Community discussions

Search found 209 matches

by jvanhambelgium
Sun May 31, 2020 3:13 pm
Forum: Scripting
Topic: [Script] Automatically change DNS if Pi-hole is no longer working
Replies: 4
Views: 381

Re: [Script] Automatically change DNS if Pi-hole is no longer working

This will not work for all clients that have received their DHCP-lease. I don't know how many hours of lease-time you provide so these clients don't really benefit from the switchover you make on RouterOS. If their (only) DNS-server fails it is over & out. Multiple DNS would be a / the only true "re...
by jvanhambelgium
Sun May 31, 2020 12:12 pm
Forum: Beginner Basics
Topic: Missing HTTP packets
Replies: 3
Views: 316

Re: Missing HTTP packets

It is very normal that you do not "see" this traffic on the Raspberry Pi on a SWITCHED environment. (and a CRS is a switch) Broadcasts still "flood" out of the ports, that is why you see them arriving at the Raspberry. The Mikrotik does allow you to see this, since this is where everything comes tog...
by jvanhambelgium
Sat May 30, 2020 7:20 pm
Forum: Beginner Basics
Topic: How to make Port knocking working on vpn/pptp connection ?
Replies: 7
Views: 968

Re: How to make Port knocking working on vpn/pptp connection ?

Concerning some config lines. add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp add action=accept chain=input com...
by jvanhambelgium
Sat May 30, 2020 5:09 pm
Forum: Beginner Basics
Topic: How to make Port knocking working on vpn/pptp connection ?
Replies: 7
Views: 968

Re: How to make Port knocking working on vpn/pptp connection ?

How to make Port knocking working on vpn/pptp connection ? I try this ( https://wiki.mikrotik.com/wiki/Port_Knocking ) but is not working on vpn/pptp connection Anyone could help ? Port knocking is intended and used primarily with normal/usual connections. I really don't see a reason why one would ...
by jvanhambelgium
Sat May 30, 2020 1:15 pm
Forum: General
Topic: DDos protection
Replies: 4
Views: 502

Re: DDos protection

You should also drop traffic on your LAN-side (so "forward" chain, interface depending on your model & topology) that is not originated from the effective IP address of the VM/Client itself! So at least you try to stop facilitating "spoofed" traffic towards the internet! Normally if you run a PPPoE ...
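The egress anti-spoofing the post recommends (drop anything leaving the LAN side whose source is not one of your own prefixes) as a RouterOS configuration. This is an added example, not the poster's configuration; the bridge name "bridge-lan" and the prefix 192.168.88.0/24 are assumptions, adjust both to your topology.

```routeros
# Added example. Assumptions: the LAN/customer-facing interface is "bridge-lan"
# and 192.168.88.0/24 is the only prefix that legitimately originates behind it.
/ip firewall address-list
add list=lan-prefixes address=192.168.88.0/24 comment="prefixes allowed as source behind bridge-lan"

# Raw prerouting is evaluated before connection tracking, so a spoofed packet is
# dropped at the cheapest point and never creates a conntrack entry.
/ip firewall raw
add chain=prerouting in-interface=bridge-lan src-address-list=!lan-prefixes \
    action=drop log=yes log-prefix="egress-spoof" \
    comment="BCP38: drop LAN packets whose source is not one of our prefixes"

# Belt and braces: strict reverse-path filtering rejects a packet whose source
# address would not be routed back out the interface it arrived on. Use loose
# (or leave it off) on routers with several WANs or asymmetric routing.
/ip settings set rp-filter=strict
```

Watch the log for a while before trusting the rule: a hit with log-prefix "egress-spoof" is either a compromised host spoofing, or a prefix you forgot to put in lan-prefixes. For PPPoE subscribers, where every client gets a single framed address on its own ppp interface, rp-filter=strict gives the same per-client protection without maintaining the address list.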
by jvanhambelgium
Sat May 30, 2020 12:26 am
Forum: General
Topic: Routing of live IP
Replies: 6
Views: 1083

Re: Routing of live IP

So you have separate wireless AP's ? I would take a look at the Wiki's for the different topics you need : 1) Routing https://wiki.mikrotik.com/wiki/Manual:Simple_Static_Routing 2) Securing services https://wiki.mikrotik.com/wiki/Manual:IP/Services (so really make sure you add your "LAN" subnet in t...
by jvanhambelgium
Fri May 29, 2020 10:20 pm
Forum: General
Topic: Routing of live IP
Replies: 6
Views: 1083

Re: Routing of live IP

Just like this ? 1) Make bridge and group all your interfaces and give this bridge the IP of 172.20.18.1 255.255.255.224 (this will become the "default gateway" for all your PC/devices connected on LAN) Then plug whatever device you want on the ethernet-ports (all member of the bridge) and you ca...
by jvanhambelgium
Fri May 29, 2020 5:25 pm
Forum: General
Topic: Help with AirPrint network printer over VPN on the same subnet
Replies: 6
Views: 767

Re: Help with AirPrint network printer over VPN on the same subnet

Wow Thank you! You have to understand that things like Airprint/Bonjour/mDNS/whatever were NEVER designed to "leave" the local LAN of your home. So yes, it is very normal these things just don't work so easily with more complex setups like home VLAN's, remote VPN's etc,etc. There might be ways, bu...
by jvanhambelgium
Thu May 28, 2020 11:41 am
Forum: General
Topic: Port forwarding to External OpneVPN Server [SOLVED]
Replies: 4
Views: 678

Re: Port forwarding to External OpneVPN Server [SOLVED]

Would that rule work? /ip firewall nat add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445 Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed ...
by jvanhambelgium
Wed May 27, 2020 2:09 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3020

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

I don't use "tarpit". It will only consume more resources (cpu/mem) on your side with the idea to slow the attacker down by holding the connection, but... For metered connections, only your upstream ISP can truly provide some useful action. If the packet hits your interface, it consumed already band...
by jvanhambelgium
Wed May 27, 2020 1:30 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3020

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

I have an access rule that if anyone tries one port that is not open on the outside, he will be blocked for 24 hour on any port. This gives me an access list with from 2000 to 15000 IPs at any time. If this for some reason is me that has been blocked from outside, I can use port knock to whitelist ...
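The scheme quoted above (any Internet source that touches a closed port on the router is banned on all ports for 24 hours, and a port knock whitelists you even if you banned yourself), and the port-knocking question earlier on this page, as a RouterOS input chain. This is an added example, not the quoted user's rule set; the interface list "WAN", the management ports 22 and 8291, the IPsec ports, and the knock port 48211/tcp are assumptions (48211 is a made-up value, choose your own).

```routeros
# Added example. Assumptions: interface list "WAN" holds the upstream interface(s),
# management is SSH (22) and Winbox (8291), IPsec (udp/500,4500) is the only service
# meant to be reachable from the Internet without knocking, knock port 48211/tcp is hypothetical.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=!WAN comment="management from inside"

# 1. The knock. add-src-to-address-list does not stop rule processing: the knock packet
#    itself still falls through to a drop below, it only opens the window. It sits above
#    the ban check on purpose, so a source that banned itself can still knock.
add chain=input in-interface-list=WAN protocol=tcp dst-port=48211 \
    action=add-src-to-address-list address-list=knock-allowed address-list-timeout=10m \
    comment="knock: 10 minute management window"

# 2. Knocked sources get management.
add chain=input in-interface-list=WAN src-address-list=knock-allowed \
    protocol=tcp dst-port=22,8291 action=accept comment="management after knock"

# 3. Banned sources are dropped before the public services are evaluated.
add chain=input in-interface-list=WAN src-address-list=blocked-24h action=drop comment="banned"

# 4. Services that are deliberately public.
add chain=input in-interface-list=WAN protocol=udp dst-port=500,4500 action=accept comment="IPsec/IKE"

# 5. A knocked source hitting any other port is dropped without earning a ban
#    (this is also where the knock packet itself ends up).
add chain=input in-interface-list=WAN src-address-list=knock-allowed action=drop

# 6. Everything else from WAN is a closed port: ban the source for a day, then drop.
add chain=input in-interface-list=WAN \
    action=add-src-to-address-list address-list=blocked-24h address-list-timeout=1d \
    comment="touched a closed port: 24h ban"
add chain=input action=drop
```

Two caveats a practitioner should keep in mind. A single knock port is found by any full port sweep, and because the knock is deliberately honoured for banned sources, a scanner that lands on it gets the same 10 minute window you do; a multi-port sequence, or management only over the VPN, is stronger. And on a busy box the banned-source drop (rule 3) belongs in /ip firewall raw prerouting, as the address-range post further down this page notes, in which case the knock rule has to move to raw as well so it is still evaluated first.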
by jvanhambelgium
Wed May 27, 2020 7:46 am
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3020

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

Somedays I think I need a hardware FW in front of my router...If MT can focus on security with every new release, I will stick with them...if not...will be time to give up on MT after 8 years and move onto something else. There is no such thing as "a hardware firewall" . Sure there are brands with ...
by jvanhambelgium
Sun May 24, 2020 12:12 am
Forum: Beginner Basics
Topic: How can i pass my Lan network withouth having to make NAT [SOLVED]
Replies: 4
Views: 457

Re: How can i pass my Lan network withouth having to make NAT [SOLVED]

Are you sure this is going to work ? Many "home" grade routers for example will only perform NAT (I mean the Alcatel box) when packets arrive in the range of their own LAN-interface. Or is the Alcatel configured that it will do NAT for 10.15.165.0/24 ?? Well, now you just need simple routing (and po...
by jvanhambelgium
Sun May 24, 2020 12:05 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 63
Views: 12796

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Is there a reasonable way of bypassing Mk's limit or another approach? I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipments. Nothing wrong with the concept I think. The idea of deploying such huge massive IP-lists and filter agains...
by jvanhambelgium
Sat May 23, 2020 8:38 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 63
Views: 12796

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Is there a reasonable way of bypassing Mk's limit or another approach? I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipments. Nothing wrong with the concept I think. The idea of deploying such huge massive IP-lists and filter agains...
by jvanhambelgium
Sat May 23, 2020 1:09 pm
Forum: Beginner Basics
Topic: The extra packages in RouterOS [SOLVED]
Replies: 21
Views: 2055

Re: The extra packages in RouterOS [SOLVED]

Don't think you can specify a specific version. Just upgrade (to the latest) or downgrade (to previous) within the channel chosen (eg. stable/long-term/...) (and I'm not even sure on the channel-flag)
by jvanhambelgium
Sat May 23, 2020 12:32 pm
Forum: General
Topic: Flooding UDP port 1194
Replies: 14
Views: 2151

Re: Flooding UDP port 1194

Why not change the port (port translation in router) to your customers. like use 54332 dydns name/url:54332 add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=54332 protocol =tcp? to-addresses=IPserver to-ports=1194 Why would udp scans be stopped by a TCP rule (title of thread- "FLOODIN...
by jvanhambelgium
Sat May 23, 2020 8:23 am
Forum: Beginner Basics
Topic: Deny ip PUBLIC traffic
Replies: 10
Views: 1556

Re: Deny ip PUBLIC traffic

Sorry, but what should I look for in the nat, since basically I tag the traffic, I redirect traffic to other services that are not the mail, and finally it forwards it to my linux firewall. If the rule worked, the traffic coming from those IPs would not have to be sent to this Linux server, and the...
by jvanhambelgium
Fri May 22, 2020 9:46 pm
Forum: General
Topic: Flooding UDP port 1194
Replies: 14
Views: 2151

Re: Flooding UDP port 1194

Problem is the source IP + source port remain the same. Don't think the PSD attributes are going to be very useful here...they operate on the DESTINATION PORT and (same) SOURCE-IP but does not look at the SRC-PORT of the SOURCE-IP. If your OpenVPN needs to be really .... open and globally accessibl...
by jvanhambelgium
Fri May 22, 2020 9:38 pm
Forum: General
Topic: Flooding UDP port 1194
Replies: 14
Views: 2151

Re: Flooding UDP port 1194

I still want users with a valid certificate to connect, so just closing port 1194 is not really an option. Moving to port 1196 for example is just a matter of time.. That is the issue with running a full public service... Of course I don't know your userbase, but perhaps a script before the connec...
by jvanhambelgium
Fri May 22, 2020 9:34 pm
Forum: General
Topic: Flooding UDP port 1194
Replies: 14
Views: 2151

Re: Flooding UDP port 1194

Problem is the source IP + source port remain the same. Don't think the PSD attributes are going to be very useful here...they operate on the DESTINATION PORT and (same) SOURCE-IP but does not look at the SRC-PORT of the SOURCE-IP. If your OpenVPN needs to be really .... open and globally accessible...
by jvanhambelgium
Fri May 22, 2020 8:15 pm
Forum: Beginner Basics
Topic: Deny ip PUBLIC traffic
Replies: 10
Views: 1556

Re: Deny ip PUBLIC traffic

Check your NAT rules...
by jvanhambelgium
Thu May 21, 2020 11:59 am
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 1043

Re: Firewall Rule not work with Microsoft DHCP server

Same outcome. Your "unmanaged switch" is a simple L2-switch right ? With a design like this, it is IMPOSSIBLE to intervene/filter/capture/firewall traffic between PC1/PC2/PC3/PC4/SERVER because they all share the same IP-SUBNET. A device will only "contact" the Mikrotik if it needs to reach somethin...
by jvanhambelgium
Thu May 21, 2020 11:15 am
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 1043

Re: Firewall Rule not work with Microsoft DHCP server

Well ... drawn like this the Mikrotik will NOT "see" any DHCP or DNS requests from clients fly by. These PC's can communicate DIRECTLY with the server (because they are in the IP-network) For DHCP, the clients will yell with a "broadcast" and the DHCP will answer that. Also, impossible to limit the ...
by jvanhambelgium
Thu May 21, 2020 9:54 am
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 1043

Re: Firewall Rule not work with Microsoft DHCP server

I use "forward" now but it seem like the router rule doesn't work. I see the Byte and Package doesn't counted. Can you make small drawing ? Reading your post is very weird. You say PC's & servers are on the SAME IP-network, but perhaps you made a typo in writing. All the IP's below are in the same ...
by jvanhambelgium
Thu May 21, 2020 8:30 am
Forum: General
Topic: Best way to prevent attack from external
Replies: 9
Views: 1255

Re: Best way to prevent attack from external

Not really a problem to keep adding to the list but obviously this takes some time (administration) and is always reactive! You should review your management strategy. - Allow Winbox only from inside ? - If over Internet, your remote location/office does not have a STATIC IP so you can build your fi...
by jvanhambelgium
Wed May 20, 2020 6:11 pm
Forum: General
Topic: BLOCK TORRENT w/ ROUTER OS 6.45.9
Replies: 1
Views: 313

Re: BLOCK TORRENT w/ ROUTER OS 6.45.9

Hi, Is there a way to totally block torrent using the mentioned router OS version. If not, can we apply download limit for torrent traffic only. Many thanks, Gerry You could go quite aggressive : -> Deny any inbound traffic not part of client-initiated sessions. (but with exceptions that are applic...
by jvanhambelgium
Mon May 18, 2020 3:39 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 63
Views: 12796

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Don't think so. That Wiki page states : This page was last edited on 18 October 2017, at 10:37.
As it says on the page : After RouterOS v4.0beta4, Lua support is removed until further notice
by jvanhambelgium
Mon May 18, 2020 3:37 pm
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3458

Re: namecheap.com dynamic dns

I use dynu and it works great, and it has the ability to assign a C-name, so I point my FREE service at the MT CLOUD. Perhaps in Belgium you like to torture friends or businesses with a long ass winded name to use to reach servers :-PPP, but I prefer being human!! :-) Well I have my own domain too ...
by jvanhambelgium
Mon May 18, 2020 1:47 pm
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3458

Re: namecheap.com dynamic dns

After spending 2 days searching for a working script to update my wan IP to Namecheap, I want to say this script is excellent. Short and precise. thx a lot @mattsawatzky Why not use the built-in feature in RouterOS ? I use this for years now without any issues or need for 3rd party services. https:/...
by jvanhambelgium
Sun May 17, 2020 8:55 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 63
Views: 12796

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

How do we get around this 63KiB limit? can we ask mikrotik about this We are trying to automate the download and add of https://www.ipdeny.com/ipblocks/data/countries/gb.zone which is 124KiB Perhaps the only way is to have some really smart script parse this list further into large(r) CIDR-blocks ....
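One way around the fetch size limit the poster hits that does not depend on the router parsing a 124KiB zone file in memory: build the list off-box (aggregate adjacent ranges into larger CIDR blocks first, which is also what the reply above suggests), publish it as a ready-made .rsc of address-list add commands, and let the router fetch and import it on a schedule. This is an added example and not the downloader script the thread is about; the URL, the list name "gb-country", the script name and the presence of the publishing server's CA certificate on the router are assumptions.

```routeros
# Added example. Assumptions: https://lists.example.invalid/gb.rsc (hypothetical) serves
# plain "/ip firewall address-list add list=gb-country address=..." lines, and the CA that
# signed that server's certificate has already been imported under /certificate.
# Save as a script named "refresh-gb-list" under /system script.
:local url "https://lists.example.invalid/gb.rsc"
:local fname "gb.rsc"

# check-certificate=yes is the security-relevant part: an unauthenticated download
# lets anyone on the path rewrite what you block, or blank the list entirely.
:do {
    /tool fetch url=$url dst-path=$fname check-certificate=yes
} on-error={
    :log error "gb-country refresh: download failed, keeping the existing list"
    :error "fetch failed"
}

# Replace the list only once a fresh copy is on disk. The list is briefly empty
# between the remove and the import; /import is fast, but run it at a quiet hour.
/ip firewall address-list remove [find list=gb-country]
/import file-name=$fname
/file remove $fname
:log info ("gb-country refreshed: " . [:len [/ip firewall address-list find list=gb-country]] . " entries")
```

Schedule it with /system scheduler add name=refresh-gb-list interval=1d start-time=03:00:00 on-event=refresh-gb-list. Because /import accepts files of any practical size, the list length is no longer limited by what fetch can hold in a variable, and the aggregation step off-box keeps the number of firewall entries (and the per-packet lookup cost) down.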
by jvanhambelgium
Sat May 16, 2020 11:14 am
Forum: General
Topic: Using CGNAT (NAT444) to contain an flooding attack
Replies: 1
Views: 354

Re: Using CGNAT (NAT444) to contain an flooding attack

This gives 499 ports for traffic going out from clients and you can make the source port range changing every so much time to avoid that an attacker is targeting your port range. But if I have 1500 people behind the Mikrotik I will have a problem with exhausted ports on the source-side to choose fr...
by jvanhambelgium
Sat May 16, 2020 8:38 am
Forum: Beginner Basics
Topic: Network topology for portable test rig
Replies: 6
Views: 882

Re: Network topology for portable test rig

He's asking me what I need, I'm not sure what to tell him, but I don't think mapping a bunch of IPs 1:1 is the right way to go, since if I change my IP addresses it'll break. So here's what I'm thinking: All the stuff on the test rig is 192.168.0.x, and the stuff on the LAN is 172.16.x.x. Can I ask...
by jvanhambelgium
Fri May 15, 2020 8:20 pm
Forum: Beginner Basics
Topic: Network topology for portable test rig
Replies: 6
Views: 882

Re: Network topology for portable test rig

Thanks, I'll give it a try. I was wondering if it's possible, if the factory network is 192.168.1.x, to have my sub-network to be 192.168.2.x, and still be able to get in from remote computers on the 192.168.1.x network? (Assuming the local IT will do anything for me, I know them well.) I have logg...
by jvanhambelgium
Fri May 15, 2020 2:07 pm
Forum: RouterBOARD hardware
Topic: Testing Methodology differs for Switches and Routers [SOLVED]
Replies: 12
Views: 3769

Re: Testing Methodology differs for Switches and Routers [SOLVED]

CCR's with full 100% CPU utilization seem not really usable to have this in production under these kinds of load...nice for a lab-stress-test to max it out but...
Do you have stats on effective packet drops under these loads ?
Hard to believe it is "0" with all cores at 100% etc.
by jvanhambelgium
Thu May 14, 2020 12:26 pm
Forum: General
Topic: Strange behavior when host is down.
Replies: 1
Views: 311

Re: Strange behavior when host is down.

I don't have this behavior.
Tested on Linux, running 6.46.4 on RB3011
by jvanhambelgium
Wed May 13, 2020 7:43 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything)
Replies: 295
Views: 111145

Re: Tool: Using Splunk to analyse MikroTik logs 2.9 (Graphing everything)

Is it "normal" that Splunk is quite slow? I have it running since 4-5 hours and the Traffic Accounting Dashboard takes 2 minutes until some results are shown... No that seems not normal... The "Traffic" dashboard show here in about 2 seconds when selecting "Time Range = last 4 hours". I run Splunk ...
by jvanhambelgium
Wed May 13, 2020 10:43 am
Forum: Beginner Basics
Topic: Network topology for portable test rig
Replies: 6
Views: 882

Re: Network topology for portable test rig

The possibilities depend a bit on what the local IT will allow! So you have already some "VPN" services that connect you to the factory network ? You speak about connecting the CRS as a wireless-client onto the corporate network right ? Perhaps you could ask localIT if they can provide you with a ST...
by jvanhambelgium
Wed May 13, 2020 10:35 am
Forum: General
Topic: Firewall Rule against Botnet Attacks?
Replies: 6
Views: 1090

Re: Firewall Rule against Botnet Attacks?

Hello everyone, we are a little Internet provider from Germany and use Mikrotik Routers. In the last time our customers get attacks from i think that are botnets. The Botnets are attacking one address from the pppoe pool with most from port 389 and 53, so that we added some firewall rules in raw to ...
by jvanhambelgium
Wed May 13, 2020 9:13 am
Forum: Beginner Basics
Topic: Linking 2 switches (2 LANs) directly with each other
Replies: 8
Views: 1341

Re: Linking 2 switches (2 LANs) directly with each other

@jvanhambelgium, the router creates automatically routes to the attached 2 LANs, as normal/usual. But the goal with this direct link approach between the two Switches is that local traffic between them (LAN1 and LAN2) shall not go over the router, except when WAN is explicitly involved , then the ...
by jvanhambelgium
Tue May 12, 2020 7:07 pm
Forum: Beginner Basics
Topic: Linking 2 switches (2 LANs) directly with each other
Replies: 8
Views: 1341

Re: Linking 2 switches (2 LANs) directly with each other

I'm no real expert. 1.) can these two switches (ie. the two LANs) also be linked directly with each other over a spare port on each switch, so that the local traffic between them then does not go over the router? >> How are these interface on the router configured ? Are these routed-interfaces ? So ...
by jvanhambelgium
Tue May 12, 2020 4:35 pm
Forum: Beginner Basics
Topic: Address range in firewall address list
Replies: 14
Views: 1409

Re: Address range in firewall address list

jvan - would you capture the offenders in the regular firewall (add to firewall address list) and then drop them in raw? Depends on the current load on your box. Sure if you drop them raw they consume the least amount of resources on your box. Here on my small home network I have them all in ACL's ...
by jvanhambelgium
Tue May 12, 2020 12:52 pm
Forum: Beginner Basics
Topic: Address range in firewall address list
Replies: 14
Views: 1409

Re: Address range in firewall address list

Thanks again for the feedback. Yes, the server is a public SMTP server. It is handling emails for just a handful of people - providing web and imap email as well as schedule to users both in the LAN and "on the road". The reason for running it ourselves is that we've been selling the mailserver so...
by jvanhambelgium
Tue May 12, 2020 9:12 am
Forum: Beginner Basics
Topic: Address range in firewall address list
Replies: 14
Views: 1409

Re: Address range in firewall address list

These types of issues cannot really be solved with networking/firewall equipment like Mikrotik. Especially if you are dealing with SMTP you need to take other criteria into mind (eg. reputation). In essence SMTP is a general public service so IF you decided to run your own public SMTP-host, you shou...
by jvanhambelgium
Mon May 11, 2020 8:28 pm
Forum: Beginner Basics
Topic: ssh connection to mikrotik not working (timeout)
Replies: 12
Views: 1433

Re: ssh connection to mikrotik not working (timeout)

It can be many reasons why it does not work... I advise you to start over, re-deploy the VM again with only 1 interface and make sure this interface is effectively in the LAN as your Ubuntu VM 192.168.15.x In your config you posted I cannot find a single interface having any 192.168.15.x assigned to ...
by jvanhambelgium
Mon May 11, 2020 5:51 pm
Forum: Beginner Basics
Topic: Unable to connect to Microsoft Teams when using RB4011IGS+5HACQ2HND-IN [SOLVED]
Replies: 7
Views: 1120

Re: Unable to connect to Microsoft Teams when using RB4011IGS+5HACQ2HND-IN [SOLVED]

What are your DNS settings ? Your clients use some direct ISP DNS servers or is the Mikrotik intermediate ?
All other web-access works fine I guess ?
by jvanhambelgium
Mon May 11, 2020 5:22 pm
Forum: Beginner Basics
Topic: ssh connection to mikrotik not working (timeout)
Replies: 12
Views: 1433

Re: ssh connection to mikrotik not working (timeout)

I expected this somewhat ... There is some confusing aspects 1) "ether1" yet it seems connected to some Wifi WLAN adapter ? Since you run the Mikrotik as a VM, I guess you have BRIDGED networking onto the network on which the Ubuntu (=HOST) is running ?? 2) I see 2x the gateway of 192.168.15.1 using...
by jvanhambelgium
Mon May 11, 2020 4:21 pm
Forum: Beginner Basics
Topic: ssh connection to mikrotik not working (timeout)
Replies: 12
Views: 1433

Re: ssh connection to mikrotik not working (timeout)

Everytime I see you post jvan I get hungry for belgium chocolates :-) They are indeed not bad ;-) Are you effectively residing in Nova Scotia Canada ? We have excellent chocolates (and beers etc), you have some awesome outdoors & nature... To the topic-starter : yes, draw up a little diagram too! :D
by jvanhambelgium
Mon May 11, 2020 3:35 pm
Forum: General
Topic: Advanced ideas you can't do with MikroTik products...
Replies: 8
Views: 1024

Re: Advanced ideas you can't do with MikroTik products...

@jvanhambelgium, we need max security in and out, as well max possible performance at the same time, obviously. We have multiples of such small but for us important in-house projects in the pipeline, for example an Advanced Application Layer Firewall that operates as a C/S solution: the S part bein...
by jvanhambelgium
Mon May 11, 2020 3:00 pm
Forum: General
Topic: Advanced ideas you can't do with MikroTik products...
Replies: 8
Views: 1024

Re: Advanced ideas you can't do with MikroTik products...

Any other alternatives? Cisco Catalyst 3650 Series Switches This one will meet all of your security objectives plus it will route at wire speed plus do things that you have yet to imagine. :-) I doubt a Cisco device will meet my listed requirements , as it is IMO even more closed-source than MikroT...
by jvanhambelgium
Mon May 11, 2020 11:28 am
Forum: Beginner Basics
Topic: ssh connection to mikrotik not working (timeout)
Replies: 12
Views: 1433

Re: ssh connection to mikrotik not working (timeout)

Clearly we need more info. What is the IP address of the system ("speedio-26") you are launching the SSH-command from ? Because it could be caused by something in between, we have no clue. This is a wired system ? Wireless ? If wired, is it directly connected to the Mikrotik, switches in between ? e...
by jvanhambelgium
Sun May 10, 2020 8:24 pm
Forum: Beginner Basics
Topic: "sandboxed" network
Replies: 2
Views: 601

Re: "sandboxed" network

Are these embedded boards also isolated ? Or sitting in some network with lots of other gear? I guess simple L2TP VPN, then a simple firewall-rule only allowing access to IP addresses X,Y,Z (the embedded systems). And you can additionally specify protocols that can be used, eg. https/http and ssh or s...
by jvanhambelgium
Sun May 10, 2020 3:02 pm
Forum: Beginner Basics
Topic: MultiCast between VLANS (Chromecast vlan1) to/from (PC/Mobile vlan2)
Replies: 13
Views: 3771

Re: MultiCast between VLANS (Chromecast vlan1) to/from (PC/Mobile vlan2)

It's just a shame that a capable os doesn't have a process to handle multicast across bridge/vlans! No, it's not. The topic is about link-local multicast and that's the way it is supposed to work. routerOS does in fact offer "real" multicast routing with PIM and multicast package. -Chris Hi Chris C...
by jvanhambelgium
Sun May 10, 2020 8:17 am
Forum: General
Topic: Bidirectional Load Balancing for 2 LANs using 2 WANs
Replies: 8
Views: 1278

Re: Bidirectional Load Balancing for 2 LANs using 2 WANs

No way to handle load-balancing on another layer ? Just thinking out loud here. Depending on the application-design, you could build out the LAN-network using some multihomed HPC systems yet keep the LAN rather straightforward and have more capable products (eg. haproxy,nginx,traefik) handle it. htt...
by jvanhambelgium
Sat May 09, 2020 6:10 pm
Forum: Forwarding Protocols
Topic: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]
Replies: 10
Views: 1574

Re: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]

@jvanhambelgium, thx for the explanation. Exactly the very same use-case I was meaning. Btw, in the said example, the ACL action copy-to-cpu=yes is used. Do you happen to know what this action or the other one named redirect-to-cpu=yes practically means? I try to understand these two ACL CPU action...
by jvanhambelgium
Sat May 09, 2020 4:01 pm
Forum: Forwarding Protocols
Topic: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]
Replies: 10
Views: 1574

Re: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]

But, I could swear I read somewhere about MAC subnet addressing, but can't find where it was... :-( I guess that's why ;-) MAC addresses only have "local significance" on the same segment. Sure there are broadcast & multicast concepts at the ethernet-level. IEEE also has a concept of a registry wit...
by jvanhambelgium
Sat May 09, 2020 2:51 pm
Forum: Forwarding Protocols
Topic: port forwading
Replies: 13
Views: 1665

Re: port forwading

I can ping from 192.168.10.8(pc/Xammp) to 192.168.10.1(router) and it works fine. I can't ping from 192.168.10.8(pc/Xammp) to 192.168.6.1(hotspot) I can ping from 192.168.10.8(pc/Xammp) to 192.168.10.1(router) and it works fine. >> You don't need any routes/gateway for that. Its considered "Direct ...
by jvanhambelgium
Sat May 09, 2020 11:22 am
Forum: Forwarding Protocols
Topic: port forwading
Replies: 13
Views: 1665

Re: port forwading

(http(s)://192.168.10.8 ) When I enter this on local machine web-browser it doesn't work but if I enter this (http://192.168.10.8) it works. And another very stupid but essential question : your Windows machine does have a default-gateway set back to the AP/router right ? As you are doing DNAT, the...
by jvanhambelgium
Sat May 09, 2020 9:15 am
Forum: Forwarding Protocols
Topic: port forwading
Replies: 13
Views: 1665

Re: port forwading

Stupid question, you are sure your Xammp services are not bound to 127.0.0.1 (=localhost) only on the PC ? That might explain a lot. You are running this on Windows OS I read ? Are you sure no host-side firewall is active ? On that local machine, when opening a webbrowser to test it, do you issue so...
by jvanhambelgium
Fri May 08, 2020 8:59 pm
Forum: General
Topic: router randomly drops WAN connection
Replies: 9
Views: 2344

Re: router randomly drops WAN connection

You have a small LAN-switch you could put between them ?
Perhaps there is some interoperability issues between the ethernet-port in Mikrotik and the device of your ISP.

That is perhaps the reason the problem remained even after getting a new router from the same vendor ;-)
Give it a try.
by jvanhambelgium
Fri May 08, 2020 7:14 pm
Forum: Beginner Basics
Topic: Building a 500+ apartment network for internet access
Replies: 7
Views: 962

Re: Building a 500+ apartment network for internet access

Hi. I have a task of building a 500+ user network using mesh technologies The 500+ apartments are located in 62 different buildings. My plan is to create a backbone of 10Gbit fiber supplying a switch in every apartment staircase with 10Gbit fiber, and supplying all flats with 1Gbit either fiber or ...
by jvanhambelgium
Fri May 08, 2020 8:46 am
Forum: Beginner Basics
Topic: Blocking all unused/unneeded protocols, keeping only bare minimum essential ones [SOLVED]
Replies: 24
Views: 3183

Re: Blocking all unused/unneeded protocols, keeping only bare minimum essential ones [SOLVED]

Finally solved! Doing tests now. Reason was that this switch device uses besides the shown few L2 protocols also some IP L3 protocols internally. Will analyze them later. Whatever you are doing might be "fun" and you are probably learning a lot (always good), but let me tell you this is absolutely ...
by jvanhambelgium
Thu May 07, 2020 11:28 pm
Forum: Beginner Basics
Topic: Block Intervlan one direction but not other? [SOLVED]
Replies: 3
Views: 821

Re: Block Intervlan one direction but not other? [SOLVED]

I am used to Ubiquiti more, and on there I had LAN_LOCAL rules that prevented VLAN20 from talking to VLAN100, but the opposite worked. This is useful to me as I need VLAN100 to be able to manage all VLANs and ssh them across. Is it possible on Mikrotik? I tried some basic drop rules for VLAN20 to V...
by jvanhambelgium
Thu May 07, 2020 10:19 pm
Forum: Forwarding Protocols
Topic: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]
Replies: 10
Views: 1574

Re: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]

But, I could swear I read somewhere about MAC subnet addressing, but can't find where it was... :-( I guess that's why ;-) MAC addresses only have "local significance" on the same segment. Sure there are broadcast & multicast concepts at the ethernet-level. IEEE also has a concept of a registry wit...
by jvanhambelgium
Thu May 07, 2020 9:18 pm
Forum: Forwarding Protocols
Topic: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]
Replies: 10
Views: 1574

Re: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]

There is no such thing as a "MAC subnet" and if you have several MAC's almost identical is this pure luck or by intent because eg these are VM's of which you can craft the MAC's. Just create the list you want filtered : tcpdump ether src D0:50:99:84:01:36 or ether src D0:50:99:84:01:36 or ether src ...
by jvanhambelgium
Thu May 07, 2020 5:15 pm
Forum: General
Topic: Intelligent port forwarding rule
Replies: 10
Views: 1370

Re: Intelligent port forwarding rule

Confusing request? Simply give users for RDPA - a unique dyndns name give users for RDPB - a different name give users for RDPC - a different name. This would not solve anything as there is only 1 public IP-address to my understanding. IF there are multiple public IP's available sure you could alre...
by jvanhambelgium
Thu May 07, 2020 4:34 pm
Forum: General
Topic: Intelligent port forwarding rule
Replies: 10
Views: 1370

Re: Intelligent port forwarding rule

I would not expose "N" RDP servers directly (to Internet?). Instead use some loadbalancing/frontend like HAProxy or something. https://www.haproxy.com/documentation/haproxy/deployment-guides/remote-desktop/rdp-gateway/ Then your RouterOS requires a single D-NAT entry pointing to HAProxy where you c...
by jvanhambelgium
Thu May 07, 2020 11:23 am
Forum: General
Topic: Many attempt to log in from "winbox" [SOLVED]
Replies: 11
Views: 1154

Re: Many attempt to log in from "winbox" [SOLVED]

Thank you for your reply Normis. I only want to access winbox from my work. If I disable winbox from the internet how can I log in only from my work's? Appreciate your help! Best, If "your work" has a set of fixed public IPs you could add them to the Winbox service so you are allowed from there. ...
by jvanhambelgium
Thu May 07, 2020 8:09 am
Forum: Scripting
Topic: How to update more than one port by scripting to one rule?
Replies: 2
Views: 503

Re: How to update more than one port by scripting to one rule?

I would : -> Disable UPnP altogether. -> Configure fixed rules using a set of FIXED ports that you also configured on your torrent application. Eg. I have 2 rules (for UDP & TCP) for my Deluge torrent environment using ports 6800 to 6900 and fixed the Deluge config accordingly. Then when these rul...
by jvanhambelgium
Wed May 06, 2020 9:43 am
Forum: Forwarding Protocols
Topic: Accessing my server outside of the LAN network
Replies: 18
Views: 2350

Re: Accessing my server outside of the LAN network

Tried what all of you guys were saying, and exhausted most of the internet, still cannot get it to work... But again, "I run on my server tcpdump and saw that my server is receiving SYN packet but the SYN ACK from my server is not returning" Do you see this SYN-ACK packet leave the server back to th...
by jvanhambelgium
Mon May 04, 2020 5:11 pm
Forum: Forwarding Protocols
Topic: Accessing my server outside of the LAN network
Replies: 18
Views: 2350

Re: Accessing my server outside of the LAN network

@jero111, if you have a personal firewall on your web server machine, check also its rules: you must open port 80/tcp for incoming requests. In case your own web surfing machine has a personal firewall then of course port 80/tcp for outgoing traffic must be opened. And on the router, port 80/tcp to...
by jvanhambelgium
Mon May 04, 2020 8:21 am
Forum: Forwarding Protocols
Topic: Accessing my server outside of the LAN network
Replies: 18
Views: 2350

Re: Accessing my server outside of the LAN network

For sure you need at least 1 rule in the FORWARD chain for the traffic returning from the webserver back out to the Internet. In your config ... I see this rule but DISABLED ?? add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,relat...
by jvanhambelgium
Sat May 02, 2020 2:56 pm
Forum: Forwarding Protocols
Topic: Accessing my server outside of the LAN network
Replies: 18
Views: 2350

Re: Accessing my server outside of the LAN network

So, I have a server with IP address 192.168.1.145. I set up my DNS record to point to public address of my network. When trying to access it by hostname while I'm connected on cable or lan inside my network, I can access it, but, when I'm on some other network (mobile), I cannot access it. I have set ...
by jvanhambelgium
Sat May 02, 2020 8:33 am
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 24
Views: 2695

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

As said: the answer seems to be "Dot1x". In 7.0beta5 under /interface/dot1x/ in CLI one finds both client and server (btw. the Webfig GUI does not have them yet). Then now I'm missing the 3rd part: the part on the PCs/servers. And here I could take wpa_supplicant or an older software named xsuplica...
by jvanhambelgium
Fri May 01, 2020 6:51 pm
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 24
Views: 2695

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

@tdw, thanks for the explanation, but I wonder when the username and user password have to be used. Let's say a user in the morning comes to his seat and turns his office computer on (it was ordinarily shut down the previous work day). So, what happens next? Does he need to login to the RADIUS server...
by jvanhambelgium
Fri May 01, 2020 2:27 pm
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 24
Views: 2695

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Port-based security, 802.1X will prevent this. Basically only after authentication/authorization the port can be used. Sure on RouterOS you can do a lot with scripts, you could collect the MAC/ARP entries on a regular basis, process this, compare it, do something with it. On the other hand, MAC-addr...
by jvanhambelgium
Fri May 01, 2020 8:54 am
Forum: General
Topic: VLan data center management
Replies: 6
Views: 1748

Re: VLan data center management

Sure I have experience, but not with Mikrotik and not in such specific context. It is very important to understand that we are talking about LAN-ports changing state (eg. server with MAC-address 11:22:33:44:55:66) so plugged onto your network right ? DOT1X cannot be used on a device to work on "inte...
by jvanhambelgium
Thu Apr 30, 2020 8:51 am
Forum: Beginner Basics
Topic: 2 LAN Cables from Mikrotik to Switch
Replies: 24
Views: 3195

Re: 2 LAN Cables from Mikrotik to Switch

Will there be 100mbps x 2 bandwidth between Mikrotik and the switch? > Yes if you configured some form of link-aggregation / bonding. Obviously your LAN-switch needs to support this. If yes, then will all traffic be divided equally between 2 LAN cables? > Probably not so easy to really get 50/50 exa...
by jvanhambelgium
Tue Apr 28, 2020 8:33 am
Forum: General
Topic: How it help to play digital menu boards?
Replies: 2
Views: 837

Re: How it help to play digital menu boards?

It cannot specifically help you (more than hundreds of other types of home/soho routers can do). This menu board (app/software) seems to only need internet connectivity. Any router will do. It's a cloud-based signage solution. So what is your current network setup? You have some wired/wireless solution...
by jvanhambelgium
Mon Apr 27, 2020 11:28 am
Forum: Beginner Basics
Topic: Port forward with webserver
Replies: 16
Views: 1890

Re: Port forward with webserver

Do you use your Mikrotik as DNS-server ? Then simply add some "static" entries that point "www.mydomain.pl" to "192.168.1.210". Test it by doing "ping www.mydomain.pl" on your PC and see if the reply comes from 192.168.1.210. An alternative is to simply adapt your hosts file on your PC; on a Linux box simply edit ...
by jvanhambelgium
Fri Apr 24, 2020 10:18 pm
Forum: Beginner Basics
Topic: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.
Replies: 7
Views: 1511

Re: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.

Advice from previous poster for hairpin nat is close but there is no TO rule for that config line. Should be add action=masquerade chain=srcnat comment="Mikrotik Hairpin NAT" dst-address=192.168.88.0/24 protocol=tcp src-address=192.168.88.0/24 Interesting finding indeed. So my Webfig/Winbox have in...
by jvanhambelgium
Fri Apr 24, 2020 6:21 pm
Forum: Beginner Basics
Topic: Hacker attacks on CCR [SOLVED]
Replies: 9
Views: 2431

Re: Hacker attacks on CCR [SOLVED]

Hello, you can add the following lines into a script which will create and address-list will all the IP address from Bulgaria ( just an example ) and based on that you can create a firewall rule to drop the connections from those ip's. /tool fetch url=http://www.iwik.org/ipcountry/mikrotik/BG /impo...
by jvanhambelgium
Fri Apr 24, 2020 4:42 pm
Forum: Beginner Basics
Topic: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.
Replies: 7
Views: 1511

Re: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.

Disable webfig simply in the ip -> services and disable "www" and "www-ssl" to disable webfig. In CLI this would be something like /ip service set www-ssl address=office.internal.IP-range disabled=yes set www address=office.internal.IP-range disabled=yes Then for the hairpin (to be able to access yo...
by jvanhambelgium
Fri Apr 24, 2020 2:04 pm
Forum: Beginner Basics
Topic: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.
Replies: 7
Views: 1511

Re: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.

Disabling Webfig alone will not fix it.
What you need is HAIRPIN NAT (aka "NAT Loopback")
There are dozens of examples on this forum; basically you need to add some specific rules to make it work.

https://wiki.mikrotik.com/wiki/Hairpin_NAT
by jvanhambelgium
Wed Apr 22, 2020 1:01 pm
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2281

Re: Port forwarding partially working on ports 80, 22, 443

Hmm, strange.
Not really too much anymore I can think of, perhaps a full reset and start from scratch...
I've in the past tested TCP/80/443 DNAT pointing to my NGINX, which worked just as predictably as the dozens of other DNATs I have on my RB3011
by jvanhambelgium
Wed Apr 22, 2020 11:51 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2281

Re: Port forwarding partially working on ports 80, 22, 443

You have the capability to also capture CLIENT-side ? To see if anything actually arrives there ?? Because you have several (4x) SYN-ACKs coming from your server, then followed by the remote client that retries and issues another SYN and again the same sequence....the timing between them is very sh...
by jvanhambelgium
Wed Apr 22, 2020 10:45 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2281

Re: Port forwarding partially working on ports 80, 22, 443

Why do you have following ??

add admin-mac=C4:AD:34:49:5F:81 arp=proxy-arp auto-mac=no comment=defconf name=bridge

My Bridge-interface is just using "arp" ;-)
by jvanhambelgium
Wed Apr 22, 2020 10:12 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2281

Re: Port forwarding partially working on ports 80, 22, 443

I can see the NAT rule counter going up but I haven't set on the logs for drop rules. Reason being is that I have temporarily disabled all of these and tried and it didn't make any difference. Can I log all the packets coming from an IP/HW Addr on the Mikrotik? I would like to know if the SYN/ACK r...
by jvanhambelgium
Wed Apr 22, 2020 9:10 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2281

Re: Port forwarding partially working on ports 80, 22, 443

Did you add some logging to all drop rules so at least in the RouterOS logs you see when & why packets are dropped ?? What about the "counters"? You can see which counter is "going up" when you try ??? Perhaps one of these default rules you have drops packets marked "invalid" ? and for some reason you hit...
by jvanhambelgium
Wed Apr 22, 2020 8:34 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2281

Re: Port forwarding partially working on ports 80, 22, 443

Does this mean the HTTP/HTTPS service "ports" are still active ? Did you also add that only internal IPs are allowed to call these www & www-ssl services? (www & www-ssl services) I wonder if they muck up somehow? Dunno, just guessing. In my config anyway, any of these ports are strictly limited ...
by jvanhambelgium
Mon Apr 20, 2020 8:24 am
Forum: Scripting
Topic: delete address list old than 7 days
Replies: 14
Views: 2342

Re: delete address list old than 7 days

sorry, yes i need to delete existing entries... i think plan to use dynamic but they don't persist at reboot... thank you Hmm, that is going to be not so easy I think... Can't help you with the script, but out of curiosity I've been searching through the forums about this. (no real hits on THIS sp...
by jvanhambelgium
Sun Apr 19, 2020 8:21 pm
Forum: Scripting
Topic: delete address list old than 7 days
Replies: 14
Views: 2342

Re: delete address list old than 7 days

Can i set a script to delete all items older than 7 days in a specific address list?

thank you
Why don't you specify, at the moment you place an IP on an address-list, that it has a lifetime of 7 days ? It will be removed automatically.
Or do you want the script for existing entries ?
by jvanhambelgium
Fri Apr 17, 2020 9:40 am
Forum: Beginner Basics
Topic: Extend Remote SSH Connection Time
Replies: 1
Views: 794

Re: Extend Remote SSH Connection Time

Best thing is perhaps to handle it CLIENTSIDE. If you’re on Mac or Linux, you can edit (or create if it does not exist) your local SSH config file in ~/.ssh/config and add the following line: ServerAliveInterval 120 This will send a “null packet” every 120 seconds on your SSH connections to keep the...
by jvanhambelgium
Thu Apr 16, 2020 8:34 pm
Forum: Beginner Basics
Topic: Cannot login, asks for a password [SOLVED]
Replies: 2
Views: 1241

Re: Cannot login, asks for a password [SOLVED]

Hmm, perhaps not so brand new ;-)
Probably already test / demo'd or something ?
Just perform a system reset I guess, it can't do any harm.
by jvanhambelgium
Thu Apr 16, 2020 2:31 pm
Forum: General
Topic: vpn attacks and how to block these connections
Replies: 8
Views: 1696

Re: vpn attacks and how to block these connections

pptp is only for a few tests. i use l2tp with ipsec. Since the blacklist configuration in address list and the RAW firewall rule i had no attacks. I believe this was the solution Good it was fixed. Probably indeed because the pre-routing/RAW is very early after the packet arrives in your router int...
by jvanhambelgium
Wed Apr 15, 2020 3:54 pm
Forum: General
Topic: vpn attacks and how to block these connections
Replies: 8
Views: 1696

Re: vpn attacks and how to block these connections

This is what i get in the log file : https://ibb.co/Gsq8cps i mean reach it as they can still try to connect using various usernames. Im not sure what im doing wrong. there were a few other IPs in the past which attempted to login with admin/root whatever user/pass to the mikrotik and since i block...
by jvanhambelgium
Wed Apr 15, 2020 2:00 pm
Forum: General
Topic: vpn attacks and how to block these connections
Replies: 8
Views: 1696

Re: vpn attacks and how to block these connections

Hi guys, my vpn server is being attacked by a /24 subnet, not just a single ip. i created a filter rule which is input, and source address is the whole subnet 92.63.194.0/24 and the action is dropped. Few hours later the same person still tries to connect with failed attempts, so i changed the acti...
by jvanhambelgium
Mon Apr 13, 2020 11:12 pm
Forum: General
Topic: Port knocking with URL
Replies: 12
Views: 2658

Re: Port knocking with URL

I do not see the need of a URL to port knock. I will add more components to run the network. To use normal port knock, you do not need any tools if its TCP to open the ports. E.g. port 1600, 2500 and 3456 needed to open. Of course this will work too, but nice simple Windows, Android & iOS apps exist...
by jvanhambelgium
Mon Apr 13, 2020 8:58 pm
Forum: General
Topic: Port knocking with URL
Replies: 12
Views: 2658

Re: Port knocking with URL

Although I understand the idea, there are a couple of possible issues. - Continuous open-to-anyone-everywhere attack-vector of the DNAT-entry pointing to your web-page. - Un-encrypted "admin" credentials in the Python files ; if ever compromised you have full power on the Mikrotik - Only 1 "stage" , ...
by jvanhambelgium
Sat Mar 28, 2020 1:13 pm
Forum: Beginner Basics
Topic: Can't find my printer..
Replies: 3
Views: 1416

Re: Can't find my printer..

Thank you for the fast response, yes I get a message is offline / error while printing I have disabled the windows FW My printer is wireless one. Even I had serious problems with this, and they are on the same LAN ;-) I had to add FW-rules to the Win10 firewall for it to work, and then even dependi...
by jvanhambelgium
Sat Mar 28, 2020 12:31 pm
Forum: General
Topic: IP streser atack prevent
Replies: 13
Views: 2034

Re: IP streser atack prevent

You really need to talk to your UPSTREAM provider too! They still route those requests to you, so consuming bandwidth on the link. Of course DDoS-protection through your upstream, IF they offer such a thing, is not cheap. In the company I work for we have an Arbor powered solution that we operate for ...
by jvanhambelgium
Sat Mar 28, 2020 12:24 pm
Forum: Beginner Basics
Topic: Can't find my printer..
Replies: 3
Views: 1416

Re: Can't find my printer..

Hello! so I am trying to print a document, in windows 10 I'm going on the add a printer and tcp/ip but I can't find it. my printer is connected to the isp modem/router via wps with an ip 192.168.1.7 network 192.168.1.0/24 my computer is connected to the mikrotik with an ip 10.10.3.231 in the network ...
by jvanhambelgium
Fri Mar 27, 2020 6:30 pm
Forum: SwOS
Topic: Design Assistance
Replies: 5
Views: 1991

Re: Design Assistance

> My goal is to have maximum throughput with HA

So where is the secondary Palo and secondary 328 ?
Is the 328 acting as L3 and the 317's solely L2 connectivity ?
Palo is connected to Internet/ISP ? Secondary circuit ?
by jvanhambelgium
Fri Mar 27, 2020 2:24 pm
Forum: General
Topic: IP streser atack prevent
Replies: 13
Views: 2034

Re: IP streser atack prevent

But even if you block, the packet has traveled across your link and thus consuming bandwidth. It might be not much, but still some bytes... In order to safeguard this, you really need support from "upstream" , so the ISP that is providing you services! You have enough bandwidth to support your downs...
by jvanhambelgium
Thu Mar 26, 2020 2:55 pm
Forum: Beginner Basics
Topic: Port nocking [SOLVED]
Replies: 10
Views: 2241

Re: Port nocking [SOLVED]

Keep it simple ... Winbox or any web browser cheers, For management that is true, however I use port-knocking to "open" my Mikrotik to other services I run at home (eg. Plex for video streaming, Logitech Media Server for my audio streaming etc, accessing my Splunk etc) I do not perform any sort of ...
by jvanhambelgium
Thu Mar 26, 2020 8:43 am
Forum: Beginner Basics
Topic: Port nocking [SOLVED]
Replies: 10
Views: 2241

Re: Port nocking [SOLVED]

Keep it simple ... Winbox or any web browser cheers, For management that is true, however I use port-knocking to "open" my Mikrotik to other services I run at home (eg. Plex for video streaming, Logitech Media Server for my audio streaming etc, accessing my Splunk etc) I do not perform any sort of ...
by jvanhambelgium
Thu Mar 26, 2020 8:41 am
Forum: RouterBOARD hardware
Topic: Here's a networking quiz for you :-)
Replies: 2
Views: 1680

Re: Here's a networking quiz for you :-)

School question of some sort ? Sure a L2 switch can be used to "segment" your LAN somewhat in the way you describe, but you will lose quite some physical ports. "Trunking" is only applicable for the "uplink" part. If you do NOT want any form of trunking, the only way is to "uplink" 1 physical cable ...
by jvanhambelgium
Wed Mar 25, 2020 9:25 pm
Forum: Beginner Basics
Topic: Port nocking [SOLVED]
Replies: 10
Views: 2241

Re: Port nocking [SOLVED]

In theory this is possible. You are using UDP or TCP knocks ? Portknocks might not always be very robust, but for me it works fine. My app on my phone that performs the knocking transmits the packets with some time in between. I've had another app that was not working well. So might be also depen...
by jvanhambelgium
Wed Mar 25, 2020 7:39 pm
Forum: Beginner Basics
Topic: Port nocking [SOLVED]
Replies: 10
Views: 2241

Re: Port nocking [SOLVED]

In theory this is possible. You are using UDP or TCP knocks ? Portknocks might not always be very robust, but for me it works fine. My app on my phone that performs the knocking transmits the packets with some time in between. I've had another app that was not working well. So might be also depend...
by jvanhambelgium
Tue Mar 24, 2020 10:23 pm
Forum: General
Topic: DSL is cool again?
Replies: 6
Views: 1481

Re: DSL is cool again?

But now some telcos are avoiding home visits and calls are being made to postpone non-essential work.
Sure that is (temporary) true.
These are unprecedented times with COVID-19 flying around the globe...
by jvanhambelgium
Tue Mar 24, 2020 9:03 pm
Forum: General
Topic: DSL is cool again?
Replies: 6
Views: 1481

Re: DSL is cool again?

Switching focus from FTTP to vectoring? Not at our company no. We still do a lot of R&D on vectoring so "copper" remains very important, but the "fiber program" that was started up some years ago keeps increasing momentum & streamlined and hundreds of millions of euros are budgeted on this yearly....
by jvanhambelgium
Tue Mar 24, 2020 3:28 pm
Forum: Beginner Basics
Topic: Blocking TikTok [SOLVED]
Replies: 6
Views: 2554

Re: Blocking TikTok [SOLVED]

Hello, I have a small home network with a Mikrotik hap ac router OS 6.46.4. I would like to block tiktok.com across the network. I've tried many ways and instructions, but the Ticktok on the LAN is still running. I have no problem blocking other domains. Thanks RM What are you blocking ? All domain...
by jvanhambelgium
Sun Mar 22, 2020 9:43 pm
Forum: General
Topic: Help with Microsoft Teams QoS
Replies: 5
Views: 1894

Re: Help with Microsoft Teams QoS

Rate-limiting / capping / traffic-shaping is often done on the EGRESS interface. So in your case the easiest is perhaps to work with queues or something ? https://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ_Examples https://wiki.mikrotik.com/wiki/Bandwidth_Managment_and_Queues This should give you a go...
by jvanhambelgium
Sun Mar 22, 2020 10:03 am
Forum: Beginner Basics
Topic: DSCP CHANGE
Replies: 1
Views: 1004

Re: DSCP CHANGE

What do you want to accomplish ? Is your home connected to an Internet Service Provider ? If so, do not bother trying to set DSCP46 (= EF, Expedited Forwarding) in the hope your packets would be better handled, because the ISP will not act on this DSCP-value when it concerns Internet traffic. btw, yo...
by jvanhambelgium
Thu Mar 19, 2020 4:00 pm
Forum: General
Topic: Help with Microsoft Teams QoS
Replies: 5
Views: 1894

Re: Help with Microsoft Teams QoS

Are you the ISP ? I don't see any real-world value on INBOUND QoS for such Internet application ? For me, QoS is as much as possible an "end2end" story, not just on a single device. You should at least be able to signal your upstream node to hold back some of the packets before they are placed on th...
by jvanhambelgium
Tue Mar 17, 2020 11:51 am
Forum: General
Topic: Port Forwarding issue
Replies: 4
Views: 1216

Re: Port Forwarding issue

You test this from WITHIN your own network ? You have HAIRPIN NAT configured ? Without this your test will not work.
Did you try from the real "outside" ? (eg. using 4G Phone or something)
by jvanhambelgium
Tue Mar 17, 2020 8:29 am
Forum: General
Topic: Mikrotik for cloud DDNS
Replies: 2
Views: 848

Re: Mikrotik for cloud DDNS

Correct.
Your RouterOS box will register its "serial number" at "sn.mynetname.net"
Eg. 819f055bdb11.sn.mynetname.net

I use this for years now, but on a Mikrotik router device. Not 100% sure for AP's, do not have one to test with.
by jvanhambelgium
Sat Mar 14, 2020 8:52 pm
Forum: General
Topic: Accessing modem only
Replies: 3
Views: 1263

Re: Accessing modem only

Your Mikrotik is having an active PPPoE connection then ? This goes THROUGH the Zyxel straight to your ISP. Is that configured & up/running ?? If so, then it is understandable that you cannot ping the LAN-side of the Zyxel 1) What about NAT on the Mikrotik ? It will inject all traffic into its default...
by jvanhambelgium
Sat Mar 14, 2020 7:39 pm
Forum: General
Topic: Packet sniffer : how to stream RTP packets ?
Replies: 5
Views: 1391

Re: Packet sniffer : how to stream RTP packets ?

Hello, Thanks for answering my topic :) Actually, I do capture everything going out of my IPBX, and send it to a file. But, the issue is not here, if I do the same packet capture directly to a file in the Mikrotik router, it works nice, I have both SIP and RTP packets. But when I stream to Wireshar...
by jvanhambelgium
Fri Mar 13, 2020 4:51 pm
Forum: General
Topic: Packet sniffer : how to stream RTP packets ?
Replies: 5
Views: 1391

Re: Packet sniffer : how to stream RTP packets ?

In WireShark (as of 2.0) -> Go to Analyze -> Enabled Protocols -> RTP and activate rtp_udp checkbox

Give that a try.
by jvanhambelgium
Wed Mar 11, 2020 9:52 pm
Forum: General
Topic: Coronavirus quarantine impact on network traffic
Replies: 14
Views: 4426

Re: Coronavirus quarantine impact on network traffic

Now you see the traffic levels at the MIX climbing the last days/week, so it is definitely visible.
Italy is definitely taking a beating, other EU countries will follow to some degree probably in max +- 2 weeks.
by jvanhambelgium
Mon Mar 09, 2020 2:05 pm
Forum: General
Topic: Is it looping with the following network diagram
Replies: 7
Views: 1704

Re: Is it looping with the following network diagram

Ok, thx for your replies. Actually I intend to connect serverA and ServerB with straight cable without switch (10G network). It is used to synchronize files between two servers (about 80TB hard disk) 192.168.1.0 only have 1G speed Sure "multihomed" servers are still a common practice. Your example on 10G link...
by jvanhambelgium
Mon Mar 09, 2020 1:35 pm
Forum: General
Topic: How to stop sharing internet connection with "baidu"
Replies: 8
Views: 2299

Re: How to stop sharing internet connection with "baidu"

This kind of policy control cannot be handled at network layer anymore. As I see it, you will never be able to tell who is coming in through the "Baidu" "wireless AP" app and who is a regular wireless/wired user on your network. You will have to think about some PROXY system granting access to Internet for...
by jvanhambelgium
Mon Mar 09, 2020 10:00 am
Forum: General
Topic: Is it looping with the following network diagram
Replies: 7
Views: 1704

Re: Is it looping with the following network diagram

Don't see a problem in this. As far as I know, "servers" do not participate in any bridging and will not be passing frames across 2 different NIC's.
by jvanhambelgium
Sun Mar 08, 2020 10:49 pm
Forum: General
Topic: Coronavirus quarantine impact on network traffic
Replies: 14
Views: 4426

Re: Coronavirus quarantine impact on network traffic

At MIX (Milan Internet eXchange) there is no real visual indicator concerning this.

https://www.mix-it.net/en/statistiche/

But perhaps the coming days it can become more clear or something.
by jvanhambelgium
Sun Mar 08, 2020 7:49 pm
Forum: General
Topic: How to stop sharing internet connection with "baidu"
Replies: 8
Views: 2299

Re: How to stop sharing internet connection with "baidu"

Will be difficult, if not impossible. 1) As this is an application, you should talk to the system guys. It is not the "task" of the network-guy to plug the holes caused by mis-managed desktop systems! Being able to install this software so your PC performs ICS (Internet Sharing Connection) should b...
by jvanhambelgium
Sun Mar 08, 2020 12:41 pm
Forum: RouterBOARD hardware
Topic: Using a RB3011 in 2020?
Replies: 8
Views: 3610

Re: Using a RB3011 in 2020?

RB3011 will handle this just fine.
Just make sure that you do not create bridges for all these VLANs !! because then the CPU will be taxed a lot.
Since 2016 my RB3011 is working flawlessly, never any issue when upgrading.
The RB3011 is becoming "an oldie" that is true...
by jvanhambelgium
Sun Mar 08, 2020 12:33 pm
Forum: RouterBOARD hardware
Topic: Using a RB3011 in 2020?
Replies: 8
Views: 3610

Re: Using a RB3011 in 2020?

i guess the RB3011 should do this trick just fine. i was running a RB2011 500/500 with 2/3 vlans, caps ,multiple vpns and +- 8 users. without setup of igmp, i dont see a problem here. The VLAN capabilities on switches varies, from one Mikrotik router to another. Take a careful look, and check if (I...
by jvanhambelgium
Sun Mar 08, 2020 10:37 am
Forum: General
Topic: How to stop sharing internet connection with "baidu"
Replies: 8
Views: 2299

Re: How to stop sharing internet connection with "baidu"

Will be difficult, if not impossible. 1) As this is an application, you should talk to the system guys. It is not the "task" of the network-guy to plug the holes caused by mis-managed desktop systems! Being able to install this software so your PC performs ICS (Internet Sharing Connection) should be...
by jvanhambelgium
Thu Mar 05, 2020 8:02 am
Forum: General
Topic: Simple Port Forwarding
Replies: 5
Views: 1785

Re: Simple Port Forwarding

Without the 3rd rule it could never have worked from the outside. 1) Chain=srcnat; Out Interface=ether1-gateway; Action=Masquerade ; 2) Chain=dstnat; Protocol=6 (tcp); Dst. Port=80; Action=dst-nat; To Address=192.168.1.207; To Ports=80; 3) Chain=forward; Protocol=6 (tcp) ; Dst Port=80 Action=Accept ; To ...
by jvanhambelgium
Mon Mar 02, 2020 5:27 pm
Forum: General
Topic: Router slows down randomly
Replies: 1
Views: 1209

Re: Router slows down randomly

50% chance it is related to "Internet" or your ISP if you ping it from the outside.
From the Mikrotik tools you can perhaps launch a continuous ping to the PPPoE server IP at your ISP and have it run several days to see if anything strange turns up ?
by jvanhambelgium
Sun Mar 01, 2020 3:08 pm
Forum: General
Topic: Content and malware filter for Mikrotik
Replies: 3
Views: 1729

Re: Content and malware filter for Mikrotik

Hi guys, even if I'm biased, let me share our experience in DNS Content and Malware Filtering at FLASHSTART. We are based in Europe, we have a global BGP network and we can also integrate granular filtering through MS-Active Directory. The initial Mikrotik integration takes just 23 seconds to compl...
by jvanhambelgium
Sat Feb 29, 2020 1:55 pm
Forum: RouterBOARD hardware
Topic: Port Forwarding problems
Replies: 11
Views: 3655

Re: Port Forwarding problems

Did you manually specify the port in Plex ? I've selected that box and I'm using port 32400 for Plex. Hmm, very difficult to troubleshoot through some forum posts. But I'm sure the Mikrotik config should do it. I have exactly the same. Make sure the firewall-rules in the FORWARD chain are above in t...
by jvanhambelgium
Sat Feb 29, 2020 1:05 pm
Forum: RouterBOARD hardware
Topic: Port Forwarding problems
Replies: 11
Views: 3655

Re: Port Forwarding problems

Hi guys and thanks for the fast reply. So, I tried with these advices but without any result. Everything seem to be identical as before. I didn't understand very well the "Hairpin NAT" but all I want to do is open a specific port, in order to make Plex server (or an OpenVPN server) reachable from a...
by jvanhambelgium
Sat Feb 29, 2020 12:39 pm
Forum: RouterBOARD hardware
Topic: Port Forwarding problems
Replies: 11
Views: 3655

Re: Port Forwarding problems

Make that a FORWARD rule and things will work. Do not provide a "source-IP" for this rule or something. Just make a rule in the forward-chain pointing to IP + PORT of your server for the tcp-protocol. I have similar setup. For the Transmission/Torrent , you don't have UPNP activated on the Mikrotik ...
by jvanhambelgium
Tue Feb 25, 2020 11:07 pm
Forum: General
Topic: Forward (proxy / redirect / retransmit) NetFlow (Traffic Flow) to external "server"
Replies: 2
Views: 1147

Re: Forward (proxy / redirect / retransmit) NetFlow (Traffic Flow) to external "server"

A free & good Netflow Collector is not that easy to find (anymore) Configuring the Mikrotik (or several) to forward Netflow info to your collector is quite easy. It is not a problem that this collector is "remote". It may even be on Internet and then you make sure you have some NAT in place and FW-r...
by jvanhambelgium
Tue Feb 25, 2020 3:45 pm
Forum: RouterBOARD hardware
Topic: Which CCR? Need Advice / Recommendation [SOLVED]
Replies: 22
Views: 6056

Re: Which CCR? Need Advice / Recommendation [SOLVED]

@jvanhambelgium, r u suggesting I go with a consumer router? As it is right now, my ASUS AX-11000 cannot handle more than 253 clients (according to the box and manual). Unless I rethink the entire smart home automation (and I’m making sure as much of it is wired instead of WiFi dependant), I’m kind...
by jvanhambelgium
Tue Feb 25, 2020 2:14 pm
Forum: RouterBOARD hardware
Topic: Which CCR? Need Advice / Recommendation [SOLVED]
Replies: 22
Views: 6056

Re: Which CCR? Need Advice / Recommendation [SOLVED]

On a side note, you are going to have a lot of fun getting everything to work stable once separated...eg. your media-app on your Wifi mobile on SSID-X / VLANX that wants to interact with some media-player/iot device in VLAN-Y to play music, video etc. mDNS, Bonjour, ... all these protocols were never desi...
by jvanhambelgium
Sat Feb 22, 2020 6:32 pm
Forum: RouterBOARD hardware
Topic: Router Advice Needed
Replies: 41
Views: 7906

Re: Router Advice Needed

With several routers in the network, you really will have to look at the routing. Because basically adding an "Internet" router means that this Internet router device should become the Default Gateway for the PC's etc to keep things simple. Of course on this hEX S you can add several static-routes ...
by jvanhambelgium
Sat Feb 22, 2020 3:35 pm
Forum: RouterBOARD hardware
Topic: Router Advice Needed
Replies: 41
Views: 7906

Re: Router Advice Needed

This is one of 3 ap we have. We may add 2 other.. https://i.ibb.co/KK17FVL/860-EEE28-4-B57-4-E7-B-A71-F-C52-CE8-DF124-E.jpg And this is the switch we have. https://i.ibb.co/37DSXnY/BC2-ADAA0-ED9-B-42-A0-9287-27-AB8-DDADFED.jpg The LAN switch (HP Procurve 2626) seems to be an oldie with 24*100Mbps p...
by jvanhambelgium
Fri Feb 21, 2020 10:02 pm
Forum: RouterBOARD hardware
Topic: Router Advice Needed
Replies: 41
Views: 7906

Re: Router Advice Needed

Does a switch slow/retard my network?
No it will not.
by jvanhambelgium
Fri Feb 21, 2020 4:20 pm
Forum: RouterBOARD hardware
Topic: Router Advice Needed
Replies: 41
Views: 7906

Re: Router Advice Needed

RB2011 should IMO NEVER be recommended in 2020 - at least not for routing purposes.. it's close to 10 years old and will only do 50-100megabit internet routing with basic firewall. As soon as you try to do anything else you will have unstable link. OP asks for queues (which is needed for the limit ...
by jvanhambelgium
Fri Feb 21, 2020 3:14 pm
Forum: RouterBOARD hardware
Topic: Router Advice Needed
Replies: 41
Views: 7906

Re: Router Advice Needed

I read you already have good LAN-switches, so the Hex S can also be used if you do not need the ports on the RB2011. More than powerful enough as you have "low internet" speed. The hEX S is actually faster than the RB2011. Indeed it is, but the RB2011 would still be a good match for the low speed 5...
by jvanhambelgium
Fri Feb 21, 2020 2:49 pm
Forum: RouterBOARD hardware
Topic: Router Advice Needed
Replies: 41
Views: 7906

Re: Router Advice Needed

Hi, I would go for RB2011UiAS-RM and have the wireless/AP separate from the box. I read you already have good LAN-switches, so the Hex S can also be used if you do not need the ports on the RB2011. More than powerful enough as you have "low internet" speed. -users will be manually added by me from t...
by jvanhambelgium
Fri Feb 21, 2020 2:32 pm
Forum: General
Topic: Feature Request: IP Multicast Routing/mDNS/Zeroconf/Bonjour
Replies: 22
Views: 14854

Re: Feature Request: IP Multicast Routing/mDNS/Zeroconf/Bonjour

Can y'all please do this? Moved from Cisco to Mikrotik and this is a much-needed feature for us. Apart from cost, why did you even consider such a move? Mikrotik is nowhere near in the same league as Cisco in the "ip" space. Looking at these forums, many interesting feature-requests just never h...
by jvanhambelgium
Fri Feb 21, 2020 2:10 pm
Forum: Beginner Basics
Topic: How could I detect malware in my LAN
Replies: 6
Views: 1827

Re: How could I detect malware in my LAN

You have 1 "flat" network ? So 1 large IP-space and the Mikrotik is the default gateway ? If that malware is targeting internal servers you will not see it with this rule. This rule would log packets going out to Internet hosts for example on TCP/449 What Mikrotik device ? Are you using a model with...
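The reply's point is that on a flat network the router only sees traffic that crosses it, i.e. traffic leaving for the Internet, so that is the only place a rule can catch a beaconing host. The following is an added example of such a rule set, not the poster's own; it keeps the reply's TCP/449 as the stand-in "port nothing here should use", and assumes the LAN bridge is named "bridge", a Splunk/syslog host at 192.168.88.5 and the router's LAN address 192.168.88.1.

```routeros
# Added example: log (and list) LAN hosts opening Internet-bound connections on a
# port no legitimate LAN application uses. Assumed: LAN bridge="bridge",
# syslog/Splunk host 192.168.88.5, router LAN address 192.168.88.1, port 449/tcp.

# Internal ranges, so "!LAN-nets" below means "destination is NOT internal".
/ip firewall address-list
add list=LAN-nets address=10.0.0.0/8
add list=LAN-nets address=172.16.0.0/12
add list=LAN-nets address=192.168.0.0/16

/ip firewall filter
# connection-state=new: one log line per connection, not per packet.
# Both actions are non-terminating, the packet continues down the chain.
add chain=forward connection-state=new in-interface=bridge protocol=tcp dst-port=449 \
    dst-address-list=!LAN-nets action=log log-prefix="SUSPECT-449" \
    comment="log internet-bound 449/tcp" place-before=0
add chain=forward connection-state=new in-interface=bridge protocol=tcp dst-port=449 \
    dst-address-list=!LAN-nets action=add-src-to-address-list \
    address-list=suspect-hosts address-list-timeout=1d \
    comment="remember the internal source for a day" place-before=1

# Ship the firewall log topic to a remote syslog/Splunk host instead of relying
# on the small local buffer that wraps quickly.
/system logging action
add name=splunk target=remote remote=192.168.88.5 remote-port=514 src-address=192.168.88.1
/system logging
add topics=firewall action=splunk

# Check: which internal hosts tripped the rule, and the log lines carry the
# prefix plus src:port->dst:port of the connection.
/ip firewall address-list print where list=suspect-hosts
/log print where message~"SUSPECT-449"
```

Two limits worth knowing before trusting this: traffic between two hosts on the same flat subnet never touches the router, so lateral movement inside the LAN is invisible here (a switch with port mirroring or splitting the network into VLANs routed by the MikroTik is what makes it visible), and on a box whose WAN is PPPoE the in-interface match on the LAN bridge is what keeps the rule from also matching the router's own traffic.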
by jvanhambelgium
Wed Jan 22, 2020 6:27 pm
Forum: General
Topic: My public IP is getting raped by port scanners - is that normal?
Replies: 24
Views: 3586

Re: My public IP is getting raped by port scanners - is that normal?

whatever static or dynamic, I think it can be quite normal.
I have an ordinary "home" subscription with a pseudo-static IP (almost never changes) and today my Splunk indicates about 3800 such packets have been dropped.
Sometimes I also see these sweeps pass by.

Just noise...
by jvanhambelgium
Sun Jan 19, 2020 4:40 pm
Forum: Beginner Basics
Topic: VPN recommendations (security over ease/speed)
Replies: 5
Views: 1288

Re: VPN recommendations (security over ease/speed)

My service is set up with self signed HTTPS, but I really don't know enough about encryption and certificates to know whether that is good enough to prevent snooping. Do you have a rule example or tutorial link for a port knocking example? There is the standard example on Port-knocking. https://wiki...
by jvanhambelgium
Sun Jan 19, 2020 9:26 am
Forum: Beginner Basics
Topic: VPN recommendations (security over ease/speed)
Replies: 5
Views: 1288

Re: VPN recommendations (security over ease/speed)

Is the web-interface of your password-vault also TLS/SSL or plain HTTP ? If TLS/SSL you could even discard the VPN and simply use a port-knocking construction to allow you access to your password vault. I don't use VPN but have port-knocking construct for accessing basically 2 (secured) services fro...
by jvanhambelgium
Fri Jan 17, 2020 9:14 am
Forum: General
Topic: how to minimize CGNAT LOGGING
Replies: 4
Views: 1148

Re: how to minimize CGNAT LOGGING

Hi, Don't think you can do anything on the Mikrotik side. The fields of logging etc are what they are and you cannot mangle with it as far as I know. I'm not sure if some script running on the Mikrotik side could be an "alternative" source and pre-process some logging. This will for sure take resour...
by jvanhambelgium
Fri Jan 17, 2020 8:22 am
Forum: Beginner Basics
Topic: Home IoT and guest wifi not working [SOLVED]
Replies: 6
Views: 1701

Re: Home IoT and guest wifi not working [SOLVED]

I still need help, but just one note: - I can actually ping 192.168.1.2 from the Iot net (homeaut) wifi, but not 192.168.1.1 (the internet gateway router) - However, if I enable the masquerading rule (that's in the attached config), I can even ping 192.168.1.1, so all the 192.168.1.0/24 local subne...
by jvanhambelgium
Sun Jan 12, 2020 9:00 am
Forum: General
Topic: Can't Access specific site
Replies: 4
Views: 625

Re: Can't Access specific site

hello mkx,,, this site working through another router except Mikrotik Does not work for me. Testing from Europe/Belgium. "Refused to connect" . Really, that website or its infra is either having a problem or actively denying access. Down for Everyone or Just Me Short URL @ downfor.io Muqeem.sa Stat...
by jvanhambelgium
Sun Jan 05, 2020 12:44 am
Forum: Beginner Basics
Topic: is this really a "cloud router" ?
Replies: 26
Views: 3644

Re: is this really a "cloud router" ?

Are you sure about that? I think with Teamviewer all data passes through the Teamviewer servers. How else could it work between 2 sites that both are behind firewalls and even proxies? One time I used the TeamViewer dashboard to make a connect to a host on my own LAN. Once it was established, I dis...
by jvanhambelgium
Sun Jan 05, 2020 12:01 am
Forum: Beginner Basics
Topic: is this really a "cloud router" ?
Replies: 26
Views: 3644

Re: is this really a "cloud router" ?

That sounds like a great solution. Does it only work on AWS? Or could I set up a server at my own company with a public IP address and accomplish the same thing? The ideal situation would be one where the server is only used to make the initial connection. After that, I would prefer to be directly ...
by jvanhambelgium
Sat Jan 04, 2020 11:54 pm
Forum: Beginner Basics
Topic: is this really a "cloud router" ?
Replies: 26
Views: 3644

Re: is this really a "cloud router" ?

VPN is not equal to a server... it can be configured as a VPN client that connects to a VPN server and then accessed through that server... as simple as that... Also why Open VPN? No need at all... What is wrong with the easy port forward? I do not understand..Instead of suggesting people a paid se...
by jvanhambelgium
Sat Jan 04, 2020 8:10 pm
Forum: Beginner Basics
Topic: is this really a "cloud router" ?
Replies: 26
Views: 3644

Re: is this really a "cloud router" ?

You can do it with either portforward or VPN...
Yes, but the requirement was clearly to view the intermediate ComCast device as non controllable/not configurable.
An easy port-forward or (open)VPN could indeed solve this, but that requires the ComCast devices to be altered too.
by jvanhambelgium
Sat Jan 04, 2020 8:01 pm
Forum: Beginner Basics
Topic: is this really a "cloud router" ?
Replies: 26
Views: 3644

Re: is this really a "cloud router" ?

In that case yes. Some form of VPN is needed. And then you can only hope the Comcast device does not block any of that. I see some possible options, 1) Paid service if you need to manage multiple of such routers : https://www.cloutik.com/ 2) Have a VPS/VM running somewhere in AWS or Azure and setup ...
by jvanhambelgium
Sat Jan 04, 2020 5:56 pm
Forum: General
Topic: firewall vs nat packet flow
Replies: 8
Views: 1515

Re: firewall vs nat packet flow

Wonderful, where did you get this one? Isn't this the one they (mikrotik) originally had on their wiki? But according to this, raw happens before nat and can be used to do blocklists. Or not? There are *a lot* of very interesting presentations that are shared during the MUM meetings. Some of them a...
by jvanhambelgium
Fri Jan 03, 2020 7:59 pm
Forum: General
Topic: firewall vs nat packet flow
Replies: 8
Views: 1515

Re: firewall vs nat packet flow

This one not clear ?

Image
by jvanhambelgium
Thu Jan 02, 2020 3:31 pm
Forum: General
Topic: Winbox display scaling on Linux/Wine for HiDPI screens
Replies: 5
Views: 1470

Re: Winbox display scaling on Linux/Wine for HiDPI screens

Same "issue" here. Mostly since some time I now use WebFig which covers 95% of the requirements but sometimes also behaves funny on a Chrome browser during add/editing FW-rules.
Winbox on a Linux system is such a pain in the *ss.
by jvanhambelgium
Thu Jan 02, 2020 3:29 pm
Forum: RouterBOARD hardware
Topic: Help choosing hardware
Replies: 1
Views: 2152

Re: Help choosing hardware

Define "some VPN connections" ?
IPSEC ? Site2Site ? Mobile Clients with L2TP/IPSEC ?
1Mbits/sec ? 100Mbits/sec (or more) internet services ?

CRS is no powerhouse when running RouterOS, IPSEC VPN is probably a killer for that box if you required high throughput.
by jvanhambelgium
Mon Dec 30, 2019 9:23 pm
Forum: General
Topic: Possible to reach Mikrotik DynDNS behind NAT? (through upnp or something else?)
Replies: 30
Views: 3825

Re: Possible to reach Mikrotik DynDNS behind NAT? (through upnp or something else?)

I like the DynDNS feature of Mikrotik. Specially, that it allows the 1 minute refresh interval time. However, I have some installations behind other routers and I would love to be able to reach my Mikrotiks without having to do NAT forwards on other firewalls to reach it. A- Is there anything built...
by jvanhambelgium
Thu Dec 19, 2019 10:03 am
Forum: Beginner Basics
Topic: add destination to address list not working
Replies: 1
Views: 608

Re: add destination to address list not working

I've tested this on my box RB3011 and it works perfectly, with exactly the same settings that you tried! I'm on the 6.46 STABLE Did you enable LOG to see if any packet hits this rule ?? It is positioned OK in the ruleset ? I've created the rule in FORWARD and moved it all the way to the top. Do you see tr...
by jvanhambelgium
Sun Dec 15, 2019 1:48 pm
Forum: Forwarding Protocols
Topic: Routing Issue : Redirect Host(New nexthop: Gateway IP)
Replies: 12
Views: 4508

Re: Routing Issue : Redirect Host(New nexthop: Gateway IP)

The Server 192.168.0.11 is able to reach/connect Host 192.168.0.70 without any issues. But my concern is what changes shall I make to make the routing proper as this is just the scenario in the LAB. But don't want these things to happen when configured for the clients. Difficult question to answer...
by jvanhambelgium
Sun Dec 15, 2019 9:31 am
Forum: Beginner Basics
Topic: access MT router over the internet [SOLVED]
Replies: 2
Views: 711

Re: access MT router over the internet [SOLVED]

Not much options I'm afraid. Either a paid service, like https://www.cloutik.com/features/ or you are going to have to be creative. Can you have this "remote" Mikrotik setup a connection your side where you HAVE more control ? Is it just 1 remote Mikrotik, are you looking at managing multiple ones ?
by jvanhambelgium
Sun Dec 15, 2019 9:00 am
Forum: Beginner Basics
Topic: PC behind RB can't connect to VPN server
Replies: 9
Views: 1902

Re: PC behind RB can't connect to VPN server

Why is your RB4011 configured as PPTP-server itself ?? This box should do only "passthrough" connections that are created from the Windows PC's behind it right ? /interface pptp-server server set enabled=yes Could you disable this on the RB4011? For the rest I see the "pptp helper" active so that is...
by jvanhambelgium
Fri Dec 13, 2019 7:01 pm
Forum: Forwarding Protocols
Topic: Routing Issue : Redirect Host(New nexthop: Gateway IP)
Replies: 12
Views: 4508

Re: Routing Issue : Redirect Host(New nexthop: Gateway IP)

You will have to experiment a bit, as it looks like the ICMP redirect are not accepted/processed by the Linux host. As you can read, perhaps you need to disable secure_redirects or something. I think in the trace-route finally the 192.168.0.1 should be visible anymore. But remember this is dynamic. ...
by jvanhambelgium
Fri Dec 13, 2019 6:20 pm
Forum: Forwarding Protocols
Topic: Routing Issue : Redirect Host(New nexthop: Gateway IP)
Replies: 12
Views: 4508

Re: Routing Issue : Redirect Host(New nexthop: Gateway IP)

If ICMP does its work I don't think anything should be done. Your server 192.168.0.11 receives the ICMP messages from the Mikrotik and must act accordingly. It could alter its routing-cache and install a route to destination 192.168.0.68/30 with next-hop 192.168.0.5 (this is dynamic and probably not ...
by jvanhambelgium
Fri Dec 13, 2019 6:05 pm
Forum: Forwarding Protocols
Topic: Routing Issue : Redirect Host(New nexthop: Gateway IP)
Replies: 12
Views: 4508

Re: Routing Issue : Redirect Host(New nexthop: Gateway IP)

Thank you for the diagram. Are all of these ip addresses for real, or just example ones you're providing us with? The x.x.0.5 router should be routing a different ip scheme behind it like 192.168.88.0. Otherwise, you will need to manually (I think) maintain an optimal route table. Change your netw...
by jvanhambelgium
Fri Dec 13, 2019 5:48 pm
Forum: Forwarding Protocols
Topic: Routing Issue : Redirect Host(New nexthop: Gateway IP)
Replies: 12
Views: 4508

Re: Routing Issue : Redirect Host(New nexthop: Gateway IP)

Not really a dramatic problem I would say, more a not-so-optimal situation. Your server 192.168.0.11 has its default gateway set to the Mikrotik 192.168.0.1 right ? So basically you ping, the gateway is looking for the destination and sees it actually on the same interface where the ICMP came from ?...
by jvanhambelgium
Fri Dec 13, 2019 5:02 pm
Forum: General
Topic: Remove IP address from address-list within Firewall
Replies: 15
Views: 2074

Re: Remove IP address from address-list within Firewall

Maybe I am paranoiac, I was thinking about some infected/compromised internet core routers be able to track/detect connections that are going to different ports between two identical IP addresses in short time and can detect and extract the port knocking sequence? And in this case would be better t...
by jvanhambelgium
Fri Dec 13, 2019 3:57 pm
Forum: General
Topic: Remove IP address from address-list within Firewall
Replies: 15
Views: 2074

Re: Remove IP address from address-list within Firewall

Is it also not better to only use UDP for knocking? I see no reason why that would be? It is a choice and offers you 64K TCP x 64K UDP = 4million possibilities Hell, you could even include ICMP even (some port-knock programs allow you to craft certain ICMP packet type) but I remain on the TCP+UDP s...
by jvanhambelgium
Fri Dec 13, 2019 1:47 pm
Forum: General
Topic: Remove IP address from address-list within Firewall
Replies: 15
Views: 2074

Re: Remove IP address from address-list within Firewall

I actually time out after 2 seconds at each step, and only last address list takes a bit longer so the script to trigger the action don't need to run too often. Actually a question: Do you think it is better to "knock" in bigger time distance (and its hard to trace / see that those knocks are relat...
by jvanhambelgium
Fri Dec 13, 2019 1:36 pm
Forum: General
Topic: Remove IP address from address-list within Firewall
Replies: 15
Views: 2074

Re: Remove IP address from address-list within Firewall

Out of curiosity, how can a 2nd knock be wrong ? This is not about your own knocks, but about an attacker penetrating your security. Guess you have a knock sequence of three ports in random order. The attacker issues three port scans et voilà... That's why acting on wrong knocks is important. But t...
by jvanhambelgium
Fri Dec 13, 2019 12:36 pm
Forum: General
Topic: Remove IP address from address-list within Firewall
Replies: 15
Views: 2074

Re: Remove IP address from address-list within Firewall

What I would want to do is: after first port knocked, if 2nd knock is wrong, remove source IP from the address list. Out of curiosity, how can a 2nd knock be wrong ? You don't do that manually no ? Any port-knock tool out there just follows a sequence you saved so quite deterministic. If you set a ...
by jvanhambelgium
Fri Dec 13, 2019 12:28 pm
Forum: General
Topic: Remove IP address from address-list within Firewall
Replies: 15
Views: 2074

Re: Remove IP address from address-list within Firewall

I also have a multi-stage portknock sequence and I use a timer. The first port-knock packet hits my router and is placed on a list valid for 30 seconds. So within that time-frame I expect the second port-knock packet from the same remote public IP (of course!) And so on for some more stages. On Andro...
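The posts in this thread describe the same construction from several angles: timed address lists per stage (30 seconds above), mixing TCP and UDP knock ports, and the wish to punish a wrong second knock (the "attacker issues three port scans" case). The following is an added example that puts those together; it is not the poster's own ruleset. It assumes WAN on ether1, knock ports 1111/tcp, 2222/udp and 3333/tcp (pick your own), and a DNATed service 443/tcp on 192.168.88.10.

```routeros
# Added example: three-stage knock with timed lists, the knock packets silently
# dropped after being recorded, a blacklist for any source that sends something
# ELSE while a stage is open, and a DNAT rule that only works after the sequence.
# Assumed: WAN=ether1, knocks 1111/tcp -> 2222/udp -> 3333/tcp, service 443/tcp
# on 192.168.88.10.
/ip firewall filter
# 0) blacklisted sources first, before anything else can match
add chain=input in-interface=ether1 src-address-list=knock-blacklist action=drop \
    comment="knock: blacklist"
add chain=input connection-state=established,related action=accept
# 1..3) each stage only matches a source that passed the previous one
add chain=input in-interface=ether1 protocol=tcp dst-port=1111 \
    action=add-src-to-address-list address-list=knock1 address-list-timeout=30s
add chain=input in-interface=ether1 protocol=udp dst-port=2222 src-address-list=knock1 \
    action=add-src-to-address-list address-list=knock2 address-list-timeout=30s
add chain=input in-interface=ether1 protocol=tcp dst-port=3333 src-address-list=knock2 \
    action=add-src-to-address-list address-list=knocked address-list-timeout=10m
# the knock packets themselves are never answered and never reach the rules below
add chain=input in-interface=ether1 protocol=tcp dst-port=1111,3333 action=drop
add chain=input in-interface=ether1 protocol=udp dst-port=2222 action=drop
# a source waiting on stage 1 or 2 that sends ANY other new packet to the router
# is blacklisted for an hour. There is no "remove from address-list" firewall
# action; a blacklist checked first has the same effect, and a scan walking the
# ports trips it on its first wrong port.
add chain=input in-interface=ether1 src-address-list=knock1 connection-state=new \
    action=add-src-to-address-list address-list=knock-blacklist address-list-timeout=1h
add chain=input in-interface=ether1 src-address-list=knock2 connection-state=new \
    action=add-src-to-address-list address-list=knock-blacklist address-list-timeout=1h
# everything else new from the WAN to the router itself is dropped
add chain=input in-interface=ether1 connection-state=new action=drop

# the protected service: DNAT exists only for a source that finished the sequence
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 src-address-list=knocked \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="knock: service"
/ip firewall filter
add chain=forward connection-state=new connection-nat-state=dstnat \
    src-address-list=knocked dst-address=192.168.88.10 protocol=tcp dst-port=443 \
    action=accept comment="knock: service forward" place-before=0

# watch the lists fill while you knock from outside:
/ip firewall address-list print where list~"knock"
```

Ordering is the whole trick here. Any input service you do allow from the WAN (ping, IPsec on udp/500/4500, ...) must be accepted above the two blacklist-add rules, otherwise a legitimate knocker's own ping during the 30 second window lands them on the blacklist. Sources behind a shared NAT share one public IP, so one mistake there blacklists everyone behind it for the hour; shorten the timeout if that matters to you.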
by jvanhambelgium
Wed Dec 11, 2019 3:52 pm
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 34050

Re: v6.46 [stable] is released!

Updated my RB3011 on this release. No issues! (...so far ;-))
by jvanhambelgium
Sun Dec 01, 2019 10:32 am
Forum: Beginner Basics
Topic: Strange DNS Entries in cache even when remote requests are denied. [SOLVED]
Replies: 2
Views: 646

Re: Strange DNS Entries in cache even when remote requests are denied. [SOLVED]

That might be pretty alarming I think, especially since these are quite strange entries. Especially if indeed you disable "Allow Remote Request" this means Mikrotik is only acting as DNS-client, for lookups for itself and if these entries still popup after a flush. So...did you check if any script i...
by jvanhambelgium
Wed Nov 27, 2019 8:47 pm
Forum: General
Topic: Odd GRE connection in ConnTrack [SOLVED]
Replies: 5
Views: 942

Re: Odd GRE connection in ConnTrack [SOLVED]

Hmm...it seems that this is looking bad...
You might have some internal issue...
Perhaps connections are established from some internal infected host ?
You don't have UPNP active ?

https://www.abuseipdb.com/check/141.98.80.128

https://www.abuseipdb.com/check/46.161.27.122
by jvanhambelgium
Wed Nov 27, 2019 7:56 am
Forum: General
Topic: Web Cache.. but behind a proxy !!!!!!!
Replies: 1
Views: 342

Re: Web Cache.. but behind a proxy !!!!!!!

Sure, there is field "Parent Proxy" so you can configure "Upstream proxy" I think that is what you look for. Under the /ip proxy context parent-proxy (Ip4 | ip6; Default: 0.0.0.0) IP address and port of another HTTP proxy to redirect all requests to. If set to 0.0.0.0 parent proxy is not used. paren...
by jvanhambelgium
Sun Nov 24, 2019 11:44 pm
Forum: General
Topic: Block a huge list of IP-addresses [SOLVED]
Replies: 17
Views: 1842

Re: Block a huge list of IP-addresses [SOLVED]

/ip firewall raw add chain=prerouting action=drop src-address-list=blacklist Just 1 more question please. How can I revert it back? Just using action=accept would be enough? Sure, or simply take the whole rule away ? /ip firewall raw remove numbers=X (the number of this rule) You could also tempora...
by jvanhambelgium
Sun Nov 24, 2019 10:13 am
Forum: General
Topic: Block a huge list of IP-addresses [SOLVED]
Replies: 17
Views: 1842

Re: Block a huge list of IP-addresses [SOLVED]

Thank you guys for your replies. Sorry, I didn't know you might need more details. Those are IPs of advertisement servers and some others. The addresses are mostly independent from each other, so they don't belong to the same network. I need to add new values to that list in future. So how should I...
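Since the list is independent addresses that will keep growing, the practical answer is one raw rule that references an address list and a scheduled script that reloads the list from a file, so the rule itself is never touched. The following is an added example for this thread, not the poster's configuration; it assumes the list is published as a RouterOS script file on an internal web server at 192.168.88.5.

```routeros
# Added example: block a large, growing list of addresses with ONE raw rule and a
# scheduled reload. Assumed: http://192.168.88.5/blacklist.rsc exists and every
# line in it is one add command, e.g.
#   /ip firewall address-list add list=blacklist address=198.51.100.7 comment=ads

# raw/prerouting runs before connection tracking and NAT, which is why it is cheap
# enough for huge lists. Block both directions: replies from a listed server and
# LAN clients talking to it.
/ip firewall raw
add chain=prerouting src-address-list=blacklist action=drop comment="blacklist src"
add chain=prerouting dst-address-list=blacklist action=drop comment="blacklist dst"

# script body, saved under /system script as name=refresh-blacklist (paste it into
# the script editor or pass it as the source= argument):
/ip firewall address-list remove [find list=blacklist]
/tool fetch url="http://192.168.88.5/blacklist.rsc" dst-path=blacklist.rsc mode=http
/import file-name=blacklist.rsc
:log info ("blacklist refreshed: " . [:len [/ip firewall address-list find list=blacklist]] . " entries")

# run it once a day
/system scheduler
add name=refresh-blacklist interval=1d on-event=refresh-blacklist

# reverting: disable the rules rather than deleting them, the list stays intact
/ip firewall raw disable [find comment~"blacklist"]
/ip firewall raw enable [find comment~"blacklist"]

# check the list size and that the rules see hits
/ip firewall address-list print count-only where list=blacklist
/ip firewall raw print stats
```

Between the remove and the import the list is briefly empty, so a reload during business hours opens a window of a few seconds; if that matters, import into a second list name and swap the rules' list attribute afterwards. Also note that address-list entries added by import are static and survive a reboot, so the script is only needed when the file changes.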
by jvanhambelgium
Sat Nov 23, 2019 3:09 pm
Forum: Beginner Basics
Topic: Port forwarding online game
Replies: 3
Views: 1495

Re: Port forwarding online game

Thank you for your detailed reply, I will try it! my PC is connected to the mikrotik In subnet 10.10.3.0 with an open 10.10.3.231 And the router/modem is the subnet 192.168.1.0. Will I have to port forward the mikrotiks IP with the specific ports in the router/modem? Yes, from the ISP-router/modem ...
by jvanhambelgium
Sat Nov 23, 2019 2:07 pm
Forum: Beginner Basics
Topic: Port forwarding online game
Replies: 3
Views: 1495

Re: Port forwarding online game

Remember that you will have to ALSO adapt your ISP modem/router. The reason why it works when you connect your PC directly to the ISP-router/modem is because of UPNP. Basically your PC gives instruction to "open" the required ports on the ISP-router/modem. By default I don't think Mikrotiks have thi...
by jvanhambelgium
Fri Nov 22, 2019 12:40 pm
Forum: Beginner Basics
Topic: static ip forwording
Replies: 4
Views: 723

Re: static ip forwording

hello there I'm new to networking. I need some help regarding static IP. My ISP is providing a PPPoE username and password for internet access which I have dialed up in my Mikrotik; now they have provided me some static IPs to use for DVR or NVR and my personal Plex server. pppoe-out1 is there in my mikrotik f...
by jvanhambelgium
Wed Nov 20, 2019 10:35 pm
Forum: Beginner Basics
Topic: Change the default webfig ip address
Replies: 3
Views: 644

Re: Change the default webfig ip address

By default it will be accessible on any IP of you box on port 80
Simply go to "IP" -> "Services" -> then double-click on the "www" (=Webfig) and put 10.10.20.0/24 in the "Available From" box.
Now only access is permitted when coming from these ranges. Problem solved no ?
by jvanhambelgium
Sun Nov 17, 2019 9:28 am
Forum: Forwarding Protocols
Topic: 'Correct' Method of Public IP assignment [SOLVED]
Replies: 10
Views: 3110

Re: 'Correct' Method of Public IP assignment [SOLVED]

Add this : (see Wiki examples below) The masquerading will change the source IP address and port of the packets originated from the network automagically. No need to set "src-address" (masq = special form of src-nat) /ip firewall nat add chain=srcnat src-address=192.168.1.0/24 action=src-nat to-add...
by jvanhambelgium
Sat Nov 16, 2019 11:26 am
Forum: General
Topic: BLock ip When login error [SOLVED]
Replies: 4
Views: 1158

Re: BLock ip When login error [SOLVED]

But why would you open up your routers' management interfaces (Webfig/Winbox/SSH) in the first place to the whole world ? No way to "narrow down" SOURCE_IP that allowed to do management ? (eg. centralised jumphost or something) Personally for some DNAT-services I use a complex "port-knocking" sequen...
by jvanhambelgium
Sat Nov 16, 2019 12:13 am
Forum: RouterBOARD hardware
Topic: RB3011UiAS-RM and CRS24P-4S+RM with S+DA0001 ?
Replies: 6
Views: 2428

Re: RB3011UiAS-RM and CRS24P-4S+RM with S+DA0001 ?

Ok, thanks! Are there any benefits for me to use the S+DA0001? No or? Maybe that I have one free port more on the switch, that's not bad. Is the response time or something better? I need to go in the next year to RB4011 or something faster... but yet my ISP connection doesn't need more speed than the g...
by jvanhambelgium
Fri Nov 15, 2019 7:03 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved
Replies: 295
Views: 111145

Re: Using Splunk to analyse MikroTik logs 2.7 (Graphing everything) Topic is solved

Jotne,Great, I did it according to your script, and the beautiful chart shows normal. I tried to add scripts to my multiple ccr and routerboards, so my interface has a lot of duplicate names, such as bonding1 and bridge1, how can I distinguish between them, or change the name for each interface. 4....
by jvanhambelgium
Fri Nov 15, 2019 12:10 pm
Forum: RouterBOARD hardware
Topic: RB3011UiAS-RM and CRS24P-4S+RM with S+DA0001 ?
Replies: 6
Views: 2428

Re: RB3011UiAS-RM and CRS24P-4S+RM with S+DA0001 ?

Well, the 3011 has only a SFP slot, NOT SFP+ slot! This means that whatever you plug in it (see compatible list of optics & cables for the 3011) you only ever will get 1Gbps link for Ethernet type of traffic! SFP specifications are based on IEEE802.3 and SFF-8472. They are capable of supporting spee...
by jvanhambelgium
Wed Nov 13, 2019 5:36 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved
Replies: 295
Views: 111145

Re: Using Splunk to analyse MikroTik logs 2.7 (Graphing everything) Topic is solved

Hi Jo, Great set of dashboards! All working just fine. In order to customize them further, when can I take out some complete dash-boards ? (pressing "Dashboards" in Splunk gives you the overview) Don't need any Wireless or Upnp stuff and I would like to get it off the list. Under the actions-button ...
by jvanhambelgium
Wed Nov 13, 2019 8:16 am
Forum: General
Topic: no ping from onprem to Azure
Replies: 7
Views: 1059

Re: no ping from onprem to Azure

My case is slightly different as I do not allow any new/originated traffic from Azure to my home-lab. From my home-lab Linux boxes, I can reach Azure machines just fine with all the rules & settings above. Slightly changed some IPs for sanitisation reasons. I do see some settings are slightly differe...
by jvanhambelgium
Tue Nov 12, 2019 8:08 pm
Forum: Forwarding Protocols
Topic: Drop all NEW connections from the input chain
Replies: 6
Views: 2182

Re: Drop all NEW connections from the input chain

I'm pretty sure this is coming from your ISP equipment...however strangely enough the 5e:aa:8e:zz:xx:yy is not from any known vendor today. Apart from that, the 224.0.0.1 is a non-routable, multicast on the local subnetwork. Your Mikrotik will not "leak" them further onto your network ever. But I se...
by jvanhambelgium
Mon Nov 11, 2019 10:08 pm
Forum: General
Topic: no ping from onprem to Azure
Replies: 7
Views: 1059

Re: no ping from onprem to Azure

First question : is your VPN working ?!
On the Mikrotik side, give some info on the PH2-state ? It is established ?
You have 2 SA's / SPI's "installed" ? (1 in each direction) to form the IPSEC-tunnel ?

I have such IPSEC VPN running to Azure for months now without any issue actually.
by jvanhambelgium
Mon Nov 11, 2019 5:05 pm
Forum: General
Topic: Winbox security/access using FW lists and/or IP service [SOLVED]
Replies: 8
Views: 1500

Re: Winbox security/access using FW lists and/or IP service [SOLVED]

On Question2 : Remember there is no "deny any" rule! So your firewall rule was not "hit" when trying for 192.168.89.1 and therefore without a last "deny any any" rule you pass... From the WIKI : When processing a chain, rules are taken from the chain in the order they are listed there from top to bo...
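The two replies above (the "narrow down SOURCE_IP" one and this one on the missing "deny any") are the same lesson: limit where the services listen AND finish the input chain with an explicit drop, because a packet that matches no rule is accepted. The following is an added example, not the poster's configuration; it assumes management from the LAN 192.168.88.0/24 plus one jump host at 203.0.113.5.

```routeros
# Added example: management reachable only from known sources, and an input chain
# that ends in an explicit drop. Assumed: LAN 192.168.88.0/24, jump host 203.0.113.5.

# 1) the services themselves: "Available From" in WebFig is the address= field here.
#    Anything not needed is disabled outright.
/ip service
set www address=192.168.88.0/24
set winbox address=192.168.88.0/24,203.0.113.5
set ssh address=192.168.88.0/24,203.0.113.5
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# 2) defence in depth: the firewall enforces the same sources, and drops the rest.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="LAN"
add list=mgmt address=203.0.113.5 comment="jump host"

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,80,8291 action=accept \
    comment="management only from mgmt list"
# without this rule the chain ends and everything not matched above is ACCEPTED
add chain=input action=drop comment="deny any"

# check: from an address outside mgmt, a winbox/ssh attempt should only bump this counter
/ip firewall filter print stats where comment="deny any"
```

Add the final drop only while you are connected from an address on the mgmt list, and enter Safe Mode in the terminal first (Ctrl-X) so a mistake that cuts your session is rolled back automatically. The failed-login banning the thread asks for is then only a second layer; the main gain is that a password-guessing source from the Internet never reaches the login prompt in the first place.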
by jvanhambelgium
Wed Sep 11, 2019 10:00 am
Forum: General
Topic: Is the RB3011 a good fit?
Replies: 8
Views: 1410

Re: Is the RB3011 a good fit?

My RB3011 never let me down in the past years. In terms of performance, when blasting iperf-traffic across the Bridge/CPU (client <> server on 2 ports that need to traverse the CPU) I only hit about 17% CPU while doing a consistent 950Mbps across it. No worries there. My Internet link is "only" 100M...
by jvanhambelgium
Fri Sep 06, 2019 2:46 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 203
Views: 53794

Re: RouterOS v7.0beta1 (ARM)

Have any special instructions been given? I see a netinstall and an npk, do you need to use netinstall or is it enough to upload the npk and reboot? Is it limited to certain ARM devices or can it be used on all of them? (I have an unused LHG ac that I could try it on) Currently running it on a RB30...
by jvanhambelgium
Tue Aug 13, 2019 12:27 pm
Forum: General
Topic: router without vlan CAN WORK with Mikrotik?
Replies: 2
Views: 685

Re: router without vlan CAN WORK with Mikrotik?

No default VLAN as far as I can see. Ports are "untagged" In my case (RB3011) different ports are "grouped" into a bridge-group and that bridge has an IP that functions as the default-gateway for my devices on the LAN. So sure it can work with any other router connected without VLAN's, it will be ju...
by jvanhambelgium
Sun Aug 04, 2019 11:26 pm
Forum: RouterBOARD hardware
Topic: Advice for new Unit
Replies: 6
Views: 1560

Re: Advice for new Unit

I don't think your "off the shelf" will be that easy :D
The combination of PoE(+) on multiple ports , X amount of gigabit ports AND wireless is not easy to find!

Let me know if you find a single-box solution.
by jvanhambelgium
Thu Jun 27, 2019 12:18 am
Forum: General
Topic: Route based on latency?
Replies: 3
Views: 726

Re: Route based on latency?

Well with the Mikrotik you do have some fancy scripting options. There are quite some examples where the box has 2 links and with a script the default-route is switched if 1 of the links is down. Of course, here we want to play with the response-time above X ms, then switch to other link. Partial exa...
by jvanhambelgium
Tue Jun 25, 2019 8:17 am
Forum: General
Topic: Loud Balance
Replies: 11
Views: 1185

Re: Loud Balance

Some 3rd party L2TP/PPTP "client" would be interesting so it would choose an available gateway. Commercial VPN-clients often have this function. (eg. Cisco AnyConnect or something) This is a long shot, but perhaps you might consider implementing it not on Mikrotik directly ? Take a look at https://w...
by jvanhambelgium
Tue Aug 08, 2017 6:45 pm
Forum: General
Topic: RB3011 - 6.40.1 - SMB seems to remain "active"
Replies: 0
Views: 588

RB3011 - 6.40.1 - SMB seems to remain "active"

Hi, I was doing a remote port-scan to my RB3011 and the scanning tool reports various SMB-ports to be open ?! I disabled SMB anyway on the Mikrotik [jvanham@GATEWAY] /ip smb> /ip smb print enabled: no domain: WORKGROUP comment: MikrotikSMB allow-guests: no interfaces: Bridge [jvanham@GATEWAY] /ip sm...
by jvanhambelgium
Tue Jan 17, 2017 10:15 pm
Forum: RouterBOARD hardware
Topic: POE problem with RB3011 and wAP AC
Replies: 11
Views: 3328

Re: POE problem with RB3011 and wAP AC

Rather sh*t that is broken already. Wonder what caused it. Not even 5 months in service. Might go and look out for a not to expensive POE switch with more than 1 POE port. Any recommendation? Any fix for this ? Or what have you done ? I'm having the same problem on my RB3011UIA ... I tried to power...
by jvanhambelgium
Tue Jan 17, 2017 10:08 pm
Forum: RouterBOARD hardware
Topic: POE problem with RB3011 and wAP AC
Replies: 11
Views: 3328

Re: POE problem with RB3011 and wAP AC

Rather sh*t that is broken already. Wonder what caused it. Not even 5 months in service. Might go and look out for a not to expensive POE switch with more than 1 POE port. Any recommendation? Any fix for this ? Or what have you done ? I'm having the same problem on my RB3011UIA ... I tried to power...
by jvanhambelgium
Sun Jul 17, 2016 3:28 pm
Forum: General
Topic: usb drive performance
Replies: 10
Views: 5218

Re: usb drive performance

Extremely old thread, but nevertheless my info. Routerboard : RB3011UiAS-RM Installed a Sandisk 64GB card in the unit (mainly for logging purposes etc, not really planning to make my Mikrotik a fileserver) Version 6.35.4 (stable) SCP performance, when copying (either read/write) is consistently about 9...
by jvanhambelgium
Thu Jul 14, 2016 10:23 pm
Forum: Beginner Basics
Topic: RB3011UiAS-RM Configuration
Replies: 4
Views: 5867

Re: RB3011UiAS-RM Configuration

Greetings I purchased this router, and wanted to do this configuration: ETH1 = WAN ISP ETH2 = WAN ISP Backup ETH3 = WIRELESS SECTOR1 IP 10.20.0.3 ETH4 = WIRELESS SECTOR2 IP 10.20.0.4 ETH5 = WIRELESS SECTOR3 IP 10.20.0.5 ETH6 = PTZ CAM IP 10.20.0.6 MIKROTIK LOCAL IP 10.20.0.1 this also is the DHCP Serve...