Search found 187 matches

by sjoram
Thu Sep 07, 2023 11:46 am
Forum: General
Topic: Issue with Ring cameras & fasttrack
Replies: 5
Views: 1101

Re: Issue with Ring cameras & fasttrack

This is what I started with, but resulted in SYN,ACK replies from the internet being dropped as invalid.
by sjoram
Thu Sep 07, 2023 9:21 am
Forum: General
Topic: Issue with Ring cameras & fasttrack
Replies: 5
Views: 1101

Re: Issue with Ring cameras & fasttrack

Any ideas why fasttrack was an issue here? Ros version? I had an issue with fasttrack when using 7.11, but 7.11.2 resolved it. https://forum.mikrotik.com/viewtopic.php?t=198945 7.11.2...... I upgraded from 7.7 to 7.11.2 last weekend. Issues seem to be noticed following the reboot after that upgrade...
by sjoram
Wed Sep 06, 2023 9:55 pm
Forum: General
Topic: Issue with Ring cameras & fasttrack
Replies: 5
Views: 1101

Issue with Ring cameras & fasttrack

Had an issue with Ring cameras and fasttrack causing connections to drop and not re-establish. This was specifically when traffic was being forwarded using routing rules from one router to another via default route in second routing table which was in turn going out to the internet over 4G. If fasttr...
by sjoram
Tue Aug 29, 2023 9:54 pm
Forum: General
Topic: Connections not tracked in 'new' state
Replies: 1
Views: 850

Re: Connections not tracked in 'new' state

Update: It seems that the mangle rule used to apply the routing mark is the problem.

Instead of using that, I configured routing rules based on source address alone to forward via 4G routing table. This is working as expected.

However it means I can't use source and/or destination address lists.
by sjoram
Tue Aug 29, 2023 8:39 pm
Forum: General
Topic: Connections not tracked in 'new' state
Replies: 1
Views: 850

Connections not tracked in 'new' state

I'm having an issue with connections not being seen by the router as in new state, so SYN,ACK replies are being dropped with invalid connection. The setup is that R1 (hex) has a mangle rule applied to a specific source and destination IP list to add a routing mark There is then a second default rout...
by sjoram
Fri Jun 02, 2023 11:26 am
Forum: General
Topic: Address list import script - bug?
Replies: 11
Views: 1073

Re: Address list import script - bug?

Yes that's what I'm planning to do when I get some time.
by sjoram
Fri Jun 02, 2023 10:38 am
Forum: General
Topic: Address list import script - bug?
Replies: 11
Views: 1073

Re: Address list import script - bug?

I think the original error was in the 3rd party address list I'm importing, per earlier replies.

The initial delete is definitely working, as I've watched the contents of the address list whilst the script is running.
by sjoram
Tue May 30, 2023 4:16 pm
Forum: General
Topic: Address list import script - bug?
Replies: 11
Views: 1073

Re: Address list import script - bug?

I'd agree that an error in the netmask seems likely, but also a bit odd that the network address was a neat 64.0.0.0. Definitely likely an issue with source data that initiated the problem, but odd that it persisted once cleared at source. No, that is what I tried to explain to you, that is not odd...
by sjoram
Tue May 30, 2023 3:46 pm
Forum: General
Topic: Address list import script - bug?
Replies: 11
Views: 1073

Re: Address list import script - bug?

Most likely scenario is that for an entry added by someone/something, the subnet mask was specified as /2 instead of e.g. /24 RouterOS will automatically match the aaa.bbb.ccc.ddd/2 address to leave only the first two bits, which can be 64, instead of throwing an error when an address is specified ...
by sjoram
Tue May 30, 2023 3:45 pm
Forum: General
Topic: Address list import script - bug?
Replies: 11
Views: 1073

Re: Address list import script - bug?

I also manually checked the source file downloaded directly from the internet and this did not appear to contain the 64.0.0.0/2 entry. Could this be a bug of some sort in RouterOS? I'm not saying that ROS doesn't contain a bug which adds a static entry to address list ... but I find it highly improbab...
by sjoram
Tue May 30, 2023 9:26 am
Forum: General
Topic: Address list import script - bug?
Replies: 11
Views: 1073

Address list import script - bug?

I have some dynamic address lists used in a firewall drop rule across 3 different routers. Seems that one of the lists picked up a 64.0.0.0/2 entry in error yesterday. I have a powershell script running on a Windows server which downloads the lists hourly and formats into a RouterOS script having st...
by sjoram
Fri Dec 09, 2022 10:14 am
Forum: General
Topic: Script not working in ROS7 [SOLVED]
Replies: 3
Views: 1033

Re: Script not working in ROS7 [SOLVED]

This router is back online now... I edited the script slightly, but still didn't work. (Remove space between end of command and ; and made sure that /import started on a new line each time) Copied the script exactly, but out into a new script, worked first time. I can't remember if I created the scr...
by sjoram
Thu Nov 17, 2022 12:37 am
Forum: General
Topic: Script not working in ROS7 [SOLVED]
Replies: 3
Views: 1033

Re: Script not working in ROS7 [SOLVED]

Thanks, I'll try adding the /import There's nothing else in the script being run by the schedule. The script that it is downloading and importing is just a script to find and clear a firewall address list and add new dynamic entries. There's no log entry showing the file is downloaded when called by...
by sjoram
Tue Nov 15, 2022 2:38 pm
Forum: General
Topic: Script not working in ROS7 [SOLVED]
Replies: 3
Views: 1033

Script not working in ROS7 [SOLVED]

I am setting up a new router from scratch which I've upgraded to the latest v7 stable. I've copied a script out of my existing ROS v6 which works fine there. Under v7, it appears not to be running at all. If the commands are run manually in terminal, they work fine. All permissions are selected on the ...
by sjoram
Sat Sep 03, 2022 6:02 pm
Forum: Scripting
Topic: Update firewall filter/NAT rules based on FQDN
Replies: 0
Views: 729

Update firewall filter/NAT rules based on FQDN

Edit: Looks like I've answered my own question here.... 1) It looks like the IP for doh.opendns.com is the same globally and anycast routed, so shouldn't need to change. But I've read that address lists can use FQDNs. Presumably the router would need to be able to resolve them to an IP however? 2) I...
by sjoram
Thu Mar 18, 2021 1:45 am
Forum: General
Topic: Firewall filter & address lists [SOLVED]
Replies: 8
Views: 2179

Re: Firewall filter & address lists [SOLVED]

Gone with the option to jump to a custom chain in the end... 0 ;;; Detected Port Scanners chain=input action=jump jump-target=blacklist_drop_in src-address-list=port scanners in-interface=Uno FTTC log=no log-prefix="" 1 chain=forward action=jump jump-target=blacklist_drop_in src-address-li...
by sjoram
Tue Mar 16, 2021 5:38 pm
Forum: General
Topic: Hairpin NAT Not Working [SOLVED]
Replies: 14
Views: 4591

Re: Hairpin NAT Not Working [SOLVED]

My hairpin NAT is done entirely within /ip firewall nat... First is an action=accept for traffic over IPsec tunnel, but in my case I don't think that's being used since I changed my setup to run routing as OSPF via GRE over IPsec (counter shows 0). Then the dstnat rules for dst-address=public ip dst...
by sjoram
Tue Mar 16, 2021 5:04 pm
Forum: General
Topic: Firewall filter & address lists [SOLVED]
Replies: 8
Views: 2179

Re: Firewall filter & address lists [SOLVED]

I've been aware of MOAB for a while and looked at it when the previous SquidBlacklist stopped updating. Personally, I'm running firehol L1, L2, L3 and webclient along with some manual entries + port scanners MOAB quotes between 5-16K entries for a hex (as I am using). My address list counters curren...
by sjoram
Tue Mar 16, 2021 10:14 am
Forum: General
Topic: Firewall filter & address lists [SOLVED]
Replies: 8
Views: 2179

Re: Firewall filter & address lists [SOLVED]

Instead of downloading a list I have another approach. If someone tries to connect to my router on a port that is not open, they get blocked to all (65535) ports for the next 24 hour. I have a rule below the blacklists to detect port scans and above the blacklists to drop them. I don't currently dr...
by sjoram
Tue Mar 16, 2021 10:10 am
Forum: General
Topic: Firewall filter & address lists [SOLVED]
Replies: 8
Views: 2179

Re: Firewall filter & address lists [SOLVED]

If you would like to keep your blacklist drops in filter, then you could construct another chain like this: add chain=input action=jump jump-target=BLchain src-address-list=firehol_L1 add chain=BLchain action=return src-address-list=whitelist add chain=BLchain action=drop This way BLchain will only...
by sjoram
Tue Mar 16, 2021 12:04 am
Forum: General
Topic: Firewall filter & address lists [SOLVED]
Replies: 8
Views: 2179

