MikroTik

bekax5

Hello friends, I have a configured IKEv2 server running on my 3011 to which I connect remotely from an iOS and it grants me links to several internal networks and other VPNs.. Now my question is, how can I make sure iOS uses the static-dns from ipsec mode config ? [admin@MikroTik-RB3011] /ip ipsec m...

bekax5

I'm still trying to unravel this one... It seems like a simple problem of a forwarding packet that is missing the right route-mark. How should I address it ? Do I need to connection-mark first traffic and then catch the reply traffic and route-mark to the right route back? I'm trying this one, but I...

bekax5

Yea, I was trying to avoid pasting too much code but it's inevitable... Basically these are the configs of the router in Site0 (.1.0/24) that is a server of PPTP Site 1 (.2.0/24) and a client of PPTP Site 2 (.0.0/24). My issue at the moment is ping from Site 1 to Site 2 not working. Traffic reaches ...

bekax5

Hello everyone, I have 2 PPTP sites, and I am trying to allow connection from Site 1 to Site 2 through Mikrotik. Connection flows in right direction and reaches Site2, but reply arrives to router and fails to go through the right gateway. S1 has a route with routing mark. I'm not 100% sure how packe...

bekax5

If you provide a CRL host it should actually serve a CRL, otherwise there is no point specifying it. Also, from a number of forum posts a number of people have found that using the 'server' Mikrotik address or loopback IP for a CRL is fine until you replace that Mikrotik, when despite importing bac...

bekax5

I got it working, thanks!

It was a misconfiguration with CA CRL Host.
I was using public domain instead of gateway IP as you suggested.

I'm also trying to understand if CN and SAN are used for anything?
Or are they just random strings that could be ignored...

bekax5

Ended up changing CA CRL Host from public domain name to local IP and it started working. I thought this had to be the public but seems I was wrong. I'm pretty new to certs, but does any client or server use common-name or subject alt name for anything ? Or is this just a random string? I mean, if I...

bekax5

3. Create server certificate. with which key usage flags? In Client: 1. Import CA certificate (LAT) When importing the CA created without a CRL host I would expect the flags to be AT server certificate with: "digital signature", "key encipherment" and "tls server". CA ...

bekax5

I am still unable... Client is still not being able to "verify server certificate" and fails with TLS Failed. In server: 1. I create CA certificate with "key cert sign" and "crl sign" (KLAT). 2. Sign the certificate with public domain name in CA CRL Host. 3. Create serv...

bekax5

Can the client Mikrotik check the CRL as you have L flags on the certificates? With certificates and keys generated using OpenSSL with no CRL, then importing CA certificate to server & clients Mikrotiks (has T flag) and importing server certificate to server Mikrotik (has KT flags) works, not u...

bekax5

Hello everyone, I configured an OpenVPN server and client between two Mikrotik devices. I created CA, server1 and client1 certificates. Require Client certificate works as intended (connection established && connected), however "Verify Server Certificate" doesn't (TLS failed). Clie...

bekax5

Awesome!
Honestly I became a bit confused with the "NAT and Fasttrack Bypass" Wiki.
I had a feeling it could have something to do with the first packets though.

I'm always learning a lot with you.
Thanks so much.

bekax5

The packet passes through the postrouting chain of mangle before getting to chain srcnat of nat , see this diagram . So the only way to see what happened in src-nat is by sniffing on the out-interface, of course if IPsec policy hasn't matched and encrypted the packet. Or you can see it on the remot...

bekax5

I pulled the src-nat rule to the first position. And the last rule in Mangle is being hit with traffic: 23 chain=postrouting action=accept src-address=192.168.200.199 dst-address=192.168.2.0/24 log=no log-prefix="" 0 chain=srcnat action=masquerade src-address=192.168.200.199 dst-address=19...

bekax5

Bump :)

bekax5

Hello, I have an iOS Phone that connects via IKEv2 to the main router. The router has a Site 2 Site VPN connection via Routing-Mark in Mangle. I see this Road Warrior trying to connect to the VPN through the correct interface, so seems Mangle rules for routing-mark are applied correctly.. However it...

bekax5

If the same out-interface and/or the same routing-mark are used also for forwarded traffic, and you want to prevent forwarded connections from getting src-nated, add src-address-type=local to the action=src-nat rule. This condition matches on packets whose source address is any of the router's own ...

bekax5

And where do you set the "no-mark" mark? Or is "no-mark" implicit set when no other mark is set in mangle ruleset?

