MikroTik

eXtremer

moderator note: do not quote preceding post, use "Post Reply"

Exactly, same thing in my case, only 3 entries without any error. Is there a solution?

eXtremer

Can smb help me with DShield, it doesn't work as supposed to. It adds "Start" address and the IP's are without /24

Thank you.

$update url=https://www.dshield.org/block.txt listname=DShield delimiter=("\t") cidr=/24 timeout=1d nolog=1

eXtremer

Hello magchiel, Did you manage to solve this issue? The tunnel in my case is working but sometimes not and I want to figure it out why does this happen. My log: 15:02:31 interface,info Tunnel-RDDN link up 15:04:13 interface,info Tunnel-RDDN link down 15:04:40 interface,info Tunnel-RDDN link up 15:06...

eXtremer

Router, after router. Change connection from WAN to LAN.

And disable dhcp server on tplink so it will be a wireless switch

Thank you, all good now.

eXtremer

Hi all, I want to increase wireless range so I've decided to connect a spare TP-Link router as an Access Point. Connected the cable to the WAN port of the TP-Link router, the router gets and IP from the main Mikrotik router, I connect my Notebook to the new Access Point and I have internet, all good...

eXtremer

Yes. And BTW the *.csv file isn't saved. I click save but I don't see the file. Hmm, you're right about the CSV. I actually never use it but I'll fix/remove it for a next version. Does anyone need it? :) The viewer app has no history capability, only real-time. I do have a (slightly crude but worki...

eXtremer

Thank you, Rudios

I think the issue is solved but I will still monitor the situation to see if it works 100% as it should.

eXtremer

Is it possible to add sorting by day, week, month ?
eXtremer, do you mean having a daily/weekly/monthly graph?

Yes.

And BTW the *.csv file isn't saved. I click save but I don't see the file.

eXtremer

Great app, thank you!
Karma +1

Is it possible to add sorting by day, week, month ?

eXtremer

Please post your current mangle and route rules

No solution?

eXtremer

Please post your current mangle and route rules Mangle: /ip firewall mangle add action=accept chain=prerouting disabled=no dst-port=80 protocol=tcp add action=accept chain=prerouting disabled=no dst-address=192.168.0.0/24 add action=accept chain=prerouting disabled=no dst-address=188.XXX.XX.0/24 in...

eXtremer

Hey guys could you give me please the exact rules for my situation, I'm not too god in configuring Mikrotik and I have to guess what you meant to say. Create a mark-connection rule instead and enable passthrough. Use the same routing mark as used by the desired pcc rule. If I use this rule, no websi...

eXtremer

Hi all, If someone could help me with this one I would really appreciate. I need one IP in my LAN to use all the time just one gateway (provider) and not both providers I have, how to accomplish this? Please in examples, I will not be able to do something with theory. What I've tried to do and didn'...

eXtremer

try this may be it will wok (I don't have such a case in my lab to test it): /ip firewall mangle add action=mark-connection chain=forward disabled=no new-connection-mark=user1_conn passthrough=yes src-address=192.168.1.2 add action=mark-routing chain=output connection-mark=user1_conn disabled=no ne...

eXtremer

I think you must mark the connection of this user in mangle....
then rout this mark connection in ip>rout
be careful to the order of the rule.

I will be more that glad too see an example. Thank you.

eXtremer

anyone ?

eXtremer

Hello,

I have 2 providers that work both at the same time using PCC load balacing.
Now, I would like that one PC on my LAN should always use just one gateway (provider), what mangle or another rule should I make in order to accomplish this ?

Thank you

http://img404.imageshack.us/img404/646/pccd.jpg

eXtremer

I have exactly the same issue, can connect to PPTP Server from LAN IP but can't connect from WAN (my hope PC) there aren't any packet hits on the firewall, what could be the problem ? 1. The provider isn't blocking any ports 2. I can RDP through mikrotik (so the WAN interface is reachable on mikroti...

eXtremer

NVM, found solution: http://forum.mikrotik.com/viewtopic.php?f=2&t=25302 http://wiki.mikrotik.com/wiki/Manual:IP/IPsec Wasn't realy stright forward, but in short - Level of every policy should be set "unique" instead of "required" br andriss Have you tested it ? In my case i...

