Community discussions

Search found 117 matches

by sjoram
Fri Sep 27, 2019 5:15 pm
Forum: Beginner Basics
Topic: Access a switch management GUI from a PC connected to a router [SOLVED]
Replies: 3
Views: 459

Re: Access a switch management GUI from a PC connected to a router [SOLVED]

I haven't looked at any detail on that switch's management behaviour. However, I have modems in my environment providing PPPoA to PPPoE bridge from xDSL. RouterOS then handles PPPoE client. To view modem stats, I have to connect to the modem on 192.168.2.1. My ether1 interface on RouterOS is set to 1...
by sjoram
Wed Sep 11, 2019 10:55 pm
Forum: Scripting
Topic: Script not working
Replies: 2
Views: 383

Re: Script not working

I have updated the script and scheduler to allow all 'policy' permissions. When I have time, I'll work through removing one at a time to identify the problem one.
by sjoram
Wed Sep 11, 2019 11:36 am
Forum: Scripting
Topic: Script not working
Replies: 2
Views: 383

Re: Script not working

Would this be better moved to the Scripting board?
by sjoram
Mon Sep 09, 2019 10:09 pm
Forum: Scripting
Topic: Script not working
Replies: 2
Views: 383

Script not working

I am trying to run two scripts on schedule performing the following. The schedules appear to work in so far as the script run count increases, but it appears the scripts themselves do not work. The same commands copied into Terminal work fine.
/system script print
Flags: I - invalid
 0 name="dropma...
by sjoram
Sat Aug 31, 2019 5:46 pm
Forum: Wireless Networking
Topic: Secondary Channel
Replies: 1
Views: 428

Secondary Channel

Forgive my ignorance on this, but I assume the secondary channel option relates to the ability to have 2 channels running for 160MHz, or am I misunderstanding?
The hAP ac2 doesn't support this seemingly - do any of the other similar models support this?
by sjoram
Sat Aug 31, 2019 5:42 pm
Forum: Wireless Networking
Topic: 5GHz Channel
Replies: 1
Views: 435

Re: 5GHz Channel

I've manually set a channel for now.
by sjoram
Sat Aug 31, 2019 12:29 pm
Forum: Wireless Networking
Topic: WEP SSID clients not connecting
Replies: 0
Views: 280

WEP SSID clients not connecting

I need to run one of my SSIDs using 128-bit WEP (yes....I know, I'm trying to get the client devices moved to WPA2...). All of my WPA2 SSIDs - on the physical and virtual interfaces are working fine. With the SSID using WEP, clients appear to associate, but do not obtain a DHCP lease or pass traffic...
by sjoram
Sat Aug 31, 2019 12:26 pm
Forum: Wireless Networking
Topic: VirtualAP Bridging
Replies: 4
Views: 630

Re: VirtualAP Bridging

Ended up locking myself out and having to factory reset.

Got it working using this as a guide - https://blog.ligos.net/2018-01-01/Mikro ... -VLAN.html
by sjoram
Fri Aug 30, 2019 7:13 pm
Forum: Wireless Networking
Topic: VirtualAP Bridging
Replies: 4
Views: 630

Re: VirtualAP Bridging

OK, so one of the virtual APs is working in both 2.4GHz and 5GHz. But I've just tried to connect to another. The client appears to associate without issue, but fails to obtain DHCP. This was working fine on previous APs and nothing has changed on the LAN/router besides the wireless hardware (previou...
by sjoram
Fri Aug 30, 2019 6:50 pm
Forum: Wireless Networking
Topic: 5GHz Channel
Replies: 1
Views: 435

5GHz Channel

I've set my 2.4GHz radio to a fixed 20MHz channel but my 5GHz radio is currently selected to automatic frequency. My understanding of the permitted 5GHz uses is based on https://www.cablefree.net/wirelesstechnology/unlicensed-wireless-links/using-the-5ghz-band-in-the-uk It seems to be consistently c...
by sjoram
Fri Aug 30, 2019 1:19 pm
Forum: Wireless Networking
Topic: VirtualAP Bridging
Replies: 4
Views: 630

Re: VirtualAP Bridging

I worked out where I went wrong. I thought I'd assigned the VLANs to the physical LAN interface facing my switch on the RB750Gr3. I hadn't, they were assigned to the bridge. When I replicated this on the wireless unit, clients connected as expected. A little disappointed in the range of 5GHz band (a...
by sjoram
Fri Aug 30, 2019 12:27 am
Forum: Wireless Networking
Topic: VirtualAP Bridging
Replies: 4
Views: 630

VirtualAP Bridging

I have a RB750Gr3 running as a router. This has several VLANs on the LAN side, one of which is VLAN 10. This connects to a HP switch via a tagged port. I have another tagged port set up for the hAP AC2. I've managed to configure the virtual AP (there will eventually be several SSIDs/VLANs) and clien...
by sjoram
Sat Aug 24, 2019 7:46 pm
Forum: General
Topic: IPSec Phase 1 fails on restart, multiple IPs
Replies: 20
Views: 2899

Re: IPSec Phase 1 fails on restart, multiple IPs

Update: Had to revert my change as it re-introduced a problem of traffic only being initiated one way across the IPSec tunnel. In my setup, the IPs on my /29 subnet are only used in filter/NAT rules, so I was able to move them to another disused interface to take them off the WAN. With this in place...
by sjoram
Sat Aug 24, 2019 7:06 pm
Forum: General
Topic: IPSec Phase 1 fails on restart, multiple IPs
Replies: 20
Views: 2899

