Community discussions

Search found 4451 matches

by pe1chl
Sat Jul 21, 2018 9:53 pm
Forum: Wireless Networking
Topic: Why sxt lite5 cosumes data itself?
Replies: 5
Views: 170

Re: Why sxt lite5 cosumes data itself?

I suggest a firewall at your internet connection that allows only established/related traffic and new outgoing traffic and blocks all new incoming traffic. In fact this is installed by default after a reset. Of course you need to make sure that the router is configured correctly so it knows what the...
by pe1chl
Sat Jul 21, 2018 1:31 pm
Forum: Wireless Networking
Topic: Why sxt lite5 cosumes data itself?
Replies: 5
Views: 170

Re: Why sxt lite5 cosumes data itself?

It looks like you have no firewall. Of course then your network becomes the playground of the bad guys...
by pe1chl
Sat Jul 21, 2018 1:28 pm
Forum: General
Topic: OpenVPN problem
Replies: 1
Views: 47

Re: OpenVPN problem

Is that 10.10.1.0/24 also the network used by your other systems?
Don't do that... change your VPN network e.g. to 10.10.2.253/254
Then it will route correctly (assuming your systems already use the MikroTik as their default gateway)
by pe1chl
Sat Jul 21, 2018 1:26 pm
Forum: General
Topic: PROXY HTTPS
Replies: 6
Views: 166

Re: PROXY HTTPS

Well, a better proxy can handle CONNECT commands and it can log the hostname the client connects, but RouterOS cannot do that as mrz already explained. You would have to setup an additional computer with e.g. squid as a proxy. However before you do that, please note: such a proxy can NOT operate as ...
by pe1chl
Sat Jul 21, 2018 11:09 am
Forum: RouterBOARD hardware
Topic: Capacitors in CCR1036 board
Replies: 4
Views: 234

Re: Capacitors in CCR1036 board

Also remember the value of such decoupling caps is not at all critical.
Check what voltage is across them (5v, 12v, 24v) and get a capacitor with a suitable voltage rating and same physical
size, and you will be OK. But the value is likely at the other side.
by pe1chl
Fri Jul 20, 2018 9:29 pm
Forum: RouterBOARD hardware
Topic: Capacitors in CCR1036 board
Replies: 4
Views: 234

Re: Capacitors in CCR1036 board

1209 means manufactured in 9th week of 2012.
by pe1chl
Thu Jul 19, 2018 7:45 pm
Forum: Forwarding Protocols
Topic: Routing filter order
Replies: 8
Views: 681

Re: Routing filter order

When you add a new rule it is added at the bottom by default, when you do not want it there (because it has to be processed somewhere between the existing rules) you can move it, but that move will not make the software re-process the filters, as it should. Disable/enable does that. This is the sour...
by pe1chl
Thu Jul 19, 2018 2:25 pm
Forum: Beginner Basics
Topic: Why in MT everything, including VLANs can always access each other unless blocked by firewall? [SOLVED]
Replies: 14
Views: 592

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall? [SOLVED]

I'll add a 3rd one: 3. use of a specific VLAN on the internet interface as required by the provider. Fiber or VDSL internet is usually carried on a VLAN, other VLANs being used for TV, Telephony etc. so I need to create a VLAN 6 on my ether1 port to talk to my ISP (with PPPoE on top of that, but tha...
by pe1chl
Thu Jul 19, 2018 2:21 pm
Forum: General
Topic: Specify src-address when using /tool e-mail send
Replies: 6
Views: 164

Re: Specify src-address when using /tool e-mail send

Just add a routing filter in the ospf-in chain without any matching criteria and set the Action to "set pref src." with the local loopback address on each router. When you look in the IP routes you will see the pref. src in all routes received via OSPF. (which should include your default route) ...
by pe1chl
Thu Jul 19, 2018 2:16 pm
Forum: General
Topic: Port forwarding issue, unable to nc to the port. [SOLVED]
Replies: 6
Views: 151

Re: Port forwarding issue, unable to nc to the port. [SOLVED]

Can someone please explain to me how to hardcode the public IP address if it's dynamic? I don't get it and there isn't a single example out there... You don't need to specify the dst-address when you use another selector to make the rule match only the cases you want to match. Your comment indicate...
by pe1chl
Thu Jul 19, 2018 11:43 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 815
Views: 141919

