Community discussions

by sindy
Tue Oct 22, 2019 7:19 pm
Forum: Announcements
Topic: v6.45.6 [stable] is released!
Replies: 56
Views: 23865

Re: v6.45.6 [stable] is released!

It would be nice to see such things in changelogs or somewhere in wiki like 'package dependencies'.
Look again, it is there (in the changelog of the release which has introduced this dependency) and it has also been mentioned multiple times in these "x.xx.x has been released" topics.
by sindy
Tue Oct 22, 2019 7:01 pm
Forum: Announcements
Topic: v6.45.6 [stable] is released!
Replies: 56
Views: 23865

Re: v6.45.6 [stable] is released!

After upgrading from 6.44.1 to 6.45.6 it's not possible to disable dhcp package. RouterBOARD 750G r3. Why?
Because since 6.45.whatever, package security requires package dhcp to provide a route list to windows IKEv2 clients.
by sindy
Tue Oct 22, 2019 6:30 am
Forum: Announcements
Topic: v6.45.6 [stable] is released!
Replies: 56
Views: 23865

Re: v6.45.6 [stable] is released!

What does /log print say after reboot? What does /system package print show?
by sindy
Wed Oct 16, 2019 11:36 pm
Forum: General
Topic: NordVPN-IKEv2 slow NET speed
Replies: 14
Views: 1370

Re: NordVPN-IKEv2 slow NET speed

I'd really love to understand how an MTU issue can cause much lower speed but otherwise working connections. Okay, each packet occupying the whole MTU gets broken into two thanks to IPsec processing which adds extra bytes to it, but that should cause half the speed at worst. And if they didn't get t...
by sindy
Tue Oct 15, 2019 11:00 pm
Forum: General
Topic: NordVPN-IKEv2 slow NET speed
Replies: 14
Views: 1370

Re: NordVPN-IKEv2 slow NET speed

With fasttracking disabled, complexity and bad order of your firewall rules could theoretically cause a slowdown. Other than that, bad choice of encryption and/or authentication algorithms in /ip ipsec proposal could be the reason, where "bad" means "not supported in hardware". So once the tunnel i...
by sindy
Thu Oct 10, 2019 10:27 am
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

I don't see any scripts that I haven't done and my logs are ok. Malware scripts and enabled services are just the visible top of the iceberg. More advanced malware lives below the RouterOS wrapper of linux so it remains invisible from the RouterOS level in both configuration and logs. By netinstall...
by sindy
Wed Oct 09, 2019 10:39 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

I won't open my laptop right now just to study your configuration, but if FTP and telnet are accessible from internet, you must have ignored my suggestions given earlier regarding how to build the firewall (drop everything except what you absolutely need to be accessible from the internet). Telnet a...
by sindy
Tue Oct 08, 2019 11:32 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

I think we discussed this earlier. It is not enough to disable access to management and/or file transfer services (SSH, telnet, http, FTP) only from the WAN side but also from the LAN side of your router devices, leaving them accessible only via dedicated physical interfaces and from dedicated sourc...
by sindy
Tue Oct 08, 2019 11:59 am
Forum: General
Topic: Multiple static public IPs through one interface
Replies: 26
Views: 5831

Re: Multiple static public IPs through one interface

... Block 1 = 189.xxx.xx2.90/30 Block 2 = 201.xxx.xx9.124/30 Both IPs are sent on one single fiber connection directly from ISP provider to my mikrotik. ... i know i can create a bridge on Mikrotik1 and public both "block1 and block2" IP/addresses on that Bridge Ports but would be only on Mikrotik1...
by sindy
Sat Sep 21, 2019 3:05 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 43
Views: 3979

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

All my needs is to have alternative route if it is possible through ADSL for my public IPs when leased line goes down for the same ISP Without his intervention .since there is route for these Public IPs from ISP side to Leased line IP /30 that configured in our router interface with MPLS modem. The...
by sindy
Wed Sep 18, 2019 3:09 pm
Forum: General
Topic: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]
Replies: 43
Views: 3979

Re: mikrotik with PPPoe and real ip behind bridge modem [SOLVED]

I have also the same issue What exactly is the "same issue" in your case? This topic was dealing with multiple ones throughout its history - first, how to set up RIP to fulfil ISP's requirements so that they could send traffic for your public IP subnet to you, and later how to set up the firewall s...
by sindy
Wed Sep 18, 2019 10:22 am
Forum: General
Topic: EoIP Tunnel not running?
Replies: 10
Views: 1664

Re: EoIP Tunnel not running?

I added GRE in firewall and it`s works! The reason is that EoIP is one of possible applications using GRE as transport. The very idea of GRE is to allow tunneling different types of payload (G = generic). So what we are used to call a GRE tunnel is actually an "IP over GRE" one, whilst EoIP is an "...
by sindy
Sun Sep 15, 2019 1:39 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 94
Views: 22928

Re: [Feature request] Wireguard

there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process. I may be old-fashioned but I still perceive Mikrotik as a router, not an application server. So I can imagine e.g. a more flexible DNS process running in a sandbox, ...
by sindy
Sun Sep 15, 2019 12:05 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 94
Views: 22928

Re: [Feature request] Wireguard

Also interested by some community driven plugins. That's against the idea of RouterOS. If you want 3rd party plugins, go OpenWRT (which is available even for some Mikrotik hardware) and forget about manufacturer's responsibility. If you want manufacturer's responsibility for the product, stay Route...
by sindy
Thu Sep 12, 2019 1:56 pm
Forum: General
Topic: L2TP/IPSec VPN can access LAN but not Router [SOLVED]
Replies: 12
Views: 4132

Re: L2TP/IPSec VPN can access LAN but not Router [SOLVED]

I think it's because IKE2 IPsec doesn't create separate virtual interface. Yes, this changes a lot. This is my FW and IPsec VPN configuration, basically everything is router default Screenshots are not a good method of presenting configuration for analysis. See my automatic signature below regardin...
by sindy
Tue Sep 10, 2019 9:52 am
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 196
Views: 36813

Re: RouterOS v7.0beta1 (ARM)

Where were the certificates generated? In my experience, MT generated certificates don't work with the Windows OVPN desktop client (maybe they do now, I haven't tested recently). Certificates generated by MT CHR, but I won’t say exactly which version, it was a year or two ago. It was definitely ver...
by sindy
Sun Sep 08, 2019 12:29 pm
Forum: General
Topic: Sofware VLAN/Bridge on RuterOS explained.
Replies: 59
Views: 16837

Re: Sofware VLAN/Bridge on RuterOS explained.

Don't mess with VLANs using /interface ethernet switch until you grasp them under /interface bridge . First, you cannot attach IP configuration (address, DHCP servers, DHCP clients) to a member port of a bridge. The IP configuration must be attached to the bridge itself or to /interface vlan using t...
by sindy
Fri Sep 06, 2019 9:12 pm
Forum: General
Topic: pcc and failover configuration not working on wlan
Replies: 9
Views: 1004

Re: pcc and failover configuration not working on wlan

I have sent you an e-mail message a few hours after you've posted your previous post, have you ever received it?
by sindy
Tue Sep 03, 2019 11:35 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

Look at this page . For received packets, dst-nat handling takes place before routing, i.e. before taking the decision whether the packet is for the router itself or to be forwarded outwards. So once dst-nat rule diverts the received packet from its original dst-address (of the WAN interface) to the...
by sindy
Sun Sep 01, 2019 8:48 pm
Forum: General
Topic: Firewall Rules PPPoE vs ethernet-port
Replies: 9
Views: 984

Re: Firewall Rules PPPoE vs ethernet-port

This is the error log: initiate new phase (Identity Protection): 172.0.0.1[500]<=>172.0.0.2[500] phase1 negotation failed due to send error. 172.0.0.1[500]<=>172.0.0.2[500] xxxxxxxxxx As soon as I remove IPSec policy matcher (in-interface=pppoe-out1) the connection is up and running. Example: The l...
by sindy
Sat Aug 31, 2019 11:51 pm
Forum: General
Topic: vlan bridge (new way) HW offload and performance
Replies: 22
Views: 3630

Re: vlan bridge (new way) HW offload and performance

I just wanna make sure of this point: do i have to set an ip subnet based on vlan interface for the CRS ( or RB2011 in my case that will do the vlan switching traffic) in order to get full wire speed regarding the point-to-point link with the edge router ? I mean what if i just configure an ip subn...
by sindy
Fri Aug 30, 2019 11:08 am
Forum: Wireless Networking
Topic: Bridged vlan on physical interfaces to the new (vlan bridge filtering)
Replies: 9
Views: 992

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Well, to my understanding vlan filtering and bridge port isolation are more or less orthogonal features, so there is no reason why you could not use both at the same time if that makes sense. So e.g. each AP connected to its own port on the switch, three SSIDs, each of them on all APs and in its own...
by sindy
Thu Aug 29, 2019 11:31 pm
Forum: Wireless Networking
Topic: Bridged vlan on physical interfaces to the new (vlan bridge filtering)
Replies: 9
Views: 992

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

I think the first thing is to understand why the APs should be isolated from each other, as it is an unusual requirement. What @mkx says is important - by having all APs (or same SSIDs on all APs) in same VLAN, you let the clients roam from AP to AP without losing their IP addresses, which is how mo...
by sindy
Thu Aug 29, 2019 3:03 pm
Forum: Announcements
Topic: v6.45.5 [stable] is released!
Replies: 54
Views: 15947

Re: v6.45.5 [stable] is released!

There is no bug. It just got fixed some versions ago. "The accuracy of your information could be successfully questioned". You are right that the bug consisting in having the firewall too open for GRE was fixed, but bundled with this fix came another bug - the very first GRE packet of a new tunnel i...
by sindy
Thu Aug 29, 2019 11:22 am
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 59
Views: 15077

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

If I understand correctly, this is a solution if you have 2 L2TP/IPsec connections from the same network, that connect to the same public ip . Not exactly but maybe it's just wrong wording. There is no problem if multiple clients connect to the same server (listening at a public IP); the problem wh...
by sindy
Wed Aug 28, 2019 12:52 pm
Forum: General
Topic: Bridge VLAN Filtering help [SOLVED]
Replies: 22
Views: 2030

Re: Bridge VLAN Filtering help [SOLVED]

I don't know any Mikrotik model on which frames between wireless and Ethernet interface would not go through the CPU, regardless whether vlan-filtering is activated or not. Other than that, there is a table on the wiki regarding bridge (I'm writing from a mobile, you'll have to find the exact page o...
by sindy
Wed Aug 28, 2019 1:26 am
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

Sorry, a busy day today.

