Search found 7908 matches

by sindy
Sun Oct 17, 2021 8:33 pm
Forum: General
Topic: Setting priority for IPsec traffic
Replies: 3
Views: 203

Re: Setting priority for IPsec traffic

Setting priority in mangle should have an effect only on transports that support some L2 priority field, which is normally Ethernet and wireless. So in this sense, yes, priority is a metadata item, until the packet reaches the Ethernet or wireless driver that can extract the value from that item and st...
by sindy
Sun Oct 17, 2021 8:06 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 25
Views: 1491

Re: GRE over IPSec stops working when PPPoE interface flaps.

Oops. I haven't encountered an ISP to use compression on PPPoE yet, so I've never noticed that Wireshark doesn't inflate the payload. The only information I could find is that this has been the case 8 years ago. Try to disable compression on the /ppp profile row used by the PPPoE client (by setting ...
by sindy
Sun Oct 17, 2021 5:46 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 36
Views: 1948

Re: Client isolation within VLAN and fast roaming

I've just tried exactly the same (in my "real" rules, I match on a particular mac-protocol):
/interface ethernet switch rule add new-dst-ports="" ports=ether1 src-mac-address=64:D1:54:xx:xx:x3/FF:FF:FF:FF:FF:FF switch=switch1 vlan-id=5
This does block traffic from 64:D1:54:xx:xx:...
by sindy
Sat Oct 16, 2021 10:50 pm
Forum: General
Topic: Is there any way to limit VLAN traffic while connection tracking is off
Replies: 2
Views: 131

Re: Is there any way to limit VLAN traffic while connection tracking is off

The fact that connection tracking is disabled doesn't affect packet marks and/or queues. It makes it impossible to use connection marks, so you cannot assign packet-mark values based on connection-mark, connection-state, or connection-nat-state, but you can assign them based on any other match ...
by sindy
Sat Oct 16, 2021 10:35 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 96
Views: 12763

Re: Split traffic then merge [SOLVED]

Try lowering the MTU to 1300 on the bonding interfaces at both ends and see whether it changes anything. But if you say it worked at full speed and now it doesn't, it sounds like another trick of the ISP. What if you disable one of the EoIP tunnels at both ends, does the speed fall to 1/2?
by sindy
Sat Oct 16, 2021 10:25 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 36
Views: 1948

Re: Client isolation within VLAN and fast roaming

I had to have a look at my own switch chip rules to spot the issue. There's a catch - whereas in /interface bridge filter rules, the value specified as mac-protocol is always matched against offset 12 of the frame, and there is a separate match field, vlan-protocol, to match the protocol field insi...
by sindy
Sat Oct 16, 2021 10:12 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 96
Views: 12763

Re: Split traffic then merge [SOLVED]

I do remember the setup. However, what I didn't get from what you wrote now, nor could I find it in the history of this topic, is whether the throughput via the bonded interface was ever higher than this. MTU is generally an issue with tunnels - if set too high on the EoIP interfaces, the TCP sends ...
by sindy
Sat Oct 16, 2021 8:40 pm
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 36
Views: 14126

Re: LHG LTE - Bridge mode???

The mysterious "passthrough" mode is actually very simple - in fact, it is very close to what you might call "bridge mode". You choose an L2 interface, and RouterOS creates a DHCP server on it, which responds to a request from a single client - either to the very first one to sen...
by sindy
Sat Oct 16, 2021 6:39 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 36
Views: 1948

Re: Client isolation within VLAN and fast roaming

What does the rest of the configuration look like? Switch chip rules normally just work, so it looks really strange. Is VLAN 3 tagged on the switch ports to which the cAPs are connected?
by sindy
Sat Oct 16, 2021 4:03 pm
Forum: General
Topic: Router error
Replies: 1
Views: 88

Re: Router error

Such information on the display should normally only appear as a result of a controlled shutdown, which may be caused by a script, malware, or a bug.

Post an anonymised export of the configuration as per the hint in my automatic signature below.
by sindy
Fri Oct 15, 2021 11:34 pm
Forum: General
Topic: ARP traffic on from MAC address
Replies: 1
Views: 183

Re: ARP traffic on from MAC address

Unless proxy-arp is permitted on ether3, the router should not respond to ARP requests regarding other IP addresses than its own ones. Post an anonymized export of your config if this answer is not sufficient.
by sindy
Fri Oct 15, 2021 11:31 pm
Forum: General
Topic: Routing betwin too interface
Replies: 2
Views: 137

Re: Routing betwin too interface

This normally works automatically if different subnets are attached to each interface. So if you assign e.g. 192.168.1.1/25 to the first interface, and 192.168.1.129/25 to the second one, and give the host connected to the second interface an address like 192.168.1.130/25 instead of 192.168.1.101/? ...
by sindy
Fri Oct 15, 2021 11:23 pm
Forum: General
Topic: dstnat on a specific VPN
Replies: 4
Views: 404

Re: dstnat on a specific VPN

Yes, read this post, starting from the last paragraph which relates it to your context. Think about your two VPN tunnels as WANs. Loosely related - PPTP provides almost no security, its encryption is ridiculously weak from today's perspective. L2TP/IPsec is equally simple (or complex) to configur...
by sindy
Fri Oct 15, 2021 11:16 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 25
Views: 1491

Re: GRE over IPSec stops working when PPPoE interface flaps.

Looking at your minimalistic configurations, I can currently imagine only the following things: something weird regarding handling packets that cannot be routed anywhere in RouterOS kernel - the only routes the packets between 10.199.199.0 and 10.199.199.1 can take are the default ones, and the only...
by sindy
Thu Oct 14, 2021 9:42 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 25
Views: 1491

Re: GRE over IPSec stops working when PPPoE interface flaps.

You forgot to obfuscate HQ.rsc, maybe you want to withdraw it and post it again once anonymized?
by sindy
Thu Oct 14, 2021 9:14 pm
Forum: General
Topic: 1:1 NATting of /29 subnet
Replies: 3
Views: 197

Re: 1:1 NATting of /29 subnet

The two rules as such should do what you expect them to do. However, the firewall rules work as a system where mutual order matters and rules in different chains must work in accord. So it is possible that these rules are shadowed by other ones, or that you do not permit dst-nated connections in for...
by sindy
Thu Oct 14, 2021 9:08 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc4 [development] is released!
Replies: 240
Views: 32934

Re: v7.1rc4 [development] is released!

Export started at oct/12/2021 10:40:20 by RouterOS 7.1rc4, and it's been stuck on this for 14 minutes so far
In previous 7.1rcX, adding verbose to the export used to make it work - have you tried that?
by sindy
Wed Oct 13, 2021 11:40 pm
Forum: General
Topic: Revoked certificates contunue to work
Replies: 11
Views: 5496

Re: Revoked certificates contunue to work

Ok, Last try - 127.0.0.1 - the same thing, revoked certificate still works. Upgraded to 7.1beta1 - the same thing. So I've returned to this and found that the old (wiki) manual is really insufficient, and the new (Confluence) one even misleading, as it tells you to self-sign all certificates. The n...
by sindy
Wed Oct 13, 2021 8:01 pm
Forum: General
Topic: Route site or ip out of the VPN [SOLVED]
Replies: 7
Views: 503

Re: Route site or ip out of the VPN [SOLVED]

So with this only that website gonna access my actual ip not any other website? I mean it's not leaking my ip in this way? That's a complex topic. First, you can choose whether to establish a connection via VPN or directly depending on the destination IP address, but multiple sites apparently unrel...
by sindy
Tue Oct 12, 2021 7:38 pm
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 32
Views: 12759

Re: How to create multiple EoIP tunnels ?

It may be counter-intuitive, but the same horizon value on a pair of ports means that traffic cannot be forwarded between them. So set horizon at the ether2 row of /interface bridge port to none and see whether it helps. Or, if you do not need to prevent forwarding from one tunnel to another, set horiz...
by sindy
Tue Oct 12, 2021 3:40 pm
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 32
Views: 12759

Re: How to create multiple EoIP tunnels ?

To prevent traffic from being forwarded between two ports of the same bridge, set the same horizon value for both. E.g.:
/interface bridge port set [find where interface~"eoip[23]"] horizon=1
will prevent traffic forwarding between eoip2 and eoip3.
by sindy
Tue Oct 12, 2021 2:33 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 710

Re: CRS112 and problem with vlans

Again - the hardware "offloading" on CRS 1xx is available only for L2 forwarding between ports in the same VLAN. If the CRS itself has to route between the subnets in the two VLANs, this is done by CPU, and the CPU in CRS1xx is weak, hence it reaches 100 % with relatively low traffic volum...
by sindy
Tue Oct 12, 2021 1:01 pm
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 32
Views: 12759

Re: How to create multiple EoIP tunnels ?

Now, to make client traffic passing through Eth2 at HQ, do i have to bridge all 24 EoIP interface with the Eth2? Yes, exactly, as suggested above. Add-ons can be applied: if the client eventually wants each BO site to be reachable via a different VLAN at ether2 of the HQ site, you would activate vl...
by sindy
Mon Oct 11, 2021 10:45 pm
Forum: General
Topic: L2TP/IPsec does not remove dynamic IPsec entries when disabled
Replies: 3
Views: 234

Re: L2TP/IPsec does not remove dynamic IPsec entries when disabled

I've just tried it on a CHR running 6.47.9, it works normally - once I disable the /interface l2tp-client, the dynamically created IPsec configuration items disappear as they should. You may try to export (not backup) the configuration into a file, download the file to the PC, netinstall the machi...
by sindy
Mon Oct 11, 2021 10:07 pm
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 32
Views: 12759

Re: How to create multiple EoIP tunnels ?

Now what i want to know is: how to pass all the 24 tunnels through the Eth2?
Supposing I've understood what you actually wanted properly, make a bridge and make eth2 and all the EoIP interfaces member ports of that bridge:
/interface bridge add name=eoip-bridge
/interface bridge port add bridge=e...
by sindy
Mon Oct 11, 2021 10:03 pm
Forum: General
Topic: L2TP/IPsec does not remove dynamic IPsec entries when disabled
Replies: 3
Views: 234

Re: L2TP/IPsec does not remove dynamic IPsec entries when disabled

I'd start by upgrading from 6.47 to 6.47.10. If still the same, it's worth opening a ticket at Mikrotik support. And until they solve it, create static copies of the dynamically created IPsec configuration rows (you'll have to use different names for the named ones) and then uncheck use-ipsec=yes on...
by sindy
Mon Oct 11, 2021 9:50 pm
Forum: General
Topic: find PPPoE user vlan
Replies: 2
Views: 228

Re: find PPPoE user vlan

Run

/tool sniffer quick mac-address=mac:add:ress:of:the:user

and wait...

But that will only show you the VLAN, is that enough?
by sindy
Mon Oct 11, 2021 9:43 pm
Forum: General
Topic: Route site or ip out of the VPN [SOLVED]
Replies: 7
Views: 503

Re: Route site or ip out of the VPN [SOLVED]

Thanks but it didn't worked, and just made that ip inaccessible.
It's because Ilir probably hasn't noticed that you've got no srcnat rule except the one for out-interface=L2TP_XXXX. So you can e.g. copy that rule and change out-interface=L2TP_XXXX to out-interface=ether10 in the copy. Or instead y...
by sindy
Mon Oct 11, 2021 3:07 pm
Forum: General
Topic: Source NAT Multiple ISP
Replies: 8
Views: 503

Re: Source NAT Multiple ISP

So i want to give the IP of ISP 1 to Tenant 1. But when they surf i want them to pass through ISP 2. The maximum you can get is that you give ISP1 addresses and dst-nat rules for incoming connections to tenants who want to run servers locally, but you use ISP2's addresses for src-nat. So instead of...
by sindy
Mon Oct 11, 2021 8:16 am
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 71
Views: 12421

Re: v6.48.5 [long-term] is released!

