Community discussions

MikroTik App

Search found 558 matches

  • 1
  • 2
by Van9018
Tue Feb 02, 2021 12:28 am
Forum: General
Topic: VPN IPSEC port change 500
Replies: 4
Views: 400

Re: VPN IPSEC port change 500

IP > Firewall > NAT I haven't tested the rules below. Packet sniffer, torch and the packet flow diagram (https://wiki.mikrotik.com/wiki/Manual:Packet_Flow) will help with troubleshotting. You'd need 4 rules on both endpoints chain=dst-nat src-address=<ip of local WAN interface> dst-address=<ip of re...
by Van9018
Mon Feb 01, 2021 10:40 pm
Forum: General
Topic: Two WAN Connections and Two Web servers
Replies: 5
Views: 407

Re: Two WAN Connections and Two Web servers

Hope this screenshot helps?
by Van9018
Mon Feb 01, 2021 10:28 pm
Forum: Wireless Networking
Topic: MikroTik, thoughts and opinions?
Replies: 4
Views: 518

Re: MikroTik, thoughts and opinions?

When looking at the product list, some will support hardware acceleration for IPSec. The cheaper products will make no mention of HW acceleration, in which case they won't have HW acceleration. They'll still support IPSec but it tends to max out the CPU. Some users find that wifi sucks on Mikrotiks....
by Van9018
Mon Feb 01, 2021 10:17 pm
Forum: General
Topic: After Hack are we clean ?
Replies: 6
Views: 644

Re: After Hack are we clean ?

2. Is there something else we should check Check that IP > Web Proxy has not been setup Check that a VPN user hasn't been created. To prevent future hacks, you should set up a default deny rule for the input chain (but not limit it to just the WAN, consider your LAN as untrusted too). ** Before you...
by Van9018
Mon Feb 01, 2021 10:09 pm
Forum: Beginner Basics
Topic: ip forward between two local networks
Replies: 12
Views: 849

Re: ip forward between two local networks

What is your WAN interface on that router? Ether1? These two lines are incorrect: add action=masquerade chain=srcnat src-address=192.168.1.0/24 add action=masquerade chain=srcnat src-address=192.168.2.0/24 Delete them. Then add add action=masquerade chain=srcnat out-interface=ether1 And the default ...
by Van9018
Mon Feb 01, 2021 9:59 pm
Forum: General
Topic: Ipsec required resource
Replies: 7
Views: 592

Re: Ipsec required resource

It's possible to use IPSec without hardware acceleration but at around 5-10 mbps you'll begin to max out the CPU. Then you'll have severe packet loss. If you're hoping to achieve 200 mbps over IPSec, get a HEX or any other one with HW acceleration.
by Van9018
Mon Feb 01, 2021 10:29 am
Forum: Beginner Basics
Topic: please help my mikrotik hacked By Hosts
Replies: 7
Views: 951

Re: please help my mikrotik hacked By Hosts

i check his mac address online i can't find any info
iPhone and Android may occasionally randomize their mac address as a form of privacy from tracking.
by Van9018
Mon Feb 01, 2021 10:21 am
Forum: Beginner Basics
Topic: L2TP VPN Won't Connect to CCR1009-7g-1c-1s+
Replies: 6
Views: 534

Re: L2TP VPN Won't Connect to CCR1009-7g-1c-1s+

Go to System > Logging and turn on logging for IPSec. Try and connect again, then check the log.
by Van9018
Mon Feb 01, 2021 10:11 am
Forum: General
Topic: 3 Wan - 1 for Internet and 1 for VOIP only?
Replies: 2
Views: 237

Re: 3 Wan - 1 for Internet and 1 for VOIP only?

I imagine all your phones will connect to the same remote endpoint for SIP and RTP? Create a mangle rule that marks all packets coming into your router from the LAN. When the destination IP is that of your voip, mark the packet with a routing mark of VOIP Next create a route, destination address 0.0...
by Van9018
Mon Feb 01, 2021 10:02 am
Forum: General
Topic: about layer7 regexp add name=jpg regexp="^.*(post|POST|get|GET).+\\.jpg.+\\http"
Replies: 2
Views: 223

Re: about layer7 regexp add name=jpg regexp="^.*(post|POST|get|GET).+\\.jpg.+\\http"

Backslash means the next character is a match case. In the case of \\, it means it should match one backslash. Looks like your trying to match all JPG images that are requested. The pattern looks wrong This site: https://regex101.com/ Will show you what each port of the pattern means. Most websites ...
by Van9018
Mon Feb 01, 2021 9:46 am
Forum: General
Topic: Ipsec required resource
Replies: 7
Views: 592

Re: Ipsec required resource

If there are no test results and the product description does not mention IPSec Harware Encryption then it probably doesn't have it. I use the Hex: https://mikrotik.com/product/RB750Gr3 It's test says 470 mbps. My max internet speed is 100mbps. I can sustain 100 mbps IPSec. When Covid came, I was co...
by Van9018
Mon Feb 01, 2021 9:35 am
Forum: General
Topic: route ping packet only to 2nd WAN
Replies: 2
Views: 237

Re: route ping packet only to 2nd WAN

Create a mangle rule to give packets a routing-mark. In the mangle rule you can specify what type of packets, such as ICMP Ping. And you can provide source-ip if you want only 1 device on the LAN to ping out on WAN2 Then create a route that applies to packets with the routing-mark you specified in t...
by Van9018
Mon Feb 01, 2021 6:00 am
Forum: Beginner Basics
Topic: L2TP Error
Replies: 2
Views: 252

Re: L2TP Error

Adding L2TP or IPSec to your log topics may help troubleshooting.
In Winbox, Go to System > Logging and enable those topics.
by Van9018
Mon Feb 01, 2021 5:54 am
Forum: Scripting
Topic: Send email if router rejects someone to my wifi
Replies: 4
Views: 426

Re: Send email if router rejects someone to my wifi

I think you'd have to use scripting. Scripts run on a schedule, every x minutes. The script would scan the log for keywords.
https://wiki.mikrotik.com/wiki/Manual:Scripting
by Van9018
Mon Feb 01, 2021 5:37 am
Forum: Beginner Basics
Topic: ip forward between two local networks
Replies: 12
Views: 849

Re: ip forward between two local networks

the use cases I regularly split out the data, phones, and guest networks. If all cables terminate in the same room then I don't need a vlan, instead I delete the bridge which makes each physical port it's own network. But if a customer has two floors with just 1 cable going between the floors, I ha...
by Van9018
Mon Feb 01, 2021 5:22 am
Forum: Beginner Basics
Topic: ip forward between two local networks
Replies: 12
Views: 849

Re: ip forward between two local networks

To have your subnets access the internet, you would only need to do a src-nat masquerade rule on the WAN interface only. All other interfaces should not have src-nat or dst-nat. No mangle rules. Since you've already removed the bridge, then when packets come into the router then they should be route...
by Van9018
Sun Jan 31, 2021 3:21 am
Forum: Beginner Basics
Topic: Panasonic Pbx VoIP Disable SIP ALG
Replies: 10
Views: 718

Re: Panasonic Pbx VoIP Disable SIP ALG

And as for h323 and the others, you can disable those too as they are alternatives to SIP, you're not using them.
by Van9018
Sun Jan 31, 2021 3:02 am
Forum: Beginner Basics
Topic: Panasonic Pbx VoIP Disable SIP ALG
Replies: 10
Views: 718

Re: Panasonic Pbx VoIP Disable SIP ALG

Port 5060 is for unencrypted SIP. Port 5061 is for encrypted SIP. However if SIP is encrypted, then the Mikrotik can't inspect and rewrite SIP packets. I don't know why Mikrotik lists 5061. A PBX will typically route all audio through itself. But it's possible to configure your PBX to route audio di...
by Van9018
Sat Jan 30, 2021 3:19 am
Forum: General
Topic: ROS speed degrade on high-latency WAN
Replies: 4
Views: 584

Re: ROS speed degrade on high-latency WAN

I don't know - but for what it's worth, I use the Hex model with IPSec. My internet speed is 100 mbps, latency is 178 ms from Canada to Europe and I'm able to sustain around 99 mbps over the IPSec tunnel for many hours. My test is a single file transfer via FTP. While you're maxed out, a brief packe...
by Van9018
Sat Jan 30, 2021 2:40 am
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 1533

Re: L7 Filter rule exception.

If you're able to install a CA certificate on all computers in your network, then you can use something like the Fortigate firewall. Because you've installed the CA certificate on all computers, it can re-sign all encrypted connections. This gives it the ability to transparently inspect the content ...
by Van9018
Sat Jan 30, 2021 2:03 am
Forum: General
Topic: L2TP/IPSEC not connecting
Replies: 2
Views: 234

Re: L2TP/IPSEC not connecting

I had a similar issue. The L2TP/IPSec creates a default Policy/Proposal/etc. I had an additional policy, an old one that I didn't use. When I'd connect with Win7, it would pick the correct policy and establish ok. When I'd connect from a Mikrotik, it would give me errors about no proposal. I never d...
by Van9018
Sat Jan 30, 2021 1:53 am
Forum: Beginner Basics
Topic: ip forward between two local networks
Replies: 12
Views: 849

Re: ip forward between two local networks

Since you're not NAT-ing, then you shouldn't have chain=src-nat rules. chain=forward, action=accept means that ALL packets can forward between the subnets. If you'll permit all, then you don't need a default deny rule. And if you don't have a default-deny rule, then it's permitted anyway. So this ru...
by Van9018
Sat Jan 30, 2021 1:28 am
Forum: General
Topic: Route 1 ip throught vpn
Replies: 3
Views: 291

Re: Route 1 ip throught vpn

You'd have to set up a mangle rule to mark all packets from the one IP you wish to route over the VPN. You'd apply a routing mark. Then you'd create a route that applies to packets with said routing mark to forward it to the IP of your remote end point. Your remote end point would need to have a rou...
by Van9018
Sat Jan 30, 2021 1:21 am
Forum: Beginner Basics
Topic: Block all internet traffic to one port except from one IP address
Replies: 9
Views: 721

Re: Block all internet traffic to one port except from one IP address

/ip firewall filter add action=drop chain=forward comment=\ "Block all internet traffic to my port, except for specified IP address" dst-port=22654 protocol=\ udp src-address=!177.228.59.101 Yes - that line is superfluous. On an unrelate note, I try to reduce the double-negative rules, I ...
by Van9018
Sat Jan 30, 2021 12:55 am
Forum: Beginner Basics
Topic: Panasonic Pbx VoIP Disable SIP ALG
Replies: 10
Views: 718

Re: Panasonic Pbx VoIP Disable SIP ALG

I don't do port forwarding. Your PBX has to register against the VoIP provider every few minutes (usually 2 minutes). This keeps the UDP port 5060 open and forwarded to your PBX naturally. I also don't use a STUN server because the ALG is supposed to fix that. The ALG is supposed to monitor the SIP ...
by Van9018
Fri Jan 29, 2021 6:24 am
Forum: General
Topic: Two tunnels between two routers? EoIP + IPIP
Replies: 5
Views: 509

Re: Two tunnels between two routers? EoIP + IPIP

What is the gateway of your computer? It should be the IP of RA. Ping is layer 3. Since you're pinging outside of your subnet, your PC will send the Ping to your gateway IP for routing. If your gateway is RB's IP, then your ping is being routed at RB and never sent to RA. Thus the 1ms response time.
by Van9018
Fri Jan 29, 2021 5:55 am
Forum: Beginner Basics
Topic: Panasonic Pbx VoIP Disable SIP ALG
Replies: 10
Views: 718

Re: Panasonic Pbx VoIP Disable SIP ALG

Your PBX is SIP, not h323, etc. So ignore the others.

I've had problems with SIP ALG on SonicWall, but never with Mikrotik so I've always left it enabled.
by Van9018
Fri Jan 29, 2021 5:42 am
Forum: General
Topic: Request for command output
Replies: 1
Views: 133

Re: Request for command output

Ya pretty weird for sure Output is as follows: 0 interface=ether2,brdige1 address=192.168.88.176 mac-address=4C:5E:0C:11:22:33 identity=MyFavSwitch platform=MikroTik version=8.33 unpack=none age=29s uptime=15w5d7h49m47s software-id=KITN-EWBI board=CRS125-24G-1S ipv6=no interface-name=ether2 system-c...
by Van9018
Fri Jan 29, 2021 5:07 am
Forum: General
Topic: Slow VPN performance?
Replies: 9
Views: 678

Re: Slow VPN performance?

