Search found 36 matches

by vovan700i
Tue Apr 02, 2024 2:32 pm
Forum: Containers
Topic: Tailscale container: iptables not working
Replies: 2
Views: 1754

Re: Tailscale container: iptables not working

Were you lucky with yours?
As mentioned above, I approached the support and received a confirmation of this issue. You may also submit a new ticket and tell them you are interested in allowing iptables inside containers as well.
by vovan700i
Tue Mar 26, 2024 4:49 pm
Forum: Forwarding Protocols
Topic: VRF Route Leaking between VRF network and Main [SOLVED]
Replies: 16
Views: 1054

Re: VRF Route Leaking between VRF network and Main [SOLVED]

In Ros v7.14.1 Route leaking between VRF is so easy I just follow the Simple VRF Setup in the mikrotik documents and it works like a charm, however the docs never mentioned or give a snippet config on how to leak between the VRF network with the Main routing table on the Provider Router I submitted...
by vovan700i
Thu Dec 28, 2023 2:05 pm
Forum: Containers
Topic: need iptables in a container
Replies: 2
Views: 1681

Re: need iptables in a container

I described a similar problem here. According to the support, iptables is currently unavailable for third-party code. But they may eventually allow it. Please submit a ticket via the support portal.
by vovan700i
Thu Dec 28, 2023 2:01 pm
Forum: Containers
Topic: Tailscale container: iptables not working
Replies: 2
Views: 1754

Tailscale container: iptables not working

Hi, I’m trying to run an official Tailscale container. The Tailscale software works correctly, but in order to enable proper forwarding it tries to create a firewall rule inside the container and fails. Command: iptables -t filter -A ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000 --wait...
by vovan700i
Sat Dec 23, 2023 7:55 pm
Forum: General
Topic: Wrong traceroute with IPv6 netmap (SNAT+DNAT)
Replies: 4
Views: 718

Re: Wrong traceroute with IPv6 netmap (SNAT+DNAT)

@mkx, thank you for the link. You are right, DST-NAT is the last step in prerouting, TTL check is the first step in forward. Thus, if a packet with 2001:db8:0:0:fd::2 as destination and TTL=1 (actually, hop limit) arrives, it is first changed to have fd01:2345::2 as destination, then the router sub...
by vovan700i
Fri Dec 22, 2023 3:05 pm
Forum: General
Topic: Wrong traceroute with IPv6 netmap (SNAT+DNAT)
Replies: 4
Views: 718

Re: Wrong traceroute with IPv6 netmap (SNAT+DNAT)

It's the same with IPv4 NAT Don't have a bunch of public IPv4 addresses on one server to test, but thanks for confirming. And it's completely correct as far as NAT works: dst-nat replaces DST address on "forward" packets and SRC address on "return" packets (and possibly same for...
by vovan700i
Fri Dec 22, 2023 2:25 pm
Forum: General
Topic: Block of public IP's and NAT on same router
Replies: 3
Views: 573

Re: Block of public IP's and NAT on same router

Yes, it is possible as long as you adjust your firewall rules accordingly (e.g. hide the computers on the internal range behind a single public address leaving all other addresses for the router, or even route some of your public addresses to other machines).
by vovan700i
Fri Dec 22, 2023 2:07 pm
Forum: Beginner Basics
Topic: Wireguard guru needed [SOLVED]
Replies: 54
Views: 7051

Re: Wireguard guru needed [SOLVED]

Wireguard connection is working without a problem, So, it seems a wireguard guru is no longer needed. whole 192.168.88.0/24 subnet needs to be accessible by one or more PCs on 192.168.100.0/24 subnet but 192.168.100.0/24 subnet shouldn't be accessible by any device on 192.168.88.0/24 subnet This is...
by vovan700i
Fri Dec 22, 2023 12:27 pm
Forum: General
Topic: Wrong traceroute with IPv6 netmap (SNAT+DNAT)
Replies: 4
Views: 718

Wrong traceroute with IPv6 netmap (SNAT+DNAT)

Hi, Consider the following setup: a MikroTik router (v7.12.1) having a GUA (e.g. 2001:db8::2/64) on its WAN and a ULA (e.g. fd01:2345::1/80) on its LAN; a local client having a ULA (e.g. fd01:2345::2/80). What I would like to achieve is NPTv6 for the LAN subnet, i.e. the packet forwarded to public...
by vovan700i
Fri Dec 08, 2023 9:25 pm
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 52054

Re: v7.13rc [testing] is released!

