MikroTik

howdey57

Sorry all. I decided I should try the mangle rule - just in case - and, or course it worked! chain=forward action=change-mss new-mss=1300 passthrough=yes tcp-flags=syn protocol=tcp connection-mark=no-mark out-interface=Wireguard tcp-mss=1301-65535 log=no log-prefix="" Taken from the last s...

howdey57

I think this is going on the wrong direction. The speed is ok. It's the ability to connect to some websites which, to me, indicates DNS. As soon as I turn off the routing rule and the machine uses the local French exit point, the websites are available. Is there anything special I should have in wir...

howdey57

Hi anav, I love a bit of bloatware! Your questions: Firstly which router is server for handshake --- France is behind CGNAT so initiates the connection to the UK Which end needs to access the internet of the other. --- France needs to come out of the UK IP (so it looks like I'm in the UK) Are those ...

howdey57

Thanks for the reply.

I tried that - no change!

howdey57

I have a frustrating situation. I have a working wireguard connection between the UK and France except that when I use Routing to push some clients through the vpn, those clients cannot see particular websites (eg bbc.co.uk, bbc.com). If I don't use Routing, those clients can see sites (eg bbc.com)....

howdey57

I made the nat changes suggested but i still can't ping from router to pihole. I think those changes are for a different purpose from my op. However if i restart the pihole, i CAN ping for about 20 seconds before the ping starts to timeout. I presume that is a firewall rule on the pihole taking effe...

howdey57

First things first.... I need to fix why I can't ping the pihole (192.168.64.10) from the router (192.168.64.1) I followed anav's suggestion and put in the srtnat and dstnat rules in (see below) but still cannot ping from router to pihole ("ping 192.168.64.10" from the router). I get a tim...

howdey57

I was thinking of using a Pihole behind my Mikrotik DNS server? The potential reason for this is to take advantage of the speed of the mikrotik DNS (~6ms) vs Pihole on a small RaspeberryPi (~40ms). The topology would look like this: Client >> MK DNS >> Pihole >> Google (or another DNS) I have tried ...

howdey57

anav I've got it to work. I removed all but one wireguard server and pointed all peers to that. I changed the 10.255.255. addresses to 10.64.0. (just because) I rebooted everything The only thing I can think of is that v7.7 didn't allow traffic between wireguard servers. The configs I ended up with ...

howdey57

Still not working!! Very Strange. Can't get from 192.168.64.15 to 192.168.65.1 Have I got the AllowedIPs correct, especially the 10.2555.255.0/30 - 10.2555.255.1/32 - 10.2555.255.2/32 ones? Thanks Charles London ip/firewall/filter/ export terse /ip firewall filter add action=accept chain=input comme...

howdey57

anav, No Joy!! I still can't get to 192.168.65.1 from 192.168.64.15. I also attach a snip of the traceroute back. Screenshot 2023-02-26 170558.jpg To remind you, the French router is behind another one provided by the ISP. It's not sophisticated and whilst I can port forward, I can't Route. Any othe...

howdey57

anav, I took up your suggestion of redoing my firewall rules - a job I had been meaning to do for a while. I followed your firewall post. However the same issue remains: when connected via Roadwarrior (on 10.200.0.3), I can get to the French router on 192.168.65.1, but when using a laptop on the Lon...

howdey57

Thanks Anav. I have confused us both. I apologise. I checked the Roadwarrior Allowed IPs and realise my diagram was wrong!! I was puzzled by your response because Roadwarrior is the bit that actually works! I've amended the diagram to reflect the config above. The bit that doesn't work is the HTML/w...

howdey57

I have been staring this problem for many days and am stuck and would like some help if possible please. I have a Wireguard VPN connecting successfully between London (RB4011) and France (HAP ^2) both on v7.7.The config hasn't changed since I went to v7.7 I can: Get to a RPi on 192.168.65.5 serving ...

howdey57

rextended. It works for me. Perhaps you might suggest how to selectively disable/enable log rules rather than leaving a slightly passive-aggresive comment.

howdey57

This is a script that fetches a script from a RPi on my home network. I do this so I can use Notepad++ with Mikrotik highlightng to make it easier to get the code correct - scripting is not easy and very fragile in Mikrotik. Also: It uses global variables for my Pi username and password It has a swi...

howdey57

Please can you provide a link to your "no fetch log entry" post.