eXtremer

He uses google DNS.

eXtremer

No good connection... Log: 12:59:56 ipsec IPsec-SA request for 69.22.XXX.XX queued due to no phase1 found. 12:59:56 ipsec initiate new phase 1 negotiation: 72.88.XXX.XXX[500]<=>69.22.XXX.XX[500] 12:59:56 ipsec begin Identity Protection mode. 12:59:57 ipsec received broken Microsoft ID: FRAGMENTATION...

eXtremer

IPsec uses port 500, should I open it with Firewall -> NAT or there is no need ?
Thank you.

eXtremer

I found another great tutorial ...it sound easy but I have a few questions. Where should I put these IP's: 169.12.XXX.1 and 169.24.XXX.0/24 in the image below ? My subnet is 192.168.0.1 And the Peer IP addresses: 72.45.XX.XX and 72.88.XXX.XXX OR 166.222.XX.XXX ? http://www.vionblog.com/wp-content/up...

eXtremer

I didn't do anything yet, that's why I posted to this forum I need to create this VPN channel but I don't know how to do it properly, what commands should I enter. Really need your help. The VPN is needed so that my users behind MIkrotik coulld work with one program that is placed on the other end (...

eXtremer

Hi all,

IPsec VPN secure channel between 2 sites, no connection.

The tutorial helped: http://gregsowell.com/?p=787

eXtremer

Hi all, So, I have about 20 PC's on my Network, but other devices connect to my router like Laptops, Mobile Devices and so on, the DHCP started releasing IP's with 192.168.0.196...192.168.0.195, 192.168.0.194...then *.*.*.180, *.*.*.123...*.*.*.47, *.*.*.45, *.*.*.44...*.*.*.25... *.*.*.18, *.*.*.13...

eXtremer

I'm fine with ECMP, what to change something that is working well ?
Could smb give me an example of rule I have to make, I know there is a lot of theory on the internet.

Thank you.

eXtremer

Hello, First of all I have to Providers for ECMP load balancing & fail over, now when I want to see my Traffic stats with one provider I need to enter it's website, but that providers allows connections only from its network, and sometimes the connections goes from the other provider and I canno...

eXtremer

HAve you tried connecting this line direct to a PC and see if your getting the same issue? recently in my area Frontier took over Verizon and since the change over Ive been having the same issue with my lines, one by one I have to call in and have them change me to a different gateway to fix. The i...

eXtremer

Should it be:

:global ping1 [/ping 8.8.8.8 count=3 interface=Orange]
:global ping2 [/ping 8.8.8.8 count=3 interface=MTC]

or

:global ping1 [/ping 8.8.8.8 count=3 routing-table=Orange]
:global ping2 [/ping 8.8.8.8 count=3 routing-table=MTC]

?

eXtremer

Sorry, its just me not being specific enough, please provide /system script print /system scheduler print regards PJD Print: [admin@MikroTik] > /system script print Flags: I - invalid 0 name="script1" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,s...

eXtremer

Added the Schedule!

Run count is still 0.

What the result should be ? There should be something in the Log ?

eXtremer

Here is the screenshot of the terminal...

About the schedule, could help with this, never made a rule like this...
Thanks.

eXtremer

Copy the code run in terminal, and copy the full code again from the terminal, and paste here. P.S. you need to set a scheduler let say every 30sec to run this script. Regards, PJD I'm using Winbox to run the script (System->Scripts) and not the terminal. So, I ran the script you gave me and in the...

eXtremer

Hi, I did supply this script to be amended not a ready solution. Provide your ip address print, and route print, and I will look at it for you. PJD [admin@MikroTik] > ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 192.168.0.1/24 192.168.0.0 19...

eXtremer

No, the script is not working because I made a mistake first time, added IP 8.8.8.4 that is wrong, there is no such IP and that route should be disabled but it didn't happened.

eXtremer

After adding this script... :global ping1 [/ping 8.8.8.8 count=3 interface=Orange] :global ping2 [/ping 8.8.8.4 count=3 interface=MTC] :global gw1 [/ip route get number=0 gateway-status] :global gw2 [/ip route get number=1 gateway-status] :if (($ping1=0) && ($ping2=3) && ($gw1="...

