Community discussions

Search found 57 matches

by ipdruide
Tue Feb 19, 2013 11:19 am
Forum: General
Topic: could not add address. Already have such address.
Replies: 8
Views: 14878

Re: could not add address. Already have such address.

Hey ! Sure I'm interested.
I'd be grateful to get to know the end of this story.
You never know when it will show up again until fully understood and fixed.
Thanks.
by ipdruide
Mon Feb 18, 2013 7:48 pm
Forum: General
Topic: could not add address. Already have such address.
Replies: 8
Views: 14878

Re: could not add address. Already have such address.

How funny to see that some threads can live for years !
I can't tell how and when this was fixed, but I haven't seen it occur since 2006.
by ipdruide
Wed Mar 28, 2007 2:00 pm
Forum: General
Topic: Converting dynamic address lists to static
Replies: 6
Views: 1869

Never mind. I did a search and I have found the script example. I'll try to do with that. Thanks.
by ipdruide
Tue Mar 27, 2007 7:08 pm
Forum: General
Topic: Converting dynamic address lists to static
Replies: 6
Views: 1869

Although this is not what I am trying to do, it sounds interesting to use a scripting tool on a workstation and do the editing before pushing the commit button. Thank you for the idea. The truth is that I realized that our firewall rules were sometimes too harsh in blacklisting IPs. This is why I use...
by ipdruide
Tue Mar 27, 2007 6:39 pm
Forum: General
Topic: Converting dynamic address lists to static
Replies: 6
Views: 1869

Ideally it would be much easier if we had a chance to select "static" or "dynamic" whenever an IP is added to a list by a filter rule. But this is a feature request and has nothing to do with the forum.

I will try the directions you gave me. Thank you.
by ipdruide
Tue Mar 27, 2007 5:05 pm
Forum: General
Topic: Converting dynamic address lists to static
Replies: 6
Views: 1869

Converting dynamic address lists to static

Greetings.

I need to convert Dynamic lists from our MK 2.29 firewall to static lists. Does anyone have an idea ? A script ?

Thank you for any suggestions.
by ipdruide
Fri Mar 16, 2007 6:18 pm
Forum: General
Topic: smtp relay failover with scripting ?
Replies: 5
Views: 2171

That means I would have 2 routers, right ?
by ipdruide
Thu Mar 15, 2007 8:25 pm
Forum: General
Topic: smtp relay failover with scripting ?
Replies: 5
Views: 2171

Thank you for the hint. I did not think of dest-nat rules... but now it does not seem very obvious for at least 2 reasons: 1. My local server (within the lan) knows only about 1 smtp relay (on the net), that means I will have to redirect any requests to the outworld ip smtp, to another one in case o...
by ipdruide
Thu Mar 15, 2007 4:21 pm
Forum: General
Topic: IP spoofing prevention
Replies: 3
Views: 2157

Thank you Janisk for the answer, I'll go ahead then and add these rules to our MKs.
I will even search for other "firewall good practices". If anyone had a resource to point at.

Thanks again.
by ipdruide
Thu Mar 15, 2007 11:35 am
Forum: General
Topic: IP spoofing prevention
Replies: 3
Views: 2157

IP spoofing prevention

Hello, Is it meaningful to prevent access from the internet to block access to RFC1819 type addresses, once masquerading is used ? Could a LAN be hacked anyway by packets spoofing internal addresses such as : (as a reminder these are RFC1819 internal type addresses). 10.0.0.0/8 172.16.0.0/12 192.168...
by ipdruide
Wed Mar 14, 2007 6:13 pm
Forum: General
Topic: smtp relay failover with scripting ?
Replies: 5
Views: 2171

smtp relay failover with scripting ?

Greetings to all... I am willing to use MK to allow our internal (within the LAN) mail server to be relayed with external SMTP servers with a failover feature. I mean if relay1 doesn't respond ( to a port 25 test ) then a static route would select relay2. Could this be achieved with some scripting o...
by ipdruide
Thu Feb 22, 2007 4:41 pm
Forum: General
Topic: better netwatch
Replies: 5
Views: 4047

Another netwatch enhancement ?

Hi,

I would also suggest that netwatch would execute a script :

- One time or
- as many times as N or
- until STATUS changes back to previous state.