Hi,

Would like to note that the bug with non-working mangle mark routing rules with VxLAN described by esipoko in April and by me in December is still in place as of 7.13rc3. Wish it could be fixed in 7.13 stable. SUP-136716
by vovan700i
Fri Dec 08, 2023 6:59 pm
Forum: General
Topic: VXLAN NAT Problem [SOLVED]
Replies: 19
Views: 5625

Re: VXLAN NAT Problem [SOLVED]

Hi @esipoko,

I can confirm the bug you explained exists as of 7.12.1. Described it here and reported to the support (SUP-136716).
by vovan700i
Wed Dec 06, 2023 10:56 am
Forum: General
Topic: Routing rule VS mangle mark routing
Replies: 9
Views: 3140

Re: Routing rule VS mangle mark routing

but with no vxlans That is a key, thanks! I replaced vxlan with eoip and mangle mark routing now works. So, it seems to be a vxlan bug, will report to MikroTik support soon. UPD: SUP-136716 + reply on 27 December 2023: We have managed to reproduce the issue locally in our labs and look forward to f...
by vovan700i
Wed Dec 06, 2023 10:38 am
Forum: General
Topic: Routing rule VS mangle mark routing
Replies: 9
Views: 3140

Re: Routing rule VS mangle mark routing

I built an approximation to this, but with no vxlans (just used another bridge, and ether2 as wan2) First of all, thank you for your effort. It seemed to mostly work, but the vrf-wan2 being a vrf made it quite painful. I seemed to need to reboot whenever I had done more than a couple of changes. I ...
by vovan700i
Wed Dec 06, 2023 10:06 am
Forum: General
Topic: Routing rule VS mangle mark routing
Replies: 9
Views: 3140

Re: Routing rule VS mangle mark routing

I use domain based vpn with mangle (mark routing). Additionally you have to add ip-route rule to route (what you marked with mangle) to vpn gateway. Example: /ip firewall mangle: add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 \ dst-address-list=!LIST new-routing-mark=ipsec pas...
by vovan700i
Tue Dec 05, 2023 9:38 pm
Forum: General
Topic: Routing rule VS mangle mark routing
Replies: 9
Views: 3140

Re: Routing rule VS mangle mark routing

Created an empty CHR and tested the same config. Sadly, the problem persists: route rule works, mangle mark routing doesn't work. /interface bridge add ingress-filtering=no name=bridge vlan-filtering=yes /interface bridge port add bridge=bridge interface=ether1 pvid=17 /interface bridge vlan add bri...
by vovan700i
Tue Dec 05, 2023 5:46 pm
Forum: General
Topic: Routing rule VS mangle mark routing
Replies: 9
Views: 3140

Re: Routing rule VS mangle mark routing

Maybe. but we can't see what you have missed if you do not post more of your configuration. Post the rest of your config when you are trying to use mangle rules so we can see where there might be an error. Fair enough. Below is a list of other relevant commands for simplicity. All drop/reject filte...
by vovan700i
Tue Dec 05, 2023 3:39 pm
Forum: General
Topic: Routing rule VS mangle mark routing
Replies: 9
Views: 3140

Routing rule VS mangle mark routing

Hi, According to the docs, one can use any or both of the following methods for policy routing: routing rule, e.g. /routing rule add action=lookup dst-address=9.9.9.9/32 src-address=192.168.2.0/24 table=vrf-wan2 mangle mark routing, e.g. /ip firewall mangle add action=mark-routing chain=prerouting ...
by vovan700i
Mon Dec 04, 2023 10:35 am
Forum: Containers
Topic: Containers broken after restore from backup
Replies: 5
Views: 2260

Re: Containers broken after restore from backup

Has anyone run into this? Yes, I also experienced it. After a config reset the host (e.g. 7.12.1) boots with all containers stopped and they won't start until I delete and re-create them manually. What is more, when copying a container in winbox, it misses a remote image, so I must type it myself e...
by vovan700i
Mon Dec 04, 2023 10:24 am
Forum: Containers
Topic: container ipv6 gw not work
Replies: 2
Views: 2087

