MikroTik

JohnTRIVOLTA

/ip fi n add chain=srcnat place-before=0 src-address=XXX.XXX.XXX.XXX

JohnTRIVOLTA

This routerboard is not arm based and this is more like a problem from shocks during transport ! Show the original packaging of the product?

JohnTRIVOLTA

Does anyone know if MikroTik plans on releasing an updated outdoor WiFi AP anytime soon? Something similar to the wAP AC but on ARM and not MIPSBE? I'm planning on installing an additional AP at home for the backyard and it seems the best option available is the wAP AC. I'd happily wait for an upda...

JohnTRIVOLTA

It doesn't matter which ip address you use . If necessary, allow the required port on input chain with accept action !
P.S. And use SSH instead telnet !

JohnTRIVOLTA

bematft , i have rb433ah too with 2 ar9223 wifi cards . My ISP gives me 100/100mb/ps pppoe client . I achieve real 95/95 with 80-85% cpu load with fasttracking enabled over lan ethernet . Over wifi the load increase much more - same load only ~60mb/ps . https://i.postimg.cc/pXZVCGS7/rb433ah-speed.png

JohnTRIVOLTA

Can you check the rule "add action=drop chain=input comment="Drop All Incoming Connections" in-interface=ether1" is last on input chain in filter section and same rules on both sites?

JohnTRIVOLTA

Add accept rule for ipsec-esp too .

JohnTRIVOLTA

Unfortunately, that didn't work for me. /interface bridge add name=bridge_trunk add name=bridge_vlan10 add name=bridge_vlan20 add name=bridge_vlan30 /interface ethernet set [ find default-name=ether1 ] comment="-- WAN --" /interface vlan add interface=bridge_trunk name=vlan10 vlan-id=10 add interfa...

JohnTRIVOLTA

Bandwidth test from client 192.168.1.131 to internet, but connected to wlan 5GHz Vodafone on AP place ? Do you use station pseudobridge mode !

JohnTRIVOLTA

Live streaming of empty room? :D Can't open a beer in front of your computer and can't put a question under the streaming? 8) P.S. Presentations attendees should use some conferencing software platform, and streaming should be as before or what is being projected from the platform /the mikrotik pre...

JohnTRIVOLTA

Is there anything planned like a virtual mum /VMUM/ - like live streaming ?

JohnTRIVOLTA

https://i.mt.lv/cdn/rb_files/INSTR-CAPG ... 095453.pdf

JohnTRIVOLTA

This switch model have only ROS installed for now ! Maybe in future will be added and SWOS too !

JohnTRIVOLTA

This is not true ! I'm with such a two wifi card !

JohnTRIVOLTA

The network 192.168.199.0/24 last ip address is 192.168.199.254 not 255/broadcast network address/ . Change it .
P.S. You can use ppp connection with Multilink protocol with minimum MRRU 1542 /EoIP tunnel adds at least 42 byte overhead/ instead using tcp mss clamping in EoIP !

JohnTRIVOLTA

Your config seems wrong, hence I posted the links. i.e. you have 2 routes with a scope of 10, so how must the recursive route decide which route to use? In this case, what I did for review should be properly inactive, not invalid ... but any other configuration with multiple WANs and recursive path...

JohnTRIVOLTA

https://wiki.mikrotik.com/wiki/Manual:I ... hop_lookup
https://wiki.mikrotik.com/wiki/Manual:U ... attributes

The route rule works under ROS v6.xx and does not work with ROS v7.xx?

JohnTRIVOLTA

Hi guys, how can i configure recursive route for failover ? Directly connected route rule to public address is active(with scope 10), but the second route rule with dst. all nets with the getaway set with same public address is invalid - red color !? https://i.postimg.cc/wj1GP7pc/recursivertoutes.png

JohnTRIVOLTA

I moved the question in ros v7.0beta4 topic !

JohnTRIVOLTA

If I understand correctly, you should use bridge ! Add and set the ip address of the bridge for WAN and put ether2 and ether3 into it.

JohnTRIVOLTA

MAC connection is fragile and is only to be used for setting up IP address. Then you can reconnect and use the device normally. MAC is only for emergency access.

Hi Normis,
Do you plan on implementing Pseudo Ethernet in next betas ?

JohnTRIVOLTA

Thank you SOB for your comprehensive answer!

JohnTRIVOLTA

It seems that it's possible to misuse VRRP for that: /interface vrrp add interface=ether1 name=vrrp1 vrid=1 add interface=ether1 name=vrrp2 vrid=2 add interface=ether1 name=vrrp3 vrid=3 # VRRP interface needs some static address to come up: /ip address add address=127.0.0.2/32 interface=vrrp1 netwo...

JohnTRIVOLTA

Or just do source nat for specific destination address only ! Example? Disable or delete the gobal nat rule first, after that you can add: /ip firewall nat add chain=srcnat dst-address=AAA:BBB:CCC:DDD action=masquerade out-interface=WAN\ AAA:BBB:CCC:DDD - replace with CHMS(Cloud Hospital Management...

JohnTRIVOLTA

Or just do source nat for specific destination address only !

JohnTRIVOLTA

which one is better BCP or EOIP? i run layer 2 network BCP with some PPP Multilink Protocol is better choice for me .I choose L3 reconstruction against L4 re/segmenting. Pros = bigger MTU, smaller CPU usage, no issues due to MSS for some services , one ppp tunnel for transport many EoIPs respective...

JohnTRIVOLTA

I dont need connect to router, i can do it. I need connect to last router LAN.
I need two VPN connections on one IP, but for two devices.

