MikroTik

Nollitik

There is nothing to figure out - the DHCP hostname is an optional parameter that can be passed to a DHCP server within a DHCP request to provide additional information about the client. If the Apple device chooses not to send its name in the DHCP request there is nothing you can do on the Mikrotik ...

Nollitik

How does IDS and IPS work is it applied to traffic flowing out originating on the LAN out to the internet OR to Traffic originated from external sources heading to the LAN OR Return external to lan traffic Yes, I agree...that's why I have Suricata on WAN (inline mode) for traffic that didn't origin...

Nollitik

There is nothing to figure out - the DHCP hostname is an optional parameter that can be passed to a DHCP server within a DHCP request to provide additional information about the client. If the Apple device chooses not to send its name in the DHCP request there is nothing you can do on the Mikrotik ...

Nollitik

Yes, ids/ips is not an MT thing..... You must be protecting the king of some nation with all that security, what are you hiding LOL My privacy...LOL. Real answer is I got into networking when I purchased my RB450G and was fascinated with Mikrotik...that was fourteen years ago. Then, discovered pfSe...

Nollitik

Why do you need the pfsense box? Mikrotik can do it all.

It is much easier to run IPS/IDS on pfSense than Mikrotik, that's why! On pfSense, I have Suricata on WAN as well as Snort on LAN.
Another great package is pfBlpckerNG. So, why cannot I like both platforms? Mikrotik is my LAN's gatekeeper.

Nollitik

Hi, I would say (but of course lots of details are missing), this is what you miss: remove nat from the Mikrotik box and check routing on the pfsense box, to have a static route for your 10.0.8.0/24 Network to the Mikrotik box IP. Of course give the Mikrotik a static IP from 192.168.1.x. Don´t forg...

Nollitik

Here is a diagram of my setup below: Screen Shot 2022-01-17 at 11.44.12 AM.png Is this forward rule (12) I have added correct? When I ping the DMZ I get timeout. [admin@NolliTik] > /ip/firewall export # jan/17/2022 11:50:26 by RouterOS 7.1 # software id = 33B2-XGBT # # model = RB450Gx4 # serial numb...

Nollitik

What's the real issue you're having? You can add a static lease for any device and then you can add a comment to that lease via terminal / Winbox (and probably WebFig as well). I quickly checked and on one of my routers I have 30+ iOS devices and all of them send hostnames properly. The only catch ...

Nollitik

How does one add a comment to DHCP lease that didn't receive hostname from device? I cannot do so using Winbox for MacOS. Well, I discovered one can add comment via the webconfig on some things but nothing for my iPhones...thanks Apple for privacy on my own money well-spent private network...my Mik...

Nollitik

How does one add a comment to DHCP lease that didn't receive hostname from device?
I cannot do so using Winbox for MacOS.

Nollitik

It's all working now after figuring out my login/password problem for the second user. I had been creating the password, reconfirmed it, then clicked apply, then, clicked okay. Well doing so killed the newly created password when I clicked okay. One had only one choice, one either click apply or cli...

Nollitik

NO its not a bug, its a user who has made mistakes in configuring the device. I LOL reading this and seeing some of my mistakes... add name=nolliLAN ranges=10.0.8.2-10.0.8.4, 10.0.8.20-10.0.8.251 WHY??? in any case not wrong just weird from my perspective. I have cameras, servers, and a switch that...

Nollitik

Interface menu selection is where you find to add a new LIST, its tricky to find I thing its a square box vice a pulldown.............. There is no way...you'll just be creating another LAN that would have the same exact network. I even tried creating a firewall input rule and that didn't work. The...

Nollitik

Yes, looks good, Why not just put the opendns servers right in the MT, dont need pfsense for that?? /ip dns set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220 The reason is I am using pfBlockerNG package on pfSense so all DNS request resolve there. I am still having login issue fro...

Nollitik

Looking at the config, so far so good! - See three subnets one for the bridge and two for specific ports. Not really wrong but not userful are these settings. /ip dns set allow-remote-requests=yes servers=192.168.1.1,10.0.8.1,172.17.9.1 ( the router already knows these are the servers for the netwo...

Nollitik

Just realize I could use the browser and copy from Terminal that way...so, here it is... [nolli@MikroTik] > /export # jan/05/2022 16:08:27 by RouterOS 7.1 # software id = 33B2-XGBT # # model = RB450Gx4 # serial number = ADBA0ACE537B /interface bridge add admin-mac=74:4D:28:21:60:52 auto-mac=no comme...

Nollitik

Post your lastest config for assistance.

I am using Mac so cannot copy from Mikrotik terminal so I hope a pic will help. I didn't see any list called deconfig...

Screen Shot 2022-01-05 at 2.34.09 PM.png

Screen Shot 2022-01-05 at 2.39.11 PM.png

Nollitik

Pictures are nice but need to see the config /export hide-sensitive file=anynameyou wish. I should add that my advice was NOT to create a separate network but to create a separate access to the router for config purposes. For a completely different subnet, besides IP address you need IP pool, dhcp ...

Nollitik

You add the WLAN interface to the list NOT the port........ but much thanks it was not clear on my article and have just made some modifications. See if it reads better for you now!! add interface=WLAN name list=manage I am not using Wlan...this is what I have setup...see images and it seems that I...

Nollitik

To make changes so you dont get locked out. create one port off the bridge like this and do all your config from there...... https://forum.mikrotik.com/viewtopic.php?t=181718 Okay I used port three to reconfigure the router; however, the step I am having issue with is where do I add say ether 2 to ...

