MikroTik

jantypas

I don't quite understand why -- but dst-address-list, even if it has the same IP in it, is not dst-address. That works. Thanks ofr the help.

jantypas

OK -- for my education at least

Why does yours work and mine doesn't -- what is different? I see the order of the rules are different but they should say the same thing.

jantypas

I've reduced everything down to the basics but it doesn't seem to help.... The hardware is an RB5009 that simply has two interfaces (an OUT (FRC) and an IN (LAN). (There are firewalls upstrea.) The goal of the firewall ruleset at this point is: Allow everything out Allow return traffic in Allow SSH ...

jantypas

I've reduced everything down to the basics but it doesn't seem to help.... The hardware is an RB5009 that simply has two interfaces (an OUT (FRC) and an IN (LAN). (There are firewalls upstrea.) The goal of the firewall ruleset at this point is: Allow everything out Allow return traffic in Allow SSH ...

jantypas

The subject (almost) says it all :-) I've got an RB5009 attached to a business Comcast line with a /28 IPv6 static block and (supposedly) static IPv6 prefix. That's the problem -- the last part -- the prefix is "almost" static (which doesn't count....) I get 2603:3024:11bd:11xx::/56, but i...

jantypas

Here are the firewall rules: /ipv6 address add from-pool=ComcastV6 interface=ether1-COMCAST add address=2603:3024:11bd:c1a1::1 interface=ether2-LAN /ipv6 dhcp-client add add-default-route=yes interface=ether1-COMCAST pool-name=ComcastV6 \ pool-prefix-length=56 rapid-commit=no request=prefix use-peer...

jantypas

This probably should go in the beginners section since I would think I'd figured this out by now -- but apparently not -- it's been some time since I've had to do this.... The following *should* be a very basic firewall that blocks all unsolicited inbound traffic, masquerades outbound traffic and ha...

jantypas

I did do that -- wireshark shoes a lot of retransmits and sequence events -- but I'm sure what I can do about it. The MTU is 1280, not 14xx, TCP MSG is set, what else is there to do?

jantypas

CPUs never go above 35% on the speedtests.... To be more specific: The CHR on the Internet edge is sending IN 199.181.204.0/24 from our BGP edge router. The far branch end will consume a slice of that (199.181.204.128/26). On the wireguard tunnel, I've allocated two IP addresses (192.168.88.1/30 and...

jantypas

Actually, it's an everything performance problem -- a problem that's all over the net, but no answers..... forgive the length of this -- there's a lot here, but I want to make sure I covered everything in this case.... I have a CHR Router under VMWare (7.1.3), attached to gigabit fiber. Plenty of RA...

jantypas

Hello all -- I'm trying to get router rules to work on CHR 7.1.1. In 6.x, at least for V4, I could make it work. What I'm trying to do: I have two ISPs using BGP[/list I want to set up a source-based routing rule that either says "if the incoming interface is ether3, or the source address is 19...

jantypas

OK great -- I'll remove the mangle rules and stick with the routing rules. V6 is also from the same provider albeit over a sit tunnel. like HE would do. So there, it's just one set, and it's easy -- I'll let radv do its magic. For those outside of this detail, this was created because the local &quo...

jantypas

Hello all, I've just been assigned my ARIN IP space so I'm trying to figure out which way to go..... THe ISP is tunneling my IPv4 space over a local provider (IPIP tunnel). So let's say ARIN assigned me public space 100.200.100.x/24 (V6 as well, but we'll get to that) I still need the local ISP defa...

jantypas

I also finally realized I can't type today

jantypas

Not complaining here, but I'm beginning to wonder if we've got things all wrong. I, too, wanted the Uber Mikrotik box with everything on it, but Mikrotik hasn't even got OpenVPN with UDP, and I don't see it coming any time soon, even in RouterOS 7. But when I look at it, nearly everything we're aski...

jantypas

My bad -- I think in MT world, we call it a sit interface -- typically one uses it for things like Hurricane Electric Ipv6 in V4 tunnels.
It may just be easier to have a single "virtual" router rather than the pair where I'd have to run BGP for no real reason.