Regards.
by ipdruide
Wed Jan 17, 2007 11:54 am
Forum: General
Topic: Adding a load balancer in Beta ?
Replies: 6
Views: 3241

Load balancing is not straightforward

Normis, I do already use policy routing for load balancing. But it is not straightforward and needs to be built with a complex set of rules. I suggest that you take a look at Pen that is a tiny footprint piece of nix software. I would hope for a balancing module that would use Pen type algorithm that ...
by ipdruide
Wed Jan 17, 2007 11:09 am
Forum: General
Topic: Adding a load balancer in Beta ?
Replies: 6
Views: 3241

Adding a load balancer in Beta ?

I hope this is a smart suggestion. I believe that integrating some tiny smart load balancer would make it easy for lots of us when managing multiple resources within a LAN. What do you think of Pen :

http://siag.nu/pen/

It seems to be the right stuff to implement in RouterOS.

Best regards.
by ipdruide
Mon Jan 08, 2007 3:11 pm
Forum: General
Topic: How to clean out Unreplied IPSEC connections
Replies: 16
Views: 5977

ultimate solution

Sorry to post this twice. I had mistakenly posted it as a new thread... Here is where it belongs. Just in case some others may be facing the same issue. From experiment to experiment I ended in using a 2 lines script that does it all: Netwatch will run this script in the event of a tunnel failure : ...
by ipdruide
Tue Jan 02, 2007 11:17 am
Forum: General
Topic: How to clean out Unreplied IPSEC connections
Replies: 16
Views: 5977

Generic timeout set to 10 sec seems to solve the issue

Just to let you know where my experiments lead me: The IPSEC tunnels seem to be stable or at least to reconnect themselves since the Generic TimeOut was set to 10 seconds instead of the default value ( 10 minutes ?) in the connection tracking. This setting seems to delete Unreplied connections afte...
by ipdruide
Mon Dec 18, 2006 1:24 pm
Forum: General
Topic: How to clean out Unreplied IPSEC connections
Replies: 16
Views: 5977

fixed ?

Hello,

I have had neither a disconnection of the tunnel nor an Unreplied one for 3 days, still on manual mode. May the problem be fixed ? I'll let you know.

Thank you all for your help.
by ipdruide
Thu Dec 14, 2006 11:40 am
Forum: General
Topic: How to clean out Unreplied IPSEC connections
Replies: 16
Views: 5977

Good day, I tried manual SAs for one night and found the infamous Unreplied connection in the connection list display the next day. Deleting it manually led to a correct reconnection. Thus my thread title: Is there a way to time-out UNREPLIED connections ? I tried all kind of settings in the trackin...
by ipdruide
Wed Dec 13, 2006 7:13 pm
Forum: General
Topic: How to clean out Unreplied IPSEC connections
Replies: 16
Views: 5977

Last try of IPSEC

Thank you guys for the feed-back. Although I am in the same mood as Sam, since I am facing the same trouble for 3 months, I want to give a last chance to IPSEC, at least on MT. Fatonk, I am not sure where I can change the setting from IKE to manual. I've been searching (in winbox ) all the menus, wi...
by ipdruide
Tue Dec 12, 2006 8:10 pm
Forum: General
Topic: How to clean out Unreplied IPSEC connections
Replies: 16
Views: 5977

probably related

Hi Sam, I think they are related. To solve the problem I have already covered one step with a 1 line script that flushes the SAs if the remote network doesn't respond. But it wasn't enough, as I have noticed that from time to time the IPSEC connection is Unanswered for some reason, until it is dele...
by ipdruide
Tue Dec 12, 2006 1:03 pm
Forum: General
Topic: How to clean out Unreplied IPSEC connections
Replies: 16
Views: 5977

Silly question ?

:oops: :oops:
by ipdruide
Mon Dec 11, 2006 12:14 pm
Forum: General
Topic: How to clean out Unreplied IPSEC connections
Replies: 16
Views: 5977

How to clean out Unreplied IPSEC connections

Greetings to all, I am facing IPSEC tunnel connections that sometimes show up as UNREPLIED in the connection list and sit there unreplied until the connection is manually deleted. I tried several tracking settings hoping that Unreplied connections would just timeout, but I failed. The timeout counter...
by ipdruide
Tue Nov 14, 2006 11:55 am
Forum: General
Topic: Netwatch to flush ipsec installed-sa
Replies: 5
Views: 2193

it works with policy routing

Thank you cmit. I was in trouble with my self-confidence ;-)
Moreover I did get it running with policy routing rule.
I owe you kudos today.