With IPSec and the hap lite I would max out at 8 mbps, but packets would drop so bad that users who's traffic was not using the IPSec tunnel would complain. So I had to limit my IPSec throughput to 3 to prevent dropped packets. I upgraded to Hex and ran some tests, I can max out my internet speed ov...
by Van9018
Fri Jan 29, 2021 4:59 am
Forum: General
Topic: Route 1 ip throught vpn
Replies: 3
Views: 291

Re: Route 1 ip throught vpn

Are you trying to make a site-to-site VPN where Site/Location 1 will route all it's internet traffic over the VPN to Site/Location 2 ?
by Van9018
Fri Jan 29, 2021 4:51 am
Forum: General
Topic: What is IP SOCKS ? I got hacked and they open this
Replies: 10
Views: 1277

Re: What is IP SOCKS ? I got hacked and they open this

And set a password for winbox. I left it as just admin and someone's personal laptop set up a PPTP service on the Mikrotik along with vpn/vpn as the user/pass for the VPN.
Consider firewalling your winbox on the LAN side.
by Van9018
Fri Jan 29, 2021 4:37 am
Forum: Scripting
Topic: [Script] Namecheap Dynamic DNS Update Script
Replies: 8
Views: 6408

Re: [Script] Namecheap Dynamic DNS Update Script

With this script and Namecheap, you can have a much cooler and shorter ddns domain.
You can also create a CNAME record that resolves to your mikrotik ddns url. Saves you the cost of ddns hosting.
by Van9018
Fri Jan 29, 2021 4:28 am
Forum: Beginner Basics
Topic: Block all internet traffic to one port except from one IP address
Replies: 9
Views: 721

Re: Block all internet traffic to one port except from one IP address

I wonder if the way I did it would also do the job.
Your way would do the job, although anav's way would be considered the correct way.
by Van9018
Fri Jan 29, 2021 3:38 am
Forum: Beginner Basics
Topic: Internet drops to 0 kbps for 1-2 seconds
Replies: 4
Views: 311

Re: Internet drops to 0 kbps for 1-2 seconds

Are you on wifi? Plug in with a cable to rule out a wifi problem. Some troubleshooting steps: In winbox, go to Tools > Ping and ping a remote host repeatedly every 250ms. Your issue is likely a complete drop in internet? Tools > Profile will allow you to monitor the CPU usage of the Mikrotik. The CP...
by Van9018
Fri Jan 29, 2021 3:21 am
Forum: RouterBOARD hardware
Topic: Static IP
Replies: 14
Views: 894

Re: Static IP

I think I'm interpreting your requirements differently than Sob, so don't mix our suggestions together. Is the following what you're trying to do? ISP1 --> ether1 ISP2 --> ether2 ISP3 --> ether3 ISP4 --> ether4 ISP5 --> ether5 (ISP5 is for the client in question and is dedicated to that client) ethe...
by Van9018
Thu Sep 03, 2020 1:03 am
Forum: Beginner Basics
Topic: Considering purchasing a hEX
Replies: 4
Views: 336

Re: Considering purchasing a hEX

The various Mikrotik models all have the same interfaces. I always use Winbox which is a little windows utility used to configure the device. It's very snappy, the device never needs rebooting. You can also connect by MAC address so you can change the IP of the device without having to reconnect. It...
by Van9018
Thu Sep 03, 2020 12:33 am
Forum: RouterBOARD hardware
Topic: Boards keep Freezing
Replies: 4
Views: 410

Re: Boards keep Freezing

While it's working, see if anything is working the CPU harder than it should be. Tools > Profiler
by Van9018
Thu Sep 03, 2020 12:27 am
Forum: General
Topic: SSTP connection drop every 2 minutes
Replies: 3
Views: 489

Re: SSTP connection drop every 2 minutes

Enable logging for SSTP. Anything interesting in there? I've used site-to-site SSTP VPNs, they tend to last a few days at the longest but I never notice the re connection.
by Van9018
Thu Sep 03, 2020 12:12 am
Forum: General
Topic: SIP Trunk no voice path
Replies: 1
Views: 423

Re: SIP Trunk no voice path

I set up PBXs behind Mikrotiks. Since the PBX is doing the SIP registration, I never have to setup any port forwarding at all. Instead I leave the sip helper enabled. The sip helper is supposed to read the SIP messages and automatically forward ports. This always works for me. The SIP channel can't ...
by Van9018
Wed Feb 26, 2020 2:06 am
Forum: General
Topic: Allow VPN connection from a specific computer
Replies: 2
Views: 1635

Re: Allow VPN connection from a specific computer

Control it with a username and password..? I don't think I understand your question.
by Van9018
Wed Feb 26, 2020 1:51 am
Forum: General
Topic: WiFi Calling Problems
Replies: 8
Views: 2732

Re: WiFi Calling Problems

I usually leave SIP ALG enabled and use no port forwarding at all. I never enable UPnP, but that's because I don't need it. The ATT router may be doing port translation. If you do a packet capture in the Mikrotik, you can check if ports are changing for the audio and you'll be able to see if the aud...
by Van9018
Mon Feb 03, 2020 2:42 am
Forum: Beginner Basics
Topic: IOS VPN connection to home network
Replies: 3
Views: 1679

Re: IOS VPN connection to home network

Step by Step in section 5.3 of this article. https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Basic_L2TP.2FIpSec_setup But you also need firewall rules not mentioned in that section. ;;; Permit L2TP VPN chain=input action=accept protocol=udp in-interface=ether1 dst-port=500 log=no log-prefix=&qu...
by Van9018
Fri Jan 31, 2020 8:18 pm
Forum: General
Topic: IPSec Site-to-Site VPN slow
Replies: 6
Views: 2700

Re: IPSec Site-to-Site VPN slow

including static route to the Mikrotik for the remote net. For just IPSec I don't think you need a route. Check out the packet flow diagram. The logic says you need a src-nat rule with action=Accept when the packet's dest ip is the remote network. This prevents the packet from being masqueraded. Wi...
by Van9018
Thu Oct 31, 2019 12:27 am
Forum: General
Topic: Some Websites not working in HTTP but working in HTTPS
Replies: 3
Views: 1007

Re: Some Websites not working in HTTP but working in HTTPS

Check IP > Web Proxy, disable it. Awhile back, hackers were enabling that. It impacted HTTP only.
by Van9018
Thu Oct 24, 2019 8:27 am
Forum: Beginner Basics
Topic: accessible packet flow diagram
Replies: 1
Views: 694

Re: accessible packet flow diagram

The packet flow diagrams show too much logic to try and describe it in it's entirety. That then makes your question too broad. Before the diagrams make sense, you should first learn about the different chains in the firewall rules, nat rules and mangle rules. Once you understand those, then the basi...
by Van9018
Wed Oct 23, 2019 11:22 am
Forum: General
Topic: Strange issue with IPSEC
Replies: 1
Views: 530

Re: Strange issue with IPSEC

Policy problem, src-nat problem (masquerade). Do you have a src-nat rule on the Mikrotik that says: If packets are destined to the remote side's subnet, then accept the packet. Put that rule above your masquerade rule. Otherwise your packet destined to the remote side will have it's src IP replaced ...
by Van9018
Wed Oct 23, 2019 11:09 am
Forum: Beginner Basics
Topic: L2TP via heX before existing home network
Replies: 1
Views: 454

Re: L2TP via heX before existing home network

RouterOS is very configurable. This means you lose a simpler GUI in favour of more flexibility. The manual is here: https://wiki.mikrotik.com/wiki/Manual:TOC You have to have a good understanding of networking protocols and concepts. To find tutorials, search google for what you want to do and with ...
by Van9018
Wed Oct 23, 2019 10:31 am
Forum: SwOS
Topic: RB260GS as unmanaged? (No IP address)
Replies: 4
Views: 2803

Re: RB260GS as unmanaged? (No IP address)

IP > DHCP Server, delete the dhcp server for bridge1 IP > Addresses, delete the ip address of bridge1 At this point, Ports 2-5 and wifi are considered a switch. ether1 remains the gateway. If you want to use ether1 as another port in the switch... IP > DHCP Client, delete DHCP Client for ether1 Brid...
by Van9018
Wed Oct 23, 2019 10:17 am
Forum: Beginner Basics
Topic: Static DNS for subdomains
Replies: 3
Views: 2011

Re: Static DNS for subdomains

---
by Van9018
Wed Oct 23, 2019 9:57 am
Forum: General
Topic: L2TP Client apparently incompatible with VPN server?
Replies: 2
Views: 738

Re: L2TP Client apparently incompatible with VPN server?

I'm not sure I understand your scenario... Your not at home with your laptop. You want your internet traffic to first go home via OpenVPN, and then out the LT2P client through ivacy.com. Is that right? I would think it's a route problem. When the L2TP connection is active and has a lower route dista...
by Van9018
Wed Oct 23, 2019 9:38 am
Forum: General
Topic: ipsec tunnel expired
Replies: 1
Views: 720

Re: ipsec tunnel expired

That command should work fine. I had a similar issue with Mikrotik to Cisco. Cisco would send a command to drop the connection but the Mikrotik wouldn't, so my SA's were still there. I couldn't ping either because the connection is dead but the Mikrotik thought it was still active. I had created a s...
by Van9018
Wed Oct 23, 2019 9:11 am
Forum: General
Topic: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?
Replies: 10
Views: 2224

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

so by forwarding 1723 i have to add nat rule that forward port to Mikrotik_A .. is that correct ? and for gre yes it's enabled on input chain on both routers just before the invalid drop chain I don't think that's correct... If your Mikrotik A is the PPTP- Client then I don't think you need any por...
by Van9018
Wed Oct 23, 2019 8:19 am
Forum: Wireless Networking
Topic: Slow WiFi (Mikrotik WAP)
Replies: 35
Views: 34127

Re: Slow WiFi (Mikrotik WAP)

is there a way to get back the 5Ghz signal after the 2,4Ghz ?? Any device normally connects to 5Ghz frequency when you are close to the router and switch to 2,4 Ghz when you are more far ...but after that it stays connect to 2,4 Ghz even if you are in fron of the router ...Is there a way to fix thi...
by Van9018
Tue Apr 16, 2019 9:29 pm
Forum: Beginner Basics
Topic: check and protect smb from outside
Replies: 2
Views: 837

Re: check and protect smb from outside

SMB from the outside is firewalled by default (out-of-box config). There should be a default deny rule in your firewall. With out-of-box config, your LAN ports would be in a bridge and there would be no firewall, so SMB within the LAN should be ok. I like to firewall outbound SMB though, disallow SM...
by Van9018
Fri Apr 12, 2019 5:51 am
Forum: Beginner Basics
Topic: routers sends back local IP instead of external
Replies: 4
Views: 845

Re: routers sends back local IP instead of external

For the sake of understanding of what you saw at first... when I use filezilla, it does work, but when I use windows explorer.... When your filezilla server uses the private IP of the machine, the remote filezilla-client will probably work because the filezilla client has a feature where it determin...
by Van9018
Sat Apr 06, 2019 10:54 pm
Forum: General
Topic: SIP port(s)
Replies: 6
Views: 977

Re: SIP port(s)

by Van9018
Thu Mar 28, 2019 9:52 pm
Forum: General
Topic: Port forwarding to two pcs for RDP
Replies: 12
Views: 3833

Re: Port forwarding to two pcs for RDP

- Can you RDP to the 2nd machine from inside the LAN? If not, then check Windows firewall. If you can, check if firewall is limited to LAN only or something like that. - Use Torch on wan interface. You should see your RDP packets coming in the wan interface, then torch again on the lan and you shoul...
by Van9018
Wed Mar 27, 2019 2:57 am
Forum: Beginner Basics
Topic: Connecting SSTP Client and SSTP Server on MT
Replies: 6
Views: 1219

Re: Connecting SSTP Client and SSTP Server on MT

Your MT-DEVICE with IP of 172.17.1.x doesn't know where the 172.16.0.0/16 network is. The MT-DEVICES need a route that says to forward 172.16.0.0/24 to <SSTP-CLIENT-NAME> Your SE-DEVICE with IP of 172.16.1.1 doesn't know where the 172.17.0.0/16 is. The SE-DEVICE needs a route to send 172.17 packets ...
by Van9018
Fri Mar 22, 2019 5:03 am
Forum: Scripting
Topic: macros bug [SOLVED]
Replies: 14
Views: 5237

Re: macros bug [SOLVED]

This page: https://wiki.mikrotik.com/wiki/Manual:S ... _statement
says the syntax of the if statement should be prefixed with a colon

{
:local myBool true;
:if ($myBool = false) do={ :put "value is false" } else={ :put "value is true" }
}
by Van9018
Fri Mar 22, 2019 4:51 am
Forum: General
Topic: How to route (assign) two Public IP's on same segment /29 and keep connectivity
Replies: 18
Views: 3850

Re: How to route (assign) two Public IP's on same segment /29 and keep connectivity

IP > Address, just add the second IP to the same interface. You may need a src-nat rule in IP > Firewall > NAT.
I don't understand your requirements though. Is Public IP #1 meant for guests, and Public IP #2 is meant for the corporate LAN?
by Van9018
Fri Mar 22, 2019 4:15 am
Forum: General
Topic: IPSEC ike2 tunnel drops [SOLVED]
Replies: 4
Views: 2075

Re: IPSEC ike2 tunnel drops [SOLVED]

I don't have much input.. sorry! I checked my IPSec configs, and I found that a second set of SA's get created, both sets exist for maybe 30 seconds and then the first set a is removed. My soft lifetime is 30 minutes, hard lifetime is 1d. The status of the SAs say 24/30 for "add lifetime"....
by Van9018
Fri Mar 22, 2019 2:28 am
Forum: General
Topic: Static DNS for Local network
Replies: 18
Views: 4769

Re: Static DNS for Local network

But I would refrain from using Layer 7 protocol expressions. Why refrain from this? I do as Sob suggested. At my office, my Mikrotik maintains a VPN to my clients. Using L7, I intercept DNS packets and redirect them to the client's internal DNS server. Now, any PC from my office can remote into any...
by Van9018
Fri Mar 22, 2019 1:46 am
Forum: Beginner Basics
Topic: Is it OK for all leds to run at once like this ?
Replies: 2
Views: 653

Re: Is it OK for all leds to run at once like this ?