Nollitik

What is the proper way to create separate network that are not bridged? I have the new RB450x4 and I would like to separate my LAN from my guest network, but would like to keep default firewall Screen Shot 2022-01-03 at 6.31.31 PM.png I can easily take port five (5) off the bridge but if I try port ...

Nollitik

Hello Just mentioning, in case it helps you, that I managed to get ntopng working with the MikroTik Traffic Flow (NetFlowv9) This is including the internal client -> external server usage (after nat) in ntopng The NAT information required to do so is in the exported flows and the solution uses a mo...

Nollitik

Just wanted to report that I can access without any problem ...thanks all helpers!

Nollitik

Well I think mkx was basically stating, devices (besides MT) have their own sets of behaviours in the software on them, example PCs have sometimes 1 or more software firewalls running

Okay, let me try first and see what happens.

Nollitik

Also make sure firewalls on LAN devices allow connections from different IP subnet, default windows firewall settings don't allow that.

Interesting ... I have the default firewall as below image ... wouldn't that get covered under ICMP?

Screen Shot 2020-06-23 at 10.18.58 AM.png

Nollitik

Yes, the router will route between them at L3, unless you have a blocking fw rule.

Cool ... that's what I thought ... thank you!

Nollitik

I have my main network interface on Ether 2 - (10.0.8.0/24) and I have created a separate network on Ether 4 - (10.8.27.0/24)
I would like to be able to access via the browser servers on Ether 4 from my Ether 2 network ... would I be able to access since
My connection is within LAN?

Nollitik

If "now" means "after upgrading from pre-6.41" where you could declare one Ethernet interface to be a master one, and indicate other Ethernet interfaces as its slaves, this method of configuration has been replaced by the "new bridge setup" where the same effect is pro...

Nollitik

How do one remove slave from an interface now?

Screen Shot 2020-06-22 at 11.17.44 PM.png

Nollitik

The solution turned out to be simple however involved third party application. By using the Packet Sniffer tool and Wireshark, I could achieve my goal without, as appeared, taxing the router. Thank you Sob and others for responding.

Screen Shot 2020-03-07 at 10.26.18 AM.png

Nollitik

Since OP is on limited budget, don't hesitate to use AirB&B...it could surprise you!

Nollitik

Is it possible to use the Dude to capture all connections in Firewall > Connections? I have looked at the manual, and it has a syslog; however, the manual seems to lack meaningful or significant instructions. I have installed the server on my RB450Gx4 and the Mac version client so far. Well, the Ma...

Nollitik

Is it possible to use the Dude to capture all connections in Firewall > Connections? I have looked at the manual, and it has a syslog; however, the manual seems to lack meaningful or significant instructions. I have installed the server on my RB450Gx4 and the Mac version client so far.

Nollitik

I never found RouterOS scripting intuitive, so personally I wouldn't go there. The only scripting I'd do would be making unique file names, so that multiple files could be saved. Then I'd download them and do needed processing elsewhere using other means. That's if I'd choose this way with snapshot...

Nollitik

It would really be cool to have Winbox or Macbox for the MacOS...never understood why Mikrotik hasn't made the leap. I have been using Winbox4Mac for years now...even preferring it over webConfig but that's not the point. Having the app available through the AppStore could bring many more home netwo...

Nollitik

You can do: /ip firewall connection print file=connections.txt And if you wrap it in a script run from scheduler that would generate unique file names like connections-2019-12-11-18-23-00.txt, you could use it to keep history. But working with all those files will be probably nightmare. Okay Sob yo...

Nollitik

You can do: /ip firewall connection print file=connections.txt And if you wrap it in a script run from scheduler that would generate unique file names like connections-2019-12-11-18-23-00.txt, you could use it to keep history. But working with all those files will be probably nightmare. Okay Sob, t...

Nollitik

The action=fasttrack-connection rule makes the connections which match it (which usually means all connections) to be handled the fasttrack way, which effectively means that it prevents most packets from ever reaching any further rules in its chain (forward). Including your rule 9. More than that, ...

Nollitik

Okay Sindy, I read the link you provided and tried again with connection-bytes set at 500, still nothing logged to memory for testing when opened new connection. That link doesn't deal with the fasttracking rule which changes a lot, basically it prevents most packets belonging to established connec...

Nollitik

The first step is to understand how the firewall rule chains and connection-state attributes work. This post might be helpful. Knowing this, you cannot be surprised that your rule shows only the first packet of each new connection. You can use attributes like connection-bytes to log first few packe...

Nollitik

Ok I gave up trying to reconfigure it in the end. I have updated to the latest stable release but not really bothered trying again. Thanks The attitude to success is never given up...so, when you were setting up, did you create a user and password? Are you sure it not your browser preventing you? D...

Nollitik

It totally confused me as well; however, may I suggest to always make your router do DNS resolving first then Google such as 192.168.88.1, 8.8.8.8.

Nollitik

It's great to see another with pfSense and Mikrotik combo network. Usually, a firewall never suddenly blocks websites though.

Nollitik

Hmm... no. Quick test says that it's about state of DHCP client (when it starts, stops, requests address, gets it, ...) and similar changes in state of routing protocols like BGP. If you want to log when connections are established, you can add logging for "firewall" topic, choose some pr...

Nollitik

I think you should first of all describe the task more precisely. "logging all connections" may mean to just log each connection initiation attempt which is relatively easy, or to log each connection's resulting data volume as it ends, which is much more complex, or to record all connecti...

Nollitik

According to manual page you linked, "state" means "DHCP Client and routing state messages". Yes that's what I saw and interpreted that to mean client IP:port and destination:port as displayed in IP>Firewall>Connections...am I correct? Would it be better to set up a firewall rul...

Nollitik

Well I tested by creating a log rule of State and write to memory...nothing happened!

