Hi, So, I'm running l2tp/client on LTE RB 935 as a failover.... after a few weeks, I lost connection on primary ISP and it tried to connect to RB935... however, there was no connection.. So I investigated further and found that the l2tp/ipsec client interface was disabled... so then I tried to enabl...
So, I'm in the midst of implementing a monitoring solution, Security Onion OS. Now, my plan is to monitor specific Ethernet ports on Mikrotik via port mirroring. The Problem: The system is very tight and allows only a few things (by design). Now, if I connect Security Onion OS and the 'seniors' into mir...
This RB3011 has 8 different networks where every single one is configured very differently... I decided not to confuse people, and then to obfuscate everything would take me hours. So yeah... thank you for pointing me to the other rules. I went through them so many times that it made me blind to the ve...
Found the issue. Had a Layer7 rule and within the set had a word, which was being matched with one of the platforms, thus was blocking connection way before the mentioned rule set.
So I just triple checked the permitted-local-sources and its IP, which is a match, also the same with other IPs. The odd thing is that if I 'disable' the 'drop' rule, I see packets processed in the other rules. If I had mistaken IPs and dst-list or src-list, those rules would have 0 packet tr...
My dilemma is that I have an RB3011 and on ether5 I want to put a network which is to be used for a specific few IPs: /ip firewall filter add action=accept chain=forward comment="FORWARD Chain - Packets towards Mikrotik itself (Established,Related)" connection-state=established,related add acti...
Ok, so I recently had a few conversations/arguments regarding the RouterOS firewall, and because of my novice knowledge level of network engineering, I would like to find clarification on the following: The firewall is built on the idea that only specific IPs have access to the Internet to specific Internet I...
Sindy, I just tried last time to connect with rebooted Mik and all rules enabled and it connected. Did a few more times thereafter and it seems to connect now. Not sure why. Was thinking maybe it was an issue with a server on the other side. I know it has to be online for sure in 5 hours from now. I...
Sindy, sorry about yesterday, but I got to the point with everything that I was doing more harm than good, so had to walk away and reboot. Furthermore, because I'm not at the central location, I don't have all the programs required to get access to servers and their IP, with another layer being that ...
Unfortunately, I had ISP issues before, so the log I ran on Device#3 which is configured exactly like Device#1. When I was rebuilding, I missed it. 10.10.10.5 was another interface I created to test for another device, which is removed. Thus obfuscation error. #Device#1 [admin@MikroTik] > export /inte...
I believe you must be testing my patience :) I suggest you do something, you do the opposite and ask me to confirm it :-) Unfortunately, I was told that on a few occasions, which usually happens after too much coffee, thus pardon and glad you brought it up. Sometimes I need someone to remind me ...
Regarding GW failover. Would it have a negative impact if I had different distances for the GWs, as I preferred GW1 to be used all the time if available and GW2 just as a failover. Also, I notice that when both work and traffic moves to 2 and then 1 comes back online, if the session/connection was op...
Ok... I probably made a mess with obfuscation (actually not 'probably' but actually). If we go back, it will be 10.10.19.145. Also, taking down the rule from the 'forward' chain allows me to go online, easily... as I'm writing this message from a laptop going thru Dev1 and Dev2, but the minute I put th...
Log output for the firewall with rules; it seems as if it is trying to SYN but gets nothing back. This is the address that's relevant: '100.200.300.238:443' 12:12:04 firewall,info forward: in:ether2 out:vpn, src-mac XX.XX.XX.XX.XX.XX, proto TCP (SYN), 10.10.10.73:52437->100.200.300.238:443, len 52 12:12:04 f...
On top of that, you have default routes only in non-default routing tables, named ISP1 and ISP2. So unless you assign routing-marks ISP1 or ISP2 to packets, they cannot be routed anywhere. Do you assign routing-marks to packets or not? I'm not, went by as it was written, and was wondering why just ...
So this is great.... My ISP1 just stopped, so my failover device was supposed to switch me to ISP2, but it's not... nothing is coming out of it. Worked well with ISP1, but even though the ISP1 Mik is identical in config to ISP2 (for testing purposes), traffic is not flowing, so now before I do the log, I ...
