Community discussions

Search found 505 matches

by Van9018
Tue Apr 16, 2019 9:29 pm
Forum: Beginner Basics
Topic: check and protect smb from outside
Replies: 2
Views: 249

Re: check and protect smb from outside

SMB from the outside is firewalled by default (out-of-box config). There should be a default deny rule in your firewall. With out-of-box config, your LAN ports would be in a bridge and there would be no firewall, so SMB within the LAN should be ok. I like to firewall outbound SMB though, disallow SM...
by Van9018
Fri Apr 12, 2019 5:51 am
Forum: Beginner Basics
Topic: routers sends back local IP instead of external
Replies: 4
Views: 276

Re: routers sends back local IP instead of external

For the sake of understanding of what you saw at first... when I use filezilla, it does work, but when I use windows explorer.... When your filezilla server uses the private IP of the machine, the remote filezilla-client will probably work because the filezilla client has a feature where it determin...
by Van9018
Sat Apr 06, 2019 10:54 pm
Forum: General
Topic: SIP port(s)
Replies: 6
Views: 349

Re: SIP port(s)

by Van9018
Thu Mar 28, 2019 9:52 pm
Forum: General
Topic: Port forwarding to two pcs for RDP
Replies: 12
Views: 479

Re: Port forwarding to two pcs for RDP

- Can you RDP to the 2nd machine from inside the LAN? If not, then check Windows firewall. If you can, check if firewall is limited to LAN only or something like that. - Use Torch on wan interface. You should see your RDP packets coming in the wan interface, then torch again on the lan and you shoul...
by Van9018
Wed Mar 27, 2019 2:57 am
Forum: Beginner Basics
Topic: Connecting SSTP Client and SSTP Server on MT
Replies: 6
Views: 346

Re: Connecting SSTP Client and SSTP Server on MT

Your MT-DEVICE with IP of 172.17.1.x doesn't know where the 172.16.0.0/16 network is. The MT-DEVICES need a route that says to forward 172.16.0.0/24 to <SSTP-CLIENT-NAME> Your SE-DEVICE with IP of 172.16.1.1 doesn't know where the 172.17.0.0/16 is. The SE-DEVICE needs a route to send 172.17 packets ...
by Van9018
Fri Mar 22, 2019 5:03 am
Forum: Scripting
Topic: macros bug
Replies: 6
Views: 418

Re: macros bug

This page: https://wiki.mikrotik.com/wiki/Manual:S ... _statement
says the syntax of the if statement should be prefixed with a colon

{
:local myBool true;
:if ($myBool = false) do={ :put "value is false" } else={ :put "value is true" }
}
by Van9018
Fri Mar 22, 2019 4:51 am
Forum: General
Topic: How to route (assign) two Public IP's on same segment /29 and keep connectivity
Replies: 18
Views: 817

Re: How to route (assign) two Public IP's on same segment /29 and keep connectivity

IP > Address, just add the second IP to the same interface. You may need a src-nat rule in IP > Firewall > NAT.
I don't understand your requirements though. Is Public IP #1 meant for guests, and Public IP #2 is meant for the corporate LAN?
by Van9018
Fri Mar 22, 2019 4:15 am
Forum: General
Topic: IPSEC ike2 tunnel drops [SOLVED]
Replies: 4
Views: 404

Re: IPSEC ike2 tunnel drops [SOLVED]

I don't have much input.. sorry! I checked my IPSec configs, and I found that a second set of SA's get created, both sets exist for maybe 30 seconds and then the first set is removed. My soft lifetime is 30 minutes, hard lifetime is 1d. The status of the SAs say 24/30 for "add lifetime". It's afte...
by Van9018
Fri Mar 22, 2019 2:28 am
Forum: General
Topic: Static DNS for Local network
Replies: 18
Views: 744

Re: Static DNS for Local network

But I would refrain from using Layer 7 protocol expressions. Why refrain from this? I do as Sob suggested. At my office, my Mikrotik maintains a VPN to my clients. Using L7, I intercept DNS packets and redirect them to the client's internal DNS server. Now, any PC from my office can remote into any...
by Van9018
Fri Mar 22, 2019 1:46 am
Forum: Beginner Basics
Topic: Is it OK for all leds to run at once like this ?
Replies: 2
Views: 186

Re: Is it OK for all leds to run at once like this ?

