Community discussions

Search found 143 matches

by JohnTRIVOLTA
Tue Jan 29, 2019 10:23 pm
Forum: Beginner Basics
Topic: block inter VLAN traffic
Replies: 17
Views: 544

Re: block inter VLAN traffic

Where is this export of configuration or at least that of the firewall? I did not see it anywhere, so I am confined to what is specifically asked! Everything else bordered on divination skills and I do not have ones!
by JohnTRIVOLTA
Mon Jan 28, 2019 10:54 pm
Forum: Beginner Basics
Topic: block inter VLAN traffic
Replies: 17
Views: 544

Re: block inter VLAN traffic

That sounds silly JT. What are you trying to accomplish?? VLAN to VLAN traffic is blocked by default at layer 2. VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule. The only thing the OP requires is an allow VLAN to WAN rule! This is my answer for pegasus123 - its fir...
by JohnTRIVOLTA
Mon Jan 28, 2019 8:57 pm
Forum: Beginner Basics
Topic: block inter VLAN traffic
Replies: 17
Views: 544

Re: block inter VLAN traffic

I use only one filter rule. First I add all vlans in interface list - VLANs and then put the one filter rule:
/ip fi fi add action=drop chain=forward in-interface-list=VLANs out-interface-list=VLANs
by JohnTRIVOLTA
Sat Jan 26, 2019 8:32 pm
Forum: Wireless Networking
Topic: Reduce Wi-Fi transmitter power on schedule
Replies: 6
Views: 357

Re: Reduce Wi-Fi transmitter power on schedule

Oh man thank you! I did it wrong first time. Then I tried as you said but I cannot succeed. I made this to show how I did it. but it doesn't change anything .. i think https://ibb.co/RzVRqpW You forgot RUN in schedule : /system script run number=1 But this is not the main setup error. You must chan...
by JohnTRIVOLTA
Sat Jan 26, 2019 3:18 pm
Forum: Wireless Networking
Topic: Reduce Wi-Fi transmitter power on schedule
Replies: 6
Views: 357

Re: Reduce Wi-Fi transmitter power on schedule

Did you do this?
Add the script in the system section - scripts with changed values as desired. Then add a schedule in system - schedule to run the script at a certain interval - an example of 15 minutes. That is all!
by JohnTRIVOLTA
Sat Jan 26, 2019 12:54 pm
Forum: Wireless Networking
Topic: Reduce Wi-Fi transmitter power on schedule
Replies: 6
Views: 357

Re: Reduce Wi-Fi transmitter power on schedule

Simply set a minimum value /10dbm/ for the transmitting power of the wireless interface in the tx power section - all rates fixed and the script will work! Change the desired values in the script too !
by JohnTRIVOLTA
Fri Jan 25, 2019 7:10 am
Forum: General
Topic: IKEv2 Site-To-Site VPN
Replies: 4
Views: 382

Re: IKEv2 Site-To-Site VPN

Hello, the things you want can be configured, but you also need to set some settings in location A if you want a L2 level or extend transparently the LAN , if I understood right !
by JohnTRIVOLTA
Tue Jan 22, 2019 7:20 pm
Forum: General
Topic: IKEv2 site to site between 2 Mikrotik
Replies: 10
Views: 675

Re: IKEv2 site to site between 2 Mikrotik

I think your problem is in the balancing mode used /PCC/. In the second router, you do not use balancing, and there is no problem for initiate the connection. For the test, you can stop the wan ports and leave only the wan for ipsec and try it again.
by JohnTRIVOLTA
Tue Jan 22, 2019 6:57 am
Forum: General
Topic: IKEv2 site to site between 2 Mikrotik
Replies: 10
Views: 675

Re: IKEv2 site to site between 2 Mikrotik

I'm really sorry. I have only seen the beginning of both configurations without scrolling them!
Now, when I look at the config, I think that the traffic that is between the two networks should be marked to be exactly where / which WAN port / will come out for balancing!
by JohnTRIVOLTA
Mon Jan 21, 2019 6:30 pm
Forum: General
Topic: IKEv2 site to site between 2 Mikrotik
Replies: 10
Views: 675

