Community discussions

Search found 1282 matches

by sebastia
Mon Mar 25, 2019 2:24 pm
Forum: General
Topic: RB2011-iL-RM after botnet attack
Replies: 2
Views: 109

Re: RB2011-iL-RM after botnet attack

Netinstall is the solution. There are some topics on netinstall and how to make it work on this forum, have a look.
by sebastia
Mon Mar 25, 2019 2:21 pm
Forum: Beginner Basics
Topic: Configuration from routerboard 750 to hex
Replies: 2
Views: 95

Re: Configuration from routerboard 750 to hex

Hey

Backup can only be used on same hardware. When migrating to different one, you should export configuration (/export compact file=<name>) and import that on target.
When importing, you'll need to adjust to new hardware configuration.
by sebastia
Mon Mar 25, 2019 1:00 am
Forum: General
Topic: DNS redirect using NAT adding VLAN issue
Replies: 10
Views: 323

Re: DNS redirect using NAT adding VLAN issue

dnat is a sure way to force your way
by sebastia
Mon Mar 25, 2019 12:49 am
Forum: General
Topic: EoIP not use for ethernet5
Replies: 4
Views: 132

Re: EoIP not use for ethernet5

If you want a different behaviour for eth5 than the rest of the bridge, then you need to isolate it. Two options: another vlan within same bridge or independent of the bridge. Then once isolated, you can setup custom routing for that port, excluding access to tunnel. You do that by creating a dedica...
by sebastia
Mon Mar 25, 2019 12:41 am
Forum: General
Topic: DNS redirect using NAT adding VLAN issue
Replies: 10
Views: 323

Re: DNS redirect using NAT adding VLAN issue

Natting will work for redirecting naturally, but maybe cleaner / simpler: define different dns server depending on network segment? So, ex: /ip dhcp-server network add address=192.168.88.0/26 dns-server=192.168.88.1 domain=local gateway=192.168.88.1 ntp-server=192.168.88.1 add address=192.168.88.64/...
by sebastia
Sun Mar 24, 2019 6:56 pm
Forum: General
Topic: OpenWRT on Mikrotik
Replies: 2
Views: 180

Re: OpenWRT on Mikrotik

This is not an OpenWRT forum...but you can export / import licence through system menu.
Regarding install check their forums, but probably some variation on netinstall process.
by sebastia
Sun Mar 24, 2019 6:17 pm
Forum: General
Topic: How much Support RB3011
Replies: 4
Views: 266

Re: How much Support RB3011

So: * no bridges/switches, all is routed through cpu (switch is only used for tagging) * there is use of queue simple * there is use of interface queues * there is mangling in place * be careful with "/ip proxy cache-on-disk=yes" it can bog down cpu with IO wait-states and kill the nand * using bgp ...
by sebastia
Sat Mar 23, 2019 10:35 pm
Forum: General
Topic: How much Support RB3011
Replies: 4
Views: 266

Re: How much Support RB3011

List your config (/export hide-sensitive compact) for more in depth feedback.
Some ideas:
* use fast path: https://wiki.mikrotik.com/wiki/Manual:Fast_Path
* disable connection tracking
by sebastia
Sat Mar 23, 2019 10:16 pm
Forum: Scripting
Topic: Basic scripts not working on 6.44.1 (work in 6.43.13)
Replies: 6
Views: 248

Re: Basic scripts not working on 6.44.1 (work in 6.43.13)

Original post did mention "If I copy/paste into terminal window the commands work just fine on 6.44.1" ... So it still works just not in the script.
Permissions maybe?
by sebastia
Sat Mar 23, 2019 10:05 pm
Forum: General
Topic: bridge filter
Replies: 4
Views: 182

Re: bridge filter

You don't do that using bridge firewall, but using routing functionality, when passing traffic from internal to external zone.