Re: container ipv6 gw not work

As of 7.12.1 I have IPv6 in containers working stable. Tested both from inside (/container shell 0, then ping 2001:4860:4860::8888, for example) and outside (ping container address from a third machine connected to the host). Look at your filter/nat firewall config and test it on real machines befor...
by vovan700i
Mon Dec 04, 2023 10:11 am
Forum: Containers
Topic: Caddy reverse proxy with automatic lets encrypt.
Replies: 2
Views: 3048

Re: Caddy reverse proxy with automatic lets encrypt.

I use Caddy with automatic LE certificates running on top of RouterOS in container, it works like a charm. In fact, the only thing I needed for certificates to work is the following lines in config (inside each domain section or separately with imports followed): tls { dns cloudflare MY_TOKEN } Be a...
by vovan700i
Thu Oct 12, 2023 11:01 am
Forum: RouterOS beta
Topic: Static DNS FWD entries using DoH not working [SOLVED]
Replies: 18
Views: 9904

Re: Static DNS FWD entries using DoH not working [SOLVED]

@gfunkdave, thank you. It would be nice if they could implement DoH with static FWD entries. Supported the community effort with my SUP-130888.
by vovan700i
Wed Aug 09, 2023 10:23 pm
Forum: Announcements
Topic: v7.11rc is released!
Replies: 195
Views: 49403

Re: v7.11rc is released!

Hello, I have 4 DAC-SFP+ in my Mikrotik switch which are shown with a temperature of 255C. I can set the value to disable them to 256, so they are working perfectly fine. But the fans of the whole switch are running in maximum speed. The switch is in my living room, so it is really annoying. mikroti...
by vovan700i
Tue Jul 18, 2023 7:08 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 107243

Re: v7.11beta [testing] is released!

Done! Look under Tips and Tricks section. Hi @antonsb, thank you for implementing IPv6 for containers, it is highly appreciated. The following issues occurred for me on RB5009 with v7.11b5: 1) I added an IPv6 address and an IPv6 gateway to the existing veth interface using the following command. I...
by vovan700i
Fri Jul 14, 2023 4:00 pm
Forum: Containers
Topic: IPv6 in containers
Replies: 11
Views: 5685

Re: IPv6 in containers

@biomesh, thank you for confirmation. does not seem like veth bug to me - this is container that answers, that such entry is already in place. @antonsb, well, you are technically right, it is a container that answers that an address/route is already in place. I mean that no addresses/routes assig...
by vovan700i
Fri Jul 14, 2023 12:46 pm
Forum: Containers
Topic: IPv6 in containers
Replies: 11
Views: 5685

Re: IPv6 in containers

next beta will have ipv6 support for veth
Wow, it was quick, thank you, @antonsb!

Could you please also check/confirm a veth bug I mentioned above?
by vovan700i
Fri Jul 14, 2023 11:45 am
Forum: Containers
Topic: IPv6 in containers
Replies: 11
Views: 5685

Re: IPv6 in containers

@biomesh, thanks for sharing your solution. It is universal and works pretty fine. However, it may be a little too complex to recreate and recompile multiple containers, track new versions and support all relevant platforms, at least for me. Based on your idea I can see another possible workaround...
by vovan700i
Thu Jul 13, 2023 11:50 pm
Forum: Containers
Topic: IPv6 in containers
Replies: 11
Views: 5685

IPv6 in containers

Hi all, I would like to (re)open discussion of IPv6 in containers. In my view, as of now (stable v7.10.2) the problem has at least two sides: 1) No address. It is not possible to assign one or more IPv6 addresses to a container's virtual ethernet interface (veth) since /interface/veth explicitly exp...
by vovan700i
Thu Jun 15, 2023 8:56 pm
Forum: Announcements
Topic: v7.10, 7.10.1 and more [stable] are released!
Replies: 366
Views: 130679

Re: v7.10 [stable] is released!

