Community discussions

Search found 6914 matches
by sindy
Sat Mar 06, 2021 12:31 am
Forum: General
Topic: can't see route(s)/address for ipv6/slaac
Replies: 7
Views: 206

Re: can't see route(s)/address for ipv6/slaac

When the Mikrotik itself acquires its own global IPv6 address using SLAAC, it does not show it. A default IPv6 route may not show as dst-address=::/0 , it may show as dst-address=2000::/3 and the gateway may be a link-local address. Or maybe it doesn't show at all in SLAAC case, can't check right no...
by sindy
Sat Mar 06, 2021 12:16 am
Forum: General
Topic: Debug slow L2TP/IPsec
Replies: 20
Views: 728

Re: Debug slow L2TP/IPsec

Stupid question, is it possible that the traffic to/from that single PC takes some other path than the L2TP/IPsec one? I.e. when you ping it from the remote site and run /tool sniffer quick interface=<l2tp-STUDENCI> ip-address=ip.of.that.pc , can you see both the ping requests and the responses?
by sindy
Sat Mar 06, 2021 12:06 am
Forum: General
Topic: Routing Problem
Replies: 3
Views: 181

Re: Routing Problem

Better show the complete configuration export. It may be the firewall, it may be the IPsec policies, it may be missing routes. Check my signature below regarding non-destructive anonymisation.
by sindy
Fri Mar 05, 2021 11:44 pm
Forum: General
Topic: VPN IKEv2 transfer large files issue
Replies: 1
Views: 92

Re: VPN IKEv2 transfer large files issue

What is your /ip ipsec proposal setting? Any other setting of the pfs item than none is not compatible with the default IKEv2 settings of the embedded VPN client of Windows. So I suppose the 200 Mbytes are equivalent to 25-30 minutes, which is the interval after which the security association gets r...
by sindy
Fri Mar 05, 2021 11:36 pm
Forum: General
Topic: ASK [rule over mangle]
Replies: 3
Views: 152

Re: ASK [rule over mangle]

Sorry, I did not understand from any of your two posts what you want to achieve and what is not working the way you expect. There is a bit of confusion since the routing-mark and the name of the routing table are the same thing, but the parameters of /ip route rule rows use both routing-mark and tab...
by sindy
Fri Mar 05, 2021 2:17 pm
Forum: General
Topic: VPN IPsec - phase1 negotiation failed due to send error
Replies: 9
Views: 375

Re: VPN IPsec - phase1 negotiation failed due to send error

@evince's suggestion is a good shot because it is the most frequent cause of the symptom "can ping the router itself via the tunnel but nothing in its LAN", but here, the pool of addresses assigned to PPP clients does not overlap with the LAN subnet, so setting arp=proxy-arp on the bridge ...
by sindy
Fri Mar 05, 2021 1:10 pm
Forum: General
Topic: DHCP/BOOTPS Broadcast [SOLVED]
Replies: 14
Views: 630

Re: DHCP/BOOTPS Broadcast [SOLVED]

That's why posting complete configuration exports is always recommended. The "detect internet" function causes many different surprises, but as I find nothing useful in it (like other users on this forum), I constantly forget about its existence. So if I could spot it in the configuration ...
by sindy
Fri Mar 05, 2021 1:06 pm
Forum: General
Topic: VPN IPsec - phase1 negotiation failed due to send error
Replies: 9
Views: 375

Re: VPN IPsec - phase1 negotiation failed due to send error

Now I can connect from outside (session establishes fine) but I can't ping other IPs in my network I have "Request time out" The only IP which I can ping is 192.168.0.1 and 172.16.0.1 The above is true when you ping the LAN devices from the Mikrotik itself or when you try to ping them fro...
by sindy
Fri Mar 05, 2021 1:02 pm
Forum: General
Topic: Debug slow L2TP/IPsec
Replies: 20
Views: 728

Re: Debug slow L2TP/IPsec

You can flush the "installed SA", but that changes nothing - first, they are short-lived (a rekey takes place every 30 minutes by default, and it actually means a creation of a new SA, a switchover to it, and removal of the old one), and second, all the differences between the two remote de...
by sindy
Fri Mar 05, 2021 12:12 am
Forum: General
Topic: Need to power cycle after loss of WAN connection
Replies: 8
Views: 359

Re: Need to power cycle after loss of WAN connection

You should not need a reboot, it should be sufficient to disable the ethernet interface connected to the modem when netwatch detects loss of internet access, and re-enable it again in 10 seconds or so. So instead of watchdog, I'd use netwatch: /tool netwatch add down-script="/interface ethe...
by sindy
Thu Mar 04, 2021 11:09 pm
Forum: General
Topic: Debug slow L2TP/IPsec
Replies: 20
Views: 728

Re: Debug slow L2TP/IPsec

No idea... Especially as against the test pc the speed depends on use of IPsec.
by sindy
Thu Mar 04, 2021 5:19 pm
Forum: General
Topic: Debug slow L2TP/IPsec
Replies: 20
Views: 728

Re: Debug slow L2TP/IPsec

In general, you download the older .npk package (or set of packages if you don't use the bundle) to the router using /tool fetch or upload it there using Winbox, WebFig, or sftp client like WinSCP. Then, run /system package downgrade and confirm the reboot. But in this case, switching the channel fr...
by sindy
Thu Mar 04, 2021 5:01 pm
Forum: General
Topic: Debug slow L2TP/IPsec
Replies: 20
Views: 728

Re: Debug slow L2TP/IPsec

Would you mind moving to 6.48.1 (or to 6.47.9)? The 6.48 seems to be one of the worse ones. And yes, your test indicates clearly that IPsec is responsible, the question is how exactly. Regarding that action=accept dst-port=1701 ... rule - given the overall setup of your firewall, adding ipsec-policy...
by sindy
Thu Mar 04, 2021 4:35 pm
Forum: General
Topic: VPN IPsec - phase1 negotiation failed due to send error
Replies: 9
Views: 375

Re: VPN IPsec - phase1 negotiation failed due to send error

The whole problem is that the use of policy routing for packets generated by the router itself is a bit counter-intuitive. When some process running on the router itself sends a packet, the first step is to find a route for that packet using routing table main , which consists of routes with no rout...
by sindy
Thu Mar 04, 2021 3:13 pm
Forum: General
Topic: Debug slow L2TP/IPsec
Replies: 20
Views: 728

Re: Debug slow L2TP/IPsec

Is the H (hardware encryption) indicator shown at server side in /ip ipsec installed-sa print output? Also, I'm afraid the 300 kBit/s Tx indicated in the /interface monitor <l2tp-STUDENCI> output suggests that the stream from the iperf gets throttled before reaching the L2TP processing, as that <l2t...
by sindy
Thu Mar 04, 2021 3:04 pm
Forum: General
Topic: Reset and load a custom save.rsc file
Replies: 1
Views: 115

Re: Reset and load a custom save.rsc file

15 seconds of delay may not be enough, 60s or 1m should be safe. But more important, this typically happens if there is a mistake in the .rsc file. I know it sounds strange, but I've seen cases where some configuration was allowed in one RouterOS version, and later it stopped being accepted, but sur...
by sindy
Thu Mar 04, 2021 2:51 pm
Forum: General
Topic: Debug slow L2TP/IPsec
Replies: 20
Views: 728

Re: Debug slow L2TP/IPsec

Does the iperf run in TCP or UDP mode? What is the round-trip delay of ping through the tunnel?
by sindy
Thu Mar 04, 2021 2:18 pm
Forum: General
Topic: VPN IPsec - phase1 negotiation failed due to send error
Replies: 9
Views: 375

Re: VPN IPsec - phase1 negotiation failed due to send error

So the Mikrotik with the PCC configuration acts as an L2TP server, is that correct?

Can you post the complete export of your configuration, after a "non-destructive anonymisation" as suggested in my automatic signature below?
by sindy
Thu Mar 04, 2021 2:09 pm
Forum: General
Topic: Debug slow L2TP/IPsec
Replies: 20
Views: 728

Re: Debug slow L2TP/IPsec

Under what conditions do you test the throughput? I remember you use L2 tunneling, maybe some L2 flood consumes the bandwidth of the tunnel?

What does /interface monitor l2tp-interface-name show when you send no test traffic, and when you do?
by sindy
Thu Mar 04, 2021 2:02 pm
Forum: General
Topic: SBC and Mikrotik help
Replies: 1
Views: 102

Re: SBC and Mikrotik help

A short guide would be "place an action=accept dst-address-list=somename rule at the proper position in chain forward of your /ip firewall filter , and then add as many list=somename address=x.x.x.x items as needed under /ip firewall address-list . The same address list would be used as src-add...
by sindy
Thu Mar 04, 2021 1:18 pm
Forum: General
Topic: Can't access my router 50-7B-9D-66-03-B4
Replies: 1
Views: 79

Re: Can't access my router 50-7B-9D-66-03-B4

You mention IP address (and a web browser expects an IP address or a domain name), but you've posted a MAC address in the subject of the topic. If you do enter the actual IP address of the router to the browser, it is possible that the firewall rules or other settings on the router make it reject th...
by sindy
Thu Mar 04, 2021 12:51 pm
Forum: General
Topic: Genieacs + Letsencrypt Cert = Handshake error on Mikrotik TR069? [SOLVED]
Replies: 4
Views: 575

Re: Genieacs + Letsencrypt Cert = Handshake error on Mikrotik TR069? [SOLVED]

What happens after that date, a new certificate is issued? Yes, the idea of Let's Encrypt is that the certificate is short-lived, and quite a long time before its expiry, the certificate holder applies for a new one, gets verified again, and a new certificate gets signed. All this is automatic on L...
by sindy
Thu Mar 04, 2021 12:45 pm
Forum: General
Topic: password getting reset automatically!
Replies: 2
Views: 194

Re: password getting reset automatically!

  • create a supout.rif file
  • export (not backup!) the configuration to a file, and download that file to some external machine
  • netinstall the device with 6.48.1
  • check whether the issue continues
  • if yes, netinstall it again with 6.47.9; if the issue is still there, raise a warranty claim for the device...
by sindy
Thu Mar 04, 2021 9:46 am
Forum: General
Topic: Omnitik AC PoE injector voltage
Replies: 4
Views: 238

Re: Omnitik AC PoE injector voltage

Both injectors are fully passive, so the lower limit of their voltage range has nothing to do with the injectors themselves. The Ethernet cables are thin, so with ones several tens of meters long, which are typically used when the radio units are on a tower and the power source is at ground level, a...
by sindy
Thu Mar 04, 2021 9:19 am
Forum: General
Topic: Secure Road Warrior VPN in 6.48
Replies: 10
Views: 524

Re: Secure Road Warrior VPN in 6.48

Some people are scared of certificates, while you have to use certificates to make IKEv2 work on Windows and in Strongswan. The stock VPN client of Android reportedly supports PSK as well, but I cannot check that myself. Other than that, IKEv2 provides no virtual interface, so IPsec policies are us...
by sindy
Thu Mar 04, 2021 9:08 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 12
Views: 634

Re: CRS317-1G-16S+ High CPU lead to drop packet

The channel profile aggregates various parameters related to radio characteristics of the interface. But permitted frequency channels as well as their Tx power limits differ country by country, and for some reason I don't understand, the country choice itself is a parameter of the configuration prof...
by sindy
Wed Mar 03, 2021 11:34 pm
Forum: General
Topic: L2TP VPN can not connect on Windows 10
Replies: 17
Views: 11637

Re: L2TP VPN can not connect on Windows 10

I have the same issue, but only with some devices. What's "the same" in particular? Is your L2TP/IPsec server running on Mikrotik which doesn't have a public IP on itself and it is connected to the internet via some external NAT device with port forwarding? If yes, I suggest the trick I'v...
by sindy
Wed Mar 03, 2021 11:10 pm
Forum: General
Topic: find and reroute high bandwidth connection through other WAN
Replies: 2
Views: 149

Re: find and reroute high bandwidth connection through other WAN

There is a connection-rate match condition, which matches if the current connection rate in bits per second fits into a specified from-to range; the maximum value that can be expressed is 4Gbit/s. So what you could do is to add the destination address of a high-bandwidth connection to an address-lis...
by sindy
Wed Mar 03, 2021 9:30 pm
Forum: General
Topic: Secure Road Warrior VPN in 6.48
Replies: 10
Views: 524

Re: Secure Road Warrior VPN in 6.48

Are you saying you had a working L2TP/IPsec setup and it stopped working due to upgrade to 6.48? Other than that, this is still the only VPN to support both Windows and older versions of Android; if all your Android devices are new enough to support IKEv2 in the stock VPN client, or if you don't mind...
by sindy
Wed Mar 03, 2021 3:49 pm
Forum: General
Topic: Cannot block traffic Across subnets
Replies: 9
Views: 343

Re: Cannot block traffic Across subnets

I am new to Mikrotik but not networking. This may be the biggest source of the trouble, as the firewall philosophy on Mikrotik is the Linux iptables' one, which is quite different from the philosophy of Cisco ip access list matching. First, in IOS, the access list rules are typically bound to an in...
by sindy
Wed Mar 03, 2021 1:16 pm
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 12
Views: 634

