Search found 64 matches

by almdandi
Sun Oct 22, 2023 4:19 pm
Forum: General
Topic: DNS via IKEv2 on iOS
Replies: 2
Views: 800

Re: DNS via IKEv2 on iOS

Hey,

Here is a quote from the IPsec Wiki:
"Both Apple macOS and iOS will use the DNS servers from system-dns and static-dns parameters only when 0.0.0.0/0 split-include is used."
by almdandi
Tue Sep 26, 2023 4:17 pm
Forum: General
Topic: Routing to another side of IPSec Tunnel
Replies: 4
Views: 1068

Re: Routing to another side of IPSec Tunnel

There is no need for l2tp. Technically speaking, there is even no need for the 192.168.4.254 router, if your switches are vlan capable. To get the ipsec tunnel to work for the 192.168.4.0/24 subnet, you just need to add policies on both ends of the tunnel. A little catch. If you try to ping for example fr...
by almdandi
Fri Apr 08, 2022 8:10 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 148
Views: 44619

Re: Feature Request: IPSEC Improvements

+1 for VTI Support
by almdandi
Mon Mar 21, 2022 12:16 am
Forum: General
Topic: Feature requests
Replies: 1739
Views: 624676

Re: Feature requests

Would it be possible to have a flag to display firewall filter comments in winbox not as a new line before the filter rule, but as a column ? It would greatly improve the readability of the UI IMHO. Thank you.
In Winbox -> Settings -> "Inline Comments"
by almdandi
Wed Feb 16, 2022 2:15 pm
Forum: General
Topic: how does L3HW actually works?
Replies: 128
Views: 32043

Re: how does L3HW actually works?

So I also understood the limitation table wrong. For example the CRS317 can hold up to 240k routes and can route packets in hardware for all routes that are stored in the routing table of the switch chip. There is no connection limit because there is no connection tracking? The limitation for fastrack...
by almdandi
Sat Nov 06, 2021 1:19 am
Forum: General
Topic: Does Mikrotik IPSec implementation sucks or am I missing something?
Replies: 4
Views: 1097

Re: Does Mikrotik IPSec implementation sucks or am I missing something?

The problem is: if you send a packet from 10.20.30.x to the router 10.20.30.1, the packet will match the ipsec policy and is sent out the ipsec tunnel. You need an ipsec policy with action none for the local traffic because your remote subnet overlaps with the local one /ip ipsec policy add dst-addres...
by almdandi
Wed Aug 11, 2021 5:05 pm
Forum: General
Topic: Modem/Router behind the MikroTik
Replies: 26
Views: 2717

Re: Modem/Router behind the MikroTik

@rextended In the case of our customer. The fritzbox routes the traffic normally between the public subnet (port 4) and the 3 lan ports (192.168.178.0/24). As sindy said, a packet capture on the wan port would be a good idea with the sniffer tool. I think I forgot to mention. The ISP support said...
by almdandi
Wed Aug 11, 2021 2:37 am
Forum: General
Topic: Modem/Router behind the MikroTik
Replies: 26
Views: 2717

Re: Modem/Router behind the MikroTik

Hello, we have a customer that has a similar setup. The ISP put a Fritzbox after the ONT, to provide VoIP Service to one VoIP phone in the 192.168.178.0/24 subnet. To use your own firewall the ISP configured an exposed host and a second /30 subnet on port 4 or port 1, I can't remember. The firewall ...
by almdandi
Wed Jul 07, 2021 7:24 pm
Forum: General
Topic: Public IP Block over SSTP
Replies: 7
Views: 1110

Re: Public IP Block over SSTP

Yeah, such a prerouting rule will do the trick. I don't know your full setup but in my opinion the two output rules are useless. For incoming packets you can route everything with the main routing table because 1x.168.109.28/30 is locally connected. No need for a mangle rule. But for packets heading out...
by almdandi
Wed Jul 07, 2021 4:26 pm
Forum: General
Topic: Public IP Block over SSTP
Replies: 7
Views: 1110

