Search found 7703 matches

by sindy
Mon Sep 20, 2021 12:00 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 18780

Re: v7.1rc3 [development] is released!

May I ask while you are at it: what is "fastpath" and what's the difference between fastpath and fasttrack? https://wiki.mikrotik.com/wiki/Manual:Fast_Path https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack If you need another wording or if the manual refers to other terms you need an e...
by sindy
Mon Sep 20, 2021 11:51 am
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 3
Views: 102

Re: Slow EOIP tunnel in one direction

IPSEC tunnel seems to have the performance I need in both directions. (or the test with "/tool bandwidth-test <IPofIPSECtunnel> duration=10s protocol=tcp" does not prove it?) if the <IPofIPSECtunnel> is the private one inside the tunnel, then yes, it does prove it. However, there's a dif...
by sindy
Mon Sep 20, 2021 9:09 am
Forum: General
Topic: Bind Webfig and ssh to a vlan
Replies: 6
Views: 126

Re: Bind Webfig and ssh to a vlan

The documentation explicitly prohibits attaching an /interface vlan to an underlying interface which is also a member port of a bridge. There are a few other similar cases where RouterOS accepts such an incorrect setting and it even works most of the time, but some weird effects occur in some packet...
by sindy
Mon Sep 20, 2021 8:27 am
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 18780

Re: v7.1rc3 [development] is released!

It is something special for just IPsec then and not applicable to other offloading mechanisms? Hardware accelerated bridging means that a switch chip forwards the frames directly, without the CPU even knowing about their existence. There are typically no switch chips on the hosts where CHRs are run...
by sindy
Mon Sep 20, 2021 8:14 am
Forum: General
Topic: Bind Webfig and ssh to a vlan
Replies: 6
Views: 126

Re: Bind Webfig and ssh to a vlan

vlan90 is not a member of interface list LAN, so chain input of /ip firewall filter drops incoming traffic from it on the row of /interface bridge vlan for vlan-ids=90, bridge is not on the tagged list, so frames tagged with VID 90 are not allowed to egress through the virtual port of the virtual...
by sindy
Mon Sep 20, 2021 8:02 am
Forum: General
Topic: Slow EOIP tunnel in one direction
Replies: 3
Views: 102

Re: Slow EOIP tunnel in one direction

As you mention you use null encryption for performance reasons, what particular models are the two routers in question? The thing is that so far all mysteries like this I've come across tracked down to packet loss, in some cases only the small second fragments of the transport packets were dropped. ...
by sindy
Sun Sep 19, 2021 11:24 pm
Forum: General
Topic: access systems on LAN via VPN [SOLVED]
Replies: 3
Views: 132

Re: access systems on LAN via VPN [SOLVED]

There are at least two posts from myself, and countless ones from others, on this forum, explaining why you need to use proxy-arp or out-of-LAN subnet addresses.

IPsec has nothing to do with that, it's the L2TP, or any other PPP-based tunneling protocol.
by sindy
Sun Sep 19, 2021 9:34 pm
Forum: General
Topic: High memory usage
Replies: 7
Views: 1492

Re: High memory usage

How long does it take the memory to get full? How many devices at LAN side? Connection tracking can consume a lot of memory, but it normally releases it as the connection ends, so if it takes more than a day for the memory to get exhausted, it should not be the reason. If it's less than a day, broke...
by sindy
Sun Sep 19, 2021 9:27 pm
Forum: Beginner Basics
Topic: CCR2004-1G-12S+2XS slow NAT performance
Replies: 28
Views: 1541

Re: CCR2004-1G-12S+2XS slow NAT performance

Oh, I've noticed only now you're using the bandwidth test on the Mikrotik itself. The manual explicitly states that you cannot use a bandwidth test running on a given machine to test the routing capacity of that same machine, as the bandwidth test itself consumes a lot of CPU resources. So if you ru...
by sindy
Sun Sep 19, 2021 8:46 pm
Forum: General
Topic: Inconsistent static DHCP with SFP+/DAC
Replies: 3
Views: 166

Re: Inconsistent static DHCP with SFP+/DAC

The ultimate resource is always the relevant standard, which is the RFC in the DHCP case. But the client id value is generated by the client, and it need not necessarily be based on the client's MAC address.
by sindy
Sun Sep 19, 2021 8:16 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 10
Views: 245

Re: Change macaddress to lte interface.

