Community discussions

Search found 52 matches

by almdandi
Sat Oct 31, 2020 5:45 pm
Forum: General
Topic: Is it DDoS Attack, Or Something Else?
Replies: 3
Views: 442

Re: Is it DDoS Attack, Or Something Else?

Hey

It sounds like a DDoS attack.

You can check with the Profiler tool which processes are loading up your CPU. And you should also capture some packets on your WAN port to identify what kind of DDoS attack it is.
by almdandi
Mon Sep 07, 2020 4:19 pm
Forum: General
Topic: blocking windows update (both ipv4 and ipv6)
Replies: 6
Views: 953

Re: blocking windows update (both ipv4 and ipv6)

If you only need a way to cache Windows updates for an entire network, where you don't have Active Directory or even a Windows server, you can try lancache. Check out the FAQ page.
by almdandi
Fri Sep 04, 2020 2:53 pm
Forum: General
Topic: Dot1X
Replies: 12
Views: 2037

Re: Dot1X

Is it shipped with routeros
No, RouterOS does not include the CA bundle. Maybe you need to supply all certificates in the trust chain (root CA, intermediate CA, server cert), not only the server cert.
by almdandi
Fri Sep 04, 2020 11:24 am
Forum: General
Topic: WOL over VPN
Replies: 5
Views: 598

Re: WOL over VPN

I think both ends need to support BCP to bridge L2 over a PPP link. Take a look at the wiki page. One option would be to use the WoL tool from RouterOS itself. A second option would be to set up an ARP entry with the MAC address set to FF:FF:FF:FF:FF:FF on the VLAN interface. Set the IP address to ...
by almdandi
Sun Aug 30, 2020 12:54 pm
Forum: General
Topic: mDNS and WoL across VLANs
Replies: 3
Views: 825

Re: mDNS and WoL across VLANs

For multicast reflection you can use a Pi with some piece of software. To use WoL across Layer 3 you can add a static ARP entry on the home automation VLAN interface on the router. You use a free IP address from the subnet and set the MAC address to FF:FF:FF:FF:FF:FF. Now if you send a packet to thi...
by almdandi
Tue Aug 25, 2020 6:28 pm
Forum: General
Topic: split tunnel in vpn remote access
Replies: 4
Views: 2888

Re: split tunnel in vpn remote access

Or just
Set-VpnConnection -ConnectionName "MyFluffyBunny" -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName "MyFluffyBunny" -DestinationPrefix "193.110.29.0/27"
by almdandi
Tue Jun 30, 2020 12:56 am
Forum: General
Topic: Dual stack PPPoE (IPV6) not routing
Replies: 11
Views: 2436

Re: Dual stack PPPoE (IPV6) not routing

Did you ever try a traceroute from the Windows PC to some host on the internet? And can you post the routing tables of all your devices? I think that would help to trace the problem.
by almdandi
Sun Jun 14, 2020 11:14 pm
Forum: General
Topic: Block ICMP tunnel - best practice
Replies: 5
Views: 1056

Re: Block ICMP tunnel - best practice

You could try something like that. This will drop ICMP ping request packets where the IP packet is bigger than 92 bytes and sets a rate limit of 3 packets per second with a 10 packet burst.
/ip firewall filter add action=drop chain=forward icmp-options=8:0 limit=3,10:packet packet-size=93-65535 pro...
by almdandi
Thu Jun 11, 2020 2:44 am
Forum: General
Topic: Forum giving ERROR 500 [SOLVED]
Replies: 17
Views: 2599

Re: Forum giving ERROR 500 [SOLVED]

I also sometimes have an odd error when I open the forum. Reopening the forum solves the problem.
by almdandi
Mon Jun 08, 2020 1:21 pm
Forum: General
Topic: Request: PUBG Address List
Replies: 2
Views: 2324

Re: Request: PUBG Address List

Hello, blocking only PUBG Mobile is difficult. You will probably block other games too, no matter whether you block IP addresses or domains. You should make a packet capture while playing and build up your rules on that. If you want to block Steam completely, there is a support page, which ports an...
by almdandi
Thu Jun 04, 2020 1:47 am
Forum: General
Topic: How to block AnyDesk (TeamViewer analog)?
Replies: 3
Views: 1628

Re: How to block AnyDesk (TeamViewer analog)?