Re: Feature requests

@TomjNorthIdaho RoMON RoMON works only over L2 transparent links. A proxy could be operating at IP level. A nice feature would be to add an IP-level layer to RoMON so you can extend the RoMON network like this: PC <---------IP link--------------->Router1<----------L2 link ----------->Router2 and th...
by pe1chl
Thu Jul 19, 2018 11:38 am
Forum: Beginner Basics
Topic: Why in MT everything, including VLANs can always access each other unless blocked by firewall? [SOLVED]
Replies: 14
Views: 592

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall? [SOLVED]

Question: is it true to say that if my CCR1009 will be the only "smart" device on the network, with everything else being dumb clients and dumb switches, then there is no point in creating VLANs on the CCR, instead subnetting + firewall would do the same, since any VLANs created will be routed by d...
by pe1chl
Wed Jul 18, 2018 8:45 pm
Forum: General
Topic: It's not possible to disable Default route for LTE
Replies: 14
Views: 302

Re: It's not possible to disable Default route for LTE

2. lte1 interface always adds default route
No, you configure that in the DHCP Client for the lte1 interface.
by pe1chl
Wed Jul 18, 2018 6:02 pm
Forum: General
Topic: Specify src-address when using /tool e-mail send
Replies: 6
Views: 164

Re: Specify src-address when using /tool e-mail send

There is the generic solution of putting a preferred source address in your routes, either static or via route filters. Set the preferred source address to your loopback address in a route filter you use when receiving routes. Of course this topology will still cause problems, because router-generat...
by pe1chl
Wed Jul 18, 2018 5:22 pm
Forum: Beginner Basics
Topic: Why in MT everything, including VLANs can always access each other unless blocked by firewall? [SOLVED]
Replies: 14
Views: 592

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall? [SOLVED]

Or did I do something wrong? It is impossible to know what you did and what is wrong because you did not include a /export of your config. Do a /export and include at least the sections about bridge, interface, address and firewall to see what you have and why it does not work as you want. Remember...
by pe1chl
Wed Jul 18, 2018 2:35 pm
Forum: Beginner Basics
Topic: VLANS between Mikrotik Devices
Replies: 8
Views: 291

Re: VLANS between Mikrotik Devices

You assign IP address/subnet to the VLAN interfaces.
Unless you have firewall rules, this automatically means they are routed.
by pe1chl
Wed Jul 18, 2018 2:33 pm
Forum: General
Topic: Site-to-site VPN with same subnet [SOLVED]
Replies: 15
Views: 347

Re: Site-to-site VPN with same subnet [SOLVED]

When you want to connect between a dynamic and a static IP you can use L2TP/IPsec with the server on the static IP and the client on the dynamic IP. You can configure the address of the client in the "PPP secrets" and you will have a fixed (local, like 10.0.0.x) IP on the L2TP client interface, and ...
by pe1chl
Wed Jul 18, 2018 2:28 pm
Forum: General
Topic: Web filtering/whitelisting
Replies: 3
Views: 114

Re: Web filtering/whitelisting

Please note that such requests, which usually are posted in an obfuscated way like you are doing (*.acme.com) in reality usually refer to some "website". E.g. "we only want to allow CNN.COM". However, a website normally uses many more domainnames than the one you type in the URL bar, including many n...
by pe1chl
Wed Jul 18, 2018 12:46 pm
Forum: General
Topic: Site-to-site VPN with same subnet [SOLVED]
Replies: 15
Views: 347

Re: Site-to-site VPN with same subnet [SOLVED]

When you want to setup a routed VPN with MikroTik routers at both ends, an easy setup is this: - create GRE interfaces at each end, with the public IP of the remote end configured, and an IPsec key (say 32 random characters) the same at each end - set a network address on these interfaces, e.g. 10.0...
by pe1chl
Wed Jul 18, 2018 12:02 pm
Forum: Beginner Basics
Topic: VLANS between Mikrotik Devices
Replies: 8
Views: 291

