Search found 19 matches

by haplessuser
Fri Feb 17, 2017 11:00 pm
Forum: General
Topic: CCR1009/RB3011, recommended settings for best VPN performance?
Replies: 7
Views: 4135

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Well, of course we want to have encryption. ;-) But what I was wondering about is what type of encryption algorithm (e.g. DES, AES, etc) that would be most efficient in terms of hardware acceleration in order to get the highest possible speed without too much load on the main processor on a RB3100 c...
by haplessuser
Fri Feb 17, 2017 8:25 pm
Forum: General
Topic: CCR1009/RB3011, recommended settings for best VPN performance?
Replies: 7
Views: 4135

Re: CCR1009/RB3011, recommended settings for best VPN performance?

I assume you mean a site-to-site VPN. IPsec is actually pretty light as far as VPN tech goes, but your limiting factor will be your link between the two routers compounded by your underlying encryption. Heavy encryption = more security = slower speeds. So the fastest? Don't encrypt. But you'll have ...
by haplessuser
Fri Feb 17, 2017 8:17 pm
Forum: General
Topic: Bandwidth Test Limitations by platform
Replies: 1
Views: 1126

Bandwidth Test Limitations by platform

I have been using 1100AHx2's and the occasional CCR-36 in the field for a while as packet sniffer/bandwidth test appliances. I see that although it only has 1GB RAM, the nominal CPU frequency of the 3011UAS is .4GHz faster than the 1100. Just for fun, I have placed a couple of 3011's directly connec...
by haplessuser
Sat Oct 29, 2016 3:36 am
Forum: Scripting
Topic: Mikrotik Access Hardening
Replies: 1
Views: 1193

Mikrotik Access Hardening

Has anyone written a script to secure the mikrotik from unauthorized access attempts? Part of the issue is that the mikrotik listens on all public interfaces. Most commercial routers have some facility like Juniper's implicit deny or Cisco's vty "funneling". It would be pretty easy to hav...
by haplessuser
Thu Sep 29, 2016 10:06 pm
Forum: Beginner Basics
Topic: Problems with adding ports to bridges
Replies: 3
Views: 1120

Re: Problems with adding ports to bridges

What exactly are you trying to do? Bridging VLANs sort of defeats the purpose of the VLAN. If you want a "trunk" port, meaning it just passes all of the VLANs, a generic bridge of physical interfaces will suffice. You can hang VLAN sub-interfaces off of the bridge if you are trying to use ...
by haplessuser
Thu Sep 29, 2016 9:18 pm
Forum: General
Topic: Mikrotik PPPoE Server Bandwidth Drop Issue
Replies: 1
Views: 1548

Re: Mikrotik PPPoE Server Bandwidth Drop Issue

Well, the obvious is they have a different queueing system than the profile you are connecting to with your computer, but I'm sure you've vetted this. I would suspect this if the speed is consistently the same. This can also be the case if you have multiple clients and it is dividing the bandwidth v...
by haplessuser
Wed Sep 28, 2016 3:08 am
Forum: Forwarding Protocols
Topic: Failover error
Replies: 4
Views: 1262

Re: Failover error

Right, you have a check gateway setup I'd assume. Can you ping 4.2.2.3 from 192.168.1.1?
by haplessuser
Wed Sep 28, 2016 2:34 am
Forum: Forwarding Protocols
Topic: Failover error
Replies: 4
Views: 1262

Re: Failover error

You'll have to ask a question with some additional information. The above just shows that the gateway of 192.168.1.1 is reachable.
by haplessuser
Wed Sep 28, 2016 2:27 am
Forum: Beginner Basics
Topic: Passing traffice based on IP range
Replies: 9
Views: 1330

Re: Passing traffice based on IP range

Yep, so a masquerade rule would look like: chain=srcnat action=masquerade to-addresses=PUBLIC IP HERE src-address=10.2.2.0/24 dst-address-list=!private You set the address list under /ip firewall address-list. It might look something like: 1 private 172.16.0.0/12 2 private 192.168.0.0/16 3 private 1...
by haplessuser
Wed Sep 28, 2016 2:13 am
Forum: Beginner Basics
Topic: basic VPN static route question
Replies: 6
Views: 1755