Screen Shot 2019-12-05 at 8.38.26 PM.png

Nollitik

Well, I was reading here https://wiki.mikrotik.com/wiki/Manual:System/Log and https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Connection_tracking It seems that logging state to disk should achieve what I want, record of all source and destination without all the DNS chatter. Wondered whether prefi...

Nollitik

How to go about logging all connections except the actual DNS request to the Mikrotik...is that possible?
My Mikrotik is the RB450x4 and I added a 32GB SD card.

Nollitik

Another +1 for a MacBox version of Winbox!

Nollitik

Hey. It's DNS flood from outside, perhaps from your ISP. So just disable your DNS "allow-remote-requests" option. If it's already disabled, then relax. Every router in the world drops so many trash you can't imagine. Yes, I know it's harmless traffic; however, I have an edge pfSense box t...

Nollitik

So, the other day my Internet was down and a public IP address was not available from my ISP. The next day the Internet was still down; however, I noticed that I received a private IP address from my ISP that raised a red flag. My configured router's address is 10.0.8.1, yet my ISP was attempting to...

Nollitik

It seems that a firewall rule on the router might be blocking you since you're not connecting from LAN. The solution is to give the change instructions to the customer for them to do it while you watch via teamview.

Nollitik

Please read his reply again. After you have changed something using another menu item (like you did), do NOT look at Quick Set again. Forget that it exists. Quick Set does NOT work correctly anymore after you have made another change. We have asked MikroTIk many times to remove Quick Set after anot...

Nollitik

The secret of Quick Set (well, it's not really a secret) is that you either use it exclusively and forget that anything outside of it exists, or you use it once to create initial config and then forget that Quick Set exists. Seeing wrong addresses in Quick Set is a sign that you made some changes o...

Nollitik

Trying to understand why quick set has my guest IP as my local address instead of my personal network 10.0.8.1. Is it because ether5, which is where my guest resides, is the only ether port that's not a slave? Even if I disable ether5, quick set still shows my guest IP address as local network. If I...

Nollitik

I think you need to set the IP address that the VPN client comes in as. Then firewall rules will dictate what clients can then reach the next subnet. If I understood the diagram... its not VPN from one site to another... but a wired connection. If that is the case... you have one feed from the firs...

Nollitik

Whenever I see oVPN in a Mikrotik thread... I stop reading. OpenVPN has been crippled in Mikrotik for like 10 years now. Thanks Gotsprings...maybe that why I intuitively wanted to use L3TP/IPsec at the Mikrotik. That's where I am struggling to visualize when the VPN client reaches the Mikrotik, how...

Nollitik

I got the inspiration from guys such as this: https://www.technadu.com/double-vpn/45274/ However, in their case, it's to hide the IP address from one's ISP. Whereas, in my case, it's just because it seems doable and kind of a "James Bond" approach/novelty. Also, in my case, the WAN is a pf...

Nollitik

A company's office doesn't have a public IP address. My office does. I have the Far office calling my Office over L2TP. The route between them is 2 points. On each router... I have a route that points to the l2tp route. Encryption engine grabs the traffic before it goes over the tunnel. I vpn to my...

Nollitik

Has anyone used a double VPN? What I mean is there is an edge router and a LAN router. So, road warrior client would VPN to the edge router from the Internet and would traverse to the LAN router where the client would present a key to get to the back office. It's like entering the building (edge rou...

Nollitik

You need to fix the mask, because it explains your problem, quite a few of Google's networks are in 172.0.0.0/8.

Oh, now wonder...thank you for sharing!

Nollitik

Okay, I fixed it...all is well!

Screen Shot 2019-08-23 at 11.05.58 AM.png

Nollitik

Your IP addresses are both assigned to ether2 which is part of the bridge, you probably meant to assign them to bride and ether5, like your dhcp servers. Edit: 172.0.0.0/8 is not a private ip range!!! Don't use it on your LAN. Your configured netmask fucks up routing to any public 172.x.y.z IP. Yes...

Nollitik

Or just /export hide-sensitive Copy/Past result here. Last night, I switched router back to the old and was able to visit google.com as well as gmail just to confirm. Here is the result from the new RB450x4 [Nolli@MikroTik] > /export hide-sensitive # aug/23/2019 10:09:03 by RouterOS 6.45.3 # softwa...

Nollitik

Try to stretch "breaks" a little, into few sentences maybe... There's lot of ways how something can break, it would be good to understand what exactly is happening here. Try to describe it in a way that someone who doesn't see it can understand. What I am saying is the original RB450G wit...

Nollitik

Posting part of settings is not all that helpful.
/export config hide-sensitive file=yourconfigaug22

What am I doing wrong...see image below!

Screen Shot 2019-08-22 at 10.02.49 PM.png

Nollitik

So, my new RB450Gx4 went into production last night/early this morning and now Google, Google Play, and Gmail breaks...not understanding what's happening. My IP > Settings are the same and exact as the original RB450G that the new router replaced...see the image below. Firewall is default just as th...

Nollitik

I can't really say that I understand your disappointment. There's nothing special about cached DNS records, router will get new and fresh ones from upstream resolvers. It does that all the time anyway, when old ones time out. I realized that I shouldn't be disappointed because cache is short-term m...

Nollitik

Not really. DNS cache does hold records requested by clients, but how long depends on their TTL. So some will be there for hours or even days, but others only for seconds. Oh and reboot also clears it. Sob, I discovered such a short list it's disappointing...see image below! So, I might as well put...

Nollitik

If you're not sure what you're looking for, then just export everything ("/export file=myconfig"), then open resulting file in some text editor and you'll see if what you want is there. Sob, I like this above. I had thought that DNS cache would keep track of the website visited and would ...