jantypas

So I've almost got it. Let's assume I have a physical tunnel endpoint on my end of 12.13.14.1 and the ISP has 11.12.13.1. The GRE tunnel is 11.12.13.1 <-> 12.13.14.1. My gateway rule for 191.192.193.0/24 is: 191.192.193.0/24 via gw 12.13.14.1. Probe 11.12.13.1 to make sure that gateway is up. At tha...

jantypas

But then again, I think a lot of things, and most people think I need medication.... so who knows. It's been so long since I've had routed public IP space, I don't remember.... I am fortunate enough to still have an Internic assigned IP block. It's small so most ISPs won't route it, but I found one ...

jantypas

Since Mikrotik appears not to be pursuing other concepts such as Wireguard and ZeroTier, and we're still waiting for OpenVPN with UDP, I finally gave up waiting and just bought a Protecteli box. The atom powered unit can easily run a small Linux distro (Ubutnu 19 in my case), and it handles all of t...

jantypas

Here's a wierd one for the day folks.... I've got a couple of MT machiens -- one is the trusty RB1100AH that needs to be replaced soon. (That's going to a young person who wants to learn this stuff...) The other is a VM isntance of a CHR. I've even convinced a hard-core ASAer to look at Mikrotik. (C...

jantypas

I, too, am a ZeroTier user. For those who wonder why we should put it in Microtik, especially if it can appear as a layer-2 interface: ZeroTier is great for doing OSPF across WANs -- yes, I know that's what BGP is for, but there are times we need a "broadcast" interface across a WAN ZeroTi...

jantypas

OK, it's my fault, I told everyone I had it working, and it did work, until Comcast upgraded my modem.... Old setup: ----> Comcast Netgear Gateway --- Mikrotik 1100AH --- LAN Mikrotik would do a DHCPv6 request of the gateway with a prefix of /60 and a prefix hint of /60. I'd get it, and everything w...

jantypas

Very nice choices -- maybe the CCR9 will replace this unit and I can gift this unit to someone who's learning about Mikrotik while coming from an old ASA. He was a bit put off by the Mikrotik CLI but, he's learning you can get a lot of power for a fraction of the Cisco price. While I would love ever...

jantypas

Very nice choices -- maybe the CCR9 will replace this unit and I can gift this unit to someone who's learning about Mikrotik while coming from an old ASA. He was a bit put off by the Mikrotik CLI but, he's learning you can get a lot of power for a fraction of the Cisco price. While I would love ever...

jantypas

The subject says it all -- I've got a nice, solid RB1100AH. It's currently an edge router, with a 250Mb/40Mb connection to it. It serves as the edge fireall, IPv6 firewall etc. I let a PFsense box do the IPSEC and OpenVPN work because that's easier for others to handle when compared to the Mikrotik ...

jantypas

I shall -- what's special about it? However, I took a shot in the dark and just added the VLANs to the bridges. It works.
So most important, thanks to both of you for the help.

jantypas

Since the previous ASCII art attempt was bad, I have a visio image I can send if it helps....... First, we have a pfSense router with two interfaces -- one is for untagged traffic to keep things simple. The other interface is for tagged traffic (Vlans 100, 101, 102). The pFSense box sends out untagg...

jantypas

OK -- so here's what I have pFsense -----------------------------------------------------CRS Trunk Switch (100, 101, 102) | | | (All are hybrid ports) S1 S2 S3 | | | | UP 100 UP UP 101 102 | UniFIs Where UP = untagged ports and the numbers are VLANs. The pFSense box sends out untagged traffic to the...

jantypas

I knew this day would come -- I'm hoping people can soften the blow for I have sinned.... Years ago, when I started with Mikrotik, I bought the RB1100 (how I remember that fan), and as needs came, I started adding CRS switches. We didn't VLANs at the time, so I never bothered. I just kept adding swi...

jantypas

Hello all--- I know I'm close to an answer, but close enough.... I'm a Comcast static IP business customer. Comcast is now also offering me a ./56 V6 prefix (assigned by DHCPv6). First, since Comcast *truly* does not want to talk about this. I believe the following is true? Assume my prefix is 1111:...

jantypas

Wish I could use VLANs, but not every switch in this environment is really VLAN friendly. I just removed them for the sake of the discussion, so I really have no choice but to double NAT at the moment.....