First vpn is working fine, it is my management vpn. But i need another connection directly to last routers lan.

Try to allow gre on 941 input chain too !

JohnTRIVOLTA

maybe TCP MTU/MSS issue check this https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle#Change_MSS I'm stuck almost for months now looking for the solution but still no luck. Just set L2TP MRRU=1580 on both sites and reconnect the tunnel ! I've tried it all but still no luck. And now what is th...

JohnTRIVOLTA

Set RoMON on all devices for example .

JohnTRIVOLTA

I'm stuck almost for months now looking for the solution but still no luck.

Just set L2TP MRRU=1580 on both sites and reconnect the tunnel !

JohnTRIVOLTA

I hope in new ROSv7 have a lot of improvements, optimization and other protocol aviability in wireless part ! The Roaming works well, but only for reconnecting to device with strongest signal like 802.11k !

JohnTRIVOLTA

Do you want to let us know with this post that you have found the right brand of wireless networking devices for you? This is CapsMan with а few of cAP ac with connected and powered by them mAP Lites. Same SSID, roaming, shaper with QOS etc...no packet loss , just no problems !!! https://i.postimg.c...

JohnTRIVOLTA

Thanks for your suggestion, but sadly it did not help.

No firwall /filter, nat, etc/ = no internet !

JohnTRIVOLTA

Can anyone post a single export file of basic configuration when Audience connecting to the other audience device with mesh setup? I have to know out exactly what is configured in ROS !

JohnTRIVOLTA

What speeds do you expect to reach ? For me, you need to fix - channel-width=20/40mhz-Ce frequency-mode=superchannel installation=indoor !
After all, it all depends on whether there is radio interference and how strong it is!

JohnTRIVOLTA

Hmmm, try to use RS232 serial port !

JohnTRIVOLTA

Is there plugged any additional peripheral devices - wifi, Lte pci-e card or usb etc...If answer is Yes, remove them and try again .

JohnTRIVOLTA

Reset the router and try again !

JohnTRIVOLTA

Yes for all questions !

JohnTRIVOLTA

I created some config - test it ! /ip dhcp-client add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether11 use-peer-dns=no use-peer-ntp=no /ip address add...

JohnTRIVOLTA

The correct method is to allow the necessary services and then block all other traffic on forward chain!

JohnTRIVOLTA

/interface bridge filter add action=drop chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF dst-port=67 ip-protocol=udp mac-protocol=ip out-interface=ether2 add action=drop chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF dst-port=67 ip-protocol=udp mac-protocol=ip o...

JohnTRIVOLTA

/interface bridge filter add action=drop chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF dst-port=67 ip-protocol=udp mac-protocol=ip out-interface=ether2 add action=drop chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF dst-port=67 ip-protocol=udp mac-protocol=ip ou...

JohnTRIVOLTA

I use a similar configuration for L2 transparent connectivity. I use L2TP IPsec with BCP on bridges to the both sides. I usе DHCP on main office with address XX.XX.XX.1/24/respectively gateway for network/ with dhcp-pool from 2-99, and on remote office with address XX.XX.XX.254/24 /respectively gate...

JohnTRIVOLTA

The easy solution - https://wiki.mikrotik.com/wiki/Advanced ... _Scripting !

JohnTRIVOLTA

I think the board is the same like nonAC Groove with different cpu and ethernet port !

JohnTRIVOLTA

Try to hard reset the device by shorting special hole of board . After that try netinstall or try after few of days.
I have several boards / mipsbe based / groove, 951 series with same issue... for me this issue comming from bad flash memory and only full format/netinstall/ may solve the problem .

JohnTRIVOLTA

This seems to be a common pattern, looks like it's pretty much impossible to achieve more than 250-300 Mbit/s real world single client throughput with Mikrotik ac WiFi.
In case you ever manage to break this limit please let me know how you did it

For exemple this test
.

JohnTRIVOLTA

Hi friends, I have a router RBM33G with two full-size mpci-e cards / AR9380 for 2.4GHz and AR9880-WLE900VX for 5GHz /. All works just fine. My laptop have Intel AC7260. The connectivity is perfect at 5GHz ~ 40dBm, but I only achieve about max 300Mb/ps - average 250Mb/ps. I expected some speeds in th...

JohnTRIVOLTA

Fix the channel and change with no EU country for example Canada !

JohnTRIVOLTA

I have a large network deployed with lots of hAP AC2 with CAPsMAN and I have no such problems!
https://i.postimg.cc/3RF708fz/ccr-7.png

P.S.
You ask for AC models only - my mistake! But with old version of ROS about 6.42/3.XX stable , there is no such problem i mean ?!

JohnTRIVOLTA

Maybe the opposite may happen site to site ipsec over ppp connection !
I have already configured such a set up / site to site ipsec over sstp connection with BCP / and a double aes 256 encoding is obtained - the safest tunnel you can set

JohnTRIVOLTA

Synchronize time on routerboard with ntp client or manually ?
With ntp client!!!

NTP . In ROS this is System-SNTP client .

JohnTRIVOLTA

Synchronize time on routerboard with ntp client or manually ?

JohnTRIVOLTA

Check Interface List ... add other bridges in list LAN ?!

JohnTRIVOLTA

The better choice RB4011iGS+5HacQ2HnD-IN

JohnTRIVOLTA

Change this rule:
/ip firewall nat add action=masquerade chain=srcnat
with
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether13WAN

JohnTRIVOLTA

Can you test L2TP ipsec with Multilink Protocol activated - MRRU=1600 on both sides ? Don't use tcp mss clamping - ppp profile set=no on both sites too ! Unsure how to use that setting properly, however with MTU=1420 and MRRU=1600, no clamp in FW nor PPP, I got about 5% less than with MTU=1460. Ser...

