MikroTik

zuku

Hi,
how could I install zerotier on 7.9 on all extra packages https://download.mikrotik.com/routeros/ ... be-7.9.zip there is not zerotier package?

zuku

Hello, I have created ipsec tunnel (tunnel mode) with remote fortigate router, the problem is the mikrotik create multiple SAs for this connection, I have over 1000 SAs created with the same Src. Address (fortigate router) and Dst. Address (Mikrotik) https://i.postimg.cc/KYqCZrz2/multiple-SAs-2.jpg ...

zuku

Problem resolved, was not related to mikrotik config.

zuku

Hi, I would to configure Mikrotik IPSEC, to forward all local subnet throught remote site, so created Ip Ipsec Policy: /ip ipsec policy add action=none dst-address=192.168.5.0/24 src-address=192.168.5.0/24 add action=none dst-address=10.11.0.0/20 src-address=10.11.0.0/20 add dst-address=0.0.0.0/0 pe...

zuku

could anyone help me? my Phase1 between FGT and mikrotik is established, problem is with match selectors on both sides, as this is ipsec in Transport mode, my selectors are simply set as wan ip addresses of this two sites. please look what FGT debug shows: ike 0:dusz_wan1_ipsec:1877:2363: TSr_0 0:x....

zuku

ok I did this, but problem was not here, I removed this settings from Fortigate Phase1: set local-gw x.x.x.85 (where this ip is PublicIP2 of Mikrotik in front of FGT) after that my Phase1 with remote Gre Ipsec is established ;) Now I have problem because Phase2 in transport mode won't go up. ( x.x.x...

zuku

I did: ;;; FGT - src-nat to MIKROTIK-PublicIP2-InfrontOf-FGT chain=srcnat action=src-nat to-addresses=MIKROTIK-PublicIP2-InfrontOf-FGT src-address=10.x.x.2 log=no log-prefix="" when I log in to Fortigate device, on dashboard I see that my wan address is "MIKROTIK-PublicIP2-InfrontOf-F...

zuku

Can't recall it right now but I had to set some "peer-identity-type" or "localid-type address" on the Fortigate to make a regular IPSec tunnel work at least. It's was the Mikrotik that simply denied the setup, not the Fortigate. added this one to Fortigate Phase1: set peertype a...

zuku

I tell you how I configured this, I have on my WAN 5 more routable Public IP, so I pick-up one of these and did port forward to customer Fortigate router that is located behind my ether7 port 22 ;;; FGT chain=dstnat action=dst-nat to-addresses=10.x.x.2 protocol=udp dst-address=MIKROTIK-PublicIP2 dst...

zuku

I have corrected Hash Algoritm in Ipsec Profiles, was sha512, should be sha256, now it is the same as on Fortigate, but still no success 1 name="FGT" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-fa...

zuku

I've done some progress, but still no success. Fortigate debug: ike 0: comes MIKROTIK:500->FGT:500,ifindex=22.... ike 0: IKEv2 exchange=SA_INIT id=24040f12e74e1c2d/0000000000000000 len=300 ike 0: in 24040F12E74E1C2D000000000000000029202208000000000000012C2900001C00004005AF6CFBCBE080BF0056BB0221242A3...

zuku

Hi, I'm trying to connect Mikrotik with Fortigate using Gre over Ipsec but I'm stuck already on Ipsec Phase 1 exchange, maybe anyone is familiar with Fortigate devices? Fortigate config: config vpn ipsec phase1-interface edit "ipsec_p1" set interface "port16" set ike-version 2 se...

zuku

Hi,
I have open ports (47, 500, 4500, esp) for my GRE IPSEC tunnels on my firewall, is any way to forward these port at the same time for a customer router which is behind one of my ether port (customer also need to have their gre ipsec tunnels)?

zuku

If the general approach is the one I prefer, "allow exceptions, deny the rest", you'll need more permissive rules. You'd have to post the current firewall configuration to get a more detailed advice. My firewall approach is that I have most specific allow or block rules at the beginning s...

zuku

Thank you Sob for now I have only one customer so two usable IP is OK for me. My customer also what to have full access to their Mikrotik on this public IP, if they want to open mikrotik winbox access they should have, if they would open ports to WWW server they should have this possibility etc. How...