Firewall filter & address lists [SOLVED]

I have a script that imports some public IP blacklists into a dynamic address list, with entries removed and re-created (updated) every 3 hours. I then have firewall filter rules to drop input/forward/output chain traffic from/to those address lists. The challenge I have is I want to be able to &quo...
by sjoram
Sat Feb 27, 2021 8:21 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

Sorry that we weren't able to get to the bottom of it. Don't give up, you'll get there eventually!
by sjoram
Sat Feb 27, 2021 6:20 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

To be honest I think we're reaching the point I've exhausted most things I can think of based on the config you've shared. I've only been working with OSPF in my ROS a few weeks...and that's after having an issue with it on Cisco kit at work, so I set it up to help me understand it better. Might be ...
by sjoram
Sat Feb 27, 2021 1:28 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

To try to be a little clearer... Your issue might be with the 0.0.0.0/0 default route, but my WAN setup via PPPoE client also adds a route to the remote address of that interface (62.x.x.x/32) If I don't filter these two connected routes, all traffic to the WAN/internet will try to go via the addres...
by sjoram
Sat Feb 27, 2021 1:12 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

I think your conflict might be with your default route or WAN next hop. Add a route filter for the in and out chains on both sides to discard 0.0.0.0/0 to ensure you're not advertising a default route. Also don't advertise "other" OSPF routes unless you need to. In my case, I also filter m...
by sjoram
Sat Feb 27, 2021 12:55 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

So on the hex you've created a new chain in route filters, instead of the default, whereas the other router is using the default chain. That's OK, but check on routing OSPF instance that you're applying the correct chains. Also on the GRE, you're using the network addresses rather than the first ava...
by sjoram
Fri Feb 26, 2021 11:14 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

OK, I think your problem is the IP you have assigned to the bridge on each side is from the same subnet (172.16.1.0/30). It needs to be on a different subnet on each router. You can keep the same IPs but you'd need to make the addresses /32 masks. If that doesn't work, use 172.16.1.0/30 and 172.16.1...
by sjoram
Fri Feb 26, 2021 10:39 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

There's quite a few variables here that could be tripping you up and it's hard to spot the issue without being able to look at both router configs side by side at the same time.. Can you post full configs from both sides, redacting any sensitive info such as passwords, shared keys, public IPs etc? T...
by sjoram
Fri Feb 26, 2021 9:51 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

Also check your router ID is using the address assigned to the local GRE tunnel interface on each side.
by sjoram
Fri Feb 26, 2021 9:40 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

So you want the "loopback" bridge addresses to be on different subnets on each router. The addresses assigned to the tunnel itself can be on the same /30 You want the bridge addresses to be filtered out of OSPF on both sides. So in my config... Router 1: 192.168.255.1/30 - bridge Router 1:...
by sjoram
Fri Feb 26, 2021 8:40 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

Based on my experience until I got it right, it feels likely to be an issue on your route filters allowing a particular connected route to be advertised to the neighbour upsetting the GRE tunnel. When the tunnel drops, so does OSPF so the routing is restored... GRE comes up, route is advertised...an...
by sjoram
Fri Feb 26, 2021 12:31 am
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

First things first, I'm making the assumption here that your IPsec Phase 1/2 policy is working and you can ping between the two? Although I would note you seem to have a mis-match between a /30 and /32 mask. You really want the GRE tunnel interface on each side to have no smaller than a /30. I think...
by sjoram
Thu Feb 25, 2021 9:17 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

Let me take a look again at your config when in front of the PC and I'll post back. I think my GRE tunnel might have a slightly different configuration to yours.
by sjoram
Thu Feb 25, 2021 9:02 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

I think that's correct - in mine I do not specify protocol=OSPF but I'm sure that's fine. I'm reading your post/config from my phone so a little hard to follow.

If you're still struggling I'll share my example.
by sjoram
Thu Feb 25, 2021 8:19 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

You need to add route filters so that the local and remote addresses for the GRE tunnel at both ends are not advertised out/received in as an OSPF route. You want them to be connected routes on each end only.
by sjoram
Sun Feb 21, 2021 11:55 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

Thanks, really appreciate your time & input on this thread. I've found the problem & it's one of those "how did I miss that, I'm sure I checked for that" moments.... I have drop rules at the top of the filter list for input and forward chains for anything with a source address cont...
by sjoram
Sun Feb 21, 2021 11:28 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

With those rules in place, input and dstnat counters are both increasing. I really can't see anything in the existing rule base that would be tripping it up, but I guess I should just move those down through the rule base and re-try and see where they place in the list when the counters stop increas...
by sjoram
Sun Feb 21, 2021 9:58 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

> /tool sniffer quick ip-address=172.16.0.1 INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN Uno ADSL 19.287 1 <- Uno ADSL 20.291 2 <- ...you get the idea No, R1 has a fairly large firewall table, R2 is a lot simpler. However I've gone over the filter and NAT lists on both R1 & R2 several times lookin...
by sjoram
Sun Feb 21, 2021 4:00 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

Yes that's correct. Also don't see an entry in the firewall connection tracking on R2.
by sjoram
Sun Feb 21, 2021 3:30 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

OK, so I disabled both policies and killed connections from active peers on both sides. I then re-enabled only the 172.16.x.x policy on both sides. The SA from R1 to R2 shows increasing counters on both R1 and R2, however the R2 to R1 counters remain at 0 on both sides. The Firewall connections do n...
by sjoram
Sun Feb 21, 2021 1:43 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

I'm with you now. :-) The reply-dst-address is 172.16.0.1 as expected. Originating connection counters are increasing with ping running, reply counters are 0. With the installed SAs, I assume it's one pair per policy hence 4 for 2 policies? That being the case, it looks like the counters are increas...
by sjoram
Sun Feb 21, 2021 1:02 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

So I have a ping running via winbox to destination 172.16.0.2 from source 172.16.0.1 Wasn't seeing anything in connections via SSH and it wouldn't accept the syntax on the IPsec command - expected : (line 1 column 79) However checking firewall connections via Winbox, I do see the ICMP source 172.16....
by sjoram
Sun Feb 21, 2021 12:47 pm
Forum: General
Topic: RouterOS making unaccounted outbound winbox connections [SOLVED]
Replies: 75
Views: 145341

Re: RouterOS making unaccounted outbound winbox connections [SOLVED]

Wrong wrong wrong. You cannot remove this sheite by simple means. Stop, don't check anything, don't waste your time........... The only approved method once infected/hacked is to use netinstall with a fresh install of the latest firmware and start from scratch. Agree with this. I had the same issue s...
by sjoram
Sun Feb 21, 2021 12:21 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

What does /ip route check 172.16.0.2 show? I.e. is there any route at all (even if the default one) for that destination? > ip route check 172.16.0.2 status: ok interface: Uno FTTC nexthop: 172.16.0.2 & "R2" > ip route check 172.16.0.1 status: ok interface: Uno ADSL nexthop: 172.16.0.1
by sjoram
Sun Feb 21, 2021 11:51 am
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

Here's some relevant R1 config. The R2 config related to the 172.16.x.x addressing is identical but where 172.16.0.1 replace with 172.16.0.2 and where 172.16.0.2 replace with 172.16.0.1 Firewall and IPsec sections are truncated, the others represent complete export. The GREoIPsec 192.168.5.0/30,192....
by sjoram
Sun Feb 21, 2021 11:20 am
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

It is hard to debug things remotely without at least seeing the configuration. When you ping while the 172.x.x.x addresses are used, do you also specify the src-address or you let the machine choose one autonomously? I agree with that - been there, many times! Yes I do specify the source address......
by sjoram
Sun Feb 21, 2021 9:43 am
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

It's not a GRE issue in this case. I haven't got as far as setting up the GRE tunnel on 172 addresses as I can't ping the bridge addresses over the IPsec tunnel.

