Search found 1148 matches

by idlemind
Sun Aug 16, 2020 4:04 am
Forum: General
Topic: Updates over IPv6 not possible?
Replies: 4
Views: 1351

Re: Updates over IPv6 not possible?

Yes, buy from another vendor that has an active interest in IPv6 support and make sure to EMAIL them and tell them why. Honestly it's the most effective way to communicate with those able to set development direction. Just look at the crap show around Meraki and v6. They thought it didn't matter, th...
by idlemind
Sat May 30, 2020 5:07 am
Forum: General
Topic: IPv6 conntrack issue [SOLVED]
Replies: 5
Views: 1524

Re: IPv6 conntrack issue [SOLVED]

Yes, in Cisco land it's ND inspection, RA guard along with DHCPv6 snooping. It's similar to the purpose and goals of ARP and DHCP snooping in v4. That said here in Mikrotik land I do not think we have any equivalent yet. You could implement firewall rules that only allow trusted ports to emit RAs. I'd...
by idlemind
Sun May 10, 2020 2:11 pm
Forum: General
Topic: Cant reach higher speeds
Replies: 2
Views: 876

Re: Cant reach higher speeds

Per connection load balancing is going to limit you to the speed of 1 connection at a time. You won't see a single speed test with any aggregate bandwidth. You would see the ability to run multiple speed tests and see it prefer different WANs. Other than that, maybe you're hitting a CPU limit on your...
by idlemind
Sun May 03, 2020 2:44 am
Forum: General
Topic: IPv6 neighbor status=failed
Replies: 5
Views: 1313

Re: IPv6 neighbor status=failed

Any chance you could post an export with hide-sensitive on? /export hide-sensitive I don't have a CCR but v6 is working just fine on the hardware I still run with RouterOS. Like others have said IPv6 simply isn't a priority with Mikrotik. I've moved every purchase possible to other platforms lik...
by idlemind
Mon Apr 13, 2020 1:37 am
Forum: General
Topic: CISCO SSL VPN Server with Mikrotik as Client [SOLVED]
Replies: 2
Views: 3431

Re: CISCO SSL VPN Server with Mikrotik as Client [SOLVED]

You can do this with a Linux system acting as the client though.
by idlemind
Fri Apr 10, 2020 4:42 pm
Forum: General
Topic: 3 sites PPTP vpn
Replies: 7
Views: 1912

Re: 3 sites PPTP vpn

Yup, I agree, at least use L2TP unless security and privacy just don't matter.
by idlemind
Tue Apr 07, 2020 6:38 am
Forum: General
Topic: CRS326-24G - Dual BSD firewalls, CARP, mac address learning and host timeout issues
Replies: 12
Views: 2503

Re: CRS326-24G - Dual BSD firewalls, CARP, mac address learning and host timeout issues

Thanks for the feedback. My response follows: I misspoke, I'm on version 6.46.4, which is the latest in the stable tree. (I copied and pasted, and it seems I copied the wrong version - not sure how). Running SSH on port 22 is a HUGE security risk - it attracts thousands of break-in attempts each day...
by idlemind
Tue Apr 07, 2020 6:19 am
Forum: General
Topic: CRS326-24G - Dual BSD firewalls, CARP, mac address learning and host timeout issues
Replies: 12
Views: 2503

Re: CRS326-24G - Dual BSD firewalls, CARP, mac address learning and host timeout issues

VRRP transmits the shared MAC address from whichever device is currently master. I've not used CARP, but I would have expected it to do the same - maybe with a configuration option if not the default. I do believe CARP requires that configuration to force the packet and to then toggle the FDB because ...
by idlemind
Mon Apr 06, 2020 4:54 am
Forum: General
Topic: CRS326-24G - Dual BSD firewalls, CARP, mac address learning and host timeout issues
Replies: 12
Views: 2503

Re: CRS326-24G - Dual BSD firewalls, CARP, mac address learning and host timeout issues

I've done some additional sanitizing, so if something looks too alien I probably messed up. But I think not ;) I'd like to stress that this is primarily a switch, NOT a router or firewall. [admin@MikroTik_LSG_RED] > /export hide-sensitive # apr/05/2020 21:54:10 by RouterOS 6.46.4 # software id = 53...
by idlemind
Sun Apr 05, 2020 10:10 pm
Forum: General
Topic: CRS326-24G - Dual BSD firewalls, CARP, mac address learning and host timeout issues
Replies: 12
Views: 2503

Re: CRS326-24G - Dual BSD firewalls, CARP, mac address learning and host timeout issues

Hmm. It should work. Mind posting a config (/export hide-sensitive)?

Also, what code version? Newer versions of code added a message to show mac address "flap" between interfaces which should be shown during failover here.
by idlemind
Fri Apr 03, 2020 12:39 am
Forum: General
Topic: OpenVPN communication thru IPv6
Replies: 1
Views: 1156

Re: OpenVPN communication thru IPv6

Like most things IPv6, Mikrotik does not fully support IPv6. Specifically, incoming IPv6 connections in the VPN servers for anything outside of IPSEC.
by idlemind
Tue Mar 24, 2020 3:24 am
Forum: General
Topic: Traffic Flow on Bridge Interface
Replies: 6
Views: 1479

Re: Traffic Flow on Bridge Interface

Are you sure your script shouldn't be focused on standardizing and maintaining the RouterOS across those devices first ... #security
by idlemind
Tue Mar 24, 2020 1:20 am
Forum: General
Topic: Edge caching
Replies: 12
Views: 2737

Re: Edge caching

Yes, it works by pointing the CDN names to your cache. Those servers are cleartext. https://github.com/uklans/cache-domains If someone uses a non-ISP DNS server it is their problem, most home users won't bother doing that. I saw an unrelated example of setting the DNS server address in a PS4 to dow...
by idlemind
Tue Mar 24, 2020 12:21 am
Forum: General
Topic: Edge caching
Replies: 12
Views: 2737

Re: Edge caching

But wouldn't something like LanCache work for ISPs too to cache the main game CDNs? All technology specific. That works and requires DNS as far as I'm aware. As long as your customers are using your DNS you'd have the option to use that. Either way it's a game of managing all of these specific type...
by idlemind
Mon Mar 23, 2020 11:32 pm
Forum: General
Topic: Edge caching
Replies: 12
Views: 2737

Re: Edge caching

The SSL/TLS of all things have nuked most of this without help from upstreams like getting dedicated boxes from CDN and provider services.

Not as easy to put an HTTP proxy inline anymore and get significant bandwidth savings.
by idlemind
Fri Mar 20, 2020 3:51 am
Forum: General
Topic: Inter VPN Routing
Replies: 2
Views: 1038

Re: Inter VPN Routing

Likely it's your NAT rules. Give us a config from each side of the site to site VPN and maybe a quick drawing (picture of a whiteboard or notebook is fine).

A safe way to share the configs would be to run
/export hide-sensitive
by idlemind
Tue Mar 17, 2020 2:16 am
Forum: General
Topic: Feature Request: Adjustable TTL on DHCP client
Replies: 6
Views: 2045

Re: Feature Request: Adjustable TTL on DHCP client

Try mangling the TTL at a hop between the client and server. If memory serves, the DHCP packets originating on a device do not hit the firewall.
by idlemind
Fri Mar 13, 2020 12:55 am
Forum: General
Topic: Proper way to configure RSTP/Loop protection
Replies: 2
Views: 1292

Re: Proper way to configure RSTP/Loop protection

In the Linux system, create a bridge, add the bonds as bridge ports and enable STP on the server. Stock Linux will do STP so you get 45 second failover. Additionally your config snippet doesn't match the drawing for the Linux NIC numbering. Also, remove the check mark from BPDU guard. We want the Li...
by idlemind
Tue Mar 10, 2020 2:22 pm
Forum: General
Topic: Managing Router from linux
Replies: 3
Views: 1266

Re: Managing Router from linux

Plain old SSH for me at the CLI. Webfig works as well.
by idlemind
Sat Mar 07, 2020 4:36 pm
Forum: General
Topic: I can´t see the network in Google Cloud Platform
Replies: 5
Views: 2645

Re: I can´t see the network in Google Cloud Platform

/export hide-sensitive
by idlemind
Fri Mar 06, 2020 7:42 pm
Forum: General
Topic: Debian preseed fails on mikrotik switches
Replies: 2
Views: 1662

Re: Debian preseed fails on mikrotik switches

interface bridge port monitor <enter number>

Look to see if it is set to auto for edge port discovery (should be by default). If it is auto confirm that it is being discovered as an edge port. If not, configure it to be an edge port.
by idlemind
Fri Mar 06, 2020 7:32 pm
Forum: General
Topic: ipv6 6PE ?
Replies: 5
Views: 2432

Re: ipv6 6PE ?

Also, 5.2. Holy crap update!
by idlemind
Wed Mar 04, 2020 3:42 am
Forum: General
Topic: L2TP with IPsec MTU settings
Replies: 6
Views: 3974

Re: L2TP with IPsec MTU settings

1400 should normally be a good MTU/MRU For MSS you can also set "clamp to PMTU" to calculate it automatically but 1370 is OK with 1400 byte MTU Remember you cannot calculate exact values because you do not always know the outer MTU.... On your network it may be 1500 but the peer may be behind PPPoE...
by idlemind
Wed Mar 04, 2020 3:38 am
Forum: General
Topic: L2TP with IPsec MTU settings
Replies: 6
Views: 3974

Re: L2TP with IPsec MTU settings

In your case the fragmentation is happening during the crypto phase after the pppoe encapsulation. This allows IPSEC to perform the fragmentation. If your DF traffic exceeded the MTU of the PPPoE side it would send a Too Big message back to the originator and then drop. Which is not what you were se...
by idlemind
Tue Mar 03, 2020 3:00 am
Forum: General
Topic: Vlan https issue
Replies: 9
Views: 2564

Re: Vlan https issue

Thanks for the recommendation idlemind, I will dive into that.
I actually got my issue solved this afternoon. The answer was to add a filter rule to forward "new" connections from the vlan (source) address.
Good, yup, firewall rules can be brutal.
by idlemind
Tue Mar 03, 2020 2:07 am
Forum: General
Topic: Routing one ip across a tunnel.
Replies: 3
Views: 1636

Re: Routing one ip across a tunnel.

Specific to your requirements you probably want to stretch layer 2. At the far side, Mikrotik-2, give it an IP in the 10.0.0/24 range and set that IP as the default gateway for 10.0.0.15 host as that IP. This eliminates the need for any significant trickery and you just terminate the EoIP tunnel in ...
by idlemind
Tue Mar 03, 2020 1:57 am
Forum: General
Topic: Vlan https issue
Replies: 9
Views: 2564

Re: Vlan https issue

Can you post an export hide-sensitive from the CLI directly in a code block?

MTU issues should come to light by forcing pings with the DF bit set at various sizes. The posts under my name should have some more details on how to do that.
by idlemind
Mon Mar 02, 2020 11:00 pm
Forum: General
Topic: L2TP VPN on /23 subnet
Replies: 5
Views: 2191

Re: L2TP VPN on /23 subnet

Currently there isn't a good solution. If not using VPN as default gateway, Windows client can use either dumb "class-based" route, which means that it will add route to 192.168.x.0/24. Alternatively, if it can use DHCP to get routes to other subnets, but that's AFAIK not supported by RouterOS (it can d...
by idlemind
Sat Feb 29, 2020 11:20 pm
Forum: RouterOS v7 BETA
Topic: Who can use ipv6 normally?
Replies: 11
Views: 4732

Re: Who can use ipv6 normally?

If lowering the MTU helps it generally points to bad firewall rules that are blocking path MTU discovery. If you lower it further to 1280 and you see additional sites work that would confirm the issue. The fix would be to ensure you are allowing the correct ICMPv6 traffic through the firewall. It's ...
by idlemind
Sat Feb 29, 2020 3:47 am
Forum: General
Topic: WiFi Calling Problems
Replies: 8
Views: 2560

Re: WiFi Calling Problems

Yup, the fact that ATT insists on providing an absolutely garbage CPE is why I never consider them as an ISP unless I have absolutely no other choice. I've always had issues with their CPEs and upon switching to a decent ISP that allows their device to be placed in bridge mode the problems go away i...
by idlemind
Sat Feb 29, 2020 3:44 am
Forum: General
Topic: GRE VPNs weird behavior
Replies: 5
Views: 1995

Re: GRE VPNs weird behavior

/export hide-sensitive

I wonder if you have something incorrect in the address lists or routes.
by idlemind
Sat Feb 29, 2020 3:08 am
Forum: General
Topic: Loop between bridged vlans in several routers
Replies: 2
Views: 1353

Re: Loop between bridged vlans in several routers

Switch to the new VLAN aware bridges?
by idlemind
Sat Feb 29, 2020 2:42 am
Forum: General
Topic: Port For Backup In Brdge
Replies: 1
Views: 1154

Re: Port For Backup In Brdge

It should work fine. I'd validate that the Cisco device has STP enabled. It's enabled by default on most platforms. I'd have to check if it's one of the Linksys based small business models though. Assuming the Cisco device has STP enabled then you should post the configuration of your Mikrotik devic...
by idlemind
Tue Feb 25, 2020 8:17 am
Forum: Forwarding Protocols
Topic: Apple Bonjour across vlans?
Replies: 16
Views: 5670

Re: Apple Bonjour across vlans?

Not being a huge fan of bridging bonjour as it creates a point where a router could be injected it's actually possible to use the Apple associated services via DNS directly in a way that isn't tied to leaking an intentionally link-local discovery protocol throughout your wan. That said the RouterOS...
by idlemind
Tue Feb 25, 2020 8:08 am
Forum: Forwarding Protocols
Topic: IPv6 to IPv6 tunnel
Replies: 1
Views: 1651

Re: IPv6 to IPv6 tunnel

I'm not sure what you mean by redirect IPv4 from ISP2 ... It is entirely possible to use something like GRE to allow the internal IPv4 networks to communicate. The outer part of the tunnel would be IPv6 and the inner part could be IPv4, IPv6 or both (dual stack). You can also apply encryption to the...
by idlemind
Mon Feb 10, 2020 4:23 pm
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 135
Views: 98288

Re: Add DNS over HTTPS (DoH) support

Of course when these techniques become universally implemented, we need to make a sticky topic for the many users that come here with requests like: - I need to block some specific website (Youtube/Facebook/whatever) - I need to allow access to only one specific website (externally hosted company s...
by idlemind
Fri Feb 07, 2020 6:52 am
Forum: Announcements
Topic: Future of LTE products, user feedback requested
Replies: 156
Views: 50518

Re: Future of LTE products, user feedback requested

My opinion is to calm down on the LTE and work on critical feature gaps like IPv6. LTE is of very limited use here in the states. At best it's focused around delivering a small quantity of data per month. It's typically isolated to out of band management uses, emergency wireline replacement, or for ...
by idlemind
Mon Feb 03, 2020 10:59 pm
Forum: General
Topic: IPv6 Ping does not work with domain names
Replies: 53
Views: 29317

Re: IPv6 Ping does not work with domain names

Yup, major reason why my network is now on UniFi. Ubiquiti actually heard feedback and released updates to their platform to be much friendlier towards IPv6.

Vote with your wallet.
by idlemind
Sat Feb 01, 2020 3:43 am
Forum: General
Topic: Bring Tapatalk back
Replies: 32
Views: 4510

Re: Bring Tapatalk back

Good riddance. A far more usable experience directly on the forum from the web. No forced Tapatalk ad blocking precious real estate.
by idlemind
Fri Dec 06, 2019 6:40 pm
Forum: RouterOS v7 BETA
Topic: 7.0b4 Becoming The New 7 Release?
Replies: 18
Views: 8104

Re: 7.0b4 Becoming The New 7 Release?

It was tongue in cheek. As in when is it coming because it's been a while.
by idlemind
Fri Dec 06, 2019 6:39 pm
Forum: General
Topic: IPv6 quirks
Replies: 2
Views: 720

Re: IPv6 quirks

What does RouterA have in IPv6 ND?
by idlemind
Mon Dec 02, 2019 5:17 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 2876

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

What are you talking about? There is no need to add any manual routes on your L2TP client...! The client will get his IP through the server. That's all needed... The client will then create a Dynamic route for that network... I am talking about standard Windows client, lot of routes are needed in ...
by idlemind
Mon Dec 02, 2019 5:02 pm
Forum: RouterOS v7 BETA
Topic: 7.0b4 Becoming The New 7 Release?
Replies: 18
Views: 8104

7.0b4 Becoming The New 7 Release?

It's cold outside? Have the devs' fingers frozen? Seems a new beta hasn't dropped yet and it's been a bit over a month. The monthly cadence is fine for me. Hopefully the next one will have some more meaningful features in it.

The only feedback I have is the new CLI is a bit strange to me.
by idlemind
Mon Dec 02, 2019 4:59 pm
Forum: Announcements
Topic: Future of LTE products, user feedback requested
Replies: 156
Views: 50518

Re: Future of LTE products, user feedback requested

We would like to know our customer wishes and use cases on what kind of future LTE technology would be interested in? 1. Which LTE Category you are interested in most - CAT6, CAT7, CAT9, CAT11, CAT12, CAT16 or some other? 2. Which LTE bands and which Carrier Aggregation combinations should be suppo...
by idlemind
Tue Nov 26, 2019 5:55 pm
Forum: General
Topic: IPv6 feature development speedup.
Replies: 8
Views: 1533

Re: IPv6 feature development speedup.

Not a perfect survey from a questions and functionality stand-point. I do feel MikroTik is rapidly getting outpaced in this area. I personally have been using UniFi hardware in my deployments since shortly after the bridging and VLAN rework. I really like that feature and would love to see it ubiqui...
by idlemind
Mon Nov 11, 2019 12:23 am
Forum: General
Topic: MSTP
Replies: 4
Views: 1238

Re: MSTP

Yup, plain STP and RSTP will work. MSTP shines when you need it to be aware of VLANs then MSTP is the play.

Either way you shouldn't see that for the MAC. I'd have to see the configurations at this point.
by idlemind
Wed Jul 10, 2019 3:23 pm
Forum: General
Topic: EoIP over Internet
Replies: 2
Views: 541

Re: EoIP over Internet

Do you have global unicast IPs on the 4G interfaces or are they carrier grade NAT addresses? You'll need a public IP on at least 1 side of the equation and even then you'll have to use something capable of traversing NAT first.
by idlemind
Wed Jul 10, 2019 7:50 am
Forum: General
Topic: IPv6 DHCP Server Not Leasing IP
Replies: 13
Views: 9221

Re: IPv6 DHCP Server Not Leasing IP

Hi all, I've got the same issue. Nothing works, the IPv6 clients get no IPv6 address or prefix from the FTTH modem. DHCPv6 server didn't work ... I spent a lot of time into this issue and I'm nearly to throw the Mikrotik onto the rubbish or I will drive over it with my car ... It is really frustrati...
by idlemind
Wed Jul 10, 2019 6:17 am
Forum: General
Topic: What VPN tech with dynamic routing behind NAT?
Replies: 3
Views: 955

Re: What VPN tech with dynamic routing behind NAT?

You can use L2TP/IPSEC behind a NAT with little problems and leverage PPP for authentication and telling multiple clients apart. You can leverage either BGP or OSPF with static neighbors over that directly. If you really just want to use a dynamic routing protocol that does not require static neighb...
by idlemind
Wed Jul 10, 2019 6:09 am
Forum: General
Topic: MTU mismatch / confusion mixed network
Replies: 3
Views: 1250

Re: MTU mismatch / confusion mixed network

So, w/PPPoE like other tunneling protocols we have to be aware of MTU along the path. We also have to think about how systems handle dissimilar MTU along the path of a packet. To handle the issue around MTU along the path it's a fairly simple equation. With the default of 1480 for both in the PPPoE ...
by idlemind
Wed Jun 05, 2019 2:58 am
Forum: General
Topic: IPv6 transition mechanism
Replies: 76
Views: 9461

Re: IPv6 transition mechanism

Happy eye-balls sort out this problem in a matter of 150 ms, not 5 seconds, the problem is probably a failure in the ISP or content provider. It is the same as when you have IPv4 only and something fails, we need to realize that technical problems can be the same in IPv4 as in IPv6 ! Happy Eyeballs doe...
by idlemind
Wed Jun 05, 2019 1:34 am
Forum: General
Topic: Mikrotik icmp traffic from itself?
Replies: 3
Views: 718

Re: Mikrotik icmp traffic from itself?

Yes, the MikroTik is originating the reply from the IP based on routing so I assume your IP of 10.175.0.76 is either an IP meant for management and the router doesn't have a more preferred path on the Internet routing side or you're using RFC1918 IPs internally to route traffic to customers. If your...
by idlemind
Wed Jun 05, 2019 1:22 am
Forum: General
Topic: Full mesh VPN between 3 or more Mikrotik routers
Replies: 10
Views: 1756

Re: Full mesh VPN between 3 or more Mikrotik routers

Sounds like a great place to use a routing protocol. Sadly no DMVPN in MikroTik land. I'd still likely opt to go with GRE so I could run a dynamic protocol across it. With a true mesh (all routers with links to all other routers) that will get unwieldy quick so an automation tool would be very helpf...
by idlemind
Fri Apr 26, 2019 5:27 pm
Forum: General
Topic: EoIP and VLANs advantages/
Replies: 2
Views: 728

Re: EoIP and VLANs advantages/

The best thing you can do is design your network and applications in a way that doesn't require L2 extensions. I understand this is not always a reality but you really don't want to spread your L2 failure domain. If the thought is to use EoIP to place the same IPs in 2 DCs that's the worst scenario....
by idlemind
Fri Apr 26, 2019 5:19 pm
Forum: General
Topic: IPv6 deployment on individual /64
Replies: 3
Views: 735

Re: IPv6 deployment on individual /64

Yup, the recommendation is to allow up to a /56 to be requested via DHCPv6-PD. The absolute smallest I'd go is a /60 for residential. It gives the customer the ability to provide a normal LAN, a guest network and VPN without compatibility breaking small subnets.
by idlemind
Thu Apr 25, 2019 9:29 am
Forum: General
Topic: IPv6 dhcp server lease script
Replies: 1
Views: 504

Re: IPv6 dhcp server lease script

We currently are using IPv4 for our customers and are about to convert to IPv6. We are using the lease script in the IPv4 dhcp server to report the ip address a customer pulls to Sonar. We need to do the same thing when we go to IPv6. When I look at the IPv6 dhcp server I don't see the lease script...
by idlemind
Thu Apr 25, 2019 9:24 am
Forum: General
Topic: Trying to Understand MSS Clamping - Not Working? [SOLVED]
Replies: 9
Views: 2492

Re: Trying to Understand MSS Clamping - Not Working? [SOLVED]

Yes I did the ping tests with DF. Also switching to the cable modem had no effect. But yes, it is possible that some websites have broken path MTU discovery. The issue was very noticeable with some SSL/TLS services, but when I found a HTTP server doing it too, I knew something else was going on. Th...
by idlemind
Tue Apr 23, 2019 11:00 pm
Forum: General
Topic: Make device discoverable on second subnet
Replies: 2
Views: 624

Re: Make device discoverable on second subnet

Most "discovery" operations require layer 2 adjacency. A different IP subnet creates separation at layer 3. An example "discovery" mechanism is Bonjour which is bound at layer 2 or link-local. There are technology solutions that enable you to "stretch" (read: bridge) the Bonjour traffic across layer ...
by idlemind
Tue Apr 23, 2019 10:48 pm
Forum: General
Topic: Trying to Understand MSS Clamping - Not Working? [SOLVED]
Replies: 9
Views: 2492

Re: Trying to Understand MSS Clamping - Not Working? [SOLVED]

You mention DSL for Internet. Here in the states I still see the majority of them putting the MTU drop for PPP towards the customer. If that's the case you will want to set the interface MTU facing the DSL provider to 1492. This is fairly easy to test. Just turn off the VPN to go directly out to th...
by idlemind
Sat Apr 06, 2019 6:10 pm
Forum: General
Topic: Help: IPv4 NAT - some https websites won't load
Replies: 4
Views: 2018

Re: Help: IPv4 NAT - some https websites won't load

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP. I second this. Although TCP MSS clamping isn't strictly required if MTU and path MTU discovery (largely an ICMP process) is fu...
by idlemind
Wed Mar 27, 2019 11:37 pm
Forum: General
Topic: EOIP when Behind another Router - A No Go?
Replies: 6
Views: 1014

Re: EOIP when Behind another Router - A No Go?

EoIP is only required if you require L2 adjacency between endpoints. This is typically expressed as stretching a L2 network between two different L3 locations. If you do not need to stretch L2 then do not. If you need site to site connectivity with NAT traversal but not L2 stretching you can accompli...
by idlemind
Sun Mar 24, 2019 11:50 pm
Forum: General
Topic: 4in6 - RFC 2473 support? (IPv4 traffic over an IPv6 tunnel) [SOLVED]
Replies: 5
Views: 1370

Re: 4in6 - RFC 2473 support? (IPv4 traffic over an IPv6 tunnel) [SOLVED]

Alternatively you can use a GRE tunnel. It is capable of being encrypted, handles IPv4 and IPv6 traffic as outer or inner protocols and supports multicast for easy use of traditional IGPs for route handling.
by idlemind
Mon Mar 18, 2019 5:39 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 102614

Re: v6.45beta [testing] is released!

IKE2 rfc states the use of RSA. What would be the client devices that support EC? Why exactly you need this? RFC 4754 https://tools.ietf.org/html/rfc4754 Not finalized but per usual MikroTik is behind almost all other vendors in supporting valid technology. Of course we still can't ping IPv6 only h...
by idlemind
Sun Mar 17, 2019 10:25 pm
Forum: General
Topic: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]
Replies: 15
Views: 3546

Re: Getting IPv6 only through SLAAC (without DHCP) [SOLVED]

If the ISP uses SLAAC on the point to point link between you and them then there is a setting that allows the router to get an address that way. I believe it is global though. Makes your device behave like a client as in IPv6 those are the devices that should react to other routers RAs. They "should...
by idlemind
Fri Mar 15, 2019 2:34 pm
Forum: Beginner Basics
Topic: NAT - Round Robin srcnat
Replies: 5
Views: 1452

Re: NAT - Round Robin srcnat

Again assuming the address range doesn't work you could use connection marking to cycle through similar 1:1 NAT rules like you would otherwise do when load balancing an ISP connection.
by idlemind
Sat Mar 02, 2019 9:01 pm
Forum: General
Topic: help for sxt lte VPN from android cliet
Replies: 5
Views: 1066

Re: help for sxt lte VPN from android cliet

Yes the wiki has extensive documentation on the topic. Using L2TP/IPSEC for remote access or "road warrior" as the wiki calls it is nice because all major OS versions support it built-in right now. Technically I prefer IKEv2 but Android doesn't have native support for it yet. All other platforms do.
by idlemind
Thu Feb 28, 2019 1:43 am
Forum: General
Topic: Multiple IPsec clients from same public IP [SOLVED]
Replies: 3
Views: 978

Re: Multiple IPsec clients from same public IP [SOLVED]

Glad to hear!
by idlemind
Tue Feb 26, 2019 5:29 am
Forum: General
Topic: SOLVED Printer for 2 subnets
Replies: 6
Views: 1306

Re: Printer for 2 subnets

Use policy routing on the MikroTik. Anything sourced by the printer destined to the wireless subnet is sent to the .249 IP.

https://wiki.mikrotik.com/wiki/Policy_Base_Routing
by idlemind
Tue Feb 26, 2019 4:24 am
Forum: General
Topic: Multiple IPsec clients from same public IP [SOLVED]
Replies: 3
Views: 978

Re: Multiple IPsec clients from same public IP [SOLVED]

Hi All, I am sure this may have been asked before, however I don't seem to be able to find anyone trying to achieve exactly what I am trying to do. I have 3 Mikrotik's as follows 1 X CHR Router hosted in the cloud with a public IP address eg 1.1.1.1 2 X Mips devices these will be used as clients be...
by idlemind
Tue Feb 26, 2019 3:57 am
Forum: General
Topic: IPv6 routing with several interfaces [SOLVED]
Replies: 3
Views: 1296

Re: IPv6 routing with several interfaces [SOLVED]

Basically if you want to use IPv6 don't buy MikroTik. They've done little more than maintain their initial very basic set of features targeted mostly at service providers over the last several years. The comments from MikroTik seen on here make it seem that they think they can wait for an unannoun...
by idlemind
Sun Feb 24, 2019 10:10 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 1781

Re: Advanced VLAN setup HAP AC RouterOS

As of 6.41+ this advice is irrelevant and dated. Please use the bridge with automatic hardware offload. If you read his link in depth you'll see MikroTik suggest the same thing. The software in the device will toggle the hardware features on and off as needed or as is capable for your device. This ...
by idlemind
Sat Feb 23, 2019 10:57 pm
Forum: General
Topic: Loop-protect packets (0x9003) drop by Centos [SOLVED]
Replies: 2
Views: 640

Re: Loop-protect packets (0x9003) drop by Centos [SOLVED]

Working as expected (tm).

https://access.redhat.com/solutions/657483

Likely the unknown protocol is triggering the behavior.
by idlemind
Sat Feb 23, 2019 10:49 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 1781

Re: Advanced VLAN setup HAP AC RouterOS

SFP being part of bridge/vlans but not part of the switch will be problematic, I think. Is reducing the number of ports an option? So it would be better to do it this way? Eth1: Vlan 1, 2, 3, 4, 5 Tagged Eth2: Vlan1 - Untagged Vlan 2, 3, 4, 5 Tagged Eth3: Vlan1 - Untagged Vlan 3, 4, 5 Tagged Eth4: ...
by idlemind
Sat Feb 23, 2019 10:13 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 1781

Re: Advanced VLAN setup HAP AC RouterOS

Might be challenging for bridging. Further, your Tik might be a bit too short for the routing duties: it's only a single core, but MT rates it at 950mbps with full frames so might just work. But you'll need to use switch vlan filtering functionality, not the one of bridge. Examples are here https:/...
by idlemind
Sat Feb 23, 2019 1:37 am
Forum: General
Topic: Cambium L2GRE with Mikrotik Problem
Replies: 5
Views: 1389

Re: Cambium L2GRE with Mikrotik Problem

What he is saying is L2GRE and EoIP are not necessarily compatible tunnel types. God knows what L2GRE means from an implementation perspective. While EoIP is based on GRE and it encapsulates Ethernet it isn't a standard. Unless you've verified that the tech is compatible you're barking up the wrong ...
by idlemind
Sat Feb 23, 2019 1:29 am
Forum: General
Topic: Cannot access Lan devices over vpn client
Replies: 17
Views: 5432

Re: Cannot access Lan devices over vpn client

Because your VPN addresses overlap with the LAN IP addressing you need to enable Proxy-ARP on the LAN bridge.

Alternatively give your VPN clients a different IP range and change the PPP local address. This would be the preferred option. Proxy-ARP comes with some security issues.
by idlemind
Tue Feb 19, 2019 9:01 am
Forum: Forwarding Protocols
Topic: Vlans + VRRP + Multiple Public IP addresses
Replies: 10
Views: 4024

Re: Vlans + VRRP + Multiple Public IP addresses

The up/down method is a bit hacky. You can run VRRP for multiple networks but it seems you're running all of the instances on the same underlying interface. You should run it on the layer 3 interfaces that actually forward the traffic. Likely based on your post this should be the VLAN interfaces wit...
by idlemind
Mon Feb 18, 2019 3:30 am
Forum: General
Topic: Routing L2TP/IPSEC
Replies: 4
Views: 885

Re: Routing L2TP/IPSEC

Hi thank you I will give the ip forward a try, the gateway rules I already added without success. Sent from iPhone with Tapatalk The PPP portion of a L2TP/IPSEC VPN allows you to add routes dynamically on the server side (head end) when it is connected. This paired with a default route injected...
by idlemind
Mon Feb 18, 2019 3:25 am
Forum: General
Topic: Using L2TP/Ipsec vpn using same subnet as lan?
Replies: 1
Views: 989

Re: Using L2TP/Ipsec vpn using same subnet as lan?

Yes you can use proxy ARP for that but it's not true layer 2 adjacency. If your camera solution requires that you'll want to look at BCP or PPP based bridging to see if that works on your phone. Otherwise find a camera system that works under normal IP routing scenarios. Proxy ARP is a crutch, has s...
by idlemind
Tue Feb 12, 2019 2:29 am
Forum: General
Topic: block ping just to puplick ip
Replies: 1
Views: 530

Re: block ping just to puplick ip

For ping or ICMP echo request and reply the input chain is for the WAN interface in this case and the forward chain for the servers behind it (likely).

Please only block ICMP echo request. The other types can be crucial for behaviors like path MTU discovery.
by idlemind
Mon Feb 11, 2019 8:18 pm
Forum: General
Topic: Trying to configure new VPN
Replies: 2
Views: 868

Re: Trying to configure new VPN

L2TP/IPSEC gets you native clients for Windows, Mac, Linux, iOS, and Android.

IKEv2 gets you native clients in all of the above except Android. Android has apps for IKEv2 (StrongSwan). (This may have changed but as of v7 on Android it still doesn't)

IKEv2 would be my preferred solution.
by idlemind
Mon Feb 11, 2019 8:15 pm
Forum: General
Topic: DHCP Client brige l2tp tunnel [SOLVED]
Replies: 12
Views: 2816

Re: DHCP Client brige l2tp tunnel [SOLVED]

That works if everything is in the same place. I assumed we had 2 separate Internet connections in play. Is this not the case?
by idlemind
Sun Feb 10, 2019 4:21 pm
Forum: General
Topic: ip phone and/or audio headset attached to Mikrotik
Replies: 6
Views: 1468

Re: ip phone and/or audio headset attached to Mikrotik

I was thinking a traditional VoIP phone with a headset too. The only downside is needing a server to drive the VoIP. That said for a single phone you could bolt something onto an existing server or even a Raspberry Pi like device. If memory serves me correctly Axis makes an IP camera that has both h...
by idlemind
Sun Feb 10, 2019 4:14 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 3666

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

You can't bond disparate WAN or L3 links. If the provider accepted 1 IP then yes. Additionally there is no way to map tunnels on one end to a single tunnel on the far end.
by idlemind
Sat Feb 09, 2019 7:27 pm
Forum: General
Topic: VPN PPTP ANDROID
Replies: 4
Views: 5145

Re: VPN PPTP ANDROID

PPTP is insecure STOP USING IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
by idlemind
Sat Feb 09, 2019 7:19 pm
Forum: General
Topic: DHCP Client brige l2tp tunnel [SOLVED]
Replies: 12
Views: 2816

Re: DHCP Client brige l2tp tunnel [SOLVED]

Use EoIP to bridge layer 2 cleanly between both locations. If the EoIP by hostname wrapped in IPSEC proves unreliable I've used L2TP in a road warrior fashion and ran EoIP inside of the L2TP. If you wrap the L2TP in IPSEC then just plain EoIP is fine underneath. Alternatively you can use BCP to do t...
by idlemind
Sat Feb 02, 2019 5:43 pm
Forum: General
Topic: IPSec "route based" S2S VPN with Azure
Replies: 2
Views: 1349

Re: IPSec "route based" S2S VPN with Azure

If memory serves me correctly you need to actually build a tunnel interface (ipip I think) for the route based tunnel. If policy rules are working you're likely failing back to a previously configured policy based VPN with Azure.
by idlemind
Tue Jan 29, 2019 4:21 am
Forum: General
Topic: Two IPSec tunnels with same peer
Replies: 1
Views: 695

Re: Two IPSec tunnels with same peer

You could use two routed tunnels like GRE with different tunnel keys and wrap the traffic for both in IPSEC. A single IPSEC policy would be fine to secure both tunnels. Probably have to manually do the encryption settings though.
by idlemind
Sat Jan 26, 2019 4:36 pm
Forum: General
Topic: IKEv2 IPsec VPN and IPv6
Replies: 7
Views: 3016

Re: IKEv2 IPsec VPN and IPv6

Hello, I successfully operate GRE6 tunnels (i.e. tunnels between two public IPv6 addresses, Mikrotik router on both sides) secured with IPsec. That means IPsec between two IPv6 hosts is possible. Regards. Hi, Thanks for the input. That's good to know. But in my case it would be connections made FRO...
by idlemind
Mon Jan 14, 2019 12:07 am
Forum: General
Topic: understanding and fixing MTU/MSS/PMTU with IPsec
Replies: 32
Views: 10322

Re: understanding and fixing MTU/MSS/PMTU with IPsec

You have two points of concern actually. Traffic inside of the VPN and traffic outside of the tunnel. You'll want to make sure you are allowing the ICMP too big and fragmentation needed messages on input and forward (outside of tunnel and inside of tunnel). MSS clamping is technically not required i...
by idlemind
Sun Jan 13, 2019 2:15 am
Forum: General
Topic: redundancy help
Replies: 1
Views: 717

Re: redundancy help

Without more details it's hard to give a more in depth recommendation other than if possible I prefer a dynamic protocol to solve these problems. Static routes are not ideal even with different costs and scripts. A dynamic protocol will only load balance when the routes are equal cost so keep that i...
by idlemind
Sun Jan 13, 2019 12:20 am
Forum: General
Topic: OpenVPN listen on IPv6
Replies: 4
Views: 951

Re: OpenVPN listen on IPv6

Thank you for your quick response! Do you have any idea why? I would have guessed it does not matter over which protocol the package was delivered. A logical person would assume that. MikroTik has not publicly explained why their product is incapable of binding to IPv6 addresses for most services ...
by idlemind
Sat Jan 12, 2019 11:44 pm
Forum: General
Topic: OpenVPN listen on IPv6
Replies: 4
Views: 951

Re: OpenVPN listen on IPv6

No, if you want an IPv6 capable device return your MikroTik and purchase a router from a manufacturer capable of delivering feature needs for an IPv6 world.

It's a limitation of RouterOS and they've said it likely will not change until the mythical v7.
by idlemind
Fri Jan 11, 2019 6:37 pm
Forum: General
Topic: Failover
Replies: 1
Views: 474

Re: Failover

It's a best practice as an ISP to not allow traffic to ingress its side of the interface with an IP that shouldn't be there. In other words you "shouldn't" be able to send egress traffic out the second ADSL link with the source IP of the first ADSL link. This is described in BCP38. You may be able ...
by idlemind
Sat Jan 05, 2019 1:22 am
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 3351

Re: Passive FTP to outside FTP Server

I am a 3rd party software supplier trying to exchange data - I do not have access to create a new VM. The command: ip firewall nat <numbers> set log=yes Would I apply this to the following rules? ; add action=masquerade chain=srcnat out-interface=ether1-FUSION-WAN add action=accept chain=input comm...
by idlemind
Sat Jan 05, 2019 12:38 am
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 3351

Re: Passive FTP to outside FTP Server

On a windows box the -A is the auto anonymous log in. In this thread you will see I tried to establish a ftp connection on port 28834 This was received at the firewall where the ftp server is located so the port can get through the MT The problem is, I believe, how the MT is handling related and es...
by idlemind
Sat Jan 05, 2019 12:13 am
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 3351

Re: Passive FTP to outside FTP Server

What OS is the client machine? Is there any chance it is manipulating the outbound request (or denying it)? It is possible to log a firewall rule; this can be difficult to do on something like a global PAT (masquerade) rule though. You may want to place a masquerade rule above that one for traffic de...
by idlemind
Fri Jan 04, 2019 11:26 pm
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 3351

Re: Passive FTP to outside FTP Server

Thanks for the suggestion. (Not sure what the -p option on ftp is ?) I tried from home: ftp -A speedtest.tele2.net and was able to run a dir command successfully I then tried from the site with the MT: ftp -A speedtest.tele2.net Connected to speedtest.tele2.net. 220 (vsFTPd 2.3.5) 331 Please specif...
by idlemind
Fri Jan 04, 2019 7:16 pm
Forum: General
Topic: EoIP MTU for pppoe server tunnel
Replies: 15
Views: 4165

Re: EoIP MTU for pppoe server tunnel

Sorry for the delay on this amt. The max MTU of different product lines is different. For most products you can go to 2026 or 2028. CCR1036 at 10226 RB750P-PBr2 (PowerBox) at 2028 SXT at least 2028 The wireless side should be adjustable up to 65536 regardless of hardware (someone can correct me ther...
by idlemind
Fri Jan 04, 2019 6:41 pm
Forum: General
Topic: PPTP server problem
Replies: 7
Views: 1943

Re: PPTP server problem

I can't stress this enough. PPTP is not a secure protocol. You really shouldn't be using it. IKEv2 would be the best option going forward for a remote access VPN. A quick search of the Googles ... https://jcutrer.com/howto/networking/mikrotik/ios-ikev2-vpn-mikrotik Notes: https://libreswan.org/wiki/...
by idlemind
Fri Jan 04, 2019 6:29 pm
Forum: General
Topic: Neighbor Clarification
Replies: 2
Views: 670

Re: Neighbor Clarification

The neighbor functionality uses MNDP, LLDP and CDP at L2 for discovery. If the MikroTik device is connected to the same L2 segment as say Ubiquiti APs still it should be seeing them through the Nexus 3k. It's possible the Nexus has disabled CDP, LLDP, or both on the interface facing the MikroTik. Th...
by idlemind
Fri Jan 04, 2019 6:17 pm
Forum: General
Topic: Bridging two VLANS on same Interface
Replies: 4
Views: 1057

Re: Bridging two VLANS on same Interface

If you want all of your sites to be able to communicate without being hair-pinned through a router at one site you need to purchase a WAN product that will facilitate that type of communication. This could be a traditional L3 MPLS with BGP or a L2 VPLS. Even "bridging" the 2 VLANs together and enabl...
by idlemind
Fri Jan 04, 2019 6:08 pm
Forum: General
Topic: Passive FTP to outside FTP Server
Replies: 20
Views: 3351

Re: Passive FTP to outside FTP Server

Have you tried a public FTP server that supports passive connections to rule out misconfiguration on the server side? A Linux based system makes testing passive connections easy enough (Username is anonymous): ftp -p speedtest.tele2.net Also, this FTP session doesn't involve TLS does it? If so, it's...
by idlemind
Tue Jan 01, 2019 7:43 pm
Forum: General
Topic: Vlan Routing Problem [SOLVED]
Replies: 18
Views: 2221

Re: Vlan Routing Problem [SOLVED]

Did you set the bridge ports facing VLAN5 correctly after the upgrade? Is VLAN5 defined in the bridge VLAN table? Without an:
/export hide-sensitive
It's going to be slow to troubleshoot. Additionally a diagram helps too (even something simple in ME Paint).
by idlemind
Fri Dec 21, 2018 6:59 am
Forum: General
Topic: IPv6 Ping does not work with domain names
Replies: 53
Views: 29317

Re: IPv6 Ping does not work with domain names

RouterOS 6.43.7 on all devices. I have exactly the same problem with Mikrotik unable to resolve AAAA records from a hostname. My test Mikrotik LtAP device gets CGNAT protected private IPv4 address of 100.64.0.0/18 from the mobile operator. There is no inbound access to that. The same Mikrotik LtAP ...
by idlemind
Thu Nov 15, 2018 7:07 am
Forum: General
Topic: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range
Replies: 6
Views: 1633

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

Just DNAT the :443 traffic to a webserver configured to match anything (simple/default Apache configuration). The clients will get a cert warning because it is very likely that your client request will not match the request (unless they directly went to a URI that matches the Apache server name). As...
by idlemind
Thu Nov 15, 2018 6:59 am
Forum: General
Topic: bypassin 1:1 NAT to get Public IP Bridged to local server
Replies: 2
Views: 655

Re: bypassin 1:1 NAT to get Public IP Bridged to local server

I'd have to see a diagram to be certain but proxy ARP and NAT should not be required to place a public IP directly on a device or server. Like your second post, create a bridge, add the interface towards the server and upstream ISP as bridge ports on a VLAN of your choice. Migrate any existing IP ad...
by idlemind
Sun Sep 09, 2018 6:56 pm
Forum: General
Topic: PPPoE MTU problem
Replies: 6
Views: 3769

Re: PPPoE MTU problem

There seems to be a blackhole problem, doing tests with a Windows PC I discovered that the "Timeout" reply appears only in the range of 1453-1472 Bytes. If it's greater I get "fragmentation needed", if it is inferior I can ping. Also, I see that the error presents only if the PPPoE Server is configu...
by idlemind
Tue Aug 21, 2018 3:36 pm
Forum: Beginner Basics
Topic: Why speed of Bridge only 100Mb?
Replies: 6
Views: 2559

Re: Why speed of Bridge only 100Mb?

Any update on this? Because I still am seeing bridge as 100Mbps only. Is it bottle-necking my 1G ports?

I doubt you'll see a more official response than my earlier reply. If you need an official MikroTik reply it's more effective to contact support by EMAIL.
by idlemind
Tue Aug 21, 2018 1:30 am
Forum: General
Topic: Local network Video store/playback [SOLVED]
Replies: 3
Views: 1054

Re: Local network Video store/playback [SOLVED]

No worries, I have yet to use "hotspot" at all so I was otherwise unaware of that feature. I suppose as long as you use the same IP addressing for all of your hotspots it must be easy enough to point them to the appropriate video.
by idlemind
Sun Aug 19, 2018 4:37 pm
Forum: General
Topic: CRS Egress Tag Removal
Replies: 5
Views: 1028

Re: CRS Egress Tag Removal

If you are using the current branch or newer you'll want to use the new(ish) VLAN aware bridge and not configure anything in the Ethernet switch menu. Except that the CRS1XX/2XX actually use a special switch menu and they do not support Bridge VLAN Filtering. We are working with him on this in the ...
by idlemind
Sun Aug 19, 2018 5:06 am
Forum: General
Topic: Passwords for hundreds/thousdands of devices
Replies: 10
Views: 2009

Re: Passwords for hundreds/thousdands of devices

SSH keys ...
by idlemind
Sun Aug 19, 2018 4:05 am
Forum: General
Topic: CRS Egress Tag Removal
Replies: 5
Views: 1028

Re: CRS Egress Tag Removal

If you are using the current branch or newer you'll want to use the new(ish) VLAN aware bridge and not configure anything in the Ethernet switch menu.
by idlemind
Sun Aug 19, 2018 3:32 am
Forum: General
Topic: Link Agregation-trunk - Vlan Tagging
Replies: 1
Views: 524

Re: Link Agregation-trunk - Vlan Tagging

Create a bond and add it to a bridge ...
by idlemind
Sat Aug 18, 2018 11:41 pm
Forum: General
Topic: mark as VLAN
Replies: 4
Views: 690

Re: mark as VLAN

interface bridge add name=br1 vlan-filtering=yes interface bridge vlan add untagged=br1 vlan-ids=1 interface bridge vlan add tagged=br1,ether2 untagged=ether3 vlan-ids=2 interface bridge port add bridge=br1 interface=ether2 pvid=1 interface bridge port add bridge=br1 interface=ether3 pvid=2 interfa...
by idlemind
Sat Aug 18, 2018 8:53 pm
Forum: General
Topic: Local network Video store/playback [SOLVED]
Replies: 3
Views: 1054

Re: Local network Video store/playback [SOLVED]

Using anycast addressing (/32 in IPv4 or /128 in IPv6) you can accomplish this. You'll need a server to live at (or use NAT) and host this file. If the built in web server can serve your file you may be able to use that. Alternatives would be the virtual router virtualization feature or attach a sma...
by idlemind
Thu Aug 16, 2018 9:23 pm
Forum: General
Topic: Does RB750Gr3 support full switch chip VLAN?
Replies: 7
Views: 2155

Re: Does RB750Gr3 support full switch chip VLAN?

@pe1chl Can you post a link to where it says it supports it or not. Maybe I am blind, but as far as documentation, it is not listed as supported. But I can enter all commands without error. But since I have only one unit and it's production, I can not test on it. I just like a clear answer, not a di...
by idlemind
Thu Aug 16, 2018 9:17 pm
Forum: General
Topic: Does RB750Gr3 support full switch chip VLAN?
Replies: 7
Views: 2155

Re: Does RB750Gr3 support full switch chip VLAN?

That method does not support VLANs in hardware on any router, even on those that *do* support it in the classic switch configuration. So it does not matter if you used the new VLAN aware bridge, or the old method of having VLAN subinterfaces on each port and putting them in several bridges (one per...
by idlemind
Thu Aug 16, 2018 5:40 pm
Forum: General
Topic: Does RB750Gr3 support full switch chip VLAN?
Replies: 7
Views: 2155

Re: Does RB750Gr3 support full switch chip VLAN?

Use the new VLAN aware bridging method. It will manage the hardware for you. In the case of the HEX or RB750Gr3 it does not support VLANs in hardware. I typically see about 300 Mbps for inter VLAN routing with no ACL in software on that model though.
by idlemind
Mon Aug 06, 2018 6:14 pm
Forum: General
Topic: Tunnel Public IP
Replies: 2
Views: 685

Re: Tunnel Public IP

Dear Users, I've got a problem. I have this setup: CHR1 on DC1 with 1 interface and much static public IP CHR2 on DC2 with 2 interface 1 on wan 1 on lan side where i would like to use the IP's I would like to use the DC1 IP addresses on DC2 like layer 2 connect. I read about EoIP and other type of ...
by idlemind
Sun Aug 05, 2018 5:41 pm
Forum: General
Topic: VLANs with "stacked" switches
Replies: 12
Views: 2448

Re: VLANs with "stacked" switches

I imagine you're either running in the per-VLAN based mode or do not have STP correctly running. I haven't actually sniffed a link without an untagged VLAN defined to see if MikroTik hides this fault to keep networks working despite the best effort of their admins. Of course I know what Spa...
by idlemind
Sun Aug 05, 2018 4:43 am
Forum: General
Topic: VLANs with "stacked" switches
Replies: 12
Views: 2448

Re: VLANs with "stacked" switches

I don't know if this is an issue, but if I were doing it, the trunks between routers and switches would have nothing but VLAN tagged traffic - no untagged traffic. That's how I'm doing it at home with my three routers and five switches. It's a best practice to use a non-routable VLAN as the untagge...
by idlemind
Tue Jul 31, 2018 7:00 am
Forum: General
Topic: CRS317 - arp doesn't work
Replies: 3
Views: 807

Re: CRS317 - arp doesn't work

/interface bridge add admin-mac=CC:2D:E0:58:18:E0 auto-mac=no name=br-hardware protocol-mode=none vlan-filtering=yes ... /interface bridge add admin-mac=CC:2D:E0:51:8E:E0 auto-mac=no name=br-hardware protocol-mode=none vlan-filtering=yes Duplicate MAC issues? Try using unique static MAC addresses f...
by idlemind
Mon Jul 30, 2018 10:58 pm
Forum: General
Topic: hAP ac + SFP + 100Mb connection
Replies: 3
Views: 941

Re: hAP ac + SFP + 100Mb connection

Try keeping the link at the default of 1G ... I'd be surprised to see the fiber SFP allow you to actually drop the speed to 100M. The ISP should be providing your 1G via the SFP and using a shaper to push the connection down to 100M.
by idlemind
Mon Jul 30, 2018 8:07 am
Forum: General
Topic: GRE Tunnel Behind with one router behind NAT
Replies: 2
Views: 2298

Re: GRE Tunnel Behind with one router behind NAT

Hello guys. I'm trying to do GRE tunnel between 2 branch office but just one it's behind of NAT, anyone has a tutorial or know to do and can help me? Thanks. Use a NAT aware tunnel, this could be PPTP although that is limited to a single tunnel and weak encryption. You may find SSTP or L2TP/IPSec m...
by idlemind
Mon Jul 30, 2018 8:03 am
Forum: General
Topic: CRS317 - arp doesn't work
Replies: 3
Views: 807

Re: CRS317 - arp doesn't work

I assume the IP address is attached to the VLAN interface? Any ARP related settings? Maybe a full /export hide-sensitive
by idlemind
Sun Jul 29, 2018 5:30 am
Forum: General
Topic: PPTP client loses internet connection
Replies: 2
Views: 1376

Re: PPTP client loses internet connection

Hi guys, I have a VPS with static ip and mikrotik installed (v6.42.6). There i have configured a simple VPN server with local pool addresses. This way i can access remotely my personal computers windows 10 RDP and troubleshooting to small networks which i have with mikrotik routerboards. My VPN wor...
by idlemind
Sat Jul 28, 2018 8:20 pm
Forum: General
Topic: How to Isolate an ethernet port to ALLOW a physical loop?
Replies: 3
Views: 824

Re: How to Isolate an ethernet port to ALLOW a physical loop?

A bridge by default will not flood traffic in that manner. The behaviour you're looking for is found in a hub, a layer 1 device. A bridge operates at layer 2 and intentionally learns MAC addresses found on ports and only forwards frames destined for those MAC addresses, broadcasts or a flood when a ...
by idlemind
Fri Jul 27, 2018 7:07 pm
Forum: General
Topic: Bridge VLAN filtering and routing –does this make sense?
Replies: 1
Views: 805

Re: Bridge VLAN filtering and routing –does this make sense?

WARNING: I haven't used a model with multiple underlying switch chips yet. You may want to verify with support on whether you need 2 VLAN filtering enabled bridges or 1. Assuming we can use a single VLAN filtering bridge, I'd create a VLAN for each function. VLAN100 - Internet VLAN200 - Local Client...
by idlemind
Fri Jul 27, 2018 5:15 pm
Forum: General
Topic: EoIP MTU for pppoe server tunnel
Replies: 15
Views: 4165

Re: EoIP MTU for pppoe server tunnel

I will probably need to see a diagram with the MTU noted along the pathing. The biggest item of concern is your statement that the EoIP and wireless are added to the same bridge. Is this happening at CPE? If so, why? No, CPE is customer side and customer side not using eoip or bridge, CPe connectin...
by idlemind
Thu Jul 26, 2018 10:50 pm
Forum: General
Topic: EoIP MTU for pppoe server tunnel
Replies: 15
Views: 4165

Re: EoIP MTU for pppoe server tunnel

I will probably need to see a diagram with the MTU noted along the pathing. The biggest item of concern is your statement that the EoIP and wireless are added to the same bridge. Is this happening at CPE? If so, why?
by idlemind
Wed Jul 25, 2018 7:48 pm
Forum: General
Topic: Firewall help
Replies: 4
Views: 881

Re: Firewall help

Thank you for the response. It would seem I am not as clued up as you are, but this is the information I can provide: Current setup: DSL Router (WAN, Ether1-Gateway) --> Mikrotik (PPPoE Client + Server + DHCP + Userman + RADIUS) --> UBNT Wireless Sector on Ether2 (Access Point, Point to Multipoint....
by idlemind
Wed Jul 25, 2018 5:26 pm
Forum: General
Topic: Unidentified Network Problem
Replies: 7
Views: 2110

Re: Unidentified Network Problem

The only thing I did that helped, but affects other things, is I stopped all the dst-nat and src-nat; I left only the main NAT that redirects the clients to the main router,
but up to now I could not find the main reason for this problem.

Are you able to provide a list of those NAT rules?
by idlemind
Wed Jul 25, 2018 6:09 am
Forum: General
Topic: Unidentified Network Problem
Replies: 7
Views: 2110

Re: Unidentified Network Problem

DNS - needs to be valid and capable of resolving correctly. Proxy ARP - remove any usage of it. MTU - make sure your MTU is consistent through your environment. Being a PPPoE service it's possible your external MTU is not 1500 and your internal is. If you haven't accounted for that it could break TL...
by idlemind
Tue Jul 24, 2018 8:03 pm
Forum: General
Topic: Firewall help
Replies: 4
Views: 881

Re: Firewall help

How do the PPPoE negotiation requests traverse the network into the 750UP? If it's a bridge, are you using the IP firewall filter option? Is it listening directly on an interface? It's possible you're blocking the negotiation process and the traffic afterwards is traversing just fine because of the ...
by idlemind
Tue Jul 24, 2018 4:36 pm
Forum: General
Topic: EoIP MTU for pppoe server tunnel
Replies: 15
Views: 4165

Re: EoIP MTU for pppoe server tunnel

MTU Typically, the largest Ethernet frame that can be transmitted without fragmentation is 1500 bytes. PPPoE adds another 6 bytes of overhead and PPP field adds two more bytes, leaving 1492 bytes for IP datagram. Therefore max PPPoE MRU and MTU values must not be larger than 1492. TCP stacks try to...
by idlemind
Sat Jul 14, 2018 9:33 pm
Forum: Forwarding Protocols
Topic: EoMPLS and Bridging
Replies: 1
Views: 1179

Re: EoMPLS and Bridging

The bridge itself needs to be tagged as well.

/interface bridge vlan set [ find where vlan-ids=2601 ] tagged=vpn,cisco-eompls untagged=ether2
by idlemind
Sat Jul 07, 2018 4:36 pm
Forum: General
Topic: IPv6: NAT64 and ipip tunnel - how/when?
Replies: 8
Views: 2013

Re: IPv6: NAT64 and ipip tunnel - how/when?

So to say, you can not establish many vpns to ipv6 (ovpn as an example), so little use to deploy ipv6 only in remote office. Yes basically anything outside of the tunnel protocols does not listen on IPv6. It's either because their developers are inept or they simply refuse to set up the service unde...
by idlemind
Fri Jul 06, 2018 6:11 pm
Forum: General
Topic: EOIP Tunnel question
Replies: 13
Views: 1879

Re: EOIP Tunnel question

You don't need EoIP to move the VLANs across a wireless link. You certainly can but it's fairly redundant. Just bridge them. At the end where you have the camera and the unmanaged switch you are definitely in a tough spot. You couldn't definitely put each VLAN untagged towards the unmanaged non VLAN...
by idlemind
Fri Jul 06, 2018 4:28 am
Forum: General
Topic: IPv6: NAT64 and ipip tunnel - how/when?
Replies: 8
Views: 2013

Re: IPv6: NAT64 and ipip tunnel - how/when?

IPIP won't carry or work with v6 it literally means IPv4 in IPv4. I think Cisco supports IP in IPv6 and MikroTik might too but it'd be a separate tunnel type. Right now GRE can be used to use IPv6 as transport and either IPv4, IPv6 or both (dual stack) inside the tunnel. That said, yes MikroTik has ...
by idlemind
Thu Jul 05, 2018 8:20 pm
Forum: General
Topic: Untagged VLAN Access port on hEX
Replies: 7
Views: 3424

Re: Untagged VLAN Access port on hEX

The only caveat to the previous post is you only can have one VLAN untagged at the bridge. So if you untag VLAN10 at the bridge you will want to tag all other VLANs. If you want an access port for VLAN10, you could also do this: /interface bridge vlan add bridge=bridge untagged=bridge vlan-ids=1 /in...
by idlemind
Thu Jul 05, 2018 8:08 pm
Forum: General
Topic: Trunk port and VLAN translation [SOLVED]
Replies: 18
Views: 4186

Re: Trunk port and VLAN translation [SOLVED]

Are the VLANs on the existing switches using unique addressing already? Are you able to add a static route or static routes to the ISP device? I'm sure you've asked this but the ISP device cannot be put into a "bridge" like mode where the public addressing is presented directly to the new MikroTik (...
by idlemind
Wed Jul 04, 2018 5:37 pm
Forum: General
Topic: IPSEC - Remote subnet overlaps local subnet
Replies: 8
Views: 1547

Re: IPSEC - Remote subnet overlaps local subnet

Sindy, I agree if there is a bug to fix then let's fix it. I'm just saying an alternative is the NAT approach. They can always NAT the small overlapping piece. I'd just NAT the whole thing to unique addressing on both sides to keep it clean. Exempting the traffic I assume means those hosts cannot ta...
by idlemind
Wed Jul 04, 2018 4:29 pm
Forum: General
Topic: IPSEC - Remote subnet overlaps local subnet
Replies: 8
Views: 1547

Re: IPSEC - Remote subnet overlaps local subnet

NAT both of the overlapping subnets to something unique. Conditional DNS forwarding can be used to overcome DNS based limitations. I've written a few posts on the subject. It's commonly done for business to business VPNs here in the US to make each partner side look like certain addressing that fits...
by idlemind
Wed Jul 04, 2018 3:44 pm
Forum: General
Topic: ICMP firewall problem
Replies: 2
Views: 1166

Re: ICMP firewall problem

The JUMP to your ICMP chain is after an accept for related and established. It's almost certainly getting accepted there. That said, don't block TTL exceeded messages unless you like making troubleshooting harder on yourself. Also you may need to not decrement TTL on all connections to make it "invi...
by idlemind
Sun Jul 01, 2018 4:29 am
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

Unfortunately problem is not resolved yet. I also can not give you any ETA for such fixes. When problem will be resolved, then RouterOS release notes will include such fix description. I guess we keep on waiting, and hoping... Yup, I don't have any plan to use MikroTik equipment in net new projects...
by idlemind
Tue Jun 26, 2018 12:23 am
Forum: General
Topic: Routing
Replies: 16
Views: 2081

Re: Routing

As long as rfc1918 is just used as transport - it will work. ICMP packet's will not work . but traffic in TCP/IP will work. If you use a rfc1918 address as dst inside your net - you need to use nat to have it working. Just to clarify for those following along - ICMP will be forwarded through rfc191...
by idlemind
Tue Jun 26, 2018 12:18 am
Forum: General
Topic: IPSec/L2TP and Network Resources [SOLVED]
Replies: 28
Views: 4693

Re: IPSec/L2TP and Network Resources [SOLVED]

Ok, I have news. If I connect physically to the network, I can see the NAS, but over VPN I can't. Then, I change the pool of VPN to the same subnet as local network and WORKS, inclusive with Windows firewall enabled. Now I'm thinking something like the SMB protocol can't be routed between OpenVPN ran...
by idlemind
Tue Jun 26, 2018 12:16 am
Forum: General
Topic: Routing
Replies: 16
Views: 2081

Re: Routing

As long as rfc1918 is just used as transport - it will work. ICMP packet's will not work . but traffic in TCP/IP will work. If you use a rfc1918 address as dst inside your net - you need to use nat to have it working. Just to clarify for those following along - ICMP will be forwarded through rfc191...
by idlemind
Mon Jun 25, 2018 11:43 pm
Forum: General
Topic: Routing
Replies: 16
Views: 2081

Re: Routing

It's a lot of possibilities. :D It's possible to "hack" - just have a regular routing table inside ingress from isp. You have to route your public ip's inside rfc1918 - it's straightforward - but - a hack. :D It's possible to use Eoip - and it's a good easy solution. You might suffer from packet loss. A ...
by idlemind
Sun Jun 24, 2018 4:42 pm
Forum: General
Topic: Management VPNs
Replies: 10
Views: 1410

Re: Management VPNs

IPv6 is free in AWS I believe. That may be a way to escape the CGNAT. That said I think SSTP is your best solution. Even with IPv6 SSTP or L2TP/IPSEC would be a more flexible and light configuration. If only MikroTik had DMVPN.
by idlemind
Sun Jun 24, 2018 3:58 pm
Forum: General
Topic: IPv6 - Identity Association for Non-temporary Address
Replies: 2
Views: 586

Re: IPv6 - Identity Association for Non-temporary Address

Yes, MikroTik has an increasingly obvious weakness in IPv6.

Their DHCPv6 service is prefix delegation only. MikroTik posters have shown their lack of knowledge by posting replies about SLAAC being the only way to address hosts.
by idlemind
Sun Jun 24, 2018 4:50 am
Forum: General
Topic: Bridge VLAN Filtering
Replies: 22
Views: 12311

Re: Bridge VLAN Filtering

You are missing a tagged port on the CRS, most probably in your setup it is going to be ether8. Add ether8 to bridge VLAN table as a tagged port for VLAN5. Also note that RB3011 is capable of VLAN switching on a hardware level, you can find an example how to set it up here: https://wiki.mikrotik.co...
by idlemind
Sun Jun 24, 2018 4:14 am
Forum: General
Topic: Routing
Replies: 16
Views: 2081

Re: Routing

Hello, I have a question about routing. My router, a Mikrotik CCR1009, should route a network to a Mikrotik CRS326 over SFP+. The networks are at port eth1. Located at the CRS are servers; these should get the IP addresses. My problem is I can´t bring the network to the switch. The normal Static Ro...
by idlemind
Thu Jun 21, 2018 11:07 pm
Forum: General
Topic: IPSec/L2TP and Network Resources [SOLVED]
Replies: 28
Views: 4693

Re: IPSec/L2TP and Network Resources [SOLVED]

You'll have to post an updated config of the MikroTik to further troubleshoot SMB.

Your comment about UniFi, are you running the controller on the VPN client? Is this VPN client meant to be transient and change networks all the time but stay connected via VPN?
by idlemind
Wed Jun 20, 2018 9:19 pm
Forum: General
Topic: IPSec/L2TP and Network Resources [SOLVED]
Replies: 28
Views: 4693

Re: IPSec/L2TP and Network Resources [SOLVED]

I need remote access VPN, not site to site VPN, because I need to access by any network. As you see, I'm using a Mikrotik as server and a PC with OpenVPN software as client. The point of UAP is the less important to me right now. The most important requirement is the SMB access for file sharing. Re...
by idlemind
Wed Jun 20, 2018 8:18 pm
Forum: General
Topic: IPSec/L2TP and Network Resources [SOLVED]
Replies: 28
Views: 4693

Re: IPSec/L2TP and Network Resources [SOLVED]

Just to make sure we're hitting all the right points. The video covers a remote access VPN and your requirements that are not working are: SMB based file access, MAC based access to a MikroTik, UniFi AP registration with a controller. The UniFi AP item is what's throwing me for a loop. Are you really i...
by idlemind
Wed Jun 20, 2018 6:56 pm
Forum: General
Topic: Intel i210 ethernet Driver x86
Replies: 3
Views: 1586

Re: Intel i210 ethernet Driver x86

Probably not the answer you're looking for but you can always go the hypervisor route and run your CHR as VMs. They would be a lot more portable during outages and avoid the need for drivers for every product baked into RouterOS. ESXi is free but management can get hard at scale. Alternatively solut...
by idlemind
Tue Jun 05, 2018 8:58 am
Forum: Forwarding Protocols
Topic: Public IP over a tunnel ( SOLVED )
Replies: 34
Views: 13644

Re: Public IP over a tunnel ( SOLVED )

If you search my old posts you'll find some in-depth ones on MTU with screenshot examples of packet captures. TLDR; if your PPPoE connection is 1480 then you'll want your tunnel MTU to be 1480 - the tunnels overhead. Depending on the protocol (IPIP, GRE, IPSec transport vs tunnel) will determine exa...
by idlemind
Tue Apr 24, 2018 10:29 pm
Forum: Forwarding Protocols
Topic: VRRP on bridge interface
Replies: 6
Views: 3289

Re: VRRP on bridge interface

Also, the VRRP addresses in IPv4 should be /32's and /128's for IPv6. If not, the router ends up with 2 interfaces that have the same network defined. The VRRP interface will get its own link-local address automatically and will be reachable there. Additionally, you can if you want set a global uni...
by idlemind
Fri Apr 13, 2018 9:02 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

Maybe it is connection tracking. That would explain why it also affects unreachable networks. However, it does not really explain why it would be triggered by low volume traffic. Connection tracking should survive moderate traffic. Of course pumping a gigabit of ICMP probes like those friendly prog...
by idlemind
Fri Apr 13, 2018 5:40 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

However, I think it is also possible to cause problems for transit routers which are not directly connected to /64 being attacked. This might be because of memory exhaustion in the IPv6 routing cache… not sure yet. I need to do some more experiments over the weekend with some test lab equipment. In...
by idlemind
Sun Apr 08, 2018 2:21 am
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

So ... Grab a Linux box, put it on your LAN and prepare to LULz to the point of tears. My normal desktop is a Fedora machine plugged into a Meraki L2 switch and then into a MikroTik HEX w6.42rc52. Pick an IPv6 /64 that the HEX has to route locally (another network / VLAN in your environment where it...
by idlemind
Sat Apr 07, 2018 4:50 am
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

https://tools.ietf.org/html/rfc6583#section-6.4

A good read from 6.4 down and definitely should be read, documented and best practice recommendations made by MikroTik staff.
by idlemind
Mon Apr 02, 2018 5:30 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

I wonder if we can poll the ND cache with something like SNMP so it could be automatically monitored or at least dumped effectively for a post-mortem to see how the garbage collection happens to determine if the cache fills with discovery in progress entries and deletes older but valid entries. If t...
by idlemind
Sun Apr 01, 2018 3:28 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

xfrm6_gc_thresh - INTEGER The threshold at which we will start garbage collecting for IPv6 destination cache entries. At twice this value the system will refuse new allocations. ^^ probably a more correct Linux kernel option for what we're looking for. The one I posted earlier is not correct as you ...
by idlemind
Sun Apr 01, 2018 3:27 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

xfrm6_gc_thresh - INTEGER The threshold at which we will start garbage collecting for IPv6 destination cache entries. At twice this value the system will refuse new allocations. ^^ probably a more correct Linux kernel option for what we're looking for. The one I posted earlier is not correct as you ...
by idlemind
Sat Mar 31, 2018 10:38 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

There already is a limit like that. It is not like in the original Cisco IOS where the ND cache simply allocated out of the entire free memory pool and all memory was used (and thus the entire router got into trouble) as a result of such a scan. In RouterOS, like now in the Cisco routers, the size ...
by idlemind
Sat Mar 31, 2018 8:15 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

Seems like MikroTik needs a ND policer like everyone else implemented in 2012 or earlier. Maybe a high severity CVE is needed to get MikroTik's attention to effectively mitigate this. "mikrotik.com has IPv6 address 2a02:610:7501:1000::2" It's only a matter of time before the researchers hit that… B...
by idlemind
Sat Mar 31, 2018 7:13 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 8134

Re: Remote Host Scanning our IPv6 Network

Seems like MikroTik needs a ND policer like everyone else implemented in 2012 or earlier. That said it would constitute IPv6 feature work and we know how unlikely that is at MikroTik. Maybe a high severity CVE is needed to get MikroTik's attention to effectively mitigate this. Or, take my approach w...
by idlemind
Sat Mar 10, 2018 1:41 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 123415

Re: v6.42rc [release candidate] is released!

Are there plans to provide dot1q-tunnel equivalent features and switch port rules to manipulate two VLAN tags? (eg pop outer and inner tags and replace them with others) I've been using QinQ trunking in software bridges on a hex for sometime now. Nothing really special to report about it. I imagine...
by idlemind
Fri Mar 09, 2018 4:03 pm
Forum: General
Topic: IPv6 Ping does not work with domain names
Replies: 53
Views: 29317

Re: IPv6 Ping does not work with domain names

This workaround is a definitive solution? :? :shock: the problem will go away when IPv6 is set as a preferred option for the :resolve command and elsewhere where RouterOS attempts to resolve a hostname to IP address. When forced the :resolve command is returning the IPv6 address, hence the workarou...
by idlemind
Tue Feb 27, 2018 3:17 pm
Forum: General
Topic: L2TP/IPSec for Road Warrior
Replies: 93
Views: 40579

Re: L2TP/IPSec for Road Warrior

Can a mAP be used to tunnel to a Mikrotik using IPIP or EOIP with the mAP letting multiple users in? I tried this about a year ago but never did get it to work. I think my stumbling point was trying to get the mAP into a motel wifi for the WAN side. I did it with cap lites, the little hockey puck l...
by idlemind
Mon Feb 26, 2018 4:25 pm
Forum: General
Topic: L2TP/IPSec for Road Warrior
Replies: 93
Views: 40579

Re: L2TP/IPSec for Road Warrior

It is in TODO list, however that will solve problem only if client is RouterOS. But such setups mostly are done where clients are laptops and mobile devices. How about IPv6 support in the L2TP/IPSec server implementation. This avoids the need for NAT traversal or source port randomization entirely....
by idlemind
Fri Feb 16, 2018 4:59 pm
Forum: General
Topic: DHCPv6 client problem
Replies: 8
Views: 1514

Re: DHCPv6 client problem

If you post the PCAP I'd be happy to review it. I haven't had a chance to gather my own yet.
by idlemind
Thu Jan 25, 2018 5:26 pm
Forum: General
Topic: mtu change ?
Replies: 5
Views: 8954

Re: mtu change ?

1452 + 20 (IP) + 8 (PPP) = the 1480 detected MTU is likely correct. It implies from your point of testing that is the available MTU size you can squeeze through without fragmentation. So if you were testing over the vDSL linkage like your drawing shows a good starting point might be to reduce the ma...
by idlemind
Thu Jan 25, 2018 4:47 pm
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 4203

Re: IPv6 router settings

2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP. Allowing all ICMP in isn't such a good idea as well. An ICMP ping sweep from internet to internal LAN will make the router start ND process for each and every internal host pinged. The potential ...
by idlemind
Wed Jan 17, 2018 10:41 pm
Forum: General
Topic: DHCPv6 client problem
Replies: 8
Views: 1514

Re: DHCPv6 client problem

Yup I'd be prepared to offer PCAPs of the solicit and advertise messages.
by idlemind
Wed Jan 17, 2018 9:19 pm
Forum: General
Topic: DHCPv6 client problem
Replies: 8
Views: 1514

Re: DHCPv6 client problem

Hmm, if I could see a packet capture of the DHCPv6 request cycle it could be verified where the fault is. RFC3633 (6) states: 6. Identity Association for Prefix Delegation An IA_PD is a construct through which a delegating router and a requesting router can identify, group and manage a set of relate...
by idlemind
Tue Jan 16, 2018 9:33 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 123415

Re: v6.42rc [release candidate] is released!

*) dhcpv6-client - added info exchange support; *) dhcpv6-client - added support for options 15 and 16; *) dhcpv6-server - added DHCPv4 style user options; While it is a worthy mention and any improvement in DHCPv6 support is welcome I feel it is important to remind you that your team is sorely lac...
by idlemind
Tue Jan 09, 2018 9:04 pm
Forum: Beginner Basics
Topic: Site to Site IpSec Tunnel
Replies: 23
Views: 30184

Re: Site to Site IpSec Tunnel

Hello everybody! I have got 2 LAN networks, IPSec and GRE tunnel is working fine. But there is a problem. There is a laptop in the other LAN and I can not access it, but I can ping it. I can access the other side from this laptop by the way. So I can access my 951G, and behind my PC, ssh, ftp....
by idlemind
Tue Jan 09, 2018 9:02 pm
Forum: General
Topic: mtu change ?
Replies: 5
Views: 8954

Re: mtu change ?

Firewall rules should be unneeded. There is no role in the firewall ! ( no filter - no NAT ) Set the MTU values on the appropriate interfaces Do you mean interfaces? I have set 1500 on all interfaces ( example : ether2 - 1500 MTU ) and allow ICMP messages related to path MTU discovery to pass correct...
by idlemind
Tue Dec 26, 2017 2:06 am
Forum: General
Topic: mtu change ?
Replies: 5
Views: 8954

Re: mtu change ?

Firewall rules should be unneeded. The clamp-tcp-mss feature is a crutch and only cleans up TCP flows.

Set the MTU values on the appropriate interfaces and allow ICMP messages related to path MTU discovery to pass correctly and packets will move without issue.
by idlemind
Thu Dec 14, 2017 8:31 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 148939

Re: v6.41rc [release candidate] is released! New bridge implementation!

Hi, is proxy-arp on v6.41rc61 working? I have CCR1036 directly connected to CRS226. I have vlan trunk on bridge between them. On CRS226 I have an access port and connected device with IP, I can ping the IP from router and switch. I configured L2TP/IPsec and OVPN services, both are working, but I can't ping...
by idlemind
Tue Dec 12, 2017 4:48 pm
Forum: General
Topic: SSTP & IPv6
Replies: 21
Views: 6680

Re: SSTP & IPv6

Most likely new IPv6 features will not be added in ROS v6. Thanks for the honest feedback. At least I know for certain I do not need to watch the RC patch notes anxiously. I'll continue to ask but know that myself and others require IPv6 support. Without it I cannot recommend your product for anythi...
by idlemind
Tue Dec 12, 2017 4:46 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 148939

Re: v6.41rc [release candidate] is released! New bridge implementation!

Sure thing! /interface bridge add fast-forward=no igmp-snooping=no name=bridge priority=0x1000 protocol-mode=none vlan-filtering=yes The docs I referenced uses pvid=1 for the bridge and for holding the VLANs, so my bridge sets no pvid. Instead, I've assigned the IP directly to a VLAN Thanks bjornr,...
by idlemind
Mon Dec 11, 2017 8:12 pm
Forum: General
Topic: Possible to avoid loops using 6.41rc?
Replies: 3
Views: 906

Re: Possible to avoid loops using 6.41rc?

In this post I describe what is my problem: https://forum.mikrotik.com/viewtopic.php?f=2&t=127500&p=626795#p626795 Long story short, I have got advice from support to try 6.41rc with the new bridge concept and hardware offloading. Support says that maybe the problem was due to broadcasts both on vl...
by idlemind
Sun Dec 03, 2017 6:36 pm
Forum: General
Topic: Mikrotik as GW with Cisco as DHCP server!
Replies: 1
Views: 546

Re: Mikrotik as GW with Cisco as DHCP server!

/export hide-sensitive
Post the output of that please!
by idlemind
Thu Nov 23, 2017 7:26 pm
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 1371

Re: Issues w/ HTTPS

Yes, PPPoE is set at 1492. I did more digging and noticed on a working router the MTU settings were 1500/1598 on the backhaul interface and all others were 1500/1588 and the PPPoE virtual interface was 1492. Changed the two other problem locations to the same and what do ya know, "it works like a hank now" gue...
by idlemind
Thu Nov 23, 2017 7:06 pm
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 1371

Re: Issues w/ HTTPS

Man, I appreciate your thoughts. I've done some testing on MTU between the troubled subnet and a known working subnet and if I go lower than 1480 or 1500 just about everything times out. Not using any IPv6 on my network but when I torch the interface trying to load Netflix I do see IPv6 address appea...
by idlemind
Thu Nov 23, 2017 2:48 pm
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 1371

Re: Issues w/ HTTPS

how would one fix that? thx You'll need to test and verify path MTU is working appropriately. Depending on your architecture this can be difficult (especially if you have an IPSec policy based VPN). A quick test is to reduce your LAN or client MTU to something very small. A good value to start with...
by idlemind
Thu Nov 23, 2017 3:36 am
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 1371

Re: Issues w/ HTTPS

I am having similar issues myself. Nothing has changed. Started noticing UBNT radios wouldn't update from the GUI when told to check for updates. Can't connect to ubnt.com or netflix.com within this certain subnet and I'm sure there's more. Can remote in to a Windows box on the main private subnet a...
by idlemind
Wed Nov 22, 2017 7:52 pm
Forum: General
Topic: MTU Question
Replies: 12
Views: 2328

Re: MTU Question

Reading this, I am able to ping directly from the Mikrotik to the outside with 1500 without fragmenting. When I am on a device connected to the Mikrotik I can ping with 1472. Looking at the PPPoE connecting to the server I notice that the datalen is 1492. The displayed MTU on th...
by idlemind
Wed Nov 22, 2017 7:51 pm
Forum: General
Topic: ipv6 - unable to reach beyond mikrotik.
Replies: 25
Views: 2592

Re: ipv6 - unable to reach beyond mikrotik.

TLDR; collaborate with your ISP and help them fix their broken IPv6 implementation. Once you get past the initial layers of tech support and into the ones actually doing the design and configuration they'll welcome the feedback if it's presented constructively. Allocating /56 is actually RIPE prefe...
by idlemind
Wed Nov 22, 2017 5:39 pm
Forum: General
Topic: ipv6 - unable to reach beyond mikrotik.
Replies: 25
Views: 2592

Re: ipv6 - unable to reach beyond mikrotik.

I've narrowed the problem down to the ND configuration. Essentially I have to define LAN prefix advertisement to WAN port under ND: /ipv6 nd prefix add autonomous=no interface=ether6 on-link=yes prefix=X:X:X:102::/64 However! In order for ONT to start routing to that subnet I have to set icmpv6.nd....
by idlemind
Wed Nov 22, 2017 5:24 pm
Forum: General
Topic: Bonding Broadcast
Replies: 1
Views: 689

Re: Bonding Broadcast

Is your bonding mode set to broadcast? Maybe balance-xor with an appropriate transmit-hash-policy or 802.3ad?
by idlemind
Wed Nov 22, 2017 5:21 pm
Forum: General
Topic: Issues w/ HTTPS
Replies: 10
Views: 1371

Re: Issues w/ HTTPS

Yup the usual offender is MTU related. Likely you are blocking path MTU discovery mechanisms like ICMP from being correctly transmitted through your network.
by idlemind
Wed Nov 22, 2017 5:19 pm
Forum: General
Topic: Vlans and Bridges
Replies: 2
Views: 623

Re: Vlans and Bridges

Yup, lots of ways to skin this cat. Let's do it with 6.41rc based bridging (VLAN aware) just because it is the most future proof solution. Step 1, remove master-port from all Ethernet interfaces (if it exists, the option has now been removed in 6.41rc) Step 2, pick an Ethernet interface to use for c...
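The VLAN-aware bridge the post above starts to walk through (and the "missing tagged port on ether8" fix in the Bridge VLAN Filtering post earlier in this listing), as an added RouterOS 6.41+ example; this is not configuration from the original posts. Port names ether2/ether3/ether8, VLAN IDs 5 and 10, and the 192.168.x.0/24 addresses are placeholders chosen for the example.

```routeros
# Added example (not from the original posts). Assumes a 6.41+ bridge, ether8 as
# the trunk to another switch, ether2/ether3 as access ports, VLANs 5 and 10.
/interface bridge
add name=bridge vlan-filtering=no comment="filtering is enabled last, see below"

/interface bridge port
# Trunk port: no PVID change, so untagged frames stay in VLAN 1 and every
# configured VLAN leaves it tagged (once it is listed as tagged below).
add bridge=bridge interface=ether8
# Access ports: untagged frames from the host are placed in the port's PVID.
add bridge=bridge interface=ether2 pvid=5
add bridge=bridge interface=ether3 pvid=10

/interface bridge vlan
# Each VLAN needs a table entry. ether8 must appear as tagged or frames for that
# VLAN are never sent over the trunk; "bridge" is listed as tagged so the
# router's own VLAN interfaces (below) receive the traffic.
add bridge=bridge vlan-ids=5 tagged=bridge,ether8 untagged=ether2
add bridge=bridge vlan-ids=10 tagged=bridge,ether8 untagged=ether3

# Layer-3 lives on VLAN interfaces attached to the bridge, not to a physical port.
/interface vlan
add name=vlan5 interface=bridge vlan-id=5
add name=vlan10 interface=bridge vlan-id=10
/ip address
add address=192.168.5.1/24 interface=vlan5
add address=192.168.10.1/24 interface=vlan10

# Turn filtering on only after the table is complete. Enabling it earlier cuts
# management access if the VLAN you are connected through is not yet in the table.
/interface bridge
set bridge vlan-filtering=yes
```

Before enabling `vlan-filtering`, verify the table with `/interface bridge vlan print` and make sure the port and VLAN you manage the device through are present; Safe Mode in the terminal is a cheap way to recover if they are not.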
by idlemind
Wed Nov 22, 2017 5:07 pm
Forum: General
Topic: Webserver configuration recommendation
Replies: 1
Views: 440

Re: Webserver configuration recommendation

The term DMZ is so "meh." You're really seeking isolation. This can be accomplished with the local firewall on the server, a segment protected by the firewall on a MikroTik router or a mix of both. If you want the server to live on the same segment as the client devices you can control #1 and #4 easi...
by idlemind
Wed Nov 22, 2017 5:02 pm
Forum: General
Topic: IPv6 PD and specify DNS servers?
Replies: 1
Views: 667

Re: IPv6 PD and specify DNS servers?

Not really, some have reported it working to set DHCP servers with regular DHCP in a dual stack method. Complain to MikroTik for their half-baked implementation like all of us have been doing as IPv6 continues to ramp up in relevance. Now, to provide a more specific work-around. You can set your DNS...
by idlemind
Wed Nov 22, 2017 4:53 pm
Forum: General
Topic: MTU Question
Replies: 12
Views: 2328

Re: MTU Question

Hi guys, I have a little question about MTU. I need to run a PPPoE server over a single VLAN in our CCR1036 to our clients and I have a question about setting MTU on interfaces to avoid fragmentation problems. The basic diagram is this: CCR1036 ---------- (eth cable) ---------- SWITCH ------- (eth c...
by idlemind
Wed Nov 22, 2017 4:44 pm
Forum: General
Topic: MTU Question
Replies: 12
Views: 2328

Re: MTU Question

Mangle rules are depending on your rOS version rOS 6.39 !) ppp - implemented internal algorithm for "change-mss", no mangle rules necessary; rOS 6.39.2 *) ppp - fixed "change-mss" functionality (introduced in 6.39); You should be OK without any additional settings :) Change MSS only applies to TCP,...
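The MTU advice spread over several posts in this listing (tunnel MTU = link MTU minus encapsulation overhead, a detected path MTU of 1480, letting PMTUD ICMP through, and MSS clamping as a TCP-only fallback) pulled together as one added RouterOS example; this is not configuration from the original posts. The interface name pppoe-out1, the 1480 path MTU, the GRE tunnel gre-site2 and the 203.0.113.10 / 198.51.100.20 endpoints are assumptions for the example.

```routeros
# Added example (not from the original posts). Assumes a PPPoE uplink
# "pppoe-out1" whose measured path MTU is 1480 and a GRE tunnel to a second
# site; addresses and names are placeholders.
/interface pppoe-client
set pppoe-out1 max-mtu=1480 max-mru=1480

# Tunnel MTU = path MTU - encapsulation overhead:
#   IPIP: 20 (outer IPv4)             -> 1480 - 20 = 1460
#   GRE:  20 (outer IPv4) + 4 (GRE)   -> 1480 - 24 = 1456
#   IPsec on top adds ESP header, IV, padding/trailer and ICV, which depend on
#   the cipher; measure with a DF ping through the finished tunnel, do not guess.
/interface gre
add name=gre-site2 local-address=203.0.113.10 remote-address=198.51.100.20 \
    mtu=1456 clamp-tcp-mss=yes

# Path MTU discovery: "fragmentation needed" (ICMP type 3 code 4) has to reach
# the hosts and the router itself. Blocking it is the classic cause of "small
# pages load, large transfers and HTTPS sites hang". Place these ahead of any
# generic drop rule (place-before= if the chain already has one).
/ip firewall filter
add chain=forward protocol=icmp icmp-options=3:4 action=accept \
    comment="PMTUD: fragmentation needed"
add chain=input protocol=icmp icmp-options=3:4 action=accept \
    comment="PMTUD for the router itself"

# MSS clamping only touches TCP SYNs; UDP, ICMP and ESP are unaffected. Keep it
# as a fallback for peers sitting behind networks that drop ICMP, not as the
# primary fix. (Per the changelog quoted above, PPP interfaces clamp internally
# since 6.39, so this rule mostly matters on other egress interface types.)
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=pppoe-out1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS fallback"
```

To confirm the numbers rather than trust them, ping across each hop with `do-not-fragment` set (`/ping <address> size=<n> do-not-fragment`) and lower `size` until replies come back; the largest answered size is the real usable MTU for that path, and the tunnel MTU should be derived from it, not from the nominal 1500.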
by idlemind
Wed Nov 22, 2017 4:18 pm
Forum: General
Topic: Ip Flow Problem
Replies: 6
Views: 906

Re: Ip Flow Problem

What is the CPU usage of the PPPoE server with users connected and the IP flow exporter running? Does the exported data take the same data path as the PPPoE clients therefore potentially causing contention?
by idlemind
Wed Nov 22, 2017 5:57 am
Forum: General
Topic: NFS browsing issue
Replies: 6
Views: 2818

Re: NFS browsing issue

If they are on the same segment local discovery should be working without interference from MikroTik. I suppose it's possible that by placing your NAS in each VLAN like you have it may be confusing the autoconf daemon (Avahi). When the NAS and client are in the same VLAN the MikroTik won't or at least ...
by idlemind
Wed Nov 22, 2017 5:29 am
Forum: General
Topic: NFS browsing issue
Replies: 6
Views: 2818

Re: NFS browsing issue

Avahi is only needed if you want NFS to be "announced" or at least "discoverable." If you simply mount the share in Kodi and use NFS natively it should behave normally over the network. That said, Avahi can be used with a custom TLD (not .local) and DNS-SD, DNS Service Discovery, is not necessary re...
by idlemind
Fri Nov 17, 2017 10:00 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 148939

Re: v6.41rc [release candidate] is released! New bridge implementation!

These complaints are exactly why arbitrary hard setting a value is bad when it can be valid within a range. This includes what a developer personally feels is acceptable.
by idlemind
Fri Nov 10, 2017 7:34 pm
Forum: General
Topic: DNS in mikrotik and DC on Windows Server
Replies: 3
Views: 7453

Re: DNS in mikrotik and DC on Windows Server

All of these suggestions are good, if you have a Microsoft AD environment you should not be using DNS or DHCP on the MikroTik for domain joined clients. It would be ok to use the MikroTik to relay and cache requests to another upstream DNS server but to reduce complexity I'd just have the AD servers...
by idlemind
Fri Nov 10, 2017 7:03 pm
Forum: General
Topic: Ether2 to SSTP-out1 can't seem to see it.
Replies: 1
Views: 451

Re: Ether2 to SSTP-out1 can't seem to see it.

Let's start with:
/export hide-sensitive
by idlemind
Fri Nov 10, 2017 7:01 pm
Forum: General
Topic: Changing/removing a master-port disconnects from a router
Replies: 1
Views: 598

Re: Changing/removing a master-port disconnects from a router

The way RouterOS older than 6.41rc works is that the switch chip is managed through the "master-port" by default that's ether2 as you're finding out. You can change that, I personally drop everything master-port related and have been strictly running on the new bridge that replaces this nightmare. T...
by idlemind
Fri Nov 10, 2017 6:50 pm
Forum: General
Topic: Hotspot behind Gigabit WAN lines
Replies: 4
Views: 834

Re: Hotspot behind Gigabit WAN lines

To be honest, I avoid hotspot and captive portals like the plague. I've seen more issues particularly with captive portal detection than any other method produces by volume of support calls. You'd need a method to manage either the certificates or users. You likely are doing this already. This would...
by idlemind
Fri Nov 10, 2017 6:42 pm
Forum: General
Topic: FTP helper doesn't work properly
Replies: 1
Views: 1031

Re: FTP helper doesn't work properly

Hello. I have broken my head. I have an FTP server with SSL. Inside the LAN everything works fine, users can connect and get data from the server. If I want to connect via the Internet, the connection is refused (Server sent passive reply with unroutable address "my local ftp-server address") after establishing. I set u...
by idlemind
Fri Nov 10, 2017 6:38 pm
Forum: General
Topic: Hex v3 ( RB750Gr3 ) EoIP/IPsec
Replies: 5
Views: 1422

Re: Hex v3 ( RB750Gr3 ) EoIP/IPsec

If you don't actually need the functionality of EoIP (tunneling layer 2) then you could use straight IPSec tunnel mode and maintain an accelerated state with little overhead from the tunneling action.
by idlemind
Fri Nov 10, 2017 3:59 pm
Forum: General
Topic: Hotspot behind Gigabit WAN lines
Replies: 4
Views: 834

Re: Hotspot behind Gigabit WAN lines

Why not 802.1x at scale instead of captive portal and hotspot silliness?
by idlemind
Thu Nov 09, 2017 7:04 pm
Forum: General
Topic: SSTP & IPv6
Replies: 21
Views: 6680

Re: SSTP & IPv6

Currently you can't connect to the router using IPv6 address. This feature will be added in future versions.
This was 7 years ago. How future was that version you were talking about MRZ?
by idlemind
Wed Nov 08, 2017 6:44 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 148939

Re: v6.41rc [release candidate] is released! New bridge implementation!

RADIUS timeout value was reduced due to the fact that there is no point of higher value than 3s. Neither of RouterOS RADIUS services would wait more than 3s for a reply from RADIUS server. If you had value higher than 3 seconds, then either configuration will work with timeout set to 3s or it was n...
by idlemind
Wed Nov 08, 2017 6:22 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 7541

Re: Vlans to run over L2TP/IPsec. [SOLVED]

idlemind
Thank you for all your help. I appreciate. :D :D :D
No problem! Good luck on your adventures!
by idlemind
Tue Nov 07, 2017 10:26 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 7541

Re: Vlans to run over L2TP/IPsec. [SOLVED]

Post a /ip route print from the hq and one of the branches. Maybe a little drawing showing the networks involved too. HQ Route list https://hfmc9w.dm2301.livefilestore.com/y4m2UkB9IUdtURPqaI019SqjqB_MztQLSq2lbyhCDzz-S5bqn1QWJ9VFhV16xxOjw4xfy4qgMLwcKNa2XjIR5rHpbuEI7_I2MWG3jixe5HPjIhR9TjFWaYewH9QmWgL...
by idlemind
Tue Nov 07, 2017 10:06 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 7541

Re: Vlans to run over L2TP/IPsec. [SOLVED]

Post a /ip route print from the hq and one of the branches. Maybe a little drawing showing the networks involved too. HQ Route list https://hfmc9w.dm2301.livefilestore.com/y4m2UkB9IUdtURPqaI019SqjqB_MztQLSq2lbyhCDzz-S5bqn1QWJ9VFhV16xxOjw4xfy4qgMLwcKNa2XjIR5rHpbuEI7_I2MWG3jixe5HPjIhR9TjFWaYewH9QmWgL...
by idlemind
Tue Nov 07, 2017 8:41 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 7541

Re: Vlans to run over L2TP/IPsec. [SOLVED]

Post a /ip route print from the hq and one of the branches. Maybe a little drawing showing the networks involved too.
by idlemind
Tue Nov 07, 2017 5:22 pm
Forum: General
Topic: Feature request: Make IPv6 DNS servers configureable in ND/DHCPv6
Replies: 6
Views: 1672

Re: Feature request: Make IPv6 DNS servers configureable in ND/DHCPv6

Currently ND and DHCPv6 advertise only the IPv6 DNS servers set in "/ip dns" which are the upstream DNS servers. Therefore it is not possible to use the internal RouterOS DNS server as IPv6 DNS server. Please make the DNS server configurable in the same way, as it's already done on the IPv4 DHCP se...
by idlemind
Tue Nov 07, 2017 5:21 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 148939

Re: v6.41rc [release candidate] is released! New bridge implementation!

What's new in 6.41rc50 (2017-Oct-30 10:13): Important note!!! Backup before upgrade! RouterOS (v6.40rc36-rc40 and) v6.41rc1+ contains new bridge implementation that supports hardware offloading (hw-offload). This update will convert all interface "master-port" configuration into new bridge configur...
by idlemind
Tue Nov 07, 2017 2:36 am
Forum: General
Topic: IPv6 firewalling
Replies: 2
Views: 598

Re: IPv6 firewalling

You may want to look at explicitly allowing some ICMPv6 codes like "TOO BIG" in FORWARD just in case established/related doesn't pick it up to prevent fragmentation issues.
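The ICMPv6 point above, combined with the earlier posts in this listing about a remote /64 ping sweep making the router start neighbor discovery for every probed address (the RFC 6583 discussion), as one added RouterOS IPv6 firewall example; this is not configuration from the original posts. The interface name wan, the address-list name lan-prefix and the prefix 2001:db8:1::/64 are assumptions for the example.

```routeros
# Added example (not from the original posts). Assumes WAN interface "wan" and
# a LAN prefix of 2001:db8:1::/64 with no inbound services.
/ipv6 firewall address-list
add list=lan-prefix address=2001:db8:1::/64

/ipv6 firewall filter
# Return traffic for flows the LAN opened.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop

# ICMPv6 that PMTUD and diagnostics depend on. Listed explicitly so they pass
# even when connection tracking does not mark them as related.
add chain=forward protocol=icmpv6 icmp-options=2:0 action=accept comment="packet too big"
add chain=forward protocol=icmpv6 icmp-options=1:0 action=accept comment="no route to destination"
add chain=forward protocol=icmpv6 icmp-options=1:4 action=accept comment="port unreachable"
add chain=forward protocol=icmpv6 icmp-options=3:0 action=accept comment="hop limit exceeded"
add chain=forward protocol=icmpv6 icmp-options=4:0 action=accept comment="parameter problem"

# Inbound echo requests toward the LAN are allowed but rate limited. Every probe
# to an unused address in the /64 makes the router begin neighbor discovery for
# it, so an unthrottled sweep from the Internet fills the neighbor cache with
# incomplete entries (the RFC 6583 section 6 problem discussed above).
add chain=forward in-interface=wan protocol=icmpv6 icmp-options=128:0 \
    dst-address-list=lan-prefix limit=20,50:packet action=accept comment="rate limited ping"

# Anything else new from the WAN toward the LAN is dropped here, before the
# router tries to resolve a LAN-side next hop, so it triggers no ND at all.
add chain=forward in-interface=wan connection-state=new action=drop
```

If hosts behind the router do have to be reachable, write their accept rules against the specific addresses (`dst-address=2001:db8:1::10/128` and so on) rather than the whole /64; that way traffic to unused addresses never reaches neighbor discovery. Under a scan, `/ipv6 neighbor print` shows the incomplete and failed entries building up, which is the quickest way to tell whether the rules above are actually taking effect.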
by idlemind
Tue Nov 07, 2017 2:31 am
Forum: General
Topic: NATing entire subnet to bridge colliding address spaces
Replies: 1
Views: 392

Re: NATing entire subnet to bridge colliding address spaces

Search my posts for double NAT, you should find an example of doing this. It can be done with any VPN method. You might find OVPN in MikroTik limiting; I think it's still TCP only.
by idlemind
Mon Nov 06, 2017 6:36 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 7541

Re: Vlans to run over L2TP/IPsec. [SOLVED]

An example with the networks of 192.168.101.0/24 with a gateway of 192.168.255.1/30 and 192.168.201.0/24 with a gateway of 192.168.255.5/30. ppp secret set 0 routes="192.168.101.0/24 192.168.255.1 1,192.168.201.0/24 192.168.255.5 1" https://wiki.mikrotik.com/wiki/Manual:PPP_AAA ^^ Search for "routes...
by idlemind
Fri Nov 03, 2017 10:52 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 148939

Re: v6.41rc [release candidate] is released! New bridge implementation!

They've done that already. Done what? In a released version? With no roll back? Hey, you must be kidding me! :) What I talk about is that we should split the new bridge implementation from all these other changes, for good reason: the bridge change is a BIG one so this alone should be tested very seriously. When ...
by idlemind
Fri Nov 03, 2017 8:08 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 7541

Re: Vlans to run over L2TP/IPsec. [SOLVED]

I'm in need of some clarification on your issue. Do you want to stretch the VLANs from remote sites back to HQ so you have layer 2 connectivity between the sites? Do you want layer 3 connectivity between the locations from the additional networks present on the remote site VLANs (ping from that VLA...
by idlemind
Fri Nov 03, 2017 4:00 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 148939

Re: v6.41rc [release candidate] is released! New bridge implementation!

Just wanted to tell you guys you are implementing a very good thing, but the new RC seems to be very long in development so far. It is not common to see 50 (!) RCs per release (and 6.41 is not yet released this far), and this looks like it will be just dangerous to install into prod for too many changes (beside ...
by idlemind
Thu Nov 02, 2017 9:02 pm
Forum: General
Topic: Vlans to run over L2TP/IPsec. [SOLVED]
Replies: 14
Views: 7541

Re: Vlans to run over L2TP/IPsec. [SOLVED]

I'm in need of some clarification on your issue. Do you want to stretch the VLANs from remote sites back to HQ so you have layer 2 connectivity between the sites? Do you want layer 3 connectivity between the locations from the additional networks present on the remote site VLANs (ping from that VLAN...
by idlemind
Thu Nov 02, 2017 6:20 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 148939

Re: v6.41rc [release candidate] is released! New bridge implementation!

What's new in 6.41rc50 (2017-Oct-30 10:13): *) radius - limited RADIUS timeout maximum value to 3 seconds; a very bad idea, this field generally needs to remove the limits, so that I myself can set the desired value, for example, even 15-20 seconds Yup, seems like MT was overstepping. Seems like so...
by idlemind
Mon Oct 30, 2017 9:15 pm
Forum: General
Topic: Help with router configuration for Agascha
Replies: 6
Views: 962

Re: Help with router configuration for Agascha

Right, you probably need a bit more background in networking. If you choose to do it with the method involving DNS you and your users never need to enter the IP address in the browser. Instead it could just be "http://pictures" for example. If you choose to manage just the IP address and access it v...
by idlemind
Mon Oct 30, 2017 6:02 pm
Forum: Wireless Networking
Topic: VLANS over wireless link
Replies: 4
Views: 971

Re: VLANS over wireless link

Ok thanks a lot.
That means it is not necessary to enable WDS in dynamic mode on the bridge interface?
Correct, you also can do it with bridging by setting which VLANs you explicitly want to tag or not (PVID).
by idlemind
Mon Oct 30, 2017 3:53 pm
Forum: Beginner Basics
Topic: Why speed of Bridge only 100Mb?
Replies: 6
Views: 2559

Re: Why speed of Bridge only 100Mb?

Running MikroTik RouterOS 6.41rc I see the same speed reported. That said, I am able to perform inter-VLAN routing across the bridge at well over 100 Mbps. I imagine it's a superficial value. If it's not already reported, do it. Maybe MikroTik can update the value to be the speed of the fastest bridge...
by idlemind
Sun Oct 29, 2017 7:57 pm
Forum: Beginner Basics
Topic: Understanding and develop VLAN
Replies: 4
Views: 734

Re: Understanding and develop VLAN

RC? GA?
RC, Release Candidate
GA, General Availability or Stable

Software versions.
by idlemind
Sun Oct 29, 2017 7:32 pm
Forum: Beginner Basics
Topic: VLAN/TRUNK - Cisco equiv commands
Replies: 1
Views: 533

Re: VLAN/TRUNK - Cisco equiv commands

Look at the new VLAN aware bridge implementation in 6.41rc. Might as well learn the way it will be done by default soon right out of the gate if you ask me.
by idlemind
Sun Oct 29, 2017 7:26 pm
Forum: Beginner Basics
Topic: Understanding and develop VLAN
Replies: 4
Views: 734

Re: Understanding and develop VLAN

It might be easier for you to learn how to implement VLANs in the new RC version. Might as well only learn it once. For a small topology it shouldn't be hard to validate the RC enough to ensure stability while it moves to GA. It's been around for several months now.
by idlemind
Sun Oct 29, 2017 2:54 pm
Forum: General
Topic: Network issues for L2tp/ipsec with CCR 1009
Replies: 3
Views: 679

Re: Network issues for L2tp/ipsec with CCR 1009

The IPs you're using are public IPs you know that right?

If you have subnet overlap you need to enable Proxy ARP on the overlapping non-VPN subnet, ether2 in your case.
by idlemind
Sun Oct 29, 2017 2:51 pm
Forum: General
Topic: Help with router configuration for Agascha
Replies: 6
Views: 962

Re: Help with router configuration for Agascha

Hello pukkita, thanks for your help. Is there no way to set up the router so that Lan4 always gets the same IP address? So that even with changing laptops on this Ethernet port, the same IP is always received. Thank you for your help. Greetings Agascha You could do it with scripting, set a short lease t...
by idlemind
Sun Oct 29, 2017 6:12 am
Forum: General
Topic: IPSEC +GRE issue R6.40.4
Replies: 2
Views: 940

Re: IPSEC +GRE issue R6.40.4

With IPSec and GRE the IPSec mode should be transport not tunnel. That won't affect functionality but you are adding a useless IP header per packet which affects MTU and CPU. Additionally the NAT rule is useless when using the GRE tunnel and not a policy based VPN (IPSec only). Post an export for ea...
by idlemind
Fri Oct 27, 2017 3:55 pm
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2819

Re: MicroTik RB750Gr3 trunk vLAN issue

Idlemind: Having now set these up for an eleven-vLan configuration, it isn't hard to see how the 'new order' vLan-aware bridges will make life, and configuration, way easier with increased flexibility. The RC version was fun to tinker with, but in the end I opted for a stable build in the interim [...
by idlemind
Fri Oct 27, 2017 3:36 pm
Forum: General
Topic: Broadcast and Multicast over VPN (PPP)
Replies: 11
Views: 5984

Re: Broadcast and Multicast over VPN (PPP)

Hi, I have tested with RB951 ROS version 6.40. I have done an EOIP VPN and bridged the EOIP tunnel to an Ethernet interface. Then I did a multicast stream from 1 side to another but it didn't work. As I searched the forum, it needs IGMP Snooping enabled on the bridge interface. It seems the RB951 does not support that feature. T...
by idlemind
Wed Oct 25, 2017 7:28 am
Forum: General
Topic: Questions regarding EoIP Performance on CCR1036-12G-4S
Replies: 2
Views: 837

Re: Questions regarding EoIP Performance on CCR1036-12G-4S

Fragmentation happens at the router in IPv4. Switching to IPv6 would move the fragmentation cost to the source of traffic.

I imagine that's not a real fix. It does however highlight a strength of IPv6 though.

If you share more of your desired architecture we may be able to help further.
by idlemind
Mon Oct 23, 2017 5:43 pm
Forum: General
Topic: Connecting 2 RB750GR3 over wan
Replies: 7
Views: 1276

Re: Connecting 2 RB750GR3 over wan

It depends on your requirements. If both have static IPv4 or IPv6 addressing I prefer to run GRE wrapped in IPSec transport mode personally. I say this because GRE supports all types of traffic. This allows you to run a dynamic routing protocol between the sites. Having an actual GRE interface also ...
by idlemind
Mon Oct 23, 2017 1:38 am
Forum: General
Topic: Feature Request: TACACS/TACACS+
Replies: 40
Views: 13615

Re: Feature Request: TACACS/TACACS+

I wonder if IPSec could be used to secure the RADIUS traffic between endpoints and an auth server. This would only cover the encryption side of the discussion not the feature differences.
by idlemind
Fri Oct 20, 2017 11:46 pm
Forum: General
Topic: MicroTik RB750Gr3 trunk vLAN issue
Replies: 13
Views: 2819

Re: MicroTik RB750Gr3 trunk vLAN issue

Hi Idlemind, I've taken the plunge into 6.41rc## and the bridge stuff is certainly cleaner... thanks for the heads-up. With reference to Cisco or Adtran style vLAN config in the switches, seems like the bridged-vlan's in MikroTik under this RC are much like the vLAN Trunks in those switches, with t...
by idlemind
Fri Oct 20, 2017 7:00 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 148939

Re: v6.41rc [release candidate] is released! New bridge implementation!

In RouterOS v6.41 everything QinQ related has to be configured with bridge "vlan-filtering=no" using VLAN interfaces and their "use-service-tag" option. And if one does that, will all QinQ switching get software switched, or what? Wouldn't it have been in software before? Are there models that supported Q...
by idlemind
Fri Oct 20, 2017 5:44 pm
Forum: Beginner Basics
Topic: VPN and ping with big packet size. help me
Replies: 2
Views: 679

Re: VPN and ping with big packet size. help me

1) PPTP has been shown to not be secure so switch to a different protocol. L2TP/IPSec should work fine for remote access VPN or a site-to-site connection similar to PPTP while retaining client viability (Win10). 2) Post a /export hide-sensitive of all the involved devices. As the previous poster sta...
by idlemind
Fri Oct 20, 2017 5:23 pm
Forum: Beginner Basics
Topic: Websites not being blocked/logged?
Replies: 5
Views: 1036

Re: Websites not being blocked/logged?

It looks like every week there are at least 5 overzealous network operators here that want to block block block... And unfortunately none of them first check the replies to all the others about the difficulties / impossibilities. I guess we need to set up a course "how to live with the reality of th...
by idlemind
Fri Oct 20, 2017 5:17 pm
Forum: Beginner Basics
Topic: Problem with very simple Route on Mikrotik RB750
Replies: 6
Views: 1301

Re: Problem with very simple Route on Mikrotik RB750

At the command prompt execute and post it:
/export hide-sensitive
You never know what sneaks into a configuration.