Re: IPSec Phase 1 fails on restart, multiple IPs

Hi all, I just came across this after a software upgrade to ROS, so it must be a change in behaviour between versions. I had a srcnat rule at the top of my NAT rules:
chain=srcnat src=10.0.0.0/8 dst=10.0.0.0/8 action=accept
It would appear this was masquerading the lowest IP on the WAN interface. Lik...
by sjoram
Thu Aug 22, 2019 4:55 pm
Forum: General
Topic: IPSec Peer Encryption
Replies: 1
Views: 348

Re: IPSec Peer Encryption

To add, I have a PPPoE client towards the WAN, MTU/MRU 1432. However, I also found I needed a Mangle rule for any TCP MSS over 1387 to reduce to 1386 in & out. I think due to PMTUD issues.
Could this explain why the modp over 1024 fails?
by sjoram
Tue Aug 20, 2019 1:37 am
Forum: General
Topic: SSL Wildcard Cert
Replies: 3
Views: 443

Re: SSL Wildcard Cert

Thanks, confirmed by setting a new A record x.domain.net as necessary. Will leave this post here in case it helps others!
by sjoram
Tue Aug 20, 2019 1:18 am
Forum: General
Topic: IPSec Peer Encryption
Replies: 1
Views: 348

IPSec Peer Encryption

I have a site-to-site VPN running with the following settings:
Proposal: Auth sha512, Encryption aes-256-cbc, PFS modp3072
Peer: Hash sha512, Encryption aes-256, DH Group modp1024
My understanding is best practice is to use modp3072 as a minimum for DH groups, but the connection will not establish if...
by sjoram
Tue Aug 20, 2019 12:04 am
Forum: General
Topic: SSL Wildcard Cert
Replies: 3
Views: 443

Re: SSL Wildcard Cert

I think I have answered my own question and it appears to be my limited knowledge of the mechanics of SSL certs.

My wildcard cert is for *.domain.net - this won't allow me to use it for *.*.domain.net - that is one level of subdomain too deep....
by sjoram
Tue Aug 20, 2019 12:00 am
Forum: General
Topic: SSL Wildcard Cert
Replies: 3
Views: 443

SSL Wildcard Cert

I am looking to enable HTTPS via Port Knocking, which I have tested successfully. However, I do have one issue. I am using a Let's Encrypt wildcard certificate. This works absolutely fine with IIS, a mail server and another web server. With Webfig, it is throwing an error that the certificate CN is ...
by sjoram
Sat Jul 27, 2019 3:59 pm
Forum: General
Topic: Script - ping 'watchdog' - high latency
Replies: 0
Views: 272

Script - ping 'watchdog' - high latency

Hi all, Having looked at various other forum posts, I'm trying to find a script to replace the System Watchdog. The reason for this is that often when my DSL connection loses sync, the PPP login on RouterOS gives up re-trying to establish PPP after a short time. This then requires either the PPP int...
by sjoram
Sun Feb 24, 2019 11:38 am
Forum: General
Topic: PPPoE client issue
Replies: 0
Views: 304

PPPoE client issue

Having an issue with PPPoE Client (for ISP WAN connection) trying to replace a RB750 with a hEX unit. Using a Draytek Vigor 120 v2 as PPPoA to PPPoE bridge. Working RB750 is on 6.42.6. hEX was on 6.43.8 but I'm planning to update to 6.43.12 before trying again. PPPoE client config: /interface pppoe-cli...
by sjoram
Tue Feb 12, 2019 10:27 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 25205

Re: Blacklist Filter (Development Topic)

Hi Dave, Very sorry to hear of the challenges that life has thrown at you of late. I sincerely wish you and your family all the very best. Thank you for your work on this, you know yourself how much demand your servers have seen, so I am sure this is benefiting and making life easier for a lot of pe...
by sjoram
Sun Jan 27, 2019 2:42 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 25205

Re: Blacklist Filter (Development Topic)

I found your Patreon. I looked at the different 'tiers' - $10 currently works out about £7.50 a month...I'd be more than happy to support your work. However, I do have a couple of questions (others with knowledge of your project may also have views) - sorry if this is not the best place to ask, but ...
by sjoram
Sun Jan 27, 2019 12:56 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1208

Re: Best practice hardening/NAT rules

Thanks all - I spent about 6 hours in Winbox yesterday re-crafting my config from the existing RB750 onto the RB750Gr3. I have a new found appreciation for the ability to backup/export a configuration, though as mentioned I was never going to do that here! As an aside, in my professional life (ROS i...
by sjoram
Sun Jan 27, 2019 12:44 pm
Forum: General
Topic: Default fasttrack rule
Replies: 2
Views: 362

Re: Default fasttrack rule

Here are some of the rules that I think the default IPSec accept may cause problems with: IPSec Policy: add dst-address=10.5.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.0.0.0/16 \ tunnel=yes add dst-address=10.6.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address...
by sjoram
Sun Jan 27, 2019 12:34 pm
Forum: General
Topic: Default fasttrack rule
Replies: 2
Views: 362

Default fasttrack rule

I have just re-built the configuration for one of my ROS devices (replacing a RB750 with RB750Gr3) and as such I was working from the "new" default configuration. I have not previously used the fasttrack functionality, but I read that by its nature, it bypasses certain things that may cause other pa...
by sjoram
Sun Jan 27, 2019 12:21 pm
Forum: General
Topic: defconf: drop all not coming from LAN really needed?
Replies: 12
Views: 5176

Re: defconf: drop all not coming from LAN really needed?