Many many thanks.
by ipdruide
Mon Nov 13, 2006 12:04 pm
Forum: General
Topic: Netwatch to flush ipsec installed-sa
Replies: 5
Views: 2193

Silly question ?

Greeting !
Anyone there ? Is this a dummy question ?
Thanks to any comment.
by ipdruide
Sat Nov 11, 2006 4:50 pm
Forum: General
Topic: Netwatch to flush ipsec installed-sa
Replies: 5
Views: 2193

how to netwatch vpns ?

Any idea anyone on how to netwatch vpns ?
Thanks.
by ipdruide
Wed Nov 08, 2006 5:09 pm
Forum: General
Topic: Netwatch to flush ipsec installed-sa
Replies: 5
Views: 2193

Netwatch to flush ipsec installed-sa

Hi, As many are aware, ipsec tunnels suffer from the need to manually flush installed-sa every now and then. I tried to use Netwatch to start a one line script to do the flush. Unfortunately netwatch doesn't ping from a preferred source address, making it unusable to test a remote tunnel address. Di...
by ipdruide
Tue Oct 17, 2006 3:41 pm
Forum: General
Topic: Invalid filter rules ?
Replies: 4
Views: 1896

Great advice for winbox ! Thank you Sam.

Also I think I will ensure that my filters will be sitting on ethernet rather than any vanishing links such as pppoe or pptp.
by ipdruide
Fri Oct 13, 2006 7:59 pm
Forum: General
Topic: Invalid filter rules ?
Replies: 4
Views: 1896

Thank you Andrew for your response.
You were almost right. The filter rules were sitting on 2 pppoe interfaces that went down at a certain moment but were on again at the time I noticed the rules were invalid. I had to reset them manually as I have explained.
by ipdruide
Fri Oct 13, 2006 1:07 pm
Forum: General
Topic: Invalid filter rules ?
Replies: 4
Views: 1896

Invalid filter rules ?

Hello there,

Does anyone know why some firewall filter rules suddenly show as invalid ( red lines in winbox). The only way to reset them to normal color is to disable-enable them.
BTW do red lines mean really invalid ?
by ipdruide
Thu Oct 12, 2006 6:59 pm
Forum: General
Topic: %100 Cpu Usage
Replies: 12
Views: 5270

Sam, where the hell do you change this logging rule ?
Couldn't figure out.

Thanks.
by ipdruide
Thu Oct 12, 2006 6:49 pm
Forum: General
Topic: could not add address. Already have such address.
Replies: 8
Views: 14878

Anyone ?

I really did have this problem with Dynamic IPs not flushing out. It prevents downed DSL links from reconnecting themselves.
Isn't this an interesting issue ?
by ipdruide
Thu Oct 12, 2006 3:54 pm
Forum: General
Topic: %100 Cpu Usage
Replies: 12
Views: 5270

By the way 80000 p/s means that you have a huge bandwidth at your disposal. What kind of link is it ? Maybe a routerboard is not suited. And maybe the 80000 p/s are not all ddos traffic ?
by ipdruide
Thu Oct 12, 2006 12:56 pm
Forum: General
Topic: %100 Cpu Usage
Replies: 12
Views: 5270

You may also use address lists and tarpit. I do use them intensively and I am fairly happy with the ever growing blacklist from various attackers.
In other words, you can add source addresses to a black list whenever there is an attack and use the blacklist to tarpit attackers.
by ipdruide
Thu Oct 12, 2006 12:51 pm
Forum: General
Topic: could not add address. Already have such address.
Replies: 8
Views: 14878

Anyone interested in reading my topic ?
by ipdruide
Wed Oct 11, 2006 6:49 pm
Forum: General
Topic: could not add address. Already have such address.
Replies: 8
Views: 14878

could not add address. Already have such address.

