Community discussions

Search found 30 matches

by mbaute
Sat Jul 22, 2023 5:53 am
Forum: General
Topic: VPN X ACTIVE DIRECTORY
Replies: 5
Views: 2760

Re: VPN X ACTIVE DIRECTORY

Hi

You need to add information about your domain in /ip/dns/static. Try with this, replacing example.com with your domain name and forward-to with your AD DNS. Remember to keep \\ and $ as they are special characters in regex

/ip dns static add forward-to=1.2.3.4 regexp="example\\.com\$" t...
by mbaute
Fri Jul 21, 2023 5:31 am
Forum: General
Topic: Route OpenVPN Traffic to IPSEC
Replies: 7
Views: 980

Re: Route OpenVPN Traffic to IPSEC

you can try viewing in connection tracking or by putting a raw passthrough rule on r2 to see how far are you going ie If you don't see anything on r2 it means that is not leaving r1, and start from there. raw rule will be earlier in case that is a filter issue in openvpn are you pushing routes or ju...
by mbaute
Thu Jul 20, 2023 2:07 am
Forum: General
Topic: IPSec Client Behind NAT [SOLVED]
Replies: 8
Views: 2300

Re: IPSec Client Behind NAT [SOLVED]

nat traversal is an option set on phase 1 config, but by both ends of the tunnel. in your case you are just in the middle doing nat magic. As Kentzo said, you don't need anything else other than dstnat rule and allowing in forward chain.

good luck
by mbaute
Wed Jul 19, 2023 1:59 am
Forum: General
Topic: IPSec Client Behind NAT [SOLVED]
Replies: 8
Views: 2300

Re: IPSec Client Behind NAT [SOLVED]

check with your client if its ipsec policy has nat traversal enabled, it should be mandatory in your case. if it is possible also try with ikev2 as it behaves better through nat
by mbaute
Wed Jul 19, 2023 1:48 am
Forum: General
Topic: VPN X ACTIVE DIRECTORY
Replies: 5
Views: 2760

Re: VPN X ACTIVE DIRECTORY

Hi

You need to add information about your domain in /ip/dns/static. Try with this, replacing example.com with your domain name and forward-to with your AD DNS. Remember to keep \\ and $ as they are special characters in regex

/ip dns static add forward-to=1.2.3.4 regexp="example\\.com\$" ty...
by mbaute
Tue Jul 18, 2023 9:00 pm
Forum: General
Topic: feature request: src/dst-addr-type connected
Replies: 2
Views: 544

Re: feature request: src/dst-addr-type connected

oh I'm sorry I thought this was america

Consider the following:

/ip addr
add addr=10.1.10.1/24 iface=vlan10
add addr=10.1.20.1/24 iface=vlan20
add addr=10.1.30.1/24 iface=vlan30
/ip fire addr
add list=rfc1918 addr=192.168.0.0/16
add list=rfc1918 addr=10.0.0.0/8
add list=rfc1918 addr=172.16.0.0/12
ad...
by mbaute
Tue Jul 18, 2023 7:07 pm
Forum: General
Topic: feature request: src/dst-addr-type connected
Replies: 2
Views: 544

feature request: src/dst-addr-type connected

it can be useful for mangle rules instead of maintaining lists of exclusions. I understand that would be used in prerouting chain and by definition it doesn't know about routes yet, but as address-type=local does get a match, maybe ros also knows netmask of that local address at that stage and infer...
by mbaute
Fri Sep 24, 2021 1:01 am
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 57
Views: 17804

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

mbaute: "Public IP assigned to Tik": 8.7.6.5 is assigned to ISP's router, not to Tik. Tik is behind this ISP's router, and it gets an internal IP assigned by ISP's router. Is your suggestion considered this fact? Thank you!

Yes no problem with that, take it as a form of "extra identi...
by mbaute
Thu Sep 23, 2021 2:05 am
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 57
Views: 17804

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Hi danergo,

Try setting My ID type as address in your Identity config and put as value in My ID your public IP assigned to tik (i.e 8.7.6.5).

