Community discussions

Search found 1795 matches

by sebastia
Thu Jan 17, 2019 4:05 pm
Forum: Beginner Basics
Topic: show how much traffic for every ip in every day
Replies: 3
Views: 322

Re: show how much traffic for every ip in every day

This is what you need: https://wiki.mikrotik.com/wiki/Manual:IP/Accounting
And since you don't have FastTrack, it will work as is.

Set to max 8k pairs, and create snapshots on day (or more frequently if needed)
by sebastia
Thu Jan 17, 2019 4:02 pm
Forum: General
Topic: How to fast track local bandwidth? [SOLVED]
Replies: 6
Views: 467

Re: How to fast track local bandwidth? [SOLVED]

Then you're done!
by sebastia
Thu Jan 17, 2019 3:14 pm
Forum: General
Topic: How to fast track local bandwidth? [SOLVED]
Replies: 6
Views: 467

Re: How to fast track local bandwidth? [SOLVED]

make sure your bridge is hardware offloaded: that needs to be enabled, and depending on setup will be applied by ROS.
by sebastia
Thu Jan 17, 2019 2:48 pm
Forum: General
Topic: How to fast track local bandwidth? [SOLVED]
Replies: 6
Views: 467

Re: How to fast track local bandwidth? [SOLVED]

These devices are in same subnet? Then it's not fasttrack. Just put them in same bridge, which is probably already the case.
There should be a bridge with wlan & local ports, in it.

Edit: typo
by sebastia
Thu Jan 17, 2019 11:17 am
Forum: General
Topic: Setting TTL for Outgoing Traffic [SOLVED]
Replies: 20
Views: 3621

Re: Setting TTL for Outgoing Traffic [SOLVED]

As visible in your config in viewtopic.php?f=2&t=144141, I think you have ipv6 active. This mangle is for ipv4 only.
/interface lte apn
add apn=jionet ip-type=ipv4-ipv6 ipv6-interface=lte1 name="Jio 4G"
by sebastia
Thu Jan 17, 2019 11:04 am
Forum: General
Topic: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]
Replies: 11
Views: 1029

Re: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]

Have a look at options applied to them: for download connections are grouped by destination ip, for upload by src ip.
by sebastia
Thu Jan 17, 2019 12:42 am
Forum: General
Topic: Setting TTL for Outgoing Traffic [SOLVED]
Replies: 20
Views: 3621

Re: Setting TTL for Outgoing Traffic [SOLVED]

bytes are off too. all counters reset at the same time?
by sebastia
Wed Jan 16, 2019 11:26 pm
Forum: General
Topic: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]
Replies: 11
Views: 1029

Re: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]

You mean I should do it like this? Consulted doc and it says: pcq-total-limit (integer [1..4294967295]; Default: 2000) Max amount of bytes queued (in kilobytes) for all sub-streams per PCQ instance. Note that each queue tree entry has its own PCQ instance. so set it so that you don't buffer too much...
by sebastia
Wed Jan 16, 2019 11:07 pm
Forum: Beginner Basics
Topic: need help maybe hack on VPN?
Replies: 1
Views: 307

Re: need help maybe hack on VPN?

TCP connection is just first step of establishing vpn, then the authentication starts.

So it doesn't mean that they can get it, just that "they" are trying.
by sebastia
Wed Jan 16, 2019 10:51 pm
Forum: General
Topic: CCR Mikrotik Bandwidth Test - Urgent...-Important
Replies: 8
Views: 869

Re: CCR Mikrotik Bandwidth Test - Urgent...-Important

Mikrotik has mentioned few times, bandwidth test should not be performed on the router itself.
In your case, maybe some changes were done to generator logic making it more heavy...
by sebastia
Wed Jan 16, 2019 9:44 pm
Forum: General
Topic: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]
Replies: 11
Views: 1029

Re: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]

I expected something with FastTrack, but it's not applicable as it's disabled. And that's a GOOD thing as simple queues won't work with it enabled. But * "add max-limit=4M/4M name=PCQ-Queue queue=PCQ_download/PCQ_upload target=192.168.86.0/24" The order of limits is upload / download, it's reversed ...
by sebastia
Wed Jan 16, 2019 8:34 pm
Forum: General
Topic: Setting TTL for Outgoing Traffic [SOLVED]
Replies: 20
Views: 3621

Re: Setting TTL for Outgoing Traffic [SOLVED]

The lte itself is not in passthrough, is it? If no then above is correct.

About the pass-through on mangle, that depends if you want to apply any more actions? If you don't then you don't need pass-through.
by sebastia
Wed Jan 16, 2019 8:33 pm
Forum: SwOS
Topic: Forward rule vs acl rule precedence
Replies: 5
Views: 761

Re: Forward rule vs acl rule precedence

My bad, didn't notice that it's posted under swos... I don't use swos myself, so won't be of much help. The documentation https://wiki.mikrotik.com/wiki/SwOS/CSS106 doesn't mention any order or flow diagram (@Mikrotik that's a must! It's available for ROS). The doc does mention what Access Control L...
by sebastia
Wed Jan 16, 2019 8:27 pm
Forum: General
Topic: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]
Replies: 11
Views: 1029

Re: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]

Please post your config: /export compact hide-sensitive
by sebastia
Wed Jan 16, 2019 7:09 pm
Forum: Beginner Basics
Topic: Question on configuration of src-nat on bridge with trunk ports [SOLVED]
Replies: 9
Views: 556

Re: Question on configuration of src-nat on bridge with trunk ports [SOLVED]

POC, so performance is not a consideration at this time right? "Just make it work"
by sebastia
Wed Jan 16, 2019 6:59 pm
Forum: General
Topic: Setting TTL for Outgoing Traffic [SOLVED]
Replies: 20
Views: 3621

Re: Setting TTL for Outgoing Traffic [SOLVED]

Hey

In pre-routing, the routing hasn't been performed yet, so the outgoing interface is not known yet.

change to chain=postrouting.
by sebastia
Wed Jan 16, 2019 6:50 pm
Forum: General
Topic: Router for a newbie
Replies: 4
Views: 367

Re: Router for a newbie

Hi Alan but when I read more I feel more lost and overwhelmed The software running on Mikrotik routers is "same" for all. They all have same and steep learning curve, although producer is helping with default configurations for some typical use-cases. * OpenVPN client: not a strength of RouterOS at t...
by sebastia
Wed Jan 16, 2019 6:28 pm
Forum: SwOS
Topic: Forward rule vs acl rule precedence
Replies: 5
Views: 761

Re: Forward rule vs acl rule precedence

... And where do you configure that ACL?
by sebastia
Wed Jan 16, 2019 6:16 pm
Forum: Beginner Basics
Topic: Question on configuration of src-nat on bridge with trunk ports [SOLVED]
Replies: 9
Views: 556

Re: Question on configuration of src-nat on bridge with trunk ports [SOLVED]

Hello Gerret Do you need src- / dst-nat-ing? Can't it be just routed? Performance, might be an issue, but if you can avoid NAT, you have two options: * fast-path: disable firewall completely, if needed remove ip on switch and access CRS over MAC, for added isolation (with some consequences) * fast-t...
by sebastia
Wed Jan 16, 2019 6:03 pm
Forum: General
Topic: Mikrotik as VPN-server access to 1 Lan Device
Replies: 6
Views: 483

Re: Mikrotik as VPN-server access to 1 Lan Device

Firewall: in Filter:Forward, only allow VPN network to connect to camera ip.
by sebastia
Wed Jan 16, 2019 2:06 pm
Forum: General
Topic: Dual wan fail over, fail back not working
Replies: 8
Views: 722

Re: Dual wan fail over, fail back not working

So should I be using action=src-nat for both WAN entries? That depends on how stable the assigned ip is. One ISP I use, assigns ip for 24h and allows extensions, so from my point of view that is practically static, and for that config I use src-nat. (That's my primary by the way). The backup line I...
by sebastia
Wed Jan 16, 2019 12:31 pm
Forum: SwOS
Topic: Forward rule vs acl rule precedence
Replies: 5
Views: 761

Re: Forward rule vs acl rule precedence

What exactly do you mean by "ACL rule"?
by sebastia
Tue Jan 15, 2019 10:23 pm
Forum: General
Topic: Dual wan fail over, fail back not working
Replies: 8
Views: 722

Re: Dual wan fail over, fail back not working

The associated video: https://www.youtube.com/watch?v=3LmQYIQ5RoA the Internet stops working, and it does not seem to come back until I disable the port for wan2 It would start to work on its own, after tcp connections have timed-out... Possible safe-guards were already given in the presentation: * ...
by sebastia
Tue Jan 15, 2019 9:24 pm
Forum: Beginner Basics
Topic: Forcing single URL to use specific WAN
Replies: 9
Views: 647

Re: Forcing single URL to use specific WAN

Which is more efficient. both the "/ip route rule" and "route using /32" are using normal routing functionality, so from efficiency pov are same for these two approaches there is no need for mangling, so these can be combined with FastTrack, but with "route-mark" in mangle table there is much more ...
by sebastia
Tue Jan 15, 2019 8:05 pm
Forum: Beginner Basics
Topic: Forcing single URL to use specific WAN
Replies: 9
Views: 647

Re: Forcing single URL to use specific WAN

ARE YOU SAYING THERE IS A BETTER WAY to ... different way, one of many.. Can you break down how that works. the "additional" routing table will function as normal routing table, but will be applied to select packets only, with the matching routing-mark (which implies mangling) or as directed by the...
by sebastia
Tue Jan 15, 2019 7:55 pm
Forum: General
Topic: Dual wan fail over, fail back not working
Replies: 8
Views: 722

Re: Dual wan fail over, fail back not working

That's normal consequence of masq & fail-over. When your primary comes back, existing connections gets routed over primary, but connection state is still linked to secondary. This results in masquerade not being applied, and leakage of private ip's to ISP. By manually disabling wan2, these connectio...
by sebastia
Tue Jan 15, 2019 3:46 pm
Forum: General
Topic: Mangles PCC Question [SOLVED]
Replies: 4
Views: 343

Re: Mangles PCC Question [SOLVED]

You need to adjust your PCC rules to only do it for not marked connections.
Reply will be linked to same connection, which is already connection-marked for specific wan.
by sebastia
Tue Jan 15, 2019 3:43 pm
Forum: General
Topic: Routes for VPN access
Replies: 4
Views: 339

Re: Routes for VPN access

Adding route over VPN on client side, is client OS dependent.

