MikroTik

manojlovicl

Hi!

Something changed from beta firmware(s) (at least 7.11beta2) to RC in relation to OpenVPN - RC version has problems with more than 170 OVPN connections ...
I reverted to 7.11beta2 and everything works great.

Luka

manojlovicl

add action=dst-nat chain=dstnat dst-address=PUBLICIPOVERVPN dst-port=443 \
protocol=udp to-addresses=PRIVATEIPININTERNALNETWORK

manojlovicl

Hi!

It is a simple DST-NAT where DST address is my public IP that I am receiving over VPN (udp on port 443) that is DST NATed to IP I am receinving in "hosting network".

Luka

manojlovicl

OVPN works much better!!

I can confirm it too... Waiting so long for this fix! Thank you MikroTik!

Luka

manojlovicl

I have CHR with 10 CPU cores and 4GB memory on Hyper-V and 190 OVPN connections and 190 EoIP tunnels with 10 Bridges - the OVPN is really unstable - sessions get duplicated and in couple of hours router is stuck (unresponsive - in console there was an message about bug, cpu... (I was unable to creat...

manojlovicl

I would like to thank Anav who helped me solving it out. Long story short - Wireguard (service) that runs on MikroTik prefer main routing table and binds to IP address that is in the same subnet as gateway in main routing table, even if you try to use mangle rule to make it go via other routing tabl...

manojlovicl

Old school tools still can do wonders.

Pen and paper.
Make a drawing.

manojlovicl

A diagram would have made this much clearer. :-( For example, is the SSTP VPN a connection to the MT device/router? or to the Router in front of the MT and then the VPN connection is fed to the MT as a WAN port with an IP address and gateway?? This router is a standalone router connected with 1 cab...

manojlovicl

I will provide one last opportunity. Diagram and more importantly FULL CONFIG. Including firewall rules!! etc.... /export file=anynameyouwish (minus router serial number and any public WANIP information, keys etc.) THIS DOES NOT MEAN cover up every private IP, just the info the ISP provides that is...

manojlovicl

Since you have multiple wan, mangle might be needed. Read this thread from anav. Section 9 B https://forum.mikrotik.com/viewtopic.php?t=182340 Do you think - as there is UDP that I will need a combination of packet mark + routing mark? I already have a "general" output routing mark mangle...

manojlovicl

Wireguard shouldn't need mangle. I also thought it will be simple... But look - this is output filter rule for logging only: output: in:(unknown 0) out:br-lan, connection-state:new proto UDP, 10.x.y.z:443->PUBLICIPOFMYPHONECLIENT:7736, len 120 Instead of private IP there should be public IP as a so...

manojlovicl

Why this ? /ip address add address=10.xxx.xxx.1/24 interface=br-lan network=10.xxx.xxx.0 add address=PUBLICIP interface=sstp-kate-wing network=PUBLICIPNetwork add address=10.xxx.xxx.1/24 interface=br-lan network=10.xxx.xxx.0 add address=10.xxx.xxx.1/24 interface=wireguard1 network=10.xxx.xxx.0 Ever...

manojlovicl

Diagram of network and full config
/export file=anynameyouwish ( minus router serial # and any public WANIP information keys etc. )

With this info should be quick to fix.

manojlovicl

It is a router (A) currently located as guest in a NAT-ed network. It has (private) IP in that network. From here I do a VPN to another router (at our ISP) where I have the option to route public IP to the router (A) - this part works. I can access router (A) via Winbox by using public IP so output ...

manojlovicl

Hi! I have a case, that router routes some traffic over VPN (over which I get public IP address) - I want to use this public IP as Wireguard endpoint. The problem is that clients try to connect to IP (I can see packets) but responses from MT Wireguard service are going back by using default routing ...

manojlovicl

- CHR freezes after 2 hours with 180+ OVPN connections - unresponsive also in console - OVPN connections are duplicating (it happened before but now it happens sooner) - OVPN server and client change cipher from null to aes 128 gcm - it somehow changed the path for my container from disk2 to slot1-p...

manojlovicl

Hi! In this great video (https://www.youtube.com/watch?v=T1Dyg4_caa4), colleague Druvis Timma explains how to configure Let's Encrypt on MikroTik and also touches the problem about renewal and opening of the router's port 80 for Let's Encrypt verification. After following the instructions I found ou...

manojlovicl

No, it is completely fine - I also think that revealing such information could lead to bigger problems. Do not worry, my first thought was that maybe anyone knows if I do not know maybe by going through SNMP with DUDE can give any better results... All good! Thank you! Tutto bene!