GRE tunnel is working fine with 192.168 addressing.
by sjoram
Sat Feb 20, 2021 11:05 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

I'm looking to use this addressing with a bridge with no member ports (replicating a loopback interface) and also a GRE tunnel to run GRE over IPsec for OSPF. I have the setup working fine using different addressing, but it seems to fail if I try to use 172.16.x.x addressing. I'd like to be able to ...
by sjoram
Sat Feb 20, 2021 7:10 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 3186

172.16.0.0/12 RFC1918 in ROS [SOLVED]

I seem to have an issue any time I try to use any IP address within 172.16.0.0/12 RFC1918 range in ROS. I can use anything within 10.0.0.0/8 or 192.168.0.0/16 without any issue. Any ideas? (I wrote a longer post detailing the exact scenario in my configuration, but have an issue with this Win10 mach...
by sjoram
Sat Feb 20, 2021 1:21 am
Forum: General
Topic: DNS over IPSec tunnel [SOLVED]
Replies: 4
Views: 3920

Re: DNS over IPSec tunnel [SOLVED]

Edit: Below advice would work for a IPsec tunnel between 2 x ROS devices, but reading your post again with the config you appear to be connecting to a "cloud VPN provider". I doubt this solution will work in that scenario unfortunately, but thought worth leaving this approach here in any c...
by sjoram
Sun Feb 07, 2021 12:35 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

Re: OSPF over GRE/IPSec [SOLVED]

User error! The path I was trying to use for source and destination had asymmetric routing. The ICMP echo-request packets would pass over the GRE tunnel as expected, but the echo-reply responses would have gone through the existing Phase 2 definition on the IPSec tunnel. Tested using source and dest...
by sjoram
Sun Feb 07, 2021 1:17 am
Forum: Forwarding Protocols
Topic: OSPF over GRE/IPSec [SOLVED]
Replies: 27
Views: 7142

OSPF over GRE/IPSec [SOLVED]

I'm currently experimenting with running OSPF over GRE/IPsec IKE Phase 1 between 2 routers (R1 & R2) public IP addresses, PPPoE client interface - established IKE Phase 2 IPSec (R1) 10.5.0.0/16 <--> (R2) 10.0.0.0/16 - established (this works fine and has done for some time) GRE Tunnel establishe...
by sjoram
Sat Dec 26, 2020 10:49 pm
Forum: General
Topic: LLDP-MED and Mitel SIP phones
Replies: 3
Views: 1969

Re: LLDP-MED and Mitel SIP phones

No experience of using this so can't help directly, but we use Windows DHCP on my employer's network and utilise DHCP scope options for this configuration. The handsets initially boot into the 'data' vlan and a DHCP option instructs the phone to reboot into the voice vlan. On HP/Aruba switches, this has th...
by sjoram
Sat Dec 26, 2020 2:32 pm
Forum: General
Topic: "Road warrior" VPN client
Replies: 1
Views: 725

"Road warrior" VPN client

I have a site-to-site VPN successfully deployed on IKEv2 using RSA cert authentication. I'm currently using a 3rd party VPN server running on Windows for 'dial-in' VPN as I couldn't get either the Microsoft or Mikrotik clients working properly. However I would prefer the VPN clients to connect direc...
by sjoram
Sat May 09, 2020 12:52 am
Forum: General
Topic: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.com?
Replies: 17
Views: 4732

Re: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.

Something new has arrived: 1.1.1.2 and backup 1.0.0.2 malicious DNS filtering servers. Check it out. 1.1.1.3 and 1.0.0.3 are also porn aware for kids protection. Been using OpenDNS here for years. I have a /29 subnet routed to each of my WAN links, so I srcnat the various LAN subnets to different p...
by sjoram
Fri May 08, 2020 10:56 pm
Forum: General
Topic: Blacklist Import - File Size [SOLVED]
Replies: 1
Views: 3144

Re: Blacklist Import - File Size [SOLVED]

Powershell Remove-Item "C:\inetpub\wwwroot\blacklists\firehol_L1.txt" Remove-Item "C:\inetpub\wwwroot\blacklists\firehol_L2.txt" Remove-Item "C:\inetpub\wwwroot\blacklists\firehol_L3.txt" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $W...
by sjoram
Fri May 08, 2020 8:41 pm
Forum: General
Topic: Blacklist Import - File Size [SOLVED]
Replies: 1
Views: 3144

Blacklist Import - File Size [SOLVED]

I'm trying to update my blacklist scripts to import the Firehol lists, levels 1, 2 & 3 separately. I am finding that the resulting address lists in RouterOS are a long way short of having imported the complete list. (11952 entries where there should be approx 40k) I believe I read somewhere else...
by sjoram
Wed May 06, 2020 2:36 pm
Forum: General
Topic: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.com?
Replies: 17
Views: 4732

Re: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.

Hmm, compared to the other service with over 600million entries why quibble over a few thousand??? I would doubt that the hex Routerboard can handle that many dynamic address list entries... Concur, but doesn't need to! "How does MOAB store 615+ million IP addresses you wonder? MOAB consists of...
by sjoram
Wed May 06, 2020 8:23 am
Forum: General
Topic: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.com?
Replies: 17
Views: 4732

Re: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.

I am using the following. malc0de has not been updated since 16/12/19, but I am still including its content. I am using PowerShell on a Windows server to grab the lists and host on a local web server, such that I can block any outbound traffic from the router, other than NATed traffic passing throu...
by sjoram
Wed May 06, 2020 8:19 am
Forum: General
Topic: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.com?
Replies: 17
Views: 4732

Re: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.

Hmm, compared to the other service with over 600million entries why quibble over a few thousand???
I would doubt that the hex Routerboard can handle that many dynamic address list entries...
by sjoram
Tue May 05, 2020 9:29 am
Forum: General
Topic: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.com?
Replies: 17
Views: 4732

Re: Where to get list of malicious hosts (sim to spamhaus dshield cymru torlist) and what can replace malwaredomainlist.

I am using the following. malc0de has not been updated since 16/12/19, but I am still including its content. I am using PowerShell on a Windows server to grab the lists and host on a local web server, such that I can block any outbound traffic from the router, other than NATed traffic passing throug...
by sjoram
Tue Apr 14, 2020 10:37 pm
Forum: General
Topic: Hotspot HTTPS Certificate Error [SOLVED]
Replies: 3
Views: 6071

Re: Hotspot HTTPS Certificate Error [SOLVED]

Update -- Pleased to report this is now resolved. The previous post from eworm was close to the solution but not quite, as adding that URL didn't work for me. There followed a combination of trial and error along with running a mirror port on my switch to capture traffic (particularly DNS and HTTP) ...
by sjoram
Mon Apr 13, 2020 10:00 pm
Forum: General
Topic: Hotspot HTTPS Certificate Error [SOLVED]
Replies: 3
Views: 6071

Re: Hotspot HTTPS Certificate Error [SOLVED]

My first guess was the trust chain is not complete, but looks like your made sure this is ok. Perhaps Android wants to access the CRL url? Try adding that to your hotspot (replacing with correct hotspot server name): /ip hotspot walled-garden ip add action=accept disabled=no dst-address=ocsp.int-x3...
by sjoram
Mon Apr 13, 2020 6:20 pm
Forum: General
Topic: Hotspot HTTPS Certificate Error [SOLVED]
Replies: 3
Views: 6071

Hotspot HTTPS Certificate Error [SOLVED]

I'm using a Let's Encrypt wildcard certificate from one of my domains to provide HTTPS access to both the RouterOS admin interface and Hotspot login pages. With the admin interface, the certificate works just fine, however when connecting to the hotspot from an Android device, it displays an error t...
by sjoram
Thu Feb 27, 2020 11:47 pm
Forum: General
Topic: squidblacklist.org Down?
Replies: 7
Views: 7710

Re: squidblacklist.org Down?

This may be an alternative. https://forum.mikrotik.com/viewtopic.php?f=9&t=152632 This seems a reasonable replacement, I'm testing it out on one of my units at the moment. Beyond copy & paste from the forum, I haven't tried writing my own scripts... I'm trying to get the script to add a log...
by sjoram
Thu Feb 27, 2020 1:43 am
Forum: General
Topic: squidblacklist.org Down?
Replies: 7
Views: 7710

Re: squidblacklist.org Down?

This may be an alternative.
viewtopic.php?f=9&t=152632
I'll test over the weekend and report back...
by sjoram
Mon Feb 24, 2020 10:02 pm
Forum: General
Topic: squidblacklist.org Down?
Replies: 7
Views: 7710

Re: squidblacklist.org Down?

I'm aware of MOAB but believe it doesn't support RB hardware as it doesn't use dynamic lists and instead writes to disk (therefore significant wear on the flash)... I'll check out the other links, thanks. It's mostly been useful to reduce the amount of malicious hits on the mail server. It does run ...
by sjoram
Mon Feb 24, 2020 3:41 pm
Forum: General
Topic: squidblacklist.org Down?
Replies: 7
Views: 7710

Re: squidblacklist.org Down?

It would appear that the person who originally set up that site passed away last year. It would seem that whatever mechanisms were in place for updates of the blacklists were still proving effective, but something or someone has now taken the service offline, potentially for good. Does anyone know o...
by sjoram
Mon Feb 24, 2020 3:34 pm
Forum: General
Topic: squidblacklist.org Down?
Replies: 7
Views: 7710

squidblacklist.org Down?

