Mikrotik Routers (RouterBoard & RouterOS)

Lowyat.NET forums

Lowyat.NET Kopitiam Garage Sales

Lowyat.NET Rules and Regulations FAQ Help Search Members

Welcome Guest ( Log In | Register )

Lowyat.NET -> Networks and Broadband

Bump Topic Add Reply RSS Feed

176 Pages « < 107 108 109 110 111 > » Bottom

Outline · [ Standard ] · Linear+

Enterprise Networking Mikrotik Routers (RouterBoard & RouterOS), User and owner discussion group

views

sjovie05	May 2 2020, 04:14 AM Show posts by this member only \| Post #2161
Getting Started Junior Member 131 posts Joined: Dec 2009	QUOTE(raymond82 @ May 2 2020, 02:06 AM) try to enable debug logs for wireless i have enabled this. let see if i can get anything concrete tomorrow. QUOTE(heidarren @ May 2 2020, 03:18 AM) Are you using iPhone? iOS 13 has this bug for long time, Apple still no respond yet. restart your device and you will be fine i am using samsung note 10+. the issue is that it lost connectivity to the wifi for 10-15 seconds, then it gets connected back automatically. Anyone have any idea about the extensive data loss error from the debugging below? This post has been edited by sjovie05: May 3 2020, 02:11 AM
Card PM	Report Top Like Quote Reply

