MikroTik

sindy

When the Mikrotik itself acquires its own global IPv6 address using SLAAC, it does not show it. A default IPv6 route may not show as dst-address=::/0 , it may show as dst-address=2000::/3 and the gateway may be a link-local address. Or maybe it doesn't show at all in SLAAC case, can't check right no...

sindy

Stupid question, is it possible that the traffic to/from that single PC takes some other path than the L2TP/IPsec one? I.e. when you ping it from the remote site and run /tool sniffer quick interface=<l2tp-STUDENCI> ip-address=ip.of.that.pc , can you see both the ping requests and the responses?

sindy

Better show the complete configuration export. It may be the firewall, it may be the IPsec policies, it may be missing routes. Check my signature below regarding non-destructive anonymisation.

sindy

What is your /ip ipsec proposal setting? Any other setting of the pfs item than none is not compatible with the default IKEv2 settings of the embedded VPN client of Windows. So I suppose the 200 Mbytes are equivalent to 25-30 minutes, which is the interval after which the security association gets r...

sindy

Sorry, I did not understand from any of your two posts what you want to achieve and what is not working the way you expect. There is a bit of confusion since the routing-mark and the name of the routing table are the same thing, but the parameters of /ip route rule rows use both routing-mark and tab...

sindy

@evince's suggestion is a good shot because it is the most frequent cause of the symptom "can ping the router itself via the tunnel but nothing in its LAN", but here, the pool of addresses assigned to PPP clients does not overlap with the LAN subnet, so setting arp=proxy-arp on the bridge ...

sindy

That's why posting complete configuration exports is always recommended. The "detect internet" function causes many different surprises, but as I find nothing useful in it (like other users on this forum), I constantly forget about its existence. So if I could spot it in the configuration ...

sindy

Now I can connect from outside (sessions establishes fine) but I can't ping other IPs in my network I have "Reqest time out" The only IP which I can ping is 192.168.0.1 and 172.16.0.1 The above is true when you ping the LAN devices from the Mikrotik itself or when you try to ping them fro...

sindy

You can flush the "installed SA", but that changes nothing - first, they are short-lived (a rekey takes place every 30 minutes by defaut, and it actually means a creation of a new SA, a switchover to it, and removal of the old one), and second, all the differences between the two remote de...

sindy

You should not need a reboot, it should be sufficient to disable the ethernet interface connected to the modem when netwatch detects loss of internet access, and and re-enable it again in 10 seconds or so. So instead of watchdog, I'd use netwatch: /tool netwatch add down-script="/interface ethe...

sindy

Pojma nemam... Especially as against the test pc the speed depends on use of IPsec.

sindy

In general, you download the older .npk package (or set of packages if you don't use the bundle) to the router using /tool fetch or upload it there using Winbox, WebFig, or sftp client like WinSCP. Then, run /system package downgrade and confirm the reboot. But in this case, switching the channel fr...

sindy

Would you mind moving to 6.48.1 (or to 6.47.9)? The 6.48 seems to be one of the worse ones. And yes, your test indicates clearly that IPsec is responsible, the question is how exactly. Regarding that action=accept dst-port=1701 ... rule - given the overall setup of your firewall, adding ipsec-policy...

sindy

The whole problem is that the use of policy routing for packets generated by the router itself is a bit counter-intuitive. When some process running on the router itself sends a packet, the first step is to find a route for that packet using routing table main , which consists of routes with no rout...

sindy

Is the H (hardware encryption) indicator shown at server side in /ip ipsec installed-sa print output? Also, I'm afraid the 300 kBit/s Tx indicated in the /interface monitor <l2tp-STUDENCI> output suggests that the stream from the iperf gets throttled before reaching the L2TP processing, as that <l2t...

sindy

15 seconds of delay may not be enough, 60s or 1m should be safe. But more important, this typically happens if there is a mistake in the .rsc file. I know it sounds strange, but I've seen cases where some configuration was allowed in one RouterOS version, and later it stopped being accepted, but sur...

sindy

Does the iperf run in TCP or UDP mode? What is the round-trip delay of ping through the tunnel?

sindy

So the Mikrotik with the PCC configuration acts as an L2TP server, is that correct?

Can you post the complete export of your configuration, after a "non-destructive anonymisation" as suggested in my automatic signature below?

sindy

Under what conditions do you test the throughput? I remember you use L2 tunneling, maybe some L2 flood consumes the bandwidth of the tunnel?

What does /interface monitor l2tp-interface-name show when you send no test traffic, and when you do?

sindy

A short guide would be "place an action=accept dst-address-list=somename rule at the proper position in chain forward of your /ip firewall filter , and then add as many list=somename address=x.x.x.x items as needed under /ip firewall address-list . The same address list would be used as src-add...

sindy

You mention IP address (and a web browser expects an IP address or a domain name), but you've posted a MAC address in the subject of the topic. If you do enter the actual IP address of the router to the browser, it is possible that the firewall rules or other settings on the router make it reject th...

sindy

What happens after that date, a new certificate is issued? Yes, the idea of Let's Encrypt is that the certificate is short-lived, and quite a long time before its expiry, the certificate holder applies for a new one, gets verified again, and a new certificate gets signed. All this is automatic on L...

sindy

create a supout.rif file export ( not backup!) the configuration to a file, and download that file to some external machine netinstall the device with 6.48.1 check whether the issue continues if yes, netinstall it again with 6.47.9; if the issue is still there, raise a warranty claim for the device...

sindy

Both injectors are fully passive, so the lower limit of their voltage range has nothing to do with the injectors themselves. The Ethernet cables are thin, so with ones several tens of meters long, which are typically used when the radio units are on a tower and the power source is at ground level, a...

sindy

Some people are scared of certificates, while you have to use certificates to make IKEv2 work on Windows and in Strongswan. Tthe stock VPN client of Android reportedly supports PSK as well, but I cannot check that myself. Other than that, IKEv2 provides no virtual interface, so IPsec policies are us...

