MikroTik

JohnTRIVOLTA

There's: 6 ;;; defconf: accept established,related chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" So if the previous rules in "/ip firewall raw" are still in place, it's covered. You are right, the rules already exist in RAW section ! p.s. I remember...

JohnTRIVOLTA

I don't see this rules on the top of filter section on both routers too: /ip firewall filter add chain=forward action=accept place-before=1 src-address=192.168.0.0/24 dst-address=192.168.3.0/24 connection-state=established,related,untracked add chain=forward action=accept place-before=1 src-address=...

JohnTRIVOLTA

Firewall NAT [...@trk-mtk-04] /ip firewall nat> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 1 ;;; defconf: masquerade chain=srcnat action=masquerade out-interface=ether1 Is not this a NAT...

JohnTRIVOLTA

Encrypted traffic between routers goes through a udp 4500 connection, and I do not see it allowed every router in filter rules!

JohnTRIVOLTA

If you have public addresses on both sides, except site to site ipsec, you can also set ip ip tunnel , gre tunnel, eoip tunnel with ipsec and route the local networks through them ! Тhe settings of each of them are literally two clicks . See here - http://systemzone.net/mikrotik-site-to-site-eoip-tu...

JohnTRIVOLTA

whoops. well if you are in a hurry and a bit dumb that's what happens :D . I edited the post. if you can so too. though I 'll change it now. Ok I 'll try what u suggested me and give it a try. i ll come back with the results. thanks for the answer. edit: can you explain me from which menu I can NAT...

JohnTRIVOLTA

Cloud features are used when you have a dynamic public address, not a private one . If you do not have a public address, you can not access your router.

JohnTRIVOLTA

I had such kind of the invasion too. And now i updated routerOS from 6.41 to 6.42.3. I changed all user's passwords and update my router from the backup which i had before the invasion. But i find this string(screenshot) in the terminal window. What is it mean? This note came from a backup when the...

JohnTRIVOLTA

And as for me chain=prerouting is not better way because "prerouting" after "input" in the packet flow diagram. Only for you ... Raw section is first in the packet flow , next is the filter ! P.S.First is the prerouting chain, after routing decision the next is forward or input and output chains an...

JohnTRIVOLTA

Hello everyone. Need a help for newbie. Example section in the documentation say's that I can block everything on input chain with the rule: add chain=input action=drop But. Little bit higher on the same page there are parameters description. And there are words saying that parameter "protocol" has...

JohnTRIVOLTA

> Yes, just change port number with 444 for example on both sides ! Technically this works, but the idea is to offer VPN-Access when traveling: I would like to stick with 443 since this port is open outgoing for clients from just about everywhere. I understand, but I think two services can not use ...

JohnTRIVOLTA

Hi, I found a few hints in the forum about this, but did not spot a solution - sorry in case I overlooked it... I use a RB1100AHx4 with a public IP address at eth1 and a hotspot at eth2 with a private IP Address range. When activating the SSTP Server port 443, it complains: "Couldn't change SST Ser...

JohnTRIVOLTA

I have not - so I would go IP -> Addresses, add .5/32 or the matching Subnet .5/28? Any reason why the /28 isn't covering the entire spread? They should be routed, its a Cable Modem Handoff and the Modem only has 1 Port. Otherwise I wouldnt think the connection would come up if the netmask and scop...

JohnTRIVOLTA

Hello friends, is there a possibility to run two radio modules at the same time on the rbm33g ? I want to run a split signal at 2.4 Ghz and 5 Ghz , i have one AR9380 a/n and one AR9381 b/g/n HP triple chain cards. Now i use only the a/n card! P.S. "Insert the miniPCIe and M.2 cards (not included) an...

JohnTRIVOLTA

Anybody else with actual information? Seems like everyone in Bulgaria drinks heavily all day and should not be allowed near a computer. Every child can run google search engine and the first result gives you answer. I just have added the theoretical number of the vlans to my post ... yes, i drink w...

JohnTRIVOLTA

2007 ssids = 2007 vlans

JohnTRIVOLTA

See this video https://youtu.be/nHcGSGOinR0 .