On a LAN, routers often try and be proactive in resolving IPs to MACs (ARP Request). An ARP request is a broadcast packet. Your router will query each IP on the LAN for its MAC address. Devices will also do ARP requests. Windows will try and discover new equipment like TVs and Printers on the networ...
by Van9018
Fri Mar 22, 2019 1:37 am
Forum: General
Topic: Attempt of attacks through Remote Desktop
Replies: 6
Views: 326

Re: Attempt of attacks through Remote Desktop

First ensure you have the latest updates to Win 7 or Win 10. Don't use older Operating Systems. Microsoft dropped the ball 3 times already where a hacker could send a specially crafted packet that would contain a command that would be executed under the System user. So without logging in, a hacker c...
by Van9018
Fri Mar 22, 2019 1:23 am
Forum: General
Topic: SMB Server question (RB3011)
Replies: 2
Views: 239

Re: SMB Server question (RB3011)

Might be related to line endings. The working PDF has CRLF as line ending whereas corrupted file has LF. This was a problem for iOS mail for a short time a few years ago. Use a hex editor on a corrupted PDF and locate an LF character (ascii=10). There must be a preceding CR character (ascii=13). If ...
by Van9018
Fri Mar 22, 2019 1:07 am
Forum: General
Topic: VoIP issues Mikrotik SIP ALG and Grandstream
Replies: 2
Views: 350

Re: VoIP issues Mikrotik SIP ALG and Grandstream

I don't quite understand your setup. On my Grandstream + Mikrotik setups I leave SIP ALG on, turn sip-direct-media off and set the two ports on the UCM to switch/bridge mode so neither port is a WAN port. It's then like a 2 port switch. I don't use any NAT whatsoever because that's what the SIP ALG ...
by Van9018
Wed Mar 20, 2019 1:09 am
Forum: General
Topic: faile to obtain ip address error
Replies: 4
Views: 227

Re: faile to obtain ip address error

When lease shows mac as 00:00:00:00:00 then a device already has that IP. Some Ideas: - Turn on logging for the DHCP topic. - If log says Offering Lease without Success, check out this thread: https://forum.mikrotik.com/viewtopic.php?f=2&t=130176&p=719332&hilit=apple+dhcp#p719332 - Possibly another ...
by Van9018
Wed Mar 20, 2019 12:59 am
Forum: General
Topic: Static IP not showing at DHCP server.
Replies: 8
Views: 3151

Re: Static IP not showing at DHCP server.

because some PC I set as static at DHCP there and I saw it at lease there.
If your PC started off as DHCP and then you set it to a static IP, the old lease will still be shown until it expires.
by Van9018
Wed Mar 20, 2019 12:14 am
Forum: Beginner Basics
Topic: Any way to scan for *anything* on the LAN? [SOLVED]
Replies: 4
Views: 289

Re: Any way to scan for *anything* on the LAN? [SOLVED]

The link local status will tell you if something is physically connected. If that device tries to communicate, it must have at least a MAC address and the Mikrotik will record that MAC in its ARP tables. You can look up this table in Switch > FDB I think. Entries in arp-tables last for about 10 minu...
by Van9018
Sat Mar 16, 2019 10:23 pm
Forum: Beginner Basics
Topic: ARP issue
Replies: 2
Views: 207

Re: ARP issue

Is this your setup ?
First Router, ether1--> Modem/internet.
2nd Router, ether1 --> First Router's ether2
by Van9018
Tue Mar 12, 2019 2:15 am
Forum: General
Topic: route ip to specific gateway
Replies: 6
Views: 247

Re: route ip to specific gateway

Yes, it's one less rule but is it more efficient?? I doubt it. If ISP2 is exclusive to the webserver, I'd think of this as a one-to-one NAT where all but HTTP is firewalled. If thinking of this as a one-to-one NAT, it feels a bit more semantic to not have connection-marking rules. If familiarizing my...
by Van9018
Tue Mar 12, 2019 1:30 am
Forum: Beginner Basics
Topic: Mikrotik as HUB (configuration)
Replies: 16
Views: 810

Re: Mikrotik as HUB (configuration)

IP > DHCP Server, delete the dhcp server for bridge1 IP > Addresses, delete the ip address of bridge1 At this point, Ports 2-5 and wifi are considered a switch. ether1 remains the gateway. If you want to use ether1 as another port in the switch... IP > DHCP Client, delete DHCP Client for ether1 Brid...
by Van9018
Tue Mar 12, 2019 1:05 am
Forum: General
Topic: Harpin NAT between two VLANs
Replies: 34
Views: 1053