Re: VLANS between Mikrotik Devices

There is no real difference between the master/slave stuff, when you setup a bridge and put a couple of ports in it with hw accel on that behaves mostly like a master with some slave ports. When you add a VLAN subinterface to the bridge, the tagged VLAN will appear on all the member ports of the bri...
by pe1chl
Tue Jul 17, 2018 11:03 pm
Forum: General
Topic: No Traffic across IPSEC Site to Site VPN
Replies: 3
Views: 77

Re: No Traffic across IPSEC Site to Site VPN

When you have connections that were already attempted before you finished your configuration of the firewall, they won't start working when the configuration is completed. In that case it is best to reboot the router to clear all tracking and NAT. Apparently that has already happened or the bad entr...
by pe1chl
Tue Jul 17, 2018 10:47 pm
Forum: General
Topic: Web filtering/whitelisting
Replies: 3
Views: 114

Re: Web filtering/whitelisting

In such cases it is always best to turn down the request. It is very hard to implement it and very easy to work around it when your users are creative... but when you really think you want to pursue this and your filter fails to catch https traffic you can experiment further with the new "TLS host" ...
by pe1chl
Tue Jul 17, 2018 10:43 pm
Forum: General
Topic: Weird Lan behaviour with RB750Gr3
Replies: 11
Views: 320

Re: Weird Lan behaviour with RB750Gr3

Great!
by pe1chl
Tue Jul 17, 2018 10:04 pm
Forum: General
Topic: strange connection problem with Dynadish PTP...
Replies: 7
Views: 183

Re: strange connection problem with Dynadish PTP...

A dead switch? Maybe after (nearby) lightning strike?
by pe1chl
Tue Jul 17, 2018 7:02 pm
Forum: General
Topic: Don't push remote gateway to windows VPN clients [SOLVED]
Replies: 6
Views: 189

Re: Don't push remote gateway to windows VPN clients [SOLVED]

Next step is usually a lot of googling, disbelief, disappointment, head banging, ... and no real happy end. Yes, it is surprisingly difficult. Everyone seems to have their own proprietary solution and nothing is really standardized. For main/subsidiary VPN I normally use BGP which works OK, but it ...
by pe1chl
Tue Jul 17, 2018 5:44 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 815
Views: 141919

Re: Feature requests

And install of a clean new RouterOS in an inactive partition on a router with 2 or more partitions. Router running from Active partition part0, download new npk files and do "install into part1", optionally copy config from part0 to part1, set part1 to Active and reboot: new clean install without do...
by pe1chl
Tue Jul 17, 2018 3:59 pm
Forum: General
Topic: Site-to-site VPN with same subnet [SOLVED]
Replies: 15
Views: 347

Re: Site-to-site VPN with same subnet [SOLVED]

The problem is in this: The only problem I get is that the switching a location should be as painless as it can be, so I want not to change anything in the addresses configuration. Don't do that. Change the server addresses to a different subnet like 10.0.11.0/24 and make a routed VPN between the se...
by pe1chl
Tue Jul 17, 2018 3:35 pm
Forum: General
Topic: Site-to-site VPN with same subnet [SOLVED]
Replies: 15
Views: 347

Re: Site-to-site VPN with same subnet [SOLVED]

It would be better to invest in some knowledge about networking and how to manage addresses in an environment like that. Especially when you are developing software. We have read before on this forum about users of software they do not control that makes unreasonable assumptions about network layout...
by pe1chl
Tue Jul 17, 2018 2:47 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 815
Views: 141919

Re: Feature requests

We are operating an amateur radio network and we do not control the manufacturer of equipment chosen by the users. And in fact, the product gamma of the two main manufacturers has been varying over time to give preference to one or the other. e.g. before the LHG there was no cheap MikroTik user devi...
by pe1chl
Tue Jul 17, 2018 11:18 am
Forum: General
Topic: Port forwarding issue, unable to nc to the port. [SOLVED]
Replies: 6
Views: 151

Re: Port forwarding issue, unable to nc to the port. [SOLVED]

It works OK when you use the default configuration and just add a dst-nat entry to the NAT table as you have done.
I suggest resetting the router to defaults and adding the entry again, do not change the firewall filters until you understand how it works.
by pe1chl
Tue Jul 17, 2018 11:13 am
Forum: General
Topic: Don't push remote gateway to windows VPN clients [SOLVED]
Replies: 6
Views: 189