For windows:
route ADD 172.16.0.0 MASK 255.240.0.0  172.31.1.1 METRIC 10
             ^destination      ^mask      ^gateway      
by sebastia
Tue Jan 15, 2019 1:53 pm
Forum: Beginner Basics
Topic: VoIP traffic shaping doesn't works
Replies: 22
Views: 1249

Re: VoIP traffic shaping doesn't works

Don't forget that you also have max-limits on each of subqueues...You need to remove all limit definitions except on the top queue and rely on priority, which you have defined. Note: a queue will use all of its *limit-at*, independent of any limits on parent queues (corrected) Then you can change w...
by sebastia
Tue Jan 15, 2019 1:47 pm
Forum: General
Topic: dual with sstp
Replies: 2
Views: 203

Re: dual with sstp

Hey actions: * firewall inbound over eth1 / allow over eth5 (for sstp) * mark connection coming in over eth1: connection mark * set default route over eth5 (default table) * sstp server on router itself: then in output, otherwise preroute: route mark outgoing traffic which has been connection-mark-e...
by sebastia
Tue Jan 15, 2019 11:37 am
Forum: General
Topic: Mangles PCC Question [SOLVED]
Replies: 4
Views: 343

Re: Mangles PCC Question [SOLVED]

Hey

You need to mark incoming traffic and apply correct routing mark before routing.
by sebastia
Tue Jan 15, 2019 11:34 am
Forum: Beginner Basics
Topic: Forcing single URL to use specific WAN
Replies: 9
Views: 647

Re: Forcing single URL to use specific WAN

Some remarks: * in mangle you only need to mark connections once: for new only is enough, it will stick for the remainder of connection's life (so no need for established & related marking) * marking in prerouting covers both input & forward * (remove duplicates: mangle) * for pcc you should assign ...
by sebastia
Tue Jan 15, 2019 10:58 am
Forum: General
Topic: Routes for VPN access
Replies: 4
Views: 339

Re: Routes for VPN access

Hi Is the vpn server running on the router itself? If so it will know all the networks involved, and you don't need to do anything there. Then all that remains is to tell your client OS how to reach these networks. Two options: * make vpn the default route (with exception of the vpn server itself, so ...
by sebastia
Tue Jan 15, 2019 10:45 am
Forum: General
Topic: Need idea on setting up dual WAN connection
Replies: 6
Views: 787

Re: Need idea on setting up dual WAN connection

Wouldn't a "route check" (ex ping check) of the gateway on 192.168.10.1 to 172.16.10.1 solve the issue? Once unavailable, it would become inactive and fallback on second connection.
by sebastia
Tue Jan 15, 2019 10:34 am
Forum: General
Topic: EoIP per connection limit?
Replies: 4
Views: 488

Re: EoIP per connection limit?

Hey

which one is it? ;-)
by sebastia
Mon Jan 14, 2019 10:43 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1286

Re: Firewall: dynamic ip lookup instead of static address list?

Absolutely brilliant, altering the block-rules is of course the fastest and most secure way to do it! :idea: Why didn't I think about it myself! :lol: Now I only need to perform some tests to figure out the actual storage limitation on a CCR as I need room for both current and new lists simultaneou...
by sebastia
Mon Jan 14, 2019 8:40 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1286

Re: Firewall: dynamic ip lookup instead of static address list?

Any thoughts about a secure way to update the address list online that doesn't take forever ? The wipe and clean method is highly insecure because of the lengthy import times that are directly related to the huge import volumes. Btw, what lists are you using from FireHOL ( iplists.firehol.org ) ? why not...
by sebastia
Mon Jan 14, 2019 8:27 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1286

Re: Firewall: dynamic ip lookup instead of static address list?

I remember seeing somewhere that addresslist can be fed a dns and it will do resolution on its own (basically keeping itself updated)

Documented (a big word for just small syntax note) in the meantime: https://wiki.mikrotik.com/wiki/Manual:I ... dress_list
by sebastia
Mon Jan 14, 2019 8:00 pm
Forum: Beginner Basics
Topic: Route vlans
Replies: 3
Views: 253

Re: Route vlans

Hey

The two vlans are available (accessible, with ip) on the router? Then all you need to do is allow traffic from one to other and/or vice-versa in ip(v6) firewall filter.
The router will already take care of routing between them (assuming ip(v6) forwarding is enabled).
by sebastia
Mon Jan 14, 2019 5:21 pm
Forum: Beginner Basics
Topic: Resolving local DHCP hosts using DNS
Replies: 2
Views: 832

Re: Resolving local DHCP hosts using DNS

Why not copy the relevant commands from that script into the dhcp server script, executed on assignment?
see lease-script https://wiki.mikrotik.com/wiki/Manual:I ... er#General
by sebastia
Mon Jan 14, 2019 3:29 pm
Forum: General
Topic: SSH WAN port first time
Replies: 3
Views: 343

Re: SSH WAN port first time

with default config no, you'll need to allow that first.
by sebastia
Mon Jan 14, 2019 1:00 pm
Forum: Beginner Basics
Topic: Forcing single URL to use specific WAN
Replies: 9
Views: 647

Re: Forcing single URL to use specific WAN

Hey

Please post what you have done / tried already. What are the ip's involved? What is your current routing table like? Any routing mangling applicable?
by sebastia
Mon Jan 14, 2019 12:02 pm
Forum: Beginner Basics
Topic: VoIP traffic shaping doesn't works
Replies: 22
Views: 1249

Re: VoIP traffic shaping doesn't works

A single pppoe is: up 800k / down 1600k You have two of these, so bridge on download could receive for download as much as 3200k. That would be its max for QoS. Now if one link goes down, max on bridge will still be 3200k, but the remaining link would already be saturated at 1600. In such situation...
by sebastia
Mon Jan 14, 2019 12:46 am
Forum: Beginner Basics
Topic: Can't get full Gigabit download speed on RB4011 [SOLVED]
Replies: 10
Views: 2032

Re: Can't get full Gigabit download speed on RB4011 [SOLVED]

When with isp modem, it's also connecting with same diagram "Fiber from ISP -> ONT -> Ubi Switch SFP port on VLAN 35 -> Ubi Switch SFP+ port on VLAN 35 -> ISP modem" ? Wondering if it's not related to MTU fragmentation? The MTU on uplink (1450) is lower than local lan (1500). Have you tried to set b...
by sebastia
Sun Jan 13, 2019 9:34 pm
Forum: Beginner Basics
Topic: Can't get full Gigabit download speed on RB4011 [SOLVED]
Replies: 10
Views: 2032

Re: Can't get full Gigabit download speed on RB4011 [SOLVED]

Is that with single connection or multiple?
by sebastia
Sun Jan 13, 2019 9:31 pm
Forum: Beginner Basics
Topic: Priority-only VLAN tags (VLAN-ID 0)
Replies: 8
Views: 784

Re: Priority-only VLAN tags (VLAN-ID 0)

@anav: driving it daily indeed, why do think I don't post that much ;-)

@muetsekoeln: not sure what you're after, but it could be as simple as this
/interface bridge filter add action=set-priority new-priority=from-ingress
by sebastia
Sun Jan 13, 2019 12:18 am
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4724

Re: Mark the traffic for YouTube, Facebook, etc.

Interesting approach. Just need to determine most "basis" name structures used for streaming.
by sebastia
Sun Jan 13, 2019 12:05 am
Forum: Beginner Basics
Topic: Port forward
Replies: 2
Views: 343

Re: Port forward

Hi

the firewall filter rule should be in chain=forward, and remove the "src-port=..." condition

Are you on fixed ip? then ignore following: in dst-nat rule, you can improve it by dst-address=... -> dst-address-type=local
by sebastia
Sat Jan 12, 2019 11:41 pm
Forum: General
Topic: update error - not enough disk space
Replies: 2
Views: 4733

Re: update error - not enough disk space

see also this thread: viewtopic.php?f=3&t=143853
by sebastia
Sat Jan 12, 2019 11:38 pm
Forum: General
Topic: Connecting another router to my MT
Replies: 8
Views: 567

Re: Connecting another router to my MT

Hence my "but not sure what's possible configuration-wise on Asus". Best solution would be if you could disable NAT if destination network is .1. or .6., and otherwise do nat.
by sebastia
Sat Jan 12, 2019 11:11 pm
Forum: Scripting
Topic: Suggestions for getting WAN IP from interface with multiple IPs
Replies: 7
Views: 830

Re: Suggestions for getting WAN IP from interface with multiple IPs

Ok, I understand now.

myip.opendns.com is a special feature of opendns servers to give the requester's ip back. That's then a way to determine the routeable ip.
by sebastia
Sat Jan 12, 2019 2:20 pm
Forum: Beginner Basics
Topic: Priority-only VLAN tags (VLAN-ID 0)
Replies: 8
Views: 784

Re: Priority-only VLAN tags (VLAN-ID 0)

Hey

On bridge port level you can set VLAN frame type to "admit only untagged and priority tagged".
by sebastia
Sat Jan 12, 2019 1:59 pm
Forum: RouterBOARD hardware
Topic: RB4011 wireless performance?
Replies: 26
Views: 3958

Re: RB4011 wireless performance?

Isn't that almost same numbers as for OpenWRT?
by sebastia
Sat Jan 12, 2019 1:51 pm
Forum: General
Topic: Connecting another router to my MT
Replies: 8
Views: 567

Re: Connecting another router to my MT

hey Theoretically it should be doable, but not sure what's possible configuration-wise on Asus. MT can do "anything" * Asus needs to know how to reach 192.168.1 & 192.168.6 This means additional route entries for both networks pointing to ip of MT (xxx.xxx.xxx.233) you need to disable NAT for these ...
by sebastia
Sat Jan 12, 2019 1:42 pm
Forum: General
Topic: hAP ac2 - port knocking doesn't work (kind of)
Replies: 7
Views: 638

Re: hAP ac2 - port knocking doesn't work (kind of)

Lol, don't be harsh on yourself, happens to all of us
by sebastia
Sat Jan 12, 2019 1:33 pm
Forum: Scripting
Topic: Suggestions for getting WAN IP from interface with multiple IPs
Replies: 7
Views: 830

Re: Suggestions for getting WAN IP from interface with multiple IPs

Hey @Jotne, I would suggest to read the question and answer again. problem: update DDNS there was nothing said about DNS, but one can only assume that it's working... and there was also no mentioning of VRF routing, so that won't work either AND if I run ":put [toip [resolve myip.opendns.com server=...
by sebastia
Sat Jan 12, 2019 1:25 am
Forum: General
Topic: Strange ethernet autonegotiation problem on RB1100AHx4
Replies: 6
Views: 529

Re: Strange ethernet autonegotiation problem on RB1100AHx4

Hi

First to do: upgrade software if possible. Including the firmware.

Some thoughts:
Have you tried other ports on both devices?
What if you set them both to fixed 1G? can they communicate?
Physical review of ports?
by sebastia
Fri Jan 11, 2019 9:53 pm
Forum: General
Topic: Can't Upgrade router mikrotik because hacked
Replies: 7
Views: 2252

Re: Can't Upgrade router mikrotik because hacked

There were a number of known bugs on versions up to and including 6.42. Some of these exploits could lead to low level system access, below what an administrator has access to.
Which version were you at?

