Search found 9923 matches

by sindy
Sun Mar 05, 2023 7:58 pm
Forum: General
Topic: Router Advertisement leakage across VLANs
Replies: 23
Views: 2400

Re: Router Advertisement leakage across VLANs

From my understanding, vlan tags are not sent over WiFi, right? They are, but I am not sure (shame on me) whether there is a standard for it or whether Mikrotik has implemented that in a proprietary way. I only know it wasn't there, say, 7 years ago and the manual was recommending to use VPLS when ...
by sindy
Sun Mar 05, 2023 2:35 pm
Forum: General
Topic: Router Advertisement leakage across VLANs
Replies: 23
Views: 2400

Re: Router Advertisement leakage across VLANs

The whole thing is (almost) never due to bugs in switches/bridges, so it's not clear why we are still discussing it in this forum?
Maybe because people run into that issue, google it up, find this topic, and don't read my post #4 :D
by sindy
Fri Feb 24, 2023 10:42 pm
Forum: General
Topic: QoS
Replies: 17
Views: 3027

Re: QoS

First, I am a bit confused about your in-interface=out-interface matching. If out-interface is the name of the WAN interface, then this rule can only match on the response packets from the server, and I hazily remember the server name in plaintext is in the request packet from the client. Second, th...
by sindy
Wed Feb 22, 2023 8:11 pm
Forum: General
Topic: Wireguard: how to access to SMB active on RouterOS?
Replies: 16
Views: 962

Re: Wireguard: how to access to SMB active on RouterOS?

May be that SMB is expecting a connection from 172.20.1.1 and not 172.20.1.2? Nope. This shows the IP address of the connecting client, not of the SMB server (the router) itself. If you can afford it temporarily, remove bridge from the list of interfaces in the SMB settings and try with wireguard1 ...
by sindy
Sun Feb 19, 2023 11:18 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 119
Views: 20154

Re: Split traffic then merge [SOLVED]

I'm afraid it is actually unrelated. Being out of RAM could be related (although it usually causes a reboot quite soon), being out of file space is not really likely. What often happens is that after reboot of the initiator or some NATing router on the path between the initiator and the responder, t...
by sindy
Mon Feb 06, 2023 9:58 am
Forum: General
Topic: How to access Mikrotik behind Starlink (CGNAT) [SOLVED]
Replies: 48
Views: 2559

Re: How to access Mikrotik behind Starlink (CGNAT)

@Amm0, if you want MITM protection (and I do know why I mention it) when using SSTP, you must use a certificate at least at server side, which requires importing of the CA certificate to each client; if you plan to enable also access from the client sites to the core network, you should generate an ...
by sindy
Fri Feb 03, 2023 11:21 pm
Forum: General
Topic: How to access Mikrotik behind Starlink (CGNAT) [SOLVED]
Replies: 48
Views: 2559

Re: How to access Mikrotik behind Starlink (CGNAT)

Or use a script to pull the IP from a webpage every xx mins/hours. I'm not sure what the purpose should be? If it was enough to have command line access to the remote Tiks, the Telegram solution alone would be sufficient (but I fully agree with @Amm0's remark regarding its fragility). But the OP w...
by sindy
Fri Feb 03, 2023 7:58 pm
Forum: General
Topic: How to access Mikrotik behind Starlink (CGNAT) [SOLVED]
Replies: 48
Views: 2559

Re: How to access Mikrotik behind Starlink (CGNAT)

@vitaly2016, forget about Surfshark. Surfshark and other similar services are called VPN because they use the same technologies like "real" VPNs, but their purpose is different. Even though you have an own router with a public address, in your case, spawning a virtual Mikrotik somewhere in...
by sindy
Fri Feb 03, 2023 6:21 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

I'm not sure we are on the same page. First, we don't discuss the case where there is no NAT and you can use dynamic routing protocols to advertise your subnets to multiple neighbors - we are dealing with the "home power user" scenario where there is one or multiple layers of NAT between e...
by sindy
Wed Jan 25, 2023 8:59 pm
Forum: Beginner Basics
Topic: Using fasttrack with mangle
Replies: 13
Views: 1149

Re: Using fasttrack with mangle

You cannot use matching on tls-host to affect routing because if NAT is involved (which is your case), all packets of the same TCP session must take the same route, so the "final" (and only) route has to be chosen already for the initial packet of that session whereas the TLS host informat...
by sindy
Mon Jan 23, 2023 5:37 pm
Forum: Beginner Basics
Topic: Using fasttrack with mangle
Replies: 13
Views: 1149

Re: Using fasttrack with mangle

The statistics show that you have marked 6 outgoing connections and translated the connection-mark to routing-mark for them, but it doesn't show any responses to come via ether1. So what are the routes and nat rules? I.e. did those 6 initial packets leave via ether1, and did they get src-nated to i...
by sindy
Sun Jan 22, 2023 8:58 pm
Forum: Beginner Basics
Topic: New to Microtik, need some help
Replies: 9
Views: 1304

Re: New to Microtik, need some help

You should have opened a new topic rather than piggy-backing on one with a loosely related title. I need Safe Mode to remotely enter the MAC Addresses of the CPEs that can associate with the Access Point so as to make it impossible for clients that are not on that list to associate. How can I use Safe Mo...
by sindy
Wed Jan 18, 2023 11:12 am
Forum: Beginner Basics
Topic: Using fasttrack with mangle
Replies: 13
Views: 1149

Re: Using fasttrack with mangle

connection-state=!new is missing from this rule, because it already has connection-state=established,related
Yes, sorry, I don't know where I was looking. I'll go through that again later today.
by sindy
Tue Jan 17, 2023 9:35 pm
Forum: Beginner Basics
Topic: Using fasttrack with mangle
Replies: 13
Views: 1149

Re: Using fasttrack with mangle

Current mangle:
The very first mangle rule shadows all the subsequent ones, so no connection-mark is ever assigned. I assume connection-state=!new is missing in that rule?
by sindy
Tue Jan 17, 2023 9:17 pm
Forum: General
Topic: Port Forwarding Broken?
Replies: 5
Views: 393

Re: Port Forwarding Broken?

I rewrote the DST-NAT rules and removed the filter rules as follows, with my public IP address where it says "my_public_ip" in the dst-nat rules. I assumed my wan ip for my router is my public IP. It's not clear from what you have posted so far whether your Mikrotik has a public IP direct...
by sindy
Tue Jan 17, 2023 12:01 am
Forum: General
Topic: Port Forwarding Broken?
Replies: 5
Views: 393

Re: Port Forwarding Broken?

In both your dst-nat rules, dst-address (match condition) is the same as to-addresses (parameter of the dst-nat action), and dst-port is the same as to-ports , so the rules effectively do nothing. Correct rules should say something like dst-address=wan.ip.of.the.router dst-port=44695 action=dst-...
by sindy
Sun Jan 15, 2023 3:32 pm
Forum: Beginner Basics
Topic: Can't communicate across bridges
Replies: 6
Views: 463

Re: Can't communicate across bridges

I cannot spot anything in the configuration that would block the traffic between the subnets, so the reason can be either a bug in RouterOS 7.5 or the behaviour of the devices in the two subnets. How do you test that they can "communicate"? E.g. the default setting of Windows firewall bloc...
by sindy
Fri Jan 13, 2023 6:52 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 4472

Re: Switch ACL to restrict IP usage [SOLVED]

If you really need the topmost rule for IP packets from 10.153.4.2 to work, it is a bug. Even the fact that you could add dst-address without specifying mac-protocol=ip is not nice, but I hesitate to call it a bug. If you want to restrict traffic towards the customer address, you can add rules match...
by sindy
Wed Jan 11, 2023 9:10 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 4472

Re: Switch ACL to restrict IP usage [SOLVED]

Try adding ports=ether2 switch=switch1 mac-protocol=arp anywhere before the last rule, does it make a difference?
by sindy
Mon Jan 09, 2023 7:50 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

Still nothing?
by sindy
Mon Jan 09, 2023 6:28 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

That's exactly the address I've used - I've copied this new one to the search field for "recipient", removed the extra text (" then you get an "etc.), and it has found the message I've sent.

The title of the message was "from the mikrotik forum".
by sindy
Mon Jan 09, 2023 6:16 pm
Forum: General
Topic: HEX (RB750Gr3) VPN choice
Replies: 8
Views: 1265

Re: HEX (RB750Gr3) VPN choice

RouterOS doesn't handle CRLs automatically by default:
[me@MyTik] > certificate settings print
crl-download: no
crl-use: no
crl-store: ram

You have to set both crl-download and crl-use to yes.
by sindy
Mon Jan 09, 2023 6:11 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

Just for the case, I have sent you an e-mail and got nothing back, neither an error nor a response - maybe I have deciphered your e-mail address wrong?
by sindy
Sun Jan 08, 2023 10:58 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

routing bgp instance set 0 routing-table=""
by sindy
Sun Jan 08, 2023 10:05 pm
Forum: Beginner Basics
Topic: Two different internet connection on Ether1 and Ether2
Replies: 2
Views: 198

Re: Two different internet connection on Ether1 and Ether2

1) Can I specify which device that connected to wlan use Ether1 or Ether2 as internet connection? For example my cellphone use Ether1 and my laptop use Ether2. Yes. You can use dedicated SSIDs as @anav suggests, or you can use the hotspot functionality of Mikrotik or the WPA2-enterprise authenticat...
by sindy
Sun Jan 08, 2023 9:50 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

OK, let's try then. First, remove routing-mark=hamnet from the /routing bgp instance row - I still think it is strange that your 44.../28 subnet gets advertised to the peer when this routing-mark is in place. Next, add the following three routes: /ip route add dst-address=44.0.0.0/9 gateway=gre09 ad...
by sindy
Sun Jan 08, 2023 8:38 pm
Forum: General
Topic: Assumptions about NAT correct?
Replies: 4
Views: 291

Re: Assumptions about NAT correct?

Your assumptions are correct - only the initial packet of each connection is handled by the rules in the NAT table. The final outcome of this treatment is stored in the context of that connection, and the corresponding NAT operations are then repeated on every subsequent packet of that connection as...
by sindy
Sun Jan 08, 2023 8:28 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

that's why I googled if I could somehow post a more complete configuration. Have you ever noticed the contents of my automatic signature :) ? From here, there are two significantly different paths depending on how you want to deal with the response traffic in connections that come from the internet...
by sindy
Sun Jan 08, 2023 5:22 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

I suspect you want to know about traffic from and to the router. therefore here are the results of different tracerts so that the exact problem will hopefully become clear. It wasn't immediate, but OK. What happens is that you have configured BGP to add the routes into routing table hamnet , but yo...
by sindy
Sun Jan 08, 2023 4:43 pm
Forum: Beginner Basics
Topic: L2TP issues PLEASE Assist
Replies: 2
Views: 254

Re: L2TP issues PLEASE Assist

Definitely show the export of the configuration, and the exact row from the log regarding the "could not determine local ip address", as it is not clear whether it is indeed related to PPPoE, and if it is, whether L2TP is relevant to that error at all. What steps do you have to take to make...
by sindy
Sun Jan 08, 2023 4:26 pm
Forum: Beginner Basics
Topic: dhcp sync in HA mode
Replies: 4
Views: 284

Re: dhcp sync in HA mode

The DHCP implementation of Mikrotik is quite smart, so if you run two DHCP servers on the same L2 segment, they can work simultaneously without interfering with each other. Before leasing an address, the server checks whether the address doesn't respond to pings, so if one of them assigns an address...
by sindy
Sun Jan 08, 2023 4:07 pm
Forum: General
Topic: Internet TAX In Mikrotik [SOLVED]
Replies: 1
Views: 356

Re: Internet TAX In Mikrotik [SOLVED]

Not all of the traffic is forwarded between the pppoe interfaces and the bridge. On ether7, you should see the IP traffic from hosts connected to the bridge towards the internet with some PPPoE overhead (so if there was only this traffic between the bridge hosts and the internet, ether7 out would sh...
by sindy
Sun Jan 08, 2023 3:58 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

What about the other parts, i.e. the access to 44.137.83.64/28 from the internet and the export of the complete configuration?
by sindy
Sat Jan 07, 2023 9:41 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

