Community discussions

Search found 1240 matches

by msatter
Sun Oct 20, 2019 2:23 pm
Forum: Scripting
Topic: Health/Voltage shutdown script
Replies: 3
Views: 1946

Re: Health/Voltage shutdown script

English is the language used in this forum.
by msatter
Sun Oct 20, 2019 12:06 am
Forum: Beginner Basics
Topic: blocking traffic when ipsec/ikev2 is down
Replies: 5
Views: 392

Re: blocking traffic when ipsec/ikev2 is down

I didn't play much with RouterOS as IKEv2 client, but shouldn't this work?

/ip firewall filter add action=reject chain=forward connection-mark=nordvpnus ipsec-policy=out,none reject-with=icmp-network-unreachable

In filter you don't know yet if the dynamic NAT rules are already generated and in place if I...
by msatter
Sat Oct 19, 2019 11:47 pm
Forum: Beginner Basics
Topic: killing ikev2 with 2 ipsec/ikev2 peers
Replies: 3
Views: 312

Re: killing ikev2 with 2 ipsec/ikev2 peers

Use one profile, proposal, policy, policy group and profile for 1 up to 6 connections with NordVPN. The only difference I see is that I state SHA1 in the proposal:

add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=NordVPN pfs-group=none

And in the profile:

add dh-group=modp3072,modp2048,modp1024 ...
by msatter
Sat Oct 19, 2019 10:13 pm
Forum: Beginner Basics
Topic: killing ikev2 with 2 ipsec/ikev2 peers
Replies: 3
Views: 312

Re: killing ikev2 with 2 ipsec/ikev2 peers

You need a separate peer, mode-config and identity for every connection.
by msatter
Sat Oct 19, 2019 10:05 pm
Forum: Beginner Basics
Topic: blocking traffic when ipsec/ikev2 is down
Replies: 5
Views: 392

Re: blocking traffic when ipsec/ikev2 is down

To do that I put a line at the top of NAT that src-nats traffic marked for IKEv2 to IP 127.0.0.1.
by msatter
Sat Oct 19, 2019 12:01 am
Forum: General
Topic: [feature request] Blocking a special kind of DDoS
Replies: 11
Views: 786

Re: [feature request] Blocking a special kind of DDoS

It would be handy if 'add src to address list' could optionally convert it to a /24 (or whatever), I have a 15k+ address book at the moment. I am now thinking more of a new Extra besides Limit and Dst-limit because that would be cleaner. Your list is huge and this script just takes the last added IP ...
by msatter
Fri Oct 18, 2019 12:33 pm
Forum: Beginner Basics
Topic: NordVPN disconnected at 1 hour
Replies: 4
Views: 507

Re: NordVPN disconnected at 1 hour

I have no idea what could cause this; you could mail support@mikrotik.com about this.

Info about support: https://mikrotik.com/support
by msatter
Fri Oct 18, 2019 12:22 pm
Forum: RouterBOARD hardware
Topic: Usage GPON module SFP in Spain
Replies: 255
Views: 52650

Re: Usage GPON module SFP in Spain

Normally you need to get the sc/upc (blue) and the difference you can read about here:

http://www.fiber-optic-cable-sale.com/f ... c-upc.html
by msatter
Thu Oct 17, 2019 10:08 pm
Forum: General
Topic: 2 domain with same address in firewall address-list
Replies: 3
Views: 182

Re: 2 domain with same address in firewall address-list

That domains can be used in address-list was an extra added function. An address can only exist once in the same list. WWW looks nice but is in fact an error made in the past to mix a sub-domain with the top domain. So if we choose to always use WWW (redirect) for top webpages then all would be r...
by msatter
Thu Oct 17, 2019 6:23 pm
Forum: General
Topic: [feature request] Blocking a special kind of DDoS
Replies: 11
Views: 786

Re: [feature request] Blocking a special kind of DDoS

SUCCESS!!!

The script caught its first two address ranges trying to DDoS my router. :D

It is now fully automatic and I only have to check if it was correct in doing so.

Tonight another 17 ranges got caught.
by msatter
Thu Oct 17, 2019 5:46 pm
Forum: General
Topic: defend from large icmp requests
Replies: 4
Views: 246

Re: defend from large icmp requests

Do you have a block line under your accepts? Otherwise it would not be blocked and would travel on to NAT.

You wrote in your subject "large" and I assume you mean to write many.
by msatter
Wed Oct 16, 2019 11:59 pm
Forum: General
Topic: NordVPN-IKEv2 slow NET speed
Replies: 14
Views: 1336

Re: NordVPN-IKEv2 slow NET speed

I have looked with Wireshark at what is happening when I get a slow start and half the speed. This was recently. On download it finds the correct MTU with or without the MSS line, and also if clamp to pmtu is activated. Working great. On upload all goes haywire and the MTU is not found and it came even th...
by msatter
Wed Oct 16, 2019 9:25 pm
Forum: General
Topic: Block all wesites except one
Replies: 8
Views: 428

Re: Block all wesites except one

In the menu IP > Routes you see the WAN with 0.0.0.0/0, and if you change that, only traffic to that address will be routed. So do not create a default route in the WAN setup but define your own.
by msatter
Wed Oct 16, 2019 9:21 pm
Forum: General
Topic: Weird IP Spoofing Ddos Attack [Need Help]
Replies: 2
Views: 184

Re: Weird IP Spoofing Ddos Attack [Need Help]

Is there a correlation between the spoofed addresses? Being in a certain range like /24.
by msatter
Wed Oct 16, 2019 9:14 pm
Forum: General
Topic: NordVPN-IKEv2 slow NET speed
Replies: 14
Views: 1336

Re: NordVPN-IKEv2 slow NET speed

The rule would not have to be present if all was working as expected.

Pleased that helped and I got it again from other members here helping others like me with this.
by msatter
Wed Oct 16, 2019 12:57 pm
Forum: General
Topic: [feature request] Blocking a special kind of DDoS
Replies: 11
Views: 786

Re: [feature request] Blocking a special kind of DDoS

This morning the reconnaissance scan came along to see if I was ready for more DDoS-ing. This reconnaissance scan would not be caught by the script nor by any other DDoS detector. A modern dst-limit would detect this if I would put any address coming in on port 80 on list one. ...
by msatter
Tue Oct 15, 2019 11:13 pm
Forum: General
Topic: NordVPN-IKEv2 slow NET speed
Replies: 14
Views: 1336

Re: NordVPN-IKEv2 slow NET speed

Have thought about lowering the MTU because MSS is broken for upload in RouterOS!

viewtopic.php?f=2&t=152831&p=754579#p754579

Set MTU to 1280 and ! 0-1280:

viewtopic.php?f=2&t=143990&p=754524#p754564
by msatter
Tue Oct 15, 2019 9:40 pm
Forum: General
Topic: [feature request] Blocking a special kind of DDoS
Replies: 11
Views: 786

Re: [feature request] Blocking a special kind of DDoS

And the complete script:

# Version 1.01-20191015
# Move ip-ranges to address-lists and delete obsolete IP addresses
# Warning: only collect external addresses coming in on the WAN
/ip firewall address-list
:foreach b in=[find where list="list-1"] do={:set $lastAddress [get value-name=address number=...
by msatter
Tue Oct 15, 2019 1:14 am
Forum: General
Topic: [feature request] Blocking a special kind of DDoS
Replies: 11
Views: 786

Re: [feature request] Blocking a special kind of DDoS

I have the impression that only sync packets are sent and any packets sent back are ignored. Tarpit is not working then. I drop in RAW so nothing enters the connection table. Being able to also add /24 ranges would really modernize dst-limit, and when given a range any /32 is ignored so that 'nor...
by msatter
Mon Oct 14, 2019 1:43 pm
Forum: General
Topic: [feature request] Blocking a special kind of DDoS
Replies: 11
Views: 786

Re: [feature request] Blocking a special kind of DDoS

Thanks dmitris, I had read this thread and the conclusion several times in the past. I looked at the log and noticed that the packets have a small size of 40, and I now just filter on that size of between zero and 40, directed at port 80 and being a sync packet. This is a workaround and I would rather have t...
by msatter
Mon Oct 14, 2019 11:01 am
Forum: General
Topic: [feature request] Blocking a special kind of DDoS
Replies: 11
Views: 786

Re: [feature request] Blocking a special kind of DDoS

The attack is still going and I am now at 62K requests in several hours.

Now I can sit and check the log several times a day to enter a few /24 ranges to also block the next one. :-(

Does anyone know how I can block this kind of attack by means given in RouterOS?
by msatter
Mon Oct 14, 2019 5:01 am
Forum: General
Topic: [feature request] Blocking a special kind of DDoS
Replies: 11
Views: 786

[feature request] Blocking a special kind of DDoS

For a few months I have had a problem where address ranges are DDoSing at a rate between 10K and 15K an hour. The current version of Destination Limiting does not work because ranges of source addresses are used. Luckily they are all in the same /24 range or blocks of /24 ranges. It would be great if Dst. Limit ...
by msatter
Sun Oct 13, 2019 1:44 pm
Forum: Beginner Basics
Topic: SFP Module
Replies: 4
Views: 354

Re: SFP Module

Wow.. the seller told you that the SFP module has a web interface? Really?
Also I've never seen a MAC address on an SFP module...
Then this thread must be an eye opener for you:
viewtopic.php?f=3&t=116364&sid=05dd0e7d ... ad#p751951
by msatter
Fri Oct 11, 2019 4:56 pm
Forum: General
Topic: Still struggling with MSS/MTU IKEv2
Replies: 2
Views: 533

Re: Still struggling with MSS/MTU IKEv2

Hmmmm it is becoming even stranger. I tried a different setting and only looked at packets that have the TCP flag SYNC and not ACK, and the upload started with a delay and was at 40% of the expected speed. This was with clamp to pmtu as action, which did not work before. To test I revered the !ack TCP fl...
by msatter
Fri Oct 11, 2019 4:01 pm
Forum: General
Topic: understanding and fixing MTU/MSS/PMTU with IPsec
Replies: 13
Views: 3121

Re: understanding and fixing MTU/MSS/PMTU with IPsec

My line:

add action=change-mss chain=forward connection-mark=!no-mark dst-port=!993,8291 log-prefix=MSS new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1382

I apply a change-mss in the forward chain. My connections are marked so I use !no-mark (not marked connections and the "...
by msatter
Fri Oct 11, 2019 1:58 pm
Forum: General
Topic: understanding and fixing MTU/MSS/PMTU with IPsec
Replies: 13
Views: 3121

