Community discussions

Search found 31 matches

by manelfl
Tue Feb 26, 2019 3:45 pm
Forum: General
Topic: SOLVED - L2TP IPSEC stopped working after Upgrade to 6.18
Replies: 19
Views: 65146

Re: SOLVED - L2TP IPSEC stopped working after Upgrade to 6.18

But like you all see, I got a failure with the message above. The reason for this was obvious. In a new MikroTik (mine is RB750Gr2 / hEX), when adding L2TP you can choose to select "Use IPsec" and the secret password, and you have the section ip ipsec configured too. But it's dynamic, and you can add those *FFFF in t...
by manelfl
Fri Oct 19, 2018 11:35 am
Forum: Scripting
Topic: Allow internet access only to users that are ACTIVELY using a certain application
Replies: 2
Views: 453

Re: Allow internet access only to users that are ACTIVELY using a certain application

ip firewall address-list add list=AllowInternet address=192.168.1.1-192.168.1.254 timeout=15m

Did you try timeouts on the address list entries?
-Chris
by manelfl
Wed Sep 12, 2018 10:39 am
Forum: Beginner Basics
Topic: Understanding IPSec Road Warrior setup with Mode Conf
Replies: 4
Views: 1239

Re: Understanding IPSec Road Warrior setup with Mode Conf

I have created the next route and it runs OK:
1 A S 192.168.77.0/24 10.0.1.99 1
But 10.0.1.99 is the client public address, usually a dynamic IP. I can get this IP from /ip ipsec remote-peers print:
 # ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
 0 R user1 established 10.0.1.99 192.168.77.254 13m48s
Do I need an...
by manelfl
Tue Sep 11, 2018 5:07 pm
Forum: Beginner Basics
Topic: Understanding IPSec Road Warrior setup with Mode Conf
Replies: 4
Views: 1239

Re: Understanding IPSec Road Warrior setup with Mode Conf

Hi emils! I have checked the configuration of a router in operation with an IPSec site to site. There isn't a route in the routing table (/ip route). The dynamic address in the IPSec remote peer is 0.0.0.0. In this case, road warrior, the remote address is assigned by Mikrotik:
/ip pool print
 1 ipsec-RW 192.168.77.2-192.168...
by manelfl
Tue Sep 11, 2018 3:55 pm
Forum: Beginner Basics
Topic: Understanding IPSec Road Warrior setup with Mode Conf
Replies: 4
Views: 1239

Understanding IPSec Road Warrior setup with Mode Conf

Hi! I need help because I have no traffic between Shrew VPN Client and Mikrotik X86 v6.42.2. I have followed this link: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf
Configuration
VirtualBox PC=10.0.1.99/24 (simulating internet)
VirtualBox Mikrotik ether1=10.0.1.1/...
by manelfl
Mon Jun 18, 2018 12:30 pm
Forum: Beginner Basics
Topic: Windows Domain Controller blocked by Mikrotik firewall?
Replies: 9
Views: 1057

Re: Windows Domain Controller blocked by Mikrotik firewall?

First, I think you need to learn some Forum Etiquette, do not hijack someone else's topic / thread
Sorry, it was not my intention.
I didn't take manelfl's post as hijacking but more as a tip in terms of finding potential sources of information about what is going on in the router flow using the tools avail...
by manelfl
Thu Jun 14, 2018 3:49 pm
Forum: Beginner Basics
Topic: Windows Domain Controller blocked by Mikrotik firewall?
Replies: 9
Views: 1057

Re: Windows Domain Controller blocked by Mikrotik firewall?

Hi.
When I have problems with traffic through mikrotik, the tool sniffer helps me to solve it.
by manelfl
Tue Jun 05, 2018 2:17 pm
Forum: Beginner Basics
Topic: IPSec tunnel connectivity
Replies: 7
Views: 619

Re: IPSec tunnel connectivity

Hi.
I think this nat rule before the masquerade rule is enough because the firewall is open.

The src-nat passarelli mentions needs to go above the masquerade rule. So when a local-lan-ip packet goes to remote-lan-ip, its src stays as the local-lan-ip (and thus will match the ipsec policy).
by manelfl
Fri Jun 01, 2018 12:40 pm
Forum: General
Topic: Two mikrotik NAT to NAT
Replies: 15
Views: 1146

Re: Two mikrotik NAT to NAT

Hi.
Mikrotik Internal
I think mikrotik is the gateway. So, any machine in the 192.168.200.0/24 network can reach the 192.168.1.0/24 network. The question is: does a nat rule exist on outgoing traffic on the 192.168.1.120 interface? If yes, machines in the 192.168.1.0/24 network can answer traffic from 192.168.20...
by manelfl
Wed May 30, 2018 3:51 pm
Forum: General
Topic: Two mikrotik NAT to NAT
Replies: 15
Views: 1146

