Search found 94 matches

by WojtusW5
Wed Mar 15, 2023 5:15 pm
Forum: General
Topic: Support for WAN side connections for multiple links
Replies: 9
Views: 977

Re: Support for WAN side connections for multiple links

The second rule ( mark routing ) change to passthrough=no! and where are the rules to ensure same same for second WAN? The same approach can be applied to wireguard, think about it. The initial handshake has to come in and out of the same WAN. So by using the endpoint or server address dyndns name ...
by WojtusW5
Wed Mar 15, 2023 4:23 pm
Forum: General
Topic: Support for WAN side connections for multiple links
Replies: 9
Views: 977

Re: Support for WAN side connections for multiple links

Hello, thank you for your reply - I finally managed to embrace the topic, below I am posting the final mangle rules: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=vlan10_LTE new-connection-mark=LTE_conn passthrough=yes add action=mark-routing chain=...
by WojtusW5
Wed Mar 15, 2023 2:23 pm
Forum: General
Topic: Support for WAN side connections for multiple links
Replies: 9
Views: 977

Re: Support for WAN side connections for multiple links

1. The relationship between WAN1 and WAN2. ( assuming two different providers correct?) Is one Primary, to be used by all users and the other secondary only if WAN1 fails. 2. How are external users directed to WAN2 for example, DYDNS name if dynamic, or BY WANIP if fixed/static? All servers on WAN2...
by WojtusW5
Tue Mar 14, 2023 1:43 pm
Forum: General
Topic: Support for WAN side connections for multiple links
Replies: 9
Views: 977

Re: Support for WAN side connections for multiple links

Sorry for the lack of response - I'm completing the topic now. It's about handling incoming traffic TO MikroTik from 2 ISP I have added 2 default routing routes in 2 different tables: /ip route/print detail where dst-address="0.0.0.0/0" Flags: D - dynamic; X - disabled, I - inactive, A - a...
by WojtusW5
Tue Mar 14, 2023 10:42 am
Forum: General
Topic: CRS3xx selective VLAN stacking
Replies: 2
Views: 547

CRS3xx selective VLAN stacking

Hello, I have a problem with the configuration of the vlan stack with CRS3xx, below is the example I am aiming for. All vlans are 0x8100. On ether1 port I assume vlan 100 and 3000 Vlan 100 is a standard "single" vlan that I want to release on the appropriate ports as a tag or untag - I hav...
by WojtusW5
Thu Dec 15, 2022 7:40 pm
Forum: General
Topic: Support for WAN side connections for multiple links
Replies: 9
Views: 977

Support for WAN side connections for multiple links

Hello, I have a problem with the configuration in RouterOS v7.6 of the correct handling of return traffic when connections initiated from the WAN side to addresses served by a table other than main. I currently have 2 links one has a default route in the main table the other has a default route in a...
by WojtusW5
Tue Sep 20, 2022 5:15 pm
Forum: General
Topic: Problem with disconnecting wifi client (wave2)
Replies: 2
Views: 884

Problem with disconnecting wifi client (wave2)

Hi, I'm having trouble disconnecting clients on my Wi-Fi network - I'm using hAP ac3 with wave2 package. The "key handshake timeout", "group key timeout", "does not have matching pairwise cipher" errors are most frequently repeated in the logs for individual devices. My...
by WojtusW5
Sun May 29, 2022 3:33 pm
Forum: General
Topic: Encryption in Wi-Fi Wave2
Replies: 0
Views: 591

Encryption in Wi-Fi Wave2

Hello, I have a question about Wi-Fi security with the Wave 2 package. I mean encryption, can anyone explain the difference between CCMP (256) and GCMP (256)? And what is the safest configuration while maintaining high compatibility with client devices? In the old configuration method, there was mai...
by WojtusW5
Tue May 24, 2022 7:50 pm
Forum: General
Topic: Feature Request: Domain name support in the speedtest tool
Replies: 3
Views: 347

Re: Feature Request: Domain name support in the speedtest tool

speed-test?
where is it?

Usually imprecise and approximative requests are ignored from MikroTik staff.
Hello, this is either in winbox (recently added so use the latest version) or in CLI /tool/speed-test
by WojtusW5
Tue May 24, 2022 7:47 pm
Forum: General
Topic: Wireguard dynamic enpoint address
Replies: 7
Views: 2185

Wireguard dynamic enpoint address

Hello I have a problem with wireguard Site2Site. One of the parties has a variable IP address with a DDNS service. By giving the DDNS address to the other party, the tunnel sets up, but when the address is changed, there is no communication. It looks like the address in the Endpoint field is not ref...
by WojtusW5
Fri May 20, 2022 9:50 am
Forum: General
Topic: Feature Request: Disable log from logging by the specified service
Replies: 7
Views: 1528

Feature Request: Disable log from logging by the specified service

Hello, I think that a useful option would be the ability to disable log generation for a given login method. For example, for the API - when we have a script logging every minute, it unnecessarily clutters the logs with entries. I know that it can turn off the logs of this title at all, but it will ...
by WojtusW5
Fri May 20, 2022 9:43 am
Forum: General
Topic: Feature Request: Domain name support in the speedtest tool
Replies: 3
Views: 347

