Hi there, I came to this thread after trying the directions on the NordVPN site, and got excited because it's working for so many people, but the configuration isn't working for me. I would like to have two devices on my network, an Apple TV and a laptop, access the VPN connection, and the rest to no...
Short answer: You can't. Long answer: Yes, but it's not easy and definitely not free. Mushroom Networks offers a product that will do this. Obviously your mileage may vary depending on your location. For good performance your ISP should be close to Mushroom Networks' servers. You can roll your own by ...
@lenart, thanks, it worked for me! Great, I've revised my configuration after monitoring the firewall rules though; it turns out that in this particular setup you don't need any no-track rules generated at all, so removing the no-track completely is the best advice. It's empty by default when creating...
Found the solution for my setup, turns out I had the [notrack-chain] option set to [prerouting] and that didn't work at all. I changed it to [output] and suddenly everything started working like a charm. peer=NordVPN peer auth-method=eap eap-methods=eap-mschapv2 mode-config=NordVPN notrack-chain=&qu...
Hi, try to move the rules below to the top and try again. Kill the NordVPN IPsec connection, clear the conntrack list and try again. add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=Nord...
I've been trying to implement this particular setup (specifically number 3) but I don't seem to be having any luck whatsoever, every time I add an IP address to my list, that particular device cannot connect to the internet anymore. I'm out of options when it comes to debugging steps so I would like...
Ok, yes, for VDSL we can configure Mikrotik to use a VLAN. For ADSL we need to choose the VPI/VCI couple we need, which, if we can't configure it, has to be provided hard coded inside. Do you know if all resellers sell modules from the same manufacturer? Do I have to ask them? I'm afraid I don't know if all resellers se...
Do you know if VDSL VLAN 835 is managed? I haven't been able to find any information about a management option from the DSL side of the device. Given its form factor, I think it's very unlikely that this device offers such an option though. Since the device acts as a bridge between xDSL and SFP, an...
I've just received the Proscend 180-t from Duxtel in Australia. I've installed the module in my RB 2011 and switched over my config to the SFP port. So far so good, I've been able to measure speeds of 70/30 up/down which seems to indicate that vectoring is active. I'm on the Dutch KPN VDSL network a...
You cannot state that routing has better performance than bridging. It would be akin to saying that taking the plane is better than taking the car. While I would certainly prefer a flight over a drive if I want to travel from New York to LA, I'd much rather take the car to go to my local supermark...
I know that my connection to/from my ISP (using PPPoE) is heavily censored :( on their site and they are blocking some ICMPv6 traffic :shock: , which of course breaks PMTU discovery, hence my attempt at the tcp-mss rule, but this effort was in vain, or possibly incorrectly implemented (I am after all a...
Using a subnet prefix length other than a /64 will break many features of IPv6, including Neighbor Discovery (ND), Secure Neighbor Discovery (SEND) [RFC3971], privacy extensions [RFC4941], parts of Mobile IPv6 [RFC4866], Protocol Independent Multicast - Sparse Mode (PIM-SM) with Embedded-RP [RFC3956...
Yes, since IPv6 is a layer 3 protocol, your first order of business would be to determine the layer 2 MTU. That will allow you to calculate the appropriate MTU. Furthermore, any MTU you select should be at least 1280 as specified in chapter 5 of RFC 2460. Start with that as your MTU and increase ste...
Well, the RB1100AHx2 has three ports with dedicated connections to the CPU, making it a more capable router than the RB3011 for some scenarios. And, to add to chechito's points, the RB1100AHx2 has been around for a while. Some might require replacements and not all customers might be as keen to move...
You can set the current WAN ip address as source address in any firewall rule. It will be hardcoded so if your IP address changes on a regular or semi-regular basis, you would have to change it in every single firewall rule. You could get around this issue by using an address-list as the source, as ...