The latter:
"If no-mark is set, rule will match any unmarked connection."

bekax5

Problem solved. I only changed this: /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes Thank you!! What was the problem with fasttrack? BR I believe fasttrack will jump Queues, firewall filter a...

bekax5

The thing is how the mangling works in the output chain. First of all, an output packet is routed using the main table, which includes assignment of the source address, which is the pref-src one if specified for the route or the IP address associated to the out-interface otherwise. The mangle rules...

bekax5

Yes, my experiments seem to match your explanation.
It is misleading though. Usually I use ping to test some rules but I'll have to manage another way.

Thanks!

bekax5

I keep in mind that PPTP is an unsecure protocol. Before I start pasting my rules, I've been digging into this for the last couple hours, and I've seen a couple very old topics that touched a sensible topic... Does "ping", "tracert", "traffic generator" ignore the route...

bekax5

Hello everyone, I'm trying to setup a PPTP (i know...) Site to Site VPN. Only some users will be allowed, so I did setup mangle prerouting mark routing rules in both sites. Also, since I would like to access the routers directly from both sites, I added an output mark routing rule. Now one of the is...

bekax5

Leaving aside the weak security of PPTP in particular while it's equally simple (or complex) to set up like L2TP/IPsec, there is always the possibility to use the on-up and on-down scripts of the /ppp profile row. You can link the /ppp secret row to a dedicated /ppp profile row. So instead of addin...

bekax5

Hello, I have a PPTP server in my RB3011 (ROS v6.44). It correctly adds a dynamic route whenever a client connects. I specified the route to add under PPP/Secret. Is there any way to have this route added with a routing mark? I would like to allow/block specific local clients to be routed. Any tip? ...

bekax5

If Ubiquiti Unifi-IW-HD is 802.3af/at compliant it should accept both Mode A and Mode B. And despite the fact, that in it's user manual it is stated that "using of passive PoE injectors is not recommended", I guess that means that it is still an option. So there is a good chance that it w...

bekax5

Hello everyone. I am powering a hEX S through PoE with a RBGPOE Gigabit adapter. I'd like to understand how to use the PoE Out on Port5 to power an Ubiquiti Unifi-IW-HD which accepts 802.3 af/at. Do I need a special adapter to convert the Mikrotik Passive 57V into af/at ? Will I need to use a crosso...

bekax5

Client still stays like that. It appears multicast option is not being applied...
Sniffer shows packets not being sent back through wlan again.

Edit: Client forwarding solved my issue by the way!
Thanks a lot!

bekax5

That makes sense. Yet, I tried to apply that to the AP, but CapsMan doesn't seem to apply that setting to the client.. I applied it both in CAP Interface and Configurations. Client AP after being reconfigured, still keeps "Multicast Helper: Default", and of course does not allow me to chan...

bekax5

Hi everyone, I saw that Mtik APs were the only in my house where devices weren't getting auto-discover services properly. A few sniffers later, I think the issue is that MDNS packets are forwarded to the other ports on the bridge, but not Wifi itself ( from where the original packet came from) Other...

bekax5

FYI Wine 4.19 and 4.20 breaks on Catalina again.
Use Wine 4.18 https://dl.winehq.org/wine-builds/macos ... g-4.18.pkg

Even though Wine gave lots and lots of errors... Winbox launched.
Thanks!

bekax5

Tried this method but also getting some errors: user@mac ~ % wine64 Desktop/winbox64.exe wine: created the configuration directory '/Users/andredias/.wine' 0009:fixme:esync:do_esync eventfd not supported on this platform. 000b:fixme:esync:do_esync eventfd not supported on this platform. 0009:err:env...

bekax5

I tried to follow this tutorial. Ended up with the following error: ###BOTTLING### Create .app... ###BOTTLING### Enabling CoreAudio, Colors, Antialiasing and flat menus... ### LOG ### Command '/Applications/Wine.app/Contents/Resources/bin/wine64 regedit /tmp/reg.reg' returned status 137. Task return...

bekax5

OK In header field replace http-content-type:application/json with content-type:application/json

Hahahah, nice catch!
I've been trying this on yesterday's late night and I probably wasn't even looking anymore.