Re: understanding and fixing MTU/MSS/PMTU with IPsec

Not in the IPSEC section. With IKEv2 you use connection marking or source addresses and those are used in the Mangle line to target traffic in the tunnel. I can't copy from the terminal in the Android app so I have to find a computer to be able to give you the line I use for that. It should not be needed ...
by msatter
Fri Oct 11, 2019 12:09 am
Forum: General
Topic: understanding and fixing MTU/MSS/PMTU with IPsec
Replies: 13
Views: 3121

Re: understanding and fixing MTU/MSS/PMTU with IPsec

I am afraid that you have to go lower than 1400. I can send 1500 over PPPoE and I can use 1398 and 1382 through the IKEv2 tunnel. I have to set this value hard because clamp to pmtu is not working for me.
by msatter
Thu Oct 10, 2019 11:37 am
Forum: General
Topic: Still struggling with MSS/MTU IKEv2
Replies: 2
Views: 533

Re: Still struggling with MSS/MTU IKEv2

I can see the ICMP packets in RAW, Mangle and Filter but not in NAT. I tried taking away the connection mark in Mangle, needed for being directed into the IKEv2 connection, but that did not make those packets visible in NAT nor did it solve the problem. I still need a Mangle line to set a hard ...
by msatter
Wed Oct 09, 2019 1:02 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

Wondering myself... This topic became really quiet lately.
It is on the slow burner since RouterOS 7 beta so not much test.
by msatter
Wed Oct 09, 2019 2:36 am
Forum: General
Topic: Still struggling with MSS/MTU IKEv2
Replies: 2
Views: 533

Still struggling with MSS/MTU IKEv2

After spending many hours if not days on this I am seeing the ICMP type 3, code 4 packet, but it is not shown in connection tracking nor is it going to the local network where the client is. I am running a speedtest.net and downloading is fine but uploading does not start. I am not blocking the ICMP traffic b...
by msatter
Tue Oct 08, 2019 1:12 pm
Forum: Beginner Basics
Topic: NordVPN disconnected at 1 hour
Replies: 4
Views: 507

Re: NordVPN disconnected at 1 hour

Do you have a subscription with NordVPN and which version of RouterOS are you using?

On the linked page you see a link to the original page by Mikrotik and that one is more complete.
by msatter
Sun Oct 06, 2019 5:31 pm
Forum: RouterBOARD hardware
Topic: Usage GPON module SFP in Spain
Replies: 255
Views: 52650

Re: Usage GPON module SFP in Spain

This thread is about using an SFP in a Mikrotik, which should not be possible because the ISP/provider does not allow that to happen using their service.

Now it is possible if not easy.
by msatter
Sun Oct 06, 2019 5:25 pm
Forum: General
Topic: youtube upload/download stats not showing in queue tree
Replies: 5
Views: 1629

Re: youtube upload/download stats not showing in queue tree

If you block UDP 443 then traffic is forced through TCP.
by msatter
Sun Oct 06, 2019 2:50 pm
Forum: General
Topic: youtube upload/download stats not showing in queue tree
Replies: 5
Views: 1629

Re: youtube upload/download stats not showing in queue tree

Youtube is able to use UDP port 443 instead of TCP port 443.
by msatter
Fri Oct 04, 2019 11:46 am
Forum: General
Topic: Can a HTTP connection be made without a sync?
Replies: 0
Views: 238

Can a HTTP connection be made without a sync?

I sometimes have a slow kind of attack (plus minus 15.000 a day) on port 80 and I block those with an address-list. I filter on the sync and that works well. Today I saw an address from China (140.143.1x.xx) that could make a connection (SAC) on port 80 which doesn't reach the webserver and I think it...
by msatter
Tue Oct 01, 2019 6:46 pm
Forum: General
Topic: NordVPN IpSEC fragmentation issue
Replies: 7
Views: 725

Re: NordVPN IpSEC fragmentation issue

If your connection marking is based on source addresses then stay with using just source addresses. In my situation I can use two different MTUs: if on the same router using connection marking I can use 1380. When it is routed to another router that is using source addresses then I can use 1396....
by msatter
Tue Oct 01, 2019 11:31 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

I sometimes have an EAP failed in the log without any information about which IKEv2 connection failed. I changed the log settings to add more information all the time; this one was two connections taking in sequence almost 40 minutes to connect. It would be nice if the EAP fai...
by msatter
Tue Oct 01, 2019 12:52 am
Forum: General
Topic: NordVPN IpSEC fragmentation issue
Replies: 7
Views: 725

Re: NordVPN IpSEC fragmentation issue

Connection marking is the easiest and then you replace PPPoE-out by your connection-mark and don't use out-interface but connection mark.
by msatter
Tue Sep 24, 2019 11:54 pm
Forum: General
Topic: Temporary Filter Rules
Replies: 2
Views: 256

Re: Temporary Filter Rules

The only finite items are address lists. If you can hook a rule to an address or domain then it would work.

Another way is to put a comment code word or number on a rule and use the scheduler to switch that rule on or off by finding that code word or number and switching the rule.
by msatter
Tue Sep 24, 2019 11:07 am
Forum: General
Topic: High in-state-protocol-errors
Replies: 5
Views: 520

Re: High in-state-protocol-errors

Set only the traffic through the tunnel to 1280 for testing and leave the WAN MTU alone, or set it to 1492 if you have a PPPoE connection. Fasttracking over VPN is not going to work. On the other stuff I can't give you any advice. Have you used the Wiki of Mikrotik to find examples and tips? https://...
by msatter
Thu Sep 19, 2019 10:12 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

Everyone is testing RouterOS v7.0beta1 (ARM)!!!
Also, not everyone has an ARM device.
by msatter
Tue Sep 17, 2019 11:58 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

With IKEv2 connections to a VPN provider I sometimes get huge lists of EAP failed in the log, but I can't see which account is causing these EAP failed: errors. A bit more information in the error message would be welcome. The log is one of many and in that time period of 10 minutes ...
by msatter
Mon Sep 16, 2019 7:12 pm
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 1147

Re: IPsec INVALID_SYNTAX after upgrade

Having a lifetime of 30 minutes in the ipsec proposal should be no problem. If you set Lifetime in the ipsec profile to 30 minutes then you can get this error. NordVPN is offering 24 hours. Obey would enforce the 24 hours (NordVPN) but maybe RouterOS is still trying to renew. You could try strict as propos...
by msatter
Mon Sep 16, 2019 2:55 pm
Forum: General
Topic: SIP - Stale SIP Session are we the only....
Replies: 1
Views: 264

Re: SIP - Stale SIP Session are we the only....

I had a similar problem a week ago. It was caused by a loop I created in VOIP traffic. When registering with the VOIP provider the counter starts for 3 minutes. To receive calls I have a catcher that accepts calls in the timeout period. To test, shorten the re-registering time on your VOIP device or length...
by msatter
Mon Sep 16, 2019 1:07 pm
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 1147

Re: IPsec INVALID_SYNTAX after upgrade

I have the same error when I use a lifetime that is short. I connect to a VPN provider.
by msatter
Sat Sep 14, 2019 3:07 pm
Forum: General
Topic: Packet loss just on 443 port
Replies: 12
Views: 1382

Re: Packet loss just on 443 port

Change MSS

It is a well known fact that VPN links have smaller packet size due to encapsulation overhead. A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has DF flag set, it cannot be fragmented...
by msatter
Thu Sep 12, 2019 11:11 pm
Forum: Beginner Basics
Topic: HEX S Problem with PPPoE connection
Replies: 4
Views: 575

Re: HEX S Problem with PPPoE connection

"Hex s" is not good to be found with search in this forum so I had to search with DuckDuckGo.

viewtopic.php?p=695939

viewtopic.php?f=2&t=137139&hilit=rb760igs

Have you tried to move PPPoE to port two?
by msatter
Thu Sep 12, 2019 2:09 am
Forum: Beginner Basics
Topic: HEX S Problem with PPPoE connection
Replies: 4
Views: 575

Re: HEX S Problem with PPPoE connection

Which RouterOS are you using? I remember that there were more hEX S that had problems with Ethernet port 1. That is a while ago now.
by msatter
Thu Sep 05, 2019 6:04 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5962

Re: Security issue when Winbox exposed

Yesterday a new article on this was published: https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/ Mikrotik securityblog on this: https://blog.mikrotik.com/security/new-exploit-for-mikrotik-rou...
by msatter
Mon Sep 02, 2019 10:23 am
Forum: General
Topic: not working: IKEv2_EAP_between_NordVPN_and_RouterOS
Replies: 11
Views: 1175

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN

The used login name/password is an example and is not real/working. You need an account with NordVPN. There is a repeating offer of 75% off for three years and you have a 30-day money-back guarantee, so time to tes...
by msatter
Mon Sep 02, 2019 12:38 am
Forum: General
Topic: not working: IKEv2_EAP_between_NordVPN_and_RouterOS
Replies: 11
Views: 1175

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

I have to correct myself. I wrote that using source address was not possible on a single router/device and that was not correct. I am using more than one tunnel at the same time so I never was able to use source address. In your case you have to choose one of them, and as you use a range of your local net...
by msatter
Sun Sep 01, 2019 11:44 pm
Forum: General
Topic: not working: IKEv2_EAP_between_NordVPN_and_RouterOS
Replies: 11
Views: 1175

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

You were mixing routing and connection marking. I would start again with the info page of Mikrotik itself and only use connection marking.
by msatter
Sun Sep 01, 2019 10:07 pm
Forum: General
Topic: not working: IKEv2_EAP_between_NordVPN_and_RouterOS
Replies: 11
Views: 1175

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Change to:
/ip ipsec mode-config
add connection-mark=nord name=NordVPN responder=no
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=nord passthrough=yes src-address=192.168.88.10-192.168.88.254
Offered a router setup to put yours in.
by msatter
Sun Sep 01, 2019 1:45 pm
Forum: General
Topic: not working: IKEv2_EAP_between_NordVPN_and_RouterOS
Replies: 11
Views: 1175

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

If you search in the forum you will find that routing is not going to work on a single device. You have to use connection marking. Remove all of that from your config and post your config again after that. Then the requesters for config files can have an easier look at your config. I am not a config re...
by msatter
Sun Sep 01, 2019 11:57 am
Forum: General
Topic: not working: IKEv2_EAP_between_NordVPN_and_RouterOS
Replies: 11
Views: 1175

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

This is not the solution, but you should not use mark-routing when using a single router. Only Connection marking (mark-connection) is to be used.