Re: Public IP Block over SSTP

Hi, I think the static arp entry with the published checkbox checked should be enough. No need for an arp proxy. From the arp wiki page: "Static proxy-arp entry for individual IP address. When an ARP query is received for the specific IP address, the device will respond with its own MAC address." No nee...
by almdandi
Thu Jun 10, 2021 9:06 pm
Forum: General
Topic: Multiple RADIUS servers
Replies: 8
Views: 3621

Re: Multiple RADIUS servers

The realm field adds an attribute (MT-Realm). I'm not 100% sure if the domain field adds a radius attribute. RouterOS automatically adds a "MS-CHAP-Domain" attribute if it discovers a domain in the username. For ppp connections both styles domain/username and username@domain work. For IKE...
by almdandi
Thu Jun 10, 2021 12:43 am
Forum: General
Topic: Multiple RADIUS servers
Replies: 8
Views: 3621

Re: Multiple RADIUS servers

I think you can use the "domain" property on the radius client for that. Create one radius client for each domain you have.
by almdandi
Sat Oct 31, 2020 5:45 pm
Forum: General
Topic: Is it DDoS Attack, Or Something Else?
Replies: 3
Views: 844

Re: Is it DDoS Attack, Or Something Else?

Hey

It sounds like a DDoS attack.

You can check with the Profiler Tool which processes are loading up your CPU. And you should also capture some packets on your WAN port to identify what kind of DDoS attack it is.
by almdandi
Mon Sep 07, 2020 4:19 pm
Forum: General
Topic: blocking windows update (both ipv4 and ipv6)
Replies: 6
Views: 3524

Re: blocking windows update (both ipv4 and ipv6)

If you only need a way to cache windows updates for an entire network, where you don't have active directory or even a windows server, you can try lancache. Check out the FAQ page.
by almdandi
Fri Sep 04, 2020 2:53 pm
Forum: General
Topic: Dot1X
Replies: 12
Views: 2836

Re: Dot1X

Is it shipped with routeros
No, RouterOS does not include the CA bundle. Maybe you need to supply all certificates in the trust chain (root ca, intermediate ca, server cert), not only the server cert.
by almdandi
Fri Sep 04, 2020 11:24 am
Forum: General
Topic: WOL over VPN
Replies: 5
Views: 3020

Re: WOL over VPN

I think both ends need to support BCP to bridge L2 over a PPP link. Take a look at the wiki page. One option would be to use the WoL tool from RouterOS itself. A second option would be to set up an ARP entry with the MAC address set to FF:FF:FF:FF:FF:FF on the vlan interface. Set the IP address to ...
by almdandi
Sun Aug 30, 2020 12:54 pm
Forum: General
Topic: mDNS and WoL across VLANs
Replies: 3
Views: 2822

Re: mDNS and WoL across VLANs

For multicast reflection you can use a Pi with some piece of software. To use WoL across Layer 3 you can add a static arp entry on the home automation vlan interface on the router. You use a free ip address from the subnet and set the mac address to FF:FF:FF:FF:FF:FF. Now if you send a packet to thi...
by almdandi
Tue Aug 25, 2020 6:28 pm
Forum: General
Topic: split tunnel in vpn remote access
Replies: 5
Views: 4165

Re: split tunnel in vpn remote access

Or just
Set-VpnConnection -ConnectionName "MyFluffyBunny" -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName "MyFluffyBunny" -DestinationPrefix "193.110.29.0/27"
by almdandi
Tue Jun 30, 2020 12:56 am
Forum: General
Topic: Dual stack PPPoE (IPV6) not routing
Replies: 11
Views: 4283

Re: Dual stack PPPoE (IPV6) not routing

Did you ever try a traceroute from the Windows PC to some host on the internet? And can you post the routing tables of all your devices? I think that would help to trace the problem.
by almdandi
Sun Jun 14, 2020 11:14 pm
Forum: General
Topic: Block ICMP tunnel - best practice
Replies: 5
Views: 2128

