Search found 26 matches

by AwesomeDuke
Tue May 17, 2022 5:48 am
Forum: General
Topic: Filter Rules to Allow Internet for Multiple Subnets
Replies: 11
Views: 1702

Re: Filter Rules to Allow Internet for Multiple Subnets

Post a complete config and I will take a look. /export hide-sensitive file=anynameyouwish
Hi anaz, Here is the config: # may/17/2022 12:16:20 by RouterOS 6.48.6 # software id = BE1E-SC82 # # model = RouterBOARD 750G r3 # serial number = 6F3A07AFA21C /interface bridge add name=LAN-WIFI add name=SEC-...
by AwesomeDuke
Tue May 17, 2022 3:09 am
Forum: General
Topic: Filter Rules to Allow Internet for Multiple Subnets
Replies: 11
Views: 1702

Re: Filter Rules to Allow Internet for Multiple Subnets

As per my note in the previous post...................
Thanks anav. I've noted that, but it doesn't matter where I place the forward rule, I can access both sides of the connection from either side. It doesn't make sense. I've even placed this rule last and still can access both sides. Am I missing ...
by AwesomeDuke
Mon May 16, 2022 3:52 am
Forum: General
Topic: Filter Rules to Allow Internet for Multiple Subnets
Replies: 11
Views: 1702

Re: Filter Rules to Allow Internet for Multiple Subnets

Hi Anav, Thanks. I've tried that, but the SEC-CAM bridge can still access the LAN-WIFI side. Is there a way to make it one way only? Here are the rules as they stand now. /ip firewall filter add action=accept chain=input comment=\ "M7 Default Rule: Accept established, related, untracked" \ ...
by AwesomeDuke
Fri May 13, 2022 3:15 am
Forum: General
Topic: Filter Rules to Allow Internet for Multiple Subnets
Replies: 11
Views: 1702

Re: Filter Rules to Allow Internet for Multiple Subnets

Sorry to be a pain, but I have one more question regarding the multi subnet setup. If I wanted to have the LAN subnet (bridge LAN-WIFI), let's say 10.0.10.0/24 have one way access to the Security Camera subnet of 192.168.18.0/24 (bridge SEC-SYS) how can this be achieved? I don't want the security syste...
by AwesomeDuke
Thu May 12, 2022 3:51 pm
Forum: General
Topic: Filter Rules to Allow Internet for Multiple Subnets
Replies: 11
Views: 1702

Re: Filter Rules to Allow Internet for Multiple Subnets

Mkx is on the right track. However, be aware that using a drop rule on the input chain has to be done carefully so you don't lock yourself out.
viewtopic.php?t=180838
Thanks anav, most informative and I've bookmarked that page.
by AwesomeDuke
Thu May 12, 2022 6:07 am
Forum: General
Topic: Filter Rules to Allow Internet for Multiple Subnets
Replies: 11
Views: 1702

Re: Filter Rules to Allow Internet for Multiple Subnets

As it is now, rule /ip firewall filter add action=drop chain=input comment=\ "M7 Default Rule: Drop all NOT coming from LAN" in-interface=!LAN-WIFI can be transcribed to two rules: /ip firewall filter add action=accept chain=input comment="M7 Default Rule: allow all coming from LAN"...
by AwesomeDuke
Wed May 11, 2022 6:07 am
Forum: General
Topic: Filter Rules to Allow Internet for Multiple Subnets
Replies: 11
Views: 1702

Filter Rules to Allow Internet for Multiple Subnets

Hi Everyone, I'm a relative newbie to Mikrotik, so this may be a simple question, but I hope someone can help me out. I'm trying to create a base setup that I can use in multiple environments and am currently playing around on my 750G r3 to increase my knowledge. I have set up the Filter Rules to allow a...
by AwesomeDuke
Sun Dec 05, 2021 12:54 am
Forum: General
Topic: pfSense Behind Mikrotik Router and L2TP VPN
Replies: 2
Views: 1787

Re: pfSense Behind Mikrotik Router and L2TP VPN

So your RDP server is behind the pfsense? Are you double NATTED? Sounds like a MTU problem, can you do a MTU test?
Yes, the RDP server is behind pfSense. When you say double NATTED, do you mean on the Mikrotik?