Feature Request: Domain name support in the speedtest tool

Hello
I propose to add domain name support in the address parameter in the speedtest tool.
This currently works in the bandwidth-test client but not in speed-test.
by WojtusW5
Wed Jan 26, 2022 12:17 pm
Forum: General
Topic: RouterOSv7 OSPF filters
Replies: 0
Views: 1775

RouterOSv7 OSPF filters

Hi, question about OSPF and filters. In RoSv6, you could use the "set-routing-mark" option in the filter and the resulting routes fell into a separate table. Can it be done in RoSv7? After updating, the filter that did so has a telling comment: "upgrade-notes: 'set-routing-mark OSPF' ...
by WojtusW5
Fri Dec 17, 2021 8:10 pm
Forum: General
Topic: Separate routing tables in RouterOS v7
Replies: 0
Views: 3704

Separate routing tables in RouterOS v7

Hello, I have a question regarding the configuration of routing traffic to different routing tables in RouterOS v7. In RoSv6, wanting to redirect even very specific traffic (for example by specifying IP addresses, interfaces, port and protocol), I simply did routing mark, then adding routing in IP->...
by WojtusW5
Thu Apr 22, 2021 11:40 am
Forum: General
Topic: Setting specific routing via IKEv2 - linux and macos
Replies: 0
Views: 589

Setting specific routing via IKEv2 - linux and macos

Hi, the topic is not strictly about routerOS, but about using it as an IKEv2 VPN server. Can anyone meet the topic of configuring the forwarding of specific routes through an IKEv2 tunnel. On Ubuntu (graphical network manager) and macos. Because on these systems only the first upload route via split...
by WojtusW5
Sun Feb 21, 2021 12:41 pm
Forum: General
Topic: Native IKEv2 client issue in Android 11
Replies: 2
Views: 1586

Native IKEv2 client issue in Android 11

Hello, I'm trying to switch from an external strongswan application to the native ikev2 client which I have in my Google Pixel 4 with Android 11. I have a problem with configuring the encryption mechanisms, including extended logs, I can see that Android sends the following values: feb/20 23:39:32 i...
by WojtusW5
Sat Oct 31, 2020 11:35 pm
Forum: RouterOS beta
Topic: Feature request: mDNS relay/proxying across networks
Replies: 5
Views: 1700

Re: Feature request: mDNS relay/proxying across networks

+1
This is a very important functionality
by WojtusW5
Tue Oct 27, 2020 4:09 pm
Forum: General
Topic: Packet fragmentation - high ping
Replies: 5
Views: 1205

Re: Packet fragmentation - high ping

So in another words, it is not an EoIP problem, because bare ping with large fragments has the same issue. OK, so what about the sniffing? On every ping request sent, you should see two ICMP packets in the sniff, example: [me@HyperV-CHR-1] > tool sniffer quick ip-protocol=icmp INTERFACE TIME NUM DI...
by WojtusW5
Tue Oct 27, 2020 3:16 pm
Forum: General
Topic: Packet fragmentation - high ping
Replies: 5
Views: 1205

Re: Packet fragmentation - high ping

It really sounds weird. So first, when you ping between the EoIP endpoints outside the EoIP tunnel, is the round-trip time much better or the same like when pinging through the tunnel? Second, do you specify any echo request packet size when pinging through the EoIP tunnel, or do you ping with the ...
by WojtusW5
Tue Oct 27, 2020 12:28 pm
Forum: General
Topic: Packet fragmentation - high ping
Replies: 5
Views: 1205

Packet fragmentation - high ping

Hi, I have a question regarding packet fragmentation. I have an L2 network that passes through another operator's infrastructure. Unfortunately, there is a problem with increasing the MTU. Through this network I transmit EoIP tunnels where I have to send traffic in 1900 packets. So I have MTU set in...
by WojtusW5
Mon Oct 19, 2020 4:28 pm
Forum: Scripting
Topic: Search for interfaces containing the word
Replies: 2
Views: 798

Re: Search for interfaces containing the word

In RoOS CLI it will be so
/interface print where type="eoip" name~"NEW"
Ok, but according to the documentation, the ~ character is not supported in the API. I haven't found any other example of how to do this.
by WojtusW5
Mon Oct 19, 2020 12:19 pm
Forum: Scripting
Topic: Search for interfaces containing the word
Replies: 2
Views: 798

Search for interfaces containing the word

Hi, I am looking for a solution for an API (PHP) in which I will download an interface whose name contains a specific word.
For example, all EoIP interfaces that contain the word NEW.
For example, eoip_MS_NEW but not eoip_MS_SEC.