I think this is the export fault as it didn't print the default routes as the VPN interface is checked with default 'route. This is the routing table via 'print': [admin@MikroTik] > ip route print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m ...
Sindy, unfortunately, patience is not my strongest suit, but there is always a price to pay ;) So, wanted to get your opinion on the last matter about IPs not going through. I attached the one with changed 's', so see if there is something else that might be missing. I do have to say that having th...
Extremely impressive... you're quite an interesting individual. I don't know if it is against forum rules... might get banned, but would share my email, as there are not that many competent individuals around where I am in the USA. Would like to hear how you got into it with Mikrotik. I haven't spoken to anyon...
I'm not even going to try to speculate on the last part, as you sound like someone I spoke to earlier today. Last time I remember you mentioned that you're in Czech? Correct me if I'm wrong. Yeah, I tend to be sometimes trigger happy, especially when I speak with someone competent. P.S. Seems like google ...
Pardon, Sindy. I did not set up the failover on 'Device 2' simply because I haven't done it on this new setup. I tested it on the old one and it worked. What I've shown is where everything stops. I figured no need to put 'bla bla' which isn't relevant. The issue is with the 'Device 1' firewall....
Frankly, I had to rethink the whole approach after tonight's "DefCon 4" disaster. In short, people decided to shift from 'DHCP' completely to 'static'. Which created a lot of issues, as not all devices were tested. Bottom line, complete collapse. Additionally, I had false positives wit...
Sindy, I was thinking of 'editing' my previous post, but I did that already 4 times today... so the only reason why I leave it is because of the congratulations on getting "Guru" status. So I did manage to adopt the script into a failover backup, and what I mean by that is, sometimes it's be...
Fantastic... It seems to work now... I'll test it further and let you know, but so far it seems to work for both interfaces as intended. Also, about the DNS pings from the client through Mikrotik, just sharing with you the firewall, maybe you can see something I'm missing: Unfortunately, you have posted...
Ok... did make the changes, however, when the VPN interface is disabled, nothing happens. It doesn't see that change in 'status'. When the VPN interface is disabled I do get a 'dynamic' timeout in 'address-list' for 'watch-vpn-responses' and the 'address' is the LTE interface IP for some reason. I also chan...
OK... Do you think there is a way to resolve it, or do we have a logic error? Do you think we should look into 'scope'? Also, have a client device that is connected to the BRIDGE (LAN) and needs ICMP to a certain DNS server. I tried adding a rule to allow pings on the 'forward' chain, but it's not letti...
I think the issue above was caused by a faulty and amateur firewall setup, with blocking ICMPs etc. After using the suggested approach in the other thread, everything seems to be back online so far. We'll see how it will work. I do agree with you that the 'Dynamic' state for those interfaces doesn't help ...
#UP [admin@MikroTik] > ip route print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 ADS 0.0.0.0/0 VPN 1 1 S 0.0.0.0/0 LTE 2 2 A S 8.8.4.4/32 VPN 1 3 A...
Ok... removed the addresses from 'address-list'. The initial issue with the script was that I kept on getting disconnected from the internet every few minutes. Then you suggested to check the times for the mangle rule: /ip firewall mangle add action=jump chain=prerouting icmp-options=0 jump-target=netwatch-...
Haven't added any addresses to DNS-address-list.. and /ip firewall address-list manually (or, better to say, remove that part from the configuration can you be more specific? Ok...so made the change to Mangle=15s, Netwatch=5s and Script=1m5s. It did resolve the disconnection issue... but now it doesn...
So I keep on testing the firewall + the failover. So far the firewall seems to do what it's supposed to. Will keep on working on it during the night and tomorrow to make further adaptations to devices etc., thus truly appreciate you setting my logic and approach to it straight. Also, added your suggestion regard...
RE: Question#2 I'm glad that you found value in helping me through this process. I took yesterday's mangle rule and today. There was one little issue, 'address-list-timeout', which the system wasn't taking as it required 'timeout', thus here is the setup that I added: /ip firewall address-list add list...
Sindy, you are correct. I didn't get it to the extent you've explained in the last post, thus thank you. That post helped me resolve certain issues with which I've been struggling earlier today. This is a simplified prototype of the firewall built: Questions#1: /ip firewall filter 1. add action=drop ...
