MikroTik

Uqbar

Some of the new features from 6.48.x are not yet present in 6.47beta4 (ex. LLDP-MED Voice VLAN) - any idea when those will be available?

This thread is for v7betas, not v6!

Uqbar

There is no such thing as a "default certificate" that will be usable with modern browsers.
You need to provide a certificate or it will be marked as unsafe. Nothing you can do about that.

So rest api are HTTP by default?
I understood from previous posts that is was HTTPS...

Uqbar

You have to provide a certificate, so looks like it won't be default.

Why not using the same for REST-API?
If the customer wants to use her own, then they will install and use it.

Uqbar

Documentation of the REST API https://help.mikrotik.com/docs/display/ROS/REST+API

Will we then have "HTTPS by default" web UI as well?

Uqbar

I have two nRAYG-60ad and have followed the instructions at the site . Did the upgrade but still the two units don't "see each other": the wireless link doesn't come up. If I do a scan from station bridge, I can see the other device's "frequency" (which I setup at 64800 MHz), the...

Uqbar

When connecting to CRS (or any ROS device) after factory reset, device expects management connection through first copper interface (ether1). After initial setup is done, management connection is usually possible on all other interfaces except for ether1. Not sure how this correlates with what you ...

Uqbar

After the last upgrade to v6.47.6 I did a configuration reset from Winbox. Now I am not able to reach the box anymore. An arp scan done with a Linux machine and netdiscover doesn't give me any IP. Winbox can connect with the MAC address found in its discovery, but it get disconnected within a few se...

Uqbar

I still wonder why ed25519 aren't suported yet... even dropbear supports it!

Uqbar

Hi I have the same problem. The problem was that blocking rules in firewall were at the very top. I moved it lower without disabling, and everything started to work :) I think there actually are two different types of problem here. One is user-created, the other one is (could be?) a bug. If the use...

Uqbar

Hi I had the following rule in /ip firewall filter ;;; defconf; drop all not coming from LAN chain=input action=drop in-interface-list=!LAN Where LAN was defined as my LAN addresses. Temporarily disabling this rule fixed it, and allowed me to update. I just enabled it again after. Note that the abo...

Uqbar

I would not advise setting a static address, especially one not tracable to MikroTik.
As I see that advise mainly/only from 1-time posters, let's assume they have bad intentions and ignore them.

I fully agree.
I'd like mikrotik to investigate and fix.

Uqbar

One of the issues is that Mikrotik wrote a lot of their own proprietary kernel modules, they likely aren't compatible with newer kernels. It's a shame as a lot of the included drivers with newer kernels are much higher quality than Mikrotik's implementations (eg the QCA driver supports Wave 2 802.1...

Uqbar

Plenty. Do you have any link, or it is "word of mouth"? ROSv7's main hold up is developing to new kernel. Major kernel's have major changes, especially from what ROS is currently based on to new, the whole networking stack has been re-worked (I believe), so requires a lot of re-developmen...

Uqbar

I see the current ROS is based upon a rather old Linux v3 kernel. More or less the same as Android. I see a number of reasons for keeping an old kernel instead of jumping on a v4 one (v5 is next to be launched), and also a number of reasons for doing an upgrade. For sure it gets more and more diffic...

Uqbar

Sure a SXTsq Lite 5AC can do the job, just reduce the TX power on both sides to have around -50dbm on both sides and you should be able to pass over around 100mbps with those equipments. regards. Would you please elaborate a little bit more on your suggestion? I am not really an expert on WiFi and ...

Uqbar

60ghz (wireless wire) will give plenty of bandwidth, and at 100m shouldnt have any issues with bad weather.

The V-band is not freely available in Italy. Unluckily.

Uqbar

I need no less than 50 Mbps. Stability is better than bandwidth, in my scenario.

Uqbar

Hi all.
I need to implement a 100m PtP link. The two antennas have unimpeded air view.
I think a couple of SXTsq Lite5 should do great.
Is there any experience in similar setups?
Any advice?