Have you tried booting into the previous version of the bootloader by pressing the reset button before applying power? See the "reset button" manual for details.
by sindy
Sun Oct 10, 2021 11:16 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 710

Re: CRS112 and problem with vlans

I would say remove all the /interface ethernet switch config, and try the basic common configuration with bridge vlan filtering activated:
/interface bridge vlan
add bridge=bridge_szkielet vlan-ids=30 tagged=bridge_szkielet,4_omni
add bridge=bridge_szkielet vlan-ids=200 tagged=bridge_szkielet,4_omni...
by sindy
Sun Oct 10, 2021 10:17 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 710

Re: CRS112 and problem with vlans

In the egress direction, the rule has to be reversed - it must match on customer-vid=30 and assign new-customer-vid=0.
by sindy
Sun Oct 10, 2021 9:10 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 710

Re: CRS112 and problem with vlans

If you connect a Windows PC instead of the BCS and it works, the misconfiguration on the CRS 112 is in the egress direction. The thing is that the network card drivers of Windows strip any VLAN tags received. The CRS1xx/2xx manual is not really verbose regarding tag handling on egress, so maybe it i...
by sindy
Sun Oct 10, 2021 8:02 pm
Forum: General
Topic: pppoe clients with multiple ISP links
Replies: 7
Views: 642

Re: pppoe clients with multiple ISP links

Once again - it's not the load distribution as such that causes the trouble, it's the particular rules you use to distribute the traffic that make the difference. You must distribute the connections of the clients among the uplinks, otherwise you would have to use only one of the uplinks for all of ...
by sindy
Sun Oct 10, 2021 7:39 pm
Forum: General
Topic: What is the best way to mark packet in this case
Replies: 4
Views: 460

Re: What is the best way to mark packet in this case

I have 7 LANs without any bridges, if i removed src address or dst how could i mark packet upload and download in mangle?
That's why I said "if the action=mark-connection rule is the only one ever to assign the connection-mark value QUIC". Because if it is, this connection-mark value is ...
by sindy
Sun Oct 10, 2021 5:17 pm
Forum: General
Topic: What is the best way to mark packet in this case
Replies: 4
Views: 460

Re: What is the best way to mark packet in this case

If the first rule is the only one to ever assign the connection mark value QUIC, you don't need the action=mark-packet rules to also match on address-list Allowed_Users. If you remove this match condition, you save a little bit of CPU by not doing these matches. And yes, by adding connection-sta...
by sindy
Sun Oct 10, 2021 5:02 pm
Forum: General
Topic: L2TP VPN suddenly stop working
Replies: 1
Views: 262

Re: L2TP VPN suddenly stop working

activate detailed logging of IPsec: /system logging add topics=ipsec,!packet
run /log print follow-only file=l2tp-ipsec-start where topics~"ipsec"
try to connect from one of the clients, wait until it reports failure
break the /log print ... , download the file l2tp-ipsec-start.txt to you...
by sindy
Sat Oct 09, 2021 9:17 pm
Forum: General
Topic: 3rd party plugins
Replies: 3
Views: 371

Re: 3rd party plugins

A solution could be to use RouterOS scripting to deliver the information.
by sindy
Sat Oct 09, 2021 2:33 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 78
Views: 47570

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

The fact that one policy has dst-port=1701 and the other one doesn't is the key - see the last two paragraphs of chapter The root cause in the OP. I'd assume the reason in your case is that you use different client implementations. The L2TP standard says that both the client and the server bind to t...
by sindy
Sat Oct 09, 2021 11:56 am
Forum: General
Topic: Single TCP Connection issue
Replies: 3
Views: 353

Re: Single TCP Connection issue

Have you tried to sniff at the iperf server and iperf client themselves? I don't comment on CCR10xx as there indeed the concept of many relatively weak cores may affect single-stream throughput; I have in mind when testing with the CCR2xxx.
by sindy
Sat Oct 09, 2021 1:49 am
Forum: General
Topic: router behind firewall, use vpn only to manage it
Replies: 7
Views: 502

Re: router behind firewall, use vpn only to manage it

as the second router is available on internet due its public IP, the local one isn't, the providers give always a 10. class A private, so it should initiate the connection and the second one should listen about it. Does wireguard do that? From your words I suppose on 6.48.3 there isn't any other wa...
by sindy
Sat Oct 09, 2021 1:10 am
Forum: General
Topic: Single TCP Connection issue
Replies: 3
Views: 353

Re: Single TCP Connection issue

For me, all these single TCP session throughput issues always boiled down to packet loss so far - either caused merely by low quality network or by a too coarse bandwidth shaping. So watch for this at first.
by sindy
Fri Oct 08, 2021 1:37 pm
Forum: General
Topic: NP16 VLANs leaking, what am I missing?
Replies: 13
Views: 714

Re: NP16 VLANs leaking, what am I missing?

But the xSTP part is not off-topic - even if you configure access, trunk, hybrid ports as needed and ingress-filtering on all ports, the "loop" will still be detected by xSTP. So if you still want to use the 60 GHz path for some VLANs and the 5 GHz path for other VLANs simultaneously, you ...
by sindy
Thu Oct 07, 2021 11:51 pm
Forum: General
Topic: NP16 VLANs leaking, what am I missing?
Replies: 13
Views: 714

Re: NP16 VLANs leaking, what am I missing?

I second @tdw in that I don't get what is the intended behaviour. From what you describe, you've connected two bridges by two physical links (it doesn't matter much that one of them is a 60 GHz PtP one and the other one is a 5 GHz AP-to-CPE one), and you complain that STP cuts one of the connecti...
by sindy
Thu Oct 07, 2021 11:38 pm
Forum: General
Topic: NP16 VLANs leaking, what am I missing?
Replies: 13
Views: 714

Re: NP16 VLANs leaking, what am I missing?

No. Ingress filtering drops ingress frames tagged with VIDs not permitted on that port.
by sindy
Thu Oct 07, 2021 9:47 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 78
Views: 47570

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

I guess the change log *) l2tp - fixed multiple tunnel establishment from the same remote IP address (introduced in v6.47); refers to that?
I was discussing that with someone when 6.47 has been released, and Emils has stated that it was an issue of bare L2TP, without IPsec. So completely unrelated...
by sindy
Thu Oct 07, 2021 9:37 pm
Forum: General
Topic: hap mini - not enough space
Replies: 7
Views: 587

Re: hap mini - not enough space

This still does not work. Disable all packages but system, npk file does not fit. try to uninstall individual packages and says can not uninstall. It cannot uninstall them because they came in the bundled file. But it normally can replace the ones marked for use by same packages of a different vers...
by sindy
Wed Oct 06, 2021 2:54 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

right now the configs is as follows, the 10.10.5.0 address are for management only, and the are on the interfaces vlan 50 on both routers. it is not the issue. I understand this is not the issue, but to get rid of the actual issue, the configuration of the SXTs has to be changed. And since an SXT o...
by sindy
Tue Oct 05, 2021 9:36 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

I have created one bridge and added all my vlans, also associated all vlan to the bridge, Including wlan also. Unfortunately, from the last config export it seems you've totally misunderstood how the bridging configuration works in Mikrotik. I can suggest you the correct configuration, but I need a...
by sindy
Tue Oct 05, 2021 6:54 pm
Forum: General
Topic: hap mini - not enough space
Replies: 7
Views: 587

Re: hap mini - not enough space

The procedure is to disable packages you don't need (if any, this may be an issue) and reboot (maybe not absolutely necessary); then download the "additional packages" archive of 6.47.10, extract it, upload only those packages which you have left enabled; if they fit, reboot the router, an...
by sindy
Mon Oct 04, 2021 12:47 pm
Forum: General
Topic: Downgade
Replies: 2
Views: 262

Re: Downgade

After the reboot, check the log - it should explain what went wrong. I'd assume some package is missing in the 6.42 version which is enabled in the 6.47 one. Disabling that package (if safe!) before the downgrade should resolve the issue.
by sindy
Mon Oct 04, 2021 12:39 pm
Forum: General
Topic: LTE Bridge Vlan help.
Replies: 11
Views: 883

Re: LTE Bridge Vlan help.

As anticipated. You've got no /ip route configured on the LtAP, and you've got only a single /interface lte apn item defined, so the LtAP itself doesn't get its own IP address and default route from the LTE modem (I'm not sure how your mobile operator would deal with this, it works with some operato...
by sindy
Mon Oct 04, 2021 11:36 am
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

Re: vlan translation help

I'm out of ideas then.
by sindy
Mon Oct 04, 2021 11:34 am
Forum: General
Topic: Multiple VPNs but one per port
Replies: 2
Views: 277

Re: Multiple VPNs but one per port

Yes, as you've already found, the key is "policy routing" (not to be confused with IPsec policies). In short it means that you define multiple routing tables, and you use additional criteria like source address, source port, destination port, ingress interface etc. to choose a particular r...
by sindy
Mon Oct 04, 2021 11:09 am
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

Re: vlan translation help

I would say permit both VLANs at both ports.
by sindy
Mon Oct 04, 2021 10:56 am
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

Re: vlan translation help

Are both vlans (167,2607) permitted under /interface bridge vlan? The thing is that on CRS3xx, most of the switch chip configuration is inherited from the bridge configuration.
by sindy
Mon Oct 04, 2021 9:19 am
Forum: General
Topic: RSTP Root Port Issue
Replies: 2
Views: 344

Re: RSTP Root Port Issue

There cannot be a root port on a root bridge, because a root port is the one through which the root bridge is currently reachable, and there is just a single root bridge unless the network drops apart into isolated islands. Since the Netonix shows a root port and an alternate port, it is clear that ...
by sindy
Mon Oct 04, 2021 9:01 am
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

Re: vlan translation help

Developers need to read this post and respond plz
A post on the forum is not sufficient for this. You have to open a support ticket. Officially, it should even be raised via your reseller. But it can only succeed if the switch chip used supports such functionality.
by sindy
Sun Oct 03, 2021 10:52 pm
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

Re: vlan translation help

I can imagine only two possible explanations why a single rule is sufficient on the Huawei: when learning the MAC address into the forwarding table for VLAN 2607 from an ingress packet with VID 167, the switch stores a remark that the VID has to be translated from 2607 to 167 on egress the VID trans...
by sindy
Sun Oct 03, 2021 10:36 pm
Forum: General
Topic: pppoe clients with multiple ISP links
Replies: 7
Views: 642

Re: pppoe clients with multiple ISP links

In my setup I have Matrox X Series x64 Bit hardware which comes with inbuilt 5 Ports of 10G each. I only know Matrox as a graphic card vendor, but x64 and 5×10 Gbit/s interfaces indicate that packet throughput is not an issue. Load balancing have a issue that it break https connections. This gives ...
by sindy
Sun Oct 03, 2021 6:18 pm
Forum: General
Topic: 1036 and VLANs - dumb question
Replies: 2
Views: 270

Re: 1036 and VLANs - dumb question

If it is the first and last VLAN to ever be handled there:
/interface vlan
add vlan-id=1000 interface=sfp+1 name=sfp+1.1000
add vlan-id=1000 interface=sfp+2 name=sfp+2.1000
/interface bridge add name=br.1000 protocol-mode=none
/interface bridge port
add bridge=br.1000 interface=sfp+1.1000
add bridge...
by sindy
Sun Oct 03, 2021 5:22 pm
Forum: General
Topic: IPsec tunnel established but no traffic. [SOLVED]
Replies: 1
Views: 253

Re: IPsec tunnel established but no traffic. [SOLVED]

There are two (or even more) independent packet streams in IPsec - the "control session" (the IKE SA) and the "session(s) transporting the payload" (the data SA(s)). If there is a NAT somewhere between the peers, all the SAs use the same UDP stream; if there is not, the data SAs ...
by sindy
Sun Oct 03, 2021 4:54 pm
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

Re: vlan translation help

@hashbang, do you really want to translate 2607 to 167, or do you actually want to add an outer tag 167 to frames passing through the leftmost CRS from left to right on your drawing? Or do you want to insert the 167 as the inner tag, so that the outer one remained 2607? In other words, the text do...
by sindy
Sun Oct 03, 2021 4:46 pm
Forum: General
Topic: cAP AC Ventialtion Requirments?
Replies: 3
Views: 309

Re: cAP AC Ventialtion Requirments?