Re: IKEv2 site to site between 2 Mikrotik

really hoping someone can point out what I'm doing wrong :(
I cant see any IpSec IKE2 Site to Site configuration ! You may have set up some L2TP with IpSec ppp connection and routing the networks on it - do you have any routes for them in both places ?
by JohnTRIVOLTA
Sun Jan 20, 2019 4:26 pm
Forum: Beginner Basics
Topic: how to do Dynamic nat 100 private ip with /24 public ip
Replies: 10
Views: 441

Re: how to do Dynamic nat 100 private ip with /24 public ip

I think these rules will work : /ip firewall address-list add address=192.168.0.1-192.168.0.100 list=100private_addresses #just add your private ip addresses in address list# /ip firewall nat add action=accept chain=srcnat src-address-list=!100private_addresses add action=netmap chain=srcnat src-addr...
by JohnTRIVOLTA
Sun Jan 20, 2019 12:52 pm
Forum: Beginner Basics
Topic: how to do Dynamic nat 100 private ip with /24 public ip
Replies: 10
Views: 441

Re: how to do Dynamic nat 100 private ip with /24 public ip

Hi
Can you please help me how to do Dynamic nat of approx 100 private ip with /24 public ip pool . thanks
Use NETMAP for source nat !?
by JohnTRIVOLTA
Sun Jan 20, 2019 10:23 am
Forum: General
Topic: No country [SOLVED]
Replies: 4
Views: 397

Re: No country [SOLVED]

Try Debug and then russia2 for other frequencies .
by JohnTRIVOLTA
Mon Jan 07, 2019 3:51 pm
Forum: Beginner Basics
Topic: SSTP VPN speed is too slow between MT router and client
Replies: 3
Views: 286

Re: SSTP VPN speed is too slow between MT router and client

30/5 Mbps respectively only you have maximum 5 Mbps on client downstream !
by JohnTRIVOLTA
Thu Dec 20, 2018 10:19 pm
Forum: General
Topic: Ipsec Site to Site with certificate
Replies: 5
Views: 382

Re: Ipsec Site to Site with certificate

Hi I try to configure a connection between two ccr1009 and encrypt this with ipsec. If I try to use psk everything works fine. But I wanna use instead certificates. I search for some time but I didn't found any tutorial how to do this. So I wanna ask would this be possible? Thanks Just try , use IK...
by JohnTRIVOLTA
Mon Dec 17, 2018 12:25 am
Forum: Wireless Networking
Topic: wAP ac is slow with manager forwarding and high CPU
Replies: 9
Views: 608

Re: wAP ac is slow with manager forwarding and high CPU

I have same issue ! With netbox 5 , 1 client /my laptop/ achieved max only 46 mbit/s when i transfer some file/s/ via ftp from my local nas. The laptop wireless adapter AR5BWB222 300/300 connectivity .
by JohnTRIVOLTA
Sun Dec 16, 2018 10:59 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 488

Re: Connect three locations

I am not sure what I have to do, but if I understand I have to create two firewall--> nat rules: In one of remote routers: 0 chain=srcnat action=src-nat to-addresses=172.31.32.3 src-address=192.168.10.0/24 dst-address=192.168.11.0/24 log=no log-prefix="" In other remote router: 0 chain=srcnat actio...
by JohnTRIVOLTA
Sun Dec 16, 2018 9:30 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 488

Re: Connect three locations

My guess is that on routers 2 and 3 your masquerade rules masquerade too much. Whatever sent from e.g. site 2 towards site 1 and site 3 should probably not be masqueraded ... You could try to rewrite masquerade rules to match outgoing interfaces or something ... + must select outgoing interface in ...
by JohnTRIVOLTA
Sun Dec 16, 2018 8:35 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 488

Re: Connect three locations

I do not have any limitations in filter
You don't have rules in the routers at all ?
by JohnTRIVOLTA
Sun Dec 16, 2018 8:02 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 488

Re: Connect three locations

May be necessary to add accept rules for the three networks in the forward chains on filter section on the three routers
by JohnTRIVOLTA
Sun Dec 16, 2018 9:20 am
Forum: Beginner Basics
Topic: Blocking traffic on the same NAT doesn't work
Replies: 10
Views: 498

Re: Blocking traffic on the same NAT doesn't work

But I have a virtually created bridge, and bridge filters work for it. But not for the default bridge. So if it's a software bridge I can use the bridge filters feature and provide some L2 filtering. Remove the hardware offload of the desired bridgeports /ether2 and ether4/ ! https://i.postimg.cc/5...
by JohnTRIVOLTA
Tue Dec 11, 2018 11:22 pm
Forum: General
Topic: 6.43.7 bootloop on hAP AC
Replies: 2
Views: 214