sindy

The channel profile aggregates various parameters related to radio characteristics of the interface. But permitted frequency channels as well as their Tx power limits differ country by country, and for some reason I don't understand, the country choice itself is a parameter of the configuration prof...

sindy

I have the same issue, but only with some devices. What's "the same" in particular? Is your L2TP/IPsec server running on Mikrotik which doesn't have a public IP on itself and it is connected to the internet via some external NAT device with port forwarding? If yes, I suggest the trick I'v...

sindy

There is a connection-rate match condition, which matches if the current connection rate in bits per second fits into a specified from-to range; the maximum value that can be expressed is 4Gbit/s. So what you could do is to add the destination address of a high-bandwidth connection to an address-lis...

sindy

Are you saying you had a working L2TP/IPsec setup and it stopped working due to upgrade to 6.48? Other than that, this is still the only VPN to support and Windows and older versions of Android; if all your Android devices are new enough to support IKEv2 in the stock VPN client, or if you don't mind...

sindy

I am new to Mikrotik but not networking. This may be the biggest source of the trouble, as the firewall philosophy on Mikrotik is the Linux iptables' one, which is quite different from the philosophy of Cisco ip access list matching. First, in IOS, the access list rules are typically bound to an in...

sindy

Just for the case - if you configure just some APs into local forwarding mode, you have to use a dedicated /caps-man datapath row for them. You can see the bytes/packets Tx/Rx per client in CAPsMAN -> Registration Table in Winbox, or using caps-man registration-table print stats on command line. Jus...

sindy

The user manager was installed prior to upgrading the device. I will remove it, it should save around 1MB. If you don't need it, removing it will save more space, as its database can be removed from the disk too, it takes some 80 MB there. the system npk alone is > 8 Mo (compressed), not counting a...

sindy

Do you actually use the User Manager (UM) or it has become active after the upgrade to 6.48.1? Can you remember what was the disk space occupation before the upgrade? I could imagine the warning is the only actual change between the old and new version, i.e. that the disk occupation was about the sa...

sindy

Chain input handles packets for the router itself, so this rule doesn't match on packets being forwarded from one interface to another. And in chain forward , there are currently only accept rules, but no drop one; since accept is the default handling (for packets not matching any of the rules in th...

sindy

the command / system health print or / system health set (they do not work for my LHG LTE6 kit-MIPSBE) This command only reports temperature, power supply voltage etc. on higher grade models, which support measurement of these values in hardware. It says nothing about hardware failures (like memory...

sindy

Unfortunately it's hard to judge whether it is a single-piece hardware fault of your LTE modem or a firmware bug. The fact that the operator name changes into a 6-digit number means something is terribly wrong, because the number would have to be a 5-digit one if it was just a minor issue of not tra...

sindy

I'm ''old school'', ... I posted partial config, only to discuss this peculiar config where LAN and WAN are on same interface... The CPU is still expensive, no doubt about that. So use a single rule action=accept connection-state=established,related rather than one rule per connection-state - this ...

sindy

OK, so first on each CAP, use just /interface bridge vlan add bridge=Bridge tagged=ether1 vlan-ids=20 to permit VLAN 20 tagged on ether1, and /interface wireless cap set bridge=Bridge to define to which local bridge the local wireless interfaces under CAPsMAN control will be connected once switched ...

sindy

the NAT rules seem fine to me, they properly match on src-address and dst-address rather than out-interface . The dst-nat rule doesn't check from where the request comes, but it does not seem harmful in the context (or maybe vice versa, more is missing if you want to access the service running at 1...

sindy

sorry, i can't get you what you saying Let's put it in another words. "pseudowire" is a name of one possible way how payload data are encapsulated into MPLS transport packets; the "pseudowire" encapsulation in particular emulates a behaviour of a "wire" (Ethernet cable...

sindy

The only thing to come to my mind is that the NAT rules you've added affect the IPsec IKE packets, so they arrive to the 4011 from an unexpected address. So follow the suggestion in my automatic signature below when these rules are in place. Also, the rules you've posted seem to do something else th...

sindy

The explanation could be loose-tcp-tracking set to yes , which basically switches off the analysis of TCP flags in order to lower the CPU consumption by connection tracking. This item can be set to no under /ip firewall connection tracking . While there is no such section in the /ipv6 firewall confi...

sindy

"So with a CRS as the controller you should be using CAPsMAN local forwarding so the hAP ac2 WLAN - ethernet traffic is handled in the hAP." Do you have any guide for that please share to me. The guide is as follows: on each CAP: make sure that a VLAN for each SSID you use on a given CAP ...

sindy

In general, a switch only needs an IP address on its management interface. There is no need that a switch or bridge had an IP address in every VLAN, as there is no IP traffic a user device connected using that switch to that VLAN should exchange with the switch itself. Routing is done by the routers...

sindy

I have read several blogs, forum posts, etc, and I find strange that nobody had given this tip so far: add chain=forward action=accept comment="Allow port forwarding" / in-interface=ether1 connection-state=new connect-nat-state=dstnat The reason might be that a similar rule has been prese...

sindy

The /tool profile doesn't suggest that CAPsMAN is the biggest CPU hog. The 32 % CPU spent on ethernet would bother me much more. So I'd assume that there is either a lot of inter-VLAN traffic routed by the 317, or hardware L2 forwarding has been disabled by mistake. EDIT: indeed the Ethernet traffic...

sindy

I am on 6.48. Attached my ipsec policy printscreen - if I am following you correctly. Lovely, I didn't remember it correctly and made some additional mistakes. The release notes for 6.47 actually state: *) ipsec - place dynamically created IPsec policies by L2TP client at the begining of the table;...

sindy

I would also tick the "yes" radio button under the "Only One" option in PPP-> PROFILE -> LIMITS. My understanding is that this workaround -- the way that I've got it scripted -- is only going to be compatible with one active connection at a time PER USER. Yes, the generated name...

sindy

You mean top? My dynamic policy is placed at the top, above template.