Strictly speaking there will be no ventilation at all, so all the air in the closet will eventually get warm enough that the temperature gradient across the thickness of the ceiling, walls, and doors will be sufficient to dissipate the max. 13 Watts of power to the ambient environment. Most of it vi...
by sindy
Sun Oct 03, 2021 4:21 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1458

Re: HW offload bridging

As said, CRS3xx can only add/remove a single tag on a single pass between ports. So provided the VLAN IDs never collide (you never get VLAN 10 in the inner tag from somewhere and VLAN 10 in the outer tag somewhere else), you can do the following to get the retagging done in hardware: /interface brid...
by sindy
Sun Oct 03, 2021 3:19 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

Well, of course it is no copy-paste job, hence my question regarding the roles of the management addresses and via which VLAN they should be accessible. I don't think there is a reason why the SXTs should be accessible from all (both here) VLANs they forward at L2.
by sindy
Sun Oct 03, 2021 2:54 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

This is a standalone manual page explaining that setup. Please also note that they use mode=bridge at one device and mode=station-bridge at the other one, whilst you've got mode=bridge on both devices. Also here, maybe it works that way in 6.30.2, but it is unlikely to work in current RouterOS vers...
by sindy
Sun Oct 03, 2021 2:21 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 25
Views: 1491

Re: GRE over IPSec stops working when PPPoE interface flaps.

As @pe1chl wrote, there may be firewall/NAT issues associated with the PPPoE flap. If there is NAT somewhere between the peers, both IKE (or IKEv2) and the transport packets use the same UDP stream, and either Mikrotik's own NATs or those on the ISP's devices may behave in an unexpected way when the...
by sindy
Sun Oct 03, 2021 2:02 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

First, RouterOS can transport VLAN-tagged frames via a wireless link without any additional encapsulation, but I hazily remember this capability became available as late as with the vlan-filtering capability of bridges in ROS 6.41 (and it is not clearly described in either the wireless manual page o...
by sindy
Sat Oct 02, 2021 7:41 pm
Forum: General
Topic: High CPU CRS354-48G-4S+2Q+
Replies: 4
Views: 378

Re: High CPU CRS354-48G-4S+2Q+

Change the setup to a single bridge with VLANs. Multiple bridges and VLANs directly attached to Ethernet interfaces cause the device to bridge in software.
by sindy
Sat Oct 02, 2021 11:36 am
Forum: RouterOS v7 BETA
Topic: v7.1rc4 [development] is released!
Replies: 240
Views: 32934

Re: v7.1rc4 [development] is released!

All VPN initiators on Mikrotik keep retrying until the connection gets up - SSTP, IPsec, L2TP... if the remote address is indicated as fqdn, the retrying includes re-resolving of the peer address from the fqdn. But that does not necessarily mean that it's the same case with Wireguard - there, the re...
by sindy
Sat Oct 02, 2021 10:52 am
Forum: General
Topic: ASK [caps-manager]
Replies: 10
Views: 759

Re: ASK [caps-manager]

can you update the wiki, saying that this features does not work for local forwarding Again, the feature is totally unrelated to local forwarding. Local forwarding sets the way how the traffic to/from the wireless clients is handled by the CAP; this feature is how the CAP gets its own configuration.
by sindy
Sat Oct 02, 2021 10:46 am
Forum: General
Topic: Blocking Routers
Replies: 11
Views: 654

Re: Blocking Routers

You can permit access only from a registered MAC address on a given port - this will cause an additional administrative load, and the customer can set the MAC address of their own router to the registered one and still connect the device from which the MAC address has been cloned behind their own ro...
by sindy
Sat Oct 02, 2021 9:42 am
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

The picture is clear, but the configuration exports from both SXTs are missing. See my automatic signature for a hint.
by sindy
Sat Oct 02, 2021 9:40 am
Forum: General
Topic: Guest wifi security configuration
Replies: 6
Views: 510

Re: Guest wifi security configuration

Everything correct except the firewall rules - the two rules you've posted are fine as such, but if they are the only rules in the filter, it makes a security hole at least in terms of the guests not being prevented from accessing the management services of the router itself. So post the complete an...
by sindy
Sat Oct 02, 2021 9:23 am
Forum: General
Topic: pppoe clients with multiple ISP links
Replies: 7
Views: 642

Re: pppoe clients with multiple ISP links

The quality of the answer depends on the quality of the question, and there's a lot missing in your question. Your router is the PPPoE server for the clients, correct? And what is the setup with the upstream ISP - can you agree on bonding the three links together with the ISP, or is it three indepen...
by sindy
Fri Oct 01, 2021 10:27 pm
Forum: General
Topic: ASK [caps-manager]
Replies: 10
Views: 759

Re: ASK [caps-manager]

To give you a practical example where that /ip dhcp-server network parameter is useful - imagine there is a CAPsMAN somewhere, there is a CAP somewhere else, and there is a DHCP server, from which the CAP gets its IP address and other configuration. And the CAP asks this DHCP server for a CAPsMAN ad...
by sindy
Fri Oct 01, 2021 9:54 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1357

Re: Combining two routers

Torch is very useful, but correct me if I'm wrong, it only can see packets coming into the router on a specified interface, and not packets leaving the router on a specified interface. Torch shows both directions on an interface, but its notion of "in" and "out" may be confusing...
by sindy
Fri Oct 01, 2021 9:03 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1357

Re: Combining two routers

I did create a confusion that got brought up earlier in that LAN 200 IS actually the DSL (now fiber) WAN interface. Obviously Sindy assumed (reasonably) that LAN 200 was just another one of the LANs. Exactly. Conclusion: you're much better in reading my mind than I am in reading yours :D It's these ...
by sindy
Fri Oct 01, 2021 8:12 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 191
Views: 153983

Re: Using RouterOS to VLAN your network

I really wish Mikrotik wouldn't have chosen the name bridge for the switch-like grouping of ports AND for the Layer 3 (CPU-Port) capabilities. It is very confusing.
@iegg, please have a look at this post and tell me whether it helps remove some of that confusion.
by sindy
Fri Oct 01, 2021 3:34 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 191
Views: 153983

Re: Using RouterOS to VLAN your network

Please create a new topic for this, preferably in the General subforum.
by sindy
Fri Oct 01, 2021 3:20 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1357

Re: Combining two routers

@anav, I've come across a tutorial on cultural differences (on LinkedIn I suppose, but don't remember exactly) - in some cultures, people expect first the explanation of the reasons and then a suggestion of the solution, whilst on others, they want to hear the solution first and then the reasons tha...
by sindy
Fri Oct 01, 2021 12:03 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1357

Re: Combining two routers

This looks funny to me. /ip route rule add action=lookup-only-in-table interface=E10-Fiber table=via-FO It's what Sindy recommended above. I actually haven't recommended that, but it needs a deeper explanation. In firewall rules, you can match on both in-interface(-list) and on out-interface(-list)...
by sindy
Thu Sep 30, 2021 11:20 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 826

Re: An easy routing question [SOLVED]

So a routing entry with routing-mark is prioritized over another one without routing-mark, even if both have the same dst-address and distance? You can put it this way - it is not exactly "priority" in this case but yes, if a packet has routing-mark X and a route with routing-mark X exist...
by sindy
Thu Sep 30, 2021 10:01 pm
Forum: General
Topic: Public IP instead of private IP as Peer ID in IPSEC tunnel
Replies: 3
Views: 358

Re: Public IP instead of private IP as Peer ID in IPSEC tunnel

By default, RouterOS generates the ID automatically, depending on the authentication type and other circumstances.

To set your public IP rather than the private one as your ID, set my-id=address:the.pub.lic.ip on the respective /ip ipsec identity row.
by sindy
Thu Sep 30, 2021 9:57 pm
Forum: General
Topic: Public IP instead of private IP as Peer ID in IPSEC tunnel
Replies: 3
Views: 358

Re: Public IP instead of private IP as Peer ID in IPSEC tunnel

Unless you've obfuscated them manually, delete your config export immediately and post it without the secret values on /ip ipsec identity rows.
by sindy
Thu Sep 30, 2021 9:54 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 826

Re: An easy routing question [SOLVED]

The distance parameter is only used to set mutual priority of routes with identical dst-address and identical routing-mark values. If several such routes exist, and their gateway interfaces are up, only the one with lowest value of distance is made active.
by sindy
Thu Sep 30, 2021 9:33 pm
Forum: General
Topic: ASK [caps-manager]
Replies: 10
Views: 759

Re: ASK [caps-manager]

That setting is unrelated to local-forwarding or to any settings of the CAPsMAN-controlled operation. It just tells the DHCP server "if the client asks you for the address of a CAPsMAN server, tell it this value". Normally, the only clients to ask for this field (DHCP option) will be the C...
by sindy
Thu Sep 30, 2021 9:23 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

From what I can see in your mangle rules: 0 action=accept chain=prerouting connection-mark=no-mark connection-state=established,related 1 action=accept chain=prerouting connection-state=established,related in-interface-list=incoming 2 action=mark-routing chain=prerouting connection-mark=ipsec-site2s...
by sindy
Thu Sep 30, 2021 8:15 pm
Forum: General
Topic: Compress EoiP Tunnel
Replies: 4
Views: 606

Re: Compress EoiP Tunnel

If you'd be using the EoIP tunnel only for IP traffic, why would you need an EoIP tunnel?

To answer your question, packing should work, as an EoIP interface is like any other L2 interface from this perspective.
by sindy
Thu Sep 30, 2021 2:57 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1458

Re: HW offload bridging

Tag should not be modified. It should bridge the interfaces together. GW side is only single tagged VLANs. So why does the picture indicate a trunk with VLANs 111 and 222 towards the GW? Again - when a frame arrives as v600.10 from the customer trunk, how should it be sent to the GW trunk? v111.600...
by sindy
Wed Sep 29, 2021 9:38 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Just post the full output of /export hide-sensitive after substituting public IPs and usernames in /ppp secret section. You can also remove static dhcp leases. Certificates and user names are not part of export even without hide-sensitive . The thing is that you never know where the issue is hidden....
by sindy
Wed Sep 29, 2021 9:34 pm
Forum: General
Topic: TCP port forwarding not working
Replies: 9
Views: 705

Re: TCP port forwarding not working

If the machine was ever exposed to internet without the "drop everything except established/related and icmp" rules in filter/input, I'd even recommend to netinstall it, not just upgrade. In the past (6.4x, so even newer versions than your 6.30.2), there used to be vulnerabilities that all...
by sindy
Wed Sep 29, 2021 9:11 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Show me the complete anonymized configuration from TIK0. As adding the route to phone's address at TIK1 was enough to make the responses reach TIK0, the idea with another IPsec policy at TIK0 is clearly not the answer, so it must be some misconfiguration of the firewall at TIK0.
by sindy
Wed Sep 29, 2021 8:50 pm
Forum: General
Topic: TCP port forwarding not working
Replies: 9
Views: 705

Re: TCP port forwarding not working

RouterOS 6.30.2??? Are you joking? Leaving all the security issues aside, no one here remembers what all has been fixed since then. So you may be hunting for a bug that has been solved years ago.
by sindy
Wed Sep 29, 2021 6:35 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Although, I have the intention that I won't need mangles: ... I've validated this, my packets are going back and forth, without adding any mangle-rules into TIK1 . Well - you've said before you wanted something "future-proof", i.e. something that would work even if you change the IP addre...
by sindy
Wed Sep 29, 2021 6:04 pm
Forum: General
Topic: Bridging VLANs only (and not untagged traffic)
Replies: 3
Views: 422

Re: Bridging VLANs only (and not untagged traffic)

When vlan-filtering is set to yes on the bridge, you can set frame-types on the individual /interface bridge port rows to admit-only-vlan-tagged . When vlan-filtering is set to no on the bridge, you can use /interface bridge filter rules to drop packets not matching mac-protocol=vlan .
by sindy
Wed Sep 29, 2021 2:34 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1458

Re: HW offload bridging

I understand the customer side part, but you haven't shown the complete tag stack at the GW side.