Thanks in advance.

Uqbar

Reset means blank, completely blank in my experience.

Uqbar

Maybe I am wrong, but a router that's been reset should simply not be sending anything out. Period. If I enable a "cloud" feature, I can expect some traffic getting out. If I enable NTP, I also expect some traffic getting out. An "empty" router should not be sending any traffic a...

Uqbar

Also, the problem about disabling IP Cloud DDNS sending packets after disabled - it sent "remove my IP from DDNS" packets to IP Cloud servers. Also, if you print in that menu, it could trigger check - if DDNS is disabled check and if disabled - "delete my IP address" packet was ...

Uqbar

UDP#15252 is everything related to cloud - Time-zone detection, time (if not set in SNTP/NTP), DDNS, backup management frames. TCP#15252 is IP Cloud backup Did some magic with PTR It's OK: there's reverse DNS now. That's not really a trick, though: PTR records have been "invented" just fo...

Uqbar

Soon after the upgrade to v6.43.1 I DROP-OUTPUT output: in:(unknown 0) out:ether24, proto UDP, 192.168.255.252:38962-> 159.148.147.201 :15252, len 66 DROP-OUTPUT output: in:(unknown 0) out:ether24, proto UDP, 192.168.255.252:49614-> 159.148.172.251 :15252, len 66 $ host cloud2.mikrotik.com cloud2.m...

Uqbar

Those settings all get actualized ONLY after a reboot. Only after the reboot all that UDP traffic stopped. Which is really weird: a router shouldn't never be rebooted, unless a firmware update has been done or a huge bug is freezing it. I would treat this a bug and file a ticket for it if there was ...

Uqbar

This is happening on v6.43.1 but not in v.6.42.x.
I have disabled both the "Time Zone Autodetect" and all the "IP could" stuff.
I still see those UDP packets trying to go out every two minutes.
I'd say, if that's legitimate, then please document it.

Uqbar

Read here: https://forum.mikrotik.com/viewtopic.php?t=137708 I really don't expect a default "blank" router configuration to enable outbound connections over unknown protocols. So I've also disabled that "Time Zone Autodetect" setting. I still see those outbound UDP:15252 connect...

Uqbar

Hi all. I've setup a new Mikrotik box. My policy is to only allow traffic that's meant to be allowed and dropping anything else. Soon after the upgrade to v6.43.1 I am finding a number of events in the logs like this one: DROP-OUTPUT output: in:(unknown 0) out:ether24, proto UDP, 192.168.255.252:389...

Uqbar

btw Safari still has Gopher support

There's still people using Internet Explorer, Windows and even DOS. And even PDP-11s.

Uqbar

For anyone who stumbles upon this as I do for the third time: it is possible to use WinBox via SSH tunnel. If you use PuTTY, go to Connection, SSH, Tunnels and add a tunnel: Source port: your-local-port (say, 8090) Destination: mikrotik.local:8291 (i.e, 10.0.0.1:8291) Local Auto OpenSSH is more str...

Uqbar

I've found the cause in the wrong DNS settings. Using Google's DNS server solved it for me. Enter the next in your terminal: /ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=2048KiB max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4 Do you think Google DNSes have better answers? I do...

Uqbar

The directions by quicky2g didn't work on v6.42.6. First, the certificate to be used by www-ssl service isn't named "cert_2" but rather "mikrotik_ssl_.crt_0". I presume this is just a copy+paste error. Second, whatever certificate file I select for www-ssl I get this error on Fir...

Uqbar

This is why I aim at identifying the P2P traffic (BitTorrent, DHT-based protocols and the likes). If I succeed I can do something: blocking, limiting ... If I cannot, then I have little to discuss. Again, downloading a torrent file is NOTHING. Have you tried to use a recent BitTorrent client with &...

Uqbar

It seems to me if an ISP offers a customer bandwidth, say 1M up and 10M down for example, then the ISP is obligated to deliver 1M up and 10M down 99% of the time. After all, that's what the customer was sold. If an ISP can't deliver promised bandwidth in aggregate due to oversubscription, overutili...