If the first byte ends with anything other than 0, 4, 8, or c, it is a "locally administered address", which is the same in all Mikrotiks if their own R11e-LTE or R11-LTE6 modem is used; if it doesn't, try macvendors.com. It is enough to enter the first three bytes into their form.
by sindy
Sun Sep 19, 2021 8:13 pm
Forum: General
Topic: Routing rule not working
Replies: 11
Views: 260

Re: Routing rule not working

Since multiple people have reported complete loss of configuration with 7.1rc3, I'd say don't bother trying, use mangle, and try /routing/rule again in 7.1rc4 once it appears.
by sindy
Sun Sep 19, 2021 8:09 pm
Forum: Beginner Basics
Topic: CCR2004-1G-12S+2XS slow NAT performance
Replies: 28
Views: 1541

Re: CCR2004-1G-12S+2XS slow NAT performance

I cannot spot anything wrong in the configuration, what is the output of /ip/firewall/connection/print where srcnat? I'm not interested in the addresses, just in the flags, there should be s everywhere for src-nat and F for fasttracking.
by sindy
Sun Sep 19, 2021 7:55 pm
Forum: General
Topic: Routing rule not working
Replies: 11
Views: 260

Re: Routing rule not working

I have attached the complete configuration in this post. The following piece of configuration, /routing table add fib name=via-personal-vpn add fib name=lte-failover add fib name=primary-wan, also seems fine to me. So if it works if you use mangle rules to assign the routing-mark, I'm afraid ther...
by sindy
Sun Sep 19, 2021 7:26 pm
Forum: General
Topic: Routing rule not working
Replies: 11
Views: 260

Re: Routing rule not working

Not sure why you post pictures? It's not pictures, it's proper text-mode prints of the actual routes. Export only shows you the static configuration, which is sometimes insufficient, especially in cases like this one where everything seems right configuration-wise. With RouterOS 7.x, you cannot re...
by sindy
Sun Sep 19, 2021 7:12 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 10
Views: 245

Re: Change macaddress to lte interface.

If so, it should actually be simpler, as you'd just modify the existing setup slightly.

The reason why I'm asking what MAC address is being shown currently at the LTE interface is that I suspect it is the router's own one, not one of the LTE modem.
by sindy
Sun Sep 19, 2021 6:30 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 10
Views: 245

Re: Change macaddress to lte interface.

the MAC address to clone starts with 90:FD:73... I wasn't asking what MAC address you wanted to set, I was asking what MAC address the Mikrotik was showing for the Quectel modem. so using passthrough all routerboard settings are excluded and it works as only lte extension for another router? Not al...
by sindy
Sun Sep 19, 2021 6:19 pm
Forum: General
Topic: CRS312-4C+8XG L2 VLAN slow performance [Fixed]
Replies: 8
Views: 200

Re: CRS312-4C+8XG L2 VLAN slow performance [Fixed]

The bandwidth test running on the switch itself indeed does load the CPU, plus it doesn't test bridging/switching throughput of the HW offloaded forwarding as the CPU is involved in the transfers. So that way you measure the CPU performance, not the switch chip performance.
by sindy
Sun Sep 19, 2021 6:15 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 24
Views: 715

Re: Need help on rb750gr3 about maximum lan connection

As the ISP gives you a 400 Mbit/s connection as you wrote in the OP, the modem/router they gave you should be capable of sustaining that speed. The hEX is in a different position as you ask it not only to forward the traffic but also to do the bandwidth enforcement. Also, you throttle the bandwidth to ...
by sindy
Sun Sep 19, 2021 5:14 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 10
Views: 245

Re: Change macaddress to lte interface.

What are the first three bytes of the current MAC address of the LTE interface? And how exactly do you set the MAC address of an LTE interface on the mobile?
by sindy
Sun Sep 19, 2021 4:02 pm
Forum: General
Topic: CRS312-4C+8XG L2 VLAN slow performance [Fixed]
Replies: 8
Views: 200

Re: CRS312-4C+8XG L2 VLAN slow performance, misconfiguration?

