MikroTik

halacs

I can't set out interface to the tunnel:
"in/out-interface matcher not possible when interface (eoip-tunnel-xxx) is slave - use maser instead (brdige1)"

On bridge1 I have vlan tags also and I use it so far in the mangle rule as out interface.

halacs

Be aware that if you add an EoIP interface with an MTU<1500 to a bridge it will impact any traffic between local bridge ports too, usually breaking things. Yeah, actually there is a warning in the documentation: MTU should be 1500 in the EOIP tunnel. if I set it to auto it gets somewhere between 15...

halacs

I have set 1300 MTU on the EoIP tunnel. Additional rule set MSS to 1250. Reason behind 1300/1250 MTU if a PPPoE internet connection with VLAN tagged LAN plus a NAT in front of the tunnel because of the dynamic public IP. Am I right that, in this case, if MTU of the tunnel would be set to 1250 then I...

halacs

Hi, I have an EoIP tunnel between a Mikrotik RB4011iGS+RM and a Mikrotik CCR1009-7G-1C-1S+PC device. There is a "Clamp TCP MSS" option at the EOIP settings page in winbox. Even if I set it, I also have to add another "change MSS" (with 1250 MSS) rule under Firewall/Mangle to have...

halacs

I want to share my experiences, might be usefull for others struggling with the same problems: user manager's database path setting is NOT permanent: it doesn't survive a reboot no external storage was working with user manager: neither microSD slot nor USB storage user manager's database is an sql...

halacs

Simply copying user-manager's directory to a USB stick then set db path to the new directory is enough to migrate without data loss. No need to do backups or whatever just disable the package, copy the files via SCP, re-enable the package and set db path in terminal. So issue is solved now, thanks a...

halacs

As the support didn't answer I had to take the risk and I bought a 64GB microSD card. So the answer is: 64GB card is supported, router could format it to ext3 but seems to be unusable as it is not stable at all. After a reboot microSD gets ejected/unmounted and cannot be remounted without pulling it...

halacs

Yeah, I had a similar idea: disabled user manager package, reboot, remove user-manager directory, re-enable um package, reboot then set the database directory but I got the same error: time out, send logs to the support. Before I did the above I downloaded the user-manger directory and copy-pasted m...

halacs

Now I have a microSD but can't work. I have tried two microSD: a brand new SanDisk 64GB and an older one which is 2GB big. Both could be formatted to ext3 but then I got the following error when I try to move the database which looks really bad. My best guess is 14MB free space on the internal disk ...

halacs

So the question is now simplified a bit: is original SD, SDHC or SDXC supported by my router.
Software side is then clear with ext3: we can say there is no limitation in practice from software point of view. Thanks for the comment!

halacs

My question is.... Why would they limit the possible size of such a card, its not some cheap chinese car video cam knockoff ;-) I saw so many devices with such a limitations. For example, I have a Hikvision network video recorder has 2 SATA disks with 4TB storage limit. Don't know why. Mikrotik did...

halacs

Regarding the microSD card: I found the answer for my question here: https://wiki.mikrotik.com/wiki/Manual:System/Disks#User_manager_moving_database_example The max size of the microSD card is still a question but I plan to order a 'SANDISK Ultra 64GB MicroSDXC 100 MB/s' one as soon as possible. I h...

halacs

Hi,

I have a Mikrotik CCR1009-7G-1C-1S+PC Cloud Core Router.
Does anyone know what is the max microSD card size? I want to buy a 64GB card if it is compatible.

Thanks & br,
Halacs

halacs

It seems my router really have a MicroSD slot, I never used so far.
How can I configure to use microSD for user manager?

Edit:
Do you know the max size of the microSD card I can use? I cannot find it in the specification on mikrotik.com. Thanks!

halacs

Hi, I have a Mikrotik CCR1009-7G-1C-1S+PC router acting as a RADIUS server as well with help of user manager package. Today when I wanted to upgrade to the latest RouterOS release I noticed there is no enough free space to do so. I can I free up some space? I noticed user-manager eats up almost all ...

halacs

And according to MT staff devices are designed to handle power outages without prior executing shutdown. This is a new information for me which means, especially with others you mentioned, I shouldn't care about power outage at all. If UPS is exhausted then it will turn off and will cause power out...

halacs

Hi, I have a Mikrotik Cloud Core router with a USB attached UPS. I want to notify somehow my other device, which is a Mikrotik Cloud Core Switch, in case of a power outage or restore detected by the UPS. So somehow the router should forward the UPS's notifications. Router can hibernate then wake up....

halacs

LAN interface MTU is 1500, true. In IPv6, ND MTU is set to 1280 for all interfaces.