Uqbar

I am not an ISP. I manage a company network with BYOD policy.

Uqbar

I have 100mbps symmetrical.
One or two clients doing BitTorrent with a few files to be shared are enough to eat 50+% of the available bandwidth.
This is why I mind about p2p!

Uqbar

Hello from the US. Why would you want to block torrents? It is often legitimate traffic. Perhaps torrents are sometimes used to copy copyrighted content without appropriate license, but that is on the person making the illegal copy. The ISP cannot know if a torrent is legal or illegal without confr...

Uqbar

This will only block the download of a torrent file, not the torrent traffic itself. Try to first download the torrent file, then enable the rules and finally ask your torrent client to load the torrent file to start the p2p exchange. You will see the p2p traffic bidirectionally flowing unimpeded! ...

Uqbar

Hi! I followed your tutorial and it's perectly work on my router ! Thank you a lot ! (I work for a small french ISP and we receive letters from Hadopi, so we are searching a solution to limit the illegal download ^^ ) I have a question, maybe it will sounds stupid for you, but this code : /ip firew...

Uqbar

Hello, i have the some problem, i have configured my routerboard from default mode and on my pc i have network access with dhcp, i have updated dns to google default, and i have tried to add a static redirect to mikrotik ip dns but On the routerboard still dont have internet. Can you help? https://...

Uqbar

You would have put all these in the original post and perhaps in the general forum instead of beginner basics. I did put them in the original post. They are mentioned between the words "support" and "keys". I don't need any help any more on this topic, though. Also this is in th...

Uqbar

Not sure your particular target but in general yes, you can use /system ssh xx.xx.xx.xx from Mikrotik router terminal to establish an SSH session to the IP address that the router can reach. My particolar target is ... elliptic curve keys . I already know SSH is working fairly well. I already know ...

Uqbar

I am wondering whether the SSH server bundled with the rest of the RouterOS software is modern enough to support elliptic curve keys.

Any idea?

UPDATE
Neither Ed25519 nor ECDSA are supported. I tried to import both, but failed.
What a pity!

Uqbar

Maybe I am wrong, but this issue is going too far. Adding an entry into the /etc/hosts file to fix a DNS issue sounds like childish to me. I understand this is among the rarest issues with this otherwise marvelous product, but there needs to be a reason and, of course, a solution. Is there any loggi...

Uqbar

The torrent file download is not the torrent traffic. I don't really mind about downloading torrent files: they can be a few megs, even a dozen, and then it's done. Torrent traffic is about large movies (from a few gigas to a hundred), mostly all pirated contents. And you can bring torrent files int...

Uqbar

The Quickset page is meant to be a useful tool, a "first glance" view of the box. As of now it's a real nightmare. Have you ever tried the "design skin" with that page? You will get the details (internet, local network, bridge, system) repeated several times. The page itself is d...

Uqbar

I started by dropping all incoming TCP and UDP traffic (all of it) but those services that go to DMZ. So there's no traffic going to LAN, which means "low ID" in the P2P lingo. Then I started throttling (I'd like to drop, actually) all outgoing traffic from LAN with UDP ports other than 53...

Uqbar

Added static entry in IP/DNS for upgrade.mikrotik.com 52.85.184.245 and now works perfectly. Sometimes things just happen with no explanation :) That indeed works! But I cannot accept that "it just happened"! Something in the resover path was wrong, and was wrong only there. I have 7 of t...

Uqbar

We already have a (powerful) serial console. We already have XModem via console in the "BIOS", even if uploading 16+ MB via 115.2K console takes some time. If that is not possible there could be a way to restart the unit in "single user mode", setup an ethernet port, download an ...

Uqbar

If you are linux savvy, you could do this: http://www.cyberciti.biz/tips/running-x-window-graphical-application-over-ssh-session.html and then run Netinstall in Wine In remote sites, besides all application servers and storage we only have a single tiny Linux machine for support we access with SSH ...