eXtremer

My script does exactly that, the ips on the top 192.168.2.1 and 3.1 could be replaced with your static or something like 8.8.8.8, thats on Internet then just adapt the routes so its checking via each line, and disables the one with no internet access. Simple. Btw. I don't think there is another way...

eXtremer

you try to change the 1st upstream don't change distance=1, 2nd upstream change distance=2 example: /ip route add check-gateway=ping comment="1st upstream" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.x/x scope=30 target-scope=10 add check-gateway=ping comment="2nd upst...

eXtremer

Hi,

Check the post below, should help you.

http://forum.mikrotik.com/viewtopic.php?f=2&t=53090
PJD

Thanks, but I don't want script, I know there is a easier workaround, in my case both IP's are static, no modems or whatsoever.

eXtremer

Hmm, forgot to add "connection-mark=no-mark" to the incoming mangle (so it doesn't mark replying packets from outgoing connections). Also "dst-address-type=!local" should not be necessary for this prerouting. This ist just an example, try this and test if this is working for you...

eXtremer

Just checked, NO connection to port 25, but I can connect to the router with Winbox - same IP.

eXtremer

Please post your config. Once again I must say that I'm having issues only with Orange interface (77.89.XXX.142), with the second Provider (MTC) everything is all right, allways reachable. Another thing, after adding the Mangle rules, the IP now is always reachable (ping), but when trying to telnet...

eXtremer

Nothing changed, still have this issue... I've made a rule to check every 20 seconds if port 25 is unreachable (I have a mail server behind mikrotik) it's not such a big probelm because mail are keep on coming through the other IP but this situation needs to be solved, can't understand why it's happ...

eXtremer

Added those lines.. / ip firewall mangle add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=...

eXtremer

There are no mangle rules, I'm using ECMP not PCC.

eXtremer

Hi all. I'm using 2 providers with RB750G (load balancing + routing failover), since I've changed one provide a week ago I'm having sporadic problems reaching one of the static IP, I'm pinging the IP everything is all right after 5 minutes can't reach it any more, then I can reach it again after som...

eXtremer

Hi all.

I'm using mikrotik's proxy to deny access to specific websites and files.
Is there a way to allow for example mp3 download, but only a few per day, for example 10-20.
Is there a way to do it ?

Thank you in advance.

eXtremer

If you want to allow only specific addresses that are able to connect to RDP then it should be src-address-list=ALLOW

ty, my fault

eXtremer

Hi all. I have a few port-forward rules, to 2 of them everyone can connect. add action=dst-nat chain=dstnat comment="Port Forward" disabled=no dst-port=9999 protocol=tcp to-addresses=192.168.0.3 to-ports=3389 add action=dst-nat chain=dstnat comment="Port Forward" disabled=no dst-...

eXtremer

I didn't notice this rule along others, if I disable it I can't ping my external IP's add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp So I've added the forward rule you said about, now if I enable this line "/ip firewall filter add chain=icmp action=d...

eXtremer

/ip firewall filter add action=drop chain=icmp comment="" disabled=no add action=accept chain=icmp comment="" disabled=yes icmp-options=0:0 in-interface=WAN2 protocol=icmp add action=accept chain=icmp comment="" disabled=yes icmp-options=3:0 in-interface=WAN2 protocol=...

eXtremer

do you have a jump rule to icmp chain?

No, I have jump rule only for forward, that's it.

I want to have only echo reply and net unreachable, anything else dropped.

eXtremer

I used to have this rule:

add action=reject chain=input comment="" connection-state=new disabled=yes in-interface=WAN2 reject-with=icmp-network-unreachable

But if this rule is enabled I can't connect to my router using Winbox, but I can connect to other ports (port forward).

eXtremer

From http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter I wanted to add: add chain=icmp protocol=icmp icmp-options=0:0 action=accept \ comment="echo reply" add chain=icmp protocol=icmp icmp-options=3:0 action=accept \ comment="net unreachable" add chain=icmp action=drop comm...

eXtremer

you need src no dst

I've tried with src then with dst, doesn't work. I've added only the IP without the protocol, same thing.