If you haven't figured out yourself yet, add a rule chain=input src-address=127.0.0.0/8 dst-address=127.0.0.0/8 action=accept before the final chain=input action=drop one and you should be good.
by sindy
Mon Aug 26, 2019 9:27 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

I'm afraid this may be because one process on the Mikrotik wants to connect to another process (most likely, Radius). To check that, place an action=log chain=input before the last action=drop one, keep the drop one in place and see what the log one catches /log print where topics~"firewall" . Then ...
by sindy
Sun Aug 25, 2019 11:38 pm
Forum: General
Topic: Can not see trafic in TORCH
Replies: 2
Views: 383

Re: Can not see trafic in TORCH

As the ethernet ports are marked as S (slaves) in the tables, I would assume that they are member ports of bridges and "hardware acceleration" is enabled (the value of hw in the respective rows of /interface bridge port is set to yes ). So any frames which pass through these ports to other ports of t...
by sindy
Sun Aug 25, 2019 11:21 pm
Forum: General
Topic: Problem with RBM33g and two independent IPsec tunnels [SOLVED]
Replies: 3
Views: 525

Re: Problem with RBM33g and two independent IPsec tunnels

It's too late down here so that I could analyse it completely, however as you can ping when you set the src-address manually, you can as well add dedicated routes with pref-src to do this automatically for any traffic towards the remote IPs: /ip route add dst-address=10.20.10.1/32 pref-src=10.20.10.2...
by sindy
Sun Aug 25, 2019 10:54 pm
Forum: General
Topic: Reaching devices on the WAN [SOLVED]
Replies: 23
Views: 1818

Re: Reaching devices on the WAN [SOLVED]

And this is it. The VPN does add a default route via the tunnel, but as your LAN subnet on the PC is 192.168.1.0/24 as well, packets for 192.168.1.0/24 never get to the 750 as they end up on local LAN. 3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 li...
by sindy
Sun Aug 25, 2019 8:13 pm
Forum: General
Topic: Reaching devices on the WAN [SOLVED]
Replies: 23
Views: 1818

Re: Reaching devices on the WAN [SOLVED]

Yes, replace the public address and the mac addresses and post it. And yes, I don't need you to re-post the config you've withdrawn.
by sindy
Sun Aug 25, 2019 7:04 pm
Forum: General
Topic: Reaching devices on the WAN [SOLVED]
Replies: 23
Views: 1818

Re: Reaching devices on the WAN [SOLVED]

to eliminate unique and/or personally identifiable info. I hope it meets your standards for that. You haven't sanitized at least the ip dhcp-server network part so the public IP addresses of the whole /22 are visible. Your firewall is quite leaky so it is probably quite easy to drain your monthly q...
by sindy
Sun Aug 25, 2019 5:17 pm
Forum: General
Topic: Using ssh with key between Mikrotik Routers
Replies: 3
Views: 462

Re: Using ssh with key between Mikrotik Routers

I performed Key Generation using puttygen utility, as a result I received 2 keys, one imported into Mikrotik and tied it to the user. I specify the second when connecting via ssh in putty. The two key files have unambiguous names representing their roles in the scheme: the one the client uses to au...
by sindy
Sun Aug 25, 2019 10:42 am
Forum: General
Topic: Using ssh with key between Mikrotik Routers
Replies: 3
Views: 462

Re: Using ssh with key between Mikrotik Routers

https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login) What may not be obvious: the client (where you run the /system ssh ... command) always uses the key of the user under which the command was issued, so in your case, of the user under which the script is running the server sea...
by sindy
Sun Aug 25, 2019 9:56 am
Forum: General
Topic: Reaching devices on the WAN [SOLVED]
Replies: 23
Views: 1818

Re: Reaching devices on the WAN [SOLVED]

My VPN is a simple PPtP one with server running on the Mikrotik (I know, I need to change to something more secure - that's on my list). Client machine running Ubuntu and Gnome Connection Manager for CLI work. Local address for the VPN is 192.168.0.235, remote is 192.68.0.236. I also tried 192.168....
by sindy
Sat Aug 24, 2019 10:38 pm
Forum: General
Topic: Reaching devices on the WAN [SOLVED]
Replies: 23
Views: 1818

Re: Reaching devices on the WAN [SOLVED]

the network in question is a 7 hour drive away and whenever I do any remote config I try to be really, really sure that I don't knock it offline. Maybe Safe Mode would be an option here. Of course safe mode is a must no matter how risky or routine the configuration being done is, as at least typos ...
by sindy
Sat Aug 24, 2019 10:05 pm
Forum: General
Topic: Hap Ac 2, not capable of 1Gbit transfer
Replies: 11
Views: 1204

Re: Hap Ac 2, not capable of 1Gbit transfer

It should not be unless there's a bug. You can try to create an /interface bridge name=br-wan protocol-mode=none , then switch on safe mode, and send the following line: /interface bridge port add bridge=br-wan interface=ether1 ; /interface vlan set [find name~"openfiber"] interface=br-wan This will...
by sindy
Sat Aug 24, 2019 9:51 pm
Forum: General
Topic: Reaching devices on the WAN [SOLVED]
Replies: 23
Views: 1818

Re: Reaching devices on the WAN [SOLVED]

or is there other step(s) that must be taken?
You must add the 192.168.1.1/24 address to ether1-gateway as well, keeping the other IP address it has (or the /ip dhcp-client attached to it) in place.
by sindy
Sat Aug 24, 2019 9:24 pm
Forum: General
Topic: Hap Ac 2, not capable of 1Gbit transfer
Replies: 11
Views: 1204

Re: Hap Ac 2, not capable of 1Gbit transfer

I remember I was doing a throughput test on the hAP ac² and it could reach 900 Mbit/s while routing between LAN and PPPoE client as WAN with NAT. So the hardware as such is fine, the question is why the throughput is so limited in your particular configuration. What does /interface ethernet monitor ...
by sindy
Sat Aug 24, 2019 9:02 pm
Forum: General
Topic: Reaching devices on the WAN [SOLVED]
Replies: 23
Views: 1818

Re: Reaching devices on the WAN [SOLVED]

They are pingable on ether1-gateway with the Winbox PING tool. ... I tried reaching them from a web browser when VPN'd into the network with no success. ... I didn't get the feeling from your response that after changing these addresses I still need to assign 192.168.1.1/24 in parallel with the exi...
by sindy
Sat Aug 24, 2019 6:59 pm
Forum: General
Topic: where can I create a script in RouterOS?
Replies: 5
Views: 5465

Re: where can I create a script in RouterOS?

Yes, same like in Winbox, you have two possibilities - to click the [Terminal] button to get a command line window, or to go System -> Scripts and edit just the script body itself in the form. But if the script has to output something, run it from the command line window.
by sindy
Sat Aug 24, 2019 6:55 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 16
Views: 2013

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

My issue was from my firewall rules. I had the VPN issue an IP from a dhcp pool that was managed by bridge rules, but obviously the ipsec connection is not an interface and not attached to a bridge. I had to add a new rule for the IP subnet. Yes, the payload packets coming via an IPsec SA are seen ...
by sindy
Sat Aug 24, 2019 6:07 pm
Forum: General
Topic: Reaching devices on the WAN [SOLVED]
Replies: 23
Views: 1818

Re: Reaching devices on the WAN [SOLVED]

I'm afraid I'm still a bit lost on what is the actual problem. Are you saying that the subnet on the 750's LAN is the same (192.168.0.0/24) like the subnet you've chosen to place the management addresses of the wireless devices at WAN side into, whereas the own IP of the WAN of the 750 is from anoth...
by sindy
Sat Aug 24, 2019 5:45 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 16
Views: 2013

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

Now I need to figure out why this difference behavior between iOS and Windows. If you mean the difference at Tik side, it is because iOS does send ID-R while Windows don't. Also, I still need to fix the routing issue as windows does not get any gateway set up. Have you specified any list of network...
by sindy
Sat Aug 24, 2019 4:27 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 16
Views: 2013

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

I'm afraid @McSee might have in mind the own ID at Mikrotik side, which it uses to match the ID-R received from the initiator. So double-check that you have my-id in the identity row set to auto . I've tested here and I have no issue although the log shows that the Windows client sends, like in your...
by sindy
Sat Aug 24, 2019 12:13 pm
Forum: General
Topic: Firewall Rules PPPoE vs ethernet-port
Replies: 9
Views: 984

Re: Firewall Rules PPPoE vs ethernet-port

Are you absolutely positive that the "black box router" is transparent regarding udp ports 500 and 1701? Just a technical one, for L2TP over IPsec, access to UDP port 1701 need not be permitted on intermediate routers because the L2TP transport packets towards port 1701 are transported encrypted, i...
by sindy
Sat Aug 24, 2019 11:58 am
Forum: General
Topic: Reaching devices on the WAN [SOLVED]
Replies: 23
Views: 1818

Re: Reaching devices on the WAN [SOLVED]

From your description it is not really clear what the actual problem is, but the firewall rules in the default configuration do not allow access to management of the router via WAN, so if you need it, you have to add your own rules permitting such access for authorized source addresses. If the WAN a...
by sindy
Sat Aug 24, 2019 10:32 am
Forum: General
Topic: Routing or Bridge for p2p wireless link
Replies: 4
Views: 501

Re: Routing or Bridge for p2p wireless link

In your particular case, the scheme with bridging where only 4 hosts would be in the 10.0.0.0/x network is fine, as there won't be much broadcast traffic between these hosts.
by sindy
Sat Aug 24, 2019 10:18 am
Forum: General
Topic: Test for leaking VLAN's
Replies: 4
Views: 528

Re: Test for leaking VLAN's

For starters I would like to test that for example - Mikrotik router A should be getting only tagged VLAN packets for two Vlan's ID=1010 and 1020, then router B should be getting tagged VLAN packets for another two vlan's ID= 2010 and 2020 ? First of all think about how the switching and bridging w...
by sindy
Sat Aug 24, 2019 12:08 am
Forum: General
Topic: Setting firewall to run PPTP
Replies: 1
Views: 261

Re: Setting firewall to run PPTP

PPTP is not actually secure these days, so I assume you have strong reasons to use it anyway. Normally it is sufficient to add a rule permitting incoming connections to TCP port 1723 into chain=input of /ip firewall filter if the default firewall rules are in place. The default firewall settings accept...
by sindy
Sat Aug 24, 2019 12:01 am
Forum: General
Topic: EOIP help! SOLVED :)
Replies: 1
Views: 303

Re: EOIP help! SOLVED :)

EoIP tunnels have IDs and the same ID cannot be used twice on the same machine. If all three machines have IPv6 addresses or all three have public IPv4 addresses, there should be no issue with termination of two tunnels on the central machine. To make the L2 segment span all three machines, there ha...
by sindy
Fri Aug 23, 2019 11:53 pm
Forum: General
Topic: ICMP Firewall Potential Bug
Replies: 13
Views: 1182

Re: ICMP Firewall Potential Bug

In other words: post the complete export of your firewall rules if you want a relevant analysis rather than a guess.
by sindy
Fri Aug 23, 2019 10:05 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 59
Views: 15077

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Is it still a thing? i mean if i have l2tp/ipsec vpn and i want to connect roadwarriors - i still have to do all this? Only if you need several road warriors connected from the same LAN at the same time, which often means that the sessions come to the server from the same public address. But i hone...
by sindy
Fri Aug 23, 2019 3:24 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 59
Views: 15077

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

At place-before=right after the "accept established,related" rule it gives me a syntax error, and I'm not sure if I'm supposed to change anything in this line? Sure you are. The whole text right after the "accept established,related" rule has to be replaced with a rule number; however, you have to ...
by sindy
Thu Aug 22, 2019 9:58 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

- it is a bad idea to have overlapping IP address pools (the one for dhcp and the one for ppp clients), I'm not sure how the machine coordinates leases from different pools I had to do it in order to "see" my routers. Also, I had to activate Proxy-Arp in LAN. - it is better not to assign to PPP c...
by sindy
Thu Aug 22, 2019 12:40 am
Forum: General
Topic: pcc and failover configuration not working on wlan
Replies: 9
Views: 1004

Re: pcc and failover configuration not working on wlan

The script body would say something like if [/ip route get [find dst-address=0.0.0.0/0 gateway=ip.of.WAN1.recursive.gw] active] do={ /ip firewall connection remove [find srcnat and connection-mark=via-WAN1 and reply-dst-address~"the.ip.of.wan2"] } It assumes that you use e.g. the recursive next-hop ...
by sindy
Wed Aug 21, 2019 3:26 pm
Forum: General
Topic: pcc and failover configuration not working on wlan
Replies: 9
Views: 1004

Re: pcc and failover configuration not working on wlan

Given that there is no standard way to force SIP phones (or PBXes) to re-register when you need them to do so (which is each time when the uplink migrates to another WAN), the question is whether the script is sufficient to resolve your headache. So one possibility is to configure the phones to re-r...
by sindy
Wed Aug 21, 2019 7:05 am
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 25465

Re: v6.45.3 [stable] is released!