PC_CHEAH	May 6 2020, 09:46 PM Show posts by this member only \| IPv6 \| Post #2162
Getting Started Junior Member 67 posts Joined: Jun 2015	Hi, I tried to setup ikev2 vpn for surfshark vpn. the connection from router to their server is established but things are not working as expected. I only want my phone (192.168.0.5) to connect to vpn but the tunnel doesn't hide my true IPv6 and it is not using the VPN DNS. .... When I IPLeak test the connection for my device, ipv4 vpn ip is detected, but ISP ipv6 are also detected. The DNS detected are google dns, not the VPN dns. (ip leaked) Then, I disabled ipv6 in the router, my device (vpn) could not get any internet anymore. I also excluded ipsec from fasttrack and added mark connections in mangle I doubt there are something to do with the DNS settings, or firewall, not sure. and is there any ways that I can automatically disable ipv6 to the clients when using the VPN without actually disable IPv6 in the router? I also posted to MikroTik forum: https://forum.mikrotik.com/viewtopic.php?f=...533c653e64a12fa any mikrotik sifu can look into my config » Click to show Spoiler - click again to hide... « CODE # apr/24/2020 00:01:14 by RouterOS 6.46.5 # software id = KFRD-V8Q1 # # model = RBD52G-5HacD2HnD # serial number = ******** /interface bridge add name=TMNETUNIFI.IPTV add admin-mac=74:4D:28:CB:14:22 auto-mac=no comment=defconf name=bridge /interface wireless set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=malaysia distance=\ indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-CB1426 wireless-protocol=802.11 set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=malaysia distance=indoors \ frequency=auto installation=indoor mode=ap-bridge ssid="AMPHAC\C2\B2" wireless-protocol=802.11 /interface vlan add interface=ether1 name=vlan500 vlan-id=500 add interface=ether1 name=vlan600 vlan-id=600 /interface pppoe-client add add-default-route=yes disabled=no interface=vlan500 name=pppoe-tmunifi service-name=TMNET_UNIFI_VDSL2 user=\ ******* /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \ supplicant-identity=MikroTik /ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot /ip ipsec mode-config add name=SSVPN responder=no src-address-list=vpnc /ip ipsec policy group add name=SSVPN /ip ipsec profile add name=SSVPN /ip ipsec peer add address=lv-rig.prod.surfshark.com disabled=yes exchange-mode=ike2 name=SSVPN profile=SSVPN /ip ipsec proposal add name=SSVPN pfs-group=none /ip pool add name=dhcp ranges=192.168.0.20-192.168.0.60 /ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=DHCP /interface bridge port add bridge=TMNETUNIFI.IPTV comment="iptv bridge to Eth 2" interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment=defconf interface=ether4 add bridge=bridge comment=defconf interface=ether5 add bridge=bridge comment=defconf interface=wlan1 add bridge=bridge comment=defconf interface=wlan2 add bridge=TMNETUNIFI.IPTV comment="vlan 600 bridge to iptv bridge" interface=vlan600 /ip neighbor discovery-settings set discover-interface-list=LAN /interface detect-internet set detect-interface-list=all /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf disabled=yes interface=ether1 list=WAN add interface=pppoe-tmunifi list=WAN /ip address add address=192.168.0.250/24 comment=defconf interface=ether4 network=192.168.0.0 /ip cloud set ddns-enabled=yes ddns-update-interval=5m /ip dhcp-client add comment=defconf interface=ether1 /ip dhcp-server lease add address=192.168.0.251 client-id=1:10:62:eb:a3:e7:73 mac-address=10:62:EB:A3:E7:73 server=DHCP add address=192.168.0.5 client-id=1:c:98:38:d2:fc:63 mac-address=0C:98:38:D2:FC:63 server=DHCP add address=192.168.0.1 client-id=1:9c:5c:8e:7b:c1:23 mac-address=9C:5C:8E:7B:C1:23 server=DHCP /ip dhcp-server network add address=192.168.0.0/24 comment=defconf gateway=192.168.0.250 netmask=24 /ip dns set servers=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844 /ip dns static add address=192.168.0.250 comment=defconf name=router.lan /ip firewall address-list add address=bef00a0a78c5.sn.mynetname.net list=WAN-IP add address=192.168.0.5 list=vpnc add address=192.168.0.1 disabled=yes list=vpnc /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=accept chain=input comment="WINBOX REMOTE ACCESS" dst-port=8291 protocol=tcp add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \ disabled=yes add action=fasttrack-connection chain=forward comment="FastTrack w !ipsec" connection-mark=!ipsec connection-state=\ established,related add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN /ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/24 src-address=192.168.0.0/24 add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN add action=dst-nat chain=dstnat comment="MC Server 25565" dst-address-list=WAN-IP dst-port=25565 protocol=tcp \ to-addresses=192.168.0.1 to-ports=25565 add action=dst-nat chain=dstnat comment="MC Server 25566" dst-address-list=WAN-IP dst-port=25566 protocol=tcp \ to-addresses=192.168.0.1 to-ports=25566 /ip ipsec identity add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict \ mode-config=SSVPN peer=SSVPN policy-template-group=SSVPN username=******* /ip ipsec policy add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0 set 1 disabled=yes add group=SSVPN proposal=SSVPN template=yes /ipv6 address add from-pool=pppoev6 interface=bridge /ipv6 dhcp-client add add-default-route=yes interface=pppoe-tmunifi pool-name=pppoev6 request=prefix use-peer-dns=no /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6 add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6 add address=::/104 comment="defconf: other" list=bad_ipv6 add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6 /ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \ src-address=fe80::/10 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN /system clock set time-zone-name=Asia/Kuala_Lumpur /system identity set name=AMPHAC2 /system ntp client set enabled=yes primary-ntp=203.95.213.129 secondary-ntp=162.159.200.123 server-dns-names="" /system scheduler add interval=5m name=DynDNS on-event=DynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \ start-time=startup /system script add dont-require-permissions=no name=DynDNS owner=amph policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser \"*********\"\r\ \n:global ddnspass \"**********\"\r\ \n:global theinterface \"pppoe-tmunifi\"\r\ \n:global ddnshost \"*******\" \r\ \n:global ipddns [:resolve \$ddnshost];\r\ \n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\r\ \n:if ([ :typeof \$ipfresh ] = nil ) do={\r\ \n :log info (\"DynDNS: No ip address on \$theinterface .\")\r\ \n} else={\r\ \n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \r\ \n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \r\ \n :set ipfresh [:pick \$ipfresh 0 \$i];\r\ \n } \r\ \n}\r\ \n \r\ \n:if (\$ipddns != \$ipfresh) do={\r\ \n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\r\ \n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\r\ \n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\r\ \n :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\ \n /tool fetch address=members.dyndns.org src-path=\$str mode=http user=\$ddnsuser \\\r\ \n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\r\ \n :delay 1\r\ \n :global str [/file find name=\"DynDNS.\$ddnshost\"];\r\ \n /file remove \$str\r\ \n :global ipddns \$ipfresh\r\ \n :log info \"DynDNS: IP updated to \$ipfresh!\"\r\ \n } else={\r\ \n :log info \"DynDNS: dont need changes\";\r\ \n }\r\ \n} " /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN This post has been edited by PC_CHEAH**: May 6 2020, 09:47 PM
Card PM	Report Top Like Quote Reply