I'm trying to connect servers within Hungary such as the biggest news portal (6ms ping on IPv4, 0% packet loss).

Thanks for your effort!

halacs

In the meanwhile I tried to clamp MSS both in IPv6 firewall/mangle and IPv4 firewall / mangle. It didn't help doesn't matter how small I set (e.g. 1100). You were right.

I'm wondering then why even my Windows 7 PC doesn't work if it is a linux bug.

halacs

Okay, so it is a bug in Ubuntu 18.04.3 LTS or Curl 7.58.0 released on 2018-01-24. If I know correctly, if remote server responds smaller MSS, that smaller MSS will be used in the connection. This is why I have internet at all. Right? But what about the 6to4 tunnel? Plus, if my PC sends too big MSS, ...

halacs

hmm, why? What should I change in my Mikrotik?
I have a PPPoE Internet connection with 1480 MTU.

halacs

On my remote Ubuntu server, I have never changed MTU and MSS. $ cat /sys/class/net/ens3/mtu 1500 ping looks good on IPv4. Curl gets back very fast as expected. On the picture you can see how I curl-ing my remote server. There an 1460 MSS in the SYN and 1440 in the SYN ACK. https://i.imgur.com/bzVQ3q...

halacs

Hi, yes, sure! I pase few other tests below. I have an Ubuntu server with working ipv6 somewhere else. I have curl-ed it while tcpdump was writing pcap file. Here I also found "TCP Retransmission" lines. In contrast with the previous sniff what happened locally in my Mikrotik router, SYN A...

halacs

Thanks a lot pe1chl!

halacs

I got answer from the support:

We don't have any firewall rules on our side configured for any tunnel, except SMTP and IRC filters as exist by default.
-- -H U R R I C A N E - E L E C T R I C-

halacs

So this is the point when I have to contact the tunnel support. Okay, thanks. I will contact them and come back to share the solution.

halacs

I started a packet sniffer on the tunnel interface. I can see a TCP SYN MSS=1220 packet then a TCP SYN ACK mss=1220 (between my PC and google.com) This seems to be good if 1280 is the MTU on the tunnel. Right? What is interesting for me is the TCP Retransmission part. https://i.imgur.com/4NjpWiX.png

halacs

Thanks for the ideas! I have changed MTU in ND as showed on the below picture but didn't help, even after a reboot on the client PC side then on the router side as well. Yes, native IPv6 would be better but as a Hungarian Telecom subscriber I can get native IPv6 address only via zero configuration. ...

halacs

Auch, I have pasted wrong curl call. Curl with google.com is not working even in case of http. $ time curl -6 -v -L google.com * Rebuilt URL to: google.com/ * Trying 2a00:1450:400d:808::200e... * TCP_NODELAY set * Connected to google.com (2a00:1450:400d:808::200e) port 80 (#0) > GET / HTTP/1.1 > Hos...

halacs

Well, it didn't help. I have set what you suggested but problem still exists: ipv6 connection is slow and not all the https pages are loading. Downloading google.com on ipv6 is wrong, but on ipv4: curl -6 -v -L google.com is stuck at https handshake but curl -4 -v -L google.com quickly gives back th...

halacs

ah, sorry, it seems I attached configuration when I really disabled IPv6 address advertisement. IPv6 advertisement was on on the vlan-local interface where IPv6 address itself is now disabled to avoid full internet outage at the clients. I have tried to add IPv6 DNS servers and enable MAC and DNS ad...

halacs

If protocol 41 is blocked then no IPv6 ping should work.
IPv4 addresses at both end of the tunnel should be also fine as IPv6 ping works fine. If I disable the tunnel interface no ping anymore.
Please correct me if I'm wrong.

halacs

Hi, I have a CCR1009-7G-1C-1S+ router with HE IPv6 tunnel. Ping6 works fine, but seemingly nothing else. Do you have any idea what could be the problem? I could setup successfully HE tunnel in my other flat. Full router config can be found here: https://gist.github.com/halacs/7194ff37a373fe7d9a5fc7e...