Thank you in advance.
by WojtusW5
Wed Aug 05, 2020 10:35 am
Forum: Wireless Networking
Topic: CAPsMAN with local forwarding - customer separation [SOLVED]
Replies: 10
Views: 4794

Re: CAPsMAN with local forwarding - customer separation [SOLVED]

Thanks for all the answers.
I also got info from the support - the only option to separate clients from different cAP interfaces is to introduce traffic filtering rules on the bridge.
by WojtusW5
Fri Jul 31, 2020 12:37 pm
Forum: Wireless Networking
Topic: CAPsMAN with local forwarding - customer separation [SOLVED]
Replies: 10
Views: 4794

Re: CAPsMAN with local forwarding - customer separation [SOLVED]

This parameter set on the controller has no effect on local forwarding. Which one? And the bridge horizon field on dynamic interfaces is not configurable. You set it in datapath tab of capsman config together with the bridge setting, not in bridge menu. We are talking here about local forwarding, n...
by WojtusW5
Fri Jul 31, 2020 11:37 am
Forum: Wireless Networking
Topic: CAPsMAN with local forwarding - customer separation [SOLVED]
Replies: 10
Views: 4794

Re: CAPsMAN with local forwarding - customer separation [SOLVED]

How about simple drop rule in firewall with source and destination IP same subnet? Maybe excluded wan interface if breaks net, not sure you can try. This traffic does not reach the router (controller). Alternatively what you say could be done on the cAP itself (using bridge filtering). However, i.e...
by WojtusW5
Tue Jul 28, 2020 10:56 pm
Forum: Wireless Networking
Topic: CAPsMAN with local forwarding - customer separation [SOLVED]
Replies: 10
Views: 4794

Re: CAPsMAN with local forwarding - customer separation [SOLVED]

I can only use bridge horizon with capsman forwarding. With local forwarding, the only interface on the router is vlan for the guest network (common for 2.4GHz and 5GHz interfaces). On the cap, the interfaces add to the bridge dynamically so there also can't use bridge horizon. I use local forwar...
by WojtusW5
Tue Jul 28, 2020 11:15 am
Forum: Wireless Networking
Topic: CAPsMAN with local forwarding - customer separation [SOLVED]
Replies: 10
Views: 4794

CAPsMAN with local forwarding - customer separation [SOLVED]

Hi, I have a capsman based wireless network using local forwarding. The configuration is very similar to this one https://wiki.mikrotik.com/wiki/Manual:CAPsMAN_with_VLANs One of the networks is a guest network broadcast at 2.4GHz and 5GHz and it is provided by one vlan to the AP. In the configuratio...
by WojtusW5
Thu Jun 18, 2020 4:36 pm
Forum: General
Topic: Join to multicast group
Replies: 1
Views: 882

Join to multicast group

Hello, I need to insert the device into the IPTV network. Is there an option to order one or more multicast groups on RouterBOARD that would simply be ordered and that's it ? I had no contact with the multicast module in RouterOS so if such an option exists and someone could send an example config I ...
by WojtusW5
Tue Feb 11, 2020 8:34 pm
Forum: General
Topic: IPSEC Xauth PSK tunnel on Android
Replies: 0
Views: 2065

IPSEC Xauth PSK tunnel on Android

Hi, is it possible to configure the native Android client to connect to the IPSEC Xauth PSK tunnel with RouterOS and accept the routes sent to it ? I have a problem that after RouterOS sends "MODE_CFG REPLY" no further communication occurs and Android disconnects. Is there any method to do...
by WojtusW5
Fri Nov 29, 2019 12:49 am
Forum: General
Topic: Problem with expiring IPv6 addresses
Replies: 2
Views: 1444

Problem with expiring IPv6 addresses

Hello, I noticed a rather strange problem with the IPv6 address in the "LAN" network. The problem mainly concerns devices using WLAN. Some time after connecting the device loses communication via IPv6, they also disappear from neighbors on the mikrotik. The only solution is to disconnect f...
by WojtusW5
Tue Sep 17, 2019 9:42 am
Forum: RouterOS beta
Topic: Torrent client
Replies: 59
Views: 36052

Re: Torrent client

I was able to get the torrent client working but it wouldn't save the USB I had installed. It just ate up the ram disk. Kali has torrents available and I downloaded a .torrent file and uploaded it to the 3011. https://www.kali.org/downloads/ Then I enabled the client and it started downloading to R...
by WojtusW5
Mon Sep 16, 2019 4:47 pm
Forum: RouterOS beta
Topic: Torrent client
Replies: 59
Views: 36052

Torrent client

Hi, can I describe how to use the Torrent client ??
In system hints there is no such information and the system expects only one parameter.
[admin@MikroTik] > ip torrent/torrents/ add copy-from=

CopyFrom ::= see documentation
Thanks in advance.
by WojtusW5
Wed Aug 28, 2019 8:34 pm
Forum: RouterBOARD hardware
Topic: CRS326-24S+2Q+RM - 40G passive connection with Huawei [SOLVED]
Replies: 6
Views: 7251

Re: CRS326-24S+2Q+RM - 40G passive connection with Huawei [SOLVED]

If I connect 2 ports 40G with a MikroTik passive cable on a Huawei switch (making a theoretical loop) the ports are up. If I connect 2 ports 40G with a MikroTik passive cable on a MikroTik CRS 326 switch (making a theoretical loop) the ports are up. If I connect using the same cable Huawei to MikroT...
by WojtusW5
Fri Aug 23, 2019 5:15 pm
Forum: RouterBOARD hardware
Topic: CRS326-24S+2Q+RM - 40G passive connection with Huawei [SOLVED]
Replies: 6
Views: 7251

CRS326-24S+2Q+RM - 40G passive connection with Huawei [SOLVED]