Nollitik

By doing it the way you did, you orphaned the DHCP server so your laptop did not get an address when you woke it up. You could still have accessed the router by setting a fixed IP inside one of those networks on your laptop. Next time, do not disable the bridge but remove port 5 from it and set you...

Nollitik

I would like to have a different IP address on Ethernet 2 from Ethernet 5...so, I disabled the bridge interface and set Ethernet 2 to 10.0.8.0 and Ethernet 5 to 172.17.9.0 then put the laptop to sleep before going to bed. This morning I could not access the router...even resetting by depressing the ...

Nollitik

Maybe you use wrong description? Original post sounded like you want to transfer running state of router. I guess you probably don't want that, it's hard to believe that you kept the original running without reboot for ten years. If what you actually want to transfer is config, e.g. address list, j...

Nollitik

... would like to transfer my DNS cache of my establish, related IP state to the new router. The old router I had kept the default IP address (192.168.88.1); however, on the new router, the address and range is 10.0.8.2-10.0.8.254 with router on 10.0.8.1. You can't. Connection tracking states are m...

Nollitik

Well, I am a proud owner of a new RB450G☓4 (arrived today) and would like to transfer my DNS cache of my establish, related IP state to the new router. The old router I had kept the default IP address (192.168.88.1); however, on the new router, the address and range is 10.0.8.2-10.0.8.254 with route...

Nollitik

Sindy, this is what you really wanted...had to use web browser instead of Winbox. However, I just saw that the thread is turning into awesome...have to read all new responses. /ip firewall filter add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-stat...

Nollitik

Here's the screen shot you requested. I didn't :-D What I actually wanted was a copy-paste of the text output (select the text, right-click on it, left-click on "copy" in the drop-down menu, then Ctrl-V here), not a picture. You cannot use Ctrl-F for strings in a picture, you cannot rearr...

Nollitik

I am dropping traffic, yet nothing is been added to the address list...see screen shot, what's up? Your picture shows you are adding only source addresses of TCP packets to the list, but dropping everything. So other than TCP packets are just dropped, their addresses are not added to the list. Pres...

Nollitik

I am dropping traffic, yet nothing is been added to the address list...see screen shot, what's up?

Nollitik

2w = two weeks

Thanks Pe1ch1...wasn't expecting such a long time...I now take that to mean the time the source list shall exist. So, does dynamic therefore means that the list would roll over to the next two weeks period?

Nollitik

I am creating a drop port scanners per https://wiki.mikrotik.com/wiki/Drop_port_scanners and wanted to find out what the 2w means in address-list-timeout=2w. The only option offered is none dynamic or none static...see screen shot.

Nollitik

This is awesome...if only I could get this on a RB450G...is there? Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions. So, are you saying one has to have a separate Suricata box for this to work? The RB450G only has 512M...

Nollitik

This is awesome...if only I could get this on a RB450G...is there?

Nollitik

Found it...it was on the general tab, and I was trying to edit the lease time on the active tab.

Nollitik

I have been watching the server and discovered it's setting short leases of approximately 7mins. That seems like a bug. How to set leases to a greater period like 7days? The only other choice is to make static. Looking at the screen shot I realize that particular device was sleeping, while DHCP cont...

Nollitik

Best will be to sniff the network and analyse the packets with something like wireshark to see what is happening, problem might be caused by client side

Not sure I am following...is not the client side I believe...I want to say a bug! I have wireshark installed...will try having a look.

Nollitik

Curious as to why DHCP server seems to assign then, moments later deassign...see screen shot.

Nollitik

Where are you entering the address...it can only be on the camera and can't be DHCP server! I used the same setup...RB450G that connects Hikvisions IP box cameras with static IP address of my network 10.0.8.0 and a camera has 10.0.8.171. This is what I ended up doing. I've never had a problem assig...

Nollitik

Not really sure what you're asking...why limit data? Does he has broadband issues...if so get a bigger Internet package from his ISP like 100Mb per second or more! The kid will, eventually, figured out how to change the Mac address too thanks to Google.

Nollitik

Where are you entering the address...it can only be on the camera and can't be DHCP server! I used the same setup...RB450G that connects Hikvisions IP box cameras with static IP address of my network 10.0.8.0 and a camera has 10.0.8.171.

Nollitik

Okay, that makes more sense now. Two things though.. 1) Netinstall uses Ethernet, not serial. 2) Netinstall doesn't like virtual machines. I've never had any luck with getting it working in VMware Fusion either. I ended up keeping an old macbook running Windows XP for these type of situations. I tr...

Nollitik

Thanks for responding, IntrusDave. To be clear this was not my first time configuring my RB450G with no default configuration...I have had the router over six years; however, it my first time needing to reformat the nand disk. When I say Mikrotik should make available a RS-232 driver, I mean have a ...

Nollitik

Put some screwdriver (or anything metal) into the hole, apply power and wait until it boots. You will need to open the router...see video.
https://www.youtube.com/watch?v=G-iIxxXcYq0

Nollitik

Thanks for sharing those firewall rules...not sure I understand them though. I made note of them. Firewall rule (e) chain: input > action: drop...that's normal...you should get lots of "hits." Do you have the Asus in bridge mode? I had a setup where a Mikrotik RB450G is my master router to...

Nollitik

Hi,
thanks, but i don't see how this is a solution to my situation.

Follow the site to site instructions here: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Except for the IP address, this picture seems to be what you described!

Screen Shot 2015-08-02 at 10.58.16 AM.png

Nollitik

Did you used a USB-Serial adapter and if so, what, where did you get the drivers?