Re: CRS317-1G-16S+ High CPU lead to drop packet

Just in case - if you configure just some APs into local forwarding mode, you have to use a dedicated /caps-man datapath row for them. You can see the bytes/packets Tx/Rx per client in CAPsMAN -> Registration Table in Winbox, or using caps-man registration-table print stats on command line. Jus...
by sindy
Wed Mar 03, 2021 1:01 pm
Forum: General
Topic: "Running out of disk space" message since upgrade to RouterOS 6.48.1 [SOLVED]
Replies: 4
Views: 278

Re: "Running out of disk space" message since upgrade to RouterOS 6.48.1 [SOLVED]

The user manager was installed prior to upgrading the device. I will remove it, it should save around 1MB. If you don't need it, removing it will save more space, as its database can be removed from the disk too, it takes some 80 MB there. the system npk alone is > 8 Mo (compressed), not counting a...
by sindy
Wed Mar 03, 2021 11:30 am
Forum: General
Topic: "Running out of disk space" message since upgrade to RouterOS 6.48.1 [SOLVED]
Replies: 4
Views: 278

Re: "Running out of disk space" message since upgrade to RouterOS 6.48.1 [SOLVED]

Do you actually use the User Manager (UM) or it has become active after the upgrade to 6.48.1? Can you remember what was the disk space occupation before the upgrade? I could imagine the warning is the only actual change between the old and new version, i.e. that the disk occupation was about the sa...
by sindy
Wed Mar 03, 2021 10:54 am
Forum: General
Topic: Firewall Filtering ICMP Packet to many destination
Replies: 1
Views: 170

Re: Firewall Filtering ICMP Packet to many destination

Chain input handles packets for the router itself, so this rule doesn't match on packets being forwarded from one interface to another. And in chain forward , there are currently only accept rules, but no drop one; since accept is the default handling (for packets not matching any of the rules in th...
by sindy
Wed Mar 03, 2021 10:24 am
Forum: General
Topic: LTE operator problem?
Replies: 12
Views: 701

Re: LTE operator problem?

the command / system health print or / system health set (they do not work for my LHG LTE6 kit-MIPSBE) This command only reports temperature, power supply voltage etc. on higher grade models, which support measurement of these values in hardware. It says nothing about hardware failures (like memory...
by sindy
Tue Mar 02, 2021 9:54 pm
Forum: General
Topic: LTE operator problem?
Replies: 12
Views: 701

Re: LTE operator problem?

Unfortunately it's hard to judge whether it is a single-piece hardware fault of your LTE modem or a firmware bug. The fact that the operator name changes into a 6-digit number means something is terribly wrong, because the number would have to be a 5-digit one if it was just a minor issue of not tra...
by sindy
Tue Mar 02, 2021 9:35 pm
Forum: General
Topic: Please help with weird configuration
Replies: 5
Views: 275

Re: Please help with weird configuration

I'm ''old school'', ... I posted partial config, only to discuss this peculiar config where LAN and WAN are on same interface... The CPU is still expensive, no doubt about that. So use a single rule action=accept connection-state=established,related rather than one rule per connection-state - this ...
by sindy
Tue Mar 02, 2021 9:27 pm
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 12
Views: 634

Re: CRS317-1G-16S+ High CPU lead to drop packet

OK, so first on each CAP, use just /interface bridge vlan add bridge=Bridge tagged=ether1 vlan-ids=20 to permit VLAN 20 tagged on ether1, and /interface wireless cap set bridge=Bridge to define to which local bridge the local wireless interfaces under CAPsMAN control will be connected once switched ...
by sindy
Tue Mar 02, 2021 3:14 pm
Forum: General
Topic: Please help with weird configuration
Replies: 5
Views: 275

Re: Please help with weird configuration

the NAT rules seem fine to me, they properly match on src-address and dst-address rather than out-interface . The dst-nat rule doesn't check from where the request comes, but it does not seem harmful in the context (or maybe vice versa, more is missing if you want to access the service running at 1...
by sindy
Tue Mar 02, 2021 2:28 pm
Forum: General
Topic: ASK [vpls PW]
Replies: 8
Views: 365

Re: ASK [vpls PW]

Sorry, I can't get what you're saying Let's put it in other words. "pseudowire" is a name of one possible way how payload data are encapsulated into MPLS transport packets; the "pseudowire" encapsulation in particular emulates a behaviour of a "wire" (Ethernet cable...
by sindy
Tue Mar 02, 2021 1:58 pm
Forum: General
Topic: IPSec Site to Site tunnel after netmap subnet does not work
Replies: 3
Views: 186

Re: IPSec Site to Site tunnel after netmap subnet does not work

The only thing to come to my mind is that the NAT rules you've added affect the IPsec IKE packets, so they arrive to the 4011 from an unexpected address. So follow the suggestion in my automatic signature below when these rules are in place. Also, the rules you've posted seem to do something else th...
by sindy
Tue Mar 02, 2021 10:22 am
Forum: General
Topic: IPv6 firewall rule for new connections from WAN
Replies: 2
Views: 197

Re: IPv6 firewall rule for new connections from WAN

The explanation could be loose-tcp-tracking set to yes , which basically switches off the analysis of TCP flags in order to lower the CPU consumption by connection tracking. This item can be set to no under /ip firewall connection tracking . While there is no such section in the /ipv6 firewall confi...
by sindy
Tue Mar 02, 2021 10:05 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 12
Views: 634

Re: CRS317-1G-16S+ High CPU lead to drop packet

"So with a CRS as the controller you should be using CAPsMAN local forwarding so the hAP ac2 WLAN - ethernet traffic is handled in the hAP." Do you have any guide for that please share to me. The guide is as follows: on each CAP: make sure that a VLAN for each SSID you use on a given CAP ...
by sindy
Mon Mar 01, 2021 7:49 pm
Forum: General
Topic: Bridge & Routing [SOLVED]
Replies: 2
Views: 242

Re: Bridge & Routing [SOLVED]

In general, a switch only needs an IP address on its management interface. There is no need for a switch or bridge to have an IP address in every VLAN, as there is no IP traffic a user device connected using that switch to that VLAN should exchange with the switch itself. Routing is done by the routers...
by sindy
Mon Mar 01, 2021 7:42 pm
Forum: General
Topic: Port Forwarding Not Working but Shows Packets
Replies: 20
Views: 4756

Re: Port Forwarding Not Working but Shows Packets

I have read several blogs, forum posts, etc, and I find strange that nobody had given this tip so far: add chain=forward action=accept comment="Allow port forwarding" / in-interface=ether1 connection-state=new connect-nat-state=dstnat The reason might be that a similar rule has been prese...
by sindy
Mon Mar 01, 2021 6:36 pm
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 12
Views: 634

Re: CRS317-1G-16S+ High CPU lead to drop packet

The /tool profile doesn't suggest that CAPsMAN is the biggest CPU hog. The 32 % CPU spent on ethernet would bother me much more. So I'd assume that there is either a lot of inter-VLAN traffic routed by the 317, or hardware L2 forwarding has been disabled by mistake. EDIT: indeed the Ethernet traffic...
by sindy
Mon Mar 01, 2021 6:06 pm
Forum: General
Topic: Winbox to remote router over L2TP/IPsec [SOLVED]
Replies: 12
Views: 457

Re: Winbox to remote router over L2TP/IPsec [SOLVED]

I am on 6.48. Attached my ipsec policy printscreen - if I am following you correctly. Lovely, I didn't remember it correctly and made some additional mistakes. The release notes for 6.47 actually state: *) ipsec - place dynamically created IPsec policies by L2TP client at the begining of the table;...
by sindy
Mon Mar 01, 2021 5:37 pm
Forum: General
Topic: Slow VPN tunnels (SSL, PPTP, L2TP)
Replies: 49
Views: 54049

Re: Slow VPN tunnels (SSL, PPTP, L2TP)

I would also tick the "yes" radio button under the "Only One" option in PPP-> PROFILE -> LIMITS. My understanding is that this workaround -- the way that I've got it scripted -- is only going to be compatible with one active connection at a time PER USER. Yes, the generated name...
by sindy
Mon Mar 01, 2021 3:22 pm
Forum: General
Topic: Winbox to remote router over L2TP/IPsec [SOLVED]
Replies: 12
Views: 457

Re: Winbox to remote router over L2TP/IPsec [SOLVED]

You mean top? My dynamic policy is placed at the top, above template.
I mean bottom, and I did the test on 6.47.8, and the respective release notes mentioned bottom as well. So maybe you use a different version?

Are these "two processes" so independent?
Yes.
by sindy
Mon Mar 01, 2021 2:57 pm
Forum: General
Topic: Winbox to remote router over L2TP/IPsec [SOLVED]
Replies: 12
Views: 457

Re: Winbox to remote router over L2TP/IPsec [SOLVED]

The sad reality is that use-ipsec=required only prevents the incoming L2TP connection from being accepted if the initial L2TP request doesn't arrive encrypted via an IPsec SA. But if the IPsec session breaks later, the L2TP session happily continues. EDIT: Until recently, the IPsec policy created dy...
by sindy
Mon Mar 01, 2021 1:53 pm
Forum: General
Topic: Winbox to remote router over L2TP/IPsec [SOLVED]
Replies: 12
Views: 457

Re: Winbox to remote router over L2TP/IPsec [SOLVED]

The first one sounds good to me - "set and forget". If I remove remote site I don't have to worry about any other setting.
That's why I've suggested it as the first option.
by sindy
Mon Mar 01, 2021 1:50 pm
Forum: General
Topic: Add cooling fan to CRS-326-24P-2S+ ?
Replies: 50
Views: 2475

Re: Add cooling fan to CRS-326-24P-2S+ ?

if the main board can run with a 12V power supply and we do that are we not just adding more heat to the whole board because lower voltage = higher amperage? Or perhaps that is not significant enough to create more heat. The heat is the dissipated power, and power is a product of voltage and curren...
by sindy
Mon Mar 01, 2021 1:35 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 100
Views: 19245

Re: LLDP-MED behavior

  • bridge forwards LLDP frames
Just to be clear - is this true also when protocol-mode differs from none on that bridge?
by sindy
Mon Mar 01, 2021 1:32 pm
Forum: General
Topic: Winbox to remote router over L2TP/IPsec [SOLVED]
Replies: 12
Views: 457

Re: Winbox to remote router over L2TP/IPsec [SOLVED]

Yes. The setting is only taken into account when the L2TP connection establishes.
by sindy
Mon Mar 01, 2021 1:17 pm
Forum: General
Topic: When should/need I use IPsec policy templates? [SOLVED]
Replies: 1
Views: 110

Re: When should/need I use IPsec policy templates? [SOLVED]

Whenever you don't know in advance the IP address of the remote peer or the traffic selectors at local and remote side. I.e. at the responder it is necessary if the remote peer is a road warrior and/or you assign it an address dynamically using mode-config, and of course at such road warrior peer it...
by sindy
Mon Mar 01, 2021 1:12 pm
Forum: General
Topic: Winbox to remote router over L2TP/IPsec [SOLVED]
Replies: 12
Views: 457

Re: Winbox to remote router over L2TP/IPsec [SOLVED]

On the /ppp profile row used by the /interface l2tp-client row at the client device, and on the /ppp profile row used by the /interface l2tp-server server or the /ppp secret row on the server device, have you set interface-list=BASE ? If not, the rules in chain input of /ip firewall filter at each d...
by sindy
Sun Feb 28, 2021 10:53 pm
Forum: General
Topic: hEX PoE // Powersupply
Replies: 13
Views: 2025

Re: hEX PoE // Powersupply

Both PoE port leds are RED - is this normal - don't know!
The Quick Guide says:

Once PowerOutput is enabled in RouterOS, the Ethernet LED adds red color to it (green means Ethernet link is made, red means power but no link, red and green both means there is link and power).
by sindy
Sun Feb 28, 2021 8:14 pm
Forum: General
Topic: How to create L2TP split tunneling profile?
Replies: 1
Views: 125

Re: How to create L2TP split tunneling profile?