asellus	May 7 2020, 09:29 AM Show posts by this member only \| Post #2163
#gompusas Elite 4,541 posts Joined: Jan 2003 From: BSRPPG51 Access Concentrator	QUOTE(PC_CHEAH @ May 6 2020, 09:46 PM) Hi, I tried to setup ikev2 vpn for surfshark vpn. the connection from router to their server is established but things are not working as expected. I only want my phone (192.168.0.5) to connect to vpn but the tunnel doesn't hide my true IPv6 and it is not using the VPN DNS. .... When I IPLeak test the connection for my device, ipv4 vpn ip is detected, but ISP ipv6 are also detected. The DNS detected are google dns, not the VPN dns. (ip leaked) Then, I disabled ipv6 in the router, my device (vpn) could not get any internet anymore. I also excluded ipsec from fasttrack and added mark connections in mangle I doubt there are something to do with the DNS settings, or firewall, not sure. and is there any ways that I can automatically disable ipv6 to the clients when using the VPN without actually disable IPv6 in the router? I also posted to MikroTik forum: https://forum.mikrotik.com/viewtopic.php?f=...533c653e64a12fa any mikrotik sifu can look into my config » Click to show Spoiler - click again to hide... « CODE # apr/24/2020 00:01:14 by RouterOS 6.46.5 # software id = KFRD-V8Q1 # # model = RBD52G-5HacD2HnD # serial number = ******** /interface bridge add name=TMNETUNIFI.IPTV add admin-mac=74:4D:28:CB:14:22 auto-mac=no comment=defconf name=bridge /interface wireless set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=malaysia distance=\ indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-CB1426 wireless-protocol=802.11 set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=malaysia distance=indoors \ frequency=auto installation=indoor mode=ap-bridge ssid="AMPHAC\C2\B2" wireless-protocol=802.11 /interface vlan add interface=ether1 name=vlan500 vlan-id=500 add interface=ether1 name=vlan600 vlan-id=600 /interface pppoe-client add add-default-route=yes disabled=no interface=vlan500 name=pppoe-tmunifi service-name=TMNET_UNIFI_VDSL2 user=\ ******* /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \ supplicant-identity=MikroTik /ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot /ip ipsec mode-config add name=SSVPN responder=no src-address-list=vpnc /ip ipsec policy group add name=SSVPN /ip ipsec profile add name=SSVPN /ip ipsec peer add address=lv-rig.prod.surfshark.com disabled=yes exchange-mode=ike2 name=SSVPN profile=SSVPN /ip ipsec proposal add name=SSVPN pfs-group=none /ip pool add name=dhcp ranges=192.168.0.20-192.168.0.60 /ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=DHCP /interface bridge port add bridge=TMNETUNIFI.IPTV comment="iptv bridge to Eth 2" interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment=defconf interface=ether4 add bridge=bridge comment=defconf interface=ether5 add bridge=bridge comment=defconf interface=wlan1 add bridge=bridge comment=defconf interface=wlan2 add bridge=TMNETUNIFI.IPTV comment="vlan 600 bridge to iptv bridge" interface=vlan600 /ip neighbor discovery-settings set discover-interface-list=LAN /interface detect-internet set detect-interface-list=all /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf disabled=yes interface=ether1 list=WAN add interface=pppoe-tmunifi list=WAN /ip address add address=192.168.0.250/24 comment=defconf interface=ether4 network=192.168.0.0 /ip cloud set ddns-enabled=yes ddns-update-interval=5m /ip dhcp-client add comment=defconf interface=ether1 /ip dhcp-server lease add address=192.168.0.251 client-id=1:10:62:eb:a3:e7:73 mac-address=10:62:EB:A3:E7:73 server=DHCP add address=192.168.0.5 client-id=1:c:98:38:d2:fc:63 mac-address=0C:98:38:D2:FC:63 server=DHCP add address=192.168.0.1 client-id=1:9c:5c:8e:7b:c1:23 mac-address=9C:5C:8E:7B:C1:23 server=DHCP /ip dhcp-server network add address=192.168.0.0/24 comment=defconf gateway=192.168.0.250 netmask=24 /ip dns set servers=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844 /ip dns static add address=192.168.0.250 comment=defconf name=router.lan /ip firewall address-list add address=bef00a0a78c5.sn.mynetname.net list=WAN-IP add address=192.168.0.5 list=vpnc add address=192.168.0.1 disabled=yes list=vpnc /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=accept chain=input comment="WINBOX REMOTE ACCESS" dst-port=8291 protocol=tcp add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \ disabled=yes add action=fasttrack-connection chain=forward comment="FastTrack w !ipsec" connection-mark=!ipsec connection-state=\ established,related add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN /ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/24 src-address=192.168.0.0/24 add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN add action=dst-nat chain=dstnat comment="MC Server 25565" dst-address-list=WAN-IP dst-port=25565 protocol=tcp \ to-addresses=192.168.0.1 to-ports=25565 add action=dst-nat chain=dstnat comment="MC Server 25566" dst-address-list=WAN-IP dst-port=25566 protocol=tcp \ to-addresses=192.168.0.1 to-ports=25566 /ip ipsec identity add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict \ mode-config=SSVPN peer=SSVPN policy-template-group=SSVPN username=******* /ip ipsec policy add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0 set 1 disabled=yes add group=SSVPN proposal=SSVPN template=yes /ipv6 address add from-pool=pppoev6 interface=bridge /ipv6 dhcp-client add add-default-route=yes interface=pppoe-tmunifi pool-name=pppoev6 request=prefix use-peer-dns=no /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6 add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6 add address=::/104 comment="defconf: other" list=bad_ipv6 add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6 /ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \ src-address=fe80::/10 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN /system clock set time-zone-name=Asia/Kuala_Lumpur /system identity set name=AMPHAC2 /system ntp client set enabled=yes primary-ntp=203.95.213.129 secondary-ntp=162.159.200.123 server-dns-names="" /system scheduler add interval=5m name=DynDNS on-event=DynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \ start-time=startup /system script add dont-require-permissions=no name=DynDNS owner=amph policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser \"*********\"\r\ \n:global ddnspass \"**********\"\r\ \n:global theinterface \"pppoe-tmunifi\"\r\ \n:global ddnshost \"*********\" \r\ \n:global ipddns [:resolve \$ddnshost];\r\ \n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\r\ \n:if ([ :typeof \$ipfresh ] = nil ) do={\r\ \n :log info (\"DynDNS: No ip address on \$theinterface .\")\r\ \n} else={\r\ \n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \r\ \n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \r\ \n :set ipfresh [:pick \$ipfresh 0 \$i];\r\ \n } \r\ \n}\r\ \n \r\ \n:if (\$ipddns != \$ipfresh) do={\r\ \n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\r\ \n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\r\ \n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\r\ \n :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\ \n /tool fetch address=members.dyndns.org src-path=\$str mode=http user=\$ddnsuser \\\r\ \n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\r\ \n :delay 1\r\ \n :global str [/file find name=\"DynDNS.\$ddnshost\"];\r\ \n /file remove \$str\r\ \n :global ipddns \$ipfresh\r\ \n :log info \"DynDNS: IP updated to \$ipfresh!\"\r\ \n } else={\r\ \n :log info \"DynDNS: dont need changes\";\r\ \n }\r\ \n} " /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN Have you marked your connection in /ipv6 firewall mangle? Did surfshark vpn even support IPv6 on the VPN?
Card PM	Report Top Like Quote Reply