Nollitik

Having to reformat the router turned out to be a waste of valuable time...the amount of hours (if calculated at minimum U.S. wage) I have put into diagnosis and attempting to reformat, I could have bought another router. Of course, if it weren't for the sake of learning, I wouldn't have tried. The g...

Nollitik

The more complex a configuration and the longer one had that configuration with periodic upgrades is the more chances that a mishap can lead to having to reformat the router. I am dealing with that right now, and the amount of hours at minimum wage I have put into diagnosis I could have bought anoth...

Nollitik

Hi! Im having issues connecting to L2TP/IPSEC server hosted on rb750gl ROS version .. i tried 6.0. Rc14/ 6.24 and 6.30.2. I can connect to it fine with windows PC, but when i try to connect from android or ios device ... no connection is happening. MT router is behind WatchGuard and it have public ...

Nollitik

So, did you get it to work? I am a Mac user and am in a situation where I'll need to do a clean install of RouterOS...I didn't plan on using Windows 7 on my Mac via Parallels because of the virtual environment is unreliable. I had that same issue - I was able to trace it back to unreliable unzip me...

Nollitik

Don't crawl...dash swiftly to Facebook...hurry...run!

Nollitik

So, did you get it to work? I am a Mac user and am in a situation where I'll need to do a clean install of RouterOS...I didn't plan on using Windows 7 on my Mac via Parallels because of the virtual environment is unreliable.

Nollitik

You may start here: http://wiki.mikrotik.com/wiki/Scripts http://www.mikrotik-routeros.com/category/scripts/ http://www.mikrotik-routeros.com/category/scripts/ https://www.nasa-security.net/mikrotik/cool-stuff/

Nollitik

Glad you found a "pretty easy solution" eventually you'll find VPN a pretty easy solution as well.

Nollitik

Hi, did you already try to netinstall your device? The file system may be corrupted. If this strange behavior continues after netinstall, I would say the device is a candidate for RMA. Ape Thank you, Ape for responding. No, I haven't yet...I am waiting on support finding after they examine the supo...

Nollitik

A linux system.
If it should be low energy and low cost, a raspberry pi can do the job.

Ape

+1...here's a link with how to instruction: http://resources.intenseschool.com/rasp ... og-server/

Nollitik

I have HD IP cameras (Hikvision) behind a Mikrotik 450G natted. I can attest to the best solution is VPN. Yes, it's a steep learning curve...why not though...afraid of learning? No worrying about your Internet upload speed or bandwidth to stream HD videos, you'll have. I had no foundation in network...

Nollitik

The router is behaving strangle and really weird. Instead of resetting the router with no default configuration, I decided to keep the default config so I would have three separate networks. The default works without a hitch; however, as soon as I add my former networks, identity, and a user with pa...

Nollitik

I noticed you didn't allow IPsec in firewall: /ip firewall filter add chain=input comment=established,related connection-state=\ established,related in-interface=WAN add chain=input comment=ESP disabled=yes in-interface=WAN protocol=ipsec-esp add chain=input comment="UDP 500,4500" disabled...

Nollitik

So, here the weird part...I reset the router under 6.30.2 and got the default setting (192.168.88.1) then exhausted from monkeying with the router, I decided to watch a movie. I connected my Apple Extreme to which all Apple devices connect including the AppleTV to it's usual Ether2 port on the Mikro...

Nollitik

Well, I figured out if I get kicked out of Winbox after resetting with no default configuration I need to restart the computer...very awkward indeed. As soon as I connect to the router using the Mac address then go to input setting, I am kicked out, and when I launch Winbox (winbox4mac) again, I ge...

Nollitik

Well, I figured out if I get kicked out of Winbox after resetting with no default configuration I need to restart the computer...very awkward indeed.

Nollitik

So, I enabled the Winbox interface in Mac Server for ether1, removed default configuration, and got out my USB serial cable...it's a male. :shock: It's the first time I ever used it...had the wildest laugh. Found the right cable, found out that the Mac Server is only to connect two Mikrotik routers.

Nollitik

So, I enabled the Winbox interface in Mac Server for ether1, removed default configuration, and got out my USB serial cable...it's a male.

It's the first time I ever used it...had the wildest laugh.

Nollitik

This is becoming a nightmare...when I reset the router, connect and delete default configuration, I am unable to get back into router. I keep getting error connecting to Mac address. Winbox seems unresponsive...I am using Winbox4mac. I really would like to restore from my backup; however, after com...

Nollitik

This is becoming a nightmare...when I reset the router, connect and delete default configuration, I am unable to get back into router. I keep getting error connecting to Mac address. Winbox seems unresponsive...I am using Winbox4mac. I really would like to restore from my backup; however, after comp...

Nollitik

it may be better to connect to the WAN port, that way you are not modifying the ports that you are working with.

Good idea...if I have no default configuration, there is no firewall on ether1. I will try that in the morning...thanks for sharing.

Nollitik

Click on the "Neighbors" tab, next to the "Managed". It will scan for Mikrotik devices. Thanks IntrusDave for responding. Yes, I did that and logged in with the Mac address; however, as soon as I make a change, such as assigning ether2 as master port, I am automatically shut out...

Nollitik

How to connect to the router if one issue a reset with no default configuration? Winbox 3 rc12 doesn't have the scan button for the Mac address anymore. Using neighbors, I can see the Mac address...wondering whether that will enable access.

Nollitik

I m interested by your automatic blacklist script, would you mind sharing ? What kind of mikrotik do you have to handle that much firewall entry? Thanks a lot My blacklists are currently private, but I have been working on a system to allow them to be downloaded by others. I'll see if I can finish ...