Thanks a lot, it worked perfectly.

bekax5

In the meantime this feature has been added. Has anyone tried to use it with the Cloudflare v4 API ? I am having difficulties with post to update a DNS zone. It gives me error 400 bad request. [admin@MikroTik-RB3011] > /tool fetch http-method=get url="https://api.cloudflare.com/client/v4/zones...

bekax5

In the meantime this feature has been added. Has anyone tried to use it with the Cloudflare v4 API ? I am having difficulties with post to update a DNS zone. It gives me error 400 bad request. [admin@MikroTik-RB3011] > /tool fetch http-method=get url="https://api.cloudflare.com/client/v4/zones/...

bekax5

Hi! I am running the exact same setup and am dealing with the same issue, and by assigning none to the remote certificate it now accepts all clients. :) Thanks! However, would it be possible to distinct peers only by the remote certificate? Assuming I'd just like to have different mode-configs for d...

bekax5

[admin@MikroTik-RB3011] /ip ipsec> mode-config print Flags: * - default, R - responder 0 * name="request-only" responder=no 1 R name="ikev2-config" system-dns=no static-dns=192.168.1.250 address-pool=pool_ikev2_1 address-prefix-length=32 split-include=0.0.0.0/3,64.0.0.0/3 [admin...

bekax5

Now with both ipv4 range halves [admin@MikroTik-RB3011] /ip ipsec policy> print Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.200.0/24 protocol=all proposal=default template=yes 1 DA src-address=0.0....

bekax5

I was trying to avoid posting too much rules... /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related add action=accept chain=forward comment="defconf: accept established,related" connection-state=esta...

bekax5

I think it's safe to assume all packets that don't get caught in these rules are dropped. It is not safe to assume this, and this firewall actually protects nothing at all . The reason is that in RouterOS, the default packet handling in the /ip firewall filter is action=accept , so whatever does no...

bekax5

I am yet to understand if it is forwarding Internet traffic, since everywhere I check IP when connected to the IKEv2 in iPhone, it is showing the cell network IP and not the remote IKEv2 connection IP. The Note in this section of the Mikrotk IPsec manual is related to this. Many VPN clients on othe...

bekax5

Perfect! At first it was not working, it seems I had yet to add an accept firewall input rule for in:ipsec policy since these packets were being dropped by my generic WAN input drop rule. add action=accept chain=input in-interface=bridge-vlan12 ipsec-policy=in,ipsec add action=drop chain=input comme...

bekax5

With plain IPsec, routing works very different from the standard one. After all the standard routing is done and the packet is just about to be sent out, its source and destination IP addresses are compared to active IPsec policies and if they match, the packet is sent using the security associatio...

bekax5

Hello everyone, I'm trying to setup IKEv2 between my RB3011 and an iPhone. I've been fighting against the authentication, but finally I seem to have it figured out and it appears to be a bug which I would like to report first. I am using WinBox 3.17 and RB3011 v6.43rc51 # If I check in IPsec Peer Pr...

bekax5

Well, it would also limit but I guess it would be bonded to the CPU's processing power, which appears to be able to handle about 60% more than what I'm putting it up to (with gigabit). As you can see on the block diagram in one of the earlier posts, the CPU ports of the switch chip are also only 1 ...

bekax5

Also, do you know if Mangle "sniff-tzsp" option does have the same behaviour as the Packet Sniffer sniffer-server that kills "Fasttrack" and "Fastpath" when running? Bad news, sure it does. Fasttrack is fastpath combined with connection tracking, and consists in minimi...

