Community discussions

Search found 96 matches

by bramwittendorp
Wed Mar 27, 2019 9:07 pm
Forum: Beginner Basics
Topic: Solution for VPN into company network
Replies: 3
Views: 334

Re: Solution for VPN into company network

Hi,

I assume those remote workers are road warriors, so I would suggest either SSTP (this is an SSL-based VPN) or L2TP with IPsec.

The RB2011 doesn't support IPSec hardware acceleration, so throughput might be a bit slow, but I think for general use it will be fine.
by bramwittendorp
Tue Mar 12, 2019 6:53 pm
Forum: Beginner Basics
Topic: OVPN disconnect after few seconds
Replies: 9
Views: 367

Re: OVPN disconnect after few seconds

The subject of your post is it disconnects after a few seconds, but I can see in the log it's connected for 1 minute at least. So what is your issue? Not being able to ping or getting disconnects?

Are you allowing the traffic coming in from the OVPN through your firewall?
by bramwittendorp
Mon Mar 11, 2019 8:33 pm
Forum: General
Topic: EoIP/IPsec & L2TP/IPsec on the same router
Replies: 4
Views: 313

Re: EoIP/IPsec & L2TP/IPsec on the same router

Hi!

I have been using EoIP/IPsec & L2TP/IPSec on multiple environments just fine.

Can you share your config to see what might cause the issues?
by bramwittendorp
Tue Feb 26, 2019 9:31 pm
Forum: General
Topic: public subnet routing
Replies: 2
Views: 488

Re: public subnet routing

Hi, You have to choose: either use transparent mode (which I will be explaining) or use the subnet with NAT. I would suggest the following configuration, remove the config you have made before (as you specified in your post): 1) Add the first usable IP-address from the routed-subnet on the Bridge2....
by bramwittendorp
Mon Feb 25, 2019 8:55 pm
Forum: General
Topic: Forward VPN to Synology NAS
Replies: 1
Views: 720

Re: Forward VPN to Synology NAS

Hi, What kind of firewall have you configured on the MikroTik? If it is not the default (https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router) you might need additional access rules to allow the traffic. These rules should then be placed in the forward chains. For the port forwarding part you'...
by bramwittendorp
Mon Feb 25, 2019 8:48 pm
Forum: Beginner Basics
Topic: Split tunneling
Replies: 7
Views: 676

Re: Split tunneling

Hi Khavale, Welcome to the forum! I am sure it is possible to use split-tunneling for YouTube traffic. But you'll need to find out the IP-address being used by YouTube, it might be easier to access the sites you want to access by VPN by additional routes. Also please share your config, so we can have...
by bramwittendorp
Wed Jan 23, 2019 7:44 pm
Forum: General
Topic: Setting a secondary PPPOE Connection
Replies: 9
Views: 584

Re: Setting a secondary PPPOE Connection

I am sorry. I haven't thought of one part of the configuration. You should also mark the traffic that is meant to use the Secondary PPPoE. So add something for that as well under /ip firewall mangle /ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=secondary-pppoe passthrou...
by bramwittendorp
Tue Jan 22, 2019 7:54 pm
Forum: General
Topic: Setting a secondary PPPOE Connection
Replies: 9
Views: 584

Re: Setting a secondary PPPOE Connection

Your gateway is not an IP-address for the specified routing mark /ip route add distance=1 gateway=pppoe-secundar routing-mark=secondary-pppoe In order for it to work, you'll need to find the IP-address the ISP uses on the other end of the PPPoE-interface. No next-hop lookup is performed when using thi...
by bramwittendorp
Tue Jan 22, 2019 5:20 pm
Forum: General
Topic: Setting a secondary PPPOE Connection
Replies: 9
Views: 584

Re: Setting a secondary PPPOE Connection

If you could go to the Terminal. This is an option in both Webfig and Winbox

and there do an export: /export hide-sensitive

And paste it here between the tags. That would be great
by bramwittendorp
Tue Jan 22, 2019 4:06 pm
Forum: General
Topic: Setting a secondary PPPOE Connection
Replies: 9
Views: 584

Re: Setting a secondary PPPOE Connection

I think one option that would suit you is make use of routing-marks. Routing marks give you an additional routing table where you can store your config. First of all: under /ip firewall mangle add a rule in the prerouting chain. In the rule specify the secondary PPPoE interface and under Action spec...
by bramwittendorp
Sun Jan 13, 2019 2:57 pm
Forum: Beginner Basics
Topic: Mikrotik Client OpenVPN Only For 1 Destination
Replies: 1
Views: 215