- 44.137.83.64/28 is one hamnet ip ranche. where 44.137.83.65 to 44.137.83.69 are reachable both via the internet and via hamnet ... what do I ultimately want to have as an end goal. - that I can serve both to the internet and to hamnet addresses via my local network (lan). - that I can make port f...
by sindy
Sat Jan 07, 2023 6:48 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

this may not work and outgoing traffic will still be blocked. ... if I do a trace to eg: 44.137.0.1 then I get a nice response from mikrotik itself but the rest just time outs. Post the complete configuration. the ip address is also not viewable via the 44 network while it works from the outside. a...
by sindy
Sat Jan 07, 2023 5:31 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

the question still remains how can I ensure that traffic from network 192.168.200.0/24 or one LAN network is hidden so that hamnet (the 44.x network) does not see one's local IP address, but only the address of the router. For that, you need a src-nat rule: /ip firewall nat add chain=srcnat out-int...
by sindy
Wed Jan 04, 2023 8:31 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

I'm running into 2 problems. both are dhcp related and they appear as i have followed sindy der advices from post: Sun Jan 01, 2023 8:45 pm. That's strange. For IP(v4), DHCP is hooked "closer to the wire" than the firewall, so neither the handling of DHCP responses of the server on ether1...
by sindy
Tue Jan 03, 2023 8:57 pm
Forum: General
Topic: HEX (RB750Gr3) VPN choice
Replies: 8
Views: 1265

Re: HEX (RB750Gr3) VPN choice

The only question I still have with l2tp - whether it's possible to authenticate server side with certificates? So to make client sure it connects to the right place. Because configuration of l2tp has PSK, while no ideas whether it can check remote certificate. It is possible, but you have to confi...
by sindy
Sun Jan 01, 2023 10:32 pm
Forum: Beginner Basics
Topic: NordVPN client ipsec mikrotik
Replies: 13
Views: 791

Re: NordVPN client ipsec mikrotik

Thanks. I thought that with vpn i can use the ip cloud of mikrotik. There is not possibility of use it for connect to ipcamera from external ? The "ip cloud" is just a DNS server - it resolves the fqdn of your router to the public IP from which it has received the update message. But it...
by sindy
Sun Jan 01, 2023 10:05 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

I have now created 2 rules at nat to open the ports of the proxmox https web interface on 1 external ip address. I don't have much experience running bare metal in public DCs so I have no idea about the network topology. How is the management interface of the Proxmox connected to the internet, if i...
by sindy
Sun Jan 01, 2023 9:30 pm
Forum: Beginner Basics
Topic: NordVPN client ipsec mikrotik
Replies: 13
Views: 791

Re: NordVPN client ipsec mikrotik

I have other problem. How i can use the vpn for see the ipcamera from internet ? If you have in mind this NordVPN tunnel, I would suppose it is not possible unless you can agree with NordVPN to dedicate one of their public IP addresses for you. The src-nat rule shows they have assigned you a privat...
by sindy
Sun Jan 01, 2023 8:45 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

That's what I was afraid of. Unlike the SOHO-grade devices, the CHR has no firewall rules by default because it is assumed that only people who know something about networking use it. And your CHR not only runs on a public IP but it even acts as a gateway to another network, so you shouldn't have ev...
by sindy
Sun Jan 01, 2023 7:54 pm
Forum: General
Topic: Hide ip addresses on gre tunnel
Replies: 33
Views: 1777

Re: Hide ip addresses on gre tunnel

Before even getting to the topic, what are the firewall rules of your CHR? Ideally, export the configuration and post it after obfuscating all public IP addresses, serial number, and any logins to external services.
by sindy
Sun Jan 01, 2023 7:27 pm
Forum: Beginner Basics
Topic: NordVPN client ipsec mikrotik
Replies: 13
Views: 791

Re: NordVPN client ipsec mikrotik

OK, so this rule added when the VPN comes up doesn't care about out-interface and thus it src-nats any connections from addresses matching the address list local to addresses not matching it, and after the src-nat operation, the packets start matching the IPsec policy so they get redirected to the I...
by sindy
Sun Jan 01, 2023 7:00 pm
Forum: Beginner Basics
Topic: NordVPN client ipsec mikrotik
Replies: 13
Views: 791

Re: NordVPN client ipsec mikrotik

After enable VPN i can't ping device of LAN 2. Can you show me the output of /ip firewall nat print where dynamic ? Can you configure the same VPN on the second RB951 for resolve the problem ? Of course you can configure the same VPN if you have another NordVPN account or if you can connect twice u...
by sindy
Sun Jan 01, 2023 6:10 pm
Forum: Beginner Basics
Topic: NordVPN client ipsec mikrotik
Replies: 13
Views: 791

Re: NordVPN client ipsec mikrotik

Do you have any solution for whis problem of speed ? Yes, replace the 951G by something that supports IPsec in hardware and has a decent CPU. You can make the fasttrack rule selectively ignore traffic that becomes IPsec payload (which is what the default firewall rules do), but your configuration s...
by sindy
Sun Jan 01, 2023 5:06 pm
Forum: General
Topic: How to setup dual internet on v6.47.9 on RB4011iGS
Replies: 4
Views: 285

Re: How to setup dual internet on v6.47.9 on RB4011iGS

can i do it with software or better automatically? Yes, sure you can (although I don't get what is the exact difference between "in software" and "automatically" :) ). As @BartoszP states, there are lots of topics on this here on the forum - e.g. this one . But if you use some U...
by sindy
Sun Jan 01, 2023 3:36 pm
Forum: Beginner Basics
Topic: NordVPN client ipsec mikrotik
Replies: 13
Views: 791

Re: NordVPN client ipsec mikrotik

Before digging any deeper, disable the rule action=fasttrack-connection chain=forward connection-state=established,related in /ip firewall filter and try the connection again.
by sindy
Sun Jan 01, 2023 3:28 pm
Forum: General
Topic: MTU oddness with WireGuard and maybe VLANs
Replies: 3
Views: 712

Re: MTU oddness with WireGuard and maybe VLANs

I do not understand why fragmentation is such a big problem For two reasons. The first one is intrinsic - if a router receives a packet that doesn't fit into the MTU of the outgoing interface, it has to send it as two or more fragments. For all the subsequent routers on the path to the destination,...
by sindy
Sun Jan 01, 2023 2:15 pm
Forum: General
Topic: fasttrack question
Replies: 5
Views: 583

Re: fasttrack question

#4 and #5 are after (below) #3, so they cannot prevent packets from reaching #3. The smaller number of matches on #3 than on #1 is caused by the fact that as compared to #1, the #3 additionally matches on ether1.
by sindy
Sun Jan 01, 2023 2:12 pm
Forum: General
Topic: dedicated server isp subnet 255.255.255.255 problem
Replies: 11
Views: 707

Re: dedicated server isp subnet 255.255.255.255 problem

now let's see if I can convert it to a static address I would avoid that - if for some reason Strato changes the IP address they want to assign, you will lose connectivity if the CHR won't adjust to that. so that I can also assign my 2nd ip address because it wants the same mac address as the prima...
by sindy
Sun Jan 01, 2023 12:48 pm
Forum: General
Topic: fasttrack question
Replies: 5
Views: 583

Re: fasttrack question

action=fasttrack-connection is not a final verdict, i.e. a match on that rule does not terminate processing of the packet in the firewall chain, just like action=passthrough or action=log don't. This action just sets the flag in the connection context in the conntrack module so that most subse...
by sindy
Sun Jan 01, 2023 12:28 pm
Forum: General
Topic: dedicated server isp subnet 255.255.255.255 problem
Replies: 11
Views: 707

Re: dedicated server isp subnet 255.255.255.255 problem

I'm not familiar with Proxmox, but in general you cannot have multiple interfaces with the same MAC address in an L2 network as the bridges/switches dynamically learn through which port a given MAC address is reachable - once they receive a frame from a given MAC address, they send frames for that M...
by sindy
Sun Jan 01, 2023 11:56 am
Forum: Beginner Basics
Topic: Out of box line speed or fastrak\fastpath?
Replies: 2
Views: 243

Re: Out of box line speed or fastrak\fastpath?

1. fasttracking is a special behaviour of the firewall. Its purpose is to reduce the CPU load caused by firewall processing by skipping some steps of that processing for some packets. So with firewall processing (including NAT) completely disabled, the throughput is always better than with fasttrack...
by sindy
Sun Jan 01, 2023 11:06 am
Forum: General
Topic: dedicated server isp subnet 255.255.255.255 problem
Replies: 11
Views: 707

Re: dedicated server isp subnet 255.255.255.255 problem

It is OK that an ARP ping to an own IP address gives a timeout. But if even an ARP ping to the IP address of the gateway gives a timeout, something is wrong with the network. Please elaborate on the "I have cloned the mack address from the host to the router": do you use x86 (bare metal) o...
by sindy
Sun Jan 01, 2023 10:57 am
Forum: Beginner Basics
Topic: NordVPN client ipsec mikrotik
Replies: 13
Views: 791

Re: NordVPN client ipsec mikrotik

Referring to tutorials (i.e. how it should be done) is useless. Post the export of your configuration (how it is actually done) when it doesn't work. Open a command line window (using the [New Terminal] button in Winbox or [Terminal] in WebFig, type /export hide-sensitive file=somename , press Enter...
by sindy
Sun Jan 01, 2023 10:04 am
Forum: General
Topic: dedicated server isp subnet 255.255.255.255 problem
Replies: 11
Views: 707

Re: dedicated server isp subnet 255.255.255.255 problem

and a ping to 85.214.48.1 returns
0 timeout
1 timeout
2 85.214.62.188 time 982 replay 78 ttl 64 host unreachable
Was it mere ping or the ARP ping as I've suggested (ping 85.214.62.188 arp-ping=yes interface=ether1)?
by sindy
Sat Dec 31, 2022 11:51 pm
Forum: General
Topic: dedicated server isp subnet 255.255.255.255 problem
Replies: 11
Views: 707

Re: dedicated server isp subnet 255.255.255.255 problem

There is nothing wrong about having a gateway IP address outside the subnet of the own address as such, but the rest of the configuration must correspond to that. What is the output of /ip dhcp-client print detail and of /ip address print on the Mikrotik? Can you ping the 85.214.48.1 from the router...
by sindy
Sat Dec 31, 2022 10:38 pm
Forum: Beginner Basics
Topic: Recursive routing using LTE
Replies: 5
Views: 420

Re: Recursive routing using LTE

So for case 2., you have to cheat. The address and route added dynamically look as follows: [me@myTik] > ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK INTERFACE ... 2 D 100.111.95.31/32 100.111.95.31 lte1 [me@myTik] > ip route print Flags: X - disabled, A - active,...
by sindy
Sat Dec 31, 2022 8:48 pm
Forum: Beginner Basics
Topic: Recursive routing using LTE
Replies: 5
Views: 420

Re: Recursive routing using LTE

If I did want to get the recursive routing working, how would I go around it, perhaps it will help others that come across the same issue That's the second part of my post... but there are several ways how RouterOS adds the LTE address and default route. What I have seen so far was 1. a DHCP client...
by sindy
Sat Dec 31, 2022 8:17 pm
Forum: Beginner Basics
Topic: CHR image on HyperV - network interfaces?
Replies: 9
Views: 771

Re: CHR image on HyperV - network interfaces?