Re: Two mikrotik NAT to NAT

Hi.
I think sindy supposes that mikrotik is the gateway for the 192.168.1.0/24 network. So traffic from 192.168.1.0/24 to 192.168.4.0/24 would flow through the gateway.
For 192.168.4.0/24, I think the gateway is the internet. So you need the route specified by sindy.
by manelfl
Wed May 30, 2018 3:42 pm
Forum: General
Topic: Port forwarding to a web server
Replies: 7
Views: 2201

Re: Port forwarding to a web server

Hi.
But the destination ip address requested by an ip in X.X.X.0/mask is 88.88.88.88, no?
So, dst-address should be 88.88.88.88, no?
by manelfl
Tue May 29, 2018 12:57 pm
Forum: General
Topic: sniffer loses packages [SOLVED]
Replies: 7
Views: 625

Re: sniffer loses packages [SOLVED]

Hi.
I found the problem in RB23011, but I have reproduced the issue in a virtual environment. My question was about this virtual environment.

Stormshield has one interface for all policies.

Thanks! You have helped me a lot.
by manelfl
Tue May 29, 2018 12:29 pm
Forum: General
Topic: sniffer loses packages [SOLVED]
Replies: 7
Views: 625

Re: sniffer loses packages [SOLVED]

Hi. No, mikrotik is the right router. The left router is a Stormshield model. Yes, it's a mismatch:
tool sniffer quick port=22
With icmp I have found the same issue. I think you're right. The packet is encrypted by mikrotik and it doesn't match the sniffer filter.
IPSec: ipsec-protocols=esp tunnel=yes
Communication is...
by manelfl
Tue May 29, 2018 11:08 am
Forum: General
Topic: sniffer loses packages [SOLVED]
Replies: 7
Views: 625

Re: sniffer loses packages [SOLVED]

Hi. Sorry for the lack of information. I detected this issue on a Mikrotik RB3011UiAS v6.39.2. I created a virtual environment to test the issue with a virtual mikrotik v6.42.2. This is the net diagram: https://photos.google.com/share/AF1QipP5SYyjFA_iUk6fO5vNhLaxt4tYoJb8BbPX8e54ShMjAmNxEI-A-T50CfxlLd4zSw/pho...
by manelfl
Mon May 28, 2018 5:04 pm
Forum: General
Topic: sniffer loses packages [SOLVED]
Replies: 7
Views: 625

Re: sniffer loses packages [SOLVED]

Nobody with the same issue?
by manelfl
Mon May 28, 2018 1:09 pm
Forum: General
Topic: Port foward HTTPS
Replies: 30
Views: 1561

Re: Port foward HTTPS

I like this configuration.

Thanks for your explanation.

Forward
accept/related
add drop invalid
add connection-state=dstnat
drop all
by manelfl
Fri May 25, 2018 5:40 pm
Forum: General
Topic: Port foward HTTPS
Replies: 30
Views: 1561

Re: Port foward HTTPS

Hi. I apologize if my question is not directly related to the topic, but I am interested in this filter rule:
/ip firewall filter add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat
I understand this rule allows all destination nat defined in the nat rules. Is it corr...
by manelfl
Fri May 25, 2018 5:12 pm
Forum: Beginner Basics
Topic: Several isolated networks
Replies: 20
Views: 2000

Re: Several isolated networks

Hi. I always have a block filter rule to block all that is not allowed. In this environment, I would configure in the router modem:
- delete interfaces eth1 to eth4 from bridge
- nat src-nat on outgoing interface eth1
- filter rules
accept from eth2 to eth1
accept from eth3 to eth1
accept from eth4 to e...
by manelfl
Fri May 25, 2018 1:46 pm
Forum: General
Topic: Default Route Problem
Replies: 2
Views: 253

Re: Default Route Problem

PPPoE client gets ip and other parameters automatically: gateway, DNSs. So it is a good reply from CZFan.
I am guessing you are using PPPoE for ADSL connection, so maybe disable "Add default gateway" in PPPoE config which might solve your one problem. I am a bit confused to what is happening here an...
by manelfl
Fri May 25, 2018 12:42 pm
Forum: Beginner Basics
Topic: Combination of two networks
Replies: 6
Views: 566

Re: Combination of two networks

Hi.
It's a routing question.

