MikroTik

JohnTRIVOLTA

Where is this export of configuration or at least that of the firewall? I did not see it anywhere, so I am confined to what is specifically asked! Everything else bordered on divination skills and I do not have ones!

JohnTRIVOLTA

That sounds silly JT. What are you trying to accomplish?? VLAN to VLAN traffic is blocked by default at layer 2. VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule. THe only thing the OP requires is an allow VLAN to WAN rule! Тhis is my answer for pegasus123 - its fir...

JohnTRIVOLTA

I use only one filter rule . First i add all vlans in interface list - VLANs and then put the one filter rule:
/ip fi fi add action=drop chain=forward in-interface-list=VLANs out-interface-list=VLANs

JohnTRIVOLTA

Oh man thank you! I did it wrong first time. Then I tried as you said but I cannot succeed. I made this to show how I did it. but it doesn't change anything .. i think https://ibb.co/RzVRqpW You forgot RUN in schedule : /system script run number=1 But this is not the main setup error. You must chan...

JohnTRIVOLTA

Did you do this?
Аdd the script in the system section - scripts with changed values as desired . Then add a schedule in system - schedule to run the script at a certain interval - an example of 15 minutes. That is all !

JohnTRIVOLTA

Simply set a minimum value /10dbm/ for the transmitting power of the wireless interface in the tx power section - all rates fixed and the script will work! Change the desired values in the script too !

JohnTRIVOLTA

Hello, the things you want can be configured, but you also need to set some settings in location A if you want a L2 level or extend transparently the LAN , if I understood right !

JohnTRIVOLTA

I think your problem is in the balancing mode used /PCC/. In the second router, you do not use balancing, and there is no problem for initiate the connection. For the test, you can stop the wan ports and leave only the wan for ipsec and try it again.

JohnTRIVOLTA

I'm really sorry. I have only seen the beginning of both configurations without scrolling them!
Now, when I look at the config, I think that the traffic that is between the two networks should be marked to be exactly where / which WAN port / will come out for balancing!

JohnTRIVOLTA

really hoping someone can point out what I'm doing wrong

I cant see any IpSec IKE2 Site to Site configuration ! You may have set up some L2TP with IpSec ppp connection and routing the networks on it - do you have any routes for them in both places ?

JohnTRIVOLTA

I think this rules will work : /ip firewall address-list add address=192.168.0.1-192.168.0.100 list=100private_addresses #just add your private ip addresses in address list# /ip firewall nat add action=accept chain=srcnat src-address-list=!100private_addresses add action=netmap chain=srcnat src-addr...

JohnTRIVOLTA

Hi
Can you please help me how to do Dynamic nat of apporx 100 private ip with /24 public ip pool . thanks

Use NETMAP for source nat !?

JohnTRIVOLTA

Try Debug and then russia2 for other frequencies .

JohnTRIVOLTA

30/5 Mbps respectively only you have maximum 5 Mbps on client downstream !

JohnTRIVOLTA

Hi I try to configure a connection between two ccr1009 and encrypt this with ipsec. If I try to use psk everything works fine. But I wanna use instead certificates. I search for some time but I didn't found any tutorial how to do this. So I wanna ask would this be possible? Thanks Just try , use IK...

JohnTRIVOLTA

I have same issue ! With netbox 5 , 1 client /my laptop/ achieved max only 46 mbit/s when i transfer some file/s/ via ftp from my local nas. The laptop wireless adapter AR5BWB222 300/300 connectivity .

JohnTRIVOLTA

I am not sure what I have to do, but if I understand I have to create two firewall--> nat rules: In one of remote routers: 0 chain=srcnat action=src-nat to-addresses=172.31.32.3 src-address=192.168.10.0/24 dst-address=192.168.11.0/24 log=no log-prefix="" In other remote router: 0 chain=srcnat actio...

JohnTRIVOLTA

My guess is that on routers 2 and 3 your masquerade rules masquerade too much. Whatever sent from e.g. site 2 towards site 1 and site 3 should probably not be masqueraded ... You could try to rewrite masquerade rules to match outgoing interfaces or something ... + must select outgoing interface in ...

