Community discussions

Search found 4037 matches

by ZeroByte
Thu Sep 20, 2018 9:20 pm
Forum: General
Topic: Possible ICMP redirect bug / change in behavior?
Replies: 3
Views: 218

Re: Possible ICMP redirect bug / change in behavior?

Yup - that's what I disabled. Still getting them. I'm suspecting that our recent problem is a combination of things, because we've never had to disable this to fix stuff until very recently. The 10.10.10.x host is a Ubiquiti cloud key, and they definitely go through their strange behaviors with diff...
by ZeroByte
Thu Sep 20, 2018 7:54 pm
Forum: General
Topic: Possible ICMP redirect bug / change in behavior?
Replies: 3
Views: 218

Re: Possible ICMP redirect bug / change in behavior?

update - apparently, disabling ICMP redirects does NOT stop the Mikrotik from sending redirects. Does the system require a reboot for this change to take effect? So using the previous example IP addressing, whenever host 10.10.10.66 sends a packet to host 192.168.0.33, the Mikrotik router sends an I...
by ZeroByte
Thu Sep 20, 2018 6:55 pm
Forum: General
Topic: Possible ICMP redirect bug / change in behavior?
Replies: 3
Views: 218

Possible ICMP redirect bug / change in behavior?

We've been upgrading some 2011 routers from pre-6.41 versions to the latest 6.43 and 6.43.1 and 6.43.2, and have noticed a change in the behavior with ICMP redirects. We've got a multi-IP-range segment on an interface with two ranges, e.g. 192.168.0.1/22 and 10.10.10.65/28 Starting with apparently v...
by ZeroByte
Mon Jul 16, 2018 6:00 pm
Forum: Beginner Basics
Topic: Multiple Machines with Same IP Address's - Please Help [SOLVED]
Replies: 3
Views: 502

Re: Multiple Machines with Same IP Address's - Please Help [SOLVED]

The problem with doing this in a single router is that the routing table must ultimately choose one particular interface as the destination for any given IP address. Having the same IP address on multiple interfaces doesn't work in this case. If you don't have a large number of these, then you could...
by ZeroByte
Mon Jul 16, 2018 5:46 pm
Forum: Forwarding Protocols
Topic: OSPF overwrite static default-gateway. Possible ?
Replies: 29
Views: 4205

Re: OSPF overwrite static default-gateway. Possible ?

I can confirm this script works a treat.. I can't believe we're here 3 years later with no other viable resolution to the core problem. This is why our core network is still 100% Cisco routers. We use Mikrotik as CPE routers, but given their 'quirky' behavior in dynamic routing protocols, I don't w...
by ZeroByte
Thu Jun 28, 2018 12:02 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: IPv6 stateful LinkLocal Addresses
Replies: 14
Views: 1653

Re: Feature Request: IPv6 stateful LinkLocal Addresses

True on all counts regarding autoconfig, but end-user access segments are a very very rare case for my operation, where yes, SLAAC is the way to go for us. We static-configure all customer attachment circuits at the PE boundary anyway, so doing this in IPv6 is no big deal. The main thing I like to u...
by ZeroByte
Tue Jun 26, 2018 12:08 am
Forum: General
Topic: Routing
Replies: 16
Views: 684

Re: Routing

As long as rfc1918 is just used as transport - it will work. ICMP packets will not work, but traffic in TCP/IP will work. If you use a rfc1918 address as dst inside your net - you need to use nat to have it working. Just to clarify for those following along - ICMP will be forwarded through rfc191...
by ZeroByte
Mon Jun 25, 2018 11:48 pm
Forum: General
Topic: Routing
Replies: 16
Views: 684

Re: Routing

You can't route public IPs through rfc1918. You need to either use nat - or bridge to your internal ip. That's actually not true at all. You can have rfc1918 addresses on links and forward public IP addresses across these links just fine. I used to work for a company whose entire backbone was un-natt...
by ZeroByte
Mon Jun 25, 2018 11:42 pm
Forum: Beginner Basics
Topic: Two ISP and dns monitoring
Replies: 6
Views: 330

Re: Two ISP and dns monitoring

... or now Cloudflare DNS - 1.1.1.1 / 1.0.0.1
by ZeroByte
Mon Jun 25, 2018 6:53 pm
Forum: Forwarding Protocols
Topic: Mikrotik + softether
Replies: 1
Views: 342

Re: Mikrotik + softether

Most likely, your VPN server doesn't know that the 200 network is behind your Mikrotik - i.e. it needs to get a route associated with the connection. I'm not sure about SoftEther VPN server, so unfortunately I can't tell you what button to press, so to speak. Also, if the VPN server is not the defau...
by ZeroByte
Mon Jun 25, 2018 6:47 pm
Forum: General
Topic: IPv6 problem!!!
Replies: 8
Views: 564

Re: IPv6 problem!!!