Bridge filtering only applies to traffic within ONE subnet.
by sebastia
Sat Mar 23, 2019 2:34 am
Forum: RouterOS v6 RC and v7 BETA
Topic: v6.45beta19
Replies: 2
Views: 221

Re: v6.45.19

just for clarity, what is meant is 6.45beta19...
by sebastia
Sat Mar 23, 2019 2:33 am
Forum: Beginner Basics
Topic: Can't connect to a device on VLAN via VPN
Replies: 5
Views: 208

Re: Can't connect to a device on VLAN via VPN

Try pinging IOT step by step from further: starting from router iot ip, then router vpn ip, ... To verify traffic going through, add a log rule in firewall in output and/or postrouting chains. Or just sniff traffic on iot vlan interface. Regarding the vlans & bridges: not related to your issue here,...
by sebastia
Fri Mar 22, 2019 9:55 pm
Forum: Scripting
Topic: rule script
Replies: 1
Views: 88

Re: rule script

try this

/ip firewall nat remove [find comment="rule1"];
/ip firewall nat add place-before=4 ...
by sebastia
Fri Mar 22, 2019 9:10 pm
Forum: Beginner Basics
Topic: Can't connect to a device on VLAN via VPN
Replies: 5
Views: 208

Re: Can't connect to a device on VLAN via VPN

Normally it's a question of routing / firewall, but * in forward: traffic is implicitly allowed already, not dropped -> so allowed * routing is not in config, so default stuff there then: default route over wan + route to all local networks Hence it should be working already. Try diagnosing the issu...
by sebastia
Fri Mar 22, 2019 4:52 pm
Forum: General
Topic: LHG LTE Kit - Passthrough getting address but no internet with more WAN's
Replies: 8
Views: 338

Re: LHG LTE Kit - Passthrough getting address but no internet with more WAN's

With regards to your original issue, post config of the router / 1036: /export hide-sensitive compact. For info: I was able to resolve my issue. It was / is (as from 6.43) a bug in pass-through implementation using routing info for pass-through traffic decision. Because of that rp-filter was erroneou...
by sebastia
Fri Mar 22, 2019 4:28 pm
Forum: General
Topic: Issues with routes with package/routing marks
Replies: 17
Views: 511

Re: Issues with routes with package/routing marks

Try to understand how client and nvr communicate first. Otherwise it's just guessing.
by sebastia
Fri Mar 22, 2019 2:38 pm
Forum: General
Topic: Issues with routes with package/routing marks
Replies: 17
Views: 511

Re: Issues with routes with package/routing marks

If you disable that rule, responses will not be able to go out over matching isp1 => this basically disables ISP1 routing So then if you have a client in ISP1 range it will connect over ISP2 ip (=that's the only functioning ip connectivity) and since that is your default route for connection from in...
by sebastia
Fri Mar 22, 2019 2:24 pm
Forum: General
Topic: What tunnel method for dynamic ip wan ?
Replies: 1
Views: 162

Re: What tunnel method for dynamic ip wan ?

any tunnel capable of nat traversal will do: sstp, ovpn, ipsec, ...
by sebastia
Fri Mar 22, 2019 2:21 pm
Forum: Beginner Basics
Topic: Can't connect to a device on VLAN via VPN
Replies: 5
Views: 208

Re: Can't connect to a device on VLAN via VPN

Hoi

Config is big help, but not enough. Explain what are you trying to achieve?
* trying to connect from outside? so from ether1-wan?
* connect to vpn server? where is the vpn server?
* access home network over vpn tunnel ending at vpn server?
by sebastia
Fri Mar 22, 2019 2:02 pm
Forum: General
Topic: Forward OpenVPN
Replies: 1
Views: 106

Re: Forward OpenVPN

Hey I'll need two elements: * dst-nat from router ip (+port) to server ip (+port) * allow traffic in forward chain from outside to linux server for that specific port The second step might be already there in form of default config: "accept dst-nat-ed traffic in forward" To verify that rules applies l...
by sebastia
Fri Mar 22, 2019 1:58 pm
Forum: General
Topic: Issues with routes with package/routing marks
Replies: 17
Views: 511