I actually don't quite understand the need for this rule. Isn't it best hinged on WAN? ...the main reason this was not done is that many RouterOS novices who configure PPPoE (very commonly needed as a method to connect to the Internet, accomplished by adding a new PPPoE client interface) are comple...
by sjoram
Fri Jan 18, 2019 6:24 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1208

Re: Best practice hardening/NAT rules

I have come across that one, thanks. I don't think the 3MB RAM I have left will cope with that right now, but will look to try it once I've upgraded!
by sjoram
Fri Jan 18, 2019 4:45 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1208

Re: Best practice hardening/NAT rules

I've started looking to use address lists, both to permit legitimate traffic and block some rogues. The latter is proving a challenge on the 32MB RAM in RB750 (I've had to reduce the timeout to reduce the list size), another reason for hardware upgrade! Edit: Port knocking - why didn't I do that bef...
by sjoram
Fri Jan 18, 2019 3:23 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1208

Re: Best practice hardening/NAT rules

Thanks guys. I think my problems stem from having moved over to RouterOS several years ago when: a) I still had a lot to learn about networking and firewalls/routing specifically. (Still do, but it's a lot better now!) b) I think earlier versions of ROS on which my config was built didn't have so ma...
by sjoram
Fri Jan 18, 2019 2:03 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1208

Best practice hardening/NAT rules

Hi all, I currently have a RB750 and RB750GL at two different locations, which have been in place for a couple of years. These have a PPP client connection to the ISP on the WAN side. I have found over the past year or so a number of issues as a result of my misconfiguration of the devices and had s...
by sjoram
Thu Nov 29, 2018 12:39 pm
Forum: Scripting
Topic: Update interface address, DHCP server configuration in bulk
Replies: 1
Views: 325

Update interface address, DHCP server configuration in bulk

I have a RB750 that we occasionally use to pre-build a LAN environment simulating certain functions of the WAN router. I have no experience of scripting in RouterOS but would like to find a way of entering a new list of subnets which would then automatically update the following: 7 x VLAN interface ...
by sjoram
Wed Jul 25, 2018 10:12 pm
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4940

Re: Router compromised [SOLVED]

I believe mine may have been this: http://www.networkinghowtos.com/howto/mikrotik-routeros-remote-vulnerability-exploiting-the-winbox-service/ I have seen another post (which I will not reproduce here) detailing the exact steps required to perform the exploit. This leads me to believe my device may ...
by sjoram
Tue Jul 24, 2018 12:45 pm
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4940

Re: Router compromised [SOLVED]

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default? Whe...
by sjoram
Tue Jul 24, 2018 11:14 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4940

Re: Router compromised [SOLVED]

There was a breach earlier /maybe month ago or so/ and I've changed name of admin account and disable it, create another user with full access, upgrade firmware's /both/ and...the new username was used to access two of my routers. IP address of mikrotik.php script /empty/ was - 95.154.216.164 Did y...
by sjoram
Tue Jul 24, 2018 11:00 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4940

Re: Router compromised [SOLVED]

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default?
by sjoram
Tue Jul 24, 2018 10:59 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4940

Re: Router compromised [SOLVED]

Fortunately, I have the logs from my device being captured via syslog. I am just trawling through these (1700 so far) and appear to have seen the first sign last night of when I noticed problems. This shows a SUCCESSFUL winbox login, followed by SOCKS config changes and scripts being added/removed. ...
by sjoram
Tue Jul 24, 2018 4:37 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4940

Re: Router compromised [SOLVED]

Ouch. Well "at least" it's not just me. I've spent 3 hours on it and it seems to have subsided - for now, at least.

Router has now been up 1h6m and the best it has otherwise managed in the past 3.5 hours was 15 mins.
by sjoram
Tue Jul 24, 2018 4:27 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4940

Router compromised [SOLVED]

I found my RB750 crashing due to running out of RAM this evening. Upon deeper investigation, it appeared that unauthorised access had been obtained to the router. Some firewall "drop" rules were disabled and there was a "mikrotik.php" file along with some scripts running. I found the php file rather ...
by sjoram
Sun Mar 25, 2018 12:51 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2516

Re: DHCP relay problem

When I disable the rule of source (PPPoE Public IP) to destination 10.0.0.0/8, I can see (having added a passthrough rule) that counters for source public IP to destination 10.0.0.0/8 are increasing when DHCP requests are made. Therefore Router B is forwarding DHCP relay packets with a source of the...
by sjoram
Sat Mar 24, 2018 7:40 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2516

Re: DHCP relay problem

OK, so I've worked through all my NAT rules and confirmed that it's the srcnat rule "fixing" the source IP for traffic passing over the IPSec tunnel that's causing the problem. Traffic flow is: DHCP Server (10.0.0.5/16) <--> Switch <--> Router A <--> IPSec <--> Router B <--> Switch <--> DHCP Client ...
by sjoram
Mon Mar 05, 2018 5:32 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2516