On a LAN, routers often try and be proactive in resolving IPs to Max (Arp Request). An ARP request is a broadcast packet. Your router will query each IP on the LAN for it's mac address. Devices will also do ARP requests. Windows will try and discover new equipment like TVs and Printers on the networ...
by Van9018
Fri Mar 22, 2019 1:37 am
Forum: General
Topic: Attempt of attacks through Remote Desktop [SOLVED]
Replies: 6
Views: 2006

Re: Attempt of attacks through Remote Desktop [SOLVED]

First ensure you have the latest updates to Win 7 or Win 10. Don't use older Operating Systems. Microsoft dropped the ball 3 times already where a hacker could send a specially crafted packet that would contain a command that would be executed under the System user. So without logging in, a hacker c...
by Van9018
Fri Mar 22, 2019 1:23 am
Forum: General
Topic: SMB Server question (RB3011)
Replies: 6
Views: 2423

Re: SMB Server question (RB3011)

Might be related to line endings. The working PDF has CRLF as line ending whereas corrupted file has LF. This was a problem for iOS mail for a short time a few years ago. Use a hex editor on a corrupted PDF and locate an LF character (ascii=10). There must be a preceding CR character (ascii=13). If ...
by Van9018
Fri Mar 22, 2019 1:07 am
Forum: General
Topic: VoIP issues Mikrotik SIP ALG and Grandstream
Replies: 2
Views: 1652

Re: VoIP issues Mikrotik SIP ALG and Grandstream

I don't quite understand your setup. On my Grandstream + Mikrotik setups I leave SIP ALG on, turn sip-direct-media off and set the two ports on the UCM to switch/bridge mode so neither port is a WAN port. It's then like a 2 port switch. I don't use any NAT whatsoever because that's what the SIP ALG ...
by Van9018
Wed Mar 20, 2019 1:09 am
Forum: General
Topic: faile to obtain ip address error
Replies: 4
Views: 723

Re: faile to obtain ip address error

When lease shows mac as 00:00:00:00:00 then a device already has that IP. Some Ideas: - Turn on logging for the DHCP topic. - If log says Offering Lease without Success, check out this thread: https://forum.mikrotik.com/viewtopic.php?f=2&t=130176&p=719332&hilit=apple+dhcp#p719332 - Possi...
by Van9018
Wed Mar 20, 2019 12:59 am
Forum: General
Topic: Static IP not showing at DHCP server.
Replies: 8
Views: 4876

Re: Static IP not showing at DHCP server.

because some pc i set as static at DHCP there and i saw it at lease there.
If your PC started off as DHCP and then you set it to a static IP, the old lease will still be shown until it expires.
by Van9018
Wed Mar 20, 2019 12:14 am
Forum: Beginner Basics
Topic: Any way to scan for *anything* on the LAN? [SOLVED]
Replies: 4
Views: 961

Re: Any way to scan for *anything* on the LAN? [SOLVED]

The link local status will tell you if something is physically connected. If that device tries to communicate, it must have atleast a MAC address and the Mikrotik will record that mac in it's arp tables. You can look up this table in Switch > FDB I think. Entries in arp-tables last for about 10 minu...
by Van9018
Sat Mar 16, 2019 10:23 pm
Forum: Beginner Basics
Topic: ARP issue
Replies: 2
Views: 575

Re: ARP issue

Is this your setup ?
First Router, ether1--> Modem/internet.
2nd Router, ether1 --> First Router's ether2
by Van9018
Tue Mar 12, 2019 2:15 am
Forum: General
Topic: route ip to specific gateway
Replies: 6
Views: 2414

Re: route ip to specific gateway

Yes its one less rule but is it more efficient?? I doubt it. If ISP2 is exclusive to the webserver, I'd think of this as a one-to-one NAT where all but HTTP is firewalled. If thinking of this as a one-to-one nat, it feels a bit more semantic to not have connection-marking rules. If familiarizing my...
by Van9018
Tue Mar 12, 2019 1:30 am
Forum: Beginner Basics
Topic: Mikrotik as HUB (configuration)
Replies: 17
Views: 3359

Re: Mikrotik as HUB (configuration)

IP > DHCP Server, delete the dhcp server for bridge1 IP > Addresses, delete the ip address of bridge1 At this point, Ports 2-5 and wifi are considered a switch. ether1 remains the gateway. If you want to use ether1 as another port in the switch... IP > DHCP Client, delete DHCP Client for ether1 Brid...
by Van9018
Tue Mar 12, 2019 1:05 am
Forum: General
Topic: Harpin NAT between two VLANs
Replies: 34
Views: 3468

Re: Harpin NAT between two VLANs

Overriding www.yoursite.com would be less complicated. Do it in pi-hole if possible. If not, you can catch DNS requests in the Mikrotik, repoint the domains to your Mikrotik's DNS and override there.. You'd have to override yoursite.com and www.yoursite.com. You will need to allow port 80/443 to you...
by Van9018
Mon Mar 11, 2019 11:53 pm
Forum: General
Topic: How to reach RouterOs (web or Winbox) via my static ip address from outside network
Replies: 24
Views: 2812

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

i see the source IP address if i run torch on the on my WAN IP but no connection is established Next would be to Torch bridge1, youd should see packets forwarding to your webserver. If not, check your NAT (Port forwarding) rules. On the same Torch, you should see packets coming from your webserver....
by Van9018
Mon Mar 11, 2019 11:46 pm
Forum: General
Topic: How to reach RouterOs (web or Winbox) via my static ip address from outside network
Replies: 24
Views: 2812

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Otunmusa, by default the Mikrotik won't remember which ISP your outside request came in on. So you connect to the IP of ISP2, and your port forwarding rules forward to your web server. Then your webserver replies, but the Mikrotik will send the packets out on ISP1. This is a broken connection. You h...
by Van9018
Mon Mar 11, 2019 11:21 pm
Forum: General
Topic: Harpin NAT between two VLANs
Replies: 34
Views: 3468

Re: Harpin NAT between two VLANs

You need 4 rules per hairpin. This tutorial worked for me: https://wiki.mikrotik.com/wiki/Hairpin_NAT

Or you can override DNS in the Mikrotik to repoint your website url to the LAN IP of your webserver.
by Van9018
Mon Mar 11, 2019 11:11 pm
Forum: General
Topic: route ip to specific gateway
Replies: 6
Views: 2414

Re: route ip to specific gateway

If it's specifically 1 LAN IP that gets to use ISP2 exclusively, then you could skip the connection-marking and just apply routing marks.
by Van9018
Mon Mar 11, 2019 10:59 pm
Forum: Beginner Basics
Topic: Firewall rules
Replies: 6
Views: 983

Re: Firewall rules

Or use a VPN, then configure your viewer to connect to the local IPs of the cameras. This could be more secure than exposing your Camera's communication protocols to the internet.
by Van9018
Mon Mar 11, 2019 10:32 pm
Forum: General
Topic: Viewing network traffic question
Replies: 7
Views: 1110

Re: Viewing network traffic question

I just need a simple "traffic from this IP can go through" rule. To do this, you can create a NAT rule. In Winbox, it's under IP > Firewall, click the NAT tab. Create Rule: chain=dst-nat, src-ip=<Scanner IP>, in-interface=ether1, action=dst-nat, to-address=<IP of internal PC> You can crea...
by Van9018
Fri Mar 08, 2019 9:29 am
Forum: General
Topic: Please help SSL Notworking
Replies: 2
Views: 589

Re: Please help SSL Notworking

Port conflict or no certificate. Certificate needs a private key too.
by Van9018
Fri Mar 08, 2019 9:23 am
Forum: General
Topic: Viewing network traffic question
Replies: 7
Views: 1110

Re: Viewing network traffic question

I thought the purpose of the PCI Compliance scan was to check for open ports and predictive PAT. They'll check for things such downgrade attacks on servers you may have exposed to the internet. Some routers will have security where it detects and blocks port scanners. They want you to disable that t...
by Van9018
Fri Mar 08, 2019 8:13 am
Forum: General
Topic: SSTP Server, does it REALLY work for anyone??
Replies: 7
Views: 2067

Re: SSTP Server, does it REALLY work for anyone??

You don't need to make a certificate chain, but I'd consider it good practice. You'd install 1 self-signed certificate that's marked as a Certificate Authority (CA) on your windows computers then you can create more certificates and sign them with your CA certificate and the computers will trust the...
by Van9018
Fri Mar 08, 2019 7:38 am
Forum: General
Topic: ARP/DHCP issue [SOLVED]
Replies: 9
Views: 3079

Re: ARP/DHCP issue [SOLVED]

- When a host wants to send a packet to an internet address, it will send the packet directly to the gateway. It will NOT do an arp lookup for that internet address. - You shouldn't see two DHCP discovers and two requests during a DHCP transaction, but not a big deal. Discover, Offer, Request, Ack. ...
by Van9018
Thu Mar 07, 2019 4:44 am
Forum: General
Topic: How to get on mikrotik list of arp records at port.
Replies: 3
Views: 842

Re: How to get on mikrotik list of arp records at port.

In Winbox, Switch > FDB
Untitled.png
by Van9018
Wed Mar 06, 2019 8:03 am
Forum: Wireless Networking
Topic: Block PC to access local LAN on Mikrotik
Replies: 3
Views: 1393

Re: Block PC to access local LAN on Mikrotik

If PC is trusted and you want the firewall for good measure, then maybe iptables in ubuntu?
If PC is untrusted, then anav's suggestion is the only way. Also consider firewall input rules to protect router service ports from the untrusted computer.
by Van9018
Wed Mar 06, 2019 4:29 am
Forum: Beginner Basics
Topic: Dropping from non-DHCP clients
Replies: 1
Views: 351

Re: Dropping from non-DHCP clients

In the interface settings, set ARP to enabled (or arp-proxy if your Mikrotik is a VPN Server). You probably have arp set to reply only. Reply Only is a feature that prevents devices with statically set IPs from communicating on the network. For a statically set IP, you'd have to then manually the ma...
by Van9018
Wed Mar 06, 2019 4:25 am
Forum: RouterBOARD hardware
Topic: Problem to choose the right hardware
Replies: 5
Views: 1394

Re: Problem to choose the right hardware

Your RB450Gx4 has enough performance and AES hardware acceleration for all 3 situations.l I used a Hex Lite, a very cheap Mikrotik router, for 80 PCs and one IPSec tunnel for site-to-site. The Hex Lite does not have AES hardware acceleration so I had to slow Microsoft DFS to 3 mbit/s otherwise the C...
by Van9018
Wed Mar 06, 2019 4:13 am
Forum: General
Topic: ARP/DHCP issue [SOLVED]
Replies: 9
Views: 3079

Re: ARP/DHCP issue [SOLVED]

If the Alarm system has an IP statically set and it's not on the same subnet as statically set in the alarm system, then the alarm system will do ARP requests for the gateway that's statically set in the Alarm system. Since no device on your network will have that IP, you will only see ARP requests ...
by Van9018
Wed Mar 06, 2019 4:00 am
Forum: General
Topic: ARP/DHCP issue [SOLVED]
Replies: 9
Views: 3079

Re: ARP/DHCP issue [SOLVED]

You're a bit off on ARP. On an Ethernet network, every device has a mac address. When packets get sent out over Ethernet, they are actually routed only by their mac address. Not IP address. Since your PC will connect to remote devices by IP, then it needs to find out who on the network has an IP ass...
by Van9018
Wed Mar 06, 2019 3:08 am
Forum: Beginner Basics
Topic: port forwarding - can't figure it out
Replies: 2
Views: 490

Re: port forwarding - can't figure it out

Issue 1 & 2: You are looking at the firewall rules. You need to go to IP > Firewall and then click the NAT tab. Then when you create a rule you'll see chain=dst-nat and action=dst-nat

Issue 3: Your action should be dst-nat, not dns-nat
by Van9018
Thu Jan 10, 2019 3:01 am
Forum: Beginner Basics
Topic: Cannot access RouterOS using WebFig
Replies: 8
Views: 2881

Re: Cannot access RouterOS using WebFig

You can reset the device configuration back to default to make it back into a managed switch. Or if you want to do it manually anyway: - Remove your bridge - Set master-port to ther1 for ports 2-24. - Remove all port forwarding from firewall > NAT, also remove any mangle rules. Delete firewall rules...
by Van9018
Thu Jan 10, 2019 2:48 am
Forum: General
Topic: Apple devices flooding DHCP server
Replies: 15
Views: 4394

Re: Apple devices flooding DHCP server

Have you tried using a different Mikrotik to rule out the Mikrotik as the problem? Disable the DHCP Service, try obtaining an IP. Is there another DHCP service on the network? In Winbox, capture packets with Tools > Packet Sniffer. Save packets to a file. Let the problem happen for a minute. Stop th...
by Van9018
Fri Nov 09, 2018 6:08 am
Forum: General
Topic: DHCP issue
Replies: 4
Views: 1105

Re: DHCP issue

The default config of an 951G-2HnD is: Port 1 = WAN Port 2-5 & WIFI = LAN So to accomplish what you're doing, you should plug cables in like this.. R1 Port 1 -> Internet R1 Port 2 -> Client 1 LAN R1 Port 3 -> R2 Port 1 (You probably have this going to a different port?) R2 Port 2 -> Client 2 LAN...
by Van9018
Wed Oct 10, 2018 1:25 am
Forum: General
Topic: Two of Three Mikrotik router became unreachable after few days
Replies: 1
Views: 518

