Thanks. Regrading the log message, "in:" denotes ingress interface, not direction. But the direction is still _in_, as all incoming IP packets that were not bridged or MPLS-switched are hitting prerouting chain. But how can router LOCALY originating packet hit prerouting chain? It should hit RAW OUT...

May be something with firewall, exactly rule "RELATED, ESTABLISHED"?
Both sides send packets and awaiting reply, so incoming packet is treated as reply.
Also, do you try only ping or some other traffic?

You can try add additional address to L2TP on site A (and of course corresponding on site B) and NAT client-b to this address. On site B simple route this address to isp-c.

Your firewall stops traffic comming from GRE (GRE in WAN list and not NATed).

Not only Win10 but all prev WinNT bases Windows (2000, XP, 7, .

I suppose it must be TFTP.

Are your Mikrotik and management computer in one broadcast network or routed?

Hello. I have such configuration: Two Mikrotik routers (call them "Router1" and "Router2") with white external IP each. There is IPSEC policy in transport port between them and also IPIP tunnel, so I have interface for dynamic routing and etc. Of course tunnel's interface on both routers have IP fro...

According https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction MT7621 based devices (hEX, hEX S) don't have VLAN table in switch chip, but MT7621 datasheet http://www.trolink.cn/UploadFiles/Product/20160419152925_77763.pdf indicates: "Supports 4K VLAN entries". Also https://wiki.m...

When start new winbox (either 32bit or 64bit) I get message: "ERROR: Colud not save conffiguration". If I start with administrative privileges - no such error. Also without administrative privileges I can't connect to router. And with administrative privileges - without problem OS - Windows 7 Prof S...

IPsec accelerator (HW acceleration) RB3011UiAS-RM ??? Когда, сколько ждать? When, how long to wait? IPsec accelerator support for RB3011 is still being worked on, the HW acceleration is not yet supported for this model. The CPU is much faster than RB2011 even without HW accelerator. But HW accelera...

Ok, The source of question is video from last MUM
https://www.youtube.com/watch?v=nJr77a1rWRI
At 10:53 there is slide with two different rules for established and related states.

Hello As I understand in IP Firewall and Mangle conditions for rule to work are combined with "AND" operator. But is is still true for "Connection state" options (established, invalid, new ...)? As I see almost everywhere there are such rules "For NEW packet with some conditions action allow" and "F...

Yes. There are several tracked connections (IPsec, IPIP and some kind of "usefull" -ICMP, TCP etc). But it's for case when all is good. But I'm talking about broken IPSec router-to-router connection and moment of establishing IPIP tunnel. So for beginning there are no IPSec now and no IPIP. Then "fi...

You should create address list with allowed IPs from 10.23.40.0/24 subnet. Then you should first allow access to internet fo this address list and second disable access for all 10.23.40.0/24 subnet. To force wireless clients to use another subnet you should primarily assign address from 10.23.50.0/2...

Thanks. Using RAW table helps. Another solution is to move IPSec rules above "established, related" rules.
I don't dig IPSec address subst now, but it also can work.

In any case it's oddly that ROS always treats IPIP packets as "established, related" even when creating tunnel.

I need securely connect two routing networks, so I decide to use IPIP tunnel over IPSec running in transport mode between gateways. Also it's needed not to run unencrypted traffic between networks. So I configure IPSec and IPIP tunnel. Also on both gateways I make filter rules to prevent not IPSec t...

Good day.

I don't find in wiki descriptions of following parameters seemed in my RB750GR3 (6.40.5):
"firewall" - maybe it replacement for absent "notrack-chain" ?
"compatibility-options" - only find, that is ignored in ikev2 exchange mode.

Hello. In CAPSMAN where is tab "Rates" in which we can configure wifi rates. Also where are tabs "Rates" in "Configurations" and in "CAP interfaces" in which I can select from named rateset configured in "Rates" and also manualy set some rates. How do this settings work together? What takes preceden...

Ok. I missed this because this desc in part for established peer connections. So we can use this field for selecting IP address (for example fro multihome interface)?

What does parameter "Local address" in IPsec/Peer configuration?
Where are no info in wiki.

Problem resolved. Source was in network adapter in my computer. All was fine till today morning, when problem began, I don't know what triggered it - there was no changes for some months. But when I turn off all default turned on offloads for TCP/IP in onboard Realtek based network card problem disa...

I have RB3011. It's working fine, but when I connect by Winbox it shows all pages empty (no interfaces, no addresses and so on). For SSH connection I can see all. Also I have some wAPs - WInbox connection for them works fine. I connect to IP address, not MAC. WInbox version 3.10. I deleted 'Mikrotik...

About *) wap-ac - fixed performance problems with 2.4GHz wireless (additional reboot after upgrade required); I have same issue with wAP (RBwAP2nD) - in the same place there are D-Link DAP-2310 and just buyed wAP. I connect from the same device and run iperf. D-Link gives about double speed above wA...