Re: Mikrotik Client OpenVPN Only For 1 Destination

This would definitely be possible by adding a static route for a /32 address (ex.: 1.1.1.1/32) specifying the next-hop address as the other end of the OVPN tunnel.
by bramwittendorp
Fri Jan 11, 2019 8:48 pm
Forum: General
Topic: Connecting another router to my MT
Replies: 8
Views: 505

Re: Connecting another router to my MT

Are you sure the traffic isn't being blocked by the MikroTik? Maybe you could post the output of your firewall config here? (/ip firewall export). Another issue I can think of is NAT, where traffic isn't being forwarded to the correct host. Maybe perform a traceroute as well, to identify where traf...
by bramwittendorp
Fri Jan 11, 2019 8:34 pm
Forum: General
Topic: Unable to connect using MAC address and Winbox
Replies: 1
Views: 396

Re: Unable to connect using MAC address and Winbox

I have seen some strange behaviour with regards to neighbor discovery not working because the network interface isn't active because it has no IP-configuration. But that doesn't explain why it works when connecting through a switch.
by bramwittendorp
Thu Jan 10, 2019 4:04 pm
Forum: Beginner Basics
Topic: WISP AP DHCP server does not work [SOLVED]
Replies: 2
Views: 311

Re: WISP AP DHCP server does not work [SOLVED]

Your config is incomplete if this is your full configuration. Please use the DHCP Server setup option in Winbox or follow the guide found in the Wiki: https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server. You're now just running a DHCP server, without any Pool (addresses to hand out) or any other op...
by bramwittendorp
Wed Jan 09, 2019 8:07 pm
Forum: General
Topic: Apple devices flooding DHCP server
Replies: 7
Views: 968

Re: Apple devices flooding DHCP server

I have a lot of Apple Gear, and haven't seen the problem so far. I think it is caused by the devices in question, but not due to some widespread issue, but rather to the individual device. I found the following topic in the Apple Forum: https://discussions.apple.com/thread/8193574 Maybe the suggesti...
by bramwittendorp
Wed Jan 09, 2019 1:36 pm
Forum: Beginner Basics
Topic: Google Home Mini / ICS-2000
Replies: 3
Views: 265

Re: Google Home Mini / ICS-2000

Hi, From your config, you have multiple IP-addresses assigned to ether2, which is your lan interface: /ip address add address=10.166.14.254/24 interface=ether2-LAN network=10.166.14.0 add address=192.168.2.1/24 interface=ether2-LAN network=192.168.2.0 add address=172.16.16.254/24 interface=ether2-LA...
by bramwittendorp
Tue Jan 08, 2019 7:30 pm
Forum: Beginner Basics
Topic: Google Home Mini / ICS-2000
Replies: 3
Views: 265

Re: Google Home Mini / ICS-2000

Hi, I have a couple more questions in order to understand your problem better: - Are both devices actually connected (eg.: do they show up in the registration list of any WiFi-interfaces; is the ethernet-interface running)? Do they have an IP-address assigned for the servers? - Can you use torch to ...
by bramwittendorp
Tue Jan 08, 2019 7:22 pm
Forum: Beginner Basics
Topic: Multiple EoIP\IPsec tunnels
Replies: 1
Views: 217

Re: Multiple EoIP\IPsec tunnels

I suspect this is normal behaviour. All four IPSec policies use the same-endpoint, so it is only necessary to have one of the policies active. Since they are created dynamically I think MikroTik creates the policy for every EoIP interface you create.
by bramwittendorp
Thu Jan 03, 2019 10:16 pm
Forum: Beginner Basics
Topic: ARP vs DHCP| Packs vs RBversion|PPPoE [SOLVED]
Replies: 6
Views: 526

Re: ARP vs DHCP| Packs vs RBversion|PPPoE [SOLVED]

Hi, I am making an attempt to answer you as well as I can: This one is pretty easy. The ARP table is used for the lookup of MAC-Addresses (OSI Layer 2) based on IP-addresses (OSI-Layer 3). This is needed for the transport from the IP-packets towards a client. For more info on ARP you can look in the...
by bramwittendorp
Mon Nov 26, 2018 8:18 pm
Forum: Beginner Basics
Topic: Windows 7 L2TP Ipsec error 789
Replies: 2
Views: 713

Re: Windows 7 L2TP Ipsec error 789

According to this page of Microsoft the error 789 is a generic error, which could be caused by the IPSec connection not being established, you could check this by watching the IP > IPSec menu-items in Winbox, you would see a remote peer when IPSec is establishing a connection. How is your traffic f...
by bramwittendorp
Tue Nov 20, 2018 2:33 pm
Forum: Beginner Basics
Topic: Windows Firewall and Sub-Network question
Replies: 6
Views: 843