Tips: follow security blog and upgrade...
by sebastia
Fri Jan 11, 2019 9:17 pm
Forum: General
Topic: DHCP Setup on two ports
Replies: 7
Views: 538

Re: DHCP Setup on two ports

My comment was purely on form and manner, if it wasn't obvious enough...
by sebastia
Fri Jan 11, 2019 9:12 pm
Forum: General
Topic: Connecting another router to my MT
Replies: 8
Views: 567

Re: Connecting another router to my MT

Hey

Few questions:
* "MT allowing the xxx.xxx.xxx.234 address into my MT LAN": does the asus do nat for traffic to Lan?
* "MT Cannot Ping xxx.xxx.xxx.233 eth1 port or gateway for Asus router": that's pinging itself no?
by sebastia
Fri Jan 11, 2019 8:55 pm
Forum: Beginner Basics
Topic: VoIP traffic shaping doesn't works
Replies: 22
Views: 1249

Re: VoIP traffic shaping doesn't works

Few remarks: * I assume your pppoe's are asymmetric, with download speed >> upload speed? if so max on download doesn't reflect this. * define priority (>2) on maison-* queues * (unrelated to this thread: that's a risk "add action=accept chain=input dst-port=80 in-interface-list=WAN protocol=tcp") *...
by sebastia
Fri Jan 11, 2019 5:22 pm
Forum: General
Topic: IP Accounting Opinions
Replies: 17
Views: 6063

Re: IP Accounting Opinions

On this test setup, did you use fasttrack? It bypasses accounting, and will result in inaccurate reporting of the last.
https://wiki.mikrotik.com/wiki/Manual:I ... escription
by sebastia
Fri Jan 11, 2019 4:51 pm
Forum: Beginner Basics
Topic: VoIP traffic shaping doesn't works
Replies: 22
Views: 1249

Re: VoIP traffic shaping doesn't works

What criteria do you use to mark connections?

post your config, will have a look. /export hide-sensitive compact
by sebastia
Fri Jan 11, 2019 3:56 pm
Forum: Beginner Basics
Topic: VoIP traffic shaping doesn't works
Replies: 22
Views: 1249

Re: VoIP traffic shaping doesn't works

That should work. It's a bit after the fact, as it already passed the isp pipe, but by controlling the internal "gate" one can also shape the overall throughput. So you just need to make sure your classification is working. What I do: * connection-mark all VOIP related connection (which are not alre...
by sebastia
Fri Jan 11, 2019 3:12 pm
Forum: General
Topic: Filtering Malicious Traffic
Replies: 6
Views: 590

Re: Filtering Malicious Traffic

How about an "abuse policy"? action -> reaction
by sebastia
Fri Jan 11, 2019 3:10 pm
Forum: Beginner Basics
Topic: VoIP traffic shaping doesn't works
Replies: 22
Views: 1249

Re: VoIP traffic shaping doesn't works

"..you can make requests, ask favors, to an incoming stream of TCP traffic.." -> we are not being nice about it ;-), we just drop some packets from that stream and the tcp will resend and slow down...
by sebastia
Fri Jan 11, 2019 2:48 pm
Forum: General
Topic: Inbound routing with 2 ISP lines
Replies: 3
Views: 319

Re: Inbound routing with 2 ISP lines

Not-natting through connection B could theoretically work, but if ISP does source based filtering, it won't...
by sebastia
Fri Jan 11, 2019 2:45 pm
Forum: RouterBOARD hardware
Topic: hap lite not enough space for update [SOLVED]
Replies: 16
Views: 5668

Re: hap lite not enough space for update [SOLVED]

files under flash are in flash storage. See screenshot: the "large_file" is too big for flash storage (only 5m free) but it fits just fine in ramdrive part.
example.jpg
Files not within "flash" path are indeed in ramdrive.
by sebastia
Fri Jan 11, 2019 2:33 pm
Forum: Beginner Basics
Topic: VoIP traffic shaping doesn't works
Replies: 22
Views: 1249

Re: VoIP traffic shaping doesn't works

Where is that "downstream queue" attached to? What is its parent?
by sebastia
Fri Jan 11, 2019 12:52 pm
Forum: RouterBOARD hardware
Topic: hap lite not enough space for update [SOLVED]
Replies: 16
Views: 5668

Re: hap lite not enough space for update [SOLVED]

files under flash are in flash storage. See screenshot: the "large_file" is too big for flash storage (only 5m free) but it fits just fine in ramdrive part.
by sebastia
Fri Jan 11, 2019 12:08 pm
Forum: General
Topic: Inbound routing with 2 ISP lines
Replies: 3
Views: 319

Re: Inbound routing with 2 ISP lines

Hi That is indeed the case. You can solve it by * marking the connection coming over A, and ensuring that each packet in prerouting linked to connection over A gets routing-mark to route it out over A. * if it's ipv4 based, use policy based routing (/ip route rule): all packet from servers in A rang...
by sebastia
Fri Jan 11, 2019 12:03 pm
Forum: Wireless Networking
Topic: High ping to router HAP AC2
Replies: 33
Views: 2545

Re: High ping to router HAP AC2

What interface is the client? I've seen that too with some intel cards and some driver versions, where it would show spikes in response.
by sebastia
Fri Jan 11, 2019 11:52 am
Forum: General
Topic: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???
Replies: 7
Views: 979

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Hi On input/output I always set default policy of drop/reject, and only allow selective & known traffic. On forward, inbound is denied by default, for outbound it can be tricky. If such a filter set was used for outbound, a hit could mean: * an actual threat communicating out * some valid applicatio...
by sebastia
Thu Jan 10, 2019 9:39 pm
Forum: General
Topic: redirect ip pool to specific DNS server [SOLVED]
Replies: 7
Views: 720

Re: redirect ip pool to specific DNS server [SOLVED]

That's probably redirection to the same subnet, then you'll need to src-nat too -> "hair-pin": look at that
Otherwise the dns will send responses directly to client, and client will reject it as it's unknown traffic to it
by sebastia
Thu Jan 10, 2019 9:36 pm
Forum: RouterBOARD hardware
Topic: hap lite not enough space for update [SOLVED]
Replies: 16
Views: 5668

Re: hap lite not enough space for update [SOLVED]

don't use the flash dir or subdirs. these are on limited flash, rest is in memory and you'll be able to write more but limited to your available mem.

Edit: see the attachment in additional post below
by sebastia
Thu Jan 10, 2019 9:32 pm
Forum: General
Topic: Migrating self signed CA
Replies: 9
Views: 1427

Re: Migrating self signed CA

Hi

Wiki states "All private keys and CA export passphrase are stored encrypted with hardware ID." https://wiki.mikrotik.com/wiki/Manual:S ... rtificates.
When you list details of the certs, do they have valid private keys?
by sebastia
Thu Jan 10, 2019 4:49 pm
Forum: Scripting
Topic: Strange behavior [SOLVED]
Replies: 2
Views: 379

Re: Strange behavior [SOLVED]

:execute runs the command in a separate thread. its completion is not waited on. So the parameter configured by execute may not be set yet.
by sebastia
Wed Jan 09, 2019 11:18 pm
Forum: General
Topic: how websites are blocked in big companies & countries
Replies: 2
Views: 512

Re: how websites are blocked in big companies & countries

From my experience, I've encountered two:
either dns based or
L7 firewall, with wildcard certificates, allowing full decryption of traffic
by sebastia
Wed Jan 09, 2019 9:43 pm
Forum: General
Topic: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule ( SOLVED )
Replies: 9
Views: 956

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule

Hey

I would suggest to copy your current config, and then reset to default configuration, and then only selectively add some rules. The default config is "compatible" with vpns, and I think will be the easiest route.
by sebastia
Wed Jan 09, 2019 9:23 pm
Forum: Forwarding Protocols
Topic: ECMP settings for Outgoing packets uses same routing decision
Replies: 3
Views: 554

Re: ECMP settings for Outgoing packets uses same routing decision

For routing management only routing-mark is needed.
by sebastia
Wed Jan 09, 2019 9:00 pm
Forum: Beginner Basics
Topic: Redo home routing and WiFi with mikrotik
Replies: 3
Views: 374

Re: Redo home routing and WiFi with mikrotik

3011 does have its virtues: ex better switch chips.
by sebastia
Wed Jan 09, 2019 8:51 pm
Forum: General
Topic: How to mark http video streams with firewall mangle rules
Replies: 3
Views: 1143

Re: How to mark http video streams with firewall mangle rules

Hi

The sites you've referred to are over ssl: you won't be able to see their content.
You mentioned that youtube "works", but as it is also over ssl I would be surprised if it did.
by sebastia
Mon Jan 07, 2019 8:53 pm
Forum: General
Topic: CRS326 VLAN leakage to CPU?
Replies: 8
Views: 871

Re: CRS326 VLAN leakage to CPU?

Thx for the info lapsio!
by sebastia
Mon Jan 07, 2019 8:35 pm
Forum: General
Topic: Firewall in Interface - Bridge or Physical
Replies: 4
Views: 400

Re: Firewall in Interface - Bridge or Physical

Interface list is what tik default config is using. It's flexible (and somewhat friendly to future changes), as it can support multiple entries for a target group.
But if you know "there can be only one", no point in using lists.
by sebastia
Mon Jan 07, 2019 1:05 pm
Forum: General
Topic: What outbound connection does the Router does besides DNS?
Replies: 1
Views: 256

Re: What outbound connection does the Router does besides DNS?

There are some other: cloud service, internet discovery.
But you do have full control over the outgoing connections: block whatever you don't like in output chain.
by sebastia
Mon Jan 07, 2019 12:44 pm
Forum: General
Topic: Receiving lots of ACK
Replies: 8
Views: 603

Re: Receiving lots of ACK

I didn't mean to post your config here. If you have it, you could do a netinstall to the latest version, to make sure it's really back to normal code, and restore your config. You have the latest version (43,8) there most (all?) known sec issues have been fixed. It is possible that you got hacked b...
by sebastia
Mon Jan 07, 2019 11:28 am
Forum: General
Topic: Receiving lots of ACK
Replies: 8
Views: 603

Re: Receiving lots of ACK

It's one of the possibilities, what version of ROS do you use? When did you notice these connections?
Do you have a config export?
by sebastia
Mon Jan 07, 2019 11:15 am
Forum: General
Topic: Receiving lots of ACK
Replies: 8
Views: 603

Re: Receiving lots of ACK

Whois says: inetnum: 124.104.0.0 - 124.107.255.255 netname: IPG descr: IPG descr: Philippine Long Distance Telephone Company country: PH tech-c: JG149-AP tech-c: NT80-AP admin-c: RR5-AP mnt-by: APNIC-HM mnt-lower: PHIX-NOC-AP status: ALLOCATED PORTABLE remarks: --------------------------------------...
by sebastia
Mon Jan 07, 2019 1:43 am
Forum: General
Topic: CRS326 VLAN leakage to CPU?
Replies: 8
Views: 871

Re: CRS326 VLAN leakage to CPU?

Hi

Just wondering if these are correct? And if so what is the effect? Are multiple subnets mixed on these interfaces?
add bridge=br-hardware tagged=bond-crs untagged=ether15,ether16 vlan-ids=4000,4001,4002,4003,4004,4005,4006,4007,4008,4009
add bridge=br-hardware tagged=bond-crs untagged=ether17,eth...
by sebastia
Mon Jan 07, 2019 1:13 am
Forum: General
Topic: IPv6 Link-Local Addresses
Replies: 6
Views: 714

Re: IPv6 Link-Local Addresses

Hey

To my knowledge no. Alternative: script it after boot?
by sebastia
Mon Jan 07, 2019 1:04 am
Forum: General
Topic: Spam filtering - how to improve my antispam system
Replies: 9
Views: 1253

Re: Spam filtering - how to improve my antispam system

Nice out of the box thinking!
by sebastia
Mon Jan 07, 2019 12:56 am
Forum: RouterBOARD hardware
Topic: Recommended 3G modem for RB2011
Replies: 2
Views: 342

Re: Recommended 3G modem for RB2011

Hey

If it's doing better with an active hub, could it be that the modem needs more power and isn't getting enough? There are USB cables where you can plug in a second connector for extra power; if you have one, give it a try?
by sebastia
Sun Jan 06, 2019 3:13 pm
Forum: General
Topic: VRRP with VLAN -> problem
Replies: 4
Views: 598

Re: VRRP with VLAN -> problem

Hi

If you consult the documentation https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP, you'll notice that vrrp routers are supposed to be each other's backups, and hence need to reside in the same broadcast domain / subnet.
by sebastia
Sun Jan 06, 2019 2:40 pm
Forum: Beginner Basics
Topic: Config 8 IP Route of ISP
Replies: 3
Views: 413

