Community discussions

Search found 119 matches

by Larsa
Tue Feb 12, 2019 9:07 pm
Forum: Useful user articles
Topic: Using Splunk to analyse MikroTik logs 2.7 (Graphing everything) Topic is solved
Replies: 234
Views: 74094

Re: Using Splunk to analyse MikroTik logs 2.6 (Graphing everything) Topic is solved

Not sure if I could help with this. But when you have a lot of data, it's sometimes better to do a summary index that is based on, for example, 1 hour reports. Then you get less data to search through. I do recommend that you start a thread about your problem over here: https://answers.splunk.com/index...
by Larsa
Mon Feb 11, 2019 12:35 pm
Forum: General
Topic: SXT LTE Kit (R11e-LTE) - to lock on 3G 900Mhz
Replies: 8
Views: 1283

Re: SXT LTE Kit (R11e-LTE) - to lock on 3G 900Mhz

We operate LTE as backup in some rural areas and always force the CPE to utilize 800/900 MHz since the higher frequency bands are much too sensitive to trees, rain and snow over longer distances and when you don't have LIS.
by Larsa
Mon Feb 11, 2019 12:04 pm
Forum: Useful user articles
Topic: Using Splunk to analyse MikroTik logs 2.7 (Graphing everything) Topic is solved
Replies: 234
Views: 74094

Re: Using Splunk to analyse MikroTik logs 2.6 (Graphing everything) Topic is solved

Since I'm not a Splunk expert I wonder if anyone has some bright ideas how to optimize Splunk / Mongodb? We have about 15.5 million entries and the reports are getting really slow to produce. In a regular SQL database you can run a "Query Execution Plan" and then add indexes to columns that performs...
by Larsa
Sat Jan 19, 2019 10:33 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

According to firehol Linux ipsets are affected only by the number of different subnets ". I suppose this also applies to RoS since it utilizes iptables, right?? " If you are going to use this IP list as a blocklist / blacklist at a firewall, its size can be important for the performance of the firewa...
by Larsa
Fri Jan 18, 2019 8:35 pm
Forum: Wireless Networking
Topic: LTE modems - Compatibility list?
Replies: 4
Views: 733

Re: LTE modems - Compatibility list?

Not sure how many operators will actually upgrade to Cat-12. 5G r15 will be released in April and initial tests start sometime this summer near where I live.
by Larsa
Tue Jan 15, 2019 3:59 pm
Forum: General
Topic: v7 routeros
Replies: 12
Views: 3163

Re: v7 routeros

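Sorry, this forum is in English. RouterOS v7 is under development. It is a good idea to try to work around the current limitations of the x86 version with CHR.

I didn't even know you could speak fluent Korean. You are a truly versatile artist! :-D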
by Larsa
Mon Jan 14, 2019 11:55 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

Thanks for the info and walk of shame for me :oops: If one cares to read carefully, it's actually stated in clear text regarding firehol_level1

"To accomplish this, we include the following IP lists:
. . .
spamhaus drop and edrop - Don't Route Or Peer IPs
. . .

"
by Larsa
Mon Jan 14, 2019 11:24 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

Yeah, hope they plan to do something about it or create a more manageable/flexible solution in the future. How many lines (give or take) is the end result? I'm wondering since I'm interested to use the Spamhaus drop/edrop "real-time" lists. Will the total aggregate work on a CCR do you think? My CC...
by Larsa
Mon Jan 14, 2019 11:11 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

Absolutely brilliant, altering the block-rules is of course the fastest and most secure way to do it! :idea: Why didn't I think about it myself! :lol: Now I only need to perform some tests to figure out the actual storage limitation on a CCR as I need room for both current and new lists simultaneou...
by Larsa
Mon Jan 14, 2019 10:19 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

Any thoughts about a secure way to update the address list online that doesn't take forever? The wipe and clean method is highly insecure because of the lengthy import times that are directly related to the huge import volumes. Btw, what lists are you using from FireHOL ( iplists.firehol.org ) ? why not...
by Larsa
Mon Jan 14, 2019 9:43 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

Any thoughts about a secure way to update the address list online that doesn't take forever? The wipe and clean method is highly insecure because of the lengthy import times that are directly related to the huge import volumes. Btw, what lists are you using from FireHOL ( iplists.firehol.org ) ? Until ...
by Larsa
Mon Jan 14, 2019 9:21 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

I remember seeing somewhere that addresslist can be fed a dns and it will do resolution on its own (basically keeping itself updated) Documented (a big word for just small syntax note) in the meantime: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list Thanks for the tip but unfortuna...
by Larsa
Mon Jan 14, 2019 7:23 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

Thanks! :) Regarding MT blocking capabilities, I take it you've been there, done that and found the bitter dead end! :lol:

Besides MT, did you solve it any other way?
by Larsa
Mon Jan 14, 2019 7:10 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

@anav: I have absolutely no opinion about MOAB since I really don't know anything about it :!: and furthermore it's not the subject of this discussion. With respect, please keep focus to my original question regarding how to manage problems related to huge address lists in RoS, etc. Many thanks in a...
by Larsa
Mon Jan 14, 2019 6:36 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

Any thoughts about a secure way to update the address list online that doesn't take forever? The wipe and clean method is highly insecure because of the lengthy import times that are directly related to the huge import volumes.

Btw, what lists are you using from FireHOL (iplists.firehol.org) ?
by Larsa
Mon Jan 14, 2019 6:24 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Re: Firewall: dynamic ip lookup instead of static address list?

Insofar as ip address lookup within the firewall (with eg DNSBL check) --- IMO that would impose a significant performance hit plus setting something like that up locally requires significant time and resources adding another point of failure. Well, IMO some few ms really doesn't really matter duri...
by Larsa
Mon Jan 14, 2019 5:15 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1199

Firewall: dynamic ip lookup instead of static address list?

Is there any way to use some kind of "dynamic" ip address lookup within the firewall (with eg DNSBL check) instead of using the built-in static address lists? The objective is to move out all the static address lists to a server since they've grown too big for RoS. Background to my question is...
by Larsa
Wed Nov 21, 2018 5:45 pm
Forum: RouterBOARD hardware
Topic: LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]
Replies: 3
Views: 977

Re: LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]

Excellent thank you!
by Larsa
Wed Nov 21, 2018 1:51 pm
Forum: RouterBOARD hardware
Topic: LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]
Replies: 3
Views: 977

Re: Product info regarding LHG LTE [SOLVED]

Any sales folks that are willing to answer questions in this forum or someone who can comment on how the product works?
by Larsa
Tue Nov 20, 2018 10:27 am
Forum: RouterBOARD hardware
Topic: LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]
Replies: 3
Views: 977

LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]

The LHG LTE kit ( https://mikrotik.com/product/lhg_lte_kit ) looks promising. Some questions I couldn't find info about from the product page: 1. Can someone please supply somewhat more detailed info regarding the antenna characteristics like radiation patterns as lobe angles, mimo, etc. Doesn't nee...
by Larsa
Mon Nov 12, 2018 10:11 am
Forum: Announcements
Topic: Newsletter 85
Replies: 30
Views: 9950

Re: Newsletter 85

The LHG LTE kit (with a high gain 17dBI parabolic antenna) looks really promising. A few questions though: 1. Where can you find more detailed info regarding the antenna characteristics like MIMO, radiation patterns as lobe angles, etc. Doesn't need to be precise, a general description will do. 2. ...
by Larsa
Fri Aug 31, 2018 3:22 pm
Forum: RouterBOARD hardware
Topic: RB922UAGS-5HPacD/RBM33G+R11e-5HacD comparison: which one should I use?
Replies: 6
Views: 908

Re: RB922UAGS-5HPacD/RBM33G+R11e-5HacD comparison: which one should I use?

I was more thinking about the actual routerboards. This is for a LTE-solution with 18 dBi tube mimo antennas. I'm a bit concerned about the 16MB flash on RBM11G and if it in any way will force ROS to run in a limited way?
by Larsa
Wed Aug 29, 2018 7:40 pm
Forum: RouterBOARD hardware
Topic: RB922UAGS-5HPacD/RBM33G+R11e-5HacD comparison: which one should I use?
Replies: 6
Views: 908

Re: RB922UAGS-5HPacD/RBM33G+R11e-5HacD comparison: which one should I use?

I was thinking about the same. Which did you pick?
by Larsa
Mon Jun 25, 2018 8:21 pm
Forum: General
Topic: Format of certificate "subject-alt-name" ? [SOLVED]
Replies: 3
Views: 1087

Re: Format of certificate "subject-alt-name" ? [SOLVED]

Many thanks, exactly what I was looking for!
by Larsa
Sun Jun 24, 2018 8:36 pm
Forum: General
Topic: Format of certificate "subject-alt-name" ? [SOLVED]
Replies: 3
Views: 1087

Re: Format of certificate "subject-alt-name" ? [SOLVED]

Anyone? Any ideas are welcome!
by Larsa
Sun Jun 24, 2018 11:09 am
Forum: General
Topic: Format of certificate "subject-alt-name" ? [SOLVED]
Replies: 3
Views: 1087

Format of certificate "subject-alt-name" ? [SOLVED]

Can someone please point out where the various formats for certificate "subject-alt-name" (IP, DNS, etc) are defined and how to add multiple alternative names? Didn't manage to find any detailed info regarding this in the wiki...
--

Thanks in advance!
by Larsa
Wed Jun 20, 2018 8:50 pm
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 1032

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Yes indeed!

Rumors say some of the co-workers got very puzzled when their personal hotspot stopped working but were still able to use their laptop on the same connection.
by Larsa
Tue Jun 19, 2018 12:06 pm
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 1032

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Well, the regular access is somewhat limited because of previous misuse and someone got the brilliant idea to bypass that limitation. So I'm not quite convinced regarding the business case this time! :lol:
by Larsa
Mon Jun 18, 2018 4:28 pm
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 1032

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Well, it's good enough to prevent a "normal" ad hoc installation and not for the professional villain with deeper technical knowledge :-)
by Larsa
Mon Jun 18, 2018 11:23 am
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 1032

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Excellent, thanks for the pointer! Since it's "flat switched" (like the term btw ;-) it should probably work in this case.
by Larsa
Mon Jun 18, 2018 10:57 am
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 1032

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Thanks, I'll try TTL to start with!

Any suggestion on a decent value to start filtering on? Btw, is the internal TTL translated/terminated in src-nat and gets another TTL on the outbound side?
by Larsa
Mon Jun 18, 2018 10:22 am
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 1032

Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Is there any way to prevent people from setting up "personal hotspots" using SMHO WiFi-routers on an enterprise office network? Presume the SOHO-router is assigned a correct ip-address from corporate DHCP-server and is using its own src-nat, is there a way to detect and block these kinds of connectio...
by Larsa
Tue Jun 05, 2018 5:55 pm
Forum: Announcements
Topic: MikroTik News June 2018 (Issue #83)
Replies: 44
Views: 13714

Re: MikroTik News June 2018 (Issue #83)

A reflection regarding the "new" LTE SXT. What purpose does higher speeds have if the downlink still just is 100 Mbit?

Please give us a LTE CAT6 SXT with a MIMO pointing antenna + GbE downlink. Thanks ;-)
by Larsa
Tue Apr 17, 2018 12:22 pm
Forum: Announcements
Topic: Future of LTE products, user feedback requested
Replies: 86
Views: 19990

Re: Future of LTE products, user feedback requested

First of all, please make the transceiver module exchangeable thus do not limit the solution to some specific bands. In that way we can future-proof our customer installations for emerging transmission technologies only by replacing the transceiver module. Think a SXT LTE with a M2 or PCI-SIG compat...
by Larsa
Wed Dec 13, 2017 4:26 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Thanks for the thorough answer and hands-on guidance is always much appreciated as well!
by Larsa
Tue Dec 12, 2017 11:08 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

dead peer detection should be enabled by default (interval 120 tries 5)

Normally, you set stuff like DPD and Lifetime using the ipsec peer config but what settings are used for the GRE dynamic IPSec tunnels? The GRE Wiki seems pretty brief (or actually completely empty) on this subject ...
by Larsa
Tue Dec 12, 2017 10:10 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Don't do it that way! Delete the IPsec Peer and Policy you have now, create a GRE interface, specify source and destination address (the public IPs of the routers) and set an IPsec secret. Then put a /30 network on the GRE interfaces (e.g. 10.0.0.1/30 and 10.0.0.2/30) and route the networks on each...
by Larsa
Tue Dec 12, 2017 7:20 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Sorry for the delay- I was a bit more than just busy. So I tested everything again and it is definitely working and I am passing traffic through the tunnel. What I noticed is that the tunnel breaks if one or both of the routers do not have a default route. That was new to me too. -Chris Chris, than...
by Larsa
Tue Dec 12, 2017 7:16 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Packet flow diagram will illustrate why you need route for destination even if gateway of that route will not be used: https://wiki.mikrotik.com/images/6/68/IpsecFlow.png So if I understand it correctly, then the only way to set the outbound address of the tunnel is to control pref-src by for exampl...
by Larsa
Tue Dec 12, 2017 6:40 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Now you mention it... that makes sense. Thanks.
And I second the proposal for GRE/IPsec
-Chris

I concur, but even if you put GRE/L2TP on top of the tunnel you'll probably get the same issue with the outbound address as before...
by Larsa
Fri Dec 08, 2017 12:00 am
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Sorry, but I forgot to mention that the tunnel gets established but cannot pass any packets since the remote peer gets pref-source from the sending side as the return address i.e outbound address = pref-source. If possible, please enable logging for protocol 50 (ESP) and check for the same behavior....
by Larsa
Thu Dec 07, 2017 2:28 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Not back in the office, but I have an idea to check in the mean time: Do you have any masquerade rules configured in /ip firewall nat? I could bet you have. Masquerade always uses the lowest address on the interface, no matter what is defined beforehand. Convert this rule to src-nat (and to-address...
by Larsa
Thu Dec 07, 2017 1:04 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Dumb questions -just to be sure: Did you specify that desired address as local-address in the peer definition? Is that address actually really assigned to the router? I have a couple of IPsec tunnels running here with multiple WAN addresses and they're running just fine as expected... -Chris Our tu...
by Larsa
Thu Dec 07, 2017 12:33 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

You need to set the "preferred source" on the route - it will set the outbound router ip address. Ok, so if I understand you correctly pref-source is the only way you can control the outbound address for an IPsec tunnel. So in case you have a "/29" subnet defined for your WAN, then you need to assign...
by Larsa
Thu Dec 07, 2017 12:05 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Instead of a direct IPsec tunnel, use GRE over IPsec or L2TP over IPsec to establish a tunnel, and route your LAN traffic via that tunnel. That will end all your problems with NAT avoidance etc. Hi! Thanks for the suggestion, but in this case it's not the NAT avoidance that is the main issue, but r...
by Larsa
Wed Dec 06, 2017 11:16 am
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outgoing subnet address on WAN? [SOLVED]

Any suggestion how this can be solved?
by Larsa
Tue Dec 05, 2017 6:54 pm
Forum: General
Topic: Outbound Port 25
Replies: 8
Views: 1512

Re: Outbound Port 25

I recommend you skip the router and hook up a PC directly to the WAN port where you have your mail server. If you are using Windows download nc.exe and then run an outbound test using: C:\> nc -v smtp.gmail.com 25 gmail-smtp-msa.l.google.com [64.233.161.108] 25 (smtp) open 220 smtp.gmail.com ESMTP w...
by Larsa
Mon Dec 04, 2017 9:47 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Re: Setup IPSec to use specific outgoing subnet address on WAN? [SOLVED]

I have picked a number off the 5 of a block and it works fine. Well, that's what we tried. But the outbound ip address always defaults to Pref Source i.e first usable address in the subnet. Since you have to use "accept srcnat Src.Addresse Dst.Adresses" as the first entry to bypass any further NAT-t...
by Larsa
Mon Dec 04, 2017 8:36 pm
Forum: General
Topic: Outbound Port 25
Replies: 8
Views: 1512

Re: Outbound Port 25

It's quite normal nowadays that operators block outbound smtp port 25 on consumer connections to prevent spam-bots. Test outbound port 25 using Netcat (nc) with verbose and debug flags (usually -D and -v) from a computer connected directly to the WAN-port. For example use the following command line: ...
by Larsa
Mon Dec 04, 2017 6:48 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2204

Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Is it possible to set up an IPSec tunnel to use a specific public address on a WAN interface that consists of a "/29" subnet (i.e any of the 5 public IP addresses) ? I'm asking since we had some issues with IPsec and the only way to resolve the problem was to pick the lowest address from the public...
by Larsa
Sun Mar 12, 2017 11:26 am
Forum: Scripting
Topic: Generate random users in hotspot
Replies: 3
Views: 660

Re: Generate random users in hotspot

Ya i really do .... life continue anyway ..
Yeah, it sure does! Hope you soon will have peace so you can continue your life and business in prosperity. And maybe you can ask MikroTik for a big discount while doing so! :D

Good luck!!
by Larsa
Sat Mar 11, 2017 6:20 pm
Forum: Scripting
Topic: Generate random users in hotspot
Replies: 3
Views: 660

Re: Generate random users in hotspot

Great script, thanks! Wow, you actually live and run a WISP in Mosul/Iraq ?? Brave man! :-)
by Larsa
Fri Mar 10, 2017 12:19 am
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 43998

Re: CIA exploits against Mikrotik hardware

https://www.linkedin.com/pulse/cia-hack ... craig-dods
"Due to unforeseen circumstances, the technical details of this article have been removed" appeared really, really fast!!
Well, in these cases archiving service is your best friend: http://archive.is/ecWw0
by Larsa
Mon Feb 27, 2017 10:37 am
Forum: General
Topic: Hairpin nat weirdness
Replies: 24
Views: 2855

Re: Hairpin nat weirdness

Main problem is source ip of hairpined connection, all these connects coming with router ip and i'm unable to understand who is connected. This is by design when using hairpin-nat , i.e. source ip is always the router interface. If you try to explain what you are trying to accomplish, it might be e...
by Larsa
Sat Feb 25, 2017 6:07 pm
Forum: General
Topic: Hairpin nat weirdness
Replies: 24
Views: 2855

Re: Hairpin nat weirdness

i just want to have access to nated ports via external_ip:port from my lan without masquerading like in any other routers Ok. But you still need to masquerade the external wan traffic, right? So, what's the difference to masquerading the internal traffic as well. I mean, all traffic still needs to ...
by Larsa
Sat Feb 25, 2017 7:58 am
Forum: General
Topic: Firewall rules
Replies: 9
Views: 1016

Re: Firewall rules

Sorry, but a hidden SSID adds no extra security and MAC address can easily be spoofed as pointed out earlier. Use WPA2/AES and choose a password with at least 10 long and mixed characters. In case you need even stronger security you can utilize WPA2-Enterprise with certificates using PEAP/TTLS, (i.e. ...
by Larsa
Sat Feb 25, 2017 12:21 am
Forum: General
Topic: Hairpin nat weirdness
Replies: 24
Views: 2855

Re: Hairpin nat weirdness

Just curious, why do you want to NAT the internal traffic?
by Larsa
Thu Feb 23, 2017 5:15 pm
Forum: General
Topic: Hairpin nat weirdness
Replies: 24
Views: 2855

Re: Hairpin nat weirdness

In short, use-ip-firewall=yes makes bridged traffic behave very differently from switched traffic. Yeah, it's basically like forcing the firewall to manage all ethernet traffic to the bridge. When using "use-ip-firewall=no", all traffic will be transferred directly between the bridge ports in the s...
by Larsa
Thu Feb 23, 2017 3:42 pm
Forum: General
Topic: Hairpin nat weirdness
Replies: 24
Views: 2855

Re: Hairpin nat weirdness

But i still can't understand why I can access nated ports in my wired connected pc from laptop via wifi or from vpn without hairpining? Yes, it's possible. See one example down below. Basically you have two choices which are not specifically related to Mikrotik: 1. Use routing for the internal netw...
by Larsa
Sat Feb 18, 2017 2:58 pm
Forum: General
Topic: CCR1009/RB3011, recommended settings for best VPN performance?
Replies: 7
Views: 2392

Re: CCR1009/RB3011, recommended settings for best VPN performance?

That's easier then. Use AES over DES. 3DES is notoriously slow in software, and it's unlikely to be optimized in hardware. As far as 3011 support, it does not seem to be in the firmware suite yet, despite being a capability on the chip: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_encrypt...
by Larsa
Fri Feb 17, 2017 11:01 pm
Forum: General
Topic: CCR1009/RB3011, recommended settings for best VPN performance?
Replies: 7
Views: 2392

Re: CCR1009/RB3011, recommended settings for best VPN performance?

So if I understand it correctly, by using HW acceleration on a CCR you may instead encounter a reorder problem? Yay! :-) Unfortunately I didn't find anything on the RB3011...
by Larsa
Fri Feb 17, 2017 9:15 pm
Forum: General
Topic: CCR1009/RB3011, recommended settings for best VPN performance?
Replies: 7
Views: 2392

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Well, of course we want to have encryption. ;-) But what I was wondering about is what type of encryption algorithm (e.g. DES, AES, etc) that would be most efficient in terms of hardware acceleration in order to get the highest possible speed without too much load on the main processor on a RB3100 co...
by Larsa
Fri Feb 17, 2017 3:12 pm
Forum: General
Topic: CCR1009/RB3011, recommended settings for best VPN performance?
Replies: 7
Views: 2392

CCR1009/RB3011, recommended settings for best VPN performance?

Can anyone please recommend the best possible vpn protocol type and encryption algorithm that possibly can utilize hardware acceleration on CCR1009 <=> RB3011 (Ros 6.37.4) to obtain maximum VPN performance. They are hooked up with SFP to a 500 Mbit fiber line...

Thanks in advance!
by Larsa
Mon Feb 13, 2017 9:49 pm
Forum: Virtualization
Topic: HOWTO: Dual-booting RouterOS and OpenWRT on RouterBoard
Replies: 20
Views: 11950

Re: HOWTO: Dual-booting RouterOS and OpenWRT on RouterBoard

I posted an update to the MIPSBE architecture patches with the following changes... Nathan Hi Nathan! I'm currently working on a 4.9 kernel for the B2011UiAS and I wonder if " http://www.nconx.com/~nathan/openwrt-rb_mipsbe/kamikaze-rb_mipsbe-2.6.35.txz " might be the latest available patchset? Btw,...
by Larsa
Mon Feb 13, 2017 9:46 am
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208272

Re: Feature requests

RFC 3021
What about this workaround? http://forum.mikrotik.com/viewtopic.php?t=7367#p32149. You might even save some addresses...
by Larsa
Sat Feb 11, 2017 6:42 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208272

Re: Feature requests

Btw, are there currently any big showstoppers in regards of bugs or missing features that would actually force people to pick other vendors even if they preferred MT?
by Larsa
Sat Feb 11, 2017 6:15 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208272

Re: Feature requests

The trouble with working prototypes is that while you can create one in couple of days, you then need couple of months to turn them into something you can share with others, and much more if you want to reliably tackle all corner cases. I imagine there are quite a few in something with RouterOS siz...
by Larsa
Sat Feb 11, 2017 1:22 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208272

Re: Feature requests

Nice list, but you have to ask yourself - do you want to see RouterOS v7 before or after 2020? ;) Well, most definitely not before 2020 if they choose to develop everything from scratch. :lol: It's actually possible to create a working prototype with most of the features from the wishlist on a smal...
by Larsa
Sat Feb 11, 2017 2:19 am
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208272

RoS v7 wishlist

RoS v7 wishlist 2017-02-11 I’m rather new to the MT-world since about a year ago and it’s probably way too late to influence R&D at this stage but anyhow, here is my wish list for v7: - A good object oriented scripting language with a small “footprint” for embedded system such as Lua (eLua), Python,...
by Larsa
Sat Feb 11, 2017 1:00 am
Forum: General
Topic: Loopia dynamic DNS
Replies: 7
Views: 923

Re: Loopia dynamic DNS

My favourite way:
myrouter.mydomain.tld CNAME xxxxx.sn.mynetname.net
No need for any scripts or involving other parties.
Simple, yet very smart and elegant! I like :-D
Do you think it will work with resource records like SPF and DKIM too?
by Larsa
Fri Feb 10, 2017 9:59 pm
Forum: General
Topic: ROS failure rules are not accurate.
Replies: 6
Views: 1133

Re: ROS failure rules are not accurate.

Once the interface is active, then the rule will be valid. The problem with this is that it's not intuitive or expected behaviour. At all. Condition out-interface=!xxx clearly says "not interface xxx". The fact that "xxx" is inactive or unknown should not matter. If RouterOS sees that out-interface...
by Larsa
Fri Feb 10, 2017 9:20 pm
Forum: General
Topic: Loopia dynamic DNS
Replies: 7
Views: 923

Re: Loopia dynamic DNS

There's no need for those services, you have one already built in at IP > Cloud. See http://wiki.mikrotik.com/wiki/Manual:IP/Cloud Well, that's not quite the same thing. You still need a script to update the DNS server of a particular provider, Loopia in this case. I would use the free DNS-O-Matic ...
by Larsa
Fri Feb 10, 2017 5:09 pm
Forum: Scripting
Topic: Check Connections per Host (src-address) for firewall rule/address list
Replies: 7
Views: 2184

Re: Check Connections per Host (src-address) for firewall rule/address list

. . . we have troubles in our LAN with one or more hosts which randomly tries to establish 16k+ connections LAN->WAN yeah i know, the client needs to be fixed. we are on it (but it's a bit complicated because it's the CEOs laptop ... oh the irony...) . . . Trojan or/and backdoor perhaps? I would be...
by Larsa
Fri Feb 10, 2017 3:27 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208272

Re: Feature requests

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps? yes Great, any chance we'll see acl's (filter groups) as well? what is that? ACLs are IP Firewall (Filter, Mangle, NAT). what else do you need? The ability to utilize grouping of for example firewall filters is a matter of making netw...
by Larsa
Fri Feb 10, 2017 11:37 am
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208272

Re: Feature requests

Is Route-Filter equivalent (or similar) to the Cisco Route-Maps?
yes
Great, any chance we'll see acl's (filter groups) as well?
by Larsa
Thu Feb 09, 2017 10:54 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208272

Re: Feature requests

Another good one, IMHO... Route-Filters - have the ability to synchronize prefixes received/withdrew to dynamic access-lists. This gives us the ability to very easily match entire ASNs in firewall rules :) This has been requested, and confirmed by Mikrotik for routing filters in v7. Is Route-Filter...
by Larsa
Thu Feb 09, 2017 9:02 pm
Forum: Scripting
Topic: Script to Test WAN and Reset USB Power on Down?
Replies: 6
Views: 1758

Re: Script to Test WAN and Reset USB Power on Down?

I'm brand new to scripting and could use some help... . . . I've found a few improved Netwatch scripts in the wiki pages, but they're designed for failover and are just way too complicated for me to understand and therefore modify. Well, http://wiki.mikrotik.com/wiki/Improved_Netwatch_II is the way...
by Larsa
Thu Feb 09, 2017 2:18 pm
Forum: Scripting
Topic: Possible to remotely gather information on a backup link?
Replies: 0
Views: 298

Possible to remotely gather information on a backup link?

Is it in some way possible using a script in a CCR, to remotely gather information such as link status or otherwise perform a health check on a backup-link consisting of a SXT LTE or a BaseBox?

Thanks in advance!
by Larsa
Thu Feb 09, 2017 10:51 am
Forum: General
Topic: ** WE WANT A LTE BRIDGE-MODE **
Replies: 80
Views: 22554

Re: ** WE WANT A LTE BRIDGE-MODE **

If you want us to make the LTE bridge mode we need more information on the requirements for that. For example, when the LTE interface is in the bridge mode, do you need connection to the Router as well as the Router now just passes the IP from the LTE network to the ethernet host? Another business ...
by Larsa
Tue Feb 07, 2017 4:51 pm
Forum: Wireless Networking
Topic: The LTE interface, automatic support for Direct-IP without NAT?
Replies: 1
Views: 1055

The LTE interface, automatic support for Direct-IP without NAT?

Sorry for the cross-posting in http://forum.mikrotik.com/viewtopic.php?f=3&t=117944 but I wasn't sure if this question belonged to the hardware forum or not. Anyhow, here is the question again: Regarding the 4G LTE mPCIe cards found in " http://wiki.mikrotik.com/wiki/Supported_Hardware#4G_LTE_cards_...
by Larsa
Tue Feb 07, 2017 4:41 pm
Forum: RouterBOARD hardware
Topic: Minimum length of a MHF4-RPSMA pigtail for Basebox?
Replies: 0
Views: 367

Minimum length of a MHF4-RPSMA pigtail for Basebox?

What's the minimum length for a MHF4-RPSMA antenna cable to be able to connect to a 4G LTE card in the BaseBox? I've looked everywhere on routerboard.com but I couldn't find any info related to antenna cable length and there were no MHF4 pigtails for sale either.
by Larsa
Tue Feb 07, 2017 2:11 pm
Forum: RouterBOARD hardware
Topic: The LTE interface, automatic support for Direct-IP without NAT?
Replies: 0
Views: 504

The LTE interface, automatic support for Direct-IP without NAT?

Regarding the 4G LTE mPCIe cards found in " http://wiki.mikrotik.com/wiki/Supported_Hardware#4G_LTE_cards_and_modems " If you install a 4G card using the LTE interface, does it imply you have automatic support for Direct-IP or are those things totally unrelated? Regarding cards with possible built-i...
by Larsa
Tue Feb 07, 2017 12:56 pm
Forum: RouterBOARD hardware
Topic: RB suitable for high speed LTE?
Replies: 6
Views: 882

Re: RB suitable for high speed LTE?

Thank you very much, done deal! :D
by Larsa
Tue Feb 07, 2017 12:34 pm
Forum: RouterBOARD hardware
Topic: RB suitable for high speed LTE?
Replies: 6
Views: 882

Re: RB suitable for high speed LTE?

You can use the Basebox out of the box:
https://i.mt.lv/routerboard/files/baseb ... 113721.pdf

As you see, it has a SIM slot
Excellent, that was actually the solution I preferred. Any tips about where you can find info regarding which Cat-4 cards support direct-ip?
by Larsa
Tue Feb 07, 2017 12:15 pm
Forum: RouterBOARD hardware
Topic: RB suitable for high speed LTE?
Replies: 6
Views: 882

Re: RB suitable for high speed LTE?

We currently do not support any Cat6 cards, but many Cat4 work in any RouterBOARD model with miniPCIe slot and SIM slot (like the RB922). That sounds promising. A couple of more questions if you don't mind: 1. Does the RB912 in the BaseBox offer the same capabilities or is it possible to put a RB92...
by Larsa
Tue Feb 07, 2017 11:43 am
Forum: RouterBOARD hardware
Topic: RB suitable for high speed LTE?
Replies: 6
Views: 882

RB suitable for high speed LTE?

Are there any routerboards that are suitable to host high speed LTE Cat 4-6 cards, i.e. can cope with 150-300Mbps? The plan is to put together a fast fail-over solution for a customer that's running a CCR.
--
Thanks in advance!
by Larsa
Mon Feb 06, 2017 1:30 pm
Forum: RouterBOARD hardware
Topic: SXT LTE - wireless module replacement to cat 4?
Replies: 4
Views: 941

Re: SXT LTE - wireless module replacement to cat 4?

We will have LTE products soon that will have LTE modules removable or available separately, but the SXT LTE that you have, can't be upgraded that way.
Thanks for the feedback, looking forward to the new version!
by Larsa
Mon Feb 06, 2017 9:36 am
Forum: RouterBOARD hardware
Topic: SXT LTE - wireless module replacement to cat 4?
Replies: 4
Views: 941

Re: SXT LTE - wireless module replacement to cat 4?

Open it up and take a look! If you can integrate your own driver in RouterOS - no problem. I don't have one so I can have a look in the inside. I'm looking for Cat-4 solution to be used as fail-over, that's why I'm asking. Won't any of these mini-pci LTE cards work "out of the box": http://wiki.mik...
by Larsa
Sun Feb 05, 2017 3:43 pm
Forum: RouterBOARD hardware
Topic: SXT LTE - wireless module replacement to cat 4?
Replies: 4
Views: 941

Re: SXT LTE - wireless module replacement to cat 4?

They don't think like that.
Ok, is it possible to replace the wireless module?
by Larsa
Sun Feb 05, 2017 10:38 am
Forum: Forwarding Protocols
Topic: CISCO route-map equivalent
Replies: 9
Views: 2919

Re: CISCO route-map equivalent

Hi, sorry but there is no equivalent of acl's or "routing groups" aka route-map in ros, you have to set them up manually. I recommend scripting using address-lists and interface-lists for volume based number of vlans...
by Larsa
Sun Feb 05, 2017 1:56 am
Forum: General
Topic: IP-address dhcp on SVI interface
Replies: 15
Views: 1791

Re: IP-address dhcp on SVI interface

Is there a bridge or/and vlan interface assigned to port 5 or perhaps a dhcp-server that's still running on it? Maybe this can shed some more light on the problem: http://forum.mikrotik.com/viewtopic.php?t=94098
by Larsa
Sat Feb 04, 2017 10:18 pm
Forum: RouterBOARD hardware
Topic: RBSXT LTE
Replies: 59
Views: 20712

Re: RBSXT LTE

please please add Band 20 ( 800MHz ) to the SXT LTE line, it is very popular in the UK and Europe ! +1. Please. The more bands you add, the higher the licensing will be for the devices, which have to be reflected in the price as well. We all know that. However, missing widely accepted and used bands...
by Larsa
Sat Feb 04, 2017 9:44 pm
Forum: General
Topic: Mikrotik resource verify (Solved)
Replies: 8
Views: 870

Re: Mikrotik resource verify (Solved)

Well, all kinds of security measures will definitely bring MikroTik closer to the requirements that most enterprise customers have nowadays. That includes even small steps like securing the download areas...
by Larsa
Sat Feb 04, 2017 9:09 pm
Forum: General
Topic: IP-address dhcp on SVI interface
Replies: 15
Views: 1791

Re: IP-address dhcp on SVI interface

Well, you can of course a bridge to a group of ethernet ports together but let's start with keeping it as simple as possible. Since both ports are connected to the switch through access ports there is no need to tag/untag traffic through a vlan-interface on the MikroTik and we can instead use the or...
by Larsa
Sat Feb 04, 2017 12:04 am
Forum: General
Topic: IP-address dhcp on SVI interface
Replies: 15
Views: 1791

Re: IP-address dhcp on SVI interface

I have read the wiki for what seems like hours trying to put the puzzle together. I think that me working with one vendor for so long has scarred me for life :) Haha, no sweat mate! I know the feeling :D Btw, normally you don't have to alter anything on the physical interfaces. You just have to ad...
by Larsa
Fri Feb 03, 2017 6:59 pm
Forum: General
Topic: 450Mhz LTE card for Mikrotik
Replies: 4
Views: 1407

Re: 450Mhz LTE card for Mikrotik

Here is a list of tested cards: http://wiki.mikrotik.com/wiki/Supported_Hardware#4G_LTE_cards_and_modems We have also recently added support for Altair Semiconductor alt3800 LP41 which works on FDD Band 3, 7, 20, 31, https://altair-semi.com/product/fourgee-3800-6300/ Is it possible to put any of th...
by Larsa
Fri Feb 03, 2017 5:34 pm
Forum: RouterBOARD hardware
Topic: SXT LTE - wireless module replacement to cat 4?
Replies: 4
Views: 941

SXT LTE - wireless module replacement to cat 4?

Is it possible to replace the wireless module in SXT LTE with for example a cat-4 module from Sierra (or from whatever supplier) that works with RB? Btw, just a thought. Why not sell SXT LTE and the LTE modules separately? In that way you could supply LTE solutions that covers all future categories ...
by Larsa
Fri Feb 03, 2017 3:04 pm
Forum: General
Topic: Do any queue types respect Priority markings?
Replies: 26
Views: 2913

Re: Do any queue types respect Priority markings?

a two seconds search in RavenWing71 posts would have told you that: http://forum.mikrotik.com/viewtopic.php?f=2&t=116754&p=577464#p577464 Well, I'm not that well educated forum user but thank you anyhow! ;-) Just a thought - will that also capture the actual p2p traffic that is initiated in a step ...
by Larsa
Fri Feb 03, 2017 1:50 pm
Forum: General
Topic: IP-address dhcp on SVI interface
Replies: 15
Views: 1791

Re: IP-address dhcp on SVI interface

Good picture, now I think I understand the objective (sort of anyhow) :-) If the MikroTik is using only untagged traffic to/from vlan 100 and 200 it's probably a piece of cake. Then you only need to set up the MikroTik to use two regular ether-ports with DHCP on the "vlan-100" side plus a basic firew...
by Larsa
Fri Feb 03, 2017 9:47 am
Forum: General
Topic: IP-address dhcp on SVI interface
Replies: 15
Views: 1791

Re: IP-address dhcp on SVI interface

I'm using one port in the MikroTik on my local LAN, the other port that I want to assign to vlan 100 is supposed to collect an external IP from my ISP. My goal is to route some traffic from my local LAN out with another public IP than the rest of my local LAN. Is this making any sense? :) Ok, I assum...
by Larsa
Fri Feb 03, 2017 12:12 am
Forum: General
Topic: IP-address dhcp on SVI interface
Replies: 15
Views: 1791

Re: IP-address dhcp on SVI interface

Now I'm stuck with how the port should be configured. I have configured the port in the Cisco to be an access port and send all packets without the vlan tag. In the MikroTik router I want to tag all packets with vlan 100. . Sorry, but I don't grasp the logic here. If you're connecting to an access po...
by Larsa
Thu Feb 02, 2017 11:53 pm
Forum: General
Topic: Do any queue types respect Priority markings?
Replies: 26
Views: 2913

Re: Do any queue types respect Priority markings?

Notes: I mark the MSDO packets with ToS-Bulk...
Oh, you've already found a way how to identify MSDO traffic. Do you mind sharing how it's done?
by Larsa
Thu Feb 02, 2017 11:41 pm
Forum: General
Topic: Do any queue types respect Priority markings?
Replies: 26
Views: 2913

Re: Do any queue types respect Priority markings?

.. The majority of our customers are residential, and there's hundreds of them, so WSUS is not a feasible solution... Ok, I was totally wrong there who assumed you meant a company that was hooked up but now I see your point. Yeah, that kind of p2p traffic might be a beast in that regard. Is it pos...
by Larsa
Thu Feb 02, 2017 6:23 pm
Forum: General
Topic: IP-address dhcp on SVI interface
Replies: 15
Views: 1791

Re: IP-address dhcp on SVI interface

Cisco IOS originates from a declarative environment versus Mikrotik ROS which relies more on explicit commands but you can basically do anything found in IOS (or even more). Process: 1. create a vlan interface, set name to VLAN-100, use vlan id 100 and assign it to ethernet port 5. 2. create a dhcp ...
by Larsa
Thu Feb 02, 2017 12:35 pm
Forum: General
Topic: Do any queue types respect Priority markings?
Replies: 26
Views: 2913

Re: Do any queue types respect Priority markings?

I don't know to tell radius about this, you should contact who built that radius and ask if such thing can be made from radius. Good idea, worth checking out! And if you are lucky it might be possible to apply some kind of RADIUS custom attributes. Links to MikroTik Specific RADIUS Attributes http:...
by Larsa
Thu Feb 02, 2017 12:07 am
Forum: General
Topic: Do any queue types respect Priority markings?
Replies: 26
Views: 2913

Re: Do any queue types respect Priority markings?

Just curious, what does "MSDO" stand for? As regards the other, just set the minimal queue-rate for A and the rest of the bandwidth will be available for B. If nothing happens at A, then B will get it all. If the bandwidth requirement is changing during the day you probably need some scripting to alt...
by Larsa
Tue Jan 31, 2017 11:00 pm
Forum: General
Topic: [SOLVED] General NAT access between local networks using multiple public WAN address?
Replies: 9
Views: 3486

Re: General NAT access between local networks using multiple public WAN address?

It's really quite obvious when you think about it in peace and quiet, right? :-) I was totally focused on the wrong areas looking for a solution. Partly because I was informed that a “Double-NAT“ (:-) or “logical loop-back” was very difficult and required a substantial work effort to implement and s...
by Larsa
Mon Jan 30, 2017 11:49 pm
Forum: General
Topic: [SOLVED] General NAT access between local networks using multiple public WAN address?
Replies: 9
Views: 3486

Re: General NAT access between local networks using multiple public WAN address?

Correction, you need one extra rule to specifically allow all forwarded ports and it needs to be before the one blocking direct communication between subnets (I'm just not used to this reversed logic of blacklist-style firewall where everything is allowed by default): /ip firewall filter add action...
by Larsa
Sun Jan 29, 2017 10:04 pm
Forum: General
Topic: Using Splunk to analyse MikroTik logs
Replies: 98
Views: 16778

Re: Using Splunk to analyse MikroTik logs

would love some more info on the searches you have used to build the graphs etc here, they look great.
A very brief MikroTik-Splunk wiki perhaps? ;-)
by Larsa
Sun Jan 29, 2017 5:56 pm
Forum: General
Topic: [SOLVED] General NAT access between local networks using multiple public WAN address?
Replies: 9
Views: 3486

Re: General NAT access between local networks using multiple public WAN address?

[Placeholder]
Example of a working solution based on the picture above is coming soon...
by Larsa
Sat Jan 28, 2017 12:33 am
Forum: General
Topic: Subnet on interface
Replies: 11
Views: 1034

Re: Subnet on interface

You could set 94.146.42.241/28 as IP address and add a dst-nat rule on that interface so that 94.146.42.240/28 is D-NATed to 94.146.42.241. Connection tracking should take care of the reverse NAT. My only doubts are about if this will cope with ARP for the other IPs. We are using a subnet on the WA...
by Larsa
Sat Jan 28, 2017 12:10 am
Forum: General
Topic: [SOLVED] General NAT access between local networks using multiple public WAN address?
Replies: 9
Views: 3486

Re: General NAT access between local networks using multiple public WAN address?

Can anyone please verify if the following argument is correct: If I understand the packet flow diagram correctly, Source-NAT will never be reached since the packet path takes a shortcut directly to Dest-NAT in the prerouting step and will set the Guest Network 172.16.0.0 as the source address. This ...
by Larsa
Fri Jan 27, 2017 9:02 pm
Forum: General
Topic: Default priority DSCP and ToS
Replies: 2
Views: 1960

Re: Default priority DSCP and ToS

Unfortunately there is no default priority for DSCP/ToS (or for anything else), you have to create your own queues. As default Ros treats everything at the highest level of priority. Basically you have to create a queue for DSCP/ToS and lower everything else. General info: http://wiki.mikrotik.com/w...
by Larsa
Fri Jan 27, 2017 4:57 pm
Forum: General
Topic: [SOLVED] General NAT access between local networks using multiple public WAN address?
Replies: 9
Views: 3486

[SOLVED] General NAT access between local networks using multiple public WAN address?

NAT between local networks.png Problem: At the moment we can’t use the Guest Network (1) to reach the services at the Office Network (3) through NAT. The reason is that the local networks are totally isolated (internal routing disabled) to prevent possible leaks thus hairpin-nat is not possible. Wor...
by Larsa
Thu Sep 24, 2015 11:49 pm
Forum: Beginner Basics
Topic: Connecting more geographic sites: wich vpn ?
Replies: 13
Views: 1646

Re: Connecting more geographic sites: wich vpn ?

. . .

3. Routing protocols, since you have about 15 sites, you should run some kind of dynamic routing protocol, like RIP or OSPF. OSPF is suitable on L2TP links.
Try to avoid RIP or at least make sure you are using RIPv2. Ref: Understanding RIP Routing
--

Regards, Lars.
by Larsa
Wed Sep 09, 2015 9:18 pm
Forum: General
Topic: [Feature Request] WinBox Port Knocking
Replies: 2
Views: 746

Re: [Feature Request] WinBox Port Knocking

Would be nice if port knocking was built in to winbox.

-Eric
port knocking with client certificate
by Larsa
Mon Aug 31, 2015 7:15 pm
Forum: Beginner Basics
Topic: Dual WAN load balancing with failover to 4G without scripting ??
Replies: 0
Views: 461

Dual WAN load balancing with failover to 4G without scripting ??

Hello all! Does anybody know if it's possible to configure RouterOS "out of the box" using Winbox to utilize dual WAN with load balancing (WAN1+WAN2) and in case of failure automatically trigger a failover (with failback) to 4G (WAN3) as well as updating DDNS accordingly. Another feature that would be n...