Community discussions


Search found 11588 matches

by sindy
Mon May 19, 2025 10:51 pm
Forum: General
Topic: The source IP address used by the WireGuard server [SOLVED]
Replies: 11
Views: 1139

Re: The source IP address used by the WireGuard server [SOLVED]

A feature of the Wireguard protocol. Mikrotik pretty much uses the reference implementation.
by sindy
Mon May 19, 2025 10:38 pm
Forum: General
Topic: The source IP address used by the WireGuard server [SOLVED]
Replies: 11
Views: 1139

Re: The source IP address used by the WireGuard server [SOLVED]

Because Wireguard is UDP-based and has an embedded handling of roaming. Like everything, that approach has both advantages and drawbacks.
by sindy
Mon May 19, 2025 10:25 pm
Forum: General
Topic: The source IP address used by the WireGuard server [SOLVED]
Replies: 11
Views: 1139

Re: The source IP address used by the WireGuard server [SOLVED]

I think the best summary of the Wireguard behavior and possible ways to address multi-WAN scenarios is here.
by sindy
Sun May 18, 2025 10:06 pm
Forum: General
Topic: Bypass CGNAT using CHR Relay Server - Need help
Replies: 11
Views: 1503

Re: Bypass CGNAT using CHR Relay Server - Need help

The PBX does not have to find it out on its own, the PBX needs to be told. There are mechanisms it could use to find out but they are not implemented on all PBXes.
by sindy
Wed May 14, 2025 5:33 pm
Forum: General
Topic: IPSec not routing
Replies: 8
Views: 1058

Re: IPSec not routing

The first thing that stands out is that in vanilla IPsec you cannot have two policies with identical traffic selectors, the one lower on the list is considered invalid and no Phase 2 SA pair is established for it. So I am very surprised it works with the 3011. The Mikrotik solution here is to have a...
by sindy
Wed May 14, 2025 12:30 am
Forum: General
Topic: Dual WAN with PCC preventing failover
Replies: 9
Views: 1379

Re: Dual WAN with PCC preventing failover

Do the ones under /ip route not count? Of course they do, I have missed the routing-table column for the last two routes, and not only that. I was somehow tuned to the fallback approach that is based on recursive next-hop search. In the config above, you have two default routes with different dista...
by sindy
Sun May 11, 2025 7:13 pm
Forum: General
Topic: Dual WAN with PCC preventing failover
Replies: 9
Views: 1379

Re: Dual WAN with PCC preventing failover

Always post the complete export (anonymized of course), as the issue is typically caused by something you do not assume to be related. In what you've posted, the routing tables to_isp1 and to_isp2 are defined but empty; as you say the load distribution was working well while both WAN connections wer...
by sindy
Sun May 11, 2025 3:35 pm
Forum: General
Topic: Comment DHCP leases with dynamic IP? [SOLVED]
Replies: 6
Views: 1215

Re: Comment DHCP leases with dynamic IP? [SOLVED]

You can also convert a DHCP lease to a static one but then change the address item of the static lease to a name of a pool. That way, the lease will never disappear, but the address will still be dynamic.
by sindy
Tue May 06, 2025 6:09 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 73
Views: 25525

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

This is only true because TCP 443 (where the web server listens) and UDP 443 (where you let any UDP service listen) are actually unrelated. But there are other UDP ports where RouterOS is listening by default (like 53 for DNS, 1701 for L2TP, 500 and 4500 for IPsec) which you cannot simultaneously us...
by sindy
Sun May 04, 2025 12:01 pm
Forum: General
Topic: IPSec at WAN2 VPN Multi WAN Routing Mark skips for WAN1
Replies: 3
Views: 1237

Re: IPSec at WAN2 VPN Multi WAN Routing Mark skips for WAN1

Your configuration export does not play well with your description - there are three default routes in table to_TW , so I don't get how a packet could "not find a route" in that table except if all 3 of the gateways were down. Is that the case? Other than that, matching packets to IPsec tr...
by sindy
Sun May 04, 2025 11:52 am
Forum: General
Topic: Assign (wireguard) interface local ip route to specific routing table
Replies: 24
Views: 2308

Re: Assign (wireguard) interface local ip route to specific routing table

Also I do think that in general it is useful to have a gateway check on a wireguard route as wireguard connections do not have a clear connected state. Instead it's basically just a key exchange timeout that needs to occur before a wireguard connection is considered disconnected. In "normal"...
by sindy
Sat May 03, 2025 11:45 pm
Forum: General
Topic: How to use one CRS as >separate< Switch and >Separate< Firewall
Replies: 7
Views: 995

Re: How to use one CRS as >separate< Switch and >Separate< Firewall

I have been thinking in that direction. You've said before that the switch part should be just a switch. DHCP server is something I would run on the pfSense during normal times and therefore I would attach it to SFP+2 on the "emergency router/firewall", not to the bridge. The only reason ...
by sindy
Sat May 03, 2025 11:02 pm
Forum: General
Topic: How to use one CRS as >separate< Switch and >Separate< Firewall
Replies: 7
Views: 995

Re: How to use one CRS as >separate< Switch and >Separate< Firewall

Just remove SFP+1 and SFP+2 as ports from the bridge, and if you need to attach a management address to the bridge interface that fits to the subnet attached to SFP+2, create a VRF that will contain the bridge as its only interface. This will make the IP address attached to the bridge "invisibl...
by sindy
Sat May 03, 2025 10:23 pm
Forum: General
Topic: Wrong Source IP for traffic originating from router
Replies: 7
Views: 1476

Re: Wrong Source IP for traffic originating from router

The thing is that IPsec traffic selectors do not substitute the regular routing process, they just override its result if it matches them. In other words, the regular packet routing and firewall processing, including eventual src-nat, must always take place first, and only then the final result (p...
by sindy
Sat May 03, 2025 10:12 pm
Forum: General
Topic: Assign (wireguard) interface local ip route to specific routing table
Replies: 24
Views: 2308

Re: Assign (wireguard) interface local ip route to specific routing table

Am not sure why the gateway check fails. Because the gateway check is done literally the way chosen. So if you choose ping, the gateway must be set to an IP address - if it is not, there is nothing to be pinged. RouterOS doesn't make this plausibility check and simply returns a failure for the pin...
by sindy
Sat May 03, 2025 4:40 pm
Forum: General
Topic: Assign (wireguard) interface local ip route to specific routing table
Replies: 24
Views: 2308

Re: Assign (wireguard) interface local ip route to specific routing table

Rather than the pseudo-code, post the actual config. It normally works so there must be some minor mistake somewhere. As you mention the bridge name in the same row of the pseudocode like the routing rule, I suppose you are pinging from the outside, not from the Mikrotik itself?
by sindy
Sat May 03, 2025 4:36 pm
Forum: General
Topic: Bypass CGNAT using CHR Relay Server - Need help
Replies: 11
Views: 1503

Re: Bypass CGNAT using CHR Relay Server - Need help

Is there any easier to manage vpn protocol for this kind of setup? instead of wg i mean? Configuration-wise, the simplest one is SSTP but it needs certificates (or at least it is quite insecure not to use them). L2TP/IPsec is equally easy to set up as SSTP if you are happy with the defaults for enc...
by sindy
Sat May 03, 2025 4:08 pm
Forum: General
Topic: MSS and mtu
Replies: 2
Views: 967

Re: MSS and mtu

The fact that you get a timeout rather than packet too large and cannot be fragmented when you exceed the PMTU of the link in one direction indicates that either the path MTU discovery is broken and the notification does not make it to you (routing or firewall on some node on the path may cause this...
by sindy
Sat May 03, 2025 3:26 pm
Forum: General
Topic: Bypass CGNAT using CHR Relay Server - Need help
Replies: 11
Views: 1503

Re: Bypass CGNAT using CHR Relay Server - Need help

You have to find out the UDP port range the PBX uses for RTP (or set it if such a setting is available) so that it would not clash with the UDP ports used for the Wireguard or IPsec connections. You also have to tell the PBX the public IP so that it could put it into the SIP messages. If you don't m...
by sindy
Sat May 03, 2025 3:07 pm
Forum: General
Topic: Assign (wireguard) interface local ip route to specific routing table
Replies: 24
Views: 2308

Re: Assign (wireguard) interface local ip route to specific routing table

That typically happens when check-gateway is set to anything else than none on a route whose gateway is not an IP address. Could it be your case here?
by sindy
Fri May 02, 2025 11:49 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 73
Views: 25525

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

So if no other UDP based protocol hangs as epically as Wireguard, then it does something different about its traffic flow in RouterOS. Be it in the firewall, in the implementation interface, CPU, libraries, whatever. ... So the argument "it can't be fixed because this is how all UDP traffic g...
by sindy
Fri May 02, 2025 10:22 pm
Forum: General
Topic: Assign (wireguard) interface local ip route to specific routing table
Replies: 24
Views: 2308

Re: Assign (wireguard) interface local ip route to specific routing table

Maybe too many misunderstandings here? Mikrotik only adds a route via Wireguard interface automatically (to any routing table) if you attach a subnet to the Wireguard interface. There is no need to do it, though - it is just the simplest setup for the most typical use case where one wants a bunch of...
by sindy
Fri May 02, 2025 10:15 pm
Forum: General
Topic: How to spoof Device id
Replies: 2
Views: 889

Re: How to spoof Device id

It depends. If you have in mind mobile network (3G/LTE/5G), then no, as the provider can always check the equipment IMEI and it cannot be changed - in many countries doing so is illegal so the equipment vendors cannot sell devices that support such change. For ISPs that use Ethernet and only authent...
by sindy
Fri May 02, 2025 10:07 pm
Forum: General
Topic: IPSEC/IKE2 VPN server stopped working after dualwan created
Replies: 2
Views: 929

Re: IPSEC/IKE2 VPN server stopped working after dualwan created

There are multiple things to deal with. The explanation below assumes that you use some kind of controlled WAN failover or load distribution and thus you are familiar with the concept of "policy routing" and additional routing tables. If it is not the case, the forum has numerous topics di...
by sindy
Sun Apr 27, 2025 6:03 pm
Forum: General
Topic: L2 tunnel, proved by ISP through VLAN [SOLVED]
Replies: 2
Views: 966

Re: L2 tunnel, proved by ISP through VLAN [SOLVED]

Whereas you can use the wireguard interface as a gateway of a route because a wireguard interface is an L3 one so the wireguard instance receives whatever the router sends through the interface, setting an L2 interface (Ethernet or VLAN) as a gateway of a route works differently. If the router chooses...
by sindy
Thu Apr 24, 2025 8:04 pm
Forum: General
Topic: Defeated by VLAN issue [SOLVED]
Replies: 9
Views: 1693

Re: Defeated by VLAN issue [SOLVED]

An unmanaged (dumb) switch simply ignores the existence of VLAN tags, so in Mikrotik terms, it acts the same as a Mikrotik bridge with vlan-filtering set to no. It forwards all frames verbatim. So if ether3 is an access port to VLAN 20 and a trunk port for VLAN 10, so will be all the ports of the d...
by sindy
Thu Apr 24, 2025 6:19 pm
Forum: General
Topic: Defeated by VLAN issue [SOLVED]
Replies: 9
Views: 1693

Re: Defeated by VLAN issue [SOLVED]

The VLAN10 traffic via ether3 is not working Of course it is not as ether3 is missing in the tagged list on the only row in /interface bridge vlan : bridge=bridge tagged=bridge,ether2 ,ether3 vlan-ids=10,20,30,40 On the other hand, this row forces frames of VLAN 20 to egress tagged via ether3, whic...
by sindy
Thu Apr 24, 2025 6:08 pm
Forum: General
Topic: CapsManV2 prov. CAP over L2TP
Replies: 3
Views: 744

Re: CapsManV2 prov. CAP over L2TP

For years, the BCP mode of L2TP (and other PPP derivatives) used to be completely incompatible with VLAN filtering on the bridge. I haven't had enough motivation to check the recent improvements in this regard brought by ROS 7.17, so I did now. It turns out that now you can use one ppp profile per V...
by sindy
Thu Apr 24, 2025 4:28 pm
Forum: General
Topic: CapsManV2 prov. CAP over L2TP
Replies: 3
Views: 744

Re: CapsManV2 prov. CAP over L2TP

When the L2TP connection is established, what does /interface bridge port print and /interface bridge vlan print show at both the CAPsMAN and the CAP?
by sindy
Thu Apr 24, 2025 10:23 am
Forum: General
Topic: AX3 as basic AP/switch
Replies: 45
Views: 3160

Re: AX3 as basic AP/switch

A "packet processor" is indeed a name that got coined some years ago for function blocks that would get offended if you called them just "switches", because they can do so much more with the packets/frames than just forward them based on their destination MAC address and VLAN ID ...
by sindy
Wed Apr 23, 2025 9:57 pm
Forum: General
Topic: MiniPC with Proxmox and Mikrotik
Replies: 15
Views: 1748

Re: MiniPC with Proxmox and Mikrotik

mystery...
by sindy
Wed Apr 23, 2025 1:14 pm
Forum: General
Topic: IPsec certification/authentication problem [SOLVED]
Replies: 13
Views: 5484

Re: IPsec certification/authentication problem [SOLVED]

The last RouterOS log you've posted shows that you have set the CA certificate as the remote-certificate on the /ip ipsec identity row, which of course cannot work. The IPsec stack can be set to accept any peer certificate signed by any CA it trusts as a proof that the peer can be trusted too, which...
by sindy
Tue Apr 22, 2025 10:12 pm
Forum: General
Topic: 5G Modem for ltAP mini ?
Replies: 3
Views: 717

Re: 5G Modem for ltAP mini ?

Is this advice based on own hands-on experience? From what I could find, the t99w175 has an M.2 connector and declares support only for a PCIe interface, mentioning USB 2.0 for factory test only, whatever that may mean.
by sindy
Tue Apr 22, 2025 7:13 pm
Forum: General
Topic: Allow for some devices, Internet access for 1 hour each day [SOLVED]
Replies: 18
Views: 3256

Re: Allow for some devices, Internet access for 1 hour each day [SOLVED]

The purpose of a hotspot certificate (or certificate of any other server to which a client authenticates itself using some credentials) is that the client knows it has connected where it intended to so it does not reveal its credentials to some imposter or man in the middle. With Let's Encrypt, the ...
by sindy
Tue Apr 22, 2025 5:47 pm
Forum: General
Topic: MiniPC with Proxmox and Mikrotik
Replies: 15
Views: 1748

Re: MiniPC with Proxmox and Mikrotik

No, haven't changed anything. If so, it looks like an electromechanical issue to me, as the negotiation results apparently depend on weather in western Australia and the exchange rate between Ugandan Shilling and Bolívar. when I tried to do that, I wasn't able to connect to Proxmox. Ping from my PC...
by sindy
Tue Apr 22, 2025 5:18 pm
Forum: General
Topic: CapsMan v2 -ac -ax [SOLVED]
Replies: 8
Views: 3092

Re: CapsMan v2 -ac -ax [SOLVED]

To be even more precise - if you want it to try without netinstall, you must first uninstall the wireless package, and only then you can try to install the wifi-qcom-ac one. If even that way it still says "not enough space", netinstall is the only possibility.
by sindy
Tue Apr 22, 2025 4:22 pm
Forum: General
Topic: MiniPC with Proxmox and Mikrotik
Replies: 15
Views: 1748

Re: MiniPC with Proxmox and Mikrotik

If the speed wasn't shown as "full duplex", I would assume the negotiation has failed, but that normally means that "10M, half duplex" as a resulting status. Have you changed anything in the advertise list? What is worse is that on the same version of Proxmox, the following is su...
by sindy
Tue Apr 22, 2025 1:28 pm
Forum: General
Topic: AX3 as basic AP/switch
Replies: 45
Views: 3160

Re: AX3 as basic AP/switch

The criterion for a router as mentioned in that other thread is that a device is a router if it needs more than one own IP to do its job.
by sindy
Tue Apr 22, 2025 9:11 am
Forum: General
Topic: IPsec certification/authentication problem [SOLVED]
Replies: 13
Views: 5484

Re: IPsec certification/authentication problem [SOLVED]

Everything looks OK to me. Do the logs from both the Strongswan and the Mikrotik look the same with this set of certificates? What RouterOS version are you testing that with? Just a security related remark, there is no reason why the Mikrotik should have the private key for any other certificate tha...
by sindy
Mon Apr 21, 2025 4:11 pm
Forum: General
Topic: Public IP pool over pppoe
Replies: 21
Views: 1730

Re: Public IP pool over pppoe

Or do I setup something to preserve .107 source ? You have to make sure that the src-nat or masquerade rule that handles outgoing connections from the LAN hosts that use private addresses will not act on the outgoing connections from the LAN hosts that use public addresses. So let that rule match on...
by sindy
Mon Apr 21, 2025 4:07 pm
Forum: General
Topic: MiniPC with Proxmox and Mikrotik
Replies: 15
Views: 1748

Re: MiniPC with Proxmox and Mikrotik

Yeah, I wonder where this came from as well. There used to be a bridge and some L2 tunnel interface in the configuration in the past. You have removed both but haven't removed this row which was making the latter a member port of the former. I ordered a separate monitor for testing and it will come...
by sindy
Mon Apr 21, 2025 3:33 pm
Forum: General
Topic: MiniPC with Proxmox and Mikrotik
Replies: 15
Views: 1748

Re: MiniPC with Proxmox and Mikrotik

Apart from that, is there anything else in Mikrotik's config which might be an issue to my case? I could not spot anything that would explain the negotiation to behave the way the log in the initial post shows. Since you say the other ports of the hAP ax³ behave the same, it cannot be related to Po...
by sindy
Mon Apr 21, 2025 12:59 pm
Forum: General
Topic: MiniPC with Proxmox and Mikrotik
Replies: 15
Views: 1748

Re: MiniPC with Proxmox and Mikrotik

I don't know why export shows it like that but on UI all ports have the same settings (auto-negotiation=yes). Anyway, I added "2.5G base T" to ether5. What do you mean by the old device? Old router (I had RB951Ui-2HnD)? I haven't used my old router for several months and I surely didn't u...
by sindy
Mon Apr 21, 2025 12:23 pm
Forum: General
Topic: MiniPC with Proxmox and Mikrotik
Replies: 15
Views: 1748

Re: MiniPC with Proxmox and Mikrotik

Where did you find it? In Mikrotik or Proxmox info? In Mikrotik, it is set auto-negotiation=yes for ether5 if you meant it. Here: /interface ethernet set [ find default-name=ether1 ] name=ether5 advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full mac-...
by sindy
Mon Apr 21, 2025 10:57 am
Forum: General
Topic: MiniPC with Proxmox and Mikrotik
Replies: 15
Views: 1748

Re: MiniPC with Proxmox and Mikrotik

First, unless you know exactly what you use the "detect internet" feature for, I'd suggest to disable it: /interface/detect-internet/set detect-interface-list=none Second, as you've chosen the only interface that is physically capable to support 2.5 Gbps speed to connect the N150, why have...
by sindy
Mon Apr 21, 2025 10:17 am
Forum: General
Topic: Looking for advice Hiding my IP to show up other IP [SOLVED]
Replies: 5
Views: 2839

Re: Looking for advice Hiding my IP to show up other IP [SOLVED]

Do I read your goal properly that you want all the other users to also use the uplink with the address A for any "normal" traffic, but let whatismyip.com show address B to them? If so, it cannot be done reliably because there are tens, if not hundreds, of other services like whatismyip.com...
by sindy
Mon Apr 21, 2025 10:06 am
Forum: General
Topic: Public IP pool over pppoe
Replies: 21
Views: 1730

Re: Public IP pool over pppoe

Now what I need is the right set of nat rules after setting the first useful address of the pool as secondary on the bridge (as I will replace ISP router or I could buy a line without router from ISP). No NAT (Network Address Translation) rules are necessary because you will not be translating any ...
by sindy
Sun Apr 20, 2025 8:08 pm
Forum: General
Topic: Public IP pool over pppoe
Replies: 21
Views: 1730

Re: Public IP pool over pppoe

It's either-or: either you want the LAN hosts to have the public addresses on themselves, and in such case you need to attach one of the public addresses to the router (as a secondary one to a common bridge or VLAN or as the only one on a dedicated bridge or VLAN) or you want the LAN hosts to have p...
by sindy
Sun Apr 20, 2025 5:16 pm
Forum: General
Topic: Redundant switch [SOLVED]
Replies: 2
Views: 2545

Re: Redundant switch [SOLVED]

1. you can setup multiple "bonding" interfaces in 802.3ad mode (LACP) in a single bridge. Always make sure you take the internal topology of the router into account - for a 4011, one interface in each 2-link bond should be chosen from ether1-ether5 and the other one from ether6-ether10: Yo...
by sindy
Sat Apr 19, 2025 10:59 pm
Forum: Beginner Basics
Topic: Hairpin NAT with dynamic WAN IP [SOLVED]
Replies: 12
Views: 3284

Re: Hairpin NAT with dynamic WAN IP [SOLVED]

although if you put the code in a script then you won't be able to independently call it anymore Well, it actually behaves quite nicely - even if on-up or on-down spawns another script, it passes those variables to it as a kind of environment, so it is just a matter of generating the address list n...
by sindy
Sat Apr 19, 2025 10:52 pm
Forum: Beginner Basics
Topic: Hairpin NAT with dynamic WAN IP [SOLVED]
Replies: 12
Views: 3284

Re: Hairpin NAT with dynamic WAN IP [SOLVED]

I don't think the script execution is blocking anything (and even if it was, it is executed when the WAN has just obtained a new address, so everything was broken until that happened anyway). The situation is different when a rule with action=add-src-to-address-list or add-dst-to-address-list is exe...
by sindy
Sat Apr 19, 2025 10:08 pm
Forum: Beginner Basics
Topic: Hairpin NAT with dynamic WAN IP [SOLVED]
Replies: 12
Views: 3284

Re: Hairpin NAT with dynamic WAN IP [SOLVED]

It's needlessly complicated - the on-up and on-down scripts expose some global variables as described here. So the script can be much simpler - $"local-address" gives you the current WAN IP directly. So the whole script would then look something like this: :local addressListName WAN_IP :l...
by sindy
Sat Apr 19, 2025 9:01 pm
Forum: Beginner Basics
Topic: Hairpin NAT with dynamic WAN IP [SOLVED]
Replies: 12
Views: 3284

Re: Hairpin NAT with dynamic WAN IP [SOLVED]

But I want to know if there is any possibility to use the info from the pppoe config and avoid external services. Use of pppoe client data requires mild scripting. The /interface pppoe-client item refers to a /ppp profile item, and the /ppp profile item has an on-up parameter that can hold a script t...
by sindy
Sat Apr 19, 2025 5:52 pm
Forum: General
Topic: set up gre tunnel with ipsec on mikrotik to ubuntu
Replies: 1
Views: 697

Re: set up gre tunnel with ipsec on mikrotik to ubuntu

hello I wonder how to set up gre tunnel with ipsec on mikrotik to ubuntu with a public ip that should work on ubuntu? If you specify the ipsec-secret parameter when configuring a GRE interface in RouterOS, RouterOS creates the necessary IPsec setup (namely the peer , identity , and policy items) dy...
by sindy
Sat Apr 19, 2025 4:03 pm
Forum: General
Topic: WiFi Roaming without CapsMAN
Replies: 2
Views: 756

Re: WiFi Roaming without CapsMAN

Is there a way to achieve this without using the central management / CAPsMAN? No. can i manage a AP bridge/station over CAPsMAN - and even achieve a handover in this scenario? I haven't tested this yet, but with the "wifi" driver, there is no difference between the "standalone"...
by sindy
Sat Apr 19, 2025 1:03 pm
Forum: General
Topic: CapsMan v2 -ac -ax [SOLVED]
Replies: 8
Views: 3092

Re: CapsMan v2 -ac -ax [SOLVED]

I never tried to configure the datapath properties on the CAP - I don't think they override those provided from the CAPsMAN but I may be wrong. So client-isolation should be set to yes also on the CAPsMAN configuration rows, or at least not specified there. But you have to test that yourself. The bri...
by sindy
Sat Apr 19, 2025 10:56 am
Forum: General
Topic: Filter rules to isolate DHCP traffic between specific bridged interfaces
Replies: 3
Views: 880

Re: Filter rules to isolate DHCP traffic between specific bridged interfaces

I'm afraid that what follows is just an answer to your last question, not a solution. The bridge filter only sees frames that pass through the CPU port of the switch chip. CRS326 is designed as a switch device, so by default, the switch chip forwards frames between Ethernet ports on its own, withou...
by sindy
Fri Apr 18, 2025 8:33 pm
Forum: General
Topic: CapsMan v2 -ac -ax [SOLVED]
Replies: 8
Views: 3092

Re: CapsMan v2 -ac -ax [SOLVED]

First, the way VLAN is configured for ac and ax devices differs. The ac devices cannot use the vlan-id configured on datapath, and you have to make the wifi interfaces access ports to the respective VLANs manually (or, since you provision many of them, using a script). Regarding client isolation, th...
by sindy
Fri Apr 18, 2025 3:54 pm
Forum: General
Topic: IPsec certification/authentication problem [SOLVED]
Replies: 13
Views: 5484

Re: IPsec certification/authentication problem [SOLVED]

So how does the certificate the Strongswan presents to the Mikrotik look like now? openssl x509 -in <certificate-file-name> -noout -text -purpose The thing is that I do use a Strongswan responder authenticating itself to Mikrotik initiators using a certificate (plus many Mikrotik peers authenticatin...
by sindy
Fri Apr 18, 2025 2:37 pm
Forum: General
Topic: Reset RouterOS without losing remote access (Winbox/SSH)
Replies: 21
Views: 1946

Re: Reset RouterOS without losing remote access (Winbox/SSH)

How can I reset RouterOS to factory defaults without losing remote access (Winbox/SSH)? As you mention "losing" access, it implies you still have it. If so, you should be able to reset the machine to default configuration using a command rather than by power cycling it and pressing the reset...
by sindy
Fri Apr 18, 2025 1:10 pm
Forum: General
Topic: Public IP pool over pppoe
Replies: 21
Views: 1730

Re: Public IP pool over pppoe

Well, the fact that the ISP wastes three public addresses in order to deliver five actually usable ones to you does not imply that you have to do the same :) But I understand you want a drop-in replacement of the original router by the hEX S so that the configuration of the existing LAN hosts using ...
by sindy
Thu Apr 17, 2025 10:02 pm
Forum: General
Topic: Failover RouterOS v7
Replies: 9
Views: 1149

Re: Failover RouterOS v7

I'm not good with scripts yet, in RouterOS v6 I used to use the recursive route and it worked fine. In this case, it would be better to keep using the recursive route, right? Unless your requirements or expectations have changed, I would indeed recommend to stick with what you were satisfied with b...
by sindy
Thu Apr 17, 2025 9:44 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 118
Views: 33316

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

To summarize this last exchange and the results of the direct communication between me and @rabienz: it is much easier to choose what you want to advertise using RIPv2 in RouterOS 7 than it was in RouterOS 6, because the routing filters are a more flexible tool than the prefix lists the other issues...
by sindy
Thu Apr 17, 2025 9:24 pm
Forum: General
Topic: Failover RouterOS v7
Replies: 9
Views: 1149

Re: Failover RouterOS v7

A simple question, what is the best way to failover in RouterOS v7, recursive route or netwatch with script? Why? A simple answer, it depends. A complicated answer - you may prefer speed of failover to anything else, then scripting can be faster than even netwatch; you may be really bad with script...
by sindy
Thu Apr 17, 2025 7:55 pm
Forum: General
Topic: Public IP pool over pppoe
Replies: 21
Views: 1730

Re: Public IP pool over pppoe

/29 subnet is routed (I suppose) over pppoe connection and /29 pool addresses are completely different from pppoe one. Okay. So the RB will not be (strictly speaking) a bridge but a router. The ISP will send packets for any address from the /29, including the .0 and .7, to the RB, and the RB may at...
by sindy
Thu Apr 17, 2025 3:52 pm
Forum: General
Topic: Public IP pool over pppoe
Replies: 21
Views: 1730

Re: Public IP pool over pppoe

How to configure this on MikroTik machine ? What you can do depends on how exactly the ISP provides those addresses (as 8 PPPoE accounts or as a subnet routed to you via the same PPPoE tunnel, and in the latter case, whether the address allocated using PPPoE is within that /29 or outside). It is yo...
by sindy
Thu Apr 17, 2025 12:52 pm
Forum: General
Topic: Replacing RB2011UiAS-2HnD with hAP ax lite LTE6?
Replies: 8
Views: 1220

Re: Replacing RB2011UiAS-2HnD with hAP ax lite LTE6?

we probably go for the Chateau LTE6. The product page says that Chateau LTE6 has only 16 MB of flash whereas hAP ax lite LTE6 has 128 MB, so the hAP ax lite LTE6 is definitely a safer choice with regard to future software versions. It has just 2 cores rather than 4 of Chateau LTE6, and of course on...
by sindy
Thu Apr 17, 2025 12:30 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 118
Views: 33316

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

also note that if i enable this rule the internet will stop: /ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=aa.bb.cc.65 routing-table=main scope=30 suppress-hw-offload=no target-scope=10 This route is a nonsense. Ogero sends traffic for the whole aa.bb.cc.64/29 subnet to you vi...
by sindy
Thu Apr 17, 2025 12:22 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 118
Views: 33316

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Is there anyway to send you message privately ?
follow the link in viewtopic.php?p=1011421#p1011421
by sindy
Thu Apr 17, 2025 11:30 am
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 118
Views: 33316

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Interesting. So open two command line windows, and run all commands below in the first one unless explicitly specified otherwise: /ip/address/disable [find where interface=bridge_WAN] wait 30 seconds, then in the second window: /tool/sniffer/quick interface=pppoe-out1 ip-protocol=udp port=520 /ip/ad...
by sindy
Thu Apr 17, 2025 11:07 am
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 118
Views: 33316

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Replace the rule chain=srcnat out-interface=pppoe-out1 action=masquerade in /ip/firewall/nat by chain=srcnat out-interface=pppoe-out1 action=src-nat to-addresses=aa.bb.cc.66, but before doing that, check that you can ping aa.bb.cc.66 from the internet.
by sindy
Thu Apr 17, 2025 9:16 am
Forum: General
Topic: IPsec certification/authentication problem [SOLVED]
Replies: 13
Views: 5484

Re: IPsec certification/authentication problem [SOLVED]

Hello, it seems to me that the Mikrotik side does not like some aspects of the certificate the Strongswan side presents, plus there is possibly a slight misconfiguration. 2025-04-16 14:57:44 ipsec ipsec: ID_R (FQDN): protection1.cyberpointer.net 2025-04-16 14:57:44 ipsec ipsec: processing payload: ...
by sindy
Thu Apr 17, 2025 8:39 am
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 118
Views: 33316

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

really ros7 is confusing. Well - it's different for sure, but the routing configuration is actually more consistent in ROS 7 than in ROS 6. If you look at the beginning of this topic, I started mentioning prefix-list because routing filters did not work with RIP; in ROS 7, routing filters are appli...
by sindy
Wed Apr 16, 2025 10:41 pm
Forum: General
Topic: Layer 2 tunnel with Windows client
Replies: 2
Views: 670

Re: Layer 2 tunnel with Windows client

The older versions of OpenVPN clients for Windows can use L2 tunneling. Other than that, one of the many projects named iptools includes a part called ubridge that can bridge an "L2 loopback" interface with another bridge using VXLAN, https://sourceforge.net/projects/iptools/files - but th...
by sindy
Tue Apr 15, 2025 2:50 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 118
Views: 33316

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

Hello, noted, I'll have a look at it, but be patient for a couple of days, I am a bit busy these days.
by sindy
Tue Apr 15, 2025 2:47 pm
Forum: General
Topic: Weird internet problems with Ax-Lite and NordVPN [SOLVED]
Replies: 23
Views: 4527

Re: Weird internet problems with Ax-Lite and NordVPN [SOLVED]

Can you please suggest what exactly to do / try ? I mean the exact commands. Thanks a lot! In Winbox, you can drag and drop rows in the list of policies. Not sure about WebFig and mobile app. In command line, /ip ipsec policy print /ip ipsec policy move X destination=Y where X is the current tempor...
by sindy
Tue Apr 15, 2025 2:38 pm
Forum: General
Topic: IPsec certification/authentication problem [SOLVED]
Replies: 13
Views: 5484

Re: IPsec certification/authentication problem [SOLVED]

The log from the Mikrotik shows a different scenario than the one from Charon (the Notify: Auth failure has been received from the remote). Please send logs from the same single connection attempt from both devices. If both peers are on a public address and both are actively attempting to initiate t...
by sindy
Sun Apr 13, 2025 3:55 pm
Forum: General
Topic: Using CRS326 as a switch
Replies: 36
Views: 2684

Re: Using CRS326 as a switch

1) if a single IP address is sufficient for the device to do all what you want it to do, the device acts as a bridge (switch). You may want to access it for management purposes using multiple IP addresses, but another own IP address must not be required to facilitate forwarding of packets/frames fro...
by sindy
Sun Apr 13, 2025 2:54 pm
Forum: General
Topic: Using CRS326 as a switch
Replies: 36
Views: 2684

Re: Using CRS326 as a switch

My question can be reformulated or restated as: How do I ensure that a CRS ROS configuration is such that the CRS is used as a cloud router SWITCH ? The answer to that question has already come from @mkx - if everything works as required while there is only a single IP address up on the CRS326, it o...
by sindy
Sun Apr 13, 2025 2:31 pm
Forum: General
Topic: Using CRS326 as a switch
Replies: 36
Views: 2684

Re: Using CRS326 as a switch

The distinction between bridging and routing indeed lies solely in what information is used to determine where to forward the frame/packet. DHCP is not routing, any kind of VPN handling is not routing; even traffic filtering is, strictly speaking, not routing (you may filter bridged traffic and you ...
by sindy
Sun Apr 13, 2025 1:36 pm
Forum: General
Topic: Using CRS326 as a switch
Replies: 36
Views: 2684

Re: Using CRS326 as a switch

A networking device can take various header fields of an Ethernet frame and of the packet it carries into account when making a decision where to forward that frame. If it only chooses the output interface based on the destination MAC address and, possibly, VLAN ID of the incoming frame, it handles ...
by sindy
Sun Apr 13, 2025 12:51 pm
Forum: General
Topic: Replacing RB2011UiAS-2HnD with hAP ax lite LTE6?
Replies: 8
Views: 1220

Re: Replacing RB2011UiAS-2HnD with hAP ax lite LTE6?

Making the assumption the OP has 5G in their area, or is likely to have in the future. There are still many areas where 5G isn't available and isn't likely to eventuate anytime soon, mainly in rural or small towns. For the telecom operators and network providers, it is way cheaper to upgrade the eq...
by sindy
Sat Apr 12, 2025 7:29 pm
Forum: General
Topic: Weird internet problems with Ax-Lite and NordVPN [SOLVED]
Replies: 23
Views: 4527

Re: Weird internet problems with Ax-Lite and NordVPN [SOLVED]

You have to move the action=none policy before (above) the template from which the actual policy is generated dynamically. The dynamically generated policies are placed right next to the templates they are created from, so if you place the action=none policy between the template and the dynamically ...
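The two posts above on the NordVPN topic (the "move X destination=Y" command and the placement of the action=none policy relative to the template) are illustrated below as an added RouterOS example; it is not configuration from the thread. Assumed: the LAN is 192.168.88.0/24, the VPN's template policy belongs to the policy group "nordvpn", and the dynamically generated 0.0.0.0/0 policy sits directly below that template while the tunnel is up.

```routeros
# Added example, not from the forum post. Assumed names/addresses:
# LAN 192.168.88.0/24, IPsec policy group "nordvpn", a template
# policy already created for that group by the VPN setup.

# 1) Show the current order. The template row carries the T flag, the
#    policy generated from it while the tunnel is up carries the D flag
#    and is listed right below the template.
/ip ipsec policy print

# 2) Exclude LAN-to-LAN traffic from the tunnel. Without place-before
#    the new row would be appended after the template, i.e. after the
#    dynamic 0.0.0.0/0 policy, and would never match.
/ip ipsec policy add action=none src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    comment="bypass: LAN to LAN" place-before=[find template=yes group=nordvpn]

# 3) If the bypass row already exists further down the list, move it
#    above the template instead of re-creating it. This is the
#    "/ip ipsec policy move X destination=Y" from the post, with the
#    numbers looked up by comment and by template flag.
#/ip ipsec policy move [find comment="bypass: LAN to LAN"] \
#    destination=[find template=yes group=nordvpn]

# 4) Verify: the action=none row must be listed above the T row; a row
#    placed between the T row and the D row is still below the template
#    in evaluation order and does not help.
/ip ipsec policy print where action=none
```

The ordering matters because policies are matched top to bottom and the dynamic policy is a catch-all; any bypass that should win over it has to be evaluated first.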
by sindy
Sat Apr 12, 2025 7:12 pm
Forum: General
Topic: hAP AC2 vs. AX2...
Replies: 20
Views: 2548

Re: hAP AC2 vs. AX2...

if they're exposed to high temp, sunlight, vapors (anything greasy and especially apolar solvents) ... but they were kept in relatively sane places. Regarding age, the affected one is from the initial series that still had the 256 MB RAM. As for the environment, it has always been in a living room,...
by sindy
Sat Apr 12, 2025 1:23 pm
Forum: General
Topic: hAP AC2 vs. AX2...
Replies: 20
Views: 2548

Re: hAP AC2 vs. AX2...

And the ax2 doesn't have the touchy-feely (polyurethane?) coating. (nor does the hAP ac lite-TC). Which is actually great, because in a few years, the moleskin layer turns out into the same sticky mess the thicker rubbery soft coats normally do. I liked the moleskin feel very much too until I've...
by sindy
Sat Apr 12, 2025 1:14 pm
Forum: General
Topic: Question about Mikrotik certificates. [SOLVED]
Replies: 3
Views: 1737

Re: Question about Mikrotik certificates. [SOLVED]

What I'm trying to achieve here is to not need to send all clients a new OVPN file every time I have to change my VPS IP. To put @patrikg's suggestion into context: the purpose of using a certificate at server side is to allow the clients to verify that they are connecting (and revealing their crede...
by sindy
Fri Apr 11, 2025 8:05 pm
Forum: General
Topic: ROMON fails with frame-types=admit-only-vlan-tagged
Replies: 31
Views: 5585

Re: ROMON fails with frame-types=admit-only-vlan-tagged

My post intentionally refers to @Amm0's one in particular, just for the case that someone comes searching and gets misled by it. But unless @Amm0 edits his, few people will probably notice mine.
by sindy
Fri Apr 11, 2025 6:12 pm
Forum: General
Topic: ROMON fails with frame-types=admit-only-vlan-tagged
Replies: 31
Views: 5585

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Logically, RoMON is not a tagged packet, so bridge is dropping it. I've made some tests, and although it sounds perfectly logical, the behavior is actually totally different. Most ROMON frames have destination MAC address 01:80:C2:00:88:BF, which fits into the "link local" MAC address ran...
by sindy
Thu Apr 10, 2025 7:32 pm
Forum: General
Topic: 💡 Proposal to add functionality to IPsec Policies 💡
Replies: 2
Views: 605

Re: 💡 Proposal to add functionality to IPsec Policies 💡

The protocol specification mandates that it would have to create a lot of SAs and associated traffic selectors based on the address lists, which wouldn't be manageable for the protocol. It would be much better to implement VTI like all major vendors did over time. But Mikrotik stays strictly complia...
by sindy
Thu Apr 10, 2025 4:05 pm
Forum: General
Topic: IPsec certification/authentication problem [SOLVED]
Replies: 13
Views: 5484

Re: IPsec certification/authentication problem [SOLVED]

Since the Mikrotik side has rejected the connection, the log on Mikrotik side should be more helpful. On Mikrotik, disable the peer or identity, and enable IPsec logging using /system logging add topics=ipsec,!packet Next, start writing ipsec log into a file: /log print follow-only file=ipsec-start ...
by sindy
Wed Apr 09, 2025 11:35 pm
Forum: General
Topic: DHCP Issues on Port 4 Despite Normal EoIP Operation [SOLVED]
Replies: 3
Views: 1948

Re: DHCP Issues on Port 4 Despite Normal EoIP Operation [SOLVED]

Is the central router a physical one or is it a virtual one running on some virtualisation platform? A common behavior of virtualisation platforms is that they block traffic to/from MAC addresses other than the one of the virtual NIC, so the virtual machine cannot act as a bridge. This is considered...
by sindy
Wed Apr 09, 2025 11:05 pm
Forum: General
Topic: EoIP and MTU
Replies: 19
Views: 6078

Re: EoIP and MTU

What I suspect and suggest is that the PMTUD (Path MTU Discovery) for the affected TCP traffic fails. You cannot discover this by trying with ICMP (ping). If tcpdump on ESXi doesn't show ICMP, run the sniffer on the Mikrotik as I have suggested initially. But if the tcpdump on ESXi shows 1500-byte o...
by sindy
Wed Apr 09, 2025 10:22 pm
Forum: General
Topic: Basic VLAN config question (again)
Replies: 31
Views: 2605

Re: Basic VLAN config question (again)

Sorry, the trigger of my reaction was that use of such term leads to misunderstanding of the actual topology. I would be more than happy if someone created a better set of terms to describe the virtual objects in the software than those somehow bulky ones I came up with, but putting an equation betw...
by sindy
Wed Apr 09, 2025 10:52 am
Forum: General
Topic: Basic VLAN config question (again)
Replies: 31
Views: 2605

Re: Basic VLAN config question (again)

There is no effing CPU port of a software bridge. There indeed is a CPU port of a hardware switch, but it is not the same thing.

There is the router-facing port of the bridge, which is a virtual object within a software running on the CPU. The router software is not the same thing as the CPU.
by sindy
Wed Apr 09, 2025 10:40 am
Forum: General
Topic: Multi-wan multi-ip wireguard setup
Replies: 15
Views: 1745

Re: Multi-wan multi-ip wireguard setup

Yup sounds familiar and as CGX pointed out we only need to use one LO address/interface to accomplish same.......... no need for bridge!! /ip address add address=10.20.30.40 interface=lo network=10.20.30.40 Does this even belong here? The src-nat rule in input is the key part of @lurker888's soluti...
by sindy
Wed Apr 09, 2025 10:16 am
Forum: General
Topic: Multi-wan multi-ip wireguard setup
Replies: 15
Views: 1745

Re: Multi-wan multi-ip wireguard setup

only correctly authenticated connections show up at all - ever - as endpoint addresses. Failed handshake attempts never do. (Even if no multiwan/nat is present.) In Wireguard data, this is correct. In the connection tracking, it's different - any connection attempt to the Wireguard port that comes ...
by sindy
Tue Apr 08, 2025 9:08 pm
Forum: General
Topic: EoIP and MTU
Replies: 19
Views: 6078

Re: EoIP and MTU

Do you have any idea what else should I check or what else could be wrong? You can sniff at both end devices of the tunnel, and you should see packets arriving at one of them that are larger than the IPIP tunnel MTU so the device cannot forward them, so it sends ICMP "fragmentation needed, MT...
by sindy
Tue Apr 08, 2025 8:56 pm
Forum: General
Topic: Multi-wan multi-ip wireguard setup
Replies: 15
Views: 1745

Re: Multi-wan multi-ip wireguard setup

Only authenticated users show up in the peers as "Current endpoint address". If I understand your solution correctly, thanks to the src-nat rule in input, the current endpoint address is always 172.16.10.2 (as per https://forum.mikrotik.com/viewtopic.php?p=1136875#p1136875) . So to find a ...
by sindy
Sun Apr 06, 2025 1:06 pm
Forum: General
Topic: Multi-wan multi-ip wireguard setup
Replies: 15
Views: 1745

Re: Multi-wan multi-ip wireguard setup

The only real solution working is from @lurker888 with srcnat. But in this case mikrotik does not see the real IP of connected client.
The Mikrotik does. The Wireguard stack running on that Mikrotik doesn't. Why is it important for you that the Wireguard stack knew the actual address of the peer?
by sindy
Sun Mar 30, 2025 1:33 pm
Forum: General
Topic: LHG-LTE18 nearly dead.
Replies: 17
Views: 6601

Re: My LHG - LTE18 is having a Stroke. :D

Each SIM card is linked to a subscriber account, and each subscriber account has a "service plan" or whatever is the correct term in English, which determines a lot of parameters of your connection; in addition to limits of both bandwidth and total amount of data transported per some unit ...
by sindy
Tue Mar 25, 2025 11:15 pm
Forum: General
Topic: My recent VLAN fiasco [SOLVED]
Replies: 48
Views: 13928

Re: My recent VLAN fiasco [SOLVED]

That means that if you want to handle bridging between untagged ports, you have to assign a VLAN to them internally (possibly with only access ports attached). It is customary to reserve vlan 1 for this purpose. How is it "reserved"? Or, how is "bridging between access ports to VLAN ...
by sindy
Tue Mar 25, 2025 6:11 pm
Forum: General
Topic: General questions about wireguard and connection problems
Replies: 2
Views: 1752

Re: General questions about wireguard and connection problems

In other words (now it is my turn not to be sarcastic), your description is so vague that the only feedback you can get is consolation - yes, you are not alone, other people also have various sorts of issues with Wireguard, some of them even looking similar to your ones from the outside. If you ne...
by sindy
Tue Mar 25, 2025 4:34 pm
Forum: General
Topic: No traffic through IPSec tunnel (if opnSense side initiate) [SOLVED]
Replies: 4
Views: 8024

Re: No traffic through IPSec tunnel (if opnSense side initiate) [SOLVED]

For me, it doesn't make sense, that Phase 1 and 2 can be established, but anyway... For Phase 1, it is enough if one of the peers accepts incoming connections and the other one has a stateful firewall that automatically accepts responses to outgoing requests sent by the router itself or by devices ...
by sindy
Tue Mar 25, 2025 3:20 pm
Forum: General
Topic: No traffic through IPSec tunnel (if opnSense side initiate) [SOLVED]
Replies: 4
Views: 8024

Re: No traffic through IPSec tunnel (if opnSense side initiate) [SOLVED]

As both peers are on public addresses and therefore bare ESP is used for Phase 2, you have to make sure that ESP packets coming from the internet are allowed in. The firewall has no way to do that automatically based on information in the IKE (or IKEv2) exchange. So add a rule protocol=ipsec-esp src-...
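The two posts above (Phase 1 passing thanks to a stateful firewall, Phase 2 failing because bare ESP is never "a response") as an added RouterOS example, not the configuration from the thread. Assumed: the remote peer is 203.0.113.10 (a documentation address), the WAN interface is ether1, and the router runs the default firewall whose input chain ends with the rule commented "defconf: drop all not coming from LAN".

```routeros
# Added example, not from the forum post. Assumed: remote IPsec peer
# 203.0.113.10, WAN interface ether1, default-config firewall in place.

# IKE/IKEv2 (UDP 500) and NAT-T (UDP 4500). Needed only when the remote
# side initiates; if this router always initiates, conntrack accepts the
# responses on its own, which is why Phase 1 "just worked" one way.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=203.0.113.10 in-interface=ether1 comment="IKE from site B"

# Bare ESP (IP protocol 50). Connection tracking cannot derive it from
# the IKE exchange, and when the remote side sends the first ESP packet
# after its own initiation, that packet is "new", not "established", so
# the default drop rule would eat it. Accept it explicitly.
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=203.0.113.10 in-interface=ether1 comment="ESP from site B"

# Both accepts must sit above the final drop of the input chain.
/ip firewall filter move [find comment="IKE from site B"] \
    destination=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter move [find comment="ESP from site B"] \
    destination=[find comment="defconf: drop all not coming from LAN"]

# The decrypted inner packets go through the forward chain; the default
# config already accepts them with ipsec-policy=in,ipsec (comment
# "defconf: accept in ipsec policy"). Check that those rules still exist:
/ip firewall filter print where ipsec-policy~"ipsec"

# Quick check while the remote side initiates: the counter of the ESP
# rule should grow, and an installed SA pair should appear here.
/ip firewall filter print stats where comment="ESP from site B"
/ip ipsec installed-sa print
```

If NAT is detected by IKE, both peers switch to UDP 4500 encapsulation and the ESP rule is not used; the UDP rule then covers both control and data traffic, which is the case where a stateful firewall alone can appear to work.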
by sindy
Tue Mar 25, 2025 12:38 pm
Forum: General
Topic: My recent VLAN fiasco [SOLVED]
Replies: 48
Views: 13928

Re: My recent VLAN fiasco [SOLVED]

Sorry for blurring the picture for you, my response was mainly triggered by @erlinden as I am kind of tired of everyone treating VLAN 1 as black magic that has to be avoided by all means, hence that approach spreads as a meme (in the meaning of a "human software" virus, not the funny pictu...
by sindy
Tue Mar 25, 2025 10:49 am
Forum: General
Topic: L7 filtering only working occasionally
Replies: 12
Views: 1660

Re: L7 filtering only working occasionally

You said you had no problem with CPU consumption on the router, so maybe you can try with the action=fasttrack-connection rule disabled. If it starts working that way, you'll know for sure that fasttracking is the cause of the issue. And assuming that the documentation is accurate regarding the L7 m...
by sindy
Mon Mar 24, 2025 11:37 pm
Forum: General
Topic: Using WLAN to bridge two RBs
Replies: 2
Views: 1007

Re: Using WLAN to bridge two RBs

Do you indeed need to "bridge" the networks or would "routing" be sufficient? On one hand, you mention "machine" network, which hints on use of some proprietary L2-only protocols so bridging might indeed be required, on the other hand, you mention a distinct subnet on e...
by sindy
Mon Mar 24, 2025 7:25 pm
Forum: General
Topic: L7 filtering only working occasionally
Replies: 12
Views: 1660

Re: L7 filtering only working occasionally

am I still missing something? You have to distinguish between packets and connections. A connection consists of multiple packets; the connection tracking module inspects each packet that passes through it and if it concludes that it belongs to an existing connection, it treats it according to the c...
by sindy
Mon Mar 24, 2025 5:01 pm
Forum: General
Topic: L7 filtering only working occasionally
Replies: 12
Views: 1660

Re: L7 filtering only working occasionally

The "fastrack" mangle rules are default rules created by the OS... These dynamically added mangle rules whose comment mentions fasttrack are indeed used only to approximate the amount of fasttracked traffic, but their mere presence is an indicator that somewhere in filter, there is an act...
by sindy
Mon Mar 24, 2025 4:27 pm
Forum: General
Topic: L7 filtering only working occasionally
Replies: 12
Views: 1660

Re: L7 filtering only working occasionally

3. the mangle rules you have posted indicate that fasttracking is enabled in filter; one of the key elements of fasttracking is that most packets that belong to fasttracked connections skip mangle rules completely. A TCP connection gets fasttracked as soon as the "three-way handshake" is c...
by sindy
Mon Mar 24, 2025 3:17 pm
Forum: General
Topic: My recent VLAN fiasco [SOLVED]
Replies: 48
Views: 13928

Re: My recent VLAN fiasco [SOLVED]

In a VLAN world your bridge shouldn't have an IP Address. Since there are /interface/bridge/port rows with the default value of pvid (1) and bridge-the-port also has pvid set to the default value 1, there is nothing wrong about having an IP address attached to bridge-the-router-interface directly. ...
by sindy
Mon Mar 24, 2025 1:29 am
Forum: General
Topic: VLAN question about tagging bridge or ether1
Replies: 16
Views: 1742

Re: VLAN question about tagging bridge or ether1

It is indeed, does it make the description misleading in any way?
by sindy
Mon Mar 24, 2025 12:20 am
Forum: General
Topic: VLAN question about tagging bridge or ether1
Replies: 16
Views: 1742

Re: VLAN question about tagging bridge or ether1

With 7.16+, an /interface/bridge/vlan row is dynamically created for a particular VLAN ID and bridge: whenever an interface is made a member port of that bridge and its pvid is set to that VLAN ID (in this case, the interface name is put to the untagged list on that row) whenever an /interface/vlan ...
by sindy
Sun Mar 23, 2025 10:07 pm
Forum: General
Topic: detect ddos from the wiki
Replies: 2
Views: 1189

Re: detect ddos from the wiki

when is chain=detect-ddos processed? First, there is a mistake on the manual page you refer to. In the Configuration Lines section, the rule that invokes the detect-ddos chain is missing, it is only mentioned in the Configuration Explained section: /ip/firewall/filter/add chain=forward connection...
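The post above answers "when is chain=detect-ddos processed" by pointing at the missing jump rule. The following is an added example of the complete rule set as I would write it from the manual's description; it is not the text of the manual nor of the post. The thresholds (32 new connections per 10 s, 10-minute list timeouts) and list names are assumptions.

```routeros
# Added example, not from the forum post. Assumed values: 32 new
# connections / 10 s per src+dst pair, list timeout 10m, list names
# ddos-attackers and ddos-targets.

# The rule the manual's command list leaves out. Only packets that open
# a NEW connection in the forward chain are sent to detect-ddos, so the
# chain runs once per connection, not once per packet.
/ip/firewall/filter/add chain=forward connection-state=new action=jump jump-target=detect-ddos

# Rate gate: as long as a given src+dst pair stays under 32 new
# connections per 10 s (burst 32), return to the forward chain and the
# rules below are never reached for that packet.
/ip/firewall/filter/add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return

# Only packets that exceed the limit get here: record both ends.
/ip/firewall/filter/add chain=detect-ddos action=add-dst-to-address-list \
    address-list=ddos-targets address-list-timeout=10m
/ip/firewall/filter/add chain=detect-ddos action=add-src-to-address-list \
    address-list=ddos-attackers address-list-timeout=10m

# Enforcement happens in raw/prerouting, i.e. before connection tracking
# and before the filter chains, so listed attacker->target pairs are
# dropped cheaply for the next 10 minutes.
/ip/firewall/raw/add chain=prerouting action=drop \
    src-address-list=ddos-attackers dst-address-list=ddos-targets

# Check: after a burst from one host, both lists should have entries and
# the raw rule's packet counter should grow.
/ip/firewall/address-list/print where list~"ddos"
/ip/firewall/raw/print stats
```

Note the interaction with fasttrack: once a connection is fasttracked its later packets bypass the filter, which is harmless here because the detection only ever looks at the first packet of each connection anyway.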
by sindy
Sun Mar 23, 2025 5:07 pm
Forum: General
Topic: VPN on Chateau 5G for spezifisch internal IP and WLAN
Replies: 2
Views: 998

Re: VPN on Chateau 5G for spezifisch internal IP and WLAN

I want to activate VPN (tunnel to a remote VPN server, not provide VPN endpoint on my router). I then want to configure that specific devices (IP address) and a dedicated WLAN connects via VPN, all other devices without VPN. How can I reach this? Thanks. Depending on the type of your VPN (IPsec vs....
by sindy
Sun Mar 23, 2025 4:58 pm
Forum: General
Topic: VLAN question about tagging bridge or ether1
Replies: 16
Views: 1742

Re: VLAN question about tagging bridge or ether1

all should start working the intended way.
(that is, if the actual intention was to make ether1 an access port to VLAN 999, despite having no IP configuration attached to VLAN 999).
by sindy
Sun Mar 23, 2025 4:54 pm
Forum: General
Topic: Looking for a script to prioritize multiple internet interfaces via ping (VDSL, LTE, RJ45)
Replies: 1
Views: 1033

Re: Looking for a script to prioritize multiple internet interfaces via ping (VDSL, LTE, RJ45)

Why is this not the answer to your needs? In my opinion, the only part missing is the possibility to specify the roles of the interfaces via variables, but that only makes sense if you want to use a single template to configure lots of devices, which would make perfect sense for simple cases (where ...
by sindy
Sun Mar 23, 2025 3:10 pm
Forum: General
Topic: VLAN question about tagging bridge or ether1
Replies: 16
Views: 1742

Re: VLAN question about tagging bridge or ether1

As soon as you make any interface (in your case, ether1 ) a member port of a bridge, you must not use that interface directly for any other purpose - you must not attach /interface/vlan or an IP address/DHCP client to it, you must not make it a member port of any other bridge, you must not make it a...
by sindy
Sun Mar 23, 2025 2:53 pm
Forum: General
Topic: All IPv6 stops working until I manually renew DHCP6 lease from ISP?
Replies: 5
Views: 1598

Re: All IPv6 stops working until I manually renew DHCP6 lease from ISP?

Probably the ISP does not assign static IPv6 etc. etc. etc. Paste this into the terminal and reboot, see if it solves it in the long term. /ipv6 nd set [ find default=yes ] hop-limit=64 /ipv6 nd prefix default set preferred-lifetime=45m valid-lifetime=1h30m OP has clearly stated that "nothing changes", which (if...
by sindy
Sun Mar 23, 2025 2:15 pm
Forum: General
Topic: VLAN question about tagging bridge or ether1
Replies: 16
Views: 1742

Re: VLAN question about tagging bridge or ether1

Is this correct? Either yes or no, why? Does the answer to this lie with the question of whether vlan2 frames need to be processed by the CPU, which is accomplished by tagging bridge? But, because the AP is not acting as a router, the CPU is not necessary? Each VLAN only needs to pass through the b...
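The VLAN posts above (the 7.16+ dynamic /interface/bridge/vlan rows, ether1 as an access port to VLAN 999, a bridge member port never being used directly, and which VLANs need to reach the router-facing side of the bridge) as one added RouterOS example; it is not configuration from the thread. Assumed: RouterOS 7.16 or later, a bridge named "bridge", ether1 as an access port in VLAN 999, ether2 as a tagged uplink carrying VLANs 10 and 999, and a management address on VLAN 10 only.

```routeros
# Added example, not from the forum posts. Assumed: RouterOS 7.16+,
# bridge "bridge", ether1 = access port VLAN 999, ether2 = tagged uplink
# for VLANs 10 and 999, management IP 192.168.10.1/24 on VLAN 10.

# Create the bridge with filtering OFF; it is switched on as the last
# step so that a half-finished VLAN table does not lock you out.
/interface bridge add name=bridge vlan-filtering=no

# ether1: access port. pvid=999 tags untagged ingress frames with 999 and
# strips the tag on egress. On 7.16+ this alone creates a dynamic
# /interface/bridge/vlan row for 999 with ether1 in the untagged list.
/interface bridge port add bridge=bridge interface=ether1 pvid=999 \
    frame-types=admit-only-untagged-and-priority-tagged

# ether2: trunk, accept tagged frames only.
/interface bridge port add bridge=bridge interface=ether2 \
    frame-types=admit-only-vlan-tagged

# Static VLAN table. "bridge" in the tagged list of VLAN 10 means VLAN 10
# frames are delivered to the router-facing side of the bridge (the
# bridge interface itself, not a "CPU port"). VLAN 999 is bridged between
# ether1 and ether2 only and never reaches the router, which is fine:
# an access port needs no IP configuration on the router for its VLAN.
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge,ether2
/interface bridge vlan add bridge=bridge vlan-ids=999 tagged=ether2 untagged=ether1

# The router-side VLAN interface is attached to the bridge. Attaching it
# (or an IP address, or a DHCP client) to ether1/ether2 directly would be
# wrong: those are member ports now and must not be used for anything else.
/interface vlan add name=vlan10-mgmt interface=bridge vlan-id=10
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt

# Last step.
/interface bridge set bridge vlan-filtering=yes

# Check: ether1 untagged in 999, ether2 tagged in 10 and 999, bridge
# tagged in 10 only. Dynamic rows carry the D flag.
/interface bridge vlan print
/interface bridge host print
```

Listing ether1 explicitly as untagged in the static row for 999 is redundant on 7.16+ (the pvid already adds it dynamically) but keeps the table readable on older versions as well.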
by sindy
Sun Mar 23, 2025 1:51 pm
Forum: General
Topic: IPSEC tunnel established, traffic not passing through
Replies: 24
Views: 3561

Re: IPSEC tunnel established, traffic not passing through

The policy installed by mode-config is src.address 0.0.0.0/0 and dst.address 0.0.0.0/0 OK. So whereas a "normal" responder waits for the initiator to use the data it got in the mode-config message to construct their own policy and propose it, this one apparently uses some inverse logic - ...
by sindy
Sat Mar 22, 2025 10:42 pm
Forum: General
Topic: IPSEC tunnel established, traffic not passing through
Replies: 24
Views: 3561

Re: IPSEC tunnel established, traffic not passing through

Despite all my efforts the result is still the same: I can see the traffic going out back nothing received from the tunnel. That does not answer what the policy looks like when the tunnel is "up". You don't know what the responder is actually doing, so if it assigns the initiator an addre...
by sindy
Sat Mar 22, 2025 6:26 pm
Forum: General
Topic: IP Neighbors and VLANS
Replies: 9
Views: 1681

Re: IP Neighbors and VLANS

I have admin-mac defined on all devices, and auto-mac=no. OK, but for some reason, it is the MAC of ether1 on the cAP whereas it is the address of some other interface, or unrelated to any interface, on the NetMetal. It is a "locally administered one" (because the least significant digit ...
by sindy
Sat Mar 22, 2025 6:12 pm
Forum: General
Topic: IP Neighbors and VLANS
Replies: 9
Views: 1681

Re: IP Neighbors and VLANS

how and/or why ether1 and bridge share the same mac address on the cAP whereas they have different MAC addresses on the NetMetal? That has nothing to do with discovery protocols but with how the bridge is implemented. Unless you specify a MAC address for a bridge manually, it inherits the MAC addre...
by sindy
Sat Mar 22, 2025 5:54 pm
Forum: General
Topic: IP Neighbors and VLANS
Replies: 9
Views: 1681

Re: IP Neighbors and VLANS

I'd like to understand why there are 2 instances displayed in IP NEIGHBORS on the hEX. Because the neighbor advertisement protocols (any combination of MNDP, LLDP, and CDP depending on the settings) are being sent from all interfaces that are members of the interface list configured in the discover-...
by sindy
Sat Mar 22, 2025 4:03 pm
Forum: General
Topic: Two questions about GPS module for LtAP mini LTE Rev3
Replies: 5
Views: 2494

Re: Two questions about GPS module for LtAP mini LTE Rev3

There were multiple topics in the past that discussed this and the outcome was that even Mikrotik admitted that for LtAP mini, the external antenna for GPS was mandatory, not optional. The current wording in https://mikrotik.com/product/ltap_mini carefully avoids mentioning the existence of the inte...
by sindy
Sat Mar 22, 2025 3:42 pm
Forum: General
Topic: IPsec: no phase2 after a few hours [6.40.4]
Replies: 9
Views: 12588

Re: IPsec: no phase2 after a few hours [6.40.4]

Ok, quick update: after changing the PFS group to "none"...
I guess you have updated a wrong topic?
by sindy
Sat Mar 22, 2025 12:08 pm
Forum: General
Topic: MT Wireguard over VRRP WAN
Replies: 5
Views: 1485

Re: MT Wireguard over VRRP WAN

Wireguard does not respond to an incoming request from the same IP address to which that request has arrived because it is actually not a server in the narrow sense. So it treats any packet it sends as a standalone one rather than a part of some connection. So even though the initial handshake packet fr...
by sindy
Sat Mar 22, 2025 11:12 am
Forum: General
Topic: SSTP VPN Issue ( Mikrotik And Sophos )
Replies: 2
Views: 1222

Re: SSTP VPN Issue ( Mikrotik And Sophos )

Well... up... I would rather expect an upgrade of the problem description. What does "if Sophos is a gateway" mean - for what traffic is it a gateway? What does "if we connect both Sophos and Mikrotik on the network" mean? Which "connection" is down? After reading it several ti...
by sindy
Sat Mar 22, 2025 10:44 am
Forum: General
Topic: IPSEC tunnel established, traffic not passing through
Replies: 24
Views: 3561

Re: IPSEC tunnel established, traffic not passing through

It could work without mode-config if the responder ("server") was a device that allows you to configure all the aspects of the IPsec connection. Since it is a blackbox, you have to adjust the configuration of the Mikrotik acting as initiator to its expectations. An IPsec "policy"...
by sindy
Tue Mar 18, 2025 8:17 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 73
Views: 25525

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

Despite many users claiming that this problem has been resolved in the most recent versions, I am afraid I can't agree. At least for me it is not the case. In order to resolve this issue completely, RouterOS would have to modify the Wireguard behavior to fix 3rd party issues, causing headache t...
by sindy
Tue Mar 18, 2025 1:39 pm
Forum: General
Topic: Unable to get my Map Lite serve as a WLAN to ETH device
Replies: 1
Views: 1422

Re: Unable to get my Map Lite serve as a WLAN to ETH device

Remove the DHCP relay and try again. The essence of station-pseudobridge operation is an internal mapping table between IP addresses and MAC addresses on the wired side because it can only use a single MAC address towards the AP. Whatever the source address on the wired side of the bridge, when the ...
by sindy
Tue Mar 18, 2025 9:31 am
Forum: General
Topic: Redundant IPsec tunnel - second tunnel cannot connect - a bug?
Replies: 5
Views: 1699

Re: Redundant IPsec tunnel - second tunnel cannot connect - a bug?

logs are filled with the same errors every 10 seconds ... ipsec,error failed to get proposal from first template Is this expected behaviour? ... should it be trying to establish phase2 (is it establishing phase2?) for peer2 every 10 seconds? The Mikrotik approach is based on an assumption that the ...
by sindy
Tue Mar 18, 2025 9:19 am
Forum: General
Topic: IPSEC tunnel established, traffic not passing through
Replies: 24
Views: 3561

Re: IPSEC tunnel established, traffic not passing through

I have a similar situation Actually, the whole similarity is just "I also have some issue with IPsec". So please re-post the above in a new dedicated topic instead of piggybacking a loosely related one that is still unresolved. And once at it, post also the complete exports of the two IPs...
by sindy
Mon Mar 17, 2025 9:22 pm
Forum: General
Topic: Redundant IPsec tunnel - second tunnel cannot connect - a bug?
Replies: 5
Views: 1699

Re: Redundant IPsec tunnel - second tunnel cannot connect - a bug?

By design, bare IPsec does not permit two distinct policies with identical traffic selectors to be bound to two distinct peers. But the solution here should be to use just a single policy and bind it to both peers: peer=peer1,peer2 . With this setup, the router establishes Phase 1 to both remote pee...
by sindy
Sun Mar 16, 2025 7:38 pm
Forum: General
Topic: IPSEC tunnel established, traffic not passing through
Replies: 24
Views: 3561

Re: IPSEC tunnel established, traffic not passing through

What normally happens is that the initiator asks for Mode Config information (which is a name used in the IKE (v1) vernacular, so strictly speaking not correct for IKEv2, but let's ignore that), gets an address, and asks the responder to create a policy with only that single address on its side. So ...
by sindy
Sun Mar 16, 2025 6:58 pm
Forum: General
Topic: IPSEC tunnel established, traffic not passing through
Replies: 24
Views: 3561

Re: IPSEC tunnel established, traffic not passing through

If so, have you set generate-policy on the identity row to something else than no?
by sindy
Sun Mar 16, 2025 6:05 pm
Forum: General
Topic: how to route multiple WANs to CHR over the Wireguard tunnel.
Replies: 16
Views: 2649

Re: how to route multiple WANs to CHR over the Wireguard tunnel.

The advantage of ECMP as compared to PCC is simplicity of configuration; the advantage of PCC as compared to ECMP is the possibility to control the distribution more precisely. As for your updated requirements - you can think about the WG tunnels as about yet another set of WANs. So one group of LAN ...
by sindy
Sun Mar 16, 2025 4:53 pm
Forum: General
Topic: IPSEC tunnel established, traffic not passing through
Replies: 24
Views: 3561

Re: IPSEC tunnel established, traffic not passing through

If so, go the other way round, enable (recreate) the mode-config and disable the manually configured policy.
by sindy
Sun Mar 16, 2025 2:30 pm
Forum: General
Topic: how to route multiple WANs to CHR over the Wireguard tunnel.
Replies: 16
Views: 2649

Re: how to route multiple WANs to CHR over the Wireguard tunnel.

When you wrote you wanted to pass all the LAN traffic to the CHR, it seemed that you didn't want to use the local WANs for anything else but for the Wireguard tunnels. Hence @anav suggested how you can create a WG tunnel via each WAN and use those WG tunnels instead of the actual WANs for all the LA...
by sindy
Sun Mar 16, 2025 11:39 am
Forum: General
Topic: IPSEC tunnel established, traffic not passing through
Replies: 24
Views: 3561

Re: IPSEC tunnel established, traffic not passing through

Complete exports from both routers would have been much better because configuration issues are typically in those parts of the configuration you do not deem related, which is why you don't post them. In your case, you have set up a "cat-dog", in terms that you use a mode-config row on the...
by sindy
Sat Mar 15, 2025 6:05 pm
Forum: General
Topic: EoIP and MTU
Replies: 19
Views: 6078

Re: EoIP and MTU

Because it is the best thing to do from one perspective and the worst one from another. And there is no ideal solution for all cases due to the number of clueless network administrators out there. TCP is designed to automatically adjust the packet size to the lowest MTU on the path between the clien...
by sindy
Thu Mar 13, 2025 12:16 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 279
Views: 66675

Re: hap ax3 random wireless disconnects

Have you considered (or performed) a netinstall I have netinstalled a hAP ac² for other reasons and recreated the configuration from the text exports (i.e. no "invisible" data), nevertheless: the Intel 201ax gets thrown out from an AP no matter what (20 MHz channels, 40 MHz channels, 80 MH...
by sindy
Tue Mar 11, 2025 11:02 pm
Forum: General
Topic: Two IP addresses from one provider „like two ISPs“
Replies: 21
Views: 4284

Re: Two IP addresses from one provider „like two ISPs“

I was thinking about a script that will make the src-nat rules - the DHCP client will get an IP address... Well, there is a script item in the DHCP client configuration, so you can modify the rules, but you can also use the second routing table (with 7.18.x, you can specify the routing table to whi...
by sindy
Tue Mar 11, 2025 9:31 pm
Forum: General
Topic: Two IP addresses from one provider „like two ISPs“
Replies: 21
Views: 4284

Re: Two IP addresses from one provider „like two ISPs“

I just had to hope that my ISP will not change "its own 10.x…" addresses. Well, the possibility that this might happen is exactly the reason why I prefer the solution with two DHCP clients attached to the physical interface and to the macvlan one, although @panisk0's suggestion is fine if...
by sindy
Tue Mar 11, 2025 9:15 am
Forum: General
Topic: Two IP addresses from one provider „like two ISPs“
Replies: 21
Views: 4284

Re: Two IP addresses from one provider „like two ISPs“

Sniffing on WAN would tell you more about what actually happens, but now as I look at your screenshots again, it seems to me that something is rotten in routing - in RouterOS, not in your configuration. While the default route with distance=5 is marked as active and the default route with distance=1...
by sindy
Mon Mar 10, 2025 10:40 pm
Forum: General
Topic: Two IP addresses from one provider „like two ISPs“
Replies: 21
Views: 4284

Re: Two IP addresses from one provider „like two ISPs“

There is no point in obfuscating private addresses (anything that begins with 10. is a private address).

Other than that - since the gateway IP is the same, try the change of srcnat rules I've suggested.
by sindy
Mon Mar 10, 2025 10:23 pm
Forum: General
Topic: Two IP addresses from one provider „like two ISPs“
Replies: 21
Views: 4284

Re: Two IP addresses from one provider „like two ISPs“

Hope everything redacted correctly :) If you enable the second DHCP client temporarily, do both the default routes added dynamically via DHCP have the same IP address as the gateway? Anyway, as you haven't added a dedicated routing table, neither by creating a VRF (which needs a name of a routing ...
by sindy
Mon Mar 10, 2025 9:43 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 73
Views: 25525

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

wan is on eth2, eth1 is unplugged Well, more importantly, both /interface/wireguard/peer rows say responder=yes so once the connection gets lost, the router itself should not keep updating the pinhole (the tracked connection). So when the Wireguard connection gets interrupted, what are the exact st...
by sindy
Sun Mar 09, 2025 10:57 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 73
Views: 25525

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

If you have masquerade on WAN, there must be something else. Can you post the export of your configuration (anonymized as per the usual instructions, no public addresses, serial numbers, usernames for external services, ...)?
by sindy
Sun Mar 09, 2025 6:44 pm
Forum: General
Topic: Two IP addresses from one provider „like two ISPs“
Replies: 21
Views: 4284

Re: Two IP addresses from one provider „like two ISPs“

I hope I got your requirements properly. First, you can just functionally replicate your previous setup (Mikrotik and the other router) by engaging the VRF functionality of the Mikrotik and using a macvlan interface also on the LAN side. So like before, each device in the LAN subnet would get a dist...
by sindy
Sun Mar 09, 2025 11:43 am
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 73
Views: 25525

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

At least in the case we had a chance to analyse in detail, the behavior that annoys you was not a bug of RouterOS or Wireguard but a direct consequence of how the connection tracking in the firewall handles UDP connections and how temporary connectivity outages interact with that. So there is nothin...
by sindy
Sat Mar 08, 2025 10:20 pm
Forum: General
Topic: Cap AC out of disk space after installing wireless-qcom-ac
Replies: 5
Views: 1859

Re: Cap AC out of disk space after installing wireless-qcom-ac

It's most likely the same issue that is discussed here . It seems that the backups do contain some data that are not actually necessary, but even exporting the configuration as text and certificates as .crt ; .key or as .pkcs12 files and reimporting all that to a netinstalled device does not make th...
by sindy
Sat Mar 08, 2025 9:23 pm
Forum: General
Topic: L2TP site to site cannot reach server's LAN [SOLVED]
Replies: 10
Views: 9658

Re: L2TP site to site cannot reach server's LAN [SOLVED]

the default settings you mentioned for the firewall are maintained in a post [1] within this forum @rextended is indeed doing a good job there. Does anyone happen to know any guides about using the algorithm of WireGuard with IPsec? Would it be recommended? Would it change its behaviour and require...
by sindy
Sun Mar 02, 2025 5:50 pm
Forum: General
Topic: L2TP site to site cannot reach server's LAN [SOLVED]
Replies: 10
Views: 9658

Re: L2TP site to site cannot reach server's LAN [SOLVED]

Please post complete configs of both devices the way they actually are, because "similar" is not good enough - in your "common" firewall export, there is just one of the LAN subnets in the allowed_to_router address list ( add address=192.168.1.1-192.168.1.254 list=allowed_to_rout...
by sindy
Sun Mar 02, 2025 12:14 pm
Forum: General
Topic: Which is the best 5G modem compatible with RoS7.
Replies: 22
Views: 6629

Re: Which is the best 5G modem compatible with RoS7.

That would have been my expectation. Not so much mine, at least not to that extent, given the effort made at Mikrotik side to make the 960 work back then. what I'd check is if firmware upgrade is supported on the Quectel you're using At least for now it is not. So RM520N:FN990 0:0 here. if you ask ...
by sindy
Sat Mar 01, 2025 10:42 pm
Forum: General
Topic: Which is the best 5G modem compatible with RoS7.
Replies: 22
Views: 6629

Re: Which is the best 5G modem compatible with RoS7.

a Telit FN990-A28 is waiting in the box to be tested once an adaptor arrives - it is based on the same Qualcomm chipset, just the AT commands differ. It does work, however, it was not such a smooth ride like with the Quectel. At first, RouterOS saw it as a USB device but ignored it as a modem. The ...
by sindy
Fri Feb 28, 2025 9:25 pm
Forum: General
Topic: Cannot disable preboot-etherboot after updating to ROS 7.18 [SOLVED]
Replies: 4
Views: 6551

Re: Cannot disable preboot-etherboot after updating to ROS 7.18 [SOLVED]

Why is this happening and what is the fix? As part of the "we will make your devices secure no matter whether you like it or not" campaign, certain features now have to be explicitly allowed using exactly the "device mode" setting you haven't touched. So read the manual, check w...
by sindy
Tue Feb 25, 2025 11:07 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

@Larsa, the scripts and search phrases you've suggested do not address the topic of updating the IPsec identity rows whenever the LE certificate gets renewed; the renewal of the LE certificate happens fully automatically in recent versions of RouterOS so scripts are not necessary for that any more. ...
by sindy
Sun Feb 23, 2025 10:50 pm
Forum: General
Topic: VLAN vs. bridge VLAN
Replies: 20
Views: 6155

Re: VLAN vs. bridge VLAN

Mikrotik traffic flow always starts with the ''Input'' chain. This chain defines everything related to incoming traffic. Then follows the ''forward'' chain, which means the traffic flow that goes through the router. This wording is a bit misleading. In reality, it is an exclusive or: a received pac...
by sindy
Sun Feb 23, 2025 10:19 pm
Forum: General
Topic: VLAN vs. bridge VLAN
Replies: 20
Views: 6155

Re: VLAN vs. bridge VLAN

You can use both (in|out)-interface(-list) and (src|dst)-address(-list) in firewall filter rules, but until recently you could not use in-interface or in-interface-list in the srcnat chain of firewall nat for unclear reason, and you cannot use out-interface(-list) in dstnat and prerouting for obviou...
by sindy
Sun Feb 23, 2025 7:20 pm
Forum: General
Topic: IPSec SA issue in 7.12.1
Replies: 2
Views: 3243

Re: IPSec SA issue in 7.12.1

Have you set the level parameter of the policies to unique? Is the remote peer a Mikrotik or a device from another vendor?
by sindy
Sun Feb 23, 2025 6:58 pm
Forum: General
Topic: EoIP and MTU
Replies: 19
Views: 6078

Re: EoIP and MTU

BCP indeed does work but it does not interwork with bridges on which vlan-filtering is enabled (unless something has changed recently). But alone it doesn't help with MTU size - you need to use it in conjunction with another "forgotten protocol", MLPPP. The beauty of MLPPP is that it slice...
by sindy
Sun Feb 23, 2025 6:39 pm
Forum: General
Topic: Language of VLANs please
Replies: 24
Views: 5313

Re: Language of VLANs please

I simply don't understand the points along the way -- e.g., "interface/vlan," "bridge.the.interface," "bridge.the.port" a VLAN (sub)interface (abbreviated to interface/vlan on that scheme) is a functional entity that acts as a tagging/untagging pipe. Its "untagged...
by sindy
Sun Feb 23, 2025 2:32 pm
Forum: General
Topic: Which is the best 5G modem compatible with RoS7.
Replies: 22
Views: 6629

Re: Which is the best 5G modem compatible with RoS7.

I have got my 520(GL), not 502(EU), for about $180 from Ali. I've never tried a 502.
by sindy
Sun Feb 23, 2025 2:17 pm
Forum: General
Topic: Which is the best 5G modem compatible with RoS7.
Replies: 22
Views: 6629

Re: Which is the best 5G modem compatible with RoS7.

This is what I saw in the office the other day: primary-band: B1@20Mhz earfcn: 100 phy-cellid: abc ca-band: n78@80Mhz earfcn: 644640 phy-cellid: def B3@15Mhz earfcn: 1404 phy-cellid: ghi So 3 bands aggregated, one of them n78. In a more rural area where the device has been deployed permanently, stil...
by sindy
Sun Feb 23, 2025 11:44 am
Forum: General
Topic: Which is the best 5G modem compatible with RoS7.
Replies: 22
Views: 6629

Re: Which is the best 5G modem compatible with RoS7.

Not sure whether it is "the best" one but I do successfully use Quectel RM520NGLAA (be careful to obtain the AA version as the USB interface is disabled on the ..AP one). And a Telit FN990-A28 is waiting in the box to be tested once an adaptor arrives - it is based on the same Qualcomm chi...
by sindy
Sun Feb 23, 2025 10:53 am
Forum: Forwarding Protocols
Topic: Two WAN Router with Passing Subnets
Replies: 10
Views: 5515

Re: Two WAN Router with Passing Subnets

Have you resolved the subject of this topic or it's just that the loss of admin access has temporarily prevented you from moving further with this one?
by sindy
Sun Feb 23, 2025 10:45 am
Forum: General
Topic: Language of VLANs please
Replies: 24
Views: 5313

Re: Language of VLANs please

Unfortunately, I don't really understand what is being demonstrated. I think it shows that the hEX router that has this VLAN config knows that each IP network has a different VLAN (10.11.11.x on VLAN1; 10.22.22.x on VLAN2; 10.33.33.x on VLAN3). Perhaps more specifically, that the broadcast traffic ...
by sindy
Sat Feb 22, 2025 11:04 pm
Forum: General
Topic: Vlan tagging
Replies: 34
Views: 6807

Re: Vlan tagging

You have renamed ether3 to OffBridge3, but “a rose by any other name would smell as sweet” - in RouterOS, the configuration items are linked to each other using internal IDs rather than the human-friendly names. So the important point is to disable the /interface bridge port row that makes OffBridge...
by sindy
Sat Feb 22, 2025 10:14 pm
Forum: General
Topic: Vlan tagging
Replies: 34
Views: 6807

Re: Vlan tagging

If you decide to specify the list of untagged ports for a VLAN manually (under /interface bridge vlan ), it still must be consistent with the pvid settings on the /interface bridge port rows, which is not the case e.g. for vlan 4 and ether5 (but other port/VLAN combinations are affected too). If fra...
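The consistency rule in the post (a port's pvid must agree with the untagged= lists under /interface bridge vlan, in both directions) is easy to check mechanically on a text export. The following is an added example, not the poster's configuration or any RouterOS code: a small Python linter that parses a constructed export fragment and reports every port whose pvid does not match the VLAN rows. The export text is constructed for the example and contains two deliberate mismatches; the parser understands only the `key=value` form of `add` lines and assumes a port without an explicit pvid uses the RouterOS default of 1.

```python
import re
from collections import defaultdict

# Constructed RouterOS export fragment (not the poster's configuration). Two
# deliberate inconsistencies: ether5 has pvid=4 but is listed untagged in
# VLAN 20, and VLAN 4 does not list ether5 as untagged at all.
EXPORT = """\
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether5 pvid=4
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether3,ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=4
"""

# key=value tokens of an export line; values may be quoted strings.
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} for every 'add' line."""
    sections = defaultdict(list)
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            sections[section].append(
                {k: v.strip('"') for k, v in TOKEN.findall(line)})
    return sections


def expand_vlan_ids(spec):
    """'10' -> {10}; '10-12,20' -> {10, 11, 12, 20} (RouterOS list syntax)."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def check_untagged_consistency(text):
    """Cross-check pvid on bridge ports against untagged= on bridge vlan rows.

    Returns a list of human-readable problems, empty when consistent.
    """
    cfg = parse_export(text)
    # Assumption: a port row without pvid= uses the RouterOS default, 1.
    pvid = {p["interface"]: int(p.get("pvid", 1))
            for p in cfg["/interface bridge port"]}
    untagged_in = defaultdict(set)  # port -> VLAN IDs listing it as untagged
    for row in cfg["/interface bridge vlan"]:
        for vid in expand_vlan_ids(row["vlan-ids"]):
            for port in filter(None, row.get("untagged", "").split(",")):
                untagged_in[port].add(vid)
    problems = []
    for port, vid in sorted(pvid.items()):
        # Direction 1: the pvid VLAN must list the port as untagged.
        if vid not in untagged_in[port]:
            problems.append(f"{port}: pvid={vid} but not listed untagged in vlan {vid}")
        # Direction 2: no other VLAN may list the port as untagged.
        for other in sorted(untagged_in[port] - {vid}):
            problems.append(f"{port}: listed untagged in vlan {other} but pvid={vid}")
    return problems


if __name__ == "__main__":
    for problem in check_untagged_consistency(EXPORT):
        print(problem)
```

Run it against a real `/export` after removing anything sensitive; a port that shows up in both lists is exactly the kind of row that silently makes frames leak into, or vanish from, the wrong VLAN.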
by sindy
Sat Feb 22, 2025 9:21 pm
Forum: General
Topic: Mikrotik CHR for Wireguard VPN with Static Public IP
Replies: 5
Views: 3580

Re: Mikrotik CHR for Wireguard VPN with Static Public IP

@sokalsondha, do I understand properly that you want Wireguard user A to use an internal address 10.0.0.2, and if he sends a packet through the Wireguard tunnel towards a public destination address, that request gets its source address translated to the public one x.x.x.154, whereas user B will use ...
by sindy
Sat Feb 22, 2025 9:13 pm
Forum: General
Topic: Vlan tagging
Replies: 34
Views: 6807

Re: Vlan tagging

Many vendors allow you to configure a list of VLANs for a given port. So you say "ether5 is a member of VLANs 10,20,27,39" and specify whether it is an "access" or "trunk" member of that VLAN. For just a few VLANs, many users prefer this even if the other way round (spe...
by sindy
Sat Feb 22, 2025 8:10 pm
Forum: General
Topic: Language of VLANs please
Replies: 24
Views: 5313

Re: Language of VLANs please

Can someone please explain, in super clear and complete sentences and thoughts (don't be afraid to be overly verbose), the following phrases: Without the surrounding context, those chunks of words alone cannot be translated properly. And some of them may have even been used incorrectly where you h...
by sindy
Sat Feb 22, 2025 1:28 pm
Forum: General
Topic: VPN IKEv2 client router won't route workstation traffic
Replies: 1
Views: 3635

Re: VPN IKEv2 client router won't route workstation traffic

There are multiple issues. First, the IPsec setup. Neither on the responder (home router) nor on the initiator (the roaming hAP) you have configured any particular IPsec policy, you only have templates. So the hAP gets a single address specified by the mode-config row, 10.10.20.41, and since the tem...
by sindy
Sat Feb 22, 2025 12:01 pm
Forum: General
Topic: IPSsec/L2TP
Replies: 3
Views: 3049

Re: IPSsec/L2TP

L2TP/IPsec does work on 7.16.2 so the issue must be something in the configuration or the Windows may have another glitch. Please post the export of the configuration, of course after obfuscating any sensitive information.
by sindy
Sat Feb 22, 2025 8:47 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 21
Views: 13327

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

I have the same problem You don't. The OP's problem was that the two connections were killing each other due to the INITIAL_CONTACT notification. According to your description, the INITIAL_CONTACT option is disabled by default. ... The tables are there and the marking rules are there too. However, ...
by sindy
Fri Feb 21, 2025 6:22 pm
Forum: General
Topic: Question related to "RouterOS bridge mysteries explained"
Replies: 13
Views: 6175

Re: Question related to "RouterOS bridge mysteries explained"

The whole OP was aimed to explain that in fact, there is no single "bridge itself", because the "bridge" term actually represents three distinct functional entities that are tightly linked to each other, and that a clear distinction between these entities in the respective contex...
by sindy
Wed Feb 19, 2025 11:36 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

How do i get the intermediate CA (R11) on the mikrotik and how do i make it so that this stays correct when the domaincertificate is renewed? Sorry for late reaction, life is intense these days. The ACME agent in RouterOS requests a new certificate every 60 days, so in any case you need a script th...
by sindy
Wed Feb 19, 2025 11:13 pm
Forum: General
Topic: Different IP address segments cannot be connected in 1 mikrotik
Replies: 3
Views: 3197

Re: Different IP address segments cannot be connected in 1 mikrotik

OK, so you use mangle rules to choose a specific routing table for packets depending on their origin ( source-address(-list) and/or in-interface(-list) ). So you have to make these rules match also on dst-address-list so that they would not act on packets whose destination address is in another loca...
by sindy
Mon Feb 17, 2025 10:18 pm
Forum: General
Topic: MikroTik Chateau 5G R16 capability
Replies: 2
Views: 2663

Re: MikroTik Chateau 5G R16 capability

With bonding, a single connection (TCP session, UDP stream) always uses only one of the bonded paths - unless you use the round robin (balance-rr) mode but that causes other issues. But the aggregate throughput may reach the sum of the bandwidths under favourable conditions (a sufficient number of i...
by sindy
Sun Feb 16, 2025 10:24 am
Forum: General
Topic: Different IP address segments cannot be connected in 1 mikrotik
Replies: 3
Views: 3197

Re: Different IP address segments cannot be connected in 1 mikrotik

Since a router normally allows routing among all networks connected to it unless you explicitly ask it not to do so (using firewall rules and/or routing rules and/or VRF settings), it is clear that something in your configuration is set differently from what you actually want to happen. Until you po...
by sindy
Sun Feb 16, 2025 9:10 am
Forum: General
Topic: Dynamic address lists via srv entry
Replies: 6
Views: 2770

Re: Dynamic address lists via srv entry

Running scripts loads the device several orders of magnitude less than routing packets, so you can literally run the check every second without a noticeable impact. The phone will send the SYN packet to establish a connection to a new server multiple times before giving up so running the script once...
by sindy
Sat Feb 15, 2025 11:14 pm
Forum: General
Topic: Dynamic address lists via srv entry
Replies: 6
Views: 2770

Re: Dynamic address lists via srv entry

The phone must send its SRV query first, or use dig as you did before. The TTL was an hour when I tried a while ago.
by sindy
Sat Feb 15, 2025 10:56 pm
Forum: General
Topic: Dynamic address lists via srv entry
Replies: 6
Views: 2770

Re: Dynamic address lists via srv entry

The only workaround currently available requires scripting. RouterOS is unable to generate a SRV query at all, not just as a way to populate an address list, but it does cache the responses to SRV queries issued by clients. So you can schedule a script that will keep reading the cached responses and...
by sindy
Sat Feb 15, 2025 2:28 pm
Forum: General
Topic: VXLAN inside WireGuard tunnel
Replies: 4
Views: 2893

Re: VXLAN inside WireGuard tunnel

In general yes, in detail not so much. I mean, I could not find any important bit to miss in the configuration, but the actual behavior may not fulfil your expectations. The overhead of Wireguard takes 80 bytes (hence MTU 1420 if the path between the peers has MTU 1500) and the overhead of VXLAN tak...
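The MTU arithmetic the post starts (80 bytes for WireGuard, hence 1420 on a 1500-byte path, then the VXLAN overhead on top of that) is worth carrying through to the numbers you actually have to configure on the inner interface and in an MSS clamp. The block below is an added example, not code from the post or from RouterOS. The WireGuard figure is the one the post quotes; the VXLAN figure (14 inner Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN header = 50 bytes over an IPv4 underlay) is my assumption, as is the IPv4/TCP header size used for the MSS value.

```python
# Encapsulation overhead per layer, in bytes.
OVERHEAD = {
    "wireguard": 80,            # figure quoted in the post: 1500 - 80 = 1420
    "vxlan": 14 + 20 + 8 + 8,   # assumption: inner Ethernet + IPv4 + UDP + VXLAN header
}


def inner_mtu(path_mtu, stack):
    """MTU budget after each encapsulation layer, outermost layer first.

    inner_mtu(1500, ["wireguard", "vxlan"]) -> [1500, 1420, 1370]
    """
    budget = [path_mtu]
    for layer in stack:
        budget.append(budget[-1] - OVERHEAD[layer])
    return budget


def on_wire_size(inner_packet, stack):
    """Bytes the outermost carrier must send for one inner IP packet."""
    return inner_packet + sum(OVERHEAD[layer] for layer in stack)


def needs_fragmentation(inner_packet, stack, path_mtu=1500):
    """True when the encapsulated packet no longer fits the physical path."""
    return on_wire_size(inner_packet, stack) > path_mtu


def tcp_mss(mtu):
    """Largest IPv4 TCP MSS for an MTU (assumes 20-byte IP + 20-byte TCP headers)."""
    return mtu - 40


if __name__ == "__main__":
    stack = ["wireguard", "vxlan"]
    *_, innermost = inner_mtu(1500, stack)
    print("inner L3 MTU:", innermost, "clamp MSS to:", tcp_mss(innermost))
    print("1500-byte inner packet fragments:", needs_fragmentation(1500, stack))
```

The last line is the practical point of the post: a host inside the VXLAN segment that still believes in a 1500-byte MTU produces packets that only reach the far side after IP fragmentation of the WireGuard carrier, which is what the reduced interface MTU and the MSS clamp are there to prevent.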
by sindy
Thu Feb 13, 2025 11:21 pm
Forum: General
Topic: High Availability 2 DHCP servers
Replies: 30
Views: 7520

Re: High Availability 2 DHCP servers

If there are no VLANs, everything should sit in a single common subnet, so there should be one DHCP server with a single range and a single "network". So assuming it is a /20 network (192.168.0.0-192.168.15.255), there would be a gateway on 192.168.0.1/20 and the dynamic pool could spa...
by sindy
Thu Feb 13, 2025 10:20 pm
Forum: General
Topic: High Availability 2 DHCP servers
Replies: 30
Views: 7520

Re: High Availability 2 DHCP servers

Who is "MSP"? VLANs are an L2 thing. If you want devices in different VLANs, they normally have to be also in different subnets, and each subnet needs an interface of a router with an address within that subnet, to be used as a gateway from that subnet to the rest of the world. So typicall...
by sindy
Thu Feb 13, 2025 9:52 pm
Forum: General
Topic: High Availability 2 DHCP servers
Replies: 30
Views: 7520

Re: High Availability 2 DHCP servers

Many devices are unable to handle a gateway outside their subnet, so giving all of them 192.168.1.1 is most likely wrong. By giving all a netmask /20 you put all of them to the same subnet, but then having them in distinct VLANs is weird to me - they will be unable to talk to each other that way eve...
by sindy
Thu Feb 13, 2025 9:50 pm
Forum: General
Topic: High Availability 2 DHCP servers
Replies: 30
Views: 7520

Re: High Availability 2 DHCP servers

When a Mikrotik DHCP server serves an incoming request, it first chooses the pool based on the interface and, if configured, the matcher rules (the pool attached to the DHCP server is used if matcher does not choose another one). Once the address is chosen, it is compared with the address items of t...
by sindy
Thu Feb 13, 2025 9:33 pm
Forum: General
Topic: High Availability 2 DHCP servers
Replies: 30
Views: 7520

Re: High Availability 2 DHCP servers

Mikrotik should handle only the DHCP part. DNS is handled by windows domain controller server and Internet by Fortigate. That's OK, but the DHCP server must tell the clients which DNS servers to use. If you are going to give each new device an address from 192.168.12.0/24 and then make that lease s...
by sindy
Thu Feb 13, 2025 9:24 pm
Forum: General
Topic: High Availability 2 DHCP servers
Replies: 30
Views: 7520

Re: High Availability 2 DHCP servers

When someone says they want "separate VLANs", it normally means they actually want separate subnets. And if so, you need an IP interface in each subnet (typically, a VLAN interface) to which a dedicated DHCP server or a DHCP relay for that subnet is attached, and a router with an IP interf...
by sindy
Thu Feb 13, 2025 8:52 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

I guess it took that too literally. I installed the LE certificate on the windows VPN-client via import. There is no reason to import the LE certificate issued for the FQDN of the Mikrotik server to the Windows. But as you said you wouldn't take the Let's Encrypt path, I probably did not give enou...
by sindy
Thu Feb 13, 2025 8:21 pm
Forum: General
Topic: High Availability 2 DHCP servers
Replies: 30
Views: 7520

Re: High Availability 2 DHCP servers

It may be OK if you have some matching rules in place (under ip dhcp-server/matcher) that allow to identify the various classes of hosts as specified in the comments, based on vendor-class-id or some other DHCP options in the clients' requests, and choose the corresponding pool for each class.
by sindy
Thu Feb 13, 2025 5:47 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

For me, it was the simplest possible setup on Windows - no powershell needed. The Windows must have the certificate of the signing CA of the Mikrotik's certificate among its trusted root CAs. No own certificate of the Windows client is required if you choose username/password authentication. The cer...
by sindy
Thu Feb 13, 2025 3:50 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

ID of the peer is not really relevant as in the current configuration, it should be ignored when matching the /ip/ipsec/identity row. As the Windows throw the error upon receiving the certificate from the Mikrotik, you are most likely right that they do not like the contents of the certificate. And,...
by sindy
Thu Feb 13, 2025 3:28 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

Run Wireshark simultaneously with logging on Mikrotik and compare whether the packets shown in firewall log of Mikrotik indeed made it to Windows. It is strange that it behaves different in the individual attempts.
by sindy
Thu Feb 13, 2025 2:46 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

I guess something is wrong there.
If you use the trick with public address on the Mikrotik itself, it must be set as a local-address on the peer. The dst-nat rules are OK.
by sindy
Thu Feb 13, 2025 2:38 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

To me it seems that the initiator (Windows) auth requests (fragment 1 of 3 etc.) do not reach the Mikrotik, as I can see retransmissions in both the Mikrotik log and the Wireshark from Windows. Do you forward also UDP port 4500 from the public IP to Mikrotik's WAN?
by sindy
Thu Feb 13, 2025 2:18 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

Windows are not famous for useful error messages, they report unacceptable for almost everything :( What I can see in the logs that Windows either do not get the auth response from us or they do not bother to send NOTIFY with rejection payload in response. Can you verify which case it is using Wire...
by sindy
Wed Feb 12, 2025 6:48 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

So what is in the EKU of the my.dnsname.com certificate - is the tls-server bit set? And does the certificate use an ECP key, as you use one in DH-group in Phase 1 and Phase 2 proposals?
by sindy
Wed Feb 12, 2025 6:01 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

Does the log show that IPsec sends a query to RADIUS?
by sindy
Wed Feb 12, 2025 10:44 am
Forum: Forwarding Protocols
Topic: Two WAN Router with Passing Subnets
Replies: 10
Views: 5515

Re: Two WAN Router with Passing Subnets

please let me know when you have free time that i provide you anydesk access and you can check the config.
Can you follow the instructions in viewtopic.php?p=902082#p902082 ?
by sindy
Tue Feb 11, 2025 9:19 pm
Forum: General
Topic: Another Find question
Replies: 4
Views: 2107

Re: Another Find question

What is far more important is that the string that follows the ~ operator is not a text constant - it is a regular expression, so you can e.g. set that string to "e....1" when matching on the interface name and ether1 will still match (but so would e. g. ester1 or eeeee1 ). Why the name~et...
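The distinction the post draws (the right-hand side of `~` is a regular expression searched anywhere in the value, not a literal compared whole) is worth seeing on a list of names, because a `find` that over-matches is what makes a script disable, re-address or firewall an interface it was never meant to touch. The block below is an added example, not RouterOS code: it reproduces the three comparisons in Python's `re` on a constructed list of interface names, including the classic case where `name~"ether1"` also hits `ether10`.

```python
import re

# Constructed interface names (not from the post) chosen to expose over-matching.
INTERFACES = ["ether1", "ether10", "ester1", "eeeee1", "sfp1", "bridge1"]


def find_exact(names, value):
    """RouterOS 'name=value': a literal, whole-string comparison."""
    return [n for n in names if n == value]


def find_regex(names, pattern):
    """RouterOS 'name~"pattern"': a regular expression searched anywhere in the name."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def find_anchored(names, pattern):
    """Same operator, but with ^ and $ so the pattern must span the whole name."""
    return find_regex(names, r"^(?:" + pattern + r")$")


if __name__ == "__main__":
    # The post's example: "e....1" is five arbitrary characters between e and 1.
    print('~"e....1"  ->', find_regex(INTERFACES, "e....1"))
    # The everyday trap: an unanchored literal also matches longer names.
    print('~"ether1"  ->', find_regex(INTERFACES, "ether1"))
    print('~"^ether1$" ->', find_anchored(INTERFACES, "ether1"))
    print('="ether1"  ->', find_exact(INTERFACES, "ether1"))
```

When a script acts on the result of `[find name~...]`, anchor the pattern (or use `=` when a literal is meant); the unanchored form silently widens the set of objects the script modifies.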
by sindy
Tue Feb 11, 2025 3:41 pm
Forum: Forwarding Protocols
Topic: Two WAN Router with Passing Subnets
Replies: 10
Views: 5515

Re: Two WAN Router with Passing Subnets

OK. This is in fact very similar to having two uplinks connected directly to CCR2 and using each of them for access to internet from another set of local subnets. In another words, you can think of CCR1 as of another ISP router providing internet access for CCR2. The key here is that the routing mus...
by sindy
Mon Feb 10, 2025 4:11 pm
Forum: General
Topic: /interface print where [find name=ether2] -- not correct
Replies: 19
Views: 4072

Re: /interface print where [find name=ehter2] -- not correct

I don't understand what the addition of "->0" does. A list is implicitly also an array indexed by integers starting from 0. So ($thisList->0) is a reference to the first ("zeroth") element of thisList . To make it even crazier, you can mix different types of indices in the same a...
by sindy
Mon Feb 10, 2025 11:46 am
Forum: General
Topic: /interface print where [find name=ether2] -- not correct
Replies: 19
Views: 4072

Re: /interface print where [find name=ehter2] -- not correct

I would add ... Well, this is actually a bit more complicated. If you issue a command that refers to the user-friendly ID before you use the first print for that configuration branch, RouterOS silently assigns the user-friendly IDs the same way it would if you issued a print for that branch without...
by sindy
Mon Feb 10, 2025 9:18 am
Forum: General
Topic: /interface print where [find name=ether2] -- not correct
Replies: 19
Views: 4072

Re: /interface print where [find name=ehter2] -- not correct

Almost correct, except that there are two kinds of IDs - the internal one that stays the same as long as the object exists and is shown as *1fe or something alike (a 32-bit number in hexadecimal representation prefixed with an asterisk). These are the IDs that [find ...] returns. As @mkx has already...
by sindy
Sun Feb 09, 2025 10:28 pm
Forum: General
Topic: IPSec Tunnel established no Rx bytes/packets [SOLVED]
Replies: 13
Views: 4120

Re: IPSec Tunnel established no Rx bytes/packets [SOLVED]

I am not a cryptographic expert so I cannot suggest which of the encryption algorithms is more secure. When it comes to throughput and CPU load, the available information is quite inconsistent. The Mikrotik product page does not mention support of encryption in hardware for the L009, but its block d...
by sindy
Sun Feb 09, 2025 8:09 pm
Forum: General
Topic: Startlink Business with Mikrotik issue
Replies: 4
Views: 4359

Re: Startlink Business with Mikrotik issue

What does "my Mikrotik" mean in terms of model number? How many client devices are connected to the Mikrotik? What tools do you use to test the speed? Is the Mikrotik itself the WiFi AP or you use some external one?
by sindy
Sun Feb 09, 2025 8:05 pm
Forum: General
Topic: IPSec Tunnel established no Rx bytes/packets [SOLVED]
Replies: 13
Views: 4120

Re: IPSec Tunnel established no Rx bytes/packets [SOLVED]

OK, so most likely the 7.17.2 IPsec doesn't like something about the ESP packets it receives from 7.15.x and doesn't decrypt them. Since you use an individual proposal for each peer even though their contents is the same, it will not affect the other connections if you change the relevant proposals ...
by sindy
Sun Feb 09, 2025 6:58 pm
Forum: General
Topic: IPSec Tunnel established no Rx bytes/packets [SOLVED]
Replies: 13
Views: 4120

Re: IPSec Tunnel established no Rx bytes/packets [SOLVED]

OK. So run /ip/ipsec/statistics/print interval=1s on Router 1, then start pinging the private address in Router 1 LAN from Router 2, then stop again. Does any value in the statistics grow while the ping is running and stays the same while it is not?
by sindy
Sun Feb 09, 2025 6:34 pm
Forum: General
Topic: IPSec Tunnel established no Rx bytes/packets [SOLVED]
Replies: 13
Views: 4120

Re: IPSec Tunnel established no Rx bytes/packets [SOLVED]

You forgot to obfuscate the addresses in the /tool sniffer command.

Do the ESP packets come synchronously with the ping ones, i.e. when you stop the pings, do the ESP ones stop coming?
by sindy
Sun Feb 09, 2025 5:12 pm
Forum: General
Topic: IPSec Tunnel established no Rx bytes/packets [SOLVED]
Replies: 13
Views: 4120

Re: IPSec Tunnel established no Rx bytes/packets [SOLVED]

I wasn't precise enough. Do ping from one LAN (private) address to another, but sniff for the public address of the remote router. It is enough to show Router 1 and the opposite router (2 or 3). And make the windows where you run the /tool sniffer as wide as your screen allows - Mikrotik dynamically...
by sindy
Sun Feb 09, 2025 4:55 pm
Forum: General
Topic: Multiple PPPoE over VLAN
Replies: 16
Views: 3104

Re: Multiple PPPoE over VLAN

return a single blank line I just wanted to check that VLAN "filtering" was indeed disabled on bridgeWAN as the configuration export suggested, so a blank line is a correct result. but now works.... is possibly that connecting Fritz to ONT for the test and re-connecting on Eth8...? Maybe ...
by sindy
Sun Feb 09, 2025 4:26 pm
Forum: General
Topic: Multiple PPPoE over VLAN
Replies: 16
Views: 3104

Re: Multiple PPPoE over VLAN

Looks fine to me, so what does /interface bridge vlan print where bridge=bridgeWAN show?
by sindy
Sun Feb 09, 2025 2:36 pm
Forum: General
Topic: Multiple PPPoE over VLAN
Replies: 16
Views: 3104

Re: Multiple PPPoE over VLAN

If so, moving the VLAN 200 subinterface from ether1 to br-wan1 should be all you need to do.
by sindy
Sun Feb 09, 2025 2:25 pm
Forum: General
Topic: Multiple PPPoE over VLAN
Replies: 16
Views: 3104

Re: Multiple PPPoE over VLAN

So in my words: the ISP will see two MAC addresses trying to establish a PPPoE connection in VLAN 200; one will be the PPPoE client on RB4011 (using one set of credentials) and the other one will be the PPPoE client behind the Fritzbox in bridge mode (using another set of credentials)? is it OK if V...
by sindy
Sun Feb 09, 2025 2:01 pm
Forum: General
Topic: Multiple PPPoE over VLAN
Replies: 16
Views: 3104

Re: Multiple PPPoE over VLAN

I don't think it is a matter of English. First you have mentioned that the Fritzbox uses VLAN 300, now you mention VLAN 200; from the first post I've got an impression that the Fritzbox is in bridge mode and provides a second WAN to the 4011, now it seems that you want to provide a second WAN to the ...
by sindy
Sun Feb 09, 2025 1:55 pm
Forum: General
Topic: IPSec Tunnel established no Rx bytes/packets [SOLVED]
Replies: 13
Views: 4120

Re: IPSec Tunnel established no Rx bytes/packets [SOLVED]

To check that, start pinging the LAN address of Router1 from Router2 and the LAN address of Router2 from Router1, specifying the correct source address so that the ping request packets would match the respective IPsec policies. While the two pings are running, run the following command on both route...
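The test procedure from the two posts above (the one asking for the pings with a forced source address, and the one asking to watch /ip/ipsec/statistics while the pings run) written out as a RouterOS terminal session. This is an added example, not taken from the thread; all addresses and the interface name are placeholders: Router1 LAN 192.168.1.0/24 with LAN address 192.168.1.1, Router2 LAN 192.168.2.0/24 with LAN address 192.168.2.1, Router2 public address 203.0.113.2, Router1 WAN port ether1.

```routeros
# Added example, not from the forum posts. Placeholders: Router1 LAN address 192.168.1.1,
# Router2 LAN address 192.168.2.1, Router2 public address 203.0.113.2, Router1 WAN ether1.
# Run everything below on Router1 (mirror the addresses for the test from Router2).

# 1. Confirm a Phase 2 SA pair exists for the peer and note its byte counters before the test.
/ip ipsec installed-sa print

# 2. Generate traffic that actually matches the policy: without src-address the router would
#    source the echo requests from its WAN address, which no LAN-to-LAN policy covers.
/ping 192.168.2.1 src-address=192.168.1.1 count=20 interval=1s

# 3. In a second terminal, refresh the IPsec counters once a second while the ping runs.
#    A counter that grows only while the ping runs points at where the packets are dropped.
/ip ipsec statistics print interval=1s

# 4. Separate "ESP never comes back" from "ESP arrives but is not decrypted": sniff the WAN
#    port for ESP to/from the peer's public address while the ping is running, then stop the
#    ping and check that the ESP packets stop too.
/tool sniffer quick interface=ether1 ip-address=203.0.113.2 ip-protocol=ipsec-esp
```

If the installed-sa byte counters and the sniffer both show ESP arriving but the statistics counters keep growing, the problem is local to the receiving router (proposal mismatch, wrong SPI, replay window); if no ESP arrives at all while the peer reports sending it, the path in between is dropping protocol 50 and the usual remedy is to force NAT-T/UDP encapsulation.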
by sindy
Sun Feb 09, 2025 1:28 pm
Forum: General
Topic: Multiple PPPoE over VLAN
Replies: 16
Views: 3104

Re: Multiple PPPoE over VLAN

Why you cannot copy the existing setup, where the subinterface for VLAN 200 is directly attached to ether1, also for the other uplink, i.e. attach the subinterface for VLAN 300 directly to ether8? What am I missing?
by sindy
Sun Feb 09, 2025 11:31 am
Forum: General
Topic: IPSec Tunnel established no Rx bytes/packets [SOLVED]
Replies: 13
Views: 4120

Re: IPSec Tunnel established no Rx bytes/packets [SOLVED]

Since Router1 uses DHCP to obtain its WAN address, it is not clear whether said address is a public one. The way you describe it, it seems most likely to me that it is a public one and that the ISP serving Router1 is blocking ESP, but that's just a feeling based on some experience from the past. So ...
by sindy
Sun Feb 09, 2025 10:44 am
Forum: Forwarding Protocols
Topic: Two WAN Router with Passing Subnets
Replies: 10
Views: 5515

Re: Two WAN Router with Passing Subnets

I have my 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, and other prefixes in the Router B routing table with /16 subnet and I want to send prefixes shared in the image with /24 subnet. So after all it is not that simple as you've outlined in your first post, thus my suspicion that I was missing som...
by sindy
Sat Feb 08, 2025 9:30 pm
Forum: General
Topic: /interface print where [find name=ether2] -- not correct
Replies: 19
Views: 4072

Re: /interface print where [find name=ether2] -- not correct

/interface ethernet print where name=ether2 (no find required/allowed here)

but

/interface ethernet set [find where name=ether2] comment="this is ether2, yay!"
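To make the distinction in the post above concrete: find returns internal item IDs, print evaluates its own where clause over the rows. The following added example (not part of the post) shows both, plus the commands that do need IDs; it assumes a router with interfaces named ether1, ether2 and so on.

```routeros
# Added example, not from the post. Assumes the usual etherN interface names.

# "find" yields internal item IDs such as *1, *2 ..., not rows, which is why it cannot
# be handed to "print where" as a condition.
:put [/interface ethernet find where name=ether2]

# "print" applies the condition itself, so the condition goes straight into "where".
/interface ethernet print where name=ether2

# set / get / remove / enable / disable act on item IDs, so there "find" is required.
/interface ethernet set [find where name=ether2] comment="this is ether2, yay!"
:put [/interface ethernet get [find where name=ether2] comment]

# The same mechanism in a loop: "find" with a regex returns a list of IDs, "get" reads
# a property of each, "set" writes one.
:foreach id in=[/interface ethernet find where name~"^ether"] do={
    :local n [/interface ethernet get $id name]
    /interface ethernet set $id comment=("port " . $n)
}
```

The practical rule: if the command produces output for you to read (print), filter with where; if it changes or reads a specific item (set, get, remove, enable, disable), select it with [find where ...].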
by sindy
Sat Feb 08, 2025 6:46 pm
Forum: General
Topic: echo: system,error,critical could not save configuration changes, not enough storage space available.
Replies: 48
Views: 21973

Re: echo: system,error,critical could not save configuration changes, not enough storage space available.

My gut says the same, I have even experienced it practically while still in ROS 6 - I haven't noticed those complaints but after a reboot, everything was running fine except that I have lost a few ppp secrets I have added over the last several weeks. Since I am using the command line almost exclusively,...
by sindy
Sat Feb 08, 2025 4:39 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 4429

Re: Hapax3, no sleep

"While passing, they may either retain the tag (trunk mode) or lose it on egress and obtain it on ingress (access mode)" What does that mean? Sorry, the bold words went missing as I was editing the sentence multiple times to make it clearer 🤦 A single port may be a member of multiple VLAN...
by sindy
Sat Feb 08, 2025 4:29 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 4429

Re: Hapax3, no sleep

I would like to know, for my clarity, if multiple PVIDs can be placed on a single frame? A PVID is not a property of a frame. It is a property of a bridge port that says "if a frame without any VLAN tag arrives through the cable, attach a tag with this VID (Virtual LAN IDentifier) to it while...
by sindy
Sat Feb 08, 2025 3:16 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 4429

Re: Hapax3, no sleep

I personally don't have a problem comprehending the adding or stripping of a tag to a frame, the presence or absence of which guides devices to make routing (or availability) decisions. My understanding of VLANs fails after that. But VLANs are nothing more than that... Each VLAN is a collection of ...
by sindy
Sat Feb 08, 2025 2:44 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 4429

Re: Hapax3, no sleep

I'm just still trying to understand.... So what about the colored cars - are they helpful or not? Instead of cars, you can be given a flower at an entry, you can only carry a single flower at a time, etc., but it is still a matter of obtaining some attribute when entering the maze and being strippe...
by sindy
Sat Feb 08, 2025 2:37 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 4429

Re: Hapax3, no sleep

All analogies suck. What if I go along the lines "a bridge is a system of roads where no pedestrians are allowed; the only way a person can travel across the bridge is to board a car at an entry point and let the car bring it to the destination exit point. The cars are of different colors, ...
by sindy
Sat Feb 08, 2025 12:41 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 4429

Re: Hapax3, no sleep

While vlan-filtering is set to no on a bridge, no stripping or adding a VLAN tag happens on the bridge ports. So when a tagless frame gets in, through a physical interface, it stays tagless until it hits the IP stack listening at the internal port of the bridge (the "switch-facing interface of ...
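The behaviour explained across the Hapax3 posts above (pvid as a port property, trunk ports keeping the tag, access ports adding it on ingress and stripping it on egress, the bridge's own CPU-facing port, and nothing happening at all while vlan-filtering=no) as one RouterOS bridge configuration. This is an added example, not configuration from the thread; port roles and addresses are assumptions: ether2 is a trunk to another switch, ether3 an access port for VLAN 10, ether4 an access port for VLAN 20, and the router itself has an address in VLAN 10.

```routeros
# Added example, not from the thread. Assumed roles: ether2 trunk, ether3 access VLAN 10,
# ether4 access VLAN 20, router IP 192.168.10.1 in VLAN 10.

# Create the bridge with filtering still off: while vlan-filtering=no, nothing below
# adds or strips tags and every port sees every frame.
/interface bridge add name=bridge1 vlan-filtering=no

# Port membership. pvid is a per-port property: untagged frames entering this port get a
# tag with that VID. frame-types additionally rejects what a port must never receive
# (tagged frames on an access port, untagged frames on a trunk).
/interface bridge port add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
/interface bridge port add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: per VID, which ports the frame may traverse and whether it leaves them
# tagged (trunk) or untagged (access). "bridge1" in the tagged list is the internal
# CPU-facing port, i.e. the router's own IP stack.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=ether2,bridge1 untagged=ether3
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=ether2 untagged=ether4

# The router's L3 presence in VLAN 10 is a VLAN subinterface on the bridge, not on ether3.
/interface vlan add name=vlan10 interface=bridge1 vlan-id=10
/ip address add address=192.168.10.1/24 interface=vlan10

# Only now does the separation become real. Verify the table before and after.
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge vlan print where bridge=bridge1
```

Two points a practitioner should not skip: until the last set command, a host on ether4 can still talk to VLAN 10 because the tables are not yet enforced, so configure everything first and switch filtering on last; and make sure the port you manage the router through is either in the untagged list of the management VLAN or reaches the router through a VLAN that has bridge1 in its tagged list, otherwise enabling vlan-filtering locks you out.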
by sindy
Sat Feb 08, 2025 12:10 pm
Forum: General
Topic: Issues with "station bridge" mode on hAP ax Lite
Replies: 2
Views: 2042

Re: Issues with "station bridge" mode on hAP ax Lite

I then attempted to connect the hAP ax Lite to a RB951G (because that is what the customer has at their location). ... Is this a known issue? Is it related to ROS versions or is it related to chipset or driver issues? If I read the manual correctly, it is a matter of wireless/wifi drivers incompati...
by sindy
Sat Feb 08, 2025 11:49 am
Forum: Forwarding Protocols
Topic: Two WAN Router with Passing Subnets
Replies: 10
Views: 5515

Re: Two WAN Router with Passing Subnets

It seems so easy that I am afraid I have missed some important point. And if there is indeed none, it may be the reason why you cannot find anything online - this is a very basic routing scenario so no one bothers to boast "I have made it". assign addresses from the subnets you want to liv...
by sindy
Fri Feb 07, 2025 6:35 pm
Forum: General
Topic: Use port 443 for OpenVPN when it is used for other services
Replies: 2
Views: 2117

Re: Use port 443 for OpenVPN when it is used for other services

What you describe (attaching the openvpn server to some non-conflicting TCP port and using a dst-nat rule that matches on a particular local dst-address and dst-port=443 to redirect traffic to that non-conflicting port) should work normally. I am afraid that the unavailability after some time is cau...
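The setup the post above calls normal (OpenVPN server on a non-conflicting port, a dst-nat rule that matches one local address and dst-port=443 and redirects to that port) written out for RouterOS 7. This is an added example and not the poster's configuration; the address 203.0.113.10, the port 1194, the certificate name server-cert and the interface list WAN are placeholders.

```routeros
# Added example, not from the post. Placeholders: OpenVPN should answer on 203.0.113.10:443,
# another service already owns 443 on a different local address, OpenVPN itself listens on
# TCP 1194, server certificate is named "server-cert", WAN ports are in interface list "WAN".

# OpenVPN server on a port that conflicts with nothing (protocol=tcp is RouterOS 7 syntax;
# ROS 6 is TCP-only and has no protocol parameter).
/interface ovpn-server server set enabled=yes port=1194 protocol=tcp \
    certificate=server-cert require-client-certificate=yes

# Redirect only what arrives for TCP 443 on that one address. action=redirect is dst-nat
# to the router itself, so the other service on 443 (different dst-address) is untouched.
/ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=redirect to-ports=1194 comment="OpenVPN reachable on 443"

# The input filter sees the packet after dst-nat, so it must admit 1194, not 443.
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=1194 \
    action=accept comment="OpenVPN (redirected from 443)" place-before=0
```

When checking why such a setup stops working after a while, look at the dst-nat rule's packet counter and at /ip firewall connection for 1194 rather than 443: a client that still has an established connection tracking entry keeps working after the rule breaks, so the failure shows up first for new clients.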
by sindy
Thu Feb 06, 2025 9:56 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

Except RouterOS and Strongswan, I haven't seen any IKEv2 implementation yet that would support PSK. Just as a little factoid ...and this, kids, is what happens when you lose concentration when posting :D What I actually wanted to say was that I haven't seen any other kind of VPN client on a PC or p...
by sindy
Wed Feb 05, 2025 10:55 pm
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 37
Views: 20051

Re: How to run IPv6 from starlink on a mikrotik?

with IPv4, only CGNAT
(unless you pay a beefy surcharge to get a public one).
by sindy
Wed Feb 05, 2025 10:20 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

Interested in what u mean by the behind-NAT-trick. I'm using 500/4500 nat-traversal now. The ability to use ESP encapsulation into UDP and related stuff to traverse NAT is a capability of IPsec as a protocol; not accepting a responder behind NAT is a default behavior of the Windows embedded VPN cli...
by sindy
Wed Feb 05, 2025 7:25 pm
Forum: General
Topic: issue with l2tp/ipsec
Replies: 22
Views: 5431

Re: issue with l2tp/ipsec

It's not a PGP key, it is an RSA one. I referred to an instruction for OpenSSL on GitHub, so I reiterate it here: create file key.pub and copy my public key from that forum post into it
echo --your-phone-number-and/or-e-mail-address-- > zezeme.txt
openssl rsautl -in zezeme.txt -out zezeme.enc -pub...
by sindy
Wed Feb 05, 2025 2:36 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 9974

Re: Got stuck building IKEv2 w/ MFA for remote client

Certificate: the IPsec responder has to present the complete certificate chain that starts with its own certificate and contains any intermediate certificates all the way to the root CA - the certificate item on the /ip/ipsec/identity row is actually a list. The Windows machine acting as an IKEv2 in...
by sindy
Wed Feb 05, 2025 11:06 am
Forum: General
Topic: issue with l2tp/ipsec
Replies: 22
Views: 5431

Re: issue with l2tp/ipsec

I'm still watching some videos but so far I have this
Learning by doing is the most efficient way, but when it comes to internet security, it has its drawbacks, so I repeat my offer for remote assistance: viewtopic.php?p=1123221#p1123221
by sindy
Wed Feb 05, 2025 10:09 am
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 37
Views: 20051

Re: How to run IPv6 from starlink on a mikrotik?

Maybe it is time to post the export of the configuration?
by sindy
Tue Feb 04, 2025 11:07 pm
Forum: General
Topic: Why packet sniffer doesn't see NFS packets?
Replies: 4
Views: 2503

Re: Why packet sniffer doesn't see NFS packets?

It may, because my assumption was that the NFS client and the NFS server "take a shortcut" in terms that the communication between them doesn't get to the router's CPU. If your device supports IP routing in hardware (L3HW), this variant is still possible although they are in different subn...
by sindy
Tue Feb 04, 2025 9:44 pm
Forum: General
Topic: Public IPs to Private Subnets
Replies: 1
Views: 3580

Re: Public IPs to Private Subnets

I'm not sure what other information to provide, but I would appreciate help/guidance anyone is willing to share. The first thing you have to post to get any useful response is the export of the current configuration: from the command line (use the [Terminal] button in Winbox to open a command line ...
by sindy
Tue Feb 04, 2025 9:10 pm
Forum: General
Topic: Why packet sniffer doesn't see NFS packets?
Replies: 4
Views: 2503

Re: Why packet sniffer doesn't see NFS packets?

Could it be that the NFS client and server are in the same LAN, connected to different ports of the Mikrotik, that are bridged together?
by sindy
Tue Feb 04, 2025 9:02 pm
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 37
Views: 20051

Re: How to run IPv6 from starlink on a mikrotik?

Ah, yes, I totally forgot about the existence of the M flag - so under /ipv6/nd, set managed-address-configuration to yes for the interface (unless it gets set automatically if the DHCPv6 server is attached to that interface) to let the clients know a DHCPv6 server is available.
by sindy
Tue Feb 04, 2025 7:37 pm
Forum: General
Topic: IPSEC died before rekey [SOLVED]
Replies: 2
Views: 5363

Re: IPSEC died before rekey [SOLVED]

Can somebody read from log where is problem and why mikrotik kill SA on the end of rekey? These are the important bits: Feb/04/2025 16:55:44 ipsec,debug ===== received 80 bytes from Y.Y.Y.Y[45760] to X.X.X.X[4500] ... Feb/04/2025 16:55:44 ipsec payload seen: ENC (52 bytes) Feb/04/2025 16:55:44 ipse...
by sindy
Tue Feb 04, 2025 6:31 pm
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 37
Views: 20051

Re: How to run IPv6 from starlink on a mikrotik?

Is this something specific to starlink router that always use this ip or is general in ipv6. It's indeed from the category "$1 for turning the screw, $99 for knowing which one". It did take me some minutes to figure out. Maybe there are better ways I haven't found, though. Now i m struggl...
by sindy
Mon Feb 03, 2025 8:32 pm
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 37
Views: 20051

Re: How to run IPv6 from starlink on a mikrotik?

The only stupid questions are those not asked. you have only got a single /56 pool, the one you have requested and received from the Starlink DHCPv6 server. to let hosts connected to bridge have their IPv6 addresses, you do not need to use DHCPv6, nor could you actually use it until ROS 7.17+ (the f...
by sindy
Mon Feb 03, 2025 2:29 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 7520

Re: 1.3km Possible?

Higher gain dishes will give you gain on 'both' sides of a link. So if you saw -80dbm with a pair of 24dbi dishes (not counting radio transmit power itself) then a pair of 31dbi dishes (with another assumption that it doesn't lie and is tuned at that same frequency) will see a 14dbi increase in sig...
by sindy
Mon Feb 03, 2025 9:19 am
Forum: General
Topic: IPSEC multiple policy with p2p
Replies: 15
Views: 5905

Re: IPSEC multiple policy with p2p

Bare IPsec with traffic selectors is a voucher for migraines for any setup that is not predictable, and potentially overlapping remote subnets are another one. So I'd definitely prefer GRE encrypted using IPsec in transport mode for such a scenario.
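The alternative the post above recommends, a GRE tunnel protected by IPsec in transport mode, as a RouterOS configuration for one side. This is an added example, not configuration from the thread; the addresses are placeholders (this router's public address 203.0.113.1, the peer's 198.51.100.1, tunnel addresses 10.255.0.0/30, remote LAN 192.168.50.0/24) and the other side is configured as the mirror image.

```routeros
# Added example, not from the post. Placeholders: local public 203.0.113.1, peer public
# 198.51.100.1, tunnel /30 10.255.0.0/30 (.1 here, .2 on the peer), remote LAN 192.168.50.0/24.

# One GRE interface per peer. ipsec-secret makes RouterOS create the transport-mode IPsec
# peer and policy for the GRE packets itself, so the only "traffic selector" is
# GRE between the two public addresses, whatever the LANs behind them look like.
/interface gre add name=gre-siteB local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="use-a-long-random-psk-here" keepalive=10s,10 allow-fast-path=no

# What goes through the tunnel is now a routing decision. Overlapping or changing remote
# subnets are just routes; nothing in IPsec has to be touched.
/ip address add address=10.255.0.1/30 interface=gre-siteB
/ip route add dst-address=192.168.50.0/24 gateway=10.255.0.2 comment="site B via GRE/IPsec"

# The auto-created IPsec objects are visible (dynamic) but should not be edited by hand.
/ip ipsec peer print where dynamic
/ip ipsec policy print where dynamic

# GRE and ESP both add overhead; clamp TCP MSS on the tunnel so large transfers do not
# stall on fragmentation.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn out-interface=gre-siteB \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# Admit GRE (protocol 47) is not needed on the input chain: it arrives inside ESP; what the
# firewall must accept from the peer is IKE (UDP 500/4500) and ESP.
/ip firewall filter add chain=input src-address=198.51.100.1 protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input src-address=198.51.100.1 protocol=ipsec-esp action=accept
```

The dynamic peer created by ipsec-secret uses the default IPsec profile and proposal, so if you want specific DH groups or ciphers, change the default proposal and profile rather than the dynamic entries; and because the tunnel needs both public addresses to be static, a peer behind a changing address still needs one of the approaches the post warns about, or a tunnel protocol that handles roaming.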