Nollitik

Yes, Mikrotik RB951G-2HnD should work with two gigabit switch each having twenty-four ports; however, I would go with a RB450G (256 vs 128 RAM and has a microSD slot) with the above switches and a wireless access point (my setup for a home office...older RB450G with no microSD). Still, as Jarda said...

Nollitik

karlisi is correct. In the IP->Firewall->Address Lists, you have a single entry per line. I have over 6000 entries in my address lists. I have a server that generates a blacklist every night, and each morning all of the Mikrotik routers that I manage download that list. Wow! Do you add addresses fr...

Nollitik

AFAIK this is not possible, address lists are made from separate entries for each address. This form is more manageable as one entry with multiple values.

Okay, thanks!

Nollitik

Still face the same issue...in the sense that it's transferred to the Firewall > address list instead. What I want to do is this: /IP firewall address list add address xxx.xxx.xx1, xx.x.xxx.x2, xx.xx.x.xx3, etc., list = Blacklist, so that one has one entry rather than a new entry for each single IP ...

Nollitik

Your firewall rule uses address-list, there is no need for more rules. In Blacklist address list you will put all addresses to be blocked by this rule. Like this /ip firewall filter add action=drop chain=input comment="drop blacklisted addresses" \ src-address-list=Blacklist disabled=no /...

Nollitik

I want to create an address-list named Blacklist of IP address that made an attempt to access router from WAN. So, it would like this: Input chain > In interface: Ether1 > Scr. address-list: Blacklist > Action:reject The problem is I would actually like to add a list of IP addresses to this address-...

Nollitik

You can try assigning a fixed IP address. Here are some links to solutions that seem common among the iPod Touch.
https://discussions.apple.com/thread/2757493?tstart=0
https://discussions.apple.com/thread/1282140?tstart=0
https://www.ifixit.com/Answers/View/963 ... IP+address

Nollitik

I could also do with some extra assistance / documentation on using this feature, it looks useful! I agree and would like further explanation...for instance, advantage of ipsec-policy >in/none VS ipsec-policy >in/ipsec although, intuitively, ipsec-policy >in/none seems to have an edge since it chec...

Nollitik

Just a suggestion to not display confidential info (IP address) next time.

Nollitik

I also would like to be sure I understand IPsec-policy match...so if I have a firewall rule as: input chain > advanced >IPsec-policy: in/none >Protocol: 50 (ipsec-ESP) >Action: Accept Then that would place restrictions and add security enhancement through policy matching? I want to learn as much as...

Nollitik

I also would like to be sure I understand IPsec-policy match...so if I have a firewall rule as: input chain > advanced >IPsec-policy: in/none >Protocol: 50 (ipsec-ESP) >Action: Accept Then that would place restrictions and add security enhancement through policy matching? I want to learn as much as ...

Nollitik

Is there a way to change either the font or text size used by winbox?

Thanks.

Colin

+1

Nollitik

under IPSEC peer 0.0.0.0/0 try changing under generate policy to "port override" as this has resolved issues for me in the past. Actually, Fallenwrx, that's exactly what worked with passive unchecked...thanks for sharing. Maybe Mikrotik should allow the option to select generate IPsec-pee...

Nollitik

Thanks to Mikrotik support for resolving my VPN issue. It turned out to be the dynamic generated peer where the problem resided. So, if I reboot the router, I would need to delete the dynamic generated peer for the manually created peer to take effect. My hope is that Mikrotik gives one the option i...

Nollitik

Hi! Please give advice to me how is the best to setup this vpn. I have two offices (LAN: 10.1.0.0/24 and 10.8.0.0/24) both with mikrotik router to Internet, and one Mikrotik router with static IP address (name it VPN server). The offices connects with L2TP VPN to the VPN Server. What i need to conf...

Nollitik

Hi, First post :) I am having problems on some workstations connecting to a CCR1016-12G running OS version v6.29.1. When I debug, it is stopping on the auth of the user and keeps repeating in the log below until a timeout : <81>: LCP Timer <81>: sent LCP ConfReq id=0x5 <mru 1460> <magic 0x4a49c93b>...

Nollitik

I would never have guess that having special characters in password would jam up my VPN...wow...thanks Mikrotik support and a special thank you to MrZ.

Sorry that was a false alarm...problem still has not resolved.

Nollitik

I would never have guess that having special characters in password would jam up my VPN...wow...thanks Mikrotik support and a special thank you to MrZ.

Nollitik

Doing some research today seems to leading me to a conclusion that my robust firewall might be having issues with L2TP and port 500. It seems that a common problem and thus the main weakness of L2TP. Since IPsec establishes successfully and L2TP establishes both send as well as receive communicatio...

Nollitik

I had/have similar issue, described here . Only workaround I find is that you need to add always manually the outgoing policy. (which is very inconvenient in case of roadwarriors) I was also in contact with Mikrotik support (ticket number is Ticket#2015061266000262), where they stated in case both ...

Nollitik

Per Mikrotik support, I disabled all drop rules and that doesn't resolve the L2TP authentication process thus making connection possible, despite IPsec successfully connects. Sent another supout file.

Nollitik

Doing some research today seems to leading me to a conclusion that my robust firewall might be having issues with L2TP and port 500. It seems that a common problem and thus the main weakness of L2TP. Since IPsec establishes successfully and L2TP establishes both send as well as receive communication...

Nollitik

What ticket number?

[Ticket#2015061066000766] VPN Analysis and Recommendation

Nollitik

Hello together, since a few days I own a static public IP-Address and so I tried to configure a VPN with my RouterBoard RB2011UiAS-2HnD. I've watched several youtube videos but I can't get the l2tp/IPSec VPN to work from external. My RB ist natted. Firewall Rules (Input, Accept - UDP dst-port 500, ...