See, Sindy, that's exactly that for the 'output' chain. I want a client of my router to be only able to initiate connections to selected IPs, the rest of applications, Windows or Linux updates etc., to be unable to go online. Therefore, if I just use the 'input' chain, it will not stop the inner network machi...
So I've been testing LTE for the past few days and noticed that if left overnight, in the AM I usually get the DHCP client with status 'stopped'. The only way to re-enable it is to restart the LTE interface. Why is it happening and is there a way around it? Also, setting netwatch or a script to monitor connec...
Sindy, I'm coming back to thank you again, and for breaking down the logic behind it. Unfortunately, in the last few days I was heavily medicated due to spring allergies, so wasn't thinking clearly. Your observation along with the suggestion worked 100%. Now, I would create another thread for the question, b...
Got a new device with LTE, Sierra MC7700. Works fine, however, when I try to set up the L2TP/IPSEC client it connects to the server (have no control over the server side). Then I try to ping but it shows me 'not reachable', and then a few seconds later it collapses and tries to reconnect again: Here is ...
can't make those changes... the specs are locked after setting it up through the LTE interface. I had a similar issue when the router was getting traffic and resolving DNS but clients wouldn't in the L2TP/IPSEC situation; Sindy was able to guide me and explain. Now, I'm experiencing similar symptoms but now wi...
Thank you everyone for the earlier support, however, I just got a new device with LTE built in. Everything seems to work fine, I can ping and trace-route from Mikrotik, but no traffic to LAN or DHCP-server clients. I'm still learning, thus hoped someone can point me to what I'm missing. Here is the pres...
Members and Gurus, this got me good, so I deserve to be laughed at, however, I'll endure the embarrassment for knowledge: Doing multi-host failover, used this link https://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting#Basic_Setup . Now on host checking per Uplink where: /ip rou...
I had a weird phenomenon with the upgrade. The system came with 6.41.3, so I upgraded it to 6.42. After the upgrade, it worked well, but after reboot, I lost DNS Mik to client again. I did the same thing again, downgrade and then upgrade, and the same happened. You mentioned that you had a similar issue, and 6.42...
For the past two weeks I have been going back and forth with support to resolve the issue of DNS (so far nothing solved), here is the issue: 1. DNS works on default settings 2. Adding the L2TP/IPSEC layer, DNS only seems to work by using Tools>Traceroute and being able to ping 3. In parallel, from Windows (or Linux), no p...
So I took an RB2011, and decided to use it as 'station' instead of 'bridge' for a variety of reasons; nevertheless here are my findings and issue: - when connected Mik to ISP router via Wireless, everything works great - then I wanted to add L2TP/IPSEC for the above-mentioned connection and the tunnel wa...
So we decided to use one of the 3011s with a USB dongle as failover for the connection, also being an L2TP/IPSEC client. This is an LTE connection with poor signal, around 0.5mbs, which is enough for what it is intended. However, running wireshark and torch for some time, we noticed a lot of 'ping' coming from all t...
Hello guys, Having the following issue: Decided to use RB3011, which is an upgrade from RB2011. However, before I had pfSense with Firewall & Snort set up, but with time, as with any open-source software, you start to notice bugs and options not always doing what they are supposed to. So I decided t...
Sid, On the DHCP server network, I haven't changed anything as I left it the same as from the previous config. This is the odd part. Also, all configs for the firewall stayed the same, as they operated well under the previous LAN network config. I kept the same interface names and networks, so I wouldn't ha...
So I have a few Mik devices, same models etc., and use similar configs for ease as the OS was built up with specific preferences necessary, and keep backup units ready in case of failure etc. The issue that I came across, I can't seem to solve so far: Using 6.41 OS, I changed networks on my ports from...
Hello guys, I'm running an RB2011 board and have broken down the ports into LANs and WANs where each LAN has its corresponding WAN / VPN tunnel. On one of the LANs I have an l2tp/ipsec site-to-site vpn set up for internal use. However, I'm using ip cloud and internal mikrotik DDNS as I have a dynamic ip. Question,...