The configuration seems correct except ether9 being a member port of a non-existent bridge, and /interface bridge port print shows the hardware offloading to be active. So either there is a bug in this indication, and you have to set fast-leave and frame-types on the /interface bridge port rows to t...
by sindy
Sun Sep 19, 2021 3:47 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP
Replies: 9
Views: 220

Re: Router to router (site to site) IKEV2 with Dynamic IP

The safer the authentication method you use, the less you have to care about the address of the remote peer. With properly generated certificates (CSR generated at the device that will use the certificate to authenticate itself to others, signing the CSR by a CA, and importing the signed certificate to ...
by sindy
Sun Sep 19, 2021 3:28 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP
Replies: 9
Views: 220

Re: Router to router (site to site) IKEV2 with Dynamic IP

Set them exactly as you would if both had a static public IP, using the site to site example from the manual, but set passive=yes address=0.0.0.0/0 in the peer properties at the one with static IP. And set exchange-mode to ike2 rather than main at both. That's all.
by sindy
Sun Sep 19, 2021 3:23 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 24
Views: 715

Re: Need help on rb750gr3 about maximum lan connection

I would recommend going step by step. First, remove the queues completely and re-enable the fasttracking rule in firewall, see the behaviour and CPU load. Next, disable the fasttracking rule, wait for some time (an hour or so) to let the fasttracked connections spontaneously die out, see the behavio...
by sindy
Sun Sep 19, 2021 2:57 pm
Forum: General
Topic: Access clients that are (each) on same subnet as the other.
Replies: 2
Views: 103

Re: Access clients that are (each) on same subnet as the other.

If you don't need to access other devices in 192.168.100.x but the Mikrotiks themselves, the fact that their local WAN subnets are the same doesn't matter. You assign an address to each L2TP client from the server, so you just have to make sure that this address doesn't fall into the local WAN subne...
by sindy
Sun Sep 19, 2021 2:53 pm
Forum: General
Topic: Change macaddress to lte interface.
Replies: 10
Views: 245

Re: Change macaddress to lte interface.

If we really talk about MAC address change, not an IMEI change, it might be possible to use the LTE in passthrough mode and change the MAC address on the Ethernet interface of the external router connected to the LTE one.
by sindy
Sun Sep 19, 2021 2:47 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 539

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

Mikrotik tries hard to keep the price tag acceptable for sensitive markets and squeeze maximum from the hardware components chosen. Which leads to this confusion, where some models support L2 offloading only if VLAN filtering is disabled, other models support it even with VLAN filtering enabled, and...
by sindy
Sun Sep 19, 2021 2:35 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP
Replies: 9
Views: 220

Re: Router to router (site to site) IKEV2 with Dynamic IP

If you've got a static public IP at at least one peer, just make that one a responder only (passive=yes) and that's it. You only need to use dynamic DNS if none of the peers has a static public IP. And if none of them has a public IP, not even a dynamic one, it's yet another challenge which may or...
by sindy
Sun Sep 19, 2021 2:28 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 539

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

@mozerd, HW offload of bridging and HW offload of routing are two independent features. What you quote doesn't mention the latter one.
by sindy
Sun Sep 19, 2021 2:25 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 607

Re: Is my hAPac^2 dead?

I had an issue with the previous laptop where exiting netinstall on the laptop and running it again while the router was still in netinstall mode was the only way to make the router show up in the list in the netinstall, but this case was different - the router did show up, but if I pressed install ...
by sindy
Sun Sep 19, 2021 1:58 pm
Forum: General
Topic: access systems on LAN via VPN [SOLVED]
Replies: 3
Views: 132

Re: access systems on LAN via VPN [SOLVED]

Either use an /ip pool for the VPN clients that doesn't fit into the LAN subnet (a preferred solution), or set arp=proxy-arp at the bridge interface. Only do that if the Windows clients use the VPN tunnel only to access the devices in Mikrotik's LAN, not as a default gateway.
by sindy
Sun Sep 19, 2021 1:34 pm
Forum: General
Topic: Problem with building QinQ on "new bridge" with vlan-filtering
Replies: 1
Views: 84

Re: Problem with building QinQ on "new bridge" with vlan-filtering

The pvid must differ from 3119 on the /interface bridge port row linking ether1 to br_justnet, and ether1 must be on the tagged list on that single row of /interface bridge vlan, otherwise you strip the tag with VID 3119 on egress through ether1. And you don't need to enable tag stacking at the b...
by sindy
Sun Sep 19, 2021 1:00 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 607

Re: Is my hAPac^2 dead?