The IKEv2 joins the WAN and so has no separate interface; it only uses the dynamic NAT to get the traffic to the WAN.
by msatter
Fri Aug 30, 2019 10:26 pm
Forum: Beginner Basics
Topic: Cant block google on chrome
Replies: 1
Views: 374

Re: Cant block google on chrome

UDP 443 block.
by msatter
Fri Aug 30, 2019 2:29 pm
Forum: General
Topic: fiber pigtail connector
Replies: 5
Views: 772

Re: fiber pigtail connector

A cable is better than an adapter

https://www.fs.com/de-en/products/42284.html
by msatter
Wed Aug 28, 2019 4:16 pm
Forum: General
Topic: Error Terminal command symbol - $
Replies: 4
Views: 619

Re: Error Terminal command symbol - $

I am using Regex for domain names very often and you have to anchor it at the beginning of the domain (^) or at the end ($ (in ROS \$)). If you don't anchor them then it can match any part of the domain name. The group is used for more complex Regex matching and is not needed here. Better, grouping is cor...
by msatter
Wed Aug 28, 2019 2:22 pm
Forum: General
Topic: L2TP/IPSec disaster issue like demon
Replies: 2
Views: 403

Re: L2TP/IPSec disaster issue like demon

Did you already contact Mikrotik support on this?

The e-mail address is: support@mikrotik.com
by msatter
Wed Aug 28, 2019 1:55 pm
Forum: The Dude
Topic: Community HOWTOs
Replies: 7
Views: 11137

Re: Community HOWTOs

How do I use the function concatenate to move a value to the next line?
This is not the right thread to ask this. "\r\n" is a newline, or even "\v" in scripting.

https://wiki.mikrotik.com/wiki/Manual:Scripting
by msatter
Wed Aug 28, 2019 1:46 pm
Forum: General
Topic: Error Terminal command symbol - $
Replies: 4
Views: 619

Re: Error Terminal command symbol - $

Would this not be more efficient?

"\.gmail\..*\$"

You already hooked it up to the end with \$ sign.

It confuses me that Regex is seen as scripting in ROS......
by msatter
Wed Aug 28, 2019 11:02 am
Forum: General
Topic: Port 8089/tcp open on brand new RB4011?
Replies: 1
Views: 441

Re: Port 8089/tcp open on brand new RB4011?

The package TR-069 could be using that port.
by msatter
Mon Aug 26, 2019 7:21 pm
Forum: Useful user articles
Topic: Whitelisting websites
Replies: 13
Views: 1218

Re: Whitelisting websites

I have a simple system of two+1 address lists.

- not VPN
- VPN
- fixed VPN

Fixed VPN are destinations that don't like traffic arriving from different source addresses. This is if you are using more than one VPN connection at the same time.

In Mangle you can use marking to separate traffic.
by msatter
Sat Aug 24, 2019 9:04 pm
Forum: Useful user articles
Topic: Whitelisting websites
Replies: 13
Views: 1218

Re: Whitelisting websites

Pi-hole can do whitelisting and in the next release the domains will be in a database which gives more control over what is filtered. It will then be also able to use wildcard whitelisting and regex based whitelisting.

Pi-hole sits between the clients and the DNS server used.
by msatter
Fri Aug 23, 2019 10:13 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

Is there an autosupout.rif file on the router by any chance? Will send it to support and I already pushed the button to generate one. . . And it is sent to support. Update: after the restart all IKEv2 connections came back. The ones I was missing were the ones from Pure. Update 2: It appeared that...
by msatter
Fri Aug 23, 2019 10:00 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

This morning the old dynamically generated NAT lines for IKEv2 were not removed from NAT on reconnect and so I have multiple dynamic NAT lines in NAT for each connection. I installed Beta 34 yesterday and I have two routers doing IKEv2, and the one that is using Source Address as filter did not remove ...
by msatter
Fri Aug 23, 2019 12:20 am
Forum: General
Topic: Block some public ip address with wildcard [SOLVED]
Replies: 4
Views: 525

Re: Block some public ip address with wildcard [SOLVED]

Nescafe2002 gave the solving answer and I expanded on that. :D
by msatter
Thu Aug 22, 2019 8:28 pm
Forum: RouterBOARD hardware
Topic: SFP transceivers Rx and Tx power
Replies: 1
Views: 359

Re: SFP transceivers Rx and Tx power

Here you can find the brochure and see if you are at the max., and normally you should be lower than the max.

https://i.mt.lv/cdn/rb_files/SFP2-131002143606.pdf
by msatter
Thu Aug 22, 2019 8:20 pm
Forum: General
Topic: Block some public ip address with wildcard [SOLVED]
Replies: 4
Views: 525

Re: Block some public ip address with wildcard [SOLVED]

You can also enter a range between two IP addresses. If it can be written shorter in CIDR then it will be converted by ROS.

Example: 83.240.61.5-83.240.61.201
by msatter
Thu Aug 22, 2019 5:41 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208330

Re: Feature requests

There is a page in the Wiki, which is empty, that could be used for feature requests to be implemented in v6 or v7:

http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests
by msatter
Thu Aug 22, 2019 12:59 pm
Forum: RouterBOARD hardware
Topic: High ambient temperature
Replies: 6
Views: 780

Re: High ambient temperature

Hotter air rises so an opening at the bottom and top could ventilate your closet. You can put ventilation hole(s) at the bottom of the door if the slit between the door and floor is small. Look if at the top of the closet there is an escape for the hot air. Active ventilation is needed when passive is not enough...
by msatter
Thu Aug 22, 2019 12:41 pm
Forum: General
Topic: fasttrack or RAW is better for blocking ddos attacks?
Replies: 2
Views: 328

Re: fasttrack or RAW is better for blocking ddos attacks?

Hello, I have a mikrotik ccr 1036 and most of my ddos attacks are on TCP/UDP and currently my connection tracking is disabled and I block destination hosts on RAW filtering to reduce cpu loads. So I want to know if this way saves better CPU usage for me or enable connection tracking and use fast trac...
by msatter
Thu Aug 22, 2019 12:36 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208330

Re: Feature requests

Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7
There is no v7
There is as you can see at the top of this page:

BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)
by msatter
Wed Aug 21, 2019 7:17 pm
Forum: Beginner Basics
Topic: Unstopable DSTNAT
Replies: 16
Views: 2197

Re: Unstopable DSTNAT

That router is perfectly fine.

In the NAT rule, to which ports do you translate? You need port 80 and 443, and I leave that empty and filter on the incoming side.
by msatter
Wed Aug 21, 2019 3:28 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1448

Re: Slow Gbit speed with Mikrotik hex S

Hmmm I was moving files using FTP inside my network and saw in the beginning that I still got a high load and after a short time that dropped. So I could abandon the untrack thought and use the following filter (ip firewall filter):

/ip firewall filter add action=reject chain=forward dst-address-li...
by msatter
Wed Aug 21, 2019 1:04 pm
Forum: Beginner Basics
Topic: Tunnel traffic through VPN
Replies: 18
Views: 1585

Re: Tunnel traffic through VPN

Security is not an issue. > you can use connection marking by default to split traffic to go into the tunnel and traffic that does not have to be in the tunnel. What is this feature called? I would like to read more about this. Also I have a problem that netflix and amazon are not working through that t...
by msatter
Wed Aug 21, 2019 12:50 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1448

Re: Slow Gbit speed with Mikrotik hex S

ip - firewall - address-list

I wrote processor and to be more clear it is Connection tracking in R-OS that slows things down.
by msatter
Wed Aug 21, 2019 10:45 am
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1448

Re: Slow Gbit speed with Mikrotik hex S

The problem with the Mediatek MT7621A design is that you have to keep local->local traffic from entering the processor. This is not possible, so I mark it as "notrack" traffic and so it will not go in/through the connection table. Enabling the switch option does not work because it is au...
by msatter
Tue Aug 20, 2019 11:21 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1448

Re: Slow Gbit speed with Mikrotik hex S

I think that independent stands for not in a bridge. Bridge is more or less standard with Mikrotik.

Be aware that using the SFP will reduce overall speed again.

Connect uneven with even for each subnet so you will have the best usage of resources of the 760iGS.
by msatter
Tue Aug 20, 2019 6:15 pm
Forum: Beginner Basics
Topic: Tunnel traffic through VPN
Replies: 18
Views: 1585

Re: Tunnel traffic through VPN

When you buy a different router with hardware support you can use IKEv2, which is safe (L2TP is not), and you can use connection marking by default to split traffic that goes into the tunnel from traffic that does not have to be in the tunnel.

You can then use your local DNS if you want.
by msatter
Tue Aug 20, 2019 6:02 pm
Forum: Beginner Basics
Topic: Tunnel traffic through VPN
Replies: 18
Views: 1585

Re: Tunnel traffic through VPN

I tried PPTP, L2TP and L2TP with IPSec. All of them are extremely slow (around 1Mbit). Only L2TP with IPSec gives me SOMETIMES 10MBit. I followed this instruction: https://support.safervpn.com/hc/en-us/articles/115004457365-Manual-PPTP-setup-on-Mikrotik-Router I have the feeling that there is a probl...
by msatter
Mon Aug 19, 2019 2:48 pm
Forum: Beginner Basics
Topic: Tunnel traffic through VPN
Replies: 18
Views: 1585

Re: Tunnel traffic through VPN

NordVPN is fast and I get with two RB760iGS in cascade 250/250Mbit/s. Single RB760iGS shuffles around 170Mbit/s over the IKEv2 tunnel.

With a RB4011 you will get between 250 and 300Mbit/s through NordVPN.
by msatter
Tue Aug 13, 2019 1:28 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208330

Re: Feature requests

Thanks pe1chl. I had yesterday some kind of only sync requests on ports 80 and 443 from several different AS numbers from Dutch, Lithuania, Ukraine and China sourced server/service providers.

I blocked in 12 hours almost 50 000 connections in RAW, now it is quiet again.
by msatter
Tue Aug 13, 2019 11:07 am
Forum: General
Topic: 6.46b28 Wireless Access List bug
Replies: 1
Views: 392

Re: 6.46b28 Wireless Access List bug

When adding devices to the access list "Signal Strength Range" is limited to -1;120, where it should be -120;120.
Already mentioned in the 6.46.Beta thread:

viewtopic.php?f=21&t=149910&start=50#p744204
by msatter
Tue Aug 13, 2019 11:04 am
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208330

Re: Feature requests

Using Address Lists not only with IP address and Domain Name but also with the ASN number.

Never found a way to block in routing incoming traffic using ASN and I had to fall back on generating my own Address List to filter those IP ranges out.
by msatter
Sun Aug 11, 2019 1:57 pm
Forum: General
Topic: ROS DNS-client "ignoring" TTL set by own DNS server
Replies: 3
Views: 373

ROS DNS-client "ignoring" TTL set by own DNS server

When I make a static DNS entry and I look in Cache then I see it counting the TTL down for a few seconds and then it starts counting from the top again.