PC_CHEAH	May 7 2020, 02:41 PM Show posts by this member only \| Post #2164
Getting Started Junior Member 67 posts Joined: Jun 2015	QUOTE(asellus @ May 7 2020, 09:29 AM) Have you marked your connection in /ipv6 firewall mangle? Did surfshark vpn even support IPv6 on the VPN? I suppose they do not support ipv6, I intend to block ipv6 for my vpn tunnel device on the router side. Not very sure how to do that on ipv6 firewall.
Card PM	Report Top Like Quote Reply

asellus	May 7 2020, 04:33 PM Show posts by this member only \| Post #2165
#gompusas Elite 4,541 posts Joined: Jan 2003 From: BSRPPG51 Access Concentrator	QUOTE(PC_CHEAH @ May 7 2020, 02:41 PM) I suppose they do not support ipv6, I intend to block ipv6 for my vpn tunnel device on the router side. Not very sure how to do that on ipv6 firewall. Considering how ipleak.net works, IPv6 route leak is inevitable. No good way to disable IPv6 for a device when connected to the VPN due to the inflexibility of routerOS' IKEv2 implementation, routerOS' hopeless IPv6 stack and, if you use TM Unifi, their IPv6 limitations too. The latter two is especially infuriating. Just disable IPv6 to use the VPN correctly.
Card PM	Report Top Like Quote Reply