I mean bottom, and I did the test on 6.47.8, and the respective release notes mentioned bottom as well. So maybe you use a different version?

Are these "two processes" so independent?

Yes.

sindy

The sad reality is that use-ipsec=required only prevents the incoming L2TP connection from being accepted if the initial L2TP request doesn't arrive encrypted via an IPsec SA. But if the IPsec session breaks later, the L2TP session happily continues. EDIT: Until recently, the IPsec policy created dy...

sindy

The first one sounds good to me - "set and forget". If I remove remote site I don't have to worry about any other setting.

That's why I've suggested it as the first option.

sindy

if the main board can run with a 12V power supply and we do that are we not just adding more heat to the whole board because lower voltage = higher amperage? Or perhaps that is not significant enough to create more heat. The heat is the dissipated power, and power is a product of voltage and curren...

sindy

[*]bridge forwards LLDP frames

Just to be clear - is this true also when protocol-mode differs from none on that bridge?

sindy

Yes. The setting is only taken into account when the L2TP connection establishes.

sindy

Whenever you don't know in advance the IP address of the remote peer or the traffic selectors at local and remote side. I.e. at the responder it is necessary if the remote peer is a road warrior and/or you assign it an address dynamically using mode-config, and of course at such road warrior peer it...

sindy

On the /ppp profile row used by the /interface l2tp-client row at the client device, and on the /ppp profile row used by the /interface l2tp-server server or the /ppp secret row on the server device, have you set interface-list=BASE ? If not, the rules in chain input of /ip firewall filter at each d...

sindy

Both PoE port leds are RED - is this normal - don't know!

The Quick Guide says:

Once PowerOutput is enabled in RouterOS, the Ethernet LED adds red color to it (green means Ethernet link is made, red means power but no link, red and green both means there is link and power).

sindy

RouterOS does not push routes to L2TP clients. If you insist on L2TP, you have to set up static routes on the clients. For IKEv2 clients, RouterOS sends the routing table using DHCPINFORM with Option 249 to Windows, and negotiates policies with iOS devices and with Strongswan, but just a single poli...

sindy

OK, so as none of the IP addresses in question is assigned to any of the CRS, there is no need to have the VLAN enabled on the internal port of the bridge, and the issue is a pure L2 one. So when MSTP is on, what does /interface bridge port monitor [find where interface~" sfpplus2[34]"] sh...

sindy

There is currently an issue with /ip cloud on IPv6 . Add an ipv6 firewall rule: /ipv6 firewall mangle add action=add-src-to-address-list address-list=my-ipv6-address chain=output out-interface=your-wan-interface-name (if you eventually already have some rules in chain output of /ipv6 firewall mangle...

sindy

First, please don't quote complete posts, especially if you react to a directly preceding one. There is no need to do so, this is not an e-mail message, the complete history of the conversation is always shown in the same window here. Second, what I wanted to say by my post is that it is easy to fin...

sindy

The source IP resolves to https://www.arbor-observatory.com/, which declares itself as a security research organization. So it is a warning for you, highlighting that your L2TP server is open to the whole internet without IPsec encryption, intentionally or unintentionally, and the only barrier betwe...

sindy

There's an easy way to find out whether it is a firewall issue (even if the firewall was so selective that it would restrict access to cloud2.mikrotik.com but not to forum.mikrotik.com ): use /tool traceroute . If it shows no response at all, your own firewall or routing is to be blamed (or your ISP...

sindy

To disable fasttracking, it is enough to disable (or remove) a firewall rule action=fasttrack-connection ... in chain forward of /ip firewall filter (or all such rules in the unlikely case that you've got more than one). If a packet matches this rule, fasttracking of the connection the packet is a p...

sindy

amended my initial post after playing around.

The manual says that if tls-only is used, the port setting is overridden. So strictly speaking it works on port 465 as expected, not on port 25.

sindy

I think the issue is because in MY ISP instructions they talk about SSL encryption on outgoing port 465 whereas the MT only offers TLS?? There's unfortunately a terrible mess in terms. First, TLS is an evolution of SSL, and the actual (old) SSL should be deprecated everyhere, but people tend to sti...

sindy

I'm trying to add policy groups for each initiator. I'm having problems with specifying the different profiles. You wrote this: "You can use it to assign all Phase 2 and many Phase 1 properties individually for each initiator." Bad wording on my side. When mentioning "many Phase 1 pr...

sindy

Yes, I was referring to the /interface bridge vlan configuration, but you haven't answered my indirect question, so I repeat it directly: Are the IP addresses 10.10.100.x assigned to VLAN interfaces with vlan-id=30? If yes, the output of /interface bridge vlan print has to read # BRIDGE VLAN-IDS CUR...

sindy

I'm not sure it is a simpler way, but it seems to be the intended way: at the responder (server), for each remote initiator (client), create an individual row in /ip ipsec policy group : /ip ipsec policy group add name=branch01-group add name=branch02-group for each remote initiator, create an indiv...

sindy

Looking at a PPP MultiLink configuration, it seems to be built to aggregate over two or more devices. Not only. It splits the payload packet into multiple transport ones, and it can use the same link to transport both/all of them, providing a hidden fragmentation of the payload, hence payload proto...

sindy

mlp can transport the full size of packet instead tcp mss clamping on L4 Can you explain why hidden fragmentation of 1500-byte TCP packets (i.e. 2 PPP packets per each payload one) should provide a better TCP throughput than transmission of 1462-byte TCP packets using one PPP packet per each payloa...

sindy

You forgot to post the configuration exports from both devices, but here's my wild guess until you fix that: you mention "vlan 30" and "ping between devices", which hints that you have an /interface vlan row with vlan-id=30 interface=bridge and the IP address 10.10.100.x/25 is at...

sindy

My two cents: /ip neighbor discovery-settings set discover-interface-list= none Given that the largest volumes of data in the network should be the video streams, I'd assume there's rather some kind of packets the keyboard doesn't know how to handle, which may cause an overflow of some buffer despit...

