MikroTik

Mehrdadx

no one knows anythink ?

Mehrdadx

Hello and happy new year I have a weird problem with 6to4 tunnel and i hope you help me to fix this I have a CHR vps in France, there is a 6to4 tunnel between my home in Iran to France, problem is i have 50% packet lost on my 6to4 tunnel (tunnel ipv6 is "2002:808:801::2/126") but not even ...

Mehrdadx

Hi i have 3 prerouting rules (Telegram and Whatapp IPs) that use mark routing (for VPN) chain=prerouting action=mark-routing new-routing-mark=VPN passthrough=yes dst-address-list=Telegram IPs chain=prerouting action=mark-routing new-routing-mark=VPN passthrough=yes dst-address-list=WhatsAPP chain=pr...

Mehrdadx

Unless you can run OpenWRT in a container, you'll have to install an OpenWRT x86/64 instead of/next to the CHR. But I'm quite pessimistic regarding any benefit. The guys whose business is to cut you off seem to be quite flexible (and most likely they monitor this forum too). yea, that's why i dont ...

Mehrdadx

hello again

i have a RouterOS vm in OVHCloud, can i install OpenWRT on that ?

Mehrdadx

The only remaining "solution" is SSTP which looks like normal HTTPS traffic, but once they block the destination addresses (all non-iranian ones), the only way is satellite internet for getting the traffic across the border, and frequently changing iranian public addresses providing the g...

Mehrdadx

hello again

GRE and IPIP tunnels are blocked in iran, what is alternative solution for these tunnels ? i think we dont have alternative, right ?

Mehrdadx

just a clean install of windows can fix this...

thank you guys

Mehrdadx

One side has to have a public IP address. I have a Wireguard VPN from the office to the warehouse. Warehouse has cable internet with a publicly reachable IP address. The office is behind Starlink with carrier grade NAT. Connection has been running for months at this point. The warehouse is the rela...

Mehrdadx

Yes, It could be secured with IPsec.

i will try ip tunnel tonight

Mehrdadx

viewtopic.php?t=182340

thank you

Mehrdadx

If both sides are MTs' you should use an IP Tunnel because WG and OVPN are UDP and are being targeted widely right now.

are you iranian ?

and IP Tunnel is encrypted ?

Mehrdadx

No, It is going to change. However, You could use a script to get the new one and set it as your site A peer endpoint. What do you want to do with WG? IP Tunnel is better :D in fact Router A is a Mikrotik VM (Wireguard vpn server) in France and Router B is a mikrotik router in Iran, as you know our...

Mehrdadx

PPPOE ?

yes

Mehrdadx

@Mehrdadx

A large number of public DNS servers are filtered. It is going to fail at resolving your DDNS record. You could order a public IP for a DVR or something like that.

my random IP will stay on my router if i dont turn it off or disable the connection, right ?

Mehrdadx

Of course it is (if both routers run RouterOS 7.x). Just bear in mind that the Wireguard configuration itself is identical at both peers; what reduces their roles to a "client" and a "server" (or rather an "initiator" and a "responder") is the network topolog...

Mehrdadx

Hello

how we can setup a Wireguard Client on routeros ? i have two Router, Router A is Wireguard VPN Server and Router B must be Wireguard client. its possible ?

Mehrdadx

Hi

i have two wan interfaces with load balancing method and i want to receive an email notification if i lost one of them or when downed link comes up again.
i dont know anything about scrip and schedule tools.

Mehrdadx

What devices do you have, and how are you connecting your laptop to these devices?

radios and routers like 951 and with ethernet cable of course

Mehrdadx

Hello

Almost always my laptop cant discover mikrotik devices in winbox, i tried disabling firewall, OS in-place upgrade and ...

i dont know what is the problem ! winbox can discover devices if i use a switch between my laptop and mikrotik device.

Mehrdadx

Perhaps some ideas from here?
https://blog.zabbix.com/monitoring-netw ... bix/10093/#

thank you, it can help me

Mehrdadx

It's been a while since I played with Zabbix but have you enabled SNMP on your Mikrotik with proper trap version ? Winbox / IP / SNMP And most likely (depending on your config) you should also allow in your firewall input for port 161/UDP (to be safe: allow only src IP address from Zabbix server). ...

Mehrdadx

Hello

i want to add my mikrotik devices to zabbix with snmpv3, but i don't know how and i cant find a good tutorial for that, can someone help me ?

Mehrdadx

A prerequisite to my fail2ban setup is getting the logs off the router using rsyslog . That can help with unexpected reboots since you get “last dying gasp” type messages that can help you diagnose the cause. i dont have linux server but i think i can do that with writing logs on routeros disk, rou...

Mehrdadx

oh, no...
again the xyproblem....

you destroyed me

)))

Mehrdadx

the main issue is this:

system,error,critical router was rebooted without proper shutdown

my routeros is crashing 3 or 4 times per day, i think these login attempts is causing this, so its not related right ?

and maybe i should use l2tp

Mehrdadx

VPN server? And what you expect if the service is reachable from worldwide? Ignoring the obsolescence and the vulnerability of the PPTP, on your rules where you permit pptp, simply add one address lists that is ckecked against if the IP is allowed or not. Check twice when your clear private info......

Mehrdadx

Hello i use my routeros as vpn server but the problem is there's too many login attempts, how can i block them ? # may/ 6/2022 13:48:13 by RouterOS 7.1.5 # software id = TI09-7WK3 # 09:55:20 system,error,critical router was rebooted without proper shutdown 09:55:27 interface,info wireguard link up 0...

