MikroTik

inna

I figured out the issue. I have some default rules in firewall/filter rules, and I disabled them all and I can curl now: [admin@MikroTik] > /ip/firewall/filter/print Flags: X - disabled, I - invalid; D - dynamic 0 D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough 1...

inna

If it does not increment, you can run /tool sniffer quick port=1194 in a terminal window - if you can see the TCP SYN packets to arrive from the modem as you try to connect from the outside to the public IP, something else (IPsec policy, a drop rule in raw , or another dst-nat rule in nat ) must pr...

inna

my_server_ip is a public IP somewhere in the internet?

Yes, that's right.
And my_public_ip is my home's static Ip.

inna

First, given your location, I would not be surprised if incoming connections to port 1194 were blocked by your ISP by government order. Oops, I'm so sorry that you know the I.R. with such thing:( They learnt to block by protocol, not by port number only. But connecting to OpenVPN from Iran to Iran ...

inna

This is what I have in /log/print follow output when I have the following firewall nat rules: [admin@MikroTik] > /ip/firewall/nat print Flags: X - disabled, I - invalid; D - dynamic 0 ;;; defconf: masquerade chain=srcnat action=masquerade to-ports=1194 protocol=tcp dst-address=my_public_ip dst-port=...

inna

Try action redirect instead of dst-nst

Thanks, you mean like this?

add action=redirect chain=dstnat dst-port=1194 log=yes log-prefix=mynatishere protocol=tcp to-addresses=192.168.88.1 to-ports=1194

I tried even with dst-address=my_public_ip, but still not working.

inna

Try hairpin NAT https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT Thanks a lot. I tried but that didn't work. This is my NAT export: [admin@MikroTik] > /ip/firewall/nat export /ip firewall nat add action=accept chain=input disabled=yes dst-port=1194 protocol=tcp add action=masquerade ch...

inna

Hello, I did a lot of port forwarding and they worked, but when I'm trying to forward to router itself, I have Connection Timed Out. My network map is: a LAN cable comes from modem and goes to PPPoE In to the MT device (modem is not bridged), and MT creates a WiFi interface and I connect to MT. Mode...

inna

Delete it

inna

Delete it

inna

Thanks, I disabled the keepalive and the GRE tunnel is now running. I can ping both private IPs from both home and the server (office is not important now). My home internet is behind the NAT and I don't have a static IP. I think if required, I can request to obtain a static one. I tried running a W...

inna

In ROS 6, there used to be a firewall issue with GRE, and in ROS 7, there used to be some issues with the keepalive. As the first step, post the export of your configuration. Thanks, it's ROS7. This is the full configuration: [admin@MikroTik] > export # aug/16/2024 08:08:14 by RouterOS 7.6 # softwa...

inna

Hello, I have a problem which is the newly created GRE tunnel is not in R state. The state column is empty. MT1 ==> /interface/gre/add remote-address=2.2.2.2 MT1 ==> /ip/address/add address=10.10.74.1/30 interface=gre-tunnel1 network=10.10.74.0 MT2 ==> /interface/gre/add remote-address=1.1.1.1 MT2 =...

inna

I created a NAT rule and it's solved:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1

I did this and it's solved.

inna

Thanks, please close or remove this thread.

I probably enabled an option in the PPPoE interface by mistake and I didn't notice that.
The issue is resolved.

inna

I have an FTTH modem, and I connected a LAN cable from it to the MT device LAN 1(LAN1 == Internet, other LANs are only written LAN in the back of the device). Then I created a PPPoE interface, and its interface is connected to ether1. I have two issues: 1. The new interface is not in Running status....

inna

I have an FTTH modem and an MT device. Since MT is not capable of FTTH, so I connect FTTH cable to my modem, then change my modem settings to bridge (I mean I do not enter any username or password taken from my ISP in my modem). Then I go to the MT, I create a bridge and a port. Then in dial-out tab...

inna

It is solved.