sindy

So I attached for your review. Hope you can help... On the second screenshot, closer to the bottom, there is Option 61 - Client identifier. It says "Hardware type: ethernet, Client MAC address: Routerbo...". Plus slightly above, there is Option 55 - Parameter Request List, which contains ...

sindy

Ah, sorry, I didn't realize the problem is the comparison, not the update. The fastest solution is $good in $old ; here, the first parameter ( $good ) may be an IP address or a prefix, and the second one ( $old ) is always a prefix ( 192.168.0.0 in 192.168.0.0/32 returns true , whereas 192.168.0.0 i...

sindy

I'm not sure I understand what you wrote precisely, but there is no reason why you should need to put another router between your Mikrotik and the new ASR. You can use one Ethernet port of your Mikrotik to connect to the VDSL modem as a PPPoE client as it was until now, and another Ethernet port of ...

sindy

The /32 is not a problem, it is added automatically if you set the address to just 1.2.3.4 . I didn't know that address=fqdn cannot be used for passive=yes peers, I haven't come across such an application case, can you detail why you need to identify the initiator by the source IP address tracked by...

sindy

It may or may not. If both the suspected /30 subnets are on the same device at ISP side, the traceroute from outside to both will show the address of the internet-facing interface of that device for both target subnets.

sindy

It's a mistake in the release notes. It's just address, not remote-address.

sindy

That means you are using "fasttrack" in a situation where it cannot be used. Are you sure that adding a /queue tree item prevents the packets handled by the queue from getting fasttracked? Yes, sniffing does disable fasttracking, maybe torching does as well, but adding a queue? Plus there...

sindy

Since the transaction ID is shown, dissection of the DHCP part must have succeeded at least partially although a malformed packet is reported, so open any of these packets in Wireshark (GUI) rather than tshark, unfold the DHCP dissection and find the client-id. No dhcp-relay configured on the machin...

sindy

If you try to ping "internet" from your broadcast address it works! You've made me investigate :) The thing is I do remember a recent issue where a colleague has made an mistake when calculating the mask and has set a broadcast address as the own one on the Tik, and the Tik didn't respond...

sindy

@nescafe was faster :) It is even so that the connection stays up until it fails, and the fqdn gets re-resolved before a new connection attempt; there was a period of time (RouterOS releases) when the fqdn was being re-resolved every time the TTL of the previous response expired and the running IKE ...

sindy

You say you've tried the addresses one by one with the PC but all 5 were configured simultaneously at the Tik. Can you try to configure just one of the malfunctioning ones on the Tik and try again, while sniffing at ether8? Make the command line window as wide as your screen allows. Then run /tool s...

sindy

I can see there are multiple VLANs in use on that link, and some of the requests go also without a VLAN ID, so it seems as if there were multiple /ip dhcp-client items enabled on your device. So now we know that the requests are really leaving through sfp-sfpplus1 and with own address of the sending...

sindy

Is 64:D1:54:XX:XX:XX the MAC address the IX peer claims? Is it one of own MAC addresses of your device on which you took the capture?

sindy

It seems you connect to an IMAP server (normally used to receive/view received messages) instead of an SMTP server (used to send messages). Check the domain name and port, one or both are apparently wrong.

sindy

The whole thing is that unlike with the /interface list , where you have to add a named item under /interface list first to be able to refer to the list from firewall rules and to add /interface list member items, an address-list name need not be "declared" in advance - the firewall rule a...

sindy

/system logging add topics=e-mail /log print follow-only file=e-mail-start where topics~"mail" From another window, send the test e-mail, wait until it fails, and then break the /log print ... and read the e-mail-start.txt file (you'll probably have to download it to a PC as it will be to...

sindy

Do I understand you right that you have already checked on the device connected to the IX whether it really sends these packets (no matter from where they actually come)? /tool sniffer quick port=67 interface=the-interface-connected-to-ix Because you can only take an effective action at your end if ...

sindy

I don't understand well the config but now 192.168.6.0/24 network, uses 5.x.x.x for incoming and outcoming traffic. so all the traffic from 192.168.6.0/24 goes through the GRE tunnel. When you specify an IP address as a gateway of a route, the system searches through the network values of the /ip a...

sindy

In more detail, there is a certificate signed by that CA certificate, which your Mikrotik receives from the switch. So to verify its validity, the CA certificate must be installed on the Mikrotik's certificate store, as a trusted CA. The Tik will not provide your credentials to a switch whose certif...

sindy

As the BGP peer is Fortinet and you haven't shown its configuration, it is hard to judge anything (and no, I don't know enough about Fortigate to be able to help with its configuration). Don't use rich text formats for configuration files. A plain .txt is enough and the probability that you inadvert...

sindy

Make the command line window as wide as your screen allows, there is almost no information in the output of the /tool sniffer quick . But it does show that the connection request comes via gre and the responses leave via VLAN 20, so something doesn't work well about the connection marking and routin...

sindy

While trying to connect to the Winbox port, run /tool sniffer quick port=the-winbox-port on the Theatre-tik. It should show you what is going on, i.e. whether the firewall (or the address setting on the /ip service row) blocks the incoming request (so no response is sent at all) or whether the respo...

sindy

These two rules are exactly what I had in mind. Has it not made it possible to connect by Winbox to 5.x.x.x?

sindy

I'm still a bit lost. You do have dst-nat rules which forward some port ranges to 192.168.6.2, but all these rules match on in-interface=vlan20_MASMOVIL . So whatever arrives to 5.x.x.x lands on the Theatre-tik itself, and if the Theatre-tik responds, it responds via the 212.x.x.x address for the re...

sindy

I'm afraid it came to nobody's mind that a single bridge could host multiple customers' bgp-vpls tunnels and hence VLAN tag manipulation would be required on the port of the bridge to which the tunnel is connected, hence the pvid is not part of the /interface vpls bgp configuration. The designers pr...