Luka

manojlovicl

Well, it can be even more complicated - that you need to help a company where someone left and there is no documentation but yes, I understand what you intended to say. It is quite a basic thing so I think I will be able to resolve most of the things by snmp walk output. Thank you colleagues for you...

manojlovicl

[…] is possible to recover router configuration if you […]you do have SNMP read-only password and router access ? […] If for "and router access" you mean that you can query by SNMP the device, simply, not. So you think that I need to find things out by checking the output of snmp walk and...

manojlovicl

SNMP walk is what I did but I am not completely sure there is everything - I was thinking if there is any other way to somehow use this SNMP read-only community string to get to full config... Thank you for your answer!

manojlovicl

Hi!

I would like to know if anyone can tell me if it is possible to recover router configuration if you do not have (winbox, ssh...) password but you do have SNMP read-only password and router access?

Thank you,
Luka

manojlovicl

I understand that but it would be much nicer to have it "integrated" ...

manojlovicl

I would like to run it on CHR - the space and ram is not a problem there but do you have any idea how to solve this chown issue?

Thank you!
Luka

manojlovicl

*) netwatch - fixed string variable values in script;

Colleagues, can you please implement the option to declare host down only after some failed checks? So can Failed tests be used as trigger for Down? That would be great.

Luka

manojlovicl

Hi! I would like to run UptimeKuma on my MikroTik devices but I have problem as this software has a startup script that wants to change some permissions on app data folder. Is it possible to overcome this problem? https://github.com/louislam/uptime-kuma Problem: https://github.com/louislam/uptime-ku...

manojlovicl

Hi! *) ppp - improved stability when handling large amount of connections simultaneously; I am still having problems with PPP sessions - CCR that is running as PPP Server (OVPN) suddenly starts to duplicate sessions without eliminating old ones ... I found out that also configuration changes that ar...

manojlovicl

Thank you very much for the answer! I am getting some of those tomorow!

Izredno me je razveselilo tole sporočilo!

Za enkrat vse deluje super tako, da gremo dalje, naj živi in se razvija MikroTik!

Pozdrav,
Luka

manojlovicl

Great, thank you for the reply - so you are using USB stick that has metallic enclosure? Like https://www.mimovrste.com/usb-kljuci/ki ... e9g2-32-gb ?

Yes, Nova Gorica!

Luka

manojlovicl

Hi! Thank you for explanation - what a pity - I need Dude to do some local SNMP monitoring that will not grow more than 500K the database ... Well I will go for a USB fit stick. Can you suggest any do you have any experience with USB fit sticks and Mikrotik?

Thank you,
Luka

manojlovicl

Hi! I would like kindly ask you if it possible to run / install and use Dude on standalone hAP ac²? I am getting strange results - I setup a device and parameters but after rebooting the route everything is lost and I need to configure it again - so I am asking - am I doing something wrong by leavin...

manojlovicl

I managed to open DB with DB Browser for SQLLite and I am able to find data but: Does anyone know how to get date/time from sourceIDandTime column? I have value like: 130899289405392 in this column and some value in column value (which is OK). But I would like to know how to "decrypt" sour...

manojlovicl

Hi! I am running DUDE just to make a simple SNMP query to some device by using data source. It works great - I am getting the graph. I would like to ask if it is somehow possible to export the raw data to csv or some other table - for example for some time interval (like between 18:30 and 22:00)? Th...

manojlovicl

I have two routers that are doing BGP (they are made redundant by using VRRP ...) Since update on 6.45.5 IPv6 static routes are simply ignored and after BGP becomes stable (after rebooting that was needed for update) I was forced to change gateway to some dummy IP on all static routes in my routing ...

manojlovicl

Just don't forget you need to use policy routing to properly choose an outgoing route via the corresponding WAN for each of the two server processes (SSTP and HTTPS). /ip route rule is enough, you don't need to fiddle with /IP firewall mangle. What if I have two public IPv4 addresses on same WAN in...

manojlovicl

Hi! I would like kindly ask if anyone knows if it is possible to run SSTP VPN server on Mikrotik if there are multiple WAN IPv4 addresses (let say 2) but on first I would like to have port forwarding to internal HTTPS server on second I would like MikroTik to terminate SSTP VPN connections. Is it po...

manojlovicl

I just recycled the concept that I am using with Powershell scripts - yes as far as I can read in documentation I could user username / password combination as well.