Do an MTU test between the Mikrotik and pfSense do you mean?
by AwesomeDuke
Wed Dec 01, 2021 4:10 am
Forum: General
Topic: pfSense Behind Mikrotik Router and L2TP VPN
Replies: 2
Views: 1787

pfSense Behind Mikrotik Router and L2TP VPN

Hi Everyone, I'm trying to figure out how to best configure a setup where we have pfSense behind a Mikrotik RB3011. The setup is as follows: Mikrotik Port 1 - Internet/WAN Port 6 - LAN 192.168.10.254/24 Port 7 - pfSense WAN. The Mikrotik is set to provide a static DHCP address to pfSense of 10.0.88....
by AwesomeDuke
Tue Dec 03, 2019 2:04 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5546

Re: Site to Site L2TP VPN

Thank you everyone for all your help and suggestions. I finally have gotten to the bottom of the issue. A bit of background: The reason we started using this 4G connection at this location was because the ADSL had gone down and the Telco was looking at about a 1 week lead time to repair. Obviously t...
by AwesomeDuke
Tue Dec 03, 2019 4:18 am
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5546

Re: Site to Site L2TP VPN

Yes, both ends.
I set this up at both ends and still can't get it to work. I could still ping, but basically nothing changed. I have removed the changes to revert back to my original setup.

Any other suggestions?

thanks

Duke
by AwesomeDuke
Mon Dec 02, 2019 3:09 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5546

Re: Site to Site L2TP VPN

Yes, both ends.
One final question, what do I do with my existing masquerade policy? Do I put yours before mine, after mine or simply delete mine?

Thanks...
by AwesomeDuke
Mon Dec 02, 2019 1:51 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5546

Re: Site to Site L2TP VPN

1. IPSec traffic should not be masqueraded, replace your masquerade rule with this one (change eth according to your needs): /ip firewall nat add action=masquerade chain=srcnat comment="default configuration" ipsec-policy=out,none out-interface=ether1 2. Allow IPSec traffic in forward chain ...
by AwesomeDuke
Mon Dec 02, 2019 1:29 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5546

Re: Site to Site L2TP VPN

If you can ping from a pc one side to a printer other side and vice versa, then routing is working. Then the problem is probably due to Windows firewall as they drop connections coming in from different subnet than LAN address by default
Sorry, I think you've mis-read what I've said. If I open a Termin...
by AwesomeDuke
Mon Dec 02, 2019 12:01 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5546

Site to Site L2TP VPN

Hi Everyone, I'm really struggling with a site-to-site L2TP VPN that I hope someone can shed some light upon. The setup is as follows: Head Office: > Static WAN IP Address > Mikrotik IP: 10.0.0.254/24 > L2TP IP: 10.0.10.254 > Static Route Created: 10.0.2.0/24 GW: 10.0.20.253 Remote Site: > Dynamic I...
by AwesomeDuke
Mon Jun 03, 2019 12:11 pm
Forum: RouterBOARD hardware
Topic: RB3011 POE-In Not Working
Replies: 2
Views: 2870

RB3011 POE-In Not Working

Hi, I hope someone can help me with this issue. I'm trying to get my RB3011 to power up via the POE-In ether1 port from an HP 1920S switch. I am having difficulty finding any info on this so hopefully someone has managed to get this to work somewhere along the line. Is there something special I need...
by AwesomeDuke
Thu Mar 14, 2019 7:03 am
Forum: General
Topic: IPSec VPN Stops Working - Ready To Send
Replies: 7
Views: 10042

Re: IPSec VPN Stops Working - Ready To Send

Just an update for anyone else experiencing this issue.

Since downgrading the RouterOS to 6.42.12 the Site to Site VPN has been stable.