Is that a Private network switch? You can move all of them to internal networks (even all three into the same one) for a test, but I don't think it is related. I can switch the interfaces between networks and it doesn't make them disappear from the CHRs. I suppose you have already tried to add anot...
by sindy
Sat Dec 31, 2022 7:46 pm
Forum: Beginner Basics
Topic: Recursive routing using LTE
Replies: 5
Views: 420

Re: Recursive routing using LTE

Unless there is some traffic that has to prefer the LTE uplink even when the wired one is available, the easiest way is to simply not monitor the LTE. If it fails, there is nothing you could do anyway. If you indeed need to monitor the transparency of the LTE uplink, you have to use a scheduled scri...
by sindy
Sat Dec 31, 2022 7:32 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

but i disable all routing rules and everything seems to work fine, is it really necessary to add them ? The only reason to add the routing rules is that the router itself would respond to incoming requests from the internet using the proper uplink. This basically boils down to pinging it from the i...
by sindy
Sat Dec 31, 2022 6:14 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

first problem : i cannot ping from the router itself and from LAN devices my 2 external public IP addresses given by my ISPs (from wan1 and wan2). The current routing rules say that whatever is sent from one of the WAN addresses must use one of the two ISPx_route tables, and these tables have no ro...
by sindy
Sat Dec 31, 2022 1:31 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

with no distance param in each route table != main. "no distance parameter" actually means distance=1 . All parameters have some value, but like with many other vendors, configuration export doesn't show parameters with default values unless explicitly asked to do so (using the verbose pa...
by sindy
Sat Dec 31, 2022 12:48 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

Are you sure that there is no need for this route to be recursive because in Anav guide and milkrotik help site, these exist and are recursive. Don't trust my opinion, trust mere logic: What is the purpose of the recursive routing in your case? To let the traffic use a backup path if the primary on...
by sindy
Sat Dec 31, 2022 11:40 am
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

/ip routing rule ———- is it necessary ???? ————— routing-mark=ISP1_route action=lookup table=main routing-mark=ISP2_route action=lookup table=main —————————————————- No, just remove these rules. And if i do this ... The route as unreachable Setting check-gateway to none should help, I hazily rememb...
by sindy
Sat Dec 31, 2022 11:09 am
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

/ip routing rule
src-address=own-IP-at-wan1 action=lookup table=ISP1_route
src-address=own-IP-at-wan2 action=lookup table=ISP2_route
by sindy
Sat Dec 31, 2022 10:54 am
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

In the ISP1_route table, there is no point to use the recursion to monitor the uplink state - this table is used for responses that must use wan1 and if wan1 doesn't work, sending those packets via wan2 won't help. So the default route in ISP1_route can use directly PrimaryISP-gatewayIP as gateway a...
by sindy
Sat Dec 31, 2022 8:26 am
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

Yes. Does your LTE backup have a public IP address? If not, you cannot get inbound connections on it, unless you create a tunnel through it to some external router that does have a public address. As for prerouting/output, the latter would be necessary to translate the connection mark to a routing m...
by sindy
Fri Dec 30, 2022 9:49 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

will work as expected, and is BETTER than the following flat : In your simple application, the nested approach is not better than the flat one, it is just different. In more complicated applications, the nested one becomes better because it makes the overall configuration simpler than the flat one....
by sindy
Fri Dec 30, 2022 9:42 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

In this case we use a fictitious _ ahhh this is what Sindy means by canary!! address to force the router to resolve it via two recursive routes. Nope. What @sindy means by canary is an address that is used as an indicator that the uplink is working all the way to the internet. The term is not mine,...
by sindy
Fri Dec 30, 2022 9:31 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

But, will I be able to join 8.8.8.8, 1.1.1.1. And 9.9.9.9 from wan2 ? No. You can use 8.8.4.4 instead of 8.8.8.8, 1.0.0.1 instead of 1.1.1.1, and 149.112.112.112 instead of 9.9.9.9 - same companies, different addresses. What does check-gateway arp and bfd ? arp means that ROS uses ARP protocol rath...
by sindy
Fri Dec 30, 2022 6:33 pm
Forum: Beginner Basics
Topic: New to Microtik, need some help
Replies: 9
Views: 1304

Re: New to Microtik, need some help

1) In the WinBox program only one of the SXT units appears when I am connected to it directly through my ethernet port. The other SXT does not appear. The howto you've referred to places both devices into the same bridge and assigns them addresses from the same subnet, so it should work. But the ho...
by sindy
Fri Dec 30, 2022 5:08 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

right ? Right. but i do not understand why you choose in your example to add a route to 8.8.8.255 ? Mostly to illustrate that there may be multiple levels of recursion and how they are related. But a typical approach when using multiple "canary addresses" looks as follows: dst-address=1.1...
by sindy
Fri Dec 30, 2022 4:46 pm
Forum: Beginner Basics
Topic: CHR image on HyperV - network interfaces?
Replies: 9
Views: 771

Re: CHR image on HyperV - network interfaces?

If so, try to use an older CHR image (7.2 or so) to create a new VM and add the NICs to it. If it succeeds that way, report a bug and upgrade the new CHR to 7.6. If it doesn't, I have no more ideas.
by sindy
Fri Dec 30, 2022 3:00 pm
Forum: Beginner Basics
Topic: CHR image on HyperV - network interfaces?
Replies: 9
Views: 771

Re: CHR image on HyperV - network interfaces?

You can have multiple virtual Ethernet interfaces on a free CHR, so the issue must be something else. Does the Hyper-V administration center currently show all three interfaces, but the CHR itself shows only one? Or have the ones you've added "disappeared" also in the Hyper-V administratio...
by sindy
Fri Dec 30, 2022 2:52 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

Could you please confirm that it is better to do this : dst-address=0.0.0.0/0 -> scope=30 Yes. dst-address=x.x.x.x/32 -> distance=3 I don't say that having the distance values of the /32 routes as you had them before is wrong; what I say is that it doesn't matter what those distance values are bec...
by sindy
Fri Dec 30, 2022 1:50 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

Do I have to check-gateway ping the failover wan too ? You don't exactly have to, but any backup solution is almost useless if it is not monitored - as it stays unused for months or even years, it may silently fail and when the primary one fails, the backup is not available. I prefer to use the Tel...
by sindy
Fri Dec 30, 2022 12:56 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

Is it correct ? The general idea is OK, but the implementation details are not. The purpose of scope and target-scope is to define the hierarchy of the routes for the recursive next-hop search or, in other words, to prevent looping. So set the scope of all the routes with dst-address=0.0.0.0/0 to...
by sindy
Thu Dec 29, 2022 8:34 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

Could you please confirm me the configuration in my context to make recursive routing work ? Sorry, I don't understand what you ask (and my French is really bad). Your current configuration doesn't contain anything related to recursive routing, so I cannot confirm anything. To make it work, you hav...
by sindy
Thu Dec 29, 2022 8:17 pm
Forum: General
Topic: Baffled with VLAN filtering not working on bridge!!
Replies: 15
Views: 721

Re: Baffled with VLAN filtering not working on bridge!!

No that's learned from port 11 But that highlights the issue... The sniff shows that a packet from SRC-MAC 90:E2:BA:85:31:81 to DST-MAC 78:FE:3D:A7:A7:C3 has arrived from outside to 11-TNSR2, so the DST-MAC 78:FE:3D:A7:A7:C3 should indeed be learned at 15, but it is not the case - your /interface b...
by sindy
Thu Dec 29, 2022 7:31 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

how to define a routing-table with ping command on ROS ? Oops... not possible in ROS 7 (hopefully it's a temporary state). So you'd have to use a routing rule matching on a src-address (the one attached to the wan in question) and specify a src-address as a parameter of the ping. In the export I ca...
by sindy
Thu Dec 29, 2022 7:20 pm
Forum: General
Topic: Baffled with VLAN filtering not working on bridge!!
Replies: 15
Views: 721

Re: Baffled with VLAN filtering not working on bridge!!

Does /interface bridge host print show 78:FE:3D:A7:A7:C3 as learned on port 15?
by sindy
Thu Dec 29, 2022 6:22 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

from another router (a custom archlinux based router), it works as expected and i have no issue at all. In both case, the adjacent router is the same. Why on mikrotik it does not work ? One possibility I can think of is that the ping with specification of interface works differently on the two oper...
by sindy
Thu Dec 29, 2022 4:54 pm
Forum: General
Topic: Flat Topology / Broadcasts leak to WAN (PPPoE)
Replies: 14
Views: 631

Re: Flat Topology / Broadcasts leak to WAN (PPPoE)

From your answer I assume L2-Broadcasts are being forwarded to the WAN without filtering? Hard to say, it mostly depends on how exactly the bridge mode of the particular ISP device works. Those I have seen kept communicating on the LAN IP address even after switching to bridge mode, which kind of m...
by sindy
Thu Dec 29, 2022 4:00 pm
Forum: General
Topic: modifying route distance dual wan
Replies: 48
Views: 2474

Re: modifying route distance dual wan

Just a suggestion for investigation, as I could only test part of it on a remote device I cannot afford to tamper with too much. If you specify an interface as a parameter of the ping command, RouterOS doesn't look for the best route out of those whose gateway interface is the specified one, but it ...
by sindy
Thu Dec 29, 2022 3:22 pm
Forum: General
Topic: Flat Topology / Broadcasts leak to WAN (PPPoE)
Replies: 14
Views: 631

Re: Flat Topology / Broadcasts leak to WAN (PPPoE)

When I had this issue (I wanted to switch the ISP device to bridge mode and still use it as a switch for the LAN), I had to use ACL rules on that device to prevent other than pppoe and pppoe-discovery frames from being forwarded between the WAN port and the rest. Of course not every ISP device allow...
by sindy
Thu Dec 29, 2022 10:32 am
Forum: General
Topic: L2TP VPN HP iLo 5 and 4 Ceases to Work After Roughly 1 Minute
Replies: 8
Views: 3517

Re: L2TP VPN HP iLo 5 and 4 Ceases to Work After Roughly 1 Minute

:) All the best in the new year :)
by sindy
Wed Dec 28, 2022 11:08 pm
Forum: General
Topic: Baffled with VLAN filtering not working on bridge!!
Replies: 15
Views: 721

Re: Baffled with VLAN filtering not working on bridge!!

Given that there's almost no traffic yet, I'd set hw=no for both ports, run /tool/sniffer/quick ip-address=10.192.1.121 and start pinging 10.192.1.121 to see whether the frames are dropped on the bridge (i.e. they ingress but don't egress) or whether the issue is external.
by sindy
Wed Dec 28, 2022 9:33 pm
Forum: General
Topic: Baffled with VLAN filtering not working on bridge!!
Replies: 15
Views: 721

Re: Baffled with VLAN filtering not working on bridge!!

Except for Cisco PVST+, BPDU frames are never tagged, and also the ingress filtering doesn't affect them - incoming BPDU frames do not ingress the bridge, they are "link local" ones. So yes, since you are sending BPDU, you may trigger a BPDU guard at the ISP side (but it is strange that the sa...
by sindy
Wed Dec 28, 2022 8:52 pm
Forum: General
Topic: Baffled with VLAN filtering not working on bridge!!
Replies: 15
Views: 721

Re: Baffled with VLAN filtering not working on bridge!!

Yes, the neighboring bridge may have its port disabled by STP. That's why I was asking regarding the monitor. What kind of device is the neighboring one?
by sindy
Wed Dec 28, 2022 8:33 pm
Forum: General
Topic: Baffled with VLAN filtering not working on bridge!!
Replies: 15
Views: 721

Re: Baffled with VLAN filtering not working on bridge!!

OK, and if you start pinging each other from devices connected to both ports (11, 15), what does /interface bridge host print where !local show?
by sindy
Wed Dec 28, 2022 8:04 pm
Forum: General
Topic: Baffled with VLAN filtering not working on bridge!!
Replies: 15
Views: 721

Re: Baffled with VLAN filtering not working on bridge!!

What do /interface bridge monitor bridge1 once and /interface bridge port monitor [find where bridge=bridge1] once show while the bridge does not pass traffic?
by sindy
Wed Dec 28, 2022 7:15 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

The rule assigning the routing mark SSTP is fine as it is - it is the last one in the prerouting chain, so no further rule can change its verdict, and all the previous rules in that chain that match on the same traffic and assign any routing mark have passthrough set to yes , so even if they match a...
by sindy
Wed Dec 28, 2022 6:28 pm
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD-IN - IPoE - SFP
Replies: 7
Views: 441

Re: RB4011iGS+5HacQ2HnD-IN - IPoE - SFP

As far as I understand about GPON, that is impossible. Am I right? Mikrotik has apparently withdrawn their own GPON SFP (the one you have found on their website) for overheating reasons, but there seem to be other SFPs that are in fact miniature GPON modems, except that their electrical interface f...
by sindy
Wed Dec 28, 2022 5:30 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

  • so my isp's ip stays visible for 5 minutes.
If the reconnection doesn't matter, it's indeed the only harm.