Re: DHCP relay problem

Resurrecting an old thread here, folks. Apologies, it's been lower down my priority list for a while so hadn't got back to it. I haven't tried removing the source address on the DHCP relay but I don't see that it should cause a problem? The reason for the srcnat rule(s) is as per https://wiki.mikrot...
by sjoram
Fri Aug 04, 2017 3:32 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2516

Re: DHCP relay problem

*bump* Any thoughts anyone? A bug or something in my config I'm missing?
by sjoram
Tue Jun 06, 2017 6:14 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2516

Re: DHCP relay problem

/interface vlan
add interface=ether2-master-local name=VLAN5 vlan-id=5
add interface=ether2-master-local name=VLAN10 vlan-id=10
add interface=ether2-master-local name=VLAN20 vlan-id=20
add interface=ether2-master-local name=VLAN40 vlan-id=40
add interface=ether2-master-local name=VLAN60 vlan-id=60
a...
by sjoram
Sat Mar 11, 2017 3:19 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2516

Re: DHCP relay problem

I've just spent some time looking at this again as I still haven't managed to get it resolved. From the client machine sending the DHCP requests, all Wireshark shows up is a bunch of DHCP Discover packets. The DHCP server is showing DHCP Discover packets and DHCP offer being returned. However the DH...
by sjoram
Mon Jan 23, 2017 6:51 pm
Forum: General
Topic: Best Routerboard for IPSec on DSL
Replies: 2
Views: 526

Best Routerboard for IPSec on DSL

Can anyone recommend the best current model Routerboard for use on xDSL when running an IPSec tunnel between 2 devices? I have read some devices are better as the hardware can accelerate encryption performance rather than relying so heavily on CPU? Bear in mind that I only use 2 x interfaces on both...
by sjoram
Tue Jan 03, 2017 10:06 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2516

DHCP relay problem

I have a problem with DHCP relay on some of my VLANs. It is working fine on one but not the others. The DHCP server is 10.0.0.5/16 on a HP switch with VLAN interface into RB750. There are other local VLANs on that switch using DHCP relay on the RB750 without issue. I have an IPSec VPN to a RB750GL, w...
by sjoram
Sat Oct 29, 2016 7:27 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 684

Re: Unreplied connections

I've now enabled reverse path filtering as well as tweaking the drop rules at the bottom of the chain...and things are looking much better now.
by sjoram
Sat Oct 22, 2016 1:46 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 684

Re: Unreplied connections

Update: I noticed the problem was more pronounced on one device than the other and there were subtle differences between the two in the rules configured to drop traffic.
I've tweaked this and will see how things go over the next week or so.
by sjoram
Sat Oct 22, 2016 1:26 pm
Forum: General
Topic: ISP requires VLAN and pbit set
Replies: 8
Views: 4051

Re: ISP requires VLAN and pbit set

Did you try limiting the MSS in TCP packets as per earlier posts? My 2x WAN connections are xDSL and only 20/2 and 80/20 respectively but I had major issues until I did this.
by sjoram
Sat Oct 22, 2016 1:20 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 684

Unreplied connections

I have 2x RouterOS running on 2x RB750 series routers. I'm having major problems with unreplied connections on both devices. Both the source and destination addresses are NOT on my local network, so I suspect there is some spoofing of the source addresses. My question is how can I block these reliab...
by sjoram
Sat Feb 13, 2016 12:25 pm
Forum: General
Topic: srcnat rule not working
Replies: 0
Views: 460

srcnat rule not working

Hi all, I have moved a device on my network from one VLAN with a /16 subnet onto another with a /30. It was on 10.5.0.0/16 (VLAN10) and has moved to 192.168.5.0/30 (VLAN5). RouterBOARD 750GL is 10.5.0.254 and 192.168.5.1 respectively. Device of interest was 10.5.2.2, now 192.168.5.2. I have a srcnat ru...
by sjoram
Sat May 16, 2015 10:26 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1666

Re: Problem with DHCP Relay & IPSec

**Edited**

This is now resolved and was the result of a couple of configuration screw ups.

Namely, DHCP snooping on switch at main site & Source NAT rule covering traffic going between each site.
by sjoram
Sun May 03, 2015 1:31 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1666

Re: Problem with DHCP Relay & IPSec

Yes the IPSec tunnel is working. Packet capture on the DHCP server doesn't show any DHCP packets originating from the remote network.
by sjoram
Sat May 02, 2015 10:20 pm
Forum: General
Topic: PPTP not reconnecting
Replies: 13
Views: 2998

Re: PPTP not reconnecting

I recommend the Draytek Vigor 120 modem.
I'm running this with a RB750 on ADSL2+ and works great.
Modem just worries about keeping the DSL in sync, RB750 handles the PPP login.
by sjoram
Sat May 02, 2015 9:53 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1666

Re: Problem with DHCP Relay & IPSec

Bumping this as no replies and still haven't managed to resolve...
I've also attempted to deploy on my new FTTC (VDSL) circuit and had the same issue and that is not behind another NAT router....
by sjoram
Sat Mar 14, 2015 5:54 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1666

Problem with DHCP Relay & IPSec

Having an issue with DHCP Relay not working over an IPSec tunnel. I've found a few previous posts and tried suggestions there to no avail. This is only a temporary setup for a few months, so don't want to waste too much time on it, but would be nice to get working if possible. I'm currently using...
by sjoram
Sun Aug 10, 2014 4:27 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 5429

Re: IPSec - Dynamic IP with Double NAT

I'll check out the script, thanks.