Nollitik

Hallo.
I have Mikrotik RB751. I have to configuration router, every ether port in mikrotik has to than master port: none. How do I configuration address and route table ?

Not sure what you want to do however I think this video might help you...good luck!
https://www.youtube.com/watch?v=ulDefmf1ces

Nollitik

under IPSEC peer 0.0.0.0/0 try changing under generate policy to "port override" as this has resolved issues for me in the past. Thanks Fallenwrx for responding. I am using RouterOS 6.29 and when one selects IPsec in the L2TP server, it auto generates an IPsec Peer with a policy to "...

Nollitik

Enable ipsec debug logs in /system logging menu. Try to connect and post the log output here. Thanks for responding and awaiting my follow MrZ. My log is very long (both L2TP and IPsec)...would take too much time to redact confidential info. Could I just send the supout file to Mikrotik support...I...

Nollitik

Since I can connect to my VPN from my guess network at home...connection from the coffee failed, to trouble shoot most would say check firewall. However, from the coffee shop, L2TP is sending and receiving control messages with the client...therefore that would imply going through the firewall, does...

Nollitik

Can you please confirm that this is using mobile networks eg 3G/4G as i know in NZ we have to change our APN settings on mobile devices to allow VPN traffic through.

No, the client is using either iOS devices or Android devices over WIFI.

Nollitik

So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut...

Nollitik

This road warrior L2TP/IPsec is so, so FRUSTRATING, it seems that it could make one jump over the cliff. No matter how much improvements, it just seem to follow a golden rule: the more things change, the more they remain the same. The problem I have is the L2TP server never gets to the authenticatio...

Nollitik

Please look at the site to site section here: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024

Nollitik

Looks like you're having problems completing IPsec phase 1 so it can't go on to phase 2. I take it you're doing a site to site.

Nollitik

Bump :D - Any ideas on either setting up the VPN or why I cannot get any debug-level logging to try and troubleshoot myself? I'd just like to get some visibility as to what's going on and why it's failing. Thanks! If you go to System >Logging, then add to memory L2TP and IPsec...please see screen s...

Nollitik

So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut...

Nollitik

So, I am still having policy issue with my VPN ..... If you consider using OpenVPN using MikroTik as server instead, I can offer you a detailed step-by-step instruction. Note that Microsoft, a member of the consortium behind the development of PPTP, specifically recommends against its use. As for L...

Nollitik

after upgrading to 6.29 while formatting 16g sd card ex3 at 45% card disappear. now no sd card in in disk . and also winbox not loading previous session e.g after close winbox all open windows closed in next winbox login. routerboard: yes model: 450G serial-number: 279601723555 current-firmware: 3....

Nollitik

So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut ...

Nollitik

What I need is a clear, no nonsense instruction on setting up a VPN for folks who have an office at home and that wants to connect from anywhere in the world where the IP address is unknown. I have been wanting to have this done two years now and have been grossly disappointed with Mikrotik support...

Nollitik

What I need is a clear, no nonsense instruction on setting up a VPN for folks who have an office at home and that wants to connect from anywhere in the world where the IP address is unknown. I have been wanting to have this done two years now and have been grossly disappointed with Mikrotik support...

Nollitik

What I need is a clear, no nonsense instruction on setting up a VPN for folks who have an office at home and that wants to connect from anywhere in the world where the IP address is unknown. Hello I followed this You tube guide - https://www.youtube.com/watch?v=cgfXs6ZJrgs Additions and Blog on my ...

Nollitik

If understand correctly, you're trying to stream via airplay from an IOS device to your AppleTV...namely YouTube content...is there any reason you can't get the YouTube content directly from your AppleTV? No, I am trying to stream m4v file via iTunes HomeSharing using Gigabit LAN. And it freezing. ...

Nollitik

What I need is a clear, no nonsense instruction on setting up a VPN for folks who have an office at home and that wants to connect from anywhere in the world where the IP address is unknown. I have been wanting to have this done two years now and have been grossly disappointed with Mikrotik support....

Nollitik

I have made a request to have the final version of Winbox available in the app store...lets make more quality noise so it can happen.

Nollitik

If understand correctly, you're trying to stream via airplay from an IOS device to your AppleTV...namely YouTube content...is there any reason you can't get the YouTube content directly from your AppleTV?

Nollitik

For VPN, there is no explanation of what policy override and policy strict means... From the manual: no - do not generate policies port-override -- generate policies and force policy to use any port (old behavior) port-strict -- use ports from peer's proposal, which should match peer's policy Okay,...

Nollitik

Upgraded today on 450G...all is good so far!

Nollitik

Make the log a rich text file that can be easily exported for further analysis if one needs.

Nollitik

The twenty-first century calls for graphic illustration of how to. For VPN, there is no explanation of what policy override and policy strict means...no wonder folks have difficulty setting up VPN. Don't kill an excellent router useability by providing inadequate graphic depiction of how to use.

Nollitik

Awesome discussion...thanks for sharing

Nollitik

Not sure what problems folks are having. I have the RB450G that connects two Apple TV's...Apple TV1 and Apple TV3 via a gigabit switch and cat7 Ethernet cables for two years...streaming Netflix, never a problem.

Nollitik

Boen_robot, I was really wondering with my connection state how could some unauthorized party gain entry twice at least. Their algorithm didn't match and hence timed out. That's why I had concluded pinging and port sniffing. It really disturbed me so much that I just turned off rule 3 & 4 (VPN)....

Nollitik

Thank you Boen_robot for responding. Here are my rules (see screen shot)...would you suggest putting your first one at zero? Also, I use interface 5 as my guess network that is separate from my home network. I also use the guess network to test VPN on my network...would your second rule interferes? ...