I'm not sure if my config would help because my setup uses PPPoE as an interface and has extra NAT rules to account for VPN connections. In addition to that, I've got some firewall rules for IPsec VPNs. I've got two RB2011s in the field and both of them have no problem with dstnat rules. To be hones...
There's a FreeBSD program called mpd that can act as an MLPPP server. In addition you could buy a Juniper router, but I guess that's not any better price-wise than getting yourself a Cisco router.
If you are planning to use a VPS server, please verify with the hosting provider that they assign IP address blocks to VPS servers. With the current IPv4 shortage, they tend to be stingy with things like that. I know that there is a service here in the Netherlands that offers a GRE tunnel with an IP...
Here's an interesting question, are you sure that traffic actually passes through NAT? Since you are getting a dynamic internal IP from your cable modem, it could be that your RB2011 just knows how to route packets between the internal RFC 1918 address range of your RB2011 and the internal RFC 1918 ...
IPv4 and IPv6 are two very different protocols that work on OSI level 3. Translating between these two protocols is not a trivial matter. Technically it is indeed possible but there's a very, very, very limited number of implementations out there. These implementations focus mainly on web services (...
The layer 2 protocol (or layer 2.5 protocol as PPPoE is sometimes referred to) you are running does not factor into the capabilities that users have on your network. In addition to that, it's virtually impossible to stop your customers/clients from downloading AND provide them with fast web surfing ...
The exact implementation of the routing depends on how your servers are connected to the router but the basic setup should involve an entry in the route list for the IP addresses where you set the gateway to the appropriate interface(s). So if you have all your servers connected to ether2 through a ...
Are you sure that the modem is sending you tagged traffic? In the screenshots I noticed that you have a PPPoE vlan. Under [Tagged Ports] I can only see [wan] and [Untagged Ports] seems to be empty. It seems no other ports are part of that vlan. Would it not be an idea to either add an Ethernet port ...
Have you tried removing ether5-gateway from the switch group by setting the [master-port] variable to [none]? I just tested that part of your config on my own setup and I couldn't get a PPPoE connection while my gateway port was part of the switch group.
Your thinking isn't off, to be honest. The increased timeout will make it harder for brute force attacks with increased timeouts between login attempts to succeed. The question I'd ask myself is whether this type of attack is a bigger problem than the potential that users lock themselves out as descr...
I find it very peculiar that your ISP is assigning you a different prefix every time your modem refreshes its DHCP lease. In addition, I find it very peculiar that the CPE (ISP modem) runs a DHCPv6 server. Could you provide some information on the router? I'd be curious to learn more as this is the...
In the setups I've seen, the ISP assigns a prefix to the CPE. This can be done through DHCPv6 or through router advertisement messages. Once your router has a prefix, all it needs to do is advertise that prefix to the local broadcast domain. Any IPv6 enabled systems will use stateless autoconfigurat...
Here's the list: L2TP over IPSec - Connect this FRITZ!Box with a company's VPN IPSec - Connect your home network with another FRITZ!Box network (LAN-LAN linkup) PPP - Not listed (it's not a VPN protocol) If the employee does not have a fixed IP address you're better off using the L2TP option. If the...
All I can come up with is a service offered by a company called Mushroom Networks but they provide their own hardware for the bonding so you wouldn't be able to take advantage of your Mikrotik hardware with this solution. Any Mikrotik based solution would require bonding support on both ends of the ...
I don't understand what you're trying to accomplish with the difference in timeout. Timeout only affects the amount of time an IP address is present in a list. This could create the rather unexpected situation that someone ends up in the 20 minutes timeout list due to problems logging in. If they lo...
I'm not sure what your userbase is like so it might not be an option, but you could set up port knocking to allow users to give themselves access if they lock themselves out. You could use the port knocking as a trigger to add the IP to a specific 'allowed' list for a limited time (1 day for instance)...
The add-to-[xxx]-address-list actions do not stop traffic from being analyzed by the next rule when a packet matches. So you need to reverse the order of the rules for this to work. So this is a logical issue rather than a software (or firmware) issue.