zuku

Hi, I have on Mikrotik WAN connection with mask /30 (connection to modem) and I have two other routed public IP x.x.x.80 - x.x.x.83 on the same link. My goal is how could I share my Public IP (this routed) to a customer router behind my mikrotik, their Mikrotik should be visible on internet on this ...

zuku

I have problem accessing MGMT devices that are on my DMZ network. First I added bridge: /interface bridge add name=MGMT-DMZ /interface bridge port add bridge=MGMT-DMZ interface=vlan15 /interface bridge port add bridge=MGMT-DMZ interface=ether5 and disabled filtering at the end of my firewall rules, ...

zuku

Unfortunately I don't have no more free ethernet ports on server, and I would like to divide network traffic on dmz side to another ethernet port as on my LAN I have already other VLANS and quite high network traffic. OK will try with creating bridge in your way.

zuku

Only when you have untrusted hosts in the DMZ that can tag their traffic with the MGMT Vlan tag. When you want to guard against the possibility that someone hacks one of your DMZ hosts to get root access and is able to add VLAN interfaces, you should not do that config. But that is a result of your...

zuku

If I put MGMT Vlan with Ether5 interface in the same bridge, will not the unsecure DMZ subnet get access to my MGMT Vlan?

zuku

ah sorry, CCR1009 on 6.44.6 I just have configured tagged MGMT Vlan on interface LAN /interface vlan add comment=MGMT interface=ether1 name=vlan101 vlan-id=101 and on firewall side I have rule to allow new and established connections from Ether1 to DMZ: /ip firewall filter add action=accept chain=fo...

zuku

Hi,
I have already Management Vlan placed on my ETH1 lan interface, now I need to have the same VLAN on ETH5 DMZ interface.
Vlans should talk to each other, but ETH1 and ETH5 should not. How to achieve this?
Now I have MGMT Vlan just put on ETH1 interface without using bridge.

zuku

Device from which backup was exported is CCR1009 Long Term 6.44.6
New one is CCR1009 with Long Term 6.45.9

Can I use binary backup if new device is exactly the same model (CCR1009-8G-1S-1S+) ?

zuku

I'm trying to verbose import RSC file exported from CCR1009 device into new the same model device CCR1009 but I have errors like: 1 set discover-interface-list=discover input does not match any value of discover-interface-list so I moved this section on .rsc file to the end, but then again next erro...

zuku

Hi,
Is any way in mikrotik for PPP users to have valid password for some time e.g.30 days, then lock it out?

zuku

You have 1 "flat" network ? So 1 large IP-space and the Mikrotik is the default gateway ? If that malware is targeting internal servers you will not see it with this rule. This rule would log packets going out to Internet hosts for example on TCP/449 What Mikrotik device ? Are you using a...

zuku

I have malware in my LAN connecting to outgoing 449 TCP Port and I cannot locale it, I have created log firewall rule: chain=forward action=log protocol=tcp dst-port=449 log=yes log-prefix="MALWARE" after a few days I have exported log to file, and when I search any "MALWARE" tex...

zuku

problem resolved, I configured as Radius Client Mikrotik with native Vlan IP address, and should configure in on new vlan101 IP address, after change NPS is working.

zuku

Hi, I'm using Windows NPS as Radius to authenticate VPN users by domain controller. I just moved my DC on VLAN, and now I cannot authenticate users: "user ... authentication error, radius timeout" Radius stats give me 35 request and 35 timeout, 0 accepts. On windows 2012 NPS on firewall lo...

zuku

The easiest way to handle this is to give the computer in question a static lease and then create a separate DHCP network for that computer, as shown below: /ip dhcp-server network #this will be used by all computers except 192.168.88.229 add address=192.168.88.0/24 comment=defconf dns-server=192.1...

zuku

Yes I have in IP-->DHCp Server-->Networks configured: address, gateway and DNS servers - and every client getting this settings.
But one pc should not get DNS IP - how could I do this?
This PC is blocked for standard user so anybody cannot change IP settings.

zuku

Hi,
I have DHCP server configured using static reservations, I need that one specified computer should get IP address but without DNS entry. Is any way to do this?