After upgrading RB3011 from 6.44.3 to 6.45.3, all my PPTP has stopped working, inbound and outbound. Search back in the 6.45.x topics for the fix of GRE handling in firewall and the bug introduced by that fix and how to deal with it. And although PPTP can be fixed easily, think about its drawbacks ...
by sindy
Wed Aug 21, 2019 12:13 am
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

Yeah, but that's a manual arp record per each individual IP... so you'd need the on-up/on-down scripts in /ppp profile to add/remove it, or to add it once for each address from the pool used for ppp clients, so a source of headache if you extend the pool and forget to add arp records, or even worse ...
by sindy
Tue Aug 20, 2019 10:57 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

I did everything suggested but it is not working properly. Some routers (Openwrt) receive their leases fine but the following happens. I can ping them a few seconds after the Tik reboots but I get timeouts after a few seconds of receiving the lease. Openwrt receive default VRRP gateway and DNS fine...
by sindy
Tue Aug 20, 2019 12:44 pm
Forum: General
Topic: IPSEC with ORacle cloud - understadn the setting
Replies: 6
Views: 652

Re: IPSEC with ORacle cloud - understadn the setting

In the masquerade rule, use dst-address instead of dst-address-list, I doubt 172.../24 is the name of the list?
by sindy
Tue Aug 20, 2019 12:08 pm
Forum: General
Topic: IPSEC with ORacle cloud - understadn the setting
Replies: 6
Views: 652

Re: IPSEC with ORacle cloud - understadn the setting

If the policy (or policies) are marked as Active at Mikrotik side, the phase 2 negotiation was successful. So the next things to check would be that at Mikrotik side you don't NAT connections towards the destination subnet at Oracle side to the WAN IP, that a firewall at Oracle side doesn't drop pin...
by sindy
Tue Aug 20, 2019 7:12 am
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

Both the gateway and the dns-server in the /ip dhcp-server network shall also be set to the virtual address 10.50.10.3 so that nothing changes from the client's perspective when the virtual address migrates between the physical devices.
by sindy
Tue Aug 20, 2019 7:07 am
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

If the Tik was behind an external firewall, it's OK, no need to netinstall. The rest remains - add the last drop rule in input after checking that the one permitting management access from a dedicated interface with a dedicated subnet counts packets. It will count just one packet per each connection...
by sindy
Mon Aug 19, 2019 11:27 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

Well, as you've stated you could not access internet after you've added the forward rules without the "accept established or related" one, it means you did connect the router to internet before securing the management access to it using the input rules. So it can be compromised by now as it has spen...
by sindy
Mon Aug 19, 2019 10:52 pm
Forum: General
Topic: Dual WAN with OpenVPN Clients - problem with LAN connections
Replies: 4
Views: 672

Re: Dual WAN with OpenVPN Clients - problem with LAN connections

Your mangle rule action=mark-routing chain=prerouting new-routing-mark=WAN-1 passthrough=no src-address-list=WAN-1 assigns routing-mark=WAN-1 to packets coming from OpenVPN client(s) because you've put 172.16.1.0-172.16.1.254, of which the /ip pool pool-OVPN is a subrange, to address list WAN-1. And...
by sindy
Mon Aug 19, 2019 8:38 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

Seems fine to me. However: - if you haven't yet, don't add the last drop rule in the input chain before you check that the rule allowing management access counts your connection attempts (I don't know which of the management protocol you use out of ssh / https / winbox); on the other hand, you shoul...
by sindy
Mon Aug 19, 2019 7:58 pm
Forum: General
Topic: pppoe server and client on same router
Replies: 1
Views: 211

Re: pppoe server and client on same router

So what you actually want is a pppoe server and its client on the same router. Well, it is possible as you've checked yourself, however it will not help you reach your goal because both the server's and client's IP address will be up on the same device, so the IP stack will take the shortcut instead...
by sindy
Mon Aug 19, 2019 7:09 pm
Forum: General
Topic: pcc and failover configuration not working on wlan
Replies: 9
Views: 1004

Re: pcc and failover configuration not working on wlan

I'm afraid you expect too much from the failover. As your two uplinks use src-nat (masquerade in your case), ongoing connections will fail whenever the uplink they use fails, and they have to be re-established. The reason is that the remote party doesn't recognize packets coming from another address...
by sindy
Mon Aug 19, 2019 12:05 pm
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

I have noticed the VLAN as uplink, but I haven't noticed that you haven't added interface Safaricom as a member of interface list WAN. Failing to add it to interface list WAN causes anything what comes in via that interface to be forwarded, not only dst-nated connections, as the rule add action=acce...
by sindy
Mon Aug 19, 2019 10:21 am
Forum: General
Topic: VLAN setup
Replies: 8
Views: 693

Re: VLAN setup

If the configuration in post #5 is complete (except the changes in post #7), the firewall is so leaky that it cannot be the reason why devices in VLAN cannot access internet. If these devices do get the dhcp lease and can ping 10.10.10.1, can they ping 8.8.8.8 too or not? If not, can you open a CLI ...
by sindy
Mon Aug 19, 2019 9:25 am
Forum: General
Topic: Router blocking traffic of Shark Ion Robot
Replies: 3
Views: 281

Re: Router blocking traffic of Shark Ion Robot

Your capture shows that the DNS responses do not contain the Authoritative Nameservers and Additional Records sections, i.e. so far the same issue which turned out to cause the trouble in the topic linked above can still be the explanation of yours. Now the question is why the DNS responses don't co...
by sindy
Sun Aug 18, 2019 8:01 pm
Forum: General
Topic: VLAN setup
Replies: 8
Views: 693

Re: VLAN setup

To post a configuration export and expect someone to find out what was wrong with the missing part is an interesting approach :? So how it SHOULD have looked like if ether3 should have been an access port to VLAN 2: /interface vlan add vlan-id=2 interface=bridge1 name=bridge1.2 /interface bridge por...
by sindy
Sun Aug 18, 2019 7:31 pm
Forum: General
Topic: basic ipsec server config
Replies: 1
Views: 291

Re: basic ipsec server config

TS is Traffic Selector. The (src-address,dst-address[,protocol[,src-port,dst-port]]) tuple (which is the Traffic Selector itself) of a policy at one peer must match the (dst-address,src-address[,protocol[,dst-port,src-port]]) tuple of the policy at the other peer. If they don't match exactly, no SA ...
by sindy
Sun Aug 18, 2019 7:02 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

The problem was that some devices renewed on the 450 (even though this last one was disconnected) and some others on the 750. Even waiting for the leases to be renown. That was a mess. I didn't understand why some devices kept waiting for the 450 and not liking to the then active 750. Attach the DH...
by sindy
Sun Aug 18, 2019 6:07 pm
Forum: General
Topic: Router blocking traffic of Shark Ion Robot
Replies: 3
Views: 281

Re: Router blocking traffic of Shark Ion Robot

It is often useful to search the forum before creating a new topic. See viewtopic.php?t=131475#p663143.
by sindy
Sun Aug 18, 2019 6:01 pm
Forum: General
Topic: IPSEC with ORacle cloud - understadn the setting
Replies: 6
Views: 652

Re: IPSEC with ORacle cloud - understadn the setting

Phase 1: Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc, Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96), Diffie-Hellman group: group 5, group 2, group 1, IKE session key lifetime: 28800 seconds (8 hours) => /ip ipsec profile add name=oracle enc-algorithm=aes-25...
by sindy
Sun Aug 18, 2019 4:35 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

chain=forward action=accept in-interface-list=!WAN out-interface-list=WAN chain=forward action=drop The above rule separates the zones > If I understand the rule, it only allows all interfaces internet connection and drops everything else. OFFICE clients can connect to each other? Clients in the sa...
by sindy
Sun Aug 18, 2019 3:56 pm
Forum: General
Topic: VLAN separation using new Bridge VLAN Filtering feature
Replies: 5
Views: 370

Re: VLAN separation using new Bridge VLAN Filtering feature

I had hoped it would be possible to separate the networks at the hardware level without involving the CPU, but as soon as IP firewall is in play that won't be the case. I don't think it is anything worth fearing. All the routing, including routing between the subnets in the VLANs, is done by the CP...
by sindy
Sun Aug 18, 2019 3:20 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 16
Views: 2013

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

The possible reasons you've googled may be related both to Windows acting as server and to Windows acting as client so not all of them may be relevant. Unless Windows need something specific, the normal requirements are the following: to be able to prove its own identity to the remote party, each lo...
by sindy
Sun Aug 18, 2019 2:26 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

does not let android client to connect to 192.168.8.0/23 subnets if i do as you suggested. however works w/o split-include with system-dnes enabled. any specific disadvantage of this? In that case it seems that Android ignores the split-include information completely. The only disadvantage of not u...
by sindy
Sun Aug 18, 2019 2:19 pm
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

When I tried to create rule, you just suggested, on the slave, I get the following error message: Couldn't add New NAT Rule - incoming interface matching not possible in output and postrouting chains (6) I keep forgetting about this :) OK, replace in-interface=Ether01_LAN_US by src-address=!192.168...
by sindy
Sun Aug 18, 2019 2:14 pm
Forum: General
Topic: VLAN separation using new Bridge VLAN Filtering feature
Replies: 5
Views: 370

Re: VLAN separation using new Bridge VLAN Filtering feature

@little_strawberry, separation of VLANs at L2 level works fine in your setup. What you actually need is a set of IP firewall rules to drop traffic between IP subnets living in the distinct VLANs - or, even better, a set of firewall rules dropping all traffic which is not explicitly allowed. So rough...
by sindy
Sun Aug 18, 2019 1:29 pm
Forum: General
Topic: VLAN setup
Replies: 8
Views: 693

Re: VLAN setup

Post the configuration export - see my automatic signature below.
by sindy
Sun Aug 18, 2019 1:15 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

i removed split because android and iOS client only take 1st subnet from split-include. enabling system-dns in mode-config solved it for me. thanks.
Check my suggestion above - you can set 192.168.8.0/23 as split-include which spans both 192.168.8.0/24 and 192.168.9.0/24.
by sindy
Sun Aug 18, 2019 1:08 pm
Forum: General
Topic: Partial VLAN configuration [SOLVED]
Replies: 9
Views: 937

Re: Partial VLAN configuration [SOLVED]

I verified that from another laptop I can ping the workstation without problems (from the same vlan/subnet) hence I assume any firewall issues are ootq? I don't understand why no reply packets are seen... Assuming that the other laptop is in the same subnet/vlan like the workstation, the issue may ...
by sindy
Sun Aug 18, 2019 12:55 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

On a fast glance, I can see that you've disabled the Mikrotik's DNS server list to be sent using mode-config (by setting system-dns=no ) and haven't defined any other one, but at the same time you've also removed the split-include from the mode-config so the IKEv2 clients use the VPN as a default ro...
by sindy
Sun Aug 18, 2019 12:29 pm
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

need one clarification: Why disable DHCP servers from both routers? Where will the clients obtain an IP address? Sorry for ambiguity. I wrote "including the DHCP server" in the context of "remove everything related to 192.168.2.0/24", of course the DHCP server for 192.168.1.0/24 must stay. And as t...
by sindy
Sun Aug 18, 2019 11:40 am
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

I agree with you about see no point in running the innner 2011 as a router at all . Your how-to would be appreciated. Given that the two machines are interconnected using an external wireless link which is transparent at L2, the howto is quite simple: on the Slave, /ip address add address=192.168.1...
by sindy
Sun Aug 18, 2019 10:14 am
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

First to the actual topic: As the inner ("slave") router has no firewall rules at all, they cannot interfere with the functionality you desire. However, the current dst-nat rule on the outer ("master") router, add action=dst-nat chain=dstnat comment="WiFI AP Access" dst-port=50021-50024 in-interface...
by sindy
Sat Aug 17, 2019 9:23 pm
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

No NAT and no firewall rules are different things. Post export of both routers (see anonymization hints in my automatic signature below). If there was nothing in the inner router's firewall, the single dst-nat rule in the outer one would be sufficient.
by sindy
Sat Aug 17, 2019 12:48 pm
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

Oh, sorry, I didn't realize the double router part was also problem as you seemed to have the internal routing solved and transparent.. If the inner router's WAN (internet-facing) interface has a firewall on it preventing incoming connections via WAN, you have to set some rules on it too, but as you...
by sindy
Sat Aug 17, 2019 12:32 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