I have to move the static entries to an external DNS server to have a normal TTL countdown of the given TTL value.
by msatter
Wed Aug 07, 2019 11:23 am
Forum: General
Topic: IPSEC / IKEv2 tunnel for only selected devices
Replies: 9
Views: 867

Re: IPSEC / IKEv2 tunnel for only selected devices

Also the TCP MTU could be off. In Mangle add this line and move it up as high as possible. You still need to mark the traffic and the DNS could be working with you or against you. So try both ways. /ip firewall mangle add action=change-mss chain=forward connection-mark=!no-mark src-address-list=SHI...
by msatter
Wed Aug 07, 2019 10:08 am
Forum: General
Topic: IPSEC / IKEv2 tunnel for only selected devices
Replies: 9
Views: 867

Re: IPSEC / IKEv2 tunnel for only selected devices

/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=SHIELDTV new-connection-mark=NordVPN passthrough=yes protocol=udp port=!53 add action=mark-connection chain=prerouting src-address-list=SHIELDTV new-connection-mark=NordVPN passthrough=yes protocol=tcp port=!53 /ip ipse...
by msatter
Wed Aug 07, 2019 12:18 am
Forum: General
Topic: Resolving Local Domain
Replies: 2
Views: 425

Re: Resolving Local Domain

You could have a look at DNSmasq that is also used in Pi-hole. Add to --synth-domain the ability to create names using sequential numbers, as well as encodings of IP addresses. For instance, --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-* creates 21 domain names of the form int...
by msatter
Tue Aug 06, 2019 7:10 pm
Forum: General
Topic: IPSEC / IKEv2 tunnel for only selected devices
Replies: 9
Views: 867

Re: IPSEC / IKEv2 tunnel for only selected devices

Let's take a step back. You had it working but it was slow. My suggestion is to not put DNS traffic into the VPN and use the Pihole instead. To get traffic to the pihole you put the IP of pihole into, the DNS given to clients, in your DHCP. So your rule is the mangle rule and from one rule you have t...
by msatter
Tue Aug 06, 2019 2:23 pm
Forum: General
Topic: Surfshark IKEv2 VPN
Replies: 6
Views: 1040

Re: Surfshark IKEv2 VPN

Hmmmm there is something going on with using pmtu as that did not work for me. If you replace pmtu with value 1280 it should be running as expected. Hope that Mikrotik gets the calculation correct soon.
by msatter
Tue Aug 06, 2019 2:19 pm
Forum: General
Topic: IPSEC / IKEv2 tunnel for only selected devices
Replies: 9
Views: 867

Re: IPSEC / IKEv2 tunnel for only selected devices

Yes yes no. You are still using source address for all traffic and in NAT the NordVPN Nat is always on top. So you have to add in your proposed rule UDP!/!53 and duplicate that line and change to TCP/!53 !53 stands for everything except 53. So DNS traffic should then go to your Pi-hole as that was t...
by msatter
Mon Aug 05, 2019 7:32 pm
Forum: General
Topic: IPSEC / IKEv2 tunnel for only selected devices
Replies: 9
Views: 867

Re: IPSEC / IKEv2 tunnel for only selected devices

Remember if you use the source address, that your DNS requests will also go to the VPN.

You can now also mark connection, see link to Mikrotik on the NordVPN page top, and then you can mark specifically which traffic you want to go to the VPN.
by msatter
Sun Aug 04, 2019 9:15 pm
Forum: RouterBOARD hardware
Topic: hEX S - switch functionality?
Replies: 4
Views: 609

Re: hEX S - switch functionality?

Keep on living.

You are seeking hardware vlan and Mikrotik does support vlan in software.

So no need to jump off the cliff.
by msatter
Fri Aug 02, 2019 1:58 pm
Forum: General
Topic: Policy based IPSec
Replies: 7
Views: 733

Re: Policy based IPSec

Which is totally what I'm looking for actually since now I can apply "incoming" connection mark to all incoming connections and basically apply IPSec to connection-mark=!incoming.

It's still useful to limit source of IPSec policy a bit in order to make hairpin work properly

!incoming = nomark
by msatter
Thu Aug 01, 2019 1:02 pm
Forum: Beginner Basics
Topic: Disabling o removing DNS Dynamic Servers
Replies: 16
Views: 1417

Re: Disabling o removing DNS Dynamic Servers

I am on a Beta and that one also does not allow removing the dynamic servers.
by msatter
Thu Aug 01, 2019 11:15 am
Forum: Beginner Basics
Topic: Cannot get BT (UK) with PPPoE working :(
Replies: 5
Views: 516

Re: Cannot get BT (UK) with PPPoE working :(

Have you enabled use peer DNS in the PPPoE setting in the Mikrotik? Check with pinging from a client (computer).
by msatter
Thu Aug 01, 2019 11:09 am
Forum: General
Topic: No VPN client account after night
Replies: 2
Views: 237

Re: No VPN client account after night

Version of the routerOS running on that device?
by msatter
Wed Jul 31, 2019 8:50 pm
Forum: General
Topic: [Request] Add "DNS over HTTPS" to RouterOS (Internet security protocols)
Replies: 13
Views: 2763

Re: [Request] Add "DNS over HTTPS" to RouterOS (Internet security protocols)

Start in RouterOS by being able to disable Dynamic DNS. This undermines the first step so that has to be done before anything else.
by msatter
Wed Jul 31, 2019 1:48 pm
Forum: Beginner Basics
Topic: Disabling o removing DNS Dynamic Servers
Replies: 16
Views: 1417

Re: Disabling o removing DNS Dynamic Servers

I also can't shed those and made a feature request for that.

viewtopic.php?f=1&t=45934&p=741888#p741888
by msatter
Tue Jul 30, 2019 4:05 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

Using now NordVPN for a while on the beta and I get after 24 hours problems with the reconnects. I installed 46.6beta16 which stated a more conclusive error log but it has not changed. I get ipsec,error EAP failed and sometimes even ipsec,error INVALID_SYNTAX EAP failed can be due to using all the si...
by msatter
Tue Jul 30, 2019 2:14 pm
Forum: General
Topic: How to set priority code on vlan (for pppoe)
Replies: 9
Views: 867

Re: How to set priority code on vlan (for pppoe)

I can only set the vlan and I do it in /interface vlan

Then PPPoE uses the VLAN interface as exit and the VLAN uses WAN as exit (eth1 in your case)

You have to state which router you use because some like mine can do only software VLAN.
by msatter
Mon Jul 29, 2019 11:25 pm
Forum: RouterBOARD hardware
Topic: GPeR question
Replies: 18
Views: 2328

Re: GPeR question

Look at it as a media converter. It only puts out what came in, and the other way around, and amplifies the voltage to make the next leg of the cable.

Is a delay a big criteria? Before then it even never arrived.
by msatter
Mon Jul 29, 2019 8:38 pm
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 18
Views: 1587

Re: Significant Speed Issues with MikroTik [SOLVED]

Good to read that it has been resolved, and in searching for strange problems checking the whole chain is the second step.
by msatter
Sun Jul 28, 2019 11:03 pm
Forum: General
Topic: NordVPN
Replies: 7
Views: 911

Re: NordVPN

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add name=NordVPN pfs-group=none

At least aes128
by msatter
Sun Jul 28, 2019 1:49 pm
Forum: General
Topic: Surfshark IKEv2 VPN
Replies: 6
Views: 1040

Re: Surfshark IKEv2 VPN

Have a look here on this:
viewtopic.php?f=13&t=150377&hilit=1280
by msatter
Sat Jul 27, 2019 12:51 pm
Forum: General
Topic: Why need to kick-start a IKEv2 connection to provider
Replies: 5
Views: 616

Re: Why need to kick-start a IKEv2 connection to provider

I just concluded my short test and did not find noticeable difference between tracking and notracking. I am notracking the outside of the IPSEC connection/tunnel and traffic inside the tunnel is not Fasttrack-ed nor Notrack-ed. Using two routers in series increases the speed to between 200 and 300MB...
by msatter
Sat Jul 27, 2019 12:31 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208330

Re: Feature requests

Able to disable dynamic DNS servers when using an IKEv2 connection to a VPN provider such as NordVPN. This to have only the manually entered DNS server receiving requests and no fallback to the dynamically provided DNS servers of the VPN provider.
by msatter
Sat Jul 27, 2019 3:21 am
Forum: General
Topic: Why need to kick-start a IKEv2 connection to provider
Replies: 5
Views: 616

Re: Why need to kick-start a IKEv2 connection to provider

Thanks Sindy. I had not the chance to test it. I read it in the Wiki: It is very important that bypass rule is placed at the top of all other NAT rules. Another issue is if you have IP/Fasttrack enabled, packet bypasses IPsec policies. So we need to add accept rule before FastTrack. /ip firewall fil...
by msatter
Fri Jul 26, 2019 2:54 pm
Forum: General
Topic: Why need to kick-start a IKEv2 connection to provider
Replies: 5
Views: 616

Why need to kick-start a IKEv2 connection to provider

It seems to give a 30% reduction to use NOTRACK in a IPSEC connection. The current client config in ROS has an option to set Prerouting or Output but the IP addresses used do not catch anything in RAW. It uses the internal addresses and not the addresses communicated to. So I made an addresslist wit...
by msatter
Thu Jul 25, 2019 9:26 am
Forum: General
Topic: [ASK] FastTrack for SpeedTest
Replies: 14
Views: 948

Re: [ASK] FastTrack for SpeedTest

I modified from msatter. I found it makes traffic ONLY when Speedtest.net is running, but what else I found: special dummy rules don't make traffic, even on connect-list fasttrack is 0. Do I'm getting fasttrack for Speedtest? Filter add action=fasttrack-connection chain=forward comment="Speedtest fastt...
by msatter
Wed Jul 24, 2019 2:14 pm
Forum: General
Topic: [ASK] FastTrack for SpeedTest
Replies: 14
Views: 948

Re: [ASK] FastTrack for SpeedTest

msatter , good idea by port. i'm running torch on same time with speed test. There is millions of ports Speedtest.net is using destination port 8080 and my line in Mangle is then: /ip firewall mangle add action=fasttrack-connection chain=prerouting comment="Speedtest fasttracking" connection-mark=n...
by msatter
Tue Jul 23, 2019 8:29 pm
Forum: RouterBOARD hardware
Topic: My Groove AC is dead
Replies: 13
Views: 1246

Re: My Groove AC is dead

How to disassemble and use the reset:

https://m.youtube.com/watch?v=k9Yna2f5Hao

Hope yours is the same.
by msatter
Tue Jul 23, 2019 3:56 pm
Forum: Beginner Basics
Topic: problem to reach some websites [SOLVED]
Replies: 20
Views: 1889

Re: problem to reach some websites [SOLVED]

Thanks and when I ping from my PC then normal (not VPN) has a 1472 MTU and both VPN connections a 1410 MTU. So I set the rule to do 1410 and then I have problems. Only when I am going down for NordVPN to MTU 1398 I can connect. I think that nothing is left but to use Wireshark again to see what is differe...
by msatter
Tue Jul 23, 2019 3:02 pm
Forum: General
Topic: [ASK] FastTrack for SpeedTest
Replies: 14
Views: 948

Re: [ASK] FastTrack for SpeedTest

Run speedtest and look in connections which port is used and fasttrack that port.

