Community discussions

Search found 700 matches

by andrewluck
Mon Jun 03, 2013 2:45 pm
Forum: General
Topic: ROS v6 - can't get queue tree working
Replies: 5
Views: 1861

Re: ROS v6 - can't get queue tree working

Same problem here. Mangle rule counters are incrementing but the queue tree counters are stuck at zero. There's another problem here as well. After making changes to the queue tree configuration the command
/queue tree print bytes
will time out.

Regards
Andrew
by andrewluck
Wed Apr 18, 2012 12:26 pm
Forum: General
Topic: Feature request: VRRP sync groups
Replies: 7
Views: 6078

Feature request: VRRP sync groups

Alternative products such as Vyatta enable me to configure VRRP interfaces on a router in a group such that failure of a single interface in a group causes all interfaces in that group to go offline. This helps ensure that a virtual router with multiple VRRP instances will fail over correctly in the...
by andrewluck
Tue Apr 17, 2012 1:35 pm
Forum: General
Topic: Route problem for LAN with VRRP , is a bug ?
Replies: 4
Views: 2024

Re: Route problem for LAN with VRRP , is a bug ?

Post your VRRP configuration from both routers.

Regards

Andrew
by andrewluck
Mon Mar 12, 2012 1:41 pm
Forum: General
Topic: 1:1 NAT and proxy-arp
Replies: 2
Views: 2714

Re: 1:1 NAT and proxy-arp

/ip address add address=10.1.0.1/16 broadcast=10.1.255.255 comment="" disabled=no \ interface=ether5 network=10.1.0.0 add address=10.2.0.1/16 broadcast=10.2.255.255 comment="" disabled=no \ interface=ether1 network=10.2.0.0 /ip firewall nat add action=netmap chain=dstnat comment...
by andrewluck
Wed Mar 07, 2012 5:50 pm
Forum: General
Topic: 1:1 NAT and proxy-arp
Replies: 2
Views: 2714

1:1 NAT and proxy-arp

I've set up a 1:1 NAT scheme using the information in the wiki: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#1:1_mapping It's all working except that ARP isn't working on the public side. If I temporarily add an IP address to the router for a translated address the router will respond to the ...
by andrewluck
Sat Jul 16, 2011 11:03 pm
Forum: General
Topic: Router Problem...please advice
Replies: 3
Views: 1295

Re: Router Problem...please advice

What does the routing table on the PPTP router look like?

Andrew
by andrewluck
Fri Jul 08, 2011 12:07 am
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

OK. I see what you're trying to do. It won't work for me because I'm only getting one feed from my ISP.

Andrew
by andrewluck
Mon Jul 04, 2011 6:11 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

I can't see that this will work. Are you suggesting this instead of VRRP?

If so, in normal operation I would have duplicate IP addresses on both WAN & LAN interfaces.

Andrew
by andrewluck
Thu Jun 09, 2011 1:33 pm
Forum: General
Topic: L2TP/IPSec client cannot connect from behind Mikrotik router
Replies: 2
Views: 1920

Re: L2TP/IPSec client cannot connect from behind Mikrotik ro

Have you excluded the L2TP packets from NAT?

Regards

Andrew
by andrewluck
Sat Jun 04, 2011 11:28 pm
Forum: General
Topic: Routerboard 750 IPSec VPN Issues
Replies: 1
Views: 2215

Re: Routerboard 750 IPSec VPN Issues

Phase 1 is failing. Can you post your IPSEC configuration from both ends of the link?

Kind regards

Andrew
by andrewluck
Fri May 06, 2011 10:59 pm
Forum: General
Topic: UDP Across IPSEC VPN
Replies: 1
Views: 1185

Re: UDP Across IPSEC VPN

Can we get a look at your IPSEC & NAT setup?

Regards

Andrew
by andrewluck
Sat Apr 09, 2011 6:25 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

Thanks for the post but I don't see how that's going to help me.

Both HSRP and other implementations of VRRP offer the ability to track another interface. At the moment it would appear that this function is not reproducible with scripting.

Andrew
by andrewluck
Sun Apr 03, 2011 9:51 pm
Forum: General
Topic: IPSec disables local access to RouterOS
Replies: 4
Views: 1851

Re: IPSec disables local access to RouterOS

Your problem is the policy you have defined on router B. 192.168.0.0/16 includes the router's local subnet 192.168.1.0/14. You will have to be more specific with this network definition so that the local LAN isn't included. Maybe set up separate policies for each of the remote networks.

Regards

Andrew
by andrewluck
Sat Mar 26, 2011 2:09 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

Spent a while re-working this to use changing priorities to control the master/backup relationships with some success. The main problem I'm left with is this: Changing the priority on a vrrp instance where the router is the master causes the router to drop to backup for a short while. This occurs ev...
by andrewluck
Fri Mar 25, 2011 11:58 pm
Forum: General
Topic: VLAN via switch chip: cannot ping router interface
Replies: 26
Views: 10645

Re: VLAN via switch chip: cannot ping router interface

Is ether5 the switch master port? I think only the master port bridges across to the cpu.

Andrew
by andrewluck
Fri Mar 25, 2011 10:38 pm
Forum: General
Topic: VLAN via switch chip: cannot ping router interface
Replies: 26
Views: 10645

Re: VLAN via switch chip: cannot ping router interface

A very concise description that makes perfect sense. I think that what you're missing is putting the cpu port in vlan 0 with ether2: /interface ethernet switch vlan add disabled=no ports=cpu,ether2 switch= switch1 vlan-id=0 Once this is done then you don't need a rule to copy ether2's packets to the...
by andrewluck
Thu Mar 24, 2011 11:21 pm
Forum: General
Topic: VLAN via switch chip: cannot ping router interface
Replies: 26
Views: 10645

Re: VLAN via switch chip: cannot ping router interface

Maybe if you post exactly what you're trying to achieve...

Regards

Andrew
by andrewluck
Thu Mar 24, 2011 7:31 pm
Forum: General
Topic: VLAN via switch chip: cannot ping router interface
Replies: 26
Views: 10645

Re: VLAN via switch chip: cannot ping router interface

However, as a side effect ether4 can now talk to ether5 without me allowing this That's a function of switch. At least you can now ping the router! If you don't want to allow communication between the ports then you need to place them in different vlans or if you want them in the same vlan then you...
by andrewluck
Thu Mar 24, 2011 12:44 pm
Forum: General
Topic: VLAN via switch chip: cannot ping router interface
Replies: 26
Views: 10645

Re: VLAN via switch chip: cannot ping router interface

Set up a master port on the switch and assign the router interface IP to this interface.

Then add the cpu port into the vlan if you've set the vlan mode to secure. You don't need any switch rules once this is done.

Regards

Andrew
by andrewluck
Thu Mar 24, 2011 12:41 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

Thanks for the tip. Sounds a lot better than disabling things. I'll look at reworking the scripts.

Regards

Andrew
by andrewluck
Mon Mar 21, 2011 12:43 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

If you check back to my first post in this thread you can see my attempt at scripting. However, I never managed to get this script working and was looking for some guidance.

Regards

Andrew
by andrewluck
Mon Mar 21, 2011 9:39 am
Forum: General
Topic: IPSEC Tunnel between Mikrotik routers
Replies: 5
Views: 1730

Re: IPSEC Tunnel between Mikrotik routers

If you have a NAT rule that applies to all traffic leaving the local network then you'll need to exclude the traffic that is destined for the VPN tunnel and the remote office. You do this by placing a NAT rule before the general one that rejects this traffic. There are some exceptions to this, e.g. ...
by andrewluck
Mon Mar 21, 2011 12:36 am
Forum: General
Topic: L2TP/IPsec configuration disables all connectivity
Replies: 11
Views: 4792

Re: L2TP/IPsec configuration disables all connectivity

The ipsec peer definition is incorrect; it should be address=0.0.0.0/0:500 Make sure you don't have an IPSEC policy defined. In what follows, replace any addresses with your own. Turn on the L2TP server: /interface l2tp-server server set authentication=pap,chap,mschap1,mschap2 default-profile=defaul...
by andrewluck
Sun Mar 20, 2011 11:02 pm
Forum: General
Topic: L2TP/IPsec configuration disables all connectivity
Replies: 11
Views: 4792

Re: L2TP/IPsec configuration disables all connectivity

Unfortunately, there's not enough information in the screen shots. Can you export your IPSEC, PPP and L2TP settings. I normally deviate from the instructions in the wiki article for the L2TP server by enabling it, but not creating the server interface. I then create a bridge group with the internal ...
by andrewluck
Sun Mar 20, 2011 4:37 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

I need to bump this thread as I still haven't found a solution to the problem of synchronising the state of multiple vrrp interfaces on a single router. With Vyatta I get the option to place vrrp interfaces into a group which will achieve this. Is there something that will do the same thing for Rout...
by andrewluck
Sun Mar 20, 2011 4:31 pm
Forum: General
Topic: L2TP/IPsec configuration disables all connectivity
Replies: 11
Views: 4792

Re: L2TP/IPsec configuration disables all connectivity

ISAKMP uses UDP/500, that's why you can't connect using telnet.

Can you post your revised configs after following the instructions given by the previous poster?

Regards

Andrew
by andrewluck
Sun Mar 20, 2011 4:25 pm
Forum: General
Topic: IPSEC Tunnel between Mikrotik routers
Replies: 5
Views: 1730

Re: IPSEC Tunnel between Mikrotik routers

Two things to start with:

1: The peer addresses are incorrect. Site 1 should specify the WAN address of site 2 & vice versa

2: The NAT exclusion rules should have an action of 'reject'

Regards

Andrew
by andrewluck
Fri Mar 18, 2011 7:06 pm
Forum: General
Topic: Half-Bridge PPPOA under Mikrotik not working
Replies: 4
Views: 2315

Re: Half-Bridge PPPOA under Mikrotik not working

I use a similar setup in the UK where again we have PPPoA only.

The router is a Solwise AR7 based device, reflashed with RouterTech firmware and setup as a bridge. I then run a PPPoE client on the Mikrotik with the ISP connection details.

Works just fine.

Andrew
by andrewluck
Fri Mar 18, 2011 7:00 pm
Forum: General
Topic: IPSEC Tunnel between Mikrotik routers
Replies: 5
Views: 1730

Re: IPSEC Tunnel between Mikrotik routers

If you post the commands that you're using to configure this and the error messages we can probably help you here.

Regards

Andrew
by andrewluck
Fri Mar 18, 2011 6:41 pm
Forum: General
Topic: VLAN via switch chip: cannot ping router interface
Replies: 26
Views: 10645

Re: VLAN via switch chip: cannot ping router interface

I had some similar problems with a 450G. I eventually fixed it by removing the IP address from the master port of the switch and adding it again.