Uqbar

Yes

Just to understand: what'd the XModem upgrade procedure be for?

Uqbar

Xmodem has no relation to my suggestion. I suggested to use Netinstall. You must start the device in Etherboot mode, not in Xmodem mode. Follow instructions here: http://wiki.mikrotik.com/wiki/Manual:Netinstall As I have no IP connection any more to the CCR, I need to use the Xmodem. Isn't it worki...

Uqbar

OK. I'll follow your suggestion and will post the news here. I am going to use XModem as there's no IP connectivity any more. Is the "main package" just enough to bring it back to normal operations (provided that there's no other major reason for failure)? Paldies! Xmodem has no relation ...

Uqbar

Upgrade packages comes in .npk extension. Check this I have got this after the lengthy XModem transfer: press any key to continue... | file transfer ok invalid upgrade file id I was using the file "routeros-tile-6.35.2.bin" I downloaded from Mikrotik website. Now what? If I go here , I re...

Uqbar

I have got this after the lengthy XModem transfer: press any key to continue... | file transfer ok invalid upgrade file id I was using the file "routeros-tile-6.35.2.bin" I downloaded from Mikrotik website. Now what?

Uqbar

OK. I'll follow your suggestion and will post the news here.
I am going to use XModem as there's no IP connectivity any more.
Is the "main package" just enough to bring it back to normal operations (provided that there's no other major reason for failure)?
Paldies!

Uqbar

I didn't do that, as it sounded "scary"

What about the configuration file? Will be it kept?
TIA.

Uqbar

Hi all. My box is a: Board type: CCR1009-8G-1S Firmware version: 3.27 Since a few days I had to put it offline as it was not working anymore. Once I connected the serial console, the boot shown the following messages: RouterBOOT booter 3.27 CCR1009-8G-1S CPU frequency: 1200 MHz Memory size: 1024 MiB...

Uqbar

This is what worked for me:

https://blog.a2o.si/2015/08/11/mikrotik ... ble-https/
...

Which RouterOS version?

Uqbar

From "PC": support@server:/home/support > ping -c 5 upgrade.mikrotik.com PING d355q2xs8kb5oj.cloudfront.net (54.192.131.180) 56(84) bytes of data. 64 bytes from server-54-192-131-180.ams50.r.cloudfront.net (54.192.131.180): icmp_req=1 ttl=53 time=44.1 ms 64 bytes from server-54-192-131-180...

Uqbar

in my case i have identified torrent traffic by discard Do you mean "everything else" (everything but HTTP, HTTPS, SSH, SMTPS, IMAP4S POP3S..) is considered torrent? If so, which protocols are you considering? If not, please elaborate. As I cannot really block P2P in general, I am trying ...

Uqbar

How can I test from within the Mikrotik whether I can resolv upgrade.mikrotik.com?
It's clearly not working!
So the real question is how can I troubleshoot it?
I can resolv from lan, but not from the router itself.

Uqbar

in my case i have identified torrent traffic by discard Do you mean "everything else" (everything but HTTP, HTTPS, SSH, SMTPS, IMAP4S POP3S..) is considered torrent? If so, which protocols are you considering? If not, please elaborate. As I cannot really block P2P in general, I am trying ...

Uqbar

I agree with chechito. The only "small problem"™ is to correctly identifying the torrent traffic.
Blocking the download of the torrent file itself is useless as torrents can be added manually from other sources.
I think that only Deep Packet Inspection can help.
Any ideas?

Uqbar

In your example, if ip firewall address-list is empty, then [/ip firewall address-list find ] will return nothing - "", so conditions for: :if ( [/ip firewall address-list find ] = "") will be TRUE. Maybe I have been unclear. If you read the wiki script I linked, the address lis...

Uqbar

Hi all. I am new to the syntax/semantics of the Mikrotik scripting language. I stumbled upon the Block access to specific websites script in the wiki. I am willing to understand and not to blindly use it and the documentation seems not to be clear to me. Very likely it's my fault. 1. At line no.12 I...