Re: Two of Three Mikrotik router became unreachable after few days

Try using winbox and connect via MAC address (have to be on the same LAN) I had this issue. Router worked fine but couldn't connect via Winbox to it's IP. But connecting via MAC address worked. I never could get Winbox working again over IP. I replaced it, I have not yet done a factory reset to see ...
by Van9018
Thu Sep 13, 2018 1:01 am
Forum: Beginner Basics
Topic: Got hacked, think I need help with configuring routerOS
Replies: 17
Views: 4526

Re: Got hacked, think I need help with configuring routerOS

For the mikrotik.php virus, Winbox may still work if you connect via mac address. Check IP > Web Proxy, disable it. Go to IP > Firewall, NAT. Delete redirect rule. Go to System > Scripts, delete the bad scripts. Check System > Scheduler too. Even after you secure your router with firewall, upgrade t...
by Van9018
Tue Sep 11, 2018 1:50 am
Forum: General
Topic: Unable to connect to VPN from outside the internal network
Replies: 2
Views: 765

Re: Unable to connect to VPN from outside the internal network

Your firewall rules (500, 4500, 1701) only apply when the routing-mark = DellDsl. Ether4 has a WAN IP. The src-address of packets coming in ether4 would then be a WAN IP. Your mangle rules apply to packets coming in with a private IP - these rules probably don't get triggered.
by Van9018
Tue Sep 11, 2018 1:34 am
Forum: General
Topic: How to block Windows Update on RB2011
Replies: 3
Views: 3482

Re: How to block Windows Update on RB2011

On windows computers you can set the update server. Point it to a non-existent server. You can do that in Group Policy. Then the computers won't get any updates. For the Mikrotik, I think you'd have to resolve all those hostnames to the various IPs in which they may resolve. Then add those IPs to an...
by Van9018
Tue Sep 11, 2018 1:27 am
Forum: Beginner Basics
Topic: DNS for PPTP clients
Replies: 9
Views: 8698

Re: DNS for PPTP clients

If you're trying to resolve hostname only, then your computer goes through various steps to resolve it. 1. It checks the hosts file, this returns immediately. 2. It checks DNS, if any of your adapters has a dns suffix then it'll try and resolve that way. If any DNS servers are slow to respond, this ...
by Van9018
Fri Sep 07, 2018 2:04 am
Forum: Beginner Basics
Topic: Bruteforce prevention Issue
Replies: 14
Views: 3098

Re: Bruteforce prevention Issue

How about a Mikrotik as a VPN server. Techs VPN into that router. Then all client routers allow winbox, RDP, etc from the VPN Servers IP. It also gives the ability to cancel the tech's access to all client sites by deleting his login on the VPN server. iPhone, Android, Windows and Mac all support L2...
by Van9018
Fri Sep 07, 2018 1:11 am
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 1206

Re: Windows 2016 DC requesting lots of IPs from DHCP?

Why wouldn't you let your DCs be the DHCP server rather than the router? You have redundancy with 2 DCs. If an IP in the DHCP range is in-use but the DHCP server has no lease for it, Mikrotik will mark it as in-use and try the next IP. Microsoft will give out the in-use IP. Example: Client buys a p...
by Van9018
Thu Sep 06, 2018 9:37 am
Forum: General
Topic: Feature Request: IP source guard / arp inspection
Replies: 8
Views: 3248

Re: Feature Request: IP source guard / arp inspection

This exists I believe. For your LAN interface, set arp mode to read-only.
If you want a statically set IP for a client, you'd first have to add his mac to the arp table with desired IP.
Everyone else must use their dynamic IP given by DHCP.
by Van9018
Thu Sep 06, 2018 9:13 am
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 1206

Re: Windows 2016 DC requesting lots of IPs from DHCP?

Probably Windows Server thing. RAAS will hold a bunch of IPs like this.
by Van9018
Sat Aug 04, 2018 4:49 am
Forum: Beginner Basics
Topic: Nat not working
Replies: 4
Views: 1004

Re: Nat not working

I find Torch a useful tool to track where packets are being lost. Torch on the WAN to determine if packets are actually hitting your wan, if they are, check dst-nat rule - is the 'packets' field incrementing? Then torch on the LAN side, see if packets are leaving your Mikrotik with the new dest ip (...
by Van9018
Sat Aug 04, 2018 4:40 am
Forum: Beginner Basics
Topic: dhcp lease table
Replies: 5
Views: 1197

Re: dhcp lease table

Another cool feature...
Before Mikrotik gives out the next IP, it'll check to see if that IP is being used on the network. If so, a lease is created where the mac is 00:00:00:00:00 and Mikrotik moves onto the next IP to give out.
by Van9018
Sat Aug 04, 2018 4:31 am
Forum: General
Topic: IP Addresses list that access to google
Replies: 4
Views: 1351

Re: IP Addresses list that access to google

Google will use encryption, so you can't check the HTTP header. If your DNS is external, or the Mikrotik is your DNS, then maybe you can create a firewall rule to log packets coming in the LAN interface of the Mikrotik. Using a Layer7 rule you should be able to log google. Your browser and OS may ca...
by Van9018
Wed Jul 25, 2018 2:07 am
Forum: General
Topic: Hacked-Rogue DNS?
Replies: 12
Views: 3175

Re: Hacked-Rogue DNS?

- Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening. How do you do this? Do you have a script? Will this add much CPU load? Rule 1: Chain=Input, in-interface=ether1, src-add-list=BANNED, action=drop Rule 2: Chain=Input, in-interface=ether1, proto=tcp, dst-...
by Van9018
Tue Jul 24, 2018 10:41 pm
Forum: General
Topic: OPENVPN creating certificate
Replies: 1
Views: 509

Re: OPENVPN creating certificate

You can create a self-signed certificate.

With a self-signed certificate, you can enter whatever values you want.
by Van9018
Tue Jul 24, 2018 10:37 pm
Forum: General
Topic: Can't get Port Forwarding of 1812 and 16384 to work
Replies: 3
Views: 979

Re: Can't get Port Forwarding of 1812 and 16384 to work

Try using Tools > Torch in Winbox. Then try and connect remotely. You'll be able to see if packets are being received by the router, and forwarded to the smoker. And that the smoker replies correctly. No gateway in the smoker can cause this. Or firewall rules in the smoker. Torch is a good place to ...
by Van9018
Tue Jul 24, 2018 10:22 pm
Forum: General
Topic: Hacked-Rogue DNS?
Replies: 12
Views: 3175

Re: Hacked-Rogue DNS?

More options: - Use Port Knocking for administrative ports - Use L2TP/IPSec and not expose administrative ports - Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening. For the last one, it seems hackers are using distributed port scans. For my routers, about 1...
by Van9018
Wed Jun 13, 2018 4:08 am
Forum: Beginner Basics
Topic: hEX - IPsec Tunnel slow
Replies: 35
Views: 11787

Re: hEX - IPsec Tunnel slow

Nothing more to do on the router if FTP maxes out your connection.

SMB is a chatty protocol, latency is a killer. You'll have to look more into SMB to see if it can be tuned for better throughput on high latency networks.
by Van9018
Wed Jun 13, 2018 3:31 am
Forum: General
Topic: PPTP client and/or server on alternate ports
Replies: 1
Views: 1707

Re: PPTP client and/or server on alternate ports

I doubt a windows client has the option to change from TCP port 1723. If your ISP is blocking 1723, then it's most likely blocking GRE as well. GRE doesn't use ports, so that'll be the show stopper for you. The SSTP VPN can be configured to listen on alternative ports, and in clients you can specify...
by Van9018
Tue Jun 12, 2018 11:12 pm
Forum: General
Topic: IPSec/L2TP and Network Resources [SOLVED]
Replies: 28
Views: 5095

Re: IPSec/L2TP and Network Resources [SOLVED]

I thought there was a trick for this.

If server IP of L2TP/IPSec is the IP of your ether2 ip, and ether2 arp mode is proxy-arp, then it would work? I haven't tested this myself.

if broadcasts won't work, then SMB will still work if you use IP or WINS or DNS.
by Van9018
Mon Jun 11, 2018 10:29 am
Forum: General
Topic: SOME DOUBTS AROUND BYPASS USING WINBOX
Replies: 1
Views: 489

Re: SOME DOUBTS AROUND BYPASS USING WINBOX

You could create a mac based vlan and assign a DHCP Server to that VLAN.
by Van9018
Mon Jun 11, 2018 9:59 am
Forum: Beginner Basics
Topic: L2TP/IPSec Client
Replies: 3
Views: 916

Re: L2TP/IPSec Client

In Windows, iOS, Android and Mac - they automatically forward all traffic over the VPN. The Mikrotik does not. Edit your L2TP client interface in the Mikrotik, and under the Dial Out tab, check "Add Default Route". I'm not sure - but you may have to also set the distance of your existing d...
by Van9018
Sat Jun 09, 2018 3:44 am
Forum: General
Topic: Mikrotik detecting all traffic to Synology as invalid connections
Replies: 7
Views: 1978

Re: Mikrotik detecting all traffic to Synology as invalid connections

Any updates or solutions? I'm having the same problem. Mikrotik's invalid rule is dropping some of my synology packets. Are you using a VLAN too? If Synology is on the same lan, then packets don't go through the firewall. Could it be that packets to the synology go through the LAN and the packets f...
by Van9018
Fri Jun 08, 2018 11:20 pm
Forum: Beginner Basics
Topic: L2TP & IPSEC with Windows 10
Replies: 12
Views: 5602

Re: L2TP & IPSEC with Windows 10

Anybody want to run a packet capture on the Mikrotik? On the Wan interface. Post the results in this thread.

Would be helpful to see what Windows is sending.
by Van9018
Fri Jun 08, 2018 11:16 pm
Forum: General
Topic: DNS service on specific Public IP address
Replies: 12
Views: 1920

Re: DNS service on specific Public IP address

action=mark-connection
DNS uses UDP, not TCP. UDP is connectionless so there is no connection to mark.
by Van9018
Fri Jun 08, 2018 8:32 pm
Forum: General
Topic: DNS service on specific Public IP address
Replies: 12
Views: 1920

Re: DNS service on specific Public IP address

out-interface=wan, protocol=udp, DST-port=53 , then action=src-nat, to-address=Desired-IP router Address I think it has to be src-port=53, no? A client will send a dns query with a random src-port and dst-port of 53. When the server replies, it's src-port will be 53 and dst-port will be the src-por...
by Van9018
Thu Jun 07, 2018 1:48 am
Forum: General
Topic: DNS service on specific Public IP address
Replies: 12
Views: 1920

Re: DNS service on specific Public IP address

Try putting src-nat rule at the top.

When out-interface=wan, protocol=udp, src-port=53, then action=src-nat, to-address=Desired-IP
by Van9018
Thu Jun 07, 2018 1:32 am
Forum: General
Topic: Mikrotik Open VPN Server + Windows Client
Replies: 6
Views: 7188

Re: Mikrotik Open VPN Server + Windows Client

Are you using tap(bridge) or Tunnel/IP mode for OVPN?

Use TAP/Bridge for client. I think that creates a layer 2 tunnel so you don't have to worry about routes.
by Van9018
Wed Jun 06, 2018 10:59 pm
Forum: General
Topic: Which mikrotik router for OpenVPN
Replies: 8
Views: 5523

Re: Which mikrotik router for OpenVPN

Since 2010, Mikrotik is no longer developing their OpenVPN implementation. Expect the limitations to be permanent. Use IPSec, or GRE/IPSec if you want an interface to work with (I think Cisco supports GRE/IPSec?)
by Van9018
Wed Jun 06, 2018 10:42 pm
Forum: General
Topic: Mikrotik Open VPN Server + Windows Client
Replies: 6
Views: 7188

Re: Mikrotik Open VPN Server + Windows Client

Yes - you have to create static routes. You'd start off with a basic client-to-gateway setup as described here: http://wiki.mikrotik.com/wiki/OpenVPN Once you get that part working, then you move onto the site-to-site config by adding static routes. Your two Lans will have to be separate subnets. On...
by Van9018
Wed Jun 06, 2018 5:10 am
Forum: Beginner Basics
Topic: Probs connecting to RB2011UiAS-IN
Replies: 2
Views: 603

Re: Probs connecting to RB2011UiAS-IN

Your laptop's weird address starts with 169.254? That's a random IP that Windows will assign itself. In winbox, are you on the Neighbours tab? It should list detectable Mikrotiks on the network. Even if there is incompatible IPs, you should still be able to connect to it via MAC address. Try ether3,...
by Van9018
Wed Jun 06, 2018 4:53 am
Forum: Beginner Basics
Topic: Select public IP compared to the LAN
Replies: 5
Views: 846

Re: Select public IP compared to the LAN

As for dynamic IPs assigned by your DHCP, The config is similar but you have to use scripts to update your src-nat and default routes. First, in the DHCP protocol your DHCP Client defines a client-id. You can set this and have multiple DHCP IPs assigned to one mac. However many DHCP Servers ignore t...
by Van9018
Wed Jun 06, 2018 4:40 am
Forum: Beginner Basics
Topic: Select public IP compared to the LAN
Replies: 5
Views: 846