  • I corrected it above. It was a copy paste error.
OK. Since the rule assigning the routing mark SSTP is the last one, nothing can rewrite that routing mark.
by sindy
Wed Dec 28, 2022 4:47 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

the connection of the host remains unencrypted for that period but it's not a problem. Once the tunnel goes down, the remote server starts receiving packets coming from your local client with a different source address (the public IP from your ISP range instead of the public IP from the VPN server ...
by sindy
Wed Dec 28, 2022 4:25 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

Hm, so it means that something else happens when it fails "spontaneously". Only sniffing during a "spontaneous" failure can tell us more. But as you seem not to mind a 5 min. outage, the current version of the script may be a sufficient workaround? In any case, don't forget to re...
by sindy
Wed Dec 28, 2022 4:16 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

The good news is that the script of Amm0 modified with a delay of 300s between disable and enable works fine, this morning I found the vpn perfectly connected, but I don't find any traffic marked SSTP; in firewall --->connections, I have only connection mark wan 1 and wan2,(I have two wan of which ...
by sindy
Wed Dec 28, 2022 3:21 pm
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD-IN - IPoE - SFP
Replies: 7
Views: 441

Re: RB4011iGS+5HacQ2HnD-IN - IPoE - SFP

Is there an SFP in the Huawei box, or is its optical port integrated? Other than that, the Huawei setup shows that your ISP uses a VLAN to provide internet. QuickSet doesn't support this (yet?), so you'll have to use the advanced configuration methods. To give you the necessary commands, we'll need ...
by sindy
Wed Dec 28, 2022 10:51 am
Forum: General
Topic: L2TP VPN HP iLo 5 and 4 Ceases to Work After Roughly 1 Minute
Replies: 8
Views: 3517

Re: L2TP VPN HP iLo 5 and 4 Ceases to Work After Roughly 1 Minute

I've uploaded the pcap files in a zip file here if you want to take a look: OK, this time the Working one indeed shows some normal HTTPS conversations. What attracts attention is that the client sometimes terminates the TLS handshake with Alert Message Level: Fatal (2) Description: Certificate Unkn...
by sindy
Wed Dec 28, 2022 9:54 am
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

Ah, now it makes more sense. 37008 is the source port of the TZSP packets that are used to deliver the copies of the "real" packets across a routed network; the drop rule must match on the source TCP port of the SSTP transport packets the Mikrotik sends to the SSTP server. Whereas their de...
by sindy
Tue Dec 27, 2022 9:41 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

when I activate the firewall rule the capture doesn't stop. It is perfectly OK that the capture doesn't stop - all traffic keeps going, except the SSTP transport packets sent by the Mikrotik itself. Even the SSTP transport packets from the server that are not responses to ones sent by the Mikrotik ...
by sindy
Tue Dec 27, 2022 7:56 pm
Forum: Beginner Basics
Topic: VLAN Configuration without Bridge
Replies: 3
Views: 509

Re: VLAN Configuration without Bridge

Is there a reason I would still want a bridge in this case? No. To my understanding, I should be able to ping 172.16.50.3 (the IP on the VLAN interface on the CCR) from 172.16.50.103 (Linux PC) and vice-versa. Is this assumption correct? Yes. So, in short, what am I missing here? Hard to say. As th...
by sindy
Tue Dec 27, 2022 7:45 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

I started sniffing, filtered on ports 443 and 53 but for now wireshark didn't catch anything even if I tried to open https pages. By sniffing on sstp-out1 , you sniff the payload traffic of the tunnel - that's useless. You have to sniff the SSTP transport packets and the DNS traffic on the WAN inte...
by sindy
Tue Dec 27, 2022 6:29 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

I've never needed a script with SSTP– does automatically restart, just slowly as @sindy points out. By "slow" meaning a minute or so - not 10+ minutes. Actually, my experience is that it takes the server side those 10 minutes to give up on the connection if the client is really dead; the cl...
by sindy
Tue Dec 27, 2022 11:12 am
Forum: General
Topic: L2TP VPN HP iLo 5 and 4 Ceases to Work After Roughly 1 Minute
Replies: 8
Views: 3517

Re: L2TP VPN HP iLo 5 and 4 Ceases to Work After Roughly 1 Minute

Regarding the retransmissions, the timestamps and the mutual order of the packets strongly suggest that you haven't followed my recommendation to limit the sniffing to a single interface, so every packet made it to the sniff file three times - presumably from the L2TP interface, from the bridge inte...
by sindy
Mon Dec 26, 2022 8:34 pm
Forum: Beginner Basics
Topic: Strange issue with UDP traffic
Replies: 3
Views: 297

Re: Strange issue with UDP traffic

a way to diagnose strange bug ... winmtr, mikrotiks traceroute or pingplotter dont show abnormal behaviour Do you specify protocol=udp and port=ppp when running Mikrotik's traceroute ? As for diagnosing, run /tool sniffer at Mikrotik to see whether the delay is caused by the Mikrotik itself (I supp...
by sindy
Mon Dec 26, 2022 8:26 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

You mention LTE, now that can "stuck" and maybe the VPN is just a side-effect. The OP says that a manual restart of the SSTP helps, so it should not be caused by a frozen LTE. But if the enable=yes etc. doesn't work Surprisingly, /interface sstp-client enable xyz does restart the SSTP int...
by sindy
Mon Dec 26, 2022 4:23 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

Not enough brackets, you need :if ( (some expression) != "some value" ) do={some commands}
Because the complete command is something like :if condition=( (some expression) != "some value" ) do={some commands}
by sindy
Mon Dec 26, 2022 12:15 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

/interface sstp-client monitor sstp-out1 once can give you plenty of information. If ([interface sstp-client monitor sstp-out1 once as-value]->"status") differs from connected , you know the tunnel is down; if it says connected , you can ping the address returned by ([interface sstp-clien...
by sindy
Mon Dec 26, 2022 11:12 am
Forum: General
Topic: MikroTik reboots with self signed certificate
Replies: 2
Views: 393

Re: MikroTik reboots with self signed certificate

It is unclear from your post whether HTTPS is the only management access to the router you currently have or whether at least one of (Winbox via IP address, Winbox via MAC address, mac-telnet, SSH) is still available, i.e. whether you need to regain access to the router or just make it work also via...
by sindy
Mon Dec 26, 2022 11:06 am
Forum: General
Topic: L2TP VPN HP iLo 5 and 4 Ceases to Work After Roughly 1 Minute
Replies: 8
Views: 3517

Re: L2TP VPN HP iLo 5 and 4 Ceases to Work After Roughly 1 Minute

My advice is "sniff when it works and sniff when it doesn't", as it is totally unclear whether it is an issue of the iLO itself, of the connection tracking in the Mikrotik, or something else. So I'd set /tool sniffer set file-name=iLO.pcap on the 2116, then run /tool sniffer quick ip-addre...
by sindy
Fri Dec 23, 2022 10:26 pm
Forum: Beginner Basics
Topic: How to maintain an always-on VPN. [SOLVED]
Replies: 50
Views: 2631

Re: How to maintain an always-on VPN. [SOLVED]

With some mobile ISPs, disconnection every 8h is a normal behaviour. It can take up to two minutes to re-establish. With other mobile ISPs, the connection stays up for several weeks. Regardless of whether that's the root cause of the VPN disconnections or not, one possibility to speed up the failure de...
by sindy
Fri Dec 23, 2022 10:02 pm
Forum: Beginner Basics
Topic: management VLAN problem
Replies: 2
Views: 358

Re: management VLAN problem

The address of your PC is 192.168.88.x, but the RBM11G doesn't know how to deliver its responses to that subnet. So you have to add a route to 192.168.88.0/24, or maybe even better a default one, to the RBM11G, with gateway=10.10.10.10 . Or instead you may add vlan1337 as a member of the interface l...
by sindy
Fri Dec 23, 2022 9:17 pm
Forum: Beginner Basics
Topic: How to send a private message to a forum user?
Replies: 3
Views: 305

Re: How to send a private message to a forum user?

Please advise how to send a private message to a forum user.
You can use non-symmetric cryptography to hand over contact information, I've done that successfully more than once, e.g.: viewtopic.php?t=175289#p857898 .
by sindy
Wed Dec 21, 2022 2:01 pm
Forum: Beginner Basics
Topic: can't reach internet (even from the router) [SOLVED]
Replies: 7
Views: 933

Re: can't reach internet (even from the router) [SOLVED]

If your ISP happens to be UPC (now Vodafone): it used to be necessary to reboot the cable modem to make it accept a different MAC address on its LAN side.
by sindy
Thu Dec 15, 2022 8:17 pm
Forum: General
Topic: address list auto-sync of IP changes of domain address
Replies: 15
Views: 943

Re: address list auto-sync of IP changes of domain address

Here my programmer brain logic: If connect to IP fails then RouterOS has to check whether IP is in address list. If yes, then it shall check whether IP has changed, and if yes then try to connect to the new IP, and if that is ok then update the local DB incl. the entry in the address list... Bu...
by sindy
Thu Dec 15, 2022 7:51 pm
Forum: General
Topic: IPsec between Mikrotik and Pfsense not fully working
Replies: 4
Views: 433

Re: IPsec between Mikrotik and Pfsense not fully working

I cannot spot anything wrong in the configuration. So the next step is sniffing. First, set hw=no on all the /interface bridge port rows on the 4011. Then, open a command line window on the 4011, make it as wide as your screen allows, and while trying to access 10.0.1.x from 10.0.0.y (none of them b...
by sindy
Thu Dec 15, 2022 6:55 pm
Forum: General
Topic: address list auto-sync of IP changes of domain address
Replies: 15
Views: 943

Re: address list auto-sync of IP changes of domain address

I have no clue what you mean when you say "every time you resolve DNS, it changes IP" I guess you mean the round-robin mechanism of the resolver when a domain name has multiple IPs. The thing is that the root DNS server for the domain may behave inconsistently and change the response before...
by sindy
Thu Dec 15, 2022 5:50 pm
Forum: Beginner Basics
Topic: IPsec basic config problem
Replies: 1
Views: 226

Re: IPsec basic config problem

The configurations look OK to me (in terms that the IPsec should work - as it is a lab setup I won't comment on absence of firewall rules). IPsec-wise, the notrack rules in raw are redundant to the accept rules in nat, but that's not the reason why it doesn't work. So the next questions are: what do...
by sindy
Thu Dec 15, 2022 5:22 pm
Forum: General
Topic: IPsec between Mikrotik and Pfsense not fully working
Replies: 4
Views: 433

Re: IPsec between Mikrotik and Pfsense not fully working

The way you describe it it is indeed an issue with the Mikrotik firewall. So post the complete configuration of the Mikrotik, not just the few bits you assume to be related. Don't forget to remove the serial number and other personal information (public IP addresses, login names to external services...
by sindy
Tue Dec 13, 2022 8:33 am
Forum: Forwarding Protocols
Topic: Same IP FAIL OVER/BONDING from multiple ISPS
Replies: 13
Views: 1173

Re: Same IP FAIL OVER/BONDING from multiple ISPS

My primary concern is redundancy. Don't really pay attention or care about the whole "speeding things up". Regarding "speeding things up" - you do need to speed things up as compared to what OSPF alone can give you, in order to make the failover faster than the application timeo...
by sindy
Mon Dec 12, 2022 6:15 am
Forum: General
Topic: Cannot establish tcp (SSH) connection on second WAN port
Replies: 7
Views: 772

Re: Cannot establish tcp (SSH) connection on second WAN port

What I've seen in the export was that the default route in the WAN2 routing table was disabled, is that a debug setting or the cause of your issue? If it doesn't work even with that route enabled, you'll have to run /tool sniffer quick ip-address=a.a.a.a port=22 while trying to connect from remote a...
by sindy
Sun Dec 11, 2022 9:06 pm
Forum: General
Topic: Cannot establish tcp (SSH) connection on second WAN port
Replies: 7
Views: 772

Re: Cannot establish tcp (SSH) connection on second WAN port

Before digging any deeper, what's your reason for setting use-ip-firewall under /interface bridge settings to yes?
by sindy
Sun Dec 11, 2022 8:01 pm
Forum: Forwarding Protocols
Topic: Same IP FAIL OVER/BONDING from multiple ISPS
Replies: 13
Views: 1173

Re: Same IP FAIL OVER/BONDING from multiple ISPS

In my experience, all you need is a virtual server in some hosting where you can choose the country, which is a matter of $6 per month, running the Mikrotik CHR. And then create one L2TP/IPsec tunnel to that machine per each uplink ISP connected to the on-site Mikrotik, and use OSPF with BFD to take...
by sindy
Sun Dec 11, 2022 3:44 pm
Forum: General
Topic: problem with multiple gateways
Replies: 11
Views: 591

Re: problem with multiple gateways

routing-mark and routing-table mean almost the same. You can use mangle rules for precise selection of traffic to send via the tunnel, and there the routing-mark name is used. Routing rules are somewhat faster but their match conditions are not that detailed, and there the routing-table name is use...
by sindy
Sun Dec 11, 2022 3:30 pm
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

Windows machine in last test was windows 10 installed on laptop and I make l2tp vpn connection on it and use it for test. That doesn't say much about the network topology. I assume the ultimate goal is that the L2TP clients connect from outside your enterprise network, i.e. from some home networks ...
by sindy
Sun Dec 11, 2022 3:17 pm
Forum: General
Topic: problem with multiple gateways
Replies: 11
Views: 591

Re: problem with multiple gateways

i think "all the traffic, except mikrotick's own and wireguard transport packets" is true.. Wireguard transport traffic is part of Mikrotik's own traffic - the other part being at least Mikrotik's download of new RouterOS versions, and if Mikrotik serves as a DNS proxy for the LAN clients...
by sindy
Sun Dec 11, 2022 2:40 pm
Forum: General
Topic: How many cAP's on one hEX PoE port?
Replies: 9
Views: 473

Re: How many cAP's on one hEX PoE port?