Greetings MT..ers, I am using 2.9.30 on routerboard. For the last 2 days I had the same error in the logs : could not add address. Already have such address. While my 2 DSL (pppoe) connections were down and unable to reconnect by themselves...When I looked at the logs to see that the Dynamically all...
by ipdruide
Thu Oct 05, 2006 3:54 pm
Forum: Scripting
Topic: How to AND :IF sentences
Replies: 2
Views: 1631

Thank you Eric for the answer. Although the post was old, I was still in great need of that script.
by ipdruide
Mon Oct 02, 2006 7:02 pm
Forum: General
Topic: Dual ipsec or l2tp tunnel
Replies: 5
Views: 4499

Thanks Sam for your experience. I do have static public IPs on both sides. Also I had to do the flush - thanks to your other posts !!- from time to time to allow the peer to reconnect. I will follow your advice and give a try to L2TP, but you didn't mention REDUNDANCY which is more the topic in my po...
by ipdruide
Mon Oct 02, 2006 6:37 pm
Forum: General
Topic: Dual ipsec or l2tp tunnel
Replies: 5
Views: 4499

Thank you Janisk, but it is more about implementing a DUAL tunnel between 2 office locations, for the sake of redundancy.

I've already one tunnel running.
I thought maybe someone had already tried that and is willing to share experience.
by ipdruide
Mon Oct 02, 2006 3:21 pm
Forum: General
Topic: Dual ipsec or l2tp tunnel
Replies: 5
Views: 4499

Dual ipsec or l2tp tunnel

Greetings. I was wondering if anyone had an experience interconnecting 2 small offices with dual vpn tunnels. Both offices operate simple lan with a few workstations/server and 2 dsl links with fixed public IPs. My tries with IPSEC had not been successful so far. Either I am on a peer-pair or on t...
by ipdruide
Wed Sep 27, 2006 6:29 pm
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

Not even bonding encrypted EoIP tunnels ?

I may have missed something. But before I start useless work, my understanding was that : - one could build EoIP over IPSEC tunnels. - EoIP was Ethernet like interface thus bondable. - Then if I have 2 offices with 2 ISPs each I could bond the EoIP tunnels for redundancy and bandwidth sake. Sorry I ...
by ipdruide
Wed Sep 27, 2006 1:25 pm
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

It's working !

Thanks and gratefulness to Eugene and Sam for their help and directions. I got it working. I had previously tried the connection/route marks and routes based on the routing marks but I was using the "prerouting" chain only because I ( I must confess) wasn't really aware of the differences...
by ipdruide
Tue Sep 26, 2006 8:41 pm
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

Poor workaround

My apologies, but this is a poor workaround, since I have to create an entry in the routing table for every single destination address. Which limits severely the router accessibility. The purpose for a dual link is more a problem of availability than bandwidth, as you can imagine. It becomes useles...
by ipdruide
Tue Sep 26, 2006 3:54 pm
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

Eugene wrote Router does not have "preferences". If it does not have a specific route to the destination, it _will_ respond through the default gateway. I do not see really why. I believe things would work better in many situations if in any LOCAL services were responding from the relevant...
by ipdruide
Tue Sep 26, 2006 1:04 pm
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

Eugene, do you mean there is no way to access router services from different public IPs ?

Also IPSEC (and maybe other L2TP, pptp) tunnels wouldn't work if there is more than one peer, AND/OR if you use for tunnels 2 or more different wan links ?

Please confirm.
Thank you.
by ipdruide
Tue Sep 26, 2006 11:28 am
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

IPSEC should also stop working if there are 2 wan links

Also IPSEC tunnels (I didn't try with L2TP or PPTP) stop working if the default gateway is NOT the one related to the peer IP.

All this is the same problem: Once there is more than one internet link, then router's inner services tend to respond via the default gateway.