That makes it easier indeed... It didn't in my case 😡 I could always see the router to tftp the netinstall binary from the PC and then to keep sending the license code again and again, but somehow the request from the PC to erase the flash got misinterpreted, because the only thing it caused was th...
by sindy
Sun Sep 19, 2021 12:53 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 539

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

Fast track is a combination of fast path and connection tracking, and as such is only relevant for routed traffic. If I were in this situation (given my home uplink parameters, I'm unfortunately not - no point in buying anything nearly as powerful as RB5009), I would use a step-by-step approach - fi...
by sindy
Sun Sep 19, 2021 11:20 am
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1290

Re: Client isolation within VLAN and fast roaming

However wouldn't this still allow clients to flood the network with broadcast and other traffic and potentially L2 malware? Ideally such traffic should be filtered at each AP. How about this rule instead or even in addition to the one you suggested: chain=output out-interface=ether1 mac-protocol=vl...
by sindy
Sat Sep 18, 2021 8:03 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 539

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

Out of all @anav's suggestions, the most interesting point is "what do you expect from the use-ip-firewall-for-vlan=yes?"
by sindy
Sat Sep 18, 2021 7:16 pm
Forum: General
Topic: VPN setup for Windows 10 [SOLVED]
Replies: 2
Views: 175

Re: VPN setup for Windows 10 [SOLVED]

/system logging add topics=ipsec,!packet will make the log much more verbose, and you'll be able to see what is the contents of the Phase 1 proposal coming from Windows.

If I remember well, Windows doesn't support sha256, at least unless you do some PowerShell magic.
by sindy
Sat Sep 18, 2021 5:29 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 607

Re: Is my hAPac^2 dead?

Netinstall downloads its own loader to RAM, so unless you've upgraded the bootloader from a running 7.x, you should still be able to netinstall unless there is a hardware problem. Yesterday it took me more than 10 attempts before I could finally netinstall a hAP lite using netinstall 6.47.10 on Windo...
by sindy
Sat Sep 18, 2021 2:45 pm
Forum: General
Topic: IPSEC-related configuration of /ip firewall filter input chain
Replies: 3
Views: 163

Re: IPSEC-related configuration of /ip firewall filter input chain

@msatter, the rules in filter in chain input the OP has found necessary to be added deal with the transport packets of the tunnel, whereas your suggested action=notrack rules in raw deal with the payload of the tunnel. And the OP's concern is not CPU load but the fact that he has to add firewall rul...
by sindy
Sat Sep 18, 2021 2:34 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 24
Views: 715

Re: Need help on rb750gr3 about maximum lan connection

I'm afraid that following video tutorials focusing on a single aspect is not the best way for a beginner, even if they are made by knowledgeable authors, which too often is not the case. So I'd suggest that you describe the target configuration in layman's terms so that we could offer you tailored c...
by sindy
Sat Sep 18, 2021 12:40 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 24
Views: 715

Re: Need help on rb750gr3 about maximum lan connection

Click the [Terminal] button in Winbox or WebFig, a command line window will open. In that command line window, type export hide-sensitive file=some-name. Then download some-name.rsc, and if some public IPs exist in the file, obfuscate them before posting the file here (see my automatic signature b...
by sindy
Sat Sep 18, 2021 12:04 pm
Forum: General
Topic: Scheduler stops executing script
Replies: 22
Views: 1006

Re: Scheduler stops executing script

When you change a particular value of the start time (i.e. xx:xx:xx, not "startup"), the scheduler calculates the subsequent actual startup times from the new value and the "interval" value. So you can set a start time deep in the past, and repeated runs will continue even after r...
by sindy
Sat Sep 18, 2021 11:54 am
Forum: General
Topic: IPSec Site2Site VPN vs. OpenVPN client
Replies: 1
Views: 142

Re: IPSec Site2Site VPN vs. OpenVPN client

You haven't posted the configuration of the routers (see my automatic signature below), so I can just guess that your IPsec policies do not match on the IP prefix from which you assign addresses to the OpenVPN clients.
by sindy
Fri Sep 17, 2021 11:06 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1290