RouterOS does not push routes to L2TP clients. If you insist on L2TP, you have to set up static routes on the clients. For IKEv2 clients, RouterOS sends the routing table using DHCPINFORM with Option 249 to Windows, and negotiates policies with iOS devices and with Strongswan, but just a single poli...
by sindy
Sun Feb 28, 2021 5:22 pm
Forum: General
Topic: VLAN problem on CRS326-24S+2Q+
Replies: 5
Views: 381

Re: VLAN problem on CRS326-24S+2Q+

OK, so as none of the IP addresses in question is assigned to any of the CRS, there is no need to have the VLAN enabled on the internal port of the bridge, and the issue is a pure L2 one. So when MSTP is on, what does /interface bridge port monitor [find where interface~" sfpplus2[34]"] sh...
by sindy
Sun Feb 28, 2021 4:41 pm
Forum: General
Topic: Cloud-Service with ipv6
Replies: 2
Views: 185

Re: Cloud-Service with ipv6

There is currently an issue with /ip cloud on IPv6 . Add an ipv6 firewall rule: /ipv6 firewall mangle add action=add-src-to-address-list address-list=my-ipv6-address chain=output out-interface=your-wan-interface-name (if you eventually already have some rules in chain output of /ipv6 firewall mangle...
by sindy
Sun Feb 28, 2021 11:10 am
Forum: General
Topic: Cannot ping IPv6 MikroTik Cloud
Replies: 7
Views: 449

Re: Cannot ping IPv6 MikroTik Cloud

First, please don't quote complete posts, especially if you react to a directly preceding one. There is no need to do so, this is not an e-mail message, the complete history of the conversation is always shown in the same window here. Second, what I wanted to say by my post is that it is easy to fin...
by sindy
Sun Feb 28, 2021 10:57 am
Forum: General
Topic: router under attack on L2TP tunnel?
Replies: 2
Views: 215

Re: router under attack on L2TP tunnel?

The source IP resolves to https://www.arbor-observatory.com/, which declares itself as a security research organization. So it is a warning for you, highlighting that your L2TP server is open to the whole internet without IPsec encryption, intentionally or unintentionally, and the only barrier betwe...
by sindy
Sun Feb 28, 2021 9:29 am
Forum: General
Topic: Cannot ping IPv6 MikroTik Cloud
Replies: 7
Views: 449

Re: Cannot ping IPv6 MikroTik Cloud

There's an easy way to find out whether it is a firewall issue (even if the firewall was so selective that it would restrict access to cloud2.mikrotik.com but not to forum.mikrotik.com ): use /tool traceroute . If it shows no response at all, your own firewall or routing is to be blamed (or your ISP...
by sindy
Sun Feb 28, 2021 8:18 am
Forum: General
Topic: Slow VPN tunnels (SSL, PPTP, L2TP)
Replies: 49
Views: 54049

Re: Slow VPN tunnels (SSL, PPTP, L2TP)

To disable fasttracking, it is enough to disable (or remove) a firewall rule action=fasttrack-connection ... in chain forward of /ip firewall filter (or all such rules in the unlikely case that you've got more than one). If a packet matches this rule, fasttracking of the connection the packet is a p...
by sindy
Sat Feb 27, 2021 10:35 pm
Forum: General
Topic: Email notification not working
Replies: 7
Views: 403

Re: Email notification not working

amended my initial post after playing around.
The manual says that if tls-only is used, the port setting is overridden. So strictly speaking it works on port 465 as expected, not on port 25.
by sindy
Sat Feb 27, 2021 9:58 pm
Forum: General
Topic: Email notification not working
Replies: 7
Views: 403

Re: Email notification not working

I think the issue is because in MY ISP instructions they talk about SSL encryption on outgoing port 465 whereas the MT only offers TLS?? There's unfortunately a terrible mess in terms. First, TLS is an evolution of SSL, and the actual (old) SSL should be deprecated everywhere, but people tend to sti...
by sindy
Sat Feb 27, 2021 9:16 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 18
Views: 850

Re: Automatically update ipsec peer addresses from script

I'm trying to add policy groups for each initiator. I'm having problems with specifying the different profiles. You wrote this: "You can use it to assign all Phase 2 and many Phase 1 properties individually for each initiator." Bad wording on my side. When mentioning "many Phase 1 pr...
by sindy
Sat Feb 27, 2021 5:20 pm
Forum: General
Topic: VLAN problem on CRS326-24S+2Q+
Replies: 5
Views: 381

Re: VLAN problem on CRS326-24S+2Q+

Yes, I was referring to the /interface bridge vlan configuration, but you haven't answered my indirect question, so I repeat it directly: Are the IP addresses 10.10.100.x assigned to VLAN interfaces with vlan-id=30? If yes, the output of /interface bridge vlan print has to read # BRIDGE VLAN-IDS CUR...
by sindy
Sat Feb 27, 2021 5:06 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 18
Views: 850

Re: Automatically update ipsec peer addresses from script

I'm not sure it is a simpler way, but it seems to be the intended way: at the responder (server), for each remote initiator (client), create an individual row in /ip ipsec policy group : /ip ipsec policy group add name=branch01-group add name=branch02-group for each remote initiator, create an indiv...
by sindy
Sat Feb 27, 2021 1:51 pm
Forum: General
Topic: EOIP TCP problem
Replies: 17
Views: 2139

Re: EOIP TCP problem

Looking at a PPP MultiLink configuration, it seems to be built to aggregate over two or more devices. Not only. It splits the payload packet into multiple transport ones, and it can use the same link to transport both/all of them, providing a hidden fragmentation of the payload, hence payload proto...
by sindy
Sat Feb 27, 2021 11:37 am
Forum: General
Topic: EOIP TCP problem
Replies: 17
Views: 2139

Re: EOIP TCP problem

mlp can transport the full size of packet instead tcp mss clamping on L4 Can you explain why hidden fragmentation of 1500-byte TCP packets (i.e. 2 PPP packets per each payload one) should provide a better TCP throughput than transmission of 1462-byte TCP packets using one PPP packet per each payloa...
by sindy
Sat Feb 27, 2021 9:03 am
Forum: General
Topic: VLAN problem on CRS326-24S+2Q+
Replies: 5
Views: 381

Re: VLAN problem on CRS326-24S+2Q+

You forgot to post the configuration exports from both devices, but here's my wild guess until you fix that: you mention "vlan 30" and "ping between devices", which hints that you have an /interface vlan row with vlan-id=30 interface=bridge and the IP address 10.10.100.x/25 is at...
by sindy
Fri Feb 26, 2021 1:15 pm
Forum: General
Topic: PTZ controller overloaded with data?
Replies: 6
Views: 317

Re: PTZ controller overloaded with data?

My two cents: /ip neighbor discovery-settings set discover-interface-list= none Given that the largest volumes of data in the network should be the video streams, I'd assume there's rather some kind of packets the keyboard doesn't know how to handle, which may cause an overflow of some buffer despit...
by sindy
Fri Feb 26, 2021 11:54 am
Forum: General
Topic: DHCP/BOOTPS Broadcast [SOLVED]
Replies: 14
Views: 630

Re: DHCP/BOOTPS Broadcast [SOLVED]

So I attached for your review. Hope you can help... On the second screenshot, closer to the bottom, there is Option 61 - Client identifier. It says "Hardware type: ethernet, Client MAC address: Routerbo...". Plus slightly above, there is Option 55 - Parameter Request List, which contains ...
by sindy
Fri Feb 26, 2021 11:12 am
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 18
Views: 850

Re: Automatically update ipsec peer addresses from script

Ah, sorry, I didn't realize the problem is the comparison, not the update. The fastest solution is $good in $old ; here, the first parameter ( $good ) may be an IP address or a prefix, and the second one ( $old ) is always a prefix ( 192.168.0.0 in 192.168.0.0/32 returns true , whereas 192.168.0.0 i...
by sindy
Thu Feb 25, 2021 10:56 pm
Forum: General
Topic: Configure RB750Gr3 WAN ISP Switch
Replies: 1
Views: 139

Re: Configure RB750Gr3 WAN ISP Switch

I'm not sure I understand what you wrote precisely, but there is no reason why you should need to put another router between your Mikrotik and the new ASR. You can use one Ethernet port of your Mikrotik to connect to the VDSL modem as a PPPoE client as it was until now, and another Ethernet port of ...
by sindy
Thu Feb 25, 2021 10:14 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 18
Views: 850

Re: Automatically update ipsec peer addresses from script

The /32 is not a problem, it is added automatically if you set the address to just 1.2.3.4 . I didn't know that address=fqdn cannot be used for passive=yes peers, I haven't come across such an application case, can you detail why you need to identify the initiator by the source IP address tracked by...
by sindy
Thu Feb 25, 2021 9:24 pm
Forum: General
Topic: Cannot Use Multiple IPs
Replies: 10
Views: 491

Re: Cannot Use Multiple IPs

It may or may not. If both the suspected /30 subnets are on the same device at ISP side, the traceroute from outside to both will show the address of the internet-facing interface of that device for both target subnets.
by sindy
Thu Feb 25, 2021 9:20 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 18
Views: 850

Re: Automatically update ipsec peer addresses from script

It's a mistake in the release notes. It's just address, not remote-address.
by sindy
Thu Feb 25, 2021 7:43 pm
Forum: General
Topic: Slow VPN tunnels (SSL, PPTP, L2TP)
Replies: 49
Views: 54049

Re: Slow VPN tunnels (SSL, PPTP, L2TP)

That means you are using "fasttrack" in a situation where it cannot be used. Are you sure that adding a /queue tree item prevents the packets handled by the queue from getting fasttracked? Yes, sniffing does disable fasttracking, maybe torching does as well, but adding a queue? Plus there...
by sindy
Thu Feb 25, 2021 7:34 pm
Forum: General
Topic: DHCP/BOOTPS Broadcast [SOLVED]
Replies: 14
Views: 630

Re: DHCP/BOOTPS Broadcast [SOLVED]

Since the transaction ID is shown, dissection of the DHCP part must have succeeded at least partially although a malformed packet is reported, so open any of these packets in Wireshark (GUI) rather than tshark, unfold the DHCP dissection and find the client-id. No dhcp-relay configured on the machin...
by sindy
Thu Feb 25, 2021 7:26 pm
Forum: General
Topic: Cannot Use Multiple IPs
Replies: 10
Views: 491

Re: Cannot Use Multiple IPs

If you try to ping "internet" from your broadcast address it works! You've made me investigate :) The thing is I do remember a recent issue where a colleague has made a mistake when calculating the mask and has set a broadcast address as the own one on the Tik, and the Tik didn't respond...
by sindy
Thu Feb 25, 2021 6:18 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 18
Views: 850

Re: Automatically update ipsec peer addresses from script

@nescafe was faster :) It is even so that the connection stays up until it fails, and the fqdn gets re-resolved before a new connection attempt; there was a period of time (RouterOS releases) when the fqdn was being re-resolved every time the TTL of the previous response expired and the running IKE ...
by sindy
Thu Feb 25, 2021 5:49 pm
Forum: General
Topic: Cannot Use Multiple IPs
Replies: 10
Views: 491

Re: Cannot Use Multiple IPs

You say you've tried the addresses one by one with the PC but all 5 were configured simultaneously at the Tik. Can you try to configure just one of the malfunctioning ones on the Tik and try again, while sniffing at ether8? Make the command line window as wide as your screen allows. Then run /tool s...
by sindy
Thu Feb 25, 2021 1:44 pm
Forum: General
Topic: DHCP/BOOTPS Broadcast [SOLVED]
Replies: 14
Views: 630

Re: DHCP/BOOTPS Broadcast [SOLVED]

I can see there are multiple VLANs in use on that link, and some of the requests go also without a VLAN ID, so it seems as if there were multiple /ip dhcp-client items enabled on your device. So now we know that the requests are really leaving through sfp-sfpplus1 and with own address of the sending...
by sindy
Thu Feb 25, 2021 12:56 pm
Forum: General
Topic: DHCP/BOOTPS Broadcast [SOLVED]
Replies: 14
Views: 630

Re: DHCP/BOOTPS Broadcast [SOLVED]

Is 64:D1:54:XX:XX:XX the MAC address the IX peer claims? Is it one of own MAC addresses of your device on which you took the capture?
by sindy
Thu Feb 25, 2021 12:53 pm
Forum: General
Topic: Email notification not working
Replies: 7
Views: 403

Re: Email notification not working

It seems you connect to an IMAP server (normally used to receive/view received messages) instead of an SMTP server (used to send messages). Check the domain name and port, one or both are apparently wrong.
by sindy
Thu Feb 25, 2021 11:33 am
Forum: General
Topic: Brute-Force Rules have mac
Replies: 1
Views: 163

Re: Brute-Force Rules have mac

The whole thing is that unlike with the /interface list , where you have to add a named item under /interface list first to be able to refer to the list from firewall rules and to add /interface list member items, an address-list name need not be "declared" in advance - the firewall rule a...
by sindy
Thu Feb 25, 2021 10:50 am
Forum: General
Topic: Email notification not working
Replies: 7
Views: 403

Re: Email notification not working

/system logging add topics=e-mail /log print follow-only file=e-mail-start where topics~"mail" From another window, send the test e-mail, wait until it fails, and then break the /log print ... and read the e-mail-start.txt file (you'll probably have to download it to a PC as it will be to...
by sindy
Thu Feb 25, 2021 10:46 am
Forum: General
Topic: DHCP/BOOTPS Broadcast [SOLVED]
Replies: 14
Views: 630

Re: DHCP/BOOTPS Broadcast [SOLVED]

Do I understand you right that you have already checked on the device connected to the IX whether it really sends these packets (no matter from where they actually come)? /tool sniffer quick port=67 interface=the-interface-connected-to-ix Because you can only take an effective action at your end if ...
by sindy
Wed Feb 24, 2021 8:17 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