Re: Config 8 IP Route of ISP

hey

What do you mean by "And now, I want to use 2 Block IP Route of ISP to config the Servers." ?
by sebastia
Sun Jan 06, 2019 2:28 pm
Forum: General
Topic: much difference between tx / Rx
Replies: 4
Views: 418

Re: much difference between tx / Rx

Are the transmitters on both ends the same? If not, isn't that the expected result, as transmit energy will be emitted / concentrated differently?
by sebastia
Sat Jan 05, 2019 9:31 pm
Forum: Beginner Basics
Topic: ovpn ... terminating nothing received for a while
Replies: 4
Views: 706

Re: ovpn ... terminating nothing received for a while

ISP disconnects the lte session regularly, for me it's every 24h for lte. Was (is?) the case for pppoe too...
Don't know why...
by sebastia
Sat Jan 05, 2019 3:02 pm
Forum: General
Topic: Private IP NAT log issue
Replies: 7
Views: 408

Re: Private IP NAT log issue

And can you see these in log of Mikrotik router?
by sebastia
Sat Jan 05, 2019 2:28 pm
Forum: General
Topic: Private IP NAT log issue
Replies: 7
Views: 408

Re: Private IP NAT log issue

Hello

I don't understand your issue. The syslog will "mirror" log messages as they are logged on the router.
by sebastia
Sat Jan 05, 2019 1:10 pm
Forum: Beginner Basics
Topic: set deafult internet source
Replies: 8
Views: 502

Re: set deafult internet source

The whole thing, and enclose it in [ code ][/ code ] tags
by sebastia
Fri Jan 04, 2019 11:22 pm
Forum: Beginner Basics
Topic: set deafult internet source
Replies: 8
Views: 502

Re: set deafult internet source

Please post your current config: /export hide-sensitive compact terse
by sebastia
Fri Jan 04, 2019 8:57 pm
Forum: General
Topic: CRS326 Management Port [SOLVED]
Replies: 34
Views: 1835

Re: CRS326 Management Port [SOLVED]

So that's where (CCR) you need to do your routing: define vlan10 on eth7 (if needed) and route / nat as normal
by sebastia
Fri Jan 04, 2019 8:30 pm
Forum: General
Topic: CRS326 Management Port [SOLVED]
Replies: 34
Views: 1835

Re: CRS326 Management Port [SOLVED]

I would advise to isolate mgmt network... But if you insist ;-): where do you do your routing? what is your "uplink" / trunk?
There is no routing here (rightfully so)
add bridge=bridge tagged=bridge,ether24,ether23,ether22 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
by sebastia
Fri Jan 04, 2019 8:15 pm
Forum: General
Topic: CRS326 Management Port [SOLVED]
Replies: 34
Views: 1835

Re: CRS326 Management Port [SOLVED]

Lost internet, from which device?
by sebastia
Fri Jan 04, 2019 8:10 pm
Forum: Beginner Basics
Topic: Combine 2 ISP and use IP Public
Replies: 3
Views: 433

Re: Combine 2 ISP and use IP Public

Hey

A vlan behaves as any other subnet with regards to routing: you'll need ip on both vlans on the router and have all devices use router's ip on vlans as gateway. Router should just forward using normal routing process (+ src-nat see lower). Subnet that depends on the subnet definition as it's don...
by sebastia
Fri Jan 04, 2019 5:00 pm
Forum: Beginner Basics
Topic: set deafult internet source
Replies: 8
Views: 502

Re: set deafult internet source

There is possibly an even simpler solution. The vpn dedicated interface, is that for "client" side, so your device is making a connection to vpn server on internet?
If "client": then the solution could be simplified:
* route to 0.0.0.0/0 to internet gateway (default)
* route to <ip of vpn> over vpn ...
by sebastia
Fri Jan 04, 2019 3:49 pm
Forum: General
Topic: CRS326 Management Port [SOLVED]
Replies: 34
Views: 1835

Re: CRS326 Management Port [SOLVED]

ssh service enabled? on right port, from config "set ssh port=xxxxx"

also the user needs the right to ssh. and user can be limited to a range, check that too
by sebastia
Fri Jan 04, 2019 3:24 pm
Forum: General
Topic: CRS326 Management Port [SOLVED]
Replies: 34
Views: 1835

Re: CRS326 Management Port [SOLVED]

Hey

You need to create a vlan interface on bridge with vid=10. This will be the interface by which you'll access the crs from vlan10.

Currently the switch is accessible through: eth1, 2, 22, 23, 24, sfp1 & 2 (untagged)
by sebastia
Fri Jan 04, 2019 2:27 pm
Forum: Beginner Basics
Topic: DHCP and VLAN
Replies: 3
Views: 308

Re: DHCP and VLAN

don't think vlan10/20/30 should be part of bridge vlan config

see https://wiki.mikrotik.com/wiki/Manual:I ... _Bridge.29
by sebastia
Fri Jan 04, 2019 2:12 pm
Forum: Beginner Basics
Topic: It is possible to disable dhcp in a single ether
Replies: 3
Views: 279

Re: It is possible to disable dhcp in a single ether

Hi

I'm guessing all the interfaces are in a bridge, and the dhcp server is defined on that bridge. Then no.

If you really don't want dhcp offers there, isolate the interface and assign it a different range, with no dhcp server for it.
by sebastia
Fri Jan 04, 2019 2:06 pm
Forum: Beginner Basics
Topic: set deafult internet source
Replies: 8
Views: 502

Re: set deafult internet source

Example of routing with mangle for routing mark: https://wiki.mikrotik.com/wiki/Policy_Base_Routing
There is a bit more stuff there, vpn ..., which you can ignore.
The steps are:
1a: routing rule (or 1b)
/ip route rule add action=lookup src-address=1.2.3.4/32 table=WAN1
1b: packet mark (or 1a)
/ip f...
by sebastia
Fri Jan 04, 2019 12:17 pm
Forum: Beginner Basics
Topic: set deafult internet source
Replies: 8
Views: 502

Re: set deafult internet source

Hi

It can be done for IPv4 but not for IPv6.
IPv4 using policy based routing
* based on routing rules (/ip route rule)
* based on route marking on packet level (/ip firewall mangle)
For both approaches above you'll need to define new routing table for each other than default route: /ip route for eac...
by sebastia
Fri Jan 04, 2019 12:10 am
Forum: General
Topic: /tool e-mail send start-tls seems insecurable, need advice.
Replies: 3
Views: 529

Re: /tool e-mail send start-tls seems insecurable, need advice.

and if you encrypt the backup itself? and transmit it in the clear ...
/system backup save password=
by sebastia
Thu Jan 03, 2019 10:18 pm
Forum: General
Topic: Forwarding traffic inside the same subnet without replacing the source MAC
Replies: 4
Views: 369

Re: Forwarding traffic inside the same subnet without replacing the source MAC

Indeed, since Mt is the router it forwards packets on behalf of others, which translates into replacing macs.
by sebastia
Thu Jan 03, 2019 10:08 pm
Forum: Beginner Basics
Topic: Routing between VLANs and DHCP Relaying
Replies: 1
Views: 241

Re: Routing between VLANs and DHCP Relaying

Yello

KISS! Keep it simple ...

If you have dedicated interfaces, there is no need for vlans.
* remove eth1 from bridge
* remove mm bridge
* assign eth1 an ip and setup dhcp on it directly

Further you don't need dhcp relay, just straight server on Mikrotik to eth1.
by sebastia
Thu Jan 03, 2019 10:00 pm
Forum: General
Topic: Can't see IP camera stream Tx/Rx rates
Replies: 1
Views: 308

Re: Can't see IP camera stream Tx/Rx rates

Hi

I'm guessing the camera and nvr are on same subnet and their traffic is switched. This means it doesn't pass through router.

Best way to monitor traffic would be on the nvr itself.
by sebastia
Thu Jan 03, 2019 8:25 pm
Forum: General
Topic: Cannot remotely connect via WinBox. [SOLVED]
Replies: 13
Views: 932

Re: Cannot remotely connect via WinBox. [SOLVED]

eth1 is multihomed? fixed & dhcp
* which ip are you trying to access router with: .21.138 or dhcp clients one?
* which ip will masq select for src-nat then?
if fixed:
* adj the masq -> src-nat
* remove dhcpc config on wan
Edit: or is that somehow PtP hence "network" removed? "/ip address add address...
by sebastia
Thu Jan 03, 2019 4:45 pm
Forum: General
Topic: Cannot remotely connect via WinBox. [SOLVED]
Replies: 13
Views: 932

Re: Cannot remotely connect via WinBox. [SOLVED]

Do you allow all in output?
multiple routes? and response gets routed over other connection?

If not try posting full config, maybe something pops up: /export hide-sensitive compact terse
by sebastia
Thu Jan 03, 2019 4:24 pm
Forum: General
Topic: Cannot remotely connect via WinBox. [SOLVED]
Replies: 13
Views: 932

Re: Cannot remotely connect via WinBox. [SOLVED]

First rule accepts winbox on wan indeed.

Do you limit winbox service to specific ip / range?
Do you limit user to specific ip / range?
by sebastia
Thu Jan 03, 2019 4:01 pm
Forum: General
Topic: Cannot remotely connect via WinBox. [SOLVED]
Replies: 13
Views: 932

Re: Cannot remotely connect via WinBox. [SOLVED]

Are you trying on a "lan" port? "Wan" won't allow it out-of-the-box.

What rules do you have? is the winbox service enabled?
by sebastia
Thu Jan 03, 2019 3:12 pm
Forum: General
Topic: VLAN is to complicated
Replies: 21
Views: 1957

Re: VLAN is to complicated

It's a feature in transition, and complicated as a result: it was originally on switch and is now being moved to bridge.
Now, Vlans can be done on bridge and on switch, for one chip in hw on bridge for other in hw on switch only ...
by sebastia
Thu Jan 03, 2019 1:59 pm
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 1237

Re: Passive FTP to outside FTP Server

Hey

Based on your previous posts I was under the impression that the ftp server was internal & behind nat... So if you want to access external ftp with passive data connection, all connection will be from in to out-side. Then you don't need dst-nat to internal network. The masq in place will be enou...
by sebastia
Thu Jan 03, 2019 12:21 pm
Forum: General
Topic: PPPoE Rate Limiting / Shaping
Replies: 2
Views: 308

Re: PPPoE Rate Limiting / Shaping

Hey

Combining limiting & classification can get very complicated fast. If the two could be split on multiple levels, it would be more manageable: ex shaping on ccr & classification+prio decentralised.
See: https://www.youtube.com/watch?v=loaVBWq6cWA https://splynx.com/3474/mikrotik-bandwidth-manager/
by sebastia
Thu Jan 03, 2019 9:59 am
Forum: General
Topic: cAP AC VLAN Switching - Hardware Offload
Replies: 2
Views: 306

Re: cAP AC VLAN Switching - Hardware Offload

Hello

The block diagram for cap ac is available: https://i.mt.lv/cdn/rb_files/cAP_ac-180525112621.png

There you'll notice that the two bands are independent and any communication needs to go through cpu.
by sebastia
Thu Jan 03, 2019 2:19 am
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 1237

Re: Passive FTP to outside FTP Server

So to reiterate:
* the ftp server is behind nat/firewall
* dst-nat rule to forward 21 to ftp server is in place on nat/firewall
* forward rule is in place on nat/firewall to accept new_established_related traffic to ftp server
Could you try this:
#Filter
add action=accept chain=forward connection-st...
by sebastia
Wed Jan 02, 2019 11:34 pm
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 1237

Re: Passive FTP to outside FTP Server

You mentioned "server is trying to communicate back", that's an active data connection. Passive is when the client initiates the data connection. So the direction is opposite for active & passive. Another problem of ftp: security. Have you considered using scp (ssh copy) for file transfers? Since th...
by sebastia
Wed Jan 02, 2019 9:13 pm
Forum: Beginner Basics
Topic: Good documentation for R11e-LTE ?
Replies: 14
Views: 1727

Re: Good documentation for R11e-LTE ?