Re: 6.43.7 bootloop on hAP AC

ixirion has the same issue ! After downgrade to 6.43.4 the routerboard works normally again! The reboots were in a different range from 1 minute to 5 .
by JohnTRIVOLTA
Mon Dec 10, 2018 12:07 am
Forum: General
Topic: ikev2 ports [SOLVED]
Replies: 6
Views: 396

Re: ikev2 ports [SOLVED]

Okay.... never easy with MT. There are two ways of letting ipsec connections through. Allow protocol 50 or connections with in ipsec policy. When I'm trying with the first option, vpn connects but connections somehow do not get through. If i do it with second type rule, then everything is fine... a...
by JohnTRIVOLTA
Sun Dec 09, 2018 12:04 am
Forum: General
Topic: ikev2 ports [SOLVED]
Replies: 6
Views: 396

Re: ikev2 ports [SOLVED]

Okay, 50% of mystery solved :)
Why is then my connection working even while I'm not allowing ipsec protocol (50) on input chain?
Are you sure ? When you are activated IKE (ISAKMP) these protocols /50 and 51/ are allowed automatically /unless you explicitly disallow them/ !
by JohnTRIVOLTA
Sat Dec 08, 2018 4:47 pm
Forum: General
Topic: ikev2 ports [SOLVED]
Replies: 6
Views: 396

Re: ikev2 ports [SOLVED]

I have a working ikev2 vpn connection setup on my ros. Every tutorial says i need to allow ports 500, 4500 UDP and IPSec ESP on input chain. Some tutorials even say port 1701 UDP needs to be opened on input chain. Than why is my connection working completely even if I don't allow 1701 nor IPSec esp...
by JohnTRIVOLTA
Wed Nov 21, 2018 11:29 pm
Forum: Beginner Basics
Topic: Bridge Filter works on independent vlan ?
Replies: 5
Views: 256

Re: Bridge Filter works on independent vlan ?

Now everything works after I added in-bridge and out-bridge on bridge filter rule: /interface bridge filter add action=drop chain=forward dst-port=68 in-bridge=bridge1 ip-protocol=udp mac-protocol=ip out-bridge=bridge1 src-address=!172.16.222.254/32 My configuration is less complex. I have one openv...
by JohnTRIVOLTA
Wed Nov 21, 2018 9:46 pm
Forum: Beginner Basics
Topic: Bridge Filter works on independent vlan ?
Replies: 5
Views: 256

Re: Bridge Filter works on independent vlan ?

Oh, I'm sorry, I'm very .... Ethernet1 is part of the bridge1 ! This may be the answer ! /interface bridge add arp=proxy-arp comment="-- LAN --" fast-forward=no name=bridge1 add fast-forward=no name=bridge2 add name=bridge3 add name=bridge4 add igmp-snooping=yes name=bridge5 add fast-forward=no name...
by JohnTRIVOLTA
Wed Nov 21, 2018 7:49 pm
Forum: Beginner Basics
Topic: Bridge Filter works on independent vlan ?
Replies: 5
Views: 256

Bridge Filter works on independent vlan ?

Hi friends, I had to configure a VLAN on my board and put it on virtual wlan interface. I found out that customers do not receive an ip address. After thorough investigation of the problem, I realized that a rule in the bridge for DHCP stops the packages also in the vlan. My question - Why is it so ...
by JohnTRIVOLTA
Wed Jun 13, 2018 11:26 pm
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1400

Re: Confused about L2TP and IPSec VPNs

There's: 6 ;;; defconf: accept established,related chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" So if the previous rules in "/ip firewall raw" are still in place, it's covered. You are right, the rules already exist in RAW section ! p.s. I remember...
by JohnTRIVOLTA
Wed Jun 13, 2018 10:14 pm
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1400

Re: Confused about L2TP and IPSec VPNs

I don't see these rules on the top of filter section on both routers too: /ip firewall filter add chain=forward action=accept place-before=1 src-address=192.168.0.0/24 dst-address=192.168.3.0/24 connection-state=established,related,untracked add chain=forward action=accept place-before=1 src-address=...
by JohnTRIVOLTA
Wed Jun 13, 2018 10:12 am
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1400