Thank you for any comments.
by ipdruide
Tue Sep 26, 2006 10:36 am
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

If I may add my feeling: - I do not understand why a router would answer requests addressed to one of his wan links from another link. In other words, routes designed to draw paths from the lan to outside world shouldn't apply to services that are listening on the wan side. Isn't this an obvious bug...
by ipdruide
Mon Sep 25, 2006 5:13 pm
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

Here they are : > /ip route print detail Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, B - blackhole, U - unreachable, P - prohibit 0 A S dst-address=0.0.0.0/0 gateway=193.253.160.3 interface=pppoe-isp2 gateway-state=reachable distance=0 scope=255...
by ipdruide
Mon Sep 25, 2006 1:47 pm
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

Routes and addresses

Eugene, Thank you for your response. What I am trying to do is connect from the internet to the Router services (ssh, ftp etc...) to BOTH isp1 and isp2 public addresses: Until now I only can connect to the address that is related to the main-route (in BOLD italic). public addresses : 6 D 195.154.30....
by ipdruide
Fri Sep 22, 2006 11:38 am
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

Is this routing problem worthless ?

My apologies for insisting.

This may be a simple setting in my routing, but I need help from an expert. I know there are quite a few in this forum.
Many thanks.
by ipdruide
Thu Sep 21, 2006 4:03 pm
Forum: General
Topic: Simple routing problem
Replies: 18
Views: 5163

Simple routing problem

Hello everyone, Greetings. I've been on this one for a couple of weeks although the problem seems fairly simple. It is again related to multiple gateways. I am running a routerboard 2.9.30 with 2 DSL links and fixed IPs. There is some routing with marks for incoming traffic to be responded through t...
by ipdruide
Mon Sep 04, 2006 5:57 pm
Forum: Scripting
Topic: How to AND :IF sentences
Replies: 2
Views: 1631

How to AND :IF sentences

Hi Guys, I know the following code is wrong, but is there a way to AND 2 or more :IF sentences in order to take an action such as route setting ? Here is the wrong code: :if ([/tool netwatch get R1 status]=up) && :if ([/tool netwatch get R2 status]=up) /ip route set [/ip route find comment=fa...
by ipdruide
Fri Aug 25, 2006 4:19 pm
Forum: General
Topic: Ootbound load balancing an incoming trafic
Replies: 5
Views: 1983

Finally I did solve the problem with the help of all. The precious link directed by Jörgen was so helpful that I did save its content in my local pc. Finally the solution was simple and involved only : - connection marks - routing marks - and routing based on routing marks. The difficulty I had wa...
by ipdruide
Tue Aug 22, 2006 8:00 pm
Forum: General
Topic: Ootbound load balancing an incoming trafic
Replies: 5
Views: 1983

Sorry Guys, I've been away for a week and could not follow up. I tried the mangle rules but it doesn't seem to be working for ... a good reason: Mangle marks, at least according to the documentation do not exist anymore once they leave the router. Thus the server that responds to a request creates a...
by ipdruide
Thu Aug 10, 2006 4:52 pm
Forum: General
Topic: Ootbound load balancing an incoming trafic
Replies: 5
Views: 1983

Sorry Guys for the unreadable title. And many thanks also for redirecting me to this huge great thread. It looks like a good direction and I am going to give the 2 examples a close look, although I believe, incoming traffic from ISPs links side should always be responded across the initiating link and...
by ipdruide
Thu Aug 10, 2006 1:00 pm
Forum: General
Topic: Ootbound load balancing an incoming trafic
Replies: 5
Views: 1983

Ootbound load balancing an incoming trafic

I have been searching the forums, the wiki and the documentations, and noticed that this issue was raised many times but never really solved. When using multiple gateways with some kind of (multiple ISPs) load balancing ( thanks to the wiki there are 3 good examples to choose from), a big problem r...
by ipdruide
Thu Aug 10, 2006 12:50 pm
Forum: General
Topic: How to retain dynamic address lists
Replies: 2
Views: 1289

Thank you for your response. However I guess address lists could still be dynamic and retained in a file (perhaps as an option in case of low space). Well you are certainly right : The lists rebuilt by themselves as soon as the same cause appear. Keep up with this great product, and congratulation f...
by ipdruide
Mon Aug 07, 2006 6:16 pm
Forum: General
Topic: How to retain dynamic address lists
Replies: 2
Views: 1289

How to retain dynamic address lists

Hello there... first post ever. :D

I realized that (using 2.9.27 routerboard) dynamic address lists ( added with firewall rules) - eg black-list - are not retained upon a reboot. Is this a feature, a bug ? Is there any hidden way to retain these addresses at least until they expire ?
Thanks