Ref the tunnel not passing traffic after one end upgraded to v6.18 with other end still on v6.17, I've now upgraded the other RB750 and have both ends on v6.18 and the tunnel is now passing traffic.
by sjoram
Sun Aug 10, 2014 4:26 pm
Forum: General
Topic: v6.17 SNMP - Interface Stats
Replies: 56
Views: 16891

Re: v6.17 SNMP - Interface Stats

I have just upgraded to v6.18 and currently working. Will monitor and report back if it falls over again.
by sjoram
Wed Aug 06, 2014 2:48 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 5429

Re: IPSec - Dynamic IP with Double NAT

Update to this: I haven't found a way to deal automatically with the dynamic IP on one side yet, but it hasn't as yet changed - I'm not sure how the lease works from the ISP but it seems semi-sticky. But I've upgraded ROS on the RB750 at one end to v6.18 with the other end still on v6.17 and cannot ...
by sjoram
Sun Aug 03, 2014 11:42 am
Forum: General
Topic: v6.17 SNMP - Interface Stats
Replies: 56
Views: 16891

Re: v6.17 SNMP - Interface Stats

I've just tried the disable, reboot, enable, reboot to no avail. Some "sensors" are responding to an auto-discovery (see below) but not the ones (interfaces) that I'm interested in. Trying to manually add an interface "sensor", the device reports no interfaces are available. http://www.oram-net.net/...
by sjoram
Sun Jul 20, 2014 5:26 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4867

Re: NAT problem

Just in case anyone does a search and is reading this thread, I resolved it. http://forum.mikrotik.com/viewtopic.php?f=2&t=87170
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=<private IP e.g. 10.0.0.5> to-ports=<private port e.g. 9326> protocol=tcp dst-address=<public IP> dst-port=<publ...
by sjoram
Sun Jul 20, 2014 5:15 pm
Forum: General
Topic: Doubts about pppoe MTU
Replies: 5
Views: 950

Re: Doubts about pppoe MTU

If I understand your problem correctly, see screenshots in below file.
You need one rule to cover in interface and another rule to cover out interface (same interface on both rules - your PPP interface).

http://www.oram-net.net/public/ROS-MSS.pdf
by sjoram
Sun Jul 20, 2014 5:06 pm
Forum: General
Topic: Hairpin NAT - Problem configuring
Replies: 2
Views: 1315

Re: Hairpin NAT - Problem configuring

Thanks, I re-read the wiki article yet again and the srcnat stuff finally clicked in my head.
I've configured & working.
by sjoram
Sun Jul 20, 2014 12:47 pm
Forum: General
Topic: Doubts about pppoe MTU
Replies: 5
Views: 950

Re: Doubts about pppoe MTU

My PPPoE MTU is 1432 but I had to use MSS clamping to reduce MSS on TCP SYN packets to 1386.
by sjoram
Sat Jul 19, 2014 1:23 pm
Forum: General
Topic: Hairpin NAT - Problem configuring
Replies: 2
Views: 1315

Hairpin NAT - Problem configuring

Trying to configure Hairpin NAT and I can't make it work. I need clients on 10.0.0.0/16 (VLAN 10) to be able to access the services as per the dstnat rules. Other VLANs and external connections can work the dstnat rules fine, it's just clients on the same VLAN/subnet as the server they are accessing...
by sjoram
Sat Jul 19, 2014 1:00 pm
Forum: General
Topic: v6.17 SNMP - Interface Stats
Replies: 56
Views: 16891

v6.17 SNMP - Interface Stats

I have been using PRTG Network Monitor to collect via SNMP interface (bandwidth) statistics. Since some time yesterday after upgrade to v6.17, the interfaces are no longer reporting via SNMP. I've deleted all SNMP "sensors" and re-run an auto-discovery and it has not found any of the interfaces as "...
by sjoram
Fri Jul 18, 2014 11:57 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 5429

Re: IPSec - Dynamic IP with Double NAT

Right, I've managed to 'fudge' this. Phase1 came up no problems but when I enabled debug logging for IPSec, the RB750 with the double NAT gave the error that it ignored the packet because it does not listen on the public IP address. Since nothing going to the WAN interface of the RB750 from the WAN ...
by sjoram
Fri Jul 18, 2014 7:46 pm
Forum: General
Topic: RB750 Routerboard Upgrade problem
Replies: 7
Views: 2427

Re: RB750 Routerboard Upgrade problem

All good.
I've just done the ROS and RB upgrade.

Cheers
by sjoram
Fri Jul 18, 2014 7:41 pm
Forum: General
Topic: ISP requires VLAN and pbit set
Replies: 8
Views: 4051

Re: ISP requires VLAN and pbit set

Try the forward chain.
I have a mangle rule to change the MSS on packets in/out of WAN interface and mine uses forward chain.
by sjoram
Fri Jul 18, 2014 7:28 pm
Forum: General
Topic: RB750 Routerboard Upgrade problem
Replies: 7
Views: 2427

Re: RB750 Routerboard Upgrade problem

Thanks.

I currently have 2.36 RB with 5.4 ROS
There was not a newer version within 5.4
Tried copying the file to the device to do the RB upgrade but it's not taking it.