bekax5

Well, you have yourself identified that there is a physical limitation. The mirror destination has a bandwidth of 1 Gbit/s and the mirroring function of the switch chip itself (so no CPU involved hence no CPU load) can only mirror both directions of the mirrored port (mirror source). So if the summ...

bekax5

Still looking for assistance with this.
Anyone?

bekax5

I have disabled the mikrotik web service. I try to disable hotspot. But all are not working. My blind shot would be to bind the Mikrotik www service to another port than 80 on top/instead of disabling it if the ISP is not the reason. I already disable the www service since I only use winbox. Moreov...

bekax5

Recently I came back to the mirror implementation. This problem still happens with the router. It happens with both switch groups. Packet loss is not happening, nor full CPU or Core usage. Unfortunately this limits actual "live" internet traffic and so it is not a solution to use until it ...

bekax5

Thanks a lot for your time! It's been great to read your explanation, and honestly I feel that there are some key points that the IPsec wiki misses to explain which I believe I got the handle with your help. I hope at lease that this topic will be useful for IPsec newcomers like me! - Good call on ...

bekax5

With IPsec "server" (your Mikrotik) connected to internet via a NAT device (i.e. when the Mikrotik itself doesn't have a public address on any interface) you need to use dirty tricks, so if you can get public address directly on Mikrotik via 4G, you should start from that configuration an...

bekax5

I believe you meant export the firewall? Anyway, I might have many rules that don't matter for this. Well, I had in mind everything in order to avoid asking piece per piece if the firewall is not guilty, but never mind. Before I dive into the rule jungle, are you sure that all your client devices h...

bekax5

"/export hide-sensitive", please. Replace each public address eventually present in the result systematically with a unique token (like public.ip.1) if you don't want to disclose their association to you. As phase 2 completes, most likely the firewall rules will be the reason. I believe y...

bekax5

bekax5

Hi everyone, Given that apple removed PPTP from all their devices, I'm trying to setup IPSec for about 2 or 3 devices I use outside. By outside, all these 3 devices have Dynamic IPs, and besides home also having a dynamic I use dynamic DNS. Following the wiki I managed to configure IPSec and the dev...

bekax5

I am really tempted on setting Suricata with Mtik integration. I want to run suricata on a QNAP as a VM and I already bought an Intel NIC for this purpose, however I noticed that the current QNAP versions do not support promiscuous mode for VMs, as such if I try to mirror the WAN interface I end up ...

bekax5

Hi everyone, I have a hEX PoE which is double NATted behind a RB3011. This device is to have IoT devices and further a few VLANs for guests and other stuff. At the moment I'm trying to set a blacklist to drop every IP I consider not being safe. I'm using Fastpath+Fasttrack, although if I read correc...

bekax5

Hmm, indeed that seems weird. Have you tried v6.40.x? Does it exhibit the same behavior? (in case you are hitting some weird bug with the new bridges/hw offload implementation on 6.42rc) Just out of curiosity, have you tried this using the 2nd switch group instead? (eth6-eth10) I don't see how it c...

bekax5

You are hitting 100% CPU usage in one core that why you see 50% total usage (the 2nd core is idle). So you are CPU bound. What does /tool > profile shows when you get 50% cpu usage? I haven't used mirroring in MikroTik, so I don't know how it behaves when the destination port is congested. In Cisco...

bekax5

Hi everyone. I have a RB3011 with gigabit FTTH. This Gigabit line is recent and I am still optimising the router for this setup. Anyway, I found out that by having no mirror setup I could reach every time 920Mbps+ If I would setup a mirror from eth1 to eth2 I can't go over 750Mbps! CPU won't go over...

bekax5

Sorry for bump, but here it is the capture.

https://www.cloudshark.org/captures/d111922b008f

We can see the router offering a lease with a different hostname than the one being requested, but at the end the device just ignores...
Is this normal?
Am I using Option 12 in a wrong way?

bekax5

Hello everyone, As some might know, there is a firmware on these samsung tizen smart tvs that comes with hardcoded hostname "localhost". I don't what what kind of engineers they have at samsung that statically assigned a reserved hostname like this. For now it's not causing big problems on...