JohnTRIVOLTA

It's not possible, because I need 3 ethernet port for our project, and a mPCI used for LTE with R11e-LTE.

It is why I need to add a port or a way to communicate with the board.

Regards.
Olivier

Communicate with the board wirelessly through the second mPCI-E wifi adapter !?

JohnTRIVOLTA

Add static route to the L2 vpn server ip address through LTE interface.Add l2tp-out /L2TP client/ and use netwatch to check main gateway , when is on down execute /interface ppp-client enable l2tp-out1 or when is on up - interface ppp-client disable l2tp-out1 !

JohnTRIVOLTA

maybe... did you try to check how many lines you have setup? /system logging action print look for "memory-lines= ..." Or go to System / Logging / Actions / memory / Lines Thank you, I've solved the problem ... System / Logging / Actions / disk / Lines are only 1, but why i don't know - they was se...

JohnTRIVOLTA

I have completly same problem with my RB3011 ! I'm waiting to see at 22 o'clock what log file will send me to the mail automaticly !

JohnTRIVOLTA

But that whats the point of this, i ran it 3 times and got all my ports listed 3 times before mikrotik blocked it, "attacker" already have all it needs.

Scan this 93.155.148.98 - my IP address and tell me the open ports please!

JohnTRIVOLTA

But if i run it from https://mxtoolbox.com/SuperTool.aspx?action=scan, it finishes every time and shows my open ports on router without blocking it.. Try for your self. OK, try this : ip fi fi add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="...

JohnTRIVOLTA

What do do : 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best, if you only allow known IP addresses to connect to your router to any services, not just Winbox. We suggest this to become common practice. As an alternative, possibly easier, use the "IP ->...

JohnTRIVOLTA

In point 1 you're wrong, just like the password type, I had a password of type "@ _23UbakJav!2947!#6hasd! - +)" and they have entered with a single attempt, it is something more serious that lets you see the key, only way to close all the ports to the computers on the LAN. Where is the Cyrillic alp...

JohnTRIVOLTA

1.Set user name and password with combination with cyrillic alphabet after that remoove or disable user - admin ! 2.Change the port numbers for ssh , winbox etc. 3.Set strog crypto for ssh 4.Set ACL 5.Set 3 attempts login to black list and deny attempts with RAW 6,Disable all other non-useable servi...

JohnTRIVOLTA

*) wireless - improved compatibility with BCM chipset devices (this includes phones by Xiaomi, Lenovo, etc); SUPER . I try some test and the 20 mb/ps speed problem and 54mb/ps connectivity with mobile phones is resolved ! Test Xiaomi https://s26.postimg.cc/i3qlimq3d/xiaomi_TEST.png Test Nokia https...

JohnTRIVOLTA

I have hap lite /smips/ with 6.41.2 . With 6.42 in station mode and WEP security /40bit/not work - can not connect. I downgrade to bugfix 6.40.7 and everything is fine - the routrboard is connected !

JohnTRIVOLTA

Allow in firewall filter sectionon port udp 500,4500 and GRE /47/ with in-interface WAN and put the rules on top of the section !

JohnTRIVOLTA

GENERAL TAB chain:forward protocol:6(tcp) dst.port:3389 ACTION TAB Action:accept And my remote desktop still not works:( thanks in andvance for help. Add same rule with chain INPUT -put this rule to the top on filter section ! You don't need to add input rules for dst nat to work... Why ? If you ha...

JohnTRIVOLTA

GENERAL TAB
chain:forward
protocol:6(tcp)
dst.port:3389
ACTION TAB
Action:accept
And my remote desktop still not works:( thanks in andvance for help.

Add same rule with chain INPUT -put this rule to the top on filter section !

JohnTRIVOLTA

I think strong crypto enforcing ssh connection to use aes 256 algorithm for encryption !

JohnTRIVOLTA

I dont want a given Mac Address to get an IP Address from my DHCP pool Use bridge filter - /interface bridge filter add mac-protocol=ip src-address=192.168.88.1/32 dst-port=68 dst-mac-address=XX:XX:XX:XX:XX:XX 192.168.88.1/32 - replace with actual dhcp ip address XX:XX:XX:XX:XX:XX - replace with re...

