umount -l /dev/sda1 curl -L https://download.mikrotik.com/routeros/7.9/chr-7.9.img.zip | funzip | dd of=/dev/sda bs=1M sync reboot Does it really work to "lazy" umount the root of a running system and overwrite the underlying block device with `dd`ing the CHR image to it? I have tried som...

Shon post complete config and will look.

The issue is solved now - see my EDIT in comment above.
The solution came from this thread: viewtopic.php?t=200074

EDIT: SOLVED. The sudden connection speed after upgrade to v7.12 led me to a bit more googling. It seems, that Fasttrack is not compatible with Mangle. After applying Fasttrack firewall rule only to connections with "no connection mark", all started to work again :-) And it also means that...

While drawing the diagrams, I have eventually decided on simplifying the network setup to minimise the complications.

Thanks a lot, @Sob, for feedback re. the routing marks - I will re-use the info in the new setup and if I fail, I may come back again

All the best to 2024!

Another try to find out if route marking works for me as it should. I set route from main to rtr1 table: /ip/route/add dst-address=78.136.141.22 gateway=wg1 routing-table=rtr1 Tunnel stops working, packets to 78.136.141.22 are sent via default route instead via gw1. This time, this new modified fw r...

Thanks for the hints. You were right, that this rule: /ip firewall mangle add chain=prerouting connection-mark=rtr1 action=mark-routing new-routing-mark=rtr1 passthrough=yes actually catched the incoming packets. However, my setup is a bit more complicated - the remote client (78.136.141.22) connect...

Hi, In RouterOS 7.6, I would like to setup a route, which would catch all reply packets RELATED to connection coming from a given interface wg1 and route such packets via wg1 rather than the default route. In other words, if an incoming connection appears on iface wg1, I need the response to be rout...

In that case, It is a very weird scenario that I will have to think about...... I do not find it that weird. Many ISPs are not able to provide their customers with public IP. So one way to deal with it if I want to have my home servers reachable from internet is to get a cheap VPS with a dedicated ...

Thanks for the 3rd solution. I also use Pi-Hole, but only for ad blocking. So I let MikroTik to be the single DNS server for all DHCP clients and only use your script to modify MikroTik's single DNS upstream server to be either Pi-Hole or Quad9+Google, and flush DNS cache on each change. No need to ...