sindy

the problem now is that towards output now I don't go by the IP address 5.x.x.x , I go by 212.x.x.x any idea?? If you talk about packets sent by the router itself (i.e. you refer to chain output), the routing-mark is only assigned in mangle/prerouting, which means that packets sent by the router it...

sindy

I'd hesitate to call DHCP "L2", it's a regular IP protocol, except that part of the exchange uses broadcast addresses. So I'd say you need to attach the following ingress ACL rules to the trunk ports: drop frames carrying IP/UDP packets towards server port (67) accept frames carrying IP pa...

sindy

Nope. The only way to climb there without the laptop is to climb there with the PoE injector + extractor pair and a short patch cable in your pocket, connect the RJ-45 socket at the extractor to the installed cable and the plug to ether2, connect the RJ-45 socket at the injector to ether1 using the ...

sindy

if the IP address to which those DNS requests arrive is that router's own one, you cannot do more to mitigate that traffic - the router itself doesn't respond any UDP DNS queries coming from anywhere else than 10.11.11.0/24. It is unlikely that the source addresses of these requests belong to the a...

sindy

By the above you have responded only one of the questions, now we know that the BGP communication is established. But you haven't posted the configurations, and you haven't looked into the routing tables of both devices to see whether the routes to the remote devices' LAN subnets appeared there (mar...

sindy

You have to use policy routing at both Router 1 and Router 2. at Router 1, packets coming from 192.168.3.0/24 (or from ether4) must be handled by a dedicated routing table whose default gateway is Router 2's address in 192.168.10.0/24. at Router 2, packets from 192.168.3.0/24 must be handled by a de...

sindy

First, this is forum is not an interface of Mikrotik support, you can only get help from fellow users here. Next, if there is just one server where the problem exists, I'd start the search for the issue on that server first: maybe it has its own firewall, restricting access to telnet only to some so...

sindy

It seems to me that the support guy got lost in your network prefixes and maybe in the trouble description. As I wrote in post #5, you would only need the exception rule suggested by the support if you wanted to initiate connections from 192.168.178.0/24 to the Android client (whose adress comes fro...

sindy

/ip firewall export
/ip dns export

sindy

How can we suggest any "improvement" if you haven't shown the current rules?

sindy

OK, now as you've shown the export it became much clearer :) You assign a routing-mark to every packet sent from any LAN host to any destination, and the only route with that routing-mark is a default one, via one of the WANs. Hence even traffic whose destination is in your other LAN subnet takes on...

sindy

Both your drawings give little clue on what is the actual issue you're dealing with. Can you provide the current configuration exports instead? Is the BGP connection between the routers established but the routing tables are not updated, or the BGP is not up at all, or the routing tables are updated...

sindy

What is the share (percentage) of packets missed by the policy? Is fasttracking disabled?

sindy

in the DC-tik I only have this route: /ip route add comment="Ruta para mandar ip publica a TEATRO " distance=1 dst-address=5.x.x.x/32 gateway=172.20.100.202 The fact that the action=src-nat to-addresses=5.x.x.x comment="to ECONECTIA por GRE" ... rule at the Theatre-tik is suffic...

sindy

I give it a 60 % chance. The issue itself is weird, so removal of unusual (as in "rarely used and therefore lacking any significant experience among the users") configuration is quite likely to help.

sindy

I'm afraid you have to open a ticket with support directly (via support@mikrotik.com or, better, via the servicedesk web interface . The statement regarding availability of direct support only within 14 days from purchase is there mostly to avoid hundreds of newbie questions per day; on the other ha...

sindy

In the Theatre-tik configuration, the default route for traffic sent from 192.168.6.0/24 is via the GRE tunnel (by means of action=mark-routing in mangle and having that routing-mark on the default route via the GRE tunnel). This may be a correct setup if devices in this whole subnet have to always ...

sindy

Thanks for helping me out. I couldn't get it to work, for some reason, it only read the first if condition and action (in this case, it disable the queue). This looks to me as if the thresholds were not matching the actual speeds and it always seemed that no throttling is required. I have imported ...

sindy

If keepalive affects the operation, it means that there is extensive packet loss on the path, causing multiple keepalive responses to be lost. If it is the case, there must be "interface down" and "interface up" messages in the log of at least one of the affected routers. Are the...

sindy

If you mind disclosing your public IPs (which I suppose you do as you've obfuscated them in your OP), edit your previous post and obfuscate them also in the export, as I've recommended before.

I'll have a look on the details later.

sindy

Microsoft gear (and Android one as well) is checking internet availability by sending DNS queries and checking the response. So if these DNS queries do not get responded, it concludes internet is not accessible and doesn't even try to connect to the actual servers.

sindy

Someone is trying to use your Mikrotik as a DDoS traffic generator. Why they have chosen your public IP and whether they actually succeed is the question. If your Mikrotik does respond to DNS queries coming in via WAN, it means it can be used as a "smurf amplifier". The attacker sends a sm...

sindy

Instead of random screenshots, post the complete configuration exports (from both Mikrotiks), anonymized as per the hint in my automatic signature below, each between [ code] and [ /code] tags. My assumption is that you dst-nat the incoming connections at the Mikrotik in the datacenter (DC-tik), but...

sindy

All my clients is mikrotik router board that connect to main office with l2tp/ipsec. Great, so the pre-requisite that the clients never give up is met. I tested with ccr router and give same problem That's no surprise. The amount of data processing needed to establish a connection is high, and seve...

sindy

Do you think this could have an impact on a production environment? I can disable it without risk? Those brief but therefore misleading names... What all those use-ip-firewall... items under /interface bridge settings do if enabled is that they push through the IP firewall also frames which would n...

sindy

I eventually took the time to figure out the OVPN setup and have been using that ever since. At some point I'll just have to make some time and "merge" the bridges again and hopefully it won't have the same effect. The thing is that I've ran into the same issue in the meantime and realize...

sindy

how likely ipsec pass through NAT between 2 private IP? I have a positive experience with "normal" ISPs and a negative one with mobile ones, which do not keep the original port. interesting. I see the other post, and I don't find any cons in your tutorial. but I'm still learning about it ...

