MikroTik

sebus46

And how to check if Mikrotik AS CLIENT itself connects to the remote server? (as in 3rd party VPN service) ?

sebus46

Same setup but using Surfshark VPN (private key needs to be specified on WG interface) I use DoH only on MT, any idea how to deal with DNS for the LAN iOS clients? (when only certain ones are to use the tunnel via routing rules) If they are normal devices with DHCP reservations then I can do a diffe...

sebus46

Surfshark VPN finally works with my Hex S and Wireguard These instructions are incomplete, at least missing private key part and DNS entries (as one gets from Surfshark account configuration download) One must create WG-Surfshark interface with private-key="YOUR PRIVATE KEY as generated on Sur...

sebus46

Exactly the same USI

Make sure you have check-gateway="none"

sebus46

Experienced the exact same today. From client can ping 8.8.8.8, but NOT from Mikrotik itself [admin@MikroTik] > ping 8.8.8.8 SEQ HOST SIZE TTL TIME STATUS 0 8.8.8.8 timeout 1 8.8.8.8 timeout 2 8.8.8.8 timeout 3 8.8.8.8 timeout sent=4 received=0 packet-loss=100% Cludflare works [admin@MikroTik] > pin...

sebus46

Thank you!

sebus46

I assume these gateway addresses are just VERY BAD examples
You cannot route via Google/Cloudflare DNS servers! (unless I am missing something or not understanding it)

sebus46

I will test it (but had zero attempts in last few days after locked my router to only UK addresses - as the "attacks" normally come from elsewhere further East)
Would still like to know why the other script does the odd input of 0.0.0.0

sebus46

Can't do it

/ip route remove [find where immediate-gw="ether10-HeyB"]
no such item (4)

sebus46

Definitely the same, script inputs 0.0.0.0 to the list

sebus46

I have no issue applying it (and it works) but Winbox GUI cannot handle the display of it!

The prefix is not displayed. It is 0 but even zero ideally should show

sebus46

That is really nice, thanks

But Winbox GUI cannot handle the display of this rule

sebus46

Had to use Routing / Rules to "lookup only" in WAN2 table for specific addresses to go out to internet using WAN2 But also had to add additional rules for the same addresses, ABOVE, using main table for the local network access for these devices that are set to use WAN2 table Otherwise the...

sebus46

...make an existing IP static then take out the MAC address and enter a client ID there and save. Either way, iOS devices get their IP with no issues here on both ROS 6 and 7. Worth a try at least? Will test more (with all devices), but quick test seems to have worked. Thanks edit 1: No dice, next ...

sebus46

17.4.1 no, no security apps (and what would any do anyway in case of dynamic vs static IP from same DHCP server?)

sebus46

No, sorry, does NOT work (with any iPhone in the house) Each & every one fails the exactly same (as per first post) Dynamic works, Static never allows connection (Offer/Bound/Declined) It does happen with ANY address (ie one that could have NEVER previously be issued/used like 192.168.88. 250 ) ...

sebus46

Just in case anybody ever comes across it Of course the "gods" here can say that I have this or that wrong etc, but the fix was to get one extra rule in IP Firewall/Filters as first in forward chain ;;; voip2 allow chain=forward action=accept protocol=udp src-address=VOIP_SERVER_IP dst-por...

sebus46

Anybody eny ideas? This is not a RoS Issue ... this is an Apple Setting that you must change if you want the Apple device to get a static IP I will use an iPhone as an example: On the iPhone Go to Settings and Wi-Fi THEN touch the i that is encircled turn off ==>> Private Wi-Fi Address This will en...

sebus46

Ok, with such an attitude I guess you are not seriously trying to resolve the issue then. If you are serious, be nice towards people who are trying to help you and read up on https://debug.guide/. Debugging like that guide specifies is part of real life for technicians too! Thanks for this (not tha...

sebus46

Oh well, not much help here (not that I expected any) I lost faith in this community some time ago. No, I have no extenders. Each & any other device (but iOS) work perfectly fine Same iOS device(s) on another network work perfectly fine. So I am remaining unbias, but if you have only 2 devices i...

sebus46

Can you reproduce the issue on a clean RouterOS install with a minimal configuration? Do you have Private Wifi enabled on iOS? Also latest iOS installed, I think that's 17.4.1? Answers already in first post (if one reads all) Well, it is called real life. One does not have luxury of clean router se...

sebus46

Am I the only one with this issue?