Hello, I have a problem with connecting CRS326-24S + 2Q + RM with Huawei S6720-54C-EI-48S-AC switch. The connection is made using a MikroTik Q+DA0001 40GBPS QSFP+ cable. Both devices can see the passive cable correctly. Interestingly, when 2 ports of the same device are connected (MikroTik and Huawe...
by WojtusW5
Sat Aug 03, 2019 12:35 pm
Forum: General
Topic: Queuing bandwidth test [SOLVED]
Replies: 2
Views: 2078

Re: Queuing bandwidth test [SOLVED]

Right, stupid mistake :( Thank you for your help /queue tree add max-limit=20M name=master_up parent=ether1 queue=pcq-upload-default add max-limit=200M name=master_down parent=global queue=pcq-download-default add limit-at=1M max-limit=200M name=lan_down packet-mark=lan_down parent=master_down prior...
by WojtusW5
Sat Aug 03, 2019 12:32 pm
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 173
Views: 80707

Re: Feature request - DNSCrypt support...

+1 a very good idea that encrypted DNS support will be implemented in RouterOS
by WojtusW5
Wed Jul 31, 2019 3:20 pm
Forum: General
Topic: Queuing bandwidth test [SOLVED]
Replies: 2
Views: 2078

Queuing bandwidth test [SOLVED]

Hi, I am trying to perform a configuration that will prioritize LAN traffic and limit BT made from the RouterOS level. I assumed that I would use a queue tree with this priority setting. Unfortunately, this solution does not work (BT has a higher speed than LAN). /interface bridge add name=br_lan pr...
by WojtusW5
Fri Jul 19, 2019 11:49 am
Forum: General
Topic: IPSEC performance problem
Replies: 17
Views: 5967

Re: IPSEC performance problem

I am absolutely not saying that the results given by MikroTik are distorted. However, even after you have applied the steps you used, the speed is still around 230Mbps. Performs iperf3 from a computer on the local network. On hAP ac2, connection tracking is off. ether2 - LAN ether5 - WAN My config: /...
by WojtusW5
Fri Jul 19, 2019 10:19 am
Forum: General
Topic: IPSEC performance problem
Replies: 17
Views: 5967

Re: IPSEC performance problem

In the attachment I am sending screen of devices between which I am doing the test. Looks like you're testing single core performance of a hAP ac2 by single threaded b-test here. Ok, but see results with IPSEC off - the traffic spreads to all cores. With IPSEC enabled one core is maximally saturate...
by WojtusW5
Fri Jul 19, 2019 12:02 am
Forum: General
Topic: IPSEC performance problem
Replies: 17
Views: 5967

Re: IPSEC performance problem

By "incomplete use" I meant that the processor with IPSEC enabled was not fully used. Honestly, I would not look for problems with MTU. More with h2 ac2 performance. In the attachment I am sending screen of devices between which I am doing the test. I am wondering about IRQ called qca_cryp...
by WojtusW5
Thu Jul 18, 2019 11:51 am
Forum: General
Topic: IPSEC performance problem
Replies: 17
Views: 5967

Re: IPSEC performance problem

Note that published results are strictly synthetic and achieved with only plain IPsec tunnel configured on the router. For example, connection tracking can significantly reduce the encrypted throughput. Also if you are using L2TP, it creates additional overhead thus bringing the encrypted throughpu...
by WojtusW5
Thu Jul 18, 2019 11:15 am
Forum: General
Topic: IPSEC performance problem
Replies: 17
Views: 5967

IPSEC performance problem

Hello, I have a problem with IPSEC performance. I have the RB4011 and hAP ac2 connected directly via an ethernet cable. 4011 is the gateway for ac2, with ac2 I perform a bandwidth test to the server and the local traffic exchange node. It then gets almost 1Gb/s and all cores in ac2 are maximally used...
by WojtusW5
Tue Jun 18, 2019 12:46 am
Forum: General
Topic: Problem after switching on SSTP
Replies: 2
Views: 981

Re: Problem after switching on SSTP

On remote end, have you looked at whatsmyip to ensure they are not using VPN as Internet Access?
Yes, I'm sure.
by WojtusW5
Mon Jun 17, 2019 3:03 pm
Forum: General
Topic: Problem after switching on SSTP
Replies: 2
Views: 981

Problem after switching on SSTP

Hello, I have 2 problems. 1. I have an SSTP tunnel between MikroTik devices that transmits local networks. The client has "add default route" disabled and the routes are entered statically. The internet of each party has as part of its own ISP. The problem is that when you turn on the tunn...
by WojtusW5
Fri Jun 14, 2019 2:21 pm
Forum: General
Topic: IPv6 SLAAC WAN - 2 gateway
Replies: 0
Views: 690

IPv6 SLAAC WAN - 2 gateway

Hello, I have a question about the operation of SLAAC in MT. We have implemented IPv6 on one of our devices. It has a connection class with its default gateway with the prefix / 126 (address assigned statically). There are 2 gateways in the network that advertise their link-local addresses using the...
by WojtusW5
Thu May 23, 2019 3:24 pm
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

Hi, However, it will not be possible to establish an L2TP + IPSEC with RSA connection. MikroTik does not plan to do this for IKEv1. Below is the answer of the support: "Currently we do not have plans to implement identity matching by certificate for IKEv1 main mode as it is not easy due to prot...
by WojtusW5
Thu May 09, 2019 4:15 pm
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

@sindy - I see that in general the solution to this problem that the certificate identifies the client will be difficult if at all possible.