OK to upgrade direct to ROS 5.26 from the versions above?
by sjoram
Fri Jul 18, 2014 7:14 pm
Forum: General
Topic: RB750 Routerboard Upgrade problem
Replies: 7
Views: 2427

Re: RB750 Routerboard Upgrade problem

So essentially, do the ROS upgrade first, then the RouterBOARD?

I thought I saw somewhere it should be done RouterBOARD first but could be wrong?
by sjoram
Fri Jul 18, 2014 6:46 pm
Forum: General
Topic: RB750 Routerboard Upgrade problem
Replies: 7
Views: 2427

RB750 Routerboard Upgrade problem

I have 2x RB750. Managed to upgrade one RouterBOARD (& then RouterOS) fine this morning. The other is refusing to upgrade. The new RouterBOARD goes on but then after the reboot it reverts back to the old version again. Current RBOARD version is 2.36. Trying to upgrade to the current latest version, dow...
by sjoram
Fri Jul 18, 2014 5:26 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 5429

Re: IPSec - Dynamic IP with Double NAT

Scripts will not help you here. MikroTik IPSec requires the IPSec responder [IPSec server] to directly terminate a public IP [not be behind NAT]. NAT-T only works on client side with MikroTik. So just to be clear, you think the Netgear that has worked previously must have been behaving differently?...
by sjoram
Fri Jul 18, 2014 1:58 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 5429

IPSec - Dynamic IP with Double NAT

Hi All, I need to compile a script that will get the WAN IP address from an internet source (because the RB750 is doing double-NAT so its WAN IP address is not a public IP address). I then need this to run a script to update the local WAN IP address of an IPSec tunnel. (The other end has a fixed IP)...
by sjoram
Sat May 17, 2014 10:19 pm
Forum: General
Topic: IPSec with Dynamic IP Peer
Replies: 1
Views: 750

IPSec with Dynamic IP Peer

Hi, Apologies, I know this has been asked a number of times before but having read a few threads, I'm struggling to adapt the scripts I need to my scenario. My RB750 has a static IP address available for its side of the connection, however the remote end is using a Netgear device on a Dynamic IP add...
by sjoram
Sun Dec 29, 2013 11:15 am
Forum: Beginner Basics
Topic: Block comms between VLANs except DHCP & Public IPs
Replies: 3
Views: 1088

Re: Block comms between VLANs except DHCP & Public IPs

Resolved - devices I was creating an exception for had a mis-configured gateway!
by sjoram
Sat Dec 28, 2013 11:17 pm
Forum: SwOS
Topic: Mix untagged/tagged (access/trunk) VLANs on same port?
Replies: 2
Views: 7304

Re: Mix untagged/tagged (access/trunk) VLANs on same port?

Thanks, I'll give that a try when I get a moment.
by sjoram
Sat Dec 28, 2013 9:18 pm
Forum: Beginner Basics
Topic: Dynamic Mangle rule for reducing MSS value
Replies: 0
Views: 1941

Dynamic Mangle rule for reducing MSS value

Hi all, Previously used my RB750 on a MPoA connection but have recently moved to PPPoA. Have a Draytek Vigor 120 acting as PPPoA to PPPoE bridge. Have a PPPoE client configured on my RB750 to login to my ISP and this acts as my dialer interface. Had some problems which with the help of http://forum....
by sjoram
Fri Dec 27, 2013 2:06 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 3305

Re: Email - error connecting to server

Edit: Thought I had it sorted, but I haven't.
Getting further than before but still no success. Getting a timeout, but don't understand why as no internal nor external client has any issue connecting to my mail server.
by sjoram
Fri Dec 27, 2013 1:13 am
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 3305

Re: Email - error connecting to server

Setup is exactly as per working mail clients.
Using System/Email in Winbox and using the sent test message option
by sjoram
Thu Dec 26, 2013 3:49 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 3305

Re: Email - error connecting to server

No fw running on server. No issues inside LAN (any VLAN) or from WAN with any other smtp access
by sjoram
Thu Dec 26, 2013 3:38 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 3305

Re: Email - error connecting to server

Correct, trying to enable ROS email function.
Tried internal mail server and gmail.
With debug level logging all I get is error connecting to server. No further info.
by sjoram
Thu Dec 26, 2013 3:22 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 3305

Re: Email - error connecting to server

PCs are fine, just ROS is the issue. Can ping IP no problem.
by sjoram
Thu Dec 26, 2013 3:03 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 3305

Re: Email - error connecting to server

Tried that, only got the same as per thread summary.
by sjoram
Thu Dec 26, 2013 10:31 am
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 3305

Re: Email - error connecting to server

Nothing at all - doesn't appear to be reaching it.
by sjoram
Tue Dec 24, 2013 9:22 pm
Forum: SwOS
Topic: Mix untagged/tagged (access/trunk) VLANs on same port?
Replies: 2
Views: 7304

Mix untagged/tagged (access/trunk) VLANs on same port?