sindy

Depending on how the NATs in question behave, in particular whether the source port of a UDP packet sent from your router's WAN IP is kept as the packet goes through the NATs all the way to the public IP, it may be possible to establish an IPsec tunnel between the two devices. The source port must b...

sindy

What are your reasons to use /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes ? I don't say it is definitely the cause of the issue you experience, but as you don't use any /queue tree or /queue simple settings, it just causes the bridged ...

sindy

But what I describe is an alternative - you don't need to change anything on the existing router, it will just provide an uplink and address to the Mikrotik, and the Mikrotik will take over the rest. The LAN hosts receive not only their own IP addresses but also the IP address of the default gateway...

sindy

If the design of your solution is based on VTI and all the other components of your network support it, there is little point in adding Mikrotik to the mix. As @vikinggeek has suggested, you could use IPsec just to encrypt a "traditional" tunnel, but it would require to use specific handli...

sindy

@rules, does this still bother you?

sindy

It will be much simpler to use the existing router only to provide WAN uplink to the Mikrotik one and let the Mikrotik do the rest. Do you have any particular reason not to do it this way?

sindy

For road warriors, you get less headache if you use tunnel mode of the SA and create an individual identity referring to an individual policy template group for each road warrior. That way, you can use static private addresses at both ends for the EoIP tunnel although the WAN addresses of the road w...

sindy

after the \n:set wanRate (\$wanRate/55)\ row, add another one: \n:put $wanRate\ to visualize the result of the throughput measurement. Then you can run the script manually and before each run, update the thresholds to see the whether it does what is expected. I did it this way and it worked for me. ...

sindy

If you just specify the ipsec-secret value on the /interface eoip configuration row, RouterOS dynamically generates the IPsec configuration (peer, identity, policy) using the peer profile called default and the proposal called default . So if you don't plan to use this profile and proposal for other...

sindy

The reason is that once the L2TP client connects, RouterOS dynamically creates an interface called <l2tp-client-name>, through which the traffic from the client comes in. This interface is not a member of interface list LAN, so in the absence of any permissive rule, the rule action=drop chain=input ...

sindy

Exactly. This result illustrates that the packet reaches the input chain of filter as expected, and some rule in there drops it.

sindy

This is weird, considering that I have so many NATted services. There's nothing weird about that - the rule counts if it matches and thus drops a packet. Whatever is dstnated does not match the rule, so it doesn't count. And I've referred to a wrong rule in my previous post - the one which was drop...

sindy

The port for L2TP is 1701, not 1703. When you connect via LAN, the rule action=accept chain=input in-interface-list=WAN port=500, 1703 1701 ,4500,5500 protocol=udp is not necessary because the IPsec connection is established via LAN and thus the rule action=drop chain=forward comment="defconf: ...

sindy

Show me the complete export of your configuration (see my signature below regarding anonymisation). It seems that a firewall rule is missing in your configuration, as the sniffer shows that the phone is sending encrypted packets between the keepalives but there is no l2tp row in the log.

sindy

> /tool sniffer quick ip-address=172.16.0.1 INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN Uno ADSL 19.287 1 <- Uno ADSL 20.291 2 <- ...you get the idea Yes, this is enough, so the transport packets get received and the payload ones are extracted from them allright. If needs be, I can post the filter r...

sindy

First, try setting match-by=certificate on the identity row. If it doesn't help, it is necessary to use logging at Mikrotik side to find out whether the Apple device sends its certificate or not, so come back for instructions.

sindy

The chain of mismatches ends by a match, so it is not relevant. Also the FRAGMENTATION mentioned in the log means that fragmentation of the IKE negotiation packets is supported, i.e. it is not a complaint about existence of fragmented packets. The log shows that both Phase 1 and Phase 2 have complet...

sindy

Ok. If you run /tool sniffer quick ip-address=172.16.0.1 on R2 while pinging from R1, does it show anything? Are the /ip firewall filter rules you've posted above the only ones in that table? Is the IPsec policy for 172.16.0.1<->172.16.0.2 the only one at R2 or are there any other policies which are...

sindy

Of course it is not working. The address list item in my script was also playing a role of a state variable, from which the isOn was derived. So once you've removed it, isOn is undefined, so the if now probably always takes the else path. So replace the $isOn by (!([/queue tree get youtube-non-VIP d...

sindy

First remove the existing scheduler and script, and then repeat the whole exercise again, this time replacing wan-interface-name (once) and name-of-the-queue (twice). /system script add name=throttle source=":local onThreshold 45000000\ \n:local offThreshold 35000000\ \n:local isOn ([:len [ip f...

sindy

So you think it is actually a presentation error (the ARP record with no MAC address learned is shown as 0:0:0:0:0:0)?
Could be, you can easily check by pinging a non-existent address within the subnet range from one of the PCs. If it appears on that suspicious list, your assumption is confirmed.

sindy

So are you saying that the sending SA on R1 and the corresponding receiving SA on R2 count simultaneously as you ping, but nevertheless the firewall rule for icmp at R2 doesn't?

sindy

Yes, tunnel mode of the IPsec encapsulation allows to use fixed internal addresses as GRE/IPIP endpoint ones whilst the WAN address of at least the initiator keeps changing. The price to pay is the extra IP header, consuming part of MTU, so less space in the transport packet remains for the payload.

sindy

What do you think if it calculates the average of 5 minutes of bandwidth usage? Averaging definitely helps suppress overreaction, but is an overreaction which activates the limitation for just one minute really so important that the code needs to be made more complex (and thus a coding mistake more...

sindy

So the connection print shows no hidden src-nat/masquerade rule is the culprit as the reply-dst-address is the same like the src-address . With the installed SAs, I assume it's one pair per policy hence 4 for 2 policies? That being the case, it looks like the counters are increasing on the pair for ...