Re: Select public IP compared to the LAN

You'd still need to add the default route manually, as you'd do if you were only dealing with 1 static IP. In my example I should've used a bigger subnet such as /29 which would yield 6 usable addresses. So for 200.218.100.0/29 .0 = the network, can't use that IP .1 to .6 = IPs that can be used. You...
by Van9018
Wed Jun 06, 2018 3:59 am
Forum: Beginner Basics
Topic: hosted website points to mikrotik webfig
Replies: 2
Views: 760

Re: hosted website points to mikrotik webfig

I imagine your setup works when you connect from outside your home? (if you've done the port forwarding already) You will need a hairpin NAT for internal clients to connect to the internal website. https://wiki.mikrotik.com/wiki/Hairpin_NAT An alternative solution is to override DNS. If your PCs beh...
by Van9018
Wed Jun 06, 2018 2:21 am
Forum: Forwarding Protocols
Topic: sip phone being stopped at wan address
Replies: 7
Views: 1606

Re: sip phone being stopped at wan address

If you have: Phones <--> Mikrotik <---> Internet <---> Mikrotik <---> PBX then set up the nat rule as mentioned for the PBX mikrotik. Leave SIP Helpers ON for both Mikrotiks. Or tunnel so NAT and PAT are not in the mix. If you don't have control of the router in front of the phones, then there are t...
by Van9018
Wed Jun 06, 2018 1:44 am
Forum: Beginner Basics
Topic: Select public IP compared to the LAN
Replies: 5
Views: 846

Re: Select public IP compared to the LAN

I'll assume it's a block of static addresses. You assign ether1 the block of public static addresses. ie: 200.218.100.0/30 In IP > Firewall > Nat, add a src-nat rule. When packets come from interface of 2nd LAN, then action=src-nat, to-address = 2nd public IP. Move this rule above the masquerade rul...
by Van9018
Wed Jun 06, 2018 1:23 am
Forum: General
Topic: Mikrotik Open VPN Server + Windows Client
Replies: 6
Views: 7188

Re: Mikrotik Open VPN Server + Windows Client

If bridge mode (tap) then:
If you have a bridge1, edit the interface and set arp mode to proxy.
If you don't have bridge 1, edit ether2 and set arp mode to proxy.

Can you at least ping the Mikrotik address?
by Van9018
Wed Jun 06, 2018 1:14 am
Forum: General
Topic: Troubleshooting performance issues
Replies: 8
Views: 1337

Re: Troubleshooting performance issues

I tested the site I'm at. My networking process went to 40% on my RB750 but I got the full 100mbit. And I have a bunch of rules and a queue too with ipsec (speed test didn't go through ipsec). So now I think your cpu usage is normal since mine is the same and I get the expected numbers. You may have...
by Van9018
Wed Jun 06, 2018 1:01 am
Forum: Beginner Basics
Topic: How to choose the right load balacing mode ?
Replies: 7
Views: 1219

Re: How to choose the right load balacing mode ?

It sounds like what you really want is Bonding. Ask your ISP if they support it, they may not. With Bonding, your ISP gives you two physical connections and 1 public IP. To reduce technical support, an ISP would likely give you a modem/device that does the bonding so you technically would have only ...
by Van9018
Tue Jun 05, 2018 1:00 pm
Forum: General
Topic: Troubleshooting performance issues
Replies: 8
Views: 1337

Re: Troubleshooting performance issues

What process is taking up 30% of CPU? Seems high.

Check the interface stats for CRC errors and dropped packets. Tools > Packet Sniffer, look for tcp retransmissions.
by Van9018
Tue Jun 05, 2018 12:37 pm
Forum: Beginner Basics
Topic: How to choose the right load balacing mode ?
Replies: 7
Views: 1219

Re: How to choose the right load balacing mode ?

PCC load balancing is common: https://wiki.mikrotik.com/wiki/Manual:PCC With PCC, if a client behind your router opens multiple connections to the same host, all connections will go out the same WAN. Where as N-th load balancing the multiple connections could be across both WANs. When using a websit...
by Van9018
Tue Jun 05, 2018 12:00 pm
Forum: Beginner Basics
Topic: IPSec tunnel connectivity
Replies: 7
Views: 1142

Re: IPSec tunnel connectivity

What about the route table? No routes required. The policy handles this. Packets get routed out the wan with the 0.0.0.0/0 rule, then the policy kicks in and sees the packet matching the ipsec policy. It encrypts the packet and drops it back into the routing logic, where it goes out the wan again b...
by Van9018
Tue Jun 05, 2018 11:31 am
Forum: Beginner Basics
Topic: L2TP & IPSEC with Windows 10
Replies: 12
Views: 5602

Re: L2TP & IPSEC with Windows 10

It's because your L2TP/IPSec server is behind a NAT. DMZ doesn't fix it. Registry key should. Life might be better if you change modem mode back to bridge mode. For Windows Vista, 7, 8, 10, and 2008 Server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent RegValue: AssumeUDPEncapsula...
by Van9018
Tue Jun 05, 2018 11:07 am
Forum: Beginner Basics
Topic: L2TP IPSec VPN questions
Replies: 1
Views: 834

Re: L2TP IPSec VPN questions

No. Sorry! I wish for this too.

In this thread: viewtopic.php?t=39999
Mikrotik support says this feature is not supported.
by Van9018
Tue Jun 05, 2018 10:59 am
Forum: Beginner Basics
Topic: L2TP/IPSEC server configuration questions
Replies: 6
Views: 1321

Re: L2TP/IPSEC server configuration questions

1. Port 4500 is used to detect NAT traversal. If the client has a public IP and not behind a NAT device, then IPSec will happen over the ipsec-esp protocol. This may be a rare occurrence and maybe you'll never see the counts increase. 2. I also never have problems with leaving FastTrack alone. Maybe...
by Van9018
Tue Jun 05, 2018 10:52 am
Forum: General
Topic: Open DNS and Mikrotik
Replies: 1
Views: 2305

Re: Open DNS and Mikrotik

To make all internal computers use OpenDNS you would have to: - Go to IP > DHCP Client, uncheck the checkbox to use peer dns so that Mikrotik doesn't use the DNS servers provided by your ISP - Go to IP > DNS, allow remote requests. By default the firewall should block input requests from the WAN, wh...
by Van9018
Tue Jun 05, 2018 10:15 am
Forum: The User Manager
Topic: DHCP server problem
Replies: 12
Views: 12279

Re: DHCP server problem

I would start with Tools > Packet sniffer. Set it to save to a file and only capture UDP packets. Click Apply, then Start and renew the IP on a client. Wait 10 seconds and stop the packet capture. Copy the file to your computer and open it with Wireshark. In the list of packets, you should see a Dis...
by Van9018
Tue Jun 05, 2018 10:01 am
Forum: General
Topic: slow connection over pptp!
Replies: 1
Views: 1139

Re: slow connection over pptp!

Possibly because the encryption process is maxing out the CPU. Go to Tools > Profiler and do the test again. Is the CPU being maxed? If it gets maxed, packets will be dropped. Thus slower and less reliable. As far as I know, only IPSec makes use of the AES hardware acceleration. Other protocols such...
by Van9018
Tue Jun 05, 2018 9:45 am
Forum: Wireless Networking
Topic: dhcp-server lease disable and enable numbers. [SOLVED]
Replies: 2
Views: 2418

Re: dhcp-server lease disable and enable numbers. [SOLVED]

How do you determine if a MAC is wanted? Manually? Something to try is changing arp mode of your ether2 to read-only. This means 2 things: - You must manually add a mac to the arp list for any static IP on your network. - Other clients must use DHCP to get an IP. There is a checkbox in the DHCP Serv...
by Van9018
Tue Jun 05, 2018 9:32 am
Forum: General
Topic: Weird ip problem on torch
Replies: 1
Views: 528

Re: Weird ip problem on torch

What interface are your Torch'ing on? And which way are the bogus packets going?
by Van9018
Fri Feb 23, 2018 2:29 am
Forum: General
Topic: Going to be traveling, need advice on remote/vpn connection [SOLVED]
Replies: 10
Views: 2101

Re: Going to be traveling, need advice on remote/vpn connection [SOLVED]

IPSec may not work everywhere. Hotspots may block it. Hotels will likely allow it. Our international airport blocks all obvious VPNs like IPSec, PPTP https://www.softether.org/ is an "Open-Source Free ​Cross-platform Multi-protocol VPN Program". It can be daunting to learn, but with that o...
by Van9018
Fri Feb 23, 2018 2:08 am
Forum: General
Topic: No IP is being assigned to my RB951G-2HnD
Replies: 1
Views: 420

Re: No IP is being assigned to my RB951G-2HnD

Can you provide a little detail on how you're using the device? DHCP Client is on the LAN/WAN or bridge interface? Mikrtok's work great in a professional environment. In my opinion, Mikrotik's are better than Cisco due to feature set, flexibility, consistent gui over models and troubleshooting tools...
by Van9018
Tue Aug 15, 2017 11:08 pm
Forum: General
Topic: Are packet marks supposed to stay on in the IPsec layer?
Replies: 4
Views: 1195

Re: Are packet marks supposed to stay on in the IPsec layer?

You should still be able to firewall outbound packets, but before their encrypted. Packets destined to the remote network that don't have the packet mark and going out the wan interface could be dropped. As for prioritizing, I don't see how it would work. You could prioritize within the IPSec tunnel...
by Van9018
Sat Aug 12, 2017 11:16 pm
Forum: General
Topic: Question about poe
Replies: 5
Views: 1623

Re: Question about poe

If your only looking to power a single cisco phone, search your local vendors for a 802.3af POE DC Injector. Since your cisco phone is 802.3af then your POE DC Injector must be 802.3af. If specs don't mention if their PoE is 802.3af, then assume it's not and do research. An example of a single DC in...
by Van9018
Sat Aug 12, 2017 3:45 am
Forum: Beginner Basics
Topic: Mikrotik Blocking Inbound VoIP Calls
Replies: 4
Views: 2426

Re: Mikrotik Blocking Inbound VoIP Calls

Are you using load balancing? Are you registering to a company PBX behind a firewall or to a paid service? One way audio problems are often from NAT or PAT. In the SIP protocol, your phone will tell the PBX which port it's listening for inbound audio, and what ports it will be sending audio out, as ...
by Van9018
Sat Aug 12, 2017 3:12 am
Forum: Beginner Basics
Topic: DHCP not send for win7 clients
Replies: 2
Views: 566

Re: DHCP not send for win7 clients

Reboot the router. If problem persists, use Tools > Packet Sniffer to see if Win 7 client DHCP requests are making it to router, and if the router is replying.

Also check windows event log for things like IP conflict.
by Van9018
Sat Aug 12, 2017 3:09 am
Forum: SwOS
Topic: HEX PoE not for SwOS?
Replies: 2
Views: 2258

Re: HEX PoE not for SwOS?

Are you trying to make the Hex POE act like a 5 port switch? That can be done through configurations.
by Van9018
Sat Aug 12, 2017 3:05 am
Forum: General
Topic: Honeypot with Mikrotik
Replies: 2
Views: 2487

Re: Honeypot with Mikrotik

A honeypot is just adding remote IPs to an address-list and denying every IP on that list from connecting to your port forwards. The remote IPs must meet some firewall criteria, such as attempting to create too many connections in a short period of time. Some sample firewall rules are: https://wiki....
by Van9018
Sat Aug 12, 2017 2:50 am
Forum: Beginner Basics
Topic: NAT issue : port 80 works, 443 does not
Replies: 7
Views: 7118

Re: NAT issue : port 80 works, 443 does not

Nope, you need to allow them somehow. The best way (in most cases) is the magic rule
Bloody hell, I just checked my rules on several routers. Default config for forward chain was allow established, allow related, drop invalid. Which is why I've never had to add a rule for NAT'd connections.
by Van9018
Sat Aug 12, 2017 1:57 am
Forum: General
Topic: Question about poe
Replies: 5
Views: 1623

Re: Question about poe

Both RB2011 and RB951 will output 12 watts when the input power is 24 volts, such as when using the included power supply.

Both these devices output 24v passive. It won't power any device that is expecting 48 volts 802.3af/at.
by Van9018
Sat Aug 12, 2017 1:32 am
Forum: Beginner Basics
Topic: NAT issue : port 80 works, 443 does not
Replies: 7
Views: 7118

Re: NAT issue : port 80 works, 443 does not

This setup looks correct. You don't need the filter rules to allow ports 80 and 443 as it's implied when you have NAT rules setup. Go to Tools > Torch. Torch will show you what packets are coming and going from what interfaces. In a working scenario, you should see packets destined to port 443 comin...
by Van9018
Sat Aug 12, 2017 1:22 am
Forum: General
Topic: Are packet marks supposed to stay on in the IPsec layer?
Replies: 4
Views: 1195

Re: Are packet marks supposed to stay on in the IPsec layer?