Sorry for posting a question that has come up on a number of other threads, but looking for clarity on the latest status. Elsewhere, I use HP Procurve 2600 series switches which can mix both untagged and tagged VLANs on the same port, no issue. I bought one of the RouterBOARD SwOS products assuming ...
by sjoram
Tue Dec 24, 2013 9:09 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4867

Re: NAT problem

The above masquerade didn't work. I'm currently running a f/w version that doesn't allow export compact (reluctant to upgrade unless I have a particular issue to solve - been a victim of failed firmware upgrades on devices in the past!). Tell me what sections I need to post from the config and I'll ...
by sjoram
Tue Dec 24, 2013 9:03 pm
Forum: Beginner Basics
Topic: Block comms between VLANs except DHCP & Public IPs
Replies: 3
Views: 1088

Re: Block comms between VLANs except DHCP & Public IPs

Edited: I have this working now, except for one particular exception. I have rules set as per below Accept UDP 67-68 from 10.4.0.0/16 to 10.0.0.5 Drop all (other) from 10.4.0.0/16 to 10.0.0.0/8 I'm trying to add the following (above the drop rule), but it appears the below isn't allowing traffic to ...
by sjoram
Tue Dec 24, 2013 9:00 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 3305

Email - error connecting to server

Configured email server settings, getting the above when sending a test email. No Firewall rules to prevent this, and email server is on VLAN connected to my RB750. Other external and internal clients using the mail server normally. Router can ping/traceroute the IP address without an interface spec...
by sjoram
Tue Dec 24, 2013 8:37 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 2389

Re: RB750 - Hotspot & DNS

I've just come across the same problem - what was the fix? i'll search out the thread when I have a mo and post link. Sorry for delay posting back. Can't find original thread to give context as to how/why this works, but filter rule added as follows (needs to be done from CLI): add action=accept ch...
by sjoram
Sat Dec 14, 2013 5:37 pm
Forum: General
Topic: PPPoE Client (WAN)
Replies: 2
Views: 729

Re: PPPoE Client (WAN)

Thanks, I'll make a note to amend the interface as well as updating the IP address it is masquerading as! :D
by sjoram
Sat Dec 14, 2013 5:24 pm
Forum: General
Topic: PPPoE Client (WAN)
Replies: 2
Views: 729

PPPoE Client (WAN)

Changing ISPs soon and will need to configure PPPoE client (first time on ROS). I've pre-configured the PPPoE interface and left disabled. Question is, I currently have some srcnat rules that specify the out interface as eth1. (Masquerade) Can I leave these rules as eth1 or will I need to change the...
by sjoram
Sat Dec 14, 2013 5:22 pm
Forum: General
Topic: Block DNS other than OpenDNS
Replies: 2
Views: 1458

Re: Block DNS other than OpenDNS

Thanks, I'll try that tomorrow.

Edit: Working a treat :D
by sjoram
Sat Dec 14, 2013 4:57 pm
Forum: General
Topic: Block DNS other than OpenDNS
Replies: 2
Views: 1458

Block DNS other than OpenDNS

All, Looking to add a firewall rule on the output chain that blocks all DNS packets other than to OpenDNS IP addresses. Am I correct in that I need to add 2 filter rules on the output chain to allow packets to the 2 OpenDNS IP addresses (1 per IP) and then a block rule that needs to be UNDERNEATH th...
by sjoram
Tue Oct 15, 2013 12:40 am
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 2389

Re: RB750 - Hotspot & DNS

I've just come across the same problem - what was the fix?
I'll search out the thread when I have a mo and post link.
by sjoram
Sat Sep 21, 2013 7:04 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 2389

Re: RB750 - Hotspot & DNS

Managed to find another thread on here that enabled me to add a further filter rule to the pre-hotspot chain to resolve this.
by sjoram
Sat Sep 21, 2013 5:24 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 2389

Re: RB750 - Hotspot & DNS

I've tried disabling this rule and it prevents clients from being re-directed to the login page, they have to browse to the page manually.
Any suggestions for how I can fix the routing of DNS once clients have authenticated to the hotspot?
by sjoram
Tue Sep 17, 2013 3:35 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 2389

Re: RB750 - Hotspot & DNS

All I need is for DNS requests from hotspot clients to appear from the correct IP address to external DNS resolvers and not use the internal DNS cache. If I remove/disable the entry for DNS redirection, will clients connecting initially still be redirected to the hotspot login page? I'll give it a t...
by sjoram
Tue Sep 17, 2013 3:01 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 2389

Re: RB750 - Hotspot & DNS

Thanks, I spotted that after my original post. Question now is can I remove this without affecting hotspot functionality?
by sjoram
Tue Sep 17, 2013 11:27 am
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 2389

Re: RB750 - Hotspot & DNS

*bump* Can anyone assist?
by sjoram
Sun Sep 08, 2013 4:35 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 2389

RB750 - Hotspot & DNS

Hi, I use OpenDNS for DNS but I have a couple of different IP addresses with different filtering categories. I have different masquerade rules configured for different internal VLANs such that most appear to the outside world on one particular IP address but there is one VLAN that appears on a diffe...
by sjoram
Mon Apr 01, 2013 3:06 pm
Forum: Beginner Basics
Topic: Block comms between VLANs except DHCP & Public IPs
Replies: 3
Views: 1088

Block comms between VLANs except DHCP & Public IPs

Hi all,

Need help on how I configure RB750 to block comms between VLANs on internal IPs (10.x.0.0/16 subnets, 1 per VLAN) but allow DHCP (inc relay) and allow any traffic directed at public IPs which have NAT rules forwarding to a host on one of the VLANs.
by sjoram
Sat Mar 09, 2013 9:17 pm
Forum: General
Topic: RB750 v5.4 cannot export compact
Replies: 3
Views: 612