Re: Confused about L2TP and IPSec VPNs

Firewall NAT [...@trk-mtk-04] /ip firewall nat> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 1 ;;; defconf: masquerade chain=srcnat action=masquerade out-interface=ether1 Is not this a NAT...
by JohnTRIVOLTA
Wed Jun 13, 2018 6:26 am
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1400

Re: Confused about L2TP and IPSec VPNs

Encrypted traffic between routers goes through a udp 4500 connection, and I do not see it allowed every router in filter rules!
by JohnTRIVOLTA
Tue Jun 12, 2018 6:35 am
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1400

Re: Confused about L2TP and IPSec VPNs

If you have public addresses on both sides, except site to site ipsec, you can also set ip ip tunnel , gre tunnel, eoip tunnel with ipsec and route the local networks through them ! The settings of each of them are literally two clicks . See here - http://systemzone.net/mikrotik-site-to-site-eoip-tu...
by JohnTRIVOLTA
Tue Jun 05, 2018 8:59 pm
Forum: Beginner Basics
Topic: Mikrotik hAP lite As Wifi Extender with different SSID and WPA
Replies: 6
Views: 785

Re: Mikrotik hAP lite As Wifi Extender with different SSID and WPA

whoops. well if you are in a hurry and a bit dumb that's what happens :D . I edited the post. if you can so too. though I 'll change it now. Ok I 'll try what u suggested me and give it a try. i ll come back with the results. thanks for the answer. edit: can you explain me from which menu I can NAT...
by JohnTRIVOLTA
Mon Jun 04, 2018 11:54 am
Forum: General
Topic: Cannot Access VPN from Outside
Replies: 4
Views: 326

Re: Cannot Access VPN from Outside

Cloud features are used when you have a dynamic public address, not a private one . If you do not have a public address, you can not access your router.
by JohnTRIVOLTA
Sat Jun 02, 2018 10:52 am
Forum: RouterOS v6 RC and v7 BETA
Topic: The security flaw for Hajime is closed by the firewall
Replies: 37
Views: 13380

Re: The security flaw for Hajime is closed by the firewall

I had such kind of the invasion too. And now i updated routerOS from 6.41 to 6.42.3. I changed all user's passwords and update my router from the backup which i had before the invasion. But i find this string(screenshot) in the terminal window. What is it mean? This note came from a backup when the...
by JohnTRIVOLTA
Thu May 31, 2018 11:39 pm
Forum: Beginner Basics
Topic: Firewall rules: deny any traffic
Replies: 9
Views: 538

Re: Firewall rules: deny any traffic

And as for me chain=prerouting is not better way because "prerouting" after "input" in the packet flow diagram. Only for you ... Raw section is first in the packet flow , next is the filter ! P.S.First is the prerouting chain, after routing decision the next is forward or input and output chains an...
by JohnTRIVOLTA
Thu May 31, 2018 10:49 pm
Forum: Beginner Basics
Topic: Firewall rules: deny any traffic
Replies: 9
Views: 538

Re: Firewall rules: deny any traffic

Hello everyone. Need a help for newbie. Example section in the documentation say's that I can block everything on input chain with the rule: add chain=input action=drop But. Little bit higher on the same page there are parameters description. And there are words saying that parameter "protocol" has...
by JohnTRIVOLTA
Fri May 25, 2018 11:07 pm
Forum: General
Topic: SSTP Server Problem (port used by another service)
Replies: 6
Views: 433

Re: SSTP Server Problem (port used by another service)

> Yes, just change port number with 444 for example on both sides ! Technically this works, but the idea is to offer VPN-Access when traveling: I would like to stick with 443 since this port is open outgoing for clients from just about everywhere. I understand, but I think two services can not use ...
by JohnTRIVOLTA
Fri May 25, 2018 10:28 pm
Forum: General
Topic: SSTP Server Problem (port used by another service)
Replies: 6
Views: 433

Re: SSTP Server Problem (port used by another service)

Hi, I found a few hints in the forum about this, but did not spot a solution - sorry in case I overlooked it... I use a RB1100AHx4 with a public IP address at eth1 and a hotspot at eth2 with a private IP Address range. When activating the SSTP Server port 443, it complains: "Couldn't change SST Ser...
by JohnTRIVOLTA
Fri May 25, 2018 9:46 pm
Forum: General
Topic: Src-nat internal subnets to different public IPs not working - v6.42.2
Replies: 8
Views: 388

