MikroTik

forne

I think

/ip dns set allow-remote-requests=yes

did the trick.

forne

Is my masquradeing done right? Yes. How did you test dns? From the router or from the local network? Can you ping dns servers from a computer in the local network? If yes, try from a computer: nslookup google.com <ip-address-of-your-dns> And from the router: :put [/resolve domain-name=google.com] :...

forne

If you want to use two connections to different ISPs at the same time, most likely you will want to use external DNS servers, like google's ones:

/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

forne

http://wiki.mikrotik.com/wiki/Manual:Interface/PPPoE
http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP
http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

forne

I want to: 1. Use WAN-DSL as primary connection for my LAN (10.0.0.0/24). 2. Failover to WAN-SC upon failure of WAN-DSL. This can be easily done without any routing marks. Just make sure you have two default routes in your main routing table pointing to two ISPs with different distances. 3. Assign ...

forne

rado3105,
this page may help you: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

forne

my main router does NAT and also QOS(qt+mangle). I want to ask if I use forward and qt+ htb interface if it is ok? Yes, it will definitely work. At least with the pfifo queue type. Does that mean that pcq has no meaning? Not sure about pcq. It may take into account an src-address, but Interface HTB...

forne

It shouldn't? Likely you forgot to disable dhcp-client on that interface.

forne

Try to specify "add-default-route=yes" in dhcp-client. In fact, it adds not only a default route.

forne

Try this:

/interface ethernet
set 0 name=master
set 1,2,3,4 master-port=master

forne

add action=return chain=HTTP connection-mark=no-mark disabled=no add action=return chain=FTP connection-mark=no-mark disabled=no add action=return chain=GAMES connection-mark=no-mark disabled=no add action=return chain=INTERNET-OTHER connection-mark=no-mark disabled=no add action=return chain=PRIOR...

forne

Try to use an ip address as a gateway of the route instead of an interface name. Try to upgrade to 5.x if it's possible.

forne

Does this work?

/interface wireless monitor 0 once file=status.txt

forne

The rule "action=accept connection-state=established" should be placed as early as possible (ideally, first) in any firewall filter chain for performance reasons. After it you should place other rules that limit the creation of new connections. Connection-limit can be used as one of the ma...

forne

If it helps, you can use construction "packet-mark=no-mark" to match only packets without a mark. The same is for connection marks.

forne

Hi, this works better, but the problem here is, it clones the MAC address, I don't want everything to have the same MAC address, and the Backup and Restore is supposed to work 100%, I think its a bug! :? I think backup/restore is intended for using on the same device. Try "/export compact"...

forne

Try to use export/import instead of backups.

forne

However, shortly after creating the interface I see it starting to attempt connections. Is this normal? Do pptp-client interfaces just auto-start and keep trying forever to connect?

Yes, it's normal behavior. You don't need to monitor the connection and restart it manually.

forne

saracen , you have no rules in /ip firewall filter, right? Sorry, I don't know what else to try. I'd suggest you to restore your configuration to the initial state (remove routing stuff) and get the pptp connection working using a simple ping from the router through a static route to a remote host....

forne

Sorry, I overlooked one of your message somehow. :( This wasn't successful either. I'm guessing it might be because the "vpn" route keeps going "unreachable" though. Any idea how I can fix that? Remove "check-gateway=ping" from the static route as yet. Check whether you...

forne

And don't forget to do NAT on the pptp interface too.

forne

If it won't work, add the following:

/ip route rule
add action=lookup table=main
add action=lookup routing-mark=vpn table=vpn
add action=lookup-only-in-table table=default

/routing filter
add action=accept chain=dynamic-in prefix=0.0.0.0/0 set-routing-mark=default

forne

What static route should I add? What configuration can I use to prevent the timeouts, ping the pptp connection's gateway and eventually, allow me to, for example, make connections to dst port 80 travel over the pptp connection? Try something like this (untested): /ip route add dst-address=0.0.0.0/0...

forne

I have one interface to the local network ("lan") and several external interfaces to ISPs. I want to do source NAT on all the external interfaces. I have a single rule in the /ip firewall nat list for that purpose: /ip firewall nat add chain=srcnat action=masquerade out-interface=!lan My q...

forne

Make sure your l2tp server gives to every client connection not only different remote addresses, but also different local addresses.

forne

Make sure you have static routes to both l2tp servers.

forne

No, I'm getting addresses from provider automatically and I'm not using VRF nor proxy-arp. Hmm, that's odd for me. I haven't tried that, but wiki documentation at http://wiki.mikrotik.com/wiki/Manual:IP/Address states: Two IP addresses from the same network assigned to routers different interfaces ...

forne

The wiki documentation at http://wiki.mikrotik.com/wiki/Manual:IP/Route states: Routes with interface name as the value of gateway are not used for nexthop lookup. If route has both interface nexthops and active IP address nexthops, then interface nexthops are ignored. I've tested routes with a sing...

forne

How do you got ip addresses from the same network on different router interfaces? Do you use VRF or proxy-arp on those interfaces?

forne

If an pppoe/pptp/l2tp client on RouterOS wants to always use a static remote ip address specified in a ppp profile, can an ISP deny doing that or not? Does anyone know for certain?

forne

pinging gateway check only check the internet modem alive not the external gateway or dns That's not true. Read the following article: http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting And look at the following example: http://forum.mikrotik.com/viewtopic.php?p=252900#p252900

forne

Beone, the easiest way to add a script is to use WinBox for that. When I tried to copy/paste a large script body into the text editor using Windows telnet, my router got hanged.

