Search found 38 matches

by arnaldo
Fri Sep 08, 2023 4:45 pm
Forum: General
Topic: Passthrough in a mangle subchain
Replies: 1
Views: 521

Passthrough in a mangle subchain

I'm looking for a definite answer for what happens when in a mangle subchain called from Prerouting:

- Mangle -> Prerouting -> ChainA

If a rule in ChainA matches and it has Passthrough = no, will it return to the main Prerouting chain or will it break the Mangle-Prerouting completely?
by arnaldo
Fri Sep 08, 2023 4:39 pm
Forum: General
Topic: Fortigate VPN SSL
Replies: 2
Views: 707

Re: Fortigate VPN SSL

Interesting to see someone else with a similar problem! As far as I know, Forti SSL VPN is proprietary (not the "standard" one, if there is such a thing). The term SSL VPN means "encapsulating the data in a TLS session", but the details are often very different (authentication, et...
by arnaldo
Sun Sep 03, 2023 11:19 pm
Forum: General
Topic: Hardware encryption for OpenVPN on x86 hardware
Replies: 0
Views: 746

Hardware encryption for OpenVPN on x86 hardware

I noticed that when running on x86 with AES-NI, OpenVPN will not use hardware encryption.

AES-NI is being used on x86 for IPSEC since ROS 6.39. Is there any reason for not supporting it for OpenVPN? To my best knowledge, AES-NI can do AES-256-CBC.
by arnaldo
Fri Sep 01, 2023 5:16 pm
Forum: General
Topic: New RouterOS theme
Replies: 21
Views: 2789

Re: New RouterOS theme

Being another macOS user, I've rarely resorted to WinBox and have managed all my Mikrotiks with WebFig, even when routing on the early ROS 7 was totally broken (used WinBox just to fix routes - running on a Windows VM under UTM on an Apple Silicon Mac). But back to the new theme, similar to the new ...
by arnaldo
Thu Aug 31, 2023 5:08 pm
Forum: General
Topic: 2.5Gbps speed on RB5009 not working
Replies: 4
Views: 948

Re: 2.5Gbps speed on RB5009 not working

Are you sure your 2.5Gbps adapter is working properly? I've seen horror stories with some adapters (Realtek), with poor download or upload speeds.

Try checking the adapter first, without getting the RB5009 involved. Then move back to the router.
by arnaldo
Thu Aug 31, 2023 5:02 pm
Forum: General
Topic: Using PCC more efficient
Replies: 4
Views: 1204

Re: Using PCC more efficient

The concept is great! But there is an error in the post (probably resulting from cut-paste): the second example still has PCC lines 2 to 4. So the correct rules would be (assumes that all packets start as not conn-marked): PCC 4/0 ===> connection mark gateway-25 if not marked ==> connection m...
by arnaldo
Thu Aug 31, 2023 4:44 pm
Forum: General
Topic: Missing veth address in both WinBox and WebFig
Replies: 4
Views: 1045

Re: Missing veth address in both WinBox and WebFig

WinBox is 3.39 and WebFig 7.11.1 (latest as of this post). Yes, it is correct when using the CLI. Your WinBox image shows exactly what I'm talking about: Address: 0.0.0.0/0. It's not a question of being able to check the IP address using WinBox/WebFig, but rather to make changes (need apply/ok). Look...
by arnaldo
Thu Aug 31, 2023 3:10 pm
Forum: General
Topic: Missing veth address in both WinBox and WebFig
Replies: 4
Views: 1045

Missing veth address in both WinBox and WebFig

I may be missing something, but whenever I display (or try to change) the IP address associated with a veth (for a container) it shows as 0.0.0.0/0 in WinBox and as a "blank" in WebFig.

Is this a bug, or am I really missing something here?