*) sfp - fixed "rate" monitor value for SFP interface on L009UiGS series devices; *) sfp - fixed combo-ether link monitor for CRS328-4C-20S-4S+ switch; *) sfp - fixed combo-sfp linking at 1G rate for CRS312 switch; *) sfp - improved 10G interface stability for 98DX8208, 98DX8212, 98DX8332...
by vovan700i
Fri Feb 15, 2019 5:18 pm
Forum: RouterBOARD hardware
Topic: Passive PoE: MikroTik and Ubiquiti
Replies: 6
Views: 7739

Re: Passive PoE: MikroTik and Ubiquiti

Hi, it‘s passive mode. In the hEX the POE is „forced-on“. All of my devices Support 24V passive POE. And the hEX POE comes with a 24V power source. Good, thank you for clarification! BTW, I found in the wiki (https://wiki.mikrotik.com/wiki/Manual:PoE-Out): MikroTik uses RJ45 mode B pinout for power...
by vovan700i
Fri Feb 15, 2019 4:06 pm
Forum: RouterBOARD hardware
Topic: Passive PoE: MikroTik and Ubiquiti
Replies: 6
Views: 7739

Re: Passive PoE: MikroTik and Ubiquiti

Hi, can‘t speak for the CRS328 but I am powering a UBNT G3 Dome Camera, a UAP-AC-LR and a UAP-AC-M by a hEX-POE (RB960PGS). No Problems so far since 6 months. Thank you for sharing your experience! I guess you use 802.3af/A PoE (Pairs 1, 2+; 3, 6 Return) which is supported by all the devices you me...
by vovan700i
Fri Feb 15, 2019 2:07 pm
Forum: RouterBOARD hardware
Topic: Passive PoE: MikroTik and Ubiquiti
Replies: 6
Views: 7739

Passive PoE: MikroTik and Ubiquiti

Hi, I would like to know whether anyone managed to connect UVC-G3 (non-AF) cameras or any other Passive PoE-in capable device by Ubiquiti to CRS328-24P-4S+RM or any other Passive PoE-out capable device by MikroTik. Are Passive PoE technologies used by MikroTik and Ubiquiti intercompatible? To be mor...
by vovan700i
Wed Jan 09, 2019 11:32 am
Forum: Wireless Networking
Topic: WAP ac 5GHz issues with iPhone XS
Replies: 143
Views: 43979

Re: WAP ac 5GHz issues with iPhone XS

I have RB962UiGS-5HacT2HnT with RouterOS 6.43.8 and a new iPad Pro 11'' 2018 (MTXP2LLA, latest iOS) and confirm the issue discussed above. The iPad connects to my 5GHz-AC network successfully, but Safari stops loading pages shortly afterwards while the connection seems to be active. All my other App...
by vovan700i
Wed Jun 21, 2017 10:28 am
Forum: General
Topic: OpenVPN server in tap/ethernet mode - netmask handling issue
Replies: 1
Views: 4383

Re: OpenVPN server in tap/ethernet mode - netmask handling issue

Update: The official comment from Emils, MikroTik support: The server side will use /32 regardless of what netmask you specify under OVPN server settings so that the router knows which client has which address. There should be no issues in such configuration. Although I find more logic in applying ...
by vovan700i
Mon Jun 19, 2017 11:27 am
Forum: General
Topic: OpenVPN server in tap/ethernet mode - netmask handling issue
Replies: 1
Views: 4383

OpenVPN server in tap/ethernet mode - netmask handling issue

Hello everyone, I have several MikroTik routers (both hardware and CHR) with the latest stable firmware (currently, 6.39.2). I have set up an OpenVPN server on one of them and clients on the others. For my purposes I want tunnels to be established in tap/ethernet mode with /30 ipv4 netmask. The clie...
by vovan700i
Fri Feb 19, 2016 11:21 am
Forum: General
Topic: Cloud Hosted Router: L2TP/IPsec server behind 1:1 NAT on Amazon EC2
Replies: 2
Views: 2790

Cloud Hosted Router: L2TP/IPsec server behind 1:1 NAT on Amazon EC2

I'm trying to set a L2TP/IPsec server on CHR running on Amazon EC2. I've already made PPTP and pure L2TP connections work, but I'm currently facing a problem with L2TP/IPsec which I believe is caused by the fact EC2 virtual machines run behind one-to-one NAT (the machine is provided with a private a...