What I can see is that you now only deal with the static leases (as the parameter address-pool of /ip dhcp-server is set to the default value static-only ), so the fact that the pools for dynamic leases are the same at both routers does not cause any trouble now. But I can see that on the 450, the d...
by sindy
Sat Aug 17, 2019 11:36 am
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

Just bear in mind that while this rule port-forwards connections initiated from anywhere, connections initiated from LAN will not work properly, you have to test from outside. Look for "hairpin NAT" for explanation why.
by sindy
Sat Aug 17, 2019 11:30 am
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

That's a correct one. If you otherwise use the default firewall configuration, it should be enough. If not, post the export.
by sindy
Sat Aug 17, 2019 3:18 am
Forum: General
Topic: Address list dynamic entries [SOLVED]
Replies: 2
Views: 455

Re: Address list dynamic entries [SOLVED]

There is no fixed time, the address-list is renewed each time the TTL of the DNS response expires.
by sindy
Sat Aug 17, 2019 1:13 am
Forum: General
Topic: DHCP server: Options
Replies: 4
Views: 495

Re: DHCP server: Options

How do you get 0xc0a81301c0a82101 from 192.168.19.1 & 192.168.33.1?
0x means that the rest is in hexadecimal
c0 = 192 in hexadecimal
a8 = 168 in hexadecimal
etc.
No separator is needed, as each address takes exactly 4 bytes.
by sindy
Sat Aug 17, 2019 12:43 am
Forum: General
Topic: Partial VLAN configuration [SOLVED]
Replies: 9
Views: 937

Re: Partial VLAN configuration [SOLVED]

I forgot to mention that the workstation (a windows 10 machine with its firewall disabled) can be pinged from both the HAP-AC and the CCR. That's not surprising because both the hAP ac and the CCR have an interface in the subnet/vlan "10" so no routing is necessary when you ping the workstation in t...
by sindy
Fri Aug 16, 2019 11:41 pm
Forum: General
Topic: DHCP server: Options
Replies: 4
Views: 495

Re: DHCP server: Options

It is not clear from your question whether you want to set this up on a Mikrotik or on some other DHCP server. On Mikrotik, the embedded help tells you what to do: [me@MyTik] > ip dhcp-server network add address=192.168.115.0/24 dns-server=[?] Server ::= Address[,Server] (max 100 times) Address ::= ...
by sindy
Fri Aug 16, 2019 11:23 pm
Forum: General
Topic: Access from the Internet
Replies: 23
Views: 1450

Re: Access from the Internet

There is just one port 443 on one public IP 41.x.x.x, so you can have just one AP accessible via that single port. But you can use port-forwarding rules in the firewall, so that e.g. port 21443 on the public IP will be forwarded to port 443 on the private IP of AP 1, port 22443 to port 443 of the pr...
by sindy
Fri Aug 16, 2019 11:13 pm
Forum: General
Topic: Partial VLAN configuration [SOLVED]
Replies: 9
Views: 937

Re: Partial VLAN configuration [SOLVED]

To know which part of the configuration to ask for, we would have to know where the problem is. So post the complete export (check my automatic signature below first), just don't forget to use the [ code] and [ /code] tag around the configuration exports of both machines. You have posted only the br...
by sindy
Fri Aug 16, 2019 10:12 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

Post the current configuration of both the Mikrotiks.
by sindy
Wed Aug 14, 2019 11:46 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

Too late down here to think anything deep, but: I'd definitely wallgarden static equipment like seccams using a dedicated subnet+VLAN (+SSID if they are wireless) rather than hotspot, using their own dedicated zone. As for too many zones on one device - I'd use the primary ISP for everything and the...
by sindy
Wed Aug 14, 2019 10:28 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

I cannot, PMs don't work here, but if you post the TVw ID and one-time password, it should be safe enough given that it is one-time (and hopefully I'll be the first one to use it :) )
by sindy
Wed Aug 14, 2019 10:15 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

I start thinking of Teamviewer as I cannot see anything suspicious in the configuration any more, and I'd do some dynamic observations if it was my case already days ago :) Basically you should see the /ip ipsec installed-sa to increase packet count when you try to ping the 10.10.10.2x, but if there...
by sindy
Wed Aug 14, 2019 9:38 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

I meant with "hold connection" to be able to surf without problems (within 3-5 seconds after unplugging the Master MK) straight internet access. OK, so not in the sense that you wouldn't have to re-establish the TCP connections. I'm using my router with wireless DumbAP so clients go straight to MK....
by sindy
Wed Aug 14, 2019 9:12 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

I managed to make my PC hold connection but not in my table or cellphone. Now wait. What does "hold connection" mean, and what does "table" mean - a VoIP phone or a desktop PC? If the cellphone is connected using wireless as I suppose, there is not just the DHCP and gateway part, there is also the wireless...
by sindy
Wed Aug 14, 2019 8:43 pm
Forum: General
Topic: Dual WAN with OpenVPN Clients - problem with LAN connections
Replies: 4
Views: 672

Re: Dual WAN with OpenVPN Clients - problem with LAN connections

OpenVPN used to work before we added the second WAN. Before you added the second WAN or before you added the mangle rules ;) ? Just a rhetorical question, of course you did both in the same step. Intuitively I feel that the packets coming in via the OpenVPN interface and with the destination addresses...
by sindy
Wed Aug 14, 2019 8:13 pm
Forum: General
Topic: RB450G failing need to replace
Replies: 8
Views: 1399

Re: RB450G failing need to replace

Thank you sindy & krafg for your responses. I have to keep the RB450G models because that is what the OEM installed at this site and I cannot change the model. Have you tried to replace only the power adaptors as I've suggested? I wanted to give you some detailed information. The OEM uses a VBScrip...
by sindy
Wed Aug 14, 2019 7:58 pm
Forum: General
Topic: RB450G failing need to replace
Replies: 8
Views: 1399

Re: RB450G failing need to replace

i am going to go with upgrading the RB450G up to release 6.43.12. is the routeros-mipsbe.npk the file I should use to upgrade the RB450G? dumb question, do i use the stable or long term release? For any RB4xx except RB450Gx4, mipsbe is the correct architecture, so yes, routeros-mipsbe-v.vv.vv.npk i...
by sindy
Wed Aug 14, 2019 7:33 pm
Forum: General
Topic: vlan bridge (new way) HW offload and performance
Replies: 22
Views: 3630

Re: vlan bridge (new way) HW offload and performance

as still unsure how to have access ports and tagged ports (vlan native trunk). Ie: untagged vlan and a tagged vlan on same port(s) with using the switch menu vlan setup. The bridge vlan filtering method makes it easy. also I know that anytime put vlan's into a bridge port - they're untagged. So may...
by sindy
Wed Aug 14, 2019 7:24 pm
Forum: General
Topic: vlan bridge (new way) HW offload and performance
Replies: 22
Views: 3630

Re: vlan bridge (new way) HW offload and performance

I use to always do link aggregation (802.3ad) to a single switch hanging off the MT, but not much benefit for these SMB networks. well, link aggregation is always done in software unless we talk about CRS (maybe even CRS3xx). And if the member links are 1 Gbit/s ones, the only benefit is redundancy...
by sindy
Wed Aug 14, 2019 7:09 pm
Forum: General
Topic: vlan bridge (new way) HW offload and performance
Replies: 22
Views: 3630

Re: vlan bridge (new way) HW offload and performance

@anav, So with a single bridge and vlans, its all software not hardware???? A single bridge and VLANs can still use hardware forwarding if you don't need to tag and untag the frames or filter them by VLAN ID as they ingress and egress. So if the same VLAN is untagged on all ports and you don't mind ...
by sindy
Wed Aug 14, 2019 7:02 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

I'm afraid you expect too much from VRRP. It provides nothing more than redundancy on a network segment where two (or more) physical devices can provide to other devices in the same network segment and IP subnet the service of a gateway (or other services which the clients need to contact on a stati...
by sindy
Wed Aug 14, 2019 6:38 pm
Forum: General
Topic: vlan bridge (new way) HW offload and performance
Replies: 22
Views: 3630

Re: vlan bridge (new way) HW offload and performance

Could you further elaborate? Are you mentioning this fact if one was to use the interface switch config (switch chip config method?). Or in regards to the new bridge vlan config way? I am mentioning this fact because "hardware acceleration" of L2 forwarding actually means letting the switch chip do...
by sindy
Wed Aug 14, 2019 2:11 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

Well, I did that. Export the Master backup, restore that backup using import from PC. Both RBs show their respective MAC addresses at Winbox. You can do either an import of .rsc file (which is a plaintext script) or a restore of .backup file (which is a compressed and ciphered binary file). If you ...
by sindy
Tue Aug 13, 2019 11:08 pm
Forum: General
Topic: VRRP Riddle [Help Needed]
Replies: 27
Views: 3113

Re: VRRP Riddle [Help Needed]

If you have really restored a backup rather than imported an export, you have cloned also the MAC addresses, so this is the first point to clarify.
by sindy
Tue Aug 13, 2019 10:52 pm
Forum: General
Topic: vlan bridge (new way) HW offload and performance
Replies: 22
Views: 3630

Re: vlan bridge (new way) HW offload and performance

block diagram shows HW acceleration... is this ONLY for IPSec, or this mean HW acceleration on ethernet for wirespeed? If so, perhaps the RB4011 is an upgrade path over RB2011. The switch chips used in the 4011 are not VLAN-aware and don't support hardware rules so if you need L2 traffic to be hard...
by sindy
Tue Aug 13, 2019 10:44 pm
Forum: General
Topic: Dual WAN trouble - acts like jitter
Replies: 1
Views: 492

Re: Dual WAN trouble - acts like jitter

I am sure it is something simple, but I am not sure where to look. Two points: unrestricted fasttracking is incompatible with use of mangle rules because most packets belonging to fasttracked connections skip a great deal of firewall processing. Few don't, which means that the connections via the non...
by sindy
Tue Aug 13, 2019 10:34 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

I think I've got it, I've got confused by the src-address=0.0.0.0/0 in your policy template on the 951, whereas in the mode-config there is split-include , so the actual policies created dynamically are 192.168.8.0/24<->10.10.10.2x and 192.168.9.0/24<->10.10.10.2x (please confirm, use /ip ipsec poli...
by sindy
Tue Aug 13, 2019 10:05 pm
Forum: General
Topic: PPTP public ip routage
Replies: 2
Views: 769

Re: PPTP public ip routage

Post the configuration. Does the 213.x.x.x/28 have any external gateway to access the internet or is only accessible from outside via the 87.x.x.x?
by sindy
Tue Aug 13, 2019 9:10 pm
Forum: General
Topic: Port isolation VLAN overwritten
Replies: 2
Views: 592

Re: Port isolation VLAN overwritten

6.43.12 and master port in one sentence? I am confused. Post the export, I didn't get what you are trying to achieve and what doesn't work.
by sindy
Tue Aug 13, 2019 6:43 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

I got to put in firewall rules to separate the vlan from the office. Can you give me direction? A firewall provides the best protection if it drops everything by default and only lets through exceptions you want to let through. The firewall rules provided in the default configuration of the hXX pro...
by sindy
Tue Aug 13, 2019 3:19 pm
Forum: General
Topic: Internet access without 0.0.0.0/0
Replies: 7
Views: 1076

Re: Internet access without 0.0.0.0/0

I made a rough drawing indicating the current scenario so hope that sheds some light ... It hasn't changed my understanding of what the topology is and what the goals are, but neither has it dissolved the concerns I've expressed before :) If the client's L2TP client is not another Mikrotik or anoth...
by sindy
Tue Aug 13, 2019 3:03 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

Hope not to bother much longer... So far it's OK, I'm more concerned that you haven't written whether you managed to get there to the correct address after all :) I am aware of site to site would be better option for direct connection of two mikrotiks, but I need also rw clients such as phones and ...
by sindy
Tue Aug 13, 2019 9:54 am
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