Do the following.
  • Block Port 6568 tcp and udp
  • Block *.net.anydesk.com domains
  • Block other DNS servers
  • Block hardcoded IPs
In my test the static IPs were 5.9.51.75 and 37.61.223.15. But this may change.

viewtopic.php?t=152973
by almdandi
Wed Apr 01, 2020 2:11 am
Forum: General
Topic: IPv6 offload needed
Replies: 4
Views: 1860

Re: IPv6 offload needed

I think the problem here is the missing fasttrack support for IPv6. So either you buy a stronger router or switch to a router vendor with IPv6 offload support. Take a look here: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack EDIT: Btw, no MikroTik router has offloading support for routing ipv4 nor ipv...
by almdandi
Tue Nov 05, 2019 11:05 pm
Forum: General
Topic: Not full gigabit speed
Replies: 3
Views: 943

Re: Not full gigabit speed

Hey,

You can also take a look at the Profiler tool to maybe find a performance bottleneck.

https://wiki.mikrotik.com/wiki/Manual:Tools/Profiler
by almdandi
Sun Oct 27, 2019 2:32 pm
Forum: General
Topic: Block Anydesk
Replies: 11
Views: 17404

Re: Block Anydesk

Also you need to block DNS requests to other DNS servers. In my tests AnyDesk used 1.1.1.1, 8.8.8.8 and 9.9.9.9 beside my local DNS server. I had to block two IP addresses, 5.9.51.75 and 37.61.223.15. But I'm not sure if they are hardcoded or just cached.
by almdandi
Mon Jun 24, 2019 10:40 pm
Forum: Beginner Basics
Topic: CGNAT with VLAN!!
Replies: 1
Views: 656

Re: CGNAT with VLAN!!

Hey, without a configuration export it is difficult to say what the problem is. An "export hide-sensitive" would be nice. A good idea to start with would be to run a traceroute from the client to the main router or an IP address on the internet. Or even try to ping the main router. And for testi...
by almdandi
Wed Oct 24, 2018 7:08 pm
Forum: RouterBOARD hardware
Topic: Wish: 60GHz Pro Model
Replies: 12
Views: 2998

Re: Wish: 60GHz Pro Model

+1

I don't care about a 1G or a 10G port if the wireless link is "only" 1G, but yes, an integrated SXTsq 5 ac would be nice.
by almdandi
Wed Jul 25, 2018 7:40 pm
Forum: Wireless Networking
Topic: "banned" - what does it mean?
Replies: 3
Views: 1490

Re: "banned" - what does it mean?

Looks like your mac access is not listed in the wlan acl

https://wiki.mikrotik.com/wiki/Manual:I ... ccess_List
by almdandi
Fri Jun 22, 2018 12:21 pm
Forum: General
Topic: hAP-AC2 6.42.4 - HWOffload [solved]
Replies: 13
Views: 4454

Re: hAP-AC2 6.42.4 - HWOffload

The hAP ac² does have a switch chip (Atheros 8327) with VLAN switching support and it is supported in RouterOS. The RB750Gr3 also has a switch chip (MT7621) with VLAN switching support but it is not yet implemented in RouterOS. So on the RB750Gr3 you can only use software switching if you need VLANs. See the...
by almdandi
Sat Jun 16, 2018 5:00 pm
Forum: General
Topic: Passing public IPs to some PPPoE Users
Replies: 4
Views: 1275

Re: Passing public IPs to some PPPoE Users

Hello, I think, as victorsoares said, assign one of the /27 IPs to your customer, exclude the /27 from your NAT rule to the internet and check your firewall rules, so they allow the traffic. Maybe it's a problem that the local end of the PPPoE tunnel uses a private address for further routing, but I ...
by almdandi
Fri May 25, 2018 1:20 am
Forum: Wireless Networking
Topic: wAP 60G experience
Replies: 304
Views: 62046

Re: wAP 60G experience

@MonkeyDan
What software are you using for the graph visualization?
by almdandi
Fri May 25, 2018 12:11 am
Forum: Beginner Basics
Topic: The NAT rule for viewing IPTV from a provider's UDP-to-HTTP server from outside the provider's network.
Replies: 6
Views: 2579

Re: The NAT rule for viewing IPTV from a provider's UDP-to-HTTP server from outside the provider's network.

The client sends its HTTP request to your router, with the wrong host header. The router forwards the request to the HTTP reverse proxy. The proxy rewrites the host header and sends a request to the IPTV provider. I used nginx a couple of times as a reverse proxy. Just google "nginx reverse prox...
by almdandi
Wed May 23, 2018 9:00 pm
Forum: Beginner Basics
Topic: The NAT rule for viewing IPTV from a provider's UDP-to-HTTP server from outside the provider's network.
Replies: 6
Views: 2579

Re: The NAT rule for viewing IPTV from a provider's UDP-to-HTTP server from outside the provider's network.