sindy

My mistake with the installed-sa , it must be dst-address ~" the.ip.of.the.remote.peer " so that the port need not be specified. What I was interested in was whether the installed-sa counts - assuming the traffic via the other SA (for 192.168...) is intentionally stopped to avoid confusion...

sindy

You may have misunderstood me. The identity row, even if just a single one is attached to a peer, is always matched on either the remote ID or the certificate (depending on the setting of the match-by parameter). So if remote-id is set to ignore , the row will match on any ID_I received, and the onl...

sindy

Sorry, I forgot to state you have to add also src-ip=172.16.0.x (1 or 2) to the /ip route check . What surprises me is the nexthop value, but that should not change the outcome. Hence chances are high that the packet makes it to the stage IPsec policy matching. So run the ping at R1, and tell me the...

sindy

I'd say match-by=certificate remote-certificate=the-one-of-the-client should do the trick with either remote-id=ignore or remote-id=auto . But it's just a guess, maybe auto is necessary, as in fact the header of the certificate is sent as the ID, as the log should show you. Maybe Apple does that dif...

sindy

What does /ip route check 172.16.0.2 show? I.e. is there any route at all (even if the default one) for that destination?

sindy

@pe1chl, the issue was different - it's the transport (GRE or IPIP) packets that got src-nated, not the payload ones. The transport ones are routed via the WAN before the policy diverts them.

sindy

I've just added a 172.16.99.1 <=> 172.16.99.2 policy to one of my running IPsec IKEv2 links, added the respective addresses to interfaces on the routers, and the ping goes through allright. Both are ARM ones and with quite outdated versions (6.45.9 and 6.46.8), but I don't expect such kind of a bug ...

sindy

It would be overkill to export the entire configuration I think The problem is that the issue is always where you don't suspect it could be - if it was where you expect it, you would find it, right? So a missed NAT rule, a missed item of some apparently unrelated address-list, an IPsec policy shado...

sindy

For me both fqdns resolve properly, so check your own DNS setup. 8.8.8.8 is an IP of Google DNS server, so something is really wrong in your DNS chain. You may resolve the fqdns to IPs somewhere else and then create static DNS items in the configuration of the device you're trying to upgrade. [me@my...

sindy

I wouldn't think it's the CGNAT, rather some fragmentation issues. Activate more detailed logging on the Mikrotik and try again: /system logging add topics=ipsec,!packet /log print follow-only file=ipsec-start where topics~"ipsec" then start connection attempt from the phone. Once it fails...

sindy

It is hard to debug things remotely without at least seeing the configuration. When you ping while the 172.x.x.x addresses are used, do you also specify the src-address or you let the machine choose one autonomously?

sindy

Thank you, a very useful info regarding different default treatment of different USB to serial chips in RouterOS. It explains why some people say it doesn't work out of the box and some (like me) have an opposite experience. Other than that, what's the advantage as compared to a pair of "fully ...

sindy

It seems @TomjNorthIdaho's server has some issue at the moment. Plus if you try too often, it won't let you connect for next 24 hours. So I'd suggest to post a question in the related topic . The other server by @Martoo and yet another one by @Garrison1701 were both up at the time I was testing minu...

sindy

As I've got no Mac/iPhone laying around, let alone with the OS version in question - can you post the window that opens if you click [Authentication Settings...] in the window you've already posted?

sindy

The log from the Mikrotik shows that the Apple uses its private IP address as its identifier (ID_I), so the Mikrotik cannot find a corresponding row in /ip ipsec identity . But if I understand it right, this actually indicates that the Apple device doesn't consider its own certificate fit for its ow...

sindy

I'm not suggesting the cAP itself sends the nonsense, I suggest it is some wireless device connected to the bridge on the 750 via the cAP. And unless you'd configure the 0:0:0:0:0:0 as the admin-mac of the bridge (which you haven't according to the config export), I cannot see how you could make the...

sindy

Ah, yes, you forgot to exempt the traffic between 192.168.99.1 and 192.168.99.2 from the masquerade rule, so it gets src-nated and the IPsec policy cannot see it. Add a rule src-address=192.168.99.0/30 dst-address=192.168.99.0/30 chain=src-nat action=accept before (above) the masquerade one at both ...

sindy

So you insist it must be GRE, you cannot use IPIP instead? Why?

sindy

To see the digest-algorithm used, you have to display the certificate parameters using the command line, /certificate print detail where common-name~"vpn" . But when signing certificates, RouterOS normally uses SHA-256, which is from the SHA-2 suite, so it fits those requirements. As for t...

sindy

GRE has become a headache generator since the security patch in 6.45.something, as received GRE packets are labeled with connection-state=invalid even if the device sends its own GRE packets in the opposite direction - unless the PPTP helper ( /ip firewall service-port ) is enabled. So if you can re...

sindy

Are you saying that it's the router that is telling to computers about 00:00:00:00:00:00. ie they aren't receiving it directly from the mad device ? Maybe I've misunderstood where you can see those weird ARP records - are they on the router or on the PCs? If on the PCs, the responses must be coming...

sindy

My questions are 1. Where do these 00:00:00:00:00:00 come from, and 2. Why do I see records for IP-s that shouldn't be talking to each other .. As for 2., the ARP table is used by RouterOS itself to translate IP addresses of the devices to their MAC addresses when it needs to deliver packets to the...

sindy

I'm not sure what happens if the client's /ppp profile row specifies a bridge and the server's one doesn't or vice versa, you have to try. But you can specify a particular row of /ppp profile for each client at that client's /ppp secret row, so you'll just need two profile rows at server side if cli...

sindy

Copy-paste the following code to a text editor, replace wan-interface-name by the actual name of your WAN interface, and then copy-paste the result into the command line window of the Mikrotik: /system script add name=throttle source=":local onThreshold 45000000\ \n:local offThreshold 35000000\...

sindy

The VLAN 20 config for BR1 is fine as it is, as BR1 is on the tagged list for vlan-ids=20 there. The /interface vlan is just a tagging/untagging pipe, whose tagged end is attached to the interface mentioned in its parameters, so in your case, BR1. You make its tagless end a member port of br-vlan20 ...