Re: basic VPN static route question

Your next hop needs to be a direct adjacency. Whether that is over the L2TP or via a standard ethernet bridge. The route pointing a private network to a public IP nexthop is problematic because it's unlikely that your ISP will know what to do with it. You may have a typo in your l2tp setup as well...
by haplessuser
Wed Sep 28, 2016 1:50 am
Forum: Beginner Basics
Topic: Passing traffice based on IP range
Replies: 9
Views: 1330

Re: Passing traffice based on IP range

For the LAN side of the SIP server? Shouldn't be. For your masquerade rule that allows you to get to the internet, you can also add a rule to it that says ! SIP SERVER IP. The ! before an IP in a rule basically means "not equal to".
by haplessuser
Wed Sep 28, 2016 1:44 am
Forum: Beginner Basics
Topic: Passing traffice based on IP range
Replies: 9
Views: 1330

Re: Passing traffice based on IP range

Assuming the mikrotik is the gatekeeper for both private networks, no static routes are required.
by haplessuser
Wed Sep 28, 2016 1:41 am
Forum: Beginner Basics
Topic: Passing traffice based on IP range
Replies: 9
Views: 1330

Re: Passing traffice based on IP range

Typical setups like this are: Computer (10.0.0.5) --> (10.0.0.1) Mikrotik (192.168.0.1) --> (192.168.0.2) SIP Server --> Phone Provider Computer (10.0.0.5) --> (10.0.0.1) Mikrotik (x.x.x.x WAN IP) --> interwebs Basically, your computer would send all traffic to the mikrotik. You would just set up yo...
by haplessuser
Wed Sep 28, 2016 1:25 am
Forum: General
Topic: Customers PPPoe unplugging ccr1036
Replies: 8
Views: 1960

Re: Customers PPPoe unplugging ccr1036

I had a 103612G-4S that had this behavior. I was able to fix it by switching to 6.36rc12 (testing) firmware, but that was months ago, and I no longer use the CCR as a PPPoE aggregator. Take this with a grain of salt since you said all three have the same firmware. Based on the process of elimination,...
by haplessuser
Wed Sep 28, 2016 1:09 am
Forum: Beginner Basics
Topic: Passing traffice based on IP range
Replies: 9
Views: 1330

Re: Passing traffice based on IP range

Your computers are connecting to the mikrotik already, so the easiest way would be to just create a connection between the mikrotik and your SIP server. Is there a particular reason you have two networks assigned to each computer?
by haplessuser
Wed Sep 28, 2016 12:52 am
Forum: Beginner Basics
Topic: basic VPN static route question
Replies: 6
Views: 1755

Re: basic VPN static route question

Ok, maybe I'm missing something then. The L2TP just forms a new adjacency. You still need a path to whatever network you want to reach. By your client route output, 0.0.0.0 0.0.0.0 On-link 10.10.0.30 21 appears to be the preferred gateway of last resort. All traffic will attempt to go to 10.10.0.30 ...
by haplessuser
Tue Sep 27, 2016 10:23 pm
Forum: Beginner Basics
Topic: Newbie Question about NAT
Replies: 3
Views: 948

Re: Newbie Question about NAT

Your masquerade rule should take care of outbound traffic. You will need to create a destination nat rule. Functionally, it would look something like: chain=dstnat action=dst-nat to-addresses=INSIDE/PRIVATE IP HERE to-ports=443 protocol=tcp dst-address=OUTSIDE IP HERE dst-port=443 log=no log-prefix=...
by haplessuser
Tue Sep 27, 2016 10:18 pm
Forum: Beginner Basics
Topic: PPTP stopped working
Replies: 6
Views: 5401

Re: PPTP stopped working

I recently had an issue with this. A packet cap looking for protocol 47 should help you diagnose. In my case, it was just a software bug of sorts. One side was simply not attempting a connection. Disabling/Re-enabling did not resolve the issue, but opening it up, copying it, deleting the original, t...
by haplessuser
Tue Sep 27, 2016 10:14 pm
Forum: Beginner Basics
Topic: basic VPN static route question
Replies: 6
Views: 1755

Re: basic VPN static route question

Unless I'm misunderstanding your problem, the issue would be on the client side routes. On your l2tp client, what does "netstat -rn" show you about your destinations? You could probably pass this with DHCP option 121 from the mtik, or just have them added on startup via some script. Apple...