Re: Harpin NAT between two VLANs

Overriding www.yoursite.com would be less complicated. Do it in pi-hole if possible. If not, you can catch DNS requests in the Mikrotik, repoint the domains to your Mikrotik's DNS and override there.. You'd have to override yoursite.com and www.yoursite.com. You will need to allow port 80/443 to you...
by Van9018
Mon Mar 11, 2019 11:53 pm
Forum: General
Topic: How to reach RouterOs (web or Winbox) via my static ip address from outside network
Replies: 24
Views: 934

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

I see the source IP address if I run Torch on my WAN IP but no connection is established Next would be to Torch bridge1, you should see packets forwarding to your webserver. If not, check your NAT (Port forwarding) rules. On the same Torch, you should see packets coming from your webserver....
by Van9018
Mon Mar 11, 2019 11:46 pm
Forum: General
Topic: How to reach RouterOs (web or Winbox) via my static ip address from outside network
Replies: 24
Views: 934

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Otunmusa, by default the Mikrotik won't remember which ISP your outside request came in on. So you connect to the IP of ISP2, and your port forwarding rules forward to your web server. Then your webserver replies, but the Mikrotik will send the packets out on ISP1. This is a broken connection. You h...
by Van9018
Mon Mar 11, 2019 11:21 pm
Forum: General
Topic: Harpin NAT between two VLANs
Replies: 34
Views: 1053

Re: Harpin NAT between two VLANs

You need 4 rules per hairpin. This tutorial worked for me: https://wiki.mikrotik.com/wiki/Hairpin_NAT

Or you can override DNS in the Mikrotik to repoint your website url to the LAN IP of your webserver.
by Van9018
Mon Mar 11, 2019 11:11 pm
Forum: General
Topic: route ip to specific gateway
Replies: 6
Views: 247

Re: route ip to specific gateway

If it's specifically 1 LAN IP that gets to use ISP2 exclusively, then you could skip the connection-marking and just apply routing marks.
by Van9018
Mon Mar 11, 2019 10:59 pm
Forum: Beginner Basics
Topic: Firewall rules
Replies: 6
Views: 411

Re: Firewall rules

Or use a VPN, then configure your viewer to connect to the local IPs of the cameras. This could be more secure than exposing your Camera's communication protocols to the internet.
by Van9018
Mon Mar 11, 2019 10:32 pm
Forum: General
Topic: Viewing network traffic question
Replies: 7
Views: 425

Re: Viewing network traffic question

I just need a simple "traffic from this IP can go through" rule. To do this, you can create a NAT rule. In Winbox, it's under IP > Firewall, click the NAT tab. Create Rule: chain=dst-nat, src-ip=<Scanner IP>, in-interface=ether1, action=dst-nat, to-address=<IP of internal PC> You can create a 2nd r...
by Van9018
Fri Mar 08, 2019 9:29 am
Forum: General
Topic: Please help SSL Notworking
Replies: 2
Views: 156

Re: Please help SSL Notworking

Port conflict or no certificate. Certificate needs a private key too.
by Van9018
Fri Mar 08, 2019 9:23 am
Forum: General
Topic: Viewing network traffic question
Replies: 7
Views: 425

Re: Viewing network traffic question

I thought the purpose of the PCI Compliance scan was to check for open ports and predictive PAT. They'll check for things such as downgrade attacks on servers you may have exposed to the internet. Some routers will have security where it detects and blocks port scanners. They want you to disable that t...
by Van9018
Fri Mar 08, 2019 8:13 am
Forum: General
Topic: SSTP Server, does it REALLY work for anyone??
Replies: 7
Views: 333

Re: SSTP Server, does it REALLY work for anyone??

You don't need to make a certificate chain, but I'd consider it good practice. You'd install 1 self-signed certificate that's marked as a Certificate Authority (CA) on your windows computers then you can create more certificates and sign them with your CA certificate and the computers will trust the...
by Van9018
Fri Mar 08, 2019 7:38 am
Forum: General
Topic: ARP/DHCP issue [SOLVED]
Replies: 9
Views: 462

Re: ARP/DHCP issue [SOLVED]

- When a host wants to send a packet to an internet address, it will send the packet directly to the gateway. It will NOT do an arp lookup for that internet address. - You shouldn't see two DHCP discovers and two requests during a DHCP transaction, but not a big deal. Discover, Offer, Request, Ack. ...
by Van9018
Thu Mar 07, 2019 4:44 am
Forum: General
Topic: How to get on mikrotik list of arp records at port.
Replies: 3
Views: 180

Re: How to get on mikrotik list of arp records at port.