Thanks

howdey57

Ok. That is what I was trying to achieve, so it's a shame I can't do that. But thanks for your help. I was also trying to figure out how to access array elements, so now I know. The mikrotik site is pretty bad for things like that. Have you thought of doing a Confluence site or wiki to capture all y...

howdey57

Your working example cannot log the variable itself. I've added the variable to the end of your example (I use Scripts to test, not the console). You try it. :local myArray {"Confidence"="100";"mylist"="myblacklist";"mytimeout"="static"} :g...

howdey57

Thanks but my version of it doesn't work. The variable is set but it is not output to the log in the last line. Does it need to be declared before use? :local myArray {"Confidence"="100";"mylist"="myblacklist";"mytimeout"="static"} :global ...

howdey57

I'm tyring to write a script for managing my blacklists. There is one part I am stuck with and would be grateful for some help. The code below does not work and I just cannot find any appropiate examples of how to solve it. I need to know how to create the variable. Notice that I need to create the ...

howdey57

This is my script that I use in both the Up and Down of any Netwatch I have. I hope this is useful to someone. ######################################################################### #A single script to manage Netwatch ######################################################################### /tool...

howdey57

Check the date on the post, are for v6, there is another topic, if you search from @chupaka than explain at the end the v7 version I see this topic https://forum.mikrotik.com/viewtopic.php?p=814682 Is it the one you mean? But it starts in 2020, so spans the v6 to v7 period and is long and inconclus...

howdey57

rextended I'm trying to use your recursive method here but your "B" add creates an invalid entry. I'm using the isp1gateway directly (192.168.1.1 - I'm behind another router) and am using the dynamically created ppp route (a 4g dongle) wiht distance 20. I turn off the dynamically created ...

howdey57

Thank you. That makes sense.

howdey57

Yes, your assumption is wrong. Fasttracked connections don't hit the firewall anymore except for rule 0. If you look at your rule 0 in your firewall in your screenshot above you see 25.5MiB of data. That is the counter rule ("special dummy rule to show fasttrack counters") that shows how ...

howdey57

I wanted winguard on my router so went to v7. Today has knocked my confidence in the upgrade process so I'm going to lag behind from now on.

howdey57

Hiya, I upgraded both my RB4011 and my parents RB3011 last night from 7.2.3 to 7.3 and the dhcp client no longer receives and address from Virgin media. I have eth1 as the upstream internet facing interface with dhcp client on it nothing out of the ordinary. I could see traffic on the external inte...

howdey57

sindy, Thank you! I've removed the NAT and RAW rules. All is connecting ok. Speed is, as ever, subjective but it seems ok now. I will leave it for a couple of days to settle down (ie to see what doesn't work). The only things I can't do yet are: I can't get to the French Router from a Road Warrior -...

howdey57

Getting closer! I now have access but it's slower that expected. I'm wondering whether I disable the NAT and RAW rules that I used for the IPSec tunnel too? Do I actually need those still? And what about the Bridge proxy-arp?

Charles

howdey57

sindy, I'm not sure what this means. Hopefully you do. I think, though, there are other config items apart from the wireguard items that are messing this up. The IPSec config has raw and nat rules. Could they be the problem? Charles London bridge 207.116 144 <- 2C:DB:07:E9:71:DB C4:AD:34:60:79:47 19...

howdey57

sindy, Thanks for the reply. I hope you are well! Could I ask why you used one ip address .3 rather than a range? Is that an important point for me? I have made one change. I think the rest is as you suggest. I took the 192.168.65.0/24 out of IP/Address and put it directly in a Route, pointing it at...

howdey57

Hi all but particularly sindy, I'm changing my VPN from IPSec to WireGuard. I have followed this https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-SitetoSiteWireGuardtunnel. I've got my Road Warrior connections working, but not my site to site connections. I appear to be able to ping fr...

howdey57

Thanks both. Really basic question!! When you talk about "vlan bridge filtering", how do I know I am doing that rather than anything else? I have one bridge and 2 VLANs. When you talk about "vlan bridge filtering", I presume you mean the "VLAN Filtering" on the Bridge m...

howdey57

Anav,

I don't understand your response. Please could you expand?

Charlie

howdey57

I am very much an amateur enthusiast wrt networking. I've used a single subnet for years on my Mikrotik and want to move to using VLANs for Guest (VLAN 66) and IoT (VLAN 68). I want to isolate the VLANs from each other so machines on one cannot see the machines the other VLANs, yet have internet acc...

howdey57

There was mention of v7 having proper date formatting (ie YYYY-MM-DD HH:MM:SS) but I cannot find it in on WinBox, this forum or the documentation. Does anyone know if it has happened?