Was anyone using this and know what's happened to them? I noticed today that after a ROS upgrade yesterday, I was no longer seeing the log entries for the daily schedule of the script to import the blacklists. On further investigation to check if it was related to the upgrade, the script is failing ...
by sjoram
Fri Sep 27, 2019 5:15 pm
Forum: Beginner Basics
Topic: Access a switch management GUI from a PC connected to a router [SOLVED]
Replies: 3
Views: 1951

Re: Access a switch management GUI from a PC connected to a router [SOLVED]

I haven't looked at any detail on that switch's management behaviour. However, I have modems in my environment providing PPPoA to PPPoE bridge from xDSL. RouterOS then handles PPPoE client. To view modem stats, I have to connect to the modem on 192.168.2.1 My ether1 interface on RouterOS is set to 1...
by sjoram
Wed Sep 11, 2019 10:55 pm
Forum: Scripting
Topic: Script not working
Replies: 2
Views: 2629

Re: Script not working

I have updated the script and scheduler to allow all 'policy' permissions. When I have time, I'll work through removing one at a time to identify the problem one.
by sjoram
Wed Sep 11, 2019 11:36 am
Forum: Scripting
Topic: Script not working
Replies: 2
Views: 2629

Re: Script not working

Would this be better moved to the Scripting board?
by sjoram
Mon Sep 09, 2019 10:09 pm
Forum: Scripting
Topic: Script not working
Replies: 2
Views: 2629

Script not working

I am trying to run two scripts on schedule performing the following. The schedules appear to work in so far as the script run count increases, but it appears the scripts themselves do not work. The same commands copied into Terminal work fine. /system script print Flags: I - invalid 0 name="d...
by sjoram
Sat Aug 31, 2019 5:46 pm
Forum: Wireless Networking
Topic: Secondary Channel
Replies: 3
Views: 4139

Secondary Channel

Forgive my ignorance on this, but I assume the secondary channel option relates to the ability to have 2 channels running for 160MHz, or am I misunderstanding?
The hAP ac2 doesn't support this seemingly - do any of the other similar models support this?
by sjoram
Sat Aug 31, 2019 5:42 pm
Forum: Wireless Networking
Topic: 5GHz Channel
Replies: 1
Views: 1325

Re: 5GHz Channel

I've manually set a channel for now.
by sjoram
Sat Aug 31, 2019 12:29 pm
Forum: Wireless Networking
Topic: WEP SSID clients not connecting
Replies: 0
Views: 956

WEP SSID clients not connecting

I need to run one of my SSIDs using 128-bit WEP (yes....I know, I'm trying to get the client devices moved to WPA2...). All of my WPA2 SSIDs - on the physical and virtual interfaces are working fine. With the SSID using WEP, clients appear to associate, but do not obtain a DHCP lease or pass traffic...
by sjoram
Sat Aug 31, 2019 12:26 pm
Forum: Wireless Networking
Topic: VirtualAP Bridging
Replies: 4
Views: 1589

Re: VirtualAP Bridging

Ended up locking myself out and having to factory reset.

Got it working using this as a guide - https://blog.ligos.net/2018-01-01/Mikro ... -VLAN.html
by sjoram
Fri Aug 30, 2019 7:13 pm
Forum: Wireless Networking
Topic: VirtualAP Bridging
Replies: 4
Views: 1589

Re: VirtualAP Bridging

OK, so one of the virtual APs is working in both 2.4GHz and 5GHz. But I've just tried to connect to another. The client appears to associate without issue, but fails to obtain DHCP. This was working fine on previous APs and nothing has changed on the LAN/router besides the wireless hardware (previou...
by sjoram
Fri Aug 30, 2019 6:50 pm
Forum: Wireless Networking
Topic: 5GHz Channel
Replies: 1
Views: 1325

5GHz Channel

I've set my 2.4GHz radio to a fixed 20MHz channel but my 5GHz radio is currently selected to automatic frequency. My understanding of the permitted 5GHz uses is based on https://www.cablefree.net/wirelesstechnology/unlicensed-wireless-links/using-the-5ghz-band-in-the-uk It seems to be consistently c...
by sjoram
Fri Aug 30, 2019 1:19 pm
Forum: Wireless Networking
Topic: VirtualAP Bridging
Replies: 4
Views: 1589

Re: VirtualAP Bridging

I worked out where I went wrong. I thought I'd assigned the VLANs to the physical LAN interface facing my switch on the RB750Gr3. I hadn't, they were assigned to the bridge. When I replicated this on the wireless unit, clients connected as expected. A little disappointed in the range of 5GHz band (a...
by sjoram
Fri Aug 30, 2019 12:27 am
Forum: Wireless Networking
Topic: VirtualAP Bridging
Replies: 4
Views: 1589

VirtualAP Bridging

I have a RB750Gr3 running as a router. This has several VLANs on the LAN side, one of which is VLAN 10. This connects to a HP switch via a tagged port. I have another tagged port set up for the hAP AC2. I've managed to configure the virtual AP (there will eventually be several SSIDs/VLANs) and clien...
by sjoram
Sat Aug 24, 2019 7:46 pm
Forum: General
Topic: IPSec Phase 1 fails on restart, multiple IPs
Replies: 20
Views: 6252

Re: IPSec Phase 1 fails on restart, multiple IPs

Update: Had to revert my change as it re-introduced a problem of traffic only being initiated one way across the IPSec tunnel. In my setup, the IPs on my /29 subnet are only used in filter/NAT rules, so I was able to move them to another disused interface to take them off the WAN. With this in place...
by sjoram
Sat Aug 24, 2019 7:06 pm
Forum: General
Topic: IPSec Phase 1 fails on restart, multiple IPs
Replies: 20
Views: 6252

Re: IPSec Phase 1 fails on restart, multiple IPs

Hi all, I just came across this after a software upgrade to ROS, so it must be a change in behaviour between versions. I had a srcnat rule at the top of my NAT rules chain=srcnat src=10.0.0.0/8 dst=10.0.0.0/8 action=accept It would appear this was masquerading the lowest IP on the WAN interface. Lik...
by sjoram
Thu Aug 22, 2019 4:55 pm
Forum: General
Topic: IPSec Peer Encryption
Replies: 1
Views: 823

Re: IPSec Peer Encryption

To add, I have a PPPoE client towards the WAN, MTU/MRU 1432 however I also found I needed a Mangle rule for any TCP MSS over 1387 to reduce to 1386 in & out. I think due to PMTUD issues.
Could this explain why the modp over 1024 fails?
by sjoram
Tue Aug 20, 2019 1:37 am
Forum: General
Topic: SSL Wildcard Cert
Replies: 3
Views: 1694

Re: SSL Wildcard Cert

Thanks, confirmed by setting a new A record x.domain.net as necessary. Will leave this post here in case it helps others!
by sjoram
Tue Aug 20, 2019 1:18 am
Forum: General
Topic: IPSec Peer Encryption
Replies: 1
Views: 823

IPSec Peer Encryption

I have a site-to-site VPN running with the following settings: Proposal: Auth sha512 Encryption aes-256-cbc PFS modp3072 Peer: Hash: sha512 Encryption: aes-256 DH Group: modp1024 My understanding is best practice is to use modp3072 as a minimum for DH groups, but the connection will not establish if...
by sjoram
Tue Aug 20, 2019 12:04 am
Forum: General
Topic: SSL Wildcard Cert
Replies: 3
Views: 1694

Re: SSL Wildcard Cert

I think I have answered my own question and it appears to be my limited knowledge of the mechanics of SSL certs.