You know that fasttracking is making the router work better and is not to be used as a limiter to your customers.
by msatter
Tue Jul 23, 2019 12:43 pm
Forum: Beginner Basics
Topic: problem to reach some websites [SOLVED]
Replies: 20
Views: 1889

Re: problem to reach some websites [SOLVED]

Where could lie the problem. I noticed it with NordVPN and PureVPN did not show that problem. A thing I remember doing the speedtest (xs4all) with PureVPN that not always the upload started and even gave a timeout. I have now only for NordVPN the MTU limited and not for PureVPN and the run side-by-s...
by msatter
Mon Jul 22, 2019 5:21 pm
Forum: Beginner Basics
Topic: problem to reach some websites [SOLVED]
Replies: 20
Views: 1889

Re: problem to reach some websites [SOLVED]

I am testing on the moment NordVPN and used before other VPN providers. MTU was sometimes a problem and I could always go without any changes to the MTU. Using NordVPN in the same configuration as with PureVPN IKEv2 I could not reach some sites and it stayed on getting the certificates for TLS and t...
by msatter
Sat Jul 20, 2019 1:28 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35983

Re: v6.45.2 [stable] is released!

Not make releases at the end of the week as most people do like their weekend too.
by msatter
Sat Jul 20, 2019 12:09 am
Forum: General
Topic: gpon conection
Replies: 1
Views: 303

Re: gpon conection

Have a read in this topic about GPON in Spain:

viewtopic.php?f=3&t=116364
by msatter
Fri Jul 19, 2019 5:18 pm
Forum: General
Topic: IPSEC performance problem
Replies: 12
Views: 1201

Re: IPSEC performance problem

I tried something else. Currently using an SFP for the WAN and that has in the RB760iGS (same processor as the RB750GR3). I connect it up differently, replacing the SFP up-link with an ethernet port connected to a media converter. Now the usage of the processor is a bit better and the firewall/network l...
by msatter
Fri Jul 19, 2019 12:31 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

I get every 120 seconds a new IP and rebuild of the IKEv2 connection. This is interrupting traffic and makes browsing a waiting game for pages..if it even arrives. I understand that they are using TTL this way to spread users over the servers. However it spoils it for me and I have now fixed the IP ad...
by msatter
Fri Jul 19, 2019 12:22 pm
Forum: General
Topic: IPSEC performance problem
Replies: 12
Views: 1201

Re: IPSEC performance problem

When using multiple IPSEC connections side by side the traffic still tends to huddle together on one core.
by msatter
Thu Jul 18, 2019 10:51 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

Thanks for the feedback. We will try to add it in the 6.45.2 as well. It will also be possible to specify both the src-address-list and connection-mark parameters to form a single NAT rule. If anyone is wondering, currently an example is published here . New question about IKEv2 and re-keying. Usin...
by msatter
Mon Jul 15, 2019 7:39 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1602

Re: blackhole/unreachable with IPSec policies [SOLVED]

I have to have a good look at it when I have access to Winbox and my RouterOS in front of me. Seeing what is catching the first and tailing packets. So I have to come back on this. I am using L2TP/IPSEC on the inner box and the outer (GW) is transparent for that. IKEv2 is routed on the inner box an...
by msatter
Sun Jul 14, 2019 11:16 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1602

Re: blackhole/unreachable with IPSec policies [SOLVED]

The next step is when it hits the IKEv2 NAT rule and the connection is not there anymore, what happens then? It will head for the WAN which is transferring anything not specifically caught by other routing rules. Outgoing encrypted traffic will fall dead because the receiving IKEv2 server is not there anym...
by msatter
Sun Jul 14, 2019 10:53 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1602

Re: blackhole/unreachable with IPSec policies [SOLVED]

I do not agree because forwarded traffic is only dropped if it is on its way to the WAN while it is tagged to go through the IKEv2 connection. In the NAT itself the first split is made by only NATting traffic to the WAN that is not connection marked. So if traffic is on its way through Mangle and marked an...
by msatter
Sun Jul 14, 2019 11:32 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1602

Re: blackhole/unreachable with IPSec policies [SOLVED]

I added this rule as a workaround... It catches the packets if the dynamic rule by mode-config is not present. /ip firewall nat add action=src-nat chain=srcnat connection-mark=via-vpn to-addresses=127.0.0.1 However it is kind of blackhole only, there's no way to make the client receive unreachable ...
by msatter
Sat Jul 13, 2019 2:09 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1602

Re: blackhole/unreachable with IPSec policies [SOLVED]

IKEv2 is not having its own interface and encrypted traffic uses WAN. Traffic (not encrypted) marked for IKEv2 has so nothing lost in routing so when detected can be indicated as unreachable.
by msatter
Sat Jul 13, 2019 12:55 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1602

Re: blackhole/unreachable with IPSec policies [SOLVED]

You want to stop traffic what is not caught by IPSEC and so it is normal traffic.
by msatter
Sat Jul 13, 2019 12:46 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1602

Re: blackhole/unreachable with IPSec policies [SOLVED]

I am using a rule that drops forwarded traffic that has the connection mark and goes out through the WAN. I am using the specific ports now instead of connection mark. I am using this for L2TP/IPSEC but maybe this can be used for IKEv2 too. Sindy made a blackhole by using an extra bridge. Th...
by msatter
Fri Jul 12, 2019 4:58 pm
Forum: General
Topic: NordVPN-IKEv2 slow NET speed
Replies: 14
Views: 1336

Re: NordVPN-IKEv2 slow NET speed

That speed is not too bad. I am using PureVPN and I don't have much more (only IKEv2).

I stopped using it for several weeks now because of the many renewals during sessions.
by msatter
Fri Jul 12, 2019 4:55 pm
Forum: General
Topic: Google Station
Replies: 4
Views: 544

Re: Google Station

Why do you want to be brainwashed by Alphabet (Google)?
by msatter
Fri Jul 12, 2019 3:11 pm
Forum: General
Topic: MikroTik blacklists (IPv4/IPv6)
Replies: 4
Views: 519

Re: MikroTik blacklists (IPv4/IPv6)

If you don't run any services that can be reached from the outside you can drop all NEW traffic coming in on the WAN, not even hitting connection tracking.

Despite that, securing down your router is always needed.
by msatter
Fri Jul 12, 2019 9:53 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

Update: problem tackled with help of mkx. In the previous Beta EAP for ikev2 was made available and I needed to split all over two routers. It needed changes in Hairpin, which broke the catching of traffic better served locally. I have a problem I can't explain with dstnat to a local address on UD...
by msatter
Thu Jul 11, 2019 3:07 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator (CLI only);

Thanks and I am going to test it later. I was looking where it was hidden in Winbox and could just not find it. It is for now CLI only. :-)

ip - ipsec - mode-config
by msatter
Tue Jul 09, 2019 1:50 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 107
Views: 40454

Re: v6.46beta [testing] is released!

Hi Folks, it has been a long time since I have posted here, but I need help now! Does mikrotik already support Openvpn with tls? This is because we need to use NORDVPN here in brazil and it's a hard time doing it, so, please could you guys solve this problem to enable us to start to sell thousand of de...
by msatter
Fri Jul 05, 2019 4:55 pm
Forum: General
Topic: SFP RB4011
Replies: 19
Views: 1563

Re: SFP RB4011

On Mikrotik page about the 4011: We have two versions available. RB4011iGS+5HacQ2HnD-IN-US (USA) is factory locked for 2412-2462MHz, 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed. RB4011iGS+5HacQ2HnD-IN (International) supports 2412-2484MHz and 5150MHz-5875MHz range (Specif...
by msatter
Wed Jul 03, 2019 11:05 am
Forum: General
Topic: NordVpn and mikrotik?
Replies: 22
Views: 4179

Re: NordVpn and mikrotik?

I have it working but need two routers in series (cascade).
If I was you I would wait till Mikrotik implements the promised way to be able to do this in one router.
by msatter
Sun Jun 30, 2019 10:58 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

I am not Emils however I can answer your question.

You need the comodo-root.crt and import it in system-certificate. State that you ignore the check on it in the ipsec screen.

viewtopic.php?f=21&t=146087&p=731038&hi ... er#p731253
by msatter
Sat Jun 29, 2019 5:22 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

Have a look at this page for NordVPN, if your provider has no specific certificate then you need the root cert from/for that provider

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
by msatter
Wed Jun 26, 2019 11:12 pm
Forum: RouterBOARD hardware
Topic: hEX S & SFP S-RJ01
Replies: 4
Views: 616

Re: hEX S & SFP S-RJ01

by msatter
Wed Jun 26, 2019 11:53 am
Forum: General
Topic: Unable to write on External USB EXT3 HDD
Replies: 3
Views: 313

Re: Unable to write on External USB EXT3 HDD

I had a similar problem with a SD card in a hEX-S. Could not copy files from and write to.

Formatting in ROS made no difference, Windows could not format the card. I put it in a camera and formatting was successful and the card working again in the hEX-S.
by msatter
Tue Jun 25, 2019 5:56 pm
Forum: RouterBOARD hardware
Topic: hEX S & SFP S-RJ01
Replies: 4
Views: 616

Re: hEX S & SFP S-RJ01

SFP port can be purposed however you need it to be. Can you put the SFP into your LAN and connect a PC to it and access the router? It sounds like a hardware issue or negotiation problem between modem and SFP. Indeed switch off auto negotiation and set speed to 1Gbit. Those SFP can generate much heat ...
by msatter
Mon Jun 24, 2019 12:57 pm
Forum: General
Topic: Im having issues with UDP conns for VOIP being unreliable.
Replies: 4
Views: 436

Re: Im having issues with UDP conns for VOIP being unreliable.