Re: Issues with routes with package/routing marks

"Why does it work only by disabling the only route with the ISP1 mark?"
Please indicate which rule you're disabling.
by sebastia
Thu Mar 21, 2019 10:27 pm
Forum: General
Topic: Issues with routes with package/routing marks
Replies: 17
Views: 511

Re: Issues with routes with package/routing marks

Just to check: you don't have VRF or routing rules do you? Assuming negative to above, the connections initiated from outside to inside will stick to original WAN interface. So the only question that remains is: how is the app talking to nvr and are in process of this conversation any new connection...
by sebastia
Thu Mar 21, 2019 5:33 pm
Forum: General
Topic: Issues with routes with package/routing marks
Replies: 17
Views: 511

Re: Issues with routes with package/routing marks

What is the content of "Internal" list?
by sebastia
Thu Mar 21, 2019 1:03 pm
Forum: Scripting
Topic: how to mikrotik connect to linux
Replies: 1
Views: 124

Re: how to mikrotik connect to linux

Hello

Not sure what you want exactly: log forwarding? what is the link with http(s)?
by sebastia
Thu Mar 21, 2019 12:50 pm
Forum: Beginner Basics
Topic: Can't connect to web interface internal
Replies: 10
Views: 309

Re: Can't connect to web interface internal

Hey

You should start by connecting to it and exporting current config ("/export hide-sensitive compact") and post it here, between <code> tags.
by sebastia
Thu Mar 21, 2019 12:13 pm
Forum: General
Topic: Snort / Packet sniffing / NIDSing
Replies: 8
Views: 415

Re: Snort / Packet sniffing / NIDSing

Maybe a "race" condition on start-up. Try to adjust the scheduler with initial delay before sniffer start

:delay 5
/tool sniffer start
by sebastia
Thu Mar 21, 2019 12:24 am
Forum: General
Topic: QoS and Queue tree
Replies: 3
Views: 775

Re: QoS and Queue tree

Configure tunnel with "dscp: inherit", use that to mangle / mark traffic and finally prioritise / shape
by sebastia
Wed Mar 20, 2019 11:19 am
Forum: Beginner Basics
Topic: mikrotik nat redirect to local from local
Replies: 2
Views: 114

Re: mikrotik nat redirect to local from local

Hey

Since you're changing port number on the external and internal ip's you'll need to do "hairpin" construction. See https://wiki.mikrotik.com/wiki/Hairpin_NAT or search on forum.
by sebastia
Wed Mar 20, 2019 11:11 am
Forum: General
Topic: Snort / Packet sniffing / NIDSing
Replies: 8
Views: 415

Re: Snort / Packet sniffing / NIDSing

Hey When packet sniffer is used, Fast Path is suspended, so that should be the reason for lack of packets: "sniffer, torch and traffic generator is not running;" -> https://wiki.mikrotik.com/wiki/Manual:Fast_Path#IPv4_handler Fast path / track being enabled is just a flag / toggle: allow it or not. ...
by sebastia
Tue Mar 19, 2019 10:01 pm
Forum: General
Topic: LHG LTE Kit - Passthrough getting address but no internet with more WAN's
Replies: 8
Views: 338

Re: LHG LTE Kit - Passthrough getting address but no internet with more WAN's

I am using passthrough but with 6.42.12: there the dhcp is still handing out a /30 (or wider) and the problem doesn't occur. My config is almost default, with minimal mods: # mar/19/2019 20:27:48 by RouterOS 6.42.12 # model = RBSXTR /interface lte set [ find ] mac-address=AC:FF:FF:00:00:00 mtu=1500 ...
by sebastia
Tue Mar 19, 2019 9:22 pm
Forum: General
Topic: Issues with routes with package/routing marks
Replies: 17
Views: 511