Re: Block ICMP tunnel - best practice

You could try something like that. This will drop icmp ping request packets where the ip packet is bigger than 92 bytes and sets a rate limit with 3 packets per second with a 10 packets burst. /ip firewall filter add action=drop chain=forward icmp-options=8:0 limit=3,10:packet packet-size=93-65535 pro...
by almdandi
Thu Jun 11, 2020 2:44 am
Forum: General
Topic: Forum giving ERROR 500 [SOLVED]
Replies: 17
Views: 8464

Re: Forum giving ERROR 500 [SOLVED]

I also sometimes have an odd error when I open the forum. Reopening the forum solves the problem.
by almdandi
Mon Jun 08, 2020 1:21 pm
Forum: General
Topic: Request: PUBG Address List
Replies: 2
Views: 3934

Re: Request: PUBG Address List

Hello, blocking only PUBG Mobile is difficult. You will probably block other games too, no matter whether you block IP addresses or domains. You should make a packet capture while playing and build up your rules on that. If you want to block steam completely, there is a support page, which ports an...
by almdandi
Thu Jun 04, 2020 1:47 am
Forum: General
Topic: How to block AnyDesk (TeamViewer analog)?
Replies: 3
Views: 5876

Re: How to block AnyDesk (TeamViewer analog)?

Do the following.
  • Block Port 6568 tcp and udp
  • Block *.net.anydesk.com domains
  • Block other DNS Servers
  • Block hardcoded IPs
In my test the static IPs were 5.9.51.75 and 37.61.223.15. But this may change.

viewtopic.php?t=152973
by almdandi
Wed Apr 01, 2020 2:11 am
Forum: General
Topic: IPv6 offload needed
Replies: 4
Views: 3219

Re: IPv6 offload needed

I think the problem here is the missing fasttrack support for IPv6. So either you buy a stronger router or switch router vendor with ipv6 offload support. Take a look here: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack EDIT: Btw, no mikrotik router has offloading support for routing ipv4 nor ipv...
by almdandi
Tue Nov 05, 2019 11:05 pm
Forum: General
Topic: Not full gigabit speed
Replies: 3
Views: 1379

Re: Not full gigabit speed

Hey,

also you can take a look at the Profiler tool to find maybe a performance bottleneck.

https://wiki.mikrotik.com/wiki/Manual:Tools/Profiler
by almdandi
Sun Oct 27, 2019 2:32 pm
Forum: General
Topic: Block Anydesk
Replies: 17
Views: 44335

Re: Block Anydesk

Also you need to block dns requests to other dns servers. In my tests anydesk used 1.1.1.1, 8.8.8.8 and 9.9.9.9 besides my local dns server. I had to block two ip addresses, 5.9.51.75 and 37.61.223.15. But I'm not sure if they are hardcoded or just cached.
by almdandi
Mon Jun 24, 2019 10:40 pm
Forum: Beginner Basics
Topic: CGNAT with VLAN!!
Replies: 1
Views: 1101

Re: CGNAT with VLAN!!

Hey, without a configuration export it is difficult to say what the problem is. An "export hide-sensitive" would be nice. A good idea to start with, would be to run a traceroute from the client to the main router or an IP address in the internet. Or even try to ping the main router. And for testi...
by almdandi
Wed Oct 24, 2018 7:08 pm
Forum: RouterBOARD hardware
Topic: Wish: 60GHz Pro Model
Replies: 12
Views: 4305

Re: Wish: 60GHz Pro Model

+1

I don't care about a 1G or a 10G port, if the wireless link is "only" 1G but yes an integrated SXTsq 5 ac would be nice.
by almdandi
Wed Jul 25, 2018 7:40 pm
Forum: Wireless Networking
Topic: "banned" - what does it mean?
Replies: 3
Views: 2440

Re: "banned" - what does it mean?