IPv6 packets using Link-local IPv6 addresses are not (and in fact cannot possibly be) forwarded by routers. EVERY network segment has the exact same routing prefix - fe80::/16 - thus it is impossible to communicate with remote link-local addresses even if you wanted to do it. Having these on your ro...
by ZeroByte
Mon Jun 25, 2018 6:33 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: IPv6 stateful LinkLocal Addresses
Replies: 14
Views: 1653

Re: Feature Request: IPv6 stateful LinkLocal Addresses

The ability to manually specify the Link-local address can make other things easier than just a consistent default GW on all network access segments. Since our address allocation scheme creates a unique 3-nibble code for each router in our topology, it makes life easy to use that code as the link-loca...
by ZeroByte
Thu May 17, 2018 10:59 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: PAP for Winbox Radius Logins
Replies: 7
Views: 1980

Re: PAP for Winbox Radius Logins

MS-CHAPv2 would also be nice for Winbox AAA login verification.
by ZeroByte
Thu May 17, 2018 10:50 pm
Forum: Beginner Basics
Topic: Got to set up a Guest AP in a hurry
Replies: 2
Views: 320

Re: Got to set up a Guest AP in a hurry

It's not too hard. Add a VAP interface to your wireless (virtual AP) and set the guest SSID there. Add a "guests" security profile - just copy the main one and change the password to your guest password. Make sure the new VAP is not connected to your LAN bridge. Add a new IP network to the new guest...
by ZeroByte
Thu Mar 01, 2018 8:43 pm
Forum: Beginner Basics
Topic: NAT forwading hairpin not working [SOLVED]
Replies: 7
Views: 448

Re: NAT forwading hairpin not working [SOLVED]

I completely understand what you're trying to do. I know why you said "in-interface=wan" in your rule, but in your case, that is a bad thing to use. I'm a fan of using in/out-interface=X wherever possible but this is one of those situations where it's not going to work. If you see no hits on the rul...
by ZeroByte
Thu Mar 01, 2018 5:17 pm
Forum: Beginner Basics
Topic: NAT forwading hairpin not working [SOLVED]
Replies: 7
Views: 448

Re: NAT forwading hairpin not working [SOLVED]

Hairpin rules require a little different logic than the way you've done it. Let's look at rule 1: 1 chain=dstnat action=dst-nat to-addresses=192.168.88.183 to-ports=10000 protocol=tcp in-interface-list=WAN dst-port=10000 log=no log-prefix="" This rule says: If the packet arrives on the WAN interface...
by ZeroByte
Thu Feb 22, 2018 4:52 pm
Forum: General
Topic: pppoe
Replies: 1
Views: 184

Re: pppoe

Don't put any IP addressing on the interfaces where you serve PPPoE. Then it is impossible to get IP service w/o PPPoE.
If you have some sort of "management" IP range in use on the same network segment, then your goal should be to move this functionality to a different VLAN.
by ZeroByte
Thu Feb 22, 2018 4:30 pm
Forum: General
Topic: Get physical interface on a bridge
Replies: 1
Views: 143

Re: Get physical interface on a bridge

Remember that the Hotspot feature is a layer3 function - so it's going to see interfaces in terms of "IP interfaces" not "switchport" interfaces (to borrow a term from Cisco and others). Scripting would need to use the bridge hosts table / switch hosts tables to find the exact physical interface. I'...
by ZeroByte
Wed Feb 21, 2018 7:06 pm
Forum: General
Topic: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]
Replies: 53
Views: 3732

Re: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]

Hi @sindy, thanks for your explanation. You are right: the SIP problem is not a SIP problem, but an UDP NAT problem (a more general problem). It isn't even a bug: it's a UDP NAT limitation (a protocol limitation). I made some NAT tests and understood better how NAT works in MikroTik. I'm publishing...
by ZeroByte
Thu Feb 01, 2018 10:18 pm
Forum: General
Topic: pppoe server problem
Replies: 1
Views: 139

