Community discussions

Search found 7746 matches
by sindy
Fri Sep 24, 2021 3:30 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT
Replies: 15
Views: 343

Re: Setting up IKEv2 VPN Server behind NAT

Well... the policy with a /24 at dst-address is a template, but I admit I never dug deep into what happens if the responder has to suggest a TS first because the initiator doesn't. So you may want to reduce the pool to a single address and set the same address as a /32 in the template, to a) verify ...
by sindy
Fri Sep 24, 2021 1:03 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT
Replies: 15
Views: 343

Re: Setting up IKEv2 VPN Server behind NAT

Here is the complete log: ... I couldn't figure out what goes really wrong, thank you so much for your help! What goes wrong is clear - this: responder selector: 192.168.200.0 /24 . The phone should get a single address from the pool via mode-config (or rather its IKEv2 equivalent to be precise). W...
by sindy
Fri Sep 24, 2021 11:05 am
Forum: General
Topic: 2 MT routers, but one having problems with internet
Replies: 9
Views: 202

Re: 2 MT routers, but one having problems with internet

I was just thinking there has to be a way to make an address list for IoTs and make them all static will solve it!!
There is - https://wiki.mikrotik.com/wiki/Manual:I ... P_Bindings . But it is an additional management burden as compared to splitting the networks.
by sindy
Fri Sep 24, 2021 10:28 am
Forum: General
Topic: 2 MT routers, but one having problems with internet
Replies: 9
Views: 202

Re: 2 MT routers, but one having problems with internet

Should we assume you are using the hotspot functionality of RouterOS? If so, do you really need the wired devices you named to share the same subnet/L2 segment with the wireless devices that you want to only get access to the internet after login? I mean, there are some home automation devices that ...
by sindy
Fri Sep 24, 2021 9:44 am
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT
Replies: 15
Views: 343

Re: Setting up IKEv2 VPN Server behind NAT

we did together long time ago: https://forum.mikrotik.com/viewtopic.php?t=160805. The notification about your update to that thread from this July never made it to my mailbox. I assume you've resolved it? I have no idea about UDP1025, this is not forwarded on ISP's router to Tik. it's a source port...
by sindy
Thu Sep 23, 2021 10:12 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT
Replies: 15
Views: 343

Re: Setting up IKEv2 VPN Server behind NAT

@erkexzcx, if I understand it correctly (no own experience so far), latest Androids support IKEv2 natively, i.e. you don't need to install Strongswan. The screenshots from the OP suggest that that's what he's dealing with here - the graphics does not resemble the one of the Strongswan app.
by sindy
Thu Sep 23, 2021 10:07 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 12
Views: 484

Re: Slow EOIP tunnel in one direction

what is interesting, is that the packet size is now different - on Router B the largest packet is 770, on Router A - 1514 so, somewhere MTU is different ? I have no clue whether this happens due to different MTU as such, but something on the path between the routers indeed does fragment the packets...
by sindy
Thu Sep 23, 2021 6:35 pm
Forum: General
Topic: Loss of connection continuously with LtAP LTE6 kit
Replies: 9
Views: 176

Re: Loss of connection continuously with LtAP LTE6 kit

Make sure that you don't lose power for some time (a UPS or just a set of batteries should be sufficient), and repeat the same command with upgrade=yes, praying intensively and sincerely :)
by sindy
Thu Sep 23, 2021 6:11 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT
Replies: 15
Views: 343

Re: Setting up IKEv2 VPN Server behind NAT

I have exported the certificates (both ca and both the client) from winbox, in PKCS format, and providing a passphrase. You should not have exported the CA certificate using the passphrase, as the private key of the CA should never leave the CA. But this is "only" a security issue (anyone...
by sindy
Thu Sep 23, 2021 5:14 pm
Forum: General
Topic: Loss of connection continuously with LtAP LTE6 kit
Replies: 9
Views: 176

Re: Loss of connection continuously with LtAP LTE6 kit

First question, what does /interface lte firmware-upgrade 0 upgrade=no show?
by sindy
Thu Sep 23, 2021 5:12 pm
Forum: General
Topic: 2 MT routers, but one having problems with internet
Replies: 9
Views: 202

Re: 2 MT routers, but one having problems with internet

Not enough info. Are you trying both routers on the same internet uplink or on different ones? If on the same one, are you sure that the ISP doesn't lock the connection to a particular MAC address/client ID? On the hAP ac2, does the WAN interface come up at physical level? If yes, /system logging ad...
by sindy
Thu Sep 23, 2021 12:21 am
Forum: General
Topic: Problems With 5060 Sip Wildixin
Replies: 3
Views: 230

Re: Problems With 5060 Sip Wildixin

1) Missing dst-address=<WAN_PUBLIC_IP> on all rules yes, but he's got in-interface=ether1 , so the absence of dst-address=<WAN_PUBLIC_IP> doesn't break anything 2) I work with VoIP from 2010 and every time SIP ALG IS ON, without using stun and proxy, never a problem. SIP ALG is great if phones are a...
by sindy
Wed Sep 22, 2021 11:53 pm
Forum: General
Topic: problems about VPN connection over multi-ISP
Replies: 1
Views: 72

Re: problems about VPN connection over multi-ISP

It is possible to set up two L2TP clients on the same router to connect to the same remote server, each via another WAN. Doing so involves use of the src-address parameter of the /interface l2tp-client row, and use of policy routing that takes source address into account when choosing a route. But y...
by sindy
Wed Sep 22, 2021 11:46 pm
Forum: General
Topic: Problems With 5060 Sip Wildixin
Replies: 3
Views: 230

Re: Problems With 5060 Sip Wildixin

Post the export of the complete configuration, there may be filter rules that break it. An unrelated remark: don't use to-ports in the NAT rules unless you need to change the port. With dst-port=1234 to-ports=1234 , it is just a waste of CPU but nothing bad happens; with dst-port=10000-15000 to-port...
by sindy
Wed Sep 22, 2021 11:12 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 22
Views: 504

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

Actually there are 3 possibilities EoIP tunnel, IP tunnel and GRE tunnel, I am using GRE is there any important differences or recommendations which one to prefer? IPIP (IPencap) tunnel has the least overhead of the three. If you encrypt it using IPsec in transport mode, it has the same overhead as ...
by sindy
Wed Sep 22, 2021 10:16 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 22
Views: 504

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

Something like this?
Yes, both of us came to the same conclusion/solution, let's wait for the OP's reaction :)
by sindy
Wed Sep 22, 2021 10:07 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 22
Views: 504

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

OK, I start getting it. When you mentioned You can say, that I should use public just for this server, but I can not to afford it because I have only one public IP and need it for several other purposes. it didn't come to my mind that you were talking about assigning the public IP directly to the we...
by sindy
Wed Sep 22, 2021 8:33 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 22
Views: 504

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

I still don't get what are your expectations and why the additional selectivity of the dstnat rule is not sufficient. My understanding was that requests coming from the internet via WAN outside any VPN tunnel should be redirected to a particular web server A, whereas requests coming inside the VPN t...
by sindy
Wed Sep 22, 2021 7:37 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT
Replies: 15
Views: 343

Re: Setting up IKEv2 VPN Server behind NAT

Everything you wrote seems fine to me. What you haven't written is how exactly did you export the client certificate for the Android and what are the properties of the Mikrotik's certificate. If the client certificate is not created the proper way, where the client creates a certificate signing requ...
by sindy
Wed Sep 22, 2021 7:23 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 22
Views: 504

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

The action=dst-nat rule must match on additional criteria in order to distinguish the traffic coming in via the WAN from the internet from the traffic coming in via the GRE tunnel. If you make the rule match on in-interface=the-wan-interface-name , it won't match on packets coming in via the GRE int...
by sindy
Wed Sep 22, 2021 7:14 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 12
Views: 484

Re: Slow EOIP tunnel in one direction

As you wrote that it worked before, I didn't study deep the configurations (or maybe I've missed them, or maybe you have added them to the OP later). It is better to attach configuration exports directly here, either as file attachments (which may require some karma) or into the body of the post, be...
by sindy
Wed Sep 22, 2021 5:22 pm
Forum: General
Topic: Bridge "Distance" vs Static Route
Replies: 9
Views: 761

Re: Bridge "Distance" vs Static Route

So if I read you right, assuming that the secondary device is connected to ether1 of the LtAP, you can see the packets from server1 or server2 to arrive via sstp-out1 and leave via ether1, but no responses to come back via ether1 from the secondary device? Or you can see the ping packet to only arriv...
by sindy
Wed Sep 22, 2021 11:45 am
Forum: General
Topic: one cable / 2VLANS
Replies: 4
Views: 144

Re: one cable / 2VLANS

Just connect the Mikrotiks using that single cable and add VLAN interfaces on the ETH interface on both devices. Simple answers only work in simple contexts. Here, only a high-level context has been given in the OP. So your answer may be spot on or it may be completely misleading. But as the OP has...
by sindy
Wed Sep 22, 2021 11:11 am
Forum: General
Topic: one cable / 2VLANS
Replies: 4
Views: 144

Re: one cable / 2VLANS

That's what VLANs are intended for. This topic explains everything about VLANs, but maybe you should read this one first.
by sindy
Tue Sep 21, 2021 10:34 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1262

Re: Need help on rb750gr3 about maximum lan connection

Your test 2 shows that the issue is between the PC and the internet - if the wireless APs had limitations on the number of NATed connections, their clients would have been affected but the test PC would not. So the service parameters and/or the modem/router are to be focused at. The APs can wait.
by sindy
Tue Sep 21, 2021 10:28 pm
Forum: General
Topic: Bridge "Distance" vs Static Route
Replies: 9
Views: 761

Re: Bridge "Distance" vs Static Route

6.45.9, which for the LtAP is the highest it can go without the SIM card becoming inoperable That's already weird alone. I'm running 6.47.10 in an LtAP and LTE works fine, so maybe some at-chat needs to be adjusted for the special needs of your MNO? Or maybe the LTE modem itself needs to get upgrad...
by sindy
Tue Sep 21, 2021 10:17 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 583

Re: Change macaddress to lte interface.

I read on another forum and from an example of sib that the provider does not have the macaddress to recognize the router model but only the imei. That's my understanding too, but the mobile world is in constant evolution and the MNOs come with new and new ideas how to get more money for the same s...
by sindy
Tue Sep 21, 2021 10:06 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 423

Re: Problem with building QinQ on "new bridge" with vlan-filtering

I wonder why the forum hasn't warned me about your posts following the last-but-one from me...

Regardless of that woe, yes, it is simple when you have a single C-VLAN to be packed into a single S-VLAN, but it becomes more complicated if the other requirements need to be fulfilled simultaneously.
by sindy
Tue Sep 21, 2021 9:37 pm
Forum: General
Topic: How to determine the real (actual) MTU of the L2TP+IPsec tunnel?
Replies: 12
Views: 381

Re: How to determine the real (actual) MTU of the L2TP+IPsec tunnel?

Mikrotik fixed this issue for gre tunnels (Dont Fragment:inherit setting), but for l2tp tunnels this issue still not fixed for unknown reason... The reason is that the PPP standard says nothing about respecting the Don't fragment bit, and Mikrotik chose not to go beyond the requirements of the sta...
by sindy
Tue Sep 21, 2021 9:29 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 423

Re: Problem with building QinQ on "new bridge" with vlan-filtering

If VLANs 10 and 20 are S-VLANs, like VLANs 52 and 53, the Huawei configuration above makes sense to me, because the first tag of all frames on the switch is of the same type (S-tag, 0x88a8). But maybe you use the C-VLAN and S-VLAN only to describe the roles of the tags, and expect both to have ether...
by sindy
Tue Sep 21, 2021 5:25 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 423

Re: Problem with building QinQ on "new bridge" with vlan-filtering

I would have preferred a drawing to a configuration from other vendor I just know to exist, but it seems you confirm my understanding, that C-VLANs 3110 to 3120 all come tagged to ether1. As you've said you need to also bridge some VLANs within the Mikrotik, I'll put together an example Mikrotik con...
by sindy
Tue Sep 21, 2021 5:14 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 12
Views: 484

Re: Slow EOIP tunnel in one direction

If 1/2 of all ESP packets are marked duplicated, it's 99.9 % a measurement method error - I assume your WAN interface is a bridge, and the sniffer captures the same packet twice, once as it enters the bridge on the "bridge" interface between the router software and the bridge software, and...
by sindy
Tue Sep 21, 2021 1:33 pm
Forum: General
Topic: Problem with delivery / looking for alternative [SOLVED]
Replies: 9
Views: 390

Re: Problem with delivery / looking for alternative [SOLVED]

I fell into the same rabbit hole, no way it came to my mind you might be installing actual cAPs (2,4 GHz only, 4 W only, single FastEthernet port only) these days. Ask your distributor also about TP-link PoE switches like TL-SG2428P, here the price of this model is comparable with the CRS you've cho...
by sindy
Tue Sep 21, 2021 9:06 am
Forum: General
Topic: Problem with delivery / looking for alternative [SOLVED]
Replies: 9
Views: 390

Re: Problem with delivery / looking for alternative [SOLVED]

Or you may use the passive injectors bundled with the cAP ac for those 6 cAPs that exceed the power budget of each switch. It is definitely not nice, but you only need a forking DC cable and an 80 W power supply at 24 to 48 V. Or even an AC extension cord with 12 free outlets if there's a supply shor...
by sindy
Tue Sep 21, 2021 8:10 am
Forum: General
Topic: first L2TP UDP package received from
Replies: 1
Views: 156

Re: first L2TP UDP package received from

Debug logs & packet sniffing at both ends are the only way to find out whether it is a RouterOS bug or a network issue. The L2TP server process may not respond because something is wrong in the initial packet from the client, or because something is broken in the server code. Or the response of ...
by sindy
Mon Sep 20, 2021 11:16 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1262

Re: Need help on rb750gr3 about maximum lan connection

Does this mean that the problem is not on my network? Is it congested on the modem router or server equipment on the ISP side? The result of your test No.2 (where the traffic of the test PC did not pass through the Mikrotik but was nevertheless affected by the traffic passing through the Mikrotik) ...
by sindy
Mon Sep 20, 2021 10:17 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1262

Re: Need help on rb750gr3 about maximum lan connection

Already did that. Please see the network topology i posted above. I cannot see that on the drawing in your OP. What I've understood from your post describing the tests was that you've tried to connect the test PC directly to the ISP router/modem alone, with the WAN of the 750 disconnected connect t...
by sindy
Mon Sep 20, 2021 10:00 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 423

Re: Problem with building QinQ on "new bridge" with vlan-filtering

If it's not difficult for you, can you write your proposal as configuration commands? Sure I can, but first I have to understand what your actual goal is, as the following statement According to my logic (and the description), tag 3119 is not removed in my configuration (for some reason) in traffic...
by sindy
Mon Sep 20, 2021 9:36 pm
Forum: General
Topic: Bind Webfig and ssh to a vlan
Replies: 11
Views: 391

Re: Bind Webfig and ssh to a vlan

I did not understand that the bridge itself can be part of the vlan-tagging. The "bridge" object in RouterOS actually consists of three distinct components, as I've explained in the topic I've linked in my previous post. So here, the "bridge itself" you mention is actually the v...
by sindy
Mon Sep 20, 2021 5:38 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 12
Views: 484

Re: Slow EOIP tunnel in one direction

The way to measure with UDP and with TCP differs, with UDP it is best to limit the sending rate to the expected throughput, and you should see no lost packets if everything is OK. If you let the transmitting end send with unlimited speed, you get some lost packets even if the network path is fine...
by sindy
Mon Sep 20, 2021 5:25 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1262

Re: Need help on rb750gr3 about maximum lan connection

Why is it like that? is it because the modem router of ISP can't handle it? Please make a third test, connecting only Mikrotik's WAN to the ISP's modem/router, and connecting only your PC to Mikrotik's LAN. If the results are the same like when you connect the PC alone to the ISP's modem/router, th...
by sindy
Mon Sep 20, 2021 4:23 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP
Replies: 11
Views: 418

Re: Router to router (site to site) IKEV2 with Dynamic IP

This one was quite useful for me back in 2016 when I knew almost nothing about RouterOS. Just bear in mind that certificate-based authentication is an add-on to this or, better to say, just a small change to the IPsec configuration but an additional area to study when it comes to creating the certi...
by sindy
Mon Sep 20, 2021 4:03 pm
Forum: General
Topic: IPSec Site2Site VPN vs. OpenVPN client [SOLVED]
Replies: 4
Views: 368

Re: IPSec Site2Site VPN vs. OpenVPN client [SOLVED]

As expected, both your existing IPsec policies only have src-address=192.168.40.0/24 , whereas the OpenVPN clients get their addresses from pool OVPNpool with ranges=10.1.2.100-10.1.2.110 . So you either have to add two more policies, same like the existing ones, but with src-address=10.1.2.96/28 , ...
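The post above turns a pool range (10.1.2.100-10.1.2.110) into a single prefix (10.1.2.96/28) that an IPsec policy's src-address can carry. The following is an added example, not code from the post or from RouterOS, that does that computation and shows which pool addresses an existing policy would leave unmatched; the pool and policy values are the ones quoted in the post, used as constructed sample input.

```python
import ipaddress

# Added example: smallest single CIDR block that contains every address of an
# /ip pool range, i.e. the prefix to put into an IPsec policy src-address.
def covering_prefix(first: str, last: str) -> ipaddress.IPv4Network:
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    net = ipaddress.ip_network(f"{lo}/32")
    # Widen the prefix one bit at a time until the last pool address fits.
    while hi not in net:
        net = net.supernet()
    return net

# Addresses inside the covering prefix that are NOT in the pool: the policy
# would match them too, which is harmless here but worth knowing.
def extra_addresses(first: str, last: str) -> list:
    net = covering_prefix(first, last)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(a) for a in net if a < lo or a > hi]

# Pool addresses that a policy with the given src-address would not match
# (the situation described in the post: OpenVPN clients outside 192.168.40.0/24).
def uncovered_clients(policy_src: str, pool_first: str, pool_last: str) -> list:
    allowed = ipaddress.ip_network(policy_src)
    addr, hi = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    missing = []
    while addr <= hi:
        if addr not in allowed:
            missing.append(str(addr))
        addr += 1
    return missing

if __name__ == "__main__":
    # Values quoted in the post (constructed sample input, not a real export).
    pool = ("10.1.2.100", "10.1.2.110")
    print("policy src-address:", covering_prefix(*pool))          # 10.1.2.96/28
    print("extra addresses in that prefix:", extra_addresses(*pool))
    print("clients missed by the old policy:",
          uncovered_clients("192.168.40.0/24", *pool))
```

The covering block is a superset of the pool (here it also contains .96-.99 and .111); if that matters, the alternative is one policy per summarized sub-range rather than one covering prefix.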
by sindy
Mon Sep 20, 2021 12:00 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 19753

Re: v7.1rc3 [development] is released!

May I ask while you are at it : what is "fastpath" and what's the difference between fastpath and fasttrack ? https://wiki.mikrotik.com/wiki/Manual:Fast_Path https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack If you need another wording or if the manual refers to other terms you need an e...
by sindy
Mon Sep 20, 2021 11:51 am
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 12
Views: 484

Re: Slow EOIP tunnel in one direction

IPSEC tunnel seems to have the performance I need in both directions. (or the test with "/tool bandwidth-test <IPofIPSECtunnel> duration=10s protocol=tcp" does not prove it ?) if the <IPofIPSECtunnel> is the private one inside the tunnel, then yes, it does prove it. However, there's a dif...
by sindy
Mon Sep 20, 2021 9:09 am
Forum: General
Topic: Bind Webfig and ssh to a vlan
Replies: 11
Views: 391

Re: Bind Webfig and ssh to a vlan

The documentation explicitly prohibits attaching an /interface vlan to an underlying interface which is also a member port of a bridge. There are a few other similar cases where RouterOS accepts such an incorrect setting and it even works most of the time, but some weird effects occur in some packet...
by sindy
Mon Sep 20, 2021 8:27 am
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 19753

Re: v7.1rc3 [development] is released!

It is something special for just IPsec then and not applicable to other offloading mechanisms? Hardware accelerated bridging means that a switch chip forwards the frames directly, without the CPU even knowing about their existence. There are typically no switch chips on the hosts where CHRs are run...
by sindy
Mon Sep 20, 2021 8:14 am
Forum: General
Topic: Bind Webfig and ssh to a vlan
Replies: 11
Views: 391

Re: Bind Webfig and ssh to a vlan

vlan90 is not a member of interface list LAN , so chain input of /ip firewall filter drops incoming traffic from it on the row of /interface bridge vlan for vlan-ids=90 , bridge is not on the tagged list, so frames tagged with VID 90 are not allowed to egress through the virtual port of the virtual...
by sindy
Mon Sep 20, 2021 8:02 am
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 12
Views: 484

Re: Slow EOIP tunnel in one direction

As you mention you use null encryption for performance reasons, what particular models are the two routers in question? The thing is that so far all mysteries like this I've come across tracked down to packet loss, in some cases only the small second fragments of the transport packets were dropped. ...
by sindy
Sun Sep 19, 2021 11:24 pm
Forum: General
Topic: access systems on LAN via VPN [SOLVED]
Replies: 3
Views: 302

Re: access systems on LAN via VPN [SOLVED]

There are at least two posts from myself, and countless ones from others, on this forum, explaining why you need to use proxy-arp or out-of-LAN subnet addresses.

IPsec has nothing to do with that, it's the L2TP, or any other PPP-based tunneling protocol.
by sindy
Sun Sep 19, 2021 9:34 pm
Forum: General
Topic: High memory usage
Replies: 7
Views: 1599

Re: High memory usage

How long does it take the memory to get full? How many devices at LAN side? Connection tracking can consume a lot of memory, but it normally releases it as the connection ends, so if it takes more than a day for the memory to get exhausted, it should not be the reason. If it's less than a day, broke...
by sindy
Sun Sep 19, 2021 9:27 pm
Forum: Beginner Basics
Topic: CCR2004-1G-12S+2XS slow NAT performance [Fixed]
Replies: 30
Views: 1815

Re: CCR2004-1G-12S+2XS slow NAT performance

Oh, I've noticed only now you're using the bandwidth test on the Mikrotik itself. The manual explicitly states that you cannot use a bandwidth test running on a given machine to test the routing capacity of that same machine, as the bandwidth test itself consumes a lot of CPU resources. So if you ru...
by sindy
Sun Sep 19, 2021 8:46 pm
Forum: General
Topic: Inconsistent static DHCP with SFP+/DAC
Replies: 4
Views: 347

Re: Inconsistent static DHCP with SFP+/DAC

The ultimate resource is always the relevant standard, which is the RFC in DHCP case. But the client id value is generated by the client, and it need not necessarily be based on the client's MAC address.
by sindy
Sun Sep 19, 2021 8:16 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 583

Re: Change macaddress to lte interface.

If the first byte ends with anything else than 0,4,8, or c, it is a "locally administered address", which is the same in all Mikrotiks if their own R11e-LTE or R11-LTE6 modem is used; if it doesn't, try macvendors.com . It is enough to enter the first three bytes into their form.
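The distinction the post draws lives in the low bits of the first octet of the MAC address: bit 0x02 is the U/L bit (set means locally administered, so there is no vendor OUI to look up) and bit 0x01 is the I/G bit (set means a group, i.e. multicast, address). The following is an added example, not code from the post or from RouterOS, that tests those bits directly and extracts the three-byte OUI that a lookup service such as macvendors.com expects; the sample addresses are constructed, apart from the 90:FD:73 prefix quoted later in the thread.

```python
# Added example: classify a MAC address by the U/L and I/G bits of its first octet.

def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'; return 6 raw bytes."""
    hexdigits = "".join(ch for ch in mac if ch not in ":-.")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)

def classify_mac(mac: str) -> dict:
    octets = parse_mac(mac)
    first = octets[0]
    local = bool(first & 0x02)   # U/L bit: locally administered address
    group = bool(first & 0x01)   # I/G bit: group (multicast) address
    return {
        "oui": octets[:3].hex(":"),            # first three bytes, e.g. '90:fd:73'
        "locally_administered": local,
        "multicast": group,
        # Only a universally administered unicast address carries a vendor OUI
        # that a registry lookup can resolve.
        "lookup_worthwhile": not local and not group,
    }

if __name__ == "__main__":
    # Constructed sample addresses (the 90:FD:73 prefix is the one quoted in the thread).
    for sample in ("90:FD:73:00:00:01", "02:00:00:aa:bb:cc", "01:00:5e:00:00:01", "dc2c.6e00.0001"):
        print(sample, classify_mac(sample))
```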
by sindy
Sun Sep 19, 2021 8:13 pm
Forum: General
Topic: Routing rule not working
Replies: 12
Views: 422

Re: Routing rule not working

Since multiple people have reported complete loss of configuration with 7.1rc3, I'd say don't bother trying, use mangle, and try /routing/rule again in 7.1rc4 once it appears.
by sindy
Sun Sep 19, 2021 8:09 pm
Forum: Beginner Basics
Topic: CCR2004-1G-12S+2XS slow NAT performance [Fixed]
Replies: 30
Views: 1815

Re: CCR2004-1G-12S+2XS slow NAT performance

I cannot spot anything wrong in the configuration, what is the output of /ip/firewall/connection/print where srcnat ? I'm not interested in the addresses, just in the flags, there should be s everywhere for src-nat and F for fasttracking.
by sindy
Sun Sep 19, 2021 7:55 pm
Forum: General
Topic: Routing rule not working
Replies: 12
Views: 422

Re: Routing rule not working

I have attached the complete configuration in this post. The following piece of configuration, /routing table add fib name=via-personal-vpn add fib name=lte-failover add fib name=primary-wan , also seems fine to me. So if it works if you use mangle rules to assign the routing-mark , I'm afraid ther...
by sindy
Sun Sep 19, 2021 7:26 pm
Forum: General
Topic: Routing rule not working
Replies: 12
Views: 422

Re: Routing rule not working

Not sure why you post pictures ? It's not pictures, it's proper text-mode prints of the actual routes. Export only shows you the static configuration, which is sometimes insufficient, especially in cases like this one where everything seems right configuration-wise. With RouterOS 7.x, you cannot re...
by sindy
Sun Sep 19, 2021 7:12 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 583

Re: Change macaddress to lte interface.

If so, it should actually be simpler, as you'd just modify the existing setup slightly.

The reason why I'm asking what MAC address is being shown currently at the LTE interface is that I suspect it is the router's own one, not one of the LTE modem.
by sindy
Sun Sep 19, 2021 6:30 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 583

Re: Change macaddress to lte interface.

the mac address to clone starts with 90:FD:73... I wasn't asking what MAC address you wanted to set, I was asking what MAC address the Mikrotik was showing for the Quectel modem. so using passthrough all routerboard settings are excluded and it works as only lte extension for another router ? Not al...
by sindy
Sun Sep 19, 2021 6:19 pm
Forum: General
Topic: CRS312-4C+8XG L2 VLAN slow performance [Fixed]
Replies: 8
Views: 311

Re: CRS312-4C+8XG L2 VLAN slow performance [Fixed]

The bandwidth test running on the switch itself indeed does load the CPU, plus it doesn't test bridging/switching throughput of the HW offloaded forwarding as the CPU is involved in the transfers. So that way you measure the CPU performance, not the switch chip performance.
by sindy
Sun Sep 19, 2021 6:15 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1262

Re: Need help on rb750gr3 about maximum lan connection

As the ISP gives you a 400 Mbit/s connection as you wrote in the OP, the modem/router they gave you should be capable to sustain that speed. The hEX is in a different position as you ask it not only to forward the traffic but also to do the bandwidth enforcement. Also, you throttle the bandwidth to ...
by sindy
Sun Sep 19, 2021 5:14 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 583

Re: Change macaddress to lte interface.

What are the first three bytes of the current MAC address of the LTE interface? And how exactly do you set the MAC address of an LTE interface on the mobile?
by sindy
Sun Sep 19, 2021 4:02 pm
Forum: General
Topic: CRS312-4C+8XG L2 VLAN slow performance [Fixed]
Replies: 8
Views: 311

Re: CRS312-4C+8XG L2 VLAN slow performance, misconfiguration?

The configuration seems correct except ether9 being a member port of a non-existent bridge, and /interface bridge port print shows the hardware offloading to be active. So either there is a bug in this indication, and you have to set fast-leave and frame-types on the /interface bridge port rows to t...
by sindy
Sun Sep 19, 2021 3:47 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP
Replies: 11
Views: 418

Re: Router to router (site to site) IKEV2 with Dynamic IP

The safer authentication method you use, the less you have to care about the address of the remote peer. With properly generated certificates (CSR generated at the device that will use the certificate to authenticate itself to others, signing the CSR by a CA, and importing the signed certificate to ...
by sindy
Sun Sep 19, 2021 3:28 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP
Replies: 11
Views: 418

Re: Router to router (site to site) IKEV2 with Dynamic IP

Set them exactly as you would if both had a static public IP, using the site to site example from the manual, but set passive=yes address=0.0.0.0/0 in the peer properties at the one with static IP. And set exchange-mode to ike2 rather than main at both. That's all.
by sindy
Sun Sep 19, 2021 3:23 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1262

Re: Need help on rb750gr3 about maximum lan connection

I would recommend to go step by step. First, remove the queues completely and re-enable the fasttracking rule in firewall, see the behaviour and CPU load. Next, disable the fasttracking rule, wait for some time (an hour or so) to let the fasttracked connections spontaneously die out, see the behavio...
by sindy
Sun Sep 19, 2021 2:57 pm
Forum: General
Topic: Access clients that are (each) on same subnet as the other.
Replies: 2
Views: 217

Re: Access clients that are (each) on same subnet as the other.

If you don't need to access other devices in 192.168.100.x but the Mikrotiks themselves, the fact that their local WAN subnets are the same doesn't matter. You assign an address to each L2TP client from the server, so you just have to make sure that this address doesn't fall into the local WAN subne...
by sindy
Sun Sep 19, 2021 2:53 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 583

Re: Change macaddress to lte interface.

If we really talk about MAC address change, not an IMEI change, it might be possible to use the LTE in passthrough mode and change the MAC address on the Ethernet interface of the external router connected to the LTE one.
by sindy
Sun Sep 19, 2021 2:47 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 776

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

Mikrotik tries hard to keep the price tag acceptable for sensitive markets and squeeze maximum from the hardware components chosen. Which leads to this confusion, where some models support L2 offloading only if VLAN filtering is disabled, other models support it even with VLAN filtering enabled, and...
by sindy
Sun Sep 19, 2021 2:35 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP
Replies: 11
Views: 418

Re: Router to router (site to site) IKEV2 with Dynamic IP

If you've got a static public IP at at least one peer, just make that one a responder only ( passive=yes ) and that's it. You only need to use dynamic DNS if none of the peers has a static public IP. And if none of them has a public IP, not even a dynamic one, it's yet another challenge which may or...
by sindy
Sun Sep 19, 2021 2:28 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 776

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

@mozerd, HW offload of bridging and HW offload of routing are two independent features. What you quote doesn't mention the latter one.
by sindy
Sun Sep 19, 2021 2:25 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 825

Re: Is my hAPac^2 dead?

I had an issue with the previous laptop where exiting netinstall on the laptop and running it again while the router was still in netinstall mode was the only way to make the router show up in the list in the netinstall, but this case was different - the router did show up, but if I pressed install ...
by sindy
Sun Sep 19, 2021 1:58 pm
Forum: General
Topic: access systems on LAN via VPN [SOLVED]
Replies: 3
Views: 302

Re: access systems on LAN via VPN [SOLVED]

Either use an /ip pool for the VPN clients that doesn't fit into the LAN subnet (a preferred solution), or set arp=proxy-arp at the bridge interface. Only do that if the Windows clients use the VPN tunnel only to access the devices in Mikrotik's LAN, not as a default gateway.
by sindy
Sun Sep 19, 2021 1:34 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 423

Re: Problem with building QinQ on "new bridge" with vlan-filtering

The pvid must differ from 3119 on the /interface bridge port row linking ether1 to br_justnet , and ether1 must be on the tagged list on that single row of /interface bridge vlan , otherwise you strip the tag with VID 3119 on egress through ether1 . And you don't need to enable tag stacking at the b...
by sindy
Sun Sep 19, 2021 1:00 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 825

Re: Is my hAPac^2 dead?

That makes it easier indeed... It didn't in my case 😡 I could always see the router to tftp the netinstall binary from the PC and then to keep sending the license code again and again, but somehow the request from the PC to erase the flash got misinterpreted, because the only thing it caused was th...
by sindy
Sun Sep 19, 2021 12:53 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 776

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

Fast track is a combination of fast path and connection tracking, and as such is only relevant for routed traffic. If I were in this situation (given my home uplink parameters, I'm unfortunately not - no point in buying anything nearly as powerful as RB5009), I would use a step-by-step approach - fi...
by sindy
Sun Sep 19, 2021 11:20 am
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1450

Re: Client isolation within VLAN and fast roaming

However wouldn't this still allow clients to flood the network with broadcast and other traffic and potentially L2 malware? Ideally such traffic should be filtered at each AP. How about this rule instead or even in addition to the one you suggested: chain=output out-interface=ether1 mac-protocol=vl...
by sindy
Sat Sep 18, 2021 8:03 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 776

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

Out of all @anav's suggestions, the most interesting point is "what do you expect from the use-ip-firewall-for-vlan=yes?"
by sindy
Sat Sep 18, 2021 7:16 pm
Forum: General
Topic: VPN setup for Windows 10 [SOLVED]
Replies: 2
Views: 351

Re: VPN setup for Windows 10 [SOLVED]

/system logging add topics=ipsec,!packet will make the log much more verbose, and you'll be able to see what is the contents of the Phase 1 proposal coming from Windows.

If I remember well, Windows doesn't support sha256, at least unless you do some PowerShell magic.
by sindy
Sat Sep 18, 2021 5:29 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 825

Re: Is my hAPac^2 dead?

Netinstall downloads its own loader to RAM, so unless you've upgraded the bootloader from a running 7.x, you should still be able to netinstall unless there is a hardware problem. Yesterday it took me more than 10 attempts before I could finally netinstall a hAP lite using netinstall 6.47.10 on Windo...
by sindy
Sat Sep 18, 2021 2:45 pm
Forum: General
Topic: IPSEC-related configuration of /ip firewall filter input chain
Replies: 3
Views: 306

Re: IPSEC-related configuration of /ip firewall filter input chain

@msatter, the rules in filter in chain input the OP has found necessary to be added deal with the transport packets of the tunnel, whereas your suggested action=notrack rules in raw deal with the payload of the tunnel. And the OP's concern is not CPU load but the fact that he has to add firewall rul...
by sindy
Sat Sep 18, 2021 2:34 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1262

Re: Need help on rb750gr3 about maximum lan connection

I'm afraid that following video tutorials focusing on a single aspect is not the best way for a beginner, even if they are made by knowledgeable authors, which too often is not the case. So I'd suggest that you describe the target configuration in layman's terms so that we could offer you tailored c...
by sindy
Sat Sep 18, 2021 12:40 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1262

Re: Need help on rb750gr3 about maximum lan connection

Click the [Terminal] button in Winbox or WebFig, a command line window will open. In that command line window, type export hide-sensitive file=some-name . Then download some-name.rsc , and if some public IPs exist in the file, obfuscate them before posting the file here (see my automatic signature b...
by sindy
Sat Sep 18, 2021 12:04 pm
Forum: General
Topic: Scheduler stops executing script
Replies: 22
Views: 1153

Re: Scheduler stops executing script

When you change a particular value of the start time (i.e. xx:xx:xx, not "startup"), the scheduler calculates the subsequent actual startup times from the new value and the "interval" value. So you can set a start time deep in the past, and repeated runs will continue even after r...
by sindy
Sat Sep 18, 2021 11:54 am
Forum: General
Topic: IPSec Site2Site VPN vs. OpenVPN client [SOLVED]
Replies: 4
Views: 368

Re: IPSec Site2Site VPN vs. OpenVPN client [SOLVED]

You haven't posted the configuration of the routers (see my automatic signature below), so I can just guess that your IPsec policies do not match on the IP prefix from which you assign addresses to the OpenVPN clients.
by sindy
Fri Sep 17, 2021 11:06 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1450

Re: Client isolation within VLAN and fast roaming

First, try pinging 192.168.88.252 from the CAPsMAN one with arp-ping=yes interface=bridge - it should respond, indicating that there's a firewall issue. If it responds, try /tool mac-telnet 2C:C8:1B:63:7C:15 (the login and password are asked by the CAPsMAN one, so the fact that you get asked doesn't...
by sindy
Fri Sep 17, 2021 10:26 pm
Forum: General
Topic: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)
Replies: 2
Views: 328

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

You can create a certificate signing request on Mikrotik, get it signed by the Windows CA, and import the signed certificate to the Mikrotik, i.e. the proper way how certificates should be handled, where the private key never leaves the device that has generated it. The way with client certificates ...
by sindy
Fri Sep 17, 2021 10:16 pm
Forum: General
Topic: IPSEC-related configuration of /ip firewall filter input chain
Replies: 3
Views: 306

Re: IPSEC-related configuration of /ip firewall filter input chain

First, you are right, the rules you've identified are necessary to make your particular setup work. Second, this is a user forum, so not the right place for feature requests, at least not outside the dedicated "feature request" topic. The official channel to submit feature requests is via ...
by sindy
Thu Sep 16, 2021 11:18 pm
Forum: General
Topic: Route ALL NTP traffic over a specific WAN [SOLVED]
Replies: 30
Views: 1039

Re: Route ALL NTP traffic over a specific WAN [SOLVED]

@Sindy, do we get a packet flow blessing or are you going to pretzel another suggestion??? The OP has asked for "all NTP traffic", not "all traffic to a particular IP address". If you want traffic to a particular destination address to be sent via a particular WAN, you don't nee...
by sindy
Thu Sep 16, 2021 11:13 pm
Forum: General
Topic: Is there an error on the Manual:Interface/L2TP wiki page?
Replies: 2
Views: 293

Re: Is there an error on the Manual:Interface/L2TP wiki page?

You're right, the password item on the /interface l2tp-client row at the client router must match the password item on the /ppp secret row at the server router, whereas the secret items must match in the IPsec configurations. But worse than that, the Wiki page you refer to uses the old structure of ...
by sindy
Thu Sep 16, 2021 11:01 pm
Forum: General
Topic: Redundant or at least failover IPSec VPN Tunnels [SOLVED]
Replies: 6
Views: 463

Re: Redundant or at least failover IPSec VPN Tunnels [SOLVED]

Is it possible you could elaborate on the GRE failure issues you alluded to previously?

viewtopic.php?p=847677#p847677
by sindy
Thu Sep 16, 2021 10:20 pm
Forum: General
Topic: Route ALL NTP traffic over a specific WAN [SOLVED]
Replies: 30
Views: 1039

Re: Route ALL NTP traffic over a specific WAN [SOLVED]

The answer is here . In brief, packets sent and received by the router itself are processed by other firewall chains than packets the router just forwards. What is not immediately clear from that diagram is that when the router itself sends a packet, first of all a route to the destination is found ...
by sindy
Thu Sep 16, 2021 4:16 pm
Forum: General
Topic: Redundant or at least failover IPSec VPN Tunnels [SOLVED]
Replies: 6
Views: 463

Re: Redundant or at least failover IPSec VPN Tunnels [SOLVED]

BTW, any config tips to get started :)? The first config tip is to prefer IPIP over GRE. Mikrotik cannot use the extra bytes of GRE's overhead to create multiple tunnels between the same pair of IP addresses, plus there is some additional headache with GRE handling in firewall (unless they've recen...
by sindy
Thu Sep 16, 2021 9:49 am
Forum: General
Topic: IPSec issues.
Replies: 4
Views: 362

Re: IPSec issues.

I'm no expert here but I do not see your IPSec Policy configuration in your CLI data. @fsebera, for some reason, the export doesn't show all IPsec-related configuration in a single contiguous block. So there is /ip ipsec peer , then unrelated stuff, and then comes /ip ipsec identity and /ip ipsec p...
by sindy
Thu Sep 16, 2021 9:46 am
Forum: General
Topic: IPSec issues.
Replies: 4
Views: 362

Re: IPSec issues.

Before addressing the topic issue: your firewall rules do not protect your routers from anything . If the routers are directly connected to internet, they may well be part of a botnet now. The reason is that the default handling in Mikrotik's firewall is "accept", so packets that do not ma...
by sindy
Thu Sep 16, 2021 9:08 am
Forum: General
Topic: VPN with static routes on client side(without default gateway)
Replies: 4
Views: 337

Re: VPN with static routes on client side(without default gateway)

To state that more explicitly than @fsebera - currently, RouterOS doesn't support "route push" for any other VPN protocol but IPsec. And it must be bare IPsec - route push doesn't work if you use IPsec to protect any "usual" tunnel like IPIP or GRE. For the embedded VPN client on...
by sindy
Thu Sep 16, 2021 9:03 am
Forum: General
Topic: Redundant or at least failover IPSec VPN Tunnels [SOLVED]
Replies: 6
Views: 463

Re: Redundant or at least failover IPSec VPN Tunnels [SOLVED]

For any (local address[:port], remote address[:port], IP protocol) tuple, only a single SA may be used at a time. So Mikrotik has implemented a possibility to link a single policy to two peers, allowing a failover scheme where a single "branch office" router has two "headquarters"...
by sindy
Wed Sep 15, 2021 10:19 am
Forum: General
Topic: Need help with VPN setup
Replies: 6
Views: 398

Re: Need help with VPN setup

What you show does indeed indicate phase 1 success. And yes, 6.36.whatever is very old and a device running that version must not be exposed to internet - if it was connected to internet without tight enough firewall rules, netinstall it again (not just upgrade) to a current long-term version (6.47....
by sindy
Wed Sep 15, 2021 12:15 am
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1450

Re: Client isolation within VLAN and fast roaming

I connected the second cAP (via ether1) to the managed switch while keeping the reset button pressed for 10 seconds (5 seconds after the LED started blinking) ... Finally, I looked up the second cAP's IP in the leases tab of the first cAP's DHCP Server section to which I then tried to connect from t...
by sindy
Tue Sep 14, 2021 11:21 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1450

Re: Client isolation within VLAN and fast roaming

My new problem is: How can I gain access to a cAP ac in CAPs mode. The CAPsMAN device did assign it an IP (192.168.88.235). I tried to access it via SSH, Telnet and WebFig via Ethernet 1 to no avail. How did you get the cAP ac into the CAP mode? Because what you describe normally doesn't happen, ap...
by sindy
Mon Sep 13, 2021 10:48 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1450

Re: Client isolation within VLAN and fast roaming

there does not seem to be a function to configure the bridge in CAPsMAN.
Correct, there is unfortunately none, CAPsMAN only takes care about the wireless interfaces. So you have to add the bridge filter rules device by device.
by sindy
Mon Sep 13, 2021 9:43 am
Forum: General
Topic: Is it possible to NAT/PAT this traffic?
Replies: 10
Views: 617

Re: Is it possible to NAT/PAT this traffic?

The connection tracking also provides an attribute called connection-nat-state , so instead of assigning a dedicated connection-mark value using an extra rule in mangle , you can let the filter rule match on connection-nat-state=dstnat . It seems to be less selective than the connection-mark approac...
by sindy
Sun Sep 12, 2021 10:56 pm
Forum: General
Topic: L2TP - I think the response is going out through the wrong interface
Replies: 2
Views: 303

Re: L2TP - I think the response is going out through the wrong interface

1) post the export of the configuration from one of the affected routers, it sure looks as if a route was either missing or one too many. As @BartoszP suggests, this may be a consequence of an upgrade. See my automatic signature right below for a mini-howto on the export. 2) do you use the EoIP tunn...
by sindy
Sun Sep 12, 2021 11:38 am
Forum: General
Topic: Mangle + NAT + Policy Routing
Replies: 11
Views: 4355

Re: Mangle + NAT + Policy Routing

As far as I know /ppp profile has priority over /interface xxx-server, is that correct? More precisely, the profile value from /ppp secret overrides the default-profile value from /interface xxx-server server . So yes, if you specify a profile on each /ppp secret row, no need to change the "las...
by sindy
Sun Sep 12, 2021 10:52 am
Forum: General
Topic: Prioritize VoIP traffic, which speed to enter [SOLVED]
Replies: 1
Views: 366

Re: Prioritize VoIP traffic, which speed to enter [SOLVED]

Priority means priority. A highest priority packet will always overtake those waiting in any other queue, provided it fits into the limit of its own queue. So if you mark the VoIP packets to the highest priority queue and set unreasonably high limit-at and max-limit values for that queue, and set ve...
by sindy
Sun Sep 12, 2021 10:24 am
Forum: General
Topic: Mangle + NAT + Policy Routing
Replies: 11
Views: 4355

Re: Mangle + NAT + Policy Routing

OK, so you need to src-nat the payload traffic (sent inside the tunnel). But your action=mark-connection rule matches on protocol=tcp src-port=1198 , which seems to refer to the transport packets of the OpenVPN (those forming up the tunnel). As the IP firewall has no knowledge about the relationship...
by sindy
Sat Sep 11, 2021 4:03 pm
Forum: General
Topic: Mangle + NAT + Policy Routing
Replies: 11
Views: 4355

Re: Mangle + NAT + Policy Routing

I need that for OpenVPN, can't make it work @nichky, in your case, is the Mikrotik with these rules the OpenVPN client or server? Or none of the two and it just forwards someone else's OpenVPN connections? In any case, assigning a connection-mark alone has no effect on routing, you have to translate...
by sindy
Sat Sep 11, 2021 3:57 pm
Forum: General
Topic: Mangle + NAT + Policy Routing
Replies: 11
Views: 4355

Re:

But I'd like to know, why connection marking do not work :( What actually doesn't work, or rather works too good, is the rule translating the connection-mark to routing-mark . You've only got a single (default) route in the routing table dip-kav , and your action=mark-routing rule doesn't care abou...
by sindy
Sat Sep 11, 2021 3:46 pm
Forum: General
Topic: ?? How to renew SIP registration / connection from PBX after WAN failover ??
Replies: 5
Views: 429

Re: ?? How to renew SIP registration / connection from PBX after WAN failover ??

So, any hints on a script that can toggle (10secs downtime / flap) that ethernet port the PBX is connected to, when a WAN failover occurs? Or is there a smarter solution? There is no standardized way to tell an ordinary SIP UA "please re-register now", so your one (disable the Ethernet po...
by sindy
Sat Sep 11, 2021 8:29 am
Forum: General
Topic: Solve ISP VPN L2TP throttle (CCR to CCR)
Replies: 28
Views: 1493

Re: Solve ISP VPN L2TP throttle (CCR to CCR)

Message sent, you can edit/remove the post.
by sindy
Fri Sep 10, 2021 10:18 pm
Forum: General
Topic: Forward all traffic on local device to vpn connection
Replies: 6
Views: 438

Re: Forward all traffic on local device to vpn connection

Looking at the masquerade rule counters, I'd say the setup works, but the VPN provider checks TTL of packets and drops them if the TTL is too low, which indicates that the L2TP client is a router, not a computer. Open a commandline window using the [Terminal] button, make it as wide as your screen a...
by sindy
Fri Sep 10, 2021 9:47 pm
Forum: General
Topic: Forward all traffic on local device to vpn connection
Replies: 6
Views: 438

Re: Forward all traffic on local device to vpn connection

/ip firewall nat add chain=srcnat out-interface=l2tp-out1 action=masquerade
/ip route add gateway=l2tp-out1 routing-mark=via-l2tp
/ip route rule add src-address=192.168.1.95 action=lookup-only-in-table table=via-l2tp

Depending on your current configuration, you may need to place the firewall rule a...
by sindy
Fri Sep 10, 2021 9:23 pm
Forum: General
Topic: Is it possible to NAT/PAT this traffic?
Replies: 10
Views: 617

Re: Is it possible to NAT/PAT this traffic?

So I need to change the destination port that the client is trying to connect to AND also change the source address as it leaves the Mikrotik router so that the database server will see a connection attempt from 10.1.1.2:(random source port) I can't see anything complex in this task if we talk abou...
by sindy
Fri Sep 10, 2021 9:03 pm
Forum: General
Topic: Mikrotik 5g modem + antenna recommendations
Replies: 2
Views: 390

Re: Mikrotik 5g modem + antenna recommendations

The LHGG LTE6 looks great to me CPU-wise. It may not perform as great as you expect in your particular deployment, depending what actually means "remote areas" and "the country" in your case. The following is nothing Mikrotik specific, it's pure physics - in general, lower freque...
by sindy
Fri Sep 10, 2021 8:38 pm
Forum: General
Topic: Drop all rule blocking PPTP
Replies: 5
Views: 404

Re: Drop all rule blocking PPTP

Then put in a block all else drop rule at the end of each chain. In fact, one common "drop the rest" rule in the root chain is sufficient - although the action name "jump" suggests otherwise, when a packet reaches the end of a custom chain without matching any of that chain's ru...
by sindy
Fri Sep 10, 2021 8:33 pm
Forum: General
Topic: Drop all rule blocking PPTP
Replies: 5
Views: 404

Re: Drop all rule blocking PPTP

If there was a "driving license for routing", successful completion of the "how firewalls work" test should be mandatory to get the "setting up VPNs" permission category. The "drop everything else" name you've used says it all. There simply isn't any rule befo...
by sindy
Fri Sep 10, 2021 7:58 pm
Forum: General
Topic: BTest blocked - any alternative
Replies: 5
Views: 483

Re: BTest blocked - any alternative

RouterOS normally does not permit dst-nat of outgoing sessions (nor src-nat of incoming sessions), but there is an ugly trick allowing both. It will cost some CPU cycles, but I assume your router model is powerful enough that the bottleneck for the btest would be the LTE throughput. choose any two o...
by sindy
Fri Sep 10, 2021 7:09 pm
Forum: General
Topic: Multiple encrypted ends in a IPSEC Tunnel not reachable at same time
Replies: 2
Views: 389

Re: Multiple encrypted ends in a IPSEC Tunnel not reachable at same time

A quick shot - change the level parameter of both policies to unique and try again.
by sindy
Fri Sep 10, 2021 3:54 pm
Forum: General
Topic: Solve ISP VPN L2TP throttle (CCR to CCR)
Replies: 28
Views: 1493

Re: Solve ISP VPN L2TP throttle (CCR to CCR)

NP, just substitute the @ by something else (like !!!) to make the bots' life harder.
by sindy
Fri Sep 10, 2021 3:49 pm
Forum: General
Topic: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]
Replies: 10
Views: 635

Re: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]

Please, no biggie here. It's just me being new into this box. In up-to-date RouterOS, an Ethernet port can be "enslaved" to a bridge or to a bonding interface. To remove it from a bridge , which is the case for ether2..ether5 in default configuration, remove or disable the corresponding ro...
by sindy
Fri Sep 10, 2021 3:32 pm
Forum: General
Topic: Ipsec not traffic passing
Replies: 33
Views: 2266

Re: Ipsec not traffic passing

When sending a packet, the router first finds a route based on the destination address, and only then chooses the local IP address based on the route. So on R1: since there is no dedicated route to 10.59.100.0/24, the packet gets the router's address attached to the interface through which the gatew...
by sindy
Thu Sep 09, 2021 10:48 pm
Forum: General
Topic: Ipsec not traffic passing
Replies: 33
Views: 2266

Re: Ipsec not traffic passing

In the output of /ip ipsec active-peers print , the PH2-TOTAL column indicates the number of active policies towards the remote peer; since it is empty, it means the SA could not be negotiated successfully. The fact that there is no A in the status column of the /ip ipsec policy print confirms that....
by sindy
Thu Sep 09, 2021 9:57 pm
Forum: General
Topic: Point-to-Point IPSec IKEv2 VPN with discontiguous Nets [SOLVED]
Replies: 2
Views: 374

Re: Point-to-Point IPSec IKEv2 VPN with discontiguous Nets [SOLVED]

You can associate multiple (at least tens of) policies to the same peer (or a pair of peers since 6.47.something).
by sindy
Thu Sep 09, 2021 9:43 pm
Forum: General
Topic: IPSec Policy brokes packet flow. [SOLVED]
Replies: 1
Views: 240

Re: IPSec Policy brokes packet flow. [SOLVED]

What you describe is an intentional behaviour, which is required by the IPsec RFC. In short, a packet matching a traffic selector of any existing policy with action=encrypt must not be sent, nor received, in any other way than via the security association linked to that policy, for security reasons....
by sindy
Thu Sep 09, 2021 8:20 pm
Forum: General
Topic: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]
Replies: 10
Views: 635

Re: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]

"slave" ports used to be a way to configure "hardware accelerated bridging" (actually, switching by the switch chip) before RouterOS 6.41, which rolled out five years ago. There, you configured one ethernet interface as "master", and in default configuration, "mast...
by sindy
Thu Sep 09, 2021 4:29 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1450

Re: Client isolation within VLAN and fast roaming

Oops, sorry... I forgot the virtual interfaces created on the CAPsMAN are nevertheless individual ones. But they are still connected to a single bridge so the horizon functionality may be used to isolate them.
by sindy
Thu Sep 09, 2021 11:12 am
Forum: General
Topic: Ipsec not traffic passing
Replies: 33
Views: 2266

Re: Ipsec not traffic passing

I can do nothing but repeat again - post the current configurations, not a reference to a manual. A single typo can break everything, so no point in reading the manual, all we need are the current actual configurations.
by sindy
Thu Sep 09, 2021 8:20 am
Forum: General
Topic: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]
Replies: 10
Views: 635

Re: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]

According to the configuration export you've posted in your other topic, ether3 to ether5 are not members (slaves) of any bridge or bond. So what are you talking about? The routes in red? Connected routes via interfaces that are currently down because nothing is connected to them are made inactive (...
by sindy
Wed Sep 08, 2021 10:28 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1450

Re: Client isolation within VLAN and fast roaming

The first option seems to bottleneck all traffic through one of the cAPs, right? It depends on what you mean by bottleneck. The CAPsMAN need not run on one of the APs, it can as well run on a wireless-less router, and there must be some device in the whole network that acts as a router and firewall...
by sindy
Wed Sep 08, 2021 3:03 pm
Forum: General
Topic: Not able to reach my PBX public address
Replies: 5
Views: 351

Re: Not able to reach my PBX public address

It seems to me more like a topic for a Grandstream forum. As you have a WAN bridge on the Mikrotik, you'd have to have /interface bridge filter or /interface bridge nat rules in place to interfere with the bridging, or you would have to have use-ip-firewall.* set to yes under /interface bridge setti...
by sindy
Wed Sep 08, 2021 2:54 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1450

Re: Client isolation within VLAN and fast roaming

In "CAPsMAN forwarding" mode, client isolation works among clients of all physical cAPs (if activated of course) because the virtual wireless interface runs at the CAPsMAN machine. In "local forwarding" mode, you would need bridge filter rules on each of the cAPs, allowing only f...
by sindy
Wed Sep 08, 2021 10:01 am
Forum: General
Topic: MikroTik RB4011iGS+RM
Replies: 3
Views: 451

Re: MikroTik RB4011iGS+RM

If so, how do you measure the throughput? The packet that comes from the internet towards the public IP address reachable via the GRE tunnel occupies the download bandwidth of the WAN uplink, and then it occupies the upload bandwidth of the same WAN uplink as it is being sent encapsulated into GRE t...
by sindy
Wed Sep 08, 2021 9:31 am
Forum: General
Topic: Can Someone Explain this!!!!
Replies: 20
Views: 1298

Re: Can Someone Explain this!!!!

Since you talk about "customers", chances are high that you've got some bandwidth shaping rules (using queues) in place. If so, it's what @bpwl suggests - that client has attracted (willingly or unwillingly) a traffic volume his contract doesn't allow. So that traffic arrives via the uplin...
by sindy
Wed Sep 08, 2021 9:00 am
Forum: General
Topic: ipsec multiple users [SOLVED]
Replies: 2
Views: 372

Re: ipsec multiple users [SOLVED]

You need a dedicated identity for that user, referring to their individual certificate as remote-certificate , with match-by set to certificate and mode-config set to a mode-config row dedicated for that user, which in turn refers to a dedicated pool (or an individual IP address). Because, as you've...
by sindy
Tue Sep 07, 2021 11:45 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

Yes I know that the mangle rules did not work because of fast-track being enabled That's not exactly true. The mangle rules adjusting TCP MSS actually do work even when the fasttracking rule is enabled, because these particular rules handle just the first two packets of each TCP session, the SYN an...
by sindy
Tue Sep 07, 2021 9:27 pm
Forum: General
Topic: port forwarding problem
Replies: 4
Views: 420

Re: port forwarding problem

Sorry, the statement saying that the same configuration of client routerboard worked with another ISP is confusing. Since your drawing mentions the two CCRs, I assume you are the ISP technician; did you work for another ISP before, or how do you know the same client routerboard worked with another I...
by sindy
Tue Sep 07, 2021 8:56 pm
Forum: General
Topic: Something must be really wrong on my configuration. Needs real help here! [SOLVED]
Replies: 23
Views: 1188

Re: Something must be really wrong on my configuration. Needs real help here! [SOLVED]

A clear mistake I can see is that you've set /ip address ... add address=10.0.2.0/24 comment="PPPoE pool4" interface=ether5 network=10.0.2.0 (the own address of an interface must never be the same as the network address). Whether this causes also ether3 and ether4 subnets to become unreac...
by sindy
Tue Sep 07, 2021 8:37 pm
Forum: General
Topic: STP active on OSI level 1?
Replies: 7
Views: 564

Re: STP active on OSI level 1?

Sorry, I've completely missed that the APs were Ubiquiti ones (on the drawing, only the one to the left from the CRS is explicitly marked as a Ubiquiti one). So when STP is enabled on the CSS but disabled on the Ubiquiti devices, the 15-second interruptions exist? If so, could it be that the Ubiqui...
by sindy
Tue Sep 07, 2021 4:50 pm
Forum: General
Topic: STP active on OSI level 1?
Replies: 7
Views: 564

Re: STP active on OSI level 1?

My understanding was that STP operates at OSI level 2 - the loop, if one would exist, would be on level 1. Is my understanding incorrect? STP is an L2 protocol, but it can block forwarding of traffic through a port, which effectively looks like blocking of L1. And STP also reacts to L1 state change...
by sindy
Tue Sep 07, 2021 4:11 pm
Forum: General
Topic: Multiple winbox logins
Replies: 7
Views: 674

Re: Multiple winbox logins

Do you happen to have command line windows (Terminal) open in the winbox sessions in question?
by sindy
Mon Sep 06, 2021 10:27 pm
Forum: General
Topic: Filter Content in Firewall with DOT (.) in string [SOLVED]
Replies: 19
Views: 1067

Re: Filter Content in Firewall with DOT (.) in string [SOLVED]

No. You have to use a byte whose value is the length of the subsequent part of the domain name, example:

\08somename\03com

I don't remember the encoding of byte values exactly, I just remember it differs between regexp (used in layer7 rules) and contents. Check the manual.
by sindy
Mon Sep 06, 2021 10:21 pm
Forum: General
Topic: LTE Bridge Vlan help.
Replies: 7
Views: 446

Re: LTE Bridge Vlan help.

Again, what is the default route on the LtAP?

Using DHCP is just one possible way to make it work.
by sindy
Mon Sep 06, 2021 9:55 pm
Forum: General
Topic: MikroTik RB4011iGS+RM
Replies: 7
Views: 471

Re: MikroTik RB4011iGS+RM

Yep, those 1436 would be MSS, not MTU. Many people keep mixing up the two as the most suggested workaround for issues with path MTU discovery is MSS adjustment. Also, the description in the OP suggests that maybe a packet for the public IP arrives via WAN, gets encapsulated into GRE and leaves via t...
by sindy
Mon Sep 06, 2021 8:54 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

It depends. If you are in mainland France, you may be able to choose an ISP for your home that has a better connection to OVH's network. If you are overseas, so there is a satellite link somewhere in the path, it's very likely that all ISPs will have the same issue.
by sindy
Mon Sep 06, 2021 7:53 pm
Forum: General
Topic: Having issues routing all traffic over GRE tunnel.
Replies: 1
Views: 315

Re: Having issues routing all traffic over GRE tunnel.

I'm slightly lost in your description, so let me rephrase it to check whether I've understood it properly. The client's Mikrotik has 12.34.56.78/26 on its "physical" WAN. It also has 1.2.3.1/25 on the GRE tunnel, effectively acting as another WAN. All you want is that requests coming from ...
by sindy
Mon Sep 06, 2021 7:36 pm
Forum: General
Topic: MikroTik RB4011iGS+RM
Replies: 3
Views: 451

Re: MikroTik RB4011iGS+RM

From your description, it seems as if you delegate one of the 8 public IPs to a remote device using the GRE tunnel, so when a packet for that IP address arrives to the 4011's WAN, it gets encapsulated into GRE and sent via the same WAN to the remote device, is that the case?
by sindy
Mon Sep 06, 2021 7:23 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

Those pictures show that most of the delay is between your ISP and the VPN provider's network. The first one shows that the responses from the last private IP in the ISP's network arrive in 15 ms on average, whereas the responses from the first responding OVH server arrive in 116 ms on average. The ...
by sindy
Mon Sep 06, 2021 5:39 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

I've done that but didn't understand the results that much. The results show you (or not) IP addresses of the routers between your home and the destination, and the total round-trip delay (i.e. including the previous hops) to each of them. Can you paste the result here, hiding the actual addresses o...
by sindy
Mon Sep 06, 2021 5:15 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

My CPU load is almost always at 0% :D Can I disable those two /ip firewall mangle rules? You can try to disable them and see whether it affects the performance or not. Given that the overall performance is not stable, you may have to do several tests in each state to make a reliable conclusion. Als...
by sindy
Mon Sep 06, 2021 4:06 pm
Forum: General
Topic: EOIP DDNS & CGNAT
Replies: 2
Views: 273

Re: EOIP DDNS & CGNAT

If the IPs at both sites are dynamic, you'll always have some short-term interruption whenever one of the addresses changes. If you don't mind, and you don't mind using some DDNS system to publish the current public IP address of Site A, you can manually configure IPsec with a responder at Site A an...
by sindy
Mon Sep 06, 2021 4:00 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

@jaxed8 , What about Wireguard? I think it's available on RouterOS v7 Yes, Wireguard is available in ROS 7, and it is pretty fast as such on a 4011. However, TCP and ~120 ms round trip delay may mean lower throughput even if encryption and decryption alone works very fast. The only VPN protocol to ...
by sindy
Sun Sep 05, 2021 10:50 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

Grrr... I forgot the obvious... disable the action=fasttrack-connection rule in /ip firewall filter and try again.
by sindy
Sun Sep 05, 2021 10:10 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

OK, so try just the mangle rules.
by sindy
Sun Sep 05, 2021 9:33 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

Is there a way to completely cover the VPN so ISP never understand I'm using one? Definitely not with PPTP, whose encryption is so weak that it actually hides nothing; IPsec or something-over-IPsec is also obvious, so you'd have to use an SSTP VPN which looks like a normal HTTPS session, except tha...
by sindy
Sun Sep 05, 2021 8:25 pm
Forum: General
Topic: STATIC ROUTING WITH PBR FOR MULTI WAN
Replies: 11
Views: 677

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Nothing in the configuration explains why the mere presence of the routes with routing-mark should affect forwarding between 172.13.0.0/16 and 172.14.0.0/16.

Did it work before the upgrade to 6.48.4?
by sindy
Sun Sep 05, 2021 7:51 pm
Forum: General
Topic: STATIC ROUTING WITH PBR FOR MULTI WAN
Replies: 11
Views: 677

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

as soon as I activate the route with the mark-routes entry, the static routing stops working. Please let me know which config is to be changed. In the configuration you've posted, the two routes with routing-mark are not disabled. Is what you posted the exact configuration state when "far end cannot reach ...
by sindy
Sun Sep 05, 2021 7:38 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

No, it's just a VPN client on Windows. The PC is always connected to the RB4011. If so, the MAC address of the 4011 plays no role in the VPN throughput, because the VPN provider can never see a MAC address, whereas the ISP can always see the MAC address of the 4011's WAN, no matter where the VPN client ...
by sindy
Sun Sep 05, 2021 7:17 pm
Forum: General
Topic: STATIC ROUTING WITH PBR FOR MULTI WAN
Replies: 11
Views: 677

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

It's not "static routing versus PBR". It's rather "static routing with PBR". In the configuration you've posted, traffic forwarded by the router never gets any connection-mark , hence it never gets any routing-mark , so it should keep using routing table main . Only the own traff...
by sindy
Sun Sep 05, 2021 5:39 pm
Forum: General
Topic: Farm Network Help
Replies: 2
Views: 352

Re: Farm Network Help

Given that PoE-out versions of Omnitiks exist, I'd recommend not to use a separate switch (with its own share of power consumption) but the Omnitik itself to power the Dynadish. If I get it right, the battery power is available at the bottom of the mast, so I'd use one passive injector there to feed...
by sindy
Sun Sep 05, 2021 3:44 pm
Forum: General
Topic: STATIC ROUTING WITH PBR FOR MULTI WAN
Replies: 11
Views: 677

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

While it is better to open your own topic than to piggyback a very loosely related existing one, it needs more than just copy-paste. The intro "I am facing the same issue" looks weird in an OP. What I can see is that you only assign a connection-mark value in chain input , whereas you tran...
by sindy
Sun Sep 05, 2021 2:51 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

@nichky, if we change the TTL on the LTE we would be able to get more bandwidth, why is that? Can't find any logical explanation. The logic behind is that mobile operators want to discourage subscribers from using LTE to connect whole networks, assuming that networks generate more traffic than individ...
by sindy
Sun Sep 05, 2021 12:44 pm
Forum: General
Topic: LTE Bridge Vlan help.
Replies: 7
Views: 446

Re: LTE Bridge Vlan help.

Have you configured a default route on the LtAP via the address of the main router in the subnet attached to the ether1 interface on the LtAP?
by sindy
Sun Sep 05, 2021 9:08 am
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2238

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

When you say "VPN on the PC" vs. "VPN on the router", does that really mean only where you run the VPN client, or do you also connect the PC directly to the ISP's modem (excluding the 4011 from the path)?
by sindy
Sat Sep 04, 2021 1:03 pm
Forum: General
Topic: One wan for Internet and another for vpn [SOLVED]
Replies: 13
Views: 4405

Re: One wan for Internet and another for vpn [SOLVED]

In RouterOS, there are three possible ways to assign a routing-mark value (which almost always means the same as a routing table name): using VRF (so the routing-mark is assigned to the packet due to the fact that the packet has entered via an interface that is a member of that VRF) using /ip route ...
by sindy
Fri Sep 03, 2021 4:57 pm
Forum: General
Topic: Filter Content in Firewall with DOT (.) in string [SOLVED]
Replies: 19
Views: 1067

Re: Filter Content in Firewall with DOT (.) in string [SOLVED]

It doesn't work because the dot symbol is not actually present in the DNS query - the FQDNs are encoded in a rather complicated way, see the RFC for DNS for details. There are multiple topics regarding this here on the forum, e.g, this post gives you a hint.
by sindy
Thu Sep 02, 2021 8:14 pm
Forum: General
Topic: Bridge "Distance" vs Static Route
Replies: 9
Views: 761

Re: Bridge "Distance" vs Static Route

If the settings of the routers are "exactly the same", it should exclude a firewall issue.
So the next possibility is that the IP address assigned by the SSTP to the client fits into the subnet used at the affected router's LAN?
by sindy
Wed Sep 01, 2021 6:51 pm
Forum: General
Topic: cAP and wAP default config after reset [SOLVED]
Replies: 3
Views: 355

Re: cAP and wAP default config after reset [SOLVED]

Not really empty, but almost - try to use the reset button to let them start in cAP mode (cAP as controlled AP, not as model name), where all Ethernet ports are bridged together, wireless interfaces are disabled, and there is a DHCP client attached to the bridge.
by sindy
Wed Sep 01, 2021 12:49 pm
Forum: General
Topic: Trouble Passing static IP's from ISP through RB1100 to 3rd party router
Replies: 5
Views: 513

Re: Trouble Passing static IP's from ISP through RB1100 to 3rd party router

Assuming that your original "block of 5 addresses" is o.o.o.0, your 1100's own address on the ISP-facing interface is o.o.o.6, and the new "block of 5 addresses" (actually, 8 addresses if you don't waste them inefficiently) is n.n.n.0/29: ISP's hypothetical Mikrotik: /ip address ...
by sindy
Wed Sep 01, 2021 11:01 am
Forum: General
Topic: LTE quota management & signal
Replies: 7
Views: 844

Re: LTE quota management & signal

but it is a USB 4G stick, so there is nothing in /interface LTE. Any way that I could see the signal of the 4G, please? It's actually not "but". Various USB modems emulate various peripherals, let's call them "serial modem" and "ethernet interface", although there are ac...
by sindy
Tue Aug 31, 2021 11:20 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16846

Re: v7.1rc2 [development] is released!

IPv6 support for L2TPv3 tunnels is finally here! great job! thanks a lot! @doneware, have you successfully completed the configuration of the tunnel? If so, could you please share the working server-side and client-side configuration? I keep getting l2tp,debug tunnel 2 has reached maximum session c...
by sindy
Tue Aug 31, 2021 11:05 pm
Forum: General
Topic: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT
Replies: 5
Views: 427

Re: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

My imagination is probably not sufficient to understand how the preference of a particular port on the WAN IP for connections initiated by a particular internal IP can help serve more private IPs per the same public one. Let's say I have assigned 10 ports on the public IP to be used for outgoing src...
by sindy
Tue Aug 31, 2021 6:33 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 24
Views: 1388

Re: Tiktok Live Problems

Sindy, did you write to my mail, is that correct? Just to confirm.
Yes, I did, you can remove it from the post.
by sindy
Tue Aug 31, 2021 5:04 pm
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 837

Re: Routing via GRE to VLAN networks [SOLVED]

I guess it's a behavior of the x86 implementation... maybe? Possibly... I was actually asking about the release (like e.g. 6.47.10), not so much about CPU architecture, but yes, it's true that a few things behave differently depending on the CPU architecture, I just didn't expect something this essential ...
by sindy
Tue Aug 31, 2021 4:41 pm
Forum: General
Topic: Port Forwarding Question
Replies: 14
Views: 720

Re: Port Forwarding Question

no the cloud address provided by the mik itself or rather the mik version of DynDNS But that's not what most people understand under the name "cloud access". The Tik registers its public IP into the DynDNS, and you then access this address directly (or via dst-nat if the xxx.sn.mynetname....
by sindy
Tue Aug 31, 2021 4:21 pm
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 837

Re: Routing via GRE to VLAN networks [SOLVED]

Interesting... what if you set the pref-src of the route via the GRE interface to 192.168.62.1, of course still with no IP address attached to the GRE interface? What are the RouterOS releases on both machines, given that they behave differently under apparently the same conditions?
by sindy
Tue Aug 31, 2021 4:15 pm
Forum: General
Topic: route all traffic from a VM to another which runs a VPN
Replies: 1
Views: 246

Re: route all traffic from a VM to another which runs a VPN

The Windows VM running the VPN client must provide "internet connection sharing" in order that you could use it as an entry point to the VPN tunnel for some other device, and you don't need a Mikrotik to facilitate such connection to the Linux VM - you simply create a virtual network with ...
by sindy
Tue Aug 31, 2021 4:04 pm
Forum: General
Topic: Access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP) [SOLVED]
Replies: 3
Views: 387

Re: Access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP) [SOLVED]

So you actually did use connection-mark already before posting? Because without assigning a connection-mark to incoming connections based on in-interface , you cannot assign the correct routing-mark to the response packets of these connections. As you've mentioned a wrong in-interface now, it seems ...
by sindy
Tue Aug 31, 2021 3:57 pm
Forum: General
Topic: Port Forwarding Question
Replies: 14
Views: 720

Re: Port Forwarding Question

It's not jumping back and forward, look at the MAC addresses. The packet comes in via ether10 with the source MAC address of the LHG and destination MAC address of the 3011; the 3011 routes it to the destination and sends it via ether1 with its own MAC address as source. But nothing ever comes back ...
by sindy
Tue Aug 31, 2021 3:45 pm
Forum: General
Topic: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT
Replies: 5
Views: 427

Re: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

Let me apologize straight away that I'm unable to answer your "how to do exactly this" question, but in what regard should re-using the same "public SrcPort" for different connections from the same Internal IP "allow a lot better use of public IP" - or, in particular, w...
by sindy
Tue Aug 31, 2021 3:29 pm
Forum: General
Topic: Access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP) [SOLVED]
Replies: 3
Views: 387

Re: Access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP) [SOLVED]

Look at this post. Read its last paragraph first to get the relationship to your case.
by sindy
Tue Aug 31, 2021 3:19 pm
Forum: General
Topic: Port Forwarding Question
Replies: 14
Views: 720

Re: Port Forwarding Question

Recommended practice of the forum, if you post large pieces of configuration inline, put them between [ code] and [ /code] tags, try to edit your previous post to see the difference. To the subject, there are two action=dst-nat rules with log=yes , so I assume your log snippet in the OP comes from h...
by sindy
Tue Aug 31, 2021 2:57 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16846

Re: v7.1rc2 [development] is released!

@Cha0s, you've misspelled advertisements as advertisments everywhere... copy-paste can be a dangerous weapon.
by sindy
Tue Aug 31, 2021 2:18 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16846

Re: v7.1rc2 [development] is released!

Is this topic not posted among Announcements intentionally or by mistake?
by sindy
Tue Aug 31, 2021 1:56 pm
Forum: General
Topic: NAT to one of my VLANs [SOLVED]
Replies: 5
Views: 490

Re: NAT to one of my VLANs [SOLVED]

Just to add a point, whilst UDP, ICMP and others are not stateful protocols as such, connection tracking can still treat them as if they were thanks to the fact that they use port numbers (UDP) and an ID (ICMP echo and ICMP echo response). The rest is timeout - ICMP packets with a given (ID, IP addr...
by sindy
Tue Aug 31, 2021 1:24 pm
Forum: General
Topic: Pinging via secondary default route? [SOLVED]
Replies: 2
Views: 371

Re: Pinging via secondary default route? [SOLVED]

You cannot ping using the secondary default route itself. But you can create another route to the destination used for the path transparency check, using the same gateway the secondary default route uses, or you can create another default route using the same gateway, but in a dedicated routing tabl...
by sindy
Tue Aug 31, 2021 12:30 pm
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 837

Re: Routing via GRE to VLAN networks [SOLVED]

I would be careful with "defaulting to use ether1's address". For packets sent by the router itself, the route to the destination is found first, and only then the source address is chosen, using the properties of that route. If no pref-src parameter of the route is specified, RouterOS cho...
by sindy
Tue Aug 31, 2021 11:25 am
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 837

Re: Routing via GRE to VLAN networks [SOLVED]

That did the trick! Just adding an address to the GRE tunnel on each side solved it! That sounds like some NAT issue. Do the sniffing as suggested above and see where the IP address assigned to the GRE interface is used instead of the one specified in the src-address parameter of the ping command. ...
by sindy
Tue Aug 31, 2021 11:06 am
Forum: General
Topic: Port Forwarding Question
Replies: 14
Views: 720

Re: Port Forwarding Question

Post the actual configuration of the LHG, see my automatic signature below for a mini-howto.
by sindy
Tue Aug 31, 2021 11:01 am
Forum: General
Topic: CPU Usage and unknown device
Replies: 13
Views: 1105

Re: CPU Usage and unknown device

Whilst I'm not sure the CPU load comes from some configuration issue, in general, there is no such thing as "important part of configuration" when it comes to analysis of an unexpected behaviour. Typically, the root cause of that behaviour is in the part of the configuration you do not exp...
by sindy
Tue Aug 31, 2021 10:56 am
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 837

Re: Routing via GRE to VLAN networks [SOLVED]

ping times out from router A to B (but not vice versa).. ... I can't see any firewall activities either, so don't believe firewall is blocking it. Sorry, the first thing I've spotted in your OP was that whilst there were four subnets, 192.168.11.0/24 to 192.168.14.0/24, at router B, there was only ...
by sindy
Tue Aug 31, 2021 10:42 am
Forum: General
Topic: I can't change the MAC address
Replies: 4
Views: 396

Re: I can't change the MAC address

Number 3 At this position, only even digits (0,2,4,6,8,a,c,e) are possible for an own MAC address of a device. If the least significant bit of this digit is 1, i.e. when the digit is odd, it indicates a group address that can only be used as a broadcast or multicast destination one, never as an own...
by sindy
Tue Aug 31, 2021 9:57 am
Forum: General
Topic: Trouble Passing static IP's from ISP through RB1100 to 3rd party router
Replies: 5
Views: 513

Re: Trouble Passing static IP's from ISP through RB1100 to 3rd party router

the ISP says we have to pass them via layer 2 through our router to our tenants router that is connected to our Mikrotik. Is that a contractual obligation that you must pass this whole block of IPs to this particular tenant, i.e. you have to serve as an extension of the ISP's network so that the IS...
by sindy
Mon Aug 30, 2021 11:37 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 24
Views: 1388

Re: Tiktok Live Problems

I can't imagine a direct connection to improve my Spanish, but if you want, send me your e-mail address encrypted according to this post.

So have you added all the four rules I've suggested or you've just disabled the one blocking UDP traffic to port 80?
by sindy
Mon Aug 30, 2021 10:33 pm
Forum: General
Topic: I can't change the MAC address
Replies: 4
Views: 396

Re: I can't change the MAC address

What is the second symbol from the left (xX:xx:xx:xx:xx:xx) of the address you are trying to set?
by sindy
Mon Aug 30, 2021 10:32 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 24
Views: 1388

Re: Tiktok Live Problems

Did it help?
by sindy
Mon Aug 30, 2021 8:32 pm
Forum: General
Topic: Can I power up SXT with my RB951? [SOLVED]
Replies: 2
Views: 386

Re: Can I power up SXT with my RB951? [SOLVED]

Yes.
by sindy
Mon Aug 30, 2021 8:15 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 24
Views: 1388

Re: Tiktok Live Problems

What do you recommend first? It depends on the character of your clients (as in "customers"). If none of them operated a server that needs to be reachable from the internet, you could actually implement a simple stateful firewall, whose first rule in chain forward of /ip firewall filter w...
by sindy
Mon Aug 30, 2021 7:25 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 24
Views: 1388

Re: Tiktok Live Problems

Hm... with all those self-configured and 3rd party blacklists, complex layer7-protocol rules and caching web proxy, and the absence of a stateful firewall, there are plenty of reasons why the clients may be unable to connect to TikTok Live servers as they may get blocked by any of the above. Have yo...
by sindy
Mon Aug 30, 2021 7:02 pm
Forum: General
Topic: Rbcapgi-5acd2nd Cap Ac
Replies: 3
Views: 336

Re: Rbcapgi-5acd2nd Cap Ac

The thing is that with two cAP ac on a single branch and the bundled 24 V power supply, you'll be over the specs - according to the specs, the cAP ac takes 13 W at max without attachments, which requires more than 0.5 A current from 24 V (leaving aside that the voltage at PoE-out port is lower than ...
by sindy
Mon Aug 30, 2021 6:36 pm
Forum: General
Topic: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?
Replies: 12
Views: 983

Re: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?

You've mentioned initially that you want the setup work as a repeater in terms that it acts both as a wireless client and a wireless AP. So whenever the local client is connected to a 2.4 GHz radio and its traffic uses the 2.4 GHz WAN, the 1/2 throughput applies. Same for 5 GHz radio. So my statemen...
by sindy
Mon Aug 30, 2021 6:25 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 24
Views: 1388

Re: Tiktok Live Problems

No, I mean /export hide-sensitive file=some-nice-name - it will export everything at once into a file, which you can download afterwards. Before posting the file, don't forget to obfuscate any public IP addresses or user account names if you use them. As I write in my automatic signature here below ...
by sindy
Mon Aug 30, 2021 6:01 pm
Forum: General
Topic: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?
Replies: 12
Views: 983

Re: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?

You can use deterministic distribution of the connections, meaning that the same LAN host will always use the same WAN to connect to the same remote server. It may still not be enough, because some services hand over processing of a single application session between multiple servers and still expec...
by sindy
Mon Aug 30, 2021 5:12 pm
Forum: General
Topic: vlan with IPSEC l2tp
Replies: 2
Views: 275

Re: vlan with IPSEC l2tp

The name of L2TP is confusing. To establish an L2 tunnel using L2TP, you need BCP to be supported at both the client and the server, just like with any other PPP-based tunneling protocol. Your description suggests that only the L2TP server is a Mikrotik and the L2TP client is a PC or a phone, is tha...
by sindy
Mon Aug 30, 2021 5:05 pm
Forum: General
Topic: Limit bandwith per ip in vlan
Replies: 8
Views: 551

Re: Limit bandwith per ip in vlan

Yes, the guess/expectation is correct. Since it doesn't work as expected, please do the following:
  1. /queue simple reset-counters-all
  2. run the speedtest from .151
  3. /queue simple print stats
What's the output of the last command?
by sindy
Mon Aug 30, 2021 4:16 pm
Forum: General
Topic: Automatic configuration deletion [SOLVED]
Replies: 6
Views: 551

Re: Automatic configuration deletion [SOLVED]

30 m should be fine with the original 24 V adaptor, unless the cable is extremely bad. Did you have the problems ever since you've switched the device on for the first time, or did they appear recently? A frequent issue is drying electrolytic capacitors in the power adaptors, and to a lower extent a...
by sindy
Mon Aug 30, 2021 2:32 pm
Forum: General
Topic: FastPath not working in combination hEXPoE + mAP lite
Replies: 14
Views: 935

Re: FastPath not working in combination hEXPoE + mAP lite

The switch chip accepts a setup but not a change of the memory size (nor can it borrow more RAM from the CPU) - hw=no just tells it to forward received frames always to the CPU rather than trying first to deliver them autonomously. The rate adaptation from 1000 down to 100 Mbit/s is a specific use c...
by sindy
Mon Aug 30, 2021 1:31 pm
Forum: General
Topic: Automatic configuration deletion [SOLVED]
Replies: 6
Views: 551

Re: Automatic configuration deletion [SOLVED]

As the first thing to do I would upgrade to the current long-term (6.47.10 as of writing this), including upgrading the bootloader ("firmware") in the second step (the firmware comes bundled with the RouterOS but needs to be flashed separately once the new version of RouterOS is already ru...
by sindy
Mon Aug 30, 2021 1:20 pm
Forum: General
Topic: PPPoE Server Fails to Authenticate Clients
Replies: 3
Views: 381

Re: PPPoE Server Fails to Authenticate Clients

If no failures appear in the log, it looks as if the PPPoE-discovery and PPPoE frames from the client didn't reach the PPPoE server process; on the other hand, if disabling and re-enabling the server makes things work again, it seems that the issue is the process itself. I cannot see any obvious mis...
by sindy
Mon Aug 30, 2021 12:56 pm
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 837

Re: Routing via GRE to VLAN networks [SOLVED]

Although it is the best practice to locate each IP subnet to a dedicated VLAN, VLAN and IP subnet are not the same thing. So ignore VLANs for a while and concentrate on the subnets alone. In order that devices in subnet a.a.a.a on router A could talk to devices in subnet b.b.b.b on router B, a route...
by sindy
Mon Aug 30, 2021 12:47 pm
Forum: General
Topic: FastPath not working in combination hEXPoE + mAP lite
Replies: 14
Views: 935

Re: FastPath not working in combination hEXPoE + mAP lite

As @tdw wrote - the HW offload could only be "improved" by using a different switch chip. HW offload means that the switch chip forwards the frames between ports on its own, and since its buffer is too short, frames get dropped before the transport protocol notices the low bandwidth availa...
by sindy
Mon Aug 30, 2021 12:35 pm
Forum: General
Topic: Automatic configuration deletion [SOLVED]
Replies: 6
Views: 551

Re: Automatic configuration deletion [SOLVED]

What is the RouterOS version running there?
by sindy
Mon Aug 30, 2021 10:31 am
Forum: General
Topic: What typical changes do you make to AP box default configuration?
Replies: 4
Views: 640

Re: What typical changes do you make to AP box default configuration?

The "turning RSTP off" is not the best idea if more than one Ethernet port remains in the bridge. Instead, set edge=yes on the /interface bridge port rows for the wireless interfaces to get rid of the delay when the first client associates to a given wireless interface after the interface w...
by sindy
Mon Aug 30, 2021 10:19 am
Forum: General
Topic: LTE quota management & signal
Replies: 7
Views: 844

Re: LTE quota management & signal

What does /interface lte info [find] show (you may want to obfuscate the actual values, just the value names in the left column are important)? It depends on the modem model what information RouterOS can obtain and display.
by sindy
Mon Aug 30, 2021 9:12 am
Forum: General
Topic: Tiktok Live Problems
Replies: 24
Views: 1388

Re: Tiktok Live Problems

@anav, I'm afraid there may be some difference between "mere TikTok" (recording videos and then posting them) and "TikTok Live" (live broadcasting) in what protocols they use. So let's wait until @adonato posts his configuration.
by sindy
Sun Aug 29, 2021 6:51 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 24
Views: 1388

Re: Tiktok Live Problems

Post a sketch of the network (a photo of a handmade drawing will be sufficient if the topology is clear from there) and the configuration of the Mikrotik. See my automatic signature for a mini-howto.
by sindy
Sun Aug 29, 2021 2:28 pm
Forum: General
Topic: FastPath not working in combination hEXPoE + mAP lite
Replies: 14
Views: 935

Re: FastPath not working in combination hEXPoE + mAP lite

Out of curiosity, what happens if you set hw=no on all /interface bridge port rows and repeat the test?
by sindy
Sun Aug 29, 2021 1:44 pm
Forum: General
Topic: Slow VPN speed with single TCP stream in one direction
Replies: 12
Views: 1726

Re: Slow VPN speed with single TCP stream in one direction

Would love to test this out further but unfortunately I'm tied down on another project, had my second kid two weeks ago and don't really have time for a thorough gremlin hunt in the coming weeks. But do keep posting please! There's little to post without any input data (from you and/or from anyone ...
by sindy
Sat Aug 28, 2021 9:51 pm
Forum: General
Topic: How to bind EoIP tunnel to IPSec IKEv2 connection?
Replies: 8
Views: 628

Re: How to bind EoIP tunnel to IPSec IKEv2 connection?

Let me put it another way. Think about IPsec responder like a TCP server and IPsec initiator like a TCP client. The server doesn't send anything to the client until it gets an initial request from it; once the initial request arrives, the server learns the client's IP address and port from it and re...
by sindy
Sat Aug 28, 2021 7:45 pm
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 926

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

Glad that you've solved it. The reason why I keep recommending my solution with the dst-nat back to the public IP on the Mikrotik is that it is enough to implement this once on the Mikrotik, whereas the change of 1 to 2 in the registry must be done on every single Windows client.
by sindy
Sat Aug 28, 2021 3:41 pm
Forum: Useful user articles
Topic: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 (with certs) tunnel + EoIP
Replies: 11
Views: 5274

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 (with certs) tunnel + EoIP

@plamensgurov, no one can help you without seeing the exported configurations from all three routers. What you want can work easily, so there must be some misconfiguration.
by sindy
Sat Aug 28, 2021 3:37 pm
Forum: General
Topic: FastPath not working in combination hEXPoE + mAP lite
Replies: 14
Views: 935

Re: FastPath not working in combination hEXPoE + mAP lite

FastPath is a way in which traffic is handled in the CPU, so it is not necessary between bridge ports if "hardware accelerated bridging" (in fact, forwarding of frames between switch ports without them even reaching the CPU) is enabled at both ports involved. If there is the H among the fla...
by sindy
Sat Aug 28, 2021 2:07 pm
Forum: General
Topic: How to bind EoIP tunnel to IPSec IKEv2 connection?
Replies: 8
Views: 628

Re: How to bind EoIP tunnel to IPSec IKEv2 connection?

Ah, the mask confusion strikes again... The WAN IP address of the initiator is not "172.24.73.9/25", it is just 172.24.73.9. The /25 is there to tell the router what is the size of the subnet around this single own address, inside which the other hosts can be reached directly, not via a ga...
by sindy
Sat Aug 28, 2021 11:03 am
Forum: General
Topic: How to bind EoIP tunnel to IPSec IKEv2 connection?
Replies: 8
Views: 628

Re: How to bind EoIP tunnel to IPSec IKEv2 connection?

If your ISP always uses the same public IP to NAT the traffic sent by your client router, and if you always get the same IP at the client router's WAN, you can use a transport mode of the Security Association (chosen by setting tunnel=no on the policy). In that case: on the initiator router, you'll ...
by sindy
Sat Aug 28, 2021 10:06 am
Forum: General
Topic: Slow VPN speed with single TCP stream in one direction
Replies: 12
Views: 1726

Re: Slow VPN speed with single TCP stream in one direction

I was looking into a similar problem (a single-connection TCP using /tool bandwidth-test between two CHR routers running at the same provider), and the root cause of the throughput being lowered from 200 Mbps to less than 0.5 Mbps was that 25 % of the tiny second fragments of the transport packets ...
by sindy
Sat Aug 28, 2021 8:26 am
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 926

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

There are two topics related to L2TP and NAT: the one you have found on your own and linked in your OP, dealing with multiple clients at the same site, thus NATed to the same public IP as seen by the server; the one I've linked in my first response in this current thread, dealing with the server its...
by sindy
Sat Aug 28, 2021 12:00 am
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 926

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

I do understand that the issue started once you've moved the 3011 to a private address, however, you've taken a log from a connection attempt of just a single client that dislikes the IPsec connection as soon as it establishes. What made me cautious is that you've substituted the address of the clie...
by sindy
Fri Aug 27, 2021 8:51 pm
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 926

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

Oops, I was actually too fast. The initiator asks to delete the IPsec SA immediately after it has been established: 11:13:57 ipsec IPsec-SA established: ESP/Transport 10.106.74.190[4500]->my.pubip.1[4500] spi=0xbd067f70 11:13:57 ipsec,debug pfkey add sent. 11:13:57 ipsec,debug ===== received 76 byte...
by sindy
Fri Aug 27, 2021 8:26 pm
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 926

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

No signs of L2TP connection attempt in the log whatsoever. Show me the configuration export (see my signature regarding anonymisation), it must be something about the firewall.
by sindy
Fri Aug 27, 2021 8:11 pm
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 926

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

Yes, you can ignore the failure to bind ::[500].
by sindy
Fri Aug 27, 2021 5:30 pm
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1602

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

It makes the posts much more readable if you place larger portions of configuration export between [ code] and [ /code] tags. In your configuration, there is /ip dns set allow-remote-requests=yes and the /ip firewall filter is almost empty. So the Mikrotik is ready to respond to incoming DNS requests...
by sindy
Fri Aug 27, 2021 3:39 pm
Forum: General
Topic: Limit bandwith per ip in vlan
Replies: 8
Views: 551

Re: Limit bandwith per ip in vlan

I'm lost. If you need to get different speeds to different tenants, then the target for each tenant's individual queue must be that tenant's /32 address, so there is no point in using 10.0.0.0/24 as target, except maybe for the last rule in the list, defining a common queue for everyone who hasn't ...
by sindy
Fri Aug 27, 2021 3:12 pm
Forum: General
Topic: issue multiple vlan on switch chip
Replies: 1
Views: 268

Re: issue multiple vlan on switch chip

Do I guess correctly that when you connect Windows or Mac to a port which is not configured as an access one to VLAN 20, both Windows and Mac get the address via DHCP, whereas when you connect Windows or Mac to an access port to VLAN 20 (ether1 or ether5), Windows successfully accepts the address assignment f...
by sindy
Fri Aug 27, 2021 2:44 pm
Forum: General
Topic: Limit bandwith per ip in vlan
Replies: 8
Views: 551

Re: Limit bandwith per ip in vlan

Several points. First, the error message itself tells you what is wrong. The target is a prefix (subnet), so .151/32 is OK but .151/24 is not because non-zero bits of the address exist on the bit positions that are zero in the mask. The only place where you can use the shortcut form of .151/24 is wh...
by sindy
Fri Aug 27, 2021 10:31 am
Forum: General
Topic: r11e-lte dead? [SOLVED]
Replies: 7
Views: 549

Re: r11e-lte dead? [SOLVED]

Weird, I've written a post but I apparently haven't submitted it as it is not here. So trying again for reference, although you've already found another method to cut your way through. And the part regarding LTE firmware is still important. In the Mikrotik-specific vernacular, "firmware" ...
by sindy
Fri Aug 27, 2021 9:59 am
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1602

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

Post the export of the current configuration of the Mikrotik (as per my automatic signature below) and also a screenshot of the IPv4 settings of the network interface of the Windows machine (the window where you choose between DHCP and Manual).
by sindy
Thu Aug 26, 2021 11:06 pm
Forum: General
Topic: Not working internet on vlan, cannot ping gw
Replies: 8
Views: 637

Re: Not working internet on vlan, cannot ping gw

The thing is that a /32 address makes sense in some setups too, so no mask given translates to a /32. Just come to terms with it :)
by sindy
Thu Aug 26, 2021 10:36 pm
Forum: General
Topic: SSTP tunnel problem [SOLVED]
Replies: 5
Views: 486

Re: SSTP tunnel problem [SOLVED]

On the 2011, there is the following static IPsec policy: comment=vpn01 dst-address=10.10.10.0/24 proposal=secure-proposal sa-dst-address=you.forgot.to.substitute.it sa-src-address=0.0.0.0 src-address=10.20.10.0/24 tunnel=yes On the 4011, a complementary policy exists. Traffic matching a traffic sele...
by sindy
Thu Aug 26, 2021 9:23 pm
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1602

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

The main DNS of the PC is 192.168.1.16 (the PC itself)
I don't understand this statement. How can the PC be its own DNS server? In any case, if the Mikrotik is not the DNS server for the PC, the static DNS records are never used, so the whole idea fails.
by sindy
Thu Aug 26, 2021 9:20 pm
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 950

Re: Switch high CPU VLAN

OK. What you definitely cannot do in hardware on the CRS is to merge the VLANs 30 and 31. This has to be done either on the CCR or nowhere at all, meaning that you'd have to use a separate PPPoE server for each of these VLANs. So I'd try the following, but it's pure theory, I have no possibility to ...
by sindy
Thu Aug 26, 2021 6:55 pm
Forum: General
Topic: SSTP tunnel problem [SOLVED]
Replies: 5
Views: 486

Re: SSTP tunnel problem [SOLVED]

Post the configurations of both machines as per my automatic signature below. Either copy-paste the text exports into the body of the post, each between [ code] and [ /code] tags, or attach them as file attachments to the post. At first glance, the routes seem OK, so it is likely that the firewall b...
by sindy
Thu Aug 26, 2021 6:48 pm
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 950

Re: Switch high CPU VLAN

So after all, my table did not express what you wanted, because you really want something unusual. You need a kind of protocol-based VLAN for the old OLTs, where you need to forward PPPoE and friends to the CCR via ether3, and to forward IP and friends to the CCR via ether4. And on the new OLT, you ...
by sindy
Thu Aug 26, 2021 4:55 pm
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 950

Re: Switch high CPU VLAN

Sorry, I don't understand what "ether1 would talk to vlan 30" means. In your original description, there was a group of ports (ether1 .. ether3) and a group of VLANs, so I was expecting all three VLANs should be accessible on all three ports, which would thus be trunk ports, like sf...
by sindy
Thu Aug 26, 2021 4:33 pm
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1602

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

sorry I'm a newbie to networks and microtik!
It's not so much a Mikrotik issue, it is a TP-link one. Have you managed to get rid of 8.8.8.8 as a DNS in the PC configuration? What do you get if you run the commandline on the PC and enter nslookup tplinkwifi.net there?
by sindy
Thu Aug 26, 2021 4:16 pm
Forum: General
Topic: L2TP/IPsec web browser location result issue
Replies: 23
Views: 955

Re: L2TP/IPsec web browser location result issue

Check the geolocation settings in Firefox. Settings -> Privacy and Security -> Permissions -> Position -> Settings (the names may not be precise, my Firefox language is not English). I don't think the issue is directly with the VPN, and once you've described how you test it, I don't think any more i...
by sindy
Thu Aug 26, 2021 4:00 pm
Forum: General
Topic: login only via one mac address
Replies: 3
Views: 534

Re: login only via one mac address

In /ip firewall filter, you can match on src-mac-address. Depending on how your firewall is organized, you may add src-mac-address=th:ep:er:mi:tt:ed to the action=accept rule that enables access to the management service, or src-mac-address=!th:ep:er:mi:tt:ed to the action=drop rule that blocks acc...
by sindy
Thu Aug 26, 2021 3:52 pm
Forum: General
Topic: r11e-lte dead? [SOLVED]
Replies: 7
Views: 549

Re: r11e-lte dead? [SOLVED]

I'd start from 6.47.10, I hazily remember 6.46.x still had some issues with LTE modems and especially with upgrading them. What has made you choose 6.46.8 in particular, given that 6.47.10 has been the long-term release for a couple of weeks now? What does /system resource usb print detail show? D...
by sindy
Thu Aug 26, 2021 3:43 pm
Forum: General
Topic: EOIP not working behind SNAT on IPACCT NAS
Replies: 3
Views: 292

Re: EOIP not working behind SNAT on IPACCT NAS

If so, you have to investigate into the actual reason why it fails, using the steps I've suggested above.
by sindy
Thu Aug 26, 2021 2:19 pm
Forum: General
Topic: Not working internet on vlan, cannot ping gw
Replies: 8
Views: 637

Re: Not working internet on vlan, cannot ping gw

You've assigned a /32 address to the VLAN interface, so no route to 10.0.0.0/24 via the VLAN interface has been created. As a consequence, packets for anything in 10.0.0.0/24 took the default route. If an Ethernet interface is a member port of a bridge, the VLAN interface must be attached to the bri...
by sindy
Thu Aug 26, 2021 2:15 pm
Forum: General
Topic: EOIP not working behind SNAT on IPACCT NAS
Replies: 3
Views: 292

Re: EOIP not working behind SNAT on IPACCT NAS

EoIP is a proprietary application atop GRE (i.e. IP protocol number 47, no ports), and it misuses the optional 4-byte tunnel ID header as a 2-byte EoIP tunnel ID and 2-byte frame length, so firewalls distinguishing GRE tunnels from one another to allow NATing of more than one tunnel to the same remo...