Looks like your mac access is not listed in the wlan acl

https://wiki.mikrotik.com/wiki/Manual:I ... ccess_List
by almdandi
Fri Jun 22, 2018 12:21 pm
Forum: General
Topic: hAP-AC2 6.42.4 - HWOffload [solved]
Replies: 13
Views: 6347

Re: hAP-AC2 6.42.4 - HWOffload

The hAP ac² does have a switch chip (Atheros 8327) with vlan switching support and is supported in RouterOS. The RB750Gr3 also has a switch chip (MT7621) with vlan switching support but it is not yet implemented in RouterOS. So on the RB750Gr3 you only can use software switch if you need vlans. See the...
by almdandi
Sat Jun 16, 2018 5:00 pm
Forum: General
Topic: Passing public IPs to some PPPoE Users
Replies: 4
Views: 2406

Re: Passing public IPs to some PPPoE Users

Hello, I think, as victorsoares said, assign one of the /27 ips to your customer, exclude the /27 from your nat rule to the internet and check your firewall rules, so they allow the traffic. Maybe it's a problem that the local end of the pppoe tunnel uses a private address, for further routing but i ...
by almdandi
Fri May 25, 2018 1:20 am
Forum: Wireless Networking
Topic: wAP 60G experience
Replies: 313
Views: 92723

Re: wAP 60G experience

@MonkeyDan
What software are you using for the graph visualization?
by almdandi
Fri May 25, 2018 12:11 am
Forum: Beginner Basics
Topic: The NAT rule for viewing IPTV from a provider's UDP-to-HTTP server from outside the provider's network.
Replies: 6
Views: 3795

Re: The NAT rule for viewing IPTV from a provider's UDP-to-HTTP server from outside the provider's network.

The client sends his HTTP request to your router, with the wrong host header. The router forwards the request to the http reverse proxy. The proxy rewrites the host header and sends a request to the iptv provider. I used nginx a couple of times as a reverse proxy. Just google "nginx reverse prox...
by almdandi
Wed May 23, 2018 9:00 pm
Forum: Beginner Basics
Topic: The NAT rule for viewing IPTV from a provider's UDP-to-HTTP server from outside the provider's network.
Replies: 6
Views: 3795

Re: The NAT rule for viewing IPTV from a provider's UDP-to-HTTP server from outside the provider's network.

You can try it with a http reverse proxy that rewrites the host header to the correct one (unitv.xxxxxx.net).
by almdandi
Tue May 22, 2018 1:24 pm
Forum: General
Topic: A router for home - capable of 300Mb/s
Replies: 17
Views: 4205

Re: A router for home - capable of 300Mb/s

The Hap ac^2 and the RB750GR3 have 4 cores, compared to only 1 core in the Hap ac and RB2011 and 2 cores in the RB3011. So the Hap ac^2 and the RB750GR3 are the most powerful routers before the CCR series. RouterOS provides a tool to analyze the system load, called Profiler. So you can check what's the bot...
by almdandi
Fri May 18, 2018 5:04 pm
Forum: General
Topic: How to configure multiple vlan with hw-offload
Replies: 30
Views: 8174

Re: How to configure multiple vlan with hw-offload

Hello,

I think you need a vlan interface for each of your vlans under the bridge, so the cpu can access the traffic and can NAT it. Then assign your ip address to the vlan interfaces.
by almdandi
Sat Apr 14, 2018 12:57 pm
Forum: Beginner Basics
Topic: CCR - Mikrotik Bridge usage with multiple Vlans
Replies: 6
Views: 2858

Re: Mikrotik Bridge usage with multiple Vlans

Here is a presentation from the MUM in Berlin, explaining the new bridge implementation pretty well: https://www.youtube.com/watch?v=ZMMpza-O7_w&
by almdandi
Thu Mar 22, 2018 3:44 pm
Forum: General
Topic: L2TP VPN with Raduis authentication
Replies: 0
Views: 666