Charles

howdey57

@jotne That works! How did you know to do that?

howdey57

This does NOT work for me. Has anyone else made this work?

/tool netwatch
:local myStatus  [get [find where host=$host] status]

howdey57

I had tried that but without the "double quotes" and it didn't work. I'll try with them tomorrow.

howdey57

Wisdom of the crowd!!
Thanks

howdey57

So this is what I produced - a single script to manage both Up and Down. I put the name of the machine in the Netwatch comment. If someone knows how to look up the Netwatch entry directly, could they tell me? Charles ######################################################################### # A singl...

howdey57

Just thinking. .. how about
1. Look up the $host IP address on your DHCP leases. Give the lease a name. (I do that)
2. Look up the netwatch using the $host to see the current status and get the comment. (I'm going to try that).
Charles

howdey57

So I now have 2 Scripts (with no permissions required) called NetwatchUp and NetwatchDown which are called by Netwatch. I could have one script if I could get to $status. The scripts are very simple. NetwatchDown is: :log error "Connection lost to $host" /tool e-mail send to="x@y"...

howdey57

@merlinthemagic7

Thanks - where did you discover that? Is there any documentation?

howdey57

Thank you. That works very well.

Once I've done my whole script, l'll share it here.

Charles

howdey57

Has anyone got a ROS script they could share that checks IP addresses against APIv2 on AbuseIPDB? The documentation is here: https://docs.abuseipdb.com/#check-endpoint and I need to write a fetch command to mimic this curl command: curl -G https://api.abuseipdb.com/api/v2/check \ --data-urlencode &q...

howdey57

@Sindy, I notice you have helped others with Strongswan VPNs before. Would you recommend to use that or another variety of VPN client on my Raspberry Pi? Should I wait for ROS7 and use Wireguard?

Charles

howdey57

I only have one router so won't be putting a beta on it.

Is there no other easy-to-set-up raspberry pi VPN client that can connect directly to a mikrotik VPN server?

Charles

howdey57

Thanks for the reply. Have you used Wireguard as a client on a Raspberry Pi wtih the Mikrotik acting as the VPN Server? Or is your experience of Wireguard behind Mikrotiks?

I'm trying to use the Mikrotik as the VPN server.

Charles

howdey57

Please could someone point me at the best VPN client to use on a Raspberry Pi (in a remote location) to create a permanent VPN back to my Mikrotik (where "best" in simplest and most secure to set up). I have an IPSec/L2TP vpn already working between two offices, but want to put a RPi somew...

howdey57

Thanks, that worked. Perhaps I should have thought of that!

howdey57

I'm trying to send myself a notification when the DHCP-client reconnects to my ISP. However that doesn't work because the script runs before the DHCP conversation has finished and therefore the email action fails. I presume a splunk message would also fail. Does anyone have a suggestion about how to...

howdey57

Isn't the other option to get Mikrotik to create another firewall action to run a script?

Charles

howdey57

So for completeness and to help others.... The problem was the ISP Virgin Media in London. After lots of investigation of my network I came to the conclusion it was their cable modem (actually a cable router "Super Hub 4" in modem mode). After the usual long wait time I spoke to a tech who...

howdey57

OK, got that. Option 51 gives IP Address Lease Time: (400209s) 4 days, 15 hours, 10 minutes, 9 seconds The order of the packets is: Log Entry @ Apr/26/2021 06:37:05 -> "dhcp-client on ether1 lost IP address x.x.235.129 - lease stopped locally" From my router: Discover @ Arrival Time: Apr 2...

howdey57

@anav. I didn't try Sindy's advice because it looked like what you would do on the upstream router to me to mimic the behaviour of my ISP. Sindy has posted on the other thread, so I'm heading over there because I assume I am not able to set a static IP address. Thanks for your help everyone. As ever...

howdey57

Oops, sorry. No, not a politician, just an amateur techie! I knew I probably couldn't fix the occasional drop out issue so thought I'd try the fixed IP route. Sorry for any confusion, or rabbit holes.

But help via the other post would be much appreciated!