You do not have to create the address-lists, they are created automatically by the rule. If no address-lists are being created, check in WinBox whether any traffic is hitting the last rule. If no traffic is making it to the last rule, you should figure out which rule is matching the traffic and eith...
Sorry, I didn't explain the rules correctly. The ruleset presented gives you 3 attempts in 3 minutes before you are blocked for 10 days. If you create one rule that times out in 3 minutes, you get 1 attempt every 3 minutes. That way, you'll block yourself for 10 days if you accidentally mistype your...
These rules give any user 3 minutes to properly authenticate. After that, the IP address that is used will not be able to get a connection to the SSH service for 10 days. While any computer can still try to connect to port 22 on your Mikrotik, the fact that you drop packets will take away the incent...
I've solved this issue by adding a masquerade rule to my srcnat chain. That way, my Mikrotik replaces my LAN ip address with the IP address of the interface facing the DSL modem. That way my DSL modem just has to deal with the subnet between the modem and the Mikrotik. /ip firewall nat add chain=src...
I was not suggesting that 4G/LTE does not require a simcard, I am disputing the suggestion that there are simcards that are specifically made for 4G/LTE. A simcard that you got before 4G/LTE was invented will work perfectly fine in a device that supports 4G. As such, I recommended the exact same rou...
Sim cards specifically designed for 4G/LTE don't exist so I don't think you'll find any device with such a slot. You are better off looking for devices with SIM slots (drop the specific 4G/LTE part). You do have 4G/LTE modems out there that fit into mini-PCI-e slots on devices like the RB912UAG-2HPn...
I've got a Mikrotik setup with an IPSec VPN to an AVM Fritzbox. I've added a few IPSec policies to route some of my internet traffic through that VPN connection. If I would have to route traffic for 10.112.0.0/16 through that tunnel, I'd add a policy with the following settings /ip ipsec policy add ...
It seems that the new path has a max MTU that is 8 bytes smaller than the previous path. Your MTU tests show that between 1390 and 1398, packets are disappearing. That's cos they are rejected because the packet is not completely transferred (between 1 and 8 bytes are sent but never arrive as it's ch...
Based on the information you provided, it's hard to judge if somebody gained access to your router. The fact that your password did not work for a short time is worrying, but it seems that you were eventually able to log in using your password. This suggests that whatever was going on has resolved its...
You could try routing. If all hosts are connected to the same port on the Mikrotik router (through a switch for instance) you would add an entry for your public IP addresses to your route table (IP->Routes) and set the gateway to the port that connects to the hosts. Using your example: Address range...
Quite simply because you are using port forwarding. Your router is translating the IP address of the host that's trying to connect to your SSH server to its own internal LAN IP address. And since your firewall rule allows connections from any IP on the internet to IP addresses in the range 75.64.26...
I have found out the solution to this problem myself. It is because my VLAN MAC addresses are the same. In my case I had my VLANs attached to an interface bond so they all had the same MAC address. I am not sure the best way to get around this however. Doesn't seem like I can change the MAC address on ...
Hi Milos, call your ISP and check if they can see your Mikrotik's MAC address from the xDSL port on the DSLAM. I have seen a couple of issues with only 1 MAC allowed on the xDSL port. That's a good idea, it could provide some insight into where this is breaking down. I would however start by using the laptop MAC...
There is a staggering lack of documentation about your particular modem on the internet so I'm afraid I can't provide you with reliable info specific to that make and model. Usually, an ADSL link is built up using the following encapsulation chain: DSL( ATM( AAL5( RFC1483/RFC2684( Ethernet/802.3( PP...
If you are using IPv4 with NAT/Masquerade, you should add a [dst-nat] rule to your firewall's NAT chain (the NAT tab in the IP->Firewall sub-menu). Set the Dst-Address to the IP address of the network that doesn't have direct access to the AP (most likely your public IP address) and set the [Action]...