Mehrdadx

viewtopic.php?t=180838

but modified for your particular needs.
which means add input chain rules and forward chain rules as necessary.

Thank you all

Mehrdadx

and i want to say Thank you for Help :) Dear Mehrdad, As an Iranian to another, You should include the "Route" in the OpenVPN config file. Furthermore, you should open a ticket at the reseller website and ask them to mount your own ISO such as Pfsense. However, You should know that OpenVP...

Mehrdadx

That is a client issue then and not germane to Mikrotik.

yes exactly.

and i need help for protecting my mikrotik. can you introduce some security rules for my firewall ? the only rule i know is for bogons addresses

Mehrdadx

Ah, yes, I need better glasses :) But as the CHR is running somewhere in France, I didn't even think that the "in Iran the sites that sells VPS doesn't provide Pfsense" statement could be related to the hosting. maybe is related to the hosting companies like OVH or... but pfsense have mor...

Mehrdadx

You can try Wireguard instead of OpenVPN, or you can run a linux VM instead of CHR in France. But I've just tried the "OpenVPN for Android" application - it allows to configure routing of everything via the tunnel no matter whether the server pushes a route list. In fact, it is even the d...

Mehrdadx

Hello again guys

i tried uncheck kill switch and procustodibus.com solution, both works.

forward chain is not working for my case, that two networks are connected to client not server, they must separate their ways at client side.

Mehrdadx

Perhaps in case its you who misunderstood then.................. The OP wants to from his client peer laptop to connect to the server in France via wireguard. He wants to access the internet through his connection to France (not locally) and in addition he wants to access some subnets existing off ...

Mehrdadx

RouterOS does not support pushing routes in OpenVPN. You have to configure the route manually - after the client connects, run route add 0.0.0.0 MASK 0.0.0.0 ip.of.the.gw from command line. You may have to add a route to your Mikrotik in France and remove the existing default route. so bad :( probl...

Mehrdadx

i want all traffic go trough tunnel except these networks: 192.168.80.0/24, 172.17.17.0/24 Wait a second here.......... We described an MT server in France that you had several mobile devices attached that would use the internet of the MT through the wireguard tunnels. Where do these subnets NEW on...

Mehrdadx

now i have another question, i want to exclude some network addresses from goings trough wiregaurd tunnel, can you help me ? Don't add those addresses in the allowed addresses, then. Or narrow down the allowed range, split it up in one or more parts, so the addresses you want to exclude, are not al...

Mehrdadx

hello again

no any solution ?

Mehrdadx

This is rather bizarre for input chain rules......... /ip firewall filter add action=accept chain=input comment=Winbpx dst-port=1993 protocol=tcp add action=accept chain=input comment=VPN dst-port=\ 1993,1945,1994,500,4500,1701 protocol=udp add action=accept chain=input dst-port= 1993, 1945,1994,17...

Mehrdadx

i set all prefixes to /32, until now everything is good. my server is mikrotik cloud version on OVH datacenters, incoming traffic is going to the gateway (internet). now i have another question, i want to exclude some network addresses from goings trough wiregaurd tunnel, can you help me ? thank you...

Mehrdadx

my server is in France and i am using this server as a vpn server. Wiregaurd port is 1994, firewall rules are correct and in fact my config is simple. its my server config: # apr/06/2022 13:29:26 by RouterOS 7.1.3 # software id = TI09-7WK3 # /interface wireguard add listen-port=1994 mtu=1420 name=wi...

Mehrdadx

Hi i have a problem with wiregaurd, most of times when peers try to establish a connection to the server they receive this error: "Receiving keepalive packet from peer 1" until i disable related interface and then enable it again in Peers window. you can see log file: 2022-04-06 08:29:20.9...

Mehrdadx

Seems using SOCKS5 is a popular approach in OP's region, must be some reason. But if WG is allowed, is there a need for SOCKS5? I can see an easy of deployment of SOCKS5 argument (DHCP+WPAD auto-config), but SOCKS seems more identifiable, especially using default port, than E2E encryption offered b...

Mehrdadx

It's not very clear what exactly you do, try to provide more details. For start, if you're using WG to connect to this device from elsewhere, you'd need another rule for it in input chain. my server is in france and i (from iran) want to use it as a vpn server my WG port is 1994 and firewall rule i...

Mehrdadx

Are these all your firewall rules? Because if they are, clients would be able to connect, but all responses to connections initiated by SOCKS server would be blocked. Start your firewall with these two rules: /ip firewall filter add action=accept chain=input connection-state=established,related,unt...

Mehrdadx

Hello to all members At first let me show you my little config my socks5 config: Port: 1945 Version:5 Authentication method: Password my firewall rules is: - Action=Accept, Chain=Input, Prorocol=17(udp), Dst. Port= 1945 - Action=Accept, Chain=Input, Prorocol=6(tcp), Dst. Port= 1945 - Action=Drop, Ch...

Mehrdadx

how can i enable "Push redirect-gateway def1" command in mikrotik ?

Mehrdadx

Hi guys i live in iran and here we need to use vpn to reach free internet, so i bought a mikrotik server in france and configured it for Open VPN. but i have a problem: i can connect to server (windows and android) but i cant open censored websites, in fact my ip wont change to vpn server's IP and s...

Search found 49 matches