Re: Don't push remote gateway to windows VPN clients [SOLVED]

This gateway is not pushed to the client, it is assumed by the client. There should be a config setting in the client setup to set default gateway to the newly created VPN or not. Indeed you will find that once you disable that setting, you are faced with the difficulty to route one or more subnets ...
by pe1chl
Tue Jul 17, 2018 10:36 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 815
Views: 141919

Re: Feature requests

Netinstall for Linux, or documentation of the netinstall process so it can be programmed for Linux by someone else.
by pe1chl
Mon Jul 16, 2018 10:09 pm
Forum: Beginner Basics
Topic: Firewall wildcard object - IP ends with .101
Replies: 3
Views: 110

Re: Firewall wildcard object - IP ends with .101

Only in very specific situations. In general this is not really useful. You can fill an address list with the addresses you need, when desired you can use a loop in a script to add many entries to the list without having to type them all. Or you can use a powerful text editor or shell to create the ...
by pe1chl
Mon Jul 16, 2018 7:07 pm
Forum: Beginner Basics
Topic: Firewall wildcard object - IP ends with .101
Replies: 3
Views: 110

Re: Firewall wildcard object - IP ends with .101

No, this is not possible. RouterOS only supports contiguous netmasks from the top.
However, you can use Address List to match several addresses with a single rule.
by pe1chl
Mon Jul 16, 2018 2:18 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 815
Views: 141919

Re: Feature requests

A WiFi TDMA mode that is compatible with UBNT airMAX.
We usually have a mix of MikroTik/UBNT access points and clients in our network so we can only use bare 802.11 even when TDMA would perform much better.
Alternative: an IEEE standard for this mode that is implemented by both companies.
by pe1chl
Mon Jul 16, 2018 11:13 am
Forum: General
Topic: Weird IPsec errors when trying L2TP/IPsec from Draytek
Replies: 16
Views: 478

Re: Weird IPsec errors when trying L2TP/IPsec from Draytek

Ok, thanks. I thought the fields in the NAT-OA packet maybe could be part of an incomplete solution to work around that problem.
by pe1chl
Mon Jul 16, 2018 10:51 am
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 38
Views: 4390

Re: Winbox v3.16 released!

That could well be an MTU issue. Those routed subnets on cable are in fact delivered as a VPN and have quite low MTU, like 1456 or so.
You need to set that on your interface or you will have strange issues.
by pe1chl
Mon Jul 16, 2018 10:48 am
Forum: General
Topic: Weird IPsec errors when trying L2TP/IPsec from Draytek
Replies: 16
Views: 478

Re: Weird IPsec errors when trying L2TP/IPsec from Draytek

Ticket#2018071422001752 has been created for this issue. Of course there is another issue with this: the MikroTik implementation is unable to serve more than one L2TP/IPsec over NAT client behind the same remote IP. This is a regularly recurring complaint, mainly when people try to setup a VPN from ...
by pe1chl
Sun Jul 15, 2018 1:34 pm
Forum: General
Topic: Weird Router RB951 [SOLVED]
Replies: 11
Views: 360

Re: Weird Router RB951 [SOLVED]

As I said, it is easy to make mistakes in this procedure. The installed RouterOS is not used during netinstall, this is done using the bootloader only. Unfortunately there is only a netinstall program for Windows, which really isn't a suitable platform for this because too many different versions ex...
by pe1chl
Sun Jul 15, 2018 12:43 pm
Forum: General
Topic: DNS server changed automatically [SOLVED]
Replies: 14
Views: 1439

Re: DNS server changed automatically [SOLVED]

dam! i thought i'm the only one. currently running v6.39.3 x86 routerOS.
There is your problem! You should update it!
And another thing: you should fix your firewall so people cannot login from internet.
Allow login only from your local network or via a VPN when that is not possible.
by pe1chl
Sun Jul 15, 2018 12:35 pm
Forum: General
Topic: Weird Router RB951 [SOLVED]
Replies: 11
Views: 360

Re: Weird Router RB951 [SOLVED]

It is very common that people who want or need to do a netinstall report back that it does not work. E.g. when someone reports they have bricked their router due to a mishap when upgrading or configuring, and are told to do a netinstall, I would say in 50% or more of the cases they report back "neti...
by pe1chl
Sat Jul 14, 2018 8:01 pm
Forum: General
Topic: Weird IPsec errors when trying L2TP/IPsec from Draytek
Replies: 16
Views: 478