eXtremer

Some spamm bots trying to send email through my mail server, my mail server blocks them but I want the router to block it. For example to block the IP address below, I made one rule, but it doesn't work, what I'm doing wrong ? Thank you. My rule: /ip firewall filter add action=drop chain=input comme...

eXtremer

One issue solved: /ip firewall filter add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN1 protocol=tcp src-address=0.0.0.0/0 add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN2 protocol=tcp src-address=0.0.0.0/0 add ac...

eXtremer

Your configuration is messed up in many ways. Your loadbalancing scheme is badly breaking things since you're just using ECMP instead of a stable scheme such as PCC, and your NAT rules are all over the place (and ECMP doesn't work well with servers behind NAT). Things are made worse by the fact tha...

eXtremer

Somebody ?

eXtremer

Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export", and an accurate network diagram. Arax/WAN1 (PPPoE) - first provider WAN2 (static) -...

eXtremer

Nope it isn't working, If I add the same rules without ! my mail server will not send email from LAN. And the SSL websites (port 443) wont work, damn it will I ever solve this...

eXtremer

yes, and the exclamation mark made the difference - either from outside (with !), or from inside (no !). you needed to have two rules then (for each network). i'm just trying to explain what caused it, I know that you solved it. Understand, thank you http://www.torrentsmd.com/pic/smilies/thx.gif Ac...

eXtremer

your port forward rules had the address inverted - "!192.168.88.1" means "Not This Address!". Do not check the exclamation mark (!) in the rules. If I don't check exclamation it doesn't work from the outside, only in LAN. But it doesn't matter now with port forwards it is solved...

eXtremer

Played a little bit with the rules, completely removed the Src. Address (192.168.0.0/24) from all port forward rules and now it's working in both situation. [SOLVED]

eXtremer

But, I still have the Outlook issue... http://img842.imageshack.us/img842/6690/natl.jpg If I remove the ! from the Src. Address for the rule nr. 7 and 8 (port forward for POP3 and SMTP ports 110 and 25) - it works in the LAN using the public IP (87.233.82.82), but it doesn't work outside the LAN, if...

eXtremer

are all other sites working? for example other web mail servises like gmail or yahoo?

Solved, so I just put the 80 to 81 forward rule above the transparent proxy rule and it works!

eXtremer

why would you need a NAT rule like that? disable it and see if it changes something

I said in the above posts why I needed, I disabled it - nothing changed.

eXtremer

Another thing - I just enabled Web Proxy and I get the "ERROR: Gateway Timeout" when trying to reach web mail server with the public IP :| ERROR: Gateway Timeout While trying to retrieve the URL http://mail.domain.com/: * Connection refused Your cache administrator is Webmaster. Generated...

eXtremer

Another thing - I just enabled Web Proxy and I get the "ERROR: Gateway Timeout" when trying to reach web mail server with the public IP :| ERROR: Gateway Timeout While trying to retrieve the URL http://mail.domain.com/: * Connection refused Your cache administrator is Webmaster. Generated ...

eXtremer

You never mentioned there were more ports being forwarded. You need to make the same hairpin NAT exceptions for ALL ports. Since you have a bunch of ports, it's easier to just do it for the entire host. Remove the following line: /ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-addr...

eXtremer

It IS a DNS issue. DNS just helps you resolve a name to an IP, the browser then actually uses the IP address to access the service. Access by IP is working, so the problem MUST be with DNS. Go to the command line both at work and at home and run "nslookup whatever.domain.com" and compare ...

eXtremer

Then you have a DNS problem. If it works via IP, it works via IP. Check what IP address the domain name resolves to. The thing is that, I'm at home at the moment and I can use both ways, IP or domain and it's working, but at work it isn't working when trying with domain name, so I don't thing it is...

eXtremer

Here the complete NAT ruleset you need: /ip firewall nat add chain=dstnat dst-address=87.233.82.82 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.0.200 to-port=81 add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 protocol=tcp dst-port=81 out-interface=LAN action=masq...

eXtremer

The router will save so many lines that you specify in the logging action disk. I think it's default is 100 lines, and once the 100 lines are used up it will drop the old one to add on the new one. It would be much better if you wanted to save these logs to use the remote action and set up a syslog...

eXtremer

http://wiki.mikrotik.com/wiki/Manual:System/Log Add a logging action for the 'web-proxy' topic. Thank you fewi, just one thing, I changed the action from memory to disk, because I want to keep the logs for a few day and to check it from time to time, my question is for how long the system will save...

eXtremer

Another thing, how could I see what websites a user (IP) is surfing ? there is no such information in the logs area!
Thank you in advance.

eXtremer

http://wiki.mikrotik.com/wiki/Manual:IP ... ccess_List
Make two proxy access rules that accept traffic unconditionally from the two IP addresses, and put them higher in the list than the deny rule.

