MikroTik

msatter

security by obscurity Anyway management interfaces, be it Winbox, APIs, ssh, web and whatnot should never be exposed without proper filtering. So the version display is harmless in my opinion. I agree. If the untrusted person can see your TELNET interface, you are in much bigger trouble than an exp...

msatter

And then you have return that also stops the processing in not only the chain but also all the chains that page just like no passthrough.

msatter

All software/interfaces by Mikrotik mention the software version before login, including the Android app.

Then this must be something Mikrotik wants to communicate up front. So you can think to have RouterOS not share the current version of it and state a null value.

msatter

NordVPN says no. RouterOS is getting outdated.

msatter

I just checked and it is not going to happen till ROS 7.

viewtopic.php?p=650295

msatter

Hmmmm, interesting. I thought IKEv2 client could not do this. Going test this on a later moment.

msatter

No go, as stated on that page.

msatter

Write an e-mail to support@mikrotik.com and hope they can give you specific info.

msatter

Just keep reporting those posts.
Anyone can create an account and if they missbehave then they will be removed.

msatter

Just to add: once also before this time I couldn't login from the outside, and I found that the winbox service was "disabled" !

Define outside?

msatter

Maybe this:
viewtopic.php?f=21&t=137572&start=250#p696662

msatter

It looks sound but then I am not a expert on that.

msatter

Pi-hole is running in low power usage, and not that expensive devices. Pi-hole also features Regex so Facebook and Google can be caught and blocked. Youtube advertising is not blockable by DNS.

msatter

My answer did mentioning two places (DNS and DHCP) to change setting towards Pi-hole. If you have done that and it seemed you did because either with or witout those two lines it worked.

Those two lines, still can be omited.

msatter

Look at your DNS servers and those are going to Google and Cloudflare. Better is to use the DNS from IPVanish.

https://support.ipvanish.com/hc/en-us/a ... -DNS-Leaks

msatter

This is a catcher for traffic that want to passby the normal path. That are line one and two. First you are going to tell the clients in DHCP that they are going to use the pi-hole as DNS. If that works then you are pointing the DNS of the router itself to pi-hole. If that works then you are doing s...

msatter

I put that in NAT and the only DNS traffic allowed out is from the Pi-hole. Any other traffic on port 53, 5353, 853 is forced to the Pi-hole. Lets hope it ignores fake DNS traffic that eas not intended for DNS servers.

msatter

RouterOS converts domains to IP addresses and stores those. Not efficient to do it that way and better keep using Pi-hole like I do.

msatter

My firewall more made for domestic use and the tips from the last posting members where more appropiate for you. I can't go without connection tracking and I go do some tuning for myself.

msatter

"tune (=reduce) conn tracking timeouts" is only relevant if you want to do connection tracking. Do you? If yes: you could reduce the timeout timing, so that connections are cleaned up sooner. Ex: "TCP established timeout" /ip firewall connection tracking settings Further make sure FastTrack rule is...

msatter

Great table and it would be awesome if products of interest can be selected and viewed/compared in a dedicated table.

msatter

viewtopic.php?f=13&t=142762

msatter

p <---

msatter

It is just an interface that interact with the settings of the router.The text produced has a lot of spelling errors so hope the code is better.

If you look at APP by Mikrotik for Android/iPad/iPhone then you see a new interface that also could be ported to PC and Mac.

msatter

https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

msatter

Switch off auto negotiation. If possible set to 1000Mb or 1Gb

msatter

This forum is using English as language so please post in English.

msatter

Thanks shiyiqiang08, it did not make it working. I used torch and nothing went over the connection when using the Local Address (gateway). When I used the Remote Address packets were visible but they did not return. Looking at the connection table I see a difference between NAT and Direct. NAT 192.1...

msatter

I want to do without the NAT and the SSTP is to a VPN provider.

Because I received (invalid) packets back, pointing to the correct client and port I think the other side is natting.