Uqbar

Is there anyone out there that knows anything about this?
The RouterOS HTTPS stuff needs an undate!!!

Uqbar

I made it (almost) working with these two rules in NAT: 0 chain=dstnat action=dst-nat to-addresses=10.74.1.222 to-ports=80 protocol=tcp dst-address-type=local in-interface=ether2-LAN dst-port=80 1 chain=srcnat action=masquerade protocol=tcp src-address=10.74.1.0/24 dst-address=10.74.1.222 out-interf...

Uqbar

I am having the same problem.
I would have expected a dst-nat, not src-nat, though. Something to change my destination public address to my private LAN server address when accessing the LAN server through its public IP!

Uqbar

We are back to the original point.
1. I have a dst-nat rule with a few TCP ports available from internet
2. I have a dst-nat rule with all TCP ports available from LAN

But it doesn't work.

Uqbar

i did not understand well what you said . but you can only forward the ports you need to dmz. like ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443,3128 dst-address=public-ip action=dst-nat to-addresses=local-ip if you want you can define "to-ports=80,443,3128" so that it wil...

Uqbar

That works. But it's interfering with the filtering dst-nat rule that comes before. I have a first dst-nat rule to allow the access from internet to the DMZ server only with a few protocols. While the second one that you suggested (and works) allows all protocols, as it should be. What happens is th...

Uqbar

That's not working yet.
I want to be able to access the local DMZ server by means of its public IP...

Uqbar

I have a server on my LAN that I have exposed in DMZ with a couple of src-nat/dst-nat. Its public IP address is different from the mikrotik WAN IP. I added a NAT rule like this (sorry, I use winbox): Chain: dst-nat Dst-address: DMZ public IP In.Interface: LAN Action: dst-nat to address: LAN private ...

Uqbar

Why else would e.g. all current web browsers still support it?.
Modern browsers still have a field to enter "Gopher proxy" address, but that was not so much popular after 1993

Which browser are you using?

Uqbar

SOCKS5 is too new for MikroTik, look at SOCKS server in RouterOS, still limited to SOCKS4 only. ;) It would be nice to see it upgraded one day too. But that's OT here. The SSH server running into RouterOS v6.32 already supports it. Connect to it with a "dynamic forwarder" (a nickname for ...

Uqbar

You see, I open an SSH connection through which I access the HTTP webfig and ftp.
Are you saying you have already got this working, or you wish to do it?

Yes: my browser and my ftp client support SOCSKv5 proxy.

Uqbar

Yes. Same applies to Dude. To be honest, this is the first time I have heard a similar request. The use of SSH TCP Port forwarding and SOCKSv5 proxy is very popular among system and network administrators, AFAIK. Especially when "standard" SSH implementations are available. It's not a hig...

Uqbar

Winbox uses TLS, it is in the manual.

OK. I saw it, though it's optional.
It's TLS 1.2, right?

Uqbar

What is the purpose of your request? Is the router in some private LAN, accessible only over SOCKS proxy? Otherwise, use direct connection. I am sorry for not having been clear enough. My purpose is to always connect to the MikroTik with known security levels. This is mandatory in my environment so...

Uqbar

1) SOCKSv5 is ancient history - RFC is from 1996. I do not see any need for it in modern networking. Really? A lot of people like me finds that feature really useful so OpenSSH is STILL supporting and maintaining it since looong time now. Latest proposals for FTP (supported by RouterOS) are from 19...

Uqbar

https://en.wikipedia.org/wiki/EdDSA
http://ed25519.cr.yp.to/

as it's part of OpenSSH since v6.5 (http://www.openssh.com/txt/release-6.5)
Anyone can see the pros of such a choice and there seems to be no cons so far.

Uqbar

A SOCKSv5 proxy can be used, when created with a capable SSH client like OpenSSH and PuTTY, to securely access the GUI of the router.
Currently it can be used for webfig as all major HTML browsers support it.