/ip ipsec identity add peer=vpn-peer auth-method=digital-signature certificate=vpnserver1 generate-policy=port-strict mode-config=vpn-config policy-template-g...
by mbaute
Sat Jul 31, 2021 8:02 pm
Forum: Scripting
Topic: Multi gateway pppoe and static [SOLVED]
Replies: 6
Views: 2797

Re: Multi gateway pppoe and static [SOLVED]

hi cooling, You shouldn't be doing this at all because it will break most of your nat'd connections over pppoe interfaces (/ip route set [find comment="Test"] gateway=$newgw1,$newgw2; this will do ecmp and multi socket like https will go haywire) Try creating a default route with routing m...
by mbaute
Fri Jun 11, 2021 2:24 am
Forum: General
Topic: Problems with static DNS and Kubernetes
Replies: 2
Views: 1185

Re: Problems with static DNS and Kubernetes

hi ljguerci,

what is the tld of the resources you're adding in mt dns?
some OSs e.g. ubuntu treat .local and such tlds as internal and don't recurse them even if you added a nameserver in network config. Maybe you can try around that, it involves config in resolv.conf or something.

Regards,
by mbaute
Fri Jun 11, 2021 2:03 am
Forum: Wireless Networking
Topic: Capsman dynamic provisioning and MAC ACL
Replies: 8
Views: 4745

Re: Capsman dynamic provisioning and MAC ACL

hi techclerk,

maybe you can try in capsman's access list doing accepts for MACs you want to connect to office network interfaces, and then a general reject for those interfaces. I don't know if it works with dynamic ones but if it doesn't the SSID regex filter should do the trick.

Regards,
by mbaute
Tue Jun 01, 2021 11:05 pm
Forum: Scripting
Topic: Remove Nat Sessions on a specific event
Replies: 22
Views: 10853

Re: Remove Nat Sessions on a specific event

hi adminadmin, Maybe you can play around with recursive routes to check for connectivity. Basically you set that X IP is reachable through gateway1, and Y IP is reachable through gateway2. Then you create your 0.0.0.0/0 using X and Y as gateways, will be your "testers" and with distance yo...
by mbaute
Sun Jan 10, 2021 11:05 pm
Forum: General
Topic: dual wan PCC loadbalancing with GRE tunnel.
Replies: 12
Views: 3472

Re: dual wan PCC loadbalancing with GRE tunnel.

I wish I had your ability to explain things, awesome Thank you, but the thing here is that you've understood it already before reading my explanation; the true measure of that ability is the number of people who didn't before and do after. And here I sometimes question myself 🙂 to automate that add...
by mbaute
Sun Jan 10, 2021 3:47 am
Forum: General
Topic: dual wan PCC loadbalancing with GRE tunnel.
Replies: 12
Views: 3472

Re: dual wan PCC loadbalancing with GRE tunnel.

It seems you didn't get what @mbaute wanted to say, so I'll try to re-word it. The routes learned through OSPF are added to routing table called main, which is used to route packets without any routing-mark assigned. Those rules @mbaute has shown were your own rules from the export, and the sugges...
by mbaute
Sat Jan 09, 2021 2:32 am
Forum: General
Topic: dual wan PCC loadbalancing with GRE tunnel.
Replies: 12
Views: 3472

Re: dual wan PCC loadbalancing with GRE tunnel.

hi,

add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=abspl_conn passthrough=yes per-connection-classifier=\
    src-address-and-port:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=sswl_conn passthrough=yes per-connec...
by mbaute
Sat Apr 11, 2020 1:50 am
Forum: General
Topic: need help in vpn
Replies: 12
Views: 3803

Re: need help in vpn

problem seems to be that if ISP A is the primary default gateway, traffic incoming from ISP B will get forwarded to ISP A unless being marked in mangle, to go out through ISP B's gateway. that's why it works when you unplug ISP A. please follow the answer here. As this is for vpn traffic, you can om...
by mbaute
Thu May 24, 2018 12:52 am
Forum: General
Topic: VPNFilter malware [SOLVED]
Replies: 9
Views: 13395

Re: VPNFilter malware [SOLVED]

This thread was locked a couple months ago, but what dvm links is from hours ago. Are you positive sure that we're talking about the same threat?
by mbaute
Tue Mar 06, 2018 4:29 pm
Forum: General
Topic: OVPN Server tap bridged on Windows Clients
Replies: 0
Views: 1006

OVPN Server tap bridged on Windows Clients

Hi all, I'm trying to make my way around the inability to push routes from ovpn server on mt. One idea that came to my mind was to implement tap interfaces, and via dhcp options set the required routes through the vpn. Works flawlessly on mac-linux clients, but as always Windows has its own picture ...
by mbaute
Fri Jan 26, 2018 4:31 pm
Forum: Scripting
Topic: Force DDNS update out WAN1
Replies: 10
Views: 6251

Re: Force DDNS update out WAN1

Find netblocks of dyndns.org and add those to routes. You wouldn't need to resolve anything else from dyndns.org on wan2 right?