@Sob - I also hope that EAP will also appear in other RouterOS sites.
by WojtusW5
Thu May 09, 2019 7:34 am
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

I believe that no support for EAP (and thus "current user" certificates) is current limitation of MikroTik's IKEv2. See the RouterOS test branch changelog: MAJOR CHANGES IN v6.45: ---------------------- !) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);...
by WojtusW5
Wed May 08, 2019 8:45 pm
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

OK, so Wireshark says the certificate itself (or rather its informational part alone) is used as initiator ID - ID type: DER_ASN1_DN (9) Payload: Identification (5) Next payload: Certificate (6) Reserved: 00 Payload length: 59 ID type: DER_ASN1_DN (9) Protocol ID: Unused Port: Unused Identification...
by WojtusW5
Wed May 08, 2019 11:19 am
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

Sure, I do not see a problem to throw it in, let me just say honestly, I do not know where to look for it Use the same /system logging settings you did before, set match-by=remote-id and remote-id=auto , run /log print follow-only file=ipsec-startup where topics~"ipsec" , let the client s...
by WojtusW5
Wed May 08, 2019 9:47 am
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

Hello friends. I have a problem with my VPN. My configuration is as follows. Rb2011(A) - WAN receives a dynamic public IP -----LAN is 192.168.2.254 Rb2011(B) - WAN receives a dynamic public IP -----LAN is 192.168.1.254 RB1100AHX2 - 2 WAN PORTS that receive IPs from the RBs above. LAN PORT is 192.168.51....
by WojtusW5
Tue May 07, 2019 11:51 pm
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

In the ticket I added a link to this thread so support will stay up to date with the information. Nevertheless, would you mind finding out what ID type and value the Windows embedded client sends? It could be useful for others. If you cannot find it there and don't want to publish the log here, let...
by WojtusW5
Tue May 07, 2019 1:28 pm
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

But this solution does not make sense because you lose the ability to authorize the customer. Oh my. So it seems the bug is a more complex one. When you want to identify individual peers (and possibly provide individual treatment like policy-template-group and mode-config to them), a particular row...
by WojtusW5
Tue May 07, 2019 11:36 am
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

Still, if you set match-by=remote-id , you should get further, and the log might show the ID which the Windows client sends, so you could create a certificate with the proper subject-alt-name and be up and running long before Mikrotik fixes it. Search for peer's ID in the log, although it shows onl...
by WojtusW5
Tue May 07, 2019 10:52 am
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

OK. So I've set up a test and found out that match-by=certificate is the reason; if I set it (the default value is remote-id ), an otherwise working setup breaks the same way like yours. You are affected by the issue, so it is your job to send that to support@mikrotik.com. That doesn't necessarily ...
by WojtusW5
Tue May 07, 2019 10:10 am
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

Re: L2TP + IPSEC with certificate - problem [SOLVED]

Unfortunately after changes: 1. Remote ID Type = ignore 2. Generating a new client certificate: K I name="Client_new1" digest-algorithm=sha256 country="PL" common-name=MAIL key-size=8192 subject-alt-name="" days-valid=365 trusted=no key-usage=ipsec-end-system,ipsec-tunn...
by WojtusW5
Tue May 07, 2019 1:59 am
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 11421

L2TP + IPSEC with certificate - problem [SOLVED]

Hi, I'm trying to put a VPN server using L2TP in conjunction with the certificates. I do not use the IPsec wizard in the L2TP server settings. After performing the IPsec configuration using PSK everything works fine but with certificates I have a "no identity suits proposal" error. It oc...
by WojtusW5
Sat Apr 20, 2019 8:04 am
Forum: General
Topic: Problem with IPv6 neighbours [SOLVED]
Replies: 2
Views: 1757

Re: Problem with IPv6 neighbours [SOLVED]

Problem has been solved :) Virtualization proxmox on which the virtual machine with RouterOS has been enabled has IGMP Snooping turned on by default, which cut these packages. The solution to disable IGMP Snooping on a specific bridge is: echo 1 > /sys/devices/virtual/net/ bridge /bridge/multicast_q...
by WojtusW5
Sat Apr 20, 2019 12:28 am
Forum: General
Topic: IPv6 for client via SSTP
Replies: 0
Views: 977

IPv6 for client via SSTP

Hello, I try to provide IPv6 address on my SSTP server. As client I use this app: https://play.google.com/store/apps/details?id=it.colucciweb.sstpvpnclient When I turn on IPv6 on server (ROS v6.44.2 stable) server and client assign link-local addresses to each other. But I can't give useful IPv6 ad...
by WojtusW5
Thu Apr 18, 2019 11:32 pm
Forum: General
Topic: NordVPN
Replies: 17
Views: 9598

Re: NordVPN

Nope to both (moreover, non-accelerated AES on OVPN will be slow). Since NordVPN has deprecated L2TP/IPsec in late 2018 (for some obscure reasons), ROS is no longer able to connect to NordVPN. I've replaced my CHR with OPNsense because of that, and currently using OVPN from it. Runs well, including...
by WojtusW5
Thu Apr 18, 2019 4:54 pm
Forum: General
Topic: NordVPN
Replies: 17
Views: 9598

NordVPN

Hi, the topic has been discussed many times.
After the recent changes in IPSEC, MT is able to connect with NordVPN (IKEv2 with EAP).
And the second question, was anyone having fun trying to connect OpenVPN to NordVPN ?