Regards

Andrew
by andrewluck
Sat Mar 05, 2011 12:03 am
Forum: General
Topic: Mikrotik IPv6 addresses
Replies: 33
Views: 5905

Re: Mikrotik IPv6 addresses

Working for me as well on HE, UK using London node: C:\Documents and Settings\andrew>tracert -d forum.mikrotik.com Tracing route to forum.mikrotik.com [2a02:610:7501:1000::201] over a maximum of 30 hops: 1 6 ms 1 ms 1 ms 2001:470:9136:1::1 2 118 ms 118 ms 118 ms 2001:470:1f08:67::1 3 111 ms 112 ms 1...
by andrewluck
Sun Aug 29, 2010 4:50 pm
Forum: General
Topic: pptp connected but no ping to other hosts
Replies: 2
Views: 2640

Re: pptp connected but no ping to other hosts

Proxy ARP on the LAN interface.

Regards

Andrew
by andrewluck
Sat Jul 31, 2010 4:56 pm
Forum: General
Topic: 6to4 tunnel with tunnelbroker.com
Replies: 7
Views: 14422

Re: 6to4 tunnel with tunnelbroker.com

There are some wiki examples for this. One is here:

http://wiki.mikrotik.com/wiki/Setting_u ... nel_broker

That describes the basics that you need to get the tunnel up and running.

Kind regards

Andrew
by andrewluck
Mon Jun 21, 2010 10:41 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

Interesting.

My priorities on each vrrp instance on the same router are the same.

Kind regards

Andrew
by andrewluck
Thu Jun 17, 2010 8:38 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

>>Flag RM goes to flag M after RM int fail on Master and on Backup B goes to RM! After int restore on master flag M goes to RM and on backup flag RM goes to B. Agreed. That's exactly what mine does. As you say, you need to ensure that both master's are on the same router. To do this you use a script...
by andrewluck
Wed Jun 16, 2010 4:31 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

>>and how look your up/down scripts?

At the top of this thread.
by andrewluck
Wed Jun 16, 2010 2:20 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

Thanks for the offer of help. Much appreciated. http://www.littlebeck.org.uk/gif_1.gif Master config /interface vrrp add arp=enabled authentication=simple comment="" disabled=no interface=ether1 \ interval=1 mtu=1500 name=Internet on-backup=VRRP-Backup on-master=\ VRRP-Master password=****...
by andrewluck
Tue Jun 15, 2010 8:28 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

>>Did you check it?

Yes & the VRRP RFC. It's a little vague on what should happen if the parent interface goes down.
by andrewluck
Tue Jun 15, 2010 7:25 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

Re: VRRP failover

Hi Janisk

The problem I have is the Master never goes to backup when the parent interface stops running.

Interfaces on each side of the router are in different subnets.

Cheers

Andrew
by andrewluck
Tue Jun 15, 2010 1:18 pm
Forum: Scripting
Topic: VRRP failover
Replies: 36
Views: 35430

VRRP failover

I'm setting up a pair of routers on RB450Gs as a high availability VPN server. Each router has two active interfaces that participate in VRRP interfaces. Failover of the individual VRRP interfaces is fine and a complete router failure is handled OK with both virtual IP addresses ending up on the back...
by andrewluck
Wed Feb 24, 2010 6:03 pm
Forum: RouterBOARD hardware
Topic: Switch
Replies: 15
Views: 6605

Re: Switch

Thanks for the reply. It doesn't look as if you can use the switch chip for this.

Andrew
by andrewluck
Tue Feb 23, 2010 4:45 pm
Forum: RouterBOARD hardware
Topic: Switch
Replies: 15
Views: 6605

Re: Switch

So let me phrase this a different way:

The manual states:

>>new-vlan-id - if specified changes the vlan tag id, or add new vlan tag if one was not present

I want to do the opposite; i.e. if a vlan tag is present, remove it before the packet exits the switch port. Is this possible?

Regards

Andrew
by andrewluck
Thu Dec 24, 2009 4:18 pm
Forum: RouterBOARD hardware
Topic: Switch
Replies: 15
Views: 6605

Re: Switch

Agreed. But how do I configure the switch such that packets arriving without a vlan tag get one added and packets leaving the port get the tag removed?

Andrew
by andrewluck
Thu Dec 24, 2009 2:25 pm
Forum: RouterBOARD hardware
Topic: Switch
Replies: 15
Views: 6605

Re: Switch

Yes... but the question is about vlan tagging, not port bonding.

Andrew
by andrewluck
Thu Dec 24, 2009 1:57 pm
Forum: RouterBOARD hardware
Topic: Switch
Replies: 15
Views: 6605

Re: Switch

LACP ????

How does that apply here?

Andrew
by andrewluck
Thu Dec 24, 2009 1:11 pm
Forum: RouterBOARD hardware
Topic: Switch
Replies: 15
Views: 6605

Re: Switch

I'm trying to do the same thing with an RB450G. I've tried adding rules to tag packets that arrive untagged at a switch port but I still can't communicate with any devices that use the native vlan. [admin@MikroTik] /interface ethernet switch rule> pr Flags: X - disabled, I - invalid 0 switch=switch1...
by andrewluck
Sun Nov 15, 2009 10:50 am
Forum: General
Topic: Mikrotik AAA authentication with windows server 2003
Replies: 5
Views: 1982

Re: Mikrotik AAA authentication with windows server 2003

Download a copy of DeepSoftware's IAS Logviewer program http://www.deepsoftware.ru/iasviewer/. That'll decipher the log and tell you why IAS is rejecting the request.

Kind regards

Andrew
by andrewluck
Sat Nov 14, 2009 10:50 pm
Forum: General
Topic: Mikrotik/cisco VPN with dynamic ip
Replies: 2
Views: 1920

Re: Mikrotik/cisco VPN with dynamic ip

As you have a dynamic address you will need to open the peer configuration up to accept connections from any address 0.0.0.0/0 (or the subnet you're allocated your address from). Then experiment with the 'Generate Policy' option. Alternatively, why not configure the Mikrotik to be a client to a PPTP ...
by andrewluck
Sat Nov 14, 2009 10:41 pm
Forum: General
Topic: multiple VPN's between cisco 2811 and RB450's
Replies: 4
Views: 1545

Re: multiple VPN's between cisco 2811 and RB450's

More detail required. How about posting your IPSEC configuration from each end?

Kind regards

Andrew
by andrewluck
Sat Nov 14, 2009 10:36 pm
Forum: General
Topic: IPSec and NAT-T
Replies: 1
Views: 953

Re: IPSec and NAT-T

Sounds like someone doesn't have their Concentrator setup correctly. The v4.6 client is also now rather old. You don't need to setup anything on the Mikrotik other than ensuring that you're not blocking the traffic with a filter rule. The VPN is encapsulated in a straightforward TCP / UDP connection...
by andrewluck
Sat Nov 14, 2009 10:30 pm
Forum: General
Topic: IPSec Site-to-Site VPN RB1000 to Customer Cisco ASA
Replies: 2
Views: 5864

Re: IPSec Site-to-Site VPN RB1000 to Customer Cisco ASA

Enable Dead Peer Detection (DPD) on both ends of the link.

Kind regards

Andrew
by andrewluck
Mon Sep 21, 2009 8:36 pm
Forum: General
Topic: VPN IPsec connection does not reconnect
Replies: 1
Views: 855

Re: VPN IPsec connection does not reconnect

Both ends need to support DPD otherwise the setting on the RB will be ignored.

Andrew
by andrewluck
Sat Sep 12, 2009 5:35 pm
Forum: General
Topic: ipsec disconnect sometimes
Replies: 3
Views: 2022

Re: ipsec disconnect sometimes

Try enabling Dead Peer Detection.

Andrew
by andrewluck
Sat Sep 12, 2009 5:30 pm
Forum: General
Topic: Special needs - Broadcast UDP Packet needs forwarding
Replies: 7
Views: 3290

Re: Special needs - Broadcast UDP Packet needs forwarding

Bridge the two interfaces and apply a filter that allows only your udp traffic.

Andrew
by andrewluck
Mon Jul 27, 2009 12:04 am
Forum: General
Topic: Port Mirroring
Replies: 26
Views: 22373

Re: Port Mirroring

Documentation is a little thin on this subject. I found this in a config file:
/interface ethernet mirror
set mirror-port=none source-port=none
Hope this offers some clues.

Kind regards

Andrew
by andrewluck
Sun Jul 26, 2009 11:50 pm
Forum: General
Topic: IPSEC and NAT-T problem
Replies: 60
Views: 58526

Re: IPSEC and NAT-T problem

I've got a support ticket open for this issue. Nothing back yet apart from 'we're looking at it'. In my case I worked around the problem by turning off NAT-T and just passing ESP across the intermediate NAT device. Your mileage may vary as this depends upon the NAT device being able to keep track of ...
by andrewluck
Sat Jan 24, 2009 7:00 pm
Forum: General
Topic: Disable-running-check on Ethernet interfaces - Major Flaw
Replies: 3
Views: 1953

Re: Disable-running-check on Ethernet interfaces - Major Flaw

Works for me:
set ether1 disable-running-check=no
Kind regards

Andrew
by andrewluck
Sat Jan 24, 2009 4:36 pm
Forum: General
Topic: How to create an IPsec tunnel from Nokia E71 to MT 3.18
Replies: 3
Views: 2092

Re: How to create an IPsec tunnel from Nokia E71 to MT 3.18

>>I created the following VPN policy using "Nokia Mobile VPN Client Policy"

Doesn't this configuration require a Nokia VPN client?

Is there an option for generating a site to site tunnel?

Kind regards

Andrew
by andrewluck
Sat Jan 24, 2009 3:28 pm
Forum: General
Topic: MPLS & VPLS = how it's work?
Replies: 1
Views: 864

Re: MPLS & VPLS = how it's work?

Have you read this?

http://wiki.mikrotik.com/wiki/MPLS

Kind regards

Andrew
by andrewluck
Sat Jan 24, 2009 3:26 pm
Forum: General
Topic: Using Cisco VPN client ver 4.x and mtik v 3.1
Replies: 1
Views: 831

Re: Using Cisco VPN client ver 4.x and mtik v 3.1

This isn't going to work. The Cisco client is only for use with Cisco VPN concentrators, PIX and ASAs.

Kind regards

Andrew
by andrewluck
Thu Nov 06, 2008 6:34 pm
Forum: General
Topic: Microtik Client to Cisco IPSec
Replies: 1
Views: 946

Re: Microtik Client to Cisco IPSec

Yes it is possible. You set up a site to site VPN rather than a client access one.

