Community discussions

Search found 83 matches

by ulysses
Fri Jun 12, 2020 6:06 pm
Forum: Wireless Networking
Topic: hAP AC2+cAP AC Roaming is a joke [SOLVED]
Replies: 69
Views: 22194

Re: hAP AC2+cAP AC Roaming is a joke [SOLVED]

Hello. Access lists are only useful for cheap or old sticky clients. For the rest it will make things worse if you do not know how wifi works, or there are special cases for using access lists, but they are not for roaming... Try CWNA-107 for the beginning (or hire a CWNP engineer), otherwise wifi will no...
by ulysses
Fri Jun 12, 2020 3:34 pm
Forum: Wireless Networking
Topic: hAP AC2+cAP AC Roaming is a joke [SOLVED]
Replies: 69
Views: 22194

Re: hAP AC2+cAP AC Roaming is a joke [SOLVED]

A user of MikroTik for about 10 years already. I love MikroTik for many things, but this one is a very painful topic to me. I have been able to set up some decent roaming at home with two or three access points, but that took unbelievably many hours for the far-from-perfect user experience. Until now I ...
by ulysses
Fri Jun 12, 2020 2:36 pm
Forum: RouterOS v7 BETA
Topic: Feature requests: improve dot1x and others
Replies: 8
Views: 2987

Re: Feature requests: improve dot1x and others

A bold plus one here
by ulysses
Fri Jun 12, 2020 12:30 pm
Forum: General
Topic: Amazon AWS VPN -- A Working Configuration Example and Bug
Replies: 43
Views: 33945

Re: Amazon AWS VPN -- A Working Configuration Example and Bug

Nice!
In the rule with two peers, you are listing the sa-dst-address as for just one of the peers. Will that work with the second route as well?
by ulysses
Fri Sep 14, 2018 7:18 pm
Forum: RouterBOARD hardware
Topic: SFP module is extremely hot
Replies: 45
Views: 18633

Re: SFP module is extremely hot

I have eventually switched provider and have a different fiber technology. Installed a different module Vendor Name ATOP Vendor Part Number APSB43123CDL10 However it's still heating up. My hAP ac is standing inside a wall box with limited air flow. The system board temperature is *53* degrees, and t...
by ulysses
Wed Jun 27, 2018 11:42 am
Forum: RouterBOARD hardware
Topic: SFP module is extremely hot
Replies: 45
Views: 18633

Re: SFP module is extremely hot

I have eventually switched provider to one who uses point-to-point FTTH and installed a different SFP module into my hAP ac. Currently the temperature is 59 at the module and 53 system. The unit is standing inside a plastic enclosure, so that could reduce by a number of degrees if I put it into a ven...
by ulysses
Fri Jun 01, 2018 11:40 pm
Forum: RouterBOARD hardware
Topic: SFP module is extremely hot
Replies: 45
Views: 18633

Re: SFP module is extremely hot

We have the same issue with MikroTik SFPONU plugged in to hEX PoE (RB960PGS), we are around 80 °C. Wow. Well I guess it's the same here, really hot! Do you consider this normal? For how long have you been using the SFPONU in this condition? Were you given any support for the case from MikroTik ...
by ulysses
Fri Jun 01, 2018 12:12 am
Forum: General
Topic: Mikrotik GPON ONU
Replies: 10
Views: 5046

Re: Mikrotik GPON

If you are considering using the Mikrotik GPON module in a production environment , perform some extended acceptance testing first. I had about a dozen test outdoor installs with Mikrotik routerboards and the Mikrotik GPON Module. They worked OK during the winter. However when summer hit and the te...
by ulysses
Thu May 31, 2018 11:44 pm
Forum: RouterBOARD hardware
Topic: SFP module is extremely hot
Replies: 45
Views: 18633

Re: SFP module is extremely hot

Hey! My SFPONU module from MikroTik is also super hot when plugged into hAP ac. Not sure if that's a problem or not. Doesn't matter if the cable is connected, it heats up immediately after installation and doesn't cool down. Don't have any suitable thermometer, but subjectively it's > 60 °C since I c...
by ulysses
Thu May 31, 2018 7:20 pm
Forum: RouterBOARD hardware
Topic: SFPONU configuration
Replies: 4
Views: 956

Re: SFPONU configuration

Hey, thanks much for replying. Meanwhile, as far as I have researched by now, the EEPROM with the values may be programmable; this isn't too rare to do, there are tools available. However the EEPROM may be locked by the manufacturer to disallow reflashing. This is my first question - whether it ...
by ulysses
Wed May 30, 2018 5:14 pm
Forum: RouterBOARD hardware
Topic: SFPONU configuration
Replies: 4
Views: 956

Re: SFPONU configuration

Anyone from the MikroTik team? Could you at least tell me whether the EEPROM there is protected or not, and also - would be awesome - provide the EEPROM bit layout. Please!
by ulysses
Tue May 29, 2018 6:30 pm
Forum: RouterBOARD hardware
Topic: SFPONU configuration
Replies: 4
Views: 956

Re: SFPONU configuration

I can see there's this eeprom field, can I maybe update that field somehow?
by ulysses
Tue May 29, 2018 6:20 pm
Forum: RouterBOARD hardware
Topic: SFPONU configuration
Replies: 4
Views: 956

SFPONU configuration

Hi, I have bought the SFPONU extension port but can't get it to work. It shows that there is link but it doesn't receive any packet back. I assume that the problem is that the ONU device is not having the correct ONU ID and probably other configuration. How do I configure the SFPONU device? Is there...
by ulysses
Wed Mar 14, 2018 7:31 pm
Forum: Beginner Basics
Topic: No internet router Mikrotik
Replies: 13
Views: 5788

Re: No internet router Mikrotik

Not sure if it's already fixed, but for me usually the problem with no internet on the ROS itself is one of two things: 1. There is no DNS server set up for the ROS itself (see /webfig/#IP:DNS) 2. There is no reachable default route in the main routing table, which is consulted for outgoing packe...
by ulysses
Sun May 14, 2017 10:56 pm
Forum: Scripting
Topic: Instantaneous failover
Replies: 0
Views: 816

Instantaneous failover

Hi, I have suffered from an unexpected latency when failing over to a second WAN based on a simple recursive routing setup. Both WANs are NATed. My application would take 1-3 minutes to start using the new route, while if restarted it would pick up the new connection immediately. The issue was that wi...
by ulysses
Tue May 02, 2017 4:14 pm
Forum: Announcements
Topic: v6.39 [current]
Replies: 89
Views: 40137

Re: v6.39 [current]

So, what should we do with the bricked devices? Downgrade? I am still to follow the netinstall route... Honestly, last thing I was planning to do on my holiday
by ulysses
Mon May 01, 2017 5:41 pm
Forum: Announcements
Topic: v6.39 [current]
Replies: 89
Views: 40137

Re: v6.39 [current]

Same here. Bricked my 2011. VERY frustrating. Had to work additional time to restore config on another router, it's on 6.34.5. What's happening? Haven't you guys at MikroTik tested it on the hardware?
by ulysses
Mon May 01, 2017 10:48 am
Forum: Scripting
Topic: Configure rules for dynamic interface before it appears
Replies: 1
Views: 559

Configure rules for dynamic interface before it appears

Hi, I am using ROS in customer setups and often need to configure routers in advance. We are using a 3G modem for failover and I have a set of scripts to support that. However my problem is that I can't seem to enter any {{lte}} related rules before the device is actually plugged into the USB port and...
by ulysses
Mon May 01, 2017 10:43 am
Forum: Scripting
Topic: Syntax highlighting and completions for Sublime Text
Replies: 39
Views: 34121

Re: Syntax highlighting and completions for Sublime Text

Great! please keep up!
by ulysses
Mon Apr 24, 2017 2:49 pm
Forum: General
Topic: Port Mirroring
Replies: 6
Views: 38233

Re: Port Mirroring

It seems like mirroring the master port also mirrors traffic for the slave ports on a switch. So, if you set eth2 master for eth3, eth4 and then configure mirroring of eth2 to eth5 then eth5 will receive packets from 2, 3 and 4
by ulysses
Sun Mar 05, 2017 11:41 am
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 97154

Re: v6.39rc [release candidate] is released

:put [ /ip dhcp-server network get [ find $leaseActIP in address ] gateway ]; Thanks for the hint, Chupaka, used it to make the code that actually works for the usecase. :local gatewayAddress [/ip dhcp-client get [find dhcp-server=$"server-address"] gateway] @Mikrotik team Paste is not working in t...
by ulysses
Sat Mar 04, 2017 6:34 pm
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 97154

Re: v6.39rc [release candidate] is released

I LOVE the new script property of DHCP client. But something very basic seems to be missing - in my case the DHCP server is _not_ the gateway. However I don't see the gateway-address or like variable available. Any chance this can be added soon? as a workaround: :put [ /ip dhcp-server network get [...
by ulysses
Thu Mar 02, 2017 1:26 pm
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 97154

Re: v6.39rc [release candidate] is released

Hi, I LOVE the new script property of DHCP client. But something very basic seems to be missing - in my case the DHCP server is _not_ the gateway. However I don't see the gateway-address or like variable available. Any chance this can be added soon? BTW, although offtopic, is there a way to inspect ...
by ulysses
Sun Dec 25, 2016 10:31 am
Forum: Wireless Networking
Topic: WiFi + short DHCP lease = problem?
Replies: 5
Views: 1936

Re: WiFi + short DHCP lease = problem?

But the logs and packet sniffing show that it's the Mikrotik that sends deauth
by ulysses
Sat Nov 19, 2016 10:42 pm
Forum: Wireless Networking
Topic: WiFi + short DHCP lease = problem?
Replies: 5
Views: 1936

Re: WiFi + short DHCP lease = problem?

A note from some knowledgeable people would be highly appreciated. Thanks
by ulysses
Sat Nov 19, 2016 10:39 pm
Forum: General
Topic: Incorrect Gratuitous ARP Reply
Replies: 2
Views: 2066

Re: Incorrect Gratuitous ARP Reply

Hey, any ideas, anyone?
by ulysses
Thu Nov 17, 2016 11:13 pm
Forum: General
Topic: Incorrect Gratuitous ARP Reply
Replies: 2
Views: 2066

Re: Incorrect Gratuitous ARP Reply

Hey, I have the same issue with my MacBook Pro and 962UiGS-5HacT2HnT. Every time I connect to the network and have a secondary WiFi interface defined, I receive this error on my Mac that another system on the network is using this IP address - of course no one does. I see the same picture as you do S...
by ulysses
Fri Nov 04, 2016 7:57 pm
Forum: Wireless Networking
Topic: WiFi + short DHCP lease = problem?
Replies: 5
Views: 1936

WiFi + short DHCP lease = problem?

Hi, I have been having a really bad experience with my RB2011UiAS-2HnD-IN WiFi in the office. My Apple laptop and my colleague's iPad kept disconnecting regularly. I have been struggling much with the logs on the router like 12:13:33 wireless,info A4:5E:60:xxx@wlan-practi-office: reassociating 12:13:33 ...
by ulysses
Sun May 01, 2016 9:00 pm
Forum: Scripting
Topic: "startup" script runs too early
Replies: 13
Views: 2343

"startup" script runs too early

Hey, I have dumped 2 hours today to find out that a scheduler script with "startup" time runs *before* wlan and bridge interfaces are configured. RouterBOARD 941-2nD 6.35.1 log in the script brings this: :log info [/interface find]; *1;*2;*3;*4 Isn't it a bug? Is there a good workaround for that? I ...
by ulysses
Thu Feb 04, 2016 12:47 pm
Forum: General
Topic: Amazon AWS VPN -- A Working Configuration Example and Bug
Replies: 43
Views: 33945

Re: Amazon AWS VPN -- A Working Configuration Example and Bug

Sorry if I am bumping an old thread here, I can't see a date on the thread from my phone... Odd. Regardless, does setting level=unique get around the MikroTik Limitation?? Nope :(. Even otherwise, it is recommended against, since AWS explicitly states that it will only allow two SAs per VPN channel...
by ulysses
Wed Nov 25, 2015 3:48 pm
Forum: General
Topic: Amazon AWS VPN -- A Working Configuration Example and Bug
Replies: 43
Views: 33945

Re: Amazon AWS VPN -- A Working Configuration Example and Bug

Nice.. But it has to be tested well, since I am afraid there may be positive loopback between the activation of the correct IPSec policy and the automatic active BGP route selection. It may even get into constant oscillation switching back and forth. Probably that is the reason you have a loop with ...
by ulysses
Wed Nov 25, 2015 2:32 pm
Forum: General
Topic: Amazon AWS VPN -- A Working Configuration Example and Bug
Replies: 43
Views: 33945

Re: Amazon AWS VPN -- A Working Configuration Example and Bug

Quick and dirty but seems to work. :global activeGatewayAWS [/ip route get [/ip route find dst-address=172.31.0.0/16 bgp active] gateway] :global saDstAddress :if ($activeGatewayAWS=ACTIVE_BGP_GATEWAY_ADDR) do={:global saDstAddress ADDR_GW_1} else={:global saDstAddress ADDR_GW_2} /ip ipsec policy s...
by ulysses
Tue Nov 03, 2015 8:31 am
Forum: General
Topic: How to get traffic to hosts with VPN but not NAT?
Replies: 1
Views: 656

Re: How to get traffic to hosts with VPN but not NAT?

Without NAT on the SSTP router it is possible in three ways: - (preferred) add a route to the customer router 10.0.1.0/24 via 172.16.100.4. Otherwise the response packet from 172.16.100.6 will not find its way to the SSTP client, since it will be forwarded to the customer router. - Add 10.0.1.0/24 via 17...
by ulysses
Sun Nov 01, 2015 11:38 pm
Forum: General
Topic: Amazon AWS VPN -- A Working Configuration Example and Bug
Replies: 43
Views: 33945

Re: Amazon AWS VPN -- A Working Configuration Example and Bug

As a rule-of-thumb for using Mikrotik ipsec VPNs to differing vendors equipment (Cisco, Juniper, AWS, or unknown), I always set level=unique before troubleshooting the tunnel. This simply makes the tunnel much more compliant with the RFC. AWS requires that you aren't creating more than two SA per t...
by ulysses
Mon Oct 19, 2015 10:36 am
Forum: Scripting
Topic: Two route with same gateway and dst-addres but different routing mark
Replies: 14
Views: 1907

Re: Two route with same gateway and dst-addres but different routing mark

So, have you checked where exactly the packets go with the sniffer?
by ulysses
Mon Oct 19, 2015 10:33 am
Forum: General
Topic: Amazon AWS VPN -- A Working Configuration Example and Bug
Replies: 43
Views: 33945

Re: Amazon AWS VPN -- A Working Configuration Example and Bug

the router sees the packet, but there's never a response.
Make sure you accept the packets in the /ip firewall filter forward chain
by ulysses
Sat Oct 17, 2015 9:59 pm
Forum: General
Topic: serial port on 951G-2HnD
Replies: 9
Views: 4093

Re: serial port on 951G-2HnD

Maybe you mean special login? http://wiki.mikrotik.com/wiki/Serial_Po ... mac-telnet No, I am talking about this: http://wiki.mikrotik.com/wiki/Manual:Port#Remote_Access, or, in the same document you have referenced, this http://wiki.mikrotik.com/wiki/Serial_Port_Usage#Accessing_a_serial_device_as_...
by ulysses
Fri Oct 16, 2015 4:44 pm
Forum: General
Topic: serial port on 951G-2HnD
Replies: 9
Views: 4093

Re: serial port on 951G-2HnD

Well, again, usb to serial adapter is a known thing, however it has nothing to do with remote connection. It will require me to physically connect to the other side of the usb to serial adapter, and I wanted to utilize remote connection and control mikrotik from my host which is wirelessly connected...
by ulysses
Fri Oct 09, 2015 10:14 pm
Forum: Scripting
Topic: Two route with same gateway and dst-addres but different routing mark
Replies: 14
Views: 1907

Re: Two route with same gateway and dst-addres but different routing mark

Did you use sniffer to look at the packets?

you should set src-address on ping in case you have multiple ip addresses assigned to the router interfaces. In that case it would select some of the ip addresses and it may be one that is going to break your policy routing rules.
by ulysses
Mon Oct 05, 2015 9:54 pm
Forum: Beginner Basics
Topic: Trying (and failing) at port forwarding.
Replies: 40
Views: 4406

Re: Trying (and failing) at port forwarding.

first of all, with a sniffer you can also set filter-port to not miss the packets. Secondly, are you sure your provider is assigning you a white ip address? I have seen providers performing NAT on their side as well, in which case you will not be able to use your WAN address from outside. And again,...
by ulysses
Mon Oct 05, 2015 1:23 pm
Forum: General
Topic: serial port on 951G-2HnD
Replies: 9
Views: 4093

Re: serial port on 951G-2HnD

No, I haven't yet had a chance to play with one. Actually, my point was to make use of the remote connection since it opens up lots of fun applications, by providing appropriate services on some remote host side, while using just wireless or wired LAN connection to the host.
by ulysses
Mon Oct 05, 2015 12:01 pm
Forum: Beginner Basics
Topic: Trying (and failing) at port forwarding.
Replies: 40
Views: 4406

Re: Trying (and failing) at port forwarding.

FYI: the tool you are using is showing me that my open and working port forwarding is "closed". As well as the other one I checked, http://ping.eu/port-chk/. At the same time, I see correct network activity on the ports, see below. Bottom line: to prove that your port forwarding is working, please u...
by ulysses
Mon Oct 05, 2015 11:00 am
Forum: Beginner Basics
Topic: Trying (and failing) at port forwarding.
Replies: 40
Views: 4406

Re: Trying (and failing) at port forwarding.

Just in case - is your service on the local computer running when you are checking for open ports?
by ulysses
Sun Oct 04, 2015 10:30 pm
Forum: Beginner Basics
Topic: Trying (and failing) at port forwarding.
Replies: 40
Views: 4406

Re: Trying (and failing) at port forwarding.

jarda wrote: Accept port 8096 in forward chain. TomosRider wrote: Yes, create a new rule with action accept on those ports. This advice is useless, because DST-NAT occurs before 'forward' chain firewall rules. This is great advice, since it won't work without an accepted forward. If you look at t...
by ulysses
Sun Oct 04, 2015 10:14 pm
Forum: General
Topic: Wireless Devices Cant Talk or Ping Each Other
Replies: 4
Views: 2757

Re: Wireless Devices Cant Talk or Ping Each Other

Wait, so are all your wireless clients (including the printer) connected to the same subnet? Or is the printer on another subnet?

To start with, did you try setting default-forwarding to "yes" on all your wireless interfaces?
by ulysses
Sun Oct 04, 2015 10:07 pm
Forum: Scripting
Topic: Two route with same gateway and dst-addres but different routing mark
Replies: 14
Views: 1907

Re: Two route with same gateway and dst-addres but different routing mark

Try setting a correct src-address during ping, you may have some troubles if the packet is not masqueraded, for example. In other words, the behavior is absurd as you are describing it, so I assume that since you are not disclosing the full picture, there are other reasons for the ping to timeout. A...
by ulysses
Sun Oct 04, 2015 10:00 pm
Forum: General
Topic: [SOLVED] - Cable modem, multiple dynamic public IPs through one cable.
Replies: 4
Views: 1182

Re: Cable modem, multiple dynamic public IPs through one cable.

Are you sure that the different IPs are operational at once? You would observe this behavior if you had a dynamic IP plan and connected your PPPoE client device to different ports one after another. A cable modem (when operating in bridge mode) simply relays Ethernet frames to all ports since they a...
by ulysses
Sun Oct 04, 2015 9:48 pm
Forum: Scripting
Topic: Two route with same gateway and dst-addres but different routing mark
Replies: 14
Views: 1907

Re: Two route with same gateway and dst-addres but different routing mark

May I ask how you are testing your setup? What do you mean by "loses connectivity"?
by ulysses
Sun Oct 04, 2015 9:35 pm
Forum: General
Topic: serial port on 951G-2HnD
Replies: 9
Views: 4093

Re: serial port on 951G-2HnD

Bump? Anyone?
by ulysses
Sun Oct 04, 2015 6:37 pm
Forum: General
Topic: No ping from one side, successful ping from other side
Replies: 5
Views: 907

Re: No ping from one side, successful ping from other side

Seems like a problem with the wireless link, probably it doesn't deliver packets in the 951 -> 1100 direction.
What about other types of traffic, do you have any connectivity?
by ulysses
Sun Oct 04, 2015 5:56 pm
Forum: Forwarding Protocols
Topic: Assign public IP's to computers in LAN
Replies: 10
Views: 3013

Re: Assign public IP's to computers in LAN

As long as you are not blocking forward, the router will relay packets. However, you are lacking one important point in this case: you should advertise the network behind the MikroTik to your provider, which in turn will advertise it further. That's the only way computers on the internet will be able...
by ulysses
Fri Oct 02, 2015 10:54 pm
Forum: General
Topic: hAP Lite for IPSec Tunnel + trivial BGP
Replies: 4
Views: 942

Re: hAP Lite for IPSec Tunnel + trivial BGP

BGP is a requirement from AWS side, which is the tunnel peer
by ulysses
Fri Oct 02, 2015 10:22 pm
Forum: General
Topic: Unpingable IP's on local network
Replies: 16
Views: 1968

Re: Unpingable IP's on local network

Whoa, that's indeed strange

Please examine the firewall settings on the workstations, if they only allow for ICMP on the local network. Just turn the firewall off for the sake of testing
by ulysses
Fri Oct 02, 2015 6:14 pm
Forum: General
Topic: hAP Lite for IPSec Tunnel + trivial BGP
Replies: 4
Views: 942

Re: hAP Lite for IPSec Tunnel + trivial BGP

Yes, and I already took care of that, but that will take time. And I need it now. In any case, I went to the official distributor here in Israel and he suggested that I should buy cAP, since it has more memory and a better wifi chip, whereas all my clients are going to be WiFi. This is what I have n...
by ulysses
Fri Oct 02, 2015 12:45 pm
Forum: General
Topic: Unpingable IP's on local network
Replies: 16
Views: 1968

Re: Unpingable IP's on local network

No, all machines are dynamic except mine and 5 others. Those who are static are from 3.100-3.106, I am 3.101. First of all, you have to be careful with this setup to not plug yourself into the wrong interface, cause then you will observe problems. Secondly, what I see from the sniffed packets looks like...
by ulysses
Thu Oct 01, 2015 11:07 am
Forum: General
Topic: No ping from one side, successful ping from other side
Replies: 5
Views: 907

Re: No ping from one side, successful ping from other side

I am a bit confused with the overlapping prefix routes on the LAN 2 side, 192.168.0.0/16 via wireless and 192.168.125.0/25 connected, although the largest fitting mask should be selected... I would suggest that you start /tool sniffer on both devices and observe the ping packet flowing. Usually that...
by ulysses
Thu Oct 01, 2015 10:38 am
Forum: General
Topic: netwatch improvements
Replies: 1
Views: 1018

netwatch improvements

It seems that according to the number of use cases here on forums it would be nice to have additional setting in netwatch that would limit the ping test to particular interface, or even better, a way to route-mark or packet-mark packets originating from the netwatch process. The idea behind is that ...
by ulysses
Thu Oct 01, 2015 8:54 am
Forum: Forwarding Protocols
Topic: BGP peer refusing connection
Replies: 1
Views: 1226

BGP peer refusing connection

Hi guys, I have a setup with one BGP instance and 2 peers. One peer has max prefixes limitation, and the other one advertises 15k prefixes. Both peers work fine separately. However the limiting peer doesn't connect if the beefy one is connected - this is how I knew about the prefix limiting. So I ad...
by ulysses
Thu Oct 01, 2015 8:33 am
Forum: Scripting
Topic: reboot LTE interface
Replies: 2
Views: 1969

Re: reboot LTE interface

It means that either you always have access to 8.8.8.8 or the interface 3g disable / enable does not work for you. First, confirm that interface 3G disable; :delay 1; interface 3G enable does help. Next, make sure to policy-route ICMP from the device to 8.8.8.8 via the LTE link; this way, if the LTE con...
by ulysses
Wed Sep 30, 2015 11:59 pm
Forum: General
Topic: Limiting clients to 1 IP address from DHCP
Replies: 1
Views: 507

Re: Limiting clients to 1 IP address from DHCP

Not sure of how you distinguish between your customers and how you manage them, but what you are talking about seems to me like a MAC binding use case. Maybe this will help http://wiki.mikrotik.com/wiki/User_Manager/MAC_binding Or, a semi-automated option, where you will need to collect the MAC some...
by ulysses
Wed Sep 30, 2015 11:51 pm
Forum: General
Topic: hAP Lite for IPSec Tunnel + trivial BGP
Replies: 4
Views: 942

hAP Lite for IPSec Tunnel + trivial BGP

I am considering a setup for a small office where I would need to create an IPSec tunnel with BGP syncing several routes (<10 in total). I am having up to 15 WiFi clients and an internet channel of 10/4 Mbps. I am planning to use ~ 20 rules in all firewall tables. I may also want to allow several (m...
by ulysses
Wed Sep 30, 2015 11:37 pm
Forum: General
Topic: Unpingable IP's on local network
Replies: 16
Views: 1968

Re: Unpingable IP's on local network

well for now the only problem I see with your config is add action=drop chain=forward comment=\ "Block All Trafic for Computer in warehouse ( virus ) Except Remote Desktop" dst-port=\ !3389 protocol=tcp src-address=192.168.1.20 This rule doesn't work as it should by the comment, as it will not match...
by ulysses
Wed Sep 30, 2015 11:19 pm
Forum: General
Topic: Unpingable IP's on local network
Replies: 16
Views: 1968

Re: Unpingable IP's on local network

OK. Before i dive into config parsing, first thing I usually do in such cases: /tool sniffer set filter-interface=all filter-ip-address=192.168.0.0/16 filter-ip-protocol=icmp filter-direction=any filter-port="" quick Then i start ping and observe the flow or packets in real time. Please do that and ...
by ulysses
Wed Sep 30, 2015 5:11 pm
Forum: Beginner Basics
Topic: please explain a default firewall rule
Replies: 3
Views: 728

Re: please explain a default firewall rule

In case you do manual dstnat then it will allow forwarding - basically that's what you expect if you set up dstnat.
Note the '!' in front of the dstnat, it means that the packet will be dropped if it is not DNATed
by ulysses
Wed Sep 30, 2015 5:02 pm
Forum: General
Topic: Unpingable IP's on local network
Replies: 16
Views: 1968

Re: Unpingable IP's on local network

this is a method of allowing forwarding for packets that are part of session initiated from within your network. If someone from WAN sends a packet with your local network as a destination, then the router with an ALLOW forward policy will simply forward it. This is bad because someone may attack de...
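The two posts above ("please explain a default firewall rule" and this one) describe the same pattern: accept packets that belong to sessions your LAN opened, let new connections in from the WAN only when a dst-nat rule translated them, and drop every other new connection arriving from the WAN. The rule set below is an added example written for this page, not code from the forum posts; it uses RouterOS v6 syntax and assumes ether1 is the WAN port and that the forwarded service lives on 192.168.88.10 TCP/8096 (both assumptions chosen for illustration).

```routeros
# Added example (not from the forum posts). RouterOS v6 syntax.
# Assumptions: ether1 is the WAN port; the forwarded service is
# 192.168.88.10 TCP/8096.

# 1. dst-nat is evaluated in the nat table BEFORE the filter forward
#    chain, but the translated packet still has to be accepted there.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8096 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=8096 \
    comment="forward TCP/8096 to the LAN host"

/ip firewall filter
# 2. Replies to connections the LAN initiated: stateful accept.
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related"
# 3. Packets the tracker cannot place in any connection.
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
# 4. New connections from the WAN are forwarded only if a dst-nat rule
#    translated them. The '!' inverts the match: anything that was NOT
#    DNATed is dropped, which is exactly what the default-config rule
#    discussed above expresses. The DNATed connection to 8096 does not
#    match this rule and continues to the chain's default accept.
add chain=forward connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 action=drop \
    comment="drop all from WAN not DSTNATed"
```

To confirm the rule is actually the one letting the forwarded traffic through, connect from outside and watch the counters with /ip firewall filter print stats: the dst-nat'd connection should leave the drop rule's counter untouched while an unsolicited connection to another port increments it.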
by ulysses
Wed Sep 30, 2015 4:54 pm
Forum: General
Topic: DCOM/RPC traffic over IPSEC VPN?
Replies: 9
Views: 2674

Re: DCOM/RPC traffic over IPSEC VPN?

As far as I'm aware DCOM has nothing to do with UDP and multicast. https://support.microsoft.com/en-us/kb/832017, see Group Policy section In short, i meant it uses layer 3 protocols that should flow fine, but usually whatever in windows relies on SMB may suffer from a not working discovery which d...
by ulysses
Wed Sep 30, 2015 12:06 am
Forum: General
Topic: Unpingable IP's on local network
Replies: 16
Views: 1968

Re: Unpingable IP's on local network

Oh right, sorry. Can you please check your firewall filter for an accept on the forward chain for packets from either of the networks? In general, your rules are really hard to read. You are abusing the connection tracking engine, you don't need it at all in your setup - since you don't provide any ...
by ulysses
Tue Sep 29, 2015 10:51 pm
Forum: General
Topic: Unpingable IP's on local network
Replies: 16
Views: 1968

Re: Unpingable IP's on local network

You forgot to fix this rule
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-type=!local in-interface=5_IntDept new-connection-mark=\
    Primus
by ulysses
Tue Sep 29, 2015 10:36 pm
Forum: General
Topic: DCOM/RPC traffic over IPSEC VPN?
Replies: 9
Views: 2674

Re: DCOM/RPC traffic over IPSEC VPN?

My guess is that it is not working because you don't have multicast over the tunnel. I think so because DCOM is built on top of UDP, so it should work fine otherwise

To have multicast working over a tunnel you will have to set up PIM (IGMP Proxy is easier, but will only work one way)
by ulysses
Tue Sep 29, 2015 4:51 pm
Forum: General
Topic: IPsec site-to-site VPN with WAN backup and NAT
Replies: 4
Views: 2653

Re: IPsec site-to-site VPN with WAN backup and NAT

Mikrotik, look at this, another case of reinventing the wheel instead of fixing the IPSec policy redundancy problem! Here is the non exhaustive list of cases I have encountered recently when stumbled upon the same issue http://forum.mikrotik.com/viewtopic.php?f=2&t=100860&p=501442#p501442 http://for...
by ulysses
Tue Sep 29, 2015 4:37 pm
Forum: General
Topic: IPsec site-to-site VPN with WAN backup and NAT
Replies: 4
Views: 2653

Re: IPsec site-to-site VPN with WAN backup and NAT

But do you see your up script executed? Cause if not, then it's the netwatch problem. I suspect that netwatch may be not working as expected since the default route changes. How do you make sure that your netwatch ping is always using the 192.168.2.1 route? Probably you want to create a separate rou...
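The "reboot LTE interface" and "netwatch improvements" posts above raise the same problem this post does: a netwatch probe follows whatever the current default route is, so once failover has happened it no longer tests the backup link at all. One way to pin the probe to the backup link without mangle-based policy routing is a host route plus a blackhole. This is an added example written for this page, not code from the forum posts; it uses RouterOS v6 syntax and assumes the backup link is the interface lte1 and that 8.8.8.8 is reserved for probing (both assumptions).

```routeros
# Added example (not from the forum posts). RouterOS v6 syntax.
# Assumptions: the primary uplink provides the default route; the backup
# link is interface lte1; 8.8.8.8 is used only as the probe target.

/ip route
# Host route: packets to the probe address always leave via lte1,
# regardless of which default route is currently active.
add dst-address=8.8.8.8/32 gateway=lte1 distance=1 \
    comment="probe host pinned to backup link"
# Blackhole with a worse distance. When lte1 goes down the host route
# above becomes inactive and this one takes over, so the probe can NOT
# fall back to the primary default route. Without it netwatch would
# report a dead backup link as up.
add dst-address=8.8.8.8/32 type=blackhole distance=2 \
    comment="no fallback for probe host"

/tool netwatch
# The probe now reflects the state of lte1 only. The scripts here just
# log; failover actions would go in the same place.
add host=8.8.8.8 interval=30s timeout=2s \
    up-script=":log info \"lte1 probe reachable\"" \
    down-script=":log warning \"lte1 probe unreachable\"" \
    comment="tests lte1, not the active default route"
```

The blackhole is the part that is easy to forget: a host route alone pins the probe only while the interface is up, which is precisely the moment the test does not matter. Check the state with /ip route print where dst-address=8.8.8.8/32; exactly one of the two routes should be active at any time.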
by ulysses
Tue Sep 29, 2015 3:56 pm
Forum: The User Manager
Topic: Is there a way to import users from Excel to User Manager?
Replies: 24
Views: 10568

Re: Is there a way to import users from Excel to User Manager?

I think the easiest way is to create some formulas in a separate excel sheet that render the needed commands in the RouterOS CLI format. Then, export the sheet as text and upload to the router. After that execute /import file-name=filename.txt The upload(fetch) and /import can be automated with a ra...
by ulysses
Mon Sep 28, 2015 11:50 pm
Forum: Beginner Basics
Topic: Serious port forwarding problem
Replies: 3
Views: 693

Re: Serious port forwarding problem

Most of options i have involve changing some settings on the other routers. So, assuming you don't have access there, I can only suggest one thing, more or less complicated, depending on if you can change WebServer network settings. The general idea of the steps below is to make Mikrotik(MT) look li...
by ulysses
Mon Sep 28, 2015 8:57 pm
Forum: General
Topic: IPSEC priority?
Replies: 1
Views: 970

Re: IPSEC priority?

Nope, that is a known problem in RouterOS: in case multiple policies are configured with the same src and dest addresses, disregarding the sa addresses, one of the policies will get an "I" ("Invalid" in webfig and "inactive" in console). I have done some tests, and it seems that neither priority nor...
by ulysses
Mon Sep 28, 2015 6:52 pm
Forum: General
Topic: 15k routes?
Replies: 1
Views: 459

15k routes?

Hi all, I have a private network setup where I am routing UA-IX traffic via a point to point tunnel to my remote segment in the Ukraine. Currently I am doing that with a simple policy based routing (manual address list, a mangle rule and a dedicated default route in a separate routing table) UA-IX c...
by ulysses
Mon Sep 28, 2015 3:19 pm
Forum: General
Topic: serial port on 951G-2HnD
Replies: 9
Views: 4093

serial port on 951G-2HnD

Hi, I was wondering if there is a way of getting an (emulated) serial0 port on the 951G-2HnD RB. I would like to play with the /port remote-access to attach some remote modems, but I have no entries in the /port print. I know that serial port is not available on the board, but isn't there an option ...
by ulysses
Mon Sep 28, 2015 3:14 pm
Forum: General
Topic: firewall by MAC address or RSA/DSA?
Replies: 5
Views: 1006

Re: firewall by MAC address or RSA/DSA?

So your best choice should be setting up a simple PPTP server (one that can be accessed by default Windows and MacOS VPN clients) and also make sure to add a /ip firewall filter rule that would allow the VPN subnet access to port 80. Then just share the VPN credentials with your support and they wi...
by ulysses
Sun Sep 27, 2015 3:58 pm
Forum: General
Topic: IPsec enhancements
Replies: 2
Views: 1097

IPsec enhancements

Hi all, I would like to ask whether anyone would agree that the current policy based IPsec management is disabling a number of setups. One with a long history is a 4 year old bug (http://rant.gulbrandsen.priv.no/amazon/mikrotik-aws-ipsec, http://forum.mikrotik.com/viewtopic.php?p=501081#p441037), when two I...
by ulysses
Sun Sep 27, 2015 3:24 pm
Forum: General
Topic: firewall by MAC address or RSA/DSA?
Replies: 5
Views: 1006

Re: firewall by MAC address or RSA/DSA?

You can create an /ip firewall filter rule with chain=input and protocol=tcp, dst-port=80 and src-mac-address=XX:XX:XX:XX:XX:XX It's not clear if you wish to access the config from LAN or WAN, just to make it clear - MAC address of the incoming packet will only be preserved within one network segmen...
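The post above gives the rule and the caveat that goes with it: the source MAC of a packet survives only within one L2 segment, so a MAC match is meaningful on the LAN bridge and meaningless on the WAN, where every packet carries the upstream router's MAC. The rule set below is an added example written for this page, not code from the forum post; it uses RouterOS v6 syntax and assumes the LAN bridge is named bridge and the management host's MAC is 00:11:22:33:44:55 (both assumptions). A MAC address is trivially spoofed, so treat this as a convenience filter on top of a strong password, not as authentication.

```routeros
# Added example (not from the forum post). RouterOS v6 syntax.
# Assumptions: LAN bridge interface is "bridge"; the management host's
# MAC is 00:11:22:33:44:55 and it sits directly on that bridge.

/ip firewall filter
# Router-destined packets that belong to an already accepted session.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related to the router"
add chain=input connection-state=invalid action=drop \
    comment="drop invalid to the router"
# Webfig (TCP/80) only from one MAC, and only where that MAC can be
# trusted to be the host's own: the LAN bridge. Restricting in-interface
# is what makes the MAC match mean anything.
add chain=input in-interface=bridge protocol=tcp dst-port=80 \
    src-mac-address=00:11:22:33:44:55 action=accept \
    comment="webfig from the management host only"
# Every other attempt to reach webfig, from any interface including the
# WAN, is dropped.
add chain=input protocol=tcp dst-port=80 action=drop \
    comment="no other access to webfig"
```

Test it from a second LAN host: the accept rule's counter in /ip firewall filter print stats should stay at zero while the drop rule's counter climbs, and from the management host the reverse.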
by ulysses
Sun Sep 27, 2015 3:11 pm
Forum: General
Topic: Wireless Devices Cant Talk or Ping Each Other
Replies: 4
Views: 2757

Re: Wireless Devices Cant Talk or Ping Each Other

You should simply set your wireless interface default-forward to yes . However, wifi client isolation is a good practice, so there is another way to do that: to make one wifi client accessible to other wifi clients you should create a virtual AP slave to your main WIFI interface, and assign that one...
by ulysses
Fri Sep 25, 2015 2:31 pm
Forum: General
Topic: Amazon AWS VPN -- A Working Configuration Example and Bug
Replies: 43
Views: 33945

Re: Amazon AWS VPN -- A Working Configuration Example and Bug

Year after, this post is still of a great value, thank you very much! Most of the things are straight-forward, but there is one thing that I have struggled to understand for already 20 hours in a row, searched high and low and still can't get my head around it.. First, something minor. 0 ;;; critica...