The PoE power is limited for fire safety - over a wire of a given cross-section, you can only allow a certain amount of current to prevent overheating. Many factors come into play, such as number of cables running in parallel and whether they are in a solid wall, free running, or in some sort of the...
by sindy
Sun Dec 11, 2022 1:36 pm
Forum: General
Topic: Mikrotik/Cisco GRE Tunnel Establishment [SOLVED]
Replies: 13
Views: 2829

Re: Mikrotik/Cisco GRE Tunnel Establishment [SOLVED]

if this needs to be turned off in your setup in order to WORK, the setup is messed. Unfortunately, that's how GRE keepalives have been designed by Cisco. The aim is that the keepaliving would work for each peer even if the other peer doesn't support it. So the setup is not messed, but the implement...
by sindy
Sun Dec 11, 2022 1:17 pm
Forum: General
Topic: problem with multiple gateways
Replies: 11
Views: 591

Re: problem with multiple gateways

Sure, but first you have to specify what exactly "my traffic" means. All the traffic except the Mikrotik's own one? All the traffic including Mikrotik's own one, except the wireguard transport packets? Only the traffic from a given local IP address range (subnet)? Also, do you specify the ...
by sindy
Sun Dec 11, 2022 12:54 pm
Forum: Beginner Basics
Topic: Configure l2tp vpn
Replies: 5
Views: 615

Re: Configure l2tp vpn

... also, your action=mark-routing rule matches on the range for VPN clients; if you want LAN clients to be routed via the L2TP server tunnel as well, you have to add another such rule matching on src-address=192.168.88.2-192.168.88.255 or use an address-list.
by sindy
Sun Dec 11, 2022 12:42 pm
Forum: Beginner Basics
Topic: Configure l2tp vpn
Replies: 5
Views: 615

Re: Configure l2tp vpn

When l2tp connected i got: Local Address 192.168.89.1 Ah, now I can see where the mistake is. Instead of creating a custom /ppp profile item for each use, you've modified the default-encryption one and configured local-address=192.168.89.1 in it. So the L2TP client, which also uses this profile unl...
by sindy
Sun Dec 11, 2022 12:15 pm
Forum: General
Topic: problem with multiple gateways
Replies: 11
Views: 591

Re: problem with multiple gateways

You cannot have two active default routes in the same routing table (except ECMP load distribution but that's not what you want here). If you want all your traffic to go through Wireguard, you have to add a route towards the individual (/32) IP address of the Wireguard peer; if that address is not s...
by sindy
Sun Dec 11, 2022 12:09 pm
Forum: General
Topic: How many cAP's on one hEX PoE port?
Replies: 9
Views: 473

Re: How many cAP's on one hEX PoE port?

cAP and cAP ac have significantly different power requirements. On the product drawing, you never see a cAP ac behind another cAP ac, it's always only cAP that is powered from cAP ac's PoE-out port. A cAP ac powered from the PoE port of another cAP ac may work if the traffic is low, but once you con...
by sindy
Sun Dec 11, 2022 11:42 am
Forum: Beginner Basics
Topic: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]
Replies: 15
Views: 1359

Re: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]

For others brought here by searching for similar issues, the Mikrotik is a virtual one and the virtualization environment strips VLAN tags on reception.
by sindy
Sun Dec 11, 2022 11:39 am
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

So in case of Windows, the response also doesn't return via ether3/MGMT and leave via the L2TP tunnel towards Windows, so it must be taking some other path. So check that first. Windows network card drivers strip VLAN IDs on received frames. How is the Windows machine you use for the test connected ...
by sindy
Sun Dec 11, 2022 10:04 am
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

Instead of the [ quote ] tag (the ["] button), use the [ code] tag (the [</>] button) - see the output below. Also, there is no need to quote the whole previous post. To the topic - the sniff shows you that the ping request packets come in via <l2tp-m.faridi-1> (the tunnel interface that gets c...
by sindy
Sun Dec 11, 2022 9:44 am
Forum: Beginner Basics
Topic: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]
Replies: 15
Views: 1359

Re: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]

I am not averse to assigning multiple vlans to a single port.............. AKA bridging is not necessary. It just makes sense if multiple vlans are going over multiple ports. Sindy, you should use port vlans more often ;-) Vlan tagging is overrated....... is it ok for you to anydesk my router and s...
by sindy
Sat Dec 10, 2022 10:44 pm
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

after add route 192.168.90.0/23 via ppp0 I have ping of 192.168.91.222 and I can connect to remote desktop by remmina but I do not have ping of 192.168.90.76 , I have ping of 192.168.91.0/16 but I do not have ping of 192.168.90.0/16 You probably mean 192.168.91.0/ 24 and 192.168.90.0/ 24 , but that...
by sindy
Sat Dec 10, 2022 9:36 pm
Forum: Beginner Basics
Topic: Configure l2tp vpn
Replies: 5
Views: 615

Re: Configure l2tp vpn

I'm not sure I understand the description well. Please confirm whether I get it right: the VPN client on your PC connects to the hAP lite, which acts as a VPN server, and gets an address from the 192.168.89.x range the hAP lite itself connects as a client to some remote L2TP server you expect the PC...
by sindy
Sat Dec 10, 2022 9:14 pm
Forum: Beginner Basics
Topic: getting lots of "loop" logs on the port that my cAP is connected to [SOLVED]
Replies: 4
Views: 832

Re: getting lots of "loop" logs on the port that my cAP is connected to [SOLVED]

As the CRS326 complains about own address as the source address of a received frame, the most likely explanation is that the bridge (or the sfp-sfpplus10 interface itself) on the CRS has the same MAC address as the cAP ac. One possibility is a mistake in production, a more likely possibility is a ...
by sindy
Sat Dec 10, 2022 7:30 pm
Forum: Beginner Basics
Topic: hAP ax² vs. heX
Replies: 2
Views: 409

Re: hAP ax² vs. heX

If indeed talking about hEX (and not about hEX S), then the only extras are the Micro-SD slot, USB port, and beeper. Plus what a user has stated here as an important thing, it has a "professional look" (as compared to the "consumer electronic look" of the hAP ac lite TC/ac²/ax²)....
by sindy
Sat Dec 10, 2022 4:01 pm
Forum: Beginner Basics
Topic: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]
Replies: 15
Views: 1359

Re: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]

if u want to access my desktop with application "anydesk" ,is it ok for u?
Before eventually doing that, I'd prefer to get the answers to my doubts regarding what you actually want to do as stated in post #5.
by sindy
Sat Dec 10, 2022 3:54 pm
Forum: General
Topic: Is there a router/switch to beat the 4011?
Replies: 25
Views: 4405

Re: Is there a router/switch to beat the 4011?

would want to switch all ports to sfp to offload the cpu
The block diagram shows that this is not possible.
by sindy
Sat Dec 10, 2022 3:51 pm
Forum: Beginner Basics
Topic: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]
Replies: 15
Views: 1359

Re: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]

Create vlans on Mikrotik in bridge section
@anav is popular for this approach of asking the OP to redo the configuration completely just to make it match the "perfect" one, regardless of the actual needs. The OP has no bridge in his configuration, and there is no need to add it since he's go...
by sindy
Sat Dec 10, 2022 3:43 pm
Forum: Beginner Basics
Topic: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]
Replies: 15
Views: 1359

Re: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]

I'm a bit confused by the discrepancy between your drawing where the Cisco switch is connected to the Mikrotik using a single cable but with two subnets, 10.0.50.0/24 and 192.168.208.0/24, whereas in the configuration export, these two subnets are attached to two different physical interfaces - 10.0...
by sindy
Sat Dec 10, 2022 3:10 pm
Forum: Beginner Basics
Topic: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]
Replies: 15
Views: 1359

Re: Mikrotik Router & Cisco Switch VLAN Configuration [SOLVED]

Post the complete configuration of the Mikrotik, except the public address(es) and serial number: /export hide-sensitive file=somename. Also post the configuration of the Cisco trunk ports - 208 may not be among allowed-vlans somewhere. If ether2 is a member port of some bridge, you cannot attach /...
by sindy
Sat Dec 10, 2022 1:29 pm
Forum: Beginner Basics
Topic: can't reach internet (even from the router) [SOLVED]
Replies: 7
Views: 933

Re: can't reach internet (even from the router) [SOLVED]

To me it sounds like an issue at the ISP side. What I would try in this case would be to change the MAC address of ether1 of Mikrotik to the one of the TP-Link's WAN; if the latter is not on the type shield of the TP-link, connect the TP-Link to Mikrotik's LAN and see the DHCP lease it gets.
by sindy
Fri Dec 09, 2022 9:36 pm
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

When I type that command I see
┌──(mostafa㉿fedora)-[~]
└─$ ip route get 192.168.90.76
192.168.90.76 dev br-915ddc20fc78 src 192.168.80.1 uid 1000
    cache
We use 192.168.90.0 range for servers and use 192.168.91.0 range for desktop client
It is a combination of two distinct issues. One issue is that t...
by sindy
Fri Dec 09, 2022 6:13 pm
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

When the L2TP is running and you add the route to 192.168.0.0/16 via ppp0, what does ip route get 192.168.90.76 show? The thing is that when the destination address of a packet matches the destination prefixes of multiple routes, the route whose destination prefix is the longest one is chosen among ...
by sindy
Fri Dec 09, 2022 8:52 am
Forum: General
Topic: EoIP over IPsec/IKE2 not working
Replies: 3
Views: 346

Re: EoIP over IPsec/IKE2 not working

Add ipsec-policy=out,none to the only action=masquerade rule at the Client side, and then use /ip/firewall/connection/remove [find where protocol=ipencap] to remove the src-nated connection. What is the result?
by sindy
Thu Dec 08, 2022 12:35 am
Forum: General
Topic: EoIP over IPsec/IKE2 not working
Replies: 3
Views: 346

Re: EoIP over IPsec/IKE2 not working

First of all, only use an EoIP tunnel if you need to bridge L2 segments together. For your purpose, an IPIP tunnel seems to be sufficient. Second, in RouterOS, the stateless tunnels (GRE = IP over GRE, EOIP = proprietary version of Ethernet over GRE, IPIP = IPencap) interfaces are set to the Running st...
by sindy
Wed Dec 07, 2022 4:27 pm
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

In Winbox, press the [New Terminal] button to open a command line window within Winbox.
by sindy
Tue Dec 06, 2022 2:01 pm
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

To solve the problem, you have to debug it. You've said you've added a route and that it didn't help, but you haven't shown the address plan at the server side, the route you've added itself, and you haven't sniffed on the various interfaces when the route was in place while trying to access the ser...
by sindy
Mon Dec 05, 2022 9:32 pm
Forum: General
Topic: IPsec/IKEv2 VPN client on hEX S to ProtonVPN
Replies: 4
Views: 366

Re: IPsec/IKEv2 VPN client on hEX S to ProtonVPN

It's again not the complete configuration - your action=mark-connection mangle rule might be responsible for the issue depending on the contents of the address list local. But if there is indeed no mangle rule with action=mark-routing, we can wave that off.
I deleted fasttrack rules
If fasttrack ru...
by sindy
Mon Dec 05, 2022 9:15 pm
Forum: General
Topic: Does mikrotik support NAT traversal for IPSEC? [SOLVED]
Replies: 9
Views: 1369

Re: Does mikrotik support NAT traversal for IPSEC? [SOLVED]

So there are two ways to achieve ipsec server behind nat? One using ESP with NAT traversal (as mentioned also by @sindy) and also by using protocol 50? If yes, are both options supported by mikrotik?
ESP is IP protocol 50. As it has no notion of ports, there would be a problem if two initiators con...
by sindy
Mon Dec 05, 2022 5:34 pm
Forum: General
Topic: Does mikrotik support NAT traversal for IPSEC? [SOLVED]
Replies: 9
Views: 1369

Re: Does mikrotik support NAT traversal for IPSEC? [SOLVED]

Yes, Mikrotik does support NAT traversal for IPsec. The setting for IKE(v1) is nat-traversal=yes on /ip ipsec profile row; in IKEv2, NAT traversal support is part of the standard. If you have in mind that the Mikrotik would not act as an IPsec responder itself but would just forward IPsec traffic be...
by sindy
Mon Dec 05, 2022 5:29 pm
Forum: General
Topic: Mikrotik VPN Site to Site
Replies: 2
Views: 259

