MikroTik + Keenetic: FAQ and Step-by-Step Diagnostics
Published on 2025-09-21
This article is compiled as a “cheat sheet” for SOHO/SMB networks: common issues, their symptoms, causes, quick fixes, and diagnostic checklists. Suitable for both engineers and admins who maintain the MikroTik ↔ Keenetic bundle.
📑 Navigation
- EoIP “freezes” when transferring large files
- Site-to-Site VPN is up, but traffic doesn’t pass
- NAT breaks VPN/EoIP
- MTU/MSS: how to choose correctly
- Policy Routing (RouterOS 7)
- SMB from another subnet doesn’t work
- Quick diagnostics checklist
- Command cheat sheet
- Typical MTUs for tunnels
- NAT/Firewall exceptions matrix
- Common pitfalls
- Visualizations
- Resources and documentation
1) EoIP “freezes” when transferring large files
Symptoms: SMB/FTP hangs, speed fluctuates, RDP drops. Causes: incorrect MTU/MSS, fast-path with IPsec, NAT/Firewall errors.
⚡ Quick fix (MikroTik):
```
/interface eoip add name=eoip-tun remote-address=203.0.113.1 tunnel-id=10 mtu=1476 clamp-tcp-mss=yes
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
# allow-fast-path is a property of the EoIP tunnel interface, not of Ethernet ports
/interface eoip set [find name=eoip-tun] allow-fast-path=no
```
Keenetic (CLI):
```
interface Tunnel0
ip tcp adjust-mss 1360
```
In the web interface: Internet → Other connections → Tunnel → “Limit MSS”.
2) Site-to-Site VPN is up, but traffic doesn’t pass
Symptoms: tunnel is “UP”, but no ping/SMB between subnets. Causes: routes, NAT, IPsec selectors, firewall.
Example (MikroTik, IPsec S2S):
```
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    sa-dst-address=203.0.113.2 tunnel=yes action=encrypt
/ip route add dst-address=192.168.2.0/24 gateway=ipsec
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
```
Example (Keenetic, OpenVPN server):
```
vpn-server openvpn
direct-access enable
pool 10.8.0.0/24
route 192.168.1.0/24
```
3) NAT breaks VPN/EoIP
Symptoms: tunnel goes up, but no communication between networks. Solution: exclude inter-subnet traffic from masquerade.
```
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 place-before=<id-masq>
```
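To check rule order offline, the following added example (not part of the original article) parses a saved NAT export and reports, for each subnet pair, whether an accept exception or a masquerade rule is hit first. The export text is a constructed sample, the function names are hypothetical, and the check assumes CIDR address matchers only, treating every other matcher (such as out-interface) as matching.

```python
import ipaddress
import shlex

# Constructed sample in the style of "/ip firewall nat export" (not from a real router).
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24
add action=accept chain=srcnat src-address=192.168.1.0/24 dst-address=10.8.0.0/24 disabled=yes
"""

def parse_nat_rules(export_text):
    """Return enabled srcnat rules, in rule order, as dicts of key=value pairs."""
    rules = []
    for line in export_text.replace("\\\n", " ").splitlines():
        if not line.strip().startswith("add "):
            continue
        rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
        if rule.get("chain") == "srcnat" and rule.get("disabled") != "yes":
            rules.append(rule)
    return rules

def _covers(matcher, subnet):
    """An absent matcher matches everything; a CIDR matcher must contain the subnet."""
    return matcher is None or subnet.subnet_of(ipaddress.ip_network(matcher, strict=False))

def first_match(rules, src, dst):
    """First srcnat rule whose address matchers cover src -> dst (first match wins)."""
    src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for index, rule in enumerate(rules):
        if _covers(rule.get("src-address"), src_net) and _covers(rule.get("dst-address"), dst_net):
            return index, rule.get("action")
    return None, None

def audit(export_text, pairs):
    """Map each (src, dst) pair to 'ok' when an accept rule wins, else to the reason it does not."""
    rules = parse_nat_rules(export_text)
    report = {}
    for src, dst in pairs:
        index, action = first_match(rules, src, dst)
        if action == "accept":
            report[(src, dst)] = "ok"
        elif action is None:
            report[(src, dst)] = "no matching rule"
        else:
            report[(src, dst)] = f"{action} at position {index} is hit first"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, [("192.168.1.0/24", "192.168.2.0/24")]))
```

In the sample, masquerade sits above the exception, so the 192.168.1.0/24 → 192.168.2.0/24 pair is reported as NATed; moving the accept rule above it turns the result into "ok".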
4) MTU/MSS: how to choose correctly
Algorithm:
- Find the Path MTU (ping with the DF bit set).
- Set the tunnel MTU lower by the encapsulation overhead.
- Enable MSS clamping.
```
/ping <peer-wan-ip> size=1472 do-not-fragment
/ping <peer-lan-ip> interface=eoip-tun size=1450 do-not-fragment
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
```
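The three steps above as an added example (not from the original article): a binary search over DF-set probes finds the path MTU, then the tunnel MTU and MSS are derived from it. The function names are hypothetical; `linux_df_probe` assumes a Linux host with iputils `ping`, and the MSS is taken as MTU minus 40 bytes of IPv4 and TCP headers.

```python
import subprocess

def linux_df_probe(host):
    """Build a probe that sends one DF-set ICMP echo of a given IP packet size (iputils ping)."""
    def probe(packet_size):
        payload = packet_size - 28  # 20-byte IPv4 header + 8-byte ICMP header
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

def find_path_mtu(probe, low=576, high=1500):
    """Largest IP packet size in [low, high] that passes with DF set, or None if `low` fails."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low

def tunnel_settings(path_mtu, overhead):
    """Tunnel MTU = path MTU minus encapsulation overhead; MSS = MTU minus 40 (IPv4 + TCP)."""
    mtu = path_mtu - overhead
    return {"mtu": mtu, "mss": mtu - 40}

if __name__ == "__main__":
    # Constructed path with a 1492-byte MTU (for example a PPPoE uplink); no packets are sent.
    simulated = lambda size: size <= 1492
    pmtu = find_path_mtu(simulated)
    print(pmtu, tunnel_settings(pmtu, overhead=42))
```

Against a real peer, pass `linux_df_probe("<peer-wan-ip>")` instead of the simulated probe.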
5) Policy Routing (RouterOS 7)
Symptoms: traffic ignores required rules. Example:
```
/routing table add name=to-vpn fib
/ip route add dst-address=0.0.0.0/0 gateway=10.8.0.1 routing-table=to-vpn
/routing rule add action=lookup-only-in-table table=to-vpn src-address=192.168.1.0/24
```
6) SMB from another subnet doesn’t work
Causes: NAT/Firewall, NetBIOS broadcast doesn’t route, DNS. Solution: allow TCP/445, TCP/139, UDP/137-138, disable NAT between subnets.
```
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=445 src-address=192.168.1.0/24 dst-address=192.168.2.0/24
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
```
✅ Quick diagnostics checklist
- L3 connectivity: ping WAN↔WAN, LAN↔LAN.
- MTU/MSS: ping with the DF bit set, MSS clamp.
- Routes: ip route print, traceroute.
- NAT: exceptions before masquerade.
- Firewall: allow rules, counters.
- Tunnel: SA/peers (IPsec), client (OVPN).
- CPU/load: torch, monitor-traffic.
- Services: telnet host 445.
- DNS/WINS: name resolution.
- Logs/pcap: tool sniffer.
📜 Command cheat sheet
MikroTik:
```
/ping <ip> size=1472 do-not-fragment
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
/ip firewall nat add chain=srcnat action=accept src-address=<LAN-A>/24 dst-address=<LAN-B>/24 place-before=<id-masq>
/routing table add name=to-vpn fib
/ip ipsec active-peers print
/tool torch <iface>
/tool sniffer quick interface=<iface> file-name=trace.pcap
```
Keenetic:
```
show interface Tunnel0
show ip route
show ip nat translations
interface Tunnel0
ip tcp adjust-mss 1360
```
📊 Typical MTUs for tunnels
| Tunnel type | MTU | MSS | Overhead |
|---|---|---|---|
| EoIP | 1476 | 1436 | ~42 |
| IPsec | 1400 | 1360 | ~50–60 |
| OpenVPN | 1410 | 1370 | ~40–50 |
| L2TP | 1400 | 1360 | ~40 |
🔀 NAT/Firewall exceptions matrix
| Src Subnet | Dst Subnet | NAT Action | Firewall Ports | Note |
|---|---|---|---|---|
| 192.168.1.0/24 | 192.168.2.0/24 | accept | TCP 445, 139; UDP 137-138 | SMB/VPN |
| 192.168.1.0/24 | 10.8.0.0/24 | accept | TCP 443, UDP 1194 | OpenVPN |
| 192.168.2.0/24 | 1.1.1.1/32 | accept | UDP 53 | DNS via VPN |
⚠ Common pitfalls
- MTU “1500 everywhere” → fragmentation.
- Masquerade “ate” inter-subnet traffic → need exceptions.
- Policy routing without DNS consideration.
- Relying on NetBIOS broadcast.
- Testing only ping → also test TCP/SMB with large files.