zuku

Hi, I have TP-LINK switch TL-SG2452 connected to mikrotik 6.42.11. On mikrotik I have OSPF enabled for remote networks. Once if I enable RSTP on TP-LINK switch immediately my network became unstable (I loose many pings to my lan devices, to mikrotik, and remote devices) On mikrotik I have this error...

zuku

OK, I excluded ETH10 from bridge, (bridge had ports from ETH1 to ETH10) -created in "Interface list" new list 'winbox' and added ETH10 to that list. -assigned in Neighbors-->Discovery Inerface: "winbox" -assigned in Tools-->Mac Server-->Mac Winbox Server: "winbox" resul...

zuku

Hi, I have RB2011 and would use it as switch so my ETH2 to ETH10 ports are bridged with uplink port ETH1. But now I need to have Winbox Mac address access only on ETH1 - how to do that? I have in IP-->Neighbors-->Duscovery Inerface: "WAN" (ETH1) and in Tools-->Mac Server-->Mac Winbox Serve...

zuku

I'm giving up and I'm switching to static IP addresses. The problem concern the same devices from one manufacturer - Posiflex, all they have the same etnernet card "Realtek PCIe GBE Family Controller" as I read this card is very problematic, and I think here is the problem, but for now don...

zuku

I connected laptop to vlan13 switchport T2600G and it getting IP 10.10.13.76 from windows DHCP server - it is so weird because rest of vlan devices can't do this - faulty switch? I have question, I do dhcp packet analyze with wireshark connected to T2600G switch, if I connect ethernet cable to vlan1...

zuku

I created dhcp only for testing purposes, my main DHCP is on windows domain server and there is scope for vlan13.

zuku

If I create DHCP server on vlan13, then pos terminals getting IP from DHCP, so there is problem with mikrotik relay or windows dhcp server.

zuku

My config is: Pos terminals<--------->tp-link T2600G ports with pvid 13 untagged of vlan13<---------tagged vlan13----------->tp-link TL-SG2452<--------tagged vlan13---------->vlan13 on interface sfp-sfpplus1 Mikrotik /interface vlan add comment="vlan_13 - POS - 10.10.13.0" interface=sfp-sf...

zuku

On mikrotik with ROS 6.38.7 I have configured vlan13 subnet (10.10.13.0/24) for pos terminals. On my main lan subnet (10.1.0.0) I have domain server 2012 with DHCP and scope for this VLAN13. My problem is that some POS terminals getting IP from DHCP some not, but if anyway any terminal will get it's...

zuku

strange, I removed from wlan1 interface VLAN tagging, so now are:

vlan-id=1 vlan-mode=no tag

and my guest wifi on vlan16 working now, I get proper subnet from my CCR.
Why it sould't be there vlan tagging settings, as I use vlan for that wireless network?

zuku

Be careful not to have ether1 on RB2011 part of any of bridges (if it's part of one now, you have to remove it before performing the configuration). The answer to your final question is in the text about point 2 (number 3). how can I achieve my setup without bridge RB2011 eth1 with the rest eth2-et...

zuku

My goal is: on endpoint wifi device (RB2011UiAS) have access to my CCR lan 10.1.0.0/16 on ethernet interfaces, and one separated guest wifi. so using VLAN I do: 1.on CCR lan interface I add vlan16 172.16.0.1/24, on RB2011UiAS eth1 add vlan16 172.16.0.2/24 2. on RB2011UiAS create guest wifi with vlan...

zuku

Hi, I'm looking for config advice, I have lan with main mikrotik CCR ( lan ip 10.1.0.1), one ISP, multiple switches. Now I need to add two RB2011 in two separate buildings (this is still the same lan), on every of them I need to have two WIFI networks, one with access to private lan (after radius, n...

zuku

I use notepad++ on windows 10, do you thing this is problem related to ROS 6.37.5 & 6.38 differences?
E.g import ends at very simple config like:

/ip neighbor discovery
set ether7 comment="WAN2 - DSL" discover=no

zuku

Hi, My problem is when I do export to file, and then import from file on new mikrotik (source mikrotik has 6.37.5. ROS and destination have 6.38 ROS) I can't import this config because of errors: "expected end of command (line.... column...)". If I edit this rsc file and remove this line, ...

