Community discussions

Search found 1101 matches

by idlemind
Wed Jul 10, 2019 3:23 pm
Forum: General
Topic: EoIP over Internet
Replies: 2
Views: 178

Re: EoIP over Internet

Do you have global unicast IPs on the 4G interfaces or are they carrier grade NAT addresses? You'll need a public IP on at least 1 side of the equation and even then you'll have to use something capable of traversing NAT first.
by idlemind
Wed Jul 10, 2019 7:50 am
Forum: General
Topic: IPv6 DHCP Server Not Leasing IP
Replies: 11
Views: 3907

Re: IPv6 DHCP Server Not Leasing IP

Hi all, I've got the same issue. Nothing works, the IPv6 clients get no IPv6 address or prefix from the FTTH modem. DHCPv6 server didn't work ... I spent a lot of time on this issue and I'm nearly ready to throw the Mikrotik onto the rubbish or I will drive over it with my car ... It is really frustrati...
by idlemind
Wed Jul 10, 2019 6:17 am
Forum: General
Topic: What VPN tech with dynamic routing behind NAT?
Replies: 3
Views: 241

Re: What VPN tech with dynamic routing behind NAT?

You can use L2TP/IPSEC behind a NAT with few problems and leverage PPP for authentication and for telling multiple clients apart. You can leverage either BGP or OSPF with static neighbors over that directly. If you really just want to use a dynamic routing protocol that does not require static neighb...
by idlemind
Wed Jul 10, 2019 6:09 am
Forum: General
Topic: MTU mismatch / confusion mixed network
Replies: 3
Views: 330

Re: MTU mismatch / confusion mixed network

So, with PPPoE, like other tunneling protocols, we have to be aware of MTU along the path. We also have to think about how systems handle dissimilar MTU along the path of a packet. To handle the issue around MTU along the path it's a fairly simple equation. With the default of 1480 for both in the PPPoE ...
by idlemind
Wed Jun 05, 2019 2:58 am
Forum: General
Topic: IPv6 transition mechanism
Replies: 71
Views: 5226

Re: IPv6 transition mechanism

Happy Eyeballs sorts out this problem in a matter of 150 ms, not 5 seconds; the problem is probably a failure in the ISP or content provider. It is the same as when you have IPv4 only and something fails; we need to realize that technical problems can be the same in IPv4 as in IPv6! Happy Eyeballs doe...
by idlemind
Wed Jun 05, 2019 1:34 am
Forum: General
Topic: Mikrotik icmp traffic from itself?
Replies: 3
Views: 218

Re: Mikrotik icmp traffic from itself?

Yes, the MikroTik is originating the reply from the IP based on routing so I assume your IP of 10.175.0.76 is either an IP meant for management and the router doesn't have a more preferred path on the Internet routing side or you're using RFC1918 IPs internally to route traffic to customers. If your...
by idlemind
Wed Jun 05, 2019 1:22 am
Forum: General
Topic: Full mesh VPN between 3 or more Mikrotik routers
Replies: 10
Views: 513

Re: Full mesh VPN between 3 or more Mikrotik routers

Sounds like a great place to use a routing protocol. Sadly no DMVPN in MikroTik land. I'd still likely opt to go with GRE so I could run a dynamic protocol across it. With a true mesh (all routers with links to all other routers) that will get unwieldy quick so an automation tool would be very helpf...
by idlemind
Fri Apr 26, 2019 5:27 pm
Forum: General
Topic: EoIP and VLANs advantages/
Replies: 2
Views: 225

Re: EoIP and VLANs advantages/

The best thing you can do is design your network and applications in a way that doesn't require L2 extensions. I understand this is not always a reality but you really don't want to spread your L2 failure domain. If the thought is to use EoIP to place the same IPs in 2 DCs that's the worst scenario....
by idlemind
Fri Apr 26, 2019 5:19 pm
Forum: General
Topic: IPv6 deployment on individual /64
Replies: 3
Views: 254

Re: IPv6 deployment on individual /64

Yup, the recommendation is to allow up to a /56 to be requested via DHCPv6-PD. The absolute smallest I'd go is a /60 for residential. It gives the customer the ability to provide a normal LAN, a guest network and VPN without compatibility breaking small subnets.
by idlemind
Thu Apr 25, 2019 9:29 am
Forum: General
Topic: IPv6 dhcp server lease script
Replies: 1
Views: 136

Re: IPv6 dhcp server lease script

We currently are using IPv4 for our customers and are about to convert to IPv6. We are using the lease script in the IPv4 dhcp server to report the ip address a customer pulls to Sonar. We need to do the same thing when we go to IPv6. When I look at the IPv6 dhcp server I don't see the lease script...
by idlemind
Thu Apr 25, 2019 9:24 am
Forum: General
Topic: Trying to Understand MSS Clamping - Not Working? [SOLVED]
Replies: 9
Views: 513

Re: Trying to Understand MSS Clamping - Not Working? [SOLVED]

Yes I did the ping tests with DF. Also switching to the cable modem had no effect. But yes, it is possible that some websites have broken path MTU discovery. The issue was very noticeable with some SSL/TLS services, but when I found a HTTP server doing it too, I knew something else was going on. Th...
by idlemind
Tue Apr 23, 2019 11:00 pm
Forum: General
Topic: Make device discoverable on second subnet
Replies: 2
Views: 244

Re: Make device discoverable on second subnet

Most "discovery" operations require layer 2 adjacency. A different IP subnet creates separation at layer 3. An example "discovery" mechanism is Bonjour, which is bound at layer 2 or link-local. There are technology solutions that enable you to "stretch" (read: bridge) the Bonjour traffic across layer ...
by idlemind
Tue Apr 23, 2019 10:48 pm
Forum: General
Topic: Trying to Understand MSS Clamping - Not Working? [SOLVED]
Replies: 9
Views: 513

Re: Trying to Understand MSS Clamping - Not Working? [SOLVED]

You mention DSL for Internet. Here in the states I still see the majority of them putting the MTU drop for PPP towards the customer. If that's the case you will want to set the interface MTU facing the DSL provider to 1492. This is fairly easy to test. Just turn off the VPN to go directly out to th...
by idlemind
Sun Apr 21, 2019 4:28 pm
Forum: General
Topic: Trying to Understand MSS Clamping - Not Working? [SOLVED]
Replies: 9
Views: 513

Re: Trying to Understand MSS Clamping - Not Working? [SOLVED]

You mention DSL for Internet. Here in the states I still see the majority of them putting the MTU drop for PPP towards the customer. If that's the case you will want to set the interface MTU facing the DSL provider to 1492. This is fairly easy to test. Just turn off the VPN to go directly out to the...
by idlemind
Sat Apr 06, 2019 6:10 pm
Forum: General
Topic: Help: IPv4 NAT - some https websites won't load
Replies: 4
Views: 838

Re: Help: IPv4 NAT - some https websites won't load

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP. I second this. Although TCP MSS clamping isn't strictly required if MTU and path MTU discovery (largely an ICMP process) is fu...
by idlemind
Wed Mar 27, 2019 11:37 pm
Forum: General
Topic: EOIP when Behind another Router - A No Go?
Replies: 6
Views: 371

Re: EOIP when Behind another Router - A No Go?

EoIP is only required if you require L2 adjacency between endpoints. This is typically expressed as stretching a L2 network between two different L3 locations. If you do not need to stretch L2 then do not. If you need site to site connectivity with NAT traversal but not L2 stretching you can accompli...
by idlemind
Sun Mar 24, 2019 11:50 pm
Forum: General
Topic: 4in6 - RFC 2473 support? (IPv4 traffic over an IPv6 tunnel) [SOLVED]
Replies: 5
Views: 459

Re: 4in6 - RFC 2473 support? (IPv4 traffic over an IPv6 tunnel) [SOLVED]

Alternatively you can use a GRE tunnel. It is capable of being encrypted, handles IPv4 and IPv6 traffic as outer or inner protocols and supports multicast for easy use of traditional IGPs for route handling.
by idlemind
Mon Mar 18, 2019 5:39 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66232

Re: v6.45beta [testing] is released!

IKE2 rfc states the use of RSA. What would be the client devices that support EC? Why exactly you need this? RFC 4754 https://tools.ietf.org/html/rfc4754 Not finalized but per usual MikroTik is behind almost all other vendors in supporting valid technology. Of course we still can't ping IPv6 only h...
by idlemind
Sun Mar 17, 2019 10:25 pm
Forum: General
Topic: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]
Replies: 11
Views: 647

Re: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]

If the ISP uses SLAAC on the point to point link between you and them then there is a setting that allows the router to get an address that way. I believe it is global though. It makes your device behave like a client, as in IPv6 those are the devices that should react to other routers' RAs. They "should...
by idlemind
Fri Mar 15, 2019 2:34 pm
Forum: Beginner Basics
Topic: NAT - Round Robin srcnat
Replies: 5
Views: 772

Re: NAT - Round Robin srcnat

Again, assuming the address range doesn't work, you could use connection marking to cycle through similar 1:1 NAT rules like you would otherwise do when load balancing an ISP connection.
by idlemind
Sat Mar 02, 2019 9:01 pm
Forum: General
Topic: help for sxt lte VPN from android cliet
Replies: 5
Views: 399

Re: help for sxt lte VPN from android cliet

Yes the wiki has extensive documentation on the topic. Using L2TP/IPSEC for remote access or "road warrior" as the wiki calls it is nice because all major OS versions support it built-in right now. Technically I prefer IKEv2 but Android doesn't have native support for it yet. All other platforms do.
by idlemind
Thu Feb 28, 2019 1:43 am
Forum: General
Topic: Multiple IPsec clients from same public IP [SOLVED]
Replies: 3
Views: 555

Re: Multiple IPsec clients from same public IP [SOLVED]

Glad to hear!
by idlemind
Tue Feb 26, 2019 5:29 am
Forum: General
Topic: SOLVED Printer for 2 subnets
Replies: 6
Views: 626

Re: Printer for 2 subnets

Use policy routing on the MikroTik. Anything sourced by the printer destined to the wireless subnet is sent to the .249 IP.

https://wiki.mikrotik.com/wiki/Policy_Base_Routing
by idlemind
Tue Feb 26, 2019 4:24 am
Forum: General
Topic: Multiple IPsec clients from same public IP [SOLVED]
Replies: 3
Views: 555

Re: Multiple IPsec clients from same public IP [SOLVED]

Hi All, I am sure this may have been asked before, however I don't seem to be able to find anyone trying to achieve exactly what I am trying to do. I have 3 MikroTiks as follows: 1 X CHR Router hosted in the cloud with a public IP address eg 1.1.1.1; 2 X Mips devices, these will be used as clients be...
by idlemind
Tue Feb 26, 2019 3:57 am
Forum: General
Topic: IPv6 routing with several interfaces [SOLVED]
Replies: 3
Views: 756

Re: IPv6 routing with several interfaces [SOLVED]

Basically if you want to use IPv6 don't buy MikroTik. They've done little more than maintain their initial very basic set of features targeted mostly at service providers over the last several years. The comments from MikroTik seen on here make it seem that they think they can wait for an unannoun...
by idlemind
Sun Feb 24, 2019 10:10 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 633

Re: Advanced VLAN setup HAP AC RouterOS

As of 6.41+ this advice is irrelevant and dated. Please use the bridge with automatic hardware offload. If you read his link in depth you'll see MikroTik suggest the same thing. The software in the device will toggle the hardware features on and off as needed or as is capable for your device. This ...
by idlemind
Sat Feb 23, 2019 10:57 pm
Forum: General
Topic: Loop-protect packets (0x9003) drop by Centos [SOLVED]
Replies: 2
Views: 300

Re: Loop-protect packets (0x9003) drop by Centos [SOLVED]

Working as expected (tm).

https://access.redhat.com/solutions/657483

Likely the unknown protocol is triggering the behavior.
by idlemind
Sat Feb 23, 2019 10:49 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 633

Re: Advanced VLAN setup HAP AC RouterOS

SFP being part of bridge/vlans but not part of the switch will be problematic, I think. Is reducing the number of ports an option? So it would be better to do it this way? Eth1: Vlan 1, 2, 3, 4, 5 Tagged Eth2: Vlan1 - Untagged Vlan 2, 3, 4, 5 Tagged Eth3: Vlan1 - Untagged Vlan 3, 4, 5 Tagged Eth4: ...
by idlemind
Sat Feb 23, 2019 10:13 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 633

Re: Advanced VLAN setup HAP AC RouterOS

Might be challenging for bridging. Further, your Tik might be a bit too short for the routing duties: it's only a single core, but MT rates it at 950mbps with full frames so might just work. But you'll need to use switch vlan filtering functionality, not the one of bridge. Examples are here https:/...
by idlemind
Sat Feb 23, 2019 1:37 am
Forum: General
Topic: Cambium L2GRE with Mikrotik Problem
Replies: 5
Views: 614

Re: Cambium L2GRE with Mikrotik Problem

What he is saying is L2GRE and EoIP are not necessarily compatible tunnel types. God knows what L2GRE means from an implementation perspective. While EoIP is based on GRE and it encapsulates Ethernet it isn't a standard. Unless you've verified that the tech is compatible you're barking up the wrong ...
by idlemind
Sat Feb 23, 2019 1:29 am
Forum: General
Topic: Cannot access Lan devices over vpn client
Replies: 17
Views: 711

Re: Cannot access Lan devices over vpn client

Because your VPN addresses overlap with the LAN IP addressing you need to enable Proxy-ARP on the LAN bridge.

Alternatively give your VPN clients a different IP range and change the PPP local address. This would be the preferred option. Proxy-ARP comes with some security issues.
by idlemind
Tue Feb 19, 2019 9:01 am
Forum: Forwarding Protocols
Topic: Vlans + VRRP + Multiple Public IP addresses
Replies: 9
Views: 755

Re: Vlans + VRRP + Multiple Public IP addresses

The up/down method is a bit hacky. You can run VRRP for multiple networks but it seems you're running all of the instances on the same underlying interface. You should run it on the layer 3 interfaces that actually forward the traffic. Likely based on your post this should be the VLAN interfaces wit...
by idlemind
Mon Feb 18, 2019 3:30 am
Forum: General
Topic: Routing L2TP/IPSEC
Replies: 4
Views: 407

Re: Routing L2TP/IPSEC

Hi, thank you, I will give the ip forward a try; the gateway rules I already added without success. Sent from iPhone with Tapatalk. The PPP portion of a L2TP/IPSEC VPN allows you to add routes dynamically on the server side (head end) when it is connected. This paired with a default route injected...
by idlemind
Mon Feb 18, 2019 3:25 am
Forum: General
Topic: Using L2TP/Ipsec vpn using same subnet as lan?
Replies: 1
Views: 349

Re: Using L2TP/Ipsec vpn using same subnet as lan?

Yes you can use proxy ARP for that but it's not true layer 2 adjacency. If your camera solution requires that you'll want to look at BCP or PPP based bridging to see if that works on your phone. Otherwise find a camera system that works under normal IP routing scenarios. Proxy ARP is a crutch, has s...
by idlemind
Tue Feb 12, 2019 2:29 am
Forum: General
Topic: block ping just to puplick ip
Replies: 1
Views: 250

Re: block ping just to puplick ip

For ping (ICMP echo request and reply) the input chain is for the WAN interface in this case, and the forward chain for the servers behind it (likely).

Please only block ICMP echo request. The other types can be crucial for behaviors like path MTU discovery.
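The post's point, that echo request is the only ICMP type that is safe to drop because the others carry path MTU discovery, is easy to see in a small model. The following is an added example, not code from the forum post: it models a sender with the DF bit set behind a router whose firewall either drops only ICMP type 8 or drops all ICMP, on a constructed path with a PPPoE hop. The hop names and MTUs, the firewall policies and the retry count are all assumptions made for the demonstration.

```python
"""Why a firewall must not drop all ICMP: a small path MTU discovery model.

Added example, not code from the forum post. Hop names, MTUs and the
firewall policies are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IPV4_HDR = 20
TCP_HDR = 20

ICMP_DEST_UNREACH = 3   # code 4 = "fragmentation needed and DF set"
ICMP_ECHO_REQUEST = 8   # the only type the post says to block
# (the IPv6 equivalent of type 3/4 is ICMPv6 type 2, Packet Too Big)


@dataclass
class Hop:
    name: str
    mtu: int


@dataclass
class Firewall:
    """ICMP policy applied to the ICMP errors returning to the sender.
    dropped=None models a blanket 'protocol=icmp action=drop' rule."""
    dropped: Optional[Set[int]]

    def passes(self, icmp_type: int) -> bool:
        return self.dropped is not None and icmp_type not in self.dropped


def send_df_packet(path: List[Hop], fw: Firewall, size: int) -> Tuple:
    """Forward one DF-marked packet hop by hop. A hop whose MTU is too small
    discards it and emits ICMP type 3 code 4; whether that error reaches
    the sender depends on the firewall."""
    for hop in path:
        if size > hop.mtu:
            return ("too_big", hop.mtu, fw.passes(ICMP_DEST_UNREACH))
    return ("delivered", size, True)


def pmtud_transfer(path: List[Hop], fw: Firewall, mss: int,
                   retries: int = 3) -> Optional[int]:
    """Behave like a TCP sender doing PMTUD. Returns the packet size that
    finally got through, or None when the flow black-holes: full-size
    segments vanish and no 'fragmentation needed' ever comes back."""
    size = mss + IPV4_HDR + TCP_HDR
    for _ in range(retries):
        status, hop_mtu, icmp_seen = send_df_packet(path, fw, size)
        if status == "delivered":
            return size
        if icmp_seen:
            size = hop_mtu          # shrink to what the bottleneck allows
        # else: retransmit the same size; it fails the same way
    return None


def clamp_mss(path: List[Hop]) -> int:
    """MSS clamping: make segments fit the narrowest hop without relying
    on ICMP at all (MTU minus IPv4 and TCP headers)."""
    return min(h.mtu for h in path) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    path = [Hop("lan", 1500), Hop("dsl-pppoe", 1492), Hop("isp-core", 1500)]
    echo_only = Firewall(dropped={ICMP_ECHO_REQUEST})
    all_icmp = Firewall(dropped=None)
    print("block echo only :", pmtud_transfer(path, echo_only, 1460))
    print("block all ICMP  :", pmtud_transfer(path, all_icmp, 1460))
    print("all ICMP + clamp:", pmtud_transfer(path, all_icmp, clamp_mss(path)))
```

With only echo request dropped, the sender learns the 1492-byte bottleneck from the returned ICMP and the transfer proceeds; with all ICMP dropped, the same transfer black-holes, and only clamping the MSS to 1452 rescues it. That is the reason the post limits the block to type 8.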
by idlemind
Mon Feb 11, 2019 8:18 pm
Forum: General
Topic: Trying to configure new VPN
Replies: 2
Views: 361

Re: Trying to configure new VPN

L2TP/IPSEC gets you native clients for Windows, Mac, Linux, iOS and Android.

IKEv2 gets you native clients in all of the above except Android. Android has apps for IKEv2 (StrongSwan). (This may have changed but as of v7 on Android it still doesn't)

IKEv2 would be my preferred solution.
by idlemind
Mon Feb 11, 2019 8:15 pm
Forum: General
Topic: DHCP Client brige l2tp tunnel [SOLVED]
Replies: 12
Views: 1203

Re: DHCP Client brige l2tp tunnel [SOLVED]

That works if everything is in the same place. I assumed we had 2 separate Internet connections in play. Is this not the case?
by idlemind
Sun Feb 10, 2019 4:21 pm
Forum: General
Topic: ip phone and/or audio headset attached to Mikrotik
Replies: 6
Views: 789

Re: ip phone and/or audio headset attached to Mikrotik

I was thinking a traditional VoIP phone with a headset too. The only downside is needing a server to drive the VoIP. That said for a single phone you could bolt something onto an existing server or even a Raspberry Pi like device. If memory serves me correctly Axis makes an IP camera that has both h...
by idlemind
Sun Feb 10, 2019 4:14 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1443

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

You can't bond disparate WAN or L3 links. If the provider accepted 1 IP then yes. Additionally there is no way to map tunnels on one end to a single tunnel on the far end.
by idlemind
Sat Feb 09, 2019 7:27 pm
Forum: General
Topic: VPN PPTP ANDROID
Replies: 4
Views: 3193

Re: VPN PPTP ANDROID

PPTP is insecure. STOP USING IT!
by idlemind
Sat Feb 09, 2019 7:19 pm
Forum: General
Topic: DHCP Client brige l2tp tunnel [SOLVED]
Replies: 12
Views: 1203

Re: DHCP Client brige l2tp tunnel [SOLVED]

Use EoIP to bridge layer 2 cleanly between both locations. If the EoIP by hostname wrapped in IPSEC proves unreliable, I've used L2TP in a road warrior fashion and run EoIP inside of the L2TP. If you wrap the L2TP in IPSEC then just plain EoIP is fine underneath. Alternatively you can use BCP to do t...
by idlemind
Sat Feb 02, 2019 5:43 pm
Forum: General
Topic: IPSec "route based" S2S VPN with Azure
Replies: 2
Views: 451

Re: IPSec "route based" S2S VPN with Azure

If memory serves me correctly you need to actually build a tunnel interface (ipip I think) for the route based tunnel. If policy rules are working you're likely falling back to a previously configured policy-based VPN with Azure.
by idlemind
Tue Jan 29, 2019 4:21 am
Forum: General
Topic: Two IPSec tunnels with same peer
Replies: 1
Views: 282

Re: Two IPSec tunnels with same peer

You could use two routed tunnels like GRE with different tunnel keys and wrap the traffic for both in IPSEC. A single IPSEC policy would be fine to secure both tunnels. Probably have to manually do the encryption settings though.
by idlemind
Sat Jan 26, 2019 4:36 pm
Forum: General
Topic: IKEv2 IPsec VPN and IPv6
Replies: 5
Views: 679

Re: IKEv2 IPsec VPN and IPv6

Hello, I successfully operate GRE6 tunnels (i.e. tunnels between two public IPv6 addresses, Mikrotik router on both sides) secured with IPsec. That means IPsec between two IPv6 hosts is possible. Regards. Hi, Thanks for the input. That's good to know. But in my case it would be connections made FRO...
by idlemind
Mon Jan 14, 2019 12:07 am
Forum: General
Topic: understanding and fixing MTU/MSS/PMTU with IPsec
Replies: 8
Views: 1429

Re: understanding and fixing MTU/MSS/PMTU with IPsec

You have two points of concern actually: traffic inside of the VPN and traffic outside of the tunnel. You'll want to make sure you are allowing the ICMP too big and fragmentation needed messages on input and forward (outside of tunnel and inside of tunnel). MSS clamping is technically not required if...
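The MTU arithmetic behind this thread, the earlier "MTU mismatch" post and the MSS clamping posts is the same calculation applied to different encapsulations. The following is an added example, not code from any of the posts: a calculator for the per-tunnel overhead of PPPoE, GRE, EoIP and tunnel-mode ESP, the largest inner packet that still fits a given path MTU, and the TCP MSS to clamp to. The PPPoE, GRE and EoIP figures are the standard header sizes (MikroTik's default GRE and EoIP MTUs of 1476 and 1458 follow from them); the ESP figures assume AES-CBC with a 16-byte IV and a 12-byte HMAC-SHA1-96 ICV unless other sizes are passed in, and the path MTUs in the usage are constructed.

```python
"""Tunnel overhead, inner MTU and TCP MSS calculator.

Added example, not code from the forum thread. Default ESP parameters
(16-byte block/IV, 12-byte ICV) are an assumption; pass your own.
"""
IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20
ETH_HDR = 14
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol id
GRE_HDR = 4             # base GRE header
GRE_KEY = 4             # optional key field (EoIP always carries it)
UDP_HDR = 8             # NAT-T encapsulation
ESP_HDR = 8             # SPI + sequence number


def pppoe_mtu(link_mtu: int = 1500) -> int:
    """Largest IP packet inside PPPoE on an Ethernet link: 1492 by default."""
    return link_mtu - PPPOE_OVERHEAD


def gre_mtu(outer_mtu: int = 1500, outer_family: int = 4, keyed: bool = False) -> int:
    """Largest inner packet for a GRE tunnel: 1476 over IPv4 without a key."""
    outer = IPV4_HDR if outer_family == 4 else IPV6_HDR
    return outer_mtu - outer - GRE_HDR - (GRE_KEY if keyed else 0)


def eoip_mtu(outer_mtu: int = 1500) -> int:
    """EoIP is keyed GRE carrying an Ethernet frame: 20 + 8 + 14 = 42 bytes."""
    return outer_mtu - IPV4_HDR - GRE_HDR - GRE_KEY - ETH_HDR


def esp_packet_len(inner_len: int, block: int = 16, iv: int = 16, icv: int = 12,
                   nat_t: bool = False, outer_family: int = 4) -> int:
    """Total outer size of a tunnel-mode ESP packet carrying inner_len bytes.
    The ESP trailer (pad length + next header) is padded to the cipher
    block size, which is why the overhead is not a single constant."""
    body = inner_len + 2
    pad = (-body) % block
    outer = IPV4_HDR if outer_family == 4 else IPV6_HDR
    return outer + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + body + pad + icv


def esp_inner_mtu(path_mtu: int = 1500, **esp_params) -> int:
    """Largest inner packet whose ESP encapsulation still fits path_mtu."""
    inner = path_mtu
    while esp_packet_len(inner, **esp_params) > path_mtu:
        inner -= 1
    return inner


def gre_over_ipsec_mtu(path_mtu: int = 1500, **esp_params) -> int:
    """Inner MTU for a GRE tunnel whose packets are then wrapped in ESP,
    the layout the 'two IPsec tunnels with same peer' post suggests."""
    return esp_inner_mtu(path_mtu, **esp_params) - IPV4_HDR - GRE_HDR


def tcp_mss(mtu: int, family: int = 4) -> int:
    """MSS that fits an MTU: subtract the IP and TCP headers."""
    return mtu - (IPV4_HDR if family == 4 else IPV6_HDR) - TCP_HDR


def recommended_clamp(path_mtus, family: int = 4) -> int:
    """MSS to clamp to so segments fit the narrowest hop of a path."""
    return tcp_mss(min(path_mtus), family)


if __name__ == "__main__":
    print("PPPoE MTU / MSS      :", pppoe_mtu(), tcp_mss(pppoe_mtu()))
    print("GRE MTU / EoIP MTU   :", gre_mtu(), eoip_mtu())
    print("ESP inner MTU        :", esp_inner_mtu(1500))
    print("ESP inner MTU (NAT-T):", esp_inner_mtu(1500, nat_t=True))
    print("GRE-over-IPsec MSS   :", tcp_mss(gre_over_ipsec_mtu(1500)))
    # constructed path: LAN, a 1492-byte DSL hop, ISP core
    print("clamp for DSL path   :", recommended_clamp([1500, 1492, 1500]))
```

For the DSL case in the MSS clamping thread the numbers come out as the posts describe: 1492 on the PPPoE-facing interface and an MSS of 1452 (1432 for IPv6). For GRE inside ESP with the default cipher assumptions the inner MTU drops to 1414 and the MSS to 1374, and adding NAT-T takes another 16 bytes off, which is why a tunnel MTU copied from a non-NAT-T setup can start dropping large packets after a NAT appears in the path.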
by idlemind
Sun Jan 13, 2019 2:15 am
Forum: General
Topic: redundancy help
Replies: 1
Views: 390

Re: redundancy help

Without more details it's hard to give a more in depth recommendation other than if possible I prefer a dynamic protocol to solve these problems. Static routes are not ideal even with different costs and scripts. A dynamic protocol will only load balance when the routes are equal cost so keep that i...
by idlemind
Sun Jan 13, 2019 12:20 am
Forum: General
Topic: OpenVPN listen on IPv6
Replies: 4
Views: 362

Re: OpenVPN listen on IPv6

Thank you for your quick response! Do you have any idea why? I would have guessed it does not matter over which protocol the package was delivered. A logical person would assume that. MikroTik has not publicly explained why their product is incapable of binding to IPv6 addresses for most services ...
by idlemind
Sat Jan 12, 2019 11:44 pm
Forum: General
Topic: OpenVPN listen on IPv6
Replies: 4
Views: 362

Re: OpenVPN listen on IPv6

No, if you want an IPv6 capable device return your MikroTik and purchase a router from a manufacturer capable of delivering feature needs for an IPv6 world.

It's a limitation of RouterOS and they've said it likely will not change until the mythical v7.
by idlemind
Fri Jan 11, 2019 6:37 pm
Forum: General
Topic: Failover
Replies: 1
Views: 220

Re: Failover

It's a best practice as an ISP to not allow traffic to ingress its side of the interface with an IP that shouldn't be there. In other words you "shouldn't" be able to send egress traffic out the second ADSL link with the source IP of the first ADSL link. This is described in BCP38. You may be able ...
by idlemind
Sat Jan 05, 2019 1:22 am
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 949

Re: Passive FTP to outside FTP Server

I am a 3rd party software supplier trying to exchange data - I do not have access to create a new VM. The command: ip firewall nat <numbers> set log=yes Would I apply this to the following rules? ; add action=masquerade chain=srcnat out-interface=ether1-FUSION-WAN add action=accept chain=input comm...