Did anyone find a solution? Hi Milos, I have no clue whether they found any solution. Regardless, I am doubtful if any solution they found for their specific setup would guarantee a solution for you. While I can't call myself an expert, I do have some experience with bridging xDSL connections. If y...
You could try to adapt the firewall rules in this wiki article. If you omit the drop rule, (the first rule in the SSH section), you'll get a neat list of IP addresses that are attempting to connect using SSH.
Well, for starters, DON'T use masquerading when you have two IPs assigned to your WAN interface, but use src-nat and specify the internet-routable IP address as the 'to-address'. From the documentation: masquerade - replace source address of an IP packet to IP determined by routing facility. src-na...
*Check cabling (MT - modem), maybe the cable is damaged. If this was the root cause, you would expect the issue to exist if the modem is doing the PPPoE authentication. This doesn't seem to be the case though. *Try to ping some local IP (if your provider is not blocking ICMP to the default gateway obtain...
Did you use src-nat instead of masquerade to set up the NATting? Masquerade uses the interface address for the address translation. If you happen to have two addresses configured on the interface, I'm not sure which one takes priority but I am reasonably sure that there isn't any code in there that w...
Do you need all 254 addresses in your routed subnet for the systems on the second interface? Cos I don't really understand why you haven't tried using an IP address from your routed subnet, especially since there should not be any need to use metarouter in this case. It should be as simple as just a...
That should be as simple as disabling the DHCP server on your TP-Link device. From what I remember from TP-Link devices, that shouldn't be too hard to accomplish.
Any changes to MSS using the mangle rule won't affect ICMP messages as they rarely grow to a size where they are dropped because they are too big. That makes it more likely that the cause of the packet drop is something else. I have a RB2011UiAS-2HnD hooked up to an ADSL2+ link via a Draytek Vigor 13...
You can use a firewall-mangle rule to change the MSS but since MSS is specific to the TCP protocol and you are experiencing issues with packet loss when using ICMP, I'm doubtful that this will solve your problem. Could you provide more insight into your setup? What type of access are you using (ADSL...
The guides are right that masquerading is the easiest solution. I don't see however how src-nat adds any security if you set it up on an IP level as masquerading and src-nat work in similar ways (there are some subtle differences but none that I would consider as added security). Setting up src-nat ...
First off, you will need to connect your Mikrotik directly to the rj45 fiber jack for everything to work. You can't test the Mikrotik configuration by connecting it to the Cisco router. Secondly, let's examine the Cisco config and try to understand what they've done: interface FastEthernet0/1 descri...
I'm pretty sure that people who are interested in an implementation of RFC 4638 are fully aware that you can set the MTU to 1500 but honestly, that is not what we are asking for. RFC 4638 requires an additional attribute in two packets (the PADI and PADR) sent by the client to enable both sides to s...
Any news on support for RFC 4638 in the PPPoE client? I realize that it's an informal standard but it's finding significant adoption with broadband providers. I would be very happy to see this feature included in RouterOS.
Did you manage to solve this issue? I've had the same experience. I've been tinkering with this problem for a while now and I've found a solution that works in my particular case. I've put the responsibility of the creation of the tunnel on the Fritzbox by setting the option send-initial-contact=no ...
I have traffic flowing over my tunnel between a FritzBox 7360 with FritzOS 6.20 and a Mikrotik RB2011UiAS-2HnD with RouterOS 6.27. I am however having connection issues. Sometimes I can't connect to any host behind the FritzBox from the Mikrotik side. I am still trying to figure out what is going on...
Hi all, I'm having a strange issue with my RB 2011UiAS 2HnD on RouterOS 6.27. I've set up a DHCP server using the wizard. This has resulted in the following settings: [attachments: DHCP Server Settings.PNG, DHCP Network Settings.PNG, IP Pool Settings.PNG] Yet I can't get most of my devices to accept DHCP offers from m...