JohnTRIVOLTA

After lowering the MTU/MRU to 1420 for L2TP+ipsec to avoid fragmentation, I have some expected results: L2TP+IPSec 280 280 120/120 208 200 80/80 Can you test L2TP ipsec with Multilink Protocol activated - MRRU=1600 on both sides ? Don't use tcp mss clamping - ppp profile set=no on both sites too !

JohnTRIVOLTA

Blocking access to proxies doesn't sound like something that would help much. Unless you have some very strict filtering of all outgoing traffic, any worm will just use either custom ports, or if you block those, then regular https. And you pretty much have to allow that, if those 150 clients shoul...

JohnTRIVOLTA

It really depends on what exactly you need it for and how persistent users you have. Maybe if you block the most obvious servers, they will give up. The major thing against you is that all they need is just one working server. Behind a ccr I have a very sensitive network with about 150 clients. The...

JohnTRIVOLTA

I don't follow what happens in public proxy world, but what I got from Google was all without https, just http. But if you have different sources with https, then it's bad for you, because you can't see what's inside https connection, it's the whole point of https. And collecting address, good luck...

JohnTRIVOLTA

For now, this stops traffic to proxies that do not use https / SSL /. Unfortunately, most of the public are over https ! Тhe only solution for now is that I have to collect their ip addresses in lists .

JohnTRIVOLTA

I don't think you can. You can block some with L7 like this:
Code: Select all
/ip firewall layer7-protocol
add name=proxy regexp="^(CONNECT\\ .*|GET\\ https\?:\\/\\/.*)\\ HTTP\\/1\\."
But it's far from perfect.

Тhank you very much Sob !
I will try it ... I hope I will not block with it another traffic?

JohnTRIVOLTA

Hi guys, I have not found a way to effectively block traffic to public proxies so as not to bypass the rules in the firewall ! If anyone has such a solution, please share their experience ! P.S. I want to ask, if i can add a firewall rule in filter section on forward chain with conten=https and one ...

JohnTRIVOLTA

Your client wireless card may not be configured correctly to use 40MHz channel ?! Sometimes signal noise is the cause of the inability to use a wider frequency length !

JohnTRIVOLTA

Have you forgotten to put a gateway address on the computer to which we forward(dst-nat) the port ?

JohnTRIVOLTA

Thanks JohnTrivolta for replying. I tried that but, I'm running a dhcp server and clients under the bridged interface can't obtain an ip from server. Played around with mtu's but can't get it working. If you have properly configured your BCP, you must successfully expand transparently /L2/ the hots...

JohnTRIVOLTA

When i need some ppp based VPN i use multilink feature instead clamp mss ! You must set the MRRU = 1600 for example on both sides - try it !

JohnTRIVOLTA

Just use L2TP client with BCP on every clients router!

JohnTRIVOLTA

An important difference - cAP AC has separate antennas for each chain /4/ and better wireless performance for that! hAP AC2 has 2 combined antennas for both frequencies!

JohnTRIVOLTA

I think the hAP ac2 / RBD52G-5HacD2HnD-TC / is the right choice !

JohnTRIVOLTA

Don't expect more than 10 mb/ps with AES 128 CBC , the eoip tunnel use lot of cpu resources too!

JohnTRIVOLTA

Since I upgraded to 6.44.*, I currently have patch 6.44.1 and device CCR1036-12G-4S, can not connect Windows 10 clients with IPSEC, get error when trying to connect and I have not changed at all the configuration in the clients or router I have the same problem. I reverted it with version 6.43.13 L...

JohnTRIVOLTA

Does nobody have any Idea ;(

Just set MRRU=1610 on ppp connection on both sides !On the ppp profile dont use Change TCP MSS - put NO .

JohnTRIVOLTA

Sorry this discussion is NOT to include mangling LOL.

Ooo sorry .... by the way, all is clear and there is nothing to discuss, but I will follow the topic .

JohnTRIVOLTA

Requirement: There is only one IP used in vlan55, I want to direct this ip 129.168.55.25 to go out my ether1 cable WANIP. Right now the cable WANIP is my secondary fail over wanip, the primary is fibre bell. For my email on cable I simply create a route rule with the mail server IP as the destinati...

JohnTRIVOLTA

Hello, I managed to configure ovpn connection to my router. I set remote address of some user on 192.168.88.195. He is able to connect with every device in 192.168.88.0 network. How i can restrain his access and allow him only to connect only with one specific IP ? For instance, the user should be ...

JohnTRIVOLTA

So if I put a vpn server under a public ip pc or routerboard I could connect the sxt routerboard to that server and example Android phone to same server and then with this" kind of bridge " see sxt contents with Android phone and viceversa ?

Еxactly !

JohnTRIVOLTA

The ISP say that is possible by vpn. If would not possible to connect outside then why I can access with some proprietary app as synology or xiaomi to my nas or hub.? I think these app create a tunnel similar or equal to a vpn. A vpn tunnel would be as the vpn server goes outside of lan /internet a...

JohnTRIVOLTA

ROS Version 6.X no longer supports WiFi USB adapters ! You can only use Woobm for management purpose or an older version of ROS !

JohnTRIVOLTA

Wow, okay that is good to know. I wonder why hotspot functionality bypasses NAT rules??

This is my question too !

JohnTRIVOLTA

Hello Anav, thanks for the quick answer! I already use these rules and work well, but they do not work on the hotspot network unfortunately. There are clients who put a static DNS address and thus jump my router and resolve to the their DNS. I think there must be some rule/s/ between the dynamic one...