Charles

howdey57

@mkx I am beginning to suspect that. Virgin Media in the UK don't give out static IP addresses to residential customers. However, my address has not changed in 2 years so thought I could fixed it to that. The real reason I tried to fix it is because of this post: https://forum.mikrotik.com/viewtopic...

howdey57

@loloski - The ping from my router to my internal IP 192.168.x.1 works. The ping to x.x.235.129 also works. Ping to 8.8.8.8 does not work.
@sindy - hi sindy! Good to see you here. Yes, that's what happens. I copy the IP data into static entries and it doesn't work.

Charles

howdey57

I'm trying to set a static IP address on my WAN (ether1). I turn off DHCP Client I add an address x.x.235.129/22 which picks up network x.x.232.0 I add a route to Gateway x.x.232.1 I've made sure my nat is pointing at the correct interface. Then nothing happens. No internet access, no ping or tracer...

howdey57

I'm on a RB4011 on 6.48.2 and get the same problem. DHCP "Lease stopped locally" on my WAN connection through a Virgin Media router in modem mode. Seemingly randomly approx once an hour.

I have put in a new cable so I don't think it is hardware related.

Did you find anything out?

Charles

howdey57

doneware, Did you ever get a response about this? My Up script is but I keep on forgetting to change the target and the email text. :local target 192.168.0.2 :log error "Connection back to $target"; /tool e-mail send to="x@y" subject="Connection back $target" body="...

howdey57

Over the few years I've been using Mikrotik products at home, I have written some scripts and built configs with help from this forum. I would like to share them so that other home users can copy what I have done. Is there a site I can put these things on? Could that be the wiki? Could it be the new...

howdey57

Sindy, Good to see you have replied! I first tried putting that rule in the France router (ie the sub-office), but it killed the VPN so I presumed I put the rule on the wrong end. I then put the rule on the London end (ie main office) but that killed the VPN too As you will see, I only send the rang...

howdey57

Any pointers as to what I can do?

Charles

howdey57

Thanks.

I suspect I asked the wrong question. I had a go at the answer (thinking the L7 Hack would help) but it didn't solve by pages not resolving issue. I have redone the question here. viewtopic.php?f=2&t=164704

howdey57

I thought I had the answer to my VPN issue with my question https://forum.mikrotik.com/viewtopic.php?f=2&t=164604 about the L7 Hack a few days ago, but I was wrong. That deals with when you want to intercept DNS requests. My issue is that, when I connect my IPsec VPN from the remote office and d...

howdey57

DNS does not work well for me over my IPsec VPN between two offices. When I put all traffic through the main office, DNS does not work in the remote office. I read that the L7 Hack, that seems to address this, has been formalised in 6.47beta60 but I cannot find instructions on where that config is o...

howdey57

So, I am connected!! Brilliant!!!! In France and London - I used the fqdn in the Peer address and left the local-address blank - Disabled the scripts that previously update them (or not, in France!!!) In France: - I updated the Policy to use the right Peer I have learned: 1. I now have a back door v...

howdey57

Ah, never heard them called dwarfs before. I did wait overnight, but no change. I then ssh'd into the french router and found the Peer ip for London had not been updated (so I changed it). I also stopped London initiating the link because France is doing that. Now, the "FRANCELondon-Laptop"...

howdey57

If you mean DDNS (not dwarfs ;-) ), quite a while. I checked the DNS using mxtoolbox and it found the same IP address. Also, I have left the RB4011 in for hours and it still doesn't connect. Do you think it could be something about not setting the Policy sa-src-address or the Peer local-address?. I ...

howdey57

No, I checked that for both the UK and France. I look on Winbox quick set and it says the wan address.

howdey57

That's a good thought, but I use the DDNS from my Synology box behind the router so I don't have to change the DDNS name in France if I change the router (ie the dedicated DDNS name would change when I changed the router). This is what I see in the RB4011 lg file 18:34:31 ipsec ike2 starting for: FR...

howdey57

Hopefully all here! Here is the London RB4011 - This is the one that does not connect to France. # may/04/2020 11:54:59 by RouterOS 6.46.6 # software id = YCNI-BQ6N # # model = RB4011iGS+5HacQ2HnD # serial number = /caps-man channel add band=2ghz-g/n control-channel-width=20mhz extension-channel=dis...

howdey57

I haven't tried it yet. I was not sure about Safe Mode. If I make the change in France, I imagine the VPN will go down and (hopefully) reconnects. However, Safe Mode recognises that the connection has been lost and undoes my changes!! Therefore I never know if my change will work. Is that how Safe M...