You can try it with an HTTP reverse proxy that rewrites the host header to the correct one (unitv.xxxxxx.net).
by almdandi
Tue May 22, 2018 1:24 pm
Forum: General
Topic: A router for home - capable of 300Mb/s
Replies: 17
Views: 2570

Re: A router for home - capable of 300Mb/s

The hAP ac^2 and the RB750GR3 have 4 cores, compared to the hAP ac and RB2011 with only 1 core and the RB3011 with 2 cores. So the hAP ac^2 and the RB750GR3 are the most powerful routers before the CCR series. RouterOS provides a tool to analyze the system load, called Profiler. So you can check what's the bot...
by almdandi
Fri May 18, 2018 5:04 pm
Forum: General
Topic: How to configure multiple vlan with hw-offload
Replies: 30
Views: 5496

Re: How to configure multiple vlan with hw-offload

Hello,

I think you need a VLAN interface for each of your VLANs under the bridge, so the CPU can access the traffic and can NAT it. Then assign your IP addresses to the VLAN interfaces.
by almdandi
Sat Apr 14, 2018 12:57 pm
Forum: Beginner Basics
Topic: CCR - Mikrotik Bridge usage with multiple Vlans
Replies: 6
Views: 1770

Re: Mikrotik Bridge usage with multiple Vlans

Here is a presentation from the MUM in Berlin, explaining the new bridge implementation pretty well: https://www.youtube.com/watch?v=ZMMpza-O7_w&
by almdandi
Thu Mar 22, 2018 3:44 pm
Forum: General
Topic: L2TP VPN with Raduis authentication
Replies: 0
Views: 468

L2TP VPN with Raduis authentication

Hello, I am trying to configure the MikroTik router to authenticate L2TP users through an ADS (NPS). I followed this video but it seems like that the router need contraction the NPS (see screenshot). In the Event Log on the server, I also see no authentication attempts. Config: /radius add address=19...
by almdandi
Fri Mar 09, 2018 2:00 pm
Forum: Forwarding Protocols
Topic: IPSEC Symmetric Routing
Replies: 1
Views: 724

Re: IPSEC Symmetric Routing

I'm a little bit confused about what you are trying to achieve and what your setup is. Maybe a config export (export compact hide-sensitive) would be helpful. If I understand you correctly, you want site A (192.168.0.0/24) and site B (10.0.0.0/24) to be able to access each other. For that I would use an IPSec Site 2...
by almdandi
Mon Mar 05, 2018 10:26 pm
Forum: General
Topic: Netflix and Hulu over VPN
Replies: 5
Views: 2637

Re: Netflix and Hulu over VPN

What about the new tls-host matcher? It is possible to use it in the mangle table to set a routing-mark. So maybe, I have not tested it, you mark all packets which hit the mangle rule with the Netflix and Hulu domains and route them through the VPN gateway. Something like this: /ip firewall mangle add a...
by almdandi
Sun Feb 18, 2018 11:24 am
Forum: General
Topic: How to properly setup IPV6 over PPPoE?
Replies: 5
Views: 4441

Re: How to properly setup IPV6 over PPPoE?

Hello

Under IPv6 -> ND you can set the preferred lifetime and the valid lifetime for every prefix or globally. Maybe this will help.
by almdandi
Wed Jan 17, 2018 3:13 am
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 4454

Re: IPv6 router settings

Hello, I also got a static /56 prefix from my ISP last December but I haven't really had time to set it up yet and I am also really new to IPv6. In the IPv4 world you have NAT. It directly protects your internal devices from being accessed from the internet. Even when the device doesn't have a firewall. ...
by almdandi
Tue Oct 31, 2017 9:44 pm
Forum: General
Topic: Ipsec Site to Site, again...
Replies: 14
Views: 2902

Re: Ipsec Site to Site, again...

Oh. I missed the "X". But I had the same problem in the past when fasttrack was introduced. To be able to ping from the router to the other subnet you need to add a static route. Here is an example. dst-address is your remote subnet and gateway is your interface with the local subnet attac...
by almdandi
Tue Oct 31, 2017 12:23 am
Forum: General
Topic: Ipsec Site to Site, again...
Replies: 14
Views: 2902

Re: Ipsec Site to Site, again...

