Community discussions

Search found 130 matches

by JohnTRIVOLTA
Mon Jan 07, 2019 3:51 pm
Forum: Beginner Basics
Topic: SSTP VPN speed is too slow between MT router and client
Replies: 1
Views: 147

Re: SSTP VPN speed is too slow between MT router and client

30/5 Mbps respectively only you have maximum 5 Mbps on client downstream !
by JohnTRIVOLTA
Thu Dec 20, 2018 10:19 pm
Forum: General
Topic: Ipsec Site to Site with certificate
Replies: 5
Views: 332

Re: Ipsec Site to Site with certificate

Hi I try to configure a connection between two ccr1009 and encrypt this with ipsec. If I try to use psk everything works fine. But I wanna use instead certificates. I search for some time but I didn't find any tutorial how to do this. So I wanna ask would this be possible? Thanks Just try , use IK...
by JohnTRIVOLTA
Mon Dec 17, 2018 12:25 am
Forum: Wireless Networking
Topic: wAP ac is slow with manager forwarding and high CPU
Replies: 9
Views: 526

Re: wAP ac is slow with manager forwarding and high CPU

I have same issue ! With netbox 5 , 1 client /my laptop/ achieved max only 46 mbit/s when i transfer some file/s/ via ftp from my local nas. The laptop wireless adapter AR5BWB222 300/300 connectivity .
by JohnTRIVOLTA
Sun Dec 16, 2018 10:59 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 430

Re: Connect three locations

I am not sure what I have to do, but if I understand I have to create two firewall--> nat rules: In one of remote routers: 0 chain=srcnat action=src-nat to-addresses=172.31.32.3 src-address=192.168.10.0/24 dst-address=192.168.11.0/24 log=no log-prefix="" In other remote router: 0 chain=srcnat actio...
by JohnTRIVOLTA
Sun Dec 16, 2018 9:30 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 430

Re: Connect three locations

My guess is that on routers 2 and 3 your masquerade rules masquerade too much. Whatever sent from e.g. site 2 towards site 1 and site 3 should probably not be masqueraded ... You could try to rewrite masquerade rules to match outgoing interfaces or something ... + must select outgoing interface in ...
by JohnTRIVOLTA
Sun Dec 16, 2018 8:35 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 430

Re: Connect three locations

I do not have any limitations in filter
You don't have rules in the routers at all ?
by JohnTRIVOLTA
Sun Dec 16, 2018 8:02 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 430

Re: Connect three locations

May be necessary to add accept rules for the three networks in the forward chains on filter section on the three routers
by JohnTRIVOLTA
Sun Dec 16, 2018 9:20 am
Forum: Beginner Basics
Topic: Blocking traffic on the same NAT doesn't work
Replies: 10
Views: 448

Re: Blocking traffic on the same NAT doesn't work

But I have a virtually created bridge, and bridge filters work for it. But not for the default bridge. So if it's a software bridge I can use the bridge filters feature and provide some L2 filtering. Remove the hardware offload of the desired bridgeports /ether2 and ether4/ ! https://i.postimg.cc/5...
by JohnTRIVOLTA
Tue Dec 11, 2018 11:22 pm
Forum: General
Topic: 6.43.7 bootloop on hAP AC
Replies: 2
Views: 192

Re: 6.43.7 bootloop on hAP AC

ixirion has the same issue ! After downgrade to 6.43.4 the routerboard works normally again! The reboots were in a different range from 1 minute to 5 .
by JohnTRIVOLTA
Mon Dec 10, 2018 12:07 am
Forum: General
Topic: ikev2 ports [SOLVED]
Replies: 6
Views: 334

Re: ikev2 ports [SOLVED]

Okay.... never easy with MT. There are two ways of letting ipsec connections through. Allow protocol 50 or connections with in ipsec policy. When I'm trying with the first option, vpn connects but connections somehow do not get through. If i do it with second type rule, then everything is fine... a...
by JohnTRIVOLTA
Sun Dec 09, 2018 12:04 am
Forum: General
Topic: ikev2 ports [SOLVED]
Replies: 6
Views: 334

Re: ikev2 ports [SOLVED]

Okay, 50% of mystery solved :)
Why is then my connection working even while I'm not allowing ipsec protocol (50) on input chain?
Are you sure ? When you have activated IKE (ISAKMP) these protocols /50 and 51/ are allowed automatically /unless you explicitly disallow them/ !
by JohnTRIVOLTA
Sat Dec 08, 2018 4:47 pm
Forum: General
Topic: ikev2 ports [SOLVED]
Replies: 6
Views: 334