Re: Windows Firewall and Sub-Network question

It depends on what you're trying to do. It's not the MikroTik in your way, the Windows Firewall is blocking the traffic. You'll need to add the other networks as trusted in your Windows Firewall if you wish to communicate while having Windows Firewall enabled. You can certainly create work-around on...
by bramwittendorp
Tue Nov 13, 2018 7:14 pm
Forum: General
Topic: Third Party (SonicWall) to MikroTik Aggressive IPSec tunnel Interface
Replies: 0
Views: 281

Third Party (SonicWall) to MikroTik Aggressive IPSec tunnel Interface

Hi guys, I am working on a project where I have to build a setup where all traffic gets routed through an IPSec tunnel. Since I need routing I figured out I need to use a tunnel interface either GRE or IPIP to be able to use this interface in the routing table. On the main site we have a SonicWall f...
by bramwittendorp
Sun Oct 28, 2018 4:21 pm
Forum: General
Topic: SRC-NAT --> NETMAP Incorrect Public IP [SOLVED]
Replies: 4
Views: 489

Re: SRC-NAT --> NETMAP Incorrect Public IP [SOLVED]

Hi Jim, The order you have is correct as is, the rules would be triggered correctly for this rule to work properly. Consider replacing it with the following rule. This is less specific but might work better, because in your current config you're only applying the rule to TCP-traffic. /ip firewall nat a...
by bramwittendorp
Sun Oct 28, 2018 1:53 pm
Forum: General
Topic: SRC-NAT --> NETMAP Incorrect Public IP [SOLVED]
Replies: 4
Views: 489

Re: SRC-NAT --> NETMAP Incorrect Public IP [SOLVED]

Are you sure these rules are actually the first rules under the IP > NAT configuration? The way MikroTik walks to the NAT-table is from top to bottom, so if there is for instance a masquerade rule for traffic leaving on ether1-WAN first, that rule is applied. Also under IP > Firewall > Service Port ...
by bramwittendorp
Sat Oct 27, 2018 4:50 pm
Forum: Beginner Basics
Topic: Port mapping
Replies: 2
Views: 399

Re: Port mapping

Hi, Could you post your config? There might be an issue with firewall configuration why traffic is dropped. Also: port 80 is used for webfig. In order to forward it towards a LAN-device it might be good practice to disable the web-service under IP > Services. Also, make sure you aren't double natted...
by bramwittendorp
Wed Oct 24, 2018 9:55 pm
Forum: Beginner Basics
Topic: Send two untagged vlan from trunk uplink to access port..
Replies: 4
Views: 526

Re: Send two untagged vlan from trunk uplink to access port..

You can only have 1 untagged vlan on a port or trunk. All additional ports need to be tagged.
by bramwittendorp
Wed Oct 24, 2018 9:50 pm
Forum: Beginner Basics
Topic: Routing to the designated ISP [SOLVED]
Replies: 4
Views: 511

Re: Routing to the designated ISP [SOLVED]

Hi, Depending on your exact needs I think it can be done. So, assuming from your description we have two separate locations; location A with the 192.168.1.0/24 network and location B with both a 192.168.2.0/24 network and a 192.168.3.0/24. In order for the user1 in location B, which has an IP-addres...
by bramwittendorp
Tue Oct 23, 2018 10:59 pm
Forum: Beginner Basics
Topic: Routing to the designated ISP [SOLVED]
Replies: 4
Views: 511

Re: Routing to the designated ISP [SOLVED]

Could you be more specific about your design choices? For starters I am wondering why you use 2 routers, which would then lead to a third router leading towards a switch leading towards the clients. To me it seems you make things more complicated than it needs to be. You could configure both ISPs on...
by bramwittendorp
Tue Oct 23, 2018 10:48 pm
Forum: General
Topic: Firewall remote log doesn't contains all
Replies: 2
Views: 275

Re: Firewall remote log doesn't contains all

[admin@R1] > /ip firewall filter print Flags: X - disabled, I - invalid, D - dynamic ...shortened 30 ;;; BLOCK TROJANS chain=input action=drop src-address-list=Trojans log=no log-prefix="" 31 chain=forward action=drop src-address-list=Trojans log=no log-prefix="" Maybe change the log=no to log=yes,...
by bramwittendorp
Mon Oct 22, 2018 7:44 pm
Forum: Beginner Basics
Topic: Upgrade 802.11 version in repeater mode
Replies: 1
Views: 214