Re: Client isolation within VLAN and fast roaming

First, try pinging 192.168.88.252 from the CAPsMAN one with arp-ping=yes interface=bridge - it should respond, indicating that there's a firewall issue. If it responds, try /tool mac-telnet 2C:C8:1B:63:7C:15 (the login and password are asked by the CAPsMAN one, so the fact that you get asked doesn't...
by sindy
Fri Sep 17, 2021 10:26 pm
Forum: General
Topic: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)
Replies: 2
Views: 148

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

You can create a certificate signing request on Mikrotik, get it signed by the Windows CA, and import the signed certificate to the Mikrotik, i.e. the proper way how certificates should be handled, where the private key never leaves the device that has generated it. The way with client certificates ...
by sindy
Fri Sep 17, 2021 10:16 pm
Forum: General
Topic: IPSEC-related configuration of /ip firewall filter input chain
Replies: 3
Views: 163

Re: IPSEC-related configuration of /ip firewall filter input chain

First, you are right, the rules you've identified are necessary to make your particular setup work. Second, this is a user forum, so not the right place for feature requests, at least not outside the dedicated "feature request" topic. The official channel to submit feature requests is via ...
by sindy
Thu Sep 16, 2021 11:18 pm
Forum: General
Topic: Route ALL NTP traffic over a specific WAN [SOLVED]
Replies: 30
Views: 806

Re: Route ALL NTP traffic over a specific WAN [SOLVED]

@Sindy, do we get a packet flow blessing or are you going to pretzel another suggestion??? The OP has asked for "all NTP traffic", not "all traffic to a particular IP address". If you want traffic to a particular destination address to be sent via a particular WAN, you don't nee...
by sindy
Thu Sep 16, 2021 11:13 pm
Forum: General
Topic: Is there an error on the Manual:Interface/L2TP wiki page?
Replies: 2
Views: 192

Re: Is there an error on the Manual:Interface/L2TP wiki page?

You're right, the password item on the /interface l2tp-client row at the client router must match the password item on the /ppp secret row at the server router, whereas the secret items must match in the IPsec configurations. But worse than that, the Wiki page you refer to uses the old structure of ...
by sindy
Thu Sep 16, 2021 11:01 pm
Forum: General
Topic: Redundant or at least failover IPSec VPN Tunnels [SOLVED]
Replies: 6
Views: 338

Re: Redundant or at least failover IPSec VPN Tunnels [SOLVED]

Is it possible you could elaborate on the GRE failure issues you alluded to previously?

viewtopic.php?p=847677#p847677
by sindy
Thu Sep 16, 2021 10:20 pm
Forum: General
Topic: Route ALL NTP traffic over a specific WAN [SOLVED]
Replies: 30
Views: 806

Re: Route ALL NTP traffic over a specific WAN [SOLVED]

The answer is here. In brief, packets sent and received by the router itself are processed by other firewall chains than packets the router just forwards. What is not immediately clear from that diagram is that when the router itself sends a packet, first of all a route to the destination is found ...
by sindy
Thu Sep 16, 2021 4:16 pm
Forum: General
Topic: Redundant or at least failover IPSec VPN Tunnels [SOLVED]
Replies: 6
Views: 338

Re: Redundant or at least failover IPSec VPN Tunnels [SOLVED]

BTW, any config tips to get started :)? The first config tip is to prefer IPIP over GRE. Mikrotik cannot use the extra bytes of GRE's overhead to create multiple tunnels between the same pair of IP addresses, plus there is some additional headache with GRE handling in firewall (unless they've recen...
by sindy
Thu Sep 16, 2021 9:49 am
Forum: General
Topic: IPSec issues.
Replies: 4
Views: 272

Re: IPSec issues.

I'm no expert here but I do not see your IPSec Policy configuration in your CLI data. @fsebera, for some reason, the export doesn't show all IPsec-related configuration in a single contiguous block. So there is /ip ipsec peer, then unrelated stuff, and then comes /ip ipsec identity and /ip ipsec p...
by sindy
Thu Sep 16, 2021 9:46 am
Forum: General
Topic: IPSec issues.
Replies: 4
Views: 272

Re: IPSec issues.