Luka

manojlovicl

Hi! I somehow managed to succeed getting SMS sent from my MikroTik device by using tool fetch. /tool fetch http-method=post mode=https http-header-field=”content-type:application/json,Authorization:Basic key23123832″ http-data=”{ \”from\”:\”MyMonitoring\”, \”to\”:[\”386xxyyyzzz\”], \”text\”:\”HOST x...

manojlovicl

Netwatch is a great feature but sometimes there is a need to wait more than just one lost ping to trigger some action ... I managed to solve it by scripting an "extension" to Netwatch - hope it is useful to someone: https://luka.manojlovic.net/2019/06/01/mikrotik-netwatch-enhanced-updated-...

manojlovicl

http-header-field="Header1: Value1,Authorization: Basic dXNlcjpwYXNz" But for basic authentication you can also use: user=user password=pass Hi! I managed to do it: http-header-field="content-type:application/json,Authorization:Basic SomeString1234" and it works! :) Thank you!

manojlovicl

you can now specify many headers, separated by comma:

http-header-field=h1:fff,h2:yyy

Hi! Does anyone know how you can add a header that has a space inside? For example: http-header-field=Authorization:Basic test123

Thank you!

manojlovicl

Yes, it works like policy based VPN now (even though I am using IKE2). But unfortunately there is no possibility to use ipip or something like that ...

manojlovicl

Hi! I want to use 2 on-prem MikroTik routers to connect to Azure Virtual network - to do so I need to choose route based VPN (attachment multiple-active-tunnels.png). It uses IKE2 which is good and it works with MikroTik - I am also able to configure BGP so I get routes announced from Azure - and I ...

manojlovicl

Oh! I did not do that... I will try again. Thank you, thank you!

manojlovicl

Hi! I would like to know which extensions must a certificate have to work with SSTP VPN. Currently I have created a self-signed cert on Mikrotik and deployed it to my Local Machine certificate store on Windows and it works but I would like to buy a certificate from a trusted public certification aut...

manojlovicl

Hi! For all those who would like to execute massive software update (/system packages update install) and after that massive firmware upgrade (/system routerboard upgrade (and reboot)) on your MikroTiks, now we have a solid solution. I run a network of free public hot-spots in Slovenia called wlan.n...

manojlovicl

Hi!

I was testing netwatch today and I have increased the timeout to 30000 = 30 seconds... But I found out that it only makes a second ping (after first one timeout) after one minute and 30 seconds in stead of 30 seconds only?
Using latest firmware - 6.38.1

Luka

manojlovicl

I would use switch indepedent teaming as MT is not good with LACP/Static teaming. And by the way - you must know that you will not have 2 gigabit per one TCP session. Only multiple sessions will be loadbalanced between cards - by the way I suggest to use load balancing algorithm: dynamic And the sec...

manojlovicl

Hi! Maybe someone Will find this useful: http://luka.manojlovic.net/2016/07/17/mikrotik-netwatch-enhanced/ I have created a script that does some additonal pinging after netwatch UP/DOWN is triggered so you do not change things (change configuration / trigger actions) until you are "sure" ...

manojlovicl

Hi! I try to setup hotspot to be transparent (only use with advertise feature (hotspot user profile / advertise) so it should not popup login page - I want users to be automaticaly authenticated by using MAC address. So on Server profiles / hsprof1 configuration I selected only Login by: MAC and MAC...

manojlovicl

Hi! I have a strange situation - my scenario is like this: CCR1036-12G-4S - Cloud core router 1 (vrrp) CCR1036-12G-4S - Cloud core router 2 (vrrp) connected to: CRS125-24G-1S - Cloud core switch (no vlans - access mode) in which I have connected 3 other routers: 1100AHx2 1100AHx2 1100AH after some t...

manojlovicl

Ok - how can I restrict vlan 1 not to be on all ports - but only on port 24 (untagged + other tagged vlans) and only on port 4 not on other 3 ports?

Did not I do that with VLAN tab - if you check my config?

manojlovicl

Hi! The example is not the same - in this example you have 3 tagged vlans going into - and no default untagged vlan (like in my example - vlan 1). I would like to know how can I be 100% shure that everything is isolated completely - for example I would like to force Access ports to be only for untag...

manojlovicl

Hi! Can someone please help me out with an example of vlan config? I would like to make souch setup: Port 24 - untagged vlan 1 + tagged vlan 10 + tagged vlan 11 + tagged vlan 12 Port 1 - untagged vlan 10 Port 2 - untagged vlan 11 Port 3 - untagged vlan 12 Port 4 - untagged vlan 1 I have configured S...

manojlovicl

Hi!

If we take a look at first example @ http://wiki.mikrotik.com/wiki/Manual:CRS_examples

In my scenario I would like to have also native (untagged) vlan (1) passing through ether2 and going to let say ether5

Is it possible to somehow get it trough?

manojlovicl

Hi! I would like to kindly ask you if it possible to pass native vlan (1) from Trunk port to an Access port on CRS? So if you take a look at example 1: http://wiki.mikrotik.com/wiki/Manual:CRS_examples In my scenario I have untagged (vlan1) that I would like to pass through port Ether2 (that has onl...

Search found 56 matches