Re: RB750 v5.4 cannot export compact

:lol: ...sorry ignore me....for some reason my brain read 5.4 as a higher revision than 5.12 :?
by sjoram
Sat Mar 09, 2013 8:02 pm
Forum: General
Topic: RB750 v5.4 cannot export compact
Replies: 3
Views: 612

RB750 v5.4 cannot export compact

As above, RB750 v5.4 cannot use export compact
Get error 'expected end of command' suggesting it doesn't like me adding compact to the end of the export command.
Any ideas?
by sjoram
Tue Feb 26, 2013 9:33 pm
Forum: General
Topic: PPTP connection drops when user has Linksys wireless router
Replies: 26
Views: 11834

Re: PPTP connection drops when user has Linksys wireless router

Just to advise that I seem to be having PPTP VPN on 2k3 server dropping after around 30-45mins of running OK using a RB750.
by sjoram
Tue Feb 26, 2013 8:50 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4867

Re: NAT problem

Thanks, I'll wait till the weekend to move the public IPs so I'm on site if things go wrong.
Will then take a look and see what I have.
Thanks all for the input so far.
by sjoram
Tue Feb 26, 2013 7:15 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4867

Re: NAT problem

This is what I have at the moment. The masquerade issue aside, should the below work? Yes I know some are disabled - I disabled them after they didn't work as expected, until I had the chance to look at it again. /ip firewall filter add action=passthrough chain=unused-hs-chain comment=\ "place hotsp...
by sjoram
Mon Feb 25, 2013 7:38 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4867

Re: NAT problem

This is why I don't think masquerade will work on VLAN10. Do I actually need the IP addresses assigned to VLAN10 for NAT to work? I have srcnat rules running to mask external traffic going to the internet behind two IPs (rather than using the default masquerade), one of these is not included on the ...
by sjoram
Mon Feb 25, 2013 8:58 am
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4867

Re: NAT problem

Yep, problem I have is I'm not sure I can use masquerade as I have a number of IP addresses assigned to that particular interface, so how would it know which to use for masquerade?
by sjoram
Sun Feb 24, 2013 11:35 am
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4867

Re: NAT problem

OK today I have tried Chain srcnat Src Add 10.0.0.0/16 Dst Add 46.65.209.241 Proto TCP Dst Port 443 action = src-nat to 46.65.209.241 No joy Interestingly, I have IIS running on port 80 NAT'ed against one IP address and that works without one of the above rules. Services directed at port 80 on anoth...
by sjoram
Sat Feb 23, 2013 10:17 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4867

Re: NAT problem

Hmm, looks like what I need but can't make it work. The example command on the wiki won't work for me because the interface has multiple IP addresses assigned so I can't use masquerade. Tried customising the rule to my situation but no joy. Essentially for my situation, for example, I have Web serve...
by sjoram
Sat Feb 23, 2013 5:39 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4867

NAT problem

Hoping someone can assist with the below. New to RouterOS, gone live on a RB750 today. Having an issue with one of my NAT rules. Works great for users on other VLANs or on the Internet, but users on the same VLAN as the server are not connecting. My old Netgear used to run its NAT rules on internal ...
by sjoram
Sun Feb 10, 2013 10:07 pm
Forum: Beginner Basics
Topic: RB750 - VLANs/Bridges/Interfaces
Replies: 6
Views: 2552

Re: RB750 - VLANs/Bridges/Interfaces

I'd have thought a cisco AP could send Vlan Tagged packets.
It can, other than the native VLAN as far as I can tell...(which is the problem!)
by sjoram
Sun Feb 10, 2013 9:56 pm
Forum: Beginner Basics
Topic: RB750 - VLANs/Bridges/Interfaces
Replies: 6
Views: 2552

Re: RB750 - VLANs/Bridges/Interfaces

I don't think that's what I'm trying to do. Essentially over my two sites I would have: VLAN 10 = 10.0.0.0/16 <--> 10.5.0.0/16 VLAN 20 = 10.1.0.0/16 <--> 10.6.0.0/16 VLAN 40 = 10.2.0.0/16 <--> 10.7.0.0/16 VLAN 60 = 10.3.0.0/16 <--> 10.8.0.0/16 VLAN 80 = 10.4.0.0/16 <--> 10.9.0.0/16 I don't need to h...
by sjoram
Sun Feb 10, 2013 9:43 pm
Forum: Beginner Basics
Topic: RB750 - VLANs/Bridges/Interfaces
Replies: 6
Views: 2552

Re: RB750 - VLANs/Bridges/Interfaces

Essentially what I'm trying to do is: Port 1 - WAN Port 2 - VLAN10 client (no tag) Port 3 - VLAN10 client (no tag) Port 4 - VLAN10 client (no tag) Port 5 - Cisco WAP (VLAN10 no tag, VLANs20,40,60,80 with tags) No need to firewall between VLAN10 clients, but I'd want to firewall off the VLANs from co...
by sjoram
Sun Feb 10, 2013 8:55 pm
Forum: Beginner Basics
Topic: RB750 - VLANs/Bridges/Interfaces
Replies: 6
Views: 2552

RB750 - VLANs/Bridges/Interfaces

Hi guys, Relatively new to RouterOS and need some help. Working with a RB750 and need to know if there's a solution to the below, or whether I'm trying to do the impossible. I'm going to be running two RB750s in two separate locations, one of which is running VLAN-capable switches, one of which is n...