I should have defined NAT and Mangle in both servers.

inna

Thanks, they're attached to this post.

inna

I also googled and read this link: https://help.mikrotik.com/docs/display/ROS/WireGuard I almost have done everything in the given link, and added some firewall rules: MT1's Filters: [admin@MikroTik] > /ip/firewall/filter/print Flags: X - disabled, I - invalid; D - dynamic 0 chain=input action=accep...

inna

Thanks, Home export: # 2024-08-02 22:32:31 by RouterOS 7.13.4 # software id = # /interface ethernet set [ find default-name=ether1 ] disable-running-check=no /interface wireguard add listen-port=14000 mtu=1420 name=wireguard1 /port set 0 name=serial0 set 1 name=serial1 /interface wireguard peers add...

inna

Hello, I have two MTs and I made Wireguard connection between them: MT1's WG IP is 10.74.75.1/30, and MT2's WG IP is 10.74.75.2/30 and they both can ping each other. MT1's internal IP is 192.168.100.8, and MT2's IP is a public IP (it's an MT VPS). My laptop is connected to MT1. I changed my laptop's...

inna

They may be in the same subnet IF you can connect each of the devices/servers onto a different physical port of your Mikrotik. (and these interfaces are members of the same bridge) Depends on the model you have then. Then simply adjust your (forward chain) firewall rule to include the "in-inte...

inna

Depends on Mikrotik device model either there's default config (selectable between different templates, those depend on type of WAN connection, e.g. "plain" DHCP vs. PPPoE) which does exactly what you're asking about (one WAN port, other wired ports are LAN and switched between). Or some ...

inna

Depends on Mikrotik device model either there's default config (selectable between different templates, those depend on type of WAN connection, e.g. "plain" DHCP vs. PPPoE) which does exactly what you're asking about (one WAN port, other wired ports are LAN and switched between). Or some ...

inna

I have a fiber modem at my house, and there's a physical server, too. On this server, I installed ESXi, and I created a Mikrotk VM on this server. I'm going to do this: This VM should be a LAN client in my fiber modem. So, my Mikrotik is going to have two interfaces, if I'm correct. Then, this Mikro...

inna

You cannot use firewall rules in this case because you are talking about users in the same subnet. If you want to exercise firewall rules simply move either all users or servers to a different subnet. This can be be done by putting the server on a port with its own IP address ............ or you ca...

inna

Hello, I used these two links https://help.mikrotik.com/docs/display/RKB/Port+forwarding and https://forum.mikrotik.com/viewtopic.php?t=121397&sid=11868a020ff02807662f3c3cc8405364 to do this: I have two servers: Ubuntu (ip=192.168.100.75) and Windows Server (ip=192.168.100.76). I'm going to limi...

inna

Hello, I watched multiple YouTube video tutorials regarding how to set up an OpenVPN on my Mikrotik device I have in my house, but I failed. So I thought if it's better to install an Ubuntu and install OpenVPN, to use the port forwarding and IP restriction in my case. The main question is, are there...

inna

I do not have such option in Wi-Fi interface. I had this option in MT version 6, but I cannot find it in MT version 7. sorry, this is available on the "older" wireless settings. you may have the newer "Wifi" interface. maybe this might help: /interface wifi access-list add actio...

inna

First , Upgrade the device to 7.12 and then to 7.15. works much better than 7.8 To solve your problem 1.) Create in Wifi Access list entries for each and every devices you want allow access (you can use also interface lists) 2.) at the end of the Access List, create one entry that rejects access to...

inna

I also do not have this command:

[admin@MikroTik] > /interface wireless
bad command name wireless (line 1 column 12)

I read this https://wiki.mikrotik.com/wiki/Manual:I ... ccess_List.

inna

if you want to let only "known devices" connect (via known MAC) and that MAC is in your access list you might have to disable "default authenticate" for your wifi interface. I do not have such option in Wi-Fi interface. I had this option in MT version 6, but I cannot find it in ...

inna

I still have not find a way to do this.