Thanks in advance.
by arnaldo
Wed Feb 22, 2023 7:13 pm
Forum: General
Topic: Certificate Key Import not possible on v7.7
Replies: 17
Views: 4546

Re: Certificate Key Import not possible on v7.7

I was also having problems importing certificates+key in PKCS#12 format, using a file generated by OpenSSL from PEM files with key and certificate (Lets Encrypt - using a script that is a few years old). I can confirm that by default OpenSSL will use pbeWithSHA1And40BitRC2 unless RC2 is disabled...
by arnaldo
Thu May 05, 2022 3:11 pm
Forum: General
Topic: PKCS#12 certificate import not working on 7.2.2
Replies: 2
Views: 946

Re: PKCS#12 certificate import not working on 7.2.2

Usually this indicates the certificate is in the store already... Thanks for the pointer! I've checked that already. But reminding of it gives me a hint. I will remove all certificates (if I can export the CA key, used to sign several OpenVPN certificates) and give it a try. The RB5009 is a fantast...
by arnaldo
Wed May 04, 2022 9:11 pm
Forum: General
Topic: PKCS#12 certificate import not working on 7.2.2
Replies: 2
Views: 946

PKCS#12 certificate import not working on 7.2.2

I'm trying to import a PKCS#12 certificate and key under 7.2.2 and it's not finding anything inside the P12 file. /certificate/import file-name=test.p12 passphrase=fd6eef05 certificates-imported: 0 private-keys-imported: 0 files-imported: 0 decryption-failures: 0 keys-with-no-certificate: 0 I've dou...
by arnaldo
Mon Feb 28, 2022 5:33 pm
Forum: General
Topic: WireGuard and routing tables
Replies: 21
Views: 10239

Re: WireGuard and routing tables

I finally managed to get it working this weekend. :D :D :D The problem was that I was using a single wireguard interface for both the site-to-site tunnel and to allow inbound road warriors! The "allowed-ip" were overlapping, even though the road-warriors were "not connected" (but...
by arnaldo
Mon Feb 28, 2022 5:10 pm
Forum: General
Topic: Amazon Prime only blocks NordVPN on MikroTik routerboard
Replies: 6
Views: 3884

Re: Amazon Prime only blocks NordVPN on MikroTik routerboard

My understanding is that they (Amazon, HBO Max, Netflix, Paramount+, etc) perform IP blacklisting. To counteract, the VPN providers keep changing their IP ranges. It's a never-ending cat-and-mouse game. A few years ago most VPN providers would advertise that their service was "great" to b...
by arnaldo
Mon Feb 21, 2022 10:54 pm
Forum: General
Topic: WireGuard and routing tables
Replies: 21
Views: 10239

Re: WireGuard and routing tables

Finally you should be able to troubleshoot connections by pinging 10.10.10.254 from RouterB and 10.10.192.1 from Router A (who needs IP addresses for wg interface ;-P ) Ha ha ha!!! This is the part that works!!! Pinging either router from the other side! And yes, I have realized that with "all...
by arnaldo
Mon Feb 21, 2022 10:25 pm
Forum: General
Topic: UDP connection tracking not working (OpenVPN)
Replies: 7
Views: 1441

Re: UDP connection tracking not working (OpenVPN)

It is indeed a "consequence of anonymisation that went wrong"; they are the same and they are correct in the real config. The assignment of routing marks to own outgoing traffic of the router is complicated - all the packets are first routed using routing table main, and only then they go t...
by arnaldo
Mon Feb 21, 2022 9:28 pm
Forum: General
Topic: WireGuard and routing tables
Replies: 21
Views: 10239

Re: WireGuard and routing tables

(Not exactly. Gateway = < peer-address >, but it's just for the routing process, WG doesn't care about that. WG determines to which peer it should send it from their allowed-address. That's why you can't have more than one peer with the same allowed addresses on one WG interface. Good to know, as I...
by arnaldo
Mon Feb 21, 2022 1:24 pm
Forum: General
Topic: WireGuard and routing tables
Replies: 21
Views: 10239

Re: WireGuard and routing tables

Thanks for all the comments. Let me start to address some of the points: ALSO I NOTE YOUR DIAGRAM IS WRONG---> the local network A should be 10.10.10.0/20 Ah... nope: 10.10.10.0/20 = IP address 10.10.10.0 on the 10.10.0.0/20 network. The /20 applied to x.x.0.0 will go from x.x.0.0 to x.x.15.255, thu...
by arnaldo
Sun Feb 20, 2022 10:21 pm
Forum: General
Topic: WireGuard and routing tables
Replies: 21
Views: 10239

WireGuard and routing tables

I'm having a rough time with WireGuard and routing tables. I have a WireGuard VPN between 2 Mikrotik routers (both at 7.1.2, as shown in the diagram below: https://i.ibb.co/HdPpHM9/Screen-Shot-2022-02-20-at-5-07-41-PM.png Each side has proper routes to the other side's network, through WireGuard, a...
by arnaldo
Thu Feb 17, 2022 11:30 pm
Forum: General
Topic: UDP connection tracking not working (OpenVPN)
Replies: 7
Views: 1441

