If the router is providing NTP services, then one simply sets the client to the path to the router which is the vlan gateway, so that is expected behaviour! All my smart devices are on the same management vlan and I set their NTP server to the vlan gateway. For example if my vlan is 192.168.0.1/24 ...

I'm trying to use the Mikrotik as an NTP server for various VLANs. It only works if the respective client uses the gateway IP of its VLAN. Example: Client: 10.0.20.10 ntpdate 10.0.1.1 tcpdump: tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on enp6s0, link-type EN...

If you bought hardware that only supports OpenVPN (and you need the VPN client on the phone for some reason?) go with something that supports OpenVPN properly.
Or find another solution to your setup.

Very wise words. Your answers are very valuable and well thought out.

Legacy tunnels can be migrated to something else. I've migrated from OpenWrt/OpenVPN to RouterOS/IKEv2 without issues, they ran in parallel until migration was complete. You just have to take the time to do it. You'll have to at some point anyway. Oh really? Migrate a SIP Phone to RouterOS. Any par...

What are the usage scenarios? Was the OpenVPN server only implemented to be able to advertise with it? Who really uses OpenVPN servers on routeros and for what? I never considered using it because it doesn't support UDP. Now I realize that you can't push routes. At the moment I use PFSense boxes for...

+1
The SIP telephones that we sell do not support wireguard. It would be nice if I could use Mikrotik across the board for my customers.

Okay correct me please if I'm wrong. when I set the SAN in strongswan as "leftid" and in routeros: Remote Certificate "none" Remote ID Type "fqdn" Remote ID "$SAN" Match by "remote id" will it checked against the SAN of the certificate? Even if I ent...

Is it possible to match an identity via the SAN that contains the certificate? I would like to avoid having to keep all certificates on the gateway, but still not using the id set by the client. Each client gets its own mode config in which it is assigned a static IP, so it is important to different...

The reasons are also mentioned in the topic linked above. The question "Is blackhole or unreachable better?" cannot be answered clearly for all users. My concern is that the DECISION whether you WANT blackhole or unreachable should be in the hands of the respective network administrator. ...

There is a good option here (and discussion below it) it's for ipv4, presumably similar is applicable to v6 https://forum.mikrotik.com/viewtopic.php?t=173567#p853978 Thank you for your answer, but using a bridge looks like a bloody hack/ugly workaround to me. I can't understand why mikrotik removes...

* Routes are for fast traffic black-holing. If you want to return specific ICMP messages then you will have to use firewall. Sorry for my maybe stupid question. But how can i mimic this behaviour as simply as possible as a firewall rule? Flags: X - disabled, A - active, D - dynamic, C - connect, S ...

I actually want to use my Mikrotik router as a router. But the "type" option has been omitted for the routes as an example. How do I set a network block to be unreachable? # DST-ADDRESS GATEWAY DISTANCE 0 A SU xxxx:xxxx:xxx::/48 1 /ipv6 route add distance=1 dst-address=xxxx:xxxx:xxx::/48 t...