
Views: 4438

Re: NAND change and license migration ..Help

Suggestion, don't do car analogies, they don't work. MikroTik made the same mistake when explaining why you can't upgrade license levels ("Just like you can't easily upgrade your car's engine from 2L to 4L just by paying the difference, you can't switch license levels as easily."), and it's...
by Sob
Fri Dec 09, 2022 7:40 pm
Forum: General
Topic: Loopback NAT or Hairpin on mikroitk [SOLVED]
Replies: 11
Views: 2418

Re: Loopback NAT or Hairpin on mikroitk [SOLVED]

It's connection tracking. If there's connection from x.x.x.x:x to y.y.y.y:y, router remembers that and knows that response from y.y.y.y:y to x.x.x.x:x belongs to same connection. That's the simple case without NAT. When there's NAT (srcnat, dstnat or both), it's the same principle, only with changed...
by Sob
Fri Dec 09, 2022 7:02 pm
Forum: General
Topic: 6.48.6 looses Interface list setting for VPN? [SOLVED]
Replies: 10
Views: 2087

Re: 6.48.6 looses Interface list setting for VPN? [SOLVED]

You can create static interface for user and that one won't disappear:
/interface l2tp-server
add name=<interface name> user=<user name>
by Sob
Fri Dec 09, 2022 3:37 am
Forum: General
Topic: Always On VPN with MikroTik Configuration
Replies: 7
Views: 1772

Re: Always On VPN with MikroTik Configuration

I don't know if Windows domain has any special requirements, but can't you simply split it into two "independent" parts? 1) VPN for clients that will allow them to access 192.168.0.0/24 2) domain-joined devices that are either in different subnet (could be VPN as well as just another subne...
by Sob
Fri Dec 09, 2022 3:16 am
Forum: Beginner Basics
Topic: firstimer wAP RBwAP2nD
Replies: 3
Views: 609

Re: firstimer wAP RBwAP2nD

No. If you're able to connect using WinBox, it's in normal running mode. Netinstall mode is when it boots from network and waits for being installed. You probably haven't mastered the art of button pressing and only reset it. :) I don't know what this device defaults to, generally there are several ...
by Sob
Thu Dec 08, 2022 9:44 pm
Forum: The Dude
Topic: The Dude and multi vendor devices
Replies: 6
Views: 3132

Re: The Dude and multi vendor devices

It depends on your requirements. See https://wiki.mikrotik.com/wiki/Manual:T ... _v6/Probes, if that covers what you need, then probably yes. Just remember that Dude is currently not developed and there's no guarantee that it will change. So if it does all you need, fine. If not, you're out of luck.
by Sob
Thu Dec 08, 2022 9:32 pm
Forum: Beginner Basics
Topic: firstimer wAP RBwAP2nD
Replies: 3
Views: 609

Re: firstimer wAP RBwAP2nD

I'd start with WinBox and try to connect to device's MAC address.
by Sob
Thu Dec 08, 2022 9:29 pm
Forum: General
Topic: Cannot ping LAN devices over IPSEC tunnel
Replies: 2
Views: 1061

Re: Cannot ping LAN devices over IPSEC tunnel

Mangle rules, connection gets wan1_cnx mark and then WAN1 routing mark, but there's no route to 192.168.6.1 in WAN1 table, so it goes to internet. Don't mark it when it's from IPSec tunnel.
by Sob
Thu Dec 08, 2022 9:21 pm
Forum: Beginner Basics
Topic: Forward reverse DNS lookups to another server?
Replies: 5
Views: 2210

Re: Forward reverse DNS lookups to another server?

PTR records are created automatically when you add static A/AAAA, but that may not be what you want. Other than that, recent v7 can do this: /ip dns static add name=20.172.in-addr.arpa type=FWD forward-to=192.168.2.1 match-subdomain=yes add name=21.172.in-addr.arpa type=FWD forward-to=192.168.2.1 ma...
by Sob
Thu Dec 08, 2022 8:48 pm
Forum: Beginner Basics
Topic: Need Help on Setting RB450Gx4
Replies: 8
Views: 1651

Re: Need Help on Setting RB450Gx4

There's some weird stuff like DHCP clients on all interfaces (why?), but there's no firewall or anything else that would block access between interfaces. If ether2-p2p is connected to another network where devices have default gateway other than this router, that could be a problem if there's no rou...
by Sob
Thu Dec 08, 2022 8:21 pm
Forum: Beginner Basics
Topic: route ipv6 prefix to a vlan [SOLVED]
Replies: 2
Views: 1086

Re: route ipv6 prefix to a vlan [SOLVED]

Regular static route, where gateway is link-local (fe80:...) address of target machine.
by Sob
Thu Dec 08, 2022 7:34 pm
Forum: General
Topic: Last Mikrotik youtube video about Hairpin NAT
Replies: 6
Views: 875

Re: Last Mikrotik youtube video about Hairpin NAT

It's a bit confusing and also wrong. Response packet from server will first have 10.0.0.3 (real server's address) as source and 10.0.0.1 (router's address) as destination. And after all NAT is undone, it will have source 172.16.16.1 (server's address as seen by client) and destination 10.0.0.2 (clie...
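Added example (not from the post or from the video it discusses) of the hairpin NAT the post's address walk-through describes, using the same addresses: router 10.0.0.1 on the LAN with public address 172.16.16.1, server 10.0.0.3, client 10.0.0.2. The WAN interface ether1 and port 443 are assumptions. It also shows the point from the "Port forwarding issues" post above: to-addresses in a dstnat rule is one address, not a range.

```routeros
# Added example, not the poster's config. Port 443 and ether1 are assumptions.
/ip firewall nat
# Port forward: anyone connecting to 172.16.16.1:443, from the internet or from the LAN,
# is sent to the server. to-addresses is a single address, not a subnet.
add chain=dstnat dst-address=172.16.16.1 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.0.0.3 comment="forward 443 to server"
# Normal outbound masquerade for the LAN.
add chain=srcnat out-interface=ether1 action=masquerade
# Hairpin, needed only when client and server sit in the SAME subnet. Without it the server
# answers 10.0.0.2 directly; the client never talked to 10.0.0.3, so it drops the reply.
# Masquerading rewrites the source to 10.0.0.1, so the reply goes back through the router,
# where connection tracking undoes both translations: 10.0.0.3 -> 172.16.16.1 as source and
# 10.0.0.1 -> 10.0.0.2 as destination, which is what the client expects.
# srcnat runs after dstnat, so the rule matches on the already-translated destination 10.0.0.3.
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.3 protocol=tcp dst-port=443 action=masquerade comment="hairpin"
```

Check it with /ip firewall connection while a LAN client connects to 172.16.16.1:443: the entry should show 10.0.0.2 -> 172.16.16.1 on the original side and 10.0.0.1 -> 10.0.0.3 on the reply side. The hairpin rule is deliberately narrow (one destination, one port); a blanket src-address=10.0.0.0/24 dst-address=10.0.0.0/24 masquerade hides the real client address from every server on the LAN, which makes their logs useless.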
by Sob
Thu Dec 08, 2022 5:53 pm
Forum: Beginner Basics
Topic: Need Help on Setting RB450Gx4
Replies: 8
Views: 1651

Re: Need Help on Setting RB450Gx4

Pointing out mistakes in what you did works better when we can see it, the real thing with everything that can influence it. See Step2 in viewtopic.php?t=182601
by Sob
Thu Dec 08, 2022 12:53 am
Forum: General
Topic: configure port forwarding through load balancing environment in RB951UI
Replies: 8
Views: 1236

Re: configure port forwarding through load balancing environment in RB951UI

Rules are processed in order from top to bottom. If some rule accepts packet, no further rules will be able to touch it. So you're excluding packets to listed destination subnets from further processing.

@anav: You know the answer, it can't do any good with dst-address-type=local.
by Sob
Thu Dec 08, 2022 12:34 am
Forum: Beginner Basics
Topic: RB2011UiAS-IN vs RB2011UiAS-RM
Replies: 4
Views: 990

Re: RB2011UiAS-IN vs RB2011UiAS-RM

I wouldn't count on MAC addresses, it's probably just that one of your devices is newer than other. My guess is that they start to use new range when they exhaust previous one. E.g. at the beginning, for a long time, everything I remember had 00:0C:42:xx:xx:xx.
by Sob
Thu Dec 08, 2022 12:22 am
Forum: General
Topic: 6.48.6 looses Interface list setting for VPN? [SOLVED]
Replies: 10
Views: 2087

Re: 6.48.6 looses Interface list setting for VPN? [SOLVED]

Is it client or server? But in both cases, if you "defined L2TP interface", i.e. you definitely added something, it's either client interface that must be there, or optional "L2TP Server Binding", and both should be usable. What wouldn't work is the dynamic interface created for ...
by Sob
Thu Dec 08, 2022 12:17 am
Forum: Beginner Basics
Topic: Wireguard, only 1 peer works [SOLVED]
Replies: 10
Views: 2490

Re: Wireguard, only 1 peer works [SOLVED]

Why convoluted? It's quite simple, I'm sure you saw it here many times. You know, all those "force users to use my Pi-hole" and such.
by Sob
Thu Dec 08, 2022 12:06 am
Forum: Beginner Basics
Topic: L2TP - how to separate LAN/internet traffic
Replies: 1
Views: 553

Re: L2TP - how to separate LAN/internet traffic

It's client-side option. E.g. if you have Windows, they for some strange reason (opinions about that may differ) assume that user wants to route everything over VPN. If you don't, you have to disable it, e.g. using PowerShell (unless you have some outdated Windows): Set-VpnConnection -Name "con...
by Sob
Wed Dec 07, 2022 11:22 pm
Forum: General
Topic: ROS 7.6 Mangle LAN to LAN prerouting [SOLVED]
Replies: 4
Views: 1562

Re: ROS 7.6 Mangle LAN to LAN prerouting [SOLVED]

Again, just don't mark it. You can use e.g. this as first rule: /ip firewall mangle add chain=prerouting in-interface=!WAN dst-address=192.168.0.0/16 action=accept Order of rules matters, so anything from LAN to 192.168.x.x will be accepted right away and no further rules will touch it, so it won't g...
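Added example (the editor's, not the poster's config) putting the accept-first rule from this post into the complete dual-WAN marking scheme the "Port forwarding issues" post above outlines: one routing table per WAN, connections marked by the interface they arrived on, replies route-marked back the same way. It also covers the "Cannot ping LAN devices over IPSEC tunnel" post: traffic to the LAN/VPN side is accepted before any marking, so it can never be pushed into a WAN table that has no route for it. ether1/ether2 as WAN ports, their gateways 10.0.1.1/10.0.2.1, the WAN interface list and 192.168.0.0/16 as the local side are assumptions; add VPN subnets outside that range to the first rule.

```routeros
# Added example, not the poster's config. Interfaces, gateways and subnets are assumptions.

/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2

/routing table
add name=wan1 fib
add name=wan2 fib

/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-table=wan1
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-table=wan2
# main table keeps an ordinary default route for everything that carries no mark
add dst-address=0.0.0.0/0 gateway=10.0.1.1

/ip firewall mangle
# 1) Local-to-local (LAN, other LANs, VPN subnets) must never get a routing mark. Accept it first.
add chain=prerouting in-interface-list=!WAN dst-address=192.168.0.0/16 action=accept comment="never mark local traffic"
# 2) Remember which WAN a new inbound connection came in on (to the router or to a forwarded host).
add chain=prerouting in-interface=ether1 connection-state=new action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=wan2_conn passthrough=yes
# 3) Replies from a forwarded LAN host leave through the WAN the request arrived on.
add chain=prerouting in-interface-list=!WAN connection-mark=wan1_conn action=mark-routing new-routing-mark=wan1 passthrough=no
add chain=prerouting in-interface-list=!WAN connection-mark=wan2_conn action=mark-routing new-routing-mark=wan2 passthrough=no
# 4) Replies from the router itself (WinBox, SSH, VPN endpoints on either WAN address) do the same.
add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=wan1 passthrough=no
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=wan2 passthrough=no
```

Connections the LAN opens itself get no mark (rule 2 only sees connection-state=new on WAN), so they follow the main table. If a WAN is a VRRP or VLAN interface, that interface, not just its parent, has to be in the WAN list and in rule 2, otherwise inbound packets on it are never marked.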
by Sob
Wed Dec 07, 2022 3:56 pm
Forum: RouterBOARD hardware
Topic: NAND change and license migration ..Help
Replies: 35
Views: 4438

Re: NAND change and license migration ..Help

You don't have to dispose of it, you could buy another license, much cheaper than another device. Depending on what you need, L4 might be enough. Although, it would be nice if MikroTik provided a free replacement, even if they don't have to. More happy customers, more confidence, more future sales. I wou...
by Sob
Wed Dec 07, 2022 3:38 pm
Forum: General
Topic: configure port forwarding through load balancing environment in RB951UI
Replies: 8
Views: 1236

Re: configure port forwarding through load balancing environment in RB951UI

If you just posted the whole thing without fiddling with it too much... I see "/ip firewall nat" twice, so which one is it, and what else is missing/changed? You don't need anything special, just regular dstnat rule. What you have should work, provided that there's 192.168.2.2 on ether2, u...
by Sob
Wed Dec 07, 2022 3:20 pm
Forum: Beginner Basics
Topic: RB2011UiAS-IN vs RB2011UiAS-RM
Replies: 4
Views: 990

Re: RB2011UiAS-IN vs RB2011UiAS-RM

If it was only between RB2011UiAS-2HnD-IN and RB2011UiAS-RM, you could look whether it has wifi or not. But also wifi-less RB2011UiAS-IN would need something different.
by Sob
Wed Dec 07, 2022 3:12 pm
Forum: General
Topic: Is dst-nat different in 7x than 6x ?
Replies: 2
Views: 490

Re: Is dst-nat different in 7x than 6x ?

Aside from EoIP being seemingly useless, at least I don't see any reason in the provided description why it's there at all, it should work. Try some more logging, see e.g. this as an example: viewtopic.php?p=963756#p963756
by Sob
Wed Dec 07, 2022 2:57 pm
Forum: General
Topic: WAN Failover/Dual WAN and DDNS?
Replies: 18
Views: 2785

Re: WAN Failover/Dual WAN and DDNS?

And also stole the original post (viewtopic.php?t=187532). Bad user! :lol:
by Sob
Wed Dec 07, 2022 2:56 pm
Forum: General
Topic: ROS 7.6 Mangle LAN to LAN prerouting [SOLVED]
Replies: 4
Views: 1562

Re: ROS 7.6 Mangle LAN to LAN prerouting [SOLVED]

1) Verbose export = bad idea, too hard to read.
2) viewtopic.php?p=956630#p956630

In short, just don't mark routing for traffic destined to LANs.
by Sob
Wed Dec 07, 2022 3:25 am
Forum: Beginner Basics
Topic: Wireguard, only 1 peer works [SOLVED]
Replies: 10
Views: 2490

Re: Wireguard, only 1 peer works [SOLVED]

Yep, it's endpoint-address="", see viewtopic.php?p=965756#p965756
by Sob
Wed Dec 07, 2022 12:31 am
Forum: General
Topic: RouterOS 7 on RB600 and RB800
Replies: 3
Views: 996

Re: RouterOS 7 on RB600 and RB800

Search is your friend:

viewtopic.php?t=172742

I don't know if latest v6 has RouterBOOT that supports v7, but when I tested it with also PPC RB333 and 6.49.2, which was latest at the time, it didn't:

viewtopic.php?p=912199#p912199
by Sob
Wed Dec 07, 2022 12:25 am
Forum: General
Topic: RB600A License issue
Replies: 4
Views: 652

Re: RB600A License issue

License can also be updated from late 3.x (I don't remember the exact number, but it's something after 3.20).
by Sob
Tue Dec 06, 2022 3:54 am
Forum: Scripting
Topic: Colorize scripting
Replies: 17
Views: 3055

Re: Colorize scripting

Colors? Come on! What will be next? Reporting syntax errors instead of "silent death"? It would ruin the experience! I'm kidding, of course. But after it being like this for so many years, I do sometimes think that the general unfriendliness of RouterOS scripting might be by design for som...
by Sob
Mon Dec 05, 2022 5:26 am
Forum: General
Topic: Whitelist by URL for 5 Cisco domains
Replies: 2
Views: 669

Re: Whitelist by URL for 5 Cisco domains

Address list supports hostnames, but it's useless for wildcards, because it resolves given hostnames, and it can't resolve all possible combinations. But they recently added this interesting thing: https://forum.mikrotik.com/viewtopic.php?p=952360#p952360 I didn't see any official word about it, wha...
by Sob
Mon Dec 05, 2022 1:13 am
Forum: General
Topic: pppoe reconnecting multiple times and DoH throwing errors to logs
Replies: 1
Views: 446

Re: pppoe reconnecting multiple times and DoH throwing errors to logs

I don't know about the first one. But DoH trying even when it can't succeed, it's simply because it doesn't know it in advance. It needs to resolve something, either because there was an external request or because the router itself needs it, so it tries to connect to the configured server... and oops, it failed. ...
by Sob
Mon Dec 05, 2022 12:53 am
Forum: General
Topic: Route over IPSEC tunnel by port or dst fqdn
Replies: 10
Views: 2080

Re: Route over IPSEC tunnel by port or dst fqdn

Do you have both connection mark and src address list set in mode config? I never tried that, so I'm not sure if it works as OR or AND. Try only connection mark. Then you need right conditions. For some ports from specific address e.g.: /ip firewall mangle add chain=prerouting src-address=192.168.0....
by Sob
Mon Dec 05, 2022 12:42 am
Forum: Beginner Basics
Topic: Man pages/documentation for the commands [SOLVED]
Replies: 1
Views: 919

Re: Man pages/documentation for the commands [SOLVED]

One thing I like about old documentation is this nice user friendly page (which new documentation unfortunately doesn't have): https://wiki.mikrotik.com/wiki/Manual:TOC If you're interested in IP routes, you just scroll down a bit to IP section, select Route and on target page: https://wiki.mikrotik...
by Sob
Sat Dec 03, 2022 7:05 pm
Forum: General
Topic: Route over IPSEC tunnel by port or dst fqdn
Replies: 10
Views: 2080

Re: Route over IPSEC tunnel by port or dst fqdn

I don't use it often, but mode-config has either matching using address list or connection mark. If you choose the latter, you can mark whatever you want to send via tunnel. Something like: /ip firewall mangle add in-interface=<LAN> connection-state=new src-address=192.168.0.44 action=mark-connectio...
by Sob
Sat Dec 03, 2022 6:42 pm
Forum: General
Topic: 450G flashing green led & port led
Replies: 5
Views: 3362

Re: 450G flashing green led & port led

So what changed after those many years? Did original power supply die? If not, it should have kept working. Did it perhaps have higher voltage? I saw that, RB stopped working with I think 24V, but worked fine with 12V. And when I looked inside, capacitors weren't in great shape at all.
by Sob
Sat Dec 03, 2022 6:33 pm
Forum: Beginner Basics
Topic: Help needed with bridge VLANs & DHCP
Replies: 13
Views: 1507

Re: Help needed with bridge VLANs & DHCP

Because while the whole thing is quite simple, especially after you get it, some details may be less obvious when you're starting.