I don't understand well the config but now 192.168.6.0/24 network, uses 5.x.x.x for incoming and outcoming traffic. so all the traffic from 192.168.6.0/24 goes through the GRE tunnel. When you specify an IP address as a gateway of a route, the system searches through the network values of the /ip a...
by sindy
Wed Feb 24, 2021 3:55 pm
Forum: General
Topic: Dot1x PEAP rejected: no key for certificate found
Replies: 2
Views: 132

Re: Dot1x PEAP rejected: no key for certificate found

In more detail, there is a certificate signed by that CA certificate, which your Mikrotik receives from the switch. So to verify its validity, the CA certificate must be installed on the Mikrotik's certificate store, as a trusted CA. The Tik will not provide your credentials to a switch whose certif...
by sindy
Wed Feb 24, 2021 3:42 pm
Forum: General
Topic: Unable to Reach BGP Neighbour
Replies: 7
Views: 414

Re: Unable to Reach BGP Neighbour

As the BGP peer is Fortinet and you haven't shown its configuration, it is hard to judge anything (and no, I don't know enough about Fortigate to be able to help with its configuration). Don't use rich text formats for configuration files. A plain .txt is enough and the probability that you inadvert...
by sindy
Wed Feb 24, 2021 3:09 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

Make the command line window as wide as your screen allows, there is almost no information in the output of the /tool sniffer quick . But it does show that the connection request comes via gre and the responses leave via VLAN 20, so something doesn't work well about the connection marking and routin...
by sindy
Wed Feb 24, 2021 2:44 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

While trying to connect to the Winbox port, run /tool sniffer quick port=the-winbox-port on the Theatre-tik. It should show you what is going on, i.e. whether the firewall (or the address setting on the /ip service row) blocks the incoming request (so no response is sent at all) or whether the respo...
by sindy
Wed Feb 24, 2021 2:30 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

These two rules are exactly what I had in mind. Has it not made it possible to connect by Winbox to 5.x.x.x?
by sindy
Wed Feb 24, 2021 1:26 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

I'm still a bit lost. You do have dst-nat rules which forward some port ranges to 192.168.6.2, but all these rules match on in-interface=vlan20_MASMOVIL . So whatever arrives to 5.x.x.x lands on the Theatre-tik itself, and if the Theatre-tik responds, it responds via the 212.x.x.x address for the re...
by sindy
Wed Feb 24, 2021 1:09 pm
Forum: General
Topic: PVID for BGP VPLS interface on a bridge
Replies: 5
Views: 1366

Re: PVID for BGP VPLS interface on a bridge

I'm afraid it came to nobody's mind that a single bridge could host multiple customers' bgp-vpls tunnels and hence VLAN tag manipulation would be required on the port of the bridge to which the tunnel is connected, hence the pvid is not part of the /interface vpls bgp configuration. The designers pr...
by sindy
Wed Feb 24, 2021 12:31 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

the problem now is that towards output now I don't go by the IP address 5.x.x.x , I go by 212.x.x.x any idea?? If you talk about packets sent by the router itself (i.e. you refer to chain output), the routing-mark is only assigned in mangle/prerouting, which means that packets sent by the router it...
by sindy
Wed Feb 24, 2021 12:12 pm
Forum: General
Topic: Can a bonded network be limited to Level 3 network?
Replies: 1
Views: 131

Re: Can a bonded network be limited to Level 3 network?

I'd hesitate to call DHCP "L2", it's a regular IP protocol, except that part of the exchange uses broadcast addresses. So I'd say you need to attach the following ingress ACL rules to the trunk ports: drop frames carrying IP/UDP packets towards server port (67) accept frames carrying IP pa...
by sindy
Wed Feb 24, 2021 11:43 am
Forum: General
Topic: Omnitik 5 ac
Replies: 1
Views: 85

Re: Omnitik 5 ac

Nope. The only way to climb there without the laptop is to climb there with the PoE injector + extractor pair and a short patch cable in your pocket, connect the RJ-45 socket at the extractor to the installed cable and the plug to ether2, connect the RJ-45 socket at the injector to ether1 using the ...
by sindy
Wed Feb 24, 2021 11:28 am
Forum: General
Topic: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71
Replies: 10
Views: 474

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

If the IP address to which those DNS requests arrive is that router's own one, you cannot do more to mitigate that traffic - the router itself doesn't respond to any UDP DNS queries coming from anywhere else than 10.11.11.0/24. It is unlikely that the source addresses of these requests belong to the a...
by sindy
Tue Feb 23, 2021 10:22 pm
Forum: General
Topic: Unable to Reach BGP Neighbour
Replies: 7
Views: 414

Re: Unable to Reach BGP Neighbour

By the above you have responded to only one of the questions, now we know that the BGP communication is established. But you haven't posted the configurations, and you haven't looked into the routing tables of both devices to see whether the routes to the remote devices' LAN subnets appeared there (mar...
by sindy
Tue Feb 23, 2021 10:15 pm
Forum: General
Topic: how to route two isp on different routers?
Replies: 1
Views: 101

Re: how to route two isp on different routers?

You have to use policy routing at both Router 1 and Router 2. at Router 1, packets coming from 192.168.3.0/24 (or from ether4) must be handled by a dedicated routing table whose default gateway is Router 2's address in 192.168.10.0/24. at Router 2, packets from 192.168.3.0/24 must be handled by a de...
by sindy
Tue Feb 23, 2021 10:06 pm
Forum: General
Topic: Can ping put cannot to connect/telnet to port
Replies: 1
Views: 115

Re: Can ping put cannot to connect/telnet to port

First, this forum is not an interface of Mikrotik support, you can only get help from fellow users here. Next, if there is just one server where the problem exists, I'd start the search for the issue on that server first: maybe it has its own firewall, restricting access to telnet only to some so...
by sindy
Tue Feb 23, 2021 9:45 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

It seems to me that the support guy got lost in your network prefixes and maybe in the trouble description. As I wrote in post #5, you would only need the exception rule suggested by the support if you wanted to initiate connections from 192.168.178.0/24 to the Android client (whose address comes fro...
by sindy
Tue Feb 23, 2021 8:09 pm
Forum: General
Topic: How do I interconnect 3 DHCP Server
Replies: 4
Views: 304

Re: How do I interconnect 3 DHCP Server

OK, now as you've shown the export it became much clearer :) You assign a routing-mark to every packet sent from any LAN host to any destination, and the only route with that routing-mark is a default one, via one of the WANs. Hence even traffic whose destination is in your other LAN subnet takes on...
by sindy
Tue Feb 23, 2021 7:48 pm
Forum: General
Topic: Unable to Reach BGP Neighbour
Replies: 7
Views: 414

Re: Unable to Reach BGP Neighbour

Both your drawings give little clue on what is the actual issue you're dealing with. Can you provide the current configuration exports instead? Is the BGP connection between the routers established but the routing tables are not updated, or the BGP is not up at all, or the routing tables are updated...
by sindy
Tue Feb 23, 2021 7:44 pm
Forum: General
Topic: IPSec Connection: Data is not corretly "transmitted" trough policy
Replies: 3
Views: 248

Re: IPSec Connection: Data is not corretly "transmitted" trough policy

What is the share (percentage) of packets missed by the policy? Is fasttracking disabled?
by sindy
Tue Feb 23, 2021 6:26 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

in the DC-tik I only have this route: /ip route add comment="Ruta para mandar ip publica a TEATRO " distance=1 dst-address=5.x.x.x/32 gateway=172.20.100.202 The fact that the action=src-nat to-addresses=5.x.x.x comment="to ECONECTIA por GRE" ... rule at the Theatre-tik is suffic...
by sindy
Tue Feb 23, 2021 5:48 pm
Forum: General
Topic: Problem with L2/L3 Tunnel VLAN
Replies: 14
Views: 737

Re: Problem with L2/L3 Tunnel VLAN

I give it a 60 % chance. The issue itself is weird, so removal of unusual (as in "rarely used and therefore lacking any significant experience among the users") configuration is quite likely to help.
by sindy
Tue Feb 23, 2021 5:24 pm
Forum: General
Topic: PVID for BGP VPLS interface on a bridge
Replies: 5
Views: 1366

Re: PVID for BGP VPLS interface on a bridge

I'm afraid you have to open a ticket with support directly (via support@mikrotik.com or, better, via the servicedesk web interface). The statement regarding availability of direct support only within 14 days from purchase is there mostly to avoid hundreds of newbie questions per day; on the other ha...
by sindy
Tue Feb 23, 2021 5:06 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

In the Theatre-tik configuration, the default route for traffic sent from 192.168.6.0/24 is via the GRE tunnel (by means of action=mark-routing in mangle and having that routing-mark on the default route via the GRE tunnel). This may be a correct setup if devices in this whole subnet have to always ...
by sindy
Tue Feb 23, 2021 4:07 pm
Forum: General
Topic: Auto Throttle During Congestion
Replies: 14
Views: 712

Re: Auto Throttle During Congestion

Thanks for helping me out. I couldn't get it to work, for some reason, it only read the first if condition and action (in this case, it disable the queue). This looks to me as if the thresholds were not matching the actual speeds and it always seemed that no throttling is required. I have imported ...
by sindy
Tue Feb 23, 2021 2:14 pm
Forum: General
Topic: Loss of trafic for a few seconds every 20 minutes in a EoIP tunnel
Replies: 3
Views: 141

Re: Loss of trafic for a few seconds every 20 minutes in a EoIP tunnel

If keepalive affects the operation, it means that there is extensive packet loss on the path, causing multiple keepalive responses to be lost. If it is the case, there must be "interface down" and "interface up" messages in the log of at least one of the affected routers. Are the...
by sindy
Tue Feb 23, 2021 1:57 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

If you mind disclosing your public IPs (which I suppose you do as you've obfuscated them in your OP), edit your previous post and obfuscate them also in the export, as I've recommended before.

I'll have a look on the details later.
by sindy
Tue Feb 23, 2021 1:46 pm
Forum: General
Topic: block internet access but allow some sites - NOT WORKING
Replies: 7
Views: 394

Re: block internet access but allow some sites - NOT WORKING

Microsoft gear (and Android one as well) is checking internet availability by sending DNS queries and checking the response. So if these DNS queries do not get responded, it concludes internet is not accessible and doesn't even try to connect to the actual servers.
by sindy
Tue Feb 23, 2021 1:36 pm
Forum: General
Topic: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71
Replies: 10
Views: 474

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Someone is trying to use your Mikrotik as a DDoS traffic generator. Why they have chosen your public IP and whether they actually succeed is the question. If your Mikrotik does respond to DNS queries coming in via WAN, it means it can be used as a "smurf amplifier". The attacker sends a sm...
by sindy
Tue Feb 23, 2021 1:22 pm
Forum: General
Topic: Transporting public IP over a tunel GRE
Replies: 20
Views: 700

Re: Transporting public IP over a tunel GRE

Instead of random screenshots, post the complete configuration exports (from both Mikrotiks), anonymized as per the hint in my automatic signature below, each between [ code] and [ /code] tags. My assumption is that you dst-nat the incoming connections at the Mikrotik in the datacenter (DC-tik), but...
by sindy
Tue Feb 23, 2021 1:08 pm
Forum: General
Topic: prblem with l2tp/ipsec for 500 users in RB1100AHx4
Replies: 5
Views: 449

Re: prblem with l2tp/ipsec for 500 users in RB1100AHx4

All my clients is mikrotik router board that connect to main office with l2tp/ipsec. Great, so the pre-requisite that the clients never give up is met. I tested with ccr router and give same problem That's no surprise. The amount of data processing needed to establish a connection is high, and seve...
by sindy
Tue Feb 23, 2021 12:09 pm
Forum: General
Topic: Problem with L2/L3 Tunnel VLAN
Replies: 14
Views: 737

Re: Problem with L2/L3 Tunnel VLAN

Do you think this could have an impact on a production environment? I can disable it without risk? Those brief but therefore misleading names... What all those use-ip-firewall... items under /interface bridge settings do if enabled is that they push through the IP firewall also frames which would n...
by sindy
Tue Feb 23, 2021 11:30 am
Forum: General
Topic: Strange "Routing" Issue
Replies: 10
Views: 1748

Re: Strange "Routing" Issue

I eventually took the time to figure out the OVPN setup and have been using that ever since. At some point I'll just have to make some time and "merge" the bridges again and hopefully it won't have the same effect. The thing is that I've run into the same issue in the meantime and realize...
by sindy
Tue Feb 23, 2021 10:31 am
Forum: General
Topic: Double NAT & no public IP for VPN [SOLVED]
Replies: 10
Views: 636

Re: Double NAT & no public IP for VPN [SOLVED]

how likely ipsec pass through NAT between 2 private IP? I have a positive experience with "normal" ISPs and a negative one with mobile ones, which do not keep the original port. interesting. I see the other post, and I don't find any cons in your tutorial. but I'm still learning about it ...
by sindy
Mon Feb 22, 2021 10:23 pm
Forum: General
Topic: Double NAT & no public IP for VPN [SOLVED]
Replies: 10
Views: 636

Re: Double NAT & no public IP for VPN [SOLVED]

Depending on how the NATs in question behave, in particular whether the source port of a UDP packet sent from your router's WAN IP is kept as the packet goes through the NATs all the way to the public IP, it may be possible to establish an IPsec tunnel between the two devices. The source port must b...
by sindy
Mon Feb 22, 2021 10:13 pm
Forum: General
Topic: Problem with L2/L3 Tunnel VLAN
Replies: 14
Views: 737

Re: Problem with L2/L3 Tunnel VLAN

What are your reasons to use /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes ? I don't say it is definitely the cause of the issue you experience, but as you don't use any /queue tree or /queue simple settings, it just causes the bridged ...
by sindy
Mon Feb 22, 2021 9:57 pm
Forum: General
Topic: Bridge and failover, is it possible ?
Replies: 4
Views: 262

Re: Bridge and failover, is it possible ?