My wildcard cert is for *.domain.net - this won't allow me to use it for *.*.domain.net - that is one level of subdomain too deep....
by sjoram
Tue Aug 20, 2019 12:00 am
Forum: General
Topic: SSL Wildcard Cert
Replies: 3
Views: 1694

SSL Wildcard Cert

I am looking to enable HTTPS via Port Knocking, which I have tested successfully. However, I do have one issue. I am using a Let's Encrypt wildcard certificate. This works absolutely fine with IIS, a mail server and another web server. With Webfig, it is throwing an error that the certificate CN is ...
by sjoram
Sat Jul 27, 2019 3:59 pm
Forum: General
Topic: Script - ping 'watchdog' - high latency
Replies: 0
Views: 1094

Script - ping 'watchdog' - high latency

Hi all, Having looked at various other forum posts, I'm trying to find a script to replace the System Watchdog. The reason for this is that often when my DSL connection loses sync, the PPP login on RouterOS gives up re-trying to establish PPP after a short time. This then requires either the PPP int...
by sjoram
Sun Feb 24, 2019 11:38 am
Forum: General
Topic: PPPoE client issue
Replies: 0
Views: 758

PPPoE client issue

Having an issue with PPPoE Client (for ISP WAN connection) trying to replace a RB750 with a hEX unit. Using a Draytek Vigor 120 v2 as PPPoA to PPPoE bridge Working RB750 is on 6.42.6 hEX was on 6.43.8 but I'm planning to update to 6.43.12 before trying again PPPoE client config: /interface pppoe-cli...
by sjoram
Tue Feb 12, 2019 10:27 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 188
Views: 61605

Re: Blacklist Filter (Development Topic)

Hi Dave, Very sorry to hear of the challenges that life has thrown at you of late. I sincerely wish you and your family all the very best. Thank you for your work on this, you know yourself how much demand your servers have seen, so I am sure this is benefiting and making life easier for a lot of pe...
by sjoram
Sun Jan 27, 2019 2:42 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 188
Views: 61605

Re: Blacklist Filter (Development Topic)

I found your Patreon. I looked at the different 'tiers' - $10 currently works out about £7.50 a month...I'd be more than happy to support your work. However, I do have a couple of questions (others with knowledge of your project may also have views) - sorry if this is not the best place to ask, but ...
by sjoram
Sun Jan 27, 2019 12:56 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 3150

Re: Best practice hardening/NAT rules

Thanks all - I spent about 6 hours in Winbox yesterday re-crafting my config from the existing RB750 onto the RB750Gr3. I have a new found appreciation for the ability to backup/export a configuration, though as mentioned I was never going to do that here! As an aside, in my professional life (ROS i...
by sjoram
Sun Jan 27, 2019 12:44 pm
Forum: General
Topic: Default fasttrack rule
Replies: 2
Views: 1060

Re: Default fasttrack rule

Here are some of the rules that I think the default IPSec accept may cause problems with: IPSec Policy: add dst-address=10.5.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.0.0.0/16 \ tunnel=yes add dst-address=10.6.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address...
by sjoram
Sun Jan 27, 2019 12:34 pm
Forum: General
Topic: Default fasttrack rule
Replies: 2
Views: 1060

Default fasttrack rule

I have just re-built the configuration for one of my ROS devices (replacing a RB750 with RB750Gr3) and as such I was working from the "new" default configuration. I have not previously used the fasttrack functionality, but I read that by its nature, it bypasses certain things that may caus...
by sjoram
Sun Jan 27, 2019 12:21 pm
Forum: General
Topic: defconf: drop all not coming from LAN really needed?
Replies: 12
Views: 22785

Re: defconf: drop all not coming from LAN really needed?

I actually don't quite understand the need for this rule. Isn't it best hinged on WAN? ...the main reason this was not done is that many RouterOS novices who configure PPPoE (very commonly needed as a method to connect to the Internet, accomplished by adding a new PPPoE client interface) are comple...
by sjoram
Fri Jan 18, 2019 6:24 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 3150

Re: Best practice hardening/NAT rules

I have come across that one, thanks. I don't think the 3MB RAM I have left will cope with that right now, but will look once to try it once I've upgraded!
by sjoram
Fri Jan 18, 2019 4:45 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 3150

Re: Best practice hardening/NAT rules

I've started looking to use address lists, both to permit legitimate traffic and block some rogues. The latter is proving a challenge on the 32MB RAM in RB750 (I've had to reduce the timeout to reduce the list size), another reason for hardware upgrade! Edit: Port knocking - why didn't I do that bef...
by sjoram
Fri Jan 18, 2019 3:23 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 3150

Re: Best practice hardening/NAT rules

Thanks guys. I think my problems stem from having moved over to RouterOS several years ago when: a) I still had a lot to learn about networking and firewalls/routing specifically. (Still do, but it's a lot better now!) b) I think earlier versions of ROS on which my config was built didn't have so ma...
by sjoram
Fri Jan 18, 2019 2:03 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 3150

Best practice hardening/NAT rules

Hi all, I currently have a RB750 and RB750GL at two different locations, which have been in place for a couple of years. These have a PPP client connection to the ISP on the WAN side. I have found over the past year or so a number of issues as a result of my misconfiguration of the devices and had s...
by sjoram
Thu Nov 29, 2018 12:39 pm
Forum: Scripting
Topic: Update interface address, DHCP server configuration in bulk
Replies: 1
Views: 1028

Update interface address, DHCP server configuration in bulk

I have a RB750 that we occasionally use to pre-build a LAN environment simulating certain functions of the WAN router. I have no experience of scripting in RouterOS but would like to find a way of entering a new list of subnets which would then automatically update the following: 7 x VLAN interface ...
by sjoram
Wed Jul 25, 2018 10:12 pm
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 9568

Re: Router compromised [SOLVED]

I believe mine may have been this: http://www.networkinghowtos.com/howto/mikrotik-routeros-remote-vulnerability-exploiting-the-winbox-service/ I have seen another post (which I will not reproduce here) detailing the exact steps required to perform the exploit. This leads me to believe my device may ...
by sjoram
Tue Jul 24, 2018 12:45 pm
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 9568

Re: Router compromised [SOLVED]

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default? Whe...
by sjoram
Tue Jul 24, 2018 11:14 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 9568

Re: Router compromised [SOLVED]

There was a breach earlier /maybe month ago or so/ and I've changed name of admin account and disable it, create another user with full access, upgrade firmware's /both/ and...the new username was used to access two of my routers. IP address of mikrotik.php script /empty/ was - 95.154.216.164 Did y...
by sjoram
Tue Jul 24, 2018 11:00 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 9568

Re: Router compromised [SOLVED]

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default?
by sjoram
Tue Jul 24, 2018 10:59 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 9568

Re: Router compromised [SOLVED]

Fortunately, I have the logs from my device being captured via syslog. I am just trawling through these (1700 so far) and appear to have seen the first sign last night of when I noticed problems. This shows a SUCCESSFUL winbox login, followed by SOCKS config changes and scripts being added/removed. ...
by sjoram
Tue Jul 24, 2018 4:37 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 9568

Re: Router compromised [SOLVED]

Ouch. Well "at least" it's not just me. I've spent 3 hours on it and it seems to have subsided - for now, at least.

Router has now been up 1h6m and the best it has otherwise managed in the past 3.5 hours was 15 mins.
by sjoram
Tue Jul 24, 2018 4:27 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 9568

Router compromised [SOLVED]

I found my RB750 crashing due to running out of RAM this evening. Upon deeper investigation, it appeared that unauthorised access had been obtained to the router. Some firewall "drop" rules were disabled and there was a "mikrotik.php" file along with some scripts running. I found ...
by sjoram
Sun Mar 25, 2018 12:51 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 6840

Re: DHCP relay problem

When I disable the rule of source (PPPoE Public IP) to destination 10.0.0.0/8, I can see (having added a passthrough rule) that counters for source public IP to destination 10.0.0.0/8 are increasing when DHCP requests are made. Therefore Router B is forwarding DHCP relay packets with a source of the...
by sjoram
Sat Mar 24, 2018 7:40 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 6840

Re: DHCP relay problem

OK, so I've worked through all my NAT rules and confirmed that it's the srcnat rule "fixing" the source IP for traffic passing over the IPSec tunnel that's causing the problem. Traffic flow is: DHCP Server (10.0.0.5/16) <--> Switch <--> Router A <--> IPSec <--> Router B <--> Switch <--> DH...
by sjoram
Mon Mar 05, 2018 5:32 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 6840

Re: DHCP relay problem

Resurrecting an old thread here, folks. Apologies, it's been lower down my priority list for a while so hadn't got back to it. I haven't tried removing the source address on the DHCP relay but I don't see that it should cause a problem? The reason for the srcnat rule(s) is as per https://wiki.mikrot...
by sjoram
Fri Aug 04, 2017 3:32 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 6840

Re: DHCP relay problem

*bump* Any thoughts anyone? A bug or something in my config I'm missing?
by sjoram
Tue Jun 06, 2017 6:14 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 6840

Re: DHCP relay problem

/interface vlan add interface=ether2-master-local name=VLAN5 vlan-id=5 add interface=ether2-master-local name=VLAN10 vlan-id=10 add interface=ether2-master-local name=VLAN20 vlan-id=20 add interface=ether2-master-local name=VLAN40 vlan-id=40 add interface=ether2-master-local name=VLAN60 vlan-id=60 a...
by sjoram
Sat Mar 11, 2017 3:19 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 6840