Understood, thank again

eXtremer

it is not squid in RouterOS. (older versions had squid, but that was 2.9.x) for a lot of downloads you cannot predict the size, so they will download 200MB and then you disable them. In these cases I usually suggest throttling, so these big downloads get lower data rate. You can look up queues for ...

eXtremer

You can't until they have already downloaded the first 200MB, which would waste that bandwidth.

But, if it is the same squid why it doesn't have this option ?

In squid under linux there was something like that:

reply_body_max_size 200000000 deny LAN !allowADMIN

eXtremer

Hi all. I worked with squid before, but how you know already the rules in RouterOS are different. I need to deny downloading files that have more than 200MB, but I need this rule to work for everyone except 2 computers, hot to do it ? Thank you in advance Boar name: RB750G And a easy one, I want to ...

eXtremer

Like I said with that rule, it will allow the first x Bytes of traffic through and then start to drop stuff once it breaches that limit. If there is an accept rule for established connections above that, it will fire before the drop rule allowing the connection to continue. The router has no way of...

eXtremer

Thank you fewi & Feklar....about blocking torrents to be downloaded or blocking websites I've made such a simple rule, I don't even know if it's made right but the truth is - it works! Maybe it needs some tweaking and with your help it will work better and faster. http://img442.imageshack.us/img...

eXtremer

To drop all connections through the router that have transferred more than 20MB: /ip firewall filter add chain=forward connection-bytes=20000000-0 action=drop Of course, usually that's a bad idea. What if a user wants to download a large file? Updates, or a Linux distro Live CD image? To deny acces...

eXtremer

I would really appreciate if you would give an example (if it will not be to hard for you) rather than posting a link to the wiki page, it will much easier for a newbie like me to understand how a specific rule works. For example: /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst...

eXtremer

Use an exclamation point to negate and match all but one IP address: "dst-address=!192.168.0.100". If you need to cover all IPs in a subnet save one you need to have two rules, one accepting on the negated IP that is to be included, one dropping on the negated subnet. You can possibly use...

eXtremer

Hi all. Is it possible to make a firewall rule that will work for all IP's in the 192.168.0.1/24 except one IP, for example: 192.168.0.100 I don't know where is that option. And one more question, I want to deny downloading a file that has more that 200MB, how to do that in RouterOS ? Thank in advan...

eXtremer

http://wiki.mikrotik.com/wiki/Hairpin_NAT Note that the same issue occurred with the D-Link - it just decided to not give you any options and implement SOME NAT rule that fixes it for you without telling you. RouterOS requires you to configure everything manually - which can be both a blessing and ...

eXtremer

Hi all. So, I have a mail server, I can reach it from my LAN when I use the private IP (192.168.0.222) but when I use the public IP (87.226.61.X) from my LAN I can't reach it, why ? I've just change from d-link router to mikrotik and I didn't have this problem with d-link. What I'm doing wrong ? Ple...

eXtremer

Nobody ???

So I've set the parameters for both provider, for first and second providers port 1 and 2 (WAN), made a LAN between 3,4,5 ports (3'rd port master), now I don't know how to set so that both providers (internet connection) would work together + load balancing.

eXtremer

Hi all. Today I bought a RB750G, Mikrotik routers is something new to me so I need some help configure it as I need. So, till now I had a D-Link DIR-615, but sometimes I had problems with my internet provider so with decided to have a backup provider, that means 2 WAN ports and the router that I hav...

eXtremer

I have at the moment just one Provider and sometimes the connection drops and I really don't like when it's happening (as I have a Mail server and I need to have internet connection all the time), now I want to have a second Provider as a Backup, my question is: can RB750G be configured for my situa...

Search found 92 matches