Community discussions

Search found 1101 matches

by idlemind
Wed Jul 10, 2019 3:23 pm
Forum: General
Topic: EoIP over Internet
Replies: 2
Views: 250

Re: EoIP over Internet

Do you have global unicast IPs on the 4G interfaces or are they carrier grade NAT addresses? You'll need a public IP on at least 1 side of the equation and even then you'll have to use something capable of traversing NAT first.
by idlemind
Wed Jul 10, 2019 7:50 am
Forum: General
Topic: IPv6 DHCP Server Not Leasing IP
Replies: 11
Views: 4988

Re: IPv6 DHCP Server Not Leasing IP

Hi all, I've got the same issue. Nothing works, the IPv6 clients get no IPv6 address or prefix from the FTTH modem. DHCPv6 server didn't work ... I spent a lot of time on this issue and I'm nearly ready to throw the Mikrotik onto the rubbish or I will drive over it with my car ... It is really frustrati...
by idlemind
Wed Jul 10, 2019 6:17 am
Forum: General
Topic: What VPN tech with dynamic routing behind NAT?
Replies: 3
Views: 316

Re: What VPN tech with dynamic routing behind NAT?

You can use L2TP/IPSEC behind a NAT with little problems and leverage PPP for authentication and telling multiple clients apart. You can leverage either BGP or OSPF with static neighbors over that directly. If you really just want to use a dynamic routing protocol that does not require static neighb...
by idlemind
Wed Jul 10, 2019 6:09 am
Forum: General
Topic: MTU mismatch / confusion mixed network
Replies: 3
Views: 462

Re: MTU mismatch / confusion mixed network

So, w/PPPoE like other tunneling protocols we have to be aware of MTU along the path. We also have to think about how systems handle dissimilar MTU along the path of a packet. To handle the issue around MTU along the path it's a fairly simple equation. With the default of 1480 for both in the PPPoE ...
by idlemind
Wed Jun 05, 2019 2:58 am
Forum: General
Topic: IPv6 transition mechanism
Replies: 71
Views: 5641

Re: IPv6 transition mechanism

Happy Eyeballs sorts out this problem in a matter of 150 ms, not 5 seconds; the problem is probably a failure in the ISP or content provider. It is the same as when you have IPv4 only and something fails; we need to realize that technical problems can be the same in IPv4 as in IPv6! Happy Eyeballs doe...
by idlemind
Wed Jun 05, 2019 1:34 am
Forum: General
Topic: Mikrotik icmp traffic from itself?
Replies: 3
Views: 284

Re: Mikrotik icmp traffic from itself?

Yes, the MikroTik is originating the reply from the IP based on routing so I assume your IP of 10.175.0.76 is either an IP meant for management and the router doesn't have a more preferred path on the Internet routing side or you're using RFC1918 IPs internally to route traffic to customers. If your...
by idlemind
Wed Jun 05, 2019 1:22 am
Forum: General
Topic: Full mesh VPN between 3 or more Mikrotik routers
Replies: 10
Views: 620

Re: Full mesh VPN between 3 or more Mikrotik routers

Sounds like a great place to use a routing protocol. Sadly no DMVPN in MikroTik land. I'd still likely opt to go with GRE so I could run a dynamic protocol across it. With a true mesh (all routers with links to all other routers) that will get unwieldy quick so an automation tool would be very helpf...
by idlemind
Fri Apr 26, 2019 5:27 pm
Forum: General
Topic: EoIP and VLANs advantages/
Replies: 2
Views: 295

Re: EoIP and VLANs advantages/

The best thing you can do is design your network and applications in a way that doesn't require L2 extensions. I understand this is not always a reality but you really don't want to spread your L2 failure domain. If the thought is to use EoIP to place the same IPs in 2 DCs that's the worst scenario....
by idlemind
Fri Apr 26, 2019 5:19 pm
Forum: General
Topic: IPv6 deployment on individual /64
Replies: 3
Views: 310

Re: IPv6 deployment on individual /64

Yup, the recommendation is to allow up to a /56 to be requested via DHCPv6-PD. The absolute smallest I'd go is a /60 for residential. It gives the customer the ability to provide a normal LAN, a guest network and VPN without compatibility breaking small subnets.
by idlemind
Thu Apr 25, 2019 9:29 am
Forum: General
Topic: IPv6 dhcp server lease script
Replies: 1
Views: 181

Re: IPv6 dhcp server lease script

We currently are using IPv4 for our customers and are about to convert to IPv6. We are using the lease script in the IPv4 dhcp server to report the ip address a customer pulls to Sonar. We need to do the same thing when we go to IPv6. When I look at the IPv6 dhcp server I don't see the lease script...
by idlemind
Thu Apr 25, 2019 9:24 am
Forum: General
Topic: Trying to Understand MSS Clamping - Not Working? [SOLVED]
Replies: 9
Views: 673

Re: Trying to Understand MSS Clamping - Not Working? [SOLVED]

Yes I did the ping tests with DF. Also switching to the cable modem had no effect. But yes, it is possible that some websites have broken path MTU discovery. The issue was very noticeable with some SSL/TLS services, but when I found a HTTP server doing it too, I knew something else was going on. Th...
by idlemind
Tue Apr 23, 2019 11:00 pm
Forum: General
Topic: Make device discoverable on second subnet
Replies: 2
Views: 291

Re: Make device discoverable on second subnet

Most "discovery" operations require layer 2 adjacency. A different IP subnet creates separation at layer 3. An example "discovery" mechanism is Bonjour which is bound at layer 2 or link-local. There are technology solutions that enable you to "stretch" (read: bridge) the Bonjour traffic across layer ...
by idlemind
Tue Apr 23, 2019 10:48 pm
Forum: General
Topic: Trying to Understand MSS Clamping - Not Working? [SOLVED]
Replies: 9
Views: 673

Re: Trying to Understand MSS Clamping - Not Working? [SOLVED]

You mention DSL for Internet. Here in the states I still see the majority of them putting the MTU drop for PPP towards the customer. If that's the case you will want to set the interface MTU facing the DSL provider to 1492. This is fairly easy to test. Just turn off the VPN to go directly out to th...
by idlemind
Sun Apr 21, 2019 4:28 pm
Forum: General
Topic: Trying to Understand MSS Clamping - Not Working? [SOLVED]
Replies: 9
Views: 673

Re: Trying to Understand MSS Clamping - Not Working? [SOLVED]

You mention DSL for Internet. Here in the states I still see the majority of them putting the MTU drop for PPP towards the customer. If that's the case you will want to set the interface MTU facing the DSL provider to 1492. This is fairly easy to test. Just turn off the VPN to go directly out to the...
by idlemind
Sat Apr 06, 2019 6:10 pm
Forum: General
Topic: Help: IPv4 NAT - some https websites won't load
Replies: 4
Views: 1035

Re: Help: IPv4 NAT - some https websites won't load

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP. I second this. Although TCP MSS clamping isn't strictly required if MTU and path MTU discovery (largely an ICMP process) is fu...
by idlemind
Wed Mar 27, 2019 11:37 pm
Forum: General
Topic: EOIP when Behind another Router - A No Go?
Replies: 6
Views: 435

Re: EOIP when Behind another Router - A No Go?

EoIP is only required if you require L2 adjacency between endpoints. This is typically expressed as stretching a L2 network between two different L3 locations. If you do not need to stretch L2 then do not. If you need site to site connectivity with NAT traversal but not L2 stretching you can accompli...
by idlemind
Sun Mar 24, 2019 11:50 pm
Forum: General
Topic: 4in6 - RFC 2473 support? (IPv4 traffic over an IPv6 tunnel) [SOLVED]
Replies: 5
Views: 567

Re: 4in6 - RFC 2473 support? (IPv4 traffic over an IPv6 tunnel) [SOLVED]

Alternatively you can use a GRE tunnel. It is capable of being encrypted, handles IPv4 and IPv6 traffic as outer or inner protocols and supports multicast for easy use of traditional IGPs for route handling.
by idlemind
Mon Mar 18, 2019 5:39 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71366

Re: v6.45beta [testing] is released!

IKE2 rfc states the use of RSA. What would be the client devices that support EC? Why exactly you need this? RFC 4754 https://tools.ietf.org/html/rfc4754 Not finalized but per usual MikroTik is behind almost all other vendors in supporting valid technology. Of course we still can't ping IPv6 only h...
by idlemind
Sun Mar 17, 2019 10:25 pm
Forum: General
Topic: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]
Replies: 11
Views: 803

Re: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]

If the ISP uses SLAAC on the point to point link between you and them then there is a setting that allows the router to get an address that way. I believe it is global though. Makes your device behave like a client as in IPv6 those are the devices that should react to other routers' RAs. They "should...
by idlemind
Fri Mar 15, 2019 2:34 pm
Forum: Beginner Basics
Topic: NAT - Round Robin srcnat
Replies: 5
Views: 854

Re: NAT - Round Robin srcnat

Again assuming the address range doesn't work you could use connection marking to cycle through similar 1:1 NAT rules like you would otherwise do when load balancing an ISP connection.
by idlemind
Sat Mar 02, 2019 9:01 pm
Forum: General
Topic: help for sxt lte VPN from android cliet
Replies: 5
Views: 500

Re: help for sxt lte VPN from android cliet

Yes the wiki has extensive documentation on the topic. Using L2TP/IPSEC for remote access or "road warrior" as the wiki calls it is nice because all major OS versions support it built-in right now. Technically I prefer IKEv2 but Android doesn't have native support for it yet. All other platforms do.
by idlemind
Thu Feb 28, 2019 1:43 am
Forum: General
Topic: Multiple IPsec clients from same public IP [SOLVED]
Replies: 3
Views: 595

Re: Multiple IPsec clients from same public IP [SOLVED]

Glad to hear!
by idlemind
Tue Feb 26, 2019 5:29 am
Forum: General
Topic: SOLVED Printer for 2 subnets
Replies: 6
Views: 666

Re: Printer for 2 subnets

Use policy routing on the MikroTik. Anything sourced by the printer destined to the wireless subnet is sent to the .249 IP.

https://wiki.mikrotik.com/wiki/Policy_Base_Routing
by idlemind
Tue Feb 26, 2019 4:24 am
Forum: General
Topic: Multiple IPsec clients from same public IP [SOLVED]
Replies: 3
Views: 595

Re: Multiple IPsec clients from same public IP [SOLVED]

Hi All, I am sure this may have been asked before, however I don't seem to be able to find anyone trying to achieve exactly what I am trying to do. I have 3 Mikrotik's as follows 1 X CHR Router hosted in the cloud with a public IP address eg 1.1.1.1 2 X Mips devices these will be used as clients be...
by idlemind
Tue Feb 26, 2019 3:57 am
Forum: General
Topic: IPv6 routing with several interfaces [SOLVED]
Replies: 3
Views: 801

Re: IPv6 routing with several interfaces [SOLVED]

Basically if you want to use IPv6 don't buy MikroTik. They've done little more than maintain their initial very basic set of features targeted mostly at service providers over the last several years. The comments from MikroTik seen on here make it seem that they think they can wait for an unannoun...
by idlemind
Sun Feb 24, 2019 10:10 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 734

Re: Advanced VLAN setup HAP AC RouterOS

As of 6.41+ this advice is irrelevant and dated. Please use the bridge with automatic hardware offload. If you read his link in depth you'll see MikroTik suggest the same thing. The software in the device will toggle the hardware features on and off as needed or as is capable for your device. This ...
by idlemind
Sat Feb 23, 2019 10:57 pm
Forum: General
Topic: Loop-protect packets (0x9003) drop by Centos [SOLVED]
Replies: 2
Views: 335

Re: Loop-protect packets (0x9003) drop by Centos [SOLVED]

Working as expected (tm).

https://access.redhat.com/solutions/657483

Likely the unknown protocol is triggering the behavior.
by idlemind
Sat Feb 23, 2019 10:49 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 734

Re: Advanced VLAN setup HAP AC RouterOS

SFP being part of bridge/vlans but not part of the switch will be problematic, I think. Is reducing the number of ports an option? So it would be better to do it this way? Eth1: Vlan 1, 2, 3, 4, 5 Tagged Eth2: Vlan1 - Untagged Vlan 2, 3, 4, 5 Tagged Eth3: Vlan1 - Untagged Vlan 3, 4, 5 Tagged Eth4: ...
by idlemind
Sat Feb 23, 2019 10:13 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 734

Re: Advanced VLAN setup HAP AC RouterOS

Might be challenging for bridging. Further, your Tik might be a bit too short for the routing duties: it's only a single core, but MT rates it at 950mbps with full frames so might just work. But you'll need to use switch vlan filtering functionality, not the one of bridge. Examples are here https:/...
by idlemind
Sat Feb 23, 2019 1:37 am
Forum: General
Topic: Cambium L2GRE with Mikrotik Problem
Replies: 5
Views: 688

Re: Cambium L2GRE with Mikrotik Problem

What he is saying is L2GRE and EoIP are not necessarily compatible tunnel types. God knows what L2GRE means from an implementation perspective. While EoIP is based on GRE and it encapsulates Ethernet it isn't a standard. Unless you've verified that the tech is compatible you're barking up the wrong ...
by idlemind
Sat Feb 23, 2019 1:29 am
Forum: General
Topic: Cannot access Lan devices over vpn client
Replies: 17
Views: 956

Re: Cannot access Lan devices over vpn client

Because your VPN addresses overlap with the LAN IP addressing you need to enable Proxy-ARP on the LAN bridge.

Alternatively give your VPN clients a different IP range and change the PPP local address. This would be the preferred option. Proxy-ARP comes with some security issues.
by idlemind
Tue Feb 19, 2019 9:01 am
Forum: Forwarding Protocols
Topic: Vlans + VRRP + Multiple Public IP addresses
Replies: 9
Views: 1002

Re: Vlans + VRRP + Multiple Public IP addresses

The up/down method is a bit hacky. You can run VRRP for multiple networks but it seems you're running all of the instances on the same underlying interface. You should run it on the layer 3 interfaces that actually forward the traffic. Likely based on your post this should be the VLAN interfaces wit...
by idlemind
Mon Feb 18, 2019 3:30 am
Forum: General
Topic: Routing L2TP/IPSEC
Replies: 4
Views: 458

Re: Routing L2TP/IPSEC

Hi, thank you. I will give the IP forward a try; the gateway rules I already added without success. Sent from iPhone with Tapatalk The PPP portion of a L2TP/IPSEC VPN allows you to add routes dynamically on the server side (head end) when it is connected. This paired with a default route injected...
by idlemind
Mon Feb 18, 2019 3:25 am
Forum: General
Topic: Using L2TP/Ipsec vpn using same subnet as lan?
Replies: 1
Views: 414

Re: Using L2TP/Ipsec vpn using same subnet as lan?

Yes you can use proxy ARP for that but it's not true layer 2 adjacency. If your camera solution requires that you'll want to look at BCP or PPP based bridging to see if that works on your phone. Otherwise find a camera system that works under normal IP routing scenarios. Proxy ARP is a crutch, has s...
by idlemind
Tue Feb 12, 2019 2:29 am
Forum: General
Topic: block ping just to puplick ip
Replies: 1
Views: 284

Re: block ping just to puplick ip

For ping or ICMP echo request and reply the input chain is for the WAN interface in this case and the forward chain for the servers behind it (likely).

Please only block ICMP echo request. The other types can be crucial for behaviors like path MTU discovery.
by idlemind
Mon Feb 11, 2019 8:18 pm
Forum: General
Topic: Trying to configure new VPN
Replies: 2
Views: 404

Re: Trying to configure new VPN

L2TP/IPSEC gets you native clients for Windows, Mac, Linux, iOS and Android.

IKEv2 gets you native clients in all of the above except Android. Android has apps for IKEv2 (StrongSwan). (This may have changed but as of v7 on Android it still doesn't)

IKEv2 would be my preferred solution.
by idlemind
Mon Feb 11, 2019 8:15 pm
Forum: General
Topic: DHCP Client brige l2tp tunnel [SOLVED]
Replies: 12
Views: 1384

Re: DHCP Client brige l2tp tunnel [SOLVED]

That works if everything is in the same place. I assumed we had 2 separate Internet connections in play. Is this not the case?
by idlemind
Sun Feb 10, 2019 4:21 pm
Forum: General
Topic: ip phone and/or audio headset attached to Mikrotik
Replies: 6
Views: 874

Re: ip phone and/or audio headset attached to Mikrotik

I was thinking a traditional VoIP phone with a headset too. The only downside is needing a server to drive the VoIP. That said for a single phone you could bolt something onto an existing server or even a Raspberry Pi like device. If memory serves me correctly Axis makes an IP camera that has both h...
by idlemind
Sun Feb 10, 2019 4:14 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1718

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

You can't bond disparate WAN or L3 links. If the provider accepted 1 IP then yes. Additionally there is no way to map tunnels on one end to a single tunnel on the far end.
by idlemind
Sat Feb 09, 2019 7:27 pm
Forum: General
Topic: VPN PPTP ANDROID
Replies: 4
Views: 3591

Re: VPN PPTP ANDROID

PPTP is insecure STOP USING IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
by idlemind
Sat Feb 09, 2019 7:19 pm
Forum: General
Topic: DHCP Client brige l2tp tunnel [SOLVED]
Replies: 12
Views: 1384

Re: DHCP Client brige l2tp tunnel [SOLVED]

Use EoIP to bridge layer 2 cleanly between both locations. If the EoIP by hostname wrapped in IPSEC proves unreliable I've used L2TP in a road warrior fashion and ran EoIP inside of the L2TP. If you wrap the L2TP in IPSEC then just plain EoIP is fine underneath. Alternatively you can use BCP to do t...
by idlemind
Sat Feb 02, 2019 5:43 pm
Forum: General
Topic: IPSec "route based" S2S VPN with Azure
Replies: 2
Views: 591

Re: IPSec "route based" S2S VPN with Azure

If memory serves me correctly you need to actually build a tunnel interface (ipip I think) for the route based tunnel. If policy rules are working you're likely falling back to a previously configured policy based VPN with Azure.
by idlemind
Tue Jan 29, 2019 4:21 am
Forum: General
Topic: Two IPSec tunnels with same peer
Replies: 1
Views: 348

Re: Two IPSec tunnels with same peer

You could use two routed tunnels like GRE with different tunnel keys and wrap the traffic for both in IPSEC. A single IPSEC policy would be fine to secure both tunnels. Probably have to manually do the encryption settings though.
by idlemind
Sat Jan 26, 2019 4:36 pm
Forum: General
Topic: IKEv2 IPsec VPN and IPv6
Replies: 5
Views: 854

Re: IKEv2 IPsec VPN and IPv6

Hello, I successfully operate GRE6 tunnels (i.e. tunnels between two public IPv6 addresses, Mikrotik router on both sides) secured with IPsec. That means IPsec between two IPv6 hosts is possible. Regards. Hi, Thanks for the input. That's good to know. But in my case it would be connections made FRO...
by idlemind
Mon Jan 14, 2019 12:07 am
Forum: General
Topic: understanding and fixing MTU/MSS/PMTU with IPsec
Replies: 13
Views: 3086

Re: understanding and fixing MTU/MSS/PMTU with IPsec

You have two points of concern actually. Traffic inside of the VPN and traffic outside of the tunnel. You'll want to make sure you are allowing the ICMP too big and fragmentation needed messages on input and forward (outside of tunnel and inside of tunnel). MSS clamping is technically not required i...
by idlemind
Sun Jan 13, 2019 2:15 am
Forum: General
Topic: redundancy help
Replies: 1
Views: 431

Re: redundancy help

Without more details it's hard to give a more in depth recommendation other than if possible I prefer a dynamic protocol to solve these problems. Static routes are not ideal even with different costs and scripts. A dynamic protocol will only load balance when the routes are equal cost so keep that i...
by idlemind
Sun Jan 13, 2019 12:20 am
Forum: General
Topic: OpenVPN listen on IPv6
Replies: 4
Views: 419

Re: OpenVPN listen on IPv6

Thank you for your quick response! Do you have any idea why? I would have guessed it does not matter over which protocol the package was delivered. A logical person would assume that. MikroTik has not publicly explained why their product is incapable of binding to IPv6 addresses for most services ...
by idlemind
Sat Jan 12, 2019 11:44 pm
Forum: General
Topic: OpenVPN listen on IPv6
Replies: 4
Views: 419

Re: OpenVPN listen on IPv6

No, if you want an IPv6 capable device return your MikroTik and purchase a router from a manufacturer capable of delivering feature needs for an IPv6 world.

It's a limitation of RouterOS and they've said it likely will not change until the mythical v7.
by idlemind
Fri Jan 11, 2019 6:37 pm
Forum: General
Topic: Failover
Replies: 1
Views: 255

Re: Failover

It's a best practice as an ISP to not allow traffic to ingress its side of the interface with an IP that shouldn't be there. In other words you "shouldn't" be able to send egress traffic out the second ADSL link with the source IP of the first ADSL link. This is described in BCP38. You may be able ...
by idlemind
Sat Jan 05, 2019 1:22 am
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 1131

Re: Passive FTP to outside FTP Server

I am a 3rd party software supplier trying to exchange data - I do not have access to create a new VM. The command: ip firewall nat <numbers> set log=yes Would I apply this to the following rules? ; add action=masquerade chain=srcnat out-interface=ether1-FUSION-WAN add action=accept chain=input comm...
by idlemind
Sat Jan 05, 2019 12:38 am
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 1131

Re: Passive FTP to outside FTP Server

On a windows box the -A is the auto anonymous log in. In this thread you will see I tried to establish a ftp connection on port 28834 This was received at the firewall where the ftp server is located so the port can get through the MT The problem is, I believe, how the MT is handling related and es...
by idlemind
Sat Jan 05, 2019 12:13 am
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 1131

Re: Passive FTP to outside FTP Server

What OS is the client machine? Is there any chance it is manipulating the outbound request (or denying it)? It is possible to log a firewall rule; this can be difficult to do on something like a global PAT (masquerade) rule though. You may want to place a masquerade rule above that one for traffic de...
by idlemind
Fri Jan 04, 2019 11:26 pm
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 1131

Re: Passive FTP to outside FTP Server

Thanks for the suggestion. (Not sure what the -p option on ftp is ?) I tried from home: ftp -A speedtest.tele2.net and was able to run a dir command successfully I then tried from the site with the MT: ftp -A speedtest.tele2.net Connected to speedtest.tele2.net. 220 (vsFTPd 2.3.5) 331 Please specif...
by idlemind
Fri Jan 04, 2019 7:16 pm
Forum: General
Topic: EoIP MTU for pppoe server tunnel
Replies: 15
Views: 2300

Re: EoIP MTU for pppoe server tunnel

Sorry for the delay on this amt. The max MTU of different product lines is different. For most products you can go to 2026 or 2028. CCR1036 at 10226 RB750P-PBr2 (PowerBox) at 2028 SXT at least 2028 The wireless side should be adjustable up to 65536 regardless of hardware (someone can correct me ther...
by idlemind
Fri Jan 04, 2019 6:41 pm
Forum: General
Topic: PPTP server problem
Replies: 7
Views: 720

Re: PPTP server problem

I can't stress this enough. PPTP is not a secure protocol. You really shouldn't be using it. IKEv2 would be the best option going forward for a remote access VPN. A quick search of the Googles ... https://jcutrer.com/howto/networking/mikrotik/ios-ikev2-vpn-mikrotik Notes: https://libreswan.org/wiki/...
by idlemind
Fri Jan 04, 2019 6:29 pm
Forum: General
Topic: Neighbor Clarification
Replies: 2
Views: 404

Re: Neighbor Clarification

The neighbor functionality uses MNDP, LLDP and CDP at L2 for discovery. If the MikroTik device is connected to the same L2 segment as, say, Ubiquiti APs it should still be seeing them through the Nexus 3k. It's possible the Nexus has disabled CDP, LLDP or both on the interface facing the MikroTik. Th...
by idlemind
Fri Jan 04, 2019 6:17 pm
Forum: General
Topic: Bridging two VLANS on same Interface
Replies: 4
Views: 520

Re: Bridging two VLANS on same Interface

If you want all of your sites to be able to communicate without being hair-pinned through a router at one site you need to purchase a WAN product that will facilitate that type of communication. This could be a traditional L3 MPLS with BGP or a L2 VPLS. Even "bridging" the 2 VLANs together and enabl...
by idlemind
Fri Jan 04, 2019 6:08 pm
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 1131

Re: Passive FTP to outside FTP Server

Have you tried a public FTP server that supports passive connections to rule out misconfiguration on the server side? A Linux based system makes testing passive connections easy enough (Username is anonymous): ftp -p speedtest.tele2.net Also, this FTP session doesn't involve TLS does it? If so, it's...
by idlemind
Tue Jan 01, 2019 7:43 pm
Forum: General
Topic: Vlan Routing Problem [SOLVED]
Replies: 18
Views: 1513

Re: Vlan Routing Problem [SOLVED]

Did you set the bridge ports facing VLAN5 correctly after the upgrade? Is VLAN5 defined in the bridge VLAN table? Without an:
/export hide-sensitive
It's going to be slow to troubleshoot. Additionally a diagram helps too (even something simple in MS Paint).
by idlemind
Fri Dec 21, 2018 6:59 am
Forum: General
Topic: IPv6 Ping does not work with domain names
Replies: 42
Views: 23769

Re: IPv6 Ping does not work with domain names

RouterOS 6.43.7 on all devices. I have exactly the same problem with Mikrotik unable to resolve AAAA records from a hostname. My test Mikrotik LtAP device gets CGNAT protected private IPv4 address of 100.64.0.0/18 from the mobile operator. There is no inbound access to that. The same Mikrotik LtAP ...
by idlemind
Thu Nov 15, 2018 7:07 am
Forum: General
Topic: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range
Replies: 6
Views: 654

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

Just DNAT the :443 traffic to a webserver configured to match anything (simple/default Apache configuration). The clients will get a cert warning because it is very likely that your client request will not match the request (unless they directly went to a URI that matches the Apache server name). As...
by idlemind
Thu Nov 15, 2018 6:59 am
Forum: General
Topic: bypassin 1:1 NAT to get Public IP Bridged to local server
Replies: 2
Views: 309

Re: bypassin 1:1 NAT to get Public IP Bridged to local server

I'd have to see a diagram to be certain but proxy ARP and NAT should not be required to place a public IP directly on a device or server. Like your second post, create a bridge, add the interface towards the server and upstream ISP as bridge ports on a VLAN of your choice. Migrate any existing IP ad...
by idlemind
Sun Sep 09, 2018 6:56 pm
Forum: General
Topic: PPPoE MTU problem
Replies: 6
Views: 2070

Re: PPPoE MTU problem

There seems to be a blackhole problem; doing tests with a Windows PC I discovered that the "Timeout" reply appears only in the range of 1453-1472 bytes. If it's greater I get "fragmentation needed", if it is smaller I can ping. Also, I see that the error presents only if the PPPoE Server is configu...
by idlemind
Tue Aug 21, 2018 3:36 pm
Forum: Beginner Basics
Topic: Why speed of Bridge only 100Mb?
Replies: 6
Views: 1888

Re: Why speed of Bridge only 100Mb?

Any update on this? Because I still am seeing bridge as 100Mbps only. Is it bottle-necking my 1G ports?

I doubt you'll see a more official response than my earlier reply. If you need an official MikroTik reply it's more effective to contact support by EMAIL.
by idlemind
Tue Aug 21, 2018 1:30 am
Forum: General
Topic: Local network Video store/playback [SOLVED]
Replies: 3
Views: 580

Re: Local network Video store/playback [SOLVED]

No worries, I have yet to use "hotspot" at all so I was otherwise unaware of that feature. I suppose as long as you use the same IP addressing for all of your hotspots it must be easy enough to point them to the appropriate video.
by idlemind
Sun Aug 19, 2018 4:37 pm
Forum: General
Topic: CRS Egress Tag Removal
Replies: 5
Views: 578

Re: CRS Egress Tag Removal

If you are using the current branch or newer you'll want to use the new(ish) VLAN aware bridge and not configure anything in the Ethernet switch menu. Except that the CRS1XX/2XX actually use a special switch menu and they do not support Bridge VLAN Filtering. We are working with him on this in the ...
by idlemind
Sun Aug 19, 2018 5:06 am
Forum: General
Topic: Passwords for hundreds/thousdands of devices
Replies: 10
Views: 1012

Re: Passwords for hundreds/thousdands of devices

SSH keys ...
by idlemind
Sun Aug 19, 2018 4:05 am
Forum: General
Topic: CRS Egress Tag Removal
Replies: 5
Views: 578

Re: CRS Egress Tag Removal

If you are using the current branch or newer you'll want to use the new(ish) VLAN aware bridge and not configure anything in the Ethernet switch menu.
by idlemind
Sun Aug 19, 2018 3:32 am
Forum: General
Topic: Link Agregation-trunk - Vlan Tagging
Replies: 1
Views: 303

Re: Link Agregation-trunk - Vlan Tagging

Create a bond and add it to a bridge ...
by idlemind
Sat Aug 18, 2018 11:41 pm
Forum: General
Topic: mark as VLAN
Replies: 4
Views: 431

Re: mark as VLAN

interface bridge add name=br1 vlan-filtering=yes
interface bridge vlan add untagged=br1 vlan-ids=1
interface bridge vlan add tagged=br1,ether2 untagged=ether3 vlan-ids=2
interface bridge port add bridge=br1 interface=ether2 pvid=1
interface bridge port add bridge=br1 interface=ether3 pvid=2
interfa...
by idlemind
Sat Aug 18, 2018 8:53 pm
Forum: General
Topic: Local network Video store/playback [SOLVED]
Replies: 3
Views: 580

Re: Local network Video store/playback [SOLVED]

Using anycast addressing (/32 in IPv4 or /128 in IPv6) you can accomplish this. You'll need a server to live at (or use NAT) and host this file. If the built in web server can serve your file you may be able to use that. Alternatives would be the virtual router virtualization feature or attach a sma...
by idlemind
Thu Aug 16, 2018 9:23 pm
Forum: General
Topic: Does RB750Gr3 support full switch chip VLAN?
Replies: 7
Views: 1148

Re: Does RB750Gr3 support full switch chip VLAN?

@pe1chl Can you post a link to where it says it support its on not. Maybe I am blind, but as far as documentation, it is not listed as supported. But I can enter all commands without error. But since I have only one unit and its production, I can not test on it. I just like a clear answer, not a di...
by idlemind
Thu Aug 16, 2018 9:17 pm
Forum: General
Topic: Does RB750Gr3 support full switch chip VLAN?
Replies: 7
Views: 1148

Re: Does RB750Gr3 support full switch chip VLAN?

That method does not support VLANs in hardware on any router, even on those that *do* support it in the classic switch configuration. So it does not matter if you used the new VLAN aware bridge, or the old method of having VLAN subinterfaces on each port and putting them in several bridges (one per...
by idlemind
Thu Aug 16, 2018 5:40 pm
Forum: General
Topic: Does RB750Gr3 support full switch chip VLAN?
Replies: 7
Views: 1148

Re: Does RB750Gr3 support full switch chip VLAN?

Use the new VLAN aware bridging method. It will manage the hardware for you. In the case of the HEX or RB750Gr3 it does not support VLANs in hardware. I typically see about 300 Mbps for inter VLAN routing with no ACL in software on that model though.
by idlemind
Mon Aug 06, 2018 6:14 pm
Forum: General
Topic: Tunnel Public IP
Replies: 2
Views: 364

Re: Tunnel Public IP

Dear Users, I'we got a problem. I have this setup: CHR1 on DC1 with 1 interface and much static public IP CHR2 on DC2 with 2 interface 1 on wan 1 on lan side where i would like to use the IP's I would like to use the DC1 IP addresses on DC2 like layer 2 connect. I read about EoIP and other type of ...
by idlemind
Sun Aug 05, 2018 5:41 pm
Forum: General
Topic: VLANs with "stacked" switches
Replies: 12
Views: 1210

Re: VLANs with "stacked" switches

I imagine you're either running in the per-VLAN based mode or do not have STP correctly running. I haven't actually sniffed a link without an untagged VLAN defined to see if MikroTik hides this fault to keep networks working despite the best effort of their admins. Of course I know what Spa...
by idlemind
Sun Aug 05, 2018 4:43 am
Forum: General
Topic: VLANs with "stacked" switches
Replies: 12
Views: 1210

Re: VLANs with "stacked" switches

I don't know if this is an issue, but if I were doing it, the trunks between routers and switches would have nothing but VLAN tagged traffic - no untagged traffic. That's how I'm doing it at home with my three routers and five switches. It's a best practice to use a non-routable VLAN as the untagge...
by idlemind
Tue Jul 31, 2018 7:00 am
Forum: General
Topic: CRS317 - arp doesn't work
Replies: 3
Views: 457

Re: CRS317 - arp doesn't work

/interface bridge add admin-mac=CC:2D:E0:58:18:E0 auto-mac=no name=br-hardware protocol-mode=none vlan-filtering=yes ... /interface bridge add admin-mac=CC:2D:E0:51:8E:E0 auto-mac=no name=br-hardware protocol-mode=none vlan-filtering=yes Duplicate MAC issues? Try using unique static MAC addresses f...
by idlemind
Mon Jul 30, 2018 10:58 pm
Forum: General
Topic: hAP ac + SFP + 100Mb connection
Replies: 2
Views: 375

Re: hAP ac + SFP + 100Mb connection

Try keeping the link at the default of 1G ... I'd be surprised to see the fiber SFP allow you to actually drop the speed to 100M. The ISP should be providing your 1G via the SFP and using a shaper to push the connection down to 100M.
by idlemind
Mon Jul 30, 2018 8:07 am
Forum: General
Topic: GRE Tunnel Behind with one router behind NAT
Replies: 2
Views: 1143

Re: GRE Tunnel Behind with one router behind NAT

Hello guys. I'm trying to do GRE tunnel between 2 branch office but just one it's behind of NAT, anyone has a tutorial or know to do and can help me? Thanks. Use a NAT aware tunnel, this could be PPTP although that is limited to a single tunnel and weak encryption. You may find SSTP or L2TP/IPSec m...
by idlemind
Mon Jul 30, 2018 8:03 am
Forum: General
Topic: CRS317 - arp doesn't work
Replies: 3
Views: 457

Re: CRS317 - arp doesn't work

I assume the IP address is attached to the VLAN interface? Any ARP related settings? Maybe a full /export hide-sensitive
by idlemind
Sun Jul 29, 2018 5:30 am
Forum: General
Topic: PPTP client loses internet connection
Replies: 2
Views: 718

Re: PPTP client loses internet connection

Hi guys, I have a VPS with static ip and mikrotik installed (v6.42.6). There i have configured a simple VPN server with local pool addresses. This way i can access remotely my personal computers windows 10 RDP and troubleshooting to small networks which i have with mikrotik routerboards. My VPN wor...
by idlemind
Sat Jul 28, 2018 8:20 pm
Forum: General
Topic: How to Isolate an ethernet port to ALLOW a physical loop?
Replies: 3
Views: 473

Re: How to Isolate an ethernet port to ALLOW a physical loop?

A bridge by default will not flood traffic in that manner. The behaviour you're looking for is found in a hub, a layer 1 device. A bridge operates at layer 2 and intentionally learns MAC addresses found on ports and only forwards frames destined for those MAC addresses, broadcasts or a flood when a ...
by idlemind
Fri Jul 27, 2018 7:07 pm
Forum: General
Topic: Bridge VLAN filtering and routing –does this make sense?
Replies: 1
Views: 511

Re: Bridge VLAN filtering and routing –does this make sense?

WARNING: I haven't used a model with multiple underlying switch chips yet. You may want to verify with support on whether you need 2 VLAN filtering enabled bridges or 1 Assuming we can use a single VLAN filtering bridge, I'd create a VLAN for each function. VLAN100 - Internet VLAN200 - Local Client...
by idlemind
Fri Jul 27, 2018 5:15 pm
Forum: General
Topic: EoIP MTU for pppoe server tunnel
Replies: 15
Views: 2300

Re: EoIP MTU for pppoe server tunnel

I will probably need to see a diagram with the MTU noted along the pathing. The biggest item of concern is your statement that the EoIP and wireless are added to the same bridge. Is this happening at CPE? If so, why? No, CPE is customer side and customer side not using eoip or bridge, CPe connectin...
by idlemind
Thu Jul 26, 2018 10:50 pm
Forum: General
Topic: EoIP MTU for pppoe server tunnel
Replies: 15
Views: 2300

Re: EoIP MTU for pppoe server tunnel

I will probably need to see a diagram with the MTU noted along the pathing. The biggest item of concern is your statement that the EoIP and wireless are added to the same bridge. Is this happening at CPE? If so, why?
by idlemind
Wed Jul 25, 2018 7:48 pm
Forum: General
Topic: Firewall help
Replies: 4
Views: 515

Re: Firewall help

Thank you for the response. It would seem I am not as clued up as you are, but this is the information I can provide: Current setup: DSL Router (WAN, Ether1-Gateway) --> Mikrotik (PPPoE Client + Server + DHCP + Userman + RADIUS) --> UBNT Wireless Sector on Ether2 (Access Point, Point to Multipoint....
by idlemind
Wed Jul 25, 2018 5:26 pm
Forum: General
Topic: Unidentified Network Problem
Replies: 7
Views: 935

Re: Unidentified Network Problem

the only thing i did and it helped but affect other thing is i stopped all the dest nat and source nat i left only the main nat that is redirect the clients to the main router
but up to now i could not find the main reason for this problem

Are you able to provide a list of those NAT rules?
by idlemind
Wed Jul 25, 2018 6:09 am
Forum: General
Topic: Unidentified Network Problem
Replies: 7
Views: 935

Re: Unidentified Network Problem

DNS - needs to be valid and capable of resolving correctly. Proxy ARP - remove any usage of it. MTU - make sure your MTU is consistent through your environment. Being a PPPoE service it's possible your external MTU is not 1500 and your internal is. If you haven't accounted for that it could break TL...
by idlemind
Tue Jul 24, 2018 8:03 pm
Forum: General
Topic: Firewall help
Replies: 4
Views: 515

Re: Firewall help

How do the PPPoE negotiation requests traverse the network into the 750UP? If it's a bridge, are you using the IP firewall filter option? Is it listening directly on an interface? It's possible you're blocking the negotiation process and the traffic afterwards is traversing just fine because of the ...
by idlemind
Tue Jul 24, 2018 4:36 pm
Forum: General
Topic: EoIP MTU for pppoe server tunnel
Replies: 15
Views: 2300

Re: EoIP MTU for pppoe server tunnel

MTU Typically, the largest Ethernet frame that can be transmitted without fragmentation is 1500 bytes. PPPoE adds another 6 bytes of overhead and PPP field adds two more bytes, leaving 1492 bytes for IP datagram. Therefore max PPPoE MRU and MTU values must not be larger than 1492. TCP stacks try to...
by idlemind
Sat Jul 14, 2018 9:33 pm
Forum: Forwarding Protocols
Topic: EoMPLS and Bridging
Replies: 1
Views: 745

Re: EoMPLS and Bridging

The bridge itself needs to be tagged as well.

/interface bridge vlan set [ find where vlan-ids=2601 ] tagged=vpn,cisco-eompls untagged=ether2
by idlemind
Sat Jul 07, 2018 4:36 pm
Forum: General
Topic: IPv6: NAT64 and ipip tunnel - how/when?
Replies: 8
Views: 1164

Re: IPv6: NAT64 and ipip tunnel - how/when?

So to say, you can not establish many vpns to ipv6 (ovpn as an example), so little use to deploy ipv6 only in remote office. Yes basically anything outside of the tunnel protocols does not listen on IPv6. It's either because their developers are inept or they simply refuse to setup the service unde...
by idlemind
Fri Jul 06, 2018 6:11 pm
Forum: General
Topic: EOIP Tunnel question
Replies: 13
Views: 1177

Re: EOIP Tunnel question

You don't need EoIP to move the VLANs across a wireless link. You certainly can but it's fairly redundant. Just bridge them. At the end where you have the camera and the unmanaged switch you are definitely in a tough spot. You couldn't definitely put each VLAN untagged towards the unmanaged non VLAN...
by idlemind
Fri Jul 06, 2018 4:28 am
Forum: General
Topic: IPv6: NAT64 and ipip tunnel - how/when?
Replies: 8
Views: 1164

Re: IPv6: NAT64 and ipip tunnel - how/when?

IPIP won't carry or work with v6 it literally means IPv4 in IPv4. I think Cisco supports IP in IPv6 and MikroTik might too but it'd be a separate tunnel type. Right now GRE can be used to use IPv6 as transport and either IPv4, IPv6 or both (dual stack) inside the tunnel. That said, yes MikroTik has ...
by idlemind
Thu Jul 05, 2018 8:20 pm
Forum: General
Topic: Untagged VLAN Access port on hEX
Replies: 7
Views: 2000

Re: Untagged VLAN Access port on hEX

The only caveat to the previous post is you only can have one VLAN untagged at the bridge. So if you untag VLAN10 at the bridge you will want to tag all other VLANs. If you want an access port for VLAN10, you could also do this: /interface bridge vlan add bridge=bridge untagged=bridge vlan-ids=1 /in...
by idlemind
Thu Jul 05, 2018 8:08 pm
Forum: General
Topic: Trunk port and VLAN translation [SOLVED]
Replies: 18
Views: 2842

Re: Trunk port and VLAN translation [SOLVED]

Are the VLANs on the existing switches using unique addressing already? Are you able to add a static route or static routes to the ISP device? I'm sure you've asked this but the ISP device cannot be put into a "bridge" like mode where the public addressing is presented directly to the new MikroTik (...
by idlemind
Wed Jul 04, 2018 5:37 pm
Forum: General
Topic: IPSEC - Remote subnet overlaps local subnet
Replies: 8
Views: 842

Re: IPSEC - Remote subnet overlaps local subnet

Sindy, I agree if there is a big to fix then let's fix it. I'm just saying an alternative is the NAT approach. They can always NAT the small overlapping piece. I'd just NAT the whole thing to unique addressing on both sides to keep it clean. Exempting the traffic I assume means those hosts cannot ta...
by idlemind
Wed Jul 04, 2018 4:29 pm
Forum: General
Topic: IPSEC - Remote subnet overlaps local subnet
Replies: 8
Views: 842

Re: IPSEC - Remote subnet overlaps local subnet

NAT both of the overlapping subnets to something unique. Conditional DNS forwarding can be used to overcome DNS based limitations. I've written a few posts on the subject. It's commonly done for business to business VPNs here in the US to make each partner side look like certain addressing that fits...
by idlemind
Wed Jul 04, 2018 3:44 pm
Forum: General
Topic: ICMP firewall problem
Replies: 2
Views: 614

Re: ICMP firewall problem

The JUMP to your ICMP chain is after an accept for related and established. It's almost certainly getting accepted there. That said, don't block TTL exceeded messages unless you like making troubleshooting harder on yourself. Also you may need to not decrement TTL on all connections to make it "invi...
by idlemind
Sun Jul 01, 2018 4:29 am
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

Unfortunately problem is not resolved yet. I also can not give you any ETA for such fixes. When problem will be resolved, then RouterOS release notes will include such fix description. I guess we keep on waiting, and hoping... Yup, I don't have any plan to use MikroTik equipment in net new projects...
by idlemind
Tue Jun 26, 2018 12:23 am
Forum: General
Topic: Routing
Replies: 16
Views: 1197

Re: Routing

As long as rfc1918 is just used as transport - it will work. ICMP packet's will not work . but traffic in TCP/IP will work. If you use a rfc1918 address as dst inside your net - you need to use nat to have it working. Just to clarify for those following along - ICMP will be forwarded through rfc191...
by idlemind
Tue Jun 26, 2018 12:18 am
Forum: General
Topic: IPSec/L2TP and Network Resources [SOLVED]
Replies: 28
Views: 2792

Re: IPSec/L2TP and Network Resources [SOLVED]

Ok, I have news. If I connect physically to the network, I can see the NAS, but over VPN I can´t. Then, I change the pool of VPN to the same subnet as local network and WORKS, inclusive with Windows firewall enabled. Now I thinking something like the SMB protocol can't be routed between OpenVPN ran...
by idlemind
Tue Jun 26, 2018 12:16 am
Forum: General
Topic: Routing
Replies: 16
Views: 1197

Re: Routing

As long as rfc1918 is just used as transport - it will work. ICMP packet's will not work . but traffic in TCP/IP will work. If you use a rfc1918 address as dst inside your net - you need to use nat to have it working. Just to clarify for those following along - ICMP will be forwarded through rfc191...
by idlemind
Mon Jun 25, 2018 11:43 pm
Forum: General
Topic: Routing
Replies: 16
Views: 1197

Re: Routing

It's a lot of possibilities. :D It's possible to "hack" - just have a regular routing table inside ingress from isp. You have to route your public ip's inside rfc1918 - it's straight forward - but - a hack. :D It's possible to use Eoip - and its a good easy solution. You might suffer from packet loss. A ...
by idlemind
Sun Jun 24, 2018 4:42 pm
Forum: General
Topic: Management VPNs
Replies: 10
Views: 914

Re: Management VPNs

IPv6 is free in AWS I believe. That may be a way to escape the CGNAT. That said I think SSTP is your best solution. Even with IPv6 SSTP or L2TP/IPSEC would be a more flexible and light configuration. If only MikroTik had DMVPN.
by idlemind
Sun Jun 24, 2018 3:58 pm
Forum: General
Topic: IPv6 - Identity Association for Non-temporary Address
Replies: 2
Views: 314

Re: IPv6 - Identity Association for Non-temporary Address

Yes, MikroTik has an increasingly obvious weakness in IPv6.

Their DHCPv6 service is prefix delegation only. MikroTik posters have shown their lack of knowledge by posting replies about SLAAC being the only way to address hosts.
by idlemind
Sun Jun 24, 2018 4:50 am
Forum: General
Topic: Bridge VLAN Filtering
Replies: 22
Views: 7068

Re: Bridge VLAN Filtering

You are missing a tagged port on the CRS, most probably in your setup it is going to be ether8. Add ether8 to bridge VLAN table as a tagged port for VLAN5. Also note that RB3011 is capable of VLAN switching on a hardware level, you can find an example how to set it up here: https://wiki.mikrotik.co...
by idlemind
Sun Jun 24, 2018 4:14 am
Forum: General
Topic: Routing
Replies: 16
Views: 1197

Re: Routing

Hello, I have a question about routing. My router a Mikrotik CCR1009 should route a network to a Mikrotik CRS326 over SFP+. The networks are at port eth1. Located at the CRS are Server these should be get the IP addresses. My problem is i can't bring the Network to the Switch. The normal Static Ro...
by idlemind
Thu Jun 21, 2018 11:07 pm
Forum: General
Topic: IPSec/L2TP and Network Resources [SOLVED]
Replies: 28
Views: 2792

Re: IPSec/L2TP and Network Resources [SOLVED]

You'll have to post an updated config of the MikroTik to further troubleshoot SMB.

Your comment about UniFi, are you running the controller on the VPN client? Is this VPN client meant to be transient and change networks all the time but stay connected via VPN?
by idlemind
Wed Jun 20, 2018 9:19 pm
Forum: General
Topic: IPSec/L2TP and Network Resources [SOLVED]
Replies: 28
Views: 2792

Re: IPSec/L2TP and Network Resources [SOLVED]

I need remote access VPN, not site to site VPN, because I need to access by any network. As you see, I'm using a Mikrotik as server and a PC with OpenVPN software as client. The point of UAP is the less important to me right now. The most important requirement is the SMB access for file sharing. Re...
by idlemind
Wed Jun 20, 2018 8:18 pm
Forum: General
Topic: IPSec/L2TP and Network Resources [SOLVED]
Replies: 28
Views: 2792

Re: IPSec/L2TP and Network Resources [SOLVED]

Just to make sure we're hitting all the right points. The video covers a remote access VPN and your requirements that are not working are: SMB based file access MAC based access to a MikroTik UniFi AP registration with a controller The UniFi AP item is what's throwing me for a loop. Are you really i...
by idlemind
Wed Jun 20, 2018 6:56 pm
Forum: General
Topic: Intel i210 ethernet Driver x86
Replies: 1
Views: 608

Re: Intel i210 ethernet Driver x86

Probably not the answer you're looking for but you can always go the hypervisor route and run your CHR as VMs. They would be a lot more portable during outages and avoid the need for drivers for every product baked into RouterOS. ESXi is free but management can get hard at scale. Alternatively solut...
by idlemind
Tue Jun 05, 2018 8:58 am
Forum: Forwarding Protocols
Topic: Public IP over a tunnel ( SOLVED )
Replies: 34
Views: 7957

Re: Public IP over a tunnel ( SOLVED )

If you search my old posts you'll find some in-depth ones on MTU with screenshot examples of packet captures. TLDR; if your PPPoE connection is 1480 then you'll want your tunnel MTU to be 1480 - the tunnels overhead. Depending on the protocol (IPIP, GRE, IPSec transport vs tunnel) will determine exa...
by idlemind
Tue Apr 24, 2018 10:29 pm
Forum: Forwarding Protocols
Topic: VRRP on bridge interface
Replies: 5
Views: 1614

Re: VRRP on bridge interface

Also, the VRRP addresses in IPv4 should be /32's and /128's for IPv6. If not, the router ends up with 2 interfaces that have the same network defined. The VRRP interface will get it's own link-local address automatically and will be reachable there. Additionally, you can if you want set a global uni...
by idlemind
Fri Apr 13, 2018 9:02 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

Maybe it is connection tracking. That would explain why it also effects unreachable networks. However, it does not really explain why it would be triggered by low volume traffic. Connection tracking should survive moderate traffic. Of course pumping a gigabit of ICMP probes like those friendly prog...
by idlemind
Fri Apr 13, 2018 5:40 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

However, I think it is also possible to cause problems for transit routers which are not directly connected to /64 being attacked. This might be because of memory exhaustion in the IPv6 routing cache… not sure yet. I need to do some more experiments over the weekend with some test lab equipment. In...
by idlemind
Sun Apr 08, 2018 2:21 am
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

So ... Grab a Linux box, put it on your LAN and prepare to LULz to the point of tears. My normal desktop is a Fedora machine plugged into a Meraki L2 switch and then into a MikroTik HEX w6.42rc52. Pick an IPv6 /64 that the HEX has to route locally (another network / VLAN in your environment where it...
by idlemind
Sat Apr 07, 2018 4:50 am
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

https://tools.ietf.org/html/rfc6583#section-6.4

A good read from 6.4 down and definitely should be read, documented and best practice recommendations made by MikroTik staff.
by idlemind
Mon Apr 02, 2018 5:30 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

I wonder if we can poll the ND cache with something like SNMP so it could be automatically monitored or at least dumped effectively for a post-mortem to see how the garbage collection happens to determine if the cache fills with discovery in progress entries and deletes older but valid entries. If t...
by idlemind
Sun Apr 01, 2018 3:28 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

xfrm6_gc_thresh - INTEGER The threshold at which we will start garbage collecting for IPv6 destination cache entries. At twice this value the system will refuse new allocations. ^^ probably a more correct Linux kernel option for what we're looking for the. One I posted earlier is not correct as you ...
by idlemind
Sun Apr 01, 2018 3:27 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

xfrm6_gc_thresh - INTEGER The threshold at which we will start garbage collecting for IPv6 destination cache entries. At twice this value the system will refuse new allocations. ^^ probably a more correct Linux kernel option for what we're looking for the. One I posted earlier is not correct as you ...
by idlemind
Sat Mar 31, 2018 10:38 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

There already is a limit like that. It is not like in the original Cisco IOS where the ND cache simply allocated out of the entire free memory pool and all memory was used (and thus the entire router got into trouble) as a result of such a scan. In RouterOS, like now in the Cisco routers, the size ...
by idlemind
Sat Mar 31, 2018 8:15 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

Seems like MikroTik needs a ND policer like everyone else implemented in 2012 or earlier. Maybe a high severity CVE is needed to get MikroTik's attention to effectively mitigate this. "mikrotik.com has IPv6 address 2a02:610:7501:1000::2" It's only a matter of time before the researchers hit that… B...
by idlemind
Sat Mar 31, 2018 7:13 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

Seems like MikroTik needs a ND policer like everyone else implemented in 2012 or earlier. That said it would constitute IPv6 feature work and we know how unlikely that is at MikroTik. Maybe a high severity CVE is needed to get MikroTik's attention to effectively mitigate this. Or, take my approach w...
by idlemind
Sat Mar 10, 2018 1:41 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 97329

Re: v6.42rc [release candidate] is released!

Are there plans to provide dot1q-tunnel equivalent features and switch port rules to manipulate two VLAN tags? (eg pop outer and inner tags and replace them with others) I've been using QinQ trunking in software bridges on a hex for sometime now. Nothing really special to report about it. I imagine...
by idlemind
Fri Mar 09, 2018 4:03 pm
Forum: General
Topic: IPv6 Ping does not work with domain names
Replies: 42
Views: 23769

Re: IPv6 Ping does not work with domain names

This workaround is a definitive solution? :? :shock: the problem will go away when IPv6 is set as a preferred option for the :resolve command and elsewhere where RouterOS attempts to resolve a hostname to IP address. When forced the :resolve command is returning the IPv6 address, hence the workarou...
by idlemind
Tue Feb 27, 2018 3:17 pm
Forum: General
Topic: L2TP/IPSec for Road Warrior
Replies: 93
Views: 35308

Re: L2TP/IPSec for Road Warrior

Can a mAP be used to tunnel to a Mikrotik using IPIP or EOIP with the mAP letting multiple users in? I tried this about a year ago but never did get it to work. I think my stumbling point was trying to get the mAP into a motel wifi for the WAN side. I did it with cap lites, the little hockey puck l...
by idlemind
Mon Feb 26, 2018 4:25 pm
Forum: General
Topic: L2TP/IPSec for Road Warrior
Replies: 93
Views: 35308

Re: L2TP/IPSec for Road Warrior

It is in TODO list, however that will solve problem only if client is RouterOS. But such setups mostly are done where clients are laptops and mobile devices. How about IPv6 support in the L2TP/IPSec server implementation. This avoids the need for NAT traversal or source port randomization entirely....
by idlemind
Fri Feb 16, 2018 4:59 pm
Forum: General
Topic: DHCPv6 client problem
Replies: 8
Views: 1024

Re: DHCPv6 client problem

If you post the PCAP I'd be happy to review it. I haven't had a chance to gather my own yet.
by idlemind
Thu Jan 25, 2018 5:26 pm
Forum: General
Topic: mtu change ?
Replies: 5
Views: 4627

Re: mtu change ?

1452 + 20 (IP) + 8 (PPP) = the 1480 detected MTU is likely correct. It implies from your point of testing that is the available MTU size you can squeeze through without fragmentation. So if you were testing over the vDSL linkage like your drawing shows a good starting point might be to reduce the ma...
by idlemind
Thu Jan 25, 2018 4:47 pm
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 2775

Re: IPv6 router settings

2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP. Allowing all ICMP in isn't such a good idea as well. An ICMP ping sweep from internet to internal LAN will make the router start ND process for each and every internal host pinged. The potential ...
by idlemind
Wed Jan 17, 2018 10:41 pm
Forum: General
Topic: DHCPv6 client problem
Replies: 8
Views: 1024

Re: DHCPv6 client problem

Yup I'd be prepared to offer PCAPs of the solicit and advertise messages.
by idlemind
Wed Jan 17, 2018 9:19 pm
Forum: General
Topic: DHCPv6 client problem
Replies: 8
Views: 1024

Re: DHCPv6 client problem

Hmm, if I could see a packet capture of the DHCPv6 request cycle it could be verified where the fault is. RFC3633 (6) states: 6. Identity Association for Prefix Delegation An IA_PD is a construct through which a delegating router and a requesting router can identify, group and manage a set of relate...
by idlemind
Tue Jan 16, 2018 9:33 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 97329

Re: v6.42rc [release candidate] is released!

*) dhcpv6-client - added info exchange support; *) dhcpv6-client - added support for options 15 and 16; *) dhcpv6-server - added DHCPv4 style user options; While it is a worthy mention and any improvement in DHCPv6 support is welcome I feel it is important to remind you that your team is sorely lac...
by idlemind
Tue Jan 09, 2018 9:04 pm
Forum: Beginner Basics
Topic: Site to Site IpSec Tunnel
Replies: 23
Views: 28426

Re: Site to Site IpSec Tunnel

Hello everybody! I have got 2 LAN networks, IPSec and GRE tunnel is working fine. But there is a problem. There is a laptop in the another LAN and i can not access to it, but i can ping it. I can access the other side from this laptop by the way. So i can access my 951G, and behind my PC, ssh, ftp....
by idlemind
Tue Jan 09, 2018 9:02 pm
Forum: General
Topic: mtu change ?
Replies: 5
Views: 4627

Re: mtu change ?

Firewall rules should be unneeded. There is no roll in the firewall ! ( no filter - no NAT ) Set the MTU values on the appropriate interfaces Do you mean interfaces? I have set 1500 of all interface ( example : ether2 - 1500MTU ) and allow ICMP messages related to path MTU discovery to pass correct...
by idlemind
Tue Dec 26, 2017 2:06 am
Forum: General
Topic: mtu change ?
Replies: 5
Views: 4627

Re: mtu change ?

Firewall rules should be unneeded. The clamp-tcp-mss feature is a crutch and only cleans up TCP flows.

Set the MTU values on the appropriate interfaces and allow ICMP messages related to path MTU discovery to pass correctly and packets will move without issue.
by idlemind
Thu Dec 14, 2017 8:31 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Hi, is proxy-arp on v6.41rc61 working? I have CCR1036 directly connected to CRS226. I have vlan trunk on bridge between them. On CRS226 I have acces port and connected device with IP, i can ping IP from router and switch. I configured L2TP/IPsec and OVPN services, both are working, but I can't ping...
by idlemind
Tue Dec 12, 2017 4:48 pm
Forum: General
Topic: SSTP & IPv6
Replies: 18
Views: 4856

Re: SSTP & IPv6

Most likely new IPv6 features will not be added in ROS v6. Thank for the honest feedback. At least I know for certain I do not need to watch the RC patch notes anxiously. I'll continue to ask but know that myself and others require IPv6 support. Without it I cannot recommend your product for anythi...
by idlemind
Tue Dec 12, 2017 4:46 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Sure thing! /interface bridge add fast-forward=no igmp-snooping=no name=bridge priority=0x1000 protocol-mode=none vlan-filtering=yes The docs I referenced uses pvid=1 for the bridge and for holding the VLANs, so my bridge sets no pvid. Instead, I've assigned the IP directly to a VLAN Thanks bjornr,...
by idlemind
Mon Dec 11, 2017 8:12 pm
Forum: General
Topic: Possible to avoid loops using 6.41rc?
Replies: 3
Views: 536

Re: Possible to avoid loops using 6.41rc?

In this post I describe what is my problem: https://forum.mikrotik.com/viewtopic.php?f=2&t=127500&p=626795#p626795 Long story short, I have got advise from support to try 6.41rc with the new bridge concept and hardware offloading. Support says that maybe the problem was due to broadcasts both on vl...
by idlemind
Sun Dec 03, 2017 6:36 pm
Forum: General
Topic: Mikrotik as GW with Cisco as DHCP server!
Replies: 1
Views: 341

Re: Mikrotik as GW with Cisco as DHCP server!

/export hide-sensitive
Post the output of that please!
by idlemind
Thu Nov 23, 2017 7:26 pm
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 725

Re: Issues w/ HTTPS

yes pppoe are set at 1492. i did more digging and noticed on a working router the mtu settings were 1500/1598 on backhaul interface and all others were 1500/1588 and pppoe virtual interface was 1492. changed the two other problem locations to same and what do ya know, "it works like a hank now" gue...
by idlemind
Thu Nov 23, 2017 7:06 pm
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 725

Re: Issues w/ HTTPS

man i appreciate your thoughts, i've done some testing on mtu between the troubled subnet and a known working subnet and if i go lower than 1480 or 1500 just about everything times out. not using any ipv6 on my network but when i torch the interface trying to load netflix i do see ipv6 address appea...
by idlemind
Thu Nov 23, 2017 2:48 pm
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 725

Re: Issues w/ HTTPS

how would one fix that? thx You'll need to test and verify path MTU is working appropriately. Depending on your architecture this can be difficult (especially if you have an IPSec policy based VPN). A quick test is to reduce your LAN or client MTU to something very small. A good value to start with...
by idlemind
Thu Nov 23, 2017 3:36 am
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 725

Re: Issues w/ HTTPS

I am having similar issues myself. nothing has changed. started noticing ubnt radios wouldn't update from the gui when told to check for updates. can't connect to ubnt.com or netflix.com within this certain subnet and i'm sure there's more. can remote in to windows box on the main private subnet a...
by idlemind
Wed Nov 22, 2017 7:52 pm
Forum: General
Topic: MTU Question
Replies: 12
Views: 1527

Re: MTU Question

Reading this I am looking at I am able to ping directly from the Mikrotik to the outside at with 1500 without defragmenting. When I am on a device connected to the Mikrotik I can ping with 1472. Looking at the PPPoE connecting to the server I notice that the datalen is 1492. The displayed MTU on th...
by idlemind
Wed Nov 22, 2017 7:51 pm
Forum: General
Topic: ipv6 - unable to reach beyond mikrotik.
Replies: 25
Views: 1521

Re: ipv6 - unable to reach beyond mikrotik.

TL;DR: collaborate with your ISP and help them fix their broken IPv6 implementation. Once you get past the initial layers of tech support and into the ones actually doing the design and configuration, they'll welcome the feedback if it's presented constructively. Allocating a /56 is actually RIPE prefe...
by idlemind
Wed Nov 22, 2017 5:39 pm
Forum: General
Topic: ipv6 - unable to reach beyond mikrotik.
Replies: 25
Views: 1521

Re: ipv6 - unable to reach beyond mikrotik.

I've narrowed the problem down to the ND configuration. Essentially I have to define the LAN prefix advertisement on the WAN port under ND:
/ipv6 nd prefix add autonomous=no interface=ether6 on-link=yes prefix=X:X:X:102::/64
However! In order for the ONT to start routing to that subnet I have to set icmpv6.nd....
by idlemind
Wed Nov 22, 2017 5:24 pm
Forum: General
Topic: Bonding Broadcast
Replies: 1
Views: 435

Re: Bonding Broadcast

Is your bonding mode set to broadcast? Maybe balance-xor with an appropriate transmit-hash-policy or 802.3ad?
by idlemind
Wed Nov 22, 2017 5:21 pm
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 725

Re: Issues w/ HTTPS

Yup the usual offender is MTU related. Likely you are blocking path MTU discovery mechanisms like ICMP from being correctly transmitted through your network.
by idlemind
Wed Nov 22, 2017 5:19 pm
Forum: General
Topic: Vlans and Bridges
Replies: 2
Views: 436

Re: Vlans and Bridges

Yup, lots of ways to skin this cat. Let's do it with 6.41rc-based bridging (VLAN aware) just because it is the most future-proof solution. Step 1: remove master-port from all Ethernet interfaces (if it exists; the option has now been removed in 6.41rc). Step 2: pick an Ethernet interface to use for c...
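The steps in the search snippet above are cut off, so here is a complete VLAN-aware bridge configuration for 6.41rc as an added example; it is not idlemind's own export. It assumes ether1 is the trunk to the upstream switch, ether2 and ether3 are access ports for VLAN 10 and VLAN 20, and the 192.168.x.0/24 addresses are placeholders. The ingress-filtering and frame-types settings are the part worth copying: they stop a host on an access port from tagging its own frames into another VLAN.

```routeros
# Added example, not from the post. Assumptions: ether1 = trunk,
# ether2 = VLAN 10 access, ether3 = VLAN 20 access, addresses are placeholders.
/interface bridge
add name=bridge1 vlan-filtering=no comment="vlan-filtering is switched on last"

/interface bridge port
# Trunk: only tagged frames are accepted; untagged frames are dropped.
add bridge=bridge1 interface=ether1 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
# Access ports: frames get the PVID on ingress, tagged frames are rejected,
# so a host cannot hop into another VLAN by tagging its own traffic.
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# "bridge1" in tagged= is what lets the router CPU see each VLAN.
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether1 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether1 untagged=ether3

/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan20 interface=bridge1 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20

# Enable filtering only now, from a console or a Safe Mode session:
# turning it on before the vlan table is complete drops your own session.
/interface bridge set bridge1 vlan-filtering=yes
```

Verify with `/interface bridge vlan print` that every VLAN lists bridge1 as tagged, and with `/interface bridge port print` that the access ports show the expected PVID; a port missing from the vlan table is the usual cause of "it worked until I enabled vlan-filtering".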
by idlemind
Wed Nov 22, 2017 5:07 pm
Forum: General
Topic: Webserver configuration recommendation
Replies: 1
Views: 245

Re: Webserver configuration recommendation

The term DMZ is so "meh." You're really seeking isolation. This can be accomplished with the local firewall on the server, a segment protected by the firewall on a MikroTik router, or a mix of both. If you want the server to live on the same segment as the client devices you can control #1 and #4 easi...
by idlemind
Wed Nov 22, 2017 5:02 pm
Forum: General
Topic: IPv6 PD and specify DNS servers?
Replies: 1
Views: 442

Re: IPv6 PD and specify DNS servers?

Not really; some have reported it working to set DHCP servers with regular DHCP in a dual-stack method. Complain to MikroTik about their half-baked implementation like all of us have been doing as IPv6 continues to ramp up in relevance. Now, to provide a more specific work-around: you can set your DNS...
by idlemind
Wed Nov 22, 2017 4:53 pm
Forum: General
Topic: MTU Question
Replies: 12
Views: 1527

Re: MTU Question

Hi guys, I have a little question about MTU. I need to run a PPPoE server over a single VLAN in our CCR1036 to our clients and I have a question about setting MTU on interfaces to avoid fragmentation problems. The basic diagram is this: CCR1036 ---------- (eth cable) ---------- SWITCH ------- (eth c...
by idlemind
Wed Nov 22, 2017 4:44 pm
Forum: General
Topic: MTU Question
Replies: 12
Views: 1527

Re: MTU Question

Mangle rules depend on your RouterOS version:
rOS 6.39 !) ppp - implemented internal algorithm for "change-mss", no mangle rules necessary;
rOS 6.39.2 *) ppp - fixed "change-mss" functionality (introduced in 6.39);
You should be OK without any additional settings :) Change MSS only applies to TCP,...
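The MTU threads above (the "quick test" of reducing the client MTU, the 1500 vs 1472 vs 1492 numbers, and the change-mss discussion) all come down to the same check. Here is the check as an added example, not from any of the posts: a RouterOS script that binary-searches the largest do-not-fragment packet the path delivers, followed by the two firewall pieces that keep HTTPS working when PMTUD is blocked somewhere upstream. 203.0.113.10 and pppoe-out1 are placeholders.

```routeros
# Added example, not from the posts. Target and interface names are placeholders.
# 1) Find the largest packet that crosses the path with DF set.
#    RouterOS ping "size" includes the 28 bytes of IP+ICMP headers, so
#    size=1500 here is what "ping -f -l 1472" sends from Windows; on a
#    PPPoE link you should land on 1492, anything lower means a tighter hop.
:local target 203.0.113.10
:local lo 576
:local hi 1500
:if ([/ping $target count=2 size=$hi do-not-fragment] > 0) do={
  :set lo $hi
}
:while (($hi - $lo) > 1) do={
  :local mid (($lo + $hi) / 2)
  :if ([/ping $target count=2 size=$mid do-not-fragment] > 0) do={
    :set lo $mid
  } else={
    :set hi $mid
  }
}
:put ("largest DF packet delivered: " . $lo . " bytes")

# 2) Let PMTUD work: "fragmentation needed" must reach the end hosts.
#    Put this above any drop rule in the forward chain.
/ip firewall filter
add chain=forward protocol=icmp icmp-options=3:4 action=accept \
    comment="ICMP fragmentation needed (path MTU discovery)"

# 3) Belt and braces for clients behind the PPPoE link: clamp the TCP MSS
#    in both directions to what the path can carry, for the case where a
#    middlebox you do not control still eats the ICMP.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=pppoe-out1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes
add chain=forward protocol=tcp tcp-flags=syn in-interface=pppoe-out1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes
```

Run the script from a subnet that works and from the one that does not; if the "troubled" subnet reports a smaller number, the problem is between those two points, not at the ISP. Note that MSS clamping only helps TCP, as the post says; UDP-based traffic (VPN tunnels, QUIC) still needs the ICMP rule.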
by idlemind
Wed Nov 22, 2017 4:18 pm
Forum: General
Topic: Ip Flow Problem
Replies: 6
Views: 587

Re: Ip Flow Problem

What is the CPU usage of the PPPoE server with users connected and the IP flow exporter running? Does the exported data take the same data path as the PPPoE clients therefore potentially causing contention?
by idlemind
Wed Nov 22, 2017 5:57 am
Forum: General
Topic: NFS browsing issue
Replies: 6
Views: 1772

Re: NFS browsing issue

If they are on the same segment local discovery should be working without interference from MikroTik. I suppose it's possible that by placing your NAS in each VLAN like you have it may be confusing the autoconf daemon (Avahi). When the NAS and client are on the same VLAN the MikroTik won't, or at least ...
by idlemind
Wed Nov 22, 2017 5:29 am
Forum: General
Topic: NFS browsing issue
Replies: 6
Views: 1772

Re: NFS browsing issue

Avahi is only needed if you want NFS to be "announced" or at least "discoverable." If you simply mount the share in Kodi and use NFS natively it should behave normally over the network. That said, Avahi can be used with a custom TLD (not .local), and DNS-SD (DNS Service Discovery) is not necessary re...
by idlemind
Fri Nov 17, 2017 10:00 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

These complaints are exactly why arbitrarily hard-setting a value is bad when it can be valid within a range. This includes what a developer personally feels is acceptable.
by idlemind
Fri Nov 10, 2017 7:34 pm
Forum: General
Topic: DNS in mikrotik and DC on Windows Server
Replies: 3
Views: 4813

Re: DNS in mikrotik and DC on Windows Server

All of these suggestions are good; if you have a Microsoft AD environment you should not be using DNS or DHCP on the MikroTik for domain-joined clients. It would be OK to use the MikroTik to relay and cache requests to another upstream DNS server, but to reduce complexity I'd just have the AD servers...
by idlemind
Fri Nov 10, 2017 7:03 pm
Forum: General
Topic: Ether2 to SSTP-out1 can't seem to see it.
Replies: 1
Views: 272

Re: Ether2 to SSTP-out1 can't seem to see it.

Let's start with:
/export hide-sensitive
by idlemind
Fri Nov 10, 2017 7:01 pm
Forum: General
Topic: Changing/removing a master-port disconnects from a router
Replies: 1
Views: 413

Re: Changing/removing a master-port disconnects from a router

The way RouterOS older than 6.41rc works is that the switch chip is managed through the "master-port"; by default that's ether2, as you're finding out. You can change that. I personally drop everything master-port related and have been strictly running on the new bridge that replaces this nightmare. T...
by idlemind
Fri Nov 10, 2017 6:50 pm
Forum: General
Topic: Hotspot behind Gigabit WAN lines
Replies: 4
Views: 493

Re: Hotspot behind Gigabit WAN lines

To be honest, I avoid hotspot and captive portals like the plague. I've seen more issues, particularly with captive portal detection, than any other method produces by volume of support calls. You'd need a method to manage either the certificates or the users. You likely are doing this already. This would...
by idlemind
Fri Nov 10, 2017 6:42 pm
Forum: General
Topic: FTP helper doesn't work properly
Replies: 1
Views: 616

Re: FTP helper doesn't work properly

Hello. I have broken my head. I have an FTP server with SSL. Inside the LAN everything works fine; users can connect and get data from the server. If I want to connect via the Internet, the connection is refused (server sent passive reply with unroutable address "my local ftp-server address") after establishing. I set u...
by idlemind
Fri Nov 10, 2017 6:38 pm
Forum: General
Topic: Hex v3 ( RB750Gr3 ) EoIP/IPsec
Replies: 5
Views: 1020

Re: Hex v3 ( RB750Gr3 ) EoIP/IPsec

If you don't actually need the functionality of EoIP (tunneling layer 2) then you could use straight IPsec tunnel mode and maintain an accelerated state with little overhead from the tunneling action.
by idlemind
Fri Nov 10, 2017 3:59 pm
Forum: General
Topic: Hotspot behind Gigabit WAN lines
Replies: 4
Views: 493

Re: Hotspot behind Gigabit WAN lines

Why not 802.1x at scale instead of captive portal and hotspot silliness?
by idlemind
Thu Nov 09, 2017 7:04 pm
Forum: General
Topic: SSTP & IPv6
Replies: 18
Views: 4856

Re: SSTP & IPv6

Currently you can't connect to the router using IPv6 address. This feature will be added in future versions.
This was 7 years ago. How future was that version you were talking about MRZ?
by idlemind
Wed Nov 08, 2017 6:44 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

RADIUS timeout value was reduced due to the fact that there is no point in a higher value than 3s. Neither of the RouterOS RADIUS services would wait more than 3s for a reply from the RADIUS server. If you had a value higher than 3 seconds, then either the configuration will work with the timeout set to 3s or it was n...
by idlemind
Wed Nov 08, 2017 6:22 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 5175

Re: Vlans to run over L2TP/IPsec. [SOLVED]

idlemind
Thank you for all your help. I appreciate. :D :D :D
No problem! Good luck on your adventures!
by idlemind
Tue Nov 07, 2017 10:26 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 5175

Re: Vlans to run over L2TP/IPsec. [SOLVED]

Post a /ip route print from the hq and one of the branches. Maybe a little drawing showing the networks involved too. HQ Route list https://hfmc9w.dm2301.livefilestore.com/y4m2UkB9IUdtURPqaI019SqjqB_MztQLSq2lbyhCDzz-S5bqn1QWJ9VFhV16xxOjw4xfy4qgMLwcKNa2XjIR5rHpbuEI7_I2MWG3jixe5HPjIhR9TjFWaYewH9QmWgL...
by idlemind
Tue Nov 07, 2017 10:06 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 5175

Re: Vlans to run over L2TP/IPsec. [SOLVED]

Post a /ip route print from the hq and one of the branches. Maybe a little drawing showing the networks involved too. HQ Route list https://hfmc9w.dm2301.livefilestore.com/y4m2UkB9IUdtURPqaI019SqjqB_MztQLSq2lbyhCDzz-S5bqn1QWJ9VFhV16xxOjw4xfy4qgMLwcKNa2XjIR5rHpbuEI7_I2MWG3jixe5HPjIhR9TjFWaYewH9QmWgL...
by idlemind
Tue Nov 07, 2017 8:41 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 5175

Re: Vlans to run over L2TP/IPsec. [SOLVED]

Post a /ip route print from the hq and one of the branches. Maybe a little drawing showing the networks involved too.
by idlemind
Tue Nov 07, 2017 5:22 pm
Forum: General
Topic: Feature request: Make IPv6 DNS servers configureable in ND/DHCPv6
Replies: 6
Views: 1183

Re: Feature request: Make IPv6 DNS servers configureable in ND/DHCPv6

Currently ND and DHCPv6 advertise only the IPv6 DNS servers set in "/ip dns" which are the upstream DNS servers. Therefore it is not possible to use the internal RouterOS DNS server as IPv6 DNS server. Please make the DNS server configurable in the same way, as it's already done on the IPv4 DHCP se...
by idlemind
Tue Nov 07, 2017 5:21 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

What's new in 6.41rc50 (2017-Oct-30 10:13): Important note!!! Backup before upgrade! RouterOS (v6.40rc36-rc40 and) v6.41rc1+ contains new bridge implementation that supports hardware offloading (hw-offload). This update will convert all interface "master-port" configuration into new bridge configur...
by idlemind
Tue Nov 07, 2017 2:36 am
Forum: General
Topic: IPv6 firewalling
Replies: 2
Views: 409

Re: IPv6 firewalling

You may want to look at explicitly allowing some ICMPv6 types like "Packet Too Big" in FORWARD, just in case established/related doesn't pick it up, to prevent fragmentation issues.
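An IPv6 filter that does what the post suggests, as an added example rather than idlemind's own rule set: the ICMPv6 types that must cross a stateful firewall even when no connection entry exists yet are accepted explicitly, in both the forward and input chains. pppoe-out1 stands in for whatever your WAN interface is.

```routeros
# Added example, not from the post. pppoe-out1 is a placeholder WAN interface.
/ipv6 firewall filter
# forward chain: stateful baseline first
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# ICMPv6 that must be forwarded regardless of state. Type 2 (Packet Too
# Big) is the important one: IPv6 routers never fragment, so if this is
# dropped every large HTTPS response from the LAN just stalls.
add chain=forward protocol=icmpv6 icmp-options=1:0-255 action=accept comment="destination unreachable"
add chain=forward protocol=icmpv6 icmp-options=2:0-255 action=accept comment="packet too big (PMTUD)"
add chain=forward protocol=icmpv6 icmp-options=3:0-255 action=accept comment="time exceeded"
add chain=forward protocol=icmpv6 icmp-options=4:0-255 action=accept comment="parameter problem"
add chain=forward protocol=icmpv6 icmp-options=128:0-255 action=accept comment="echo request"
add chain=forward protocol=icmpv6 icmp-options=129:0-255 action=accept comment="echo reply"
# LAN may initiate anything; unsolicited traffic from the WAN is dropped.
add chain=forward in-interface=!pppoe-out1 action=accept
add chain=forward in-interface=pppoe-out1 action=drop

# input chain: the router itself needs PMTUD and Neighbor Discovery
# (133 RS, 134 RA, 135 NS, 136 NA) or it loses its own upstream link.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmpv6 icmp-options=2:0-255 action=accept
add chain=input protocol=icmpv6 icmp-options=133:0-255 action=accept
add chain=input protocol=icmpv6 icmp-options=134:0-255 action=accept
add chain=input protocol=icmpv6 icmp-options=135:0-255 action=accept
add chain=input protocol=icmpv6 icmp-options=136:0-255 action=accept
add chain=input protocol=udp dst-port=546 in-interface=pppoe-out1 action=accept comment="DHCPv6-PD client replies"
add chain=input in-interface=pppoe-out1 action=drop
```

Test it the same way as the IPv4 case: ping6 with do-not-fragment at increasing sizes from a LAN host, and watch `/ipv6 firewall filter print stats` for the type 2 rule counter moving when a large transfer starts. If the counter stays at zero while large downloads hang, something upstream is dropping the Packet Too Big before it reaches you.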
by idlemind
Tue Nov 07, 2017 2:31 am
Forum: General
Topic: NATing entire subnet to bridge colliding address spaces
Replies: 1
Views: 226

Re: NATing entire subnet to bridge colliding address spaces

Search my posts for "double NAT"; you should find an example of doing this. It can be done with any VPN method. You may find OVPN in MikroTik limiting; I think it's still TCP only.
by idlemind
Mon Nov 06, 2017 6:36 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 5175

Re: Vlans to run over L2TP/IPsec. [SOLVED]

An example with the networks of 192.168.101.0/24 with a gateway of 192.168.255.1/30 and 192.168.201.0/24 with a gateway of 192.168.255.5/30.
ppp secret set 0 routes="192.168.101.0/24 192.168.255.1 1,192.168.201.0/24 192.168.255.5 1"
https://wiki.mikrotik.com/wiki/Manual:PPP_AAA ^^ Search for "routes...
by idlemind
Fri Nov 03, 2017 10:52 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

They've done that already.
Done what? In the released version? With no roll back? Hey, you must be kidding me! :) What I talk about is that we should split the new bridge implementation from all these other changes, for good reason: the bridge change is a BIG one so this alone should be tested very seriously. When ...
by idlemind
Fri Nov 03, 2017 8:08 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 5175

Re: Vlans to run over L2TP/IPsec. [SOLVED]

I'm in need of some clarification on your issue. Do you want to stretch the VLANs from remote sites back to HQ so you have layer 2 connectivity between the sites? Do you want layer 3 connectivity between the locations from the additional networks present on the remote site VLANs (ping from that VLA...
by idlemind
Fri Nov 03, 2017 4:00 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Just wanted to tell you guys you're implementing a very good thing, but the new RC seems to be very long in development so far. It is not common to see 50 (!) RCs per release (and 6.41 is not yet released this far), and this looks like it will be just dangerous to install into prod for too many changes (beside ...
by idlemind
Thu Nov 02, 2017 9:02 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 5175

Re: Vlans to run over L2TP/IPsec. [SOLVED]

I'm in need of some clarification on your issue. Do you want to stretch the VLANs from remote sites back to HQ so you have layer 2 connectivity between the sites? Do you want layer 3 connectivity between the locations from the additional networks present on the remote site VLANs (ping from that VLAN...
by idlemind
Thu Nov 02, 2017 6:20 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

What's new in 6.41rc50 (2017-Oct-30 10:13): *) radius - limited RADIUS timeout maximum value to 3 seconds; a very bad idea, this field generally needs to have the limits removed, so that I myself can set the desired value, for example even 15-20 seconds
Yup, seems like MT was overstepping. Seems like so...
by idlemind
Mon Oct 30, 2017 9:15 pm
Forum: General
Topic: Help with router configuration for Agascha
Replies: 6
Views: 515

Re: Help with router configuration for Agascha

Right, you probably need a bit more background in networking. If you choose to do it with the method involving DNS you and your users never need to enter the IP address in the browser. Instead it could just be "http://pictures" for example. If you choose to manage just the IP address and access it v...
by idlemind
Mon Oct 30, 2017 6:02 pm
Forum: Wireless Networking
Topic: VLANS over wireless link
Replies: 4
Views: 639

Re: VLANS over wireless link

Ok thanks a lot.
That mean It is not necessary to enable WDS in dynamic mode on bridge interface?
Correct, you also can do it with bridging by setting which VLANs you explicitly want to tag or not (PVID).
by idlemind
Mon Oct 30, 2017 3:53 pm
Forum: Beginner Basics
Topic: Why speed of Bridge only 100Mb?
Replies: 6
Views: 1888

Re: Why speed of Bridge only 100Mb?

Running MikroTik RouterOS 6.41rc I see the same speed reported. That said, I am able to perform inter-VLAN routing across the bridge at well over 100 Mbps. I imagine it's a superficial value. If it's not already reported, do it. Maybe MikroTik can update the value to be the speed of the fastest bridge...
by idlemind
Sun Oct 29, 2017 7:57 pm
Forum: Beginner Basics
Topic: Understanding and develop VLAN
Replies: 4
Views: 443

Re: Understanding and develop VLAN

RC? GA?
RC, Release Candidate
GA, General Availability or Stable

Software versions.
by idlemind
Sun Oct 29, 2017 7:32 pm
Forum: Beginner Basics
Topic: VLAN/TRUNK - Cisco equiv commands
Replies: 1
Views: 353

Re: VLAN/TRUNK - Cisco equiv commands

Look at the new VLAN aware bridge implementation in 6.41rc. Might as well learn the way it will be done by default soon right out of the gate if you ask me.
by idlemind
Sun Oct 29, 2017 7:26 pm
Forum: Beginner Basics
Topic: Understanding and develop VLAN
Replies: 4
Views: 443

Re: Understanding and develop VLAN

It might be easier for you to learn how to implement VLANs in the new RC version. Might as well only learn it once. For a small topology it shouldn't be hard to validate the RC enough to ensure stability while it moves to GA. It's been around for several months now.
by idlemind
Sun Oct 29, 2017 2:54 pm
Forum: General
Topic: Network issues for L2tp/ipsec with CCR 1009
Replies: 3
Views: 397

Re: Network issues for L2tp/ipsec with CCR 1009

The IPs you're using are public IPs you know that right?

If you have subnet overlap you need to enable Proxy ARP on the overlapping non VPN subnet, ether2 in your case.
by idlemind
Sun Oct 29, 2017 2:51 pm
Forum: General
Topic: Help with router configuration for Agascha
Replies: 6
Views: 515

Re: Help with router configuration for Agascha

Hello pukkita, thanks for your help. Is there no way that the router can be set up so that Lan4 always gets the same IP address? So even with changing laptops on this Ethernet port they always receive the same IP. Thank you for your help. Greetings, Agascha
You could do it with scripting: set a short lease t...
by idlemind
Sun Oct 29, 2017 6:12 am
Forum: General
Topic: IPSEC +GRE issue R6.40.4
Replies: 2
Views: 644

Re: IPSEC +GRE issue R6.40.4

With IPsec and GRE the IPsec mode should be transport, not tunnel. That won't affect functionality, but you are adding a useless IP header per packet, which affects MTU and CPU. Additionally, the NAT rule is useless when using the GRE tunnel and not a policy-based VPN (IPsec only). Post an export for ea...
by idlemind
Fri Oct 27, 2017 3:55 pm
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2078

Re: MicroTik RB750Gr3 trunk vLAN issue

Idlemind: Having now set these up for an eleven-vLan configuration, it isn't hard to see how the 'new order' vLan-aware bridges will make life, and configuration, way easier with increased flexibility. The RC version was fun to tinker with, but in the end I opted for a stable build in the interim [...
by idlemind
Fri Oct 27, 2017 3:36 pm
Forum: General
Topic: Broadcast and Multicast over VPN (PPP)
Replies: 11
Views: 4269

Re: Broadcast and Multicast over VPN (PPP)

Hi, I have tested with an RB951, ROS version 6.40. I have done an EoIP VPN and bridged the EoIP tunnel to the Ethernet interface. Then I do a multicast stream from one side to another but it didn't work. As I searched the forum it needs IGMP snooping enabled on the bridge interface. It seems the RB951 does not support that feature. T...
by idlemind
Wed Oct 25, 2017 7:28 am
Forum: General
Topic: Questions regarding EoIP Performance on CCR1036-12G-4S
Replies: 2
Views: 569

Re: Questions regarding EoIP Performance on CCR1036-12G-4S

Fragmentation happens at the router in IPv4. Switching to IPv6 would move the fragmentation cost to the source of traffic.

I imagine that's not a real fix. It does however highlight a strength of IPv6 though.

If you share more of your desired architecture we may be able to help further.
by idlemind
Mon Oct 23, 2017 5:43 pm
Forum: General
Topic: Connecting 2 RB750GR3 over wan
Replies: 7
Views: 881

Re: Connecting 2 RB750GR3 over wan

It depends on your requirements. If both have static IPv4 or IPv6 addressing I prefer to run GRE wrapped in IPsec transport mode, personally. I say this because GRE supports all types of traffic. This allows you to run a dynamic routing protocol between the sites. Having an actual GRE interface also ...
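The GRE-in-IPsec-transport design recommended here and in the "IPSEC +GRE issue" reply above, written out for one side as an added example (not a config from either thread). 198.51.100.1 is site A, 203.0.113.1 is site B, 10.255.0.0/30 is the tunnel network and the secret is a placeholder; swap local and remote on site B. It assumes the 6.40-era `ipsec-secret` option on the GRE interface, which creates the transport-mode peer and policy from the default proposal, so the proposal is hardened first.

```routeros
# Added example, not from the posts. Addresses and the PSK are placeholders.
/ip ipsec proposal
# The stock proposal is weak; fix it before the first SA is negotiated,
# because the GRE ipsec-secret shortcut below uses it (assumed behaviour).
set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

/interface gre
# Transport mode: the IPsec policy matches protocol GRE between the two
# endpoints only, so no second outer IP header is added (that is the
# MTU and CPU cost of tunnel mode the post refers to).
add name=gre-siteb local-address=198.51.100.1 remote-address=203.0.113.1 \
    ipsec-secret="replace-with-a-long-random-psk" mtu=1400 \
    clamp-tcp-mss=yes allow-fast-path=no

/ip address
add address=10.255.0.1/30 interface=gre-siteb

/ip firewall filter
# Only the peer may talk IKE/ESP to this router, and GRE is accepted only
# after IPsec has decrypted it; GRE arriving in the clear is dropped, so
# nobody can inject routes by spoofing the tunnel endpoint.
add chain=input src-address=203.0.113.1 protocol=udp dst-port=500,4500 action=accept
add chain=input src-address=203.0.113.1 protocol=ipsec-esp action=accept
add chain=input src-address=203.0.113.1 protocol=gre ipsec-policy=in,ipsec action=accept
add chain=input protocol=gre action=drop comment="unencrypted GRE"

# Dynamic routing over the tunnel interface, which plain policy-based
# IPsec cannot give you.
/routing ospf interface
add interface=gre-siteb network-type=point-to-point
/routing ospf network
add network=10.255.0.0/30 area=backbone
```

After both sides are up, `/ip ipsec installed-sa print` should show one pair of SAs with the hardened algorithms, and `/ip ipsec policy print` a dynamic entry with `protocol=gre tunnel=no`. If you see `tunnel=yes`, you have configured the peer by hand in tunnel mode and are paying for the extra header the post warns about.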
by idlemind
Mon Oct 23, 2017 1:38 am
Forum: General
Topic: Feature Request: TACACS/TACACS+
Replies: 35
Views: 8598

Re: Feature Request: TACACS/TACACS+

I wonder if IPSec could be used to secure the RADIUS traffic between endpoints and an auth server. This would only cover the encryption side of the discussion not the feature differences.
by idlemind
Fri Oct 20, 2017 11:46 pm
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2078

Re: MicroTik RB750Gr3 trunk vLAN issue

Hi Idlemind, I've taken the plunge into 6.41rc## and the bridge stuff is certainly cleaner... thanks for the heads-up. With reference to Cisco or Adtran style VLAN config in the switches, it seems like the bridged VLANs in MikroTik under this RC are much like the VLAN trunks in those switches, with t...
by idlemind
Fri Oct 20, 2017 7:00 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

In RouterOS v6.41 everything QinQ related has to be configured with bridge "vlan-filtering=no" using VLAN interfaces and their "use-service-tag" option. And if one does that, will all QinQ switching get software switched, or what?
Wouldn't it have been in software before? Are there models that supported Q...
by idlemind
Fri Oct 20, 2017 5:44 pm
Forum: Beginner Basics
Topic: VPN and ping with big packet size. help me
Replies: 2
Views: 394

Re: VPN and ping with big packet size. help me

1) PPTP has been shown to not be secure, so switch to a different protocol. L2TP/IPsec should work fine for remote access VPN or a site-to-site connection similar to PPTP while retaining client viability (Win10). 2) Post a /export hide-sensitive of all the involved devices. As the previous poster sta...
by idlemind
Fri Oct 20, 2017 5:23 pm
Forum: Beginner Basics
Topic: Websites not being blocked/logged?
Replies: 6
Views: 686

Re: Websites not being blocked/logged?

It looks like every week there are at least 5 overzealous network operators here that want to block block block... And unfortunately none of them first check the replies to all the others about the difficulties/impossibilities. I guess we need to set up a course "how to live with the reality of th...
by idlemind
Fri Oct 20, 2017 5:17 pm
Forum: Beginner Basics
Topic: Problem with very simple Route on Mikrotik RB750
Replies: 6
Views: 700

Re: Problem with very simple Route on Mikrotik RB750

At the command prompt execute and post it:
/export hide-sensitive
You never know what sneaks into a configuration.
by idlemind
Fri Oct 20, 2017 5:15 pm
Forum: General
Topic: Issues with station-psuedobridge [SOLVED]
Replies: 4
Views: 493

Re: Issues with station-psuedobridge [SOLVED]

Switch it around, what's the worst that can happen?
I'll give it a go when I get home. I was just being impatient. I can't access it at the moment to try it.
Thanks
I feel ya.
by idlemind
Fri Oct 20, 2017 5:12 pm
Forum: General
Topic: ipv6 tunnel over hurricane electric is not running
Replies: 8
Views: 1497

Re: ipv6 tunnel over hurricane electric is not running

Flames aside about patience vs. impatience.

What's your firewall configuration? Are you able to ping the HE side of the tunnel from the router? A full /export hide-sensitive would be good.
by idlemind
Fri Oct 20, 2017 5:07 pm
Forum: General
Topic: Issues with station-psuedobridge [SOLVED]
Replies: 4
Views: 493

Re: Issues with station-psuedobridge [SOLVED]

Switch it around, what's the worst that can happen?
by idlemind
Fri Oct 20, 2017 6:13 am
Forum: General
Topic: L2TP/IPSec for Road Warrior
Replies: 93
Views: 35308

Re: L2TP/IPSec for Road Warrior

A problem IPv6 was born to fix ...
by idlemind
Fri Oct 20, 2017 5:15 am
Forum: Wireless Networking
Topic: AC WiFi requires local forwarding
Replies: 4
Views: 627

Re: AC WiFi requires local forwarding

Remember, non-local forwarding will tunnel all connectivity back through the controller. Issues related to MTU from the tunneling and subsequent fragmentation are possible. Additionally, if the radios are at a shared point of contention you may be seeing issues. An example could be a non-local CAPsMA...
by idlemind
Fri Oct 20, 2017 5:08 am
Forum: General
Topic: Feature request: BGP4-MIB (RFC 4273)
Replies: 32
Views: 5611

Re: Feature request: BGP4-MIB (RFC 4273)

+1, seems like a valid ask and has been present for a long time.
by idlemind
Fri Oct 20, 2017 3:18 am
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Has anyone tested ROMON in 6.41rc47?
Seems that is not working.

Also, can someone explain how QinQ vlans would be programmed in the new Bridge vlan implementation?
Put a bridge in your bridge?
by idlemind
Thu Oct 19, 2017 12:07 am
Forum: General
Topic: Bind ethernet port to VLAN on hAP ac in bridge/AP configuration
Replies: 6
Views: 1513

Re: Bind ethernet port to VLAN on hAP ac in bridge/AP configuration

Please post a complete "/export hide-sensitive" for both devices. We'll get you sorted.
by idlemind
Tue Oct 17, 2017 5:00 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Oh boy - you are right: RTFM! The bridge itself is kind of an interface. Now everything works. But I am still curious if I chose the correct way to work with untagged, i.e. PVID 1, traffic. Both trunk ports have PVID 1. The whole configuration works only if I set both trunk ports as tagged in bridge v...
by idlemind
Tue Oct 17, 2017 5:12 am
Forum: General
Topic: Proxy-arp issue
Replies: 3
Views: 1206

Re: Proxy-arp issue

Does the router have any routes? I imagine a default gateway? If so, that would match 192.168.1.0/24 and therefore it replies to ARP requests. From what you are describing, are the 3 switches each connected to one another without VLANs? Maybe draw us a topology. Something simple will do, like Paint if yo...
by idlemind
Tue Oct 17, 2017 2:15 am
Forum: General
Topic: Proxy-arp issue
Replies: 3
Views: 1206

Re: Proxy-arp issue

Proxy-ARP will return the MAC of the router for any IP the router has a route for, on the segment Proxy-ARP is enabled on.

You could make the VPN its own IP range and disable Proxy-ARP.
by idlemind
Mon Oct 16, 2017 6:44 pm
Forum: General
Topic: Bind ethernet port to VLAN on hAP ac in bridge/AP configuration
Replies: 6
Views: 1513

Re: Bind ethernet port to VLAN on hAP ac in bridge/AP configuration

I took a break on this issue for a bit. I'm ready to give it another try... I implemented the configuration idlemind suggested but it is not functioning. I started from a base config: ether1-5 bridged, ether2-master is the trunk port connected to a router supplying untagged traffic and tagged traffi...
by idlemind
Mon Oct 16, 2017 4:22 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Hi, I am trying to set up VLAN bridge for upstream and access to the router on RB3011 running 6.41rc44 but also offload the switching to the hardware switch. I am able to successfully do one or the other but if I combine both setups for local pings I get 3 DUPs. Setup in question: Main router: 3011...
by idlemind
Mon Oct 16, 2017 4:18 am
Forum: General
Topic: Torrent+Mikrotik ROS
Replies: 4
Views: 577

Re: Torrent+Mikrotik ROS

Ah, search the forums; there are a lot of other posts about it. Long story short, the higher-layer filtering (the bold rules or new layer 7 filter) can function against non-encrypted sessions. Do you own or manage the devices in question? If so you can make a more intelligent filter by statically defi...
by idlemind
Sun Oct 15, 2017 11:54 pm
Forum: General
Topic: IP-less AWS CHR
Replies: 1
Views: 393

Re: IP-less AWS CHR

Download the volume and boot it locally in something like VMware Workstation or VirtualBox. You can perform something like MAC Telnet there or just type /export from the console and copy down the settings. Alternatively, detach the volume from the CHR and attach it to a Linux instance. Mount the fil...
by idlemind
Sun Oct 15, 2017 11:52 pm
Forum: General
Topic: Make RB2011 as VLAN Trunk
Replies: 4
Views: 944

Re: Make RB2011 as VLAN Trunk

Right, but in this scenario the RB2011 will not tag or untag VLANs. The aim is to configure the RB2011 only to transport tagged VLANs from PPPoE server > AP and vice versa without modifying them. It seems the only way is to create a bridge and add all ports to it (or use a VLAN-capable switch with all ports ...
by idlemind
Sun Oct 15, 2017 11:39 pm
Forum: General
Topic: Torrent+Mikrotik ROS
Replies: 4
Views: 577

Re: Torrent+Mikrotik ROS

Identify the traffic with a mangle rule in the pre-routing chain. Set the connection-mark or routing-mark to the ISP you prefer. Just make sure the new rule is high-enough up in the rule-set to take effect.
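The mangle-based policy routing described above, as an added example that is not idlemind's own rule set. It assumes bridge1 is the LAN, ether2-isp2 is the second uplink with gateway 203.0.113.1, and 192.168.88.50 is the host (the seedbox from the earlier reply about statically defining the devices) whose traffic should leave via ISP 2; all of those are placeholders.

```routeros
# Added example, not from the post. Interfaces, addresses and marks are
# placeholders.
/ip firewall address-list
add list=via-isp2 address=192.168.88.50 comment="seedbox"

/ip firewall mangle
# prerouting so the mark exists before the routing decision; this rule
# must sit above any other mark-routing rule. dst-address-type=!local
# keeps traffic to the router itself (DNS, Winbox) in the main table.
add chain=prerouting src-address-list=via-isp2 in-interface=bridge1 \
    dst-address-type=!local action=mark-routing new-routing-mark=to-isp2 \
    passthrough=no

/ip route
# Default route in the marked table. check-gateway makes the route go
# inactive when ISP 2 is down, and a lookup with no active route in the
# marked table falls through to the main table, so the host degrades to
# ISP 1 instead of being blackholed.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to-isp2 \
    check-gateway=ping distance=1

/ip firewall nat
# Source NAT on the second uplink, otherwise replies come back via ISP 1.
add chain=srcnat out-interface=ether2-isp2 action=masquerade
```

Confirm it is taking effect with `/ip firewall mangle print stats` (the counter on the mark rule should climb when the host starts a transfer) and with `/tool torch` on ether2-isp2. Keep the address list small and explicit rather than matching on ports: the post's point that layer 7 matching only works on unencrypted sessions applies here too, and a source-host match does not depend on the traffic being readable.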
by idlemind
Sun Oct 15, 2017 11:35 pm
Forum: General
Topic: DHCPv6: ia_na: not found
Replies: 2
Views: 498

Re: DHCPv6: ia_na: not found

I just found out that it works if only prefix is selected on the client and not address, and not both. This is a bug, I assume?
No, currently MikroTik has taken a very "head in the sand" approach to IPv6. They have implemented SLAAC for address assignment to end devices. Their implementation of SL...
by idlemind
Sun Oct 15, 2017 9:11 pm
Forum: General
Topic: proxy-arp on VRRP?
Replies: 6
Views: 1819

Re: proxy-arp on VRRP?

This may be very difficult. I know you necro'd an older post so I'll start off with some basics. Proxy-ARP means it will reply to ARP requests on a segment for any IP in its routing table. VRRP means it will manage which router in a group of routers will reply to ARP requests for a particular IP ad...
by idlemind
Sun Oct 15, 2017 6:53 pm
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2078

Re: MicroTik RB750Gr3 trunk vLAN issue

... assuming OP wants to run beta code on their device. If it's just a lab, then that's cool, but I wouldn't ever want to run RC code on anything production.
Ya, I guess I'm more daring than most. I take the approach of running local tests in a lab and if it works then deploy until proven wrong. This o...
by idlemind
Sun Oct 15, 2017 4:03 pm
Forum: General
Topic: Bug: SNMP over VRRP interface problem
Replies: 19
Views: 2052

Re: Bug: SNMP over VRRP interface problem

Yes it seems like the inverse. Try setting the source IP for SNMP. Additionally, I don't typically manage my device by public IP. I typically deploy a private management network. This might take the shape of a VLAN pushed to the CPE that is isolated. I don't know your specific topology but it is gen...
by idlemind
Fri Oct 13, 2017 6:22 pm
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2078

Re: MicroTik RB750Gr3 trunk vLAN issue

The switch chip in the 750Gr3 doesn't support VLANs. It lets you configure them but they won't work, as you're finding out.
Yeah, noticed that... but did see that *some* things are properly (for this chipset) blocked - such as auto-tagging untagged VLAN packets arriving on an Ethernet interface. Th...
by idlemind
Fri Oct 13, 2017 2:32 am
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2078

Re: MicroTik RB750Gr3 trunk vLAN issue

The switch chip in the 750Gr3 doesn't support VLANs. It lets you configure them but they won't work, as you're finding out. That kind of behavior is solved in 6.41rc+: the device will toggle hardware features on automatically if the device and configuration allow it. It will fall back to software if ...
by idlemind
Fri Oct 13, 2017 1:32 am
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

I am stuck with new bridge implementation using VLANs either. What I want to accomplish is to pass tagged traffic through the router while reaching the router through the same VLAN. I am using RB2011's and a RB951G with v.6.41RC44. R1 is connected via cable to R2. R2 is connected via wireless brid...
by idlemind
Wed Oct 11, 2017 6:31 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Just imagine, you can DDoS cloud.mikrotik.com and every router using this feature goes offline! ports still will be 'WAN', so nothing terrible should happen :) Opposite, inject a route to 8.8.8.8 into a dynamic protocol running on someone's environment that relies on this feature. It'll toggle the i...
by idlemind
Wed Oct 11, 2017 6:12 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Fairly in depth post, to highlight a few things (community and strods correct me if I'm wrong). The independent learning = no option doesn't exist anymore. You're going to get independent MAC databases per VLAN. I'm curious as to why you weren't doing that before, was it a hardware limitation? Well...
by idlemind
Wed Oct 11, 2017 6:02 pm
Forum: Forwarding Protocols
Topic: IPv6 Settings disables eBGP
Replies: 7
Views: 635

Re: IPv6 Settings disables eBGP

That seems odd, you do have accept-router-advertisements on. Additionally, the only thing that makes sense is you're receiving a redirect because that is only on if you disable forwarding. Could you dump an ipv6 route? You may also want to set up an ACL entry to log icmpv6 and see if you're getting r...
by idlemind
Wed Oct 11, 2017 6:00 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Just imagine, you can DDoS cloud.mikrotik.com and every router using this feature goes offline! ports still will be 'WAN', so nothing terrible should happen :) Opposite, inject a route to 8.8.8.8 into a dynamic protocol running on someone's environment that relies on this feature. It'll toggle the i...
by idlemind
Wed Oct 11, 2017 4:05 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

!) detnet - implemented "/interface detect-internet" feature; https://wiki.mikrotik.com/wiki/Manual:Detect_internet Is the test IPv6 compliant? It needs to be. The address 8.8.8.8 is an IPv4 static, fail. The DNS name cloud.mikrotik.com only has an A record. If you truly want to detect for Internet...
by idlemind
Wed Oct 11, 2017 2:45 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

Fairly in depth post, to highlight a few things (community and strods correct me if I'm wrong). The independent learning = no option doesn't exist anymore. You're going to get independent MAC databases per VLAN. I'm curious as to why you weren't doing that before, was it a hardware limitation? Frame...
by idlemind
Sun Oct 08, 2017 3:13 pm
Forum: General
Topic: EoIP & IPsec... trying to get it going again.
Replies: 4
Views: 892

Re: EoIP & IPsec... trying to get it going again.

Add a specific route for each remote IP to use the EoIP interface and make sure your source NAT only targets traffic leaving (out) the other interface with dst address of 0.0.0.0/0 (default). This will make the routing side source the EoIP traffic to originate from the right IP and prevent it from be...
by idlemind
Sat Oct 07, 2017 5:52 pm
Forum: General
Topic: EoIP & IPsec... trying to get it going again.
Replies: 4
Views: 892

Re: EoIP & IPsec... trying to get it going again.

MTU changes when you enable IPSec but the default value should function. The addresses you gave are private IPs. If they are really private IPs can you draw a picture of how these devices connect. EoIP (GRE) doesn't play nice with NAT but it is possible to traverse it (1:1 NAT). IPSec however will...
by idlemind
Wed Oct 04, 2017 5:08 pm
Forum: General
Topic: Broadcast and Multicast over VPN (PPP)
Replies: 11
Views: 4269

Re: Broadcast and Multicast over VPN (PPP)

EoIP is amazing and I highly recommend it. Works a treat. Thanks.
Excellent, did you use my example above or did you find EoIP before I posted?
by idlemind
Sat Sep 30, 2017 10:53 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123700

Re: v6.41rc [release candidate] is released! New bridge implementation!

MikroTik can correct me on Monday but that's probably referring to the bridge level hardware offload feature or the port hw=yes setting. You can set it to yes regardless of it being a wlan or Ethernet interface.
by idlemind
Fri Sep 29, 2017 5:59 pm
Forum: Beginner Basics
Topic: with lhg 5 I can not see local cameras
Replies: 32
Views: 1864

Re: with lhg 5 I can not see local cameras

Then I'm a little confused. I don't imagine anything was changed on the TP-Link. If it was say, 192.168.1.0/24 before it should be still. As long as your DVR is on that network, say 192.168.1.20/24 then you should still have access to it.

The TP-Link is the variable of concern then.
by idlemind
Fri Sep 29, 2017 5:22 pm
Forum: Beginner Basics
Topic: with lhg 5 I can not see local cameras
Replies: 32
Views: 1864

Re: with lhg 5 I can not see local cameras

lhg5 as the activation of the subscription I did by a technician, so I do not know in combination if I have to reset everything tell me how I should proceed Is the LHG part of an Internet service? Is it meant to be managed by the service provider? If so, they'll need to set it to bridged mode so yo...
by idlemind
Fri Sep 29, 2017 3:55 pm
Forum: Beginner Basics
Topic: with lhg 5 I can not see local cameras
Replies: 32
Views: 1864

Re: with lhg 5 I can not see local cameras

Is the LHG connected to the Internet directly or is it being used to connect to another location? Are you able to configure the LHG? If so, please run the command: /export hide-sensitive Just to be certain. You are trying to access the DVR system locally and remotely? Like Jarda said the LHG and the TP...
by idlemind
Fri Sep 29, 2017 3:37 pm
Forum: Beginner Basics
Topic: with lhg 5 I can not see local cameras
Replies: 32
Views: 1864

Re: with lhg 5 I can not see local cameras

Is that while you're connected to WiFi locally or are you trying to access the DVR somewhere on the Internet?
by idlemind
Fri Sep 29, 2017 3:36 pm
Forum: General
Topic: Confusing naming for the location of the switch configuration.
Replies: 1
Views: 407

Re: Confusing naming for the location of the switch configuration.

In 6.41rc and later it's all moving to the VLAN aware and HW offload bridge. It will all be part of /interface bridge.
by idlemind
Fri Sep 29, 2017 3:16 pm
Forum: Beginner Basics
Topic: with lhg 5 I can not see local cameras
Replies: 32
Views: 1864

Re: with lhg 5 I can not see local cameras

Draw how the cameras are connected please.
by idlemind
Fri Sep 29, 2017 2:58 pm
Forum: Beginner Basics
Topic: with lhg 5 I can not see local cameras
Replies: 32
Views: 1864

Re: with lhg 5 I can not see local cameras

Why not plug the DVR directly into the LHG?
by idlemind
Fri Sep 29, 2017 4:51 am
Forum: Forwarding Protocols
Topic: Advertisement Print close Peers
Replies: 3
Views: 578

Re: Advertisement Print close Peers

I wonder if a CHR has the same issue? I have been hesitant of the 1072, it sounds cool - 72 cores except BGP uses one of those and I believe they are all 1 GHz CPUs. That said, printing a database table should never seg-fault regardless. Worst case is output should be slow. I'm with you, the "sniff ...
by idlemind
Thu Sep 28, 2017 7:59 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

Derp, now able to replicate it on my 750Gr3. Oddly, I see the number of entries in /ipv6 neighbor climbing well past my current setting of maxneighbors. That said it hasn't seemed to hit my level of free-memory yet. Thankfully the 750Gr3 has 256 MB. It is slowly creeping downwards though. I'm defini...
by idlemind
Thu Sep 28, 2017 6:50 pm
Forum: Beginner Basics
Topic: with lhg 5 I can not see local cameras
Replies: 32
Views: 1864

Re: with lhg 5 I can not see local cameras

Alright, maybe we can get a native Italian speaker to help. <cameras> <lhg5-1> ))) WiFi ((( <lhg5-2> -- WAN -- <tp-link> -- LAN -- DVR ^^ Is this how your cameras and DVR are connected today? If so, you cannot see the cameras because the TP-Link is likely performing network address translation (NAT...
by idlemind
Thu Sep 28, 2017 6:41 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5727

Re: Remote Host Scanning our IPv6 Network

I wonder if a firewall filter with limits would pick this scanning up effectively without blocking real traffic. Setting the packet count to just below the maximum you can set the "MaxNeighborEntries" value to without experiencing exhaustion from a ND cache perspective but not high enough to cause r...
by idlemind
Thu Sep 28, 2017 6:15 pm
Forum: Beginner Basics
Topic: Can't get IPv6 double router config to work
Replies: 17
Views: 1722

Re: Can't get IPv6 double router config to work

Seriously though - another thread here mentions ND cache exhaustion attacks caused by IPv6 scans. This reminds me of the days before "no ip directed-broadcast" became a default setting in Cisco (back in IOS 11 days - wheeeee). Smurf attacks became the most feared form of DOS attack until Cisco miti...
by idlemind
Thu Sep 28, 2017 2:29 pm
Forum: Beginner Basics
Topic: with lhg 5 I can not see local cameras
Replies: 32
Views: 1864

Re: with lhg 5 I can not see local cameras

What's your native language?