Re: ikev2 ports [SOLVED]

I have a working ikev2 vpn connection setup on my ros. Every tutorial says i need to allow ports 500, 4500 UDP and IPSec ESP on input chain. Some tutorials even say port 1701 UDP needs to be opened on input chain. Than why is my connection working completely even if I don't allow 1701 nor IPSec esp...
by JohnTRIVOLTA
Wed Nov 21, 2018 11:29 pm
Forum: Beginner Basics
Topic: Bridge Filter works on independent vlan ?
Replies: 5
Views: 230

Re: Bridge Filter works on independent vlan ?

Now everything works after I added in-bridge and out-bridge on bridge filter rule: /interface bridge filter add action=drop chain=forward dst-port=68 in-bridge=bridge1 ip-protocol=udp mac-protocol=ip out-bridge=bridge1 src-address=!172.16.222.254/32 My configuration is less complex. I have one openv...
by JohnTRIVOLTA
Wed Nov 21, 2018 9:46 pm
Forum: Beginner Basics
Topic: Bridge Filter works on independent vlan ?
Replies: 5
Views: 230

Re: Bridge Filter works on independent vlan ?

Oh, I'm sorry, I'm very .... Ethernet1 is part of the bridge1 ! This may be the answer ! /interface bridge add arp=proxy-arp comment="-- LAN --" fast-forward=no name=bridge1 add fast-forward=no name=bridge2 add name=bridge3 add name=bridge4 add igmp-snooping=yes name=bridge5 add fast-forward=no name...
by JohnTRIVOLTA
Wed Nov 21, 2018 7:49 pm
Forum: Beginner Basics
Topic: Bridge Filter works on independent vlan ?
Replies: 5
Views: 230

Bridge Filter works on independent vlan ?

Hi friends, I had to configure a VLAN on my board and put it on virtual wlan interface. I found out that customers do not receive an ip address. After thorough investigation of the problem, I realized that a rule in the bridge for DHCP stops the packages also in the vlan. My question - Why is it so ...
by JohnTRIVOLTA
Wed Jun 13, 2018 11:26 pm
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1276

Re: Confused about L2TP and IPSec VPNs

There's: 6 ;;; defconf: accept established,related chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" So if the previous rules in "/ip firewall raw" are still in place, it's covered. You are right, the rules already exist in RAW section ! p.s. I remember...
by JohnTRIVOLTA
Wed Jun 13, 2018 10:14 pm
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1276

Re: Confused about L2TP and IPSec VPNs

I don't see this rules on the top of filter section on both routers too: /ip firewall filter add chain=forward action=accept place-before=1 src-address=192.168.0.0/24 dst-address=192.168.3.0/24 connection-state=established,related,untracked add chain=forward action=accept place-before=1 src-address=...
by JohnTRIVOLTA
Wed Jun 13, 2018 10:12 am
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1276

Re: Confused about L2TP and IPSec VPNs

Firewall NAT [...@trk-mtk-04] /ip firewall nat> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 1 ;;; defconf: masquerade chain=srcnat action=masquerade out-interface=ether1 Is not this a NAT...
by JohnTRIVOLTA
Wed Jun 13, 2018 6:26 am
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1276

Re: Confused about L2TP and IPSec VPNs

Encrypted traffic between routers goes through a udp 4500 connection, and I do not see it allowed every router in filter rules!
by JohnTRIVOLTA
Tue Jun 12, 2018 6:35 am
Forum: Beginner Basics
Topic: Confused about L2TP and IPSec VPNs
Replies: 21
Views: 1276

Re: Confused about L2TP and IPSec VPNs

If you have public addresses on both sides, except site to site ipsec, you can also set ip ip tunnel , gre tunnel, eoip tunnel with ipsec and route the local networks through them ! The settings of each of them are literally two clicks . See here - http://systemzone.net/mikrotik-site-to-site-eoip-tu...
by JohnTRIVOLTA
Tue Jun 05, 2018 8:59 pm
Forum: Beginner Basics
Topic: Mikrotik hAP lite As Wifi Extender with different SSID and WPA
Replies: 6
Views: 598