Re: Mikrotik VPN Site to Site

What you describe is really strange. I have seen cases where any connection becomes impossible after some time of silence and these have a perfectly logical explanation, but I hear for the first time that ping remains possible but normal connections don't. At the moment I can only imagine some load ...
by sindy
Mon Dec 05, 2022 4:55 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 51
Views: 13261

Re: RouterOS bridge mysteries explained

What means
If the "bridge" port is in pure trunk mode,
It means that ingress-filtering is set to yes and frame-types is set to admit-only-vlan-tagged on that port.
by sindy
Mon Dec 05, 2022 4:49 pm
Forum: General
Topic: IPsec/IKEv2 VPN client on hEX S to ProtonVPN
Replies: 4
Views: 366

Re: IPsec/IKEv2 VPN client on hEX S to ProtonVPN

There is no response from the remote IPsec responder in the log. So there are multiple possibilities:
a routing issue at your end
a firewall issue at your end (if you use mangle rules, these two points may actually be one as the interpretation of the routing-mark has changed somewhere between ROS 7....
by sindy
Mon Dec 05, 2022 4:30 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 51
Views: 13261

Re: RouterOS bridge mysteries explained

but if you use (multiple) VLAN(s) in the same Bridge, the VLAN Interfaces are the door to L3? but bridge-facing interface is the Bridge CPU port, if you don't work with VLANs, so you put an IP on etc. on "bridge-... ", so it become the door to L3?
The items under /interface vlan are "...
by sindy
Sun Dec 04, 2022 11:23 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 51
Views: 13261

Re: RouterOS bridge mysteries explained

You use a bridge interface whenever you want to connect multiple devices to the same IP subnet. Whether you use VLANs or not is a separate thing. You can use a dedicated bridge for each (V)LAN, you can use multiple bridges with multiple VLANs on each, or a single bridge for all your VLANs - it's up ...
by sindy
Sun Dec 04, 2022 10:12 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 51
Views: 13261

Re: RouterOS bridge mysteries explained

any interface logical or physical has to have an IP to allow >=L3 services on it. As the bridge interface ( “new” way of handling multiple VLANs ) must not have an IP, so you don't use it anywhere, except handling L2 things for devices/ports connected to it
Sorry, I did not understand what you are ...
by sindy
Sun Dec 04, 2022 8:15 pm
Forum: Beginner Basics
Topic: RB5009: Bridge filter rules help
Replies: 14
Views: 930

Re: RB5009: Bridge filter rules help

The strange part is, in IPV6 the mangle rules works for dhcp.
It's not that strange - the IPv6 stack is quite separate from the IP(v4) one, and the concepts have changed.
One last question do you have any idea why fasttrack seems still not working ? I mean the fasttrack rules counters increase, but n...
by sindy
Sun Dec 04, 2022 3:11 pm
Forum: Beginner Basics
Topic: RB5009: Bridge filter rules help
Replies: 14
Views: 930

Re: RB5009: Bridge filter rules help

The fact that IP matchers do not work on VLAN-encapsulated traffic is really annoying, but if marking of all traffic is slowing down your router noticeably, I'm not sure whether there is a solution at all. The bridge filter rules are common for all bridges, so even if you make them match on bridge n...
by sindy
Sun Dec 04, 2022 12:51 pm
Forum: Beginner Basics
Topic: RB5009: Bridge filter rules help
Replies: 14
Views: 930

Re: RB5009: Bridge filter rules help

The following items are relevant (but it was absolutely correct that you've posted a complete one!):
/interface vlan add interface=bridge-LAN name=vlan832-wan vlan-id=832
/interface bridge port add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged interface=sfp-wan
/interface brid...
by sindy
Sun Dec 04, 2022 12:04 pm
Forum: Beginner Basics
Topic: RB5009: Bridge filter rules help
Replies: 14
Views: 930

Re: RB5009: Bridge filter rules help

I suspect some ISPs enforce the requirement of DHCP requests having a specific 802.1Q priority to prevent any other devices a client has from acquiring an address if misconnected directly to the WAN. Requiring a specific DHCP option in the request would be a more friendly way of them achieving this...
by sindy
Sun Dec 04, 2022 11:48 am
Forum: Beginner Basics
Topic: RB5009: Bridge filter rules help
Replies: 14
Views: 930

Re: RB5009: Bridge filter rules help

Thank you for your fist feedbacks.
Did it hurt :-) ?
@sindy, sadly when using only one bridge like you said it, the filter rule is never applied…
Show me the actual configuration where it does not work, please. It may be the bug I've referred to, or another bug, or a misconfiguration. Unfortunately...
by sindy
Sat Dec 03, 2022 11:48 pm
Forum: Beginner Basics
Topic: RB5009: Bridge filter rules help
Replies: 14
Views: 930

Re: RB5009: Bridge filter rules help

Very frustrating ...
What? What the OP is asking is how to address a very specific misuse of available packet fields - the ISP discourages people from using their own routers by making the core network equipment assign a much lower bandwidth limit to devices that do not send their DHCP requests with ...
by sindy
Sat Dec 03, 2022 8:43 pm
Forum: Beginner Basics
Topic: RB5009: Bridge filter rules help
Replies: 14
Views: 930

Re: RB5009: Bridge filter rules help

If the switch chip rules do not support setting of the priority field, there is no other way to achieve your goal than to use a bridge filter. The presence of bridge filter rules as such does not disable hardware acceleration of bridging (or at least it did not on RouterOS 6), it just doesn't handle...
by sindy
Sat Dec 03, 2022 3:57 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 119
Views: 20154

Re: Split traffic then merge [SOLVED]

there is not too much of performance difference compared to Bonding/EoIPs
I wasn't expecting the throughput to be higher - my sole expectation from this approach was that a single stream connection would be distributed among multiple UDP sessions at the lowest transport level (which is the same for...
by sindy
Fri Dec 02, 2022 10:39 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 119
Views: 20154

Re: Split traffic then merge [SOLVED]

You've said the /interface l2tp-client was running, haven't you? If so, /interface l2tp-server print at the server side should show an <l2tp-username> interface as well. You have to set the remote-address and local-address on the /ppp secret row, but you have to use yet another pair of addresses tha...
by sindy
Fri Dec 02, 2022 7:18 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 119
Views: 20154

Re: Split traffic then merge [SOLVED]

Because max-mtu has a different meaning if MLPPP is enabled.
by sindy
Fri Dec 02, 2022 3:53 pm
Forum: Beginner Basics
Topic: Two Site-to-Site VPN Tunnels [SOLVED]
Replies: 4
Views: 601

Re: Two Site-to-Site VPN Tunnels [SOLVED]

I tried to make 3 code blocks but the other two wouldn't become a separate thing
You probably have to place some separating text between them - the markdown -> html rendering engine is not perfect. To the actual topic - both (actually, all three) routers have public IP addresses (what a luxury thes...
by sindy
Fri Dec 02, 2022 1:36 pm
Forum: General
Topic: Mikrotik hEX beeps randomly
Replies: 3
Views: 261

Re: Mikrotik hEX beeps randomly

A sticker applied over the hole in the beeper should change the intensity of the sound (ideally, use the foamy double-sided sticking tape), so if it remains the same, look for something else. Unsoldering the beeper from the board is a bullet-proof proof of the hEX being the culprit, but it would voi...
by sindy
Fri Dec 02, 2022 1:31 pm
Forum: Beginner Basics
Topic: Two Site-to-Site VPN Tunnels [SOLVED]
Replies: 4
Views: 601

Re: Two Site-to-Site VPN Tunnels [SOLVED]

To get useful help, you have to provide the configuration exports of all three routers. Before posting the exports, remove the serial numbers if the routers use the cloud service to update a dynamic DNS, as the serial number is part of the domain name; remove any login names to other services, a...
by sindy
Fri Dec 02, 2022 1:11 pm
Forum: General
Topic: How do I get the Bond interface to use default gateway for internet? [SOLVED]
Replies: 3
Views: 541

Re: How do I get the Bond interface to use default gateway for internet? [SOLVED]

I'm trying to bond these 4 EOIP tunnels running over WireGuard for testing out faster internet.
Not sure how encapsulating traffic into a tunnel and then sending it via the same uplink should make the connection faster - it will actually make it slower due to part of the bandwidth being wasted on t...
by sindy
Fri Dec 02, 2022 12:19 pm
Forum: General
Topic: How do I get the Bond interface to use default gateway for internet? [SOLVED]
Replies: 3
Views: 541

Re: How do I get the Bond interface to use default gateway for internet? [SOLVED]

I'm not sure what you want to achieve. If you force the BOND interface as the source one for the ping, the system bypasses the routing process and chooses BOND as the out-interface for the ping packets. As BOND is an L2 interface, the router sends ARP requests "who has 1.1.1.1? Tell 10.100.100....
by sindy
Fri Dec 02, 2022 11:45 am
Forum: Beginner Basics
Topic: Extend my LAN
Replies: 5
Views: 378

Re: Extend my LAN

so you are telling me that i could not use the hap mini as a repeater?
It may work, or it may not. The thing is that the WiFi standard did not expect stations (clients) to be bridges, so the MAC address of the WiFi station is expected to always be the same as the one of the actual sender/recipient ...
by sindy
Fri Dec 02, 2022 9:31 am
Forum: General
Topic: NAT, Fasttrack and Out Interface [SOLVED]
Replies: 9
Views: 845

Re: NAT, Fasttrack and Out Interface [SOLVED]

To elaborate on @chechito's hint - connection tracking inspects every single packet and finds it to fit into one of the following categories (connection tracking states):
new (doesn't match any known connection)
established (belongs to one of the known connections)
related (doesn't belong to any kno...
by sindy
Fri Dec 02, 2022 8:59 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 119
Views: 20154

Re: Split traffic then merge [SOLVED]

At the server side, forget about L2TP server bindings and L2TP secrets, use just regular PPP secrets, the server binding will be created dynamically. You can create a static binding between the (user)name of the secret and the server binding interface name later if needed. At the client side, if the...
by sindy
Thu Dec 01, 2022 4:31 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 119
Views: 20154

Re: Split traffic then merge [SOLVED]

I'm a bit lost on these: The payload packet enters a tunnel interface; the tunneling process encapsulates the payload packet into a transport one and sends it to the remote-address configured for that tunnel interface; the source address is chosen by routing if no local-address is specified, or the...
by sindy
Thu Dec 01, 2022 8:52 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 119
Views: 20154

Re: Split traffic then merge [SOLVED]

I understand there is no such thing in MikroTik as MLPPP, and I have to do it manually.
This sounds like an understandable misunderstanding :) MLPPP indeed stands for "Multi-Link PPP", but nevertheless it can be used even on a single link. The benefit of using MLPPP on a single link is th...
by sindy
Thu Dec 01, 2022 7:56 am
Forum: Beginner Basics
Topic: Transparent PtP link
Replies: 5
Views: 475

Re: Transparent PtP link

Setting the wireless interface to bridge mode is not the same as bridging the Ethernet and wireless interfaces together, so that step may be missing. To get more useful advice, post the configuration export of both LHG5.
by sindy
Thu Dec 01, 2022 7:52 am
Forum: Beginner Basics
Topic: vpn functional only certain days
Replies: 4
Views: 290

Re: vpn functional only certain days

I can imagine two ways:
a periodically scheduled script that would enable and disable individual accounts or the whole VPN server according to a time schedule. This would prevent the user from establishing the VPN connection at all
use of the time match condition in firewall rules would allow the us...
by sindy
Wed Nov 30, 2022 1:47 pm
Forum: Beginner Basics
Topic: More DHCP servers for different networks
Replies: 8
Views: 900

Re: More DHCP servers for different networks

This may help understand the bridge settings.
by sindy
Wed Nov 30, 2022 9:03 am
Forum: General
Topic: [request] option to disable "secret" SMS protection
Replies: 10
Views: 562

Re: [request] option to disable "secret" SMS protection

I also get your point, and I would myself also like to see many more trigger events you could hook script execution to than those currently available, but: you can schedule the script to be executed every second, the router has enough CPU power to do that; if even that is not sufficient, you can let...
by sindy
Tue Nov 29, 2022 10:23 pm
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

As the /ip route output shows you, the default route stays on gateway 192.168.1.1 via device wlp0s20f3, and all the other routes are only to connected networks (your bunch of bridges and the Mikrotik address on the L2TP tunnel). So you have to add route(s) to the subnet(s) behind the Mikrotik via pp...
by sindy
Tue Nov 29, 2022 10:01 pm
Forum: Beginner Basics
Topic: More DHCP servers for different networks
Replies: 8
Views: 900

