Recently I had a customer call; they were missing some tools like “Ip Scan” and others under Tools. They had forgotten to add in the “advanced tools” package. Sometimes this is not default. You have to manually add it in.
From the latest Mikrotik newsletter
You have a customer with a Mikrotik router that needs a port forwarded to an internal IP address. In our case, a customer has a camera that communicates on port 80 with a static IP address of 192.168.21.49 on their internal LAN.
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.21.49 to-ports=80
Recently there has been some activity on integration with LetsEncrypt and Mikrotik. While Mikrotik does not directly support LetsEncrypt yet, you can make it work with this setup.
From the GitHub Page:
How it works:
- Dedicated Linux renews and pushes certificates to RouterOS / Mikrotik
- After CertBot renews your certificates
- The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
- Delete previous certificate files
- Delete the previous certificate
- Upload two new files: Certificate and Key
- Import Certificate and Key
- Change SSTP Server Settings to use new certificate
- Delete certificate and key files from RouterOS / Mikrotik storage
While not perfect, it is a start.
While troubleshooting an issue this morning I went to upgrade the routerboard firmware on a CCR after bringing it up to 6.42. The upgrade-firmware now appears to match with the router-os version.
/system routerboard print
Now, if Mikrotik would just provide release notes on the routerboard firmware in a handy place.
Some basic IPv6 firewall rules for Mikrotik. Replace in-interface=”” with your appropriate interface.
/ipv6 firewall filter
# input chain: traffic addressed to the router itself
add chain=input protocol=icmpv6
add chain=input connection-state=established,related
# DHCPv6 server (UDP 547) replies to the router's DHCPv6 client (UDP 546) on the WAN
add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-wan
# forward chain: traffic routed through the router
add chain=forward protocol=icmpv6
add chain=forward connection-state=established,related
add chain=forward connection-state=new in-interface=!ether1-wan
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-wan
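To check what the ruleset above does with a particular packet, here is an added example (not from the original post and not MikroTik code): a simplified first-match model of the filter in Python, with the page's rules embedded and one constructed packet. It assumes only the matchers these rules use, that a rule without action= accepts, and that a packet matching no rule is accepted.

```python
import shlex
# IPv6 filter rules from this page (ether1-wan is its WAN interface name).
RULES_TEXT = """\
add chain=input protocol=icmpv6
add chain=input connection-state=established,related
add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-wan
add chain=forward protocol=icmpv6
add chain=forward connection-state=established,related
add chain=forward connection-state=new in-interface=!ether1-wan
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-wan
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict of its properties."""
    rules = []
    for line in text.splitlines():
        words = shlex.split(line)
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:]))
    return rules

def matches(rule, pkt):
    """True when every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        have = str(pkt.get(key, ""))
        if key == "connection-state":
            ok = have in want.split(",")      # any listed state matches
        elif want.startswith("!"):
            ok = have != want[1:]             # negated matcher
        else:
            ok = have == want
        if not ok:
            return False
    return True

def verdict(rules, chain, pkt):
    """Return (action, 0-based rule index); first match wins, no match accepts."""
    for n, rule in enumerate(rules):
        if rule["chain"] == chain and matches(rule, pkt):
            return rule.get("action", "accept"), n
    return "accept", None

RULES = parse_rules(RULES_TEXT)
# Constructed packet: unsolicited TCP to the router from the WAN -> ('drop', 4)
print(verdict(RULES, "input", {"protocol": "tcp", "connection-state": "new", "in-interface": "ether1-wan"}))
```

Running the same function with a new connection arriving on a LAN port for the router itself returns ("accept", None): no input rule matches it, so these rules restrict only the WAN side.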
Recently we had an issue with an IPsec tunnel on Mikrotik passing multiple subnets across a tunnel with multiple policies. The problem is that packet forwarding and encryption only work for one destination (the first matched IPsec policy), and the other subnet, which has the second policy, did not work. In our case, we had two subnets, 192.168.115.0/24 and 192.168.116.0/24, going across the tunnel. We could reach things on 116, but not 115. The following blog post was the fix for our issue.
Once the level was set to “unique” everything was good.
I have had this bookmarked for a while. It helped out today so I figured I would share it. Applies to other phone systems doing HTTP configs.
I had a simple network consisting of a Mikrotik hooked to an internet connection along with 3 APs behind it. Nothing fancy. The network was experiencing dropouts in service. The internet would just stop. One of the most noticeable things was that iPhones would drop the wireless link and revert back to LTE, or the internet would just stop working for them. This was happening on a very regular basis.
Wireless testing was done, new APs were added, but no one thought to check the ports on the headend router. Upon investigation of the logs this was found:
Normally this would be a slam dunk; however, there was nothing plugged in at all to ether4 to generate these errors. No cable, no nothing. If you disabled the port the errors would go away. Re-enable the port and they would come back. Upgrade and downgrade of the OS did not seem to fix the issue. A new headend router was installed and everything was back to working normally.