JohnTRIVOLTA

I do nor heva any limitations in filter

You don't have rules in the routers at all ?

JohnTRIVOLTA

May be necessary to add accept rules for the three networks in the forward chains on filter section on the three routers

JohnTRIVOLTA

But I have a virtually created bridge, and bridge filters work for it. But not for the default bridge. So if it's a software bridge I can use the bridge filters feature and provide some L2 filtering. Remove the hardware offload of the desired bridgeports /ether2 and ether4/ ! https://i.postimg.cc/5...

JohnTRIVOLTA

ixirion has the same issue ! After downgrade to 6.43.4 the routerboard works normally again! The reboots were in a different range from 1 minute to 5 .

JohnTRIVOLTA

Okay.... never easy with MT. There are two ways of letting ipsec connections through. Allow protocol 50 or connections with in ipsec policy. When I'm trying with the first option, vpn connects but connections somehow do not get through. If i do it with second type rule, then everything is fine... a...

JohnTRIVOLTA

Okay, 50% of mystery solved
Why is then my connection working even while I'm not allowing ipsec protocol (50) on input chain?

Are you sure ? When you are activated IKE (ISAKMP) these protocols /50 and 51/ are allowed automatically /unless you explicitly disallow them/ !

JohnTRIVOLTA

I have a working ikev2 vpn connection setup on my ros. Every tutorial says i need to allow ports 500, 4500 UDP and IPSec ESP on input chain. Some tutorials even say port 1701 UDP needs to be opened on input chain. Than why is my connection working completely even if I don't allow 1701 nor IPSec esp...

JohnTRIVOLTA

Now everything works after I added in-bridge and out-bridge on bridge filter rule: /interface bridge filter add action=drop chain=forward dst-port=68 in-bridge=bridge1 ip-protocol=udp mac-protocol=ip out-bridge=bridge1 src-address=!172.16.222.254/32 My configuration is less complex. I have one openv...

JohnTRIVOLTA

Oh, I'm sorry, I'm very .... Ethernet1 is part of the bridge1 ! This may be the answer ! /interface bridge add arp=proxy-arp comment="-- LAN --" fast-forward=no name=bridge1 add fast-forward=no name=bridge2 add name=bridge3 add name=bridge4 add igmp-snooping=yes name=bridge5 add fast-forward=no name...

JohnTRIVOLTA

Hi friends, I had to configure a VLAN on my board and put it on virtual wlan interface. I found out that customers do not receive an ip address. Аfter thorough investigation of the problem, I realized that a rule in the bridge for DHCP stops the packages also in the vlan. My question - Why is it so ...

JohnTRIVOLTA

There's: 6 ;;; defconf: accept established,related chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" So if the previous rules in "/ip firewall raw" are still in place, it's covered. You are right, the rules already exist in RAW section ! p.s. I remember...

JohnTRIVOLTA

I don't see this rules on the top of filter section on both routers too: /ip firewall filter add chain=forward action=accept place-before=1 src-address=192.168.0.0/24 dst-address=192.168.3.0/24 connection-state=established,related,untracked add chain=forward action=accept place-before=1 src-address=...

JohnTRIVOLTA

Firewall NAT [...@trk-mtk-04] /ip firewall nat> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 1 ;;; defconf: masquerade chain=srcnat action=masquerade out-interface=ether1 Is not this a NAT...

JohnTRIVOLTA

Encrypted traffic between routers goes through a udp 4500 connection, and I do not see it allowed every router in filter rules!

JohnTRIVOLTA

If you have public addresses on both sides, except site to site ipsec, you can also set ip ip tunnel , gre tunnel, eoip tunnel with ipsec and route the local networks through them ! Тhe settings of each of them are literally two clicks . See here - http://systemzone.net/mikrotik-site-to-site-eoip-tu...