Re: More DHCP servers for different networks

And then, attach the IP address and DHCP server to the vlan interface eth2-vl16 (which I would rename to LAN-Bridge.guest.4) instead of *11 (which stands for a removed interface).
by sindy
Tue Nov 29, 2022 9:55 pm
Forum: Beginner Basics
Topic: More DHCP servers for different networks
Replies: 8
Views: 900

Re: More DHCP servers for different networks

/interface bridge vlan remove [find where vlan-ids=5]
/interface bridge vlan set [find where vlan-ids=4] tagged=LAN-Bridge,sfp3,sfp4,sfp5,sfp6
by sindy
Tue Nov 29, 2022 9:27 pm
Forum: General
Topic: [request] option to disable "secret" SMS protection
Replies: 10
Views: 562

Re: [request] option to disable "secret" SMS protection

The script below sends each received SMS message to Telegram and removes it from the input buffer if successful. You have to use a scheduler to run it every minute or so. :local token "0000000000:AAAAAAAAAAAAAAAAAAAAAAAAAAA" :local chatId "-11111111" :local escapeUrl do={ :local ...
by sindy
Tue Nov 29, 2022 9:18 pm
Forum: Beginner Basics
Topic: More DHCP servers for different networks
Replies: 8
Views: 900

Re: More DHCP servers for different networks

A quick guess is that you haven't completely grasped the VLAN settings in RouterOS yet and there is a missing step. But to know for sure, we need to see the export of your router configuration (see my automatic signature for a hint). It is also a good idea to remove the serial number and eventual lo...
by sindy
Tue Nov 29, 2022 8:38 am
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

I tested my VPN account first on Windows and it was good and I can use Remote desktop for connect to office box, then I reboot to Fedora Linux and test VPN connection, it seems OK but I can not connect to remote office and I can not connect to servers by SSH.
This confirms my assumption that the is...
by sindy
Tue Nov 29, 2022 8:16 am
Forum: General
Topic: Mikrotik LHG LTE how to change network operator?
Replies: 2
Views: 257

Re: Mikrotik LHG LTE how to change network operator?

You can only manually choose a network operator if the account linked to your SIM supports roaming. I.e. your operator supports intra-national roaming or you use a SIM from another country that has roaming agreements with both operators in question. These pre-requisites are the same on a mobile phon...
by sindy
Tue Nov 29, 2022 8:00 am
Forum: Beginner Basics
Topic: l2tp VPN, linux host problem
Replies: 25
Views: 2062

Re: l2tp VPN, linux host problem

To avoid any doubt, make a test using the same user account - first connect a Windows client, then disconnect it and connect a Linux one. If the Windows one works fine and the Linux one doesn't, the issue is not the settings at the Mikrotik side but at the Linux side. My quick guess is that whereas ...
by sindy
Mon Nov 28, 2022 4:10 pm
Forum: General
Topic: QinQ not working
Replies: 8
Views: 593

Re: QinQ not working

If so, use port mirroring and another Mikrotik device to sniff on the mirror port to see what is actually going on. Be aware that most Windows network card drivers and some Linux ones strip the VLAN headers so the sniff may be misleading in these cases, that's why I recommend to use a second Mikroti...
by sindy
Mon Nov 28, 2022 9:16 am
Forum: General
Topic: QinQ not working
Replies: 8
Views: 593

Re: QinQ not working

Remove sfp-sfpplus16 from the tagged list under /interface bridge vlan on the row for vlan-ids=2500.
by sindy
Sun Nov 27, 2022 9:06 pm
Forum: General
Topic: QinQ not working
Replies: 8
Views: 593

Re: QinQ not working

Instead of posting a link to how it should be configured, post an export of your actual configuration (before posting, obfuscate any public addresses and service usernames, and remove the serial number). Do you indeed want Q-in-Q (both inner and outer VLAN tag with ethertype 0x8100, aka Customer-V...
by sindy
Sun Nov 27, 2022 8:28 pm
Forum: General
Topic: traffic blocking rules
Replies: 1
Views: 185

Re: traffic blocking rules

Yes. Look at limit and dst-limit matchers. It is not clear from your OP whether you have in mind a single source address or whether you want to apply the limits to each of many source addresses individually; if the latter, you need dst-limit , which maintains separate counters per each "target&...
by sindy
Sun Nov 27, 2022 4:35 pm
Forum: General
Topic: Ipsec stuck connections problem [SOLVED]
Replies: 4
Views: 786

Re: Ipsec stuck connections problem [SOLVED]

:local actRouteGwStatus ([/ip route get [find where !routing-mark dst-address=0.0.0.0/0 active] gateway-status]->0) :local ipPort [:pick $actRouteGwStatus ([:find $actRouteGwStatus "via " 0]+4) [:len $actRouteGwStatus]] :local gwIf [:pick $ipPort ([:find $ipPort " " 0]+1) [:len ...
by sindy
Sun Nov 27, 2022 2:15 pm
Forum: General
Topic: RB3011 - VLAN - Untagged
Replies: 12
Views: 934

Re: RB3011 - VLAN - Untagged

Before venturing into configuration of vlan filtering by switch chip, make sure you create a backup of your current configuration in the non-volatile part of the disk of the router (I don't know whether 3011 has a flash/ partition or whether all files survive reboot) and download it to an external s...
by sindy
Sun Nov 27, 2022 1:48 pm
Forum: General
Topic: IKEv2 with EAP-MSCHAPv2 on Android 13 native client
Replies: 11
Views: 5104

Re: IKEv2 with EAP-MSCHAPv2 on Android 13 native client

If the issue is related to the certificate contents, I can only imagine that the Android native client looks at the common-name item (which is not very likely) and finds it unrelated to the fqdn it connects to, or that it expects one of the ipsec-end-system , ipsec-tunnel , or ipsec-user values in t...
by sindy
Sun Nov 27, 2022 1:31 pm
Forum: General
Topic: Ipsec stuck connections problem [SOLVED]
Replies: 4
Views: 786

Re: Ipsec stuck connections problem [SOLVED]

You've made most of the analysis yourself :) The thing is that the lifetime of a UDP pinhole (tracked connection) is 3 minutes by default, and after detecting peer unavailability, the IPsec stack does terminate the existing connection and initiate a new one, but it uses the same local and remote add...
by sindy
Sun Nov 27, 2022 12:29 pm
Forum: General
Topic: wAP LR8 recommendation for max. antenna cable length
Replies: 5
Views: 290

Re: wAP LR8 recommendation for max. antenna cable length

In the datasheet I've googled for CFM200, they state 0.326 dB/m @ 900 MHz. So 5 m gives 1.63 dB.
by sindy
Sun Nov 27, 2022 10:58 am
Forum: Beginner Basics
Topic: what is the most preferable subnet when we connect router to WAN /24 or /30 subnet
Replies: 2
Views: 235

Re: what is the most preferable subnet when we connect router to WAN /24 or /30 subnet

It is rarely a decision of "people out there" when configuring their WAN subnet - they have to accommodate to how the ISP has configured things on its end. The subnet size is a concern when the WAN address is a public one, because if you use the simplest method (direct assignment of the pu...
by sindy
Sun Nov 27, 2022 9:58 am
Forum: Beginner Basics
Topic: Routing Specific DST to another wan NOT WORK!!
Replies: 6
Views: 431

Re: Routing Specific DST to another wan NOT WORK!!

So once again, do the packet & byte counters of that rule grow as you attempt to connect to that server? Yes/No
If they don't, try pinging that address from a connected device (not from the router itself). Do the counters grow in that case? Yes/No
Change the dst-address in the rule to some othe...
by sindy
Sun Nov 27, 2022 9:51 am
Forum: General
Topic: IKEv2 with EAP-MSCHAPv2 on Android 13 native client
Replies: 11
Views: 5104

Re: IKEv2 with EAP-MSCHAPv2 on Android 13 native client

So my assumption was a complete miss, it seems that the Android native client doesn't like something about the contents of your certificate. The log suggests that you have set the CA certificate itself, rather than the certificate generated for the Mikrotik and signed by that CA, as the certificate ...
by sindy
Sat Nov 26, 2022 11:53 pm
Forum: Beginner Basics
Topic: Routing Specific DST to another wan NOT WORK!!
Replies: 6
Views: 431

Re: Routing Specific DST to another wan NOT WORK!!

So what exactly does not work? You have multiple routing tables consisting of a single default route via the same gateway of the second WAN - does the issue affect all of them or only the one named Voda? Also, in the OP, the rule assigning new-routing-mark=Voda matches on dst-address-list , whereas ...
by sindy
Sat Nov 26, 2022 11:26 pm
Forum: Beginner Basics
Topic: Routing Specific DST to another wan NOT WORK!!
Replies: 6
Views: 431

Re: Routing Specific DST to another wan NOT WORK!!

That mangle rule and that route alone seem fine to me (except maybe pref-src=0.0.0.0, but you may be using another subversion of ROS 7 than me). So maybe the rule is shadowed or superseded by another one(s), or maybe you have unconditional fasttracking enabled? In other words, post the complete c...
by sindy
Sat Nov 26, 2022 8:11 pm
Forum: General
Topic: wAP LR8 recommendation for max. antenna cable length
Replies: 5
Views: 290

Re: wAP LR8 recommendation for max. antenna cable length

Any cable length is feasible - provided you don't mind losing the range. Every dB of cable attenuation costs you some kilometers of the maximum distance the LoRa transmitters can be away from your antenna. From attenuation point of view alone, you could replace this particular 1 m cable with a thick...
by sindy
Sat Nov 26, 2022 3:20 pm
Forum: Beginner Basics
Topic: NAT for out interface WAN
Replies: 6
Views: 807

Re: NAT for out interface WAN

As usual, we have to use mentalism to guess what the actual configuration is :)
by sindy
Sat Nov 26, 2022 11:46 am
Forum: Beginner Basics
Topic: NAT for out interface WAN
Replies: 6
Views: 807

Re: NAT for out interface WAN

Server is connected ... also to MikroTik router at another interface with IP 192.168.1.7.
And that's what breaks it. The packet from 192.168.1.x (the client) towards 212.5.a.b goes to the gateway 192.168.1.253 (the Mikrotik), which dst-nats it to 192.168.0.3, but the source address remains 192.168....
by sindy
Sat Nov 26, 2022 10:03 am
Forum: General
Topic: IKEv2 with EAP-MSCHAPv2 on Android 13 native client
Replies: 11
Views: 5104

Re: IKEv2 with EAP-MSCHAPv2 on Android 13 native client

I would have to see the debug log from the IKEv2 negotiation, but a new way of indicating the authentication method has been introduced by RFC7427, and I hazily remember the embedded Android IKEv2 client uses it. Unless I have missed something in the release notes of RouterOS, it has not been implem...
by sindy
Sat Nov 26, 2022 9:54 am
Forum: General
Topic: L2TP VPN Config Issue
Replies: 7
Views: 738

Re: L2TP VPN Config Issue

While @Sob's analysis & advice is the most useful one (if you knew that setting arp=proxy-arp on the LAN interface was necessary, you would have included that into the "relevant part" of the configuration to post, wouldn't you?), there is another catch with L2TP/IPsec - to allow multip...
by sindy
Fri Nov 25, 2022 12:22 pm
Forum: Beginner Basics
Topic: Packet seems to be getting dropped but not sure what the cause is
Replies: 1
Views: 290

Re: Packet seems to be getting dropped but not sure what the cause is

You cannot map two ports using a single rule this way - the to-ports is a pool to use and there is no relationship to the original destination port. But if you remove the to-ports completely, the original dst-port will stay unchanged, so this modification should resolve your issue. Your current rule...
by sindy
Thu Nov 24, 2022 12:27 pm
Forum: General
Topic: RB3011 - VLAN - Untagged
Replies: 12
Views: 934

Re: RB3011 - VLAN - Untagged

Forwarding in hardware is definitely faster than forwarding in software; the question is whether you indeed have a significant amount of traffic that is forwarded between devices in the same VLAN. If not, i.e. if most of the traffic is routed from one VLAN to another or between the VLANs and the int...
by sindy
Thu Nov 24, 2022 9:43 am
Forum: General
Topic: RB3011 - VLAN - Untagged
Replies: 12
Views: 934