JohnTRIVOLTA

Hello friends. I have a router that has multiple networks and the router has a roll for dns. I have a problem with the hotspot, and can not intercept and redirect the different dns server addresses manually seted from clients. The standard rule can not intercept addresses from hotspots network only....

JohnTRIVOLTA

Where is this export of configuration or at least that of the firewall? I did not see it anywhere, so I am confined to what is specifically asked! Everything else bordered on divination skills and I do not have ones!

JohnTRIVOLTA

That sounds silly JT. What are you trying to accomplish?? VLAN to VLAN traffic is blocked by default at layer 2. VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule. THe only thing the OP requires is an allow VLAN to WAN rule! Тhis is my answer for pegasus123 - its fir...

JohnTRIVOLTA

I use only one filter rule . First i add all vlans in interface list - VLANs and then put the one filter rule:
/ip fi fi add action=drop chain=forward in-interface-list=VLANs out-interface-list=VLANs

JohnTRIVOLTA

Oh man thank you! I did it wrong first time. Then I tried as you said but I cannot succeed. I made this to show how I did it. but it doesn't change anything .. i think https://ibb.co/RzVRqpW You forgot RUN in schedule : /system script run number=1 But this is not the main setup error. You must chan...

JohnTRIVOLTA

Did you do this?
Аdd the script in the system section - scripts with changed values as desired . Then add a schedule in system - schedule to run the script at a certain interval - an example of 15 minutes. That is all !

JohnTRIVOLTA

Simply set a minimum value /10dbm/ for the transmitting power of the wireless interface in the tx power section - all rates fixed and the script will work! Change the desired values in the script too !

JohnTRIVOLTA

Hello, the things you want can be configured, but you also need to set some settings in location A if you want a L2 level or extend transparently the LAN , if I understood right !

JohnTRIVOLTA

I think your problem is in the balancing mode used /PCC/. In the second router, you do not use balancing, and there is no problem for initiate the connection. For the test, you can stop the wan ports and leave only the wan for ipsec and try it again.

JohnTRIVOLTA

I'm really sorry. I have only seen the beginning of both configurations without scrolling them!
Now, when I look at the config, I think that the traffic that is between the two networks should be marked to be exactly where / which WAN port / will come out for balancing!

JohnTRIVOLTA

really hoping someone can point out what I'm doing wrong

I cant see any IpSec IKE2 Site to Site configuration ! You may have set up some L2TP with IpSec ppp connection and routing the networks on it - do you have any routes for them in both places ?

JohnTRIVOLTA

I think this rules will work : /ip firewall address-list add address=192.168.0.1-192.168.0.100 list=100private_addresses #just add your private ip addresses in address list# /ip firewall nat add action=accept chain=srcnat src-address-list=!100private_addresses add action=netmap chain=srcnat src-addr...

JohnTRIVOLTA

Hi
Can you please help me how to do Dynamic nat of apporx 100 private ip with /24 public ip pool . thanks

Use NETMAP for source nat !?

JohnTRIVOLTA

Try Debug and then russia2 for other frequencies .

JohnTRIVOLTA

30/5 Mbps respectively only you have maximum 5 Mbps on client downstream !

JohnTRIVOLTA

Hi I try to configure a connection between two ccr1009 and encrypt this with ipsec. If I try to use psk everything works fine. But I wanna use instead certificates. I search for some time but I didn't found any tutorial how to do this. So I wanna ask would this be possible? Thanks Just try , use IK...

JohnTRIVOLTA

I have same issue ! With netbox 5 , 1 client /my laptop/ achieved max only 46 mbit/s when i transfer some file/s/ via ftp from my local nas. The laptop wireless adapter AR5BWB222 300/300 connectivity .

JohnTRIVOLTA

I am not sure what I have to do, but if I understand I have to create two firewall--> nat rules: In one of remote routers: 0 chain=srcnat action=src-nat to-addresses=172.31.32.3 src-address=192.168.10.0/24 dst-address=192.168.11.0/24 log=no log-prefix="" In other remote router: 0 chain=srcnat actio...

JohnTRIVOLTA

My guess is that on routers 2 and 3 your masquerade rules masquerade too much. Whatever sent from e.g. site 2 towards site 1 and site 3 should probably not be masqueraded ... You could try to rewrite masquerade rules to match outgoing interfaces or something ... + must select outgoing interface in ...

JohnTRIVOLTA

I do nor heva any limitations in filter

You don't have rules in the routers at all ?

JohnTRIVOLTA

May be necessary to add accept rules for the three networks in the forward chains on filter section on the three routers

JohnTRIVOLTA

But I have a virtually created bridge, and bridge filters work for it. But not for the default bridge. So if it's a software bridge I can use the bridge filters feature and provide some L2 filtering. Remove the hardware offload of the desired bridgeports /ether2 and ether4/ ! https://i.postimg.cc/5...

JohnTRIVOLTA

ixirion has the same issue ! After downgrade to 6.43.4 the routerboard works normally again! The reboots were in a different range from 1 minute to 5 .

JohnTRIVOLTA

Okay.... never easy with MT. There are two ways of letting ipsec connections through. Allow protocol 50 or connections with in ipsec policy. When I'm trying with the first option, vpn connects but connections somehow do not get through. If i do it with second type rule, then everything is fine... a...

JohnTRIVOLTA

Okay, 50% of mystery solved
Why is then my connection working even while I'm not allowing ipsec protocol (50) on input chain?

Are you sure ? When you are activated IKE (ISAKMP) these protocols /50 and 51/ are allowed automatically /unless you explicitly disallow them/ !