In Winbox, Switch > FDB
by Van9018
Wed Mar 06, 2019 8:03 am
Forum: Wireless Networking
Topic: Block PC to access local LAN on Mikrotik
Replies: 3
Views: 200

Re: Block PC to access local LAN on Mikrotik

If PC is trusted and you want the firewall for good measure, then maybe iptables in ubuntu?
If PC is untrusted, then anav's suggestion is the only way. Also consider firewall input rules to protect router service ports from the untrusted computer.
by Van9018
Wed Mar 06, 2019 4:29 am
Forum: Beginner Basics
Topic: Dropping from non-DHCP clients
Replies: 1
Views: 98

Re: Dropping from non-DHCP clients

In the interface settings, set ARP to enabled (or arp-proxy if your Mikrotik is a VPN Server). You probably have arp set to reply only. Reply Only is a feature that prevents devices with statically set IPs from communicating on the network. For a statically set IP, you'd have to then manually the ma...
by Van9018
Wed Mar 06, 2019 4:25 am
Forum: RouterBOARD hardware
Topic: Problem to choose the right hardware
Replies: 5
Views: 548

Re: Problem to choose the right hardware

Your RB450Gx4 has enough performance and AES hardware acceleration for all 3 situations. I used a Hex Lite, a very cheap Mikrotik router, for 80 PCs and one IPSec tunnel for site-to-site. The Hex Lite does not have AES hardware acceleration so I had to slow Microsoft DFS to 3 mbit/s otherwise the C...
by Van9018
Wed Mar 06, 2019 4:13 am
Forum: General
Topic: ARP/DHCP issue [SOLVED]
Replies: 9
Views: 462

Re: ARP/DHCP issue [SOLVED]

If the Alarm system has an IP statically set and it's not on the same subnet as statically set in the alarm system, then the alarm system will do ARP requests for the gateway that's statically set in the Alarm system. Since no device on your network will have that IP, you will only see ARP requests ...
by Van9018
Wed Mar 06, 2019 4:00 am
Forum: General
Topic: ARP/DHCP issue [SOLVED]
Replies: 9
Views: 462

Re: ARP/DHCP issue [SOLVED]

You're a bit off on ARP. On an Ethernet network, every device has a mac address. When packets get sent out over Ethernet, they are actually routed only by their mac address. Not IP address. Since your PC will connect to remote devices by IP, then it needs to find out who on the network has an IP ass...
by Van9018
Wed Mar 06, 2019 3:08 am
Forum: Beginner Basics
Topic: port forwarding - can't figure it out
Replies: 2
Views: 137

Re: port forwarding - can't figure it out

Issue 1 & 2: You are looking at the firewall rules. You need to go to IP > Firewall and then click the NAT tab. Then when you create a rule you'll see chain=dst-nat and action=dst-nat

Issue 3: Your action should be dst-nat, not dns-nat
by Van9018
Thu Jan 10, 2019 3:01 am
Forum: Beginner Basics
Topic: Cannot access RouterOS using WebFig
Replies: 8
Views: 484

Re: Cannot access RouterOS using WebFig

You can reset the device configuration back to default to make it back into a managed switch. Or if you want to do it manually anyway: - Remove your bridge - Set master-port to ether1 for ports 2-24. - Remove all port forwarding from firewall > NAT, also remove any mangle rules. Delete firewall rules...
by Van9018
Thu Jan 10, 2019 2:48 am
Forum: General
Topic: Apple devices flooding DHCP server
Replies: 7
Views: 771

Re: Apple devices flooding DHCP server

Have you tried using a different Mikrotik to rule out the Mikrotik as the problem? Disable the DHCP Service, try obtaining an IP. Is there another DHCP service on the network? In Winbox, capture packets with Tools > Packet Sniffer. Save packets to a file. Let the problem happen for a minute. Stop th...
by Van9018
Fri Nov 09, 2018 6:08 am
Forum: General
Topic: DHCP issue
Replies: 4
Views: 550

Re: DHCP issue

The default config of an 951G-2HnD is: Port 1 = WAN Port 2-5 & WIFI = LAN So to accomplish what you're doing, you should plug cables in like this.. R1 Port 1 -> Internet R1 Port 2 -> Client 1 LAN R1 Port 3 -> R2 Port 1 (You probably have this going to a different port?) R2 Port 2 -> Client 2 LAN The...
by Van9018
Wed Oct 10, 2018 1:25 am
Forum: General
Topic: Two of Three Mikrotik router became unreachable after few days
Replies: 1
Views: 263