It could be due to firewall connection tracking settings. Default has these two settings: udp-timeout: 10s udp-stream-timeout: 3m I'm not familiar with how VoIP works, but settings above might be too short for some idle VoIP clients. Solution would be either to enable sending keep alive packets (if...
by msatter
Sun Jun 23, 2019 2:43 pm
Forum: Beginner Basics
Topic: Firewall list performace hit
Replies: 3
Views: 349

Re: Firewall list performace hit

The performance hit is present but not huge. Address lists are very effective and use RAW filtering so it won't reach connection tracking. I only use VPN to browse so that means any services by you are unreachable for me. VPN is also a way for us to be on the internet and not be watched all the time...
by msatter
Thu Jun 20, 2019 11:44 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 3026

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Just dropping seems better to me. The fixes are on the way and my DECT phone blinked red today to indicate that it needed attention. That was the RSS notification of this and the security log was containing new information.
by msatter
Wed Jun 19, 2019 1:06 pm
Forum: Scripting
Topic: Select rule exact match by fields
Replies: 4
Views: 507

Re: Select rule exact match by fields

“!” logical NOT :put (!true);
“&&” , “and” logical AND :put (true&&true)
“||” , “or” logical OR :put (true||false);

The standard seems to be AND
by msatter
Wed Jun 19, 2019 12:55 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible...
by msatter
Wed Jun 19, 2019 10:56 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity; Where can I set that identity? I also noticed that the counters are all the same and these are L2tp/IPSEC connections: wrong-counters.JPG The local addresses, in PPP screen, are in the 172.20.12.xxx range (multip...
by msatter
Tue Jun 18, 2019 11:29 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

Great, much appreciated! Can't wait for it... Will we see this before version 6.45 final release? Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemen...
by msatter
Tue Jun 18, 2019 11:25 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

Hello! I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN). IP address receive via DHCP. ALL WORK GREAT! ---> firmware 6.44.3 If im update firmware to 6.45beta62, SFP module have status "link ok", but DHCP address not received, DHCP client all time in status "sear...
by msatter
Tue Jun 18, 2019 6:07 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 3026

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Chain input is a good step if you look at Mikrotik's own kernel. Also there are forwards and not all linux systems are already updated for this. Having also a main filter in the RAW looking at traffic coming in through the WAN is wise.
by msatter
Tue Jun 18, 2019 12:49 pm
Forum: General
Topic: Upload file and change it into a script
Replies: 2
Views: 260

Re: Upload file and change it into a script

If your script is longer than 4KB then you can run the rsc file by using import file=xyz.rsc
by msatter
Tue Jun 18, 2019 12:43 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 3026

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Till we have a confirmation about this from Mikrotik, put that rule in RAW. Which is the best place for it.
by msatter
Fri Jun 14, 2019 11:43 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

Does anyone knows where to find this setting? I am looking for it for years now. *) winbox - do not allow setting "dns-lookup-interval" to "0"; Many support mails about addresslists and DNS timings but this was never mentioned to me. I have now a limiter only for DNS so that when there is no upstrea...
by msatter
Thu Jun 13, 2019 11:05 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 25258

Re: Blacklist Filter (Development Topic)

The ADD in the rules is there to add the line to the RAW section in the firewall. After that it is not used anymore.

Dropping unwanted traffic is most efficient in RAW and so it won't reach connection tracking.
by msatter
Thu Jun 13, 2019 1:41 am
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 651

Re: Annoyed with Mikrotik 'Support'

Duh. 60 Degrees is the angle and if you look at hardware section you see also a X3 (new) version that has an angle of 180 degrees. The width is limited by the distance. I won't reach the planet Mars despite it could be well in the 60 degrees angle. From the Mikrotik wiki and if you look at the LHG v...
by msatter
Wed Jun 12, 2019 11:42 pm
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 651

Re: Annoyed with Mikrotik 'Support'

Mikrotik creates a number for each support question and it seems that only one question is accepted. Try next time first the suggestion mentioned earlier and search a bit. If you find nothing, put the questions in separate e-mails if they differ much.

The forum is often faster than support.
by msatter
Wed Jun 12, 2019 2:53 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

It is now quiet around the beta and having used the new IKEv2 EAP possibilities for a time, I want to make a suggestion how to direct traffic using policy routing. I am now using a second router to take care of PPPoE and IKEv2 as those two are bound together more or less. I set in the 'inside' router ...
by msatter
Sat Jun 08, 2019 1:41 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 25258

Re: Blacklist Filter (Development Topic)

I helped with an earlier version and it should be incremental and you get the changes you missed since the last successful update you had. The sheer number of routers connecting still can give a heavy bandwidth usage. Dave is doing a great job despite his personal set backs. https://forum.mikrotik...
by msatter
Tue Jun 04, 2019 1:48 pm
Forum: RouterBOARD hardware
Topic: Cheapest router for home use with 1Gb
Replies: 7
Views: 1126

Re: Cheapest router for home use with 1Gb

I would also go for the 4011. The hAP ac^2 is good but you need to go to fasttracking to reach real high speeds. The encrypting power is 4 times higher with the 4011.
by msatter
Tue Jun 04, 2019 12:52 am
Forum: General
Topic: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)
Replies: 9
Views: 1109

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Hey mada3k, I totally agree with you, but Mikrotik states only that there is IPSec encryption acceleration (compared to the datasheet of hEX S), so I assume that there is no OpenSSL hardware encryption engine support :-( Look at this page and you see that ECB is worse than CBC: https://datalocker....
by msatter
Tue Jun 04, 2019 12:40 am
Forum: Scripting
Topic: Script doesn't continue after a statement [SOLVED]
Replies: 6
Views: 534

Re: Script doesn't continue after a statement

Maybe, use :log info " " instead of /log info " " You confused the actual logging and the log menu itself at this line: /log info "test this" Good that you managed to solve it yourself. I tested /log info "test" and it worked. I never use that and use :log because you can call it wherever you are i...
by msatter
Mon Jun 03, 2019 10:17 pm
Forum: Scripting
Topic: Script doesn't continue after a statement [SOLVED]
Replies: 6
Views: 534

Re: Script doesn't continue after a statement

Maybe, use :log info " " instead of /log info " "

You confused the actual logging and the log menu itself at this line:
/log info "test this"
by msatter
Sun Jun 02, 2019 6:42 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

I am now using an IKEv2 peer to connect to a VPN provider. I have the problem that the connection is rebuilt and the old connection stays in the connection table. I am using a ping to test it and I get a timeout till I remove that connection from the connection table. I thought that dead-peer-detect...
by msatter
Sat Jun 01, 2019 3:39 am
Forum: Beginner Basics
Topic: Confused with PASSTHROUGH YES/NO in Mangle
Replies: 7
Views: 617

Re: Confused with PASSTHROUGH YES/NO in Mangle

If a rule/line is matching and Passthrough is NOT marked for that line, then the rest of the lines are skipped in Mangle. If a rule/line is matching and Passthrough is marked, then the next line is processed. If that line or a later line is also matching, then the value is overwritten if that ...
by msatter
Fri May 31, 2019 10:37 pm
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fasttrack encypted connections the Piggyback way (test)

So after giving up on running it on one router I returned to using two routers to be able to use Mangle + PCC to distribute traffic over several IKEv2 and L2TP/IPSEC connections. I also activated fasttracking for the first NAT on the 'inner' router, which was a bit of a hassle. I had made a jump to two chains...
by msatter
Thu May 30, 2019 11:11 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 758

Re: Routing to interface with IPIP-dummy

I give it a rest for now. I can spend days trying to get it to work. Who knows, Mikrotik will give IKEv2 its own interface and client settings so I can do this without double NAT or IPIP tunnels.

Spent too much time on this running in circles.

Thanks to Sindy again for all the help.
by msatter
Wed May 29, 2019 6:50 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 758

Re: Routing to interface with IPIP-dummy

So I have two address-lists, one for those sites that only like you coming from one IP and one for those that do not like VPN connections. Again, mangling cannot coexist with fasttracking. So I'd suggest to use your address lists of source-sensitive sites to choose the proper action=src-nat rule with the prope...
by msatter
Wed May 29, 2019 6:14 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 758

Re: Routing to interface with IPIP-dummy

And it's gone.....
by msatter
Wed May 29, 2019 5:57 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 758

Re: Routing to interface with IPIP-dummy

Thanks, I am now adapting my config. A factor is that I don't have one IKEv2 connection but multiple, and I want to separate traffic to those IKEv2 connections with the help of mangle. I had it working with multiple connections but I could not go far enough back to restore that. Update: Basically I want to d...
by msatter
Wed May 29, 2019 4:33 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 758

Re: Routing to interface with IPIP-dummy

This is what I have added.

/ip address
add address=127.0.1.1 interface=aux-lo network=127.0.1.1
add address=10.0.1.1 interface=ipip-outer network=10.0.1.1
/interface ipip
add mtu=1500 name=ipip-inner remote-address=127.0.1.1
add local-address=127.0.1.1 mtu=1500 name=ipip-outer remote-address=127.0.0...
by msatter
Wed May 29, 2019 2:52 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 758

Re: Routing to interface with IPIP-dummy

I tried a mangle route to an IP in 10.0.1.0 which is in the outer, but no luck. Then I went back to route marking, and ping on the router itself works but from a client it doesn't. There are really strange things going on: the NAT is not hit. Using route marking I see in connections the client IP - target - target - ...
by msatter
Wed May 29, 2019 11:12 am
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 758

Re: Routing to interface with IPIP-dummy

What I want to achieve is that 'basic' client behavior using an IKEv2 connection. It is not that simple now that the NAT line is created, triggered by the source address, and the source address is the one of the clients. I tried double NAT on one box and did not get that working. When I use IPIP I saw the c...
by msatter
Tue May 28, 2019 5:28 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 758

Re: Routing to interface with IPIP-dummy

Solved it by marking routing.... I did this hundreds of times but did not try it here. I will make a short manual to make using the new IKEv2 possibilities easier without a client available in ROS/Winbox. Thanks to Sindy for the IPIP idea. It was working and then it stopped, and I have to figure out why it does ...
by msatter
Tue May 28, 2019 3:48 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 758

Routing to interface with IPIP-dummy

I am busy with using the latest implementation of IKEv2 with EAP authentication. I have it working but I have to manually change the entry address of the IKEv2 connection in Mangle each time. Using the IPIP is partly working when I test it using the ping tool in Winbox. /ip address add address=172.2...
by msatter
Tue May 28, 2019 12:16 pm
Forum: General
Topic: Bonding using openvpn?
Replies: 6
Views: 498

Re: Bonding using openvpn?

Look in the wiki.mikrotik.com for PCC and there you have the choice on what information you can split up traffic.