JohnTRIVOLTA

I have a working ikev2 vpn connection setup on my ros. Every tutorial says i need to allow ports 500, 4500 UDP and IPSec ESP on input chain. Some tutorials even say port 1701 UDP needs to be opened on input chain. Than why is my connection working completely even if I don't allow 1701 nor IPSec esp...

JohnTRIVOLTA

Now everything works after I added in-bridge and out-bridge on bridge filter rule: /interface bridge filter add action=drop chain=forward dst-port=68 in-bridge=bridge1 ip-protocol=udp mac-protocol=ip out-bridge=bridge1 src-address=!172.16.222.254/32 My configuration is less complex. I have one openv...

JohnTRIVOLTA

Oh, I'm sorry, I'm very .... Ethernet1 is part of the bridge1 ! This may be the answer ! /interface bridge add arp=proxy-arp comment="-- LAN --" fast-forward=no name=bridge1 add fast-forward=no name=bridge2 add name=bridge3 add name=bridge4 add igmp-snooping=yes name=bridge5 add fast-forward=no name...

JohnTRIVOLTA

Hi friends, I had to configure a VLAN on my board and put it on virtual wlan interface. I found out that customers do not receive an ip address. Аfter thorough investigation of the problem, I realized that a rule in the bridge for DHCP stops the packages also in the vlan. My question - Why is it so ...

JohnTRIVOLTA

There's: 6 ;;; defconf: accept established,related chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" So if the previous rules in "/ip firewall raw" are still in place, it's covered. You are right, the rules already exist in RAW section ! p.s. I remember...

JohnTRIVOLTA

I don't see this rules on the top of filter section on both routers too: /ip firewall filter add chain=forward action=accept place-before=1 src-address=192.168.0.0/24 dst-address=192.168.3.0/24 connection-state=established,related,untracked add chain=forward action=accept place-before=1 src-address=...

JohnTRIVOLTA

Firewall NAT [...@trk-mtk-04] /ip firewall nat> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 1 ;;; defconf: masquerade chain=srcnat action=masquerade out-interface=ether1 Is not this a NAT...

JohnTRIVOLTA

Encrypted traffic between routers goes through a udp 4500 connection, and I do not see it allowed every router in filter rules!

JohnTRIVOLTA

If you have public addresses on both sides, except site to site ipsec, you can also set ip ip tunnel , gre tunnel, eoip tunnel with ipsec and route the local networks through them ! Тhe settings of each of them are literally two clicks . See here - http://systemzone.net/mikrotik-site-to-site-eoip-tu...

JohnTRIVOLTA

whoops. well if you are in a hurry and a bit dumb that's what happens :D . I edited the post. if you can so too. though I 'll change it now. Ok I 'll try what u suggested me and give it a try. i ll come back with the results. thanks for the answer. edit: can you explain me from which menu I can NAT...

JohnTRIVOLTA

Cloud features are used when you have a dynamic public address, not a private one . If you do not have a public address, you can not access your router.

JohnTRIVOLTA

I had such kind of the invasion too. And now i updated routerOS from 6.41 to 6.42.3. I changed all user's passwords and update my router from the backup which i had before the invasion. But i find this string(screenshot) in the terminal window. What is it mean? This note came from a backup when the...

JohnTRIVOLTA

And as for me chain=prerouting is not better way because "prerouting" after "input" in the packet flow diagram. Only for you ... Raw section is first in the packet flow , next is the filter ! P.S.First is the prerouting chain, after routing decision the next is forward or input and output chains an...

JohnTRIVOLTA

Hello everyone. Need a help for newbie. Example section in the documentation say's that I can block everything on input chain with the rule: add chain=input action=drop But. Little bit higher on the same page there are parameters description. And there are words saying that parameter "protocol" has...

JohnTRIVOLTA

> Yes, just change port number with 444 for example on both sides ! Technically this works, but the idea is to offer VPN-Access when traveling: I would like to stick with 443 since this port is open outgoing for clients from just about everywhere. I understand, but I think two services can not use ...

JohnTRIVOLTA

Hi, I found a few hints in the forum about this, but did not spot a solution - sorry in case I overlooked it... I use a RB1100AHx4 with a public IP address at eth1 and a hotspot at eth2 with a private IP Address range. When activating the SSTP Server port 443, it complains: "Couldn't change SST Ser...

JohnTRIVOLTA

I have not - so I would go IP -> Addresses, add .5/32 or the matching Subnet .5/28? Any reason why the /28 isn't covering the entire spread? They should be routed, its a Cable Modem Handoff and the Modem only has 1 Port. Otherwise I wouldnt think the connection would come up if the netmask and scop...

JohnTRIVOLTA

Hello friends, is there a possibility to run two radio modules at the same time on the rbm33g ? I want to run a split signal at 2.4 Ghz and 5 Ghz , i have one AR9380 a/n and one AR9381 b/g/n HP triple chain cards. Now i use only the a/n card! P.S. "Insert the miniPCIe and M.2 cards (not included) an...

JohnTRIVOLTA

Anybody else with actual information? Seems like everyone in Bulgaria drinks heavily all day and should not be allowed near a computer. Every child can run google search engine and the first result gives you answer. I just have added the theoretical number of the vlans to my post ... yes, i drink w...

JohnTRIVOLTA

2007 ssids = 2007 vlans

JohnTRIVOLTA

See this video https://youtu.be/nHcGSGOinR0 .

JohnTRIVOLTA

It's not possible, because I need 3 ethernet port for our project, and a mPCI used for LTE with R11e-LTE.