Re: DHCP relay problem

I've just spent some time looking at this again as I still haven't managed to get it resolved. From the client machine sending the DHCP requests, all Wireshark shows up is a bunch of DHCP Discover packets. The DHCP server is showing DHCP Discover packets and DHCP offer being returned. However the DH...
by sjoram
Mon Jan 23, 2017 6:51 pm
Forum: General
Topic: Best Routerboard for IPSec on DSL
Replies: 2
Views: 1106

Best Routerboard for IPSec on DSL

Can anyone recommend the best current model Routerboard for use on xDSL when running an IPSec tunnel between 2 devices? I have read some devices are better as the hardware can accelerate encryption performance rather than relying so heavily on CPU? Bear in mind that I only use 2 x interfaces on both...
by sjoram
Tue Jan 03, 2017 10:06 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 6840

DHCP relay problem

I have a problem with DHCP relay on some of my VLANs. It is working fine on one but not the others. The DHCP server is 10.0.0.5/16 on a HP switch with VLAN interface into RB750 There are other local VLANs on that switch using DHCP relay on the RB750 without issue. I have an IPSec VPN to a RB750GL, w...
by sjoram
Sat Oct 29, 2016 7:27 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 1656

Re: Unreplied connections

I've now enabled reverse path filtering as well as tweaking the drop rules at the bottom of the chain...and things are looking much better now.
by sjoram
Sat Oct 22, 2016 1:46 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 1656

Re: Unreplied connections

Update: I noticed the problem was more pronounced on one device than the other and there were subtle differences between the two in the rules configured to drop traffic.
I've tweaked this and will see how things go over the next week or so.
by sjoram
Sat Oct 22, 2016 1:26 pm
Forum: General
Topic: ISP requires VLAN and pbit set
Replies: 8
Views: 7447

Re: ISP requires VLAN and pbit set

Did you try limiting the MSS in TCP packets as per earlier posts? My 2x WAN connections are xDSL and only 20/2 and 80/20 respectively but I had major issues until I did this.
by sjoram
Sat Oct 22, 2016 1:20 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 1656

Unreplied connections

I have 2x RouterOS running on 2x RB750 series routers. I'm having major problems with unreplied connections on both devices. Both the source and destination addresses are NOT on my local network, so I suspect there is some spoofing of the source addresses. My question is how can I block these reliab...
by sjoram
Sat Feb 13, 2016 12:25 pm
Forum: General
Topic: srcnat rule not working
Replies: 0
Views: 796

srcnat rule not working

Hi all, I have moved a device on my network from one VLAN with a /16 subnet onto another with a /30. It was on 10.5.0.0/16 (VLAN10) and has moved to 192.168.5.0/30 (VLAN5) RouterBOARD 750GL is 10.5.0.254 and 192.168.5.1 respectively. Device of interest was 10.5.2.2 now 192.168.5.2 I have a srcnat ru...
by sjoram
Sat May 16, 2015 10:26 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 3446

Re: Problem with DHCP Relay & IPSec

**Edited**

This is now resolved and was the result of a couple of configuration screw ups.

Namely, DHCP snooping on switch at main site & Source NAT rule covering traffic going between each site.
by sjoram
Sun May 03, 2015 1:31 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 3446

Re: Problem with DHCP Relay & IPSec

Yes the IPSec tunnel is working. Packet capture on the DHCP server doesn't show any DHCP packets originating from the remote network.
by sjoram
Sat May 02, 2015 10:20 pm
Forum: General
Topic: PPTP not reconnecting
Replies: 13
Views: 5205

Re: PPTP not reconnecting

I recommend the Draytek Vigor 120 modem.
I'm running this with a RB750 on ADSL2+ and it works great.
Modem just worries about keeping the DSL in sync, RB750 handles the PPP login.
by sjoram
Sat May 02, 2015 9:53 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 3446

Re: Problem with DHCP Relay & IPSec

Bumping this as no replies and still haven't managed to resolve...
I've also attempted to deploy on my new FTTC (VDSL) circuit and had the same issue and that is not behind another NAT router....
by sjoram
Sat Mar 14, 2015 5:54 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 3446

Problem with DHCP Relay & IPSec

Having an issue with DHCP Relay not working over an IPSec tunnel. I've found a few previous posts and tried suggestions there to no avail. This is only a temporary setup for a few months, so don't want to waste too much time on it, but would be nice to get working if possible. I'm currently using...
by sjoram
Sun Aug 10, 2014 4:27 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 7225

Re: IPSec - Dynamic IP with Double NAT

I'll check out the script, thanks.

Ref the tunnel not passing traffic after one end upgraded to v6.18 with other end still on v6.17, I've now upgraded the other RB750 and have both ends on v6.18 and the tunnel is now passing traffic.
by sjoram
Sun Aug 10, 2014 4:26 pm
Forum: General
Topic: v6.17 SNMP - Interface Stats
Replies: 56
Views: 24506

Re: v6.17 SNMP - Interface Stats

I have just upgraded to v6.18 and currently working. Will monitor and report back if it falls over again.
by sjoram
Wed Aug 06, 2014 2:48 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 7225

Re: IPSec - Dynamic IP with Double NAT

Update to this: I haven't found a way to deal automatically with the dynamic IP on one side yet, but it hasn't as yet changed - I'm not sure how the lease works from the ISP but it seems semi-sticky. But I've upgraded ROS on the RB750 at one end to v6.18 with the other end still on v6.17 and cannot ...
by sjoram
Sun Aug 03, 2014 11:42 am
Forum: General
Topic: v6.17 SNMP - Interface Stats
Replies: 56
Views: 24506

Re: v6.17 SNMP - Interface Stats

I've just tried the disable, reboot, enable, reboot to no avail. Some "sensors" are responding to an auto-discovery (see below) but not the ones (interfaces) that I'm interested in. Trying to manually add an interface "sensor", the device reports no interfaces are available. http...
by sjoram
Sun Jul 20, 2014 5:26 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 6814

Re: NAT problem

Just in case anyone does a search and is reading this thread, I resolved. http://forum.mikrotik.com/viewtopic.php?f=2&t=87170 /ip firewall nat add chain=dstnat action=dst-nat to-addresses=<private IP e.g. 10.0.0.5> to-ports=<private port e.g. 9326> protocol=tcp dst-address=<public IP> dst-port=<...
by sjoram
Sun Jul 20, 2014 5:15 pm
Forum: General
Topic: Doubts about pppoe MTU
Replies: 5
Views: 1785

Re: Doubts about pppoe MTU

If I understand your problem correctly, see screenshots in below file.
You need one rule to cover in interface and another rule to cover out interface (same interface on both rules - your PPP interface).

http://www.oram-net.net/public/ROS-MSS.pdf
by sjoram
Sun Jul 20, 2014 5:06 pm
Forum: General
Topic: Hairpin NAT - Problem configuring
Replies: 2
Views: 2156

Re: Hairpin NAT - Problem configuring

Thanks, I re-read the wiki article yet again and the srcnat stuff finally clicked in my head.
I've configured & working.
by sjoram
Sun Jul 20, 2014 12:47 pm
Forum: General
Topic: Doubts about pppoe MTU
Replies: 5
Views: 1785

Re: Doubts about pppoe MTU

My PPPoE MTU is 1432 but I had to use MSS clamping to reduce MSS on TCP SYN packets to 1386.
by sjoram
Sat Jul 19, 2014 1:23 pm
Forum: General
Topic: Hairpin NAT - Problem configuring
Replies: 2
Views: 2156

Hairpin NAT - Problem configuring

Trying to configure Hairpin NAT and I can't make it work. I need clients on 10.0.0.0/16 (VLAN 10) to be able to access the services as per the dstnat rules. Other VLANs and external connections can work the dstnat rules fine, it's just clients on the same VLAN/subnet as the server they are accessing...
by sjoram
Sat Jul 19, 2014 1:00 pm
Forum: General
Topic: v6.17 SNMP - Interface Stats
Replies: 56
Views: 24506

v6.17 SNMP - Interface Stats

I have been using PRTG Network Monitor to collect via SNMP interface (bandwidth) statistics. Since some time yesterday after upgrade to v6.17, the interfaces are no longer reporting via SNMP. I've deleted all SNMP "sensors" and re-run an auto-discovery and it has not found any of the inter...
by sjoram
Fri Jul 18, 2014 11:57 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 7225

Re: IPSec - Dynamic IP with Double NAT

Right, I've managed to 'fudge' this. Phase1 came up no problems but when I enabled debug logging for IPSec, the RB750 with the double NAT gave the error that it ignored the packet because it does not listen on the public IP address. Since nothing going to the WAN interface of the RB750 from the WAN ...
by sjoram
Fri Jul 18, 2014 7:46 pm
Forum: General
Topic: RB750 Routerboard Upgrade problem
Replies: 7
Views: 3541

Re: RB750 Routerboard Upgrade problem

All good.
I've just done the ROS and RB upgrade.