Uqbar

I need to be able to use winbox with a SOCKSv5 proxy I create with an SSH session.. what have winbox to do with SOCKSv5 proxy?? Winbox is only for conneccion to RouterOS devices. You don't know what a SOCKSv5 proxy is for, do you? Have you ever used a "-D" option in OpenSSH? For example I...

Uqbar

where is the problem adding another key in the way you added the first one? /user ssh-keys print Flags: R - RSA, D - DSA # USER BITS KEY-OWNER 0 D admin 1024 1 D admin 2048 2 R admin 2048 No problem at all. Simply it seems to me it's not stated that I can set up more ssh keys. So I was scared to &q...

Uqbar

Anyway, with those rules in place I don't see any address list being created.
Should I create them manually?

Uqbar

I need to be able to use winbox with a SOCKSv5 proxy I create with an SSH session.
As far as I've seen neither v2 nor the v3beta allow it.
Is this a missing feature or am I missing something?
TIA.

Uqbar

These rules give any user 3 minutes to properly authenticate. After that, the IP address that is used will not be able to get a connection to the SSH service for 10 days. While any computer can still try to connect to port 22 on your Mikrotik, the fact that you drop packets will take away the incen...

Uqbar

I am experiencing a rather annoying brute force attack on my WAN over the SSH TCP port. To try to mitigate such a problem I've read this wiki page , second chapter about SSH. It's not clear to me how those rules can discern from the various SSH handshake stages, especially with the order that's bein...

Uqbar

Safe Mode only protects you from yourself. Other sessions are not checked. So no, SSH will not be monitored. It only checks what you personally do in Webfig when the Safe Mode is activated (also by you) I am the one who's typing commands via SSH! I cannot see (my fault) the difference (apart of the...

Uqbar

I need to load more than one SSH key for a single user.
Is this possible just like plain OpenSSH? How to?

Uqbar

It looks like this is a top secret.

Uqbar

I fear the problem is in the choice of available SSL cyphers. aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks eNULL contains null-encryption ciphers (cleartext) EXPORT are legacy weak ciphers that were marked as exportable by US law...

Uqbar

Yes, it does work. It checks if anything you do in the config will not block you. If it does, it makes "Undo". For example, click on "Safe mode" then go to IP Firewall filter and add a new rule, chain "input" action "drop". You will be blocked from Webfig, bu...

Uqbar

There are hardly any connection-state=new connections that you need to accept from public port. basically only managment tools like winbox and ssh rest should be dropped, ether by default configuration or custom - something like this: /ip firewall filter add chain=input connection-state=established...

Uqbar

Sorry, but networking is not a guessing game...
Use /tool torch or sniffer to see what traffic is that.

I do know which traffic was it: DNS and NTP.
My question is about the difference in behaviours between two products.

Uqbar

One big question. As my previous firewall solution was not allowing such a behaviour, isn't it possible there's something missing in the RouterOS? Or is it the "old" one to be much smarted than Mikrotik? As I said, if I replaced the Mikrotik with the old one, everything went back to normal...

Uqbar

Hi all.
I do understand these can be seen as a silly questions.
Does the "safe mode" work in webfig?
Is the 9 minutes timeout in force?
Can it be configured?
Is it working with HTTPS as well?

Thanks in advance.

Uqbar

I once had a similar issue in the long past but mine was such a high traffic from the hotspot interface, meanwhile no one was online at the time. Solution was to navigate to ip - hotspot - host and i locates and block the mac address that is doing the transmission. Instantly, the traffic went down....

Uqbar

Unless DNS cache is turned on by default, I don't have it.
Thanks for the hint.

Uqbar

possible amplification attack check incoming dns,ntp,telnet and ssh connections (to the router) Any hint on how to "check for incoming dns, ntp ..."? I mean, I do know about UDP:53, TCP:53, UDP:123, TCP:23 and the likes . But I am new to Mikrotik and have no idea on how to "check&quo...