zuku

I asked about that because I do redirect remote desktop from internet to my computers on lan, so I use 'dst-nat' with 'to-addresses' but the problem is that every PC have dynamically allocated IP, so my port forwarding rule working until pc not change its IP address. I could use a script: /ip firewa...

zuku

I have the same problem on mikrotik 6.40.9 bugfixes, my other mikrotik routers with older ROS do not have this error, I had to switch to static route to work on this router. Is any way to fix this?

zuku

I have Windows 2012 domain server with DNS and DHCP, all computers with leased IP are registered on my DNS so I have proper hostname resolution on my LAN. On DNS server as forwarder I have set Mikrotik LAN IP, and on Mikrotik I have OpenDNS servers configured. Everything work as expected but on mikr...

zuku

I have problem and don't know how resolve it. I need sometimes to copy files around 80-100MB between two sites with Mikrotik routers on both side. On Main site I have fiber 100mbit/s and on remote fiber 50mbit/s. When I start copy files using SMB protocol between shared folder from main site to shar...

zuku

Hi, I have configured standard Tunnel site-to-site IPSEC connection: Src.Address=172.16.8.0/24 Dst.Address=192.168.0.0/24 Protocol=255 (all) everything works OK, full access between these two LAN, but I need to filter this connection that remote network 192.168.0.0 could connect to my network only o...

zuku

ahh good that you mentioned this Queue is creating only when client is connected, and now when client is connected in Simple Queues I have pptp-profile queue with order number 0 (don't have anything else here). So will test this setup and will you know. thanks.

zuku

I don't see anywhere in "Queues" any automatically created PPP queue, I have like this:
- Simple Queues is empty
- Interface Queues:

-Queue Tree - empty
-Queue Types:

I don't use fastrack.

zuku

I have configured PPTP profile ans set here rate-limit

but when client is connected it's getting full bandwidth of my WAN connection:

My ROS is 6.37.5. How could I troubleshoot this issue?

zuku

Hi, I have already configured on mikrotik couples of IPSEC tunnel VPNs, one of them have destination subnet 192.168.1.0/24 now I need to connect new customer and they have the same local subnet 192.168.1.0/24 as my other VPN already configured. Can I simply create new Peer and new Policy with the sa...

zuku

Hi, I'm trying to do full active failover between my branch office and HQ main office, mikrotiks on both side have two WANs and on this WANs are running ovpn tunnels. Now I had to do setup to prevent any failure of any WAN on both sides, no matter which WAN fail connection should switch to other, so...

zuku

but on this second WAN used for port forwarding this block of 16 Public IP are used only for forwarding nothing more so I don't use NAT (masquerade) on these addresses.
So should I use NETMAP or something to do 1:1 translation ?

zuku

yes I understand how it works, but wonder how could this work earlier through my linux box which was part of my mikrotik LAN subnet, it has 10.1.0.36 address, and it's own WAN and on this WAN do port forwarding even for remote subnets https://s26.postimg.org/b5r9qnrs9/Untitled_Diagram.jpg I added to...

zuku

hmm before I connected WAN2 to mikrotik this link was in my linux box which do port forwarding, and with this config where 10.1.0.1 is Mikrotik LAN GW: route add -net 192.168.3.0 netmask 255.255.255.0 gw 10.1.0.1 eth0 route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.1.0.1 eth0 iptables -t nat ...

zuku

I have access to every my remote network, problem is I think with mangle because I have only this for port forward: add action=mark-routing chain=prerouting comment="PFW WAN IN -- > WAN OUT" connection-mark=WAN1 in-interface-list=Lan+ETH5 new-routing-mark=to_WAN1 passthrough=no add action=...

zuku

address 87.X.X.153 is one of 16 public addresses on my newly added WAN2 on mikrotik, every of this Public addresses will be redirected to my servers on LAN but also on remote ovpn subnets connected to my mikrotik. So let's say: 87.X.X.151 --> 10.1.0.140 (Mikrotik-Lan) this DST_NAT working 87.X.X.153...

zuku

life is not so simple, because new problems occurs :) when I do port forwarding on my WAN2 to my lan on mikrotik it works without problems, but when I need to do port forwarding to remote OVPN network I don't get connection: add action=dst-nat chain=dstnat dst-address=87.X.X.153 dst-port=3315 protoc...