A frame that came with v600.10 from the customer should go to the GW as v111.600.10 or as v111.10?
by sindy
Wed Sep 29, 2021 11:11 am
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 25
Views: 1491

Re: GRE over IPSec stops working when PPPoE interface flaps.

I tried on one site but I have the same issue! Could it mean that I have some issue on the HQ firewall? ... The only difference is that in the other environments the GRE-IPIP tunnel is not the default gateway in the BO: is it possible that this causes the issue? Hopefully one of these is the reason, other...
by sindy
Wed Sep 29, 2021 10:54 am
Forum: General
Topic: load balance l2tp ExpressVPN
Replies: 8
Views: 720

Re: load balance l2tp ExpressVPN

It is normal that it gets disconnected, but it should re-connect again. The source address you set must be up on the router, is it? The action=src-nat (or action=masquerade ) rules in nat and action=mark-routing rules in mangle , or instead rules in /ip route rule , must exist in order that it worke...
by sindy
Wed Sep 29, 2021 9:15 am
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

The statement regarding the mangle marks being virtual and not being added to the actual packet data is absolutely correct, but you miss some information. The stateful firewall is built around a key component called connection tracker (conntrack module of Linux netfilter). This component maintains a...
by sindy
Tue Sep 28, 2021 5:24 pm
Forum: General
Topic: 2 PPOE Server Links in a Single Line
Replies: 2
Views: 397

Re: 2 PPOE Server Links in a Single Line

If it's really just 4 users in total and not just a simplified example, you can use bridge filter rules or even switch chip rules to forward traffic from each user to the corresponding ISP-facing port and to prevent traffic from leaking between the two ISP-facing ports. The latter is critical, other...
by sindy
Tue Sep 28, 2021 5:21 pm
Forum: General
Topic: Failover Single PPPoE
Replies: 3
Views: 393

Re: Failover Single PPPoE

It depends on the configuration of the remote end - is the same RAS accessible via both links? One architecture I could imagine would be that the ISP would have a switch with STP and would expect you to have one too, and both your local bridge and the ISP's switch would prefer the optical link when ...
by sindy
Tue Sep 28, 2021 5:08 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

It's just one of the components of the complete setup. You also need another mangle rule, assigning a routing-mark (in fact, a routing table name) to packets sent from LAN side depending on the connection-mark value, and the routing table itself, typically consisting of just a single default route v...
by sindy
Tue Sep 28, 2021 4:27 pm
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 962

Re: Wireguard Server behind different router / gateway

- make sure the "server"-port is THE SAME for peers on both server and client side. From your config above it seems this was not the case. To be precise - packets sent by router A to a configured "endpoint IP and port" must reach router B's "listen port", or packets se...
by sindy
Tue Sep 28, 2021 3:51 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

The essence of the setup outlined in the post I've linked is "send the response packets of a connection via the same interface through which the initial request of that connection has arrived to you", and it doesn't matter much whether that interface is a real WAN or a tunnel. So at the ro...
by sindy
Tue Sep 28, 2021 3:02 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1458

Re: HW offload bridging

OK, so show the complete tag stack coming from/expected to be sent to the customer-facing ports, and the complete tag stack coming from/expected to be sent to the server-facing ports. The drawing didn't suggest anything about QinQ.
by sindy
Tue Sep 28, 2021 2:59 pm
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 962

Re: Wireguard Server behind different router / gateway

Maybe I just didn't get your OP right when you wrote that the traffic is trapped in the Audience? My feeling was that Umbra can ping 192.168.66.1, which would prove the tunnel itself to be working all right (which the configurations suggest), but it cannot get anywhere else. If that's the case, make ...
by sindy
Tue Sep 28, 2021 2:46 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 25
Views: 1491

Re: GRE over IPSec stops working when PPPoE interface flaps.

@pe1chl, unfortunately the PITA the OP has described exists in addition to the two you've mentioned. I've done all my homework to work these around (exemption of GRE from "drop invalid", measures to make sure that IPsec recovers from an interruption/restart of a mid-path router properly, f...
by sindy
Tue Sep 28, 2021 12:52 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 25
Views: 1491

Re: GRE over IPSec stops working when PPPoE interface flaps.

Meanwhile I opened a case with Mikrotik and I sent this thread... let's see what happen
So to contribute - if I remember right, I had this problem when CHR was at one end and RB1000AHx4 at the other one.
by sindy
Tue Sep 28, 2021 12:12 am
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 962

Re: Wireguard Server behind different router / gateway

What I can see is that the Audience is a DHCP client, so the Fritzbox is most likely the default gateway on the LAN. So unless the Fritzbox tells its other DHCP clients that the gateway of the route to 192.168.66.0/24 is the IP address of the Audience, they send responses to requests coming from Umb...
by sindy
Mon Sep 27, 2021 11:35 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

So I'm considering something more elegant. Like some masq, or srcnat in TIK0? Or anything? Do you maybe have some ideas on this? How is this to be solved elegant in MikroTik's beautiful world? :) The solution is included in this post . Start reading it from the last paragraph, which explains the re...
by sindy
Mon Sep 27, 2021 11:32 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Actually, if I check "myip" from Android during VPN, I can see TIK's public address. So I believe it all goes through VPN, just I had some fear because of the packet logs. Yes, all goes through VPN, except traffic to the public address of the responder (VPN server). So you are saying, tha...
by sindy
Mon Sep 27, 2021 10:25 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

There is a common problem - when the VPN tunnel becomes the default gateway for the VPN client, you have to make sure that it is not used for routing the transport packets, for obvious reasons. And whilst on Mikrotik, you must take care about this manually for all types of VPN except bare IPsec wher...
by sindy
Mon Sep 27, 2021 9:13 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

Okay... let's do another thing then, set the port parameter on the /ip ipsec peer row at the client to 500, and sniff at both the server and the client with port=500 (still with IKEv2, not L2TP/IPsec). What's the result?
by sindy
Mon Sep 27, 2021 9:00 pm
Forum: General
Topic: Port forwarding dual wan, replies get sent over wrong wan
Replies: 5
Views: 452

Re: Port forwarding dual wan, replies get sent over wrong wan

@CappyT, maybe have a look at this post and start reading it from the last paragraph, which links it to your context.
by sindy
Mon Sep 27, 2021 8:56 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

If so, and since the whole exercise is only for evaluation of sha512, leave it as it is, just be ready that the CHR may start sending tons of spam somewhere. And revert back to investigation why packets to port 500 do make it through whilst packets to port 4500 don't. When you enable the peer & ...
by sindy
Mon Sep 27, 2021 8:52 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1458

Re: HW offload bridging

what kind of connection do you mean An external patchcord. To "map" two VIDs to one in hardware, the only thing you can do on a CRS3xx is to untag the frame on one pass through the switch, and tag it again with the other VID on another pass. You can map a single VID to another single one ...
by sindy
Mon Sep 27, 2021 8:45 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

Should I tell the guy for netinstall or just do it myself, I mean cause it's on the vmware after resetting am I gonna be able to access it? If it's on a VMware you can manage, just delete the VM and deploy it again from the template, but do not connect the internet-facing interface before you set u...
by sindy
Mon Sep 27, 2021 8:17 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1458

Re: HW offload bridging

Depending on the port it came through ...
Yes, but that only works if there is a separate port for each VLAN.
by sindy
Mon Sep 27, 2021 8:11 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

OK, so I have swapped the roles of the routers when checking the configurations, and the one without a firewall is actually the server one, with the public IP directly on itself. Great. The right thing to do would be to disconnect it from the internet, netinstall it with the default configuration, r...
by sindy
Mon Sep 27, 2021 7:58 pm
Forum: Beginner Basics
Topic: Hex s redirect traffic or port forwarding
Replies: 23
Views: 1256

Re: Hex s redirect traffic or port forwarding

So all of dst-nat rules will always get executed way earlier than any of src-nat rules. ... regardless their position in the configuration - only the order within each chain matters. So even if you create this mess: chain=srcnat rule 1 chain=srcnat rule 2 chain=dstnat rule 1 chain=srcnat rule 3 cha...
by sindy
Mon Sep 27, 2021 7:52 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

Now wait - the server has a public IP on itself after all? If so, no port-forwarding is necessary at its side. Sorry, too many similar topics. L2TP client should send packets to port 500 on the server's address; IKEv2 initiator should send packets to port 4500. Both should be shown by the sniffer. Y...
by sindy
Mon Sep 27, 2021 7:06 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

OK, the title says IKEv2 but we've silently moved to L2TP. Never mind, just run /tool sniffer quick port=500 on the server, and try connecting from the client. If it shows nothing, the problem is not in the server-side Mikrotik but most likely on the router(s?) standing between that Mikrotik and the...
by sindy
Mon Sep 27, 2021 6:55 pm
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 962

Re: Wireguard Server behind different router / gateway

Since you can reach at least something on the remote side via the wireguard tunnel, you don't need to bother about the Fritzboxes and the Internet any more - all the remaining issues are related to the wireguard configuration and the firewall. So you'll have to post the exports from both Mikrotik de...
by sindy
Mon Sep 27, 2021 6:46 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1458

Re: HW offload bridging

@Zacharias, the setup is not simple at all. According to the picture, @hmortensen wants the switch to translate VLAN tags - what comes tagged with VID 10 or VID 20 is expected to leave with VID 111, and what comes tagged with VID 30 or VID 40 is expected to leave with VID 222. Worse, in the opposite...
by sindy
Mon Sep 27, 2021 6:34 pm
Forum: General
Topic: RB4011 Slow Inter-VLAN Routing
Replies: 24
Views: 1304

Re: RB4011 Slow Inter-VLAN Routing

If I do 1Gbe ports, will the VLAN switching happen on the bridge or back to the CPU? Where? On the 4011? "VLAN switching" means L2 forwarding within the same VLAN, so it is irrelevant for inter-VLAN routing, where the CPU has to strip the VLAN tag of the source VLAN to get to the IP packe...
by sindy
Mon Sep 27, 2021 6:25 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 25
Views: 1491

Re: GRE over IPSec stops working when PPPoE interface flaps.