halacs

Few days ago I have set EoIP tunnels between my two flats and have set VLAN-s too. All fine, but now I can't filter out the IPv6 address advertisements. I tried to use the forward chain and the EoIP interface as the incoming interface with "86dd (ipv6)" MAC protocol, but PCs get IPv6 addre...

halacs

I agree that it would be very good to have some kind of control on the fans. I think we don't really need to have so detailed control but at least some profiles would be really appreciated. Profile like "silent" would keep the fans off as long as possible then turn them on with a much high...

halacs

Actually the dst-nat rules were there. I disabled the eoip tunnel for a couple of minutes then enabled it back.

halacs

Thank you so much for your help and the detailed explanations! I checked that end where the issue happened and the rules were in different order: first accept gre, then the two dst-nat and finally the default masquarade. I moved default masquarade rule at the 2nd place right after the accept gre and...

halacs

Magic :) It started to work now. I have configured both end now at the same way. Very cool! Thanks! :) One more question what I don't understand now: at both end, I can see a 'responder' and an 'initiator' in the ipsec remote peers. The strange thing is the two ends are different, meaning that at on...

halacs

[admin@zoldmali.intra.example.com] > /ip firewall connection print detail where src-address~":4\?500" or dst-address~":4\?500" Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 0 SAC protocol=udp src-address=x.y.5.1...

halacs

I'm just wondering loudly what could be the problem. I have PPTP and L2TP VPN servers on this end. Can it be the problem? Fast forward should be on or off on the bridge where 172.20.0.1 IP is?

halacs

Sure! I disabled the manually created peer (under IPsec/Peers in winbox) but nothing changed. [admin@router.intra.example.com] > /ip ipsec remote-peers print Flags: R - responder, N - natt-peer # ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME 0 message-1-sent x.x.5.107 [admin@router.intra.example.co...

halacs

But I've understood from what you wrote earlier that both ends have dynamic public IP so both need to be configured the other one's domain name, is that true? Yes, that's true. Both end are with dynamic IP changed quite rarely. Initial state is a EoIP tunnel with manually configured local IP addres...

halacs

You are right, sorry. Here are the both end of the tunnel. Router A (where I have set NAT because of dynamic IP) [admin@router.local.example.com] > /ip ipsec peer print Flags: X - disabled, D - dynamic, R - responder 0 D ;;; eoip-tunnel-Zoldmali name="peer17" address=a.b.5.107/32 local-add...

halacs

Hi, today I had some time to understand a bit more the configuration you suggested but it still not working somehow. When I set local IP as my real IP on the WAN interface (ppoe now actually) my EoIP is working but in case of the private IP hack, it's not. Here is my configuration hopefully without ...

halacs

Sounds interesting! It's a bit much for the first glance now so give me some time to process what you wrote then I'll be back with the outcome.

halacs

It works now, thanks! I have set the EoIP tunnel used by the public IPs of the routers and turned off the L2TP site-to-site VPN. It seems all fine with tagged L2 connection. Local endpoint can be only an IP at the EoIP settings. My WAN IP assigned dynamically via DHCP. You meant that this IP will be...

halacs

Okay, thanks! I the meanwhile, I managed EoIP on top of L2TP, but then it is secure enough if I set IPsec secret at the tunnel config. I hope I can set domain name for the remote host instead of the IP, but this is what I will check only tomorrow. WAN side firewall will be interesting, what I have t...

halacs

One more maybe a bit more advanced question: I have site-to-site VPN between two mikrotik router. I have a same VLAN config on them with same IDs. With my previous VLAN settings when I had separated bridges for all VLANs, I could set a bridge in the PPP profile to create a layer 2 VPN connection. No...

halacs

Finally I took the risk and bought one. For others who will be in similar situations, below are the row data as well. There's no much load on it until now just 5 pieces Hikvision security cameras. Regarding the noise: okay, not fully silent because of the 2 fans, but good enough with this load, mean...

halacs

Suggest reading this source if your keen to do the vlan router method.........
viewtopic.php?f=13&t=143620

Thank you so much for the link! It helped a lot! Very good tutorial!

halacs

Thanks for the link! It has an example with proper comments what seems very useful. I tried to do my setup in a very similar way but based on this one I will try it again and come back.