Re: Mikrotik hAP lite As Wifi Extender with different SSID and WPA

whoops. well if you are in a hurry and a bit dumb that's what happens :D . I edited the post. if you can so too. though I 'll change it now. Ok I 'll try what u suggested me and give it a try. i ll come back with the results. thanks for the answer. edit: can you explain me from which menu I can NAT...
by JohnTRIVOLTA
Mon Jun 04, 2018 11:54 am
Forum: General
Topic: Cannot Access VPN from Outside
Replies: 4
Views: 302

Re: Cannot Access VPN from Outside

Cloud features are used when you have a dynamic public address, not a private one . If you do not have a public address, you can not access your router.
by JohnTRIVOLTA
Sat Jun 02, 2018 10:52 am
Forum: RouterOS v6 RC and v7 BETA
Topic: The security flaw for Hajime is closed by the firewall
Replies: 37
Views: 12663

Re: The security flaw for Hajime is closed by the firewall

I had such kind of the invasion too. And now i updated routerOS from 6.41 to 6.42.3. I changed all user's passwords and update my router from the backup which i had before the invasion. But i find this string(screenshot) in the terminal window. What is it mean? This note came from a backup when the...
by JohnTRIVOLTA
Thu May 31, 2018 11:39 pm
Forum: Beginner Basics
Topic: Firewall rules: deny any traffic
Replies: 9
Views: 480

Re: Firewall rules: deny any traffic

And as for me chain=prerouting is not better way because "prerouting" after "input" in the packet flow diagram. Only for you ... Raw section is first in the packet flow , next is the filter ! P.S.First is the prerouting chain, after routing decision the next is forward or input and output chains an...
by JohnTRIVOLTA
Thu May 31, 2018 10:49 pm
Forum: Beginner Basics
Topic: Firewall rules: deny any traffic
Replies: 9
Views: 480

Re: Firewall rules: deny any traffic

Hello everyone. Need a help for newbie. Example section in the documentation say's that I can block everything on input chain with the rule: add chain=input action=drop But. Little bit higher on the same page there are parameters description. And there are words saying that parameter "protocol" has...
by JohnTRIVOLTA
Fri May 25, 2018 11:07 pm
Forum: General
Topic: SSTP Server Problem (port used by another service)
Replies: 6
Views: 374

Re: SSTP Server Problem (port used by another service)

> Yes, just change port number with 444 for example on both sides ! Technically this works, but the idea is to offer VPN-Access when traveling: I would like to stick with 443 since this port is open outgoing for clients from just about everywhere. I understand, but I think two services can not use ...
by JohnTRIVOLTA
Fri May 25, 2018 10:28 pm
Forum: General
Topic: SSTP Server Problem (port used by another service)
Replies: 6
Views: 374

Re: SSTP Server Problem (port used by another service)

Hi, I found a few hints in the forum about this, but did not spot a solution - sorry in case I overlooked it... I use a RB1100AHx4 with a public IP address at eth1 and a hotspot at eth2 with a private IP Address range. When activating the SSTP Server port 443, it complains: "Couldn't change SST Ser...
by JohnTRIVOLTA
Fri May 25, 2018 9:46 pm
Forum: General
Topic: Src-nat internal subnets to different public IPs not working - v6.42.2
Replies: 8
Views: 359

Re: Src-nat internal subnets to different public IPs not working - v6.42.2

I have not - so I would go IP -> Addresses, add .5/32 or the matching Subnet .5/28? Any reason why the /28 isn't covering the entire spread? They should be routed, its a Cable Modem Handoff and the Modem only has 1 Port. Otherwise I wouldnt think the connection would come up if the netmask and scop...
by JohnTRIVOLTA
Fri May 18, 2018 7:03 pm
Forum: Wireless Networking
Topic: RBM33G + two Wireless mpci-e cards ?
Replies: 3
Views: 463

RBM33G + two Wireless mpci-e cards ?