But what I describe is an alternative - you don't need to change anything on the existing router, it will just provide an uplink and address to the Mikrotik, and the Mikrotik will take over the rest. The LAN hosts receive not only their own IP addresses but also the IP address of the default gateway...
by sindy
Mon Feb 22, 2021 9:36 pm
Forum: General
Topic: dynamic ipsec mode-config configuration
Replies: 11
Views: 615

Re: dynamic ipsec mode-config configuration

If the design of your solution is based on VTI and all the other components of your network support it, there is little point in adding Mikrotik to the mix. As @vikinggeek has suggested, you could use IPsec just to encrypt a "traditional" tunnel, but it would require to use specific handli...
by sindy
Mon Feb 22, 2021 8:20 pm
Forum: General
Topic: Strange "Routing" Issue
Replies: 10
Views: 1748

Re: Strange "Routing" Issue

@rules, does this still bother you?
by sindy
Mon Feb 22, 2021 3:39 pm
Forum: General
Topic: Bridge and failover, is it possible ?
Replies: 4
Views: 262

Re: Bridge and failover, is it possible ?

It will be much simpler to use the existing router only to provide WAN uplink to the Mikrotik one and let the Mikrotik do the rest. Do you have any particular reason not to do it this way?
by sindy
Mon Feb 22, 2021 2:05 pm
Forum: General
Topic: Question: Can I specify Proposal/Profile for EOIP/ISPEC?
Replies: 3
Views: 186

Re: Question: Can I specify Proposal/Profile for EOIP/ISPEC?

For road warriors, you get less headache if you use tunnel mode of the SA and create an individual identity referring to an individual policy template group for each road warrior. That way, you can use static private addresses at both ends for the EoIP tunnel although the WAN addresses of the road w...
by sindy
Mon Feb 22, 2021 12:25 pm
Forum: General
Topic: Auto Throttle During Congestion
Replies: 14
Views: 712

Re: Auto Throttle During Congestion

after the \n:set wanRate (\$wanRate/55)\ row, add another one: \n:put $wanRate\ to visualize the result of the throughput measurement. Then you can run the script manually and before each run, update the thresholds to see the whether it does what is expected. I did it this way and it worked for me. ...
by sindy
Mon Feb 22, 2021 12:17 pm
Forum: General
Topic: Question: Can I specify Proposal/Profile for EOIP/ISPEC?
Replies: 3
Views: 186

Re: Question: Can I specify Proposal/Profile for EOIP/ISPEC?

If you just specify the ipsec-secret value on the /interface eoip configuration row, RouterOS dynamically generates the IPsec configuration (peer, identity, policy) using the peer profile called default and the proposal called default . So if you don't plan to use this profile and proposal for other...
by sindy
Sun Feb 21, 2021 11:54 pm
Forum: General
Topic: L2TP/IPsec doesn't work across NAT [SOLVED]
Replies: 12
Views: 637

Re: L2TP/IPsec doesn't work across NAT [SOLVED]

The reason is that once the L2TP client connects, RouterOS dynamically creates an interface called <l2tp-client-name>, through which the traffic from the client comes in. This interface is not a member of interface list LAN, so in the absence of any permissive rule, the rule action=drop chain=input ...
by sindy
Sun Feb 21, 2021 11:37 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

Exactly. This result illustrates that the packet reaches the input chain of filter as expected, and some rule in there drops it.
by sindy
Sun Feb 21, 2021 11:27 pm
Forum: General
Topic: L2TP/IPsec doesn't work across NAT [SOLVED]
Replies: 12
Views: 637

Re: L2TP/IPsec doesn't work across NAT [SOLVED]

This is weird, considering that I have so many NATted services. There's nothing weird about that - the rule counts if it matches and thus drops a packet. Whatever is dstnated does not match the rule, so it doesn't count. And I've referred to a wrong rule in my previous post - the one which was drop...
by sindy
Sun Feb 21, 2021 11:04 pm
Forum: General
Topic: L2TP/IPsec doesn't work across NAT [SOLVED]
Replies: 12
Views: 637

Re: L2TP/IPsec doesn't work across NAT [SOLVED]

The port for L2TP is 1701, not 1703. When you connect via LAN, the rule action=accept chain=input in-interface-list=WAN port=500, 1703 1701 ,4500,5500 protocol=udp is not necessary because the IPsec connection is established via LAN and thus the rule action=drop chain=forward comment="defconf: ...
by sindy
Sun Feb 21, 2021 10:49 pm
Forum: General
Topic: L2TP/IPsec doesn't work across NAT [SOLVED]
Replies: 12
Views: 637

Re: L2TP/IPsec doesn't work across NAT [SOLVED]

Show me the complete export of your configuration (see my signature below regarding anonymisation). It seems that a firewall rule is missing in your configuration, as the sniffer shows that the phone is sending encrypted packets between the keepalives but there is no l2tp row in the log.
by sindy
Sun Feb 21, 2021 10:06 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

> /tool sniffer quick ip-address=172.16.0.1 INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN Uno ADSL 19.287 1 <- Uno ADSL 20.291 2 <- ...you get the idea Yes, this is enough, so the transport packets get received and the payload ones are extracted from them allright. If needs be, I can post the filter r...
by sindy
Sun Feb 21, 2021 9:27 pm
Forum: General
Topic: IKE2 identity not found (IOS to Mikrotik) [SOLVED]
Replies: 25
Views: 8523

Re: IKE2 identity not found (IOS to Mikrotik) [SOLVED]

First, try setting match-by=certificate on the identity row. If it doesn't help, it is necessary to use logging at Mikrotik side to find out whether the Apple device sends its certificate or not, so come back for instructions.
by sindy
Sun Feb 21, 2021 9:22 pm
Forum: General
Topic: L2TP/IPsec doesn't work across NAT [SOLVED]
Replies: 12
Views: 637

Re: L2TP/IPsec doesn't work across NAT [SOLVED]

The chain of mismatches ends by a match, so it is not relevant. Also the FRAGMENTATION mentioned in the log means that fragmentation of the IKE negotiation packets is supported, i.e. it is not a complaint about existence of fragmented packets. The log shows that both Phase 1 and Phase 2 have complet...
by sindy
Sun Feb 21, 2021 9:00 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

Ok. If you run /tool sniffer quick ip-address=172.16.0.1 on R2 while pinging from R1, does it show anything? Are the /ip firewall filter rules you've posted above the only ones in that table? Is the IPsec policy for 172.16.0.1<->172.16.0.2 the only one at R2 or are there any other policies which are...
by sindy
Sun Feb 21, 2021 6:19 pm
Forum: General
Topic: Auto Throttle During Congestion
Replies: 14
Views: 712

Re: Auto Throttle During Congestion

Of course it is not working. The address list item in my script was also playing a role of a state variable, from which the isOn was derived. So once you've removed it, isOn is undefined, so the if now probably always takes the else path. So replace the $isOn by (!([/queue tree get youtube-non-VIP d...
by sindy
Sun Feb 21, 2021 4:20 pm
Forum: General
Topic: Auto Throttle During Congestion
Replies: 14
Views: 712

Re: Auto Throttle During Congestion

First remove the existing scheduler and script, and then repeat the whole exercise again, this time replacing wan-interface-name (once) and name-of-the-queue (twice). /system script add name=throttle source=":local onThreshold 45000000\ \n:local offThreshold 35000000\ \n:local isOn ([:len [ip f...
by sindy
Sun Feb 21, 2021 3:51 pm
Forum: General
Topic: invalid arp 00-00-00-00-00-00
Replies: 9
Views: 454

Re: invalid arp 00-00-00-00-00-00

So you think it is actually a presentation error (the ARP record with no MAC address learned is shown as 0:0:0:0:0:0)?
Could be, you can easily check by pinging a non-existent address within the subnet range from one of the PCs. If it appears on that suspicious list, your assumption is confirmed.
by sindy
Sun Feb 21, 2021 3:44 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

So are you saying that the sending SA on R1 and the corresponding receiving SA on R2 count simultaneously as you ping, but nevertheless the firewall rule for icmp at R2 doesn't?
by sindy
Sun Feb 21, 2021 3:42 pm
Forum: General
Topic: 6.45.6 ipsec site to site tutorial request
Replies: 13
Views: 1527

Re: 6.45.6 ipsec site to site tutorial request

Yes, tunnel mode of the IPsec encapsulation allows using fixed internal addresses as GRE/IPIP endpoint ones whilst the WAN address of at least the initiator keeps changing. The price to pay is the extra IP header, consuming part of MTU, so less space in the transport packet remains for the payload.
by sindy
Sun Feb 21, 2021 3:36 pm
Forum: General
Topic: Auto Throttle During Congestion
Replies: 14
Views: 712

Re: Auto Throttle During Congestion

What do you think if it calculates the average of 5 minutes of bandwidth usage? Averaging definitely helps suppress overreaction, but is an overreaction which activates the limitation for just one minute really so important that the code needs to be made more complex (and thus a coding mistake more...
by sindy
Sun Feb 21, 2021 2:51 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

So the connection print shows no hidden src-nat/masquerade rule is the culprit as the reply-dst-address is the same as the src-address . With the installed SAs, I assume it's one pair per policy hence 4 for 2 policies? That being the case, it looks like the counters are increasing on the pair for ...
by sindy
Sun Feb 21, 2021 1:12 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

My mistake with the installed-sa , it must be dst-address ~" the.ip.of.the.remote.peer " so that the port need not be specified. What I was interested in was whether the installed-sa counts - assuming the traffic via the other SA (for 192.168...) is intentionally stopped to avoid confusion...
by sindy
Sun Feb 21, 2021 12:59 pm
Forum: General
Topic: IKEv2 VPN on latest IOS and MacOS what a pain / identity not found for server [SOLVED]
Replies: 10
Views: 546

Re: IKEv2 VPN on latest IOS and MacOS what a pain / identity not found for server [SOLVED]

You may have misunderstood me. The identity row, even if just a single one is attached to a peer, is always matched on either the remote ID or the certificate (depending on the setting of the match-by parameter). So if remote-id is set to ignore , the row will match on any ID_I received, and the onl...
by sindy
Sun Feb 21, 2021 12:32 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

Sorry, I forgot to state you have to add also src-ip=172.16.0.x (1 or 2) to the /ip route check . What surprises me is the nexthop value, but that should not change the outcome. Hence chances are high that the packet makes it to the stage IPsec policy matching. So run the ping at R1, and tell me the...
by sindy
Sun Feb 21, 2021 12:18 pm
Forum: General
Topic: IKEv2 VPN on latest IOS and MacOS what a pain / identity not found for server [SOLVED]
Replies: 10
Views: 546

Re: IKEv2 VPN on latest IOS and MacOS what a pain / identity not found for server [SOLVED]

I'd say match-by=certificate remote-certificate=the-one-of-the-client should do the trick with either remote-id=ignore or remote-id=auto . But it's just a guess, maybe auto is necessary, as in fact the header of the certificate is sent as the ID, as the log should show you. Maybe Apple does that dif...
by sindy
Sun Feb 21, 2021 12:01 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

What does /ip route check 172.16.0.2 show? I.e. is there any route at all (even if the default one) for that destination?
by sindy
Sun Feb 21, 2021 11:56 am
Forum: General
Topic: 6.45.6 ipsec site to site tutorial request
Replies: 13
Views: 1527

Re: 6.45.6 ipsec site to site tutorial request

@pe1chl, the issue was different - it's the transport (GRE or IPIP) packets that got src-nated, not the payload ones. The transport ones are routed via the WAN before the policy diverts them.
by sindy
Sun Feb 21, 2021 11:41 am
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

I've just added a 172.16.99.1 <=> 172.16.99.2 policy to one of my running IPsec IKEv2 links, added the respective addresses to interfaces on the routers, and the ping goes through all right. Both are ARM ones and with quite outdated versions (6.45.9 and 6.46.8), but I don't expect such kind of a bug ...
by sindy
Sun Feb 21, 2021 11:27 am
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

It would be overkill to export the entire configuration I think
The problem is that the issue is always where you don't suspect it could be - if it was where you expect it, you would find it, right? So a missed NAT rule, a missed item of some apparently unrelated address-list, an IPsec policy shado...
by sindy
Sun Feb 21, 2021 11:19 am
Forum: General
Topic: Mikrotik hEX lite (RB750r2) and satellite updates
Replies: 2
Views: 641