The simplest one is using destination address.
by msatter
Tue May 28, 2019 10:19 am
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fastrack encypted connections the Piggyback way (test)

Thanks Sindy, and it's a pity that it did not work as expected. Did you try using different ports, as you control the client and the server? When I use IKEv2 I don't activate notracking for now. Tested it with one active IKEv2 connection and still one core was loaded up... general observation is t...
by msatter
Mon May 27, 2019 12:43 am
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fastrack encypted connections the Piggyback way (test)

Thanks, looking forward to it. With IKEv2 I need to know which IP entry point is given, and ROS knows it, but having no script on start / change I can't automate it. When using mode config + address list I get a NAT line at the top src-natting the new address of the entry point for encrypting. If n...
by msatter
Sun May 26, 2019 11:19 pm
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fastrack encypted connections the Piggyback way (test)

Sindy suggested to use IPIP to see if I can run it on one router, but I have to see how that is going to be set up. Well, that suggestion was relevant in the context of one CPU thread being loaded at 100 % and the others idling as you've stated here, not the whole machine running at 100 % as you've stated...
by msatter
Sun May 26, 2019 5:31 pm
Forum: General
Topic: DNS ghost traffic
Replies: 4
Views: 407

Re: DNS ghost traffic

The users are free to use a different DNS, and Android and apps want to use the DNS of Google itself. You can stop that by blocking the traffic to what I call Rogue DNS servers by putting them in an address list and dropping that traffic. You can choose to put a NAT enforcer to lead that traffic to your ow...
by msatter
Sun May 26, 2019 3:12 pm
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fastrack encypted connections the Piggyback way (test)

I had not yet used Fasttracking and the next two are 'profiles' fasttracked using outer (GW) and inner (filter/nat/mangle/raw). Inner fasttracked: no picture present And for comparison non encrypting: no picture present And as second comparison non encrypting on a standalone router with PPPoE: no pic...
by msatter
Sun May 26, 2019 11:40 am
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fastrack encypted connections the Piggyback way (test)

I have made 'profile' screenshots when the router(s) are loaded and doing encrypting: no picture present IKEv2 in cascade setup of a box doing the PPPoE and IKEv2. There is NAT running on the box for the IKEv2. no picture present At the same time the other router doing filtering/nat/mangle/raw no pic...
by msatter
Sat May 25, 2019 9:47 pm
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fastrack encypted connections the Piggyback way (test)

hmmm, reading it, I am going to put it in a third blank RB750Gr2 to see how it works; my live boxes are too complicated now to fit it in at one time. During testing IPIP I noticed that in connections only one line appeared of the four expected that stated the searched dynamic IP of the IKEv2 connection w...
by msatter
Sat May 25, 2019 8:48 pm
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fastrack encypted connections the Piggyback way (test)

I tried to build IPIP on the single router but I did not manage to get it working. The example in the wiki seems to not do what I see on my router. Thanks for the link and I will see if that is working. I already overheated my brain several times in the past week. If I can get it to work then Mikroti...
by msatter
Sat May 25, 2019 11:07 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

Update: I have it now working and am writing this with an IKEv2 connection through PureVPN. I have still to adapt the manually generated IPsec Policy and it is a PITA to do, because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round, the Src...
by msatter
Fri May 24, 2019 2:12 am
Forum: General
Topic: Android client for MikroTik VPN
Replies: 5
Views: 917

Re: Android client for MikroTik VPN

As client I use OpenVPN and for IKEv2 StrongSwan. A good solution, if you own the router, is that it is able to provide VPN connections and to use that. This is to have VPN for all devices connected to that router. OpenVPN is a bit of a Unicorn with Mikrotik, however IKEv2 is supported in Beta. Works well and I ...
by msatter
Thu May 23, 2019 11:52 pm
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fastrack encypted connections the Piggyback way (test)

If your IKEv2 client is running on the PC, the UDP transport of the encrypted data becomes a plaintext transit traffic for the router connecting that PC to the rest of the world, so fasttracking that traffic makes sense if the router doesn't have enough CPU to handle the forwarding and firewalling....
by msatter
Wed May 22, 2019 11:14 pm
Forum: RouterBOARD hardware
Topic: BiDi SFP on CRS326-24G-2S+: light but no link
Replies: 3
Views: 422

Re: BiDi SFP on CRS326-24G-2S+: light but no link

I solved my problem by turning auto negotiation off, and setting the link capacity to 1G fixed. As always. Maybe Mikrotik will implement an extra button in ROS in that screen with the text "Does not work", and pressing it will disable auto negotiation for you. Or make the default negotiation state be...
by msatter
Wed May 22, 2019 8:24 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 10842

Re: Help with IKEv2/IPsec client configuration

You can route and filter all you want before redirecting it to the entry point of the tunnel. For this you use NAT and, in Mangle, route marking. I have still to manually create a split horizon and I am now setting two routers in series (cascade) to see if I can then use the option mentioned underneath....
by msatter
Mon May 20, 2019 10:31 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

I have tried now with an address list and I can make a split horizon. The TS_I is given by PureVPN (10.4.48.178) for that fixed IP server. The only address in the address list (Marker) is not to be seen in the log. The TS_R is 0.0.0.0/0. The NAT is generated and then I have to change my original source address...
by msatter
Mon May 20, 2019 10:22 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

Update: I have it now working and am writing this with an IKEv2 connection through PureVPN. I have still to adapt the manually generated IPsec Policy and it is a PITA to do, because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round, the Src...
by msatter
Sun May 19, 2019 10:41 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 10842

Re: Help with IKEv2/IPsec client configuration

Hello emils. Please provide the configuration command to use IKEv2 with EAP authentication. I will test the new firmware version; I will configure NordVPN with IKEv2 with EAP authentication. This is the Linux config for NordVPN, for example: https://nordvpn.com/tutorials/linux/ikev2ipsec/ You can h...
by msatter
Sun May 19, 2019 9:22 pm
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Re: Fastrack encypted connections the Piggyback way (test)

Thanks Sindy, I was offline this afternoon to test it so I did not see your reply earlier. I had the PPPoE running and changed my settings but I could not get any traffic to the "PPPoE" router, so I still know nothing. I had to discover that you have to use a bridge to even have an IP on ether2 vis...
by msatter
Sun May 19, 2019 3:53 pm
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 1012

Fasttrack encypted connections the Piggyback way (test)

I have been busy with IKEv2 connections the last few days and now that all is working I was disappointed that my RB760iGS only managed to do 70-90 Mbit/s, due to networking and firewalling tasks taking all the CPU of Core 0 while the others are almost idling. I am thinking and going to set up in a mome...
by msatter
Sat May 18, 2019 10:03 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 10842

Re: Help with IKEv2/IPsec client configuration

Many thanks, and I have it working with PureVPN; their support could not help me much. I am now using an IP address of one of their XX-ikev.ptoservers so that the internal and network IP (range) is constant. This has a src-nat with a constant gateway. Thanks to Mikrotik for making it possible, and also Nord...
by msatter
Fri May 17, 2019 11:11 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

Try setting the remote-id to ignore. I tried that and it still complains that it can't get the local certificate from configuration; it is not a dealbreaker and it goes on till it processes payloads: NOTIFY and then I get the error that the notify is TS_UNACCEPTABLE and the next line it is a got error:...
by msatter
Wed May 15, 2019 11:26 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

I am a bit further and I needed two certificates to be in the certificates box. https://blogger.davidmanouchehri.com/2017/09/ Now I get twice the error that the peer's ID does not match certificate and the line above that reads in the log: unable to get certificate CRL(3) at depth:0 Subject...
by msatter
Wed May 15, 2019 11:20 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

Thanks Emils. It is PureVPN, using PositiveSSL (pointoserver.com / ptoserver.com), and that is the root certificate of Comodo which I tried. I contacted support and they don't provide a certificate to connect as NordVPN is doing. I will take a look at the current certificates in the Windows store to s...
by msatter
Tue May 14, 2019 9:37 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released! IKEv2

Now that mschapv2 is supported I tried to connect with IKEv2 to a VPN provider. This provider does not supply a certificate, so I match on FQDN which is *.pointtoserver.com (the "*." needs to be there).

ip ipsec identity add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 peer=PureIKEv...
by msatter
Mon May 13, 2019 12:29 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 94
Views: 22807

Re: [Feature request] Wireguard

Wireguard was tested by INRIA Source: https://www.security.nl/posting/608796/Onderzoekers+testen+cryptografische+werking+WireGuard-vpn Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol deri...
by msatter
Fri May 03, 2019 12:27 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

can you add EAP-MSCHAPv2 to the authentication method list?
Yes, it is coming as well.
Does this mean that Mikrotik can be removed from the not supported router list at NordVPN and is going to use ike2 to connect?
by msatter
Sun Apr 28, 2019 11:30 pm
Forum: General
Topic: GoogleFiber
Replies: 16
Views: 1257

Re: GoogleFiber

Also check if your ethernet interface negotiates to the correct speed and duplex.
Status shows as Unknown.
Then set it manually.
by msatter
Sat Apr 27, 2019 2:03 pm
Forum: General
Topic: GoogleFiber
Replies: 16
Views: 1257

Re: GoogleFiber

That is correct, you got an IP without that line active so you could also omit that line.

Can't test because I am not even on the same continent. ;-)
by msatter
Sat Apr 27, 2019 1:39 pm
Forum: General
Topic: GoogleFiber
Replies: 16
Views: 1257

Re: GoogleFiber

by msatter
Sun Apr 21, 2019 12:22 pm
Forum: General
Topic: DHCP client on bridge does not work?
Replies: 13
Views: 6149

Re: DHCP client on bridge does not work?