It is why I need to add a port or a way to communicate with the board.

Regards.
Olivier

Communicate with the board wirelessly through the second mPCI-E wifi adapter !?

JohnTRIVOLTA

Add static route to the L2 vpn server ip address through LTE interface.Add l2tp-out /L2TP client/ and use netwatch to check main gateway , when is on down execute /interface ppp-client enable l2tp-out1 or when is on up - interface ppp-client disable l2tp-out1 !

JohnTRIVOLTA

maybe... did you try to check how many lines you have setup? /system logging action print look for "memory-lines= ..." Or go to System / Logging / Actions / memory / Lines Thank you, I've solved the problem ... System / Logging / Actions / disk / Lines are only 1, but why i don't know - they was se...

JohnTRIVOLTA

I have completly same problem with my RB3011 ! I'm waiting to see at 22 o'clock what log file will send me to the mail automaticly !

JohnTRIVOLTA

But that whats the point of this, i ran it 3 times and got all my ports listed 3 times before mikrotik blocked it, "attacker" already have all it needs.

Scan this 93.155.148.98 - my IP address and tell me the open ports please!

JohnTRIVOLTA

But if i run it from https://mxtoolbox.com/SuperTool.aspx?action=scan, it finishes every time and shows my open ports on router without blocking it.. Try for your self. OK, try this : ip fi fi add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="...

JohnTRIVOLTA

What do do : 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best, if you only allow known IP addresses to connect to your router to any services, not just Winbox. We suggest this to become common practice. As an alternative, possibly easier, use the "IP ->...

JohnTRIVOLTA

In point 1 you're wrong, just like the password type, I had a password of type "@ _23UbakJav!2947!#6hasd! - +)" and they have entered with a single attempt, it is something more serious that lets you see the key, only way to close all the ports to the computers on the LAN. Where is the Cyrillic alp...

JohnTRIVOLTA

1.Set user name and password with combination with cyrillic alphabet after that remoove or disable user - admin ! 2.Change the port numbers for ssh , winbox etc. 3.Set strog crypto for ssh 4.Set ACL 5.Set 3 attempts login to black list and deny attempts with RAW 6,Disable all other non-useable servi...

JohnTRIVOLTA

*) wireless - improved compatibility with BCM chipset devices (this includes phones by Xiaomi, Lenovo, etc); SUPER . I try some test and the 20 mb/ps speed problem and 54mb/ps connectivity with mobile phones is resolved ! Test Xiaomi https://s26.postimg.cc/i3qlimq3d/xiaomi_TEST.png Test Nokia https...

JohnTRIVOLTA

I have hap lite /smips/ with 6.41.2 . With 6.42 in station mode and WEP security /40bit/not work - can not connect. I downgrade to bugfix 6.40.7 and everything is fine - the routrboard is connected !

JohnTRIVOLTA

Allow in firewall filter sectionon port udp 500,4500 and GRE /47/ with in-interface WAN and put the rules on top of the section !

JohnTRIVOLTA

GENERAL TAB chain:forward protocol:6(tcp) dst.port:3389 ACTION TAB Action:accept And my remote desktop still not works:( thanks in andvance for help. Add same rule with chain INPUT -put this rule to the top on filter section ! You don't need to add input rules for dst nat to work... Why ? If you ha...

JohnTRIVOLTA

GENERAL TAB
chain:forward
protocol:6(tcp)
dst.port:3389
ACTION TAB
Action:accept
And my remote desktop still not works:( thanks in andvance for help.

Add same rule with chain INPUT -put this rule to the top on filter section !

JohnTRIVOLTA

I think strong crypto enforcing ssh connection to use aes 256 algorithm for encryption !

JohnTRIVOLTA

I dont want a given Mac Address to get an IP Address from my DHCP pool Use bridge filter - /interface bridge filter add mac-protocol=ip src-address=192.168.88.1/32 dst-port=68 dst-mac-address=XX:XX:XX:XX:XX:XX 192.168.88.1/32 - replace with actual dhcp ip address XX:XX:XX:XX:XX:XX - replace with re...

JohnTRIVOLTA

Hello,

How can I block DHCP lease for specific mac addresses?

Block or not use lease time ? Just make static addresses for this specific mac addresses in leases table in dhcp server menu !

JohnTRIVOLTA

Hi Boris, in your case you must set some ppp server on the main router with public ip and route over this ppp link the both lans . If you want to extend transparent lan on main router , just use BCP on bridges on both sites ! if you want to explain in detail you can post a theme in kaldata, аt least...

JohnTRIVOLTA

Hello, i have two offices. The local LAN 192.168.0.0/24 is bridged between both offices. (eoip tunnel + eth ports) Office1 provides the DHCP server and the default gateway. Now i would like clients in Office2 to use the local internet, instead of going through the brigde. It seems an easy task, but...

JohnTRIVOLTA

Hey thanks for the reply!
I will need like 30 - 40Mbit/s.
Do you guys think that I will achieve this speeds?

Many thanks to all.
Kind regards

Rather around 20Mbit/s with aes128cbc !

JohnTRIVOLTA

i dream an rb750GR4 on this chipset

Why, the router has five ports ... rather we are waiting for a flagship with 8+ Geternet ports , SFP+, hdd bay sata3, HighPower radios 802.11ac/ax 8/4-stream Dual-band with combo /5GHz and 2.GHz /
external antennas ... maybe based on Qualcomm IPQ8074 !

JohnTRIVOLTA

Hi,

Would you mind explaining me a little what these ratio does?

The connections across the router alternate respectively three connections through the first wan and one connection through the second !