Re: pppoe server problem

Are you assigning the default GW to your clients?
Do the clients have "use default GW" set to yes on their pppoe-client interface configuration?
by ZeroByte
Thu Feb 01, 2018 10:06 pm
Forum: Forwarding Protocols
Topic: OSPF and Routing Broke
Replies: 3
Views: 324

Re: OSPF and Routing Broke

Did you check the routing tables during the outage to confirm that all IP routes pointed in the proper direction, and on both routers? I'm having a little trouble visualizing your issue because you speak of two routers, but when you say you checked from "the router" it's unclear which one you mean. ...
by ZeroByte
Sat Jan 20, 2018 6:34 am
Forum: General
Topic: New to Mikrotik Routing
Replies: 3
Views: 268

Re: New to Mikrotik Routing

Many smaller, inexpensive SOHO Mikrotik routers cannot do 100Mbps of throughput. Some routers can do this if you use the fast-track feature (e.g. the 2011 series). The key is to watch the CPU utilization during a speed test (through the router from a PC, not the BTest service in Mikrotik itself). If...
by ZeroByte
Sat Jan 20, 2018 5:08 am
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 1073

Re: IPv6 router settings

Maybe ask ISP if they could end this changing nonsense and give you permanent prefix? Perhaps they are just new to IPv6 and don't know better. Of course there's also a possibility that they are doing this on purpose, to make you pay more for some "enterprise" connection where prefix does not change...
by ZeroByte
Wed Jan 17, 2018 11:36 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 501

Re: How to disable access from local to some local to Mikrotik AP?

I made the rule: chain=forward src-address-list="ProtectedHosts" dst-address-list="LimitedClients" action=accept which I have dropped before the drop rule and I can not get to the address 192.168.20.110 or even ping if the drop rule ok - go into your router and run this command in a terminal: /ip f...
by ZeroByte
Wed Jan 17, 2018 11:21 pm
Forum: Forwarding Protocols
Topic: Forwarding DDoS
Replies: 3
Views: 520

Re: Forwarding DDoS

Probably what happened was that the DDoS attack used randomized ports and IP addresses, which overloaded the connection state tracking table on the router. If you're not using any kind of stateful features, you can disable state tracking which will reduce the load on the router in such situations in ...
by ZeroByte
Wed Jan 17, 2018 10:52 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 501

Re: How to disable access from local to some local to Mikrotik AP?

Thanks to this, but if I apply this rule, I can not get myself out of range 192.168.20.4-100 to administer clients to addresses 192.168.20.110-114 Dude - you really need to learn what you're doing if you're going to get this picky about stuff and not just expect people to do everything for you. The...
by ZeroByte
Wed Jan 17, 2018 10:42 pm
Forum: General
Topic: Splash page/redirect
Replies: 3
Views: 1354

Re: Splash page/redirect

The way to do this is to configure your hotspot with unlimited simultaneous users in the profile section, and create some basic default user/password for the hotspot. Then you create your splash page with a "continue to Internet" button on it. Design the form on this splash page to simply contain th...
by ZeroByte
Wed Jan 17, 2018 10:18 pm
Forum: General
Topic: Domain coltroler & Active directory
Replies: 1
Views: 320

Re: Domain coltroler & Active directory

The only way to accomplish that would be to run a metarouter image on your Mikrotik using something like DD-WRT, but I wouldn't recommend that. Neither Mikrotik nor the DD-WRT people work on keeping these things compatible with each other and up to date. So that is to say: Nope - Mikrotik's not an o...
by ZeroByte
Wed Jan 17, 2018 9:58 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Use specific internet connection for VPN client connection
Replies: 3
Views: 404

Re: Use specific internet connection for VPN client connection

Step1: create a static host route to whatever IP address the VPN endpoint currently uses - make the GW be the preferred IP address. Place a useful comment on this route such as "VPN" Step2: copy this route into all of your routing tables Step3: You could write a script that runs every minute and doe...
by ZeroByte
Wed Jan 17, 2018 9:53 pm
Forum: Scripting
Topic: I need is to create a script that allows to lower the priority of one of the routers configured with VRRP
Replies: 1
Views: 161

Re: I need is to create a script that allows to lower the priority of one of the routers configured with VRRP