Kind regards

Andrew
by andrewluck
Sat Oct 11, 2008 5:07 pm
Forum: General
Topic: Mikrotik can access the clients on the VLAN network
Replies: 1
Views: 879

Re: Mikrotik can access the clients on the VLAN network

>>What is/could be blocking that communication, is it a firewall rule?

Maybe. NAT rule? Hard to tell without more information.

Kind regards

Andrew
by andrewluck
Sun Sep 21, 2008 10:49 am
Forum: General
Topic: Bridge network no IP
Replies: 3
Views: 1181

Re: Bridge network no IP

You're trying to use a bridge when it isn't appropriate to your situation. Check your earlier thread where people are advising you that this is the wrong approach.

Kind regards

Andrew
by andrewluck
Sun Sep 21, 2008 10:46 am
Forum: General
Topic: DMZ and PPTP server
Replies: 9
Views: 2937

Re: DMZ and PPTP server

You haven't specified TCP ports 80 & 21 in these NAT rules so they're natting all traffic.

Kind regards

Andrew
by andrewluck
Wed Sep 17, 2008 10:12 pm
Forum: General
Topic: redistribute a /48 ipv6 block
Replies: 4
Views: 1467

Re: redistribute a /48 ipv6 block

>>If I understood, I need to break this /48 into lots of /64s in my LAN?

Exactly. It's a /64 per network, all 65536 of them.

Advertise the network prefix on the router LAN interface and clients will autoconfigure using their MAC addresses to complete their IPv6 address.

Kind regards

Andrew
by andrewluck
Wed Sep 17, 2008 2:51 pm
Forum: General
Topic: redistribute a /48 ipv6 block
Replies: 4
Views: 1467

Re: redistribute a /48 ipv6 block

The default network size for a lan is /64. How many addresses do you need on one network? :shock:

Kind regards

Andrew
by andrewluck
Mon Sep 08, 2008 8:41 pm
Forum: General
Topic: IPsec Mikrotik RB 150 to Cisco problem to phase2?
Replies: 9
Views: 3599

Re: IPsec Mikrotik RB 150 to Cisco problem to phase2?

You said that IKE phase 1 was OK, but that there's no debugging output from Cisco. Both statements can't be true. If the router is completing phase 1 then it WILL be generating debug output if you enable it. You didn't mention the PIX before. Is it in front of the router? Is it doing NAT? Too many qu...
by andrewluck
Mon Sep 01, 2008 10:54 pm
Forum: General
Topic: IPsec Mikrotik RB 150 to Cisco problem to phase2?
Replies: 9
Views: 3599

Re: IPsec Mikrotik RB 150 to Cisco problem to phase2?

debug crypto isakmp output please.

Kind regards

Andrew
by andrewluck
Sun Aug 31, 2008 7:27 pm
Forum: General
Topic: IPsec Mikrotik RB 150 to Cisco problem to phase2?
Replies: 9
Views: 3599

Re: IPsec Mikrotik RB 150 to Cisco problem to phase2?

PFS is turned on at one end and off at the other.

Generate-policy should be set to No for this type of link.

Post the debug output from the Cisco for ISAKMP as this will offer some more clues.

Kind regards

Andrew
by andrewluck
Wed Aug 27, 2008 11:24 pm
Forum: General
Topic: IPSec Phase 2 problems with racoon
Replies: 1
Views: 10646

Re: IPSec Phase 2 problems with racoon

MT doesn't support compression schemes, you have it set to deflate at the Racoon end. Otherwise, the main cause of problems is that the ends of the link don't share a consistent view of the network i.e. if you've told the left hand end that the right hand network is 192.168.93.0/24 then the latter m...
by andrewluck
Mon Aug 04, 2008 8:21 pm
Forum: General
Topic: IPv6 firewall features
Replies: 14
Views: 6029

Re: IPv6 firewall features

I'll second the request for address lists.

Kind regards

Andrew
by andrewluck
Mon Jul 21, 2008 8:06 pm
Forum: General
Topic: ipsec multisubnet or multi policy issue
Replies: 42
Views: 32404

Re: ipsec multisubnet or multi policy issue

Can't see anything out of order there. Turn on ipsec logging as well as ike, see if that reports anything. If you're not seeing anything useful at the MT end then turn on debugging on the Cisco end and see if that offers any clues. You might post the Cisco crypto setup here as well. Kind regards And...
by andrewluck
Sun Jul 20, 2008 12:30 pm
Forum: General
Topic: Clock keeps resetting
Replies: 5
Views: 1839

Re: Clock keeps resetting

At a guess, there's no separate clock chip on the board.

Use NTP to keep the time correct.

Kind regards

Andrew
by andrewluck
Sat Jul 19, 2008 11:01 pm
Forum: General
Topic: 25min internet works then page cannot be displayed
Replies: 2
Views: 1041

Re: 25min internet works then page cannot be displayed

Looking through the logs might offer some clues.

Kind regards

Andrew
by andrewluck
Sat Jul 19, 2008 10:57 pm
Forum: General
Topic: ipsec multisubnet or multi policy issue
Replies: 42
Views: 32404

Re: ipsec multisubnet or multi policy issue

You need to post some configs. Also the log that shows the errors.

Kind regards

Andrew
by andrewluck
Mon Jul 07, 2008 11:16 pm
Forum: General
Topic: Chains
Replies: 2
Views: 1195

Re: Chains

Just specify the new chain name when you create the new rule.

Kind regards

Andrew
by andrewluck
Mon Jul 07, 2008 11:10 pm
Forum: General
Topic: v3.9 Winbox error
Replies: 2
Views: 1404

Re: v3.9 Winbox error

Yes. This is a known problem & should be fixed in the next release.

Kind regards

Andrew
by andrewluck
Sun Jun 29, 2008 11:26 am
Forum: General
Topic: IPSec help!
Replies: 1
Views: 893

Re: IPSec help!

Your problem is that the subnets at each end of the link overlap. 10.0.0.0/24 includes all of the 10.0.0.0/8 networks so the router can't determine the correct destination.

Yes, the policy must exist before the link is established.

Kind regards

Andrew
by andrewluck
Mon Jun 16, 2008 11:35 am
Forum: General
Topic: VPN (pptp) Stopped working
Replies: 9
Views: 2516

Re: VPN (pptp) Stopped working

As well as tcp/1723 you also require GRE (protocol 41).

Andrew
by andrewluck
Fri Jun 13, 2008 2:57 pm
Forum: General
Topic: block outgoing VPN
Replies: 6
Views: 1952

Re: block outgoing VPN

Block port 80 :lol:

Otherwise you might be able to do something using L7 filters.

Kind regards

Andrew
by andrewluck
Thu Jun 12, 2008 8:32 pm
Forum: General
Topic: routeros and cisco ASA 5500
Replies: 5
Views: 1749

Re: routeros and cisco ASA 5500

Just set up a link from my Soekris net4501 box at home to the office PIX 515E. Pinging 1000 byte packets continuously results in a cpu usage no higher than 18%. Encryption is ESP 3DES.

The net4501 box is based on a 133 MHz 486 class processor! (MT v3.10)

Kind regards

Andrew
by andrewluck
Thu Jun 12, 2008 7:58 pm
Forum: General
Topic: routeros and cisco ASA 5500
Replies: 5
Views: 1749

Re: routeros and cisco ASA 5500

Can't get to that box right now but it was probably a late version 2.9 on a RouterBoard 532. CPU usage wasn't an issue.

Kind regards

Andrew
by andrewluck
Thu Jun 12, 2008 6:00 pm
Forum: General
Topic: VPN (pptp) Stopped working
Replies: 9
Views: 2516

Re: VPN (pptp) Stopped working

I'm not familiar with Path Analyzer Pro.

Kind regards

Andrew
by andrewluck
Wed Jun 11, 2008 11:49 am
Forum: General
Topic: VPN (pptp) Stopped working
Replies: 9
Views: 2516

Re: VPN (pptp) Stopped working

Layer 4 Traceroute will do this. http://en.wikipedia.org/wiki/Layer_Four_Trace

Kind regards

Andrew
by andrewluck
Tue Jun 10, 2008 8:32 pm
Forum: General
Topic: IPv6 setup
Replies: 9
Views: 2271

Re: IPv6 setup

Yes. E-mail as follows:

>>Hello,
>>
>>Thank you for report. We are aware of console issue, it will be fixed in next release.
>>Regarding winbox issue, this feature was not yet implemented. We will do that in near future.
>>
>>Regards,
>>Maris

Regards

Andrew
by andrewluck
Sat Jun 07, 2008 6:47 pm
Forum: General
Topic: DHCP Client blanks - no response
Replies: 3
Views: 1304

Re: DHCP Client blanks - no response

Mail support@mikrotik.com with a supout file.

Kind regards

Andrew
by andrewluck
Sat Jun 07, 2008 6:45 pm
Forum: General
Topic: VPN (pptp) Stopped working
Replies: 9
Views: 2516

Re: VPN (pptp) Stopped working

Service Port should show pptp enabled with the port column blank.

47 is a protocol, not a port. Do you see any traffic on tcp/1723 hit the router? Can you use telnet to connect to port 1723 on the router?

Kind regards

Andrew
by andrewluck
Sat Jun 07, 2008 6:39 pm
Forum: General
Topic: cisco ip helper-address equivelant
Replies: 2
Views: 2459

Re: cisco ip helper-address equivelant

Just guessing here, bridge the interfaces with a suitable filter to limit the types of traffic.

Regards

Andrew
by andrewluck
Fri May 30, 2008 12:35 pm
Forum: General
Topic: IPv6 setup
Replies: 9
Views: 2271

Re: IPv6 setup

Problem report submitted to support.

Kind regards

Andrew
by andrewluck
Wed May 28, 2008 12:31 am
Forum: General
Topic: IPv6 setup
Replies: 9
Views: 2271

Re: IPv6 setup

>>IPv4-compatible addresses as IPv6 route gateways now require manually specified interface

This is still broken in 3.10. However, as I didn't send them a problem report either then we can't really expect it to get fixed. I'll try and get the time to do one this week. Unless someone at MT is reading ...
by andrewluck
Wed May 21, 2008 10:59 pm
Forum: General
Topic: IPv6 setup
Replies: 9
Views: 2271

Re: IPv6 setup

I've got routing working with a 6over4 tunnel. Instructions are on the wiki. v3.9 has broken some of the routing. If you create a default route using 2000::/3 then this isn't entered into the routing table correctly. I had to use ::/0 after I upgraded. Also, after v3.8 you need to specify the interf...
by andrewluck
Sat May 17, 2008 12:45 pm
Forum: General
Topic: v3.9 Winbox error
Replies: 2
Views: 1404

v3.9 Winbox error

Not quite sure what Winbox is trying to tell me :?
by andrewluck
Sat May 10, 2008 10:56 am
Forum: General
Topic: Help with IPSEC
Replies: 8
Views: 2150

Re: Help with IPSEC

Pablo

Glad to help.