Re: Weird IPsec errors when trying L2TP/IPsec from Draytek

I have alerted support to this topic. Let's see what happens... I am in a similar situation, I am only debugging this for some people who want to connect to my server and I pulled my old Draytek out of the junkbox to do it. When behind another (MikroTik) router as NAT it does not work, but then I th...
by pe1chl
Sat Jul 14, 2018 7:39 pm
Forum: General
Topic: Weird IPsec errors when trying L2TP/IPsec from Draytek
Replies: 16
Views: 478

Re: Weird IPsec errors when trying L2TP/IPsec from Draytek

Thanks for debugging it :-) So it is indeed something that should be fixed on the MikroTik side to be standards compliant. Apparently the used IPsec code does not check this condition. Maybe it is responsible for other L2TP/IPsec trouble as well... From my googling it looks like Strongswan at some time...
by pe1chl
Sat Jul 14, 2018 4:36 pm
Forum: General
Topic: How to prevent communication between two bridges? [SOLVED]
Replies: 7
Views: 272

Re: How to prevent communication between two bridges? [SOLVED]

Maybe it is a dumb question, but is it possible to do this with in interface - out interface? Or interface lists? Yes that is possible by using the bridge as the in- or out-interface. Lists are possible too. It is in fact better (especially for the incoming interface) as it does not rely on the "va...
by pe1chl
Sat Jul 14, 2018 4:02 pm
Forum: General
Topic: Weird IPsec errors when trying L2TP/IPsec from Draytek
Replies: 16
Views: 478

Re: Weird IPsec errors when trying L2TP/IPsec from Draytek

It is in the Draytek log. It only occurs when operating over NAT. The MikroTik believes everything is fine and logs "the packet is retransmitted by x.x.x.x[4500]". I now managed to get a Draytek connected to a public IP and now I can setup a working L2TP/IPsec connection to the MikroTik! But I think...
by pe1chl
Sat Jul 14, 2018 2:47 pm
Forum: General
Topic: Weird IPsec errors when trying L2TP/IPsec from Draytek
Replies: 16
Views: 478

Re: Weird IPsec errors when trying L2TP/IPsec from Draytek

I have updated the Draytek firmware to 3.8.9.1 and RouterOS to 6.42.5 but situation is still the same.

byte 7 of ISAKMP NAT-OA Payload must be zero, but is not

Is this something that could be fixed by MikroTik?
by pe1chl
Sat Jul 14, 2018 1:00 pm
Forum: Beginner Basics
Topic: SSID for kids Zone with OpenDNS
Replies: 14
Views: 486

Re: SSID for kids Zone with OpenDNS

This is what I do, working perfectly: Add static DHCP leases Create firewall FamilyShield list for required static IP addresses Add 2 dst-nat rules for the FamilyShield list to the OpenDNS address The problem with this solution is the "and their friends" part of the question. Sure it is possible to...
by pe1chl
Sat Jul 14, 2018 12:53 pm
Forum: Beginner Basics
Topic: SSID for kids Zone with OpenDNS
Replies: 14
Views: 486

Re: SSID for kids Zone with OpenDNS

Sorry, but publishing more details about a future commercial product goes too far. You know what goes too far? Breaking in on a topic about configuring a MikroTik router with an announcement of an unrelated commercial product. That would normally get your posting removed if not your account banned....
by pe1chl
Fri Jul 13, 2018 6:24 pm
Forum: General
Topic: IPv6 intermittent timeouts to random IPs
Replies: 4
Views: 185

Re: IPv6 intermittent timeouts to random IPs

So that could be an ND issue... Check what is happening in IPv6->Neighbors
(interestingly, the menus "ND" and "Neighbors" are swapped in IPv6)
by pe1chl
Fri Jul 13, 2018 10:57 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 437
Views: 54921

Re: v6.43rc [release candidate] is released!

As you can see in 6.43rc release - we are improving changelog so important notes would be more noticeable. Also, for example, Winbox vulnerability issue was mentioned in changelog and special topics were made. Yes, it has certainly improved! Good to see that warnings like that are now also visible ...