zuku

so I think I can say that my problem is solved :D I've done this in Sob way (short version): /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=sfp1 new-connection-mark=WAN1 passthrough=no add action=mark-connection chain=prerouting connection-mark=n...

zuku

I deleted all mangle rules, rebooted mikrotik and voila everything start working, I have ping on WAN2 this is so strange for me because everything working without any mangle and mark rules :o even port forward on WAN2 to internal lan server working so I'm asking myself if I need these rules if every...

zuku

mangle output log with src-address as WAN2 is clear I leave it couple of minutes while pinging from outside - nothing. If I remove src-address, then I have many ICMP replies but only from my ovpn tunels and my main WAN1 - SFP1, nothing about ether8 (WAN2) 19:16:34 firewall,info output: in:(none) out...

zuku

Can you do an export of your ip route as well. sure: /ip route add check-gateway=ping distance=1 dst-address=8.8.4.4/32 gateway=x.x.x.57 routing-mark=google add disabled=yes distance=1 gateway=x.x.x.245 routing-mark=from_WAN2 add disabled=yes distance=1 gateway=x.x.x.57 routing-mark=to_WAN1 add dis...

zuku

when I enable torch o WAN2 I see that something is going on here, I see my incoming connection from 83.x.x.130, but this not shows as connection mangle mark "WAN2" https://s26.postimg.org/u9p9pbos9/torch.jpg additionally I see that counters on WAN2 prerouting increasing this time, earlier ...

zuku

RP Filter changed to "no" or "loose" but still can't ping WAN2 IP, any "WAN2" connections marks doesn't show in mikrotik firewall connections while pinging. Remote IPSEC networks doesn't have access to my server, it's java based application on this server, application l...

zuku

Yes, link that I'm trying connect as WAN2 working for 100% I switched it to my other tp-link router and everything works there.
Now I see in IP --> setting that I have RP filter - Strict .
My IPSEC are in tunnel mode, and my OVPN tunnels have OSFP so do not have any route roules.

zuku

OK so I have changed setup with yours, and even rebooted mikrotik: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=sfp1 new-connection-mark=WAN1 passthrough=no add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether8...

zuku

I giving up with this, because even this first rule: add action=mark-connection chain=input connection-mark=no-mark in-interface=ether8 new-connection-mark=WAN2->ROS passthrough=no should show on firewall connections connection mark "WAN2->ROS" when I ping mikrotik to WAN2 from outside, bu...

zuku

I'm done with tutorial I can't add this load balancing part: add chain=prerouting connection-mark=LAN->WAN src-address-list=LAN action=mark-routing new-routing-mark=to_WAN1 comment="Load-Balancing here" because then all my ovpn tunnels disconnecting and I loose connectivity with my remote ...

zuku

could anyone help me with that?

zuku

I've changed my setup with this provided on Tomas Kirnak presentation: add action=mark-connection chain=input comment="WAN1 IN -- > WAN1 OUT" in-interface=sfp1 new-connection-mark=WAN1 passthrough=no add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=to_WAN1 passthr...

zuku

Hi, I'm trying to add to mikrotik second WAN, because ISP gave me on this WAN link another subnet block of 16 Public IP addresses, these IP should forward for my internal services on LAN, but now I'm stuck with problem even accessing my mikrotik through this second WAN, if I figure this out then wil...

zuku

@boldsuck it's small problem that not all my customers have public IP so I don't know every IP they have, and I have also staff members connecting to SSH services. At the beginning I had whitelist firewall rule with all safe known IP and this rule was before my firewall DST-NAT rule that allowing an...

zuku

I have RDS server my customers connecting to it on standard port, but I have so many scans on it and brute force attacks, so I added add to src-list and then block too many login attemps: add action=drop chain=forward disabled=yes \ dst-port=3389 log-prefix=RDP protocol=tcp src-address-list=rdp_ssh_...

zuku

Hi, I have redirected RDS users to connect to non-default 3345 port to my mikrotik and then forwarded to standard port 3389 on internal RDS server. Now my question is how to block users connecting to standard 3389 and allow these connecting to changed 3345 port, because every of them finally going t...