I also turned on vlan filtering > under bridge > double-click bridge tab and it works, but will uncheck for the rest of my config is done. vlan-filtering requires more settings to be done to work properly, as @pcunite explains here . For your scenario it is not actually needed unless the Ethernet p...
by sindy
Tue Aug 13, 2019 9:27 am
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

Don't do serious things late in the evening (unless you're an owl like @Sob) - you've properly added the firewall rules but you've totally ignored the other part of my post, saying that you have to ping/connect to 10.10.10.2x, not to 192.168.2.1, because the network 192.168.2.0/24 is invisible to th...
by sindy
Mon Aug 12, 2019 11:41 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

Well, except the pvid=10 in the /interface bridge port row for ether4 (which is harmless until you eventually set vlan-filtering to yes), everything seems fine regarding VLANs. However, there is neither any hotspot configuration nor a regular IP configuration attached to /interface vlan vlan-id=10, ...
by sindy
Mon Aug 12, 2019 11:06 pm
Forum: General
Topic: Valid connection issues when dropping invalid packets in firewall
Replies: 11
Views: 1914

Re: Valid connection issues when dropping invalid packets in firewall

The rule blocking invalid packets here is the first one, and without log. If I see packets in log, they should be blocked by the last rule (drop all the rest) Sounds logical. So how can I target those packets? Just above the rule "drop all" but how? Finding about the 3-4 addresses often logged and...
by sindy
Mon Aug 12, 2019 10:44 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

Guessing from your description what may be wrong: you can have one tagless and as many as you want tagged VLANs directly on an Ethernet interface, but if you do it this way, you cannot add the interface itself to a bridge (I mean, you can but the tagged VLANs won't work). So if you want ether4 to be...
by sindy
Mon Aug 12, 2019 10:36 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

No visible image, just a text "image". When you say you cannot connect to the Tik behind NAT, to which IP address are you trying to connect, 192.168.2.1 or 10.10.10.2x? And from where, directly from a device in your LAN (192.168.9.x) or from the 951 itself? There are two points: you have to connect ...
by sindy
Sat Aug 10, 2019 6:54 pm
Forum: General
Topic: Internet access without 0.0.0.0/0
Replies: 7
Views: 1076

Re: Internet access without 0.0.0.0/0

Messy ... yeah I really need to do my MTCRE already :lol: Well, maybe just "so unusual that a mere mortal cannot understand it without having additional context". Details below. On the onsite router I have an L2 connection from the bridge to a Mikrotik router at our office as well as a L2 server fo...
by sindy
Sat Aug 10, 2019 4:16 pm
Forum: General
Topic: Open VPN on a Wireless VLAN for Accessing Geo-blocked Content
Replies: 2
Views: 397

Re: Open VPN on a Wireless VLAN for Accessing Geo-blocked Content

1. Firstly, can I bypass VPN Express and roll my own somehow for less than $6.67 US p/m? If you can place your own router in each country of interest, and at least one of them will have a public IP address (or all of them will have IPv6 addresses which are all public), then yes. Whether the total e...
by sindy
Fri Aug 09, 2019 11:21 pm
Forum: General
Topic: RouterOS compatibility with older routerboards
Replies: 11
Views: 1028

Re: RouterOS compatibility with older routerboards

For example, in the other thread you mentioned converting from "master port" to "bridge" . I have no idea what that is about. I don't remember whether this came in 6.40 or 6.41, but the old way of allowing frames to be forwarded within a group of Ethernet ports by the switch chip, bypassing any CPU...
by sindy
Fri Aug 09, 2019 10:50 pm
Forum: General
Topic: Theoretical: Using multiple MikroTik boxes to create virtual line
Replies: 2
Views: 425

Re: Theoretical: Using multiple MikroTik boxes to create virtual line

Look at EoIP tunnel (/interface eoip). Set one between the two Mikrotiks, remove one Ethernet port on each Tik from the main bridge, create a dedicated bridge on each Tik, and make that Ethernet port released from the main bridge and the /interface eoip members of this new bridge. Done.
by sindy
Fri Aug 09, 2019 10:41 pm
Forum: General
Topic: AC Wireless On Automated Script
Replies: 2
Views: 417

Re: AC Wireless On Automated Script

First I don't get from where the wlan3, wlan4 pops up. Second, if you paste the very same lines into the terminal window manually, do they have the expected effect or not? The answer determines whether the issue is that you run the script too early (i.e. use it as a run-after-reset parameter of /sys...
by sindy
Fri Aug 09, 2019 10:33 pm
Forum: General
Topic: Internet access without 0.0.0.0/0
Replies: 7
Views: 1076

Re: Internet access without 0.0.0.0/0

OK, so your configuration seems a little bit messy to me. The L2TP server's profile is configured to create both an L2 tunnel locally connected to the LAN bridge and an L3 tunnel; is the L2TP client another Mikrotik device or Linux so that you could really use the L2 tunnel? If you do, and if there ...
by sindy
Fri Aug 09, 2019 9:52 pm
Forum: General
Topic: RouterOS compatibility with older routerboards
Replies: 11
Views: 1028

Re: RouterOS compatibility with older routerboards

Should we update those three incrementally? Say update first to 6.20 then to 6.44.5?
A part of this post gives my opinion on this.
by sindy
Fri Aug 09, 2019 12:13 pm
Forum: General
Topic: Address list importing with other name
Replies: 9
Views: 691

Re: Address list importing with other name

chain=input handles connection attempts to your Tik itself. chain=forward handles transit traffic (between two interfaces of the router). And yes, "block everything but few exceptions" is the best firewall concept in my opinion. Only allow access to services which are secure by themselves (VPNs but ...
by sindy
Fri Aug 09, 2019 12:00 pm
Forum: General
Topic: Firewall log help needed
Replies: 8
Views: 749

Re: Firewall log help needed

If you use Winbox, it's drag and drop. If you use WebFig, press the [Download] button in the file list. If you use command line, use scp from your PC to download the file.
by sindy
Fri Aug 09, 2019 11:44 am
Forum: General
Topic: Address list importing with other name
Replies: 9
Views: 691

Re: Address list importing with other name

No changes can be made during import. So you have to do them before, using an external text editor because Mikrotik scripting cannot parse files, or after, using Mikrotik scripting on the already imported address lists. If there are no duplicate entries between those lists, the command is simple: ip...
by sindy
Fri Aug 09, 2019 10:52 am
Forum: General
Topic: Port forward for a PPTP VPN user
Replies: 2
Views: 323

Re: Port forward for a PPTP VPN user

To learn how the firewall works is one way to solve it. Posting a complete export of your configuration (see my automatic signature below on how to prevent sensitive information from leaking) is another way if you need to do it just once and you have some more important areas to spend your time on d...
by sindy
Fri Aug 09, 2019 10:38 am
Forum: General
Topic: RB450G failing need to replace
Replies: 8
Views: 1399

Re: RB450G failing need to replace

I have several of these units that were all installed 3 years ago and 2 of them are failing. It seems that when they handle heavy network traffic the leds on the ports go out and eventually the unit reboots and works again, does this sound like bad capacitors?
Definitely try replacing just the powe...
by sindy
Fri Aug 09, 2019 9:11 am
Forum: General
Topic: SSH Access to old 6.9 routers [SOLVED]
Replies: 2
Views: 413

Re: SSH Access to old 6.9 routers [SOLVED]

Given that SSH access was possible with ROS 5.something, in 6.9 it may only be an issue due to a version-specific bug. But the first question is what ssh client do you use? Because with newer ROS releases, /ip ssh set strong-crypto=yes prevents connection to or from older systems which use older=wea...
by sindy
Thu Aug 08, 2019 10:48 pm
Forum: General
Topic: RouterOS compatibility with older routerboards
Replies: 11
Views: 1028

Re: RouterOS compatibility with older routerboards

I'd start from https://download.mikrotik.com/routeros/ ... 6.44.5.npk - RB4xx is still listed among supported models.
by sindy
Thu Aug 08, 2019 10:16 pm
Forum: General
Topic: Internet access without 0.0.0.0/0
Replies: 7
Views: 1076

Re: Internet access without 0.0.0.0/0

I suppose we are talking about devices connected to the LAN side of your router, not other devices connected to client's router LAN side where your router's WAN side is connected. If so, post the export of the configuration of your router, it will be just a matter of modifying the rules in chain=for...
by sindy
Thu Aug 08, 2019 10:06 pm
Forum: General
Topic: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]
Replies: 12
Views: 1110

Re: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]

When vlan-mode on switch port is set to secure, frames tagged for VLANs which are not permitted on that port are dropped at ingress. So on all ports of the switch except the CPU one and the one used for connection with the other Tik, either only the LAN frames or only the ITV frames can get in. Onl...
by sindy
Thu Aug 08, 2019 9:18 pm
Forum: General
Topic: Problem With SXT Lite 5
Replies: 4
Views: 510

Re: Problem With SXT Lite 5

As you mention PoE, does your switch provide power to the SXTs via PoE? If so, is it a Mikrotik switch (such as hEX PoE lite or the same hardware in different mechanical case called PowerBox) providing "passive PoE", or some other vendor's switch providing the 802.3af or at PoE? If it is a Mikrotik'...
by sindy
Thu Aug 08, 2019 9:05 pm
Forum: General
Topic: Firewall log help needed
Replies: 8
Views: 749

Re: Firewall log help needed

If you get your WAN address from your ISP via DHCP, it usually means you get it via an L2 network where you are not alone. So other clients of your ISP renew their DHCP leases, and if they do not get a response for some reason, they send the DHCPDISCOVER messages to the broadcast address 255.255.255...
by sindy
Thu Aug 08, 2019 8:50 pm
Forum: General
Topic: site to site ipsec Mikrotik/Teltonika
Replies: 24
Views: 2226

Re: site to site ipsec Mikrotik/Teltonika

OK, but unless you put the interface representing the tunnel into a zone, only the default rules apply, which say REJECT for forward. The zone concept just simplifies the rules - traffic between all interfaces in the same zone is unrestricted, whereas the rules for forwarding from any interface in o...
by sindy
Thu Aug 08, 2019 8:02 pm
Forum: General
Topic: site to site ipsec Mikrotik/Teltonika
Replies: 24
Views: 2226

Re: site to site ipsec Mikrotik/Teltonika

Well, unless you've asked it to do otherwise, the ping goes once per second, so if this message was a symptom of a problem with delivering the ping response, it should also be logged once per second, which is not the case. So as Jorge has already said, check the firewall configuration on the Teltoni...
by sindy
Thu Aug 08, 2019 7:17 pm
Forum: General
Topic: site to site ipsec Mikrotik/Teltonika
Replies: 24
Views: 2226

Re: site to site ipsec Mikrotik/Teltonika

Hello Jorge, For the "server2" certificate I didn't select tls server in key usage. For the client certificate I didn't select tls client in key usage. Shall I regenerate them?
As Jorge seems to be busy, here is my answer instead: since you could ping the remote end via the tunnel, neither end cares...
by sindy
Thu Aug 08, 2019 6:52 pm
Forum: General
Topic: Easiest way to split WAN bandwidth between bridge1 devices?
Replies: 2
Views: 359

Re: Easiest way to split WAN bandwidth between bridge1 devices?