forne

acim, the configuration in wiki is correct. Read how recursive nexthop lookup works:

http://wiki.mikrotik.com/wiki/Manual:IP ... hop_lookup

forne

You need some mangle rules as well. An example is here:

http://forum.mikrotik.com/viewtopic.php ... 00#p252900

forne

It's strange not to see other comments, especially from MT team. This question has been asked many times and every time a script has been suggested as a solution: http://forum.mikrotik.com/viewtopic.php?f=9&t=40417 http://forum.mikrotik.com/viewtopic.php?f=2&t=14461 http://forum.mikrotik.com...

forne

It was added, thanks.

forne

Try to do the same thing via telnet/ssh. Try to upgrade the firmware to the latest 5.x version.

forne

They are not. Use external monitoring via SNMP if you want more control.

forne

I've sent a bug report to support@.

forne

I'm using 5.0rc10.

forne

In short, use the following routing as is. Just replace 127.127.127.101 and 127.127.127.102 with your real gateways and routing marks "inet1" and "inet2" with your own. Other ip addresses should not be changed. /ip route rule add action=lookup disabled=no table=main add action=lo...

forne

forne,
I have had a look but I can't see how it disables the failed route
could you explain ?

The setup is done according to the following article: http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting
It works in ros 5.0rc10 without any workarounds.

forne

Ok here is my problem, I am trying to write a script that will fail over when a link goes down, but as I don't control the xDSL modems (ISP does) I can't use the check-gateway, becuase if the xDSL line goes down the gateway will still respond. You didn't try to understand the Mikrotik setup that I ...

forne

This is the real config used in my home router RB750G (5.0rc10) connected to two ISP over ethernet + vpn. There are 5 interfaces: lan - ethernet connection to local (home) network local-isp1 - ethernet connection to ISP1, ip address is assigned via dhcp local-isp2 - ethernet connection to ISP2, ip a...

forne

sergejs, is this workaround not added to v5rc11 yet?

forne

What password are you going to decrypt? If PAP authentication is used, a password is sent over network in plain text, so there is nothing to decrypt. If CHAP authentication is used, a password is not sent over network at all. Instead a password is used to compute a hash of random sequence of bytes o...

forne

Generally speaking it's impossible to kill p2p.

forne

Why do you need the second router at all? Use fiber media converter that will work as bridge.

forne

Sorry, but I don't believe it. An explanation from MK support would be good.

forne

That is true if the previous gateway is in the same network as a newly assigned ip address. Otherwise it will not work. Example of possible load balancing in the same broadcast segment: dhcp1: network=10.10.1.0/24 router=10.10.1.1 dhcp2: network=10.10.2.0/24 router=10.10.2.1 dhcp3: network=10.10.3.0...

forne

Some firewalling is probably a good idea: /ip firewall filter add chain=input connection-state=established action=accept add chain=input connection-state=related action=accept add chain=input connection-state=invalid action=drop add chain=input in-interface=ether2-local-master action=accept add cha...

forne

I suppose that there are several routers in one broadcast segment running in order to do load balancing.

forne

I wrote a couple of scripts to monitor arbitrary parameters of RouterOS and perform specified actions when parameter values are changed. Hope they will be useful. They are here:

http://wiki.mikrotik.com/wiki/Monitoring_Script

forne

I have three routing tables: inet1, inet2 and main: [admin@router] /ip route> print detail Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 0 A S dst-address=0.0.0.0/0 gateway=127.127.127.1 gatewa...

forne

[admin@router] > /system script add name=test source=":global var 10" [admin@router] > /system script run test [admin@router] > /environment print "var"=10 [admin@router] > /system script environment print # USER NAME VALUE 0 admin var 10 [admin@router] > /system script environm...

forne

Both of your rules are basically going to be the same. To save resources add in connection-state=new. This way the rule only fires when a new connection is being set up and not on subsequent packets after that. Every packet coming through as part of that connection will still receive the same packe...

forne

What is faster: to mark a connection with the same mark on every packet flow or to mark it only once but every time check if it already has a mark? I.e. what does consume less CPU cycles from these two: 1. /ip firewall mangle add action=mark-connection chain=prerouting disabled=no \ in-interface=ifa...

forne

The problem There is a way to set up load balancing with failover without scripting described here: http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting. All is working fine. We may use "virtual" hops and rely on recursive nexthop lookup. However in order to make it w...

forne

3) connection tracking is disabled on this device. Any other idea?

Have you checked all the submenus under /ip firewall? Are there any nat or mangle rules, including dynamic ones (tcp mss adjustments on vpn links)?

forne

This can be done by using different values for default-route-distance, that actually applies to the distance of all dhcp routes. Then set-routing-mark in routing filter should be used.

forne

greencomputing , thank you for input. I achieved the same behaviour in a slightly different way. I apply PCC mangle rules to all packets before routing decision stage and then use custom route rules: /ip firewall mangle add action=mark-routing chain=prerouting disabled=no \ in-interface=ether-local...

forne

I'm trying to set up load balancing over two ISPs, but only for those outgoing packets, for which there is no route in a routing table. I can't find how to apply PCC load balancing after routing table lookup was failed. Any suggestions would be appreciated.

forne

If there are several DNS servers specified under /ip dns submenu, how RouterOS (v4.11) uses them? It sends a request to the first one, waits for some time and in case if no answer is received sends the request to the second server and so on? Or it sends a request to all servers simultaneously? Will ...

forne

I have two ISPs connected to different ethernet ports of the router. Along with the default route every ISP assigns a bunch of additional static routes via DHCP. How can I put routes gotten from the different ISPs via DHCP into different routing tables, i.e. give them different routing marks?

forne

dhcp-client always sends DHCP:DISCOVER packets with the broadcast flag turned on. Some DHCP servers (not MikroTik) can't deal correctly with that flag and don't send any answer at all. So dhcp-client stays in "searching" state forever. Is there any way to not turn on the broadcast flag in ...

Search found 65 matches