Kind regards

Andrew
by andrewluck
Thu May 08, 2008 8:11 pm
Forum: General
Topic: Help with IPSEC
Replies: 8
Views: 2150

Re: Help with IPSEC

That looks OK to me. Don't forget that you need equivalent rules on the other ends of the link. After that, check that the traffic is hitting the relevant IPSEC policy.

Masquerade should work. I tend to avoid using it though and prefer to manually specify source nat rules.

Regards

Andrew
by andrewluck
Thu May 08, 2008 4:30 pm
Forum: General
Topic: Problem with ping on local net after connect on PPTP tunnel
Replies: 7
Views: 1834

Re: Problem with ping on local net after connect on PPTP tunnel

Turn on proxy-arp on interface ether2.

Regards

Andrew
by andrewluck
Thu May 08, 2008 4:26 pm
Forum: General
Topic: Help with IPSEC
Replies: 8
Views: 2150

Re: Help with IPSEC

>>I have all networks in firewall, for example: chain=srcnat action=accept src-address=192.168.20.0/24

This is probably incorrect. You will probably have a source nat rule that masquerades for the outside world. You require some additional rules before this one that excludes traffic bound for your IP...
by andrewluck
Wed May 07, 2008 4:50 pm
Forum: General
Topic: Help with IPSEC
Replies: 8
Views: 2150

Re: Help with IPSEC

Are you excluding the IPSEC Lan to Lan traffic from NAT?

Are the routing tables correct?

Regards

Andrew
by andrewluck
Wed May 07, 2008 4:41 pm
Forum: General
Topic: Firewall setup - Block all inbound but allow all outbound
Replies: 10
Views: 12427

Re: Firewall setup - Block all inbound but allow all outbound

Before the final drop rule add this:
chain=forward action=accept connection-state=established
Regards

Andrew
by andrewluck
Tue Apr 29, 2008 8:13 pm
Forum: General
Topic: IPv6 and SixXS (6to4)
Replies: 16
Views: 9000

Re: IPv6 and SixXS (6to4)

You don't need to find it. Just manually type it in the IPv4 firewall rule.

Regards

Andrew
by andrewluck
Mon Apr 28, 2008 8:17 pm
Forum: General
Topic: IPv6 and SixXS (6to4)
Replies: 16
Views: 9000

Re: IPv6 and SixXS (6to4)

This in the output chain:
chain=output action=accept protocol=41
This in the input:
chain=input action=accept src-address=216.66.80.26 protocol=41
216.66.80.26 is the providers endpoint address.

Regards

Andrew
by andrewluck
Sat Apr 26, 2008 8:58 pm
Forum: General
Topic: IPv6 and SixXS (6to4)
Replies: 16
Views: 9000

Re: IPv6 and SixXS (6to4)

You're right, it's not the same, it's way cheaper than the Cisco. If your ISP doesn't provide an ipv6 service then you need to tunnel ipv6 inside an ipv4 tunnel, which is what a 6to4 tunnel is. Mine's working fine since I hit the rebuild tunnel button on the tunnel brokers web page. Tunnel traffic i...
by andrewluck
Wed Apr 23, 2008 7:24 pm
Forum: General
Topic: IPv6 and SixXS (6to4)
Replies: 16
Views: 9000

Re: IPv6 and SixXS (6to4)

Ken
right now i have block'd ALL traffic to my main IPv4 where the IPv6 is routed to
But this is an ipv6 in ipv4 tunnel. You need to allow the tunnel traffic.

Regards

Andrew
by andrewluck
Mon Apr 21, 2008 11:14 pm
Forum: General
Topic: IPv6 and SixXS (6to4)
Replies: 16
Views: 9000

Re: IPv6 and SixXS (6to4)

Ken

Had to rebuild my tunnel on the HE website. Working again now.

Are you pinging the remote gateway ipv6 address from the router or a PC? Stick to the router at first, it's simpler.

Otherwise, your config looks OK. Double check the values you've entered.

Regards

Andrew
by andrewluck
Fri Apr 18, 2008 9:36 am
Forum: General
Topic: IPv6 and SixXS (6to4)
Replies: 16
Views: 9000

Re: IPv6 and SixXS (6to4)

Here's the article I wrote using the Hurricane Electric service.

http://wiki.mikrotik.com/wiki/Setting_u ... nel_broker

I need to look at this again because my tunnel isn't working at the moment.

Regards

Andrew
by andrewluck
Wed Apr 02, 2008 6:31 pm
Forum: General
Topic: how to block shared connection!!
Replies: 4
Views: 1586

Re: how to block shared connection!!

This was discussed here some time ago. I guess the thread is archived somewhere.

If you check the TTL on packets coming from the network you can delete any that have already traversed a router as they will show a lower value.

Regards

Andrew
by andrewluck
Tue Apr 01, 2008 7:23 pm
Forum: General
Topic: ssh works (kinda), winbox doesn't
Replies: 2
Views: 1136

Re: ssh works (kinda), winbox doesn't

Packet sizes? MTU blackhole?

Regards

Andrew
by andrewluck
Sun Mar 30, 2008 6:39 pm
Forum: General
Topic: Allow access from outside to internal network
Replies: 4
Views: 5905

Re: Allow access from outside to internal network

If you run Apache then I'd recommend having a copy of this on your bookshelf:

http://www.apachesecurity.net/

Otherwise, there are plenty of good articles on the web. Google is your friend.

Regards

Andrew
by andrewluck
Sun Mar 30, 2008 6:33 pm
Forum: General
Topic: Help me please RB532A Error
Replies: 1
Views: 766

Re: Help me please RB532A Error

Have you tried a re-install using Netinstall?

Regards

Andrew
by andrewluck
Wed Mar 26, 2008 12:05 pm
Forum: General
Topic: NTP Server
Replies: 8
Views: 2898

Re: NTP Server

Explanation here:

http://www.endruntechnologies.com/stratum1.htm

Regards

Andrew
by andrewluck
Wed Mar 26, 2008 12:02 pm
Forum: General
Topic: Allow access from outside to internal network
Replies: 4
Views: 5905

Re: Allow access from outside to internal network

Zerone

Welcome.

The solution to your problem is here: http://www.mikrotik.com/testdocs/ros/3.0/qos/nat.php There's a section near the bottom which gives an example of Destination NAT.

Regards

Andrew
by andrewluck
Wed Mar 19, 2008 12:57 pm
Forum: General
Topic: Cisco pix interop fails - ipsec,ike unknown notify message,
Replies: 6
Views: 2819

Re: Cisco pix interop fails - ipsec,ike unknown notify message,

Have you got Dead Peer Detection enabled?

Regards

Andrew
by andrewluck
Fri Mar 14, 2008 12:04 am
Forum: General
Topic: Mikrotik Router Blocking MSN Messanger
Replies: 6
Views: 2001

Re: Mikrotik Router Blocking MSN Messanger

Mangle MSS on TCP connections. Details in the forum here many times already.

Regards

Andrew
by andrewluck
Fri Mar 14, 2008 12:00 am
Forum: General
Topic: Free SSL pages
Replies: 2
Views: 1157

Re: Free SSL pages

http://www.cacert.org

Regards

Andrew
by andrewluck
Tue Mar 11, 2008 11:36 am
Forum: General
Topic: Specific IP set as DMZ
Replies: 1
Views: 1019

Re: Specific IP set as DMZ

This sounds like a destination NAT. You need to NAT all new connections to the external interface across to the internal IP of the DMZ machine.

Regards

Andrew
by andrewluck
Wed Feb 27, 2008 9:58 pm
Forum: General
Topic: IPsec problem
Replies: 3
Views: 1234

Re: IPsec problem

No traffic is matching the IPSEC policy. You need to specify your internal LAN addresses on each end.

Regards

Andrew
by andrewluck
Tue Feb 26, 2008 6:06 pm
Forum: General
Topic: Cisco pix interop fails - ipsec,ike unknown notify message,
Replies: 6
Views: 2819

Re: Cisco pix interop fails - ipsec,ike unknown notify message,

Thanks.

Can you post the IPSEC proposals as well.

I need to see the configuration from the Cisco end.

What version of ROS is this?

Regards

Andrew
by andrewluck
Mon Feb 25, 2008 11:48 pm
Forum: General
Topic: Cisco pix interop fails - ipsec,ike unknown notify message,
Replies: 6
Views: 2819

Re: Cisco pix interop fails - ipsec,ike unknown notify message,

Post your IPSEC configuration from both ends.

Regards

Andrew
by andrewluck
Sat Feb 23, 2008 6:37 pm
Forum: General
Topic: Setup ipv6 gateway
Replies: 1
Views: 1783

Re: Setup ipv6 gateway

IPv6 auto-configures with link local addresses so you shouldn't have to do anything on the client to get basic connectivity. ifconfig eth0 should have a line similar to this:
inet6 addr: fe80::20c:29ff:fed5:bcc1/64 Scope:Link
and netstat -A inet6 -r should show a default route entry similar to this:...
by andrewluck
Sat Feb 23, 2008 6:22 pm
Forum: General
Topic: Ipv6
Replies: 64
Views: 23710

Re: Ipv6

Wonder why that address?: dst-address=2000::/3
2000::/3 is the current allocation of global unicast addresses.

Regards

Andrew
by andrewluck
Sat Feb 23, 2008 10:44 am
Forum: General
Topic: IPv6 command reference
Replies: 16
Views: 10140

Re: IPv6 command reference

I posted some details on how to setup a ipv6 tunnel with a tunnel broker here:

http://forum.mikrotik.com/viewtopic.php?f=1&t=7782

Kind regards

Andrew
by andrewluck
Fri Jan 25, 2008 11:35 pm
Forum: Beginner Basics
Topic: PPTP Server Configuration for dynamic IP windows clients
Replies: 10
Views: 14447

Re: PPTP Server Configuration for dynamic IP windows clients

Remove ether1 from the bridge and add ether2 (remove the IP address from ether2). Add the router's LAN IP address to the bridge.

In the PPP Profile command, specify the additional options:
local-address=LAN address of router
bridge=lan.