Re: Mikrotik hEX lite (RB750r2) and satellite updates

For me both fqdns resolve properly, so check your own DNS setup. 8.8.8.8 is an IP of Google DNS server, so something is really wrong in your DNS chain. You may resolve the fqdns to IPs somewhere else and then create static DNS items in the configuration of the device you're trying to upgrade. [me@my...
by sindy
Sun Feb 21, 2021 11:00 am
Forum: General
Topic: L2TP/IPsec doesn't work across NAT [SOLVED]
Replies: 12
Views: 637

Re: L2TP/IPsec doesn't work across NAT [SOLVED]

I wouldn't think it's the CGNAT, rather some fragmentation issues. Activate more detailed logging on the Mikrotik and try again:
/system logging add topics=ipsec,!packet
/log print follow-only file=ipsec-start where topics~"ipsec"
then start connection attempt from the phone. Once it fails...
by sindy
Sun Feb 21, 2021 10:46 am
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

It is hard to debug things remotely without at least seeing the configuration. When you ping while the 172.x.x.x addresses are used, do you also specify the src-address or you let the machine choose one autonomously?
by sindy
Sun Feb 21, 2021 10:40 am
Forum: General
Topic: Homemade USB to USB null modem for serial console access
Replies: 2
Views: 227

Re: Homemade USB to USB null modem for serial console access

Thank you, very useful info regarding different default treatment of different USB to serial chips in RouterOS. It explains why some people say it doesn't work out of the box and some (like me) have an opposite experience. Other than that, what's the advantage as compared to a pair of "fully ...
by sindy
Sun Feb 21, 2021 10:34 am
Forum: General
Topic: unable to carry out speed test to mikrotik public test server
Replies: 1
Views: 123

Re: unable to carry out speed test to mikrotik public test server

It seems @TomjNorthIdaho's server has some issue at the moment. Plus if you try too often, it won't let you connect for the next 24 hours. So I'd suggest posting a question in the related topic . The other server by @Martoo and yet another one by @Garrison1701 were both up at the time I was testing minu...
by sindy
Sun Feb 21, 2021 10:07 am
Forum: General
Topic: IKEv2 VPN on latest IOS and MacOS what a pain / identity not found for server [SOLVED]
Replies: 10
Views: 546

Re: IKEv2 VPN on latest IOS and MacOS what a pain / identity not found for server [SOLVED]

As I've got no Mac/iPhone laying around, let alone with the OS version in question - can you post the window that opens if you click [Authentication Settings...] in the window you've already posted?
by sindy
Sun Feb 21, 2021 12:37 am
Forum: General
Topic: IKEv2 VPN on latest IOS and MacOS what a pain / identity not found for server [SOLVED]
Replies: 10
Views: 546

Re: IKEv2 VPN on latest IOS and MacOS what a pain [SOLVED]

The log from the Mikrotik shows that the Apple uses its private IP address as its identifier (ID_I), so the Mikrotik cannot find a corresponding row in /ip ipsec identity . But if I understand it right, this actually indicates that the Apple device doesn't consider its own certificate fit for its ow...
by sindy
Sun Feb 21, 2021 12:23 am
Forum: General
Topic: invalid arp 00-00-00-00-00-00
Replies: 9
Views: 454

Re: invalid arp 00-00-00-00-00-00

I'm not suggesting the cAP itself sends the nonsense, I suggest it is some wireless device connected to the bridge on the 750 via the cAP. And unless you'd configure the 0:0:0:0:0:0 as the admin-mac of the bridge (which you haven't according to the config export), I cannot see how you could make the...
by sindy
Sun Feb 21, 2021 12:15 am
Forum: General
Topic: 6.45.6 ipsec site to site tutorial request
Replies: 13
Views: 1527

Re: 6.45.6 ipsec site to site tutorial request

Ah, yes, you forgot to exempt the traffic between 192.168.99.1 and 192.168.99.2 from the masquerade rule, so it gets src-nated and the IPsec policy cannot see it. Add a rule src-address=192.168.99.0/30 dst-address=192.168.99.0/30 chain=src-nat action=accept before (above) the masquerade one at both ...
by sindy
Sat Feb 20, 2021 11:49 pm
Forum: General
Topic: 6.45.6 ipsec site to site tutorial request
Replies: 13
Views: 1527

Re: 6.45.6 ipsec site to site tutorial request

So you insist it must be GRE, you cannot use IPIP instead? Why?
by sindy
Sat Feb 20, 2021 11:45 pm
Forum: General
Topic: IKEv2 VPN on latest IOS and MacOS what a pain / identity not found for server [SOLVED]
Replies: 10
Views: 546

Re: IKEv2 VPN on latest IOS and MacOS what a pain [SOLVED]

To see the digest-algorithm used, you have to display the certificate parameters using the command line, /certificate print detail where common-name~"vpn" . But when signing certificates, RouterOS normally uses SHA-256, which is from the SHA-2 suite, so it fits those requirements. As for t...
by sindy
Sat Feb 20, 2021 11:31 pm
Forum: General
Topic: 172.16.0.0/12 RFC1918 in ROS [SOLVED]
Replies: 25
Views: 1102

Re: 172.16.0.0/12 RFC1918 in ROS [SOLVED]

GRE has become a headache generator since the security patch in 6.45.something, as received GRE packets are labeled with connection-state=invalid even if the device sends its own GRE packets in the opposite direction - unless the PPTP helper ( /ip firewall service-port ) is enabled. So if you can re...
by sindy
Sat Feb 20, 2021 11:22 pm
Forum: General
Topic: invalid arp 00-00-00-00-00-00
Replies: 9
Views: 454

Re: invalid arp 00-00-00-00-00-00

Are you saying that it's the router that is telling the computers about 00:00:00:00:00:00, i.e. they aren't receiving it directly from the mad device?
Maybe I've misunderstood where you can see those weird ARP records - are they on the router or on the PCs? If on the PCs, the responses must be coming...
by sindy
Sat Feb 20, 2021 10:45 pm
Forum: General
Topic: invalid arp 00-00-00-00-00-00
Replies: 9
Views: 454

Re: invalid arp 00-00-00-00-00-00

My questions are 1. Where do these 00:00:00:00:00:00 come from, and 2. Why do I see records for IP-s that shouldn't be talking to each other ..
As for 2., the ARP table is used by RouterOS itself to translate IP addresses of the devices to their MAC addresses when it needs to deliver packets to the...
by sindy
Sat Feb 20, 2021 9:58 pm
Forum: General
Topic: options for connecting two locations [SOLVED]
Replies: 13
Views: 686

Re: options for connecting two locations [SOLVED]

I'm not sure what happens if the client's /ppp profile row specifies a bridge and the server's one doesn't or vice versa, you have to try. But you can specify a particular row of /ppp profile for each client at that client's /ppp secret row, so you'll just need two profile rows at server side if cli...
by sindy
Sat Feb 20, 2021 9:52 pm
Forum: General
Topic: Auto Throttle During Congestion
Replies: 14
Views: 712

Re: Auto Throttle During Congestion

Copy-paste the following code to a text editor, replace wan-interface-name by the actual name of your WAN interface, and then copy-paste the result into the command line window of the Mikrotik: /system script add name=throttle source=":local onThreshold 45000000\ \n:local offThreshold 35000000\...
by sindy
Sat Feb 20, 2021 9:32 pm
Forum: General
Topic: options for connecting two locations [SOLVED]
Replies: 13
Views: 686

Re: options for connecting two locations [SOLVED]

The VLAN 20 config for BR1 is fine as it is, as BR1 is on the tagged list for vlan-ids=20 there. The /interface vlan is just a tagging/untagging pipe, whose tagged end is attached to the interface mentioned in its parameters, so in your case, BR1. You make its tagless end a member port of br-vlan20 ...
by sindy
Sat Feb 20, 2021 9:26 pm
Forum: General
Topic: Can't Make New NAT Rules Work [SOLVED]
Replies: 13
Views: 516

Re: Can't Make New NAT Rules Work [SOLVED]

"it never connects" and "I cannot see any packets to get anywhere" are two distinct things. When you were sniffing while connecting via LAN, you could see a packet with dst-port 1194 to come in via ether3, the same packet to leave via ether 4, and then a response packet with src-...
by sindy
Sat Feb 20, 2021 9:16 pm
Forum: General
Topic: options for connecting two locations [SOLVED]
Replies: 13
Views: 686

Re: options for connecting two locations [SOLVED]

On this new br-vlan20 I don't configure any vlan filtering correct? Frames will cross tagged or untagged?
Correct. The /interface vlan receives frames tagged with VID 20 from the main bridge, untags them, and forwards them to br-vlan20; in the opposite direction, it receives tagless frames from br-v...
by sindy
Sat Feb 20, 2021 7:25 pm
Forum: General
Topic: options for connecting two locations [SOLVED]
Replies: 13
Views: 686

Re: options for connecting two locations [SOLVED]

If it is really enough for you to push a single VLAN via the L2 tunnel, create a dedicated bridge "br-vlan20", create an /interface vlan with VLAN ID 20 on the main bridge (if not created yet), and make that /interface vlan a member port of br-vlan20. Then indicate br-vlan20 in the /ppp pr...
by sindy
Sat Feb 20, 2021 7:17 pm
Forum: General
Topic: Can't Make New NAT Rules Work [SOLVED]
Replies: 13
Views: 516

Re: Can't Make New NAT Rules Work [SOLVED]

Fine, what does it look like when connecting from outside?
by sindy
Sat Feb 20, 2021 6:13 pm
Forum: General
Topic: Can't Make New NAT Rules Work [SOLVED]
Replies: 13
Views: 516

Re: Can't Make New NAT Rules Work [SOLVED]

OK, nothing wrong with filter rules, as initial packets of dst-nated connections are excluded from the "drop all from WAN" rule. So I'd assume it is a routing or firewall issue at 192.168.88.246 and 192.168.88.249. /tool sniffer quick port=1194 will show you whether the packet has made it ...
by sindy
Sat Feb 20, 2021 5:51 pm
Forum: General
Topic: Can't Make New NAT Rules Work [SOLVED]
Replies: 13
Views: 516

Re: Can't Make New NAT Rules Work [SOLVED]

In WinBox I see that both the effected NAT rules are counting packets
In that case, post the export of /ip firewall filter.
by sindy
Sat Feb 20, 2021 5:43 pm
Forum: General
Topic: 6.45.6 ipsec site to site tutorial request
Replies: 13
Views: 1527

Re: 6.45.6 ipsec site to site tutorial request

The default firewall configurations differ for different RouterOS releases, so it is better to post the configuration export. For IPsec itself, you have to permit, at responder side, inbound connections to UDP port 500 and for ESP if there is no NAT between the peers; if there is NAT, connections to...
by sindy
Sat Feb 20, 2021 5:18 pm
Forum: General
Topic: Can't Make New NAT Rules Work [SOLVED]
Replies: 13
Views: 516

Re: Can't Make New NAT Rules Work [SOLVED]

While it may be caused by a bug, it is much more likely that the access to the port is blocked externally or that some other dst-nat rule shadows the newly added one. So I'd suggest you first run /tool sniffer quick interface=your-wan-interface-name port=the-port-number and try to connect to the por...
by sindy
Sat Feb 20, 2021 3:23 pm
Forum: General
Topic: Auto Throttle During Congestion
Replies: 14
Views: 712

Re: Auto Throttle During Congestion

The answer is scripting. In my opinion, it is easier to use hysteresis rather than to calculate 5 minute traffic averages - configure two different threshold values far enough from each other for activation and deactivation of the bandwidth throttling. Let's say activate it if traffic exceeds 45 Mbi...
by sindy
Sat Feb 20, 2021 12:11 pm
Forum: General
Topic: Problem with L2/L3 Tunnel VLAN
Replies: 14
Views: 737

Re: Problem with L2/L3 Tunnel VLAN

Instead of posting the configuration on an external site with its own rules for personal data collection you have to accept, put the configuration export here inline, between [code] and [/code] tags if you don't have sufficient score to attach files here yet.
by sindy
Sat Feb 20, 2021 12:03 pm
Forum: General
Topic: problem with l2tp/ipsec for 500 users in RB1100AHx4
Replies: 5
Views: 449

Re: problem with l2tp/ipsec for 500 users in RB1100AHx4

So if I summarize:
- if 500 clients are up and running, the CPU load is 3 %
- if a single client tries to connect while the others are running, there is no problem
- if 500 clients are trying to connect at the same time, the CPU goes to 100 % and most clients cannot connect
Is that correct? If so, what is...
by sindy
Fri Feb 19, 2021 11:20 pm
Forum: General
Topic: Weird MTU problem on LTE failover connection
Replies: 4
Views: 253

Re: Weird MTU problem on LTE failover connection

Being stuck at syn_sent doesn't seem like an MTU thing to me. The initial "three way handshake" consists of packets which have zero payload size, and syn_sent means that even the SYN+ACK response from the server, which simply cannot be lost due to insufficient MTU because it consists o...
by sindy
Fri Feb 19, 2021 10:44 pm
Forum: General
Topic: How to make 2 isolated networks on 2 different PPPoE interfaces?
Replies: 2
Views: 170

Re: How to make 2 isolated networks on 2 different PPPoE interfaces?