Re: UDP connection tracking not working (OpenVPN)

Ok. Here it is (just the relevant parts) # feb/17/2022 17:56:51 by RouterOS 7.1.2 # software id = MMRW-IEXQ # model = RB5009UG+S+ /interface ethernet set [ find default-name=ether1 ] comment="Ethernet Port #1" set [ find default-name=ether5 ] comment="Ethernet Port #5 - LAN Interface ...
by arnaldo
Thu Feb 17, 2022 8:20 pm
Forum: General
Topic: Open VPN Server Issue on a Dual WAN setup
Replies: 13
Views: 2104

Re: Open VPN Server Issue on a Dual WAN setup

With dual WAN you need to ensure that inbound packages to the routers will have their responses sent out through the same interface. - Inbound connections on the WANs that are not connection marked need to be tagged (in mangle/preroute). One rule per WAN. - On the output flow (mangle/output), if a co...
by arnaldo
Thu Feb 17, 2022 8:05 pm
Forum: General
Topic: UDP connection tracking not working (OpenVPN)
Replies: 7
Views: 1441

Re: UDP connection tracking not working (OpenVPN)

Packages addressed to the IP address of ISP_B are being returned thru ISP_A, as if connection tracking was not working. But only with UDP packages. TCP works fine.
by arnaldo
Tue Feb 15, 2022 2:24 am
Forum: General
Topic: RB760iGS - Wireguard - Road Warrior issues
Replies: 21
Views: 2555

Re: RB760iGS - Wireguard - Road Warrior issues

I put my WireGuard interface on the list of internal interfaces (LAN on the default configuration). This will solve most problems, like masquerading (if needed), firewall rules, forwarding internal to WireGuard road warriors, etc. The only firewall rule I add is to accept UDP port 13231 in the input...
by arnaldo
Tue Feb 15, 2022 2:12 am
Forum: General
Topic: UDP connection tracking not working (OpenVPN)
Replies: 7
Views: 1441

UDP connection tracking not working (OpenVPN)

I'm having a problem with connection tracking and UDP, specifically with OpenVPN (ROSv7). While the actual configuration is way more complex (PCC load balancing and recursive routing), I have simplified the scenario for testing and for posting here. - There are 2 ISPs: ISP_A and ISP_B - Configuratio...
by arnaldo
Fri Feb 11, 2022 1:27 pm
Forum: Announcements
Topic: v7.1.2 is released!
Replies: 127
Views: 34801

Re: v7.1.2 is released!

Just found out that OpenVPN server is not working in 7.1.2.
by arnaldo
Thu Feb 10, 2022 1:06 pm
Forum: Announcements
Topic: v7.1.2 is released!
Replies: 127
Views: 34801

Re: v7.1.2 is released!

WebFig still presents the IP->Routes bug. It will not properly display current routes and will become unresponsive after showing either the "Rules" tab or "Add New" or show route (basically leave and return to the route list tab). Also, there is a really weird problem with Firefox: it...
by arnaldo
Sun Jan 30, 2022 7:21 pm
Forum: RouterOS beta
Topic: Missing route on webfig
Replies: 3
Views: 3372

Re: Missing route on webfig

Same here. And it's not only IP->Routes that is "broken" (I did some digging and there are tons of Javascript errors). Another point with IP->Routes is that if you add one route (or simply press "Add New" and "Cancel"). Due to a javascript error you can't add another ro...
by arnaldo
Tue May 08, 2018 1:52 pm
Forum: General
Topic: Access public IP dst-nat from local subnet
Replies: 23
Views: 20202

Re: Access public IP dst-nat from local subnet

Congratulations for figuring it out. But it looks like you missed this page, it could save you some effort, everything is described there, even with images. But it doesn't hurt when something makes you think and discover stuff by yourself. :) Thanks for the pointer. It's indeed the same explanatio...
by arnaldo
Tue May 08, 2018 3:04 am
Forum: General
Topic: Access public IP dst-nat from local subnet
Replies: 23
Views: 20202

Re: Access public IP dst-nat from local subnet

I've been trying to make heads or tails of this, especially since all "basic" routers seem to do it without requiring any special configuration. As there are some "solutions" but no explanation of the flow, I was looking at the solutions that claim to be working, so I dare to s...
by arnaldo
Thu Apr 26, 2018 2:02 pm
Forum: General
Topic: SIP Account Registration Problem
Replies: 9
Views: 4107

Re: SIP Account Registration Problem

Maybe your ISP is filtering port 5060?
I'm running 6.42.1 and SIP is working for me (my ISP filters and I switch to port 5080).