Any updates for this thread?

inna

You can do that by only manually assigning DHCP leases I thought. Make use of ARP list etc. Thanks, but then I think I should go to networks settings of each connected device and assign a manual IP. Am I right? If yes, then I think it won't work for me because I'm not always home, and I connect to ...

inna

Only give the SSID password to those that need it for any particular Subnet WLAN Thanks, that was done before. But I'm curious if I can restrict and whitelist. Suppose both my phone and laptop are connected and both have the password. Now I want to whitelist my laptop's mac address and block all ot...

inna

Hello, I previously had another Mikrotik version 6 that I asked in another https://forum.mikrotik.com/viewtopic.php?t=205954 and it worked for my other Mikrotik device. Recently I have purchase another MT device which version is 7.8 (stable) . I use this like this: My ADSL modem --> a LAN cable from...

inna

Well obviously I thought we were dealing with a router not an access point, which all radio setups have mac-filtering setup for layer2 traffic control ( NOT fw rules ) Oops, yes that's an access point. In fact, I'm using Mikrotik as extender in my house, to extend the ADSL modem to the bedrooms. In...

inna

I solved it by this link: https://www.uobabylon.edu.iq/eprints/pu ... 5_1412.pdf
In my case, it's working.

If this solution is not a good one, I'll be happy to hear the reason and find a better solution.

inna

Doesn't this mean this sentence? If src-mac-address is my laptop for example, then allow this mac address. But what do you mean by the dst-mac? My laptop connects to Mikrotik and Mikrotik again sends the data to my laptop. Do you mean in this case, I should assign the dst to my laptop again? I mean...

inna

https://help.mikrotik.com/docs/display/ ... t+Firewall

Thanks for the doc. I read it before, but didn't understand it to how to reach what I'm looking for.

inna

"src-mac-address=some_mac_address" What about dst ? ;) Doesn't this mean this sentence? If src-mac-address is my laptop for example, then allow this mac address. But what do you mean by the dst-mac? My laptop connects to Mikrotik and Mikrotik again sends the data to my laptop. Do you mean...

inna

#5 rule drop all from internet (in chain forward)

Thanks, but I didn't understand what do you mean. My last rule drop all from internet but in the other rules with higher priority than the last one, I stated to allow some mac-addresses.

inna

Why do you want to use firewall rules, they are for layer3 traffic. if you need something else, I believe you may have success under bridge filters??? Thanks, but I have nothing in Bridge section. I just added the same rules in bridge filters, and finally added a drop forward chain, but it didn't w...

inna

Hello, This is my /ip firewall filter print : [admin@RouterOS] > /ip firewall filter print Flags: X - disabled, I - invalid, D - dynamic 0 ;;; saeed-laptop chain=forward action=accept src-mac-address=some_mac_address log=no log-prefix="" 1 ;;; saeed-phone chain=input action=accept src-mac-...

inna

Indeed config is needed. Many things can be missing. I see the Mikrotik admin page. But can you get to the modem (192.168.1.1) from 192.168.73.2 ? What is used? Masquerade/srcnat on the modem/MT line? Or Modem has been told 192.168.73.0/24 is via the MT router ? Some modems don't have IP route sett...

inna

I hope I said the required data to see what's done up to now. not really, you forgot to post your Mikrotik config Hello, here you are. I hope I removed the important data like mac address and passwords. I see no more important data to be public: # feb/08/2024 13:12:29 by RouterOS 6.48.6 # software ...

inna

Hello everyone, I have an ADSL modem with the subnet 192.168.1.1/24. I set up the repeater bridge mode in the Mikrotik and I created a new wireless network, called Repeater , and the ADSL's wireless network is called Zyxel . The very first time, the wireless network Repeater is only repeating the Zy...

Search found 48 matches