L2TP VPN with Raduis authentication

Hello, I am trying to configure the mikrotik router to authenticate L2TP Users through an ADS (NPS). I followed this video but it seems like the router need contraction the NPS (see screenshot). In the Event Log on the Server, I also see no authentication attempts. Config: /radius add address=19...
by almdandi
Fri Mar 09, 2018 2:00 pm
Forum: Forwarding Protocols
Topic: IPSEC Symmetric Routing
Replies: 1
Views: 1060

Re: IPSEC Symmetric Routing

I'm a little bit confused what you are trying to achieve and what your setup is. Maybe a config export (export compact hide-sensitive) would be helpful. If I understand you correctly, you want that site A (192.168.0.0/24) and site B (10.0.0.0/24) can access each other. For that I would use an IPSec Site 2...
by almdandi
Mon Mar 05, 2018 10:26 pm
Forum: General
Topic: Netflix and Hulu over VPN
Replies: 3
Views: 3858

Re: Netflix and Hulu over VPN

What about the new tls-host matcher? It is possible to use it in the mangle table to set a routing-mark. So maybe, I have not tested it, you mark all packets which hit the mangle rule with the netflix and hulu domains and route it through the vpn gateway. Something like this: /ip firewall mangle add a...
by almdandi
Sun Feb 18, 2018 11:24 am
Forum: General
Topic: How to properly setup IPV6 over PPPoE?
Replies: 5
Views: 7231

Re: How to properly setup IPV6 over PPPoE?

Hello

Under IPv6 -> ND you can set the preferred lifetime and the valid lifetime for every prefix or globally. Maybe this will help.
by almdandi
Wed Jan 17, 2018 3:13 am
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 6220

Re: IPv6 router settings

Hello, I also got a static /56 prefix from my ISP last December but I hadn't really time to set it up yet and I am also really new to IPv6. In the IPv4 world you have NAT. It directly protects your internal devices from being accessed from the internet. Even when the device doesn't have a firewall. ...
by almdandi
Tue Oct 31, 2017 9:44 pm
Forum: General
Topic: Ipsec Site to Site, again...
Replies: 14
Views: 4179

Re: Ipsec Site to Site, again...

Oh. I missed the "X". But I had the same problem in the past when fasttrack was introduced. To be able to ping from the router to the other subnet you need to add a static route. Here is an example. dst-address is your remote subnet and gateway is your interface with the local subnet attac...
by almdandi
Tue Oct 31, 2017 12:23 am
Forum: General
Topic: Ipsec Site to Site, again...
Replies: 14
Views: 4179

Re: Ipsec Site to Site, again...

Hello, All wrong. You have a fasttrack rule in your filter table. Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, ip traffic-flow(restriction removed in 6.33), IP accounting, IPSec, hotspot universal client, VRF assignment, so it is up to admi...
by almdandi
Sat Oct 14, 2017 12:49 pm
Forum: General
Topic: Mikrotik IPV6 Network, IPV4 ISP
Replies: 4
Views: 1848

Re: Mikrotik IPV6 Network, IPV4 ISP

You can have a dynamic ip and use the he.net tunnelbroker. I use it with one and also in combination with pppoe. 1. Set up the tunnel. You can copy the configuration for RouterOS from the "Example Configurations" tab. 2. Next I added a ppp profile for my pppoe connection and I added a scrip...
by almdandi
Tue Oct 10, 2017 3:30 am
Forum: General
Topic: Public & Private IP on PPPOE LAN
Replies: 1
Views: 1209

Re: Public & Private IP on PPPOE LAN

Hey. 1.) Set up an ip pool from 192.168.1.1 to 192.168.1.255 2.) Set up a ppp profile for the pppoe server. Local address should be 20.15.64.81 and remote address should be the ip pool. 3.) With the ppp secrets you can then assign your special customers a public address otherwise they will get a pri...
by almdandi
Mon Oct 09, 2017 12:26 pm
Forum: General
Topic: L2TP/IPSEC client-to-client [SOLVED]
Replies: 8
Views: 3814