I translated the English text into Russian with Google Translate and changed the words in the English text in those cases where the automatic translation completely ruined the meaning. Minor issues remain, but they seem non-critical to me. Starting from the end - the PPPoE clients should stay directly attached to their respective Ethe...
by sindy
Fri Feb 19, 2021 10:02 am
Forum: General
Topic: dynamic ipsec mode-config configuration
Replies: 11
Views: 615

Re: dynamic ipsec mode-config configuration

Well, summarizing everything :-) The combination of modified "shield" policy and adding "exclusion" rule to srcnat (or removing masquerade at all): ... makes it working (incl even BGP) until IPSec is active. As soon as IPSec became inactive, "exclusion" rule prevents L...
by sindy
Fri Feb 19, 2021 8:57 am
Forum: General
Topic: VLAN Bridge (CPU Port) Question about tagged/untagged
Replies: 3
Views: 251

Re: VLAN Bridge (CPU Port) Question about tagged/untagged

Each row of /interface bridge actually aggregates parameters for three distinct types of objects linked together:
- the bridge itself, as in "virtual switch"
- the virtual member port of that bridge, to which a virtual port of a virtual router is connected
- the virtual port of a virtual router...
by sindy
Thu Feb 18, 2021 10:18 pm
Forum: General
Topic: Help on wiring solution
Replies: 18
Views: 1331

Re: Help on wiring solution

First, CAPsMAN is a way to make your life easier when provisioning multiple APs and to reduce the requirements on the transport network capabilities. It is not necessary to make roaming possible, nor does it make it easier or faster. The stations (clients) may roam among individually configured APs ...
by sindy
Thu Feb 18, 2021 9:26 pm
Forum: General
Topic: VLAN Bridge (CPU Port) Question about tagged/untagged
Replies: 3
Views: 251

Re: VLAN Bridge (CPU Port) Question about tagged/untagged

Please read this post first. If it doesn't help, come back here. Whereas I also don't understand the purpose of the ingress-filtering parameter of the bridge port, the pvid is meaningful there.
by sindy
Thu Feb 18, 2021 9:20 pm
Forum: General
Topic: pcc load balancing help [SOLVED]
Replies: 7
Views: 419

Re: pcc load balancing help [SOLVED]

Seems fine to me. If there is a mistake, it is most likely coming from me :)
by sindy
Thu Feb 18, 2021 8:18 pm
Forum: General
Topic: pcc load balancing help [SOLVED]
Replies: 7
Views: 419

Re: pcc load balancing help [SOLVED]

Ah, sorry, I wasn't careful when looking at the first four action=mark-routing rules in prerouting , they are actually used to assign the routing-mark to LAN->WAN packets, not to WAN->LAN ones. The reason is that it is quite unusual to use three groups of connection-mark values (WAN->LAN, LAN->WAN, ...
by sindy
Thu Feb 18, 2021 6:37 pm
Forum: General
Topic: pcc load balancing help [SOLVED]
Replies: 7
Views: 419

Re: pcc load balancing help [SOLVED]

If you assign a routing-mark to WAN->LAN packets, they may end up being sent back to the internet if only a default route exists with that routing-mark , which is typically the case. You haven't shown your /ip route section so it is hard to say. PCC can be normally used to assign a routing-mark directly, ...
by sindy
Thu Feb 18, 2021 2:13 pm
Forum: General
Topic: Only one VPN- client behind Mikrotik is connecting to external Cloud- VPN Server
Replies: 1
Views: 125

Re: Only one VPN- client behind Mikrotik is connecting to external Cloud- VPN Server

What could be the problem?
The problem is the design of L2TP/IPsec. Details here. No way to solve this at the 3011 end unless you could use as many public IPs at WAN side as there are phones. It might be possible to solve it at the phones themselves but it is not very likely.
by sindy
Thu Feb 18, 2021 12:21 pm
Forum: General
Topic: dynamic ipsec mode-config configuration
Replies: 11
Views: 615

Re: dynamic ipsec mode-config configuration

Note that I don't need it to be NATed by dynamic IPSec policy - I need to see LAN traffic inside VPN with original addresses.
Exactly, since you have a route to 192.168.56.0/24 on the Cisco, there is no point at all in doing the NAT to the address assigned using IKEv2. So the correct thing is to pl...
by sindy
Thu Feb 18, 2021 9:47 am
Forum: General
Topic: Multiple SSID capsman and caps not in the same subnet
Replies: 4
Views: 315

Re: Multiple SSID capsman and caps not in the same subnet

So for a case where the wireless interfaces are created at the CAPsMAN machine , this is a real life configuration adapted to your network. To simplify things and save a bit of CPU, the home and guest subnets are linked to individual bridge interfaces, so no VLANs are used for them. CAPsMAN: /interf...
by sindy
Wed Feb 17, 2021 10:17 pm
Forum: General
Topic: Random "Error sending email timeout occured"
Replies: 3
Views: 230

Re: Random "Error sending email timeout occured"

In one terminal window:
/system logging add topics=e-mail
/tool sniffer set file-name=e-mail.pcap
/tool sniffer quick port=587
(and let it run)
In another terminal window:
/log print follow-only file=e-mail where topics~"e-mail"
(and let it run)
Now change the scheduler to send the log, sa...
by sindy
Wed Feb 17, 2021 8:06 pm
Forum: General
Topic: Multiple SSID capsman and caps not in the same subnet
Replies: 4
Views: 315

Re: Multiple SSID capsman and caps not in the same subnet

The fact that the CAPsMAN and the CAP(s) are not in the same subnet is not really important; what is important is the expected traffic pattern in the network. You say that the routing between the router and the switch is by BGP (which is an overkill) and worst of all, it implies that the CRS328 has ...
by sindy
Wed Feb 17, 2021 6:26 pm
Forum: General
Topic: Routing traffic through VPN SSTP to Mikrotik from a client W10
Replies: 2
Views: 148

Re: Routing traffic through VPN SSTP to Mikrotik from a client W10

The only VPN protocol in RouterOS which currently supports pushing routes to Windows is IKEv2. For all other protocols, you either have to follow the suggestion of @16again, or you may use the "normal" command line to add persistent routes ( route add -p ... ) with gateway 0.0.0.0 and the ...
by sindy
Wed Feb 17, 2021 3:18 pm
Forum: General
Topic: L2TP with IP Sec Server
Replies: 6
Views: 413

Re: L2TP with IP Sec Server

Since there is no peer and no identity, the dynamic generation of IPsec configuration for L2TP did not happen. Can you post the output of /interface l2tp-server export or, even better, a complete export?
by sindy
Wed Feb 17, 2021 12:33 pm
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 670

Re: How to connect vrrp'ed routers to wan (ISP)

Maybe I'm wrong but using a script still looks like a much easier way to handle it. ... Why is this simple method not good?
The above is quite in contrast with what you've stated earlier:
Only I wouldn't be able to script this in Mikrotik environment so need to find out if something similar is alrea...
by sindy
Wed Feb 17, 2021 11:34 am
Forum: General
Topic: L2TP with IP Sec Server
Replies: 6
Views: 413

Re: L2TP with IP Sec Server

First, switching firewall completely off is a very bad idea. The filth from the net is incredibly fast to squat in. Second, do you realize that the order of rules in the firewall matters, as the rules in each chain are evaluated from the first (topmost) one towards the last (bottommost) one until fi...
by sindy
Wed Feb 17, 2021 9:54 am
Forum: General
Topic: dynamic ipsec mode-config configuration
Replies: 11
Views: 615

Re: dynamic ipsec mode-config configuration

... see an interesting thing: - when I switch off IPSec (and regular routing is in action - you see the NAT to 192.0.2.177 in debug below), I see incoming packets on the LAN interface: ... - but as soon as I enable IPSec peer and policies/NAT are installed: ... these records stops in the log (while...
by sindy
Tue Feb 16, 2021 11:27 pm
Forum: General
Topic: lost pings
Replies: 5
Views: 282

Re: lost pings

The idea was that the packet was being dropped in the routing phase (between prerouting and input or forward) because the backward route didn't match the in-interface of that packet. But if rp-filter is no, it cannot be the case.
by sindy
Tue Feb 16, 2021 11:10 pm
Forum: General
Topic: lost pings
Replies: 5
Views: 282

Re: lost pings

:put [/ip settings get rp-filter]
by sindy
Tue Feb 16, 2021 9:28 pm
Forum: General
Topic: L2TP with IP Sec Server
Replies: 6
Views: 413

Re: L2TP with IP Sec Server

What is wrong about the manual, and how exactly your setup "doesn't work"?
by sindy
Tue Feb 16, 2021 7:44 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

but the behavior is exactly the same as with the pre-shared key solution and the native Android client
That pretty much excludes issues at the Android end. So I'd myself try 6.46.8 before digging further. Not because that version is special in some way but because I know IKEv2 works on it, whereas ...
by sindy
Tue Feb 16, 2021 7:39 pm
Forum: General
Topic: IKEv2 -> VLANs filtering
Replies: 3
Views: 248

Re: IKEv2 -> VLANs filtering

So for main VLAN I can use identity with Auth. Method 'eap radius' so all domain users get access to the main VLAN. And for the rest VLANs I'll have to define separate identities for each user with Auth. Method different than 'eap radius' Am I correct?
Sounds correct to me, unless RouterOS supports...
by sindy
Tue Feb 16, 2021 7:04 pm
Forum: General
Topic: Fat fingered VPN config
Replies: 12
Views: 600

Re: Fat fingered VPN config

Please start by following the text of my automatic signature below.
by sindy
Tue Feb 16, 2021 7:02 pm
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 670

Re: How to connect vrrp'ed routers to wan (ISP)

The key here is the "policy routing" as mentioned above, which is a shortcut for "routing which takes into account not only the destination address but also other properties of the packet being routed". In particular, you have to distinguish from where a packet came in. If it cam...
by sindy
Tue Feb 16, 2021 6:31 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

Using IP address together with type fqdn as peer identity is not a good idea as the Strongswan expects the type of the Subject-Alt-Name of the certificate to match the identity type. So if identity type is fqdn , the subject alt name type must be DNS ; if identity type is address , the subject alt n...
by sindy
Tue Feb 16, 2021 5:58 pm
Forum: General
Topic: dynamic ipsec mode-config configuration
Replies: 11
Views: 615

Re: dynamic ipsec mode-config configuration

Currently it is not, i.e. you cannot use the "normal" routing to send packets via the IPsec tunnel, they have to be matched by a policy. Your /ip ipsec policy print detail shows that the remote peer has suggested a policy "0.0.0.0/0 to 0.0.0.0/0" and your peer has accepted it, wh...
by sindy
Tue Feb 16, 2021 5:43 pm
Forum: General
Topic: Fat fingered VPN config
Replies: 12
Views: 600

Re: Fat fingered VPN config

It sounds to me as if the interface list LAN didn't exist, so the connection gets broken once the stack attempts to add the interface as its member and finds out it doesn't exist. Strange. What was the RouterOS version you started with (i.e. from which one the default configuration came)?
by sindy
Tue Feb 16, 2021 5:39 pm
Forum: General
Topic: IKEv2 -> VLANs filtering
Replies: 3
Views: 248

Re: IKEv2 -> VLANs filtering

You can create several separate /ip ipsec policy group items, and create a policy template with dst-address restricted to a long prefix (a small "subnet") for each group. The policy-template-group parameter of each /ip ipsec identity row will point to one of these groups. This will prevent...
by sindy
Tue Feb 16, 2021 5:27 pm
Forum: General
Topic: Fat fingered VPN config
Replies: 12
Views: 600

Re: Fat fingered VPN config

I think I'm confused about the multiple meaning of "bridge". I used the "Quick Set" to do the initial setup and included "bridge all ports". When I then mess with the PPP/Profile, do I tell it to use the bridge?
If the client is Windows, you don't. You can only bridge ...
by sindy
Tue Feb 16, 2021 5:08 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

Show me the /certificate print detail (assuming you've created the certificate for the Strongswan client on the 4011 so it will be there as well) and the /ip ipsec export hide-sensitive.
by sindy
Tue Feb 16, 2021 4:39 pm
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 670

Re: How to connect vrrp'ed routers to wan (ISP)

As suggested by @tdw, you actually don't need any script if the primary default route of each router goes via its own WAN and the secondary one goes via the second router, and you use the script-free monitoring of transparency of both WANs, as described here . Or you can even use any of those fancy ...
by sindy
Tue Feb 16, 2021 10:04 am
Forum: General
Topic: Fat fingered VPN config
Replies: 12
Views: 600