Thank you to Audrey for the suggestion. There must be a bug in the IPSec setup for the 6.44 RouterOS.
by AwesomeDuke
Mon Mar 11, 2019 10:32 am
Forum: General
Topic: IPSec VPN Stops Working - Ready To Send
Replies: 7
Views: 10042

Re: IPSec VPN Stops Working - Ready To Send

Same here. Just upgraded routeros to the new 6.44 firmware and got the same "ready to send" status for the one of my L2TP/IPSec connections. This connection based on Ubuntu Strongswan+xl2tpd service. All other Routers that work on old 6.43.12 firmware connecting to this L2TP-server withou...
by AwesomeDuke
Sat Mar 02, 2019 12:58 am
Forum: General
Topic: IPSec VPN Stops Working - Ready To Send
Replies: 7
Views: 10042

IPSec VPN Stops Working - Ready To Send

Hi Everyone, I'm a Mikrotik newb and inherited this configuration so please bear that in mind when tearing me a new one. :) Not sure if anyone has ever come across this, but I have a Site to Site IPSec VPN issue that recently started causing me headaches. This must have started after a recent updat...
by AwesomeDuke
Thu May 24, 2018 6:59 am
Forum: General
Topic: DHCP for 1000 Clients on a Wireless Network
Replies: 1
Views: 1387

DHCP for 1000 Clients on a Wireless Network

Hi Everyone, We are planning on rolling out a wireless network that can cater for up to about 1000 connections. I'd like our Mikrotik router to act as a DHCP for the Ubiquiti wireless network, but I have no idea how to configure the IPv4 DHCP Server to handle more than one subnet because obviously w...
by AwesomeDuke
Mon Feb 19, 2018 12:34 am
Forum: General
Topic: IPSec VPN Problem
Replies: 14
Views: 4736

Re: IPSec VPN Problem

Sindy,

Thank you so much. Sorry it has taken a while for me to get back to you, but I've been away.

I will give these rules a go when I get an opportunity. Thank you so much again.

Duke
by AwesomeDuke
Tue Feb 13, 2018 4:56 am
Forum: General
Topic: IPSec VPN Problem
Replies: 14
Views: 4736

Re: IPSec VPN Problem

Sindy, that is one amazing reply. Thank you so much for your attention to detail and taking the time. I can confirm that adding this to the NAT table works: add action=accept chain=dstnat comment="This Works" \ dst-address-list=Private ipsec-policy=in,ipsec src-address-list=Private I'm a bit c...
by AwesomeDuke
Mon Feb 12, 2018 2:17 pm
Forum: General
Topic: IPSec VPN Problem
Replies: 14
Views: 4736

Re: IPSec VPN Problem

grrr... I haven't written that "hide-sensitive" should be given as a parameter to the "/export" because I've told you to export only the firewall rules. So I hope you have modified the secrets before posting as otherwise you have to modify them now to stay secure once you've lea...
by AwesomeDuke
Mon Feb 12, 2018 1:25 pm
Forum: General
Topic: IPSec VPN Problem
Replies: 14
Views: 4736

Re: IPSec VPN Problem

Please provide the mapping between "local" and "remote" on one hand and "https server side" and "https client side" on the other one.
Mapping is trying to access HTTPS from local to the Remote. You can access HTTPS from local to remote, but because the NAT takes...
by AwesomeDuke
Mon Feb 12, 2018 11:10 am
Forum: General
Topic: IPSec VPN Problem
Replies: 14
Views: 4736

Re: IPSec VPN Problem

You haven't stated at which end of the VPN connection you had to apply your "suspicious" dstnat rule. And you're right, it is suspicious, because it doesn't actually dst-nat anything as the action is "accept" rather than "dst-nat", so it must be shadowing some other ru...
by AwesomeDuke
Sun Feb 11, 2018 7:03 am
Forum: General
Topic: IPSec VPN Problem
Replies: 14
Views: 4736

IPSec VPN Problem

Hi Everyone, I’ve come across an issue and I’m not sure I’ve solved it in the way it should be solved. My issue is I have an IPSec VPN between two sites and the connection is established and I can ping from each location. Problem is when I want to HTTPS to a specific IP at the remote location throug...