Would it be too painful for you to change the tunnels from GRE to IPIP? The thing is that at least since a fix of some GRE-related vulnerability somewhere in 6.45.x, the issue you describe exists, plus only on some CPU architectures to make it even more entertaining. I've migrated all my affected tu...
by sindy
Mon Sep 27, 2021 6:07 pm
Forum: General
Topic: Issues with WiFi/VLAN config
Replies: 5
Views: 628

Re: Issues with WiFi/VLAN config

Correct ip pool = correct vlan right? Since the client can only reach the correct DHCP server if it lands in the correct VLAN, yes, this is a correct assumption. Just for the sake of completeness, exceptions exist - if you create a static lease for a particular MAC address and do not restrict it to...
by sindy
Mon Sep 27, 2021 5:48 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

How can I check if (UDP port 4500) is open on both sides? cause on my client I cannot connect with L2TP to server On the server, run /tool sniffer quick port=4500 while trying to connect from the client. If you can see something to come, the port forwarding outside the Mikrotik works fine. But with L2...
by sindy
Mon Sep 27, 2021 4:00 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

The group value default is wrong at both, unless you've changed also the policy template group on the identity row to default . According to the configurations you've posted, it should be My group . In fact, the group parameter is useless for a non-template policy, so as you've converted a static po...
by sindy
Mon Sep 27, 2021 3:39 pm
Forum: Beginner Basics
Topic: Hex s redirect traffic or port forwarding
Replies: 23
Views: 1256

Re: Hex s redirect traffic or port forwarding

You can make firewall rules log some headers of the packets they have processed, but in this type of investigation, it is usually either enough to look at the counters on firewall rules, or even their logs are insufficient and you need packet sniffing. In the unlikely event that the suggestion of @mk...
by sindy
Mon Sep 27, 2021 1:28 pm
Forum: General
Topic: Bridge "Distance" vs Static Route
Replies: 11
Views: 1199

Re: Bridge "Distance" vs Static Route

Adding ether1 to interface list LAN should only change the behaviour if you didn't have the default "accept established" rule in the firewall. But if this was the reason, you would still see the response at ether1, the firewall would just not allow it to get further. So if you can see the ...
by sindy
Mon Sep 27, 2021 12:10 pm
Forum: General
Topic: Frequent Disconnections
Replies: 2
Views: 398

Re: Frequent Disconnections

is there an ez way and $free to get a CA and so I can redirect to a secured site https// ? "Let's encrypt" certificates are free, and it seems that ROS 7 even supports them natively (i.e. you don't need an external PC to get and renew the certificate). But if you intend to use it to redire...
by sindy
Mon Sep 27, 2021 11:34 am
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

You have combined multiple configuration methods that don't play well with each other. Namely: at the initiator ("client") side, you use mode-config and generate-policy different from no on the /ip ipsec identity row but at the same time you have a static policy linked to the peer, and the...
by sindy
Mon Sep 27, 2021 10:33 am
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1357

Re: Combining two routers

That is similar to what I had in mind. Slightly different implementation. I had assumed using a routing mark in firewall mangle. Do I need to do similar set of rules for the 100 series LANs to make sure they only use the Spectrum cable internet? Whatever doesn't explicitly get a routing-mark will u...
by sindy
Mon Sep 27, 2021 9:30 am
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

It is strange that it worked for a few years without any problems. This is not as strange as the fact that it worked when you tested IPsec alone at the time when the EoIP already had problems. Maybe some other router is interfering on the same channels now... /interface wireless scan wlan1 backgrou...
by sindy
Sun Sep 26, 2021 10:31 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1357

Re: Combining two routers

Neither router has a bridge configured and since I am only using the routers as routers and all switch functions are done in the CSS326, I don't believe there is any advantage to adding a bridge to the router. There isn't. Just loosely related (i.e. not a reason to add a bridge), I don't know why y...
by sindy
Sun Sep 26, 2021 9:34 pm
Forum: General
Topic: Issues with WiFi/VLAN config
Replies: 5
Views: 628

Re: Issues with WiFi/VLAN config

- WiFi devices can not communicate with each other (client to client forwarding is enabled, and they are on the same vlan [based on ip given]) I cannot remember controlling client-to-client-forwarding by caps-man access-list anywhere so far, so maybe try to permit it in general (set the respective ...
by sindy
Sun Sep 26, 2021 9:07 pm
Forum: General
Topic: Strange network problem
Replies: 1
Views: 315

Re: Strange network problem

Both suggestions may be just cargo cult: I've seen Mikrotik/ESXi interworking issues to be solved by disabling STP on Mikrotik's bridge ( protocol-mode=none ). Of course you can only disable STP if there are no potential loops in your topology. I've seen setting all items under /interface detect-int...
by sindy
Sun Sep 26, 2021 7:15 pm
Forum: General
Topic: DDOS suspect ? [SOLVED]
Replies: 13
Views: 961

Re: DDOS suspect ? [SOLVED]

But if that device is potentially compromised whether it might be reasonable to set it aside for further analysis? If you can afford that because you've got another router you can use in the meantime, it might be helpful - it's up to Mikrotik support to say whether they are interested. If you canno...
by sindy
Sun Sep 26, 2021 2:27 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

Okay, so it means it was caused by the Dummkopf protection. Therefore,
/ip ipsec policy add copy-from=[find src-address=0.0.0.0/1] src-address=128.0.0.0/1
is the remaining step in that direction, to cover the other half of the internet.
by sindy
Sun Sep 26, 2021 2:02 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

OK, so as the first step, replace 0.0.0.0/0 in the src-address of the policy on Router A by 0.0.0.0/1 . If that helps, we may move further in that direction, otherwise disable that added policy at Router A, do /system logging add topics=ipsec,!packet at Router B, run log print follow-only file=ipsec...
by sindy
Sun Sep 26, 2021 12:44 pm
Forum: General
Topic: DDOS suspect ? [SOLVED]
Replies: 13
Views: 961

Re: DDOS suspect ? [SOLVED]

As the problem persists even though you have restarted the router with just the default firewall rules you've shown above, and even though the WAN interface is not by mistake a member of the /interface list LAN, I'm afraid your router may have been infected by malware due to the fact that you previo...
by sindy
Sun Sep 26, 2021 11:43 am
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

IPSEC tunnel is getting killed and the error message in log: ipsec,error responder selectors does not match my policy What does the log say at the same time on Router B? And show me the output of /ip ipsec policy export from RouterB. It can either be caused by a policy template misconfiguration at ...
by sindy
Sun Sep 26, 2021 1:17 am
Forum: General
Topic: DDOS suspect ? [SOLVED]
Replies: 13
Views: 961

Re: DDOS suspect ? [SOLVED]

That's one of the many drawbacks of posting screenshots rather than text export. The drop rules you've moved match specifically on connection-state=new , so if such a stream already exists, they cannot break it even if placed before the "accept established" one. Remove that match condition...
by sindy
Sun Sep 26, 2021 12:10 am
Forum: General
Topic: Public AP behind p2p bridge
Replies: 5
Views: 464

Re: Public AP behind p2p bridge

The community centre is not a 'Public' subnet in the sense that it's got public IP addresses or publicly available services. It's public in the sense that it'll allow guest access to untrusted devices. Devices which I obviously don't want to be able to connect to the internal services in my house :...
by sindy
Sat Sep 25, 2021 11:59 pm
Forum: General
Topic: DDOS suspect ? [SOLVED]
Replies: 13
Views: 961

Re: DDOS suspect ? [SOLVED]

And these drop rules have been always there? Since they are placed even before the "accept established" one, they should be sufficient to prevent such an attack even if it started before the rules have been added. Can you export your configuration and anonymize it as per my automatic signa...
by sindy
Sat Sep 25, 2021 11:39 pm
Forum: General
Topic: DDOS suspect ? [SOLVED]
Replies: 13
Views: 961

Re: DDOS suspect ? [SOLVED]

Your screenshot shows a good deal of the traffic comes to UDP port 53 of your router. This typically happens when you let the router process and respond DNS queries coming from the WAN - most often this is a consequence of missing or incorrect firewall rules. The attacker sends a small DNS query pac...
by sindy
Sat Sep 25, 2021 11:23 pm
Forum: General
Topic: Connecting Private ip to a Public ip without nat [SOLVED]
Replies: 14
Views: 861

Re: Connecting Private ip to a Public ip without nat [SOLVED]

The only reason why you would need to assign the 41.xx.xx.xx addresses to the router itself would be if the ISP router had an address from 41.xx.xx.144/29 too, but it doesn't. So there is the route dst-address=41.xx.xx.144/29 gateway=172.15.55.2 on the ISP router; when the ISP router needs to delive...
by sindy
Sat Sep 25, 2021 10:56 pm
Forum: General
Topic: Connecting Private ip to a Public ip without nat [SOLVED]
Replies: 14
Views: 861

Re: Connecting Private ip to a Public ip without nat [SOLVED]

Forget about ARP, it plays no role there. You can sniff on the WAN, you'll only see ARP asking for 172.xx.xx.xx, and the packets for 41.xx.xx.xx will come with dst-mac of your WAN port if you ping them from the outside. Also, do NOT assign the 41.xx.xx.xx to any interface, it's not needed. The NAT r...
by sindy
Sat Sep 25, 2021 10:41 pm
Forum: General
Topic: Connecting Private ip to a Public ip without nat [SOLVED]
Replies: 14
Views: 861

Re: Connecting Private ip to a Public ip without nat [SOLVED]

I did want to know if the top solution works to make all the five ips work on the same router ... Ah, OK. In that case, you don't need to assign the 41.xx.xx.xx addresses to any interface on the central router at all, the NAT rule(s) alone will be sufficient. On the PPPoE links, the CHRs will get ...
by sindy
Sat Sep 25, 2021 10:17 pm
Forum: General
Topic: Connecting Private ip to a Public ip without nat [SOLVED]
Replies: 14
Views: 861

Re: Connecting Private ip to a Public ip without nat [SOLVED]

vlan-isp interface=ether1-WAN ip address 172.××.××.××/30 interface=vlan-isp //our public ips 41.××.××.146/30 interface=vlan-isp internet=41.××.××.144 41.××.××.147/30 interface=vlan-isp internet=41.××.××.144 41.××.××.148/30 interface=vlan-isp internet=41.××.××.144 41.××.××.149/30 interface=vlan-isp ...
by sindy
Sat Sep 25, 2021 8:39 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc4 [development] is released!
Replies: 240
Views: 32934

Re: v7.1rc4 [development] is released!

That's why this is DEVELOPMENT channel and we are a test rabbit :)
(except SiB who is a test panda)
by sindy
Sat Sep 25, 2021 8:38 pm
Forum: General
Topic: Connecting Private ip to a Public ip without nat [SOLVED]
Replies: 14
Views: 861

Re: Connecting Private ip to a Public ip without nat [SOLVED]

I am lost right from the beginning. You freely mix subnets and VLANs, and you say the ISP gives you IPs and a VLAN, and you say the 5 IPs are routed to the VLAN, so a total mess. One possibility is that your router shares with your ISP a /29 subnet, so there is one network address (which cannot be u...
by sindy
Sat Sep 25, 2021 6:12 pm
Forum: General
Topic: Connecting Private ip to a Public ip without nat [SOLVED]
Replies: 14
Views: 861

Re: Connecting Private ip to a Public ip without nat [SOLVED]

I want to know how I can connect private ip with public ip without using nat This is not a problem in a private network where some addresses are public and some are private if all the routers in that network have routes to both. But any traffic sent from private IPs towards public IPs outside this ...
by sindy
Sat Sep 25, 2021 6:05 pm
Forum: General
Topic: Public AP behind p2p bridge
Replies: 5
Views: 464

Re: Public AP behind p2p bridge

So if I get you correctly, you've got a public subnet on the uplink from the ISP, and you want to extend that public subnet all the way to the community centre via the P2P link, whilst there is one more hAP ac2 between the one connected to the uplink and the SXTsq at your end? If so, VLANs are one po...
by sindy
Sat Sep 25, 2021 5:29 pm
Forum: General
Topic: PPPoE does not reconnect automatically. Have to restart router everytime.
Replies: 4
Views: 499

Re: PPPoE does not reconnect automatically. Have to restart router everytime.