Before addressing the topic issue: your firewall rules do not protect your routers from anything . If the routers are directly connected to internet, they may well be part of a botnet now. The reason is that the default handling in Mikrotik's firewall is "accept", so packets that do not ma...
by sindy
Thu Sep 16, 2021 9:08 am
Forum: General
Topic: VPN with static routes on client side(without default gateway)
Replies: 4
Views: 259

Re: VPN with static routes on client side(without default gateway)

To state that more explicitly than @fsebera - currently, RouterOS doesn't support "route push" for any other VPN protocol but IPsec. And it must be bare IPsec - route push doesn't work if you use IPsec to protect any "usual" tunnel like IPIP or GRE. For the embedded VPN client on...
by sindy
Thu Sep 16, 2021 9:03 am
Forum: General
Topic: Redundant or at least failover IPSec VPN Tunnels [SOLVED]
Replies: 6
Views: 338

Re: Redundant or at least failover IPSec VPN Tunnels [SOLVED]

For any (local address[:port], remote address[:port], IP protocol) tuple, only a single SA may be used at a time. So Mikrotik has implemented a possibility to link a single policy to two peers, allowing a failover scheme where a single "branch office" router has two "headquarters"...
by sindy
Wed Sep 15, 2021 10:19 am
Forum: General
Topic: Need help with VPN setup
Replies: 6
Views: 334

Re: Need help with VPN setup

What you show does indeed indicate phase 1 success. And yes, 6.36.whatever is very old and a device running that version must not be exposed to internet - if it was connected to internet without tight enough firewall rules, netinstall it again (not just upgrade) to a current long-term version (6.47....
by sindy
Wed Sep 15, 2021 12:15 am
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1290

Re: Client isolation within VLAN and fast roaming

I connected the second cAP (via ether1) to the managed switch while keeping the reset button pressed for 10 seconds (5 seconds after the LED started blinking) ... Finally, I looked up the second cAP's IP in the leases tab of the first cAP's DHCP Server section to which I then tried to connect from t...
by sindy
Tue Sep 14, 2021 11:21 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1290

Re: Client isolation within VLAN and fast roaming

My new problem is: How can I gain access to a cAP ac in CAPs mode. The CAPsMAN device did assign it an IP (192.168.88.235). I tried to access it via SSH, Telnet and WebFig via Ethernet 1 to no avail. How did you get the cAP ac into the CAP mode? Because what you describe normally doesn't happen, ap...
by sindy
Mon Sep 13, 2021 10:48 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1290

Re: Client isolation within VLAN and fast roaming

there does not seem to be a function to configure the bridge in CAPsMAN.
Correct, there is unfortunately none, CAPsMAN only takes care about the wireless interfaces. So you have to add the bridge filter rules device by device.
by sindy
Mon Sep 13, 2021 9:43 am
Forum: General
Topic: Is it possible to NAT/PAT this traffic?
Replies: 10
Views: 563

Re: Is it possible to NAT/PAT this traffic?

The connection tracking also provides an attribute called connection-nat-state, so instead of assigning a dedicated connection-mark value using an extra rule in mangle, you can let the filter rule match on connection-nat-state=dstnat. It seems to be less selective than the connection-mark approac...
by sindy
Sun Sep 12, 2021 10:56 pm
Forum: General
Topic: L2TP - I think the response is going out through the wrong interface
Replies: 2
Views: 254

Re: L2TP - I think the response is going out through the wrong interface

1) post the export of the configuration from one of the affected routers, it sure looks as if a route was either missing or one too many. As @BartoszP suggests, this may be a consequence of an upgrade. See my automatic signature right below for a mini-howto on the export. 2) do you use the EoIP tunn...
by sindy
Sun Sep 12, 2021 11:38 am
Forum: General
Topic: Mangle + NAT + Policy Routing
Replies: 11
Views: 4310

Re: Mangle + NAT + Policy Routing

As far as I know /ppp profile has priority over /interface xxx-server, is that correct? more precisely, the profile value from /ppp secret overrides the default-profile value from /interface xxx-server server. So yes, if you specify a profile on each /ppp secret row, no need to change the "las...
by sindy
Sun Sep 12, 2021 10:52 am
Forum: General
Topic: Prioritize VoIP traffic, which speed to enter [SOLVED]
Replies: 1
Views: 323