Re: Fat fingered VPN config

An ipconfig on a remote machine shows an assigned IP on the private network, but the subnet is 255.255.255.255 (rather than the expected 255.255.255.0) and the gateway is blank. Maybe this has nothing to do with the problem. This is a normal behaviour with L3 PPP tunnels (L2TP is basically an augme...
by sindy
Mon Feb 15, 2021 10:20 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

Well... so the IPsec transport packets are now going in both directions, installed-sa are counting - it sounds to me like an Android problem, or a problem of incorrect encryption and/or authentication at Mikrotik side, making the received packets at Android side undecipherable. To find out which ass...
by sindy
Mon Feb 15, 2021 9:43 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

I'm surprised that the action=accept ipsec-policy=out,ipsec rule does not count whereas the mikrotik->android installed-sa does. But if I read you right, both installed-sa now count when you ping from the Android, and don't otherwise? Or I have missed something? If you run /tool sniffer ip-address=t...
by sindy
Mon Feb 15, 2021 9:24 pm
Forum: General
Topic: DHCP Client
Replies: 15
Views: 4310

Re: DHCP Client

Reading RFC is very useful when you need to find out which end of a failed conversation is responsible for the failure. So in the OP's case, the server was responding with a NAK to a renewal request coming after half of the lease time, and @tippenring gave that link to the RFC to explain why the ren...
by sindy
Mon Feb 15, 2021 8:59 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

Something is happening...wrong. Google DNS ping generates traffic back/forth on the ether1 interface (mac addresses between Mikrotik and ISP router), but no ping on the Android phone. Ping to LAN comes to ether1---> bridge ----> ether2 LAN interface and reverse. But still no ping succeeded. Crazy. So in the...
by sindy
Mon Feb 15, 2021 8:42 pm
Forum: General
Topic: 3rd party Layer 3 Switch + DHCP Server on mikrotik
Replies: 1
Views: 135

Re: 3rd party Layer 3 Switch + DHCP Server on mikrotik

All these 3 vlans are tagged at switch side, although I think I really need only the transit VLAN tagged. It depends on how you have set up the routing on the L3 switch. If routing between 192.168.100.0/24 and 192.168.200.0/24 is provided by the L3 switch itself, it is enough to have the VLAN 7 / 1...
by sindy
Mon Feb 15, 2021 8:17 pm
Forum: General
Topic: One or more bridges?
Replies: 6
Views: 358

Re: One or more bridges?

The additional bridge used to hold an IP address for OSPF doesn't actually do any bridging - it is just the only way to create a virtual interface, which remains up no matter what, on Mikrotik. So its presence doesn't affect performance.
by sindy
Mon Feb 15, 2021 8:12 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

I can see traffic hitting the masquerade rule in the NAT, but no webpage or other traffic will pop up successfully on the Android client, and of course no ping to internal LAN. Hm. The masquerade rule is definitely not related to pinging a LAN host, so something more must be wrong. So run /tool sniff...
by sindy
Mon Feb 15, 2021 6:46 pm
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

I also tried to remove all the "drop" rules from firewall (so, no firewall :) ) Not really funny, the filth from the net may be incredibly fast to squat in (been there, seen that). A question: should the IKEv2 tunnel also create a dynamic routing rule when it establishes? Nope. With IPsec on...
by sindy
Mon Feb 15, 2021 9:39 am
Forum: General
Topic: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1
Replies: 22
Views: 1292

Re: IPsec IKEv2 Server for Road Warriors/Site to Site behind double NAT - rb4011 and OS6.48.1

Is it possible in general to have IPSec server under double nat as above? Yes, sure. The number of NATs doesn't matter (provided that all of them work properly). from firewall rules I can see packets on 500, 4500 ports but not on the ipsec-esp rule. That is no surprise. If there is at least one NAT ...
by sindy
Sun Feb 14, 2021 10:39 am
Forum: General
Topic: Windows 10 unable to connect to IPSEC/IKE2 VPN
Replies: 5
Views: 412

Re: Windows 10 unable to connect to IPSEC/IKE2 VPN

I haven't tried with 6.48.1 yet, but below is the experience from 6.46.8. Mikrotik states that tls-server value is sufficient for the responder certificate and tls-client is sufficient for initiator certificate, but Windows 10 requires one of the ipsec-end-system , ipsec-tunnel values (didn't test wh...
by sindy
Sun Feb 14, 2021 10:13 am
Forum: General
Topic: IPIP, GRE and IPsec tunnel is not working.
Replies: 6
Views: 486

Re: IPIP, GRE and IPsec tunnel is not working.

Open a command line window (using the [Terminal] button in Winbox or WebFig) and follow my automatic signature here below: type /export hide-sensitive file=some-name in that window ( hide-sensitive causes passwords and secrets not to be shown in the export, but doesn't hide usernames or any contents...
by sindy
Sun Feb 14, 2021 10:06 am
Forum: General
Topic: VPS domain blocks nslook up
Replies: 1
Views: 162

Re: VPS domain blocks nslook up

I don't really understand what you actually want to achieve. If you want that your fqdn cannot be resolved to a public IP (my.name.org -> 1.2.3.4) , simply don't create any A record for it. But then it's a question why you'd need any fqdn at all, as without the A record, whoever only knows the fqdn ...
by sindy
Sat Feb 13, 2021 9:22 pm
Forum: General
Topic: GRE tunnel over IPsec to mobile private APN
Replies: 1
Views: 114

Re: GRE tunnel over IPsec to mobile private APN

Agreed APN is 192.168.8.0/23. Does the above mean that the mobile clients will get addresses from that range (192.168.8.0 - 192.168.9.255)? Regardless that, the IPsec configuration will look as follows: /ip ipsec profile add name=polkomtel-profile enc-algorithm=3des dh-group=modp1024 /ip ipsec peer...
by sindy
Sat Feb 13, 2021 8:20 pm
Forum: General
Topic: DHCP option 55 example
Replies: 8
Views: 542

Re: DHCP option 55 example

You cannot force the DHCP server of RouterOS to send options the client hasn't asked for, as doing so would break the RFC. Mikrotik has refused to implement this although some ISPs asked for it because they cannot provide service to broken CPEs whose DHCP clients don't ask for some options but need ...
by sindy
Sat Feb 13, 2021 8:12 pm
Forum: General
Topic: Routing and mangle
Replies: 7
Views: 557

Re: Routing and mangle

Can anybody help? Am I missing something? Have you disabled the action=fasttrack-connection rule in chain forward of /ip firewall filter on this router? Fasttracked connections bypass mangle rules (and a whole lot of other packet handling steps, skipping them is the essence of fasttracking). /ip route...
by sindy
Sat Feb 13, 2021 7:36 pm
Forum: General
Topic: for 3 years about chain mangle game ?
Replies: 5
Views: 489

Re: for 3 years about chain mangle game ?

What is the best chain for mangle games connection mark? ... so I need the best explanation or a good reason from people who understand marking the game, not an answer from the wiki. The best chain for connection marking depends on the purpose. You can assign a connection-mark value for multiple purpose...
by sindy
Sat Feb 13, 2021 12:47 pm
Forum: General
Topic: Mikrotik hEX S (6.48.1) - Strongswan 2 policies, invalid SPI value
Replies: 2
Views: 256

Re: Mikrotik hEX S (6.48.1) - Strongswan 2 policies, invalid SPI value

Change level from require to unique on the /ip ipsec policy rows and try again. I suspect that Mikrotik sends the traffic of both policies via the same SA and the Strongswan drops traffic which comes in via the "wrong" SA.
by sindy
Sat Feb 13, 2021 12:22 pm
Forum: General
Topic: Problems with IPSec - only one device can connect
Replies: 3
Views: 343

Re: Problems with IPSec - only one device can connect

I can connect to my router from a remote location from my iPhone(using 4G or wifi), but not from my Mac (using wifi). I can see you have activated IPsec logging; can you say whether the Mac even attempts to initiate the IPsec connection? The thing is that the Apple devices are quite picky about the...
by sindy
Wed Feb 10, 2021 10:07 pm
Forum: General
Topic: Mikrotik and Cisco Router GRE Tunnel Problem
Replies: 18
Views: 1117

Re: Mikrotik and Cisco Router GRE Tunnel Problem

I'm afraid there is a problem with my English. I keep trying to help you and you keep asking for something else. So once more - before analysing what is actually going on, the way suggested above, there is no point in asking me further questions. The problem may not be in the Mikrotik or the Cisco a...
by sindy
Sun Jan 31, 2021 3:33 pm
Forum: General
Topic: connecting as an l2tp/IPSEC client
Replies: 21
Views: 1306

Re: connecting as an l2tp/IPSEC client

The network address is 10.112.113.88, where is this coming from? It is generated by RouterOS instead of the one assigned by the server. It is a workaround to avoid breaking the routing. If RouterOS used the address provided by the server, a route to it with distance 0 would be created with th...
by sindy
Sun Jan 31, 2021 11:16 am
Forum: General
Topic: connecting as an l2tp/IPSEC client
Replies: 21
Views: 1306

Re: connecting as an l2tp/IPSEC client

The log shows a successful establishment of the control connection: 09:14:47 l2tp,debug,packet sent control message to my.remote.server.ip:1701 from my.public.ip:1701 ... 09:14:47 l2tp,debug,packet (M) Message-Type= SCCRQ ... 09:14:47 l2tp,debug,packet rcvd control message from my.remote.server.ip:1...
by sindy
Sun Jan 31, 2021 9:19 am
Forum: General
Topic: basic ipsec server config
Replies: 5
Views: 2167

Re: basic ipsec server config

@sindy, you available to chat?
I have sent you an e-mail yesterday, maybe a spam filter has caught it?
by sindy
Sat Jan 30, 2021 10:52 pm
Forum: General
Topic: connecting as an l2tp/IPSEC client
Replies: 21
Views: 1306

Re: connecting as an l2tp/IPSEC client

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit ... 1 S dst-address=172.16.10.101/32 gateway=l2tp-out1 gateway-status=l2tp-out1 unreachable distance=1 scope=30 target-scope=10 ...and the l2tp-ou...
by sindy
Sat Jan 30, 2021 8:19 pm
Forum: General
Topic: connecting as an l2tp/IPSEC client
Replies: 21
Views: 1306

Re: connecting as an l2tp/IPSEC client

What does /ip route print detail where gateway~"l2tp" show?
by sindy
Sat Jan 30, 2021 3:20 pm
Forum: General
Topic: connecting as an l2tp/IPSEC client
Replies: 21
Views: 1306

Re: connecting as an l2tp/IPSEC client

No, I can't even reach it from the mikrotik terminal. Windows by default uses the tunnel as the default gateway once it goes up, unless the server responds to a DHCPINFORM message sent through the tunnel with a response carrying a routing table in Option 249. Mikrotik doesn't support the above; you can ...
by sindy
Fri Jan 29, 2021 11:27 pm
Forum: General
Topic: connecting as an l2tp/IPSEC client
Replies: 21
Views: 1306

Re: connecting as an l2tp/IPSEC client

Now that the link is working there is still something missing because I can't reach anything on the server LAN. (it is working on my windows test client) I'd assume you actually cannot reach anything on the server LAN from anything on the Mikrotik's LAN . You should be able to reach it from the Mik...
by sindy
Thu Jan 28, 2021 11:26 pm
Forum: General
Topic: NetWatch Script Keeping 2nd ISP down
Replies: 15
Views: 832

Re: NetWatch Script Keeping 2nd ISP down

I am not able to find where I can add the file here. When you edit a post, below the editing window there are buttons [Save draft][Preview][Submit], and below these, there are two tabs: (Options) and (Attachments). Click (Attachments), there is some explanation and a button [Add files]. Some people...
by sindy
Thu Jan 28, 2021 11:18 pm
Forum: General
Topic: connecting as an l2tp/IPSEC client
Replies: 21
Views: 1306

Re: connecting as an l2tp/IPSEC client

i downgraded to the latest LTE. Here is the new log: # jan/28/2021 15:15:41 by RouterOS 6.48 # software id = L809-98LV # It doesn't seem that the downgrade has succeeded, given that the log header still says 6.48. Have you just uploaded the 6.46.8 to the machine and rebooted it or have you properly...
by sindy
Thu Jan 28, 2021 5:26 pm
Forum: General
Topic: PPPoE client drops with BT Full Fibre 100 [SOLVED]
Replies: 19
Views: 1525

Re: PPPoE client drops with BT Full Fibre 100 [SOLVED]

It sounds reasonable if the actual interruption is really brief so few enough PPP keepalives get lost. Something is telling me that protocol-mode must be set to none at that auxiliary bridge, at least so that each outage on the Ethernet port wouldn't get automatically extended to 15 seconds or so un...
by sindy
Thu Jan 28, 2021 3:22 pm
Forum: General
Topic: connecting as an l2tp/IPSEC client
Replies: 21
Views: 1306

Re: connecting as an l2tp/IPSEC client

To be honest I'm confused on how to set up P1 and P2 in MikroTik, I couldn't really find it where to do that. That sounds surprising given that you've managed to configure Phase 1 and Phase 2 for the connection to pfsense. In short - Phase 1 proposal parameters are on /ip ipsec profile rows, Phase ...