> I just did, same result. Many more missing ESP UDP datagrams on the sending than on the receiving side.

If so, it looks like an overload of the device or a bug of the sniffer.

> Every set-up should be only in the first Mikrotik? (192.168.1.3 / 10.10.10.4). No need to set anything on the second one?

Yes. The client on the second Mikrotik connects to 10.10.10.4 and all the handling needs to be done at the 10.10.10.4 'Tik.

> I saw this in the best practices wiki, don't use it, but do you see value in adding it to the default setup?

This rule just prevents your uplink bandwidth from being wasted by ill-configured software or malware running on devices in your LAN.

> The following link demonstrates that the hEX can do 900 Mbps

Yes, but without PPPoE, which already makes a difference, and without VPN, which makes much more of a difference.

> When I plug a laptop directly into the Movistar's switch I get the address 192.168.1.X, so it must be in router mode.

So what happens if you attach a DHCP client directly (no /interface vlan in between) to Mikrotik's ether1 rather than a fixed address? Does it get a dynamic one too?

> The service vlan needs to be applied in the first vlan only (100 and 200) right?

s-vlans need 802.1ad (service) tagging (hence use-service-tag=yes), c-vlans need 802.1Q (customer) tagging, hence use-service-tag=no.

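As an added illustration of the stacking described above (example configuration, not from the thread; the interface names and the customer VLAN IDs 10 and 20 are assumed), the service VLANs 100 and 200 carry the 802.1ad tag and the customer VLANs ride inside them with an ordinary 802.1Q tag:

```routeros
# Added example, not from the thread. Interface names and customer IDs 10/20 are assumed.
/interface vlan
# Outer (service) tags: 802.1ad, EtherType 0x88a8, applied only on the s-vlans
add name=svlan100 interface=ether1 vlan-id=100 use-service-tag=yes
add name=svlan200 interface=ether1 vlan-id=200 use-service-tag=yes
# Inner (customer) tags: 802.1Q, EtherType 0x8100, stacked on top of the matching s-vlan
add name=cvlan100-10 interface=svlan100 vlan-id=10 use-service-tag=no
add name=cvlan100-20 interface=svlan100 vlan-id=20 use-service-tag=no
add name=cvlan200-10 interface=svlan200 vlan-id=10 use-service-tag=no
# Verify the chain and tag types before putting traffic on it
/interface vlan print detail
# Confirm on the wire that the outer tag is 0x88a8 and the inner one 0x8100
/tool sniffer quick interface=ether1
```

If the provider side expects 0x8100 on the outer tag as well (plain Q-in-Q), set use-service-tag=no on the s-vlans too; the mismatch shows up as silently dropped frames rather than an error.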
> Because you can't fast track and actually have to route and use encryption, for what you asked

But the configuration shows neither: fasttracking cannot speed up anything as the firewall is not there at all, and encryption is not used either.

> OP says phase 2 SA lifetime is 8h. Why would it rekey after just 30 minutes at all?

I haven't read carefully enough.

> If you use ipsec and need to access local resources, then set the Proxy-arp option for the Bridge interface.

This is only relevant when you assign to your VPN clients addresses which fit into your LAN subnets. That's not the case here.

> Just a question, why not 192.168.0.0/22 but must be /16?

It was just an example in the absence of information about your overall network topology. If all your subnets which are not reachable via the WANs fit into 192.168.0.0/22, that one is of course sufficient.