Re: Prioritize VoIP traffic, which speed to enter [SOLVED]

Priority means priority. A highest priority packet will always overtake those waiting in any other queue, provided it fits into the limit of its own queue. So if you mark the VoIP packets to the highest priority queue and set unreasonably high limit-at and max-limit values for that queue, and set ve...
by sindy
Sun Sep 12, 2021 10:24 am
Forum: General
Topic: Mangle + NAT + Policy Routing
Replies: 11
Views: 4310

Re: Mangle + NAT + Policy Routing

OK, so you need to src-nat the payload traffic (sent inside the tunnel). But your action=mark-connection rule matches on protocol=tcp src-port=1198, which seems to refer to the transport packets of the OpenVPN (those forming up the tunnel). As the IP firewall has no knowledge about the relationship...
by sindy
Sat Sep 11, 2021 4:03 pm
Forum: General
Topic: Mangle + NAT + Policy Routing
Replies: 11
Views: 4310

Re: Mangle + NAT + Policy Routing

i need that for OpenVPN, cant make it work @nichky, in your case, is the Mikrotik with these rules the OpenVPN client or server? Or none of the two and it just forwards someone else's OpenVPN connections? In any case, assigning a connection-mark alone has no effect on routing, you have to translate...
by sindy
Sat Sep 11, 2021 3:57 pm
Forum: General
Topic: Mangle + NAT + Policy Routing
Replies: 11
Views: 4310

Re:

But I'd like to know, why connection marking do not work :( What actually doesn't work, or rather works too well, is the rule translating the connection-mark to routing-mark. You've only got a single (default) route in the routing table dip-kav, and your action=mark-routing rule doesn't care abou...
by sindy
Sat Sep 11, 2021 3:46 pm
Forum: General
Topic: ?? How to renew SIP registration / connection from PBX after WAN failover ??
Replies: 5
Views: 407

Re: ?? How to renew SIP registration / connection from PBX after WAN failover ??

So, any hints on a script that can toggle (10secs downtime / flap) that ethernet port the PBX is connected to, when a WAN failover occurs? Or is there a smarter solution? There is no standardized way to tell an ordinary SIP UA "please re-register now", so your one (disable the Ethernet po...
by sindy
Sat Sep 11, 2021 8:29 am
Forum: General
Topic: Solve ISP VPN L2TP throttle (CCR to CCR)
Replies: 28
Views: 1476

Re: Solve ISP VPN L2TP throttle (CCR to CCR)

Message sent, you can edit/remove the post.
by sindy
Fri Sep 10, 2021 10:18 pm
Forum: General
Topic: Forward all traffic on local device to vpn connection
Replies: 6
Views: 427

Re: Forward all traffic on local device to vpn connection

Looking at the masquerade rule counters, I'd say the setup works, but the VPN provider checks TTL of packets and drops them if the TTL is too low, which indicates that the L2TP client is a router, not a computer. Open a commandline window using the [Terminal] button, make it as wide as your screen a...
by sindy
Fri Sep 10, 2021 9:47 pm
Forum: General
Topic: Forward all traffic on local device to vpn connection
Replies: 6
Views: 427

Re: Forward all traffic on local device to vpn connection

/ip firewall nat add chain=srcnat out-interface=l2tp-out1 action=masquerade /ip route add gateway=l2tp-out1 routing-mark=via-l2tp /ip route rule add src-address=192.168.1.95 action=lookup-only-in-table table=via-l2tp Depending on your current configuration, you may need to place the firewall rule a...
by sindy
Fri Sep 10, 2021 9:23 pm
Forum: General
Topic: Is it possible to NAT/PAT this traffic?
Replies: 10
Views: 563

Re: Is it possible to NAT/PAT this traffic?