Regards

Andrew
by andrewluck
Fri Jan 11, 2008 5:51 pm
Forum: General
Topic: Ipv6
Replies: 64
Views: 23710

Re: Ipv6

OK. Some lateral thinking and a whole lot of reading later, I think I've got this working. Here's what I've setup:
First sign up for your tunnel at http://www.tunnelbroker.net This will get you some information that looks like this:
Server IPv4 address: 216.66.80.26
Server IPv6 address: 2001:470:111...
by andrewluck
Fri Jan 11, 2008 10:42 am
Forum: General
Topic: Ipv6
Replies: 64
Views: 23710

Re: Ipv6

Digging into this a little deeper (complete newbie at this ipv6 stuff!) I see that I'm using the wrong tunnel type. The iproute command to set the tunnel up in Linux is:
ip tunnel add foo mode sit local 192.168.0.1 remote 192.168.1.42 dev eth0
I can see that MT now has a 6to4 tunnel type which sets ...
by andrewluck
Fri Jan 11, 2008 12:09 am
Forum: General
Topic: Ipv6
Replies: 64
Views: 23710

Re: Ipv6

Spent some time trying to get this to work (RC14) with a tunnel broker (Hurricane Electric). However, while I can ping the ipv6 addresses at the local end of the tunnel, I can't ping the remote end and I'm not seeing any traffic on the ipip tunnel. Has anyone else been able to get this working yet? ...
by andrewluck
Mon Dec 31, 2007 1:43 pm
Forum: General
Topic: some routing (rip) problems
Replies: 5
Views: 1614

Re: some routing (rip) problems

Post the route tables from the routers. Also, one of the clients that has the problem.

Regards

Andrew
by andrewluck
Sat Dec 29, 2007 7:39 pm
Forum: General
Topic: HELP NEEDED! Most net apps not working with load balance
Replies: 5
Views: 1911

Re: HELP NEEDED! Most net apps not working with load balance

Use the modified load balance example in the wiki.

http://wiki.mikrotik.com/wiki/Load_Balancing_Persistent

Once a client has connected and been routed through a WAN connection they then continue to use that gateway.

Regards

Andrew
by andrewluck
Sat Dec 29, 2007 7:30 pm
Forum: General
Topic: PPTP question ?
Replies: 3
Views: 1130

Re: PPTP question ?

Example at the bottom of this page:

http://www.mikrotik.com/testdocs/ros/2.9/ip/ipsec.php

Regards

Andrew
by andrewluck
Mon Dec 24, 2007 9:26 pm
Forum: General
Topic: NTP weirdness
Replies: 1
Views: 1972

NTP weirdness

RC13 NTP client is configured as follows:
/system ntp client set enabled=yes mode=unicast primary-ntp=212.23.8.6 secondary-ntp=0.0.0.0
However, in the firewall log I'm seeing this continually:
Dec 21 10:54:56 net4501 firewall,info Output output: in:(none) out:Internet, proto UDP, xxx.11.xxx.xxx:123-...
by andrewluck
Mon Dec 24, 2007 8:00 pm
Forum: General
Topic: PPTP question ?
Replies: 3
Views: 1130

Re: PPTP question ?

Turn on Proxy ARP on the LAN interface of the MT VPN box.

Regards

Andrew
by andrewluck
Thu Dec 06, 2007 8:52 pm
Forum: General
Topic: PPTP client from behind NAT not nice
Replies: 2
Views: 2044

Re: PPTP client from behind NAT not nice

Turn on PPTP helper in firewall service ports.

Regards

Andrew
by andrewluck
Wed Dec 05, 2007 10:42 am
Forum: General
Topic: Two ADSL connection connected to MT - Need 1-2-1 NAT
Replies: 1
Views: 874

Re: Two ADSL connection connected to MT - Need 1-2-1 NAT

Two problems here:
1: NAT
Inbound traffic on ADSL2 will have a destination address of 192.168.2.2 when it gets to the MT. Therefore the NAT rules should look like:
chain=dstnat action=dst-nat to-addresses=192.168.1.61 to-ports=0-65535 dst-address=192.168.2.2
chain=srcnat action=src-nat to-addresses=...
by andrewluck
Sun Dec 02, 2007 7:59 pm
Forum: General
Topic: IPSec VPN and underlying routing
Replies: 5
Views: 1427

Re: IPSec VPN and underlying routing

IPSEC requires that the address it's receiving packets from match the IPSEC peer policy setting. If you're sending and receiving packets on different links then this will not be the case and the packets will be dropped.

Regards

Andrew
by andrewluck
Fri Nov 30, 2007 8:33 pm
Forum: General
Topic: IPSec VPN and underlying routing
Replies: 5
Views: 1427

Re: IPSec VPN and underlying routing

OK, but OSPF will not cause the source IP address of packets to change which is what your clients are seeing.

Regards

Andrew
by andrewluck
Fri Nov 30, 2007 5:54 pm
Forum: General
Topic: IPSec VPN and underlying routing
Replies: 5
Views: 1427

Re: IPSec VPN and underlying routing

When a customer goes to "http://whatismyip.org" they see only the eth3-Router A address, not their real one at their actual router
You don't mention a proxy so I presume that you're doing NAT on router A. If so, this is normal behaviour.
Also, supposedly, IPSec will not work from my WISP ...
by andrewluck
Fri Nov 30, 2007 5:46 pm
Forum: General
Topic: IPSec error
Replies: 20
Views: 7402

Re: IPSec error

You could use DHCP relay to forward the broadcasts to the DHCP server. Better to run a server on each network.

Regards

Andrew
by andrewluck
Wed Nov 28, 2007 8:11 pm
Forum: General
Topic: VPN traffic traveling through MKT is limited to 10 tunnels?
Replies: 9
Views: 2228

Re: VPN traffic traveling through MKT is limited to 10 tunnels?

Post the error messages.

While we're at it, does debug crypto isakmp & debug crypto ipsec reveal any problems?

Regards

Andrew
by andrewluck
Wed Nov 28, 2007 2:18 pm
Forum: General
Topic: VPN traffic traveling through MKT is limited to 10 tunnels?
Replies: 9
Views: 2228

Re: VPN traffic traveling through MKT is limited to 10 tunnels?

Are you doing NAT between the Cisco and the Internet? If so, then protocol 50 (ESP) will have problems and you should use UDP encapsulation (NAT-T) for the VPN traffic.

Have you tried turning on connection tracking? Without it, RouterOS will drop all fragments.

Regards

Andrew
by andrewluck
Tue Nov 27, 2007 9:36 pm
Forum: General
Topic: IPSec error
Replies: 20
Views: 7402

Re: IPSec error

I've had Drayteks talking to Linux VPN servers so it should be possible. What's on the Advanced page, where do you specify the PSK on the Draytek, remote network etc?

Regards

Andrew
by andrewluck
Mon Nov 26, 2007 8:29 pm
Forum: General
Topic: IPSec error
Replies: 20
Views: 7402

Re: IPSec error

The two VPN ends can't agree on an IPSEC policy. Check that the settings match on both ends. Also, you need to be rather more explicit with your policy definition. You have to specify the network in use at each end of the link. 0.0.0.0/0 will not match, you have to specify your LAN range.

Regards

Andrew
by andrewluck
Sat Nov 24, 2007 11:49 am
Forum: General
Topic: Need help with IPSec VPN problems. No connecting
Replies: 3
Views: 1153

Re: Need help with IPSec VPN problems. No connecting

As you're manually specifying a policy you need:
generate-policy=no

Use main mode unless you really need aggressive mode.

Turn on IKE logging. VPN connection will only be created when there's traffic to encrypt. Ping from a client at one end to an address at the other.

Regards

Andrew
by andrewluck
Tue Nov 20, 2007 10:26 pm
Forum: General
Topic: Where is my mistake?
Replies: 4
Views: 1408

Re: Where is my mistake?

/ip address add address=200.200.200.107/32 interface=wan
This is incorrect. The subnet should be /29

Regards

Andrew
by andrewluck
Mon Nov 19, 2007 7:09 pm
Forum: General
Topic: IP routes
Replies: 4
Views: 1443

Re: IP routes

Code please.

Regards

Andrew
by andrewluck
Mon Nov 19, 2007 7:03 pm
Forum: General
Topic: VPN
Replies: 3
Views: 1292

Re: VPN

Ensure that PPTP helper is turned on. It's at
/ip firewall service-port
Regards

Andrew
by andrewluck
Wed Nov 14, 2007 8:48 pm
Forum: General
Topic: VPN problem 3.0rc10
Replies: 18
Views: 5837

Re: VPN problem 3.0rc10

Looks like I've sorted my problem. I was defining a static L2TP entry but the system was detecting it as dynamic and deleting it when the connection ended. Letting the system do it all fixes the problem.

Regards

Andrew
by andrewluck
Sun Nov 11, 2007 3:34 pm
Forum: General
Topic: RouterOS not routing IP fragments without conntrack!
Replies: 9
Views: 4487

Re: RouterOS not routing IP fragments without conntrack!

Connection tracking is not required to handle fragments provided the iptables state engine is not turned on. As there's no way to turn the state engine off in RouterOS the end result is you need connection tracking to handle fragments.

Regards

Andrew
by andrewluck
Sat Nov 10, 2007 1:42 pm
Forum: General
Topic: routeros and cisco ASA 5500
Replies: 5
Views: 1749

Re: routeros and cisco ASA 5500

Haven't tried the ASA but it works fine using a PIX (v8) as the concentrator.

Regards

Andrew
by andrewluck
Sat Nov 10, 2007 1:33 pm
Forum: General
Topic: VPN problem 3.0rc10
Replies: 18
Views: 5837

Re: VPN problem 3.0rc10

I have similar problems. I have an L2TP server setup that I'm using with the MS L2TP VPN client. First connection is fine. Then, when the client disconnects the L2TP server is deleted. I have to reboot the router and add the connection back in. Then I can connect once and the cycle is repeated. Rega...
by andrewluck
Sat Nov 10, 2007 1:30 pm
Forum: General
Topic: please help with new MT router setup. Needs streamlined..
Replies: 10
Views: 2159

Re: please help with new MT router setup. Needs streamlined..

What version are you running? If not current then upgrade. What happens to these routes when you reboot the router? Do you have bridging setup on any interfaces? Anything else you haven't told us that might be relevant? If all else fails, reset to a default configuration and add the IP addresses to ...
by andrewluck
Thu Nov 08, 2007 11:18 pm
Forum: General
Topic: IPSec with dynamic peer ...
Replies: 6
Views: 3003

Re: IPSec with dynamic peer ...