PC_CHEAH	May 7 2020, 05:11 PM Show posts by this member only \| Post #2166
Getting Started Junior Member 67 posts Joined: Jun 2015	QUOTE(asellus @ May 7 2020, 04:33 PM) Considering how ipleak.net works, IPv6 route leak is inevitable. No good way to disable IPv6 for a device when connected to the VPN due to the inflexibility of routerOS' IKEv2 implementation, routerOS' hopeless IPv6 stack and, if you use TM Unifi, their IPv6 limitations too. The latter two is especially infuriating. Just disable IPv6 to use the VPN correctly. after disabling ipv6, all websites I browse just connection timed out, but I'm able to ping IP addresses. I doubt the dns are also a problem. the dynamic servers below are vpn dns es. » Click to show Spoiler - click again to hide... « DNS es I get from my PC I think it query the router first (custom DNS) and not the vpn dnses below, could this be the cause of the timeout? From mikrotik forums, they said it is the encrypted packets not getting delivered to the vpn tunnel. Not sure what can I do about this. This post has been edited by PC_CHEAH: May 7 2020, 05:28 PM
Card PM	Report Top Like Quote Reply

asellus	May 7 2020, 10:33 PM Show posts by this member only \| Post #2167
#gompusas Elite 4,541 posts Joined: Jan 2003 From: BSRPPG51 Access Concentrator	QUOTE(PC_CHEAH @ May 7 2020, 05:11 PM) after disabling ipv6, all websites I browse just connection timed out, but I'm able to ping IP addresses. I doubt the dns are also a problem. the dynamic servers below are vpn dns es. » Click to show Spoiler - click again to hide... « DNS es I get from my PC I think it query the router first (custom DNS) and not the vpn dnses below, could this be the cause of the timeout? From mikrotik forums, they said it is the encrypted packets not getting delivered to the vpn tunnel. Not sure what can I do about this. If you set up the DNS server directly on the computer ethernet adapter (try using Google DNS), will you still see the same problem?
Card PM	Report Top Like Quote Reply

PC_CHEAH	May 8 2020, 05:26 PM Show posts by this member only \| Post #2168
Getting Started Junior Member 67 posts Joined: Jun 2015	QUOTE(asellus @ May 7 2020, 10:33 PM) If you set up the DNS server directly on the computer ethernet adapter (try using Google DNS), will you still see the same problem? Yes.
Card PM	Report Top Like Quote Reply

asellus	May 8 2020, 05:42 PM Show posts by this member only \| Post #2169
#gompusas Elite 4,541 posts Joined: Jan 2003 From: BSRPPG51 Access Concentrator	QUOTE(PC_CHEAH @ May 8 2020, 05:26 PM) Yes. Go to /ip dhcp-server network and explicitly tell the DHCP server to only serve the router's IP address OR the Quad9 IP addresses but NOT BOTH.
Card PM	Report Top Like Quote Reply

PC_CHEAH	May 9 2020, 05:34 PM Show posts by this member only \| Post #2170
Getting Started Junior Member 67 posts Joined: Jun 2015	QUOTE(asellus @ May 8 2020, 05:42 PM) Go to /ip dhcp-server network and explicitly tell the DHCP server to only serve the router's IP address OR the Quad9 IP addresses but NOT BOTH. It didn't work though, my VPN devices also get the dns I set.
Card PM	Report Top Like Quote Reply

asellus	May 9 2020, 05:47 PM Show posts by this member only \| Post #2171
#gompusas Elite 4,541 posts Joined: Jan 2003 From: BSRPPG51 Access Concentrator	QUOTE(PC_CHEAH @ May 9 2020, 05:34 PM) It didn't work though, my VPN devices also get the dns I set. Go to /ip ipsec mode-config and then delete Surfshark's mode-config connection mark and address list. Then disable IPv6. Restart the router, then try going to ipleak.net
Card PM	Report Top Like Quote Reply

cybercrew	May 13 2020, 01:36 AM Show posts by this member only \| Post #2172
Getting Started Junior Member 183 posts Joined: Sep 2009 From: Petaling Jaya, Malaysia	Anyone using USB LAN Adapter on Mikrotik RB750gr3 here? If yes please share the model of your USB Lan Adapter. It seems only ASIX AX88772 chipset will work but many are areporting even that doesnt work in mikrotik forum.
Card PM	Report Top Like Quote Reply