Re: Two of Three Mikrotik router became unreachable after few days

Try using Winbox and connect via MAC address (have to be on the same LAN) I had this issue. Router worked fine but couldn't connect via Winbox to its IP. But connecting via MAC address worked. I never could get Winbox working again over IP. I replaced it, I have not yet done a factory reset to see ...
by Van9018
Thu Sep 13, 2018 1:01 am
Forum: Beginner Basics
Topic: Got hacked, think I need help with configuring routerOS
Replies: 17
Views: 2349

Re: Got hacked, think I need help with configuring routerOS

For the mikrotik.php virus, Winbox may still work if you connect via mac address. Check IP > Web Proxy, disable it. Go to IP > Firewall, NAT. Delete redirect rule. Go to System > Scripts, delete the bad scripts. Check System > Scheduler too. Even after you secure your router with firewall, upgrade t...
by Van9018
Tue Sep 11, 2018 1:50 am
Forum: General
Topic: Unable to connect to VPN from outside the internal network
Replies: 2
Views: 371

Re: Unable to connect to VPN from outside the internal network

Your firewall rules (500, 4500, 1701) only apply when the routing-mark = DellDsl. Ether4 has a WAN IP. The src-address of packets coming in ether4 would then be a WAN IP. Your mangle rules apply to packets coming in with a private IP - these rules probably don't get triggered.
by Van9018
Tue Sep 11, 2018 1:34 am
Forum: General
Topic: How to block Windows Update on RB2011
Replies: 3
Views: 1210

Re: How to block Windows Update on RB2011

On windows computers you can set the update server. Point it to a non-existent server. You can do that in Group Policy. Then the computers won't get any updates. For the Mikrotik, I think you'd have to resolve all those hostnames to the various IPs in which they may resolve. Then add those IPs to an...
by Van9018
Tue Sep 11, 2018 1:27 am
Forum: Beginner Basics
Topic: DNS for PPTP clients
Replies: 9
Views: 3981

Re: DNS for PPTP clients

If you're trying to resolve hostname only, then your computer goes through various steps to resolve it. 1. It checks the hosts file, this returns immediately. 2. It checks DNS, if any of your adapters has a dns suffix then it'll try and resolve that way. If any DNS servers are slow to respond, this ...
by Van9018
Fri Sep 07, 2018 2:04 am
Forum: Beginner Basics
Topic: Bruteforce prevention Issue
Replies: 14
Views: 896

Re: Bruteforce prevention Issue

How about a Mikrotik as a VPN server. Techs VPN into that router. Then all client routers allow winbox, RDP, etc from the VPN Servers IP. It also gives the ability to cancel the tech's access to all client sites by deleting his login on the VPN server. iPhone, Android, Windows and Mac all support L2...
by Van9018
Fri Sep 07, 2018 1:11 am
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 420

Re: Windows 2016 DC requesting lots of IPs from DHCP?

Why wouldn't you let your DCs be the DHCP server rather than the router? You have redundancy with 2 DCs. If an IP in the DHCP range is in-use but the DHCP server has no lease for it, Mikrotik will mark it as in-use and try the next IP. Microsoft will give out the in-use IP. Example: Client buys a p...
by Van9018
Thu Sep 06, 2018 9:37 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: IP source guard / arp inspection
Replies: 6
Views: 1057

Re: Feature Request: IP source guard / arp inspection

This exists I believe. For your LAN interface, set arp mode to read-only.
If you want a statically set IP for a client, you'd first have to add his mac to the arp table with desired IP.
Everyone else must use their dynamic IP given by DHCP.
by Van9018
Thu Sep 06, 2018 9:13 am
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 420

Re: Windows 2016 DC requesting lots of IPs from DHCP?

Probably a Windows Server thing. RRAS will hold a bunch of IPs like this.
by Van9018
Sat Aug 04, 2018 4:49 am
Forum: Beginner Basics
Topic: Nat not working
Replies: 4
Views: 571

Re: Nat not working

I find Torch a useful tool to track where packets are being lost. Torch on the WAN to determine if packets are actually hitting your wan, if they are, check dst-nat rule - is the 'packets' field incrementing? Then torch on the LAN side, see if packets are leaving your Mikrotik with the new dest ip (...