Probably not

sebus46

Apple iOS

sebus46

iOS 17.4.1, tried with 3 separate devices If I try to either convert existing lease to static OR create brand new entry ( it does not matter if MAC is real or Private WiFi Address ) the behaviour is always the same In DHCP I see: offer, bound, declined dhcp-vlan1 (defcon) client 2E:CE:6B:FC:93:A6 de...

sebus46

My two cents. The use of ! is tricky and should be avoided by new users as its a powerful tool (using a chainsaw when a butter knife is needed). Being cool is not a reason to use it. Do not want to upset higher powers. The 3 rules are indeed clear & logical, but that is 3 lines of code. Was the...

sebus46

Looking at that last diagram was that from your PHONE?? The GUI picture???? Reason is there is an address that doesnt fit on it what is........ 192.168.77.2/24 Which device is that? To be clear ITS NOT EVEN THE WIREGUARD ADDRESS schema ?????????? That address somehow is auto generated by RouterOS i...

sebus46

Github specific repo is gone, but the plugin from NPP++ installs fine

Other repo exists here https://github.com/vladk1973/npp-plugins-x64

sebus46

deleted

sebus46

Is that (QR code) available? Cannot find it on 7.14.1

sebus46

Thank you. Appreciate (even if you consider hosed, a basic clean config which fully works - just because something could be done different, that is very authoritarian view)

sebus46

OK, will muddle through it

sebus46

If you have a home subnet .88, then call it vlan88 and make it a vlan and then the config will make sense. and where is VLAN50 ???? /ip address add address=192.168.88.1/24 interface= bridge network=192.168.88.0 { wrong } add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0 add address=...

sebus46

Grateful for the comments, but I was not asking about my current config. I was asking how to make use of dual-wan (when it is here): - external traffic to the router itself?? aka VPN to stay on ISP1 (unchanged) - and that works just fine - traffic entering/leaving the router by VPN to stay on ISP1 (...

sebus46

deleted

sebus46

7.14.1 on RB4011iGS+ r2 (not complicated setup) # 2024-03-23 10:05:45 by RouterOS 7.14.1 # software id = 5WSQ-IVBW # # model = RB4011iGS+ # serial number = /interface bridge add arp=proxy-arp ingress-filtering=no name=bridge port-cost-mode=short \ vlan-filtering=yes /interface ethernet set [ find de...

sebus46

Trying to power Yealink W70B IP phone base from port 10 (PoE out) But no dice, "force on", but getting no power on the unit Via proper PoE switch or injector, it works with no issue Anybody any ideas? I hope this - https://forum.mikrotik.com/viewtopic.php?t=161635&sid=de5d72217af234f3c...

sebus46

As per full config, there is nothing UNTAGGED on Mikrotik (that is done on the switch to where the unit(s) actually connect (because they are PoE) Bridge is tagged for all required VLANs, I do not need VLAN filtering [admin@MikroTik] /interface/vlan> print Flags: R - RUNNING Columns: NAME, MTU, ARP,...

sebus46

Yes, and it is above

Flags: X, D - DYNAMIC
Columns: BRIDGE, VLAN-IDS
# BRIDGE VLAN-IDS
0 bridge 1

I do NOT use it in my setup, VLANs are on bridge, I use ONLY 1 interface (ether2)
Everything is in full config on original post

sebus46

Incoming SIP rules do not matter, we are talking about OUT connection for now (Register) I have posted full config (which is always what is asked for), but here are the bits: Flags: R - RUNNING; S - SLAVE Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS # NAME TYPE ACTUAL-MTU L2MTU MAX...

sebus46

Nobody has any idea?

sebus46

It is EXTERNAL VoIP provider on the internet (nothing local)

sebus46

Anybody?

sebus46

SIP phone --> D-link DGS-1210 switch --> Mikrotik RB4100 --> DSL modem If SIP (Yealink W70B) is on default LAN, it gets 192.168.88.20 & Registers fine at VoIP provider on Internet via DSL line out If I make the port on D-link untagged VLAN 21, W70B gets 192.168.21.2 and Registration FAILS (yet f...

sebus46

Had very similar issue recently on Yealink W70B Outgoing calls fine, Incoming impossible , only error: this person's phone is currently unavailable Turned out that my provider used one server for Registration and another for Incoming calls So in Yealink had to disable : Accept SIP Trust Server Only ...