Re: Src-nat internal subnets to different public IPs not working - v6.42.2

I have not - so I would go IP -> Addresses, add .5/32 or the matching Subnet .5/28? Any reason why the /28 isn't covering the entire spread? They should be routed, its a Cable Modem Handoff and the Modem only has 1 Port. Otherwise I wouldnt think the connection would come up if the netmask and scop...
by JohnTRIVOLTA
Fri May 18, 2018 7:03 pm
Forum: Wireless Networking
Topic: RBM33G + two Wireless mpci-e cards ?
Replies: 3
Views: 501

RBM33G + two Wireless mpci-e cards ?

Hello friends, is there a possibility to run two radio modules at the same time on the rbm33g ? I want to run a split signal at 2.4 Ghz and 5 Ghz , i have one AR9380 a/n and one AR9381 b/g/n HP triple chain cards. Now i use only the a/n card! P.S. "Insert the miniPCIe and M.2 cards (not included) an...
by JohnTRIVOLTA
Mon May 07, 2018 10:23 pm
Forum: Wireless Networking
Topic: Where to find # of WIFI VLANS [SOLVED]
Replies: 14
Views: 1005

Re: Where to find # of WIFI VLANS [SOLVED]

Anybody else with actual information? Seems like everyone in Bulgaria drinks heavily all day and should not be allowed near a computer. Every child can run google search engine and the first result gives you answer. I just have added the theoretical number of the vlans to my post ... yes, i drink w...
by JohnTRIVOLTA
Mon May 07, 2018 8:53 pm
Forum: Wireless Networking
Topic: Where to find # of WIFI VLANS [SOLVED]
Replies: 14
Views: 1005

Re: Where to find # of WIFI VLANS [SOLVED]

2007 ssids = 2007 vlans
by JohnTRIVOLTA
Thu Apr 26, 2018 9:45 pm
Forum: Wireless Networking
Topic: CPE And AP on Same Router
Replies: 4
Views: 376

Re: CPE And AP on Same Router

by JohnTRIVOLTA
Thu Apr 26, 2018 6:23 pm
Forum: RouterBOARD hardware
Topic: How to add a ethernet port to RBM33G (mpcie)
Replies: 8
Views: 793

Re: How to add a ethernet port to RBM33G (mpcie)

It's not possible, because I need 3 ethernet port for our project, and a mPCI used for LTE with R11e-LTE.

It is why I need to add a port or a way to communicate with the board.

Regards.
Olivier
Communicate with the board wirelessly through the second mPCI-E wifi adapter !?
by JohnTRIVOLTA
Tue Apr 24, 2018 10:04 pm
Forum: Scripting
Topic: Establish a L2L tunnel on wan failover
Replies: 1
Views: 263

Re: Establish a L2L tunnel on wan failover

Add static route to the L2 vpn server ip address through LTE interface.Add l2tp-out /L2TP client/ and use netwatch to check main gateway , when is on down execute /interface ppp-client enable l2tp-out1 or when is on up - interface ppp-client disable l2tp-out1 !
by JohnTRIVOLTA
Tue Apr 24, 2018 7:27 pm
Forum: Beginner Basics
Topic: don't write logs
Replies: 5
Views: 362

Re: don't write logs

maybe... did you try to check how many lines you have setup? /system logging action print look for "memory-lines= ..." Or go to System / Logging / Actions / memory / Lines Thank you, I've solved the problem ... System / Logging / Actions / disk / Lines are only 1, but why i don't know - they was se...
by JohnTRIVOLTA
Tue Apr 24, 2018 6:52 pm
Forum: Beginner Basics
Topic: don't write logs
Replies: 5
Views: 362

Re: don't write logs

I have completely same problem with my RB3011 ! I'm waiting to see at 22 o'clock what log file will send me to the mail automatically !
by JohnTRIVOLTA
Mon Apr 23, 2018 3:12 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 138349

Re: Advisory: Vulnerability exploiting the Winbox port

But that whats the point of this, i ran it 3 times and got all my ports listed 3 times before mikrotik blocked it, "attacker" already have all it needs.
Scan this 93.155.148.98 - my IP address and tell me the open ports please!