howdey57

Sindy, you helped me before. You may remember I have the router in France. I think it may be because I am not setting the sa-src-address (via the Peer local address). I think I must have set it up before v6.44. It seems to continue to work on the old pairing (RB951 - France) but not on the new pairi...

howdey57

Thanks for your responses, very helpful. I went back to basics for the new RB4011. I used the default config and then added in the things I need. The CAPSMAN now works. I suspect it was a firewall rule issue. The IPSec VPN doesn't work. I have copied the exact VPN config and I think I've got the Fir...

howdey57

I've just bought an RB4011 to replace my RB951G-2HnD. The RB951G has firewall, CAPSMAN, IPSec VPN etc all working well - I have 2 APs in my house too. I exported the config from the RB951G and carefully duplicated it on the RB4011 through the Winbox terminal bit by bit, getting rid of errors as I we...

howdey57

Sindy, Sorry for the delay in responding. This now works. Thanks for your help and spending so much time on this. You are very generous with your time and knowledge. The things I had to do were: In the UK, put ipsec-policy=in,ipsec in all rules that might stop the French traffic. Stop traffic from t...

howdey57

I did a tracert with the NAT rule turned on. Looks like you are correct: The tracert seems REALLY slow - not just the 51ms below. Tracing route to 8.8.8.8 over a maximum of 30 hops 1 3 ms 1 ms 1 ms 192.168.65.1 2 51 ms 49 ms 56 ms 192.168.64.1 3 * * * Request timed out. 4 * * * Request timed out. 5 ...

howdey57

I added ipsec-policy=in,none to the UK rule. I then enabled the chain=srcnat action=accept src-address=192.168.65.79 rule in France but the laptop still can't get to the internet (via the UK?) Do I need to disable the Raw rules as well? My firewall rules have built up over a number of years and may ...

howdey57

Complicated! I've exported both sides, /ip only. Hopefully that is enough. And hopefully, nothing sensitive! And thanks for your help! Charles France # apr/07/2019 19:36:45 by RouterOS 6.44.2 # software id = 65FW-3KRA # # model = 2011UiAS-2HnD /ip ipsec profile add dh-group=modp4096 enc-algorithm=ae...

howdey57

The suggested NAT Rule seems to kill the connection from the laptop. I do already have exceptions for the existing 64.0 to 65.0 VPN so perhaps that's ok. However that doesn't explain my French external IP address. Any other ideas? DNS perhaps? I added the exception to the fast-track firewall rule - ...

howdey57

Sindy, Sorry, I should have put the print in my response. Here it is: [admin@Red MikroTik] > /ip ipsec installed-sa print Flags: H - hw-aead, A - AH, E - ESP 0 E spi=0x6F3F16 src-address=x.x.x.x:4500 dst-address=192.168.1.38:4500 state=mature auth-algorithm=sha512 enc-algorithm=aes-cbc enc-key-size=...

howdey57

Sindy, Thanks for the prompt reply. There are two pairs. The first has a large number of packets (current-packets=148443) whilst the other has much less (current-packets=796). I know I'm not going through the VPN because bbc.co.uk gets redirected to bbc.com (the BBC only serves .co.uk if you are in ...

howdey57

Sindy, I'm having a go with this. I thought I'd try with just one IP address (192.168.65.79). I have put in the following Policies. The second Policy is the existing VPN. Branch Office /ip ipsec policy add comment="FranceLondon-Laptop " dst-address=0.0.0.0/0 sa-dst-address=\ x.x.x.x sa-src...

howdey57

OK. Tried that and it worked.

Thanks.

howdey57

Is this one for Sindy? I have just swapped the config from a HAP AC2 to a HAP AC. I exported from one and ran the script on the second. On the AC2, I've been using L2TP successfully for a year but am having difficulty getting the AC to work. The thing I've noticed is that the Dynamic Peer, created w...

howdey57

Sindy, I was about to do this but then had a further thought. Is there a way to use address lists to say which specific machines should go via the head office VPN, rather than them all? If that is possible, then all i need to do is add or take off ip addresses from that address list. The use case is...

howdey57

I've just got a new Pixel 3 and am having difficulty keeping a VPN connected to my MK router. The VPN does after about a minute. Very frustrating. I don't have the same problem with a Pixel 2 which has been working will for ages.