bekax5

Update: I was able to track this issue to the hosts themselves. It appears that they were taking too long to answer due to a config called DelayedAckTimeout. On Win8.1 one can see the settings over powershell: Get-NetTCPSettings There are several setting profiles, and it was using one that had a del...

bekax5

Yes, I'm trying to figure out where the problem comes from. Although it doesn't appear to be from MTk. All packets are the same size in either situation, and no ICMP are trying to be sent, so it doesn't appear to be a MTU mismatch. Here I managed to capture both situations with MTk MTU=4137 & MT...

bekax5

I assume the L2MTU is still set to 8156 on the ten copper gigabit interfaces, and 8158 on SFP1 (which the Wiki states is the values for a 3011 routerboard) Honestly the copper are all 1500MTU/1598L2MTU. SFP is the only one in the local-bridge for testing purposes. This way I can also guarantee that...

bekax5

If you're trying to allow traffic from wan to lan side,

I believe you should go to "ip firewall nat":
add chain=dstnat protocol=tcp dst-port=6800 action=dst-nat to-addresses=INTERNAL_IP_WITH_SAID_SERVICES to-ports=6800 comment="" disabled=no

bekax5

I've noticed today something very peculiar when working with MTUs and jumbo frames. There's something weird happening when I change the MTU from 4136 bytes to 4137 bytes. I first saw this because I had a HTTP sensor in PRTG and I saw huge delay increases when I started using big frames in the RB3011...

bekax5

Hello everyone, I am using PRTG to monitor my network and its devices. One thing I noticed is that my VPN interface from mikrotik, whenever I get a link down and then it comes back up, even though that it's the same interface, PRTG is unable to keep tracking of it's information, It's as if the OIDs ...

bekax5

If that port is part of a bridge try disabling it in the bridge settings.... /interface bridge settings> set allow-fast-path=no I guess this fixes the problem ! :D Thanks a lot!! Question: The fasttrack keeps active for any traffic coming from the outside right? Only ignored inside the bridge-local...

bekax5

Hello everyone, I am using a RB3011 with 6.36rc12. Somehow starting the sniffer cures my problems with a PPTP connection (only two clients connect with packet_mark and route) I read somewhere that this could happen because the sniffer turns off the fasttrack. Although, I'm not sure how to set the fi...

bekax5

Hi everyone, I am in search of some help setting up correctly a PPTP Server. At the moment everything is working correctly, with multiple clients being able to connect, they must be in a LAN with different subnet obviously, and they have access to the whole network. 1. Is there any interesting solut...

bekax5

Just to update...

Turns out it was the NAT that getting too heavy.
I added: "dst-address-type=local" to every port-forward rule (I had 8 ) and the speeds increased from 17 to 100+

I haven't tried the full power on the 3011 because its only 100/100 fiber, but for now it's perfect.

Regards.

bekax5

I managed to find out the issue. Turns out I had one wrong Firewall filter rule: chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=bridge-vlan12 log=no log-prefix="" I forgot to add the ! in the "connection-nat-state=dstnat" and so I was dro...

bekax5

Hi all, I receive my internet through a VLAN on eth1. I have setup a vlan interface on that input, a masquerade on that vlan and now I'm receiving IP from ISP's DHCP and Internet is working ok! I'm having an issue although which is related to NAT. I was trying to forward some ports but they are not ...

bekax5

Atually I have the same dns issue at the new rb3011@6.36rc12

bekax5

I tried with the 6.36rc12 Same issue. Router isn't able to push over 17Mbit/s of upload. Whereas a simple crs109 is pushing a bit over 100Mbit/s. Also, I am not able to do a pingtest due to some firewall reason on the RB3011, even though both firewalls have the same configs! Not sure how to debug th...

bekax5

From the Block diagram, (http://i.mt.lv/routerboard/files/RB3011 ... 123613.png)
it looks like either it connects to the second CPU directly, or it gives 2Gbit/s for the second switch.