zuku

21:10:16 firewall,info MAIL-ADM dstnat: in:sfp-sfpplus1 out:(none), src-mac 74:d0:2b:2c:24:4d, proto TCP (SYN), 10.1.1.12:51238->X.X.X.60:1005, len 52 So if connection flow would really be: LAN [sfp-sfpplus1] -> WAN [sfp1] {DST-NAT}- > DMZ [ETH5], then originating interface would be in:sfp1 [wan] ?

zuku

Sob you told me earlier that if my LAN users go to my webmail server on DMZ using FQDN so Public WAN IP, then data flow is like: LAN [sfp-sfpplus1] -> DMZ [ETH5] I can't agree with you, because when I'm trying access from LAN to webserver on DMZ to its management port let say: http://mail.mydomain.c...

zuku

if You could a look at my firewall rules, I had to give some forward drop rules e.g. Facebook, MalwareDrop,Youtube.. on top of other forward allow rules because if these were below they didn't worked: 0 ;;; block: DMZ invalid chain=forward action=drop connection-state=invalid log=no log-prefix="...

zuku

have problems with this setup, after enabled rule: 61 chain=forward action=drop log=no log-prefix="" I have lost on connection with my remote connected IPSEC networks, so I added: 16 ;;; dmz: allow from LAN to remote networks chain=forward action=accept src-address=10.1.0.0/16 dst-address-...

zuku

so It's time to deploy this scenario, and we will see how it goes.
Thanks Sob I have rated your profile

zuku

First of all, even if LAN users will catch mail server thru Mikrotik WAN IP I want that all traffic stay locally on router not go out to internet and then return. Something is unclear to me, if I point on domain DNS or Mikrotik DNS https://mail.mydomain.com to x.x.x.60 then traffic will flow like th...

zuku

Hello, I need your advice about mikrotik configuration like NAT, DMZ, Firewall for internal mail server. Here is how it's looks: LAN - 10.1.0.0/16 [SFp-sfpplus1] DMZ - 10.10.14.0/24 [ETH5] Mail server - 10.10.14.10 Domain server - 10.1.0.190 WAN - [sfp1] WAN aliast IP x.x.x.60 Mail server will be ac...

zuku

ohh "Interface list" I didn't see this before, now it's all clear, but digging little more into this, could be this done using jump feature in firewall chain, like here:? chain=forward action=jump jump-target=vpn src-address=192.168.10.0/24 log=no log-prefix="" chain=vpn action=d...

zuku

I have simple question how in firewall drop forward source subnet 192.168.10.0/24 except two outgoing interfaces ETH7 & ETH8 ? I can configure rule with exclamation "!" Out Interface and can choose only one interface here, and if I divide this rule into two chains so one chain will hav...

zuku

Hi, I have two ovpn client interfaces, first going thru default route this mean WAN1, but second should go thru WAN2, I don't know how to configure prerouting and output for routing mark, when I configure like this: ;;; openvpn not ready chain=prerouting action=mark-routing new-routing-mark=ovpn pas...

zuku

unfortunately your suggestion didn't help, I reconfigured IPSEC that is applied on Gre interface between twho sites to have protocol=47 but when IPSEC is down on remote site so near gre interface there isn't "R" statement sow gre is down, then I can't connect from main site to remote site,...

zuku

heh looks better now, even If I force down IPSEC between sites, with protocol=gre I can access remote from main site,
but is a little problem, pings from MainSite To Remote not working, so I can't checking if on remote WAN is UP is any remedy for that?

zuku

Hi, between my MainSite and RemoteSite I have configured backup gre link, on this link is applied IPSEC with transport mode so src-address is MainSite IP dst-address: RemoteSite IP and vice-versa and protocol=all. And because this setting "protocol=all" I have problem accesing Remote site ...

zuku

Hello, I have standard config from Wiki PCC (but without any load balancing) but I can't access mikrotik from second WAN, so if WAN1 is default then I can't ping and connect to mikrotik WAN2 interface, when WAN2 is default then I can't ping and winbox connect to it's WAN1. WAN1 is SFP1, WAN2 is ethe...

zuku

I had to connect my part of lan (second building) using EOIP tunnel, so I have created PPTP server on main mikrotik, and PPTP client on remote, and created on that EOIP tunnel, then on two sites I added LAN interfaces and eoip interfaces to bridge. So in bridge LAN is root port and eoip is designate...