Make a direct connection between the routers and number it with some throwaway subnet, such as 192.168.255.0/30
Make R1 have a backup default GW of 192.168.255.2
Make R2 have a backup default GW of 192.168.255.1

this way it won't matter which device is acting as the VRRP master.
by ZeroByte
Wed Jan 17, 2018 9:49 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: EoIP (+IPSec) interface status
Replies: 4
Views: 540

Re: EoIP (+IPSec) interface status

Try using OSPF across the tunnel. As long as the two interfaces have the same cost, OSPF will use equal-cost multipath routing (EQMP) to load share between the two paths. If one path fails, OSPF will lose adjacency across it regardless of the interface's up/down state.
by ZeroByte
Wed Jan 17, 2018 9:46 pm
Forum: Beginner Basics
Topic: EOIP Tunnel
Replies: 2
Views: 193

Re: EOIP Tunnel

Try making the tunnel operate as a layer3 (routed IP hop) connection instead of a bridge.
by ZeroByte
Wed Jan 17, 2018 9:40 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 501

Re: How to disable access from local to some local to Mikrotik AP?

The easiest thing to do would be to enable the "use IP firewall" option on your bridge so that you can make forwarding filter rules that block the traffic you want. Make an IP address list called "LimitedClients" and list the IP addresses 192.168.20.110-114 Make another IP address list called "Prote...
by ZeroByte
Wed Jan 17, 2018 6:36 pm
Forum: General
Topic: Routing between two Mikrotik routers is not working [SOLVED]
Replies: 22
Views: 759

Re: Routing between two interfaces is not working [SOLVED]

Firstly, do not masquerade between internal networks in your router. Masquerade/SrcNat is only needed for access to the public Internet, or for cases where you need to reach some network that you do not control, and it has no routing information on how to reach your actual IP addressing. Since you c...
by ZeroByte
Wed Jan 17, 2018 6:13 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Routing traffic over 2 interfaces
Replies: 4
Views: 521

Re: Routing traffic over 2 interfaces

You should use different IP ranges on different interfaces. The problem is that any device outside of the /29 network (i.e. is on the ether1 10.0.0.0/22 network) does not realize that this block of addresses is not local and must be reached via the router. They simply ARP for 10.0.0.103, which does ...
by ZeroByte
Wed Jan 17, 2018 5:54 pm
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 1073

Re: IPv6 router settings

In the IPv4 world you have NAT. It directly protects your internal devices from being accessed from the internet. Even when the device doesn't have a firewall. In IPv6 there is no NAT. So theoretically everyone can access everything. Of course to prevent this you setup the firewall but i don't foun...
by ZeroByte
Wed Jan 17, 2018 1:16 am
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 1073

Re: IPv6 router settings

One more point: Make sure that you're not blocking ICMPv6 in your IPv6 firewall filter rules. "ARP" functionality was moved into ICMP for IPv6 (now known as ND - Neighbor Discovery) I have to agree that it's awesome to see an ISP give static assignments like this. The only thing possibly wrong with ...
by ZeroByte
Tue Jan 16, 2018 9:54 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 501

Re: How to disable access from local to some local to Mikrotik AP?

Make a second SSID (create a VAP interface), and make the insecure devices use the second AP, and put that on a different IP range (don't bridge the VAP - put a new IP address directly on it and configure a new DHCP service on this network). Then use the IP Firewall filter to block in-interface=VAP ...
by ZeroByte
Tue Jan 16, 2018 9:23 pm
Forum: Forwarding Protocols
Topic: MPLS, BGP and OSPF design for wisp
Replies: 20
Views: 2414

Re: MPLS, BGP and OSPF design for wisp

The goal of this design is to use OSPF only for EQMP load balancing between the sites, but BGP as the overall routing protocol. EBGP allows routing policy to be modified and advertised at each tower site. iBGP basically considers the entire AS with a more or less single unified routing policy for eg...
by ZeroByte
Tue Jan 16, 2018 8:56 pm
Forum: Beginner Basics
Topic: Demo License / Level 1 for home use
Replies: 6
Views: 714

Re: Demo License / Level 1 for home use

I think the electricity savings would more than pay for a hEX over a powerful PC running 24x7. ;)
by ZeroByte
Tue Jan 16, 2018 8:33 pm
Forum: General
Topic: Multiple subnet routing
Replies: 1
Views: 135

Re: Multiple subnet routing

In layer 3, each node must have a route to every other IP address in the network. I'm assuming that the PFSense cluster is a layer3 firewall and not acting as a transparent L2 firewall. I'm also assuming that the public IP addresses for your company are on the WAN interfaces of the NG0x nodes (where...
by ZeroByte
Tue Jan 16, 2018 6:09 pm
Forum: Forwarding Protocols
Topic: BGP Route Reflectors, how to properly configure??
Replies: 19
Views: 8880

Re: BGP Route Reflectors, how to properly configure??