JohnTRIVOLTA

You dont need nat or static routes !!! Just add in firewall filter 2 rules:
/ip fi fi
add chain=forward src-address=192.168.12.0/24 dst-address=192.168.110.0/24 action=accept
add chain=forward src-address=192.168.110.0/24 dst-address=192.168.12.0/2 action=accept

JohnTRIVOLTA

I'm a bit noob. How do I do that?

https://wiki.mikrotik.com/wiki/Hairpin_NAT
or
/ip dns static add name=www.xxxxxxxx.duckdns.org address=192.168.10.16

JohnTRIVOLTA

If you want to access it/web server/ from the local network , you must set Hairpin NAT , or if the board have DNS role you must add a static entry on DNS section !

JohnTRIVOLTA

he just has to place up the rules and the last input rule must be - /add action=drop chain=input comment="Drop everything else"

JohnTRIVOLTA

Just add accept rule for port tcp 8123 in filter section:
/ip fi fi add action=accept chain=input comment="allow WEB" dst-port=8123 protocol=tcp place-before=3

JohnTRIVOLTA

I have similar issue with proxy-arp . I have build sstp connection with BCP between 2 routerboards. After upgrade ROS to 6.41 i lost the network discovery between bridges!

JohnTRIVOLTA

First , i thank you for the help !
I understand that the power adapter has been changed inadvertently with less than 0.2A 24v and may be the problem!
I will write by replacing it if everything is all right, at 99% I'm sure this is the solution.

JohnTRIVOLTA

I have all 3chains enabled and no problems with restart. Maybe you have problem with power?

On Sys/Health i see 23.1v ... this is normal ?

JohnTRIVOLTA

Hi all, i have a problem with wAP AC 5GHz radio , when I test the speed with the phone the board is always restarted, and when I uncheck one of the chains /second or third/ everything is fine and i get maximum speed ! In conclusion, the board works with only 2 chains regardless of which one we chose...

JohnTRIVOLTA

You talking about wireless isolation ? Do not use a "default forward" on the radio interface settings!

JohnTRIVOLTA

Hi yeah thanks for pointing that bit out, thats the bit I already know how to do

What main crux of my question was how to do this with a dynamic public IP address at both ends.

Choose the one of routers for vpn server and use cloud /ddns/ for establish the ppp connection !

JohnTRIVOLTA

Put addresses at both ends of the ppp link /examp. 10.100.0.1/30 and 10.100.0.2/30 /.Route home networks over this addresses / add static route in main routing table for each home network respectively/ and make an exception in filter section on firewall for accepting the traffic between them .

JohnTRIVOLTA

EoIP can carry L2 frame for transparent bridge purpose, the other two can use for routing purpose !

JohnTRIVOLTA

I have already. I would just like to know if it possible and how to do it. I have managed to do the Facebook block but I need to know if the WhatsApp Desktop Client can be blocked. I tried blocking it through Windows Firewall but I am still able to open WhatsApp, send and receive messages. Try with...

JohnTRIVOLTA

Use only your routerboard for clients DNS server, drop udp and tcp 53 in forward chain , finally make static dns enty for facebook with regex ^(.*)(facebook)(.*)$ on address 172.0.0.1 !
Don't remember to flush dns cashe.

JohnTRIVOLTA

Remove in-interface on the forward drop rules !

JohnTRIVOLTA

L2TP is layer 3.

Are you sure ? How then can this tunnel (or all ppp tunnels) carry EoIP or all ppp tunnels with BCP carry L2 traffic?

Тo topic author :
Use bcp on bridges on both sites !

JohnTRIVOLTA

just try this :
/ip fi service-port disable sip,h323

JohnTRIVOLTA

The rules in a filter section are read in sequence for their execution. For that we first allow, and then we drop everything else! the firs allow connection with the router from external host through that ports (22,8291,80,443) - Yes because we have drop on input chain on ether6 on rule 4 ! the seco...

JohnTRIVOLTA

Problem with SSTP. RB2011 here. I have 22 clients connecting to various services from their homes using SSTP with cert. After upgrading to v6.40.4 I'm able to establish the connection, but for example - I can't RDP to Windows PCs. I can't ping any internal address from my IP pool. After downgrade t...

JohnTRIVOLTA

Also, I changed the IP pool to the grade nat 100.64.0.0/24 and it's working. Do you think that I can bring any trouble? because generally it's the opossite. The private ip pool and then the grade nat pool. In this case is grade nat pool and a nat to a private pool. But with this implementation I ca...

JohnTRIVOLTA

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2

Fix this with ether6 !

P.S. The routes are enough, you do not have to add others!
P.P.S. I want to see too:
/ip dhcp-server network print
and
/ip dhcp-server lease print detail

JohnTRIVOLTA

if you have ttl=1 the packet will die on the wan interface... some ISP still use this limitation ! ОК now you try to use private network not carrier network for your lan - example: 172.16.0.0/24 Dont use master port for ether 6 remoove my firewall rule and paste this basic rules: /ip firewall add ch...

JohnTRIVOLTA

Use ping in tool menu in winbox or in gui for ping 8.8.8.8 using interface ether6 and tell me the ttl value !

JohnTRIVOLTA

When you ping 8.8.8.8 what value is there for ttl ?

JohnTRIVOLTA

If you have access to Any Router, make routing , just set another nat rule with youre network.If yo have not access, respectivly setup nat on second router !
In this setup just add this rule in firewall and tell us what's happened :
/ip fi fi add chain=forward
use Terminal

JohnTRIVOLTA

Why should I use firewall rules? The only thing I want to do is a nat and the host OS take care of the firewall. Or it's necesary to make a nat? I use rip because the router will learn the network. I can't make an static route because I don't know the public network. do I? First, you will not route...