zuku

I need to provide the same addresses from LAN subnet for some users because they don't have configured to use "default gateway on remote network" in theirs VPN connections, and without that I can't provide for them other subnet because it won't work. For the rest, separate scope (subnet) i...

zuku

So how have I reconfigure NPS and Mikrotik that users connecting using L2TP getting their IP from DHCP server?
When they are at work and connecting locally to the LAN they getting IP from DHCP (Windows Server).

zuku

Hello, I have VPN L2TP domain users which are authenticated by Windows Server 2012 NPS (Radius), so I don't have profiles for them created in Microtik but these users are in Windows Security Group then this group have access to Specified IP Pool from Mikrotik. Mikrotik have proxy-arp enabled on LAN ...

zuku

thanks for answer,
If I would switch dhcp from windows server to mikrotik, if mikrotik DHCP server will be authorized in AD so any client IP change will change IP in domain DNS?

zuku

Hi, I use Mikrotik as router gateway, DHCP server is on Windows 2012 R2 - here I have configured clients based on Allow filtr where all allowed MAC are here. Now I need to find any way to block all non dhcp clients with static IP configured. I know that i can enable ARP reply-only on mikrotik interf...

zuku

I know how to reach Userman,
I simply don't want to access my mikrotik by WWW WebFig, because after Userman installation I had to enable www services. So now administration access is also throught www - I don't need this, I'm using only standard Winbox App.

zuku

I have installed Userman package because I will start my hotspot system, so I have to enable in IP-->Services WWW.
OK everything working but now I have also access to my router trought http://mikrotik_ip
Hot to disable completely Winbox HTTP but have Userman working?

zuku

Hello, I have on mikrotik ROS 6.32.1 L2tP w/Ipsec server configured with keepalive timeout = 30, now I have configured profile for it named l2tp-profile inside I have option Idle Timeout - 10m. Also I use remote authorisation server NPS Radius on W2K server for Domain Users, and there I have also in...

zuku

but I have on top of my firewall:

 chain=input action=accept connection-state=established,related log=no log-prefix=""

zuku

yes, I have already many firewall input access rules already configured like icmp, ipsec, gre, nat-t, remote winbox access, so is better for me I thing to allow what I need, and for the end block everything else. I discovered on other mikrotik when the configuration is the same but only with one WAN...

zuku

I have Dual WAN setup (WAN7 & WAN8) with firewall at the end with statement: chain=input action=drop log=no log-prefix="" so I could not use something like that: chain=input action=accept protocol=udp in-interface=!ether8 dst-port=53 log=no log-prefix="" chain=input action=ac...

zuku

I have two sites: -site A with LAN 192.168.5.0 -Site B with 10.50.0.0 on site B there is mikrotik and here is also other LAN with address 192.168.1.0 for wifi clients. Now beetwen site A and B there is ipsec tunnel (192.168.5.0-10.50.0.0) I don't have access to site A router, how configure mikrotik ...

zuku

Hello, I would ask why DHCP server configured on VLAN interface when DNS Server is configured as this VLAN interface gateway not work? e.g. I have VLAN subnet 172.16.10.0/24 with dns-server configured as 172.16.10.1 (vlan gateway), I have in in IP-> DNS entry with google 8.8.8.8, 8.8.4.4 dns and all...

zuku

Need advice, I would filter subnet 10.2.0.0/24 to have access only to 3 PC from subnet 192.168.10.0/24 and should have nternet access, so I created address list with these 3 PC: /ip firewall address-list add list=NAS address=192.168.10.12 add list=NAS address=192.168.10.13 add list=NAS address=192.1...

zuku

Hi, here are my data: mikrotik ccr1009 with newest ROS 6.32.3 I need to create IPIP tunnel between Router_A_ISP1 and Router_B_ISP2, so I have on Router_B where are connected two WAN's, mangle: chain=input action=mark-connection new-connection-mark=WAN1 passthrough=no in-interface=sfp1(WAN1) log=no l...

zuku

Hi,
I have configureg L2TP IPSEC server for windows clients, but local address and pool for PPTP profile have other addressing than my LAN interface. Now when is connected I can't get ping my LAN computers.
Windows client have Split tunneling Enabled so there is no gateway on LT2p interface.

Search found 110 matches