I don't know if marks are supposed to stay when encrypted. I can see why not since the ESP packet may be a brand new packet. In this article: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle scroll down to the property ipsec-policy: in | out, ipsec | none This looks interesting, but I don't ...
by Van9018
Sat Aug 12, 2017 12:41 am
Forum: General
Topic: a virus scanner on the router board
Replies: 14
Views: 8187

Re: a virus scanner on the router board

Do you have a Mikrotik firewall script that protects the user from this mallware? There is no router firewall rule that'll protect users from malware. Routers with AV built in often only do a signature based detection which has a low detection rate. Computer malware protection should be down on the...
by Van9018
Fri Aug 11, 2017 9:59 pm
Forum: Beginner Basics
Topic: use two ISP simulatenously
Replies: 10
Views: 9612

Re: use two ISP simulatenously

With PCC, if a client behind your router opens multiple connections to the same host, all connections will go out the same WAN. Where as N-th load balancing the multiple connections could be across both LANs. When using a website, a browser cookie is used to remember the session and thus you can use...
by Van9018
Tue Aug 08, 2017 2:08 am
Forum: Beginner Basics
Topic: use two ISP simulatenously
Replies: 10
Views: 9612

Re: use two ISP simulatenously

PCC load balancing is common: https://wiki.mikrotik.com/wiki/Manual:PCC
by Van9018
Thu Aug 03, 2017 1:05 am
Forum: General
Topic: High CPU on "networking" process
Replies: 6
Views: 4198

Re: High CPU on "networking" process

Tools > Torch may display useful information. A loop in the network can also cause high CPU as it floods the network.
by Van9018
Thu Aug 03, 2017 1:00 am
Forum: Beginner Basics
Topic: Multiple srcnat/static IPs per internal ip
Replies: 3
Views: 642

Re: Multiple srcnat/static IPs per internal ip

In Mikrotik you can mark a connection. Then you can apply a routing-mark to packets who belong to that connection. Then you can route based on routing-marks. These get set up under the mangle rules. Create a rule, when a SYN (new-connection) packet comes in the WAN, action=mark-connection and set co...
by Van9018
Wed Aug 02, 2017 6:49 pm
Forum: Beginner Basics
Topic: What can a mikrotik
Replies: 13
Views: 2188

Re: What can a mikrotik

Wouldn't the bulk of the traffic be going through just your switch, and not the router? So the Hex will be fine as your router, but doesn't help your LAN. If you have slowness when accessing SQL Server, I'd start looking at that server first..
by Van9018
Wed Aug 02, 2017 12:01 am
Forum: General
Topic: Setup Mikrotik as VPN Service to hide Public IP
Replies: 3
Views: 1745

Re: Setup Mikrotik as VPN Service to hide Public IP

It would work. Many VPNs with encryption may use a lot of CPU. Mikrotik supports AES hardware support BUT only for IPSec. SSTP, OpenVPN, etc will not use AES acceleration and will use the CPU. You may want to consider installing RouterOS on a computer/server for better performance and memory. Router...
by Van9018
Tue Aug 01, 2017 11:43 pm
Forum: Beginner Basics
Topic: What can a mikrotik
Replies: 13
Views: 2188

Re: What can a mikrotik

- Complete firewall, better than consumer devices - VPNs, site-to-site if you will connect another lab later - VPN for roadwarriors, support for SSTP and others. - Troubleshooting Tools, go to Tools menu in winbox. These are a huge help when there are anomalies in your network. - Snappy interface (I...
by Van9018
Tue Aug 01, 2017 11:32 pm
Forum: General
Topic: WAN interface usage is higher than LAN interface usage
Replies: 10
Views: 4756

Re: WAN interface usage is higher than LAN interface usage

An inbound queue can cause this. In the case of a single TCP connection, the sender will send packets as fast as it can until it detects packet loss. Then it'll slow it's transmission until the point where packets are not being lost. In the case of many short lived TCP connections, such as many inte...
by Van9018
Tue Aug 01, 2017 6:28 pm
Forum: General
Topic: DHCP and STATIC IP on the same interface
Replies: 5
Views: 2666

Re: DHCP and STATIC IP on the same interface

Ohhh.. Your dynamic IP and Static IP both have the same subnet. You'll have to use a script like ZeroByte says.

See the following link. A script can be called when a lease is added/changed/removed. You need atleast v6.39rc33
https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client
by Van9018
Tue Aug 01, 2017 12:28 pm
Forum: General
Topic: DHCP and STATIC IP on the same interface
Replies: 5
Views: 2666

Re: DHCP and STATIC IP on the same interface

Do both your 0.0.0.0/0 routes have the same distance? Set the static route distance to 2, in IP > DHCP Client, set distance to 1.
by Van9018
Tue Aug 01, 2017 2:08 am
Forum: SwOS
Topic: RB260GSP support VOIP
Replies: 3
Views: 2904

Re: RB260GSP support VOIP

The RB260GSP's PoE is 24v, it won't power Cisco phones. They don't support LLDP-MED. They support VoIP (as all switches would?) If DHCP Option 66 is used on data vlan and network is configured so data network devices can access provisioning, then out-of-the-box phones can auto-provision themselves w...
by Van9018
Sun Jul 30, 2017 9:31 pm
Forum: General
Topic: Block IP Ranges in SwitchOS
Replies: 4
Views: 990

Re: Block IP Ranges in SwitchOS

1. Go through all interfaces and set master-port=none 2. Go to Bridge, add bridge1 3. Click the Settings button. Select "Use IP-Firewall" 4. Go to Bridge > Ports, add all interfaces to bridge1 Now you should be able to use the IP > Firewall to filter IP ranges. By putting interfaces into a...
by Van9018
Wed Jul 26, 2017 4:31 am
Forum: General
Topic: Plz Help me
Replies: 4
Views: 1226

Re: Plz Help me

When packets go out ether2, they need to take on ether2's pubic IP. 1. IP > Firewall > NAT, add masquerade rule for packets going out ether2. Same for ether1 (it probably exists already) At this point packets will still go out Ether1. So setup Mangle rules and routing. The mangle rule will mark pack...
by Van9018
Tue Jul 25, 2017 8:13 pm
Forum: General
Topic: Hot to get Multiple Public IP's on 1 interface?
Replies: 8
Views: 3765

Re: Hot to get Multiple Public IP's on 1 interface?

You can try creating multiple DHCP clients with different Client IDs. But the ISP DHCP server may just use MAC anyway and ignore client-id.
by Van9018
Tue Jul 25, 2017 2:08 am
Forum: General
Topic: [Solved] Several internet connections on a mikrotik
Replies: 9
Views: 1712

Re: [Solved] Several internet connections on a mikrotik

Each wan needs masquerade rule. Each wan needs a mangle rule: chain=forward, src-nat=192.168.?.0/24, action=mark-routing, new-routing-mark=WAN1 (or WAN2, etc) Each wan needs a routing rule with routing-mark configured. Solved. I bought another router. Not Mikrotik........ Which router did you go wit...
by Van9018
Tue Jul 25, 2017 1:47 am
Forum: General
Topic: Block Of IP Addresses
Replies: 6
Views: 1533

Re: Block Of IP Addresses

Follow this guide for one-to-one NAT:
https://wiki.mikrotik.com/wiki/How_to_l ... Local_ones
by Van9018
Mon Jul 24, 2017 1:41 am
Forum: Beginner Basics
Topic: New to MT - How to add rule allowing port through via wireless
Replies: 3
Views: 604

Re: New to MT - How to add rule allowing port through via wireless

Sounds like you're using the Mikrotik as just a switch with AP? Ports 2-5 and wifi are already bridged (so it's like a switch already). You wouldn't use ether1 in this case. If you already have a DHCP server on the network, and you forgot to turn off the DHCP server in the Mikrotik, then maybe somet...
by Van9018
Mon Jul 24, 2017 1:31 am
Forum: General
Topic: Minor issue with dual wan failover
Replies: 5
Views: 1841

Re: Minor issue with dual wan failover

When WAN1 goes down, I think the connections associated with WAN1 are reset/dropped, and thus all clients will have to re-establish their connections. When WAN1 comes back online, connections established out WAN2 DON'T get reset because WAN2 is still online. However the routing does in fact send pac...
by Van9018
Mon Jul 24, 2017 12:15 am
Forum: General
Topic: How to combine 3 WAN speed
Replies: 10
Views: 13426

Re: How to combine 3 WAN speed

Load Balancing: https://wiki.mikrotik.com/wiki/Manual:PCC But you can't split a connection like a single download across wans when using load balancing. If three WANs are from same ISP, call the ISP and ask if they support bonding. If you wish to have 16 mbps from one site to another site, and you h...
by Van9018
Wed Jul 19, 2017 12:08 am
Forum: General
Topic: Speed less than 20 Mbps
Replies: 5
Views: 2576

Re: Speed less than 20 Mbps

What are your wireless settings? I tested another cap lite this morning and at best it gave me 17 mbps. I've tried this and that, compared brands, I can't get the cap lites to break 25mbps. I'd love to figure this out!!
by Van9018
Tue Jul 18, 2017 11:49 pm
Forum: General
Topic: can I redirect https to my router?
Replies: 24
Views: 5145

Re: can I redirect https to my router?

I would never, ever accept a third-party root CA from anyone telling me that I had to install it on my computer in order to use their network Neither would I, and as the I.T. of a company I wouldn't ask guests or contractors to do so. But they would be expected to use the guest wifi where there wou...
by Van9018
Tue Jul 18, 2017 9:54 am
Forum: Beginner Basics
Topic: hex rb750 to hap ac lite
Replies: 2
Views: 668

Re: hex rb750 to hap ac lite

Plug Ether2 of the hap into the hex. Turn off DHCP Server on the hap Delete the default 192.168.88.1 IP (under IP > Addresses) add a DHCP Client for interface: bridge-local Now you have 1 LAN. If you plug ether1 of the hap into the hex, you end up with a sub-LAN and certain functions like printer di...
by Van9018
Tue Jul 18, 2017 9:49 am
Forum: General
Topic: Firewall Rule didn't properly work
Replies: 2
Views: 739

Re: Firewall Rule didn't properly work

What ports are you applying this filter on? Facebook and Youtube will both use HTTPS so you can't scan that traffic. At best you can drop DNS queries that contain certain texts. For packets going out the wan where the destination port is 53 and L7 filter applies, then drop the packet. Some clients m...
by Van9018
Tue Jul 18, 2017 9:39 am
Forum: Beginner Basics
Topic: How to add another WAN link
Replies: 2
Views: 617

Re: How to add another WAN link

Maybe these are a good place to start:

Failover WAN
https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

A load balancing WAN:
https://wiki.mikrotik.com/wiki/Manual:PCC
by Van9018
Tue Jul 18, 2017 9:26 am
Forum: General
Topic: Does DHCP server check for address availability?
Replies: 7
Views: 1587

Re: Does DHCP server check for address availability?

Yes it does check! And it'll skip that IP. I tested this last month after I discovered that Microsoft DHCP Server doesn't check. If you suspect clients are giving themselves static IPs, you can look into setting the arp-mode to read-only on your interface. This means the Mikrotik will respond to all...
by Van9018
Tue Jul 18, 2017 2:36 am
Forum: General
Topic: can I redirect https to my router?
Replies: 24
Views: 5145

Re: can I redirect https to my router?

Mikrotik won't be the right choice for web content filtering. Other devices (Sonicwall? Fortigate?) have features where you can upload your own CA certificate, and install that CA cert on the internal computers. Now the router can generate certs on the fly and those certs will be trusted by the inte...
by Van9018
Mon Jul 17, 2017 4:10 am
Forum: Beginner Basics
Topic: My first mikrotik device
Replies: 5
Views: 1218

Re: My first mikrotik device

ISPs in my region allow for 1 device to be connected. A second won't obtain an IP, and a new mac won't obtain a new IP until the old lease expires. Try cloning the mac of your Asus to your ether1. In winbox, go to Terminal and paste the following: /interface ethernet set ether1 mac-address=xxx (wher...
by Van9018
Mon Jul 17, 2017 4:03 am
Forum: General
Topic: Anyone else having this VPN issue?
Replies: 17
Views: 2804

Re: Anyone else having this VPN issue?