It's on the linked page: Cell monitor https://wiki.mikrotik.com/wiki/Manual:I ... ll_Monitor
by sebastia
Wed Jan 02, 2019 8:03 pm
Forum: Beginner Basics
Topic: Basic VLAN setup
Replies: 2
Views: 308

Re: Basic VLAN setup

Hi

It's possible, but not recommended. The cpu of CRS226 is not fast enough for routing duties.
by sebastia
Wed Jan 02, 2019 7:49 pm
Forum: Scripting
Topic: Fetch via proxy
Replies: 5
Views: 668

Re: Fetch via proxy

If the proxy can be set up as a transparent proxy (can be done www.google.be/search?q=3proxy+transparent+proxy ), then a tunnel/vpn to remote vps should do the trick. You'll need to disable the authentication, as that requires browser support, and only allow traffic from vpn, so it can't be abused remot...
by sebastia
Wed Jan 02, 2019 7:34 pm
Forum: General
Topic: About bridge vlan (and bridge vlan filtering)
Replies: 2
Views: 268

Re: About bridge vlan (and bridge vlan filtering)

Hi

I don't immediately see issues.

Just a thought, since you're using the first router as "dumb" switch, why bother defining the vlans on bridge / vlan filtering. With vlan filtering, you lose hw-offloading on hex.
Further, I guess you would want the mgmt interface/ip on first, but also 'data' ip?
by sebastia
Wed Jan 02, 2019 7:11 pm
Forum: General
Topic: Hacked Board
Replies: 15
Views: 1663

Re: Hacked Board

But if it's 6.43.x how can it be exploited as to my knowledge there are no open security bugs?
by sebastia
Wed Jan 02, 2019 5:52 pm
Forum: Scripting
Topic: Fetch via proxy
Replies: 5
Views: 668

Re: Fetch via proxy

No detail about the proxy so hard to tell, but transparent proxy should just work if traffic is directed it's way.
by sebastia
Wed Jan 02, 2019 5:06 pm
Forum: Scripting
Topic: Fetch via proxy
Replies: 5
Views: 668

Re: Fetch via proxy

Hey

Policy based routing: "for specific ip go that route". Define a routing rule for the ip in question and make sure you have an additional routing table for proxy.
under /ip route & /ip route rule
by sebastia
Wed Jan 02, 2019 1:58 pm
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 1237

Re: Passive FTP to outside FTP Server

Hey

Do you have the ftp helper in /ip firewall service ports enabled?
With that helper the data connection would be classified as "related" and allowed by firewall rules. Normally you wouldn't need the explicit rules for ftp-data.
by sebastia
Wed Jan 02, 2019 12:54 pm
Forum: General
Topic: My firewall block dns\ntp\google- can someone see why?
Replies: 11
Views: 952

Re: My firewall block dns\ntp\google- can someone see why?

Can internal clients access say google? I would be surprised, as it's not allowed now in the rules. There is the added "accept est&rel" in forward, but there's no initial accept for new connections from lan. Correction: the deny on forward is linked to public network, rest (ex from lan) is accepted i...
by sebastia
Wed Jan 02, 2019 12:38 am
Forum: Beginner Basics
Topic: OVPN Help .... 2 tunnels
Replies: 6
Views: 486

Re: OVPN Help .... 2 tunnels

Hey

It should be possible, just make sure you have the proper routes defined. Mikrotik doesn't support route push, so there are two options: make ovpn default route or add route for garage network over ovpn tunnel.
by sebastia
Tue Jan 01, 2019 5:34 pm
Forum: General
Topic: My firewall block dns\ntp\google- can someone see why?
Replies: 11
Views: 952

Re: My firewall block dns\ntp\google- can someone see why?

I meant the requests, not replies. I'm guessing the dns & ntp will be coming from the router: since there is no limit on output & input allows established&related, that should work
forwarding currently allows only the cam1, cam2 & repeater. rest is blocked.
suggest you allow there:
1. forward establ...
by sebastia
Tue Jan 01, 2019 3:31 pm
Forum: Beginner Basics
Topic: Bridges across 4011
Replies: 14
Views: 900

Re: Bridges across 4011

Hey
* STP will indeed result in cpu processing https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading
* VLAN filtering will also result in cpu processing, but do you need it? you could just make sure the right vlan is untagged...
The limitation is the "cable failover" ...
by sebastia
Tue Jan 01, 2019 2:54 pm
Forum: General
Topic: My firewall block dns\ntp\google- can someone see why?
Replies: 11
Views: 952

Re: My firewall block dns\ntp\google- can someone see why?

where are your dns/ntp/google connections coming from? clients on network or firewall? Anyhow, you should be allowing "established, related" connections before you block all... and I don't see that for forward. You probably want to allow connections from inside network to internet => in forward fro...
by sebastia
Tue Jan 01, 2019 4:42 am
Forum: Scripting
Topic: ":put" problem in scripting [SOLVED]
Replies: 4
Views: 730

Re: ":put" problem in scripting [SOLVED]

:put outputs in the current session, but since the script is run in a separate thread with its own environment, the output won't be visible.
If you were to call on it from a shell you have open, it will output: "/system script run script1"
Another option: use :log
by sebastia
Mon Dec 31, 2018 2:41 pm
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 3890

Re: Redirect requests from HTTPS

I dug a bit further into it, and there is no way to tell the HTTPS client to connect to different login url first, what I thought was happening. So what current solutions end up doing is destination natting. That will naturally trigger SSL warning in the browser. Some browsers, provide a solution he...
by sebastia
Mon Dec 31, 2018 3:26 am
Forum: General
Topic: Feature request: Include Wanproxy to wireless systems
Replies: 3
Views: 701

Re: Feature request: Include Wanproxy to wireless systems

Since most of the traffic online is encrypted nowadays, compression is not possible.
by sebastia
Mon Dec 31, 2018 2:00 am
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 3890

Re: Redirect requests from HTTPS

If a TCP connection request for 4.3.2.1:443 (=yourdomain.com) (state=new and all following) is redirected to say 1.2.3.4:443, which is mydomain.com, with a cert validated by root certificate authority for that ip, how can the browser complain about presented data? Explain that to me? Please don't co...
by sebastia
Mon Dec 31, 2018 1:47 am
Forum: Beginner Basics
Topic: CAKE or other network algorithms to be used?
Replies: 4
Views: 1123

Re: CAKE or other network algorithms to be used?

What CoDel & Cake offer is "automatic" classification and scheduling of traffic on up/down-load. Unfortunately the "automatic" part is not "magic": it relies on connection meta-data and packet prioritisation flags (DSCP). The last condition is where it hurts: few applications actually use these... ...
by sebastia
Mon Dec 31, 2018 12:48 am
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 3890

Re: Redirect requests from HTTPS

You both are talking about different things: @Jotne: this involves wildcard certs installed on client, and allows a proxy to decrypt and verify traffic. It's indeed used @companies. @R1CH: you're thinking about taking over an already setup and running ssl session. And that IS NOT what is being asked...
by sebastia
Sun Dec 30, 2018 9:32 pm
Forum: Beginner Basics
Topic: Bridges across 4011
Replies: 14
Views: 900

Re: Bridges across 4011

Why not keep things as simple as possible?
* 1 bridge on both 4011, linked together. The linkage would be of the sfp+ (and optionally eth1). If over both, the bridges on both sides would need to have stp enabled to handle the loop: sfp+->eth1->sfp+.
* multiple vlans on that bridge with different ass...
by sebastia
Sun Dec 30, 2018 8:43 pm
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 3890

Re: Redirect requests from HTTPS

The linked wiki page and numerous articles on-line disagree with you...
by sebastia
Sun Dec 30, 2018 1:05 pm
Forum: Beginner Basics
Topic: Bridges across 4011
Replies: 14
Views: 900

Re: Bridges across 4011

Hey

A thought: why not use a single bridge with STP enabled, as you have loops, and multiple vlans, across the two devices? The sfpplus/eth1 would become trunk linking them both.
1. that's just routing setup (how to get to specific network) and optional firewall forward limitations you may want (how...
by sebastia
Sun Dec 30, 2018 11:14 am
Forum: Wireless Networking
Topic: wAP LTE Kit International APN problem [SOLVED]
Replies: 24
Views: 6128

Re: wAP LTE Kit International APN problem [SOLVED]

Support mentioned: "To upgrade the firmware your LTE connection should be active as the upgrade happens over LTE network - it will download approx 5.5MB firmware file."
by sebastia
Sun Dec 30, 2018 3:01 am
Forum: General
Topic: reset mikrotik password
Replies: 2
Views: 267

Re: reset mikrotik password

Sad news: it can't be done...
Your best path: netinstall it with same version and restore the backup.
If you have the export of configuration, you could netinstall with latest version and reapply configuration.
by sebastia
Sat Dec 29, 2018 11:53 pm
Forum: The User Manager
Topic: How Hide the DNS?
Replies: 2
Views: 593

Re: How Hide the DNS?

Please clarify your goal, as it's unclear (to me).
by sebastia
Sat Dec 29, 2018 11:21 pm
Forum: Beginner Basics
Topic: Issues with PCC load balancing [SOLVED]
Replies: 2
Views: 405

Re: Issues with PCC load balancing [SOLVED]

Hi

These are incompatible:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

/ip firewall mangle
...
Fast-tracked connections don't get mangled.

Conclusion: PCC & Fast-track can't be used together
by sebastia
Sat Dec 29, 2018 12:49 pm
Forum: General
Topic: dnat on ouput chain
Replies: 4
Views: 415

Re: dnat on ouput chain

No, only external traffic entering router will pass through preroute.
by sebastia
Sat Dec 29, 2018 1:22 am
Forum: General
Topic: Redirect requests from HTTPS
Replies: 13
Views: 3890

Re: Redirect requests from HTTPS

Hi

Not sure what is supported on v5. On current release I would advise you have a look at hotspot. It redirects http & -s depending on what is allowed. Basically to redirect https, you would need a ssl enabled server with valid / recognised cert (by clients certificate store).
by sebastia
Sat Dec 29, 2018 12:52 am
Forum: General
Topic: dnat on ouput chain
Replies: 4
Views: 415

Re: dnat on ouput chain

I agree with you, can't be done.
Another option: do port forwarding on the target system
by sebastia
Sat Dec 29, 2018 12:42 am
Forum: General
Topic: Could you provide some info about simple queues?
Replies: 2
Views: 344

Re: Could you provide some info about simple queues?

Hey

have a look at https://wiki.mikrotik.com/wiki/Manual:Queue
and here https://www.youtube.com/watch?v=loaVBWq6cWA

you have option of using simple queues (w/o hierarchy)
by sebastia
Sat Dec 29, 2018 12:24 am
Forum: Beginner Basics
Topic: measure bandwidth from me to some domains
Replies: 3
Views: 267

Re: measure bandwidth from me to some domains

A function on MT (and other routers) to send meta data on traffic passing router to some central server.
See https://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
by sebastia
Fri Dec 28, 2018 4:28 pm
Forum: Beginner Basics
Topic: Firewall is blocking FORWARDING? WHY??
Replies: 9
Views: 730

Re: Firewall is blocking FORWARDING? WHY??