Hello friends, is there a possibility to run two radio modules at the same time on the rbm33g ? I want to run a split signal at 2.4 Ghz and 5 Ghz , i have one AR9380 a/n and one AR9381 b/g/n HP triple chain cards. Now i use only the a/n card! P.S. "Insert the miniPCIe and M.2 cards (not included) an...
by JohnTRIVOLTA
Mon May 07, 2018 10:23 pm
Forum: Wireless Networking
Topic: Where to find # of WIFI VLANS [SOLVED]
Replies: 14
Views: 937

Re: Where to find # of WIFI VLANS [SOLVED]

Anybody else with actual information? Seems like everyone in Bulgaria drinks heavily all day and should not be allowed near a computer. Every child can run google search engine and the first result gives you answer. I just have added the theoretical number of the vlans to my post ... yes, i drink w...
by JohnTRIVOLTA
Mon May 07, 2018 8:53 pm
Forum: Wireless Networking
Topic: Where to find # of WIFI VLANS [SOLVED]
Replies: 14
Views: 937

Re: Where to find # of WIFI VLANS [SOLVED]

2007 ssids = 2007 vlans
by JohnTRIVOLTA
Thu Apr 26, 2018 9:45 pm
Forum: Wireless Networking
Topic: CPE And AP on Same Router
Replies: 4
Views: 348

Re: CPE And AP on Same Router

by JohnTRIVOLTA
Thu Apr 26, 2018 6:23 pm
Forum: RouterBOARD hardware
Topic: How to add a ethernet port to RBM33G (mpcie)
Replies: 8
Views: 715

Re: How to add a ethernet port to RBM33G (mpcie)

It's not possible, because I need 3 ethernet port for our project, and a mPCI used for LTE with R11e-LTE.

It is why I need to add a port or a way to communicate with the board.

Regards.
Olivier
Communicate with the board wirelessly through the second mPCI-E wifi adapter !?
by JohnTRIVOLTA
Tue Apr 24, 2018 10:04 pm
Forum: Scripting
Topic: Establish a L2L tunnel on wan failover
Replies: 1
Views: 228

Re: Establish a L2L tunnel on wan failover

Add static route to the L2 vpn server ip address through LTE interface. Add l2tp-out /L2TP client/ and use netwatch to check main gateway , when is on down execute /interface ppp-client enable l2tp-out1 or when is on up - interface ppp-client disable l2tp-out1 !
by JohnTRIVOLTA
Tue Apr 24, 2018 7:27 pm
Forum: Beginner Basics
Topic: don't write logs
Replies: 5
Views: 337

Re: don't write logs

maybe... did you try to check how many lines you have setup? /system logging action print look for "memory-lines= ..." Or go to System / Logging / Actions / memory / Lines Thank you, I've solved the problem ... System / Logging / Actions / disk / Lines are only 1, but why i don't know - they was se...
by JohnTRIVOLTA
Tue Apr 24, 2018 6:52 pm
Forum: Beginner Basics
Topic: don't write logs
Replies: 5
Views: 337

Re: don't write logs

I have completely same problem with my RB3011 ! I'm waiting to see at 22 o'clock what log file will send me to the mail automatically !
by JohnTRIVOLTA
Mon Apr 23, 2018 3:12 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 133854

Re: Advisory: Vulnerability exploiting the Winbox port

But that whats the point of this, i ran it 3 times and got all my ports listed 3 times before mikrotik blocked it, "attacker" already have all it needs.
Scan this 93.155.148.98 - my IP address and tell me the open ports please!
by JohnTRIVOLTA
Mon Apr 23, 2018 2:50 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 133854

Re: Advisory: Vulnerability exploiting the Winbox port

But if i run it from https://mxtoolbox.com/SuperTool.aspx?action=scan, it finishes every time and shows my open ports on router without blocking it.. Try for your self. OK, try this : ip fi fi add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="...
by JohnTRIVOLTA
Mon Apr 23, 2018 2:12 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 204
Views: 133854

Re: Advisory: Vulnerability exploiting the Winbox port

What do do : 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best, if you only allow known IP addresses to connect to your router to any services, not just Winbox. We suggest this to become common practice. As an alternative, possibly easier, use the "IP ->...
by JohnTRIVOLTA
Sat Apr 21, 2018 9:54 pm
Forum: General
Topic: winbox vulnerable! Unusual login to routers [SOLVED]
Replies: 44
Views: 8048

Re: winbox vulnerable! Unusual login to routers [SOLVED]

In point 1 you're wrong, just like the password type, I had a password of type "@ _23UbakJav!2947!#6hasd! - +)" and they have entered with a single attempt, it is something more serious that lets you see the key, only way to close all the ports to the computers on the LAN. Where is the Cyrillic alp...
by JohnTRIVOLTA
Sat Apr 21, 2018 7:38 pm
Forum: General
Topic: winbox vulnerable! Unusual login to routers [SOLVED]
Replies: 44
Views: 8048

Re: winbox vulnerable! Unusual login to routers [SOLVED]

1.Set user name and password with combination with cyrillic alphabet after that remove or disable user - admin ! 2.Change the port numbers for ssh , winbox etc. 3.Set strong crypto for ssh 4.Set ACL 5.Set 3 attempts login to black list and deny attempts with RAW 6.Disable all other non-useable servi...
by JohnTRIVOLTA
Fri Apr 20, 2018 8:33 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 93248

Re: v6.43rc [release candidate] is released!