Thanks & br,
Halacs

halacs

Hi, First my question, then my environment. What is the best way to define these VLAN trunks and access point? What is the most flexible way? I will have a new switch what I want to add with the same VLANs but a new trunk cable. I'm not sure I did my configuration the best/easiest way. So about my e...

halacs

I got the following answer from the support regarding the fan control. I share it as it is. It might be useful for others too. Yes, this device has 2 fans, you cannot control them. Fan speed depends on CPU and SFP temperatures. At full speed, they are louder than ambient noise. When CPU/SFP or PoE c...

halacs

Sounds good! One more question: does this also mean that if I have only a limited POE power request (8 devices with max 7 Watt/port) then my device won't turn on the fans? How it goes in your case? I only have 4 PoE devices connected to mine: ether1 ether2 ether11 ether24 poe-out: auto-on auto-on a...

halacs

Sounds good!
One more question: does this also mean that if I have only a limited POE power request (8 devices with max 7 Watt/port) then my device won't turn on the fans? How it goes in your case?

halacs

That's bad. Then this device is not fit into my environment unfortunately.
There is no any device with passive cooling from any vendor, right?

halacs

Hi,

I see this topic is several month old already. I'm wondering if fan control is already solved.

I also want to buy want into my home office to feed my 8 POE security cameras (roughly 7W / camera). All the other devices would be non-POE.

Thanks!

halacs

Thanks all the help. Now it works. I made a stupid mistake first why the package wasn't installed after reboot: forget to check the architecture.
Now I have a working radius server tested with MAC authentication on my WiFi. Next step would be to configure it with a DD-WRT WiFi AP too.

halacs

It is part of the extra packages, right? I have downloaded these files but how to install?

halacs

Hi, I have two Mikrotik router and a DD-WRT too. Would it be possible to use one of them as a radius server for the WiFi authentication at least? I have WPA2-PSK with MAC filtering. It would be nice to configure WiFi users only one place and other APs use that central authentication device. Radius l...

halacs

Thanks! This helped me a lot!

halacs

In case of RB951G-2HnD device, "Routing, 25 ip filter rules, 689.8 Mbps" is shown under the test results for 1518 byte packet size. Does this mean, that if I have just 25 IP filter rules (under IP / Firewall / Filter Rules) , then I should be able to reach this throughput without fast trac...

halacs

Great, thanks, I will check that one! Do you have any hint where I can find these performance related parameters? Where do you know these from?

halacs

I have just added the above two fasttrack firewall rules and my connection immediately because 2 times faster then before so this was definitely the problem. Big thanks! Just to make sure I understand correctly: they should be at the top of my firewall rules, right? Mkx, you mentioned 500Mbps is the...

halacs

Hi, I have a Mikrotik 951G-2HnD router. I suspect it is the bottleneck of my network why I cannot reach Internet with 500Mbps/20Mbps what my ISP should provide. I would like to know what can cause this: configuration of my device or hardware failure. I can measure maximum 100-120Mbps download speed ...

halacs

Hi, I noticed that my ISP (UPC Hungary) provides IPv6 address but my Mikrotik router didn't get it. If I directly connect my Windows 7 PC into the ISP's modem, I get IPv6 tunnel IP. This is how I noticed that IPv6 provisioning. I tried to use DHCPv6 and 4to6 tunnel too to get IPv6 address from my IS...

halacs

Is this the so called "MAC Protocol-Num" in winbox in the "New Bridge Filter Rule"? If yes, how can I filter only the inter-VPN advertisements? I cannot select VPN interface. UPDATE: my problem seems to be solved with the above hint I got. I added a bridge filter for ipv6 MAC pro...

halacs

Hi, I have 2 mikrotik routers interconnected with a layer 2 VPN. Layer 2 because I need to use broadcast messages between the sites because of a DLNA server in use. Is it possible somehow to block IPv6 IP address advertisements via the VPN? I want to avoid somehow to get IPv6 address from the other ...

halacs

Hi, I have a site-to-site L2 VPN. How can I disable to get IPv6 address via VPN? When I turn on IPv6 address advertisement on the Site1, Site2 also get IPv6 address automatically what I want to prevent. I tried with iptables6 rules but I could drop only ping packages while machine on the other site ...

Search found 69 matches