Re: L2TP/IPSEC client-to-client [SOLVED]

Hey, how far did you get with your l2tp setup? Maybe a thing. Did you add a route back on each router? Maybe because you want to add more sites, you should consider using a dynamic routing protocol. Try this. Router 172.16.1.1 /ip route add dst-address=10.0.2.0/24 gateway=172.16.1.2 /ip route add ...
by almdandi
Mon Oct 09, 2017 3:09 am
Forum: General
Topic: L2TP/IPSEC client-to-client [SOLVED]
Replies: 8
Views: 3814

Re: L2TP/IPSEC client-to-client [SOLVED]

Hey I don't know exactly what you try to accomplish but i would recommend you a simple ipsec site 2 site tunnel from each site to the others. So all private networks are connected to each other. One important point in such a setup is to have different subnets on each site but as your diagram shows t...
by almdandi
Mon Oct 09, 2017 2:41 am
Forum: Beginner Basics
Topic: PPPOE with a /29 ip range? [SOLVED]
Replies: 4
Views: 1992

Re: PPPOE with a /29 ip range? [SOLVED]

Hey

Try this. Add to your ether2 interface your x.230.119.41/29 address. Then assign your mail server for example x.230.119.42/29 and try it again.
The gateway for the mail server should be x.230.119.41.

Greetings
by almdandi
Mon Oct 09, 2017 2:16 am
Forum: Beginner Basics
Topic: Trying to set up VLAN per port with DHCP on hEX 5 port router
Replies: 2
Views: 1484

Re: Trying to set up VLAN per port with DHCP on hEX 5 port router

Hey

The hEX (RB750Gr3) with the MT7621 switch chip doesn't support vlans at the current RouterOS version. Take a look at this and this.

What you can do is configure one subnet per port to ship around the missing functionality or use software based vlan switching.

Greetings
by almdandi
Mon Oct 09, 2017 1:59 am
Forum: General
Topic: IKEv2 client trouble [SOLVED]
Replies: 2
Views: 1917

Re: IKEv2 client trouble [SOLVED]

Hey

Here is a note from the IPSec Wiki. First result from Google.
"Note: Currently RouterOS does not support any of EAP authentication methods"
Greetings
by almdandi
Thu Jun 29, 2017 4:07 pm
Forum: General
Topic: Give out Public IPs Using PPPoE Server
Replies: 9
Views: 7004

Re: Give out Public IPs Using PPPoE Server

Maybe a little bit late but I tried it today in GNS3 and it worked. https://i.imgur.com/JT7wpov.png ISP Router /ip address add address=1.2.3.1/29 interface=ether2 network=1.2.3.0 PPPoE Server /interface ethernet set [ find default-name=ether1 ] arp=proxy-arp /ip pool add name=pool-pppoe ranges=1.2.3....
by almdandi
Sun Jun 25, 2017 3:55 pm
Forum: General
Topic: Give out Public IPs Using PPPoE Server
Replies: 9
Views: 7004

Re: Give out Public IPs Using PPPoE Server

Why is that not possible? I think it is possible. You have 6 usable ip addresses. For example: 1.2.3.0 - Network Address 1.2.3.1 - ISP Gateway 1.2.3.2 - WAN Router 1.2.3.7 - Broadcast Address So the ip's from 1.2.3.3 to 1.2.3.6 are free. In the ppp profile configuration for the pppoe server, you set...
by almdandi
Sun Jun 25, 2017 3:17 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 3745

Re: IPSec Site to Site Firewall

I'm a little bit confused what you want to do. IPSec Site 2 Site, Road Warrior VPN. That's two different things. Maybe you can give us a look at your ipsec configuration. That would be very helpful. But if I get you correct from your first post. The traffic from your second site will appear on the WAN i...
by almdandi
Wed May 31, 2017 7:01 pm
Forum: General
Topic: Transparent Bridge - PPPoE
Replies: 7
Views: 7054