Router 1
add route to 192.168.2.0/24

Router 2
add route to 192.168.0.0/24

Add filter rules to accept traffic
by manelfl
Fri May 25, 2018 11:28 am
Forum: General
Topic: DST NAT return from same IP
Replies: 10
Views: 1357

Re: DST NAT return from same IP

I agree with CZFan's reply. If you mark the connection (connection tracking has to be enabled: ip firewall connection tracking set enabled=yes), all packets in this connection will be marked. With this connection mark you mark the packets with a routing mark. With this routing mark, you tell mikrotik which wan...
by manelfl
Fri May 25, 2018 11:07 am
Forum: Beginner Basics
Topic: Connecting two Networks
Replies: 3
Views: 367

Re: Connecting two Networks

Hi. From the PC002 view, mikrotik is the gateway. You should define a firewall rule to accept traffic from the PC002 network (or host) to the PC001 network (or host):
 0 chain=forward action=accept connection-state=established,related log=no log-prefix=""
 1 chain=forward action=accept connection-state=new src-add...
by manelfl
Thu May 24, 2018 5:52 pm
Forum: General
Topic: sniffer loses packages [SOLVED]
Replies: 7
Views: 625

sniffer loses packages [SOLVED]

Hi. This is my test environment:
ssh server - firewall - mikrotik - ssh server
172.30.1.99/24 - 172.30.1.1/24, 10.1.1.1/24 - 10.1.1.2/24, 172.30.2.1/24 - 172.30.2.99/24
firewall ipsec ↔ mikrotik ipsec
From 172.30.1.99: telnet 172.30.2.99 22
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST...
by manelfl
Thu May 24, 2018 5:38 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1624

Re: Problem with DHCP Relay & IPSec

Hi. I found the problem.
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=srcnat action=accept src-address=192.168.233.0/24 dst-address=192.168.112.0/24 log=no log-prefix=""
In this nat rule, the source net is set. In the dhcp request packet, the source ip is not se...
by manelfl
Fri Nov 10, 2017 2:17 pm
Forum: General
Topic: Two VPN connections by two different gateways to single destination IP
Replies: 5
Views: 855

Re: Two VPN connections by two different gateways to single destination IP

Hi. I have changed prerouting to output and the problem is solved. Thank you very much.
Now look on these mangle chains from wiki and compare them with yours:
/ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=w...
by manelfl
Thu Nov 09, 2017 1:46 pm
Forum: General
Topic: Two VPN connections by two different gateways to single destination IP
Replies: 5
Views: 855

Re: Two VPN connections by two different gateways to single destination IP

Hi. I have problems with an oVPN server Mikrotik with 2 lines and an oVPN client Mikrotik with 1 line. This is the scheme for my tests:
oVPN server
ether1 10.0.1.1/24 WAN1
ether2 10.0.11.1/24 WAN2
ether3 192.168.1.1/24 LAN
Mikrotik in between
ether1 10.0.1.9/24
ether1 10.0.2.9/24
ether1 10.0.11.9/24
oV...
by manelfl
Thu Sep 10, 2015 1:45 pm
Forum: Beginner Basics
Topic: iptables convert to mikrotik rule
Replies: 2
Views: 907

Re: iptables convert to mikrotik rule

Hi.
An example:
chain=dstnat action=dst-nat to-addresses=<internal ip> to-ports=2525 protocol=tcp in-interface=pppoe-fibra dst-port=25565
by manelfl
Thu Sep 10, 2015 1:37 pm
Forum: RouterBOARD hardware
Topic: Backup file compatibility
Replies: 8
Views: 1634

Re: Backup file compatibility

Hi. I had problems with export and import between two mikrotiks of the same model. I don't remember the firmware version. I had defined IPSec tunnels, and the order of creation of proposals, peers and policies is essential. Same problem with the dhcp server. To solve the problems, I had to export section by section and import in ...
by manelfl
Thu Sep 10, 2015 1:31 pm
Forum: General
Topic: How to monitor/alert MikroTik router por
Replies: 4
Views: 1313

Re: How to monitor/alert MikroTik router por

Hi.

Can you access another mikrotik from inside the other office?
by manelfl
Thu Sep 10, 2015 1:27 pm
Forum: General
Topic: Firewall Best Practise
Replies: 3
Views: 1156

Re: Firewall Best Practise

I think the second option is better. Uncontrolled traffic is denied. Access rules to administer mikrotik should exist. I have found problems dropping traffic in the output channel: ipsec, ovpn.
In my opinion, it really depends on the administrator on how strict he/she will be regarding implementing firewa...
by manelfl
Mon May 18, 2015 1:39 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1624

Re: Problem with DHCP Relay & IPSec

Hello. I'm new to this forum and I have a similar problem with dhcp relay and ipsec vpn. I have a central dhcp server and dhcp relays in remote sites. I have a mikrotik routerboard RB2011iL-IN to make tests, but it is the same type of router we have in the remote sites. I think the problem is that the relay pack...