I'm afraid you need rather QoS (queues and possibly mangle rules) handling to limit the uplink bandwidth per LAN device. Load balancing of connections can distribute each device's connections among several uplinks but cannot prevent a single device from clogging the whole bandwidth of a given uplink...
by sindy
Thu Aug 08, 2019 6:47 pm
Forum: General
Topic: Strange Network Loop
Replies: 2
Views: 383

Re: Strange Network Loop

Given that the "MELI" and "MikroTik" devices are visible as neighbors at two interfaces each, and as these interfaces are probably member ports of the same bridge, the loop may actually be there, but you've provided too little information. So a configuration export (see my automatic signature below ...
by sindy
Thu Aug 08, 2019 6:33 pm
Forum: General
Topic: site to site ipsec Mikrotik/Teltonika
Replies: 24
Views: 2226

Re: site to site ipsec Mikrotik/Teltonika

Even longer answer to 2) - both Mikrotik and Teltonika support L2 tunneling mode (called TAP on Teltonika side and ethernet at Mikrotik side), so it is technically possible to bridge the two LANs using OpenVPN in TAP/ethernet mode. But it is not recommended for multiple reasons. One is security (you...
by sindy
Thu Aug 08, 2019 4:27 pm
Forum: General
Topic: Locked out of 2 routers!
Replies: 38
Views: 2756

Re: Locked out of 2 routers!

those 3rd world WISP customers won't ask for it
I'd say it's not so much a matter of 3rd world as of ISPs as such, why on earth should an ISP do things like policy routing or even static routing on the NNI - they have redundancy mechanisms for their own network and BGP for peering and that should b...
by sindy
Thu Aug 08, 2019 1:45 pm
Forum: General
Topic: NAT to a local server
Replies: 25
Views: 1900

Re: NAT to a local server

As there is never 193.248.32.7:80 (port 80 on your public IP) as source or destination socket, but always some high port number is attached to 193.248.32.7 and port 80 is attached to the remote address, these connections are NATed connections of your LAN clients to remote http servers. So either tal...
by sindy
Thu Aug 08, 2019 12:26 pm
Forum: General
Topic: Locked out of 2 routers!
Replies: 38
Views: 2756

Re: Locked out of 2 routers!

I would not claim that... Yeah... what (censored) me most is that one of the largest resellers keeps declaring full support of IPv6 to be available on Tik. Needed a DHCPv6 server for end hosts, ended up with OpenWRT :(
However, with or without Mikrotik - unless you had NAT in IPv6, I can't imagine ...
by sindy
Thu Aug 08, 2019 12:13 pm
Forum: General
Topic: NAT to a local server
Replies: 25
Views: 1900

Re: NAT to a local server

sorry, it's ip-protocol=tcp.
by sindy
Thu Aug 08, 2019 11:48 am
Forum: General
Topic: NAT to a local server
Replies: 25
Views: 1900

Re: NAT to a local server

In this situation I suspect that your ISP is blocking access to port 80. Open a command line window as wide as your screen allows, run /tool sniffer quick interface=ether1 protocol=tcp port=80 in it and try to open the public address of your Tik in a web browser from outside. Or is the issue the sam...
by sindy
Thu Aug 08, 2019 11:21 am
Forum: General
Topic: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]
Replies: 12
Views: 1110

Re: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]

OK, so let's take the way with tagless LAN between the Tiks, I hope it will work. But do every step with safe mode on; if you don't get locked out during 30 seconds after the change, disable and re-enable safe mode to store the progress gained so far and be safe for the next step. If you get locked ...
by sindy
Thu Aug 08, 2019 9:52 am
Forum: General
Topic: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]
Replies: 12
Views: 1110

Re: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]

If you don't insist that the LAN goes tagged between the Tiks, it might be much easier to handle the ITV VLAN by switch chips. The point is that the switch chip can tag frames on ingress but not on egress, so to have VLAN 7 frames tagged at ether1, they have to get tagged already at ether2..ether4 a...
by sindy
Thu Aug 08, 2019 9:14 am
Forum: General
Topic: RB951G-2HnD dissapears
Replies: 4
Views: 494

Re: RB951G-2HnD dissapears

Netinstall is a tricky thing even if done locally so I wouldn't make any conclusions on problems with netinstall alone unless you have a lot of experience using it. Power surprises should normally only affect the power adaptors, not the devices behind them. But what does happen regularly is that the...
by sindy
Thu Aug 08, 2019 12:10 am
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

I will incorporate the firewalls once I get the Tik hotspot working on the vlan.
If ether1 gets a public IP, the machine may have already been compromised.
>Where do you add DNS server address to hotspot clients on the dhcp-server?
/ip dns - My server now is 8.8.8.8 and 8.8.4.4
>I ticked "allow-rem...
by sindy
Wed Aug 07, 2019 11:29 pm
Forum: General
Topic: Error Microtik ovpn
Replies: 1
Views: 231

Re: Error Microtik ovpn

If you don't have one such line in the log for each and every packet received, it should not be a big deal. Record the packet traffic on the interface through which the VPN clients connect to the Tik into a file using /tool sniffer, download the file to a PC and open it using Wireshark. If you find...
by sindy
Wed Aug 07, 2019 11:21 pm
Forum: General
Topic: IPSec error payload missing: ID_R
Replies: 2
Views: 343

Re: IPSec error payload missing: ID_R

I'm afraid that the responder ID can be ignored only in some authentication setups. Can you post your complete configuration? See my automatic signature below for hints on anonymisation.
by sindy
Wed Aug 07, 2019 11:17 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

First, I haven't opened your previous config so I haven't noticed your firewall is widely open; contrary to popular belief, NAT alone is not sufficient as a protection against all attacks which can come in via WAN, and it doesn't protect the router itself at all. So have a look at the default fir...
by sindy
Wed Aug 07, 2019 10:54 pm
Forum: General
Topic: Router - AP with WIFI guest on VLAN don't work
Replies: 4
Views: 455

Re: Router - AP with WIFI guest on VLAN don't work

There is no point in having VLAN 20 out of the bridge, it can stay there. At the cAP, set both the "local" and "guest" wireless interfaces along with ether1 as member ports of the only bridge, remove any /interface vlan, and configure the guest wireless interface with vlan-id=20 vlan-mode=use-tag ....
by sindy
Wed Aug 07, 2019 10:39 pm
Forum: General
Topic: Many IPS assigned to a single PC
Replies: 1
Views: 294

Re: Many IPS assigned to a single PC

To me it doesn't seem to be a matter of ROS configuration. If you look closely at the leases, you'll see that the DHCP client running on the W2012 machine uses a unique Client ID field when applying for each lease, which makes ROS' DHCP server treat them independently, hence you end up with multiple...
by sindy
Wed Aug 07, 2019 10:14 pm
Forum: General
Topic: Valid connection issues when dropping invalid packets in firewall
Replies: 11
Views: 1914

Re: Valid connection issues when dropping invalid packets in firewall

What can happen if I just remove the rule dropping invalid packets?
As I wrote just one post above - removing the drop invalid rule doesn't make the invalid packets miraculously be accepted by the accept established,related one. So if your firewall chains don't end with drop the rest rules, removin...
by sindy
Wed Aug 07, 2019 9:53 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

Post the current configuration (see my automatic signature below) as you did some changes since you've posted it before, there must be something else wrong. Other than that, I would first disable everything related to the hotspot (and set some password for the guest SSID on the AP) to check whether ...
by sindy
Wed Aug 07, 2019 8:48 pm
Forum: General
Topic: Microtik router with existing network
Replies: 64
Views: 6268

Re: Microtik router with existing network

The /interface vlan for hotspot must be attached to the bridge, not to its particular member port. And the IP address, DHCP server, and hotspot configuration for the guest network must all be attached to that /interface vlan, whilst the IP address and DHCP server for the "insider" network stays att...
by sindy
Wed Aug 07, 2019 7:32 pm
Forum: General
Topic: Fetch X-Forwarded-For string
Replies: 1
Views: 206

Re: Fetch X-Forwarded-For string

Have a look at /ip firewall layer7-protocol. But bear in mind that it will only work for plaintext http, not for https.
by sindy
Wed Aug 07, 2019 6:10 pm
Forum: General
Topic: marked routing not working
Replies: 5
Views: 594

Re: marked routing not working

The distance parameter only matters when several routes have exactly the same dst-address - otherwise a more narrow dst-address prefix matching the destination address of the packet always beats any wider one(s) also matching it. I didn't get from your description whether the client can reach 10.179...
by sindy
Wed Aug 07, 2019 5:15 pm
Forum: General
Topic: RB3011: Config import fail's with "failure: cannot change builtin"
Replies: 3
Views: 384

Re: RB3011: Config import fail's with "failure: cannot change builtin"

I'm afraid there is a difference between the "default configuration" (which is just a template of user configuration, and you can prevent it from getting loaded) and "built-in configuration" which is there even if you remove any user configuration using reset-configuration with no-defaults=yes. The...
by sindy
Wed Aug 07, 2019 4:05 pm
Forum: General
Topic: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]
Replies: 12
Views: 1110

Re: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]

I have checked load on both routers, it is near idle while watching TV. For example CPU usage never gets higher than 5%. I suppose this is not an issue.
That's quite surprising, but as you say that sound is unaffected and only the video became an SSTV one, it seems as if there was no packet loss al...
by sindy
Wed Aug 07, 2019 3:00 pm
Forum: General
Topic: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]
Replies: 12
Views: 1110

Re: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]

Your configuration prints don't show any /interface ethernet switch settings and you handle the VLAN tagging and untagging using a dedicated bridge for each VLAN, which means that the IPTV traffic is handled by the CPU. So have a look at /tool profile at both your Tik machines while watching TV, at ...
by sindy
Wed Aug 07, 2019 1:39 pm
Forum: General
Topic: Valid connection issues when dropping invalid packets in firewall
Replies: 11
Views: 1914

Re: Valid connection issues when dropping invalid packets in firewall

Not sure about your (@nethor's) setup, but in the OP from 2016, Router B's interface facing towards the SSH client was in the same subnet as the client. So while the request packets from the client went to Router A (because 192.168.10.1 was configured as the gateway of the default route or at leas...
by sindy
Tue Aug 06, 2019 9:41 am
Forum: Wireless Networking
Topic: capsman local bridge as datapath
Replies: 12
Views: 3681

Re: capsman local bridge as datapath

or RoS evolved enough to tag them correctly
I hazily remember this is the case and that it did not take long after we've discussed it here.
by sindy
Mon Aug 05, 2019 11:03 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 25465

Re: v6.45.3 [stable] is released!

I am running 6.45.1 and if I try to update to 6.45.3 I get an error: "ERROR: not enough disk space, 7.3MiB required and only 7.3MiB is free." ... I have no files on the device.
The upgrade package is downloaded to ramdisk, which may be occupied also by hidden files, so try rebooting just before th...
by sindy
Mon Aug 05, 2019 6:54 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 2098

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

and I replaced the public IP with "removed" the Mikrotik is sitting on a public IP and is NOT behind NAT then the mikrotik has a VPN pool to NAT the VPN Clients
If the Tik sits on public IP, then the restriction of the policy template's src-address to 10.222.22.1 is a nonsense, as the policy needs ...
by sindy
Mon Aug 05, 2019 5:15 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 2098

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

Port strict and NAT are unrelated. What is related is that at least Microsoft VPN client needs to be tweaked in registry to accept an L2TP server listening on a private address behind a NAT. But it can also be done without tweaking the registry using the method described here. But as you stubbornly...
by sindy
Mon Aug 05, 2019 3:13 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 2098

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

Just remove the src-address-list from the rules permitting access to UDP ports 500 and 4500
by sindy
Mon Aug 05, 2019 2:46 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 2098

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

Have you added the log topic I have suggested? Because if you did, you have to see tons of ipsec,info messages. How exactly did you set the debug?
by sindy
Mon Aug 05, 2019 2:37 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 2098

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

The failed to bind message is a cosmetic issue as you have disabled IPv6, it's not the reason why it doesn't work. Set /system logging print add topics=ipsec,!packet and see whether the log shows anything when the client tries to connect.
by sindy
Mon Aug 05, 2019 2:09 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 2098

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

OK. So you ask RouterOS to generate the settings for L2TP for you using the default profile, proposal, and template in the default policy group by setting use-ipsec=required in /interface l2tp-server server, but at the same time you have created a peer and identity on your own, so there may be a ...
by sindy
Mon Aug 05, 2019 1:39 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 2098

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

In the L2TP part, you forgot to post the /interface l2tp-server server part. That's why it's always better to post the complete export and just obfuscate the sensitive information (see the hint in my automatic signature below). So either do that or post at least /interface l2tp-server export verbose h...
by sindy
Sun Aug 04, 2019 4:47 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 25465

Re: v6.45.3 [stable] is released!