Thank You in advance
by WojtusW5
Thu Mar 21, 2019 8:13 pm
Forum: General
Topic: Encryption of backup making in script [SOLVED]
Replies: 1
Views: 1495

Encryption of backup making in script [SOLVED]

Hello, I have a question about encryption of backup file make in script.
When I create a script whose owner user have a password this generated file be encrypted with this password ?

Thank you in advance :)
by WojtusW5
Mon Mar 11, 2019 5:04 pm
Forum: General
Topic: Problem with IPv6 neighbours [SOLVED]
Replies: 2
Views: 1757

Re: Problem with IPv6 neighbours [SOLVED]

After more thorough verification, the problem is with no sending neighbor advertisement packet. After a few minutes after I add IPv6 address RouterOS stops send neighbor advertisement. The only solution is disable and enable IPv6 address. But on link-local address communication works all time. Mikro...
by WojtusW5
Wed Feb 27, 2019 1:58 pm
Forum: General
Topic: Problem with IPv6 neighbours [SOLVED]
Replies: 2
Views: 1757

Problem with IPv6 neighbours [SOLVED]

Hi, I have problem with IPv6 IP.
After reboot my MikroTik IPv6 is working correctly but after a few minutes RouterOS stops send neighbor-advertisement to gateway.
I use /126 IPv6 network to connect with my ISP.

Please help
by WojtusW5
Tue Feb 19, 2019 8:53 pm
Forum: Beginner Basics
Topic: Problem with recursive routting [SOLVED]
Replies: 4
Views: 2533

Re: Problem with recursive routting [SOLVED]

Thank You !!!
I didn't think about it in this way.

Please moderators to close this topic.
by WojtusW5
Mon Feb 18, 2019 11:33 pm
Forum: Beginner Basics
Topic: Problem with recursive routting [SOLVED]
Replies: 4
Views: 2533

Problem with recursive routting [SOLVED]

Hello, I create a routing table for use recursive routing. I was used 2 ISP and 2 IP in internet for test. My routing table look like this: /ip route add check-gateway=ping distance=1 dst-address=208.67.222.222/32 gateway=172.20.150.14 add check-gateway=ping distance=1 gateway=208.67.222.222 target-...
by WojtusW5
Sat Dec 29, 2018 1:11 pm
Forum: General
Topic: PWR-Line AP - problem with cominicate
Replies: 9
Views: 4484

Re: PWR-Line AP - problem with cominicate

After upgrade to 6.43.8, it started working.
The interface pwr-line1 also appeared.
Surprisingly, the factory equipment was 6.42.7 ...
Nevertheless, thank you everyone.
by WojtusW5
Sat Dec 29, 2018 12:57 pm
Forum: General
Topic: PWR-Line AP - problem with cominicate
Replies: 9
Views: 4484

Re: PWR-Line AP - problem with cominicate

I see them separately when I connect the cable to it. But they do not see each other. Device 1: [admin@MikroTik] > export # dec/29/2018 11:52:21 by RouterOS 6.42.7 # software id = 1TNZ-061I # # model = PL7411-2nD # serial number = 9E7509A09BF0 /interface bridge add admin-mac=B8:69:F4:BA:DA:78 auto-m...
by WojtusW5
Sat Dec 29, 2018 11:07 am
Forum: General
Topic: PWR-Line AP - problem with cominicate
Replies: 9
Views: 4484

Re: PWR-Line AP - problem with cominicate

That's what I do.
The orange and blue LEDs are permanently on.
The diode with the network icon (drawn green) flashes.
by WojtusW5
Sat Dec 29, 2018 10:35 am
Forum: General
Topic: PWR-Line AP - problem with cominicate
Replies: 9
Views: 4484

PWR-Line AP - problem with cominicate

Hi, I have 2 PWR-Line devices for tests. They have RouterOS 6.42.7 and default config. I am doing a pairing instruction: https://i.mt.lv/cdn/rb_files/1544441162PWR-LINE-AP-qg.pdf On both devices the orange LEDs are constantly on but I don't have communication between device. Please help because I don't...
by WojtusW5
Fri Dec 21, 2018 5:59 pm
Forum: General
Topic: Problem with OpenVPN client - TLS failed
Replies: 4
Views: 23957

Re: Problem with OpenVPN client - TLS failed

Log from server: Wed Dec 19 22:18:54 2018 us=837802 IP:58497 TLS: Initial packet from [AF_INET]IP:58497, sid=40f2de8f a1c8edaa Wed Dec 19 22:18:54 2018 us=848374 IP:58497 Connection reset, restarting [0] Wed Dec 19 22:18:54 2018 us=848392 IP:58497 SIGUSR1[soft,connection-reset] received, client-inst...
by WojtusW5
Thu Dec 20, 2018 2:25 pm
Forum: General
Topic: Problem with OpenVPN client - TLS failed
Replies: 4
Views: 23957