*) wireless - improved compatibility with BCM chipset devices (this includes phones by Xiaomi, Lenovo, etc); SUPER . I try some test and the 20 mb/ps speed problem and 54mb/ps connectivity with mobile phones is resolved ! Test Xiaomi https://s26.postimg.cc/i3qlimq3d/xiaomi_TEST.png Test Nokia https...
by JohnTRIVOLTA
Wed Apr 18, 2018 7:29 pm
Forum: Announcements
Topic: v6.42 [current]
Replies: 147
Views: 21904

Re: v6.42 [current]

I have hap lite /smips/ with 6.41.2 . With 6.42 in station mode and WEP security /40bit/not work - can not connect. I downgrade to bugfix 6.40.7 and everything is fine - the routerboard is connected !
by JohnTRIVOLTA
Tue Apr 10, 2018 10:56 am
Forum: Forwarding Protocols
Topic: EoIP Tunnel is Running but not passing traffic
Replies: 3
Views: 844

Re: EoIP Tunnel is Running but not passing traffic

Allow in firewall filter section on port udp 500,4500 and GRE /47/ with in-interface WAN and put the rules on top of the section !
by JohnTRIVOLTA
Tue Mar 27, 2018 10:42 pm
Forum: Beginner Basics
Topic: Problem with port forwarding for RemoteDesktop
Replies: 17
Views: 2102

Re: Problem with port forwarding for RemoteDesktop

GENERAL TAB chain:forward protocol:6(tcp) dst.port:3389 ACTION TAB Action:accept And my remote desktop still not works:( thanks in advance for help. Add same rule with chain INPUT -put this rule to the top on filter section ! You don't need to add input rules for dst nat to work... Why ? If you ha...
by JohnTRIVOLTA
Tue Mar 27, 2018 6:14 am
Forum: Beginner Basics
Topic: Problem with port forwarding for RemoteDesktop
Replies: 17
Views: 2102

Re: Problem with port forwarding for RemoteDesktop

GENERAL TAB
chain:forward
protocol:6(tcp)
dst.port:3389
ACTION TAB
Action:accept
And my remote desktop still not works:( thanks in advance for help.
Add same rule with chain INPUT -put this rule to the top on filter section !
by JohnTRIVOLTA
Mon Mar 26, 2018 8:00 pm
Forum: Beginner Basics
Topic: ssh settings
Replies: 3
Views: 345

Re: ssh settings

I think strong crypto enforcing ssh connection to use aes 256 algorithm for encryption !
by JohnTRIVOLTA
Tue Mar 13, 2018 6:51 am
Forum: The Dude
Topic: Mac Address Block
Replies: 3
Views: 420

Re: Mac Address Block

I dont want a given Mac Address to get an IP Address from my DHCP pool Use bridge filter - /interface bridge filter add mac-protocol=ip src-address=192.168.88.1/32 dst-port=68 dst-mac-address=XX:XX:XX:XX:XX:XX 192.168.88.1/32 - replace with actual dhcp ip address XX:XX:XX:XX:XX:XX - replace with re...
by JohnTRIVOLTA
Mon Mar 12, 2018 9:32 pm
Forum: The Dude
Topic: Mac Address Block
Replies: 3
Views: 420

Re: Mac Address Block

Hello,

How can I block DHCP lease for specific mac addresses?
Block or not use lease time ? Just make static addresses for this specific mac addresses in leases table in dhcp server menu !
by JohnTRIVOLTA
Mon Mar 12, 2018 2:52 pm
Forum: General
Topic: Tunnel between two routers
Replies: 2
Views: 280

Re: Tunnel between two routers

Hi Boris, in your case you must set some ppp server on the main router with public ip and route over this ppp link the both lans . If you want to extend transparent lan on main router , just use BCP on bridges on both sites ! if you want to explain in detail you can post a theme in kaldata, at least...