quadcube	May 13 2020, 12:22 PM Show posts by this member only \| Post #2173
Regular Senior Member 1,924 posts Joined: May 2009 From: Yokohama, JP	QUOTE(cybercrew @ May 13 2020, 01:36 AM) Anyone using USB LAN Adapter on Mikrotik RB750gr3 here? If yes please share the model of your USB Lan Adapter. It seems only ASIX AX88772 chipset will work but many are areporting even that doesnt work in mikrotik forum. just tested mine USB LAN adapter on my HAP AC. HAP AC detects the USB LAN adapter and list it as an ethernet interface (Auto nego: incomplete, rate: unknown) on the other end, device could not get any IP added the new interface to bridge, DHCP now serves an IP to the device The USB LAN adapter that I tested https://www.planex.co.jp/products/usb-lan1000r/spec.shtml
Card PM	Report Top Like Quote Reply

cybercrew	May 13 2020, 08:30 PM Show posts by this member only \| Post #2174
Getting Started Junior Member 183 posts Joined: Sep 2009 From: Petaling Jaya, Malaysia	QUOTE(quadcube @ May 13 2020, 12:22 PM) just tested mine USB LAN adapter on my HAP AC. HAP AC detects the USB LAN adapter and list it as an ethernet interface (Auto nego: incomplete, rate: unknown) on the other end, device could not get any IP added the new interface to bridge, DHCP now serves an IP to the device The USB LAN adapter that I tested https://www.planex.co.jp/products/usb-lan1000r/spec.shtml Thanks..but where did you got this from..I couldn't find this model in lazada or shopee.. Any other model.apart.from.this?
Card PM	Report Top Like Quote Reply

quadcube	May 13 2020, 08:46 PM Show posts by this member only \| Post #2175
Regular Senior Member 1,924 posts Joined: May 2009 From: Yokohama, JP	QUOTE(cybercrew @ May 13 2020, 08:30 PM) Thanks..but where did you got this from..I couldn't find this model in lazada or shopee.. Any other model.apart.from.this? bought a bunch of them from JP, it's one of the popular driverless USB LAN adapter in JP. not sure if there's any in MY don't have any other USB LAN adapter to test
Card PM	Report Top Like Quote Reply

cybercrew	May 13 2020, 09:04 PM Show posts by this member only \| Post #2176
Getting Started Junior Member 183 posts Joined: Sep 2009 From: Petaling Jaya, Malaysia	no wonder.. when i google .. it is mostly redirecting to JP stores.. anyway thanks for the info.
Card PM	Report Top Like Quote Reply

quadcube	May 13 2020, 10:49 PM Show posts by this member only \| Post #2177
Regular Senior Member 1,924 posts Joined: May 2009 From: Yokohama, JP	QUOTE(cybercrew @ May 13 2020, 09:04 PM) no wonder.. when i google .. it is mostly redirecting to JP stores.. anyway thanks for the info. try to find the adapter that supports CDC-ECM or CDC-NCM (linux driver) out of the box. not sure what is the exact problem that u faced but my assumption would be something related to drivers?
Card PM	Report Top Like Quote Reply