Re: Issues with routes with package/routing marks

Won't happen: you have only 3 connection marking rules. First two are for incoming from wan, last is this: add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list="!Internal" in-interface-list=!VPNs new-connection-mark=ISP1_conn passthrough=yes src-address=192.168.10.0/2...
by sebastia
Tue Mar 19, 2019 9:58 am
Forum: General
Topic: LHG LTE Kit - Passthrough getting address but no internet with more WAN's
Replies: 8
Views: 338

Re: LHG LTE Kit - Passthrough getting address but no internet with more WAN's

Hey Thanks for the info. I'm in similar boat as: * lte client is on 6.42.12 * when I upgrade to 6.43+ on SXT LTE kit, after a while I'm no longer able to communicate over passthrough interface. Note: in 6.43 Mikrotik upgraded the pass-through interface to a point-to-point config, with /32 addresses,...
by sebastia
Mon Mar 18, 2019 11:42 pm
Forum: General
Topic: Issues with routes with package/routing marks
Replies: 17
Views: 511

Re: Issues with routes with package/routing marks

Hey These were actually my suggestions on how to do mangling! Regarding the comments: # why the in-interface-list=!VPN? ---> Large story, it is not needed but it does not disturb if in-interface is matching that's all you need to know, there is no need for "!VPN", as I'm guessing wan1 / 2 are not par...
by sebastia
Sun Mar 17, 2019 10:50 pm
Forum: General
Topic: LHG LTE Kit - Passthrough getting address but no internet with more WAN's
Replies: 8
Views: 338

Re: LHG LTE Kit - Passthrough getting address but no internet with more WAN's

I might be in similar boat as you are. Your LTE is on ROS 6.43+ right? in case 1 (not working) when you ping the gateway (10.177.0.1) what do you see in your ARP table for that ip? In case 2 (working), I see 2 routes over ether3, what are their full details (/ip route print detail)? 0/0 -> 10.177.0....
by sebastia
Sat Mar 16, 2019 7:19 pm
Forum: General
Topic: load-balancing don't work
Replies: 46
Views: 1483

Re: load-balancing don't work

scrolling is tiresome activity, agreed
by sebastia
Sat Mar 16, 2019 4:01 pm
Forum: Scripting
Topic: RB750Gr 3 Load Balancing Scripting
Replies: 9
Views: 344

Re: RB750Gr 3 Load Balancing Scripting

Of course I used it in the second context, but it's nice to learn of the first ! (the first was covered by first line already...)
by sebastia
Sat Mar 16, 2019 3:48 pm
Forum: General
Topic: load-balancing don't work
Replies: 46
Views: 1483

Re: load-balancing don't work

Looking good:
* some pass-through's are not needed, but won't hurt
* with this config FastTrack MAY NOT be used
(and use code tags next time...)
by sebastia
Sat Mar 16, 2019 2:14 pm
Forum: General
Topic: How to solve multiple same IP addresses?
Replies: 6
Views: 239

Re: How to solve multiple same IP addresses?

I'm guessing similar to regular dhcp-client, ip firewall is not applicable here?
by sebastia
Sat Mar 16, 2019 1:54 pm
Forum: Scripting
Topic: RB750Gr 3 Load Balancing Scripting
Replies: 9
Views: 344

Re: RB750Gr 3 Load Balancing Scripting

That's a too general statement!
In this particular case gr3 is running into its hardware limits, not its software limitations. Don't make such blank statements in the future.
by sebastia
Fri Mar 15, 2019 7:21 pm
Forum: General
Topic: Issues with routes with package/routing marks
Replies: 17
Views: 511

Re: Issues with routes with package/routing marks

Hey /ip firewall mangle # why the in-interface-list=!VPN? # passthrough not needed here add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1-WAN1 new-connection-mark=ISP1_conn add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2-W...
by sebastia
Fri Mar 15, 2019 4:51 pm
Forum: General
Topic: Simple queue not limiting speed
Replies: 7
Views: 262

Re: Simple queue not limiting speed

Any traffic should be limited by that queue. That is not the case: it depends... in case of simple queue on your configuration. If the traffic is switched / bridged and "use-ip-firewall" is not set, it will NOT pass through simple queue. So you'll need to either set that or change queues used. On qu...
by sebastia
Fri Mar 15, 2019 1:00 pm
Forum: General
Topic: How to solve multiple same IP addresses?
Replies: 6
Views: 239

Re: How to solve multiple same IP addresses?