JohnTRIVOLTA

whoops. well if you are in a hurry and a bit dumb that's what happens :D . I edited the post. if you can so too. though I 'll change it now. Ok I 'll try what u suggested me and give it a try. i ll come back with the results. thanks for the answer. edit: can you explain me from which menu I can NAT...

JohnTRIVOLTA

Cloud features are used when you have a dynamic public address, not a private one . If you do not have a public address, you can not access your router.

JohnTRIVOLTA

I had such kind of the invasion too. And now i updated routerOS from 6.41 to 6.42.3. I changed all user's passwords and update my router from the backup which i had before the invasion. But i find this string(screenshot) in the terminal window. What is it mean? This note came from a backup when the...

JohnTRIVOLTA

And as for me chain=prerouting is not better way because "prerouting" after "input" in the packet flow diagram. Only for you ... Raw section is first in the packet flow , next is the filter ! P.S.First is the prerouting chain, after routing decision the next is forward or input and output chains an...

JohnTRIVOLTA

Hello everyone. Need a help for newbie. Example section in the documentation say's that I can block everything on input chain with the rule: add chain=input action=drop But. Little bit higher on the same page there are parameters description. And there are words saying that parameter "protocol" has...

JohnTRIVOLTA

> Yes, just change port number with 444 for example on both sides ! Technically this works, but the idea is to offer VPN-Access when traveling: I would like to stick with 443 since this port is open outgoing for clients from just about everywhere. I understand, but I think two services can not use ...

JohnTRIVOLTA

Hi, I found a few hints in the forum about this, but did not spot a solution - sorry in case I overlooked it... I use a RB1100AHx4 with a public IP address at eth1 and a hotspot at eth2 with a private IP Address range. When activating the SSTP Server port 443, it complains: "Couldn't change SST Ser...

JohnTRIVOLTA

I have not - so I would go IP -> Addresses, add .5/32 or the matching Subnet .5/28? Any reason why the /28 isn't covering the entire spread? They should be routed, its a Cable Modem Handoff and the Modem only has 1 Port. Otherwise I wouldnt think the connection would come up if the netmask and scop...

JohnTRIVOLTA

Hello friends, is there a possibility to run two radio modules at the same time on the rbm33g ? I want to run a split signal at 2.4 Ghz and 5 Ghz , i have one AR9380 a/n and one AR9381 b/g/n HP triple chain cards. Now i use only the a/n card! P.S. "Insert the miniPCIe and M.2 cards (not included) an...

JohnTRIVOLTA

Anybody else with actual information? Seems like everyone in Bulgaria drinks heavily all day and should not be allowed near a computer. Every child can run google search engine and the first result gives you answer. I just have added the theoretical number of the vlans to my post ... yes, i drink w...

JohnTRIVOLTA

2007 ssids = 2007 vlans

JohnTRIVOLTA

See this video https://youtu.be/nHcGSGOinR0 .

JohnTRIVOLTA

It's not possible, because I need 3 ethernet port for our project, and a mPCI used for LTE with R11e-LTE.

It is why I need to add a port or a way to communicate with the board.

Regards.
Olivier

Communicate with the board wirelessly through the second mPCI-E wifi adapter !?

JohnTRIVOLTA

Add static route to the L2 vpn server ip address through LTE interface.Add l2tp-out /L2TP client/ and use netwatch to check main gateway , when is on down execute /interface ppp-client enable l2tp-out1 or when is on up - interface ppp-client disable l2tp-out1 !

JohnTRIVOLTA

maybe... did you try to check how many lines you have setup? /system logging action print look for "memory-lines= ..." Or go to System / Logging / Actions / memory / Lines Thank you, I've solved the problem ... System / Logging / Actions / disk / Lines are only 1, but why i don't know - they was se...

JohnTRIVOLTA

I have completly same problem with my RB3011 ! I'm waiting to see at 22 o'clock what log file will send me to the mail automaticly !

JohnTRIVOLTA

But that whats the point of this, i ran it 3 times and got all my ports listed 3 times before mikrotik blocked it, "attacker" already have all it needs.

Scan this 93.155.148.98 - my IP address and tell me the open ports please!

Search found 143 matches