MikroTik + Keenetic: FAQ and Step-by-Step Diagnostics
Published on September 21, 2025
This article is compiled as a “cheat sheet” for SOHO/SMB networks: common issues, their symptoms, causes, quick fixes, and diagnostic checklists. Suitable for both engineers and admins who maintain the MikroTik ↔ Keenetic bundle.
📑 Navigation
- EoIP “freezes” when transferring large files
- Site-to-Site VPN is up, but traffic doesn’t pass
- NAT breaks VPN/EoIP
- MTU/MSS: how to choose correctly
- Policy Routing (RouterOS 7)
- SMB from another subnet doesn’t work
- Quick diagnostics checklist
- Command cheat sheet
- Typical MTUs for tunnels
- NAT/Firewall exceptions matrix
- Common pitfalls
- Visualizations
- Resources and documentation
1) EoIP “freezes” when transferring large files
Symptoms: SMB/FTP hangs, speed fluctuates, RDP drops. Causes: incorrect MTU/MSS, fast-path with IPsec, NAT/Firewall errors.
⚡ Quick fix (MikroTik):
/interface eoip add name=eoip-tun remote-address=203.0.113.1 tunnel-id=10 mtu=1476 clamp-tcp-mss=yes
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
# fast-path is a tunnel-interface property in RouterOS, not an ethernet one
/interface eoip set eoip-tun allow-fast-path=no
Keenetic (CLI):
interface Tunnel0
ip tcp adjust-mss 1360
In web interface: Internet → Other connections → Tunnel → “Limit MSS”.
2) Site-to-Site VPN is up, but traffic doesn’t pass
Symptoms: tunnel is “UP”, but no ping/SMB between subnets. Causes: routes, NAT, IPsec selectors, firewall.
Example (MikroTik, IPsec S2S):
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    sa-src-address=<local-wan-ip> sa-dst-address=203.0.113.2 tunnel=yes action=encrypt peer=<peer-name>
# peer, identity and proposal are created separately; policy-based IPsec needs no route,
# the policy above captures traffic to 192.168.2.0/24
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 place-before=<id-masq>
Example (Keenetic, OpenVPN server):
vpn-server openvpn
direct-access enable
pool 10.8.0.0/24
route 192.168.1.0/24
3) NAT breaks VPN/EoIP
Symptoms: tunnel goes up, but no communication between networks. Solution: exclude inter-subnet traffic from masquerade.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 place-before=<id-masq>
4) MTU/MSS: how to choose correctly
Algorithm:
- Find Path MTU (ping df=yes).
- Set tunnel MTU lower by overhead.
- Enable MSS clamp.
/ping <peer-wan-ip> size=1472 df=yes
/ping <peer-lan-ip> interface=eoip-tun size=1450 df=yes
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
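The three-step algorithm above carried through in code, as an added example that is not part of the original article: binary-search the path MTU with DF probes, then derive the tunnel MTU and the MSS clamp from it. The probe is injected so the search runs offline here; `simulated_path`, the `TUNNEL_OVERHEAD` values and the Linux `ping -M do -s` size conversion are assumptions.

```python
"""Added example (not from the article): path-MTU search + tunnel MTU/MSS sizing.
The DF probe is injected so the search runs offline; in practice probe(size)
would issue `ping -M do -s <size-28> <peer>` on Linux and return True on reply."""
from typing import Callable

IP_TCP_HEADERS = 40      # IPv4 (20) + TCP (20) headers: MSS = MTU - 40
ICMP_IP_HEADERS = 28     # IPv4 (20) + ICMP (8): Linux ping -s takes the payload size

# Encapsulation overhead per tunnel type; assumed values taken from the upper
# end of the article's MTU table, adjust to the measured overhead of your tunnel.
TUNNEL_OVERHEAD = {"eoip": 42, "ipsec": 60, "openvpn": 50, "l2tp": 40}

def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest total IP packet size that passes with DF set, found by binary search.
    probe(size) must return True when a DF ping of that total size is answered."""
    if not probe(lo):
        raise RuntimeError(f"{lo}-byte DF packets are dropped: the path is broken, not just small")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # fits: search upward
        else:
            hi = mid - 1      # fragmentation needed: search downward
    return lo

def size_tunnel(path_mtu: int, tunnel: str) -> dict:
    """Steps 2 and 3 of the article: tunnel MTU = PMTU - overhead, MSS = MTU - 40."""
    mtu = path_mtu - TUNNEL_OVERHEAD[tunnel]
    return {"path_mtu": path_mtu, "tunnel_mtu": mtu, "tcp_mss": mtu - IP_TCP_HEADERS}

def ping_payload(total_size: int) -> int:
    """Convert a total IP size to the -s value for `ping -M do` (1500 -> 1472)."""
    return total_size - ICMP_IP_HEADERS

def simulated_path(true_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real probe: a path that drops anything above true_mtu."""
    return lambda size: size <= true_mtu

if __name__ == "__main__":
    pmtu = find_path_mtu(simulated_path(1492))       # e.g. a PPPoE uplink
    print(size_tunnel(pmtu, "eoip"))                  # tunnel_mtu 1450, tcp_mss 1410
```

Swap `simulated_path` for a function that runs the real DF ping and the same search yields the values to put into `mtu=` and `new-mss=`.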
5) Policy Routing (RouterOS 7)
Symptoms: traffic ignores required rules. Example:
/routing table add name=to-vpn fib
/ip route add dst-address=0.0.0.0/0 gateway=10.8.0.1 routing-table=to-vpn
/routing rule add action=lookup-only-in-table table=to-vpn src-address=192.168.1.0/24
6) SMB from another subnet doesn’t work
Causes: NAT/Firewall, NetBIOS broadcast doesn’t route, DNS. Solution: allow TCP/445, TCP/139, UDP/137-138, disable NAT between subnets.
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=445,139 src-address=192.168.1.0/24 dst-address=192.168.2.0/24
/ip firewall filter add chain=forward action=accept protocol=udp dst-port=137-138 src-address=192.168.1.0/24 dst-address=192.168.2.0/24
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 place-before=<id-masq>
✅ Quick diagnostics checklist
- L3 connectivity: ping WAN↔WAN, LAN↔LAN.
- MTU/MSS: ping df=yes, MSS clamp.
- Routes: ip route print, traceroute.
- NAT: exceptions before masquerade.
- Firewall: allow rules, counters.
- Tunnel: SA/peers (IPsec), client (OVPN).
- CPU/load: torch, monitor-traffic.
- Services: telnet host 445.
- DNS/WINS: name resolution.
- Logs/pcap: tool sniffer.
📜 Command cheat sheet
MikroTik:
/ping <ip> size=1472 df=yes
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
/ip firewall nat add chain=srcnat action=accept src-address=<LAN-A>/24 dst-address=<LAN-B>/24 place-before=<id-masq>
/routing table add name=to-vpn fib
/ip ipsec active-peers print
/tool torch <iface>
/tool sniffer quick interface=<iface> file-name=trace.pcap
Keenetic:
show interface Tunnel0
show ip route
show ip nat translations
interface Tunnel0
ip tcp adjust-mss 1360
📊 Typical MTUs for tunnels
| Tunnel type | MTU | MSS | Overhead |
| --- | --- | --- | --- |
| EoIP | 1476 | 1436 | ~42 |
| IPsec | 1400 | 1360 | ~50–60 |
| OpenVPN | 1410 | 1370 | ~40–50 |
| L2TP | 1400 | 1360 | ~40 |
🔀 NAT/Firewall exceptions matrix
| Src Subnet | Dst Subnet | NAT Action | Firewall Ports | Note |
| --- | --- | --- | --- | --- |
| 192.168.1.0/24 | 192.168.2.0/24 | accept | TCP 445, 139; UDP 137-138 | SMB/VPN |
| 192.168.1.0/24 | 10.8.0.0/24 | accept | TCP 443, UDP 1194 | OpenVPN |
| 192.168.2.0/24 | 1.1.1.1/32 | accept | UDP 53 | DNS via VPN |
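The matrix above, and the NAT exception pattern of sections 3 and 6, turned into RouterOS commands by an added script that is not part of the original article. It parses the "Firewall Ports" column and emits one srcnat accept rule (ordered before masquerade) plus one forward accept per protocol group; the `place-before=[find ...]` expression assumes a single masquerade rule, otherwise substitute the rule id as the article's `<id-masq>` placeholder does.

```python
"""Added example (not from the article): render the NAT/firewall exceptions
matrix as RouterOS commands, srcnat exception first, then forward accepts."""
import re

# Rows copied from the article's matrix: (src, dst, ports, note)
MATRIX = [
    ("192.168.1.0/24", "192.168.2.0/24", "TCP 445, 139; UDP 137-138", "SMB/VPN"),
    ("192.168.1.0/24", "10.8.0.0/24", "TCP 443, UDP 1194", "OpenVPN"),
    ("192.168.2.0/24", "1.1.1.1/32", "UDP 53", "DNS via VPN"),
]

def parse_ports(spec: str) -> list[tuple[str, str]]:
    """'TCP 445, 139; UDP 137-138' -> [('tcp', '445,139'), ('udp', '137-138')].
    A protocol keyword starts a group; ports and ranges keep RouterOS dst-port syntax."""
    groups, proto, ports = [], None, []
    for tok in re.split(r"[;,\s]+", spec.strip()):
        if tok.upper() in ("TCP", "UDP"):
            if proto and ports:
                groups.append((proto, ",".join(ports)))
            proto, ports = tok.lower(), []
        elif re.fullmatch(r"\d+(-\d+)?", tok):
            ports.append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} in port spec {spec!r}")
    if proto and ports:
        groups.append((proto, ",".join(ports)))
    return groups

def rules_for_row(src: str, dst: str, ports: str, note: str) -> list[str]:
    """srcnat accept placed before masquerade (assumes exactly one masquerade rule),
    then a forward accept per protocol group so the firewall lets the traffic through."""
    pair = f"src-address={src} dst-address={dst}"
    cmds = [f"/ip firewall nat add chain=srcnat action=accept {pair} "
            f'place-before=[find chain=srcnat action=masquerade] comment="{note}"']
    for proto, plist in parse_ports(ports):
        cmds.append(f"/ip firewall filter add chain=forward action=accept protocol={proto} "
                    f'dst-port={plist} {pair} comment="{note}"')
    return cmds

def render(matrix) -> list[str]:
    return [cmd for row in matrix for cmd in rules_for_row(*row)]

if __name__ == "__main__":
    print("\n".join(render(MATRIX)))
```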
⚠ Common pitfalls
- MTU “1500 everywhere” → fragmentation.
- Masquerade “ate” inter-subnet traffic → need exceptions.
- Policy routing without DNS consideration.
- Relying on NetBIOS broadcast.
- Testing only ping → also test TCP/SMB with large files.