Is there some other procedure I should be following?
Yes, firmware is not automatically upgraded together with RouterOS. You have to do /system routerboard upgrade, and once it succeeds (it takes less than three seconds), reboot the machine.
by sindy
Sun Aug 04, 2019 3:27 pm
Forum: General
Topic: Help Dual WAN setup with WAN2 for just 1 site
Replies: 1
Views: 311

Re: Help Dual WAN setup with WAN2 for just 1 site

Basically you have to determine the IP addresses of the servers you need to access via the LTE and set static routes via the dongle to these addresses. A more specific route always wins over a more generic one, so it seems simple. However, depending on the properties of the dongle, RouterOS uses one...
by sindy
Sat Aug 03, 2019 9:05 pm
Forum: General
Topic: Very simple VLAN
Replies: 16
Views: 1453

Re: Very simple VLAN

You cannot simplify it the way you suggest, think about the frames carrying the response packets, which need to get tagged with the correct VID on their way to the wireless clients.
by sindy
Sat Aug 03, 2019 4:08 pm
Forum: General
Topic: Onle some services allowed over Backup link (LTE)
Replies: 3
Views: 466

Re: Onle some services allowed over Backup link (LTE)

A supercharged introduction into how firewall works is here. In your case, the rules in chain=forward of /ip firewall filter would use in-interface(-list) and src-address(-list) matching to restrict which local users can use the LTE, and dst-address(-list) to restrict which remote destinations may ...
by sindy
Sat Aug 03, 2019 3:11 pm
Forum: General
Topic: NAT-T flag missing in 6.45.3
Replies: 7
Views: 808

Re: NAT-T flag missing in 6.45.3

I confirm that 6.45.3 initiator doesn't show the N flag in print (I've got no 6.45.3 responder up at the moment) - exchange-mode=ike2 on peer, auth-method=eap on identity. An initiator in 6.45.2 (exchange-mode=ike2, auth-method=digital-signature) does show it. ESP cannot be handled even by prop...
by sindy
Sat Aug 03, 2019 1:21 pm
Forum: General
Topic: MAC Address limitation
Replies: 7
Views: 828

Re: MAC Address limitation

What @cdiedrich has proposed can be described more in detail, maybe you have missed it?
set add-arp=yes on all dhcp servers
make all the current dhcp leases which you recognize (most important, the PC from which you configure the machine) static
make the address-range of all ip pool items used by dh...
by sindy
Sat Aug 03, 2019 12:13 pm
Forum: General
Topic: Very simple VLAN
Replies: 16
Views: 1453

Re: Very simple VLAN

There is a way, however a terrible one. On the bridge, the common subnet would live, with DHCP server etc. On the ethernet facing towards the non-Mikrotik AP (say, etherX), you'd set up an /interface vlan vlan-id=99 interface=etherX name=ssid-99 (i.e. having that ethernet as carrying interface). Bu...
by sindy
Sat Aug 03, 2019 8:15 am
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

If by "this rule" you mean the two rules on the responder with comment "VPN ikev2 allow", then not exactly, these are in chain forward and to access the Tik itself, you need a rule in chain input. So a rule like chain=input action=accept in-interface-list=WAN ipsec-policy=in,ipsec before the final ...
by sindy
Sat Aug 03, 2019 7:54 am
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 25465

Re: v6.45.3 [stable] is released!

I think that statement like "!somthing" is not good... in any iptables on so on firewalls...
Why? For security or for CPU load reasons?
by sindy
Fri Aug 02, 2019 10:38 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

If there is a PC and someone able to use it, Teamviewer is a way to connect to the remote Mikrotik from the LAN side.
by sindy
Fri Aug 02, 2019 10:03 pm
Forum: General
Topic: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]
Replies: 28
Views: 2962

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

I can see nothing in the config of this side that would explain it, so most likely chain=input of /ip firewall filter on the remote Tik has to be modified to accept incoming connections via the IPsec SA. So until you manage to get there and post its configuration, there is no way to move forward.
by sindy
Fri Aug 02, 2019 8:45 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 25465

Re: v6.45.3 [stable] is released!

GRE fixed?
What exactly do you have in mind? The incorrect flagging of actually new GRE packets as invalid? If so, then no, this is not fixed in 6.45.3, but it can be worked around by adding protocol=!gre to the action=drop connection-state=invalid rules in the default firewall, or several other e...
by sindy
Fri Aug 02, 2019 7:18 pm
Forum: General
Topic: issues about ipsec over ikev2 with rsa
Replies: 8
Views: 1034

Re: issues about ipsec over ikev2 with rsa

Well, I can see this: ... Aug/02/2019 19:14:37 ipsec rrr: adding payload: CERTREQ ... Aug/02/2019 19:14:37 ipsec,debug rrr: ===== sending 297 bytes from res.pon.der.ip[500] to ini.tia.tor.ip[56595] whereas the next packet from the Apple says: ... Aug/02/2019 19:14:37 ipsec,debug rrr: ===== received ...
by sindy
Fri Aug 02, 2019 5:25 pm
Forum: General
Topic: issues about ipsec over ikev2 with rsa
Replies: 8
Views: 1034

Re: issues about ipsec over ikev2 with rsa

I have got it. So I just export client cert to p12 that includes private and public key, and CA to pem that includes public key only. Do nothing for server cert, right?
Right, but did the import of both to the Apple device and telling the VPN client which client certificate to use for connection to the Ti...
by sindy
Fri Aug 02, 2019 3:07 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 36087

Re: v6.45.2 [stable] is released!

See post #202 above.
by sindy
Fri Aug 02, 2019 2:10 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 36087

Re: v6.45.2 [stable] is released!

6.45.3 has no GRE miss-marking fix. Very Bad...
I agree it is bad, but on the other hand what is so complicated about adding protocol=!gre to the action=drop connection-state=invalid rule?
by sindy
Fri Aug 02, 2019 1:57 pm
Forum: General
Topic: issues about ipsec over ikev2 with rsa
Replies: 8
Views: 1034

Re: issues about ipsec over ikev2 with rsa

The user-level theory behind certificates is the following: the party which authenticates itself to others using a certificate must have a private key for that certificate. No one else should have access to the private key as otherwise they could impersonate the actual holder of the certificate. So ...
by sindy
Fri Aug 02, 2019 1:15 pm
Forum: General
Topic: IPsec tunnels keep reconnecting every second
Replies: 2
Views: 465

Re: IPsec tunnels keep reconnecting every second

Please post the log in some format less friendly to malware, or even better post it directly here between [code] and [/code] tags. Be aware that your public IPs are likely to be visible in the log, so if that bothers you, follow the hint in my automatic signature below.
by sindy
Fri Aug 02, 2019 12:50 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 36087

Re: v6.45.2 [stable] is released!

One day since 6.45.3 released on download, nothing here on the forum.
Can't remember seeing this behavior before.
@emils has explained that in the 6.45.3 topic you've spawned yourself - problems with the release system.
by sindy
Fri Aug 02, 2019 12:05 pm
Forum: General
Topic: Block Ping request
Replies: 9
Views: 5461

Re: Block Ping request

The order of rules matters, so a perfect rule on a wrong position in the chain cannot work because a matching packet never reaches it as it is always dropped or accepted by one of the earlier rules in that chain. Also a perfect rule in a wrong chain doesn't do what you expect.
by sindy
Fri Aug 02, 2019 11:50 am
Forum: General
Topic: IPSec and ppp tunnel precedence
Replies: 1
Views: 294

Re: IPSec and ppp tunnel precedence

Both ways are possible, the only exception is that you cannot directly tunnel one IPsec SA through another IPsec SA, which is clearly not your intention. The precedence is determined by the fact that IPsec policy match always wins - first all the routing and firewalling, including NAT, is done, and ...
by sindy
Fri Aug 02, 2019 11:36 am
Forum: General
Topic: Firewall rules based upon PPP userid
Replies: 1
Views: 281

Re: Firewall rules based upon PPP userid

There are plenty of possibilities associated to /ppp profile to which you refer from the /ppp secret, you can create an individual profile for each secret. In each /ppp profile item, you can set a name of an address-list to which the IP assigned to the user will be added, or an interface-list to w...
by sindy
Fri Aug 02, 2019 11:04 am
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 2098

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

Can you /export hide-sensitive the current configuration (at least the scrambled IPsec part as well as the L2TP part)? Maybe we can find a way to tidy it up.
by sindy
Fri Aug 02, 2019 10:52 am
Forum: General
Topic: help to set ipv6 / 48
Replies: 35
Views: 2452

Re: help to set ipv6 / 48

Just one more idea, is the 4011 your first Mikrotik ever? I've bumped into the fact that as of current, Mikrotik's DHCPv6 server only delegates prefixes to other routers but doesn't assign individual addresses to end hosts, so I had to look for alternatives and the most natural choice for me was Ope...
by sindy
Thu Aug 01, 2019 9:38 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 36087

Re: v6.45.2 [stable] is released!

I know it, but I would like download via the command line.
No problem:
/tool fetch url=("https://download.mikrotik.com/routeros/6.45.3/routeros-".[/system resource get architecture-name]."-6.45.3.npk")
by sindy
Thu Aug 01, 2019 8:23 pm
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 1692

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]

On the 760,
/ip firewall address-list
add address=192.168.5.0 list=HOME

must say
/ip firewall address-list
add address=192.168.5.0/24 list=HOME
by sindy
Thu Aug 01, 2019 6:06 pm
Forum: General
Topic: 802.1x / dot1x client not working when interface is on a bridge
Replies: 5
Views: 851

Re: 802.1x / dot1x client not working when interface is on a bridge

Question - what protocol-mode have you set on the bridge? One of the STP flavors or none?
by sindy
Thu Aug 01, 2019 3:17 pm
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 1692

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]

Now it is even more confusing. Please post the current config of both machines.
by sindy
Thu Aug 01, 2019 8:57 am
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 1692

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]

Do you test from a PC connected to some other switch which is connected to the new hEX via ether4? Because everything seems fine to me except the following: /interface bridge port ... add bridge=BR1 frame-types= admit-only-vlan-tagged ingress-filtering=yes interface=ether4 pvid=1 ... /interface brid...
by sindy
Tue Jul 30, 2019 9:07 pm
Forum: General
Topic: NAT to a local server
Replies: 25
Views: 1900

Re: NAT to a local server

@Sob was reading it diagonally too so he took my assumption that you use pppoe as a fact. Now for all ppp-based protocols you can define a script to be run when the interface goes up and another one to be run when it goes down as on-up and on-down items in /ppp profile . For dhcp client, there is on...
by sindy
Tue Jul 30, 2019 7:14 pm
Forum: General
Topic: How to set priority code on vlan (for pppoe)
Replies: 9
Views: 872

Re: How to set priority code on vlan (for pppoe)

If I tag everything with priority code 2, I think it will break my local network too... It should not as normally only advanced L2 equipment cares about that field, and it only uses it to choose which frame to send next out a given egress port if several have arrived while the previous one was bein...
by sindy
Tue Jul 30, 2019 6:44 pm
Forum: General
Topic: How to set priority code on vlan (for pppoe)
Replies: 9
Views: 872

Re: How to set priority code on vlan (for pppoe)

Hm, it should be the MAC address of the remote PPPoE server, but as I think of it, it seems we have a deadlock problem here, as you don't know its MAC address until it answers and it doesn't answer until you set the VLAN priority. So try to match on src-mac-address first: /interface ethernet switch ...
by sindy
Tue Jul 30, 2019 5:04 pm
Forum: General
Topic: NAT to a local server
Replies: 25
Views: 1900

Re: NAT to a local server

The dst-address is the one on which the rule matches, i.e. the public one (in the dst-nat chain); to-addresses is the new one to be set.
by sindy
Tue Jul 30, 2019 3:21 pm
Forum: General
Topic: How to set priority code on vlan (for pppoe)
Replies: 9
Views: 872

Re: How to set priority code on vlan (for pppoe)