engonaplane	May 13 2020, 11:41 PM Show posts by this member only \| Post #2178
New Member Junior Member 43 posts Joined: Mar 2020	QUOTE(th3game @ Dec 18 2019, 04:42 PM) hi guys..im still exploring my new hap ac2 and got question.. » Click to show Spoiler - click again to hide... « I have the following setup: Internet ---->HAP AC2 (local ip 192.168.1.1) --->Dlink dgs 1100 switch (static local IP 192.168.1.2)---> asus router as APs static local ip 192.168.1.3 & 192.168.1.4 (not Vlan aware devices) hap ac2 trunking port 2 (vlan30,vlan40) to the switch port 1 n configured as tagged vlans asus AP 1 connect to port 3 on switch as untagged vlan30 asue AP 2 connect to port 4 on switch as untagged vlan40 vlan30 - tagged port 1, untagged port 3 vlan40 - tagged port 1, untagged port 4 management vlan - vlan1 router hap ac2 DHCP address space : 192.168.1.0/24 gateway for DHCP network : 192.168.1.1 addresses to give out : 192.168.1.10 - 192.168.1.254 interface : vlan30 DHCP address space : 10.10.30.0/24 gateway for DHCP network : 10.10.30.1 addresses to give out : 10.10.30.2 - 10.10.30.254 interface : vlan40 DHCP address space : 10.10.40.0/24 gateway for DHCP network : 10.10.40.1 addresses to give out : 10.10.40.2 - 10.10.40.254 default config enable for hap ac2 i can access the internet wifi from asus AP 1 and got ip 10.10.30.254 i can access the internet wifi from asus AP 2 and got ip 10.10.40.254 questions.. I am able to connect to the hap ac2 local IP (192.168.1.1) via Winbox when connected to mikrotik wifi I also want to be able to connect to the switch (192.168.1.2) & Asus APs (192.168.1.3 & 192.168.1.4) via local IP wirelessly. Aleady tried to use mikrotik wifi to connect to those local IP but cannot Any solutions/suggestions will be highly appreciated..sorry if my question is bit noob if i recall correctly you can do a manual ARP route to force it across. But however I am curious / don't understand why you decided to run 3 VLANs in your home just to split by AP. I have the same setup (but only 1 mikrotik). All run on the same network range (no VLAN) allowing me to easily maintain all APs regardless where I am connected. I don't think you use up 200+ IP addresses right? QUOTE(th3game @ Mar 14 2020, 10:38 PM) anyone managed to setup IPSec ikev2 on mikrotik router for remote clients? this should help https://forum.mikrotik.com/viewtopic.php?t=145138
Card PM	Report Top Like Quote Reply

hao0302	May 16 2020, 02:24 AM Show posts by this member only \| Post #2179
New Member Junior Member 49 posts Joined: May 2011	QUOTE(th3game @ Dec 18 2019, 04:42 PM) hi guys..im still exploring my new hap ac2 and got question.. I have the following setup: Internet ---->HAP AC2 (local ip 192.168.1.1) --->Dlink dgs 1100 switch (static local IP 192.168.1.2)---> asus router as APs static local ip 192.168.1.3 & 192.168.1.4 (not Vlan aware devices) hap ac2 trunking port 2 (vlan30,vlan40) to the switch port 1 n configured as tagged vlans asus AP 1 connect to port 3 on switch as untagged vlan30 asue AP 2 connect to port 4 on switch as untagged vlan40 vlan30 - tagged port 1, untagged port 3 vlan40 - tagged port 1, untagged port 4 management vlan - vlan1 router hap ac2 DHCP address space : 192.168.1.0/24 gateway for DHCP network : 192.168.1.1 addresses to give out : 192.168.1.10 - 192.168.1.254 interface : vlan30 DHCP address space : 10.10.30.0/24 gateway for DHCP network : 10.10.30.1 addresses to give out : 10.10.30.2 - 10.10.30.254 interface : vlan40 DHCP address space : 10.10.40.0/24 gateway for DHCP network : 10.10.40.1 addresses to give out : 10.10.40.2 - 10.10.40.254 default config enable for hap ac2 i can access the internet wifi from asus AP 1 and got ip 10.10.30.254 i can access the internet wifi from asus AP 2 and got ip 10.10.40.254 questions.. I am able to connect to the hap ac2 local IP (192.168.1.1) via Winbox when connected to mikrotik wifi I also want to be able to connect to the switch (192.168.1.2) & Asus APs (192.168.1.3 & 192.168.1.4) via local IP wirelessly. Aleady tried to use mikrotik wifi to connect to those local IP but cannot Any solutions/suggestions will be highly appreciated..sorry if my question is bit noob You need to enable forward between vlan30,40 with the local ip under ip>firewall. Btw if you are not planning to isolate these three network you may use only one ip range instead of difference vlans.
Card PM	Report Top Like Quote Reply

quadcube	Jun 8 2020, 09:44 PM Show posts by this member only \| Post #2180
Regular Senior Member 1,924 posts Joined: May 2009 From: Yokohama, JP	anyone managed to maintain IKEv2 connection for more than 8 minutes? setup an IKEv2 VPN server on the HAP AC^2, certificate authenticated. client used is a Mac.
Card PM	Report Top Like Quote Reply

« Next Oldest · Networks and Broadband · Next Newest »

176 Pages « < 107 108 109 110 111 > » Top

Add Reply Options

Change to:

0.0232sec

0.51

6 queries

GZIP Disabled
Time is now: 21st December 2025 - 10:16 PM

All Rights Reserved © 2002- 2025 Vijandren Ramadass (~unite against racism~)

Removal Request

Powered by Invision Power Board © 2025 IPS, Inc.