With regards to your first post:
rule 0: was accepting already established connections
rule 2: was rejecting any new connections

second post: you need to select the type of protocol such as udp or tcp to be able to select which port to use. Port is meaningless for icmp, for example.
by sebastia
Fri Dec 28, 2018 3:50 pm
Forum: General
Topic: how to drop udp attack without port in mikrotik?
Replies: 3
Views: 494

Re: how to drop udp attack without port in mikrotik?

UDP is a port oriented protocol just like tcp. These may be invalid packets / spoofed or just not reported.
by sebastia
Fri Dec 28, 2018 1:17 pm
Forum: Scripting
Topic: IFUP/IFDOWN Trigger ?
Replies: 2
Views: 420

Re: IFUP/IFDOWN Trigger ?

Could be simulated with netwatch, not exactly same but ...
by sebastia
Fri Dec 28, 2018 12:44 pm
Forum: General
Topic: The "output" chain and VRFs/routing marks
Replies: 4
Views: 1564

Re: The "output" chain and VRFs/routing marks

Correct, route markings in output chain for locally generated traffic will be taken into account in the "route adjustment", last phase of output chain, as mentioned.
by sebastia
Fri Dec 28, 2018 2:44 am
Forum: Beginner Basics
Topic: RB2011 slow internet even with fasttrack
Replies: 99
Views: 14876

Re: RB2011 slow internet even with fasttrack

2011 is not as fast as 4011, but with the suggested change it can do much better.
by sebastia
Fri Dec 28, 2018 2:02 am
Forum: Beginner Basics
Topic: RB2011 slow internet even with fasttrack
Replies: 99
Views: 14876

Re: RB2011 slow internet even with fasttrack

Hey

I'm guessing the test was for forwarded traffic? And I'm hoping the test was not over wifi?!? And also not over the 100mbit ports? Any cpu usage data?
Do note that the gbit switch is connected over 1gbit line: so max you'll be able to do is 500 up + down = 1gbit total
Block diagram: https://i.mt...
by sebastia
Fri Dec 28, 2018 1:54 am
Forum: Beginner Basics
Topic: measure bandwidth from me to some domains
Replies: 3
Views: 267

Re: measure bandwidth from me to some domains

Hey

One possibility I think of, is to use net flow data to account for total volume from these mentioned domains. But to prove that it's your ISP and not somewhere uplink that packet drops happen... not easy. Maybe if you could detect / observe a clearly arbitrary and artificial limit on bandwidth...
by sebastia
Fri Dec 28, 2018 1:46 am
Forum: General
Topic: QoS for VoIP without routing
Replies: 7
Views: 526

Re: QoS for VoIP without routing

With 10mbit upload, not a lot is needed to fill it...

But you could give it a try: see https://www.youtube.com/watch?v=6eeYac5xBrE
by sebastia
Fri Dec 28, 2018 12:21 am
Forum: General
Topic: QoS for VoIP without routing
Replies: 7
Views: 526

Re: QoS for VoIP without routing

Hi

For QoS to function properly, one needs to control the full data stream. Controlling only wired and not the wireless, doesn't make sense. Illustration: suppose that upload will be shaped to 95% of upload bandwidth with priority for VoIP. All is good, until wireless upload bandwidth is added whic...
by sebastia
Thu Dec 27, 2018 2:18 pm
Forum: General
Topic: How to make outgoing WAN use a specified public IP, when two blocks IPs are assigned to the same interface?
Replies: 7
Views: 535

Re: How to make outgoing WAN use a specified public IP, when two blocks IPs are assigned to the same interface?

Yes, it covers both scenarios. No, no issues. No need for port part, auto managed. Probably not, just forwarding the received packets to router down the line. 22. are all local either on your router or on direct link, hence reachable. "22.22.100.158" would need to be a router to forward the traffic ...
by sebastia
Thu Dec 27, 2018 4:01 am
Forum: General
Topic: How to make outgoing WAN use a specified public IP, when two blocks IPs are assigned to the same interface?
Replies: 7
Views: 535

Re: How to make outgoing WAN use a specified public IP, when two blocks IPs are assigned to the same interface?

You're to use the range of ip's assigned to you. Since that range is fixed, use src-nat instead of masq. and one of the ip's at hand.
And that for both forwarded and local traffic.
by sebastia
Thu Dec 27, 2018 3:23 am
Forum: General
Topic: How to make outgoing WAN use a specified public IP, when two blocks IPs are assigned to the same interface?
Replies: 7
Views: 535

Re: How to make outgoing WAN use a specified public IP, when two blocks IPs are assigned to the same interface?

Normally this is an ISP appliance communicating within ISP internal network only. It won't use clients ip's. Since you got them merged ...you can have scenario where client communication would originate from that merged point. What about src-nat-ing the outgoing traffic from the router only? The for...
by sebastia
Thu Dec 27, 2018 3:08 am
Forum: General
Topic: How to make outgoing WAN use a specified public IP, when two blocks IPs are assigned to the same interface?
Replies: 7
Views: 535

Re: How to make outgoing WAN use a specified public IP, when two blocks IPs are assigned to the same interface?

The "pref source" can be defined on the default route too, but I'm not sure if that will do the trick.
by sebastia
Thu Dec 27, 2018 2:45 am
Forum: Beginner Basics
Topic: Relay a subnet, not being part of it
Replies: 18
Views: 864

Re: Relay a subnet, not being part of it

Glad to hear that you went with my first recommendation.

For future requests, please state your requirements & constraints clearly...
by sebastia
Thu Dec 27, 2018 2:38 am
Forum: General
Topic: Strange internet issue with Sony TV
Replies: 9
Views: 597

Re: Strange internet issue with Sony TV

Is your tv going over the torguard vpn connection? Current setup is relying on mangling for route selection, BUT once it's fasttracked mangling can't be applied and connection will die...
Some other remarks:
* "local-forwarding=no" intentional? all traffic needs to go through capsman
* "/interface d...
by sebastia
Thu Dec 27, 2018 2:08 am
Forum: General
Topic: pptp server/client
Replies: 3
Views: 238

Re: pptp server/client

If you have control over the MT routers AND there is no ip range clash, you could simply add routes to all relevant networks to all MT routers. That would be the best approach not requiring any additional natting. It's best to work with network ranges, so it will work for more than one pc/ip
by sebastia
Thu Dec 27, 2018 12:45 am
Forum: General
Topic: slow file transfer rates between vlans on RB750Gr3 6.43.7
Replies: 13
Views: 886

Re: slow file transfer rates between vlans on RB750Gr3 6.43.7

FYI: you're hitting the hardware limitations with that, see block diagram
Depending on which interface, you might not surpass 50MB, if both are on same 1gb/s link.
by sebastia
Thu Dec 27, 2018 12:35 am
Forum: General
Topic: pptp server/client
Replies: 3
Views: 238

Re: pptp server/client

Hi

Do you nat the traffic going over the vpn? If there is no nat, how is the other end going to know where to send the reply?
Either they need to have your internal ip range in their routing tables or you should nat the traffic.
by sebastia
Wed Dec 26, 2018 11:59 pm
Forum: General
Topic: Strange internet issue with Sony TV
Replies: 9
Views: 597

Re: Strange internet issue with Sony TV

Please list your configuration (/export hide-sensitive compact) so it's clear what config you've got.

FYI: based on your description, sounds like a config issue.
by sebastia
Wed Dec 26, 2018 4:11 pm
Forum: General
Topic: help understanding firewall rules
Replies: 2
Views: 359

Re: help understanding firewall rules

It's a port knocking scheme based on the length of ping packets, based on which ip's are added to the allowed list.
by sebastia
Wed Dec 26, 2018 3:12 am
Forum: RouterBOARD hardware
Topic: SXT LTE kit antenna [SOLVED]
Replies: 3
Views: 572

Re: SXT LTE kit antenna [SOLVED]

As I've understood it, the kit can be used with one SIM at a time, even though there are two slots available. One can easily switch between SIMs, but not use two at the same time.
by sebastia
Tue Dec 25, 2018 1:52 pm
Forum: Beginner Basics
Topic: user interface -> lan-bridge -> another-bridge2 -> wlan interface [SOLVED]
Replies: 9
Views: 643

Re: user interface -> lan-bridge -> another-bridge2 -> wlan interface [SOLVED]

It only makes sense to fasttrack heavy traffic, and that one needs to be accounted in queues, not make them impossible to use. This can be done already (and I'm doing it in my configs). Only mark bulk traffic as fast-tracked. Any traffic of value goes the normal / "full" / "slow" path, with full co...
by sebastia
Tue Dec 25, 2018 1:23 pm
Forum: Beginner Basics
Topic: VLAN hell - NOOB :)
Replies: 3
Views: 506

Re: VLAN hell - NOOB :)

Hi

Congrats on your purchase.

Your intent is not entirely clear to me:
* "all ports of CRS are bridged on all ports": do you intent for all ports to behave like trunk ports?
* "eth15 and eth16 get ip in the range 192.168.50.0/24": should these be access ports for some specific VLAN tag?
by sebastia
Tue Dec 25, 2018 4:34 am
Forum: Wireless Networking
Topic: Google Chromecast
Replies: 4
Views: 1071

Re: Google Chromecast

Thx for sharing!
by sebastia
Tue Dec 25, 2018 4:18 am
Forum: Beginner Basics
Topic: user interface -> lan-bridge -> another-bridge2 -> wlan interface [SOLVED]
Replies: 9
Views: 643

Re: user interface -> lan-bridge -> another-bridge2 -> wlan interface [SOLVED]

Hi

The queue tree attached to an interface will see only traffic linked to the declared packet marks. So if you mark a packet as say "internal" and there is no class for it in the queue tree, it will not be accounted. BUT, fasttracked packets bypass (most of the time) mangling and hence will have no mar...
by sebastia
Tue Dec 25, 2018 4:06 am
Forum: Beginner Basics
Topic: VNC Port Forward [SOLVED]
Replies: 2
Views: 781

Re: VNC Port Forward [SOLVED]

Hi

This shouldn't be too hard: if you're running (close to) default config, just define a dst-nat rule in the NAT table, dstnat chain. In the filter table, forward chain, there should be a rule to allow all "new & dstnat" connections. If that filter rule is not there, add it or add one specific for your ca...
by sebastia
Mon Dec 24, 2018 12:44 pm
Forum: Beginner Basics
Topic: Relay a subnet, not being part of it
Replies: 18
Views: 864

Re: Relay a subnet, not being part of it

"I mean R1 should be able to relay the subnet 192.168.0.0/24 without having an IP part of it." Above is not correct: a router needs to be addressable by clients on that subnet, so it could relay traffic. Why don't you setup the R1 & R2 as wireless AccessPoints? that's basically wireless bridges. You...
by sebastia
Mon Dec 24, 2018 11:44 am
Forum: Beginner Basics
Topic: Relay a subnet, not being part of it
Replies: 18
Views: 864

Re: Relay a subnet, not being part of it

A bridge / switch will relay any packet it receives, independent of its IP configuration. You can assign an IP to the switch/bridge belonging to one of the subnets passing through so you can manage the router. What do you mean by "relaying a different subnet"? There is only one: 192.168.0/24. But...
by sebastia
Mon Dec 24, 2018 7:17 am
Forum: General
Topic: Adblocking with address lists
Replies: 4
Views: 601

Re: Adblocking with address lists

You're correct, OpenDNS doesn't do it. I did a quick search and got the impression they did, in error.
by sebastia
Mon Dec 24, 2018 7:13 am
Forum: Beginner Basics
Topic: Relay a subnet, not being part of it
Replies: 18
Views: 864

Re: Relay a subnet, not being part of it

Hey

I'm wondering why it has to be so complicated? Remove R1 & R2, or make them function as bridges.
If I understood right, what you're after is a single broadcast domain for the PCs, so just make it one.