The PPPoE client normally does reconnect automatically. So something is wrong. You could use a script to disable and re-enable the PPPoE client interface if you lose connectivity, but it would be a workaround and normally it should not be necessary. As a first step, post an anonymized export of your...
by sindy
Sat Sep 25, 2021 11:30 am
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

could you please elaborate ? I think this is all I need. OK. Remove ether4 from the bridge at Router B, assign an address to it, like 192.168.77.1/24, and either assign 192.168.77.2/24 manually to Device B with 192.168.77.1 as a default gateway, or set up the complete /ip dhcp-server stuff at Route...
by sindy
Sat Sep 25, 2021 12:21 am
Forum: General
Topic: Loss of connection continuously with LtAP LTE6 kit
Replies: 15
Views: 794

Re: Loss of connection continuously with LtAP LTE6 kit

1. as you say you have tried different SIMs, were these from the same operator or from different operators? 2. as @gabacho4 suggests, it may actually not be an LTE issue but some weird behaviour of the ISP. So when "internet doesn't work", what does /interface lte info 0 show? And when it ...
by sindy
Fri Sep 24, 2021 10:34 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Other question with the DH mismatch would be still interesting though. According to the log, the Android proposes multiple DH groups in each Phase 1 proposal, one of which is not recognized by the RouterOS IPsec stack. So RouterOS accepts the proposal, but complains one more time about that. You ca...
by sindy
Fri Sep 24, 2021 6:40 pm
Forum: General
Topic: Ip cloud behind "gray" IP
Replies: 3
Views: 449

Re: Ip cloud behind "gray" IP

Your English is fine, it's just your choice of terms that gives a hint regarding your native language :) The issue with those tunneling solutions is that they are expensive - to get acceptable round-trip times, you need to run tunneling servers in multiple hostings around the world. So if you have m...
by sindy
Fri Sep 24, 2021 3:30 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Well... the policy with a /24 at dst-address is a template, but I admit I never dug deep into what happens if the responder has to suggest a TS first because the initiator doesn't. So you may want to reduce the pool to a single address and set the same address as a /32 in the template, to a) verify ...
by sindy
Fri Sep 24, 2021 1:03 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Here is the complete log: ... I couldn't figure out what goes really wrong, thank you so much for your help! What goes wrong is clear - this: responder selector: 192.168.200.0 /24 . The phone should get a single address from the pool via mode-config (or rather its IKEv2 equivalent to be precise). W...
by sindy
Fri Sep 24, 2021 11:05 am
Forum: General
Topic: 2 MT routers, but one having problems with internet [SOLVED]
Replies: 9
Views: 620

Re: 2 MT routers, but one having problems with internet [SOLVED]

I was just thinking there has to be a way to make an address list for IoTs and make them all static will solve it!!
There is - https://wiki.mikrotik.com/wiki/Manual:I ... P_Bindings . But it is an additional management burden as compared to splitting the networks.
by sindy
Fri Sep 24, 2021 10:28 am
Forum: General
Topic: 2 MT routers, but one having problems with internet [SOLVED]
Replies: 9
Views: 620

Re: 2 MT routers, but one having problems with internet [SOLVED]

Should we assume you are using the hotspot functionality of RouterOS? If so, do you really need the wired devices you named to share the same subnet/L2 segment with the wireless devices that you want to only get access to the internet after login? I mean, there are some home automation devices that ...
by sindy
Fri Sep 24, 2021 9:44 am
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

we did together long time ago: https://forum.mikrotik.com/viewtopic.php?t=160805. The notification about your update to that thread from this July never made it to my mailbox. I assume you've resolved it? I have no idea about UDP1025, this is not forwarded on ISP's router to Tik. It's a source port...
by sindy
Thu Sep 23, 2021 10:12 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

@erkexzcx, if I understand it correctly (no own experience so far), latest Androids support IKEv2 natively, i.e. you don't need to install Strongswan. The screenshots from the OP suggest that that's what he's dealing with here - the graphics does not resemble the one of the Strongswan app.
by sindy
Thu Sep 23, 2021 10:07 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

what is interesting, is that the packet size is now different - on Router B the largest packet is 770, on Router A - 1514 so, somewhere MTU is different ? I have no clue whether this happens due to different MTU as such, but something on the path between the routers indeed does fragment the packets...
by sindy
Thu Sep 23, 2021 6:35 pm
Forum: General
Topic: Loss of connection continuously with LtAP LTE6 kit
Replies: 15
Views: 794

Re: Loss of connection continuously with LtAP LTE6 kit

Make sure that you don't lose power for some time (a UPS or just a set of batteries should be sufficient), and repeat the same command with upgrade=yes, praying intensively and sincerely :)
by sindy
Thu Sep 23, 2021 6:11 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

I have exported the certificates (both ca and both the client) from winbox, in PKCS format, and providing a passphrase. You should not have exported the CA certificate using the passphrase, as the private key of the CA should never leave the CA. But this is "only" a security issue (anyone...
by sindy
Thu Sep 23, 2021 5:14 pm
Forum: General
Topic: Loss of connection continuously with LtAP LTE6 kit
Replies: 15
Views: 794

Re: Loss of connection continuously with LtAP LTE6 kit

First question, what does /interface lte firmware-upgrade 0 upgrade=no show?
by sindy
Thu Sep 23, 2021 5:12 pm
Forum: General
Topic: 2 MT routers, but one having problems with internet [SOLVED]
Replies: 9
Views: 620

Re: 2 MT routers, but one having problems with internet [SOLVED]

Not enough info. Are you trying both routers on the same internet uplink or on different ones? If on the same one, are you sure that the ISP doesn't lock the connection to a particular MAC address/client ID? On the hAP ac2, does the WAN interface come up at physical level? If yes, /system logging ad...
by sindy
Thu Sep 23, 2021 12:21 am
Forum: General
Topic: Problems With 5060 Sip Wildixin
Replies: 3
Views: 507

Re: Problems With 5060 Sip Wildixin

1) Missing dst-address=<WAN_PUBLIC_IP> on all rules yes, but he's got in-interface=ether1 , so the absence of dst-address=<WAN_PUBLIC_IP> doesn't break anything 2) I work with VoIP from 2010 and every time SIP ALG IS ON, without using stun and proxy, never a problem. SIP ALG is great if phones are a...
by sindy
Wed Sep 22, 2021 11:53 pm
Forum: General
Topic: problems about VPN connection over multi-ISP
Replies: 1
Views: 304

Re: problems about VPN connection over multi-ISP

It is possible to set up two L2TP clients on the same router to connect to the same remote server, each via another WAN. Doing so involves use of the src-address parameter of the /interface l2tp-client row, and use of policy routing that takes source address into account when choosing a route. But y...
by sindy
Wed Sep 22, 2021 11:46 pm
Forum: General
Topic: Problems With 5060 Sip Wildixin
Replies: 3
Views: 507

Re: Problems With 5060 Sip Wildixin

Post the export of the complete configuration, there may be filter rules that break it. An unrelated remark: don't use to-ports in the NAT rules unless you need to change the port. With dst-port=1234 to-ports=1234 , it is just a waste of CPU but nothing bad happens; with dst-port=10000-15000 to-port...
by sindy
Wed Sep 22, 2021 11:12 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 23
Views: 1124

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

Actually there are 3 possibilities EoIP tunnel, IP tunnel and GRE tunnel, I am using GRE is there any important differences or recommendations which one to prefer? IPIP (IPencap) tunnel has the least overhead of the three. If you encrypt it using IPsec in transport mode, it has the same overhead as ...
by sindy
Wed Sep 22, 2021 10:16 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 23
Views: 1124

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

Something like this?
Yes, both of us came to the same conclusion/solution, let's wait for the OP's reaction :)
by sindy
Wed Sep 22, 2021 10:07 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 23
Views: 1124

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

OK, I start getting it. When you mentioned You can say, that I should use public just for this server, but I can not to afford it because I have only one public IP and need it for several other purposes. it didn't come to my mind that you were talking about assigning the public IP directly to the we...
by sindy
Wed Sep 22, 2021 8:33 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 23
Views: 1124

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

I still don't get what your expectations are and why the additional selectivity of the dstnat rule is not sufficient. My understanding was that requests coming from the internet via WAN outside any VPN tunnel should be redirected to a particular web server A, whereas requests coming inside the VPN t...
by sindy
Wed Sep 22, 2021 7:37 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Everything you wrote seems fine to me. What you haven't written is how exactly you exported the client certificate for the Android and what the properties of the Mikrotik's certificate are. If the client certificate is not created the proper way, where the client creates a certificate signing requ...
by sindy
Wed Sep 22, 2021 7:23 pm
Forum: General
Topic: dstnat in conflict with gre over IPsec tunnel [SOLVED]
Replies: 23
Views: 1124

Re: dstnat in conflict with gre over IPsec tunnel [SOLVED]

The action=dst-nat rule must match on additional criteria in order to distinguish the traffic coming in via the WAN from the internet from the traffic coming in via the GRE tunnel. If you make the rule match on in-interface=the-wan-interface-name , it won't match on packets coming in via the GRE int...
by sindy
Wed Sep 22, 2021 7:14 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

As you wrote that it worked before, I didn't study deep the configurations (or maybe I've missed them, or maybe you have added them to the OP later). It is better to attach configuration exports directly here, either as file attachments (which may require some karma) or into the body of the post, be...
by sindy
Wed Sep 22, 2021 5:22 pm
Forum: General
Topic: Bridge "Distance" vs Static Route
Replies: 11
Views: 1199

Re: Bridge "Distance" vs Static Route

So if I read you right, assuming that the secondary device is connected to ether1 of the LtAP, you can see the packets from server1 or server2 arrive via sstp-out1 and leave via ether1, but no responses come back via ether1 from the secondary device? Or you can see the ping packet to only arriv...
by sindy
Wed Sep 22, 2021 11:45 am
Forum: General
Topic: one cable / 2VLANS
Replies: 4
Views: 309

Re: one cable / 2VLANS

Just connect the Mikrotiks using that single cable and add VLAN interfaces on the ETH interface on both devices. Simple answers only work in simple contexts. Here, only a high-level context has been given in the OP. So your answer may be spot on or it may be completely misleading. But as the OP has...
by sindy
Wed Sep 22, 2021 11:11 am
Forum: General
Topic: one cable / 2VLANS
Replies: 4
Views: 309

Re: one cable / 2VLANS

That's what VLANs are intended for. This topic explains everything about VLANs, but maybe you should read this one first.
by sindy
Tue Sep 21, 2021 10:34 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1778

Re: Need help on rb750gr3 about maximum lan connection

Your test 2 shows that the issue is between the PC and the internet - if the wireless APs had limitations on the number of NATed connections, their clients would have been affected but the test PC would not. So the service parameters and/or the modem/router are to be focused at. The APs can wait.
by sindy
Tue Sep 21, 2021 10:28 pm
Forum: General
Topic: Bridge "Distance" vs Static Route
Replies: 11
Views: 1199

Re: Bridge "Distance" vs Static Route

6.45.9, which for the LtAP is the highest it can go without the SIM card becoming inoperable That's already weird alone. I'm running 6.47.10 in an LtAP and LTE works fine, so maybe some at-chat needs to be adjusted for the special needs of your MNO? Or maybe the LTE modem itself needs to get upgrad...
by sindy
Tue Sep 21, 2021 10:17 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 1028

Re: Change macaddress to lte interface.