JohnTRIVOLTA

Hello,

How can I block DHCP lease for specific mac addresses?

Block or not use lease time ? Just make static addresses for this specific mac addresses in leases table in dhcp server menu !

JohnTRIVOLTA

Hi Boris, in your case you must set some ppp server on the main router with public ip and route over this ppp link the both lans . If you want to extend transparent lan on main router , just use BCP on bridges on both sites ! if you want to explain in detail you can post a theme in kaldata, аt least...

JohnTRIVOLTA

Hello, i have two offices. The local LAN 192.168.0.0/24 is bridged between both offices. (eoip tunnel + eth ports) Office1 provides the DHCP server and the default gateway. Now i would like clients in Office2 to use the local internet, instead of going through the brigde. It seems an easy task, but...

JohnTRIVOLTA

Hey thanks for the reply!
I will need like 30 - 40Mbit/s.
Do you guys think that I will achieve this speeds?

Many thanks to all.
Kind regards

Rather around 20Mbit/s with aes128cbc !

JohnTRIVOLTA

i dream an rb750GR4 on this chipset

Why, the router has five ports ... rather we are waiting for a flagship with 8+ Geternet ports , SFP+, hdd bay sata3, HighPower radios 802.11ac/ax 8/4-stream Dual-band with combo /5GHz and 2.GHz /
external antennas ... maybe based on Qualcomm IPQ8074 !

JohnTRIVOLTA

Hi,

Would you mind explaining me a little what these ratio does?

The connections across the router alternate respectively three connections through the first wan and one connection through the second !

JohnTRIVOLTA

You dont need nat or static routes !!! Just add in firewall filter 2 rules:
/ip fi fi
add chain=forward src-address=192.168.12.0/24 dst-address=192.168.110.0/24 action=accept
add chain=forward src-address=192.168.110.0/24 dst-address=192.168.12.0/2 action=accept

JohnTRIVOLTA

I'm a bit noob. How do I do that?

https://wiki.mikrotik.com/wiki/Hairpin_NAT
or
/ip dns static add name=www.xxxxxxxx.duckdns.org address=192.168.10.16

JohnTRIVOLTA

If you want to access it/web server/ from the local network , you must set Hairpin NAT , or if the board have DNS role you must add a static entry on DNS section !

JohnTRIVOLTA

he just has to place up the rules and the last input rule must be - /add action=drop chain=input comment="Drop everything else"

JohnTRIVOLTA

Just add accept rule for port tcp 8123 in filter section:
/ip fi fi add action=accept chain=input comment="allow WEB" dst-port=8123 protocol=tcp place-before=3

JohnTRIVOLTA

I have similar issue with proxy-arp . I have build sstp connection with BCP between 2 routerboards. After upgrade ROS to 6.41 i lost the network discovery between bridges!

JohnTRIVOLTA

First , i thank you for the help !
I understand that the power adapter has been changed inadvertently with less than 0.2A 24v and may be the problem!
I will write by replacing it if everything is all right, at 99% I'm sure this is the solution.

JohnTRIVOLTA

I have all 3chains enabled and no problems with restart. Maybe you have problem with power?

On Sys/Health i see 23.1v ... this is normal ?

JohnTRIVOLTA

Hi all, i have a problem with wAP AC 5GHz radio , when I test the speed with the phone the board is always restarted, and when I uncheck one of the chains /second or third/ everything is fine and i get maximum speed ! In conclusion, the board works with only 2 chains regardless of which one we chose...

JohnTRIVOLTA

You talking about wireless isolation ? Do not use a "default forward" on the radio interface settings!

JohnTRIVOLTA

Hi yeah thanks for pointing that bit out, thats the bit I already know how to do

What main crux of my question was how to do this with a dynamic public IP address at both ends.

Choose the one of routers for vpn server and use cloud /ddns/ for establish the ppp connection !

Search found 115 matches