                           /<--> (PC-1, PC-2, ...)
Internet <--> GW <--> Sw <--
                           \<--> (PC-3, PC-4, ...)

PS: /30 is not po...
by sebastia
Mon Dec 24, 2018 6:55 am
Forum: General
Topic: slow file transfer rates between vlans on RB750Gr3 6.43.7
Replies: 13
Views: 886

Re: slow file transfer rates between vlans on RB750Gr3 6.43.7

Hi Sebastia, I thought if one had only one bridge HW offloading did work??
Correct, but it also depends on functions used. Some of these bridge functions can be done in hardware (as listed on wiki) and others can be only achieved by software.
by sebastia
Mon Dec 24, 2018 6:51 am
Forum: Scripting
Topic: Action Timed Out only on startup, not subsequent runs of script
Replies: 4
Views: 978

Re: Action Timed Out only on startup, not subsequent runs of script

Hey

I think that the IP stack may not be ready yet when this script is run, either internally or externally.
by sebastia
Sun Dec 23, 2018 10:34 pm
Forum: Forwarding Protocols
Topic: How listen to local forward traffic on the bridge?
Replies: 1
Views: 406

Re: How listen to local forward traffic on the bridge?

Hi

Which tool do you use to listen? If the packet sniffer, configure it to listen on the actual interface.
by sebastia
Sun Dec 23, 2018 9:45 pm
Forum: Beginner Basics
Topic: pptp over pptp
Replies: 1
Views: 189

Re: pptp over pptp

Hi

It's just a question of your PC knowing how to reach the .5. network.
Is PPTP to 951 taking over all traffic? So is 951 becoming the default gw/route?
If so: then no need to change anything at the PC.
If no: you'll need to add a routing entry for .5. to go over the link to 951.
Similar story at 951: does...
by sebastia
Sun Dec 23, 2018 9:39 pm
Forum: General
Topic: Wishlist for the new version of RB2011
Replies: 1
Views: 227

Re: Wishlist for the new version of RB2011

Hey

In my opinion 2011 is EOL -> no more development. A direct replacement is available: 4011.
by sebastia
Sun Dec 23, 2018 9:35 pm
Forum: General
Topic: Mikrotik IPSEC VPN with no WAN <SOLVED>
Replies: 10
Views: 409

Re: Mikrotik IPSEC VPN with no WAN

Can you disable DHCP on the main router? Your internal LAN range is fixed anyway; have the DHCP server active on the MT.
by sebastia
Sun Dec 23, 2018 9:34 pm
Forum: General
Topic: Adblocking with address lists
Replies: 4
Views: 601

Re: Adblocking with address lists

Hey

I think doing it on MT directly will be very inefficient, performance & accuracy wise.
Why don't you try:
* OpenDNS allows blocking ads
* proxy (other than MT) with ad blocking enabled
* on client, ex Opera does it out of the box
by sebastia
Sun Dec 23, 2018 9:20 pm
Forum: General
Topic: Mikrotik IPSEC VPN with no WAN <SOLVED>
Replies: 10
Views: 409

Re: Mikrotik IPSEC VPN with no WAN

Another option: have MT as default gw, and have it forward to FIOS/main router if needed
by sebastia
Sun Dec 23, 2018 9:09 pm
Forum: General
Topic: Should MikroTik make more powerful antennas and wireless protocols in 2019?
Replies: 19
Views: 1610

Re: Should MikroTik make more powerful antennas and wireless protocols in 2019?

I think it all depends on company's vision, what it wants to achieve / represent, and also business cases for each of the solutions, how big a market is there for it and how much will it cost in R&D. Technically it is just a matter of priority, right knowledge (which you can hire if necessary) & eff...
by sebastia
Sun Dec 23, 2018 8:58 pm
Forum: General
Topic: Mikrotik IPSEC VPN with no WAN <SOLVED>
Replies: 10
Views: 409

Re: Mikrotik IPSEC VPN with no WAN

SRC: 192.168.1.20 DST: 192.168.1.10 DATA: TCP SYN/ACK
-> typo here? target should be ".2.10"
You seem to have somewhere NAT translation active with that forwarding. You'll need to disable that and then it will work fine.
SRC: 192.168.1.1 DST: 192.168.2.10 DATA: HTTP Response
The strange part is, if ...
by sebastia
Sun Dec 23, 2018 8:38 pm
Forum: General
Topic: slow file transfer rates between vlans on RB750Gr3 6.43.7
Replies: 13
Views: 886

Re: slow file transfer rates between vlans on RB750Gr3 6.43.7

(FYI: RB750Gr3 uses the MT7621 switch chip which doesn't support hardware offloading for VLAN filtering: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading. Enabling VLAN filtering will result in CPU processing.) Your VLANs are all linked to a single interface, hence I...
by sebastia
Sun Dec 23, 2018 7:46 pm
Forum: General
Topic: Mikrotik IPSEC VPN with no WAN <SOLVED>
Replies: 10
Views: 409

Re: Mikrotik IPSEC VPN with no WAN

Sure, but what did you mean by "that kinda works but not exactly"?
by sebastia
Sun Dec 23, 2018 7:32 pm
Forum: General
Topic: Mikrotik IPSEC VPN with no WAN <SOLVED>
Replies: 10
Views: 409

Re: Mikrotik IPSEC VPN with no WAN

Hi

You mentioned "Main Router to kick traffic back to the Mikrotik and that kinda works but not exactly".

Would you mind elaborating, as this could be the easiest approach.
by sebastia
Sun Dec 23, 2018 7:28 pm
Forum: General
Topic: under attack in port 32231? - help
Replies: 25
Views: 1820

Re: under attack in port 32231? - help

Hey

Your default policy on public interfaces should be to block ALL and only allow what you need. To maximally protect the open ports (=> "what you need" from above), one could limit access based on source. Another option is to implement "port knocking": only allow connection after specific sequenc...
by sebastia
Sun Dec 23, 2018 3:01 pm
Forum: Wireless Networking
Topic: redundant wireless ship-to-shore
Replies: 1
Views: 225

Re: redundant wireless ship-to-shore

Hi

Sure, two routers with both communication channels connected to them (900MHz & 5GHz) and redundant route entries would do the trick.
by sebastia
Sun Dec 23, 2018 2:57 pm
Forum: General
Topic: Blocking WebRTC
Replies: 1
Views: 359

Re: Blocking WebRTC

Hi

Found a link on wikipedia to this: https://tools.ietf.org/html/draft-jesup ... rotocol-00
You might be able to block RTC by blocking its underlying transport layer.
by sebastia
Sun Dec 23, 2018 2:43 pm
Forum: General
Topic: slow file transfer rates between vlans on RB750Gr3 6.43.7
Replies: 13
Views: 886

Re: slow file transfer rates between vlans on RB750Gr3 6.43.7

Hi

It would help to post your config: /export hide-sensitive compact
by sebastia
Mon Dec 17, 2018 11:30 pm
Forum: Beginner Basics
Topic: Winbox stuck logging in
Replies: 9
Views: 3394

Re: Winbox stuck logging in

Some thoughts:
Is the winbox service enabled?
Is the firewall filter input allowing connections on the designated port?
Does the user have rights to log in using winbox?
by sebastia
Mon Dec 17, 2018 11:07 pm
Forum: General
Topic: Ipcloud two Mikrotik
Replies: 9
Views: 760

Re: Ipcloud two Mikrotik

"action=dst-nat chain=dstnat dst-port=8292 in-interface=ether1 protocol=tcp to-addresses=192.168.1.30"
* that's the port forward

* have you checked the firewall filter table and forward chain?

* and lastly, does the target device (192.168.1.30) allow connections on the 8292 port in filter input?
by sebastia
Sun Dec 16, 2018 10:31 pm
Forum: General
Topic: Unreachable host through IPSec tunnel
Replies: 4
Views: 393

Re: Unreachable host through IPSec tunnel

Don't know what protocol is being used. It may be on top of tcp, but still have some application specific level parameters transmitted within tcp payload. These will not be corrected by src-nat-ing... Do you know how the client is connecting to server? Record with wireshark maybe... so that you can ...
by sebastia
Sun Dec 16, 2018 5:06 pm
Forum: General
Topic: Unreachable host through IPSec tunnel
Replies: 4
Views: 393

Re: Unreachable host through IPSec tunnel

Try with small things:
* does the ping work locally and remotely?
* are there any connection logs on that server?
* is there any firewall on that server? Is it filtering local traffic only?
* not set / wrong default gateway at the server?
by sebastia
Sun Dec 16, 2018 4:06 pm
Forum: General
Topic: Ipcloud two Mikrotik
Replies: 9
Views: 760

Re: Ipcloud two Mikrotik

Hi

You should take care of the following:
* make dst-nat rule to port-forward traffic from first MT to "repeater"
* ensure that this forwarded traffic is allowed in first MT (with default config should be ok, as there all dst-nat-ed traffic is allowed)
* allow the incoming connection on the "repeater" MT
by sebastia
Sun Dec 16, 2018 1:26 pm
Forum: General
Topic: 2 NAT masquerade
Replies: 11
Views: 967

Re: 2 NAT masquerade

Would you mind listing your config "/export hide-sensitive compact"?
by sebastia
Sun Dec 16, 2018 12:36 pm
Forum: General
Topic: winbox problem
Replies: 1
Views: 272

Re: winbox problem

Hey

have you changed your winbox app config to connect on the changed port (44344)?

Future advice: when exporting config do "/export hide-sensitive compact" so that your authentication data is not exported (ex: Kr____34)
by sebastia
Sun Dec 16, 2018 12:27 pm
Forum: General
Topic: IPSec fragmentation issue
Replies: 1
Views: 274

Re: IPSec fragmentation issue

MTU is an OS-level configuration at the webserver. Make sure you follow OS-specific instructions to configure that.
by sebastia
Sun Dec 16, 2018 12:23 pm
Forum: General
Topic: Adding variable to the Web proxy redirection URL
Replies: 2
Views: 353

Re: Adding variable to the Web proxy redirection URL

Hey

Why not just "Your MAC is not yet registered. Please log in to save the new MAC address."