Re: Upgrade 802.11 version in repeater mode

I would like to know - whether it is possible or not, to configure Microtik router in such a way, when, in repeater mode - LAN devices would be connected on higher speeds, than when running on main router's network? No, it is not possible, and it won't work with any other vendor, before you run off...
by bramwittendorp
Mon Oct 22, 2018 7:05 pm
Forum: Beginner Basics
Topic: Router works. However websites don't open at first attempt
Replies: 1
Views: 319

Re: Router works. However websites don't open at first attempt

Hi, In your DHCP-settings I noticed you're using two public DNS-caching servers, but you have enabled DNS-request to your router as well, so it might be better to put your router's LAN-IP on the DHCP-server network set-up in order to use it as a DNS-caching server. This way DNS can reply quicker, wh...
by bramwittendorp
Tue Oct 09, 2018 3:05 pm
Forum: Beginner Basics
Topic: No internet connection on my switch
Replies: 9
Views: 1058

Re: No internet connection on my switch

To check if the correct interface has an IP-address, you'll need to do an /ip address export from the terminal and check whether the correct IP-address has been assigned to ether1. Alternatively you could also use the IP > Address tab in WinBox or Webfig. If you want proper help, please post the con...
by bramwittendorp
Sun Oct 07, 2018 3:43 pm
Forum: General
Topic: MacOS Winbox features and limitations
Replies: 4
Views: 909

Re: MacOS Winbox features and limitations

Hi WeWiNet, I personally use the WinBox for Mac from Joshaven.com, which can be found on: http://joshaven.com/resources/tools/winbox-for-mac/. No file drag and drop >> I have this problem as well, but that is not a WinBox issue, but a dependency in Wine No windows like copy via CTRL-C/CTRL-V in Win...
by bramwittendorp
Fri Sep 28, 2018 11:45 am
Forum: General
Topic: something is wrong with my DNS resolving...
Replies: 8
Views: 641

Re: something is wrong with my DNS resolving...

Which DNS servers have you configured under IP > DNS (/ip dns export OR /ip dns print)?

Try with different DNS-servers to make sure the problem isn't in your current set of DNS servers.
by bramwittendorp
Tue Sep 04, 2018 5:27 pm
Forum: Beginner Basics
Topic: DHCP server not handing out IP's
Replies: 10
Views: 1027

Re: DHCP server not handing out IP's

You're only running a DHCP-server on ether2. From your config it says servers are connected on ether3. So it seems legit that you don't receive a dhcp-address on your server if it's connected on ether3. /ip dhcp-server add add-arp=yes address-pool=dhcp_pool1 disabled=no interface="ether2 (LAN)" name...
by bramwittendorp
Tue Sep 04, 2018 7:45 am
Forum: Beginner Basics
Topic: L2tp error 789
Replies: 5
Views: 1377

Re: L2tp error 789

Hi Marco, I was troubleshooting VPN-issues on Windows (10) earlier today with Mac OS working fine, but Windows giving me shit. I saw similar error messages. I found this post very useful (https://superuser.com/questions/1298513/l2tp-ipsec-vpn-fails-to-connect-on-windows-10-works-fine-on-ios). I also...
by bramwittendorp
Sun Sep 02, 2018 6:27 pm
Forum: General
Topic: L2TP routing issue - SOLVED
Replies: 5
Views: 408

Re: L2TP routing issue

You should post your router configuration with an
/export hide-sensitive
We can then walk through it and guide you towards a solution.

Are the L2TP-clients also MikroTik? If so, please post the config of it as well.
by bramwittendorp
Fri Aug 31, 2018 7:48 pm
Forum: Forwarding Protocols
Topic: Mikrotik DDNS and NVR
Replies: 10
Views: 1195

Re: Mikrotik DDNS and NVR

Your NAT-export looks incomplete of the MikroTik. The NAT-rules aren't matching any ports right now. That could be an issue. You'll need either a catch-all rule: this one will catch all traffic and forward it to the NVR. /ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.0.109 Or...
by bramwittendorp
Wed Aug 29, 2018 7:12 pm
Forum: Forwarding Protocols
Topic: Mikrotik DDNS and NVR
Replies: 10
Views: 1195

Re: Mikrotik DDNS and NVR

Can you post your current configuration; an /ip firewall nat export would be sufficient?