JohnTRIVOLTA

I want to see firewall rules too ! Ping to 8.8.8.8 on lan pc's?
P.S. You can update the routerboard to final bugfix release of ROS after firmware update of course!
P.P.S. Why you use RIP mostly on LAN?

JohnTRIVOLTA

/ ip fi nat add chain=src-nat action=masquerade out-interface=ether6
When we have dhcp client for wan, we must use masquerade action !!!

JohnTRIVOLTA

hello, John Intranetwork is work fine but there is some issue causes while browsing internet to the client pc is there any rule to be apply. To work both internet and intra-network If you want the "slave" site to use its own Internet instead of using the master router tunnel, do not use the dhcp se...

JohnTRIVOLTA

Are you sure the eoip and lan/ether/ are in bridge on both sites ?You can put lan segment addresses on bridges , for example 192.168.2.1/24 and other 192.168.2.2/24 and set dhcp serv on bridge in the main router .Be sure the input rule is at the top in filter section !Are you using IPSEC with eoip?

JohnTRIVOLTA

On the two routers in firewall filter you have to allow GRE protocol on input chain !
You do not need to put addresses on EoIP interfaces, only if you have some routing solution!

JohnTRIVOLTA

Just add 2 rules in firewall filter on the top of the forwards rules:
These are completely unnecessary. You should NOT add them because they don't do anything that isn't done already.

Because i don't know full firewall setup ,let try to set them !

JohnTRIVOLTA

Hi people, i´m wondering if i need to set statics routes for comunicate two subnets in the same router RB-951G Here is the thing: Bridge_work=ether 2 and ether 3 / DHCP server=10.2.3.0/24 / Bridge_home=wlan1 / DHCP server=10.2.1.0/24 So, my cuestion is : do i need to set static routes for get a goo...

JohnTRIVOLTA

Remove the fasttrack connection rule on firewall filter and reboot the board !
This rule only helps to unload the processor for best performance!

JohnTRIVOLTA

Pls write it in our forum http://www.mikrotik-bg.net to solve the problem ! P.S. Keep the Bulgarian tradition of putting a minus on a person who wants to help you, I was easier to explain the settings in our native language! Anyway, check the routes and see the firewall of the main router Ванчо ! I...

JohnTRIVOLTA

Pls write it in our forum http://www.mikrotik-bg.net to solve the problem !

P.S. Keep the Bulgarian tradition of putting a minus on a person who wants to help you, I was easier to explain the settings in our native language! Anyway, check the routes and see the firewall of the main router Ванчо !

JohnTRIVOLTA

try adding the routes:
for Router 2.2.2.2 - /ip route add dst-address=10.0.3.0/24 gateway=172.16.1.1 ,
for Router 3.3.3.3 - /ip route add dst-address=10.0.2.0/24 gateway=172.16.1.1

JohnTRIVOLTA

The answer is here : https://wiki.mikrotik.com/wiki/Manual:C ... Connection !

JohnTRIVOLTA

This is a right rule for hairpin nat if you use http for access :
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.10.40 protocol=tcp dst-port=80 out-interface=LAN action=masquerade

JohnTRIVOLTA

add action=dst-nat chain=dstnat dst-address=77.162.238.*** to-addresses=\
192.168.10.40

Remove this nat rule , because you are forward all ports to the local address 192.168.10.40 , that is, they become visible to the public !

JohnTRIVOLTA

/interface vlan add interface=ether2 name=eth2-vlan10 vlan-id=10 add interface=ether2 name=eth2-vlan20 vlan-id=20 add interface=ether3 name=eth3-vlan10 vlan-id=10 add interface=ether3 name=eth3-vlan20 vlan-id=20 add interface=ether4 name=eth4-vlan10 vlan-id=10 add interface=ether4 name=eth4-vlan20 v...

JohnTRIVOLTA

Thank you. That improves the performance a little, up to ~3 Mbps, but still nowhere near the bandwidth test results. When I have the Torch tool enabled performance goes up?! Could you post your settings? Which settings you are interested in? I use 5GHz for vAP , because there is much interference a...

JohnTRIVOLTA

You can try to add new bridge interface and put there VirtualAP ! Put ip and dhcp on this bridge and change in-interface respectively in the mangle rule . I have this setup and works fine !
VPN srcnat is 1st rule in the nat section with defined src addresses/network/ !

JohnTRIVOLTA

Not that the previous decisions are wrong, but I think this is the right one :
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=WAN protocol=udp

JohnTRIVOLTA

JohnTRIVOLTA - This problem is already fixed in 6.41rc version. However, I recommend to fix the script. E-mail tool does not have a full file name in your script so if there will be two files with similar names, then you will still get an error. For example, now you specify file=test, but actual fi...

JohnTRIVOLTA

RB3011 stop sending logs to email when upgrade the board to 6.40.3 "error handling file" .After that i revert the board to 6.39.2 and problem is gone !

JohnTRIVOLTA

Do you have a rule in the filter section for accepting traffic over the general drop rule:
/ip fi fi add chain=input in-interface=wan protocol=tcp dst-port=119

JohnTRIVOLTA

Do you have an example of configure a EoIP with IPSEC? example: side A ip wan address - 111.111.111.111 , ip address LAN bridge 192.168.0.1/24 dhcp pool 192.168.0.100-192.168.0.200 side B ip wan address - 222.222.222.222 , ip address LAN bridge 192.168.0.2/24 , without DHCP server Side A: /ip ipsec...

Search found 227 matches