In IP > IPSec, SA tab, try flushing the SA's? I had an endpoint that was a Cisco. Sometimes Cisco was send a delete message and the Mikrotik would remove the active peer but leave the security associations in place. Then no traffic would happen. Try turning on logging for IPSec to see if the remote ...
by Van9018
Sun Jul 16, 2017 12:58 pm
Forum: General
Topic: Mikrotik x Cisco ASA - VPN IPSEC
Replies: 1
Views: 819

Re: Mikrotik x Cisco ASA - VPN IPSEC

Try turning on logging for ipsec, see if it tells you why it's mismatching.
by Van9018
Sun Jul 16, 2017 12:52 pm
Forum: Wireless Networking
Topic: public or campsite or marina wifi APs or hide many devices behind one MAC
Replies: 5
Views: 972

Re: public or campsite or marina wifi APs or hide many devices behind one MAC

What you say is correct! MACs need only be unique on the Layer 2 network. However as the Mikrotik can support many Layer 2 networks, it's probably computationally easier and faster to have a single ARP table across all Layer 2 networks. Because of the single arp table, you wouldn't be able to have a...
by Van9018
Sun Jul 16, 2017 1:40 am
Forum: General
Topic: NAT rules for local network
Replies: 5
Views: 1865

Re: NAT rules for local network

I don't understand what you mean by this? Using the DNS means that you always have to use the switch part so that they can see each other. When using Hairpin, all traffic for the FTP connection will go through the Mikrotik. In a scenario where the user's network looks like this: Modem ---> Mikrotik ...
by Van9018
Sat Jul 15, 2017 11:11 pm
Forum: General
Topic: NAT rules for local network
Replies: 5
Views: 1865

Re: NAT rules for local network

Or use DNS overrides. In IP > DNS, add a static dns entry to point your ftp url to the private IP of your ftp server.
by Van9018
Fri Jul 14, 2017 12:17 am
Forum: Scripting
Topic: Download IP List
Replies: 2
Views: 1228

Re: Download IP List

by Van9018
Thu Jul 13, 2017 10:35 pm
Forum: General
Topic: Speed less than 20 Mbps
Replies: 5
Views: 2576

Re: Speed less than 20 Mbps

I've spent many hours trying to get better wifi speeds out of various Mikrotik products. I've never gotten anything better than 20mbps for 2.4 Ghz. My solution was to go with another brand for wifi, but I still use Mikrotik for Routing, VPNs, etc. Others have posted this same problem. I've followed ...
by Van9018
Thu Jul 13, 2017 10:19 pm
Forum: Beginner Basics
Topic: Allow team viewer only for specific IP
Replies: 6
Views: 8555

Re: Allow team viewer only for specific IP

I think I've got it.... In Team Viewer options, set "Incoming LAN Connections" to "Accept Exclusively". Your ID field now shows your IP instead of an ID. Team Viewer is not supposed to connect to Team Viewer servers now. If you don't trust it, use the L7 to kill *.teamviewer.com ...
by Van9018
Thu Jul 13, 2017 3:21 am
Forum: Beginner Basics
Topic: Firewall rules allowing specific ports outbound
Replies: 1
Views: 4218

Re: Firewall rules allowing specific ports outbound

It says "Outbound" firewall. By default Mikrotik doesn't have an outbound firewall. It's not common for a company network to have outbound firewall rules applied. Maybe banks and institutions with full time I.T. departments. You can read the rules under IP > Firewall, click the Filters tab...
by Van9018
Thu Jul 13, 2017 2:55 am
Forum: Beginner Basics
Topic: VPN is fast, but Internet traffic is slow
Replies: 8
Views: 3513

Re: VPN is fast, but Internet traffic is slow

When traffic is slow, does Tools > Profile show any processes with high CPU?
by Van9018
Thu Jul 13, 2017 2:53 am
Forum: General
Topic: cap Lite locking up? Dead?
Replies: 1
Views: 650

Re: cap Lite locking up? Dead?

There should be a reset button on it that'll reset it to factory default configurations. Then try connection eth2 to your laptop. Does it still lock up at some point? If not, you can do a firmware update. If it still locks up, then maybe a Net install to do a firmware update. After that... I'd deem ...
by Van9018
Thu Jul 13, 2017 2:49 am
Forum: Beginner Basics
Topic: Allow team viewer only for specific IP
Replies: 6
Views: 8555

Re: Allow team viewer only for specific IP

Team Viewer's knowledge base says team viewer has over 200 servers and are expanding. They won't publish a list of IPs so you'll have to update your list via 3rd party sources on a regular basis. TV will prefer port 5938, but fall back on tcp 443 and then tcp 80, so you can't block by port only. You...
by Van9018
Wed Jul 12, 2017 10:05 pm
Forum: Beginner Basics
Topic: DHCP server offering lease without success
Replies: 30
Views: 43964

Re: DHCP server offering lease without success

A duplicate client MAC could cause this. While it's failing, check the arp table on the Mikrotik. It's under Switch > Host, or Switch > FDB. It should show your PC's mac address as being down one of the interfaces. Tools > Packet Sniffer on the Mikrotik will also show if the Mikrotik is in fact actu...
by Van9018
Wed Jul 12, 2017 9:53 pm
Forum: Beginner Basics
Topic: Mikrotik - How to config same gateway wan and local?
Replies: 8
Views: 1444

Re: Mikrotik - How to config same gateway wan and local?

Your default route 0.0.0.0 says to use 192.168.2.1 as gateway. I think the "reachable via ether1" means nothing, it's just friendly info for the tech to see. So it'll route to 192.168.2.1, that IP belongs to Local2. Now I think Local2 will put it back in the routing, where it'll get routed...
by Van9018
Wed Jul 12, 2017 9:32 pm
Forum: Beginner Basics
Topic: IP leak from LAN to wan ?
Replies: 10
Views: 2758

Re: IP leak from LAN to wan ?

even creating a separate bridge group with only the wan port in.
Wan port should not be in a bridge, nor a slave to any other port. Goto IP > Firewall, NAT There should be 1 masquerade rule tied to the wan port (usually ether1).
by Van9018
Wed Jul 12, 2017 9:24 pm
Forum: General
Topic: RB1100Ahx2 Offering lease problem, and whiteout success
Replies: 2
Views: 961

Re: RB1100Ahx2 Offering lease problem, and whiteout success

- If you have a bridge, DHCP should be tied to the bridge instead of interface Use Tools > Packet Sniffer on the Mikrotik, and Wireshark on the PC. Do an IP renewal. With this you'll see if DHCP packets are being lost, and you'll see if the client is rejecting the offer. Or maybe you'll find a secon...
by Van9018
Wed Jul 12, 2017 9:18 pm
Forum: Beginner Basics
Topic: Mikrotik - How to config same gateway wan and local?
Replies: 8
Views: 1444

Re: Mikrotik - How to config same gateway wan and local?

You can't have the same IP scheme for 2 interfaces. Change Local2 to 192.168.3.0/24 ( or change the WAN IP scheme )
by Van9018
Tue Jul 11, 2017 8:26 pm
Forum: General
Topic: Site to Site IPSec VPN stops passing traffic
Replies: 3
Views: 1366

Re: Site to Site IPSec VPN stops passing traffic

It may be something about time outs, or 1 end kills the connection after some idle time. When the connection is dead (but still shows connected on both sides), use packet sniffer to capture IPSec packets. Also turn on logging for IPSec, maybe something useful will show in the logs. I did this with C...
by Van9018
Tue Jul 11, 2017 10:24 am
Forum: General
Topic: IPsec enchansments
Replies: 2
Views: 1241

Re: IPsec enchansments

IPSec doesn't use ports like UDP and TCP do. So a connection is only defined by src-ip and dst-ip. The security associations are applied to a connection, which are used to decrypt the payload. This means there is no option for Mikrotik to create a connection identifier. However, if the IPSec connect...
by Van9018
Tue Jul 11, 2017 2:18 am
Forum: General
Topic: PCI Compliane CVE2003-0213 TopPop
Replies: 1
Views: 461

Re: PCI Compliane CVE2003-0213 TopPop

While that particular vulnerability was fixed, PPTP VPNs overall are considered less secure than alternatives. I don't foresee PCI Compliance wanting to make exceptions. Even PopTop's website recommends alternatives: http://poptop.sourceforge.net/dox/protocol-security.phtml IPSec, OpenVPN and SSTP a...
by Van9018
Tue Jul 11, 2017 1:48 am
Forum: General
Topic: install mikrotik as bridge
Replies: 4
Views: 894

Re: install mikrotik as bridge

Yes - in my scenario you'd be moving the Mikrotik from in front of the fortigate to behind the fortigate. If you want to have it in front of the fortigate (Fortigate --> Mikrotik --> Modem) Then look for an option in the fortigate called operation mode. Change it from Gateway/NAT to Router/Transpare...
by Van9018
Tue Jul 11, 2017 1:30 am
Forum: General
Topic: What is Google DNS doing here?
Replies: 9
Views: 1551

Re: What is Google DNS doing here?

Yes - Wireshark can read it.
by Van9018
Mon Jul 10, 2017 9:30 pm
Forum: Beginner Basics
Topic: Site-to-site VPN through NAT and firewall on one side
Replies: 1
Views: 786

Re: Site-to-site VPN through NAT and firewall on one side

I'd use IPSec as underlying tunnel, with NAT-T mode enabled. NAT-T uses UDP port 4500 to encapsulate the IPSec packets making them NAT friendly. The primary side can be the initiator, so you only need to set up port forwarding on the remote site. You can configure the policies so the IPSec tunnel is...
by Van9018
Mon Jul 10, 2017 9:19 pm
Forum: General
Topic: install mikrotik as bridge
Replies: 4
Views: 894

Re: install mikrotik as bridge

Put the Mikrotik bridge on the other side of the Fortigate. Fortigate --> Mikrotik (Port 2), then Mikrotik (Port 3) --> Switch Disable DHCP Server Edit port 3 interface, set master-interface to none Create bridge1 Add port 2 and port 3 to the bridge. Go to Bridge, click the settings button Enable &q...
by Van9018
Mon Jul 10, 2017 9:05 pm
Forum: General
Topic: What is Google DNS doing here?
Replies: 9
Views: 1551

Re: What is Google DNS doing here?

Use Tools > Packet Sniffer to view the content of the DNS queries. Or post the packet capture on this thread.
by Van9018
Mon Jul 10, 2017 8:34 pm
Forum: General
Topic: Half duplex 100 only and link duplex mismatch on hAP Lite and EPON
Replies: 22
Views: 5936

Re: Half duplex 100 only and link duplex mismatch on hAP Lite and EPON

Good to hear it worked!

Setting interfaces to 100 Full can also resolve frequent link up/downs when both endpoints are gigabit running through old Cat 5e cables. This sometimes happens in old buildings with Cat 5 and long cable runs.
by Van9018
Mon Jul 10, 2017 6:02 am
Forum: Beginner Basics
Topic: ISP assigned static IP - changing from DHCP remotely
Replies: 4
Views: 1136

Re: ISP assigned static IP - changing from DHCP remotely

I think it has similar concepts to dual wan. To have both IPs work at the same time, the TCP connections coming in on the static IP needs to be marked. Outbound packets for that connection would need to be marked, and then a route added for packets with that route.
by Van9018
Mon Jul 10, 2017 5:52 am
Forum: General
Topic: Mark packets on one router so another one can use the marks?
Replies: 7
Views: 2175

Re: Mark packets on one router so another one can use the marks?

Maybe if Host 1 can have two IPs? Windows and linux both support this I think. Then you can mark packets that come into Router 1 from IP2 of Host 1, you can forward that packet to Router 2.
by Van9018
Mon Jul 10, 2017 5:39 am
Forum: Scripting
Topic: help with auto shutdown
Replies: 10
Views: 4359

Re: help with auto shutdown

Mikrotik devices are safe to loose power in normal operation mode. 3 times in the last 5 years a Mikrotik had issues after power outage for me. First time the static WAN IP was missing. Route was still there. Adding the WAN IP fixed it. Second time I guided a user through restoring the config from ...
by Van9018
Mon Jul 10, 2017 1:29 am
Forum: Scripting
Topic: Really? No No-Ip working script?
Replies: 8
Views: 3782

Re: Really? No No-Ip working script?

That looks like the script from the Mikrotik scripts page. It didn't for me neither, which is why I fell back on the one liner.
by Van9018
Mon Jul 10, 2017 1:25 am
Forum: General
Topic: random speed limitation
Replies: 3
Views: 677

Re: random speed limitation

I use auto-negotiation unless there is a problem. I've found auto-negotiation always works well with two gigabit end points. But if one or both are 100mbit, then it's possible the the auto-negotiation features are implemented slightly differently, and auto-negotiation may fail. With ROS version arou...
by Van9018
Mon Jul 10, 2017 1:18 am
Forum: General
Topic: DNS over VPN
Replies: 7
Views: 8373

Re: DNS over VPN

+1 for
I use that one a lot. Works well for me.
by Van9018
Sat Jul 08, 2017 12:17 am
Forum: Scripting
Topic: Really? No No-Ip working script?
Replies: 8
Views: 3782

Re: Really? No No-Ip working script?

The most basic script is to just send an update every minute. NoIP hasn't blocked me from sending so many updates. The \3F in the script below translates to a question mark. By excluding my IP from the host, NoIp will use the IP that sent the request. /tool fetch url=("http://dynupdate.no-ip.co...
by Van9018
Fri Jul 07, 2017 6:25 am
Forum: Wireless Networking
Topic: Slow WiFi (Mikrotik WAP)
Replies: 35
Views: 34127

Re: Slow WiFi (Mikrotik WAP)

I stopped using Mikrotik for wifi as I've never gotten anything better than 25mbps (3MB/s) on 2.4Ghz. I switched to another brand for wifi APs and performance is better.
Lots of people have this issue and no solutions found yet.
viewtopic.php?f=7&t=122853
by Van9018
Fri Jul 07, 2017 6:04 am
Forum: General
Topic: random speed limitation
Replies: 3
Views: 677

Re: random speed limitation

In each interface you can view the status tab for bad packets and CRC errors. For the RB951-2n specifically, don't use port 5. In the few I implemented, port 5 always had dropped packets due to CRC errors. Check your wan interface to see if it's 100 FULL duplex, and not half duplex. Finally you can ...
by Van9018
Wed Jul 05, 2017 10:35 pm
Forum: Beginner Basics
Topic: How to isolate physical ports
Replies: 5
Views: 2854

Re: How to isolate physical ports

Yeah - Bridge > Ports is where you go.