The RTSP-protocol is likely UDP as it's a continuous data-stream.
by bramwittendorp
Tue Aug 28, 2018 3:50 pm
Forum: Forwarding Protocols
Topic: Mikrotik DDNS and NVR
Replies: 10
Views: 1195

Re: Mikrotik DDNS and NVR

It depends on the application I guess. I don't know which protocol and which ports are used by the application. You should forward all the necessary ports for the application by additional NAT-rules and verify that these NAT-rules actually get a hit. You should see packet-counters running when tryin...
by bramwittendorp
Sun Aug 26, 2018 10:18 pm
Forum: Forwarding Protocols
Topic: Mikrotik DDNS and NVR
Replies: 10
Views: 1195

Re: Mikrotik DDNS and NVR

Hi, From my point of view it seems you have too many NAT-rules. You should leave the SRC-NAT (Masquerade) but you should remove any other rules. I think you'll only need the following rules. I assume port 80 is used for a webpage of the NVR, so that should be TCP (as web is TCP-based). For the port...
by bramwittendorp
Sat Aug 25, 2018 5:54 pm
Forum: Forwarding Protocols
Topic: L2TP to remote office
Replies: 27
Views: 2266

Re: L2TP to remote office

Hi Flynno, Thanks for the reply, the drawing you made shines a better light on your case and what you're trying to do. I'm under the impression you followed some tutorials online to set things up. From my point-of-view it looks crazy difficult. Based on the drawing, and my experience I have given yo...
by bramwittendorp
Sat Aug 25, 2018 4:03 pm
Forum: Forwarding Protocols
Topic: Mikrotik DDNS and NVR
Replies: 10
Views: 1195

Re: Mikrotik DDNS and NVR

Hi, You could definitely use the MikroTik DDNS function for this, start with enabling it under /ip cloud. Then what you'll need to do is add two destination NAT-rules following the documentation (https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Destination_NAT). In your firewall filters you sho...
by bramwittendorp
Fri Aug 24, 2018 3:51 pm
Forum: Forwarding Protocols
Topic: L2TP to remote office
Replies: 27
Views: 2266

Re: L2TP to remote office

On the DHCP-client of my WAN-interface (not sure if you can set it on an LTE-device) I changed the default route distance to 10. That way my default route that gets added through the VPN-connection will always become the more preferred one. My routing table with active VPN looks like this: 2 ADS 0.0...
by bramwittendorp
Fri Aug 24, 2018 2:54 pm
Forum: Forwarding Protocols
Topic: L2TP to remote office
Replies: 27
Views: 2266

Re: L2TP to remote office

Why are you using Mangle anyway? I want to be able to use the office connection as the main internet connect for the mikrotik LTE device, send all traffic from the LTE down the tunnel to the office connection. You want to send all traffic through the VPN-tunnel am I right? It seems to me that you ha...
by bramwittendorp
Fri Aug 24, 2018 8:24 am
Forum: Forwarding Protocols
Topic: L2TP to remote office
Replies: 27
Views: 2266

Re: L2TP to remote office

For the PPP-secret, I use the following configuration on the Main-router: /ppp secret add local-address=192.168.100.6 name=map_bram remote-address=10.9.5.1 routes=10.9.5.0/24 service=pptp This takes care of the whole Site-to-Site VPN tunnel for me. On the remote end it will use the IP-address I setu...
by bramwittendorp
Tue Aug 21, 2018 10:38 pm
Forum: Forwarding Protocols
Topic: L2TP to remote office
Replies: 27
Views: 2266

Re: L2TP to remote office

That should be it I think, does it work?
by bramwittendorp
Tue Aug 21, 2018 8:36 pm
Forum: Forwarding Protocols
Topic: L2TP to remote office
Replies: 27
Views: 2266

Re: L2TP to remote office

Hi, You're correct, there is an issue with the following route, on the LTE-device /ip route add distance=1 dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark= PPTP Instead of specifying the gateway-interface (l2tp-out1) you'll need to specify the IP-address of the RB on the other end of the tunnel ...
by bramwittendorp
Tue Aug 21, 2018 8:28 pm
Forum: General
Topic: DMZ Routing question (Stuck)
Replies: 17
Views: 889

Re: DMZ Routing question (Stuck)

You'll need Hairpin-NAT. Lots of good topics on this forum explaining that. Just do a search for Hairpin-NAT.

search.php?keywords=Hairpin+NAT
by bramwittendorp
Tue Aug 21, 2018 8:24 pm
Forum: Beginner Basics
Topic: Limit bandwidth per ether-port
Replies: 1
Views: 251

Re: Limit bandwidth per ether-port

Hi,

I'm running RouterOS 6.42.7 (latest release), and you could just specify the interface on the General tab. At target, instead of specifying an IP-address you can also select interfaces there.