jantypas

In a perfect world, I want to do this: Inter--- RB1100AH ----- CRS24------ Main Router |||| | switch wlan0 Assume the RB1100 has static WAN addresses and NATs all of its internal LAN ports. The LAN side of the IPs are on the subnet 10.0.0.0/16. I have a series of non-switched interfaces on the 1100....

jantypas

Good evening all.... I just received my new CRS125. I hate to admit it.... I've got my two 1100AHs, and they work great, but this is the first switch/router nit I've had where I need to use the switch and router parts, and I'm stumped. So, some basic questions: Assume the 1100s are doing their routi...

jantypas

Both are fanless? Remember, this is in a home office.

jantypas

Well, it seems I can't get the RB1100AH anymore. This is a home office with high-bandwidth links, so the 450G isn't quite enough. I had an RB1100, but that wasn't office friendly with its fans, and I've the RB1100AH, but these are hard to get. What's the successor? We know it isn't the RB1200. It ne...

jantypas

I, like many people are setting up an L2TP/IPSEC VPN. Thus far, I have: - Created the PPP user and address pool - Created the IPSEC policy with generate policy 0.0.0.0/0 - Set up the L2TP server - Added accept rules on the input chain for ports 500,1701 and 4500, as well as protocols 50 and 51. My r...

jantypas

Hello all, I know it's a beta and, things do change... but has anyone been able to get a road-warrior config with L2TP/IPSEC and Mikrotik. I have already done the following with various degrees of success. On the laptop (a Mac), I'm behind a cellular router which has both dynamic IP to the network a...

jantypas

I'm sure this has been asked 10,000 times before, in fact, I know I was one of those 10,000, but I've had 9,999 failures since :-) I'm trying to set up a Routerboard 450G (OS 4.14) to be used as an OVPN server. I've got an OpenVPN server working just fine on a Fedora 14 box with self-signed certs fo...

jantypas

Good morning all --- I'm making the transition from a Linux router to a Mikrotik box. I have the 450G right now while I wait for the 1100. I'm try to do several things.... Some are probably easy, but these are a few that have me stumped... 1. I've set up an OpenVPN server. I see where I put in my ce...

Search found 39 matches

Re: This very simple firewall ruleset SHOULD work-- but.....

Re: This very simple firewall ruleset SHOULD work-- but.....

This very simple firewall ruleset SHOULD work-- but.....

This very simple firewall ruleset SHOULD work-- but.....

Mikrotik (7.11.2) and Comcast Business IPv6 (DUID issues?)

Why do I get esetablished IPv6 packets dropped in 7.8

DNAT NAT should work, but appears blocked

Re: GRE performance problems

Re: GRE performance problems

GRE performance problems

Router OS 7.1.1 and router rules

Re: PCC routing or routing rules?

PCC routing or routing rules?

Re: Feature Request - Wireguard Protocol

Re: Feature Request - Wireguard Protocol

Re: Public IP space tunneling -- I think this is right?

Re: Public IP space tunneling -- I think this is right?

Public IP space tunneling -- I think this is right?

Re: Feature Request: zerotier vpn

RouterOS side-carring traffic

Re: Feature Request: zerotier vpn

Comcast Business service and DHCPv6 from a Mikrotik device

Re: Looking for a successor to the RB110AH

Re: Looking for a successor to the RB110AH

Looking for a successor to the RB110AH

Re: Time for VLAN confessions!

Re: Time for VLAN confessions!

Re: Time for VLAN confessions!

Time for VLAN confessions!

Comcast IPv6 and Mikrotik

Re: New CRS125 -- basic questions about switching vs routing

Re: New CRS125 -- basic questions about switching vs routing

New CRS125 -- basic questions about switching vs routing

Re: If not the RB1100AH, which one?

If not the RB1100AH, which one?

L2TP/IPSEC and NAT -- but client IP is unknown (0.0.0.0/0)

Anyone have success with IPSEC and NAT-T on 5.0r8

Trouble creating certificates for OVPN server via Easy-RSA

IP6 6-to-4 tunnels (Hurricane Electric) with Mikrotik