For ports 3-5, edit the interface and set master-port to none. I'm not sure if it's required or not.
by Van9018
Wed Jul 05, 2017 4:51 am
Forum: Wireless Networking
Topic: Need advice
Replies: 3
Views: 656

Re: Need advice

Wired as much as possible. Fewer issues.
by Van9018
Wed Jul 05, 2017 3:31 am
Forum: Beginner Basics
Topic: Port Forwarding Partially works
Replies: 5
Views: 1356

Re: Port Forwarding Partially works

I agree to consider DNS overrides as an alternative to hairpin NAT. I find it simpler.
by Van9018
Wed Jul 05, 2017 3:06 am
Forum: General
Topic: Firewall Connections Listed To Unconfigured IPs
Replies: 5
Views: 827

Re: Firewall Connections Listed To Unconfigured IPs

I don't think it matters what IPs are assigned and which are not. If a packet comes down the cable into your router and there are no firewall rules to stop it, then it'll get NAT'ed (if a rule exists) and routed. Even if a bogus packet with a private IP will get NAT'ed if a NAT rule is matched. Conn...
by Van9018
Wed Jul 05, 2017 2:51 am
Forum: General
Topic: Newly installed RB2011 loses its config
Replies: 6
Views: 1203

Re: Newly installed RB2011 loses its config

It's not supposed to. Maybe it's defective? Tried another RB2011?
by Van9018
Wed Jul 05, 2017 2:27 am
Forum: Beginner Basics
Topic: How to isolate physical ports
Replies: 5
Views: 2854

Re: How to isolate physical ports

I found vlans in Mikrotik's to be more complicated than other switches. To wrap my head around it, I think of VLANs on a Mikrotik as just bridges. Think of VLAN interfaces as a device that adds vlan tags on egress and removes tags on ingress. A standard interface (eth1, eth2, etc) are always untagge...
by Van9018
Wed Jul 05, 2017 1:43 am
Forum: Beginner Basics
Topic: How to just open ports
Replies: 23
Views: 119485

Re: How to just open ports

You need to setup hairpin NAT https://wiki.mikrotik.com/wiki/Hairpin_NAT By default, when you are internal, you can't connect to your internal website via your external IP address. This is because when you connect to 31.5.xxx.xxx, the packets are redirected to your webserver without changing (NATing...
by Van9018
Wed Jul 05, 2017 1:26 am
Forum: General
Topic: Certificate renewal
Replies: 4
Views: 3074

Re: Certificate renewal

Don't think you can replace the certificate. But deleting and importing is easy enough? Scriptable too.
by Van9018
Wed Jul 05, 2017 12:30 am
Forum: General
Topic: Half duplex 100 only and link duplex mismatch on hAP Lite and EPON
Replies: 22
Views: 5936

Re: Half duplex 100 only and link duplex mismatch on hAP Lite and EPON

The screen changes when unchecking auto-negotiation. You then select your speed. TX and RX flow control is off. For me this was already set as off.
100full.png
by Van9018
Tue Jul 04, 2017 10:50 pm
Forum: Scripting
Topic: help with auto shutdown
Replies: 10
Views: 4359

Re: help with auto shutdown

if i used the script to auto shutdown the routerboard not shutdown? I think the shutdown command will cause the Mikrotik to unmount resources so it's in a safe state to unplug the power. You could buy an electrical timer. Shutdown at 2:45, timer cuts power at 2:46, then the timer turns power back o...
by Van9018
Tue Jul 04, 2017 10:12 pm
Forum: General
Topic: Half duplex 100 only and link duplex mismatch on hAP Lite and EPON
Replies: 22
Views: 5936

Re: RE: Re: Half duplex 100 only and link duplex mismatch on hAP Lite and EPON

I can't set the ethernet speed on the Huawei, it doesn't have such thing in the menu and I can't even access the menu being set in bridge mode by the ISP. All other devices work just fine, including cheap routers so I really think this is something related strictly to ROS and Mikrotik. I also could...
by Van9018
Sat Jul 01, 2017 12:20 am
Forum: General
Topic: Make an ip act like another
Replies: 2
Views: 625

Re: Make an ip act like another

Phones may require the ability to detect the printer on the network (like air print). In order the search the network, the printer and phone must be on the same broadcast domain (meaning the same LAN). My solution to this problem was to keep the wlan and lan in a bridge with 1 subnet. Then use Bridg...
by Van9018
Sat Jul 01, 2017 12:05 am
Forum: General
Topic: Half duplex 100 only and link duplex mismatch on hAP Lite and EPON
Replies: 22
Views: 5936

Re: Half duplex 100 only and link duplex mismatch on hAP Lite and EPON

The auto-negotiation standard grew to quickly. Vendors may have different interpretations on how 10/100 auto-negotiation should work. These interpretation issues are rare in gigabit links. Without auto-negotiation, link speed can still be determined but duplex cannot. If you set both devices to 100M...
by Van9018
Thu Jun 29, 2017 11:02 pm
Forum: General
Topic: Wixbox.exe error
Replies: 7
Views: 1171

Re: Wixbox.exe error

In the problematic windows profile, go to: C:\Users\<USERNAME>\AppData\Roaming\Mikrotik\Winbox Close Winbox if open. Create a folder called Backup, move all the folders in the backup folder. Delete registry key HKCU\Software\Mikrotik Run winbox again, does it work now? If not, use procmon from syste...
by Van9018
Thu Jun 29, 2017 10:53 pm
Forum: General
Topic: How to block Webcam Internet Access by MAC Address
Replies: 2
Views: 788

Re: How to block Webcam Internet Access by MAC Address

I would think using src mac address would work. But instead of specifying the dst-address as not 192.168.2.0/24 I would use out-interface=ether1 Or put the camera on it's own interface and block that interface from the internet. in-interface=ether-x, out-interface=ether-1 You could also deny the web...
by Van9018
Thu Jun 29, 2017 10:29 pm
Forum: General
Topic: Winbox: can log in from one computer but not another
Replies: 3
Views: 605

Re: Winbox: can log in from one computer but not another

username is case sensitive. I spent an hour learning this.
by Van9018
Thu Jun 29, 2017 10:24 pm
Forum: General
Topic: Deauth
Replies: 1
Views: 897

Re: Deauth

A deauth is when the station (the mikrotik) tries to kick a client off the wifi, probably from too much data loss from a weak signal, or noisy frequency. If the client doesn't receive the deauth, it may try to continue communicating. At this point the Mikrotik may see the device as unknown since the...
by Van9018
Thu Jun 29, 2017 10:14 pm
Forum: General
Topic: Router/switch with poe to connect IPcam or AP
Replies: 1
Views: 504

Re: Router/switch with poe to connect IPcam or AP

Your IPCam and AP is probably 802.3af/at (which is a standard). Many Mikrotik products are PoE but only output at 24v, so not 8.2.3af/at. The Hex Poe router supports 802.3af but comes with a 24 volt power supply, so you have to buy the 48POW power supply separately. The RBGPOE is a power injector. I...
by Van9018
Thu Jun 29, 2017 9:56 pm
Forum: General
Topic: Unable to run two site to site GRE Tunnels on Mikrotik RB-750 Board
Replies: 1
Views: 603

Re: Unable to run two site to site GRE Tunnels on Mikrotik RB-750 Board

Your issue could be a routing problem. What are the routes when both GRE tunnels are connected?
And if you disable tunnel A, does tunnel B work as expected? Only when both tunnels are connected?
by Van9018
Wed Jun 28, 2017 12:18 am
Forum: General
Topic: Connection tracking: tcp established timeout [SOLVED]
Replies: 2
Views: 2456

Re: Connection tracking: tcp established timeout [SOLVED]

Changing the TCP connection timeout could have a negative impact on other things. It's really supposed to be the end points that have a keep-alive mechanism. VoIP clients are supposed to register themselves with the server every x minutes. Often it's 2 minutes. I'd look for those settings in the voi...
by Van9018
Tue Jun 27, 2017 11:33 pm
Forum: Wireless Networking
Topic: mAP lite powered by RB960PGS (hEX PoE) - 802.3af?
Replies: 2
Views: 1093

Re: mAP lite powered by RB960PGS (hEX PoE) - 802.3af?

I think the mAP can support power in via pins 1,2,3,6 (Mode A) or 4,5,7,8 (Mode B). And I think the hEX can only send power out via pins 4,5,7,8 (Mode B). The description of the hEX PoE says "It can power at/af mode B (4,5+)(7,8-) compatible devices, if 48-57 input voltage is used." It doe...
by Van9018
Tue Jun 27, 2017 11:52 am
Forum: Wireless Networking
Topic: Failure to subsequently reconnect
Replies: 2
Views: 589

Re: Failure to subsequently reconnect

This happens to me too, but not consistently. Once in awhile a device won't reconnect until I clear that SSID from cache and reconnect. I didn't look into it. Try turning on extra logs for wifi and see what the logs show. I've given up on Mikrotik for office wireless solutions.
by Van9018
Tue Jun 27, 2017 11:48 am
Forum: Beginner Basics
Topic: Blocking Three IP/Mac Addresses
Replies: 2
Views: 708

Re: Blocking Three IP/Mac Addresses

If you're not concerned about security and just want a simple way to block a non-malicious user from eating bandwidth, you can create a DHCP reservation for these 3 MACs and assign them an invalid IP. You can also find the rogue devices by looking at arp tables which will tell you which port the mac...
by Van9018
Tue Jun 27, 2017 11:35 am
Forum: Beginner Basics
Topic: Ping/transmision between networks
Replies: 1
Views: 379

Re: Ping/transmision between networks

Firewall should block by interface, not protocol and port.

When packets come in Ether9 and not going out Ether1, drop the packet Same for Ether10.
When packets come in Bridge1 and not going out Ether1, drop the packet.
by Van9018
Tue Jun 27, 2017 11:29 am
Forum: Beginner Basics
Topic: Nat Rule - FTP Filezilla server
Replies: 5
Views: 8495

Re: Nat Rule - FTP Filezilla server

If you use plain FTP (no encryption) then you only need to port forward tcp 21. The FTP Helper service will dynamically forward inbound ports, and also translate your private IP to public. If you use encrypted FTP, you have to set up port forwarding for the destination ports and also define these po...
by Van9018
Mon Jun 26, 2017 10:04 pm
Forum: General
Topic: Why Mikrotik ???
Replies: 32
Views: 10055

Re: Why Mikrotik ???

- Consistent gui across products. Cisco's gui varies - Winbox is a very snappy and portable exe, quite nice to work with. Some cisco products require java and a clunky software install just to do port forwarding. - Tools: Huge set of tools including pcap capture. I wouldn't bother using Cisco's sad ...
by Van9018
Sun Jun 25, 2017 11:55 pm
Forum: Beginner Basics
Topic: Unresponsive router
Replies: 2
Views: 528

Re: Unresponsive router

by Van9018
Sun Jun 25, 2017 11:50 pm
Forum: General
Topic: Mikrotik is unable to open ports for port forwarding [SOLVED]
Replies: 5
Views: 3112

Re: Mikrotik is unable to open ports for port forwarding [SOLVED]

For UPNP, turn it on under IP > UPNP
Looks like Uber conference uses SIP/VoIP. There is no port forwarding to setup for that.
Uber conference website says to disable SIP ALG. I'd first try it with it enabled... Then try turning it off with UPNP enabled.
by Van9018
Sun Jun 25, 2017 9:36 pm
Forum: General
Topic: nat problem between clients
Replies: 16
Views: 2257

Re: nat problem between clients

It looks like you have 1 WAN and LANs.
There is no NAT required between LANs. No 0.0.0.0/0 routes required to route from 1 lan to the next.

If you only have 1 WAN, then you should only have 1 0.0.0.0/0 route.
by Van9018
Sun Jun 25, 2017 12:46 am
Forum: Beginner Basics
Topic: Vpn server in mikrotic pc
Replies: 3
Views: 685

Re: Vpn server in mikrotic pc

SSTP VPN will likely get around firewalls at airports, etc.
https://wiki.mikrotik.com/wiki/SSTP_step-by-step
And an SSTP client is built into Windows.
by Van9018
Sun Jun 25, 2017 12:44 am
Forum: General
Topic: SSTP between 2 Mikrotik issue with " verify server certificate " at client
Replies: 1
Views: 784

Re: SSTP between 2 Mikrotik issue with " verify server certificate " at client

Use "Verify Server Address from Certificate" instead of "Verify Certificate". Otherwise the Mikrotik will want to check the server's certificate against a certificate revocation list or online service. Both of which you may not have defined in your CA certificate if you're using ...
by Van9018
Sun Jun 25, 2017 12:25 am
Forum: Wireless Networking
Topic: Wirelles can over 25mb of Download
Replies: 18
Views: 5688

Re: Wirelles can over 25mb of Download

My Config: From the default out-of-box config, I change SSID in wlan1 and in default security profile, I set Auth types to WPA-PSK, WPA2-PSK, aes ccm and I set the pre shared key. Thats all. To troubleshoot the slow performance, I I tried changing band to 2Ghz-n only, freqency and channel width. All...
by Van9018
Fri Jun 23, 2017 10:08 am
Forum: Beginner Basics
Topic: Mikrotik as Trasparent Router
Replies: 2
Views: 616

Re: Mikrotik as Trasparent Router

Sounds like you want a switch. The Mikrotik can be configured as such. IP > Interface, go through ether2 - ether5, set master port to ether1. IP > Bridge > Ports. Remove ether2 and add ether1 to bridge-local IP > DHCP Server, delete the entry IP > Address, delete the default 192.168.88.0 entry IP > ...
  • 1
  • 2