Problem with OpenVPN client - TLS failed

Hello, I have problem with connect to OpenVPN server. When I try to connect I have an error "terminating - TLS failed". My config: /interface ovpn-client add certificate=ca.crt_0 cipher=aes128 connect-to=server mac-address=02:6D:CB:4E:7F:91 name=ovpn-out1 password=pass user=login Log: 12:2...
by WojtusW5
Tue Dec 18, 2018 1:51 am
Forum: General
Topic: IPSEC in EoIP
Replies: 0
Views: 692

IPSEC in EoIP

Hello, I have a question about IPSEC encryption in an EoIP tunnel. When I set the IPSEC key in the EoIP settings I see a warning in IPSEC->PEERS that this method is not secure and that I should use certificates. My question is whether the built-in RouterOS functionality (without certificates) is really dangerous...
by WojtusW5
Mon Dec 10, 2018 2:06 pm
Forum: Wireless Networking
Topic: WPS on virtual access point
Replies: 1
Views: 1666

WPS on virtual access point

Hello, I have a question about WPS. I have my home network on the physical interface. I need to create a second SSID for a network where there will be devices using WPS. On the "master" network I have disabled WPS, but on the virtual network I need it set to "push-button-virtual-only". And now the qu...
by WojtusW5
Thu Nov 29, 2018 4:38 pm
Forum: Scripting
Topic: How to pass variable between scripts
Replies: 10
Views: 4427

Re: How to pass variable between scripts

Hello, I have a similar problem. I have 2 scripts: name="test1" source=:global test "12345"; name="test2" source=:put $test; And I can't display the global variable from the script [admin@test] /system script> run test1 [admin@test] /system script> environment print # NAME VALUE 0 ...
by WojtusW5
Wed Nov 28, 2018 2:33 pm
Forum: Scripting
Topic: Hide the fetch log
Replies: 3
Views: 2599

Re: Hide the fetch log

Try under System-Logging to add under Rules - Topic info Prefix line ! fetch But the fetch option is not on the topics list /system logging> add topics= account bridge ddns e-mail gsm interface l2tp mpls pim radius route smb store timer warning ! async calc debug error health ipsec ldp ntp poe-out radvd ...
by WojtusW5
Wed Nov 28, 2018 1:41 pm
Forum: Scripting
Topic: Hide the fetch log
Replies: 3
Views: 2599

Hide the fetch log

Hello, I have a problem using the fetch function in my script. I use the construction :local fullMessage ([/tool fetch url="$apiUrl/export.php?export" output=user as-value]->"data"); And in the log I have many lines: 12:35:47 info fetch: file "export.php?export" downloaded 12:35...
by WojtusW5
Sat Aug 25, 2018 12:00 pm
Forum: General
Topic: RB 3011 Multicast problem
Replies: 10
Views: 3395

Re: RB 3011 Multicast problem

Hi, I would have to connect WAN to the ethernet port. Then you will use hw-offload for vlan IPTV, but you have to remember about the lack of igmp-snooping because of this configuration. Unfortunately, at the SFP port you will not do it - it is plugged directly into the CPU and not to the chip-switch.
by WojtusW5
Wed Aug 01, 2018 12:11 am
Forum: General
Topic: Problem with import p12 ipsec certificate into Android strongSwan
Replies: 0
Views: 725

Problem with import p12 ipsec certificate into Android strongSwan

Hi, I have a problem importing a .p12 file into strongSwan on my mobile phone.
In the certificate selection list, they are inactive (you can not click on them) - screen in attachment.
Could someone have such a problem?
by WojtusW5
Tue Jul 31, 2018 7:32 pm
Forum: General
Topic: IPSEC IKEv2 problem -
Replies: 15
Views: 16293

Re: IPSEC IKEv2 problem -

Ok, now it works. /ip ipsec mode-config add address-pool=IPSEC address-prefix-length=32 name=cfg1 static-dns=8.8.8.8 system-dns=no /ip ipsec proposal set [ find default=yes ] lifetime=0s pfs-group=none /ip ipsec peer add address=0.0.0.0/0 auth-method=rsa-signature certificate=IPSEC_Server dh-group=m...
by WojtusW5
Mon Jul 30, 2018 3:31 pm
Forum: General
Topic: IPSEC IKEv2 problem -
Replies: 15
Views: 16293

Re: IPSEC IKEv2 problem -

My config in this moment: /ip ipsec mode-config set [ find default=yes ] name=request-only add address-pool=IPSEC address-prefix-length=24 name=cfg1 static-dns=8.8.8.8 system-dns=no /ip ipsec policy group set [ find default=yes ] name=default /ip ipsec proposal set [ find default=yes ] auth-algorith...
by WojtusW5
Mon Jul 30, 2018 3:18 pm
Forum: General
Topic: IPSEC IKEv2 problem -
Replies: 15
Views: 16293