Cheers
by sjoram
Fri Jul 18, 2014 7:41 pm
Forum: General
Topic: ISP requires VLAN and pbit set
Replies: 8
Views: 7447

Re: ISP requires VLAN and pbit set

Try the forward chain.
I have a mangle rule to change the MSS on packets in/out of WAN interface and mine uses forward chain.
by sjoram
Fri Jul 18, 2014 7:28 pm
Forum: General
Topic: RB750 Routerboard Upgrade problem
Replies: 7
Views: 3541

Re: RB750 Routerboard Upgrade problem

Thanks.

I currently have 2.36 RB with 5.4 ROS
There was not a newer version within 5.4
Tried copying the file to the device to do the RB upgrade but it's not taking it.

OK to upgrade direct to ROS 5.26 from the versions above?
by sjoram
Fri Jul 18, 2014 7:14 pm
Forum: General
Topic: RB750 Routerboard Upgrade problem
Replies: 7
Views: 3541

Re: RB750 Routerboard Upgrade problem

So essentially, do the ROS upgrade first, then the RouterBOARD?

I thought I saw somewhere it should be done RouterBOARD first but could be wrong?
by sjoram
Fri Jul 18, 2014 6:46 pm
Forum: General
Topic: RB750 Routerboard Upgrade problem
Replies: 7
Views: 3541

RB750 Routerboard Upgrade problem

I have 2xRB750 Managed to upgrade one RouterBOARD (& then RouterOS) fine this morning. The other is refusing to upgrade. The new RouterBOARD goes on but then after the reboot it reverts back to the old version again. Current RBOARD version is 2.36 Trying to upgrade to the current latest version,...
by sjoram
Fri Jul 18, 2014 5:26 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 7225

Re: IPSec - Dynamic IP with Double NAT

Scripts will not help you here. MikroTik IPSec requires the IPSec responder [IPSec server] to directly terminate a public IP [not be behind NAT]. NAT-T only works on client side with MikroTik. So just to be clear, you think the Netgear that has worked previously must have been behaving differently?...
by sjoram
Fri Jul 18, 2014 1:58 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 7225

IPSec - Dynamic IP with Double NAT

Hi All, I need to compile a script that will get the WAN IP address from an internet source (because the RB750 is doing double-NAT so its WAN IP address is not a public IP address). I then need this to run a script to update the local WAN IP address of an IPSec tunnel. (The other end has a fixed IP)...
by sjoram
Sat May 17, 2014 10:19 pm
Forum: General
Topic: IPSec with Dynamic IP Peer
Replies: 1
Views: 1095

IPSec with Dynamic IP Peer

Hi, Apologies, I know this has been asked a number of times before but having read a few threads, I'm struggling to adapt the scripts I need to my scenario. My RB750 has a static IP address available for its side of the connection, however the remote end is using a Netgear device on a Dynamic IP add...
by sjoram
Sun Dec 29, 2013 11:15 am
Forum: Beginner Basics
Topic: Block comms between VLANs except DHCP & Public IPs
Replies: 3
Views: 1653

Re: Block comms between VLANs except DHCP & Public IPs

Resolved - devices I was creating an exception for had a mis-configured gateway!
by sjoram
Sat Dec 28, 2013 11:17 pm
Forum: SwOS
Topic: Mix untagged/tagged (access/trunk) VLANs on same port?
Replies: 2
Views: 8093

Re: Mix untagged/tagged (access/trunk) VLANs on same port?

Thanks, I'll give that a try when I get a moment.
by sjoram
Sat Dec 28, 2013 9:18 pm
Forum: Beginner Basics
Topic: Dynamic Mangle rule for reducing MSS value
Replies: 0
Views: 2276

Dynamic Mangle rule for reducing MSS value

Hi all, Previously used my RB750 on a MPoA connection but have recently moved to PPPoA. Have a Draytek Vigor 120 acting as PPPoA to PPPoE bridge. Have a PPPoE client configured on my RB750 to login to my ISP and this acts as my dialer interface. Had some problems which with the help of http://forum....
by sjoram
Fri Dec 27, 2013 2:06 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 6747

Re: Email - error connecting to server

Edit: Thought I had it sorted, but I haven't.
Getting further than before but still no success. Getting a timeout, but don't understand why as no internal nor external client has any issue connecting to my mail server.

by sjoram
Fri Dec 27, 2013 1:13 am
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 6747

Re: Email - error connecting to server

Setup is exactly as per working mail clients.
Using System/Email in Winbox and using the send test message option
by sjoram
Thu Dec 26, 2013 3:49 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 6747

Re: Email - error connecting to server

No fw running on server. No issues inside LAN (any VLAN) or from WAN with any other smtp access
by sjoram
Thu Dec 26, 2013 3:38 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 6747

Re: Email - error connecting to server

Correct, trying to enable ROS email function.
Tried internal mail server and gmail.
With debug level logging all I get is error connecting to server. No further info.
by sjoram
Thu Dec 26, 2013 3:22 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 6747

Re: Email - error connecting to server

PCs are fine, just ROS is the issue. Can ping IP no problem.
by sjoram
Thu Dec 26, 2013 3:03 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 6747

Re: Email - error connecting to server

Tried that, only got the same as per thread summary.
by sjoram
Thu Dec 26, 2013 10:31 am
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 6747

Re: Email - error connecting to server

Nothing at all - doesn't appear to be reaching it.
by sjoram
Tue Dec 24, 2013 9:22 pm
Forum: SwOS
Topic: Mix untagged/tagged (access/trunk) VLANs on same port?
Replies: 2
Views: 8093

Mix untagged/tagged (access/trunk) VLANs on same port?

Sorry for posting a question that has come up on a number of other threads, but looking for clarity on the latest status. Elsewhere, I use HP Procurve 2600 series switches which can mix both untagged and tagged VLANs on the same port, no issue. I bought one of the RouterBOARD SwOS products assuming ...
by sjoram
Tue Dec 24, 2013 9:09 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 6814

Re: NAT problem

The above masquerade didn't work. I'm currently running a f/w version that doesn't allow export compact (reluctant to upgrade unless I have a particular issue to solve - been a victim of failed firmware upgrades on devices in the past!). Tell me what sections I need to post from the config and I'll ...
by sjoram
Tue Dec 24, 2013 9:03 pm
Forum: Beginner Basics
Topic: Block comms between VLANs except DHCP & Public IPs
Replies: 3
Views: 1653

Re: Block comms between VLANs except DHCP & Public IPs

Edited: I have this working now, except for one particular exception. I have rules set as per below:
Accept UDP 67-68 from 10.4.0.0/16 to 10.0.0.5
Drop all (other) from 10.4.0.0/16 to 10.0.0.0/8
I'm trying to add the following (above the drop rule), but it appears the below isn't allowing traffic to ...
by sjoram
Tue Dec 24, 2013 9:00 pm
Forum: General
Topic: Email - error connecting to server
Replies: 14
Views: 6747

Email - error connecting to server

Configured email server settings, getting the above when sending a test email. No Firewall rules to prevent this, and email server is on VLAN connected to my RB750. Other external and internal clients using the mail server normally. Router can ping/traceroute the IP address without an interface spec...
by sjoram
Tue Dec 24, 2013 8:37 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 3485

Re: RB750 - Hotspot & DNS

I've just come across the same problem - what was the fix? I'll search out the thread when I have a mo and post link. Sorry for delay posting back. Can't find original thread to give context as to how/why this works, but filter rule added as follows (needs to be done from CLI): add action=accept ch...
by sjoram
Sat Dec 14, 2013 5:37 pm
Forum: General
Topic: PPPoE Client (WAN)
Replies: 2
Views: 1162

Re: PPPoE Client (WAN)

Thanks, I'll make a note to amend the interface as well as updating the IP address it is masquerading as! :D
by sjoram
Sat Dec 14, 2013 5:24 pm
Forum: General
Topic: PPPoE Client (WAN)
Replies: 2
Views: 1162

PPPoE Client (WAN)

Changing ISPs soon and will need to configure PPPoE client (first time on ROS). I've pre-configured the PPPoE interface and left disabled. Question is, I currently have some srcnat rules that specify the out interface as eth1. (Masquerade) Can I leave these rules as eth1 or will I need to change the...
by sjoram
Sat Dec 14, 2013 5:22 pm
Forum: General
Topic: Block DNS other than OpenDNS
Replies: 2
Views: 2232

Re: Block DNS other than OpenDNS

Thanks, I'll try that tomorrow.