But, this example seems to be a bad practice and for my opinion it doesn't have sense, because, the idea of getting two RR is to increase the uptime of any iBGP solution, so why are you going to configure a Route-Reflect client to only one RR instead of configuring to both of RRs?? I think this is ...
by ZeroByte
Tue Jan 16, 2018 5:50 pm
Forum: General
Topic: Dual wan PCC load balancing
Replies: 4
Views: 601

Re: Dual wan PCC load balancing

ok - it looks like your NAT rules are to blame. You're using netmap which is a stateless nat action - that means you must use TWO rules to accomplish each mapping. I see why you thought to use this, as it's apparent that you have a 1:1 relationship between a specific public IP address and private IP...
by ZeroByte
Mon Jan 15, 2018 6:17 pm
Forum: Forwarding Protocols
Topic: BGP Route Reflectors, how to properly configure??
Replies: 19
Views: 8880

Re: BGP Route Reflectors, how to properly configure??

Can you please point out the part in the RFC that says you must use the same ID on all members of the same cluster? I was going to draw a diagram of a scenario that would cause blackholing, but I found one on this website http://network-101.blogspot.co.uk/2011/06/bgp-cluster-id-loop-prevention.html...
by ZeroByte
Mon Jan 15, 2018 6:07 pm
Forum: Beginner Basics
Topic: Probably a basic issue not able to network across multiple networks and devices
Replies: 4
Views: 200

Re: Probably a basic issue not able to network across multiple networks and devices

The upstream router needs to have a static route to the downstream router.

Add an IP route w/ the dst=10.0.1.0/24 and gateway=wan.ip.of.rb911
by ZeroByte
Mon Jan 15, 2018 6:05 pm
Forum: RouterBOARD hardware
Topic: hEX PoE Routing between sfp ethernet and eth0
Replies: 1
Views: 233

Re: hEX PoE Routing between sfp ethernet and eth0

Not sure which port you mean by "eth0" as Mikrotik's ethernet interfaces are named "ether1, ether2, ..." but regardless, it is easy to have ports as isolated layer3 ports in Mikrotik. Just make sure that they're not part of any master/slave switch groups (v6.40.5 and earlier) and are not configured ...
by ZeroByte
Mon Jan 15, 2018 5:55 pm
Forum: General
Topic: Dual wan PCC load balancing
Replies: 4
Views: 601

Re: Dual wan PCC load balancing

Without digging into your configuration, I can say that the most likely cause is that your mangle tables aren't creating connection tracking entries for route marks on new connections originating on the various WAN interfaces. That's the most common mistake I've seen in posts with your problem.
by ZeroByte
Thu Jan 11, 2018 10:45 pm
Forum: General
Topic: IGMP Snooping Command
Replies: 12
Views: 8601

Re: IGMP Snooping Command

I read the manual page you linked to. By my reading, it's entirely possible that the multicast helper acts in a manner similar to PIM in dense mode - i.e. it sends a copy to EACH client at its individual mod rate, as opposed to sending a copy only to the subscribed stations. Given that they just now...
by ZeroByte
Thu Jan 11, 2018 4:37 pm
Forum: General
Topic: IGMP Snooping Command
Replies: 12
Views: 8601

Re: IGMP Snooping Command

Sorry, of course I mean multicast traffic. I need IPTV from my ISP to work on a notebook over WiFi. The problem now is: when any device connected to my hAP lite via WiFi start viewing IPTV, all other wifi-clients start receiving multicast traffic simultaneously. IGMP snooping enabled/disabled on br...
by ZeroByte
Thu Jan 11, 2018 12:43 am
Forum: General
Topic: IGMP Snooping Command
Replies: 12
Views: 8601

Re: IGMP Snooping Command

Well, IGMP flooding over WiFi is still here. I have a hAP lite with RouterOS 6.41 and even after enabling IGMP snooping on bridge interface I have IGMP traffic on all connected wireless devices. This may be a silly question, but are any wireless devices subscribed to the multicast group? Furthermor...