Is anyone else having the same problem?

Charles

howdey57

I wanted a way to monitor log files for certain entries. I have created a script based on the various log monitoring scripts I have found. I thought I might share this in case others wanted an alternative. The only challenge is that, due to an issue with how ROS displays time in log files around mid...

howdey57

Chupaka

You are correct about log entries not directly being about functions but the flip side is that you need lots of other functions to be built to manipulate the inconsistent log date formats.

I'll try support@.

Thanks

Charles

howdey57

Thanks. Commas it will be! The date challenge is twofold: 1. Dates in the log file are not consistent. The date is excluded from entries for today and the year is missed out for entries this year. Ideally there would be a switch to set all log date/times to YYYYMMDDHHMMSS format. Machine readable an...

howdey57

Thanks. I'll try those. Are they mentioned in the wiki?

Any thoughts on the dates?

howdey57

I'd like to have a debug function that helped with basic syntax. When writing code I spend most of my time getting the basics in place. I write my logic then comment most of it out then uncomment line by line to make sure each line is working. With ros code, if it doesn't work, you get nothing to sa...

howdey57

Does anyone from MikroTik have anything to say about this? It looks to me like a software error.

Charles

howdey57

Any views on why the log is so weird around midnight?

It looks like the internal date processor doesn't work. Could it be to do with the time zone?

The log file produced at 02:05:00 behaves properly.

Charles

howdey57

Mkx

I've never seen your first point. When you access the log programmatically, the datetimes come in the 3 flavours.

+1 for your second point.

Charles

howdey57

I am trying to track new log entries. I have a script that works except around midnight. Overarching Issue: Ideally log entries would have Date Time written consistently as YYYY-MM-DD HH:M:SS. I cannot understand why it is done in a way that is not machine readable (and in US format too). Is there a...

howdey57

Sindy Thanks for this and sorry for the delay in letting you know how I am getting on. 1. Worked. Thanks. 2. Still plucking up the courage to do this. Just don't want to cut myself off from the remote office. I'll let you know. I'm currently battling with chatty Chinese security cameras that want to...

howdey57

Sindy, and I thought this would be easy!! Thanks for looking. There are two problems: 1. How to ping from one router to another - The ping says "Host Unreachable" and names the WAN address 2. How to default the Sub Office so all internet traffic goes though the main office. The two router ...

howdey57

Newbie Question (perhaps I will always be a newbie with Mikrotik!!). I have two mikrotik routers connected via IPSec. I want to force all traffic from the remote site to go through the VPN and out of the Head Office WAN connection. There are lots of long posts that offer lots of ways, all of which s...

howdey57

Thank you sindy. That worked. I changed the pool to the same subnet and changed the profile to proxy-arp on the bridge only and things seem to work now.

Charles

howdey57

Noobie question: I don't yet have a config problem. I just don't know where to start. I have 2 networks with different subnets joined by a new IPsec VPN. When away from the network, i connect using my laptop using a L2TP VPN. My question is: what do I need to use to be able to get to the "far&q...

howdey57

There is an active discussion https://forum.mikrotik.com/viewtopic.php?f=3&t=104109&e=1 here but no summary list of compatible SFP modules that allow MT kit to connect to ADSL/VDSL. It should be here https://wiki.mikrotik.com/wiki/MikroTik_SFP_module_compatibility_table but has yet to be don...

howdey57

This is a very long thread now. Is there a summary in the Mikrotik documentation that describes the SFP dsl hardware that works with Mikrotik routers (with settings)?

Charles

howdey57

I know. I originally put it as a question that i could find the answer to myself, then thought better of it but couldn't delete it. I then changed it to the anodyne response above!

My bad.

-end-

howdey57

Thanks for the response.

Maybe I have. I will investigate.

howdey57

Hi All, I installed 6.40.3 over the weekend and seem to have a problem. I use passthrough firewall rules to track Bytes used by IP addresses in an Address List. Before the update I was using about 2 GB per day, but since the upgrade that has fallen to approx 10MB. I know I am using more! Has anyone ...

howdey57

pukkita, Thanks for the response. Your guesses were correct. I added the /interface L2TP server binding and the static interface to the Interface List and, after a delay, saw the L2TP connections using those rather than dynamic ones. The only issue is that I need to add a L2TP Server binding and a n...