I read on another forum and from an example of sib that the provider does not have the macaddress to recognize the router model but only the imei. That's my understanding too, but the mobile world is in constant evolution and the MNOs come with new and new ideas how to get more money for the same s...
by sindy
Tue Sep 21, 2021 10:06 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 650

Re: Problem with building QinQ on "new bridge" with vlan-filtering

I wonder why the forum hasn't warned me about your posts following the last-but-one from me...

Regardless that woe, yes, it is simple when you have a single C-VLAN to be packed into a single S-VLAN, but it becomes more complicated if the other requirements need to be fulfilled simultaneously.
by sindy
Tue Sep 21, 2021 9:37 pm
Forum: General
Topic: How to determine the real (actual) MTU of the L2TP+IPsec tunnel?
Replies: 12
Views: 656

Re: How to determine the real (actual) MTU of the L2TP+IPsec tunnel?

Mikrotik fixed this issue for gre tunnels (Dont Fragment:inherit setting), but for l2tp tunnels this issue is still not fixed for unknown reason... The reason is that the PPP standard says nothing about respecting the Don't fragment bit, and Mikrotik chose not to go beyond the requirements of the sta...
by sindy
Tue Sep 21, 2021 9:29 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 650

Re: Problem with building QinQ on "new bridge" with vlan-filtering

If VLANs 10 and 20 are S-VLANs, like VLANs 52 and 53, the Huawei configuration above makes sense to me, because the first tag of all frames on the switch is of the same type (S-tag, 0x88a8). But maybe you use the C-VLAN and S-VLAN only to describe the roles of the tags, and expect both to have ether...
by sindy
Tue Sep 21, 2021 5:25 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 650

Re: Problem with building QinQ on "new bridge" with vlan-filtering

I would have preferred a drawing to a configuration from another vendor I just know to exist, but it seems you confirm my understanding, that C-VLANs 3110 to 3120 all come tagged to ether1. As you've said you need to also bridge some VLANs within the Mikrotik, I'll put together an example Mikrotik con...
by sindy
Tue Sep 21, 2021 5:14 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

If 1/2 of all ESP packets are marked duplicated, it's 99.9 % a measurement method error - I assume your WAN interface is a bridge, and the sniffer captures the same packet twice, once as it enters the bridge on the "bridge" interface between the router software and the bridge software, and...
by sindy
Tue Sep 21, 2021 1:33 pm
Forum: General
Topic: Problem with delivery / looking for alternative [SOLVED]
Replies: 9
Views: 679

Re: Problem with delivery / looking for alternative [SOLVED]

I fell into the same rabbit hole, no way it came to my mind you might be installing actual cAPs (2,4 GHz only, 4 W only, single FastEthernet port only) these days. Ask your distributor also about TP-link PoE switches like TL-SG2428P, here the price of this model is comparable with the CRS you've cho...
by sindy
Tue Sep 21, 2021 9:06 am
Forum: General
Topic: Problem with delivery / looking for alternative [SOLVED]
Replies: 9
Views: 679

Re: Problem with delivery / looking for alternative [SOLVED]

Or you may use the passive injectors bundled with the cAP ac for those 6 cAPs that exceed the power budget of each switch. It is definitely not nice, but you only need a forking DC cable and an 80 W power supply at 24 to 48 V. Or even an AC extension cord with 12 free outlets if there's a supply shor...
by sindy
Tue Sep 21, 2021 8:10 am
Forum: General
Topic: first L2TP UDP package received from
Replies: 1
Views: 303

Re: first L2TP UDP package received from

Debug logs & packet sniffing at both ends are the only way to find out whether it is a RouterOS bug or a network issue. The L2TP server process may not respond because something is wrong in the initial packet from the client, or because something is broken in the server code. Or the response of ...
by sindy
Mon Sep 20, 2021 11:16 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1778

Re: Need help on rb750gr3 about maximum lan connection

Does this mean that the problem is not on my network? Is it congested on the modem router or server equipment on the ISP side? The result of your test No.2 (where the traffic of the test PC did not pass through the Mikrotik but was nevertheless affected by the traffic passing through the Mikrotik) ...
by sindy
Mon Sep 20, 2021 10:17 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1778

Re: Need help on rb750gr3 about maximum lan connection

Already did that. Please see the network topology I posted above. I cannot see that on the drawing in your OP. What I've understood from your post describing the tests was that you've tried to connect the test PC directly to the ISP router/modem alone, with the WAN of the 750 disconnected connect t...
by sindy
Mon Sep 20, 2021 10:00 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 650

Re: Problem with building QinQ on "new bridge" with vlan-filtering

If it's not difficult for you, can you write your proposal as configuration commands? Sure I can, but first I have to understand what your actual goal is, as the following statement According to my logic (and the description), tag 3119 is not removed in my configuration (for some reason) in traffic...
by sindy
Mon Sep 20, 2021 9:36 pm
Forum: General
Topic: Bind Webfig and ssh to a vlan
Replies: 11
Views: 657

Re: Bind Webfig and ssh to a vlan

I did not understand that the bridge itself can be part of the vlan-tagging. The "bridge" object in RouterOS actually consists of three distinct components, as I've explained in the topic I've linked in my previous post. So here, the "bridge itself" you mention is actually the v...
by sindy
Mon Sep 20, 2021 5:38 pm
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

The way to measure with UDP and with TCP differs, with UDP it is best to limit the sending rate to the expected throughput, and you should see no lost packets if everything is OK. If you let the transmitting end send with unlimited speed, you get some lost packets even if the network path is fine...
by sindy
Mon Sep 20, 2021 5:25 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1778

Re: Need help on rb750gr3 about maximum lan connection

Why is it like that? is it because the modem router of ISP can't handle it? Please make a third test, connecting only Mikrotik's WAN to the ISP's modem/router, and connecting only your PC to Mikrotik's LAN. If the results are the same as when you connect the PC alone to the ISP's modem/router, th...
by sindy
Mon Sep 20, 2021 4:23 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

This one was quite useful for me back in 2016 when I knew almost nothing about RouterOS. Just bear in mind that certificate-based authentication is an add-on to this or, better to say, just a small change to the IPsec configuration but an additional area to study when it comes to creating the certi...
by sindy
Mon Sep 20, 2021 4:03 pm
Forum: General
Topic: IPSec Site2Site VPN vs. OpenVPN client [SOLVED]
Replies: 4
Views: 590

Re: IPSec Site2Site VPN vs. OpenVPN client [SOLVED]

As expected, both your existing IPsec policies only have src-address=192.168.40.0/24 , whereas the OpenVPN clients get their addresses from pool OVPNpool with ranges=10.1.2.100-10.1.2.110 . So you either have to add two more policies, the same as the existing ones, but with src-address=10.1.2.96/28 , ...
by sindy
Mon Sep 20, 2021 12:00 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 22045

Re: v7.1rc3 [development] is released!

May I ask while you are at it : what is "fastpath" and what's the difference between fastpath and fasttrack ? https://wiki.mikrotik.com/wiki/Manual:Fast_Path https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack If you need another wording or if the manual refers to other terms you need an e...
by sindy
Mon Sep 20, 2021 11:51 am
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

IPSEC tunnel seems to have the performance I need in both directions. (or the test with "/tool bandwidth-test <IPofIPSECtunnel> duration=10s protocol=tcp" does not prove it ?) if the <IPofIPSECtunnel> is the private one inside the tunnel, then yes, it does prove it. However, there's a dif...
by sindy
Mon Sep 20, 2021 9:09 am
Forum: General
Topic: Bind Webfig and ssh to a vlan
Replies: 11
Views: 657

Re: Bind Webfig and ssh to a vlan

The documentation explicitly prohibits attaching an /interface vlan to an underlying interface which is also a member port of a bridge. There are a few other similar cases where RouterOS accepts such an incorrect setting and it even works most of the time, but some weird effects occur in some packet...
by sindy
Mon Sep 20, 2021 8:27 am
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 22045

Re: v7.1rc3 [development] is released!

It is something special for just IPsec then and not applicable to other offloading mechanisms? Hardware accelerated bridging means that a switch chip forwards the frames directly, without the CPU even knowing about their existence. There are typically no switch chips on the hosts where CHRs are run...
by sindy
Mon Sep 20, 2021 8:14 am
Forum: General
Topic: Bind Webfig and ssh to a vlan
Replies: 11
Views: 657

Re: Bind Webfig and ssh to a vlan

vlan90 is not a member of interface list LAN , so chain input of /ip firewall filter drops incoming traffic from it on the row of /interface bridge vlan for vlan-ids=90 , bridge is not on the tagged list, so frames tagged with VID 90 are not allowed to egress through the virtual port of the virtual...
by sindy
Mon Sep 20, 2021 8:02 am
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 24
Views: 1909

Re: Slow EOIP tunnel in one direction

As you mention you use null encryption for performance reasons, what particular models are the two routers in question? The thing is that so far all mysteries like this I've come across tracked down to packet loss, in some cases only the small second fragments of the transport packets were dropped. ...
by sindy
Sun Sep 19, 2021 11:24 pm
Forum: General
Topic: access systems on LAN via VPN [SOLVED]
Replies: 3
Views: 448

Re: access systems on LAN via VPN [SOLVED]

There are at least two posts from myself, and countless ones from others, on this forum, explaining why you need to use proxy-arp or out-of-LAN subnet addresses.

IPsec has nothing to do with that, it's the L2TP, or any other PPP-based tunneling protocol.
by sindy
Sun Sep 19, 2021 9:34 pm
Forum: General
Topic: High memory usage
Replies: 8
Views: 2033

Re: High memory usage

How long does it take the memory to get full? How many devices at LAN side? Connection tracking can consume a lot of memory, but it normally releases it as the connection ends, so if it takes more than a day for the memory to get exhausted, it should not be the reason. If it's less than a day, broke...
by sindy
Sun Sep 19, 2021 9:27 pm
Forum: Beginner Basics
Topic: CCR2004-1G-12S+2XS slow NAT performance [Fixed]
Replies: 33
Views: 2533

Re: CCR2004-1G-12S+2XS slow NAT performance

Oh, I've noticed only now you're using the bandwidth test on the Mikrotik itself. The manual explicitly states that you cannot use a bandwidth test running on a given machine to test the routing capacity of that same machine, as the bandwidth test itself consumes a lot of CPU resources. So if you ru...
by sindy
Sun Sep 19, 2021 8:46 pm
Forum: General
Topic: Inconsistent static DHCP with SFP+/DAC
Replies: 4
Views: 621

Re: Inconsistent static DHCP with SFP+/DAC

The ultimate resource is always the relevant standard, which is the RFC in DHCP case. But the client id value is generated by the client, and it need not necessarily be based on the client's MAC address.
by sindy
Sun Sep 19, 2021 8:16 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 1028

Re: Change macaddress to lte interface.

If the first byte ends with anything else than 0,4,8, or c, it is a "locally administered address", which is the same in all Mikrotiks if their own R11e-LTE or R11-LTE6 modem is used; if it doesn't, try macvendors.com . It is enough to enter the first three bytes into their form.
by sindy
Sun Sep 19, 2021 8:13 pm
Forum: General
Topic: Routing rule not working
Replies: 12
Views: 650

Re: Routing rule not working

Since multiple people have reported complete loss of configuration with 7.1rc3, I'd say don't bother trying, use mangle, and try /routing/rule again in 7.1rc4 once it appears.
by sindy
Sun Sep 19, 2021 8:09 pm
Forum: Beginner Basics
Topic: CCR2004-1G-12S+2XS slow NAT performance [Fixed]
Replies: 33
Views: 2533

Re: CCR2004-1G-12S+2XS slow NAT performance

I cannot spot anything wrong in the configuration, what is the output of /ip/firewall/connection/print where srcnat ? I'm not interested in the addresses, just in the flags, there should be s everywhere for src-nat and F for fasttracking.
by sindy
Sun Sep 19, 2021 7:55 pm
Forum: General
Topic: Routing rule not working
Replies: 12
Views: 650

Re: Routing rule not working

I have attached the complete configuration in this post. The following piece of configuration, /routing table add fib name=via-personal-vpn add fib name=lte-failover add fib name=primary-wan, also seems fine to me. So if it works if you use mangle rules to assign the routing-mark, I'm afraid ther...
by sindy
Sun Sep 19, 2021 7:26 pm
Forum: General
Topic: Routing rule not working
Replies: 12
Views: 650

Re: Routing rule not working

Not sure why you post pictures? It's not pictures, it's proper text-mode prints of the actual routes. Export only shows you the static configuration, which is sometimes insufficient, especially in cases like this one where everything seems right configuration-wise. With RouterOS 7.x, you cannot re...
by sindy
Sun Sep 19, 2021 7:12 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 1028

Re: Change macaddress to lte interface.