Fast Forward depends on many other settings to be active. See the manual.

https://wiki.mikrotik.com/wiki/Manual:I ... st_Forward
by msatter
Sat Apr 20, 2019 12:42 pm
Forum: General
Topic: Android Mobile App Feature Request
Replies: 2
Views: 331

Re: Android Mobile App Feature Request

There does not appear to be a dedicated forum for the mobile app, so I did not know where else to post this.
There is only one official thread on that and it can be found here:

viewtopic.php?f=21&t=98407
by msatter
Wed Apr 17, 2019 11:22 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 1407

Re: Preventing IPSec-less L2TP [SOLVED]

That is not a problem and I made it work that way. Some sites, like this forum, do not like that approach; I have to use a single IP address ( fixed-vpn ) during a session when I am logged in. Other sites I visit block VPN, so I also have an address list no-vpn . Each list is about 20 entries long so no...
by msatter
Wed Apr 17, 2019 10:45 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 1407

Re: Preventing IPSec-less L2TP [SOLVED]

I was afraid that I need NAT when using a VPN provider. I have multiple connections which have different public IP addresses on the side of the VPN provider. For example, a webpage is collected by different IP addresses from the VPN provider and on my side I split (initiate) those requests based on...
by msatter
Wed Apr 17, 2019 2:39 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 1407

Re: Preventing IPSec-less L2TP [SOLVED]

Thanks for your patience; I am looking for a way to skip NAT. I have marked the route in Mangle and it puzzles me why I still need NAT. In the default client setup for L2TP(-IPSEC) the local address is set in the 172.20.12.x range and I changed that to an address that is in my local network, thinking ...
by msatter
Tue Apr 16, 2019 11:50 am
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 1407

Re: Preventing IPSec-less L2TP [SOLVED]

Thanks Sindy, I am using mangle to mark connection and route. I hoped to be able to skip NAT but I was not able to. I run several VPNs side by side and I get overlapping 172.20.12.x as local address. Mangle 33 chain=route-vpn action=mark-routing new-routing-mark=VPN11 passthrough=no connection-mark=VPN...
by msatter
Tue Apr 16, 2019 11:07 am
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 1407

Re: Preventing IPSec-less L2TP [SOLVED]

I had a look at my VPN: no traffic goes up over port 1701, but down I see traffic on port 1701 coming from the VPN connection, and the packet counts are almost the same as on ipsec-esp in the line above in RAW. If I disable the accept for 1701 incoming, in RAW, my VPN is dead. Is my traffic down enc...
by msatter
Tue Apr 16, 2019 10:52 am
Forum: The Dude
Topic: Where is db cleanup and maintenance info
Replies: 16
Views: 6561

Re: Where is db cleanup and maintenance info

The Wiki on this:

https://wiki.mikrotik.com/wiki/Manual:T ... /db_vacuum

Also have a look at this script to backup and vacuum:

https://github.com/sayajin101/Dude-Backup-Script
by msatter
Mon Apr 08, 2019 2:43 pm
Forum: General
Topic: [Feature request] Address List extension
Replies: 11
Views: 983

Re: [Feature request] Address List extension

That's awesome. It is a good start to making a script that could for example let Google or Facebook in a Walled Garden list or perhaps QoS rule or blocking. I wish I knew how to deduplicate it. It would be great as an online script generator. I tested it and it seemed an effective way to block Face...
by msatter
Tue Apr 02, 2019 11:18 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 25258

Re: Blacklist Filter (Development Topic)

Humans can be truly awful, but using your undergoing treatment to steal from you, there are no words to describe my feelings about that.

I am sorry to read that you are ill and that the outcome is uncertain. I wish all the strength to overcome this horrible time in your life.
by msatter
Mon Apr 01, 2019 11:15 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40178

Re: UKNOF 43 CVE

The beta released today addresses the IPv6 route cache using more memory than available.

MAJOR CHANGES IN v6.45:
----------------------
!) ipv6 - fixed soft lockup when forwarding IPv6 packets;
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table;
----------------------
Changes in this...
by msatter
Mon Apr 01, 2019 12:52 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40178

Re: UKNOF 43 CVE

@bmann has made some very good points which I can relate to. I come from the Cisco camp and I was amazed when I bought my RB1100AHx4 what I was getting for the money... and it's made in Latvia, not China! Personally, I think Mikrotik products are possibly a bit too cheap and I would be happy to pay...
by msatter
Fri Mar 29, 2019 3:35 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40178

Re: UKNOF 43 CVE

Thanks Maznu for finding this and reporting it to Mikrotik. Good to see that communication is up to speed now, so that Mikrotik can handle this correctly and in time for us Mikrotik device owners.
by msatter
Fri Mar 29, 2019 1:53 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

@markim, the creator of the CVE states in the post above yours that the first CVE 19299 was not fixed by this beta.

When Mikrotik is giving more info about this we will know if it is fixed in their eyes.
by msatter
Thu Mar 28, 2019 12:43 am
Forum: General
Topic: Mikrotik: Change the default Powerbox config!
Replies: 16
Views: 1493

Re: Mikrotik: Change the default Powerbox config!

Does MAC telnet travel over the internet?
by msatter
Thu Mar 28, 2019 12:36 am
Forum: General
Topic: Mikrotik: Change the default Powerbox config!
Replies: 16
Views: 1493

Re: Mikrotik: Change the default Powerbox config!

Maybe Mikrotik can use internet detection to switch the rules off when no internet is reachable on that interface. If you make the Internet unreachable on your side, it will become a LAN port instead of WAN. This could give a security risk in the time between switching. https://wiki.mikrotik.com/wik...
by msatter
Wed Mar 27, 2019 2:14 pm
Forum: Beginner Basics
Topic: How do you turn on hEX's DMZ?
Replies: 16
Views: 2305

Re: How do you turn on hEX's DMZ?

If the exposed host is compromised then there is access to the internal network. Not with a DMZ, if it is separated well.
by msatter
Sun Mar 24, 2019 11:33 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71465

Re: v6.45beta [testing] is released!

Thanks for adding ECDSA certificates!
by msatter
Wed Mar 20, 2019 1:07 pm
Forum: Announcements
Topic: Tik App, MikroTik android utility ALPHA test
Replies: 425
Views: 144639

Re: Tik App, MikroTik android utility ALPHA test

Neither of the two apps are in Beta anymore. Delete them, and install them again from the regular stores, if you still see the beta. I uninstalled the APP and installed it again but is still stating beta on the APP page and shows up in my beta list in the Play Store. Got it. I have first to leave t...
by msatter
Wed Mar 20, 2019 12:17 pm
Forum: Announcements
Topic: Tik App, MikroTik android utility ALPHA test
Replies: 425
Views: 144639

Re: Tik App, MikroTik android utility ALPHA test

My post has nothing to do with getting the APP. It has everything to do with making sure the APP is up to date and informing MT users which is the latest app version. For example my APP was on version 0.24. I was fat dumb and happy. NO INDICATIONS were provided UNLIKE other apps, that my app was ou...
by msatter
Tue Mar 19, 2019 7:08 pm
Forum: Announcements
Topic: Tik App, MikroTik android utility ALPHA test
Replies: 425
Views: 144639

Re: Tik App, MikroTik android utility ALPHA test

I AM NOT DEAF I ONLY CAN'T READ.
by msatter
Mon Mar 18, 2019 9:01 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 709

Re: Putty updated to 0.71

RB760iGS (hEX S) with the SFP being cooled. @msatter pray tell how do you cool the SFP on your hEXs ... got a pic? Yes, and I now have only the one between the power cable and the SFP, and used a round file to make a slight indentation so that not too much force is put on the power connector. When it i...
by msatter
Mon Mar 18, 2019 3:07 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 709

Re: Putty updated to 0.71

Or a coffee LOL.
Remember: sleeping is poor substitute for caffeine.
Sleep helps me to solve problems and caffeine makes me run in circles around them without solving the problem. Some problems can't be solved and then you have to learn to live with them.
by msatter
Mon Mar 18, 2019 3:04 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 709

Re: Putty updated to 0.71

Which is my point. Post it in the phucking putty forum. Do you want me to start effing posting everytime there is a windows update, a linux update, a macos update, an avast update, etc etc etc............ I might as well post everytime I pop a zit, and pluck a nose hair. ;-) And yes, I have been he...
by msatter
Mon Mar 18, 2019 2:15 am
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 709

Putty updated to 0.71

Our trusty Putty has been updated to version 0.71. A while ago a vulnerability was discovered and through the EU-funded bounty program a few more were shared. The latest version can be downloaded from: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html Change log: https://www.chiark.green...
by msatter
Sun Mar 17, 2019 1:47 pm
Forum: Beginner Basics
Topic: Recommend way to block Ads with Mikrotik
Replies: 10
Views: 3482

Re: Recommend way to block Ads with Mikrotik

No, I am using Pi-hole.
by msatter
Sun Mar 17, 2019 12:58 pm
Forum: Scripting
Topic: Bypass mobile phones to different dhcp pool
Replies: 4
Views: 423

Re: Bypass mobile phones to different dhcp pool

Beta 6.45

*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
by msatter
Thu Mar 14, 2019 2:35 pm
Forum: Scripting
Topic: How to really make backups (by script) ?
Replies: 15
Views: 959

Re: How to really make backups (by script) ?

It seems that the MAC address is programmed in the hardware which appears when you erase the restored MAC.

It is a config backup, and the setting you mention is for the same device or if you want to duplicate a device.
by msatter
Wed Mar 13, 2019 2:52 pm
Forum: Scripting
Topic: How to really make backups (by script) ?
Replies: 15
Views: 959

Re: How to really make backups (by script) ?

Copy and paste your MAC reset script into the export.rsc file.
by msatter
Thu Mar 07, 2019 7:08 pm
Forum: General
Topic: hEX S shows activity on disabled SFP port without a link
Replies: 6
Views: 363

Re: hEX S shows activity on disabled SFP port without a link

Should be fixed in 6.44

*) ethernet - fixed packet forwarding when SFP interface is disabled on hEX S;
by msatter
Fri Feb 22, 2019 7:28 pm
Forum: Beginner Basics
Topic: Turn off system LED
Replies: 1
Views: 216

Re: Turn off system LED

Led me shine a bright beam of blue light to what you missed to see:

viewtopic.php?f=3&t=144860
by msatter
Fri Feb 22, 2019 2:32 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5962

Re: Security issue when Winbox exposed

It was fixed before Tenable made the issue public. MikroTik and Tenable gave users time to upgrade before making any announcements.
That is not a direct answer to my question, however an indirect one like this will do. :-)
by msatter
Fri Feb 22, 2019 1:31 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5962

Re: Security issue when Winbox exposed

Because the most common question is, when will you fix this. It's already fixed. So it was already fixed before Tenable contacted Mikrotik? I just noticed that my DECT phone was blinking red and it was the Mikrotik RSS feed that was updated about this. I still urge to state the minimal safe patch level...
by msatter
Fri Feb 22, 2019 1:30 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5962

Re: Security issue when Winbox exposed

@msatter To me Tenable went public too soon. Absolutely agree, however, I wonder why they would do it... This is pure hypothesis: Maybe Tenable originally agreed to keep it secret for some period of time, but after they saw that the security fix was silently released as "improvement", they decided ...
by msatter
Fri Feb 22, 2019 1:20 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 5962

Re: Security issue when Winbox exposed

Statement https://blog.mikrotik.com/security/cve-20193924-dude-agent-vulnerability.html I understand that Mikrotik wants to speak in a positive way about this, but why include the words in bold? Tenable had previously contacted MikroTik about this issue, so a fix has already been released on Februar...
by msatter
Fri Feb 22, 2019 1:25 am
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12496

Re: v6.44rc [testing] is released!

It takes a bit longer, and if you don't have any response from support during this Monday then send a reminder.