Re: IPSEC IKEv2 problem -

The RouterOS version and the firmware is the same - 6.42.5.
In the register I send a file - after breaking the connection, the logs were generated with dizzying activities.
by WojtusW5
Mon Jul 30, 2018 1:48 pm
Forum: General
Topic: IPSEC IKEv2 problem -
Replies: 15
Views: 16293

Re: IPSEC IKEv2 problem -

Unfortunately, 2048 does not start 1536, it does not connect - no restrictions on the rules.
However, I do not understand how this would solve the problem of transmission failure.
by WojtusW5
Mon Jul 30, 2018 12:11 pm
Forum: General
Topic: IPSEC IKEv2 problem -
Replies: 15
Views: 16293

Re: IPSEC IKEv2 problem -

Ehh... Windows :) dh-group=modp1024 The tunnel sets up and works, however, after some unspecified time, the transmission disappears. After disconnecting and reconnecting it works again for some time. Logs: 10:56:04 ipsec payload seen: SA 10:56:04 ipsec payload seen: NONCE 10:56:04 ipsec payload seen...
by WojtusW5
Sun Jul 29, 2018 11:40 pm
Forum: General
Topic: IPSEC IKEv2 problem -
Replies: 15
Views: 16293

Re: IPSEC IKEv2 problem -

Ok, thank you. Now I have "policy match error" in Windows 10. In RouterOS log: ipsec notify: NO_PROPOSAL_CHOSEN [admin@MikroTik] > ip ipsec export verbose /ip ipsec mode-config set [ find default=yes ] name=request-only add address-pool=IPSEC address-prefix-length=24 name=cfg1 static-dns=8...
by WojtusW5
Sun Jul 29, 2018 4:01 pm
Forum: General
Topic: IPSEC IKEv2 problem -
Replies: 15
Views: 16293

IPSEC IKEv2 problem -

Hi, I have a problem establishing an IPSEC IKEv2 tunnel. Mikrotik <--> Windows 10. My config: /interface vlan add interface=ether1 name=vlan10 vlan-id=10 /ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal_ipsec pfs-group=none /ip pool add name=IPSEC ranges=192.168.10...
by WojtusW5
Tue May 08, 2018 8:01 am
Forum: General
Topic: v6.42.1 Bridge Port Add
Replies: 1
Views: 1084

v6.42.1 Bridge Port Add

Hi, I have a question about new options for adding ports to the bridge Przechwytywanie.JPG The documentation describes these parameters vaguely so I am asking you to confirm whether I think well unknown-unicast-flood selected - unknown unicast traffic that will come to this port is forwarded to all ...
by WojtusW5
Sun Mar 25, 2018 7:42 pm
Forum: RouterBOARD hardware
Topic: Mode button on devices
Replies: 2
Views: 13680

Mode button on devices

Hi,
I have a question: what is the mode button on the routers (for example at the top of the RB 941)? Photo in attachment.
When I press the button, there is no action (default and empty configuration).

Thank you in advance for your help
by WojtusW5
Thu Dec 28, 2017 7:56 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 138870

Re: v6.41 [current]

Hi, I have a problem with hw-offload and IGMP Snooping on my CRS109-8G-1S-2HnD. I use this function to support IPTV. After selecting a channel on the STB I see in the MDB that the multicast group has been ordered but there is no transmission from it. When I checked the traffic in the torch, I saw tha...
by WojtusW5
Mon Dec 04, 2017 6:44 pm
Forum: General
Topic: RB 3011 Multicast problem
Replies: 10
Views: 3395

Re: RB 3011 Multicast problem

I have both IP TV and Internet from the same provider. I do however not handle IP TV in the router at all. I do all the VLAN and so on in my switch. So IP TV never hits a Mikrotik device at home only my switches. Found this to work better. My switches also support multicast very well and I have ver...
by WojtusW5
Mon Dec 04, 2017 6:32 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 206640

Re: v6.41rc [release candidate] is released! New bridge implementation!

Hi, small off-topic: when will 6.41 be the current version?
Is there an initial deadline?
by WojtusW5
Mon Dec 04, 2017 2:12 pm
Forum: General
Topic: RB 3011 Multicast problem
Replies: 10
Views: 3395

Re: RB 3011 Multicast problem

Hi,
try latest RC
"*bridge - fixed multicast forwarding (introduced in v6.40rc36);"
Thank you, but is there any tweaking for the current stable version?
by WojtusW5
Sun Dec 03, 2017 4:14 pm
Forum: General
Topic: RB 3011 Multicast problem
Replies: 10
Views: 3395

RB 3011 Multicast problem

Hi, I have had a new MikroTik RB3011UiAS-RM router for a few days and I have a problem with multicast traffic. This router (the latest soft current) that gets two WAN tags from the WAN's one Internet IPTV (multicast). The internet connection is symmetrical 200/200 (the IPTV band is not included in them)....
by WojtusW5
Mon Oct 02, 2017 1:36 pm
Forum: Scripting
Topic: Send log via email
Replies: 0
Views: 789

Send log via email

Hello, on my device I have written a script that makes a configuration backup and sends it via email. I would like to add the system log (/log print) to the body of this email, but I don't know how to load it into a variable in the script. Thank you in advance.