You specify the peer address as 0.0.0.0/0 and set the option 'Generate policy' in the peer setup. This will allow connections from different IP addresses. At least one end must have a fixed address.

Regards

Andrew
by andrewluck
Thu Nov 08, 2007 11:15 pm
Forum: General
Topic: please help with new MT router setup. Needs streamlined..
Replies: 10
Views: 2159

Re: please help with new MT router setup. Needs streamlined..

These are not dynamic routes, they're routes to directly connected networks. The issue is that you have an address overlap between your public network and PTP-B. In addition, you have the broadcast address for your public network defined incorrectly. Public gateway is 100.101.102.4/24 which means th...
by andrewluck
Thu Nov 08, 2007 9:15 am
Forum: General
Topic: Two concurrent PPTP connections from same routerboard to same
Replies: 10
Views: 2551

Re: Two concurrent PPTP connections from same routerboard to same

If the ISP is limiting traffic per PPTP tunnel is there a possibility that they also prevent more than one tunnel being opened to stop people bypassing the restriction like you're trying to do?

Regards

Andrew
by andrewluck
Wed Nov 07, 2007 12:22 am
Forum: General
Topic: Two concurrent PPTP connections from same routerboard to same
Replies: 10
Views: 2551

Re: Two concurrent PPTP connections from same routerboard to same

Enable PPTP in /ip firewall service-port

Regards

Andrew
by andrewluck
Tue Nov 06, 2007 9:52 pm
Forum: General
Topic: Masquerade using specific IP?
Replies: 1
Views: 800

Re: Masquerade using specific IP?

Use src-nat instead of masquerade.

Regards

Andrew
by andrewluck
Sat Nov 03, 2007 11:17 pm
Forum: General
Topic: Weak Ethernet and OSPF
Replies: 2
Views: 981

Re: Weak Ethernet and OSPF

Switch loop somewhere on your network?

Regards

Andrew
by andrewluck
Sat Nov 03, 2007 11:14 pm
Forum: General
Topic: miniRouter's ethernet ports die after random interval
Replies: 11
Views: 2689

Re: miniRouter's ethernet ports die after random interval

You're trying to load balance two DSL connections?

If so, this isn't the way to do it; bonding is a layer 2 function. The wiki has some details on how failover & load balancing should be configured.

http://wiki.mikrotik.com/wiki/Routing

Regards

Andrew
by andrewluck
Sat Nov 03, 2007 2:07 pm
Forum: General
Topic: miniRouter's ethernet ports die after random interval
Replies: 11
Views: 2689

Re: miniRouter's ethernet ports die after random interval

From the bonding mini-howto:
7. Which switches/systems does it work with?
In round-robin mode, it works with systems that support trunking:
* Cisco 5500 series (look for EtherChannel support).
* SunTrunking software.
* Alteon AceDirector switches / WebOS (use Trunks).
* BayStack Switches (trunks mus...
by andrewluck
Fri Nov 02, 2007 10:45 pm
Forum: General
Topic: miniRouter's ethernet ports die after random interval
Replies: 11
Views: 2689

Re: miniRouter's ethernet ports die after random interval

Some details of the configuration would be useful. Bit hard to help when all we really have to go on is 'It doesn't work'.

Regards

Andrew
by andrewluck
Sun Sep 09, 2007 11:52 am
Forum: General
Topic: Why can't my clients talk to the mail server??
Replies: 26
Views: 4287

Re: Why can't my clients talk to the mail server??

You're not making much sense here:
Yes, all three of those statements are correct.
One of which is 'Clients can ping the mail server' then:
if I try to ping mail.pogowave.com from one of the dynamically addressed client I.P.s (172.16.0.X), I cannot get through
Where did these clients come from? From...
by andrewluck
Sat Sep 08, 2007 11:53 pm
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 3898

Re: Lots of Input DropTCP (ACK,RST) from HTTP requests...

in:DSL out:(none) .... proto TCP (ACK,RST), web.server.ip.address:80->mikro.tik.ip.address:someport, len 40
That isn't a SYN/FIN packet. Let's see some examples along with the traffic that immediately preceded it.

Regards

Andrew
by andrewluck
Sat Sep 08, 2007 11:49 pm
Forum: General
Topic: Why can't my clients talk to the mail server??
Replies: 26
Views: 4287

Re: Why can't my clients talk to the mail server??

Adam

A layer 2 network is one that is bridged or switched. Layer 3 is routed so we're talking layer 2 here. Correct me if I'm wrong:
1: Clients can ping the mail server.
2: Clients can connect to the mail server using Internet Explorer (you mentioned webmail).
3: Clients are unable to connect to the...
by andrewluck
Sat Sep 08, 2007 7:17 pm
Forum: General
Topic: Why can't my clients talk to the mail server??
Replies: 26
Views: 4287

Re: Why can't my clients talk to the mail server??

Adam

So this is one flat layer 2 network? What network devices are between the clients and the mail server?

What's the involvement of the MT router in all of this?

You can ping the mailserver from the clients, can you use telnet to connect to the mail ports?

Regards

Andrew
by andrewluck
Sat Sep 08, 2007 12:30 pm
Forum: General
Topic: Why can't my clients talk to the mail server??
Replies: 26
Views: 4287

Re: Why can't my clients talk to the mail server??

Are your clients using a proxy server for web browsing? This could explain why webmail is working.

You haven't specified subnet masks with your network addresses. 10.0.10.255 with a 24 bit subnet mask would be a broadcast address.

Regards

Andrew
by andrewluck
Sat Sep 08, 2007 12:23 pm
Forum: General
Topic: 532a reboots when ubiquiti radio is enabled
Replies: 4
Views: 1158

Re: 532a reboots when ubiquiti radio is enabled

Good chance that this is a PSU issue. What voltage is the AC adapter actually supplying with and without the radio card?

Regards

Andrew
by andrewluck
Sat Sep 08, 2007 12:09 pm
Forum: General
Topic: msn audio not working behind NON-NATting setup
Replies: 10
Views: 2248

Re: msn audio not working behind NON-NATting setup

Do you have a compelling reason to use a public address space on your LAN? From a security standpoint this setup is a nightmare. As you've discovered, it's very difficult to secure this while keeping legitimate networking functions working. My solution would be to bind your public addresses to the o...
by andrewluck
Sat Sep 08, 2007 11:53 am
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 3898

Re: Lots of Input DropTCP (ACK,RST) from HTTP requests...

I also noticed my "sanity check" rule that accepts related connections gets no hits on bytes or packets
That's probably normal. FTP data connections are the only things I've noticed that trigger these rules. SYN/FIN packets are a good indication of a port scan. Do some checks...
by andrewluck
Sun Sep 02, 2007 11:52 pm
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 3898

Re: Lots of Input DropTCP (ACK,RST) from HTTP requests...

SYN & FIN together is an illegal combination. You can safely drop those.

Regards

Andrew
by andrewluck
Thu Aug 30, 2007 10:00 pm
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 3898

Re: Lots of Input DropTCP (ACK,RST) from HTTP requests...

As RST packets are part of normal TCP operations I wouldn't drop them. They're only a problem if they're combined with other flags such as SYN which is illegal and can indicate a port scan.

Regards

Andrew
by andrewluck
Wed Aug 22, 2007 10:07 pm
Forum: General
Topic: Computers with IPV6 installed and MT Hotspot
Replies: 16
Views: 5711

Re: Computers with IPV6 installed and MT Hotspot

This problem is also described by Microsoft as this issue affects all Vista clients (skip down to the section heading 'Installed and enabled by default'):

http://www.microsoft.com/technet/commun ... g1005.mspx


Regards

Andrew
by andrewluck
Wed Aug 22, 2007 9:57 pm
Forum: General
Topic: ipsec tunnel
Replies: 1
Views: 827

Re: ipsec tunnel

by andrewluck
Fri Aug 17, 2007 11:10 pm
Forum: General
Topic: Masquerade and filter connection-state
Replies: 7
Views: 1839

Re: Masquerade and filter connection-state

I don't see anything like this. Post your NAT & firewall rules for us.

Regards

Andrew
by andrewluck
Fri Aug 17, 2007 12:12 am
Forum: General
Topic: Masquerade and filter connection-state
Replies: 7
Views: 1839

Re: Masquerade and filter connection-state

Do you have Connection Tracking turned on?

Regards

Andrew
by andrewluck
Wed Aug 15, 2007 7:59 pm
Forum: General
Topic: help routing in RB532 3 networks : 2 private and 1 Internet
Replies: 1
Views: 786

Re: help routing in RB532 3 networks : 2 private and 1 Internet

More information required.

What NAT rule have you added? You need to be pretty specific with this rule so that only Internet traffic is natted.

I presume that all clients have default routes directed to the MT box. Is this correct?

What firewall rules do you have?

Regards

Andrew
by andrewluck
Wed Aug 15, 2007 7:53 pm
Forum: General
Topic: Masquerade and filter connection-state
Replies: 7
Views: 1839

Re: Masquerade and filter connection-state

The INPUT chain is only used by traffic destined for the router. Customer traffic that is traversing the router will only use the FORWARD chain.

Regards

Andrew
by andrewluck
Sat Jul 28, 2007 2:41 pm
Forum: General
Topic: Cannot Get PPTP tunnel to work without Nat
Replies: 7
Views: 2180

Re: Cannot Get PPTP tunnel to work without Nat

This could be a routing problem but we can't help effectively without seeing the config.

Regards

Andrew
by andrewluck
Sat Jul 28, 2007 2:32 pm
Forum: General
Topic: Firewall not working?
Replies: 5
Views: 1565

Re: Firewall not working?

Yes. Anytime someone sends a udp packet from outside with a source port of 53 it will bypass your rules and be able to connect to any udp port.

Better to remove this rule and accept inbound established and related packets in the input chain the same as you have in the forward chain.

Regards

Andrew
by andrewluck
Sat Jul 28, 2007 2:19 pm
Forum: General
Topic: default router question, etc
Replies: 5
Views: 1883

Re: default router question, etc

You don't mention NAT which you will require as you're using private IP addresses internally.

Regards

Andrew
by andrewluck
Thu Jul 12, 2007 8:55 pm
Forum: General
Topic: problem adding subnet to address-list -- 123.123.123.123 ?
Replies: 6
Views: 1868

Re: problem adding subnet to address-list -- 123.123.123.123 ?

It won't add it because it's not a valid subnet. For the IP address and subnet you've supplied the network address is 10.6.0.0. First available host address is 10.6.0.1; last address is 10.7.255.254.