Hello, all wrong. You have fasttrack rules in your filter table. Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, ip traffic-flow (restriction removed in 6.33), IP accounting, IPSec, hotspot universal client, VRF assignment, so it is up to admi...
by almdandi
Sat Oct 14, 2017 12:49 pm
Forum: General
Topic: Mikrotik IPV6 Network, IPV4 ISP
Replies: 4
Views: 1253

Re: Mikrotik IPV6 Network, IPV4 ISP

You can have a dynamic IP and use the he.net tunnelbroker. I use it with one and also in combination with PPPoE.
1. Set up the tunnel. You can copy the configuration for RouterOS from the "Example Configurations" tab.
2. Next I added a PPP profile for my PPPoE connection and I added a scrip...
by almdandi
Tue Oct 10, 2017 3:30 am
Forum: General
Topic: Public & Private IP on PPPOE LAN
Replies: 1
Views: 774

Re: Public & Private IP on PPPOE LAN

Hey.
1.) Set up an IP pool from 192.168.1.1 to 192.168.1.255
2.) Set up a PPP profile for the PPPoE server. Local address should be 20.15.64.81 and remote address should be the IP pool.
3.) With the PPP secrets you can then assign your special customers a public address, otherwise they will get a pri...
by almdandi
Mon Oct 09, 2017 12:26 pm
Forum: General
Topic: L2TP/IPSEC client-to-client [SOLVED]
Replies: 8
Views: 2251

Re: L2TP/IPSEC client-to-client [SOLVED]

Hey, how far did you get with your L2TP setup? Maybe one thing: did you add a route back on each router? Maybe because you want to add more sites, you should consider using a dynamic routing protocol. Try this.
Router 172.16.1.1
/ip route add dst-address=10.0.2.0/24 gateway=172.16.1.2
/ip route add ...
by almdandi
Mon Oct 09, 2017 3:09 am
Forum: General
Topic: L2TP/IPSEC client-to-client [SOLVED]
Replies: 8
Views: 2251

Re: L2TP/IPSEC client-to-client [SOLVED]

Hey, I don't know exactly what you are trying to accomplish but I would recommend a simple IPsec site 2 site tunnel from each site to the others. So all private networks are connected to each other. One important point in such a setup is to have different subnets on each site but as your diagram shows t...
by almdandi
Mon Oct 09, 2017 2:41 am
Forum: Beginner Basics
Topic: PPPOE with a /29 ip range? [SOLVED]
Replies: 4
Views: 1254

Re: PPPOE with a /29 ip range? [SOLVED]

Hey

Try this. Add your x.230.119.41/29 address to your ether2 interface. Then assign your mail server, for example, x.230.119.42/29 and try it again.
The gateway for the mail server should be x.230.119.41.

Greetings
by almdandi
Mon Oct 09, 2017 2:16 am
Forum: Beginner Basics
Topic: Trying to set up VLAN per port with DHCP on hEX 5 port router
Replies: 2
Views: 1020

Re: Trying to set up VLAN per port with DHCP on hEX 5 port router

Hey

The hEX (RB750Gr3) with the MT7621 switch chip doesn't support VLANs in the current RouterOS version. Take a look at this and this.

What you can do is configure one subnet per port to ship around the missing functionality, or use software based VLAN switching.

Greetings
by almdandi
Mon Oct 09, 2017 1:59 am
Forum: General
Topic: IKEv2 client trouble [SOLVED]
Replies: 2
Views: 1208

Re: IKEv2 client trouble [SOLVED]

Hey

Here is a note from the IPSec Wiki. First result from Google.
Note: Currently RouterOS does not support any of the EAP authentication methods
Greetings
by almdandi
Thu Jun 29, 2017 4:07 pm
Forum: General
Topic: Give out Public IPs Using PPPoE Server
Replies: 9
Views: 4212

Re: Give out Public IPs Using PPPoE Server

Maybe a little bit late but I tried it today in GNS3 and it worked. https://i.imgur.com/JT7wpov.png
ISP Router
/ip address add address=1.2.3.1/29 interface=ether2 network=1.2.3.0
PPPoE Server
/interface ethernet set [ find default-name=ether1 ] arp=proxy-arp
/ip pool add name=pool-pppoe ranges=1.2.3....
by almdandi
Sun Jun 25, 2017 3:55 pm
Forum: General
Topic: Give out Public IPs Using PPPoE Server
Replies: 9
Views: 4212