howdey57

I had success to connect "L2TP/IPSec VPN Remote Worker Access" https://forum.mikrotik.com/viewtopic.php?f=13&t=124618 but had a problem connecting Windows 10 machines through the Virgin Media router so I've put that router in modem mode and put the 2011 as router behind it. I've config...

howdey57

doneware, Brilliant, thanks. Both suggestions worked. Adding dns-server=8.8.8.8 to the /ppp profile meant I could access the internet. So the vpn client doesn't know where to go without the DNS address and changing to local-address=192.168.1.203 meant I could see all local addresses. I presume this ...

howdey57

doneware, Thanks for the suggestion. The rule sounds complicated! I thought that if I changed the vpn-pool to 192.168.1.100-110 then I'd be in the same range as the Virgin router (i put proxy-arp on the bridge). That didn't give me access to the internet but when I put in 192.168.1.1 I get to the 20...

howdey57

Thanks for the responses. I agree with pe1chl. Proxy-Arp is not required if on a different subnet. The Virgin Media Router is set up correctly as connections are being made. One other thing I've noticed is that the Windows machine I connect with does not have a "Gateway" for the VPN connec...

howdey57

I've used this set of instructions https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#L2TP.2FIpSec_setup to create a L2TP/IPSec VPN, I can connect successfully to the VPN and can get to the Webfig of the 2011. The network looks like this. The 2011 is in bridge mode behind a cable router. The cable...

howdey57

Thanks very much troffasky and ZeroByte for the response. #4 sounds complicated, so I will have a think and a try. #5. The NAT rules in my Office 1 Mikrotik are: add chain=srcnat comment="Office 2 to Office 1" dst-address=192.168.0.0/24 out-interface=ether1-gateway src-address=192.168.1.0/...

howdey57

I am having difficulty accessing a RaspberryPi on a remote network. I don't know what I need to do next; is it a route, and address, a mangle?? I have the following network. I have 3 successful things and 2 unsuccessful things and any help to fix these would be gratefully received. Network Diagram v...

howdey57

I am new to the sophisticated world of Mikrotik Routers. Previously, I used a standard Draytek that didn't allow me to do too much. I don't know if I am going to ask this question using the right words, but it would be great if someone could point me in the right direction. I have created an IPSec V...

howdey57

For access to the Router itself from the Internet, I use this firewall rule. For my simple mind, this works because it opens up port 80 on the first thing the internet hits. chain=input action=accept protocol=tcp dst-port=80 log=no log-prefix="" For access to my fileserver from the Interne...

howdey57

After a VERY long time trying to make this work, I have found the solution. In the end, to connect from a Draytek (2830) to a Mikrotik( RB2011) when the Draytek is NATed behind an IP address provided by a 3G mobile operator I had to do the following: 1. On the Draytek, in the IPSec settings, make su...

howdey57

So I managed to figure this out. To access a server within the internal network from outside, you need to set up a NAT rule. To access the router itself from outside, you need to set up a Firewall rule to open up the port you want to use. Perhaps that is obvious to some, but it confused me a lot whe...

howdey57

I have managed to get a request from the Draytek to the Mikrotik by finding the IP address the Draytek is using (by seeing the UDP traffic on Port 500 on the Mikrotik firewall). The problem is that the connection is not made even though I have an identical set up between another Draytek to the Mikro...

howdey57

OK. I found the "Firewall Router" tick box. It was on the "Home AP" Quick set, not the default "WISP AP". As indicated by some posts, I have added a NAT rule on port 443 to get through to my Fileserver and that works whether I have the "Firewall Router" ticked...

howdey57

Will do.

Please could you also point me at the wiki page that describes how to do it.

Thanks

howdey57

Thanks for the response. I don't have that setting on Quick Set. I have a new RB2011 with V6.24.

Where next?

Charles

howdey57

There does not seem to be a definitive method to access Webfig on my RB2011 router from the internet. Is it actually possible? I have tried lots of different ways from many sites but none work (NAT, Firewall etc).

Can someone provide a working example?

Thanks

Charles

howdey57

I am trying to create a VPN from a Draytek router (2830) to a Mikrotik router (RB2011), but cannot . I have previously done this between two Drayteks (one connecting using 3G), so I know it is possible. I also know my VPN settings should work because I have created an identical VPN between another ...

howdey57

Can you tell me how I put in the dynamic address (eg xxx.dyndns.org) into the VPN setup rather than the IP address?

Thanks

Search found 129 matches