sindy

"it never connects" and "I cannot see any packets to get anywhere" are two distinct things. When you were sniffing while connecting via LAN, you could see a packet with dst-port 1194 to come in via ether3, the same packet to leave via ether 4, and then a response packet with src-...

sindy

On this new br-vlan20 I dont configure any vlan filtering correct? Frames will cross tagged or untagged? Correct. The /interface vlan receives frames tagged with VID 20 from the main bridge, untags them, and forwards them to br-vlan20; in the opposite direction, it receives tagless frames from br-v...

sindy

If it is really enough for you to push a single VLAN via the L2 tunnel, create a dedicated bridge "br-vlan20", create an /interface vlan with VLAN ID 20 on the main bridge (if not created yet), and make that /interface vlan a member port of br-vlan20. Then indicate br-vlan20 in the /ppp pr...

sindy

Fine, how does it look like when connecting from outside?

sindy

OK, nothing wrong with filter rules, as initial packets of dst-nated connections are excluded from the "drop all from WAN" rule. So I'd assume it is a routing or firewall issue at 192.168.88.246 and 192.168.88.249. /tool sniffer quick port=1194 will show you whether the packet has made it ...

sindy

In WinBox I see that both the effected NAT rules are counting packets

In that case, post the export of /ip firewall filter.

sindy

The default firewall configurations differ for different RouterOS releases, so it is better to post the configuration export. For IPsec itself, you have to permit, at responder side, inbound connections to UDP port 500 and for ESP if there is no NAT between the peers; if there is NAT, connections to...

sindy

While it may be caused by a bug, it is much more likely that the access to the port is blocked externally or that some other dst-nat rule shadows the newly added one. So I'd suggest you first run /tool sniffer quick interface=your-wan-interface-name port=the-port-number and try to connect to the por...

sindy

The answer is scripting. In my opinion, it is easier to use hysteresis rather than to calculate 5 minute traffic averages - configure two different threshold values far enough from each other for activation and deactivation of the bandwidth throttling. Let's say activate it if traffic exceeds 45 Mbi...

sindy

Instead of posting the configuration on an external site with its own rules for personal data collection you have to accept, put the configuration export here inline, between [code] and [/code] tags if you don't have sufficient score to attach files here yet.

sindy

So if I summarize: if 500 clients are up and running, the CPU load is 3 % if a single client tries to connect while the others are running, there is no problem if 500 clients are trying to connect at the same time, the CPU goes to 100 % and most clients cannot connect Is that correct? If so, what is...

sindy

Being stuck at syn_sent doesn't seem like an MTU thing to me. The initial "three way handshake" consists of packets which have zero payload size, and syn_sent means that even the the SYN+ACK response from the server, which simply cannot be lost due to insufficient MTU because it consists o...

sindy

Я перевел англисйкий текст гугл транслейтом на русский и поменял слова в английском в тех случаях, когда автоматический перевод совсем испортил значение. Мелочи остались, но мне они кажутся некритичными. Starting from the end - the PPPoE clients should stay directly attached to their respective Ethe...

sindy

Well, summarizing everything :-) The combination of modified "shield" policy and adding "exclusion" rule to srcnat (or removing masquerade at all): ... makes it working (incl even BGP) until IPSec is active. As soon as IPSec became inactive, "exclusion" rule prevents L...

sindy

Each row of /interface bridge actually aggregates parameters for three distinct types of objects linked together: the bridge itself, as in "virtual switch" the virtual member port of that bridge, to which a virtual port of a virtual router is connected the virtual port of a virtual router...

sindy

First, CAPsMAN is a way to make your life easier when provisioning multiple APs and to reduce the requirements on the transport network capabilities. It is not necessary to make roaming possible, nor does it make it easier or faster. The stations (clients) may roam among individually configured APs ...

sindy

Please read this post first. If it doesn't help, come back here. Whereas I also don't understand the purpose of the ingress-filtering parameter of the bridge port, the pvid is meaningful there.

sindy

Seems fine to me. If there is a mistake, it is most likely coming from me :)

sindy

Ah, sorry, I wasn't careful when looking at the first four action=mark-routing rules in prerouting , they are actually used to assign the routing-mark to LAN->WAN packets, not to WAN->LAN ones. The reason is that it is quite unusual to use three groups of connection-mark values (WAN->LAN, LAN->WAN, ...

sindy

If you assign a routing-mark to WAN->LAN packets, they may end up being sent back to the internet if only a default route exists with that routing-mark , which is typically the case. You haven't shown your /ip route section so hard to say. PCC can be normally used to assign a routing-mark directly, ...

sindy

What coud be the problem?

The problem is the design of L2TP/IPsec. Details here. No way to solve this at the 3011 end unless you could use as many public IPs at WAN side as there are phones. It might be possible to solve it at the phones themselves but it is not very likely.

sindy

Note that I don't need it to be NATed by dynamic IPSec policy - I need to see LAN traffic inside VPN with original addresses. Exactly, since you have a route to 192.168.56.0/24 on the Cisco, there is no point at all in doing the NAT to the address assigned using IKEv2. So the correct thing is to pl...

sindy

So for a case where the wireless interfaces are created at the CAPsMAN machine , this is a real life configuration adopted to your network. To simplify things and save a bit of CPU, the home and guest subnets are linked to individual bridge interfaces, so no VLANs are used for them. CAPsMAN: /interf...

sindy

In one terminal window: /system logging add topics=e-mail /tool sniffer set file-name=e-mail.pcap /tool sniffer quick port=587 (and let it run) In another terminal window: /log print follow-only file=e-mail where topics~"e-mail" (and let it run) Now change the scheduler to send the log, sa...

sindy

The fact that the CAPsMAN and the CAP(s) are not in the same subnet is not really important; what is important is the expected traffic pattern in the network. You say that the routing between the router and the switch is by BGP (which is an overkill) and worst of all, it implies that the CRS328 has ...

Search found 6914 matches