You're right that PPPoE is L2 so /ip firewall rules do not handle PPPoE frames. But as /interface ethernet switch rules act on ingress frames, you have to set your rule to match the CPU port of the switch. As there is an issue with matching VLAN ID, you'll have to match on the MAC address instead, s...
by sindy
Tue Jul 30, 2019 1:34 pm
Forum: General
Topic: NAT to a local server
Replies: 25
Views: 1900

Re: NAT to a local server

The point is, as @baragoon hinted, that from the point of view of the IP stack, in-interface of packets coming from your hAP from the internet is none of the etherX ( all-ethernet ) but pppoe-out1 or how have you named the /interface pppoe-client you probably use as uplink. But it's all guessing as ...
by sindy
Tue Jul 30, 2019 11:57 am
Forum: General
Topic: Site to Site VPN passes traffic half the time
Replies: 1
Views: 230

Re: Site to Site VPN passes traffic half the time

Packet sniffing and action=log firewall rules always help localize the issue - you can see whether there is a matching encrypted packet (or two) for each plaintext packet which should have been sent through the SA, so you can see whether the issue is on encrypting/transmitting or decrypting/receivin...
by sindy
Mon Jul 29, 2019 6:16 pm
Forum: General
Topic: Stuck with L2TP VPN routing
Replies: 4
Views: 515

Re: Stuck with L2TP VPN routing

While it does seem to work, can you please confirm that the fix is the right one? If you don't need that the hosts in your brother's LAN know the actual addresses of hosts in your LAN which connect to them, and if you don't need hosts in your brother's LAN to connect to hosts in your LAN, it is the...
by sindy
Mon Jul 29, 2019 5:54 pm
Forum: General
Topic: Stuck with L2TP VPN routing
Replies: 4
Views: 515

Re: Stuck with L2TP VPN routing

First, for point-to-point tunnels it is nothing unusual that the IP addresses on the two ends of the tunnel are not "similar". The remote address is only used by routing to determine the right interface to use as output one if set as routes' gateway, but you can as well set the interface name as gat...
by sindy
Mon Jul 29, 2019 4:32 pm
Forum: General
Topic: NordVPN
Replies: 7
Views: 917

Re: NordVPN

Nothing is relevant unless the OP changes his mind - so far he's said he's given up :) But correct, as the dynamic NAT rule has been installed, it means that the IPsec connection as such has successfully negotiated so profiles and proposals are not the most important components to investigate.
by sindy
Mon Jul 29, 2019 12:08 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 36087

Re: v6.45.2 [stable] is released!

Did you check your firewalls allow inbound GRE? If you check the notes there was a fix for a bug that allowed it when it shouldn't've been allowed. ...and while fixing that one, another one has been introduced which incorrectly labels the initial packet of a GRE connection with connection-state=inv...
by sindy
Mon Jul 29, 2019 12:03 pm
Forum: General
Topic: VPN L2TP on RB2011UiAS
Replies: 1
Views: 221

Re: VPN L2TP on RB2011UiAS

Start by posting your current configuration following the hint in my automatic signature below.
by sindy
Sun Jul 28, 2019 7:24 pm
Forum: General
Topic: IKEv2 Blackberry OS10
Replies: 1
Views: 306

Re: IKEv2 Blackberry OS10

There has been a change in IKEv2 - pre-shared-key-xauth is not supported any more since 6.44, but I somehow hesitate to believe that the Blackberry uses it, especially as the iPhone keeps working. The log at Mikrotik is worth checking even though Mikrotik itself is happy. /system logging add topics=...
by sindy
Sun Jul 28, 2019 6:52 pm
Forum: General
Topic: NordVPN
Replies: 7
Views: 917

Re: NordVPN

What you posted is not the complete configuration, just the filter part of the firewall and the ipsec configuration. So if the issue is elsewhere (other firewall tables, routing), we cannot spot that. Other than that, first check the recent similar topic , chances are high that you are affected by t...
by sindy
Sun Jul 28, 2019 5:28 pm
Forum: General
Topic: site to site ipsec Mikrotik/Teltonika
Replies: 24
Views: 2226

Re: site to site ipsec Mikrotik/Teltonika

First, the openvpn implementation in RouterOS is very limited. It doesn't support UDP transport, compression, and pushing routes to client. So you have to configure the Teltonika accordingly (TCP transport, no compression). And you have to choose the same tunneling mode (L2 or L3) at both the server...
by sindy
Sat Jul 27, 2019 6:01 pm
Forum: General
Topic: IKEv2 to NordVPN
Replies: 2
Views: 431

Re: IKEv2 to NordVPN

I followed tutorial on wiki and NordVPN homepage but result is that my PC opens only google and rest internet not?? Any ideas? This is a different kind of issue than the one in the OP, so please open a separate topic for it. And instead of just referring to tutorials, post the complete resulting co...
by sindy
Sat Jul 27, 2019 5:49 pm
Forum: General
Topic: VLAN - Multiple Trunk Port
Replies: 1
Views: 302

Re: VLAN - Multiple Trunk Port

So are you saying you have a star topology with the CRS328 in the centre and those CRS112's are not connected to each other, and nevertheless all the traffic only goes via a single port of the CRS328? If not, can you post a drawing of your actual topology and an export of the configurations of the s...
by sindy
Sat Jul 27, 2019 12:12 pm
Forum: General
Topic: Why need to kick-start a IKEv2 connection to provider
Replies: 5
Views: 623

Re: Why need to kick-start a IKEv2 connection to provider

I read it in the Wiki: It is very important that bypass rule is placed at the top of all other NAT rules. ... Oh, OK. But that's all still relevant to the traditional use of VPN, where it is desirable to avoid NAT. In the model where you get a dynamically assigned public address and you need that t...
by sindy
Sat Jul 27, 2019 11:59 am
Forum: General
Topic: EOIP and Portforward
Replies: 7
Views: 770

Re: EOIP and Portforward

It is always better to post full configuration (between [ code] and [ /code] tags), following the anonymisation hints in my automatic signature below, as a lot of things need to be guessed otherwise. I assume that the gateway of the default route in routing table main (i.e. the one with no routing-m...
by sindy
Sat Jul 27, 2019 11:16 am
Forum: General
Topic: VPN to Mikrotik for an Android phone!!!
Replies: 6
Views: 667

Re: VPN to Mikrotik for an Android phone!!!

It would have been nice when you could use a small file to "import" a VPN configuration on the phone like on most platforms, but I have not found how to do it on Android. well... such a file would be as secure or insecure as a plaintext file, so you can deliver a plaintext file "somehow" to the And...
by sindy
Sat Jul 27, 2019 12:21 am
Forum: General
Topic: issues about ipsec over ikev2 with rsa
Replies: 8
Views: 1034

Re: issues about ipsec over ikev2 with rsa

The configuration seems fine to me for the stuff named "apple" (as the other peer is shadowed by the "apple" one, the identity related to it doesn't work as well but I guess it is no surprise to you). So do you have the complete certificate chain from client's and server's certificates' root CAs thr...
by sindy
Sat Jul 27, 2019 12:11 am
Forum: General
Topic: VPN to Mikrotik for an Android phone!!!
Replies: 6
Views: 667

Re: VPN to Mikrotik for an Android phone!!!

Can you link to those Android 9 L2TP issues? I've set up an L2TP/IPsec VPN for my friend so that he could access his cameras, and his wife's Android 9 phone works fine with that setup.
by sindy
Sat Jul 27, 2019 12:08 am
Forum: General
Topic: IPSEC / Xauth on Mikrotik problem
Replies: 5
Views: 531

Re: IPSEC / Xauth on Mikrotik problem

I hazily remember reading something about "dangerous" characters in the password which cause trouble. So as the first step, try a "less secure" xauth password with no special characters in it (only upper and lower case letters and digits) to exclude this.
by sindy
Sat Jul 27, 2019 12:01 am
Forum: General
Topic: Trying to set-up a main PPPoE and failover PPPoE
Replies: 1
Views: 295

Re: Trying to set-up a main PPPoE and failover PPPoE

First activate logging of PPPoE and set up a file name to store a packet capture: /system logging add topics=pppoe /tool sniffer set file-name=pppoe-trouble.pcap Next, run /log print follow-only file=pppoe-trouble where topics~"pppoe|interface" in one command-line window, and in another one, run /to...
by sindy
Fri Jul 26, 2019 11:46 pm
Forum: General
Topic: EOIP and Portforward
Replies: 7
Views: 770

Re: EOIP and Portforward

Any ideas? Without seeing the actual configuration, I'd expect the routing to be the issue. You need that the response from the server in the LAN subnet is routed out the same WAN through which the corresponding request came in, and this does not happen automatically, you need to use policy routing...
by sindy
Fri Jul 26, 2019 11:35 pm
Forum: General
Topic: Why need to kick-start a IKEv2 connection to provider
Replies: 5
Views: 623

Re: Why need to kick-start a IKEv2 connection to provider

The current client config in ROS has an option to set Prerouting or Output These are designed for another use case than the one you expect, it's for the payload packets to be transported using IPsec. The original purpose of VPNs is to interconnect sites running on private addresses via public inter...
by sindy
Thu Jul 25, 2019 12:00 am
Forum: General
Topic: IPsec phase 2
Replies: 31
Views: 1540

Re: IPsec phase 2

Congratulations. I only changed the src-address in policy to 10.0.1.0/28 That would mean that the log is reprehensibly silent for IKE(v1) phase 2, not mentioning the traffic selector of the policy to be sent to the remote party in that unresponded message, the remote party doesn't notify you about t...
by sindy
Wed Jul 24, 2019 11:42 pm
Forum: General
Topic: pppoe-1 not reconnecting
Replies: 9
Views: 648

Re: pppoe-1 not reconnecting

I may be missing something, but I've understood from the OP that the issue to be addressed was the need to reboot the machine as softer methods didn't lead to re-establishment of the connection? So unless the script reboots the machine (no matter what way of detecting the issue it uses), it cannot r...
by sindy
Wed Jul 24, 2019 11:12 pm
Forum: General
Topic: Port 80 redirect [SOLVED]
Replies: 14
Views: 739

Re: Port 80 redirect [SOLVED]

I'm not as beerly as most of my fellow citizens so feeding me with beer is a waste of beer. But I like another thing I haven't seen elsewhere yet, the blueberry juice. Unfortunately the cooperation for which I used to visit Lj has ended a few years ago so it is unpredictable when I get there next ti...
by sindy
Wed Jul 24, 2019 10:56 pm
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 1692

Re: RB951G & NordVPN (IKEv2/IPsec) [SOLVED]

If things have reached the level of purchasing new hardware, I'd rather recommend hAP ac². As compared to hEX S, it has a switch chip with independent VLAN learning and support of hybrid ports, and wireless hardware which you may just disable if you don't need it but it's there if you ever need it, ...
by sindy
Wed Jul 24, 2019 10:50 pm
Forum: General
Topic: Port 80 redirect [SOLVED]
Replies: 14
Views: 739

Re: Port 80 redirect [SOLVED]

it's a simple tax on all those Czechs and Polaks hoarding towards summer holidays in Croatia ;-) You should be applying for a refund just because you stopped at local restaurant :lol: Hehe. I think I've spent much more on them when driving to Lj than when transiting to Croatia even though one was u...
by sindy
Wed Jul 24, 2019 10:33 pm
Forum: General
Topic: IPsec phase 2
Replies: 31
Views: 1540

Re: IPsec phase 2

I'd say you could get here on a boat using gravity alone, switching river only once. After drifting through the capital it's just few more kilometers to go. As for the attachment - I think it's not a matter of English, except that due to the natural structure of the sentence, in our native language ...
by sindy
Wed Jul 24, 2019 9:57 pm
Forum: General
Topic: IPsec phase 2
Replies: 31
Views: 1540

Re: IPsec phase 2

No attachment... first, can you describe the exact procedure to upload a picture here from a local file? I could not find any way except a link to external http server which then remains as a link in the post. Second, ulozto will do if you want me to see the pcap.