Community discussions

Search found 11247 matches

by sindy
Sun Jan 12, 2025 10:59 am
Forum: General
Topic: RB5009: connected link to CRS354 stays down after reboot
Replies: 1
Views: 111

Re: RB5009: connected link to CRS354 stays down after reboot

When you say the issue does not show up if you connect some other switch than the CRS354, does it mean you move the S-RJ01 to that other switch or you use copper port (or another model of copper SFP) there? Does the issue show up if you use a copper port on the CRS354 instead of the S-RJ01? As it so...
by sindy
Sun Jan 12, 2025 10:17 am
Forum: General
Topic: PPPoe voice
Replies: 1
Views: 106

Re: PPPoe voice

Can you elaborate on what a voice pppoe is? Does your ISP provide a dedicated PPPoE account for a Voice over IP service? If yes, do you have the credentials you need to register your phone number with their voice exchange once the data channel to it gets established?
by sindy
Sun Jan 12, 2025 10:09 am
Forum: General
Topic: bad command name health (line 1 column 17)
Replies: 1
Views: 83

Re: bad command name health (line 1 column 17)

[me@myTik] > system/health/print
Columns: NAME, VALUE, TYPE
#  NAME             VALUE  TYPE
0  cpu-temperature     56  C
Where have you found the hardware part of the path? The above is from ROS 7.16.2, but I cannot remember any other form of the command for past several years.
by sindy
Fri Jan 10, 2025 9:15 pm
Forum: General
Topic: Issue migrating from RB750Gr3 to rb5009ug_s_in, LAN can't access internet
Replies: 3
Views: 234

Re: Issue migrating from RB750Gr3 to rb5009ug_s_in, LAN can't access internet

Your configuration is a bit confusing to me. The only action=masquerade rule in the srcnat chain of /ip firewall nat matches on out-interface-list=WAN , and the only member of interface list WAN is ether_isp , to which a DHCP client is also attached. So if this is the actual WAN, the LAN hosts shoul...
by sindy
Fri Jan 10, 2025 7:16 pm
Forum: General
Topic: My LHG - LTE18 is having a Stroke. :D
Replies: 12
Views: 611

Re: My LHG - LTE18 is having a Stroke. :D

I'm not sure you followed the first response of @mkx - what does /interface/lte/firmware-upgrade lte1 upgrade=no show?
by sindy
Fri Jan 10, 2025 4:57 pm
Forum: General
Topic: How to reach a router behind a CGNAT? [SOLVED]
Replies: 23
Views: 1832

Re: How to reach a router behind a CGNAT? [SOLVED]

would it actually make any real world benefit for using bypass mode
Unless you consider availability of IPv6 a real world benefit (it makes you independent of the BTH infrastructure), and unless you suffer from the double-NAT-phobia, it wouldn't.
How and do the firmware updates work for antenna rou...
by sindy
Fri Jan 10, 2025 4:35 pm
Forum: General
Topic: How to reach a router behind a CGNAT? [SOLVED]
Replies: 23
Views: 1832

Re: How to reach a router behind a CGNAT? [SOLVED]

Indeed. Using DHCP, the antenna always hands out an IPv4 address from the 100.64.0.0/10 range and a /56 global prefix. If the router is active, it only requests an IPv4 address from the antenna, and only hands out IPv4 addresses from 192.168.1.0/24 on its LAN side; if it is set to bypass mode, it ac...
by sindy
Fri Jan 10, 2025 4:02 pm
Forum: General
Topic: How to reach a router behind a CGNAT? [SOLVED]
Replies: 23
Views: 1832

Re: How to reach a router behind a CGNAT? [SOLVED]

As for StarLink, I presume bypass works only for business models, or?
It works also for the consumer grade service.
As for the antenna, it draws a lot of power. From what I understand the ethernet cable they provide is out of standard, as is power delivery, as it needs to supply up to 100W+ to the ...
by sindy
Thu Jan 09, 2025 11:11 pm
Forum: General
Topic: My LHG - LTE18 is having a Stroke. :D
Replies: 12
Views: 611

Re: My LHG - LTE18 is having a Stroke. :D

According to this: https://help.mikrotik.com/docs/spaces/ROS/pages/136839241/RouterBOOT it looks like RouterBOOT, is updated alongside "RouterBoard" correct ?
"alongside" as in "is downloaded as part of RouterOS", yes. "alongside" as in "is actually inst...
by sindy
Wed Jan 08, 2025 12:30 pm
Forum: General
Topic: LTE issue on reboot
Replies: 21
Views: 944

Re: LTE issue on reboot

Why is there such a reluctance to reboot the router?
On my side, it is not a reluctance to reboot the router, it is an experience that a software-initiated reboot of the router was in too many cases not sufficient to resolve an issue with an LTE modem that itself needed a power cycle.
by sindy
Tue Jan 07, 2025 8:26 pm
Forum: General
Topic: LTE issue on reboot
Replies: 21
Views: 944

Re: LTE issue on reboot

to combat this i have just written this script which we will run 5 mins after any reboot and every hour just in case
Have you tested that a reboot of the router is indeed necessary to recover from the "LTE not seen" state, i.e. whether power cycling the USB is not a sufficient way to make...
by sindy
Tue Jan 07, 2025 4:17 pm
Forum: General
Topic: LTE issue on reboot
Replies: 21
Views: 944

Re: LTE issue on reboot

I usually use a slightly different approach, I monitor traffic flow via the LTE interface and power-cycle it (they are actually USB ones) if there is none, granting it a recovery period of some minutes after each power cycle. The pros are that this way can handle also weird hangs during operation po...
by sindy
Tue Jan 07, 2025 10:21 am
Forum: General
Topic: Debugging FW rules
Replies: 5
Views: 582

Re: Debugging FW rules

if my Kubernetes nodes announce svc addresses (via BGP) and I can connect to them from an IoT network, it loses the connection?
Please review and maybe reword this sentence, I am not sure what actually happens under what circumstances.
by sindy
Sun Jan 05, 2025 8:08 pm
Forum: General
Topic: Multi WAN routing problem with CHR. Help please
Replies: 8
Views: 474

Re: Multi WAN routing problem with CHR. Help please

Maybe I do not understand what you want to achieve or how the wireguard tunnel is set - is the endpoint address of the only Wireguard peer on the RB750 set to the public address of the CHR? Because the log row you've just posted says that the initial packet towards TCP port 8297 has arrived via pppo...
by sindy
Sun Jan 05, 2025 5:48 pm
Forum: General
Topic: Multi WAN routing problem with CHR. Help please
Replies: 8
Views: 474

Re: Multi WAN routing problem with CHR. Help please

On the RB750, the IP address attached to interface wireguard1 is 172.16.7.19; on the CHR, the allowed-address on the wireguard peer representing the RB750 says 172.16.7.7, and the to-addresses in the only dst-nat rule on the CHR is set to 172.16.7.21. All these three addresses have to be the s...
by sindy
Sun Jan 05, 2025 2:52 pm
Forum: General
Topic: RB493AH cutting itself away from network
Replies: 1
Views: 238

Re: RB493AH cutting itself away from network

I've noticed that the problem is less likely to happen with lower CPU frequency. Also, there is a slightly swollen capacitor, that hasn't been changed, unlike all of the other ones.
If this wasn't happening before, the chance that the "swollen" capacitor is related is quite high, especia...
by sindy
Sun Jan 05, 2025 12:34 pm
Forum: General
Topic: Multi WAN routing problem with CHR. Help please
Replies: 8
Views: 474

Re: Multi WAN routing problem with CHR. Help please

I noticed the port forward is stuck in RB5009 where load balancing is done.
If you do the port forwarding on the CHR properly (from the public address to the private one that is attached to the Wireguard interface on the 750), the Wireguard tunnel as such is working properly, the routing on the 750...
by sindy
Sun Jan 05, 2025 11:24 am
Forum: General
Topic: Chateau Pro AX slow speed [SOLVED]
Replies: 17
Views: 1001

Re: Chateau Pro AX slow speed [SOLVED]

So basically i should call my ISP and hopefully they can do changes on their side and it should fix the issue? Is that how it is?
That, or they will send you "behind a NAT" instead. Has the ASUS been provided by them back then or you've bought it yourself? If it is just a MAC address issu...
by sindy
Sun Jan 05, 2025 10:57 am
Forum: General
Topic: Chateau Pro AX slow speed [SOLVED]
Replies: 17
Views: 1001

Re: Chateau Pro AX slow speed [SOLVED]

It starts sounding to me as if the ISP was doing something... "unusual" to put it softly. So far I've seen such things to happen only in France and the U.S.. But first, your export says the version is 7.17rc3, did the router indeed come out of the box with a release candidate version inst...
by sindy
Sun Jan 05, 2025 10:15 am
Forum: General
Topic: Debugging FW rules
Replies: 5
Views: 582

Re: Debugging FW rules

What would be the right way to ...
Well... the right way... I'm probably too old to issue statements this strong. What I personally prefer is to drop everything (using the last rule in each filter chain) and only explicitly accept the necessary exceptions. Because if you do it that way, your legal ...
by sindy
Sat Jan 04, 2025 7:38 pm
Forum: General
Topic: Debugging FW rules
Replies: 5
Views: 582

Re: Debugging FW rules

IPv6: in filter/forward, there is no rule allowing dst-nated connections to get through before the final "drop whatever did not come in via LAN" one. IPv4: since you have disabled the "drop whatever did not come in via LAN" rule in filter/input rather than keeping it at the end o...
by sindy
Sat Jan 04, 2025 12:05 am
Forum: General
Topic: Trunking a vlan
Replies: 16
Views: 726

Re: Trunking a vlan

For the setup you describe (untagged Windows connected to sfp-sfpplus1 and tagged Linux connected to sfp-sfpplus4), provided that it is on the same device (doesn't matter which one), the pvid on the /interface bridge port row for sfp-sfpplus1 must be set to 100 and frame-types must be set to admit-o...
by sindy
Fri Jan 03, 2025 11:15 pm
Forum: General
Topic: DHCP Option 6 Incorrectly Interpreted as ASCII, Resulting in Invalid DNS IPs [SOLVED]
Replies: 3
Views: 367

Re: DHCP Option 6 Incorrectly Interpreted as ASCII, Resulting in Invalid DNS IPs [SOLVED]

Just out of curiosity, what makes you manually define Option 6 rather than just setting the DNS server list on the /ip dhcp-server network row?
by sindy
Fri Jan 03, 2025 10:20 pm
Forum: General
Topic: Hap ax3
Replies: 3
Views: 327

Re: Hap ax3

On my CRS310-8G+2S+IN, the default admin password is on the sticker directly on the device - is that not the case for the hAP ax³?
by sindy
Fri Jan 03, 2025 9:50 pm
Forum: General
Topic: DHCP Option 6 Incorrectly Interpreted as ASCII, Resulting in Invalid DNS IPs [SOLVED]
Replies: 3
Views: 367

Re: DHCP Option 6 Incorrectly Interpreted as ASCII, Resulting in Invalid DNS IPs [SOLVED]

It works as designed. The apostrophe syntax can handle a single IP address but not a list, however, you can concatenate elementary items. So the correct "spelling" looks like this:
/ip dhcp-server option add code=6 name=AlternateDNS value="'192.168.1.105''8.8.8.8'"
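The bytes behind the two spellings, as an added example that is neither part of the post above nor RouterOS code: it builds DHCP option 6 (RFC 2132, Domain Name Server) from a list of addresses, decodes it strictly, and shows what a client sees when the value is sent as the literal ASCII string "192.168.1.105,8.8.8.8" (the misconfiguration the thread title describes). The function names and the lenient decoder are my own; the two addresses are the ones from the post.

```python
"""DHCP option 6 (Domain Name Server): correct binary encoding vs. ASCII misencoding.

Added example, not from the forum post or from RouterOS. Option layout per RFC 2132:
one code octet (6), one length octet, then 4 octets per IPv4 address, so the length
must be a non-zero multiple of 4.
"""
import ipaddress

OPTION_DNS = 6


def encode_option6(servers):
    """Return the option bytes: code, length, then 4 bytes per IPv4 address."""
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if not payload:
        raise ValueError("option 6 needs at least one IPv4 address")
    if len(payload) > 255:
        raise ValueError("option payload exceeds the one-octet length field")
    return bytes([OPTION_DNS, len(payload)]) + payload


def decode_option6(option):
    """Strict decoder: returns dotted-quad strings, raises on a malformed option."""
    if len(option) < 2 or option[0] != OPTION_DNS:
        raise ValueError("not a DHCP option 6")
    length = option[1]
    payload = option[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated option")
    if length == 0 or length % 4:
        raise ValueError(f"option 6 length {length} is not a multiple of 4")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def ascii_option6(text):
    """What a server emits when the value is taken as a literal ASCII string
    (the misconfiguration): the characters themselves become the payload."""
    payload = text.encode("ascii")
    return bytes([OPTION_DNS, len(payload)]) + payload


def lenient_decode(option):
    """Decode the way a permissive client might: every whole 4-byte group becomes
    an address and any remainder is ignored. Shows the 'invalid DNS IPs' symptom."""
    length = option[1]
    payload = option[2:2 + length]
    usable = length - length % 4
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, usable, 4)]


def routeros_value(servers):
    """The RouterOS 'value' string that yields the same bytes as encode_option6():
    each address in its own single-quoted element, concatenated (the form in the post)."""
    return "".join(f"'{s}'" for s in servers)


if __name__ == "__main__":
    good = encode_option6(["192.168.1.105", "8.8.8.8"])
    bad = ascii_option6("192.168.1.105,8.8.8.8")   # constructed misencoding
    print("correct option bytes :", good.hex())
    print("RouterOS value       :", routeros_value(["192.168.1.105", "8.8.8.8"]))
    print("ASCII option bytes   :", bad.hex())
    print("permissive client gets:", lenient_decode(bad))
```

The strict decoder rejects the ASCII variant outright because its length (21) is not a multiple of 4; a permissive client instead turns "192." into 49.57.50.46 and so on, which is the kind of address the thread complains about.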
by sindy
Fri Jan 03, 2025 8:46 pm
Forum: General
Topic: Trunking a vlan
Replies: 16
Views: 726

Re: Trunking a vlan

The command line syntax is just another way to describe the same things, so translating the command line commands to corresponding mouse clicks is a legitimate approach. It's just that the text representation is much more concise, i.e. provides more bits of information per screen pixel. "admit-...
by sindy
Fri Jan 03, 2025 8:35 pm
Forum: General
Topic: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]
Replies: 19
Views: 1321

Re: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]

Reauthentication and rekeying is not the same thing. The term reauthentication is related to Phase 1 (the "control connection") that transports relatively small data volumes, the term rekeying is related to Phase 2 that transports the actual encrypted payload. Since breaking a ciphering ke...
by sindy
Fri Jan 03, 2025 7:15 pm
Forum: General
Topic: Trunking a vlan
Replies: 16
Views: 726

Re: Trunking a vlan

I want the ISP port on the switch to only allow tagged vlan 100 traffic from the other ports and have no other communication.
In that case:
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=100
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge port set [fin...
by sindy
Fri Jan 03, 2025 6:39 pm
Forum: General
Topic: Trunking a vlan
Replies: 16
Views: 726

Re: Trunking a vlan

If you want it in Cisco terms, there is that switch module plug-in card for routers, this is closest to the bridge concept in Mikrotik. The equivalent of the subinterface for VLAN 100 attached to the internal port to which the switch module is connected is /interface vlan add vlan-ids=100 name=bridg...
by sindy
Fri Jan 03, 2025 6:13 pm
Forum: General
Topic: Mikrotik Fortigate IPSec VPN Site to Site drop connection
Replies: 5
Views: 417

Re: Mikrotik Fortigate IPSec VPN Site to Site drop connection

My Fortigate is using IKE2, so I can't find peer ID and any option about this.
There is a row in the /ip ipsec peer table on your Mikrotik that represents the Fortigate. That's the "peer" I wanted you to disable first and re-enable after starting mirroring the log into the ipsec-start fil...
by sindy
Fri Jan 03, 2025 5:05 pm
Forum: General
Topic: Trunking a vlan
Replies: 16
Views: 726

Re: Trunking a vlan

I'm not sure I'd call the possibility to have more than one bridge on a device a fatal flaw. However, I do not understand why you would need to use separate bridges to achieve what you described, why is just setting up the VLAN filtering properly on a single bridge not sufficient for your desired us...
by sindy
Fri Jan 03, 2025 1:17 pm
Forum: General
Topic: IPsec tunnel not working
Replies: 23
Views: 1229

Re: IPsec tunnel not working

The description below only deals with Wireguard and SSH/Winbox, and is aimed to illustrate how the firewall works. So you need to adjust it to your actual environment and add whatever additional accept rules are necessary for other things (like the IPsec) to work before applying the last steps. The ...
by sindy
Fri Jan 03, 2025 12:34 pm
Forum: General
Topic: MT Firewall & DST NAT question [SOLVED]
Replies: 10
Views: 841

Re: MT Firewall & DST NAT question [SOLVED]

it looks like a lot of processing power is being wasted due to the architectural design..
It's actually not that bad, and most things in life are tradeoffs. It is useful to filter traffic after a routing decision has been made (and thus after dst-nat has been made) because an out-interface has beco...
by sindy
Fri Jan 03, 2025 12:07 pm
Forum: General
Topic: Mikrotik Fortigate IPSec VPN Site to Site drop connection
Replies: 5
Views: 417

Re: Mikrotik Fortigate IPSec VPN Site to Site drop connection

the connection is unstable which keep to drop the connection.
On mikrotik side, an IPsec connection may be mistakenly reported as up for a second whilst it actually did not succeed, so when you say "keeps dropping", what exactly does it mean? Drops every few seconds, or every 25 minutes? ...
by sindy
Fri Jan 03, 2025 10:54 am
Forum: General
Topic: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]
Replies: 19
Views: 1321

Re: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]

I was just checking - if I get it right the pfs algorithm in Phase 2 proposal must either be the same like the one used for D-H exchange in Phase 1 proposal or none (which kind of raises a question why it is not just a boolean value). But this apparently was the case in your settings initially and i...
by sindy
Thu Jan 02, 2025 8:56 pm
Forum: General
Topic: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]
Replies: 19
Views: 1321

Re: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]

BTW what is the dh-group used in Phase 1 proposal (in Mikrotik structure, /ip ipsec profile)?
by sindy
Thu Jan 02, 2025 7:31 pm
Forum: General
Topic: IKEv2 IPsec / Windows VPN not working
Replies: 7
Views: 608

Re: IKEv2 IPsec / Windows VPN not working

@TheCat12 already suggested to remove those dst-nat rules before me, so the [SOLVED] mark should have gone to his post, not mine. Regarding the certificate - Windows need the same type of encryption to be used in the certificate and in the Phase 1/ Phase 2 proposals, either both must be RSA or both ...
by sindy
Thu Jan 02, 2025 7:24 pm
Forum: General
Topic: IKEv2 IPsec / Windows VPN not working
Replies: 7
Views: 608

Re: IKEv2 IPsec / Windows VPN not working

By default, the native Windows VPN client does not like the IPsec server to run on a private address behind a NAT. But before suggesting the possible solutions for that - you've got an IPsec peer on the Mikrotik itself and presumably another one running at 192.168.10.11. Can you elaborate on the top...
by sindy
Thu Jan 02, 2025 7:12 pm
Forum: General
Topic: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]
Replies: 19
Views: 1321

Re: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]

I feel something else is the problem here.
I don't say the rekey initiated by MacOS should not work, but the experience I've referred to shows it does not, so there is an issue on MacOS side. So far the only difference between your case and the one already spotted is the time until the first rekey ...
by sindy
Thu Jan 02, 2025 5:52 pm
Forum: General
Topic: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]
Replies: 19
Views: 1321

Re: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]

processing payload normally means that the packet carrying the payload came from the other peer, can you double-check that on the few rows just before the 11:21:28 ipsec ipsecdebug: IKE SA rekey 11:21:28 ipsec ipsecdebug: processing payload: SA ones? Other than that, can you show me the log from th...
by sindy
Thu Jan 02, 2025 4:32 pm
Forum: General
Topic: IPsec tunnel not working
Replies: 23
Views: 1229

Re: IPsec tunnel not working

the thing is i can ping from sophos to mikrotik
When you do that, you should see both the installed-sa to count packets and bytes; if the pings from the Sophos are the only traffic and you run /ip ipsec installed-sa print detail interval=1s , you should see the packet counters in both directions to...
by sindy
Thu Jan 02, 2025 4:16 pm
Forum: General
Topic: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]
Replies: 19
Views: 1321

Re: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]

The rekey proposal comes from the MacOS, Mikrotik accepts it, and the MacOS sends DELETE nevertheless. It looks very similar to the 24-minute behavior, maybe the SA lifetime is 3 times shorter for IPv6? So try limiting the lifetime to 7m49s at Mikrotik side so that it would initiate the rekeying pro...
by sindy
Thu Jan 02, 2025 3:50 pm
Forum: General
Topic: NAT challenge
Replies: 6
Views: 502

Re: NAT challenge

Actually mostly asking cause it pains me to see Sindy guessing. ;-)
@sjoram has been around for a while, so I figure he enjoys the journey as much as the goal, so I play along.
by sindy
Thu Jan 02, 2025 3:34 pm
Forum: General
Topic: IPsec tunnel not working
Replies: 23
Views: 1229

Re: IPsec tunnel not working

OK. According to your configuration export, xxx.xxx.xxx.78 is the Sophos and yyy.yyy.yyy.174 is your Tik. The /ip ipsec installed-sa print detail shows that the security association from the Tik to the Sophos does carry traffic (there is the S indicator in the leftmost column, and there are the curr...
by sindy
Thu Jan 02, 2025 2:55 pm
Forum: General
Topic: IPsec tunnel not working
Replies: 23
Views: 1229

Re: IPsec tunnel not working

you seem to be in a bad mood
That's the state of my mind most of the time, nothing to worry about.
i reposted the ipsec config - are these what u r talking about ? or am i still missing something else ?
I gave you an itemized list of the steps aimed to check what is actually going on here. More ma...
by sindy
Thu Jan 02, 2025 2:31 pm
Forum: General
Topic: NAT challenge
Replies: 6
Views: 502

Re: NAT challenge

Since the src-nat rule is correct, it means the packet that did hit the dst-nat one has never reached the src-nat one. Routing, firewall filter, ipsec policy, or rp-filter setting may cause this.
by sindy
Thu Jan 02, 2025 2:15 pm
Forum: General
Topic: IPsec tunnel not working
Replies: 23
Views: 1229

Re: IPsec tunnel not working

The configuration in the original post does not configure the policy template you declare to be present in response to the suggestion of @TheCat12. So one of those must be wrong - either you actually did not add the template and misunderstood @TheCat12's suggestion to add a template for a plain stat...
by sindy
Thu Jan 02, 2025 2:03 pm
Forum: General
Topic: NAT challenge
Replies: 6
Views: 502

Re: NAT challenge

How exactly does the src-nat rule look like, i.e. what are its match conditions?
by sindy
Thu Jan 02, 2025 1:58 pm
Forum: General
Topic: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]
Replies: 19
Views: 1321

Re: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]

Sorry for messing up iOS and MacOS, I'm even not sure which one of those had the 24-minute issue in my case. As for the need to use EC-based DH-groups if you use an EC certificate, I know this to be an issue with Windows, but I have never encountered that anywhere else - as you can see from the abo...
by sindy
Thu Jan 02, 2025 1:49 pm
Forum: General
Topic: IPsec tunnel not working
Replies: 23
Views: 1229

Re: IPsec tunnel not working

Perhaps also a policy template is advisable alongside the tunnel one you've created which would be added to the identity: this was already done before and is crucial for the ipsec tunnel connection success
If you had to set up a template (which is missing in your original configuration export, so h...
by sindy
Thu Jan 02, 2025 1:22 pm
Forum: General
Topic: A lot of TCP Retransmits and Dup ACKs [SOLVED]
Replies: 2
Views: 563

Re: A lot of TCP Retransmits and Dup ACKs [SOLVED]

Do you use /tool sniffer on the router itself for packet capturing, and if you do, do you specify a particular interface to sniff at? If the answers are "yes" to the first one and "no" to the second, the capture may contain the same packet/frame multiple times - once captured on t...
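A way to tell the two cases apart in a capture, as an added example that is not part of the post above and not RouterOS code: a forwarded packet recorded once on its ingress and once on its egress interface shows up in Wireshark as a "retransmission" although the host never resent anything. The rule applied here is a heuristic of my own (same segment on a different interface within a few milliseconds = one packet seen twice; a later copy on the same interface = a real retransmission), and the capture records are constructed for the example.

```python
"""Distinguish a real TCP retransmission from the same packet captured twice.

Added example for the 'TCP Retransmits and Dup ACKs' post; not RouterOS code. A
/tool sniffer run with no interface filter records a forwarded packet on both the
ingress and the egress interface, and Wireshark then flags the second copy as a
retransmission. Heuristic used: two copies of one segment on *different* interfaces
within `window` seconds are one packet seen twice; a later copy is a real retransmission.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float      # capture timestamp in seconds
    iface: str     # interface the sniffer saw the frame on
    src: str
    dst: str
    seq: int       # TCP sequence number
    length: int    # TCP payload length


def classify(segments, window=0.005):
    """Return one label per segment, in timestamp order: 'original',
    'double_capture' (same segment on another interface within `window`) or
    'retransmission' (same segment seen again outside that window)."""
    seen = {}    # (src, dst, seq, length) -> list of (ts, iface) already processed
    labels = []
    for s in sorted(segments, key=lambda x: x.ts):
        key = (s.src, s.dst, s.seq, s.length)
        prior = seen.setdefault(key, [])
        if any(iface != s.iface and s.ts - ts <= window for ts, iface in prior):
            labels.append("double_capture")
        elif prior:
            labels.append("retransmission")
        else:
            labels.append("original")
        prior.append((s.ts, s.iface))
    return labels


def dedupe(segments, window=0.005):
    """Drop the second copy of every double-captured segment, keeping real retransmissions."""
    ordered = sorted(segments, key=lambda x: x.ts)
    labels = classify(ordered, window)
    return [s for s, label in zip(ordered, labels) if label != "double_capture"]


def summarize(segments, window=0.005):
    labels = classify(segments, window)
    return {k: labels.count(k) for k in ("original", "double_capture", "retransmission")}


# Constructed capture: a LAN host sends one segment that the router forwards from
# ether2 to ether1; the host retransmits it 210 ms later; then the next segment follows.
SAMPLE = [
    Segment(0.0000, "ether2", "192.168.88.10", "203.0.113.9", 1000, 100),
    Segment(0.0001, "ether1", "192.168.88.10", "203.0.113.9", 1000, 100),
    Segment(0.2100, "ether2", "192.168.88.10", "203.0.113.9", 1000, 100),
    Segment(0.2101, "ether1", "192.168.88.10", "203.0.113.9", 1000, 100),
    Segment(0.2150, "ether2", "192.168.88.10", "203.0.113.9", 1100, 100),
    Segment(0.2151, "ether1", "192.168.88.10", "203.0.113.9", 1100, 100),
]

if __name__ == "__main__":
    for seg, label in zip(SAMPLE, classify(SAMPLE)):
        print(f"{seg.ts:.4f} {seg.iface} seq={seg.seq} -> {label}")
    print(summarize(SAMPLE))
```

Six records collapse to three distinct transmissions, only one of which is a genuine retransmission. On the router side the cleaner fix is to restrict the sniffer to one interface (for example `/tool sniffer set filter-interface=ether1`) so each forwarded packet is recorded once.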
by sindy
Wed Jan 01, 2025 3:36 pm
Forum: General
Topic: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]
Replies: 19
Views: 1321

Re: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]

I'm not an iOS specialist so I have no clue whether the type of certificate (which is only used in Phase 1) affects the parameters for Phase 2, but Mikrotik only requests RSA certificates from Let's Encrypt. For me it was also exactly 24 minutes until I've implemented that workaround where Mikrotik ...
by sindy
Tue Dec 31, 2024 7:08 pm
Forum: General
Topic: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]
Replies: 19
Views: 1321

Re: IKEv2 VPN with macOS client disconnects every 8 minutes [SOLVED]

Anyone knows how to configure ipsec logging to have more meaningful information? Setting up ipsec,debug,!packet includes lots of hexadecimal sorcery but no useful information
Scattered among the "hexadecimal sorcery" is actually a lot of useful information, just ignore the rows with the h...
by sindy
Tue Dec 31, 2024 2:51 pm
Forum: General
Topic: Problem: no downloads from download.mikrotik.com
Replies: 6
Views: 1130

Re: Problem: no downloads from download.mikrotik.com

I cannot spot anything wrong, even anything too unusual (the order of firewall rules in ipv4 firewall filter is not optimal but neither is it wrong) in the configuration; the sniffing is a good idea but you should do it on the Mikrotik itself without filtering by interface, only by the remote addres...
by sindy
Tue Dec 31, 2024 12:50 pm
Forum: General
Topic: traceroute [SOLVED]
Replies: 5
Views: 501

Re: traceroute [SOLVED]

/ip firewall mangle add action=change-ttl chain=postrouting new-ttl=set:65 out-interface=lte1 passthrough=yes
This is the rule that makes traceroute show you that "strange" result. The principle of operation of traceroute is that it sends packets to the destination with TTL set to 1, 2, 3...
by sindy
Mon Dec 30, 2024 6:59 pm
Forum: General
Topic: DHCPv6 client not assigning the received address on NIC
Replies: 5
Views: 430

Re: DHCPv6 client not assigning the received address on NIC

Most likely yes, but if you haven't created a supout.rif file while it was still misbehaving, chances that gents in Riga will be able to do anything about it are way lower.
by sindy
Mon Dec 30, 2024 5:40 pm
Forum: General
Topic: traceroute [SOLVED]
Replies: 5
Views: 501

Re: traceroute [SOLVED]

Does it look the same from the terminal window?
/tool/traceroute 1.1.1.1 use-dns=yes
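A toy model of the mechanism explained in the traceroute posts above (the change-ttl postrouting rule, and the follow-up check from the router's own terminal), as an added example that is not part of the posts and not MikroTik code. It assumes the Linux forwarding order, where a router answers "time exceeded" for an expiring TTL before the postrouting mangle hook runs, so the rewrite only touches probes that survived the decrement; the hop names are invented.

```python
"""Why a postrouting change-ttl rule makes traceroute 'lose' hops.

Added example, not from the forum posts. Model of the path: a home router forwards
probes out via lte1 with 'mangle postrouting new-ttl=set:65'. Each forwarding node
decrements the TTL and answers 'time exceeded' when it would reach zero; that check
happens in ip_forward() before the postrouting hook, so the rewrite applies only to
probes that survived the decrement. Names below are invented.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    name: str
    set_ttl_on_egress: Optional[int] = None   # like new-ttl=set:N on this node's WAN side


def probe(path, ttl, from_router=False):
    """Return the name of the node answering one probe sent with initial `ttl`.

    `path` lists the forwarding nodes followed by the destination as the last element.
    With from_router=True the probe originates on path[0] itself (a /tool traceroute run
    on the router): no decrement there, but its postrouting rule still applies.
    """
    nodes, dest = path[:-1], path[-1]
    for i, node in enumerate(nodes):
        if not (from_router and i == 0):
            ttl -= 1
            if ttl <= 0:
                return node.name              # ICMP time exceeded from this node
        if node.set_ttl_on_egress is not None:
            ttl = node.set_ttl_on_egress      # mangle rewrite after the routing decision
    return dest.name                          # the destination answers the probe


def traceroute(path, from_router=False, max_ttl=30):
    """(ttl, responder) pairs until the destination answers, like traceroute output."""
    out = []
    for ttl in range(1, max_ttl + 1):
        who = probe(path, ttl, from_router)
        out.append((ttl, who))
        if who == path[-1].name:
            break
    return out


def demo(rewrite_ttl=65):
    isp = [Node("isp-hop-a"), Node("isp-hop-b")]
    dest = Node("1.1.1.1")
    clean = [Node("home-router")] + isp + [dest]
    mangled = [Node("home-router", set_ttl_on_egress=rewrite_ttl)] + isp + [dest]
    return {
        "lan_host_no_rule": traceroute(clean),
        "lan_host_with_rule": traceroute(mangled),
        "router_itself_with_rule": traceroute(mangled, from_router=True),
    }


if __name__ == "__main__":
    for scenario, hops in demo().items():
        print(scenario)
        for ttl, who in hops:
            print(f"  {ttl:2d}  {who}")
```

In this model a LAN host still sees the router as hop 1 (its probe expires before the rewrite), but every later probe leaves with TTL 65 and reaches the destination, so the ISP hops vanish; a traceroute started on the router itself shows nothing but the destination, because even its TTL-1 probe is rewritten on the way out.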
by sindy
Mon Dec 30, 2024 5:02 pm
Forum: General
Topic: CoS on bonding
Replies: 4
Views: 608

Re: CoS on bonding

Try
/interface ethernet switch rule
add switch=switch1 ports=ether3,ether5,ether7 vlan-id=852 mac-protocol=arp new-vlan-priority=6
add switch=switch1 ports=ether3,ether5,ether7 vlan-id=852 protocol=udp dst-port=67 new-vlan-priority=6

At worst it will just not work.
by sindy
Mon Dec 30, 2024 3:55 pm
Forum: General
Topic: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans
Replies: 19
Views: 1110

Re: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans

OK, these tests seem much more realistic to me; even though the difference is not big, it is surprising that the throughput is better when the server is connected to hEX Gr3 than when it is connected to Audience, but that may be related to interference unless you live in the countryside without any ...
by sindy
Mon Dec 30, 2024 2:45 pm
Forum: General
Topic: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans
Replies: 19
Views: 1110

Re: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans

In my above test both: the PC acting as the Tamosoft server (192.168.1.11 / 192.168.90.11) and the test laptop acting as the Tamosoft client (192.168.1.x / 192.168.90.x) were connected to hybrid ports and got IPs from both network on their physical and virtual NICs.
I assumed that the tests in this...
by sindy
Mon Dec 30, 2024 12:34 pm
Forum: General
Topic: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans
Replies: 19
Views: 1110

Re: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans

Did you disable the 192.168.1.11 address on the test PC when you've told the client to connect to 192.168.90.11, or change it to some address in another subnet than 192.168.1.0/24 and 192.168.90.0/24? I don't know the Tamosoft product so I want to be sure it does not take shortcuts - a "normal&...
by sindy
Mon Dec 30, 2024 11:48 am
Forum: General
Topic: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans
Replies: 19
Views: 1110

Re: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans

And if you connect the PC to ether2 of the same Audience to which the wireless client is connected (still with local forwarding of course), what are the results of the throughput test, and what does the /interface ethernet monitor ether2 once show?
by sindy
Mon Dec 30, 2024 11:37 am
Forum: General
Topic: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans
Replies: 19
Views: 1110

Re: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans

While the PC is connected to etherX of the hEX, what does /interface ethernet monitor etherX once show?
by sindy
Mon Dec 30, 2024 11:19 am
Forum: General
Topic: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans
Replies: 19
Views: 1110

Re: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans

OK, so change bridge from none to bridge-lan on all three and try with local-forwarding=yes on the datapath row again. What is above my head is why it worked at all with none - again, I would expect a 100 % loss with this misconfiguration.
by sindy
Mon Dec 30, 2024 10:36 am
Forum: General
Topic: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans
Replies: 19
Views: 1110

Re: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans

On the CAPs (the audiences), what does /interface wireless cap print show?
by sindy
Mon Dec 30, 2024 10:32 am
Forum: General
Topic: RDP HELP!
Replies: 29
Views: 3242

Re: RDP HELP!

It is a PITA, but would you be able to start capturing traffic using Wireshark at both the RDP server and the RDP client (filtering on tcp to/from the address of the remote one as seen locally plus icmp from any source), set up the connection, stop the sniffing once the connection breaks, and then c...
by sindy
Sun Dec 29, 2024 10:43 pm
Forum: General
Topic: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans
Replies: 19
Views: 1110

Re: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans

You have configured the only datapath row for capsman forwarding, which means that the CAP receives a wireless frame, encapsulates it into an Ethernet transport one and sends the result to the CAPsMAN device; the CAPsMAN device extracts the Ethernet frame from the transport one on a virtual wireless...
by sindy
Sun Dec 29, 2024 9:45 pm
Forum: General
Topic: Send only certain traffic into Wireguard-tunnel
Replies: 9
Views: 708

Re: Send only certain traffic into Wireguard-tunnel

A brief description along with a complete export between [ code] and [ /code] tags usually doesn't repel people who know what they are doing - at least this is my experience on this forum.
I technically do not really understand why it is not working with routing tables, but can live with setting it ...
by sindy
Sun Dec 29, 2024 8:11 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

first, I just want to make sure that everything is properly configured on the ether2 interface on the server.
That's a proper approach but I'm not sure how is that related to what I wrote.
by sindy
Sun Dec 29, 2024 7:30 pm
Forum: General
Topic: Remote access to LAN with VPN IPsec
Replies: 3
Views: 302

Re: Remote access to LAN with VPN IPsec

While ASCII-art is normally OK, here, I am not sure even how many sites in total we are talking about. So unless the PC1 and the Mikrotik are located at Site A whereas PC 2 and the "VPN server" are located at Site B, can you attach a photo of a handmade sketch with a more detailed structur...
by sindy
Sun Dec 29, 2024 6:36 pm
Forum: General
Topic: Send only certain traffic into Wireguard-tunnel
Replies: 9
Views: 708

Re: Send only certain traffic into Wireguard-tunnel

I don't think it makes sense to post the whole configuration (...) I am sure no one is analyzing the complete configuration.
Both wrong, actually. Leaving aside very "beginner basic" issues, if something does not work as expected, it typically means that something else in the configuratio...
by sindy
Sun Dec 29, 2024 6:17 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

The server has four interfaces: the first one is connected directly to the ONU unit with a public IP, and the second is connected to the MikroTik with the IP address 192.168.88.200. (...) I assume they know how to configure the network interface for it.
Assumption is good, knowledge is better. Prof...
by sindy
Sun Dec 29, 2024 3:17 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

is this the right way to open ports?
Of course it is not the right way to open ports, but it is the right way to analyze the issue you experience, and I've suggested it for the latter purpose. You have got an issue somewhere on a complex network path between the client application and the server ap...
by sindy
Sun Dec 29, 2024 1:58 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

I'm not good in Windows, but I'd say you can make use of to-ports and use a single service you know to work alright on the server (e.g. SSH at TCP port 22) and use one dst-nat rule at a time to forward the individual "outer" ports to it, like chain=dstnat in-interface=ether1 protocol=tcp d...
by sindy
Sun Dec 29, 2024 11:07 am
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

1. how come the fact that there are two other public addresses, probably attached to another WAN, was not visible from your configuration export? Did you remove some rows you've assumed not to be relevant? 2. the srcnat rules in your export that only differ from each other by the to-addresses ...
by sindy
Sun Dec 29, 2024 10:45 am
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

here is the result after I set hw to off in the target port. This sniffing result clearly shows that the port forwarding on Mikrotik works as expected and the issue is somewhere else. Look at the packets with timestamps 13.3xx (from the 3rd packet from the top on the picture): a packet to ..123:338...
by sindy
Sat Dec 28, 2024 11:12 pm
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

The route to 9.9.9.9 is indeed active even if Starlink is dead because it does not check the gateway availability, that's OK. What is important is that 9.9.9.9 cannot be actually pinged via 192.168.1.1 once Starlink dies, so the check-gateway ping fails. First, remove the script that adds and removes t...
by sindy
Sat Dec 28, 2024 10:13 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

@Paternot, the first sniff result shows that the initial packet for port 3389 did arrive to ether1, so the ISP does not block it. @Techsystem, @jvanhambelgium's suggestion made me realize I may have jumped to conclusions too quickly - for the bridge port via which the server at .88.200 is reachable,...
by sindy
Sat Dec 28, 2024 10:02 pm
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

When 9.9.9.9 is not pingable any more, the default route via 9.9.9.9 should stop being "active" after those 30 seconds (the A letter in the leftmost column should disappear). Is that not the case? Your configuration looks OK to me, but better show the complete output of /ip route print det...
by sindy
Sat Dec 28, 2024 9:13 pm
Forum: General
Topic: Send only certain traffic into Wireguard-tunnel
Replies: 9
Views: 708

Re: Send only certain traffic into Wireguard-tunnel

If I got your intention correctly and you want to send all traffic except that for the "internal networks" via the Wireguard tunnel, remove all the three mangle prerouting rules and use a single one instead: /ip/firewall/mangle/add chain=prerouting dst-address-list= ! INTERNAL_NET action=m...
by sindy
Sat Dec 28, 2024 8:48 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

Have you ever modified the dst-nat rules or have you put them in exactly the way they look now? In recent ROS 7 versions, there is a nasty bug with some configuration items - if you modify them, the changes do not make it from the "visible" configuration to the "running" one. In ...
by sindy
Sat Dec 28, 2024 8:10 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

What does /ip arp print where address=192.168.88.200 show? The firewall rules are OK, there are no IPsec policies, no routing tables except main, no rules in raw... so unless there is a typo in the .123 address in the dst-nat rules, if the server at 192.168.88.200 can be pinged from the router itsel...
by sindy
Sat Dec 28, 2024 6:41 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

1-I am testing from outside, but that doesn't matter—it should work from both sides. I have the exact same setup with my CCR2004, and I can see the port is open from both outside and inside. Open a command line window, make it as wide as your screen allows, run /tool sniffer quick port=3389 in it, ...
by sindy
Sat Dec 28, 2024 6:22 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 1822

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

There is nothing unusual in your configuration, so since it "doesn't work", my first question is how do you test it. If you try to connect to x.x.x.123 from a device in 192.168.88.0/24, you would have to set up a "hairpin NAT" to make it work when the server is also in 192.168.88...
by sindy
Sat Dec 28, 2024 5:24 pm
Forum: General
Topic: DHCPv6 client not assigning the received address on NIC
Replies: 5
Views: 430

Re: DHCPv6 client not assigning the received address on NIC

To me, it doesn't seem correct. On 7.14.3, I have got the following:
[me@myTik] > ipv6/dhcp-client/print
Columns: INTERFACE, STATUS, REQUEST, PREFIX, ADDRESS
# INTERFACE STATUS REQUEST PREFIX ADDRESS
0 ether1 bound address 2xxx:xxxx:xxxx:4a63::/64, 56w2d8h8m8s 2xxx:xxxx:yyyy:yyyy:0:ffff:a0c:4a63, 56...
by sindy
Sat Dec 28, 2024 3:28 pm
Forum: General
Topic: [solved] Restrict IPv6 access
Replies: 7
Views: 597

Re: Restrict IPv6 access

Simplifying SLAAC to the bare bone: the router advertises the upper 64 bits of the address, the device uses its own, slightly mangled, MAC address as the lower 64 bits, and the combination of those two makes the 128 bits of the device's own IPv6 address. So the router does not even know the address ...
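The derivation described in the post, as an added example (not code from the post or from MikroTik): the modified EUI-64 interface identifier is built from the host's MAC address and appended to the /64 prefix the router advertises, so the router never assigns or records the resulting address. The same shape is what makes such an address reversible to the MAC (and therefore trackable), which is why hosts generally prefer randomized interface identifiers; the reverse function below returns None for those. The prefix and MAC used are constructed sample values.

```python
import ipaddress
import re
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, appendix A): split the 48-bit MAC in halves,
    insert 0xFFFE between them and flip the universal/local bit (0x02 of octet 0)."""
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Upper 64 bits from the advertised prefix, lower 64 bits computed by the host."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_slaac_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 shaped address; None when the interface ID
    does not carry the FF:FE marker (privacy or stable-random identifiers)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    # constructed sample values
    print(slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55"))
    print(mac_from_slaac_address("2001:db8:1:2:211:22ff:fe33:4455"))
    print(mac_from_slaac_address("2001:db8:1:2:1a2b:3c4d:5e6f:7081"))
```

Because the router only ever sees the finished address in neighbour discovery, any per-host IPv6 restriction on it has to be keyed on something the router can observe and that the host cannot freely change, rather than on an address the host picks for itself.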
by sindy
Sat Dec 28, 2024 1:01 pm
Forum: General
Topic: RDP HELP!
Replies: 29
Views: 3242

Re: RDP HELP!

@vingjfg, I am a bit confused regarding how you expect these two rules to eliminate the RDP outages. The connection tracking normally identifies all ICMP messages that provide feedback regarding packets that belong to existing TCP or UDP connections, applies the appropriate src-nat and/or dst-nat tr...
by sindy
Sat Dec 28, 2024 12:51 pm
Forum: General
Topic: IPsec tunnel not working RB951
Replies: 19
Views: 1283

Re: IPsec tunnel not working RB951

Yes and no. The summary is that with that action=none policy in place, the ICMP "packet too large" messages were indeed sent to the LAN host, but it was not enough to make the traffic pass through the tunnel. The action=change-mss ... new-mss=clamp-to-pmtu rule in mangle wasn't enough eith...
by sindy
Sat Dec 28, 2024 12:36 pm
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

In my understanding, "check-gateway=ping" and "recursive next-hop search" mostly only make sense together. Using netwatch is fine as long as you use only a single canary IP per WAN; as soon as you want more of them, it requires quite some scripting to aggregate the results, so a ...
by sindy
Fri Dec 27, 2024 11:40 pm
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

Where do I insert this script? On the command line:
/system script add name=housekeeper
/system script edit housekeeper source
paste the script copied from my edited post above and press Ctrl-O to save it. Then imitate the outage of Starlink and its recovery, and use /system script run housekeeper ...
by sindy
Fri Dec 27, 2024 11:31 pm
Forum: General
Topic: Guest WiFi with VLAN on UniFi AP
Replies: 18
Views: 1260

Re: Guest WiFi with VLAN on UniFi AP

Tomorrow try to reset and start again from scratch...
If they cannot even connect to the WiFi, I don't think it is a Mikrotik issue any more. So before starting from scratch, I'd suggest to save a backup and an export of the current configuration so that you have something known good to return to.
by sindy
Fri Dec 27, 2024 10:19 pm
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

The IP addresses are all the private ones (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the dst-address attribute of a tracked connection is typically a socket (ip.add.re.ss:port), so the only possible way of matching is a regular expression. In regular expressions, a dot represents "any symb...
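The matching problem described in the post, as an added example (not code from the post or from MikroTik): a tracked connection's dst-address is an "ip:port" string, so a regular expression has to pick out the three private ranges, and an unescaped dot or a missing anchor makes it match far more than intended. The block compares a properly escaped and anchored pattern with a naive one against a parse with the ipaddress module as ground truth; the socket strings are constructed samples. In a RouterOS double-quoted string the same pattern needs each backslash doubled, which is a detail this Python version does not show.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Escaped dots and anchors: the pattern must cover the whole "ip:port" string.
STRICT_DST_RE = re.compile(
    r"^(?:"
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"):\d{1,5}$"
)

# Naive version: unescaped dots ("any symbol") and no anchors.
NAIVE_DST_RE = re.compile(r"10.|172.(1[6-9]|2[0-9]|3[01]).|192.168.")

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_socket(dst: str) -> bool:
    """Ground truth: split 'ip:port' and test membership with real address parsing."""
    host, sep, port = dst.rpartition(":")
    if not sep or not port.isdigit():
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def strict_private(dst: str) -> bool:
    return STRICT_DST_RE.match(dst) is not None


def naive_private(dst: str) -> bool:
    return NAIVE_DST_RE.search(dst) is not None


def evaluate(dsts) -> Dict[str, Tuple[bool, bool, bool]]:
    """For each socket string: (ground truth, strict regex, naive regex)."""
    return {d: (is_private_socket(d), strict_private(d), naive_private(d)) for d in dsts}


# constructed sample connection destinations
SAMPLE_DSTS = [
    "10.1.2.3:443",      # private
    "172.20.0.5:22",     # private (172.16/12)
    "172.32.0.1:80",     # public: 172.32 is outside 172.16/12
    "110.0.0.1:80",      # public, but contains "10." as a substring
    "8.8.8.8:10101",     # public, but the port contains "101"
    "192.168.1.1:80",    # private
]

if __name__ == "__main__":
    for dst, (truth, strict, naive) in evaluate(SAMPLE_DSTS).items():
        flag = "" if truth == strict == naive else "   <-- naive pattern disagrees"
        print(f"{dst:18} truth={truth!s:5} strict={strict!s:5} naive={naive!s:5}{flag}")
```

The two disagreements the sample produces are exactly the ones the post warns about: the naive pattern matches "110.0.0.1:80" because its unescaped dot lets "10." match anywhere, and it matches "8.8.8.8:10101" because nothing anchors it to the start of the address. Applied to a script that removes tracked connections on failover, that over-match would tear down connections the rule was meant to leave alone.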
by sindy
Fri Dec 27, 2024 6:54 pm
Forum: General
Topic: Guest WiFi with VLAN on UniFi AP
Replies: 18
Views: 1260

Re: Guest WiFi with VLAN on UniFi AP

/interface bridge settings set use-ip-firewall-for-vlan=no then try again. I did not analyze all @anav's recommendations as most of them are not relevant to the primary issue, but I agree with him on the above one, the purpose of this setting is different from what you assume - its name is misleadi...
by sindy
Fri Dec 27, 2024 6:22 pm
Forum: General
Topic: Guest WiFi with VLAN on UniFi AP
Replies: 18
Views: 1260

Re: Guest WiFi with VLAN on UniFi AP

OK, so it comes alright from the Unifi, but I cannot spot an issue in the configuration. Post the current output of /interface bridge export after all the changes you've made so far, please.
by sindy
Fri Dec 27, 2024 6:17 pm
Forum: General
Topic: PPTP / L2TP problems in v7.16.2 [SOLVED]
Replies: 19
Views: 1402

Re: PPTP / L2TP problems [SOLVED]

I have three PPTP clients, namely Huawei pad, Honor phone and Windows 10. The tests were carried out using Huawei pad and got failure results. When I changed it to Honor phone and Windows 10, both tests were successful. I made another PPTP test using Huawei pad to my friend's DDWRT PPTP server with...
by sindy
Fri Dec 27, 2024 2:12 pm
Forum: General
Topic: PPTP / L2TP problems in v7.16.2 [SOLVED]
Replies: 19
Views: 1402

Re: PPTP / L2TP problems [SOLVED]

Yes, there are GRE packets to and from the client. OK, so what type of machine is the client? Can you also run Wireshark or tcpdump or any other kind of sniffer on it to see whether the GRE makes it back to it? Also, what is the client behavior, does it show a connection attempt and then reports a ...
by sindy
Fri Dec 27, 2024 1:08 pm
Forum: General
Topic: PPTP / L2TP problems in v7.16.2 [SOLVED]
Replies: 19
Views: 1402

Re: PPTP / L2TP problems [SOLVED]

The next step would be to run /tool sniffer quick interface=ether1 ip-address=114.xx.xx.xx and make a connection attempt again, to see whether any GRE packets arrive from the address of the client. It may also make sense to save the sniffed data into a file and use Wireshark to inspect the initial a...
by sindy
Fri Dec 27, 2024 12:36 pm
Forum: General
Topic: PPTP / L2TP problems in v7.16.2 [SOLVED]
Replies: 19
Views: 1402

Re: PPTP / L2TP problems [SOLVED]

OK, so the PPTP helper is enabled, which should be sufficient to make the firewall accept GRE.

So the next step is to run /tool sniffer quick interface=ether1 port=1723 on the server and try to connect from the PPTP client. If you do that, can you see packets in both directions?
by sindy
Fri Dec 27, 2024 12:32 pm
Forum: General
Topic: Guest WiFi with VLAN on UniFi AP
Replies: 18
Views: 1260

Re: Guest WiFi with VLAN on UniFi AP

If it works when you enable wlan2 on the Mikrotik itself, the IP configuration seems to be ok. So as the next step, disable wlan2 again, open a command line window as wide as your screen allows, and do the following:
/interface bridge port set [find interface=ether2] hw=no
/tool sniffer quick interf...
by sindy
Fri Dec 27, 2024 11:48 am
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

@rextended is a very meticulous guy, and my script actually follows his other solution to the same issue, i.e. to use a foreach cycle rather than applying the remove command on the whole list, and to make sure that a failed attempt to remove an already non-existent individual item will not break the...
by sindy
Fri Dec 27, 2024 10:09 am
Forum: General
Topic: PPTP / L2TP problems in v7.16.2 [SOLVED]
Replies: 19
Views: 1402

Re: PPTP / L2TP problems [SOLVED]

Please note the firewall filter rule was located in the first line in the table.
Please provide the output of
/ip firewall filter print chain=input
/ip firewall service-port print
by sindy
Thu Dec 26, 2024 9:43 pm
Forum: General
Topic: Guest WiFi with VLAN on UniFi AP
Replies: 18
Views: 1260

Re: Guest WiFi with VLAN on UniFi AP

Both the changes I have asked you to do were necessary, just apparently not sufficient. Does it behave the same if you try to connect using the wlan2 interface of the Mikrotik itself?
by sindy
Thu Dec 26, 2024 9:13 pm
Forum: General
Topic: Guest WiFi with VLAN on UniFi AP
Replies: 18
Views: 1260

Re: Guest WiFi with VLAN on UniFi AP

/interface bridge vlan set [find vlan-ids=20] tagged=BR1,ether2
by sindy
Thu Dec 26, 2024 9:09 pm
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

Unfortunately, all the devices where I have this script are currently offline, so I cannot copy-paste it. So the following is not tested: :if ([:len [/ip route find where dst-address=0.0.0.0/0 active distance=1]]>0) do={ :foreach conn in=[/ip firewall connection find where !srcnat !(dst-address~&quo...
by sindy
Thu Dec 26, 2024 8:33 pm
Forum: General
Topic: Guest WiFi with VLAN on UniFi AP
Replies: 18
Views: 1260

Re: Guest WiFi with VLAN on UniFi AP

If /interface bridge port set bridge=BR1 [find interface=ether2] frame-types=admit-all doesn't help, post the export of the complete configuration.
by sindy
Thu Dec 26, 2024 7:17 pm
Forum: General
Topic: How to reach a router behind a CGNAT? [SOLVED]
Replies: 23
Views: 1832

Re: How to reach a router behind a CGNAT? [SOLVED]

Starlink indeed gives you a /56 global subnet, but only in "bypass" mode (or whatever they call the bridge mode of their router), or if you connect your own router directly to the dishy, bypassing their router that way. So along with a Hurricane Electric tunnel that allows you to get a global...
by sindy
Thu Dec 26, 2024 6:18 pm
Forum: General
Topic: IPsec tunnel not working RB951
Replies: 19
Views: 1283

Re: IPsec tunnel not working RB951

Have you noticed this post?
by sindy
Thu Dec 26, 2024 6:03 pm
Forum: General
Topic: IPsec tunnel not working RB951
Replies: 19
Views: 1283

Re: IPsec tunnel not working RB951

...and sorry, in the policy with action=none you have added, change the src-address to 0.0.0.0/0, my mistake. It does not explain why the PC can bypass the tunnel, but the 192.168.88.0/24 as src-address was incorrect.

If it still does not work, consider using this way.
by sindy
Thu Dec 26, 2024 5:43 pm
Forum: General
Topic: IPsec tunnel not working RB951
Replies: 19
Views: 1283

Re: IPsec tunnel not working RB951

Wait - are you saying that the IPsec connection is active but the PC bypasses it?

What does /ip ipsec policy print detail show?
by sindy
Thu Dec 26, 2024 2:05 pm
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

Not @Amm0 but if I may, these are the issues I've mentioned a few posts ago. The following is an assumption that needs to be confirmed, but: echo requests (pings) have an ID which stays the same as long as the particular ping command is running, so the firewall treats them (and the responses to them...
by sindy
Thu Dec 26, 2024 11:12 am
Forum: General
Topic: PPTP / L2TP problems in v7.16.2 [SOLVED]
Replies: 19
Views: 1402

Re: PPTP / L2TP problems [SOLVED]

Thanks @infabo. @yhfung, let's go step by step for both PPTP and L2TP. I will save the lecture regarding PPTP not being secure any more and get to the technical point. PPTP: the complete protocol consists of two parts, the session negotiation and authentication using TCP where the server listens at ...
by sindy
Thu Dec 26, 2024 10:39 am
Forum: General
Topic: IPsec tunnel not working RB951
Replies: 19
Views: 1283

Re: IPsec tunnel not working RB951

OK, let's try another way, but keep the fasttrack rule disabled until we get further. Disable the only mangle rule ( action=change-mss ) and apply the following command: /ip ipsec policy add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=none place-before=[find where group=FRBD] Then...
by sindy
Thu Dec 26, 2024 10:23 am
Forum: General
Topic: PPTP / L2TP problems in v7.16.2 [SOLVED]
Replies: 19
Views: 1402

Re: PPTP / L2TP problems [SOLVED]

PPTP is no longer in v7.x
...
Please place PPTP client caller in Internet, and try to connect to RouterOS v7, find out what is WRONG.
@yhfung, please create a dedicated topic in forum general for further discussion.
by sindy
Wed Dec 25, 2024 7:29 pm
Forum: General
Topic: fast track working for LAN but not WAN
Replies: 3
Views: 371

Re: fast track working for LAN but not WAN

I have a RB 5009 OK, so we may completely forget about the L3HW as a possible cause. Having said that I was curious, why I have issues with fasttracking WAN connections. I was thinking that it would work pretty much the same. At the moment I can only say that I am curious too, as it makes little se...
by sindy
Wed Dec 25, 2024 6:16 pm
Forum: General
Topic: fast track working for LAN but not WAN
Replies: 3
Views: 371

Re: fast track working for LAN but not WAN

What is your device model, i.e. does it actually support routing in hardware? WAN<->LAN traffic can normally indeed be fasttracked, and fasttracking is indeed compatible with ECMP load balancing, so one thing to come to my mind is that ECMP in hardware might not work on your device, as the table in ...
by sindy
Wed Dec 25, 2024 3:52 pm
Forum: General
Topic: Residential broadband ISP - Which equipment Mikrotik is most suitable when you have 2 ISP Links? [SOLVED]
Replies: 3
Views: 801

Re: Residential broadband ISP - Which equipment Mikrotik is most suitable when you have 2 ISP Links? [SOLVED]

I am planning to use 03 APs with Wifi 7 or 6E connected directly to the Router WiFi 7 or 6E routers can deliver more than 1 Gbit/s per direction, so they are typically equipped with at least 2.5 Gbps ports, so you may need to add a corresponding switch rather than connecting them directly to the 50...
by sindy
Wed Dec 25, 2024 3:43 pm
Forum: General
Topic: hAP ax Lite LTE - problems with connection [SOLVED]
Replies: 15
Views: 1027

Re: hAP ax Lite LTE - problems with connection [SOLVED]

Radosnych Świąt (Merry Christmas). This kind of error is very easy to make and miss, and the sniffer is the best tool to find it :)
by sindy
Wed Dec 25, 2024 3:23 pm
Forum: General
Topic: hAP ax Lite LTE - problems with connection [SOLVED]
Replies: 15
Views: 1027

Re: hAP ax Lite LTE - problems with connection [SOLVED]

OK. I have missed this one. Change the own address of the router from just 192.168.10.1 to 192.168.10.1/24 and you should be OK.
by sindy
Wed Dec 25, 2024 3:04 pm
Forum: General
Topic: Residential broadband ISP - Which equipment Mikrotik is most suitable when you have 2 ISP Links? [SOLVED]
Replies: 3
Views: 801

Re: Residential broadband ISP - Which equipment Mikrotik is most suitable when you have 2 ISP Links? [SOLVED]

You won't be able to aggregate the bandwidth of the two uplinks for a single connection (like a TCP session) - you can distribute the total traffic among both WANs, but every individual connection will use either one WAN or the other. Throughput-wise, unless you expect some unusual traffic patterns,...
by sindy
Wed Dec 25, 2024 2:13 pm
Forum: General
Topic: Struggling to setup RSTP in triangular topology
Replies: 2
Views: 322

Re: Struggling to setup RSTP in triangular topology

You don't need to enable auto-isolate. You are not specific enough regarding what "network hangs" means, so I can only speculate that there is some incompatibility between RSTP versions so the L2 loop does not get cut and broadcast traffic exhausts all the bandwidth. Hence I would make the...
by sindy
Wed Dec 25, 2024 12:43 pm
Forum: General
Topic: I have problem with NordVPN.
Replies: 4
Views: 468

Re: I have problem with NordVPN.

Try adding an exception IPsec policy for local traffic from the router to the LAN devices as described here. Without this policy, PMTUD does not work so many TCP connections won't be able to deliver data unless you use action=change-mss rules in mangle to manually adjust the MSS to match the actual...
by sindy
Wed Dec 25, 2024 12:29 pm
Forum: General
Topic: access to MKT even though its offline
Replies: 6
Views: 512

Re: access to MKT even though its offline

I didn't say that VPN works. I only said that I have 1000 routers on VPN and if something broke and need to fix maybe with routes, etc., and try to find a way to solve it. The usual approach for this is to have a kind of a "first aid kit" consisting of a LTE router or a combination of a WiFi...
by sindy
Wed Dec 25, 2024 12:14 pm
Forum: General
Topic: hAP ax Lite LTE - problems with connection [SOLVED]
Replies: 15
Views: 1027

Re: hAP ax Lite LTE - problems with connection [SOLVED]

What does /interface bridge port print show? It makes me slightly nervous that you have a datapath configured for wifi1 and at the same time wifi1 has been added as a port to the bridge manually, but it may be harmless, I just have nowhere to test right now. Other than that, I cannot spot any misconfigur...
by sindy
Wed Dec 25, 2024 11:48 am
Forum: General
Topic: Wireguard VPN on dual WAN [SOLVED]
Replies: 37
Views: 3237

Re: Wireguard VPN on dual WAN [SOLVED]

Hi sindy, if winbox is security risk, which option for remote management ? It's not "winbox", it's "any software used for remote management" :) The commonly used term for the proper approach is "security onion", expressing the idea of multiple layers of security. So ty...
by sindy
Tue Dec 24, 2024 11:08 pm
Forum: General
Topic: IPsec tunnel not working RB951
Replies: 19
Views: 1283

Re: IPsec tunnel not working RB951

OK, this looks much better, but it also shows that everything works as it should - the src-nat rule pops up at the beginning of the srcnat chain in accord with the mode-config settings, and the SA carries traffic in both directions. So did the pings to 9.9.9.9 get a response? If yes, disable the onl...
by sindy
Tue Dec 24, 2024 6:02 pm
Forum: General
Topic: IPsec tunnel not working RB951
Replies: 19
Views: 1283

Re: IPsec tunnel not working RB951

This cannot be the output while the IPsec connection is up.
by sindy
Tue Dec 24, 2024 5:52 pm
Forum: General
Topic: IPsec tunnel not working RB951
Replies: 19
Views: 1283

Re: IPsec tunnel not working RB951

@erlinden, your suggestion is for another type of connection - according to their own instruction specific for Mikrotik, Surfshark uses bare IKEv2. @burca, the log only confirms that the IPsec connection sets up successfully, plus it reveals that at least while taking the log, you have disabled some...
by sindy
Tue Dec 24, 2024 5:25 pm
Forum: General
Topic: Wireguard VPN on dual WAN [SOLVED]
Replies: 37
Views: 3237

Re: Wireguard VPN on dual WAN [SOLVED]

Regarding making the Wireguard respond via the interface through which the request came in, the following settings on Router B are necessary: /ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN (this one is already in place, I just reiterate it here because it is essential for...
by sindy
Tue Dec 24, 2024 3:30 pm
Forum: General
Topic: Wireguard VPN on dual WAN [SOLVED]
Replies: 37
Views: 3237

Re: Wireguard VPN on dual WAN [SOLVED]

The next thing to deal with are the recursive next hop search issues. Taking Router B as an example as there is only one roaming Wireguard peer, so messing up on that router should cause fewer people to suffer. You have configured the following routes in table main that are relevant for the failover ...
by sindy
Tue Dec 24, 2024 12:37 pm
Forum: General
Topic: Question related to "RouterOS bridge mysteries explained"
Replies: 8
Views: 675

Re: Question related to "RouterOS bridge mysteries explained"

And to attach a vlan interface to the switch-facing interface of the router is to attach the vlan interface to the bridge right? Right. This means that Ether1 and Ether5 have to be a part of a bridge in order to work with vlan? To be able to work with VLAN - no, to conform to the example - yes. Any ...
by sindy
Tue Dec 24, 2024 11:28 am
Forum: General
Topic: Wireguard VPN on dual WAN [SOLVED]
Replies: 37
Views: 3237

Re: Wireguard VPN on dual WAN [SOLVED]

@haianh, before diving any deeper into the topic of Wireguard on dual WAN, there is a serious security flaw in your configurations - you have got no firewall at all. By design, the default handling of packets in firewall is "accept". So whatever is not explicitly dropped is accepted. When ...
by sindy
Mon Dec 23, 2024 2:17 pm
Forum: General
Topic: Wireguard VPN on dual WAN [SOLVED]
Replies: 37
Views: 3237

Re: Wireguard VPN on dual WAN [SOLVED]

What is new is that now there are other Wireguard peers than just "the other router" for at least one of the routers, and these are the generic roaming ones that may drift from one address to another.
by sindy
Mon Dec 23, 2024 12:02 pm
Forum: General
Topic: Wireguard VPN on dual WAN [SOLVED]
Replies: 37
Views: 3237

Re: Wireguard VPN on dual WAN [SOLVED]

@anav said that is a bug with wireguard on secondary WAN, I wonder when it will be fixed? I am afraid it is an intentional behavior, not a bug. Wireguard is written that way for a reason (to allow connections to adapt to address changes at both peers) and trying to "fix" it would break other...
by sindy
Mon Dec 23, 2024 11:35 am
Forum: General
Topic: Question related to "RouterOS bridge mysteries explained"
Replies: 8
Views: 675

Re: Question related to "RouterOS bridge mysteries explained"

1. As @mkx has already kindly explained, the switch chip is integrated into the operation of the software bridge as seamlessly as was possible, so the overall functionality does not depend on whether the switch chip is present or not and whether hardware forwarding is enabled on a particular port or...
by sindy
Mon Dec 23, 2024 10:41 am
Forum: General
Topic: 2 bank websites doesn't open (WiFi and PPPoE) [SOLVED]
Replies: 4
Views: 767

Re: 2 bank websites doesn't open (WiFi and PPPoE) [SOLVED]

main hAP ax2 has an EoIP tunnel. The EoIP tunnel interface is a member of that main LAN bridge. The EoIP interface itself has 1378 actual MTU. For a reason I don't understand, the main LAN bridge was adopting the same MTU - 1378. The reason is actually very simple. For the router itself, the IP int...
by sindy
Mon Dec 23, 2024 10:21 am
Forum: General
Topic: Wireguard VPN on dual WAN [SOLVED]
Replies: 37
Views: 3237

Re: Wireguard VPN on dual WAN [SOLVED]

I have some client connect to 2 site via wireguard but still using wan1, any suggestion to make all wireguard traffic on wan2? And here we go :D It was simple right until this point. As soon as you want the router to always use WAN2 not just for a single remote address known in advance, regardless ...
by sindy
Sun Dec 22, 2024 6:04 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 93
Views: 35769

Re: RouterOS bridge mysteries explained

So if I issue my Router these commands /ip add add interface=ether2 address=192.168.1.254 /interface vlan add vlan-id=10 interface=ether2 I intentionally avoid the subject of VLANs in this topic to prevent it from becoming even more complex. So please create a new topic with a copy of the above post...
by sindy
Sun Dec 22, 2024 2:22 pm
Forum: General
Topic: How to reach a router behind a CGNAT? [SOLVED]
Replies: 23
Views: 1832

Re: How to reach a router behind a CGNAT? [SOLVED]

So we must clarify what business use means. If the BTH is used for occasional management access for a support company, then support intervention is not possible if the BTH infrastructure is unavailable. That's definitely unpleasant but it is not the same like if BTH was hypothetically used to provid...
by sindy
Sat Dec 21, 2024 11:25 pm
Forum: General
Topic: Huawei E3372h-320 no internet from router [SOLVED]
Replies: 5
Views: 569

Re: Huawei E3372h-320 no internet from router [SOLVED]

I'm pretty sure that it shouldn't matter whether the same APN name is used in multiple profiles as that field must match what the mobile network expects (so your current mobile operator probably doesn't care about APN name at all), but other than that, great. I just could not see @carl0s to respond ...
by sindy
Sat Dec 21, 2024 10:53 pm
Forum: General
Topic: Huawei E3372h-320 no internet from router [SOLVED]
Replies: 5
Views: 569

Re: Huawei E3372h-320 no internet from router

Sorry, as usually with DHCP, you most likely have to make the client explicitly ask for the Option 64. If no dhcp-options are specified, the Mikrotik IPv6 DHCP client requests just the DNS server address; to make it request also the AFTR name, you must add an option named e.g. optreq, code=6 , value...
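The request the post describes, as an added example (not code from the post or from MikroTik): a DHCPv6 client announces what it wants in the Option Request Option (code 6), whose payload is a list of 16-bit option codes, so asking for the AFTR-Name option (code 64, RFC 6334) means carrying the two bytes 0x0040 there. The block encodes such an ORO, and parses a constructed server reply to pull out the AFTR FQDN, checking every option length against the remaining buffer so a malformed length cannot read past the end. It shows the wire bytes only; the exact form of the value in the RouterOS dhcp-client option is not something the post as shown spells out.

```python
import struct
from typing import Dict, List, Optional

OPTION_ORO = 6          # Option Request Option, RFC 8415
OPTION_DNS_SERVERS = 23 # RFC 3646
OPTION_AFTR_NAME = 64   # DS-Lite AFTR-Name, RFC 6334


def encode_option(code: int, payload: bytes) -> bytes:
    """DHCPv6 option TLV: 16-bit code, 16-bit length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def encode_oro(requested: List[int]) -> bytes:
    """ORO payload: the 16-bit codes of the options the client wants sent."""
    return encode_option(OPTION_ORO, b"".join(struct.pack("!H", c) for c in requested))


def encode_fqdn(name: str) -> bytes:
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_fqdn(data: bytes) -> str:
    labels, i = [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:
            break
        if i + n > len(data):
            raise ValueError("truncated DNS label")
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels)


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk a sequence of option TLVs, refusing any length that exceeds the buffer."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if i + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, i)
        i += 4
        if i + length > len(data):
            raise ValueError(f"option {code} claims {length} bytes, {len(data) - i} left")
        opts[code] = data[i:i + length]
        i += length
    return opts


def aftr_name_from_reply(options: bytes) -> Optional[str]:
    opts = parse_options(options)
    return decode_fqdn(opts[OPTION_AFTR_NAME]) if OPTION_AFTR_NAME in opts else None


# constructed samples: the ORO a client sends, and the option section of a server reply
ORO_REQUESTING_AFTR = encode_oro([OPTION_DNS_SERVERS, OPTION_AFTR_NAME])
SAMPLE_REPLY_OPTIONS = (
    encode_option(OPTION_DNS_SERVERS, bytes.fromhex("20010db8000000000000000000000053"))
    + encode_option(OPTION_AFTR_NAME, encode_fqdn("aftr.example.net"))
)

if __name__ == "__main__":
    print("ORO bytes:", ORO_REQUESTING_AFTR.hex())
    print("AFTR name:", aftr_name_from_reply(SAMPLE_REPLY_OPTIONS))
```

Sniffing the SOLICIT/REQUEST on the LTE interface and checking that the ORO carries 0x0040 is the quickest way to confirm the client is actually asking; if the operator runs DS-Lite, the REPLY should then contain option 64 with the AFTR hostname.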
by sindy
Sat Dec 21, 2024 10:14 pm
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

Unless you need Wireguard, OpenVPN over UDP, chacha20poly1305 encryption in IPsec, or json serialization/deserialization (or some other one of the many little improvements of the scripting language), I can see no reason to switch to ROS 7.
by sindy
Sat Dec 21, 2024 10:09 pm
Forum: General
Topic: Huawei E3372h-320 no internet from router [SOLVED]
Replies: 5
Views: 569

Re: Huawei E3372h-320 no internet from router

As it seemed that @carl0s had lost interest back then, let's continue here. A wild guess - maybe the modem (or the operator?) provides IPv4 connection via "Dual Stack lite" (RFC6333)? Can you attach a DHCPv6 client to lte1, configure it to request a prefix and/or an address, and sniff the ...
by sindy
Sat Dec 21, 2024 5:45 pm
Forum: General
Topic: How to pass a WAN IP to another device interface [SOLVED]
Replies: 8
Views: 671

Re: How to pass a WAN IP to another device interface [SOLVED]

The second, the "main" IP will be obtained using the DHCP client attached to the OPNsense WAN IP itself, via untagged frames. VLAN-tagged frames use the same cable but provide logical separation.
by sindy
Sat Dec 21, 2024 4:41 pm
Forum: General
Topic: How to pass a WAN IP to another device interface [SOLVED]
Replies: 8
Views: 671

Re: How to pass a WAN IP to another device interface [SOLVED]

By the way, any issue with the DHCP client on the WAN once I set it up in the bridge? Well - multiple ones. A client should not be attached to a member port of a bridge, that's first, so if it wasn't for the rest, you would have to move the DHCP client from wlan1 to the bridge. I don't think it is ...
by sindy
Sat Dec 21, 2024 4:36 pm
Forum: General
Topic: How to pass a WAN IP to another device interface [SOLVED]
Replies: 8
Views: 671

Re: How to pass a WAN IP to another device interface [SOLVED]

No public IP. The wan is on another private subnet Why Do I need to change the wireless interface mode from station to station-pseudobridge-clone? Just to learn something new. The design of 802.11 did not expect any L2 networks to exist behind STAtions (clients), hence whilst there are separate fie...
by sindy
Sat Dec 21, 2024 2:04 pm
Forum: General
Topic: NAT cannot record real IP addresses
Replies: 8
Views: 676

Re: NAT cannot record real IP addresses

Thanks, but what I need is the ability to record every real internal or external IP address You can make the srcnat rule only act if the source address is from server's own subnet, as the server will send responses to requests coming from any other subnet via the router anyway. You only need the sr...
by sindy
Sat Dec 21, 2024 1:14 pm
Forum: General
Topic: How to pass a WAN IP to another device interface [SOLVED]
Replies: 8
Views: 671

Re: How to pass a WAN IP to another device interface [SOLVED]

It should be enough to bridge the wireless interface on the 911 with ether1, remove any IP configuration from it, and change the wireless interface mode from station to station-pseudobridge-clone . But if your ISP reserves the DHCP lease of the public IP for you based on your MAC address, you may ha...
by sindy
Sat Dec 21, 2024 12:00 pm
Forum: General
Topic: Wireguard VPN on dual WAN [SOLVED]
Replies: 37
Views: 3237

Re: Wireguard VPN on dual WAN [SOLVED]

If all you want is that the site-to-site Wireguard between A and B would use WAN 2 at both sites, and if you don't plan on any other traffic among the public addresses of Site A and Site B, just add static routes: Site A: dst-address=ip.of.siteB.wan2/32 gateway=ip.of.siteA.wan2-gw Site B: dst-addres...
by sindy
Sat Dec 21, 2024 11:54 am
Forum: General
Topic: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]
Replies: 47
Views: 3025

Re: Failover between Routerboard Hex(Starlink) and a SXT LTE6 [SOLVED]

hEX RB750Gr3 has enough RAM to run ROS 7, but maybe yours is actually one of the older RB750 versions? 64 MB of RAM is the minimum required. In any case, to upgrade to ROS 7 from ROS 6, you have to set the update channel to upgrade before /system package update install . If successful, the first upg...
by sindy
Fri Dec 20, 2024 6:52 pm
Forum: General
Topic: Problems with empty pppoe MTU
Replies: 2
Views: 472

Re: Problems with empty pppoe MTU

Have you narrowed the search down to a particular model and software version of the TP-Link ONUs, or do you just not have any other ones in your network? Do you have enough disk space on Proxmox so that you could run tcpdump matching on MAC addresses of several ONUs that exhibit this behavior until t...
by sindy
Fri Dec 20, 2024 5:35 pm
Forum: General
Topic: CoS on bonding
Replies: 4
Views: 608

Re: CoS on bonding

Unfortunately, bridge filter rules cannot match on the IP and TCP/UDP headers inside VLAN-tagged frames, so you would have to create a separate bridge for each VLAN to be able to set the priority field value for DHCP in particular. But what Mikrotik model are we talking about? Maybe it supports swit...
by sindy
Fri Dec 20, 2024 5:28 pm
Forum: General
Topic: NAT cannot record real IP addresses
Replies: 8
Views: 676

Re: NAT cannot record real IP addresses

If for some reason you absolutely cannot set up separate subnets for the server and for the local clients, and thus you have to use hairpin NAT, @Sob has suggested a workaround the other day that allows you to learn the address of the local client based on what gets logged: to use action=netmap inst...
by sindy
Thu Dec 19, 2024 11:58 pm
Forum: General
Topic: Can I filter on L2?
Replies: 2
Views: 394

Re: Can I filter on L2?

On that particular device model, the following should work but you have to try: /interface ethernet switch rule add ports=ether5 src-mac-address=10:20:30:40:50:60/FF:FF:FF:FF:FF:FF switch=switch1 new-dst-ports="" On devices without switch chip rules support, you would have to create a dedi...
by sindy
Thu Dec 19, 2024 7:38 pm
Forum: General
Topic: Email Notifications from Mikrotik Not Triggered by Logging Rules
Replies: 2
Views: 422

Re: Email Notifications from Mikrotik Not Triggered by Logging Rules

Have you set any email-to address in the /system/logging/action configuration? There is no default recipient in the /tool/e-mail settings. Can you re-word the "I also tried setting up email logging to use echo" part? I did not understand what you actually did - for me, the target of an act...
by sindy
Thu Dec 19, 2024 6:12 pm
Forum: General
Topic: ipv6 multi pppoe duid problem
Replies: 7
Views: 710

Re: ipv6 multi pppoe duid problem

I am afraid you'll have to open a support ticket and wait for months. A PPPoE client interface does not inherit the MAC address from the underlying L2 interface as it is itself an L3 one, so use of macvlan interface changes nothing. If you set use-interface-duid to yes , the DUID of any PPPoE interf...
by sindy
Thu Dec 19, 2024 1:42 pm
Forum: General
Topic: two identity in ipsec with diffrent remote id
Replies: 12
Views: 928

Re: two identity in ipsec with diffrent remote id

Before eventually taking such extreme measures, enable logging using /system logging add topics=ipsec,!packet if you haven't done that yet, then run /log print follow-only file=working where topics~"ipsec" , and let the Android connect with the working settings. Then Ctrl-C the /log print ...
by sindy
Thu Dec 19, 2024 12:12 pm
Forum: General
Topic: 2 bank websites doesn't open (WiFi and PPPoE) [SOLVED]
Replies: 4
Views: 767

Re: 2 bank websites doesn't open (WiFi and PPPoE) [SOLVED]

A few months ago I was dealing with a very similar issue - not the exact same one as the banks were most likely other ones and the issue was affecting devices connected to the "remote" AP. In that case, the culprit was the MTU on the tunnel between the main router and that AP. Your case se...
by sindy
Wed Dec 18, 2024 7:50 pm
Forum: General
Topic: two identity in ipsec with diffrent remote id
Replies: 12
Views: 928

Re: two identity in ipsec with diffrent remote id

Can you replace the identities by s.si and t.tr and try again? I am actually surprised that the first one is found.
by sindy
Wed Dec 18, 2024 6:50 pm
Forum: General
Topic: IPSEC tunnel without traffic.
Replies: 10
Views: 804

Re: IPSEC tunnel without traffic.

Have you tried the procedure I have suggested above, to disable any connection attempts for 5 minutes and then re-enable them on the Fortigate side? What was the outcome?
by sindy
Wed Dec 18, 2024 6:35 pm
Forum: General
Topic: two identity in ipsec with diffrent remote id
Replies: 12
Views: 928

Re: two identity in ipsec with diffrent remote id

The search in the identity table is done using the criteria I've listed above, so there is no reason why one row should be ignored. mode-config is an "output parameter" of an identity row, not a match one. What does /ip ipsec identity export hide-sensitive show? What ROS version are you ru...
by sindy
Wed Dec 18, 2024 2:24 pm
Forum: General
Topic: two identity in ipsec with diffrent remote id
Replies: 12
Views: 928

Re: two identity in ipsec with diffrent remote id

OK, so if there is no difference between s and k except the name itself on the phone side, there must be some difference between the identity rows on the Mikrotik side, unless it's (e.g.) s.s for "s" but ttt (no dot inside) for "t" - the matcher used to be quite sensitive to the ...
by sindy
Wed Dec 18, 2024 2:16 pm
Forum: General
Topic: IPSEC tunnel without traffic.
Replies: 10
Views: 804

Re: IPSEC tunnel without traffic.

Two separate issues. One is the firewall setup - the permissive rules for AH and ESP are not necessary at all as the Fortigate is behind a NAT so even ESP will be encapsulated into UDP (and AH cannot be used at all even if you wanted to use it, which is not the case). Also, the permissive rule for U...
by sindy
Wed Dec 18, 2024 1:26 pm
Forum: General
Topic: IPSEC tunnel without traffic.
Replies: 10
Views: 804

Re: IPSEC tunnel without traffic.

What does /ip firewall export show then? The order of rules within each chain matters a lot.
by sindy
Wed Dec 18, 2024 1:10 pm
Forum: General
Topic: IPSEC tunnel without traffic.
Replies: 10
Views: 804

Re: IPSEC tunnel without traffic.

what should i do ? Post the complete export, not just the IPsec part - we need to modify the firewall rules for Problem #1 and check them for Problem #2. Also, 6.43.2 is an "ice age" version from the software development perspective, with lots of security issues found and fixed in the mea...
by sindy
Wed Dec 18, 2024 12:59 pm
Forum: General
Topic: two identity in ipsec with diffrent remote id
Replies: 12
Views: 928

Re: two identity in ipsec with diffrent remote id

So you take the Android 14 device currently configured as "s", you only change the "s" to a "t" on it, and that is enough to make it fail to authenticate? Or it's actually two distinct (but identical) phones you believe to differ only in the "s" and "t"...
by sindy
Wed Dec 18, 2024 12:44 pm
Forum: General
Topic: IPSEC tunnel without traffic.
Replies: 10
Views: 804

Re: IPSEC tunnel without traffic.

I suspect the issue lies with the MikroTik configuration ... If needed, I can share the current configuration for further clarity. Definitely needed. Just an experienced guess: Problem #1 is typically caused by not excluding the traffic initiated from the Mikrotik side from getting src-nated. IPsec...
by sindy
Wed Dec 18, 2024 12:01 pm
Forum: General
Topic: two identity in ipsec with diffrent remote id
Replies: 12
Views: 928

Re: two identity in ipsec with diffrent remote id

Normally this works, you can use multiple remote peers that only differ in their ID and Mikrotik sorts that out just fine. So what exactly means that "mikrotik only checks the first one" - that the second one (t) never authenticates or that both (s as well as t) end up using the same ident...
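
A configuration illustrating what this post and the related ones in the same thread describe (two identity rows on one IKEv2 responder peer that differ only in remote-id, the identity export with secrets hidden, and the ipsec log capture for comparing a working and a failing client). This is an added example, not configuration posted in the thread; the profile, proposal, pool, mode-config names, the subnets and the secrets are assumptions, and the IDs s.si and t.tr are taken from the thread.

```routeros
# Added example, not from the thread. All names, addresses and secrets are placeholders.
# One IKEv2 responder peer shared by several road-warrior clients.
/ip ipsec profile add name=rw-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal add name=rw-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm pfs-group=none
/ip ipsec policy group add name=rw-group
/ip ipsec policy add group=rw-group template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 proposal=rw-proposal
/ip ipsec peer add name=rw-peer exchange-mode=ike2 passive=yes profile=rw-profile

# One address pool and one mode-config per client identity (assumed layout).
/ip pool add name=pool-s ranges=10.10.1.2-10.10.1.254
/ip pool add name=pool-t ranges=10.10.2.2-10.10.2.254
/ip ipsec mode-config add name=cfg-s address-pool=pool-s address-prefix-length=32 split-include=192.168.88.0/24 system-dns=no
/ip ipsec mode-config add name=cfg-t address-pool=pool-t address-prefix-length=32 split-include=192.168.88.0/24 system-dns=no

# Two identity rows on the same peer. remote-id is a match parameter, mode-config is an
# output parameter; the rows differ only in remote-id and in the per-identity secret.
/ip ipsec identity add peer=rw-peer auth-method=pre-shared-key secret="replace-me-s" \
    remote-id=fqdn:s.si mode-config=cfg-s generate-policy=port-strict policy-template-group=rw-group
/ip ipsec identity add peer=rw-peer auth-method=pre-shared-key secret="replace-me-t" \
    remote-id=fqdn:t.tr mode-config=cfg-t generate-policy=port-strict policy-template-group=rw-group

# What actually got configured, with the secrets hidden so it can be posted.
/ip ipsec identity export hide-sensitive

# Capture the negotiation of the working and of the failing client into two files.
/system logging add topics=ipsec,!packet
/log print follow-only file=working where topics~"ipsec"
# ... let the "s" phone connect, Ctrl-C, then repeat for the "t" phone:
/log print follow-only file=failing where topics~"ipsec"
/file print where name~"working|failing"
```

The two capture files are what to diff: the first line that differs between them is normally the identity lookup result, and with the packet subtopic excluded the files stay small enough to compare by eye.
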
by sindy
Wed Dec 18, 2024 11:52 am
Forum: General
Topic: GRE tunnel and bridging
Replies: 5
Views: 668

Re: GRE tunnel and bridging

The way you describe it, either the "WAN" and "LAN" labels have a far more strict meaning in Draytek in terms of what can and cannot be done using each of them, or maybe the Draytek is not flexible enough when it comes to a multi-WAN setup, i.e. to use of multiple routing tables ...
by sindy
Tue Dec 17, 2024 11:06 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 41
Views: 7216

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

wireguard is stateless, with udp being the underlying protocol which is connectionless. The "connectionless" is the key here. Since UDP is indeed connectionless, the stateful firewalls (and/or NATs) have to emulate the connection state using timers. Which means that retries from either ...
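
The mechanism described above in configuration form, as an added example that is not part of the post: the peer sitting behind the NAT sends a keepalive more often than the NAT's UDP timer expires, so the mapping created by its outgoing handshake never disappears. The interface name, keys, port and addresses are placeholders.

```routeros
# Added example, not from the thread. Keys, addresses and the port are placeholders.
# The peer behind the NAT must send something often enough to keep the emulated UDP
# "connection" alive in the NAT/firewall state table; 25 s is below common UDP timeouts.
/interface wireguard add name=wg0 listen-port=13231 private-key="<placeholder-base64-private-key>"
/ip address add address=10.200.0.2/24 interface=wg0
/interface wireguard peers add interface=wg0 comment="hub" public-key="<placeholder-base64-peer-public-key>" \
    endpoint-address=hub.example.net endpoint-port=13231 allowed-address=10.200.0.0/24 persistent-keepalive=25s

# On the hub (the side with a public address) the usual input rule is needed. On the NATed
# side it is not: the handshake always leaves from inside, and that packet creates the mapping.
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept place-before=0 comment="wireguard hub"

# What the router's own connection tracker holds for the tunnel, and when the last handshake was.
# A tracked entry that has vanished after a period of silence is the symptom the post describes.
/ip firewall connection print where protocol=udp and dst-address~":13231"
/interface wireguard peers print detail where interface=wg0
```

The keepalive only has to be configured on the side whose packets traverse the NAT; the hub answers and thereby refreshes the same state entry.
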
by sindy
Tue Dec 17, 2024 9:32 pm
Forum: General
Topic: GRE tunnel and bridging
Replies: 5
Views: 668

Re: GRE tunnel and bridging

It is possible to set up a GRE tunnel between ExtraIP and a DrayTek WAN port. The downside is it can only Rx and not Tx. Not sure how to understand this. Does ExtraIP only allow one-way traffic in the GRE tunnel (from the internet towards the extra IPs) and expects the traffic from the public IPs the...
by sindy
Mon Dec 16, 2024 2:08 pm
Forum: General
Topic: GRE tunnel and bridging
Replies: 5
Views: 668

Re: GRE tunnel and bridging

The configuration suggestion for Mikrotik on the extraip site seems incomplete to me, but the most important point is that GRE is an L3 interface, so you cannot bridge it with anything. You can, however, route the packets for those additional public addresses that you receive via GRE further to the ...
by sindy
Sat Dec 14, 2024 5:44 pm
Forum: General
Topic: Mikrotik Lte product with IPPBX (3Cx)
Replies: 1
Views: 392

Re: Mikrotik Lte product with IPPBX (3Cx)

I'm not sure I understand what you actually need. You can use a Mikrotik LTE product to provide an internet uplink to your IP PBX, allowing it to establish a trunk connection with a VoIP operator over IP, using the data service of the mobile network. You cannot use the Mikrotik LTE modem to provide...
by sindy
Sat Dec 14, 2024 1:16 pm
Forum: General
Topic: 2 WAN active at the same time [SOLVED]
Replies: 19
Views: 1654

Re: 2 WAN active at the same time [SOLVED]

Great. When testing the behavior of the min-prefix parameter of routing rules, I have encountered an issue with similar symptoms that I now suspect to actually have the exact same root cause like yours. Although it makes a lot of sense once you've suggested that, I was creating a new rule and removi...
by sindy
Fri Dec 13, 2024 9:42 pm
Forum: General
Topic: 2 WAN active at the same time [SOLVED]
Replies: 19
Views: 1654

Re: 2 WAN active at the same time [SOLVED]

In the configuration you have just suggested, the action=lookup dst-address=2.2.2.2/32 interface=ether2 table=wan2 rule is not necessary, but should not cause any harm. But you have to remove interface=ether2 from the other rule, as in routing rules, interface refers to the interface through which t...
by sindy
Wed Dec 11, 2024 2:47 pm
Forum: General
Topic: IPv6 Neighbor Discovery (ND) disable
Replies: 4
Views: 908

Re: IPv6 Neighbor Discovery (ND) disable

Not enough data to agree or disagree.
by sindy
Wed Dec 11, 2024 9:21 am
Forum: General
Topic: Blocking Static IP assignments
Replies: 3
Views: 565

Re: Blocking Static IP assignments

Only on the bridge, as that's what the IP stack is linked to. The Ethernet interfaces are just member ports of the bridge in this setup.
by sindy
Tue Dec 10, 2024 10:47 pm
Forum: General
Topic: IPv6 Neighbor Discovery (ND) disable
Replies: 4
Views: 908

Re: IPv6 Neighbor Discovery (ND) disable

In IPv6, Neighbor Discovery is a protocol (actually, a subset of ICMPv6) that allows the hosts to discover the router reachable through the interface and use the network address (most significant 64 bits) of the router to create their own address. This is an optional approach that can be enabled or ...
by sindy
Tue Dec 10, 2024 9:37 pm
Forum: General
Topic: Synchronizing Configurations on Multiple MikroTik Routers with VRRP (v7+)
Replies: 12
Views: 1810

Re: Synchronizing Configurations on Multiple MikroTik Routers with VRRP (v7+)

this will not work in production environment. I would say rather the opposite - cloning the configuration from the active device to the standby one, i.e. copying it to the last bit, is the only way to make it work in a production environment without using any external device that would handle the &...
by sindy
Tue Dec 10, 2024 7:53 pm
Forum: General
Topic: Need help with blocking port 25
Replies: 2
Views: 386

Re: Need help with blocking port 25

The log message clearly indicates that it is the Mikrotik itself that initiates the TCP connections to port 25 - it says output which is the firewall chain that handles packets sent by the router itself, and it says in:(unknown 0) which says the same in another way (packets sent by the router itself...
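
As an added example (not from the thread), the commands for finding out what on the router itself opens connections to port 25 and for stopping it while you look: router-originated packets only traverse chain=output, so that is the chain to log and drop in. The log prefix is an assumption.

```routeros
# Added example, not from the thread. The prefix is a placeholder.
# Packets the router itself sends never pass chain=forward; they are seen in chain=output only.
# Log each new router-originated SMTP connection, then drop it (rules are appended in this order).
/ip firewall filter add chain=output protocol=tcp dst-port=25 connection-state=new \
    action=log log-prefix="router-smtp"
/ip firewall filter add chain=output protocol=tcp dst-port=25 action=drop comment="no SMTP from the router itself"

# The legitimate sources of router-originated mail: the e-mail tool and any logging action using it.
/tool e-mail print
/system logging action print where target=email

# Anything else that may call /tool e-mail send: scripts and scheduler entries.
/system script print where source~"e-mail"
/system scheduler print where on-event~"e-mail"

# Tracked connections the router itself opened towards port 25 (the "$" needs escaping in a
# double-quoted RouterOS string).
/ip firewall connection print where protocol=tcp and dst-address~":25\$"
```

If none of the listed sources explain the connections, the log entries (which carry the destination address) are the starting point for the next step; a router that sends mail nobody configured deserves the same treatment as any other host that does.
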
by sindy
Tue Dec 10, 2024 1:29 pm
Forum: General
Topic: 2 WAN active at the same time [SOLVED]
Replies: 19
Views: 1654

Re: 2 WAN active at the same time [SOLVED]

Even the "free text" description reveals a misunderstanding of the concept. Routing rules do not care about the role of "source" and "destination" in a connection as a whole, they only care about individual packets. So your routing rule must say "if the source addr...
by sindy
Tue Dec 10, 2024 11:17 am
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 1596

Re: RouterOS cannot reach internet after PCC load balance two wan connection

is this limited to OS v7 or the same in v6 also? If you mean the fact that most fasttracked packets skip mangle rules, that was the case ever since fasttracking has been introduced, if not in ROS 5 then in early ROS 6, as skipping part of packet processing steps is the very essence of fasttracking....
by sindy
Mon Dec 09, 2024 6:13 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

@Amm0, Yup, but a default route in main is sufficient to meet this requirement. Also, I'm pretty sure that statement in the documentation is a simplification the author has used to avoid the need to explain that this requirement (for some route to exist in main ) is only related to own outgoing traf...
by sindy
Mon Dec 09, 2024 2:28 pm
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 1596

Re: RouterOS cannot reach internet after PCC load balance two wan connection

That's what I do not understand because such a configuration is so unusual that I have never tested it.
by sindy
Mon Dec 09, 2024 1:02 pm
Forum: General
Topic: Synchronizing Configurations on Multiple MikroTik Routers with VRRP (v7+)
Replies: 12
Views: 1810

Re: Synchronizing Configurations on Multiple MikroTik Routers with VRRP (v7+)

So far the best approach I have seen is that of @nathan1 - https://forum.mikrotik.com/viewtopic.php?p=569009#p569009 . There, VRRP is only used to detect the failure of the active router. As @wiseroute has pointed out, if you want the VRRP to work as designed, i.e. to only move the virtual gateways,...
by sindy
Mon Dec 09, 2024 12:35 pm
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 1596

Re: RouterOS cannot reach internet after PCC load balance two wan connection

Indeed, that's the price to pay for load distribution using mangle rules. By changing that to connection-mark=!WAN2 you can have 50 % of the traffic fasttracked, but you cannot fasttrack all connections. Instead of PCC mangle rules, you can use ECMP to distribute the LAN->internet traffic, as fasttr...
by sindy
Mon Dec 09, 2024 11:54 am
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 1596

Re: RouterOS cannot reach internet after PCC load balance two wan connection

1. What is the use of these two routes? /ip route add gateway=8.8.8.8 distance=1 check-gateway=ping /ip route add gateway=1.1.1.1 distance=2 check-gateway=ping As you took the effort to monitor the transparency of both uplinks using the recursive next-hop search for the routes you use for load dist...
by sindy
Mon Dec 09, 2024 10:56 am
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 1596

Re: RouterOS cannot reach internet after PCC load balance two wan connection

OK, simple terms: /interface pppoe-client set [find] default-route-distance=10 /ip route add gateway=8.8.8.8 distance=1 check-gateway=ping /ip route add gateway=1.1.1.1 distance=2 check-gateway=ping To allow the Mikrotik itself to communicate, there must be routes in routing table main , there's no ...
by sindy
Mon Dec 09, 2024 10:35 am
Forum: General
Topic: Unable to restore bin backup file to AC2 [SOLVED]
Replies: 5
Views: 762

Re: Unable to restore bin backup file to AC2 [SOLVED]

"The same" including the fact that your enchanted configuration contained a huge amount of address list items and that's the only part that got restored?
by sindy
Mon Dec 09, 2024 10:27 am
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 1596

Re: RouterOS cannot reach internet after PCC load balance two wan connection

As the configuration without any default route in table main is not very typical, I'm not sure whether this explains why you say that PCC works without it and doesn't without, but: the essence of fastpath & fasttrack handling of packets is skipping of some stages of packet processing, one of whi...
by sindy
Sun Dec 08, 2024 11:36 pm
Forum: General
Topic: Unable to restore bin backup file to AC2 [SOLVED]
Replies: 5
Views: 762

Re: Unable to restore bin backup file to AC2 [SOLVED]

I've just loaded (restored) a backup saved on a hAP ac² running 7.16.1 on a CHR running 7.16.2 that I have cloned for the purpose and equipped it with 5 Ethernet interfaces. To my surprise, /export shows even the configuration of the wifi interfaces that do not exist on the CHR. For even better resu...
by sindy
Sun Dec 08, 2024 8:04 pm
Forum: General
Topic: RouterOS cannot reach internet after PCC load balance two wan connection
Replies: 22
Views: 1596

Re: RouterOS cannot reach internet after PCC load balance two wan connection

There are two distinct major issues - the routing of router's own outgoing traffic in general and the unique behavior of the Wireguard stack. The default route in table main is mandatory for the own traffic of the router to get sent due to the way how this locally originated traffic is treated. Any ...
by sindy
Sun Dec 08, 2024 4:50 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

Slow down, man :D Leaving aside that the topic title has become totally misleading already long ago, and that you have changed the objective all of a sudden, your bold rules are either incomplete or incorrect. The whole idea of using the recursive next-hop search to monitor route transparency is to ...
by sindy
Sun Dec 08, 2024 4:07 pm
Forum: General
Topic: DHCP server injects additional characters when using "DHCP Options"
Replies: 8
Views: 1030

Re: DHCP server injects additional characters when using "DHCP Options"

I browsed available options and '72 HTTP server' seemed pretty harmless. But after adding it to Option Set, there is no change in packet structure - option 67 containing bootfile name is the last one and option 72 is not passed. According to the standard, a DHCP server only provides the options the...
by sindy
Sun Dec 08, 2024 3:58 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

Sorry @anav, but your wording is so advanced that it is confusing even for me, although I know what you actually intended to say. So let me try myself in a simpler language with more details: In most cases, we need to prevent the traffic towards local destinations from using other routing table than...
by sindy
Sun Dec 08, 2024 3:08 pm
Forum: General
Topic: [HELP] Mikrotik Multi WAN
Replies: 3
Views: 628

Re: [HELP] Mikrotik Multi WAN

In your configuration, LAN-1 to LAN-22 are not IP interfaces, they are just member ports of their respective bridges. If you look at the packet and byte counters of those mangle rules, you'll see that they stand at 0 because from the point of view of the IP firewall, there is no traffic that would m...
by sindy
Sun Dec 08, 2024 12:22 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

So it was a configuration after all. What min-prefix actually does is that it takes a look which route in the indicated table would be used for the packet, and if the length of the dst-address prefix of that route is smaller than or equal to the min-prefix value, the rule returns a non-match so the ...
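
The rule pair that the explanation of min-prefix above implies, as an added example that is not from the thread; the addresses, gateway and table names are assumptions. The first rule looks the destination up in main with min-prefix=0, so a hit on the default route (prefix length 0) counts as a non-match and only destinations that main knows more specifically stay in main; internet-bound packets fall through to the actual policy rule.

```routeros
# Added example, not from the thread. Addresses, gateways and table names are placeholders.
/routing table add name=wan2 fib
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="default via WAN1 in main"
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=wan2 comment="default via WAN2"

# Rule 1: resolve in main first, but treat a match on a route with prefix length <= 0 (the default
# route) as a non-match, so only connected subnets and other specific routes are resolved here.
/routing rule add action=lookup table=main min-prefix=0 comment="keep local destinations in main"

# Rule 2: the actual policy. lookup-only-in-table does not fall back to main when wan2 has no route.
# Note that interface= in a routing rule means the interface the packet came in through.
/routing rule add src-address=10.0.0.128/25 action=lookup-only-in-table table=wan2 comment="this subnet via WAN2"

# As of 7.16.x, change min-prefix on an existing rule by removing and re-adding the rule rather
# than using set (see the posts above).
/routing rule print detail
/ip route print where routing-table=wan2
```

The order of the two rules is what matters: with the policy rule first, a packet from 10.0.0.128/25 towards another local subnet would be sent to the WAN2 gateway.
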
by sindy
Sun Dec 08, 2024 11:46 am
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

So you did filter out some of the configuration previously, but it was indeed unrelated, OK. First I would change the action in the only routing rule from lookup to lookup-only-in-table and remove the min-prefix completely (but using remove and add , for the reason explained before). If that changes...
by sindy
Sat Dec 07, 2024 9:13 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

I'm not sure if it's affected by other configurations, but for policy routing, I only have the one strategy that we have discussed so far. This remark makes me cautious, but I assume you haven't removed any mangle rules from the export before posting it? I cannot imagine anything else to have an im...
by sindy
Sat Dec 07, 2024 7:16 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

Both pppoe-out1 and pppoe-out2 are attached to macvlan interfaces You are right, because I need to dial the same interface twice. That's OK, I've even tested that if the pppoe interface is attached to a macvlan, the pppoe-discover frames are indeed sent via the physical interface with the source MA...
by sindy
Sat Dec 07, 2024 6:29 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

the main routing table should be able to resolve the destination too.
Yup, but a default route in main is sufficient to meet this requirement.
by sindy
Sat Dec 07, 2024 6:17 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

I'm not sure of the purpose behind using the intermediate macvlan in the first place... It may be necessary to use a different MAC address for each PPPoE client connecting to the same ISP using the same physical interface, and macvlan is one of few ways to ensure this. I haven't tested yet, though, whethe...
by sindy
Sat Dec 07, 2024 5:57 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

Wow... it did not come to my mind to look that low into your config. Both pppoe-out1 and pppoe-out2 are attached to macvlan interfaces, which in turn are attached to ether5 , and ether5 is disabled (at least in the export you have posted). Disabling ether5 means that all traffic, not only IP one, th...
by sindy
Sat Dec 07, 2024 4:32 pm
Forum: General
Topic: ECMP doesn't work for Load balancing [SOLVED]
Replies: 28
Views: 2307

Re: ECMP doesn't work for Load balancing [SOLVED]

Your configuration export doesn't show any reason why 10.0.0.130 should use routing table main , however, as of current (7.16.x), there are issues with handling of the min-prefix value in configuration. So unless you have added the first routing rule already with that value specified, add the same r...
by sindy
Sat Dec 07, 2024 1:27 pm
Forum: General
Topic: Logs showing Public IP as gateway IP
Replies: 4
Views: 580

Re: Logs showing Public IP as gateway IP

This kind of looks like what you would get, if your gateway was also a Mikrotik, and it had hairpin nat enabled for a SSH port forward/dst-nat connection to the internal router. (With attempted logins from inside) Or even from the outside if that src-nat rule doesn't care. But indeed, some endpoint...
by sindy
Sat Dec 07, 2024 1:23 pm
Forum: General
Topic: How to Pass all traffic into WireGuard Cloudflare ?
Replies: 49
Views: 6193

Re: How to Pass all traffic into WireGuard Cloudflare ?

So time zones play little role and it is basically a random process, OK.

If you want to give it a try, follow the instructions in this post.
by sindy
Thu Dec 05, 2024 9:51 pm
Forum: General
Topic: IP Passthrough - RouterOS without Internet
Replies: 1
Views: 495

Re: IP Passthrough - RouterOS without Internet

You can attach VLAN interfaces to the Ethernet interfaces you use to connect the two routers together and create an interconnect subnet in that VLAN, so that the RBM33G could talk to the world via the other router. Of course that requires enough flexibility on the other router.
by sindy
Thu Dec 05, 2024 2:38 pm
Forum: General
Topic: RB912UAG-2HPnD - wifi interface is missing
Replies: 17
Views: 1298

Re: RB912UAG-2HPnD - wifi interface is missing

Let me try again... on your first set of screenshots taken with 7.16.2, there was this:
wifi-wireless.png
For this device model, the wireless/wifi interfaces can only be managed using the "wireless" package.
by sindy
Wed Dec 04, 2024 10:18 pm
Forum: General
Topic: VPN Site to site ?
Replies: 11
Views: 1330

Re: VPN Site to site ?

when restoring that configuration in the mikrotik hap ac3 in Venezuela it caused chaos You cannot use backup save and backup restore to copy configurations from one device to another. You can restore a backup file only on a device of the same model like the one where you saved it, otherwise many th...
by sindy
Wed Dec 04, 2024 9:56 pm
Forum: General
Topic: hAP ac2 after update doesn't work [SOLVED]
Replies: 3
Views: 733

Re: hAP ac2 after update doesn't work [SOLVED]

You can try to reset it to default configuration using the reset button during power-up, I had one or two cases where this helped recover the device after update. If that does not help, you can also try to netinstall the device, but if you never tried netinstall before, don't be surprised if it does...
by sindy
Wed Dec 04, 2024 9:49 pm
Forum: General
Topic: VPN Site to site ?
Replies: 11
Views: 1330

Re: VPN Site to site ?

I understand that in order to simulate the connection as if it were in Venezuela, the "Server" must be created in Venezuela No. The roles of the two routers in the initial negotiation of the VPN tunnel have no effect on how you will use the tunnel. The device in Venezuela must indeed be t...
by sindy
Wed Dec 04, 2024 5:58 pm
Forum: General
Topic: RB912UAG-2HPnD - wifi interface is missing
Replies: 17
Views: 1298

Re: RB912UAG-2HPnD - wifi interface is missing

You will never get a wifi interface, you can only get a wireless one - for a reason, the two driver packages use different names for the interfaces. But while running 7.16.2, what does /system package print show? If the package is installed and enabled, it should detect the hardware automatically a...
by sindy
Wed Dec 04, 2024 1:55 pm
Forum: General
Topic: Wireguard is blocked by ISP any other solution
Replies: 20
Views: 2264

Re: Wireguard is blocked by ISP any other solution

...without the disabled=yes of course.
by sindy
Wed Dec 04, 2024 12:14 pm
Forum: General
Topic: Dual Wan link to some isp router
Replies: 9
Views: 880

Re: Dual Wan link to some isp router

As for the opening of doors from the outside on the ISP router, do I have to address them indifferently to one of the two IPs of my 5009? A single port can usually be forwarded only to a single address, unless the ISP box has advanced possibilities like random matching etc. that would allow you to ...
by sindy
Wed Dec 04, 2024 12:08 pm
Forum: General
Topic: What do these packets mean
Replies: 21
Views: 1722

Re: What do these packets mean

What you've sniffed on ra0 is still just the Ethernet traffic. For real wireless sniffing, you would need to use a different sniffing mode on the UBNT (which may or may not exist, I don't use UBNT anywhere), or to place a Mikrotik *AP box next to it and run the wireless sniffer on it. Only that way ...
by sindy
Wed Dec 04, 2024 11:59 am
Forum: General
Topic: Dual WAN Failover no connection from VLANs
Replies: 4
Views: 686

Re: Dual WAN Failover no connection from VLANs

Is that a complete export of your configuration or have you removed some lines in whole, rather than obfuscating only the sensitive items on them, because you assumed they were not relevant? The reason why I am asking is that if this is the complete export, your firewall does not exist, as the defau...
by sindy
Wed Dec 04, 2024 12:20 am
Forum: General
Topic: Dual Wan link to some isp router
Replies: 9
Views: 880

Re: Dual Wan link to some isp router

Without any kind of link aggregation support on the ISP router, you can let the 5009 get two or even three addresses from it, each on another physical interface, and use the load sharing setup that has been described here on the forum multiple times; the only unusual setting will be that you'll have...
by sindy
Tue Dec 03, 2024 9:58 pm
Forum: Beginner Basics
Topic: netback whit telegram topic groups
Replies: 2
Views: 583

Re: netback whit telegram topic groups

The sendMessage method has an optional parameter message_thread_id which indicates the topic the message belongs to.
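
A RouterOS script that sends a message into a specific topic using that parameter, added here as an example (it is not from the thread and not the netback code). The bot token, chat id and thread id are placeholders, and the message text is assumed.

```routeros
# Added example, not from the thread. Token, chat id and thread id are placeholders.
:local botToken "123456789:replace-with-your-bot-token"
:local chatId "-1001234567890"
:local threadId "42"
:local text "backup finished on $[/system identity get name] at $[/system clock get time]"

# sendMessage accepts a JSON body; message_thread_id selects the topic inside the group.
# The text must not contain characters that need JSON escaping when built by hand like this;
# newer ROS 7 can build the body with :serialize to=json instead.
:local body "{\"chat_id\":\"$chatId\",\"message_thread_id\":$threadId,\"text\":\"$text\"}"

# The bot token is a credential: set check-certificate=yes once the issuing CA is imported,
# otherwise it travels over a TLS connection whose peer is not verified.
/tool fetch mode=https http-method=post \
    url="https://api.telegram.org/bot$botToken/sendMessage" \
    http-header-field="Content-Type: application/json" \
    http-data=$body \
    output=none
```

Without message_thread_id the same call posts to the group's general topic, which is the behaviour the question describes.
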
by sindy
Tue Dec 03, 2024 9:44 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1805

Re: VPN IPSec Route

Unless you have obfuscated the actual subnets involved and made a mistake in that process, the NAT rule that should exempt traffic matching the policy from getting masqueraded is wrong as it matches on src-address=192.168.0.0/24 whereas the policy has src-address=172.16.0.0/29 . Matching on ipsec-po...
by sindy
Tue Dec 03, 2024 9:26 pm
Forum: General
Topic: Doing VLANs properly
Replies: 2
Views: 515

Re: Doing VLANs properly

Your description is not clear, a configuration export would have been better. Anyway, if each of your VLAN interfaces is attached to a single underlying interface and you do not bridge traffic from one VLAN interface to another, there is no advantage in inserting a bridge between the physical interf...
by sindy
Tue Dec 03, 2024 1:45 pm
Forum: General
Topic: Forward multiple WANs inside LAN with VLANs [SOLVED]
Replies: 9
Views: 1076

Re: Forward multiple WANs inside LAN with VLANs [SOLVED]

I have tagged on vlan10 ether1(where i get the ip 10.250.x.x) and ether4(connection to switch). It is still not able to receive ip from the isp1 router. Your descriptions are still confusing, what does "I have tagged on vlan10 ether1" mean? If R1 does not send and expect VLAN-tagged frame...
by sindy
Tue Dec 03, 2024 12:42 pm
Forum: General
Topic: Forward multiple WANs inside LAN with VLANs [SOLVED]
Replies: 9
Views: 1076

Re: Forward multiple WANs inside LAN with VLANs [SOLVED]

That's not what I had in mind. Remove the two /interface vlan named vlan10 and vlan20 , these are IP interfaces allowing the router part of the hEX itself to access those VLANs which according to your drawing is not necessary. Under /interface bridge port , change the pvid for ether1 and ether5 to 1...
by sindy
Mon Dec 02, 2024 10:06 pm
Forum: General
Topic: How to Pass all traffic into WireGuard Cloudflare ?
Replies: 49
Views: 6193

Re: How to Pass all traffic into WireGuard Cloudflare ?

- I can't ping to default gateway and winbox can't access router via IP address. Here, by "default gateway" you mean the one from the point of view of the PC (or phone), i.e. the own address of the Mikrotik in the subnet from which the client has got its address via DHCP? - Sometimes Webs...
by sindy
Mon Dec 02, 2024 8:52 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1805

Re: VPN IPSec Route

I've asked for prints "before" and "after" an attempt to connect from a device at your end to a device at the Fortigate end, you have only posted one. So: if what you have posted is "after", it means the firewall or routing at your end do not let the initial request thr...
by sindy
Mon Dec 02, 2024 8:41 pm
Forum: General
Topic: Question about LACP and bonding
Replies: 7
Views: 851

Re: Question about LACP and bonding

I don't have a loop for redundancy and shouldn't have a loop in the cabling, or I expect so... The point of protection against loops is that even if you don't "misuse" STP as a redundancy protocol, someone may "connect a loose cable" and create a loop by mistake. In a certain country...
by sindy
Mon Dec 02, 2024 6:29 pm
Forum: General
Topic: Hex REFRESH
Replies: 11
Views: 1069

Re: Hex REFRESH

Is it possible to make all the devices in 10.10.10.0/24 have fairly shared bandwidth? Example: I allocated 100mbps in total for that subnet. Then in that subnet there are 5 connected devices; they will share fairly in 100mbps, so 20mbps per device? For this, queues are used - https://help.mikrotik.com/...
by sindy
Mon Dec 02, 2024 6:23 pm
Forum: General
Topic: Question about LACP and bonding
Replies: 7
Views: 851

Re: Question about LACP and bonding

Most common indeed; most compatible not necessarily. E.g. on Cisco switches, it is not possible to enable VLAN-agnostic RSTP per se, it is only available as a fallback mode of MSTP (RSTP is used where the neighboring bridges are in different regions): STACK-C9200(config)#spanning-tree mode ? mst Mul...
by sindy
Mon Dec 02, 2024 5:11 pm
Forum: General
Topic: Forward multiple WANs inside LAN with VLANs [SOLVED]
Replies: 9
Views: 1076

Re: Forward multiple WANs inside LAN with VLANs [SOLVED]

Your description is pretty confusing to be honest. Normally I'd say you just need to make the hEX a bridge that has ether1 as an access port to VLAN 10, ether5 as an access port to VLAN 20, and ether4 as a trunk where VLANs 10, 20, and 30 are all tagged, and you need to create an /interface vlan for...
by sindy
Mon Dec 02, 2024 5:03 pm
Forum: General
Topic: What do these packets mean
Replies: 21
Views: 1722

Re: What do these packets mean

Three possibilities:
1. the Ubiquiti management page doesn't show them because they are in some semi-connected state
2. something else in the network is sending frames with source MAC addresses of those devices
3. the sniffer shows non-existent packets
To me, the first one seems the most likely, and the la...
by sindy
Mon Dec 02, 2024 4:47 pm
Forum: General
Topic: Question about LACP and bonding
Replies: 7
Views: 851

Re: Question about LACP and bonding

STP is originally designed as a protection against L2 loops caused by incorrect cabling, and it does make sense to use it for this purpose even though you use bonding for redundancy. Just check whether the STP flavors are compatible between the Mikrotik and the D-Links, in general, MSTP is the most ...
by sindy
Mon Dec 02, 2024 4:21 pm
Forum: General
Topic: Mikrotik + OpenVPN cert from templat = invalid date
Replies: 1
Views: 401

Re: Mikrotik + OpenVPN cert from templat = invalid date

You're not alone: viewtopic.php?t=212600

So far no one has provided any feedback regarding the workaround I've suggested there.
by sindy
Mon Dec 02, 2024 4:18 pm
Forum: General
Topic: Wireguard is blocked by ISP any other solution
Replies: 20
Views: 2264

Re: Wireguard is blocked by ISP any other solution

I do know people who run containers on CHRs running in the cloud, because it is simpler than to set up a separate virtual machine there. But keeping a CHR only as a host for a single container would make little sense so maybe spawning a dedicated Debian machine may be a better choice for you - I don...
by sindy
Mon Dec 02, 2024 4:15 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1805

Re: VPN IPSec Route

Great, and has it changed anything? I suppose you did reboot the router again after the change? So show me the output of /ip ipsec active-peers print and /ip ipsec installed-sa print again, once taken before you attempt to connect from your location to the remote one and once after such an attempt.
by sindy
Mon Dec 02, 2024 3:57 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1805

Re: VPN IPSec Route

It should have said src-address-type=!local - the exclamation mark is important (it is a logical "not"), and on the GUI (Winbox/Webfig), there is a rectangle like for a checkmark before the value; if you tick it, the exclamation mark appears there rather than the checkmark.
by sindy
Mon Dec 02, 2024 3:54 pm
Forum: General
Topic: Request for new feature (SNMP OIDs)
Replies: 3
Views: 533

Re: Request for new feature (SNMP OIDs)

What do you mean by system notes? If you use a translator and you have in mind log, and if your hardware uses the flash memory as the only disk storage (some devices use a ramdisk for most files), then yes, you can configure logging in such a way that script events are logged to "memory" (so ...
by sindy
Mon Dec 02, 2024 3:37 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1805

Re: VPN IPSec Route

Your action=masquerade in chain srcnat of table nat is not selective which probably causes additional issues. But for your purpose, place a rule chain=srcnat action=accept ipsec-policy=out,ipsec before (above) the action=masquerade one. I would also add out-interface=ether1 or out-interface-list=WAN...
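The two replies in this thread about the NAT exemption (the rule matching on src-address=192.168.0.0/24 while the policy covers 172.16.0.0/29, and the rule having to sit above action=masquerade) describe one mechanism: srcnat runs first, and the IPsec policy is matched against the packet as it looks after NAT. The following Python model is an added example, not code from the thread or from RouterOS; it evaluates a srcnat chain top to bottom the way RouterOS does (first matching rule terminates) and then checks whether a policy still matches the resulting packet. The subnets 172.16.0.0/29 and 192.168.0.0/24 are from the thread; the remote subnet 10.99.0.0/24, the WAN address 203.0.113.10, the internet destination 198.51.100.7 and the WAN list containing ether1 are constructed assumptions.

```python
"""Model of /ip firewall nat chain=srcnat evaluation against an IPsec policy (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_interface: str


@dataclass(frozen=True)
class IpsecPolicy:
    src_address: str   # 172.16.0.0/29 as in the thread
    dst_address: str   # remote subnet; constructed value below

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_address)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_address))


@dataclass(frozen=True)
class NatRule:
    action: str                               # "accept" or "masquerade"
    src_address: Optional[str] = None         # src-address=...
    out_interface_list: Optional[str] = None  # out-interface-list=...
    ipsec_policy_out: bool = False            # ipsec-policy=out,ipsec

    def matches(self, pkt: Packet, policies: List[IpsecPolicy], lists: Dict[str, Set[str]]) -> bool:
        if self.src_address and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_address):
            return False
        if self.out_interface_list and pkt.out_interface not in lists[self.out_interface_list]:
            return False
        if self.ipsec_policy_out and not any(p.matches(pkt) for p in policies):
            return False
        return True


def run_srcnat(rules: List[NatRule], pkt: Packet, policies: List[IpsecPolicy],
               lists: Dict[str, Set[str]], if_addr: Dict[str, str]) -> Tuple[Packet, bool]:
    """Walk chain=srcnat top to bottom; the first matching rule terminates the chain.
    masquerade rewrites src to the out-interface address. The IPsec policy is then
    looked up on the post-NAT packet, so a masqueraded packet no longer matches a
    policy keyed on the original LAN source and leaves the router unencrypted."""
    for rule in rules:
        if rule.matches(pkt, policies, lists):
            if rule.action == "masquerade":
                pkt = Packet(if_addr[pkt.out_interface], pkt.dst, pkt.out_interface)
            break
    return pkt, any(p.matches(pkt) for p in policies)


POLICIES = [IpsecPolicy("172.16.0.0/29", "10.99.0.0/24")]  # 10.99.0.0/24 is constructed
LISTS = {"WAN": {"ether1"}}                                 # assumed interface list membership
IF_ADDR = {"ether1": "203.0.113.10"}                        # constructed public address

CONFIGS: Dict[str, List[NatRule]] = {
    # exemption keyed on the wrong subnet: never matches a 172.16.0.x source
    "wrong_subnet": [NatRule("accept", src_address="192.168.0.0/24", ipsec_policy_out=True),
                     NatRule("masquerade", out_interface_list="WAN")],
    # right matcher, wrong position: masquerade is hit first
    "wrong_order": [NatRule("masquerade", out_interface_list="WAN"),
                    NatRule("accept", out_interface_list="WAN", ipsec_policy_out=True)],
    # accept ipsec-policy=out,ipsec placed above the masquerade rule
    "correct": [NatRule("accept", out_interface_list="WAN", ipsec_policy_out=True),
                NatRule("masquerade", out_interface_list="WAN")],
}


def evaluate(config: str) -> Dict[str, object]:
    """Send one packet towards the remote site and one towards the internet through `config`."""
    vpn = Packet("172.16.0.1", "10.99.0.5", "ether1")          # LAN host -> remote site
    internet = Packet("172.16.0.1", "198.51.100.7", "ether1")  # same host -> internet
    vpn_out, encrypted = run_srcnat(CONFIGS[config], vpn, POLICIES, LISTS, IF_ADDR)
    inet_out, _ = run_srcnat(CONFIGS[config], internet, POLICIES, LISTS, IF_ADDR)
    return {"vpn_src": vpn_out.src, "vpn_encrypted": encrypted, "internet_src": inet_out.src}


if __name__ == "__main__":
    for name in CONFIGS:
        print(name, evaluate(name))
```

Only the "correct" ordering leaves the site-to-site packet with its 172.16.0.1 source (so the policy matches and it gets encrypted) while still masquerading ordinary internet traffic from the same host; both wrong configurations masquerade the VPN packet and the policy silently stops matching.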
by sindy
Mon Dec 02, 2024 2:45 pm
Forum: General
Topic: Wireguard is blocked by ISP any other solution
Replies: 20
Views: 2264

Re: Wireguard is blocked by ISP any other solution

SSTP looks almost like a normal HTTPS connection but it is relatively slow. The initial packets of all other VPN protocols are quite distinctive so easy to spot using DPI and therefore easy to block. AmneziaWG targets exactly this.
by sindy
Mon Dec 02, 2024 2:30 pm
Forum: General
Topic: Starlink and Mikrotik Router Problem
Replies: 8
Views: 6345

Re: Starlink and Mikrotik Router Problem

The same cable connected to the Starlink router works fine. Which cable are we talking about here? The original Starlink one with the USB-C in a proprietary shaped shielding or the RJ-45 between the "standard" side of the injector and the router? What is the current (amperes) rating of the pow...
by sindy
Mon Dec 02, 2024 1:56 pm
Forum: General
Topic: Wireguard is blocked by ISP any other solution
Replies: 20
Views: 2264

Re: Wireguard is blocked by ISP any other solution

Yup, it's not a matter of switching the ISP, it's a matter of switching the country. AmneziaWG seems to be successful in addressing this type of issue, but you need a Mikrotik that supports containers or a completely different hardware. Depending on the country, it may or may not be enough.
by sindy
Mon Dec 02, 2024 1:38 pm
Forum: General
Topic: VPN IPSec Route
Replies: 16
Views: 1805

Re: VPN IPSec Route

The world is full of misunderstandings. As you say that incoming connections to servers on your side from servers at their side are possible, I assume that the "nothing in the logs" is not related to establishing the IPsec communication channel but to the requests delivered via that channe...
by sindy
Mon Dec 02, 2024 1:21 pm
Forum: General
Topic: What do these packets mean
Replies: 21
Views: 1722

Re: What do these packets mean

I don't see anything identifiable and useful in these packets. The useful part is that these are definitely not DHCP packets - actually, not even IP ones. Another useful bit of information is that the wireless channel as such must be established (as in, the Ecobees did authenticate as STAtions to t...
by sindy
Mon Dec 02, 2024 12:34 pm
Forum: General
Topic: What do these packets mean
Replies: 21
Views: 1722

Re: What do these packets mean

Before sniffing again, add interface=bridge or interface=ether3 to the filtering conditions (for this particular case, in other cases the need may be different). Once you sniff enough packets, run /tool/sniffer/save file=something.pcap (or maybe there is a button in Winbox?). Then download the file ...
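The two replies above (the frames "not even being IP ones", and saving the sniffer output with /tool/sniffer/save file=something.pcap for analysis) call for a way to classify what a capture actually contains. The script below is an added example, not code from the thread or from MikroTik: a minimal parser for the classic pcap format RouterOS writes, which decodes the Ethernet header (including one 802.1Q tag), names the EtherType, and flags IPv4/UDP frames on the DHCP ports. The embedded capture is constructed inline, as are the MAC addresses in it; it is not a real sniffer output.

```python
"""Classify frames in a sniffer .pcap by EtherType (added example, not from the thread)."""
import struct
from typing import Dict, Iterator, List

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x888E: "EAPOL", 0x88CC: "LLDP"}


def parse_pcap(data: bytes) -> Iterator[bytes]:
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap file."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET (1)")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify(frame: bytes) -> Dict[str, object]:
    """Decode the Ethernet header (and one 802.1Q tag) and say what the frame carries."""
    dst, src = mac(frame[0:6]), mac(frame[6:12])
    (etype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    vlan = None
    if etype == 0x8100 and len(payload) >= 4:   # 802.1Q tagged: TCI, then inner EtherType
        tci, etype = struct.unpack("!HH", payload[:4])
        vlan = tci & 0x0FFF
        payload = payload[4:]
    info: Dict[str, object] = {
        "src": src, "dst": dst, "vlan": vlan, "ethertype": etype,
        "proto": ETHERTYPES.get(etype, f"unknown(0x{etype:04x})"),
        "is_ip": etype in (0x0800, 0x86DD), "dhcp": False,
    }
    if etype == 0x0800 and len(payload) >= 28 and payload[9] == 17:   # IPv4 carrying UDP
        ihl = (payload[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
        info["dhcp"] = bool({sport, dport} & {67, 68})
    return info


def summarize(pcap: bytes) -> List[Dict[str, object]]:
    return [classify(f) for f in parse_pcap(pcap)]


def non_ip_sources(pcap: bytes) -> List[str]:
    """Source MACs that sent frames which are not IP at all."""
    return sorted({str(i["src"]) for i in summarize(pcap) if not i["is_ip"]})


# --- constructed sample capture (not a real RouterOS sniffer output) -----------------
def _ipv4_udp(sport: int, dport: int, data: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([0, 0, 0, 0]), bytes([255, 255, 255, 255]))
    return ip + udp


def _pcap(frames: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 1700000000, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


BCAST, STA, AP = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SAMPLE_PCAP = _pcap([
    BCAST + STA + b"\x08\x06" + bytes(46),                                 # ARP: not IP
    BCAST + STA + b"\x08\x00" + _ipv4_udp(68, 67, b"\x01" + bytes(239)),   # DHCP over IPv4/UDP
    AP + STA + b"\x88\x8e" + bytes(46),                                    # EAPOL (802.1X handshake)
    BCAST + STA + b"\x81\x00\x00\x0a\x08\x06" + bytes(46),                 # ARP tagged with VLAN 10
    BCAST + STA + b"\x88\xb5" + bytes(46),                                 # experimental EtherType
])

if __name__ == "__main__":
    for entry in summarize(SAMPLE_PCAP):
        print(entry)
    print("non-IP talkers:", non_ip_sources(SAMPLE_PCAP))
```

Run it against a file downloaded from the router by replacing SAMPLE_PCAP with the file's bytes; the interesting output is the list of source MACs that never send an IP frame, which is exactly the kind of station that shows up in a sniffer but not in a DHCP lease list.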
by sindy
Mon Dec 02, 2024 10:40 am
Forum: General
Topic: Dual WAN Failover no connection from VLANs
Replies: 4
Views: 686

Re: Dual WAN Failover no connection from VLANs

If all the LAN subnets can access internet via WAN1, tagging has nothing to do with the issue, it's most likely a misconfiguration of the firewall. Instead of screenshots, post an export of the configuration: on the command line (open a terminal window in Winbox or Webfig or connect to the router us...
by sindy
Sun Dec 01, 2024 10:53 pm
Forum: General
Topic: Wireguard problems [SOLVED]
Replies: 2
Views: 621

Re: Wireguard problems [SOLVED]

You haven't posted the Opnsense configuration, but by the symptoms I assume that you have set allowed-addresses on both peers to 10.200.0.0/24 or, in the better case, 10.200.0.3/24 for the 5009 and 10.200.0.2/24 for the cAP ax. Each Wireguard interface works as a small virtual router - it receives packe...
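The "small virtual router" in the reply above is WireGuard's cryptokey routing: each peer's allowed-addresses act both as the routes towards that peer and as the source filter for packets decrypted from it. The following Python model is an added example, not code from the thread or from WireGuard or RouterOS. It assumes the Linux kernel rule that a prefix can belong to only one peer at a time (assigning it to a second peer takes it away from the first), and it uses the addresses from the thread (10.200.0.3 for the 5009, 10.200.0.2 for the cAP ax) plus two constructed LAN prefixes, 192.168.5.0/24 and 192.168.6.0/24, behind the two peers.

```python
"""Toy model of WireGuard cryptokey routing / allowed-addresses (added example)."""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple


class WireGuardInterface:
    """One WireGuard interface: a table mapping allowed prefixes to the peer that owns them."""

    def __init__(self) -> None:
        # prefix -> peer name. Assumption (Linux kernel behaviour): a prefix belongs to
        # exactly one peer; assigning it to another peer moves it away from the first.
        self.table: Dict[Any, str] = {}

    def set_allowed_addresses(self, peer: str, prefixes: List[str]) -> List[Tuple[str, str]]:
        """Assign allowed-addresses to `peer`; return prefixes taken away from other peers."""
        moved: List[Tuple[str, str]] = []
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)   # 10.200.0.3/24 means 10.200.0.0/24
            previous = self.table.get(net)
            if previous is not None and previous != peer:
                moved.append((str(net), previous))
            self.table[net] = peer
        return moved

    def peer_for_destination(self, dst: str) -> Optional[str]:
        """Outbound: longest-prefix match over all peers' allowed-addresses; None means dropped."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[Any, str]] = None
        for net, peer in self.table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept_from_peer(self, peer: str, src: str) -> bool:
        """Inbound: a decrypted packet is accepted only if its source is in THAT peer's prefixes."""
        addr = ipaddress.ip_address(src)
        return any(addr in net and owner == peer for net, owner in self.table.items())


def scenario(overlapping: bool) -> Dict[str, Any]:
    """Hub with two peers. overlapping=True reproduces a /24 on both peers; False uses a /32
    per peer plus the constructed LAN prefix behind each."""
    hub = WireGuardInterface()
    if overlapping:
        moved = hub.set_allowed_addresses("rb5009", ["10.200.0.3/24"])
        moved += hub.set_allowed_addresses("cap_ax", ["10.200.0.2/24"])
    else:
        moved = hub.set_allowed_addresses("rb5009", ["10.200.0.3/32", "192.168.5.0/24"])
        moved += hub.set_allowed_addresses("cap_ax", ["10.200.0.2/32", "192.168.6.0/24"])
    return {
        "moved": moved,
        "to_rb5009": hub.peer_for_destination("10.200.0.3"),
        "to_cap_ax": hub.peer_for_destination("10.200.0.2"),
        "to_lan_behind_rb5009": hub.peer_for_destination("192.168.5.20"),
        "accept_rb5009": hub.accept_from_peer("rb5009", "10.200.0.3"),
        "accept_cap_ax": hub.accept_from_peer("cap_ax", "10.200.0.2"),
    }


if __name__ == "__main__":
    for label in ("overlapping", "fixed"):
        print(label, scenario(label == "overlapping"))
```

With the overlapping /24 the second peer silently takes the whole prefix: packets for the 5009 are sent to the cAP ax, and packets arriving from the 5009 fail the source check and are dropped, which matches the one-sided symptoms such setups produce. With a /32 per peer (plus the subnet behind each) every destination has exactly one owner.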
by sindy
Sun Dec 01, 2024 10:12 pm
Forum: General
Topic: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970
Replies: 7
Views: 2437

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

I would appreciate any help or workaround.
Have you tried the procedure I have suggested in my previous post?
by sindy
Sun Dec 01, 2024 10:10 pm
Forum: General
Topic: What am I missing about Let's Encrypt support?
Replies: 5
Views: 787

Re: What am I missing about Let's Encrypt support?

The code that processes the HTTP requests is the same one regardless whether the requests arrive via plaintext HTTP on port 80 or TLS-encrypted (HTTPS) on port 443. So apart from protection against eavesdropping on the path between the client and the Mikrotik, the security provided by HTTPS boils do...
by sindy
Sun Dec 01, 2024 9:47 pm
Forum: General
Topic: Public IP High Availability
Replies: 7
Views: 1398

Re: Public IP High Availability

To minimize the total time of the outage, you must minimize both the detection time and the time needed for the actual failover. The faster you make a conclusion that the current connection is down, the sooner you can initiate the actual failover, but the higher the probability that you react too so...
by sindy
Sun Dec 01, 2024 9:02 pm
Forum: General
Topic: Wireguard + ProtonVPN Issue - Mobile clients won't connect [SOLVED]
Replies: 11
Views: 1144

Re: Wireguard + ProtonVPN Issue - Mobile clients won't connect [SOLVED]

1. Schema : Please post drawings as direct attachments here - few people here would visit external sites fueled by advertising. 3. @sindy I must admit that I'm not sure I fully understood all the technical aspects of the proposed solution. ... - With the rule active: * Ping returns to ~8ms * The IP...
by sindy
Sun Dec 01, 2024 5:21 pm
Forum: General
Topic: Wireguard + ProtonVPN Issue - Mobile clients won't connect [SOLVED]
Replies: 11
Views: 1144

Re: Wireguard + ProtonVPN Issue - Mobile clients won't connect [SOLVED]

There are two issues - one is the same regardless of the VPN type and the other one is specific to Wireguard. Mobile clients connect from "random" public addresses, so the only route that can handle any of them is the default one. Given that the default route in the default routing table (ca...
by sindy
Sun Dec 01, 2024 4:08 pm
Forum: General
Topic: Request for new feature (SNMP OIDs)
Replies: 3
Views: 533

Re: Request for new feature (SNMP OIDs)

Are you aware of the possibility to use SNMP GET to run a script that returns any value you make it obtain and possibly post-process?
https://help.mikrotik.com/docs/spaces/R ... ptswithGET