Re: Give out Public IPs Using PPPoE Server

Why is that not possible? I think it is possible. You have 6 usable IP addresses. For example:
1.2.3.0 - Network Address
1.2.3.1 - ISP Gateway
1.2.3.2 - WAN Router
1.2.3.7 - Broadcast Address
So the IPs from 1.2.3.3 to 1.2.3.6 are free. In the PPP profile configuration for the PPPoE server, you set...
by almdandi
Sun Jun 25, 2017 3:17 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 2665

Re: IPSec Site to Site Firewall

I'm a little bit confused about what you want to do. IPSec Site 2 Site, Road Warrior VPN. Those are two different things. Maybe you can give us a look at your IPsec configuration. That would be very helpful. But if I get you correctly from your first post, the traffic from your second site will appear on the WAN i...
by almdandi
Wed May 31, 2017 7:01 pm
Forum: General
Topic: Transparent Bridge - PPPoE
Replies: 7
Views: 4908

Re: Transparent Bridge - PPPoE

I think he means this post: viewtopic.php?t=96047
by almdandi
Sat May 27, 2017 8:13 pm
Forum: General
Topic: Transparent Bridge - PPPoE
Replies: 7
Views: 4908

Re: Transparent Bridge - PPPoE

I do not understand at all what you want and what you already tried, because bridging all ports together in a PPPoE setup and a NAT passthrough rule makes no sense to me. Can you please explain your problem again and what you want? And more information on your setup would also be great (interface/ i...
by almdandi
Sat May 27, 2017 12:02 pm
Forum: General
Topic: NAT with Multi-Gateway problems
Replies: 4
Views: 1246

Re: NAT with Multi-Gateway problems

I tested it with the following and it worked. And you will run into a private address leak because you only NAT IP addresses up to 20. To avoid this, you could, for example, add a rule in your forwarding chain that allows only traffic from your 40 addresses. /interface ethernet set [ find default-name=...
by almdandi
Mon May 22, 2017 5:22 pm
Forum: General
Topic: NAT with Multi-Gateway problems
Replies: 4
Views: 1246

Re: NAT with Multi-Gateway problems

Your second default route (2.2.2.254) is not active because you already have a default route in your main routing table (1.1.1.254). The key word is Policy Based Routing. Just google it. In short. You create 2 extra routing tables. One with the default gateway points to 1.1.1.254 and one with the de...
by almdandi
Sat May 13, 2017 1:53 pm
Forum: RouterBOARD hardware
Topic: LHG 60G
Replies: 63
Views: 17236

Re: LHG 60G

Yeah, more information about the upcoming 60 GHz products would be great.
by almdandi
Sun May 07, 2017 2:57 pm
Forum: General
Topic: Port Forwarding from Certain IP's only
Replies: 4
Views: 5329

Re: Port Forwarding from Certain IP's only

Hello mi0tx, try this. The first rule will allow all connections on your WAN port for which you have a dst-nat rule defined. This way of filtering your port forwardings is much more scalable because you need only one rule for all your port forwardings. The second rule is the destination NAT rule. Your mi...
by almdandi
Tue Jul 26, 2016 7:13 pm
Forum: General
Topic: Set packets marks
Replies: 3
Views: 3674

Re: Set packets marks

Okay, nice. So something like this should work right? /ip firewall mangle chain=forward action=mark-connection new-connection-mark=mitarbeiter-con passthrough=yes in-interface=br-mitarbeiter out-interface-list=gates log=no log-prefix=""  chain=forward action=mark-packet new-packet-mark=mit...
by almdandi
Mon Jul 25, 2016 9:31 pm
Forum: General
Topic: Set packets marks
Replies: 3
Views: 3674

Set packets marks

Hello,

Can somebody explain to me the difference between setting the mark in the prerouting, postrouting or in the forward chain? Or is it better to first set a connection mark? I need these marks for my queue setup.
by almdandi
Thu May 14, 2015 11:59 pm
Forum: General
Topic: IPSec: Tunnel established but no connection
Replies: 2
Views: 1263

Re: IPSec: Tunnel established but no connection

Wow. Thanks a lot. That was the issue.
I misunderstood the packet flow but when you take a closer look at the IPsec encryption and decryption diagram you see exactly how the packet flows.
by almdandi
Sun May 03, 2015 7:19 pm
Forum: General
Topic: IPSec: Tunnel established but no connection
Replies: 2
Views: 1263

IPSec: Tunnel established but no connection

Hello everyone, I'm trying to set up an IPSec VPN with a friend. Both are MikroTik routers with the current RouterOS version. Setting up the policies, the peer, the proposal and the src-nat exclusion, no problem, the tunnel gets established. But when I try to ping an IP in his network I get a timeout ...