We had the same situation but with mikrotik's own ddns. Works every time
by mbaute
Mon Oct 17, 2016 9:46 pm
Forum: The Dude
Topic: dude, critical queued bytes for write to db
Replies: 42
Views: 28183

Re: dude, critical queued bytes for write to db

Check if disk path has not changed. By data amount that has been queued it almost seems that no data has been written into db. disk path of dude store or anything else? i get this error too, when i disable enable dude or create backup file dude database, it always show some queued bytes, and it take...
by mbaute
Mon Oct 17, 2016 9:32 pm
Forum: The Dude
Topic: dude, critical queued bytes for write to db
Replies: 42
Views: 28183

Re: dude, critical queued bytes for write to db

same situation with 6.37.1 on x86 vm in esxi, tried mounting a second disk as suggested but problem remains. Also tried moving the vm to an empty RAID10 datastore but the issue still persists. it will show an increasing number in queued bytes until ROS goes on kernel failure and reboot. Already submi...
by mbaute
Sat Oct 15, 2016 1:44 am
Forum: Virtualization
Topic: x86 on ESXi 5.5 HW Settings
Replies: 0
Views: 3086

x86 on ESXi 5.5 HW Settings

Hi, first of all sorry for my English as I'm not a native speaker (Spanish, kind of, Uruguay :c) I'm trying to narrow down the reason of random constant crashes with a x86 Dude Server Version 8 VM, running on ESXi 5.5. I thought that checking if I gave proper hardware settings to the VM would be the...
by mbaute
Thu Sep 22, 2016 12:23 am
Forum: General
Topic: PPTP server on Microtik RB
Replies: 2
Views: 1069

Re: PPTP server on Microtik RB

Major update

digging around when i reset the pptp server, the sstp server goes down, same backwards

really odd
by mbaute
Wed Sep 21, 2016 9:00 pm
Forum: General
Topic: PPTP server on Microtik RB
Replies: 2
Views: 1069

Re: PPTP server on Microtik RB

Same here with 3011@6.36.2!! god, thought i was going crazy it happens on every single "server" on /PPP; often in PPTP, but also in SSTP and L2TP only thing that works is what you've suggested, i even create a scheduler to reset servers, but still. Tried changing ports on SSTP tunnels to a ...
by mbaute
Wed Sep 21, 2016 8:57 pm
Forum: Beginner Basics
Topic: PPTP stopped working
Replies: 6
Views: 5650

Re: PPTP stopped working

berkhoff by any chance if you disable PPTP server and re-enable on destination does it solve the issue? pulling my hair out with this, but it happens on any Server (PPTP, SSTP, etc)
by mbaute
Fri Oct 16, 2015 11:28 pm
Forum: General
Topic: Certificates problem?
Replies: 4
Views: 2219

Re: Certificates problem?

if anyone interested, i managed to solve the problem. The problem is at the moment when you create the template. Even if you don't specify any key usage when you hit enter in terminal or apply in GUI, it reverts to CA defaults (key-cert-sign, etc), so at signing it signs as a new authority. Solution ...
by mbaute
Mon Jun 08, 2015 3:01 pm
Forum: General
Topic: Certificates problem?
Replies: 4
Views: 2219

Re: Certificates problem?

Updated to 6.29.1, still generating KA client certs. Anyone have info about this?

Regards
by mbaute
Tue May 26, 2015 11:38 pm
Forum: General
Topic: Certificates problem?
Replies: 4
Views: 2219

Re: Certificates problem?

i thought it was that, but after writing in terminal using tab to autocomplete exactly, the problem remains. i mean, writing "sign ca=" and hitting TAB completes with my CA, then add "name=xyz", resulting in "sign ca=CA client-template name=xyz" but again it generates a...
by mbaute
Fri May 22, 2015 4:16 pm
Forum: General
Topic: Certificates problem?
Replies: 4
Views: 2219

Certificates problem?

1st of all sorry for the English you're about to read :c I've been working with SSTP vpn with self signed certificates created with mkt, no problems at all until today. CA, server and 14 client certs (KLAT, KIT and KI flags respectively). Today i wanted to issue a new client certificate, following t...