Regards

Andrew
by andrewluck
Thu Jul 12, 2007 6:46 pm
Forum: General
Topic: Norlel VPN using IPSec
Replies: 3
Views: 1092

Re: Norlel VPN using IPSec

Robert

One-to-One NAT is still NAT. How far you get depends on which protocol they're using. AH is a definite no-go. I've seen ESP work through NAT but it's not recommended. If they're doing NAT-T then the whole IPSEC packet is wrapped in UDP or TCP which stands a much better chance of working. Gene...
by andrewluck
Wed Jul 11, 2007 10:52 pm
Forum: General
Topic: Brute forcing MikroTik's demo site
Replies: 3
Views: 1494

Re: Brute forcing MikroTik's demo site

I'm not sure that this works as you anticipate. When I experimented with this some time back I found that multiple login attempts could be made within the same tcp connection. As your rules only match a new connection state you don't see these additional attempts.

Regards

Andrew
by andrewluck
Wed Jul 11, 2007 7:28 pm
Forum: General
Topic: Norlel VPN using IPSec
Replies: 3
Views: 1092

Re: Norlel VPN using IPSec

No VPN setup is required on the router as the tunnel is between the client and the bank's VPN concentrator.

If your router is doing NAT then this can cause IPSEC to break. You'd need to turn on whatever NAT traversal options are available in the client software.

Regards

Andrew
by andrewluck
Sun Jul 08, 2007 5:57 pm
Forum: General
Topic: Static ARP not working on Bridge
Replies: 2
Views: 1120

Re: Static ARP not working on Bridge

That's just because of the way bridging works as opposed to routing. You'd need to implement bridge filtering.

Regards

Andrew
by andrewluck
Sun Jul 08, 2007 2:05 pm
Forum: General
Topic: IPSEc warning with L2TP and Win client
Replies: 1
Views: 973

Re: IPSEc warning with L2TP and Win client

Can we keep this in one thread please?

Regards

Andrew
by andrewluck
Sun Jul 08, 2007 2:04 pm
Forum: General
Topic: PLEASE HELP - IPSEC and Remote Clients
Replies: 5
Views: 1737

Re: PLEASE HELP - IPSEC and Remote Clients

Not much to go on there.

Check the IKE logs to see if anything is going wrong.

Also, you might try turning on ipsec logging on the windows client to see if that gives any clues.

Regards

Andrew
by andrewluck
Mon Jul 02, 2007 11:21 pm
Forum: General
Topic: [Resolved]PPTP vpn configuration[Resolved]
Replies: 6
Views: 2044

Re: PPTP vpn configuration

Usually it's because proxy arp is not enabled on the LAN interface of the MT box.

Regards

Andrew
by andrewluck
Sat Jun 30, 2007 2:16 pm
Forum: General
Topic: Can't get to microsoft.com, download.com, others!
Replies: 3
Views: 1333

Re: Can't get to microsoft.com, download.com, others!

pppoe-out is the interface that connects to the Internet. Replace it with whatever you use.

Regards

Andrew
by andrewluck
Sat Jun 30, 2007 2:13 pm
Forum: General
Topic: RIP - Update Timer Problems
Replies: 6
Views: 1603

Re: RIP - Update Timer Problems

Post your routing config from the MT and Cisco here. Also, the routing table from both devices and the output from 'debug ip rip'.

Regards

Andrew
by andrewluck
Wed Jun 27, 2007 10:56 pm
Forum: General
Topic: RIP - Update Timer Problems
Replies: 6
Views: 1603

Re: RIP - Update Timer Problems

It looks like a bug in RouterOS. However, if you need these frequent routing updates you're using the wrong routing protocol. Use link state, or, at least, RIPv2 with triggered updates.

Regards

Andrew
by andrewluck
Wed Jun 27, 2007 10:52 pm
Forum: General
Topic: pls can anybody help me what is this traffic
Replies: 4
Views: 1364

Re: pls can anybody help me what is this traffic

It's packets addressed to TCP port 80.

You need to break further into the packet to determine the higher layer headers for further information.

Regards

Andrew
by andrewluck
Mon Jun 25, 2007 11:43 am
Forum: General
Topic: Office and Hotspot to Internet - need help
Replies: 2
Views: 1004

Re: Office and Hotspot to Internet - need help

The bridge and port 5 have addresses in the same subnet 192.168.0.0/24. This will not work. You need to change one of the subnets.

Regards

Andrew
by andrewluck
Fri Jun 22, 2007 12:06 pm
Forum: General
Topic: ssh key generation
Replies: 3
Views: 2846

Re: ssh key generation

I doubt that this can be made to work. SSH keys in MT are provided just for logging onto the local box, not for making connections from MT to other boxes.

Regards

Andrew
by andrewluck
Thu Jun 21, 2007 7:04 pm
Forum: General
Topic: ssh key generation
Replies: 3
Views: 2846

Re: ssh key generation

by andrewluck
Wed Jun 20, 2007 5:40 pm
Forum: General
Topic: Port Specifications on a Masquerade Firewall
Replies: 6
Views: 1931

Re: Port Specifications on a Masquerade Firewall

You need to specify an interface in the masquerade NAT rule, e.g. from the manual:

[admin@MikroTik] ip firewall nat> add chain=srcnat action=masquerade out-interface=Public

Regards

Andrew
by andrewluck
Sat Jun 16, 2007 3:22 pm
Forum: General
Topic: limit smtp connections
Replies: 1
Views: 1280

Re: limit smtp connections

http://wiki.mikrotik.com/wiki/How_to_au ... output

I'm pretty sure that someone also posted a method of greylisting SMTP servers a while back.

Regards

Andrew
by andrewluck
Sat Jun 16, 2007 3:16 pm
Forum: General
Topic: web server behind mikrotik cpe
Replies: 10
Views: 2418

Re: web server behind mikrotik cpe

Yes. Stick to one of the private address ranges specified in RFC 1918.

In your case, change the 90 to a 10 and you're fixed.

Regards

Andrew
by andrewluck
Sat Jun 16, 2007 12:38 pm
Forum: General
Topic: web server behind mikrotik cpe
Replies: 10
Views: 2418

Re: web server behind mikrotik cpe

One problem here. Your LAN addresses are also public and allocated to wanadoo.fr.

Regards

Andrew
by andrewluck
Fri Jun 08, 2007 7:23 pm
Forum: General
Topic: ping to a website problem
Replies: 1
Views: 803

Re: ping to a website problem

DNS isn't working for your clients.

Regards

Andrew
by andrewluck
Fri Jun 08, 2007 7:22 pm
Forum: General
Topic: Port Specifications on a Masquerade Firewall
Replies: 6
Views: 1931

Re: Port Specifications on a Masquerade Firewall

Post your NAT setup here.

Regards

Andrew
by andrewluck
Wed Jun 06, 2007 10:59 pm
Forum: General
Topic: PLEASE HELP - IPSEC and Remote Clients
Replies: 5
Views: 1737

Re: PLEASE HELP - IPSEC and Remote Clients

This is what "generate-policy=yes" does. Make sure you specify the client IP address as 0.0.0.0. Subnet mask is either /0 or /32, I can't remember which.

Regards

Andrew
by andrewluck
Sun Jun 03, 2007 3:11 pm
Forum: General
Topic: PLEASE HELP - IPSEC and Remote Clients
Replies: 5
Views: 1737

Re: PLEASE HELP - IPSEC and Remote Clients

There is a setting in ISAKMP for "generate-policy=yes".

Regards

Andrew
by andrewluck
Sun Jun 03, 2007 3:07 pm
Forum: General
Topic: Manual instructions for icmp filter wrong?
Replies: 3
Views: 1515

Re: Manual instructions for icmp filter wrong?

Comments for the first three are incorrect. Rules are otherwise OK.

Regards

Andrew
by andrewluck
Wed May 16, 2007 10:53 pm
Forum: General
Topic: Vists PPTP
Replies: 2
Views: 1039

I've also run into problems connecting Vista PPTP clients to Cisco PPTP servers. No solution for this yet.

Some people are reporting success by disabling MS-Chap (use only ms-chap-2) and disabling MPPE-40.

Regards

Andrew
by andrewluck
Tue May 15, 2007 11:32 pm
Forum: General
Topic: SIP + NAT
Replies: 1
Views: 1021

Yes.

Google for SIP & NAT. There's loads of information out there.

Regards

Andrew
by andrewluck
Fri May 04, 2007 12:25 am
Forum: General
Topic: Port Forwarding not working
Replies: 23
Views: 5141

NAT rules look OK. You haven't mentioned firewall rules.

Otherwise, routing tables?

Run ethereal on one of the servers and check that the inbound packet actually arrives.

Regards

Andrew
by andrewluck
Thu May 03, 2007 10:27 pm
Forum: General
Topic: litle problem with http browsing
Replies: 4
Views: 1632

Try this instead:

http://forum.mikrotik.com/viewtopic.php?t=15122

Regards

Andrew
by andrewluck
Thu May 03, 2007 10:23 pm
Forum: General
Topic: Port Forwarding not working
Replies: 23
Views: 5141

Do you have any src-nat or masquerade rules for outbound traffic?

Regards

Andrew
by andrewluck
Thu May 03, 2007 10:12 pm
Forum: General
Topic: Bizzare Problem...
Replies: 7
Views: 2101

Try 'clamp-to-pmtu' or a lower fixed value. I use 1360 but it's a case of whatever works.

Regards

Andrew
by andrewluck
Wed May 02, 2007 11:32 pm
Forum: General
Topic: Bizzare Problem...
Replies: 7
Views: 2101

Have you used Mangle to change the MSS on outgoing SYN packets? This is different to setting MTU on the interfaces. Directly setting the IP address in the browser may produce confusing results as the server will usually be looking for the HTTP Host header, which won't be there. Are you proxying anywhere...
by andrewluck
Wed May 02, 2007 4:13 pm
Forum: General
Topic: Bizzare Problem...
Replies: 7
Views: 2101

Could be MTU issues. Search the forum as this has been discussed many times.

Regards

Andrew
by andrewluck
Tue May 01, 2007 12:48 pm
Forum: General
Topic: Win shared directories
Replies: 9
Views: 2347

Don't you mean "\\192.168.1.1\public"? The two leading slashes are required. SMB only requires broadcasts for name lookup. As you're not doing this here, this should work. Network browsing also requires broadcasts. Depending on the type of OS involved, you require a DNS and/or WINS server. ...
by andrewluck
Tue May 01, 2007 12:40 pm
Forum: General
Topic: need help-webproxy
Replies: 9
Views: 4613

http://www.mikrotik.com/testdocs/ros/2. ... bproxy.php

Use the cache-drive option.