At least on mine it came as default on the local-bridge but also didn't came with any switch association.

bekax5

Hello everyone, I have been using a CRS109 as my home router. I realize it wasn't actually made to work as a router but as a switch, although until a few days ago I only had ADSL and 4G which didn't actually need much horsepower and it was doing a perfect job until now. Now I have a fiber 100/100 an...

bekax5

Allow me to resuscitate this topic :D Am I right to assume that if I have a fiber uplink to the LAN and WAN on the first switch chip the router will just use the CPU1 ?? I am not sure if SFP will connect directly to CPU1 or to the second Switch chip? By the way, how does the router decide which CPU ...

bekax5

How should I do that with DNS? set a static DNS record? Yes, and make sure your LAN is using your Mikrotik as its DNS server. Perfect! Thanks. It is, unfortunately these 4G routers can't be config as Bridges, and they still offer much more bandwith than a pendrive that I could really use as modem...

bekax5

Nobody is going to be able to tell you have to do hairpin NAT on this outside router without knowing the make/model. You might find it easier to do this with DNS rather than hairpin NAT. Hi. Well, let's just say that the other router is not very customizable.. It's a Huawei B593 and I was trying to...

bekax5

Hi everyone. I have setup a NAT rule for Hairpin NAT. Now I had to change from Mikrotik being the only gateway for a second 4G router being the Internet gateway and it stopped working.. It seems that the second router doesnt redirect the requests when they are the public IP but uses them as if it wo...

bekax5

I mean, if we have multiple lan networks with DHCP and all. What IP must we put there in Quick Set - Local Network - IP Address? I figure out that sometimes automatically changes this IP and also sometimes if i set a wrong ip i got no connection to internet. Thanks for your help That's exactly what...

bekax5

Heelo, Set proxy-arp on your local bridge, and then try to ping again. Regards, Hi, I've already done it, but still nothing. I'm starting to think this is a server side problem since I did the exact same thing with a different server and got it to work on the first try. I guess it's some problem as...

bekax5

Edit: Local and Remote IP are now - OK. It was a misconfiguration under the PPP profile (Use Encryption required a yes). Still, I can sniff the ping packets, they leave with the correct IPs, but never return... I have a NAT masquerade for the pptp-out1 A mangle that I confirm the packets are passing...

bekax5

Hi everyone, I am trying to set my Mikrotik CRS109 with a PPTP Client. I tried following this tutorial: http://strongvpn.com/setup_mikrotik_pptp.html However there is still something not working. I see packets flowing through the out interface and Mangle rule, but they are not returning. It works ho...

bekax5

lease-time (time; Default: 0s) Time that the client may use the address. If set to 0s lease will never expire. From: wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server Hope that helps, --jg3 Well, I tried: "0s" which returns an "Invalid value in Lease Time". Also the default comes as:...

bekax5

adding a lease makes it static, as you say, indefinite. Any device that is not specifically added by you, will have a dynamic lease, and will expire as per the DHCP server lease time. So, simply adding the IP and MAC makes the lease last forever. All other will expire. Both via the telnet or web, a...

bekax5

adding a lease makes it static, as you say, indefinite. Any device that is not specifically added by you, will have a dynamic lease, and will expire as per the DHCP server lease time. So, simply adding the IP and MAC makes the lease last forever. All other will expire. Both via the telnet or web, a...

bekax5

you only need the IP address and MAC address. /ip dhcp-server lease add address=192.168.1.10 mac-address=00:11:22:33:44:55:66 Hi, thanks for the quick answer. That way the lease will still take the DHCP Rule lease time correct? I would like for any normal lease to take 1 day, and for static leases ...

bekax5

Hello everyone. I am trying to set some static leases. Although, I am not able to set a lease time =infinite in the static ones. The DHCP Rule has lease time ="1d 00:00:00" In the static leases I was trying to set lease time ="00:00:00" Which I though was infinite, but or the mai...

bekax5

Update:

Nevermind.
My other NAT rules were set with in-interface=pppoe-out1
I did change them From in-interface=pppoe-out1 To dst-address-type=local

Now everything is working with a general Hairpin NAT rule.
Thanks for all!