If so, it should actually be simpler, as you'd just modify the existing setup slightly.

The reason why I'm asking what MAC address is being shown currently at the LTE interface is that I suspect it is the router's own one, not one of the LTE modem.
by sindy
Sun Sep 19, 2021 6:30 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 1028

Re: Change macaddress to lte interface.

the mac address to clone starts with 90:FD:73... I wasn't asking what MAC address you wanted to set, I was asking what MAC address the Mikrotik was showing for the Quectel modem. so using passthrough all routerboard settings are excluded and it works as only lte extension for another router? Not al...
by sindy
Sun Sep 19, 2021 6:19 pm
Forum: General
Topic: CRS312-4C+8XG L2 VLAN slow performance [Fixed]
Replies: 8
Views: 477

Re: CRS312-4C+8XG L2 VLAN slow performance [Fixed]

The bandwidth test running on the switch itself indeed does load the CPU, plus it doesn't test bridging/switching throughput of the HW offloaded forwarding as the CPU is involved in the transfers. So that way you measure the CPU performance, not the switch chip performance.
by sindy
Sun Sep 19, 2021 6:15 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1778

Re: Need help on rb750gr3 about maximum lan connection

As the ISP gives you a 400 Mbit/s connection as you wrote in the OP, the modem/router they gave you should be capable of sustaining that speed. The hEX is in a different position as you ask it not only to forward the traffic but also to do the bandwidth enforcement. Also, you throttle the bandwidth to ...
by sindy
Sun Sep 19, 2021 5:14 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 1028

Re: Change macaddress to lte interface.

What are the first three bytes of the current MAC address of the LTE interface? And how exactly do you set the MAC address of an LTE interface on the mobile?
by sindy
Sun Sep 19, 2021 4:02 pm
Forum: General
Topic: CRS312-4C+8XG L2 VLAN slow performance [Fixed]
Replies: 8
Views: 477

Re: CRS312-4C+8XG L2 VLAN slow performance, misconfiguration?

The configuration seems correct except ether9 being a member port of a non-existent bridge, and /interface bridge port print shows the hardware offloading to be active. So either there is a bug in this indication, and you have to set fast-leave and frame-types on the /interface bridge port rows to t...
by sindy
Sun Sep 19, 2021 3:47 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

The safer the authentication method you use, the less you have to care about the address of the remote peer. With properly generated certificates (CSR generated at the device that will use the certificate to authenticate itself to others, signing the CSR by a CA, and importing the signed certificate to ...
by sindy
Sun Sep 19, 2021 3:28 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

Set them exactly as you would if both had a static public IP, using the site to site example from the manual, but set passive=yes address=0.0.0.0/0 in the peer properties at the one with static IP. And set exchange-mode to ike2 rather than main at both. That's all.
by sindy
Sun Sep 19, 2021 3:23 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1778

Re: Need help on rb750gr3 about maximum lan connection

I would recommend going step by step. First, remove the queues completely and re-enable the fasttracking rule in firewall, see the behaviour and CPU load. Next, disable the fasttracking rule, wait for some time (an hour or so) to let the fasttracked connections spontaneously die out, see the behavio...
by sindy
Sun Sep 19, 2021 2:57 pm
Forum: General
Topic: Access clients that are (each) on same subnet as the other.
Replies: 2
Views: 330

Re: Access clients that are (each) on same subnet as the other.

If you don't need to access other devices in 192.168.100.x but the Mikrotiks themselves, the fact that their local WAN subnets are the same doesn't matter. You assign an address to each L2TP client from the server, so you just have to make sure that this address doesn't fall into the local WAN subne...
by sindy
Sun Sep 19, 2021 2:53 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 19
Views: 1028

Re: Change macaddress to lte interface.

If we really talk about MAC address change, not an IMEI change, it might be possible to use the LTE in passthrough mode and change the MAC address on the Ethernet interface of the external router connected to the LTE one.
by sindy
Sun Sep 19, 2021 2:47 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 20
Views: 1361

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

Mikrotik tries hard to keep the price tag acceptable for sensitive markets and squeeze the maximum out of the hardware components chosen, which leads to this confusion, where some models support L2 offloading only if VLAN filtering is disabled, other models support it even with VLAN filtering enabled, and...
by sindy
Sun Sep 19, 2021 2:35 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1450

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

If you've got a static public IP at at least one peer, just make that one a responder only (passive=yes) and that's it. You only need to use dynamic DNS if none of the peers has a static public IP. And if none of them has a public IP, not even a dynamic one, it's yet another challenge which may or...
by sindy
Sun Sep 19, 2021 2:28 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 20
Views: 1361

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

@mozerd, HW offload of bridging and HW offload of routing are two independent features. What you quote doesn't mention the latter one.
by sindy
Sun Sep 19, 2021 2:25 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 1019

Re: Is my hAPac^2 dead?

I had an issue with the previous laptop where exiting netinstall on the laptop and running it again while the router was still in netinstall mode was the only way to make the router show up in the list in the netinstall, but this case was different - the router did show up, but if I pressed install ...
by sindy
Sun Sep 19, 2021 1:58 pm
Forum: General
Topic: access systems on LAN via VPN [SOLVED]
Replies: 3
Views: 448

Re: access systems on LAN via VPN [SOLVED]

Either use an /ip pool for the VPN clients that doesn't fit into the LAN subnet (a preferred solution), or set arp=proxy-arp at the bridge interface. Only do that if the Windows clients use the VPN tunnel only to access the devices in Mikrotik's LAN, not as a default gateway.
by sindy
Sun Sep 19, 2021 1:34 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 9
Views: 650

Re: Problem with building QinQ on "new bridge" with vlan-filtering

The pvid must differ from 3119 on the /interface bridge port row linking ether1 to br_justnet, and ether1 must be on the tagged list on that single row of /interface bridge vlan, otherwise you strip the tag with VID 3119 on egress through ether1. And you don't need to enable tag stacking at the b...
by sindy
Sun Sep 19, 2021 1:00 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 1019

Re: Is my hAPac^2 dead?

That makes it easier indeed... It didn't in my case 😡 I could always see the router to tftp the netinstall binary from the PC and then to keep sending the license code again and again, but somehow the request from the PC to erase the flash got misinterpreted, because the only thing it caused was th...
by sindy
Sun Sep 19, 2021 12:53 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 20
Views: 1361

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

Fast track is a combination of fast path and connection tracking, and as such is only relevant for routed traffic. If I were in this situation (given my home uplink parameters, I'm unfortunately not - no point in buying anything nearly as powerful as RB5009), I would use a step-by-step approach - fi...
by sindy
Sun Sep 19, 2021 11:20 am
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 36
Views: 1948

Re: Client isolation within VLAN and fast roaming

However wouldn't this still allow clients to flood the network with broadcast and other traffic and potentially L2 malware? Ideally such traffic should be filtered at each AP. How about this rule instead or even in addition to the one you suggested: chain=output out-interface=ether1 mac-protocol=vl...
by sindy
Sat Sep 18, 2021 8:03 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 20
Views: 1361

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

Out of all @anav's suggestions, the most interesting point is "what do you expect from the use-ip-firewall-for-vlan=yes?"
by sindy
Sat Sep 18, 2021 7:16 pm
Forum: General
Topic: VPN setup for Windows 10 [SOLVED]
Replies: 2
Views: 453

Re: VPN setup for Windows 10 [SOLVED]

/system logging add topics=ipsec,!packet will make the log much more verbose, and you'll be able to see what is the contents of the Phase 1 proposal coming from Windows.

If I remember well, Windows doesn't support sha256, at least unless you do some PowerShell magic.
by sindy
Sat Sep 18, 2021 5:29 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 1019

Re: Is my hAPac^2 dead?

Netinstall downloads its own loader to RAM, so unless you've upgraded the bootloader from a running 7.x, you should still be able to netinstall unless there is a hardware problem. Yesterday it took me more than 10 attempts before I could finally netinstall a hAP lite using netinstall 6.47.10 on Windo...
by sindy
Sat Sep 18, 2021 2:45 pm
Forum: General
Topic: IPSEC-related configuration of /ip firewall filter input chain
Replies: 3
Views: 392

Re: IPSEC-related configuration of /ip firewall filter input chain

@msatter, the rules in filter in chain input that the OP has found it necessary to add deal with the transport packets of the tunnel, whereas your suggested action=notrack rules in raw deal with the payload of the tunnel. And the OP's concern is not CPU load but the fact that he has to add firewall rul...
by sindy
Sat Sep 18, 2021 2:34 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1778

Re: Need help on rb750gr3 about maximum lan connection

I'm afraid that following video tutorials focusing on a single aspect is not the best way for a beginner, even if they are made by knowledgeable authors, which too often is not the case. So I'd suggest that you describe the target configuration in layman's terms so that we could offer you tailored c...
by sindy
Sat Sep 18, 2021 12:40 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1778

Re: Need help on rb750gr3 about maximum lan connection

Click the [Terminal] button in Winbox or WebFig, a command line window will open. In that command line window, type export hide-sensitive file=some-name. Then download some-name.rsc, and if some public IPs exist in the file, obfuscate them before posting the file here (see my automatic signature b...
by sindy
Sat Sep 18, 2021 12:04 pm
Forum: General
Topic: Scheduler stops executing script
Replies: 22
Views: 1446

Re: Scheduler stops executing script

When you change a particular value of the start time (i.e. xx:xx:xx, not "startup"), the scheduler calculates the subsequent actual startup times from the new value and the "interval" value. So you can set a start time deep in the past, and repeated runs will continue even after r...
by sindy
Sat Sep 18, 2021 11:54 am
Forum: General
Topic: IPSec Site2Site VPN vs. OpenVPN client [SOLVED]
Replies: 4
Views: 590

Re: IPSec Site2Site VPN vs. OpenVPN client [SOLVED]

You haven't posted the configuration of the routers (see my automatic signature below), so I can just guess that your IPsec policies do not match on the IP prefix from which you assign addresses to the OpenVPN clients.
by sindy
Fri Sep 17, 2021 11:06 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 36
Views: 1948

Re: Client isolation within VLAN and fast roaming

First, try pinging 192.168.88.252 from the CAPsMAN one with arp-ping=yes interface=bridge - it should respond, indicating that there's a firewall issue. If it responds, try /tool mac-telnet 2C:C8:1B:63:7C:15 (the login and password are asked by the CAPsMAN one, so the fact that you get asked doesn't...
by sindy
Fri Sep 17, 2021 10:26 pm
Forum: General
Topic: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)
Replies: 2
Views: 430

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

You can create a certificate signing request on Mikrotik, get it signed by the Windows CA, and import the signed certificate to the Mikrotik, i.e. the proper way certificates should be handled, where the private key never leaves the device that has generated it. The way with client certificates ...