sebus46

Well, this is their final anwser
Screenshot 2021-11-08 140020.jpg

That is pathetic!

sebus46

Pity RB4011 does not have USB...

sebus46

Still, how can I get correct counters for this (or any other) PC? Unless you disable fasttrack you can't, because packets when are marked for fasttrack they are no longer processed by firewall, see https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack In fact if one inputs a dummy entry IP/Kid-control...

sebus46

Correct again. That was helpful: https://forum.mikrotik.com/viewtopic.php?t=180035 I still cannot get my head around the counters, dummy rule shows xxx, forward fasttrack shows xx, forward accept est/related/untracked shows x No matter how I want to add them, they do not equal, so lots goes through ...

sebus46

Yes indeed, expand in WB makes is as selected, thanks!

In fact scheduler to turn single rule on or off is much cleaner/simpler way to do it! Thanks again

Still, how can I get correct counters for this (or any other) PC?

sebus

sebus46

Well, it is not 24/7, it is daily 22:31 till NEXT day 6am
time=0s-23h59m,sun,mon,tue,wed,thu,fri,sat is INDEED the default (not user specified!)

But as I said, I have NO ISSUE with the rule executing correctly, it is only counters that are not logically correct

sebus46

Nice one, in absence of anything better, that is very good!

sebus46

If the machine starts connection only at ie 15:00 then it is in Allowed timeframe and to my logic: that should be the rule that carries on being used for this access (and the counters should be correct) Up to 15:00 there are NO connections Related to this machine), so no counters moving But once the...

sebus46

Either allow access from your torrent machine by IP or MAC OR figure out all the ports that torrent requires & allow them instead
Just a tiny bit of logic

sebus46

The fast track rule works on connections, not on machines.

But if machine is off, then the connection does not yet exists (to become fastracked)

sebus46

Probably was added in some past version, I was using filter rules since before it existed..
Anyway, not very exciting - viewtopic.php?t=129118
I just would like the normal rule to display the counters correctly...

sebus46

Thanks, did not think that something with no value still has impact add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related hw-offload=yes add action=jump chain=forward comment="--timerestr2--" \ jump-target=restrict-by-ti...

sebus46

Well, the connection does not exist, the machine is OFF It starts up from cold, so I do not see how it could become fastracked And if dummy rule #0 takes presedence, then what is the point of any rules at all? @rextended, the difference is connection-state="" (which is empty), so I must be...

sebus46

Had to change Speed from AUTO to manual 1Gb FD on both ends

While auto worked on RB2011 (ROS 6.48.x), it did not on RB4011 (RB 7.xx)

sebus

sebus46

In my forward chain I have: 16 ;;; defconf: fasttrack chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 17 ;;; time restrictions upto 10;31 pm chain=restrict-by-time-2 action=reject reject-with=icmp-network-unreachable time=22h31m-23h59m,sun,mon,tue,wed,th...

sebus46

User fault. I had wrong nat rule. This was used as guide: https://blog.dical.org/how-to-reach-ppp ... -mikrotik/

sebus46

I spent some time cleaning up the original script by @dse to incorporate the following:

On ROS 7.10 I get in log few (for various static reservations):

DHCP2DNS (defconf): Failure during dns registration of npi508736.domain_name.home with 192.168.88.39

sebus46

Check this:

https://mikrotik-geoip.com/how-to-use?v ... 40&catid=2

sebus46

The updated link is here:

https://blog.dical.org/how-to-reach-ppp ... -mikrotik/

sebus46

That used to work perfectly on 6.48.7 Now on RB4011 with 7.10 it simply does not. All config was re-created from scratch, using an existing export as help Both unis config for this part are identical I have main LAN on ether2 (192.168.88.0/24) ether1 is direct connection to DSL modem (bridge mode, h...

sebus46

FTLF8524P2BNV-BR I previously used RB2011 with same transceiver to connect to D-Link DGS-1210-16 (using identical module) Had no issue. I expected RB4011 to carry on this setup But while the light shows in the transceiver, and the transceiver is recognized, I simply get no-link name: sfp1 status: no...

sebus46

I had an issue importing certificates, I checked my certificate and It had some blanck rows at the end. After deleting those rows I could import the certificate Lets Encrypt client 0.38 le64.exe The created crt does indeed have 2 blank lines at the very end That was not a problem ever up to 6.48.7 ...

Search found 66 matches