The registration is on another page, so the info will be lost anyway and needs to be input by user...
by sebastia
Sun Dec 16, 2018 11:57 am
Forum: Scripting
Topic: Need some directions in how to simplify this hughe script
Replies: 3
Views: 525

Re: Need some directions in how to simplify this hughe script

Hey

you can create the name dynamically, ex: {:local i 10; :local port "ether$i"; :put $port;} => ether10
by sebastia
Sun Dec 16, 2018 2:57 am
Forum: General
Topic: 2 NAT masquerade
Replies: 11
Views: 967

Re: 2 NAT masquerade

In short: disable that rule "add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24" and try
by sebastia
Sun Dec 16, 2018 12:25 am
Forum: General
Topic: 2 NAT masquerade
Replies: 11
Views: 967

Re: 2 NAT masquerade

Not sure what that is supposed to do? LAN-to-LAN doesn't (normally) pass through the firewall.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
With "dst-address=!192.168.88.1 dst-address-type=local" you're trying to dynamically determine t...
by sebastia
Sat Dec 15, 2018 11:39 pm
Forum: General
Topic: slicing bandwidth
Replies: 2
Views: 270

Re: slicing bandwidth

Hi

Have a look at this post: viewtopic.php?f=2&t=142733#p703147
by sebastia
Sat Dec 15, 2018 11:35 pm
Forum: General
Topic: 2 NAT masquerade
Replies: 11
Views: 967

Re: 2 NAT masquerade

If your server is addressable using the ISP1 IP, then set up hairpin NAT for that IP. If through the second, then hairpin for the second. If both, then for both.
by sebastia
Sat Dec 15, 2018 4:23 pm
Forum: Beginner Basics
Topic: Basic ROUTING [SOLVED]
Replies: 9
Views: 1002

Re: Basic ROUTING [SOLVED]

Might be possible, I wondered about RP-filtering, but that should be ok.
You'll need to allow traffic in filter / forward from LAN to LAN
by sebastia
Sat Dec 15, 2018 3:30 pm
Forum: Beginner Basics
Topic: Web filter for Childs
Replies: 7
Views: 856

Re: Web filter for Childs

This is what I do. If you use the Mikrotik DHCP server just make a static DHCP lease for the MAC address of the iPad from Santa:
/ip dhcp-server lease add address=10.0.0.123 mac-address=AA:BB:CC:DD:EE:FF
/ip firewall nat add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=10.0.0.123 to-addresses...
by sebastia
Sat Dec 15, 2018 2:12 pm
Forum: General
Topic: High CPU load 70+ on queueing alone.
Replies: 8
Views: 840

Re: High CPU load 70+ on queueing alone.

Hey

Just a thought: as it is right now each child queue needs to borrow from parent for each and every packet. If limit-at (& max-limit) were defined, queues could work "internally" most of time and maybe reduce cpu usage?
Do keep in mind that sum of limit-at of children <= Max limit of parent
by sebastia
Fri Dec 14, 2018 6:55 pm
Forum: RouterBOARD hardware
Topic: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions
Replies: 10
Views: 1321

Re: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions

try using only eth5, eth6, eth7, eth8, sfp and sfp+; these interfaces have direct and independent access to the CPU, and using these interfaces improves performance
A nice tip, given the diagram https://i.mt.lv/cdn/rb_files/CCR1009-8G ... 140835.png
by sebastia
Fri Dec 14, 2018 6:49 pm
Forum: Beginner Basics
Topic: Basic ROUTING [SOLVED]
Replies: 9
Views: 1002

Re: Basic ROUTING [SOLVED]

I was afraid you might say that. Right now clients are directly connected to both routers: MT & Cisco. And it's actually them that should make the decision...based on their internal routing tables. It's still possible to route traffic from Client over MT to Cisco, but will require src-nat-ing each c...
by sebastia
Fri Dec 14, 2018 5:04 pm
Forum: Beginner Basics
Topic: Basic ROUTING [SOLVED]
Replies: 9
Views: 1002

Re: Basic ROUTING [SOLVED]

This can be done in the /ip route package:
* "certain IP from my network gets redirected": src based routing rule or mangling
* "whomever from my network access a certain ip": normal route definition with distance < default gw (0.0.0.0/0) or routing rule similar to above or mangling for the "routing rule"...
by sebastia
Fri Dec 14, 2018 1:38 pm
Forum: Beginner Basics
Topic: How can i make my Lan stable (low ping latency) when my internet bandwidth is fully utilized
Replies: 2
Views: 362

Re: How can i make my Lan stable (low ping latency) when my internet bandwidth is fully utilized

Hi

Do you mean to give priority to LAN traffic to/from the internet over the hotspot traffic? If so, what is needed is queueing, https://wiki.mikrotik.com/wiki/Manual:Queue. There are two options: "Simple Queue" & Queue tree. The first is incompatible with FastTrack (a method for optimisation of traffic processi...
by sebastia
Fri Dec 14, 2018 1:30 pm
Forum: RouterBOARD hardware
Topic: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions
Replies: 10
Views: 1321

Re: CCR1009-8G-1S-1S+ Can't get more than 350-450 Mbps single session, can get more with multiple sessions

Hey

That's the limitation of hardware / design. CCR has 9 cores, and some functionality can be spread over them, but not all can be used by a single session, as you've noticed. As you have also noticed, with multiple sessions you do get the advertised speed. Default config is the most performant one...
by sebastia
Fri Dec 14, 2018 1:09 pm
Forum: General
Topic: 2 NAT masquerade
Replies: 11
Views: 967

Re: 2 NAT masquerade

Have a look at this thread: viewtopic.php?f=2&t=142614&p=703175#p703175

You'll need:
* separate routing table for the other pppoe
* mangle (be careful with fasttrack in that case, as in the linked thread) or routing rule to push traffic over it
by sebastia
Fri Dec 14, 2018 12:58 pm
Forum: General
Topic: Slow internet speed in Hotspot
Replies: 15
Views: 1505

Re: Slow internet speed in Hotspot

If you could provide your config, some observations could be made
by sebastia
Thu Dec 13, 2018 9:07 pm
Forum: Beginner Basics
Topic: Noob Questions for 2 KM PTP and LHG LTE KIT
Replies: 7
Views: 1003

Re: Noob Questions for 2 KM PTP and LHG LTE KIT

that I can answer / point you to: https://i.mt.lv/cdn/rb_files/antenas-160404123306.pdf
=> they are interoperable, but their "reach" won't be same
by sebastia
Thu Dec 13, 2018 9:01 pm
Forum: General
Topic: ipv4 neighbor table overflow
Replies: 6
Views: 1792

Re: ipv4 neighbor table overflow

that log message needs to be corrected :-D

just googled max-nei... => https://wiki.mikrotik.com/wiki/Manual:IP/Settings => ARP table setting

Since you increased it without effect and the actual sizes are nowhere near the limit -> support ticket
by sebastia
Thu Dec 13, 2018 5:30 pm
Forum: General
Topic: ipv4 neighbor table overflow
Replies: 6
Views: 1792

Re: ipv4 neighbor table overflow

Hi
Do you even use it? Just disable altogether...
by sebastia
Thu Dec 13, 2018 4:16 pm
Forum: General
Topic: Performance impact L7 matcher
Replies: 1
Views: 288

Re: Performance impact L7 matcher

I can make an (educated) guess ;-), but unless you try / test it we ;-) won't know for sure
by sebastia
Thu Dec 13, 2018 3:58 pm
Forum: Beginner Basics
Topic: Noob Questions for 2 KM PTP and LHG LTE KIT
Replies: 7
Views: 1003

Re: Noob Questions for 2 KM PTP and LHG LTE KIT

sorry I've little experience with wireless links...
by sebastia
Thu Dec 13, 2018 3:54 pm
Forum: Beginner Basics
Topic: Mikrotik reserving some of my bandwith and I don't want that
Replies: 18
Views: 1492

Re: Mikrotik reserving some of my bandwith and I don't want that

Before you were only using the internal switch of the Mikrotik, and that will be at "wire-speed" -> theoretical speed of gigabit ethernet.

In default config, there is no queuing enabled, so no reserved bandwidth.

(and you already have fasttrack enabled)
by sebastia
Thu Dec 13, 2018 3:35 pm
Forum: Beginner Basics
Topic: Mikrotik reserving some of my bandwith and I don't want that
Replies: 18
Views: 1492

Re: Mikrotik reserving some of my bandwith and I don't want that

The default (out of the box) configuration is the best you can get for a normal SOHO environment. The test you performed was a "single connection" test which doesn't utilise all of the available hardware (read CPUs). In normal usage, with multiple devices using the internet, you will be able to get ...
by sebastia
Thu Dec 13, 2018 3:21 pm
Forum: General
Topic: new version 6.42.10(long-term) get high cpu usage after 5 days
Replies: 4
Views: 431

Re: new version 6.42.10(long-term) get high cpu usage after 5 days

And so starts the chase ;-). External source (under "attack") or internal (ex broadcast storm or loop in network)?
by sebastia
Thu Dec 13, 2018 3:19 pm
Forum: Beginner Basics
Topic: Noob Questions for 2 KM PTP and LHG LTE KIT
Replies: 7
Views: 1003

Re: Noob Questions for 2 KM PTP and LHG LTE KIT

With regards to the LTE link, check with providers in your area where their masts are: distance and strength. Which mast do they advise you to use? Position them on the map so you'll know where to point your LTE antenna to. And of course the higher you can put it the better.
by sebastia
Thu Dec 13, 2018 3:11 pm
Forum: General
Topic: Using queues to limit maximum bandwidth (NOT TO EXCEED)
Replies: 14
Views: 1755

Re: Using queues to limit maximum bandwidth (NOT TO EXCEED)

If you take a look at https://wiki.mikrotik.com/wiki/Manual:Queue, you'll notice that there are two ways to limit/shape traffic: "simple queue" & queue tree. With simple queues one needs to define limits for all targets. With queue tree, usually attached to interface one needs to account for all cla...
by sebastia
Thu Dec 13, 2018 2:24 pm
Forum: General
Topic: IPv6 routing with several interfaces [SOLVED]
Replies: 3
Views: 823

Re: IPv6 routing with several interfaces [SOLVED]

Short answer: not.

Policy based routing is not implemented yet for IPv6. A todo...

Fix: don't accept default route from current provider....
by sebastia
Thu Dec 13, 2018 2:14 pm
Forum: General
Topic: HEX S and hardware IPSEC
Replies: 5
Views: 930

Re: HEX S and hardware IPSEC

The quoted throughput is bidirectional, so concurrent up/download. You would also need to optimise ip stack, such as mtu.
In other words, you're quite close with 160mbps in one way.
by sebastia
Thu Dec 13, 2018 2:10 pm
Forum: General
Topic: Shaper / policer
Replies: 3
Views: 439

Re: Shaper / policer

Hey

have a look at https://wiki.mikrotik.com/wiki/Manual:Queue
and here https://www.youtube.com/watch?v=loaVBWq6cWA

You have the option of using simple queues (w/o hierarchy) or queue tree (w/o hierarchy).
by sebastia
Thu Dec 13, 2018 12:29 pm
Forum: General
Topic: firewall is pushing the cpu
Replies: 23
Views: 1933

Re: firewall is pushing the cpu

"tune (=reduce) conn tracking timeouts" is only relevant if you want to do connection tracking. Do you? If yes: you could reduce the timeout timing, so that connections are cleaned up sooner. Ex: "TCP established timeout" /ip firewall connection tracking settings Further make sure FastTrack rule is ...
by sebastia
Thu Dec 13, 2018 12:15 pm
Forum: General
Topic: new version 6.42.10(long-term) get high cpu usage after 5 days
Replies: 4
Views: 431

Re: new version 6.42.10(long-term) get high cpu usage after 5 days

What did the CPU profiler tell you? Where was that 100% load coming from?
by sebastia
Thu Dec 13, 2018 12:10 pm
Forum: General
Topic: Manage two internet connection - No load balancing needed
Replies: 11
Views: 814

Re: Manage two internet connection - No load balancing needed

That's likely a hardware limitation; if you take a look at the block diagram https://i.mt.lv/cdn/rb_files/RB2011UiAS-160620170308.png, total bandwidth from CPU to the 1gb switch is 1gb, so you're very close to it. And for NATting you need to pass over the CPU, so that's your limitation. If you want the "last drop", ...