Next I will look with torch what traffic is passing and what direction.

msatter

I want to use action=route in Mangle with a SSTP connection. And in that rule I put in DST-address, the Local Address of the SSTP connection. It seems to work but the packets returning back from the SSTP are not arriving back at my client. After a few seconds I get (ACK/RST) back on OUTPUT and those...

msatter

How do I route to VPN without NAT?

I only find example with NAT and my im thoughts are that I need the normal entry in IP-Route to the VPN and tag/point in Mangle to the route of theVPN.
Till now I always needed a SRC-NAT to gateway of the VPN.

msatter

By marking them notrack you convey the handling to an other device or an other part of the router. I use notrack for IPSEC because IPSEC can handle itself the connections.

Any traffic, even if dropped, will still use CPU power but not as much as connection tracking would take and terminate it then.

msatter

I don't think RouterOS v7 is that far away. Some v7 features are already implemented in v6.

On the DNS part there are better programs like Unbound that do that all, in a excellent way.

msatter

I am using SSTP as client since a short while and I have my MTU set to 1500. Test yours on this the ping under tools and tag the box df (do not defragment).

I read in wiki examples that the mrru was set to 1600 but that killed my connection also try it with disabled mrru.

msatter

I have to move the newly created rule not that much. I use copy wich duplicates the rule neighbouring is openend. There could be added a extra button which does the same as copy but defaults all the settings in that new rule. You have still to move the rule one up if you want it at the top of the ru...

msatter

Notrack won't help because connction tracking is already disabled by you.

viewtopic.php?f=2&t=114664&p=599785&hil ... os#p605976

msatter

Just thinking. Do you have them well grounded (earth)?

The best is to send a request for support to Mikrotik by e-mail: support@mikrotik.com

Explain what you kind of problem you have, and how you mounted them.

msatter

...and bgp multithreading support when?

First the hell has to freeze over.

viewtopic.php?f=1&t=141920#p699481

msatter

Untracked are connection that are not steered by Connection Tracking wich looks like a "mother chicken", if those connection are known to ther and were the have to go. When a connection is stray and not know it will not pass her beak (control) and be removed. Untracked traffic is traffic that is mar...

msatter

It is indeed meshy. About mixed usage the wiki talks about that, almost at the bottom of the page:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

msatter

Thanks Emils and this morning I tried drag and drop from the Files window in Winbox and it worked again. :D I hope that it was a temporary problem and downloading/install and clearing the Winbox cache did not work. One thing that is interesting now it working again I could not connect to the router ...

msatter

Youre welcome and Mikrotik gave us great tools to get insight.

msatter

With the last two betas if have Winbox glitching and crashing. I re-downloaded Winbox but it still sometimes does not the windows and while typing all the windows disappear. Only a restart helps and then I have still sometimes manually reload the layout. I find this strange because Winbox always wor...

msatter

What if you sort on MAC or interface. Also you have the find box in the right top corner with which you can highlight the address you want to track visually.

msatter

What if you search 10.81.37 or 192.168.3 if you seek that?

msatter

You can look in the wiki.mikrotik.com for examples.

Splitting csn be done in Mangle with NTH or PCC and only Routing-mark New connections so that the streams are complete going trough one or the other port.

In IP - Routing you can use that routingmark to select the gateway (ISP) of the connection.

msatter

I am not a expert on this but some things are explainable. MAC addresses outside your router are not know so you can only use MAC addresses inside your local network. The device is requesting the traffic and that could be why it is shown as source. I would add the dst-IP to the addresslist on basis ...

msatter

Topic: ....gps info kvm.... manual add prefix fetch and toggle !

You can also try with Topic: store and I csn't test it where I am right now.

msatter

Did you disable the auto stuff in the Mikrotik for that SPF.

FS offers to program the settings in the recognisation section with wished information.

msatter

Try onder System-Logging to add under Rules - Topic info Prefix line !fetch

Search found 985 matches