Nollitik

Well, since me setup VPN (still not working) I discovered non-authorized parties have been trying to access the open port. I would like to setup an ICMP rule however, reading the manual just seems confusing. I figured, if I am correct, that it would be on the input chain, and the connection state wo...

Nollitik

I would like to see an official Winbox available via Apple's App Store...that way I don't need to run Apps that the developer has not registered or identified with Apple. Will the official release accomplish this? Wishful Thinking.. :) You are preaching to the crowd... I guess at this point, a beta...

Nollitik

My Droid connects using the standard settings. The only problem I have is that I need to add an input rule to the firewall to allow the IP address I get from my carrier since my last input rule is block anything not specified to pass. I don't know a way around this. Wondered if a rule that accepts ...

Nollitik

I would like to see an official Winbox available via Apple's App Store...that way I don't need to run Apps that the developer has not registered or identified with Apple. Will the official release accomplish this?

Nollitik

http://mikrotik.patokatech.com Thank you...I will try your setup later. Also, wondered if you had Android, IOS as well as Mac's as client...those are the devices I mostly use. It's just sad that Mikrotik won't have proper instructions with modern day menu driven that folks with home offices can use...

Nollitik

Has anyone got VPN - L2TP/IPSEC to work in RouterOS 6.16 and above could share their setup? I have been unable to get this working now for quite awhile and I am now on Router OS 6.22. I would like to see screen shots with private info blotted out of course. Ever since Mikrotik changed generate polic...

Nollitik

1.png

2.png

Nollitik

I have been trying to get VPN to work and accessed by multiplatform, such as MacOS, IOS, Android, and Windows 7. I followed the tutorial Mikrotik gave here: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec I have also had my Supout.rif file read. I'll start by posting screen shots of the log I got when...

Nollitik

I emailed to support...lets hope someone responds.

Nollitik

Better to write such requests directly to mikrotik support by email.

Is it support at mikrotik dot com?

Nollitik

you must have received a confirmation email. if not, tell me the login you used. Please refresh my account (Nollitik) at Mikrotik.com Support so I can use the supout.rif reader. I can't login because the account was never properly activated. Please, please, please...this VPN has been dragging out t...

Nollitik

you must have received a confirmation email. if not, tell me the login you used.

Yes, I did however, I might have had a typo and for my protection wouldn't accept the correct one later. My login is the same as here...Nollitik. Thank you!

Nollitik

you can read these files in your mikrotik.com account, look for supout.rif viewer. you will see that it's not a simple document You make it sound so easy; however, I am just in a loop. I set up a Mikrotik.com account and can't log in. The password gave was no good. Requested change password...chang...

Nollitik

How can I export a readable Support.rif file to a word processor so I can annotate private info before uploading for analysis? I tried both under MacOS Mavericks as well as Windows 7 Ultimate and both are unable to open document...very frustrating indeed. Why don't they have it in rich text file for...

Nollitik

Your log shows the behavior problem similar to what the server is doing so I mentioned.

Nollitik

There are bugs associated with RouterOS v6.12 relating to L2TP...see here: http://forum.mikrotik.com/viewtopic.php?f=2&t=78816

Nollitik

[/quote] The video and audio is recorded by Mikrotik on the MUMs .[/quote] That's sad...a Mikrotik event and they didn't take the audio directly off the sound board or PA mixer. Maybe someone might read this feedback and begin to do so for future event. Yes, your presentation was about Mikrotik; how...

Nollitik

As mentioned previously, see my presentation about L2TP/IPSec setup itself. Video also linked in my sig. It's VERY difficult to follow along with your video as the background noise is more audible and a turn off. May I suggest fine tuning your presentation so your voice clearly heard! Also, today's...

Nollitik

It seems the VPN in Router OS v6.12 has bugs issues...could relate to number 3 in the link below.

http://forum.mikrotik.com/viewtopic.php?f=2&t=78816

Nollitik

As an Apple MacOS user myself, you might be the first to provide the ready-to-go L2TP over IPsec...so prepare a great presentation for us all. Having said that, this link might offer you some insight despite the road warrior setup for Windows: http://mum.mikrotik.com/presentations/HR13/kirnak.pdf I ...

Nollitik

Well of course I am extremely not happy learning that after spending so much time trying to resolve VPN issue only to read here: http://forum.mikrotik.com/viewtopic.php?f=2&t=78816 There is an issue with the L2TP server...it has bugs. Three days ago after receiving no response I made a decision ...

Nollitik

Note: All packets are IPIP encapsulated in tunnel mode, and their new IP header's src-address and dst-address are set to sa-src-address and sa-dst-address values of this policy. If you do not use tunnel mode (id est you use transport mode), then only packets whose source and destination addresses a...

Nollitik

Okay, after examining the log further, it seems that the issue is with L2TP and IPsec never got a chance to do its thing because the L2TP server closed the connection. I am connecting a tablet with Android 4.2, and it seems to just repeating the process...see screen shot from the log. I double check...

Nollitik

It seems from the log that the issue surrounds Policy...I selected no policy generated. Please view my log as well as the policy tab screen shot...thank you.

Nollitik

Okay, the issue seems to be Mavericks which I am very unhappy about having to go through a twelve pages of thread without a clear answer. Just to share it for folks having VPN issues and who's client use Mavericks. https://discussions.apple.com/thread/54 ... 0&tstart=0

Nollitik

I keep getting this message in Console on VPN connection using the default configuration to determine which side of the fence having the issue and wanted to see whether someone can help me decipher so I can remedy the situation. I am using Mavericks latest update. The sad part is I was hoping that l...

Search found 257 matches