Uqbar

Do you have SSH on port 22 accessible from WAN? Show us a firewall rules & services running. Also it can be wireless interface traffic. My device has no wireless interface, as you can see from screenshot. My network is not a trivial one. LAN (10.16.16.x) connects to 10.72.5.0/24 and a gateway (...

Uqbar

All of a sudden I am experiencing the strange behaviour I can show with one screenshot. The eth1 (wan1) is sending about 2 Mbps of traffic, while the overall traffic from the other interfaces is actually negligible. The only services available are webfig, api and www only available from inside. I ha...

Uqbar

I also need to translate the outgoing traffic of the "servers" each with its own public IP.
Thanks for the clarification.

Uqbar

I have multiple public IPs on WAN available and I need to "hairpin" a couple of them to two servers on LAN.
One of those will be used for the router alone, the other ones for servers.
I have tried the Hairpin wiki page with no luck.
Any hint?

Thanks in advance.

Uqbar

Hi all. I am having problems with Webfig main screen (aka "QuickSet") "Local network" section. To which interface are those data related to? At the moment I see the data for eth4 but, if I simply hit "apply configuration" button that configuration is applied to eth2. If...

Uqbar

Maybe I am wrong, but the proposed solution blocks the downloads of the .torrent files (GET) from known torrent repositories. This is of course important but not effective. But it won't block the torrent protocol (file sharing) itself. Which is what I'd like to block, as torrent files can be exchang...

Uqbar

You should add exception rules not to mark local traffic. Please be more specific: I am new to the mikrotik world. I followed the Manual:PCC page and there I already set dst-address-type=!local . Is this the exception you are talking about? [UPDATE]: I did it. I added an "accept" for the ...

Uqbar

It works ... almost.
I have a second LAN interface (that doesn't need to go to the Internet) that routes to another network.
As soon as I enable the rule for mark-routing=to_ISP2 I loose the connectivity on this second LAN.
Where should I start checking?

Uqbar

Using PCC is part of the equation (to force spread outgoing connections amongst available Internet uplinks). As multiple default gateways will be used, duplicating routes with connection marks while increasing its distance to the opposite gateway will take care of failover w/o the need of scripts. ...

Uqbar

WebFig operations along with command line instructions?

Uqbar

Nice. Thanks.
But I don't see where the fail is detected...
Should I need a script for that?

Uqbar

There where spurious firewall rules interfering with the setup.
Once I cleaned them up, everything worked fine.ù
Thanks to you all.

Uqbar

Hi all. As far as I've understood, the NTH load balancing technique (http://wiki.mikrotik.com/wiki/NTH_load_balancing_with_masquerade) cannot cope with a failing link. This should mean that 50% of the requests will fail. Is there any way to work this limitation around? (Yes, I am new to the MikroTik...

Uqbar

I need to connect my LAN (eth2) to another LAN via an external router (not mine) on a different interface (eth3). It is already working with a different router we need to phase out in favour of the Mikrotik. See schema for a better idea (I hope). It all looked simple: two interfaces and a static rou...

Uqbar

An HTTP proxy can do it, but I haven't set it up yet.
Try give it a read on http://wiki.mikrotik.com/wiki/Manual:IP/Proxy

Uqbar

What's the packet loss rate for the used connectivity?
What's the packet loss rate in the main tunnel?
Which type of "tunnel" are you using?
Is there any log detail you can provide?

Uqbar

I also noticed that WAN (static IP address) needs to be on ETH1.
I fear there is some nailed in configuration... I hope I am wrong.

Uqbar

I am trying to create a site-to-site IPSec VPN between a Mikrotik v6.28 and a Gateprotect v9.4. I managed to make a site-to-site IPSev VPN between two Mikrotiks. On the Mikrotik side I have: PROPOSAL : Auth. Algo : SHA1; Encr. Algo : 3DES; Lifetime : default (00:30:00); PFS : Modp1024 PEER : Destina...

Search found 118 matches