bekax5

Looks like this is what you are looking for: http://wiki.mikrotik.com/wiki/Hairpin_NAT That was exactly what I was searching for. Thanks a lot !! I was reading a bit more to see how to set a general rule for the hairpin NAT from 192.168.1.0/24 to 192.168.1.0/24. I am although, trying to set it like...

bekax5

Dont forward to port 80 ! Port 80 is allready "bisy" from WebFig Administration Panel from MikroTik. Please cheange the port to 82 for ex, and try again, or change Webfig port from 80 to another else. Perhaps I didn't explain well. My problem is after I forwarded several ports via Nat to ...

bekax5

Anyone ?

Basically, what I'm trying to do is access:
http://domain.com:8080 (since I have a dst-nat map to internal IP 192.168.1.100:8080)
But instead, it gives me the router's IP:Port, meaning: http://192.168.1.254:8080

Perhaps something missing in the NAT ? Any ideas?

bekax5

Hello everyone. I am currently using a CRS109-8G-1S-2HnD-IN with OS6.28. I have a valid SSL/TLS certificate that points to my external IP. Although when I use it inside of the network, the mikrotik does not point to the correct IP:Port that should, but redirects to the router's IP and not the correc...

bekax5

One more question. I am not able to access inside services if I use my DNS anymore. Before I could for example use my DNS to open my web server or open an SSH session with DNS:22. Now if I use it inside of the network it doesn't redirect me. I believe it's some config I have no idea of. Could you en...

bekax5

They have different IP addresses, they represent IP hops between devices attached to them.... It actually makes a lot more sense on the server side - suppose you have 500 customers all connected to ether1 via PPPoE - you'd have 500 interfaces that you could set up with different queues, IP filters,...

bekax5

Well, as for the block incoming traffic question I think I got it to work since I changed one rule blocking all input traffic from interface "ether1-gateway" to interface "pppoe-out" and it stopped previously opened ports =) Edit: I did the same with the NAT, changed "ether1...

bekax5

Ah I guess I got the point! In fact yes, there was no gateway in the device on the ether1 network so I guess that's why there wasn't any answer back =) Thanks for the hint! Let me ask you for a few more questions regarding the security of the Mikrotik. I configured everything else and now I'm in the...

bekax5

Problem: I cannot ping inside 192.168.0.0/24 from LAN. Mikrotik can ping 192.168.0.0/24 from web portal. I have although, Internet access on LAN =) Add this rule to your srcnat chain, BEFORE the normal masquerade rule for the pppoe interface: action=src-nat to-addresses=192.168.0.x dst-address=192....

bekax5

This is not a clear request. Your ADSL modem, what you are calling the bridge?, is configured with 192.168.0.1/24 on its ethernet interface. Yes / No? Your ADSL modem also passes through PPPoE so that your CRS109 can get a public IP for Internet access. Yes / No? You want to use PPPoE on the MikroT...

bekax5

Have you ever heard about hamachi ?

bekax5

This is not a clear request. Your ADSL modem, what you are calling the bridge?, is configured with 192.168.0.1/24 on its ethernet interface. Yes / No? Your ADSL modem also passes through PPPoE so that your CRS109 can get a public IP for Internet access. Yes / No? You want to use PPPoE on the MikroT...

bekax5

I am really interested in knowing if this is possible! (bump)

bekax5

Hello everyone,

I have a question related to these transceivers.

I wonder if they accept all kinds of LC connectors, like LC/PC, LC/UPC and LC/APC or if they don't allow certain types?

Regards!

bekax5

Hi all, I am trying to find out how to make a connection similar to the one I have at the moment but I want to improve the network to RouterOS. I bought a CRS109 and want to make it my default router at home. I have a bridge that brings ADSL as a PPPoE, but I would like to still access this bridge's...

bekax5

Hi everyone. Yesterday I received a new CRS109. My knowledge in networks is nothing really advanced, but I want to use this equipment to learn something more. In any case, at the moment I have my network setup like this: Modem - Router - Switch - Rest of the network The modem is actually an Adsl rou...

Search found 110 matches