Regards

Andrew
by andrewluck
Thu Apr 26, 2007 9:28 pm
Forum: General
Topic: FTP firewall rule not working
Replies: 5
Views: 2249

Turn on the FTP helper in Firewall - Service Ports. Add a rule to allow Related packets in the Forward chain. Remember that FTP has two modes: normal & passive which manage their data channel in completely different ways. Once you have this working I suggest you re-visit your Forward chain and s...
by andrewluck
Wed Apr 18, 2007 3:35 pm
Forum: General
Topic: Newbie with RouterOS as a Internet Router
Replies: 5
Views: 1726

A network diagram would help. Could you post a picture please?

Regards

Andrew
by andrewluck
Mon Apr 16, 2007 10:08 pm
Forum: General
Topic: Newbie with RouterOS as a Internet Router
Replies: 5
Views: 1726

Welcome.

Try starting here:

http://wiki.mikrotik.com/wiki/How_to_Co ... _xDSL_Line

Regards

Andrew
by andrewluck
Thu Apr 12, 2007 9:47 pm
Forum: General
Topic: syslog configuration
Replies: 10
Views: 3921

You need to tell the router what to send to Syslog, e.g.

/system logging
add topics=info prefix="" action=remote disabled=no
add topics=error prefix="" action=remote disabled=no
add topics=warning prefix="" action=remote disabled=no
add topics=critical prefix="...
by andrewluck
Mon Apr 09, 2007 9:47 pm
Forum: General
Topic: IPSEC road warrior config help
Replies: 8
Views: 3936

RouterOS 2.9 does not handle NAT-T.

Otherwise, for dynamic IP clients use 'generate-policy'=yes in /ip policy peer.

Regards

Andrew
by andrewluck
Thu Mar 29, 2007 10:11 pm
Forum: General
Topic: netbios not working between bridged interfaces
Replies: 14
Views: 4312

NetBIOS doesn't use multicast for name resolution; in the absence of DNS, WINS or LMHOSTS it will use broadcast.

Regards

Andrew
by andrewluck
Tue Mar 27, 2007 7:10 pm
Forum: General
Topic: Filter/Mangle Rules to identify IPSEC traffic
Replies: 4
Views: 3955

Ben

Destination address would be the usual way of doing this.

Regards

Andrew
by andrewluck
Sun Mar 25, 2007 11:19 pm
Forum: General
Topic: Filter/Mangle Rules to identify IPSEC traffic
Replies: 4
Views: 3955

Take a look at the diagram here:

http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

It'll give you a better idea of where you need to place rules etc.

Regards

Andrew
by andrewluck
Wed Mar 14, 2007 11:29 am
Forum: General
Topic: PPTP Error
Replies: 3
Views: 2584

Troubleshooting 'GRE: Protocol not available' errors

http://poptop.sourceforge.net/dox/gre-p ... able.phtml

Regards

Andrew
by andrewluck
Tue Mar 13, 2007 12:02 am
Forum: General
Topic: VPN Server (Win2003 ) behind MiktoTik - L2TP, PPTP
Replies: 7
Views: 2662

No need to forward ESP as NAT-T will be in use. This uses TCP:4500 (you need to check this port).

Seriously consider doing all this on the router. It'll save the NAT-T overhead.

Ports required:

TCP 1723, 4500
UDP 500

Regards

Andrew
by andrewluck
Mon Mar 12, 2007 11:04 pm
Forum: General
Topic: VPN Server (Win2003 ) behind MiktoTik - L2TP, PPTP
Replies: 7
Views: 2662

One question: why not do the VPN on the router? No need to forward ESP as NAT-T will be in use. This uses TCP4500 (you need to check this port). No need to forward UDP1701 as this is L2TP without ESP encapsulation. Turn on connection tracking and PPTP / GRE service ports in /IP FIREWALL. This should...
by andrewluck
Mon Mar 12, 2007 2:03 pm
Forum: General
Topic: NetBios traffic over a VPN
Replies: 11
Views: 9977

SAMBA will also act as a WINS server.

Regards

Andrew
by andrewluck
Sun Mar 11, 2007 1:06 pm
Forum: General
Topic: ARP Issue
Replies: 1
Views: 951

You haven't supplied much information to work with. Check your network cabling and switches first.

Regards

Andrew
by andrewluck
Fri Mar 09, 2007 1:47 pm
Forum: General
Topic: PPPoE and NAT problem (slow connectivity)
Replies: 5
Views: 3044

More likely an MTU / MSS problem. A mangle MSS rule usually fixes this. Search the forum for details.

Regards

Andrew
by andrewluck
Thu Mar 08, 2007 5:30 pm
Forum: General
Topic: Agressve mode IPSEC tunnel
Replies: 4
Views: 1438

Post your IPSEC setup.

Regards

Andrew
by andrewluck
Thu Mar 01, 2007 10:23 pm
Forum: General
Topic: Agressve mode IPSEC tunnel
Replies: 4
Views: 1438

Yes. You can use
generate-policy=yes
(/ip ipsec peer).

http://www.mikrotik.com/testdocs/ros/2.9/ip/ipsec.php

Regards

Andrew
by andrewluck
Sun Feb 11, 2007 7:02 pm
Forum: General
Topic: Hotspot DNS problem
Replies: 3
Views: 1480

Run a protocol analyser (e.g. Ethereal) on the PC. That way you can check the query and the reply. Compare the result to what you get on a PC that works. Some spyware messes with the PC DNS settings but this should be easy to spot from examining the packets.

Regards

Andrew
by andrewluck
Sun Feb 11, 2007 12:02 pm
Forum: General
Topic: Hotspot DNS problem
Replies: 3
Views: 1480

Seem to remember that I fixed this by using a DNS name for the hotspot that had at least one '.' in it, e.g. hotspot.local.

Regards

Andrew
by andrewluck
Fri Feb 02, 2007 11:34 am
Forum: General
Topic: ipsec mikrotik-pix
Replies: 2
Views: 1129

Check the SA timeout values on both ends.

Turn on crypto debugging on the Cisco end. Lots of useful information there.

Regards

Andrew
by andrewluck
Tue Jan 30, 2007 10:46 pm
Forum: General
Topic: Routerboard/RouterOS losing serious connection
Replies: 14
Views: 3854

Does the Procurve show any errors on the 532's port?

Only other thing I can suggest is to reset the config on the 532 and setup the bare minimum to bridge the ports. See if you still have the problem.

Regards

Andrew
by andrewluck
Tue Jan 30, 2007 6:35 pm
Forum: General
Topic: Routerboard/RouterOS losing serious connection
Replies: 14
Views: 3854

No problem with full-duplex that I'm aware of. I was just puzzled why your LAN connection is 10Mbit full-duplex. If your LAN is a switch then that should probably be set to 100Mbit full. If it's a hub, then 10Mbit half.

Regards

Andrew
by andrewluck
Mon Jan 29, 2007 11:09 pm
Forum: General
Topic: Routerboard/RouterOS losing serious connection
Replies: 14
Views: 3854

Just the interface and bridge config would have been sufficient for now :shock:

Two of your links are fixed at 10Mbit full-duplex. This is unusual as 10Mbit is usually associated with hubs, which are half-duplex.

Regards

Andrew
by andrewluck
Sun Jan 28, 2007 11:23 pm
Forum: General
Topic: Routerboard/RouterOS losing serious connection
Replies: 14
Views: 3854

Post your bridge config here.

Regards

Andrew
by andrewluck
Sun Jan 28, 2007 7:59 pm
Forum: General
Topic: Routerboard/RouterOS losing serious connection
Replies: 14
Views: 3854

Bad cable?

Regards

Andrew
by andrewluck
Fri Dec 29, 2006 1:44 pm
Forum: General
Topic: ospf help
Replies: 7
Views: 1798

Agreed. Removing static routes is generally a good idea in an OSPF environment. However, if you wish to maintain a backup default route then you'll need two static routes. Giving the backup an administrative distance above 110 means that it won't normally be used.

Regards

Andrew
by andrewluck
Fri Dec 29, 2006 1:30 pm
Forum: General
Topic: ospf help
Replies: 7
Views: 1798

The issue is usually that statically configured default routes have a lower administrative distance than routing protocol routes. Cisco define a static route as an AD of 1 and an OSPF route as 110, so the static route will always be used over the dynamic one. To change this behaviour, you need to al...
by andrewluck
Fri Dec 29, 2006 11:48 am
Forum: General
Topic: ospf help
Replies: 7
Views: 1798

What does the resulting route table look like?

Regards

Andrew
by andrewluck
Thu Dec 28, 2006 8:49 pm
Forum: General
Topic: weird reboot issue
Replies: 11
Views: 2935

My board was replaced.

Regards

Andrew
by andrewluck
Mon Dec 25, 2006 2:35 pm
Forum: General
Topic: VLAN problem... can anyone help??
Replies: 3
Views: 1254

Supply the results of the following please:
/interface vlan print
/ip address print
/ip route print
If you're using NAT, then
/ip firewall nat print
as well.

Regards

Andrew
by andrewluck
Mon Dec 25, 2006 12:04 pm
Forum: General
Topic: give a traffic 200 MB for each user !!
Replies: 6
Views: 1711

"but it seems it's hard to do"

Yes, but you'll learn a whole bunch of stuff that you didn't know before you started! That's part of what it's all about.

If you get stuck then post specific queries here.

Regards

Andrew
by andrewluck
Mon Dec 25, 2006 12:00 pm
Forum: General
Topic: DHCP Leases
Replies: 3
Views: 1366

I misunderstood. So you get these entries after a re-boot but before any clients renew their leases? That does sound like a problem.

Regards

Andrew
by andrewluck
Sun Dec 24, 2006 11:31 pm
Forum: General
Topic: DHCP Leases
Replies: 3
Views: 1366

When a client performs an address renewal, it requests the same IP address again. The DHCP server will re-issue the address.

Regards

Andrew
by andrewluck
Sun Dec 24, 2006 11:27 pm
Forum: General
Topic: give a traffic 200 MB for each user !!
Replies: 6
Views: 1711

by andrewluck
Sun Dec 24, 2006 12:40 pm
Forum: General
Topic: give a traffic 200 MB for each user !!
Replies: 6
Views: 1711

You could try RADIUS accounting. There are some examples on the Wiki for setting up RouterOS & RADIUS.

Regards

Andrew
by andrewluck
Sun Dec 24, 2006 12:34 pm
Forum: General
Topic: VLAN problem... can anyone help??
Replies: 3
Views: 1254

You need to post some more details on your config before anyone is going to be able to help you with anything more than guesswork.

Regards

Andrew