Hi

Are these static ip addresses or dynamic?
by sebastia
Fri Mar 15, 2019 12:58 pm
Forum: Beginner Basics
Topic: ARP issue
Replies: 2
Views: 170

Re: ARP issue

Hey

Arp is used within a subnet. To isolate them, create another subnet on R2, and setup routing rules between both routers.
by sebastia
Fri Mar 15, 2019 11:52 am
Forum: Beginner Basics
Topic: Firewall rules
Replies: 6
Views: 353

Re: Firewall rules

@sebastia I don't think DNS catch is going to work. Steveocee is right and the OP needs hairpin nat. client send packet to IP of camera, get changed to internal IP of camera, return traffic has source IP of Internal camera IP. client device drops it because it does not match the dst-ip of origin...
by sebastia
Fri Mar 15, 2019 11:34 am
Forum: General
Topic: Simple queue not limiting speed
Replies: 7
Views: 262

Re: Simple queue not limiting speed

Haven't used simple queues in non-ip related manner yet. Good to know. If you look at https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6#Diagram, you'll notice that queuing is invoked during "Input" & "Postrouting". So if traffic is not entering router or is switched / bridged, it will not be mana...
by sebastia
Thu Mar 14, 2019 10:41 pm
Forum: Beginner Basics
Topic: lost with a route!
Replies: 5
Views: 169

Re: lost with a route!

Based on your addition, sounds like it's a directly attached connection, for which no additional routes would be necessary.
Do you have an ip set on eth1? Or should it be configured through some other way (ex: dhcp)?

If eth1 shouldn't have a 10. address, a network schema should help.
by sebastia
Thu Mar 14, 2019 10:29 pm
Forum: General
Topic: Simple queue not limiting speed
Replies: 7
Views: 262

Re: Simple queue not limiting speed

Simple queues work by ip ranges: https://wiki.mikrotik.com/wiki/Manual:Q ... ple_Queues

You'll need to work with range used by that vlan/bridge
by sebastia
Thu Mar 14, 2019 9:06 pm
Forum: Scripting
Topic: DHCP server DNS update
Replies: 3
Views: 332

Re: DHCP server DNS update

Update on the dhcp server script { # :log info message="leaseBound=$leaseBound, leaseServerName=$leaseServerName, leaseActMAC=$leaseActMAC, leaseActIP=$leaseActIP, lease-hostname=$"lease-hostname""; :global lowerCase; :global mapHostName; # on de-assignment the lease data is already gone (currently)...
by sebastia
Thu Mar 14, 2019 3:33 pm
Forum: Beginner Basics
Topic: lost with a route!
Replies: 5
Views: 169

Re: lost with a route!

Hey Jordi I'm guessing the 10. network is not directly connected to Tik? So you'll need to tell the Tik how to reach it: which other router should the traffic for 10 be passed on to. And vice-versa, tell the other router, how to reach the 192. network. To do that you'll need to specify for both the ...
by sebastia
Thu Mar 14, 2019 3:28 pm
Forum: General
Topic: problems with import .rsc files on mAP Lite
Replies: 4
Views: 143

Re: problems with import .rsc files on mAP Lite

Hey

rsc is just a script, so you can execute it line by line, with any modifications you want.
Normally, export & import on same version should just work. If it doesn't, try to pinpoint what fails and open a ticket with support, so they can fix it for the future releases.