Re: Transparent Bridge - PPPoE

I think he means this post: viewtopic.php?t=96047
by almdandi
Sat May 27, 2017 8:13 pm
Forum: General
Topic: Transparent Bridge - PPPoE
Replies: 7
Views: 7054

Re: Transparent Bridge - PPPoE

I do not understand what you want at all and what you already tried because bridging all ports together in a pppoe setup and a nat passthrough rule makes no sense to me?? Can you please explain your problem again and what you want. And more information on your setup would also be great (interface/ i...
by almdandi
Sat May 27, 2017 12:02 pm
Forum: General
Topic: NAT with Multi-Gateway problems
Replies: 4
Views: 1639

Re: NAT with Multi-Gateway problems

I tested it with the following and it worked. And you will run into a private address leak because you only nat ip address up to 20. To avoid this, you could for example, add a rule in your forwarding chain that allows only traffic from your 40 addresses. /interface ethernet set [ find default-name=...
by almdandi
Mon May 22, 2017 5:22 pm
Forum: General
Topic: NAT with Multi-Gateway problems
Replies: 4
Views: 1639

Re: NAT with Multi-Gateway problems

Your second default route (2.2.2.254) is not active because you already have a default route in your main routing table (1.1.1.254). The key word is Policy Based Routing. Just google it. In short. You create 2 extra routing tables. One with the default gateway points to 1.1.1.254 and one with the de...
by almdandi
Sat May 13, 2017 1:53 pm
Forum: RouterBOARD hardware
Topic: LHG 60G
Replies: 63
Views: 21005

Re: LHG 60G

Yeah, more information about the upcoming 60 GHz products would be great.
by almdandi
Sun May 07, 2017 2:57 pm
Forum: General
Topic: Port Forwarding from Certain IP's only
Replies: 4
Views: 9665

Re: Port Forwarding from Certain IP's only

Hello mi0tx Try this. The first rule will allow all connection on your wan port for which you have a dst-nat rule defined. This way to filter your port forwardings is much more scalable because you need only one rule for all your port forwardings. The second rule is the destination nat rule. Your mi...
by almdandi
Tue Jul 26, 2016 7:13 pm
Forum: General
Topic: Set packets marks
Replies: 3
Views: 4938

Re: Set packets marks

Okay, nice. So something like this should work right? /ip firewall mangle chain=forward action=mark-connection new-connection-mark=mitarbeiter-con passthrough=yes in-interface=br-mitarbeiter out-interface-list=gates log=no log-prefix=""  chain=forward action=mark-packet new-packet-mark=mit...
by almdandi
Mon Jul 25, 2016 9:31 pm
Forum: General
Topic: Set packets marks
Replies: 3
Views: 4938

Set packets marks

Hello,

Can somebody explain to me the difference between setting the mark in the prerouting, postrouting or in the forward chain? Or is it better to set a connection mark first? I need these marks for my queue setup.
by almdandi
Thu May 14, 2015 11:59 pm
Forum: General
Topic: IPSec: Tunnel established but no connection
Replies: 2
Views: 2167

Re: IPSec: Tunnel established but no connection

Wow. Thanks a lot. That was the issue.
I misunderstood the packet flow but when you take a closer look at the IPsec encryption and decryption diagram you see exactly how the packet flows.
by almdandi
Sun May 03, 2015 7:19 pm
Forum: General
Topic: IPSec: Tunnel established but no connection
Replies: 2
Views: 2167

IPSec: Tunnel established but no connection

Hello everyone, I'm trying to set up an IPSec VPN with a friend. Both are Mikrotik routers with the current RouterOS version. Setting up the policies, the peer, the proposal and the src-nat exclusion, no problem, the tunnel gets established. But when I try to ping an ip in his network I get a timeout ...