Edit: Working a treat :D
by sjoram
Sat Dec 14, 2013 4:57 pm
Forum: General
Topic: Block DNS other than OpenDNS
Replies: 2
Views: 2232

Block DNS other than OpenDNS

All, Looking to add a firewall rule on the output chain that blocks all DNS packets other than to OpenDNS IP addresses. Am I correct in that I need to add 2 filter rules on the output chain to allow packets to the 2 OpenDNS IP addresses (1 per IP) and then a block rule that needs to be UNDERNEATH th...
by sjoram
Tue Oct 15, 2013 12:40 am
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 3485

Re: RB750 - Hotspot & DNS

I've just come across the same problem - what was the fix?
I'll search out the thread when I have a mo and post link.
by sjoram
Sat Sep 21, 2013 7:04 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 3485

Re: RB750 - Hotspot & DNS

Managed to find another thread on here that enabled me to add a further filter rule to the pre-hotspot chain to resolve this.
by sjoram
Sat Sep 21, 2013 5:24 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 3485

Re: RB750 - Hotspot & DNS

I've tried disabling this rule and it prevents clients from being re-directed to the login page, they have to browse to the page manually.
Any suggestions for how I can fix the routing of DNS once clients have authenticated to the hotspot?
by sjoram
Tue Sep 17, 2013 3:35 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 3485

Re: RB750 - Hotspot & DNS

All I need is for DNS requests from hotspot clients to appear from the correct IP address to external DNS resolvers and not use the internal DNS cache. If I remove/disable the entry for DNS redirection, will clients connecting initially still be redirected to the hotspot login page? I'll give it a t...
by sjoram
Tue Sep 17, 2013 3:01 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 3485

Re: RB750 - Hotspot & DNS

Thanks, I spotted that after my original post. Question now is can I remove this without affecting hotspot functionality?
by sjoram
Tue Sep 17, 2013 11:27 am
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 3485

Re: RB750 - Hotspot & DNS

*bump* Can anyone assist?
by sjoram
Sun Sep 08, 2013 4:35 pm
Forum: General
Topic: RB750 - Hotspot & DNS
Replies: 10
Views: 3485

RB750 - Hotspot & DNS

Hi, I use OpenDNS for DNS but I have a couple of different IP addresses with different filtering categories. I have different masquerade rules configured for different internal VLANs such that most appear to the outside world on one particular IP address but there is one VLAN that appears on a diffe...
by sjoram
Mon Apr 01, 2013 3:06 pm
Forum: Beginner Basics
Topic: Block comms between VLANs except DHCP & Public IPs
Replies: 3
Views: 1653

Block comms between VLANs except DHCP & Public IPs

Hi all,

Need help on how I configure RB750 to block comms between VLANs on internal IPs (10.x.0.0/16 subnets, 1 per VLAN) but allow DHCP (inc relay) and allow any traffic directed at public IPs which have NAT rules forwarding to a host on one of the VLANs.
by sjoram
Sat Mar 09, 2013 9:17 pm
Forum: General
Topic: RB750 v5.4 cannot export compact
Replies: 3
Views: 1183

Re: RB750 v5.4 cannot export compact

:lol: ...sorry, ignore me... for some reason my brain read 5.4 as a higher revision than 5.12 :?
by sjoram
Sat Mar 09, 2013 8:02 pm
Forum: General
Topic: RB750 v5.4 cannot export compact
Replies: 3
Views: 1183

RB750 v5.4 cannot export compact

As above, RB750 v5.4 cannot use export compact
Get error 'expected end of command' suggesting it doesn't like me adding compact to the end of the export command.
Any ideas?
by sjoram
Tue Feb 26, 2013 9:33 pm
Forum: General
Topic: PPTP connection drops when user has Linksys wireless router
Replies: 26
Views: 13858

Re: PPTP connection drops when user has Linksys wireless rou

Just to advise that I seem to be having PPTP VPN on 2k3 server dropping after around 30-45mins of running OK using a RB750.
by sjoram
Tue Feb 26, 2013 8:50 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 6814

Re: NAT problem

Thanks, I'll wait till the weekend to move the public IPs so I'm on site if things go wrong.
Will then take a look and see what I have.
Thanks all for the input so far.
by sjoram
Tue Feb 26, 2013 7:15 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 6814

Re: NAT problem

This is what I have at the moment. The masquerade issue aside, should the below work? Yes I know some are disabled - I disabled them after they didn't work as expected, until I had the chance to look at it again. /ip firewall filter add action=passthrough chain=unused-hs-chain comment=\ "place ...
by sjoram
Mon Feb 25, 2013 7:38 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 6814

Re: NAT problem

This is why I don't think masquerade will work on VLAN10. Do I actually need the IP addresses assigned to VLAN10 for NAT to work? I have srcnat rules running to mask external traffic going to the internet behind two IPs (rather than using the default masquerade), one of these is not included on the ...
by sjoram
Mon Feb 25, 2013 8:58 am
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 6814

Re: NAT problem

Yep, problem I have is I'm not sure I can use masquerade as I have a number of IP addresses assigned to that particular interface, so how would it know which to use for masquerade?
by sjoram
Sun Feb 24, 2013 11:35 am
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 6814

Re: NAT problem

OK today I have tried:
Chain srcnat
Src Add 10.0.0.0/16
Dst Add 46.65.209.241
Proto TCP
Dst Port 443
action = src-nat to 46.65.209.241
No joy. Interestingly, I have IIS running on port 80 NAT'ed against one IP address and that works without one of the above rules. Services directed at port 80 on anoth...
by sjoram
Sat Feb 23, 2013 10:17 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 6814

Re: NAT problem

Hmm, looks like what I need but can't make it work. The example command on the wiki won't work for me because the interface has multiple IP addresses assigned so I can't use masquerade. Tried customising the rule to my situation but no joy. Essentially for my situation, for example, I have Web serve...
by sjoram
Sat Feb 23, 2013 5:39 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 6814

NAT problem

Hoping someone can assist with the below. New to RouterOS, gone live on a RB750 today. Having an issue with one of my NAT rules. Works great for users on other VLANs or on the Internet, but users on the same VLAN as the server are not connecting. My old Netgear used to run its NAT rules on internal ...
by sjoram
Sun Feb 10, 2013 10:07 pm
Forum: Beginner Basics
Topic: RB750 - VLANs/Bridges/Interfaces
Replies: 6
Views: 3500

Re: RB750 - VLANs/Bridges/Interfaces

I'd have thought a Cisco AP could send VLAN-tagged packets.
It can, other than the native VLAN as far as I can tell... (which is the problem!)
by sjoram
Sun Feb 10, 2013 9:56 pm
Forum: Beginner Basics
Topic: RB750 - VLANs/Bridges/Interfaces
Replies: 6
Views: 3500

Re: RB750 - VLANs/Bridges/Interfaces

I don't think that's what I'm trying to do. Essentially over my two sites I would have:
VLAN 10 = 10.0.0.0/16 <--> 10.5.0.0/16
VLAN 20 = 10.1.0.0/16 <--> 10.6.0.0/16
VLAN 40 = 10.2.0.0/16 <--> 10.7.0.0/16
VLAN 60 = 10.3.0.0/16 <--> 10.8.0.0/16
VLAN 80 = 10.4.0.0/16 <--> 10.9.0.0/16
I don't need to h...
by sjoram
Sun Feb 10, 2013 9:43 pm
Forum: Beginner Basics
Topic: RB750 - VLANs/Bridges/Interfaces
Replies: 6
Views: 3500

Re: RB750 - VLANs/Bridges/Interfaces

Essentially what I'm trying to do is:
Port 1 - WAN
Port 2 - VLAN10 client (no tag)
Port 3 - VLAN10 client (no tag)
Port 4 - VLAN10 client (no tag)
Port 5 - Cisco WAP (VLAN10 no tag, VLANs 20,40,60,80 with tags)
No need to firewall between VLAN10 clients, but I'd want to firewall off the VLANs from co...
by sjoram
Sun Feb 10, 2013 8:55 pm
Forum: Beginner Basics
Topic: RB750 - VLANs/Bridges/Interfaces
Replies: 6
Views: 3500

RB750 - VLANs/Bridges/Interfaces

Hi guys, Relatively new to RouterOS and need some help. Working with a RB750 and need to know if there's a solution to the below, or whether I'm trying to do the impossible. I'm going to be running two RB750s in two separate locations, one of which is running VLAN-capable switches, one of which is n...