If you are using Mikrotik SIP ALG (service port), try disabling NAT support on your client (SIP device or PBX).
by arnaldo
Sat Apr 21, 2018 11:10 pm
Forum: Scripting
Topic: DynDNS script that works?
Replies: 8
Views: 11422

Re: DynDNS script that works?

This one allows for multiple interfaces, dynamic interfaces, and even more than one DNS entry per interface. I've been using it for a few years now. :local ifs {"ppp1";"wan1";"wan1"}; :local hostnames {"a.homeip.net";"b.homeip.net";"c.homeip.net...
by arnaldo
Sat Apr 21, 2018 4:13 am
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 5982

Re: Fasttrack and route marked packets

My view of why you don't want to fasttrack "new" connections is that you want the new connection to first go through your firewall to see if safe/trusted; once the new connection is seen as safe/trusted, the established/related part of that connection can be accepted/fasttracked. That's h...
by arnaldo
Thu Apr 19, 2018 2:00 pm
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 5982

Re: Fasttrack and route marked packets

Took some time to rewrite all the rules (changing route-marks to connection-marks), adjusting passthrough and setting the new route-marks. So far it seems to be working fine. The idea to add an extra connection-mark->route-mark at the top saves most packages from having to traverse the whole chain. Combine th...
by arnaldo
Thu Apr 19, 2018 2:46 am
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 5982

Re: Fasttrack and route marked packets

Thanks for all the insights. Using connection-marks was my original approach, but I went the other way around: route-mark -> connection-mark (not a bright idea) :mrgreen: I think the following code will work: /ip firewall mangle add connection-state=new dst-address=10.10.0.0/16 chain=prerouting acti...
by arnaldo
Wed Apr 18, 2018 3:43 pm
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 5982

Re: Fasttrack and route marked packets

Interesting, my understanding of "route-mark" with a value of "main" is that it means "no routing mark" (if that's true, why not use "no-mark"). This is very confusing. Also, I've tried using routing-table, without success. Does anyone know when "routing-tabl...
by arnaldo
Wed Apr 18, 2018 3:24 am
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 5982

Fasttrack and route marked packets

I know that PBR does not play well with Fasttrack. So, I'm trying to exclude "route-marked" packets from being Fasttracked. To my understanding, the following filter rule should pick all packets that were not mangled with route-mark during prerouting: /ip firewall chain=forward action=fast...
by arnaldo
Thu Oct 13, 2016 11:40 pm
Forum: General
Topic: L2TP/IPSec for Road Warrior
Replies: 93
Views: 48781

Re: L2TP/IPSec for Road Warrior

Let me join the party and share my thoughts here. With Apple dropping PPTP, this issue has become a more sensitive problem. Setting up an L2TP/IPSEC server for road warriors was not a major problem once I moved to 6.37.1. It works fine for Win7-10, Android, macOS (10.11 and 10.12) and iOS 10. But as...
by arnaldo
Thu Oct 13, 2016 4:06 pm
Forum: General
Topic: L2TP/IPSEC client only connects on ROS reboot
Replies: 1
Views: 926

L2TP/IPSEC client only connects on ROS reboot

I'm trying to use ROS 6.37.1 (RB750GL) as an L2TP/IPSEC client (user/password + shared key), using the auto-generated IPSEC policies (I do not create the IPSEC policies, ROS does). The setup is quite straightforward and I can get it to work from mobile phones, macOS and Windows. But under ROS I can o...
by arnaldo
Wed Sep 21, 2016 2:45 am
Forum: General
Topic: Need Help: L2TP Client Interface with shared secret key
Replies: 24
Views: 45580

Re: Need Help: L2TP Client Interface with shared secret key

(at least) On 6.36.3 we can defer the creation of the IPSec peer and policy to ROS, for setting up either a L2TP/IPSec server or client. I need to set up both. Setting up the server works fine and I can connect from our target road warrior devices, iOS and Mac OS X. But I also need to make our Mikro...