Re: RB3011 - VLAN - Untagged

On 8337, vlan-filtering=yes disables "hardware accelerated bridging", i.e. direct forwarding of traffic among the switch chip ports without involving the CPU. It's not clear from your OP whether you are interested in switch chip forwarding.
by sindy
Wed Nov 23, 2022 10:17 pm
Forum: General
Topic: RB3011 - VLAN - Untagged
Replies: 12
Views: 934

Re: RB3011 - VLAN - Untagged

You have an interesting mix of settings, /interface bridge vlan rows do not correspond to /interface ethernet switch vlan rows. If you had vlan-filtering set to yes, to change ether5 to access port to VLAN 100, you would remove ether5 from the tagged list for vlan-ids=100 in /interface bridge vlan ...
by sindy
Wed Nov 23, 2022 9:58 pm
Forum: Beginner Basics
Topic: Configure 2 separate networks on single routerboard
Replies: 8
Views: 1169

Re: Configure 2 separate networks on single routerboard

for the VRF method you linked, what is the command/setting to achieve this in my use case? Because I have multiple lan ports in a bridge (Ether2-5) to use wan (Ether1) In this case, the IP stack doesn't know anything about ether2 to ether5 , it only knows about the bridge one. So you need to place ...
by sindy
Wed Nov 23, 2022 8:50 pm
Forum: General
Topic: ethernet usb adapter
Replies: 3
Views: 342

Re: ethernet usb adapter

Netinstall is always limited to single ethernet port ... either management/boot port (on select device models) or ether1. And it's not selectable. While I've also initially thought the OP asks for a USB Ethernet adaptor to be connected to the Mikrotik via USB, the requirement for ability to see ne...
by sindy
Wed Nov 23, 2022 2:38 pm
Forum: General
Topic: IPsec ping through Main Server [SOLVED]
Replies: 7
Views: 746

Re: IPsec ping through Main Server [SOLVED]

On A, add two policies: dst-address=192.168.11.0/24 peer=peer1 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes dst-address=192.168.12.0/24 peer=peer2 proposal=proposal1 src-address=192.168.11.0/24 tunnel=yes On B, add one policy: dst-address=192.168.12.0/24 peer=peer1 proposal=proposal1 sr...
by sindy
Wed Nov 23, 2022 11:49 am
Forum: General
Topic: IPsec ping through Main Server [SOLVED]
Replies: 7
Views: 746

Re: IPsec ping through Main Server [SOLVED]

That's correct, there will be no direct Security Association ("tunnel") between B and C. The B<->C policy between A and B will deliver packets for C from B to A, and the B<->C policy between A and C will deliver them from A further to C.
by sindy
Wed Nov 23, 2022 10:42 am
Forum: General
Topic: How to Add Latency for Testing?
Replies: 5
Views: 700

Re: How to Add Latency for Testing?

You need a Linux machine for that. The tool to use is netem. To introduce a 500 ms delay for a 1 Gbit/s stream in one direction, you have to store 500 Mbits, i.e. roughly 50 Mbytes, of data in the queue. So on a device with enough RAM, you may be able to achieve this using containers (currently ava...
by sindy
Wed Nov 23, 2022 10:26 am
Forum: General
Topic: IPsec ping through Main Server [SOLVED]
Replies: 7
Views: 746

Re: IPsec ping through Main Server [SOLVED]

there is a way to ping between B and C by adding policies from both sides, but I want to ping between B and C through A. there are many topics regarding this issue by using L2tp and OSPF. When you add B<->C policies to B, C, and A, the B<->C ping does go through A. So what is the actual concern?
by sindy
Tue Nov 22, 2022 4:23 pm
Forum: Beginner Basics
Topic: Want Virtual Wireless clients access internet only through wireguard
Replies: 17
Views: 789

Re: Want Virtual Wireless clients access internet only through wireguard

[ Also one never knows the nefarious sources the OP used for reference such as " using https://pivpn.io/ " AND " I used this solution from "sindy": viewtopic...... ;-)) ] In fact, the referred post wasn't one of my brightest, as I've understood the requirement wrongly that ...
by sindy
Tue Nov 22, 2022 4:19 pm
Forum: General
Topic: Specific domain/web only works via VPN
Replies: 5
Views: 331

Re: Specific domain/web only works via VPN

Is the Mikrotik standing between the website and the internet? And does that Mikrotik act as a server for the VPN through which you can get to the website? If that is the case, post the current configuration of the Mikrotik, obfuscating the serial number and public IP addresses - see my automatic si...
by sindy
Tue Nov 22, 2022 10:59 am
Forum: Beginner Basics
Topic: Want Virtual Wireless clients access internet only through wireguard
Replies: 17
Views: 789

Re: Want Virtual Wireless clients access internet only through wireguard

The one you advised and the one already advised which is IDENTICAL. What is the purpose....... You don't like use-WG and prefer via-uk ?? ;-) It's because I did not filter through all that visual noise and just responded to the OP's My goal is simple: I want wireguard-wifi clients access internet as if...
by sindy
Mon Nov 21, 2022 10:34 pm
Forum: Beginner Basics
Topic: Want Virtual Wireless clients access internet only through wireguard
Replies: 17
Views: 789

Re: Want Virtual Wireless clients access internet only through wireguard

The easiest way is to create a normal local subnet for this special SSID (a dedicated IP address and DHCP server attached directly to the virtual wireless interface), and use a routing rule: /routing/table/add fib name=via-uk /ip/route/add routing-table=via-uk gateway=wg1 /routing/rule/add src-addre...
by sindy
Mon Nov 21, 2022 3:46 pm
Forum: General
Topic: Problem with PPTP
Replies: 3
Views: 274

Re: Problem with PPTP

You do need to permit input traffic to udp port 1701, but maybe it works because there is a rule action=accept ipsec-policy=in,ipsec that permits everything that came as IPsec payload. You have to permit ESP (IP protocol 50) if your Mikrotik listens on a public address itself and at least one client...
by sindy
Sun Nov 20, 2022 11:42 pm
Forum: General
Topic: Problem with PPTP
Replies: 3
Views: 274

Re: Problem with PPTP

connection marking is correct in mangle chain prerouting both for incoming connections that are port-forwarded to LAN hosts and for incoming connections to the router itself. However, for connections to the router itself, the translation of connection-mark to routing-mark must be done in mangle chai...
by sindy
Sun Nov 20, 2022 3:57 pm
Forum: General
Topic: VRF and Firewall Filter Rules
Replies: 2
Views: 280

Re: VRF and Firewall Filter Rules

A bug (or maybe a feature) on RouterOS side. The VRF implementation has changed in ROS 7 as compared to ROS 6 and so far the behaviour is this. In the firewall, VRF traffic cannot be matched even by interface.
by sindy
Sun Nov 20, 2022 3:52 pm
Forum: General
Topic: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]
Replies: 8
Views: 1014

Re: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]

I have always left local-address in peer empty, but I guess it should be always set for cases where a fixed local-address is used in a site-to-site VPN config? That routing rule would be sufficient alone if the router was a passive peer (only ever acting as a responder). If it also acts as an initi...
by sindy
Sat Nov 19, 2022 11:57 pm
Forum: General
Topic: ipsec issue authentication fails with remote-id RFC822 and FQDN
Replies: 3
Views: 621

Re: ipsec issue authentication fails with remote-id RFC822 and FQDN

I have a template for road warriors as well. I found that the issue was that the peer was not specified in the policy. After specifying it it started to work. That sounds odd. While having a policy (not a policy template) with no peer specification is definitely possible (for backward compatibility...
by sindy
Fri Nov 18, 2022 11:42 pm
Forum: General
Topic: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]
Replies: 8
Views: 1014

Re: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]

It's still too vague, but if your router acts as a VPN server, i.e. external clients connect to one or the other of its public addresses, a routing rule matching on src-address is sufficient to make the router respond via the second WAN. For this use case, it only makes sense to use connection ma...
by sindy
Fri Nov 18, 2022 12:30 pm
Forum: General
Topic: select dhcp network/pool/server based on client identity or option?
Replies: 4
Views: 332

Re: select dhcp network/pool/server based on client identity or option?

It's not a big difference whether you let an /ip dhcp-server lease item refer to MAC address (or, more precisely, client-id) or an /interface wireless access-list or caps-man access-list item. With DHCP lease, you can also use the vendor ID to choose a pool; with /caps-man access-list (not with /in...
by sindy
Fri Nov 18, 2022 9:49 am
Forum: General
Topic: IPIP tunnel with custom keying
Replies: 1
Views: 157

Re: IPIP tunnel with custom keying

Yes and no. Yes, you can use IKEv2 to encrypt an IPIP tunnel, but no, it is not enough to change the default profile and policy template group - instead of just setting the ipsec-secret parameter on the /interface ipip row to a non-empty string and thus letting RouterOS "dynamically" creat...
by sindy
Fri Nov 18, 2022 12:52 am
Forum: General
Topic: select dhcp network/pool/server based on client identity or option?
Replies: 4
Views: 332

Re: select dhcp network/pool/server based on client identity or option?

You can link a vendor id to an address pool, but that may not be flexible enough. You can use wireless access list to map the client MAC address to a VLAN (with its own subnet & DHCP server), but with contemporary mobile phones using random MAC addresses it is not much use any more. You can a...
by sindy
Thu Nov 17, 2022 10:09 pm
Forum: General
Topic: Link with multiple subnets [SOLVED]
Replies: 7
Views: 883

Re: Link with multiple subnets [SOLVED]

If 192.168.197.10 has no gateway configured, it cannot actively connect anywhere outside its subnet unless it connects to devices in the same subnet that use port forwarding to deliver the request to the actual destination; it can only accept incoming connections from outside its own subnet if the ro...
by sindy
Thu Nov 17, 2022 7:15 pm
Forum: General
Topic: Windows VPN
Replies: 5
Views: 432

Re: Windows VPN

I would prefer a log from the very beginning - let things "cool down" for at least 15 minutes, then start logging into a separate file using /log print follow-only file=vpn-start where topics~"ipsec|l2tp", and then let the client make a single connection attempt). But before act...
by sindy
Thu Nov 17, 2022 5:53 pm
Forum: General
Topic: Multiple PPPoE clients stopped working simultaneously
Replies: 2
Views: 352

Re: Multiple PPPoE clients stopped working simultaneously

PADI is sent by the client, so if the server does not respond, it means it doesn't like the contents (or source) of the PADI. Since you say the client on Windows works, you have to sniff on the Windows as well (or on a Mikrotik in bridge mode through which the Windows connects) and compare the conten...
by sindy
Thu Nov 17, 2022 3:05 pm
Forum: General
Topic: Unexplained Traffic on Tx
Replies: 1
Views: 181

Re: Unexplained Traffic on Tx

Can anyone explain why receive traffic is being sent out every port with a common vlan? This is a normal behaviour of a switch/bridge for three categories of traffic: traffic to broadcast MAC address (ff:ff:ff:ff:ff:ff) traffic to multicast MAC addresses (any address with the LSB of the first byte ...
by sindy
Thu Nov 17, 2022 12:14 pm
Forum: Beginner Basics
Topic: Wireguard bidirectionality
Replies: 18
Views: 769

Re: Wireguard bidirectionality

RouterOS is not allowing this. add is used when an object doesn't exist yet. set is used when you need to change parameters of an already existing object. To identify that object (or a list of objects), you have to use [find where parameter1=value1 and parameter2=value2 ... ], or you have to use p...
by sindy
Thu Nov 17, 2022 11:14 am
Forum: General
Topic: Link with multiple subnets [SOLVED]
Replies: 7
Views: 883

Re: Link with multiple subnets [SOLVED]

I'm risking getting called patronizing by a 3rd party again, but let me assume you lack the networking basics. If it is sufficient that devices using a given subnet are only connected to one of the routers (let's say router 2), assign an address from that subnet only to router 2, not to router 1. Th...
by sindy
Thu Nov 17, 2022 12:46 am
Forum: General
Topic: Windows VPN
Replies: 5
Views: 432

Re: Windows VPN

Maybe you should start from explaining what "cannot get into the same VPN" means in detail. It can be anything from getting no response at all through authenticating but immediately disconnecting to connecting successfully but not being able to exchange data with the private network. Since...
by sindy
Wed Nov 16, 2022 8:21 pm
Forum: Beginner Basics
Topic: Wireguard bidirectionality
Replies: 18
Views: 769

Re: Wireguard bidirectionality

Since there is the PersistentKeepalive=20 row at Debian side, there is no point in having it at Mikrotik side as well, and the issue has nothing to do with expired pinhole. I now had a look at the forward chain of your /ip firewall filter - it's a bit messy (find what a stateful firewall means and w...