So I need to change the destination port that the client is trying to connect to AND also change the source address as it leaves the Mikrotik router so that the database server will see a connection attempt from 10.1.1.2:(random source port) I can't see anything complex in this task if we talk abou...
by sindy
Fri Sep 10, 2021 9:03 pm
Forum: General
Topic: Mikrotik 5g modem + antenna recommendations
Replies: 2
Views: 349

Re: Mikrotik 5g modem + antenna recommendations

The LHGG LTE6 looks great to me CPU-wise. It may not perform as great as you expect in your particular deployment, depending what actually means "remote areas" and "the country" in your case. The following is nothing Mikrotik specific, it's pure physics - in general, lower freque...
by sindy
Fri Sep 10, 2021 8:38 pm
Forum: General
Topic: Drop all rule blocking PPTP
Replies: 5
Views: 384

Re: Drop all rule blocking PPTP

Then put in a block all else drop rule at the end of each chain. In fact, one common "drop the rest" rule in the root chain is sufficient - although the action name "jump" suggests otherwise, when a packet reaches the end of a custom chain without matching any of that chain's ru...
by sindy
Fri Sep 10, 2021 8:33 pm
Forum: General
Topic: Drop all rule blocking PPTP
Replies: 5
Views: 384

Re: Drop all rule blocking PPTP

If there was a "driving license for routing", successful completion of the "how firewalls work" test should be mandatory to get the "setting up VPNs" permission category. The "drop everything else" name you've used says it all. There simply isn't any rule befo...
by sindy
Fri Sep 10, 2021 7:58 pm
Forum: General
Topic: BTest blocked - any alternative
Replies: 5
Views: 464

Re: BTest blocked - any alternative

RouterOS normally does not permit dst-nat of outgoing sessions (nor src-nat of incoming sessions), but there is an ugly trick allowing both. It will cost some CPU cycles, but I assume your router model is powerful enough that the bottleneck for the btest would be the LTE throughput. choose any two o...
by sindy
Fri Sep 10, 2021 7:09 pm
Forum: General
Topic: Multiple encrypted ends in a IPSEC Tunnel not reachable at same time
Replies: 2
Views: 352

Re: Multiple encrypted ends in a IPSEC Tunnel not reachable at same time

A quick shot - change the level parameter of both policies to unique and try again.
by sindy
Fri Sep 10, 2021 3:54 pm
Forum: General
Topic: Solve ISP VPN L2TP throttle (CCR to CCR)
Replies: 28
Views: 1476

Re: Solve ISP VPN L2TP throttle (CCR to CCR)

NP, just substitute the @ by something else (like !!!) to make the bots' life harder.
by sindy
Fri Sep 10, 2021 3:49 pm
Forum: General
Topic: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]
Replies: 10
Views: 602

Re: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]

please, no biggie here. its just me being new into this box. In up-to-date RouterOS, an Ethernet port can be "enslaved" to a bridge or to a bonding interface. To remove it from a bridge , which is the case for ether2..ether5 in default configuration, remove or disable the corresponding ro...
by sindy
Fri Sep 10, 2021 3:32 pm
Forum: General
Topic: Ipsec not traffic passing
Replies: 33
Views: 2257

Re: Ipsec not traffic passing

When sending a packet, the router first finds a route based on the destination address, and only then chooses the local IP address based on the route. So on R1: since there is no dedicated route to 10.59.100.0/24, the packet gets the router's address attached to the interface through which the gatew...
by sindy
Thu Sep 09, 2021 10:48 pm
Forum: General
Topic: Ipsec not traffic passing
Replies: 33
Views: 2257

Re: Ipsec not traffic passing

In the output of /ip ipsec active-peers print , the PH2-TOTAL column indicates the number of active policies towards the remote peer; since it is empty, it means the SA could not be negotiated successfully. The fact that there is no A in the status column of the /ip ipsec policy print confirms that....
by sindy
Thu Sep 09, 2021 9:57 pm
Forum: General
Topic: Point-to-Point IPSec IKEv2 VPN with discontiguous Nets [SOLVED]
Replies: 2
Views: 368

Re: Point-to-Point IPSec IKEv2 VPN with discontiguous Nets [SOLVED]

You can associate multiple (at least tens of) policies to the same peer (or a pair of peers since 6.47.something).
by sindy
Thu Sep 09, 2021 9:43 pm
Forum: General
Topic: IPSec Policy brokes packet flow.
Replies: 1
Views: 233

Re: IPSec Policy brokes packet flow.

What you describe is an intentional behaviour, which is required by the IPsec RFC. In short, a packet matching a traffic selector of any existing policy with action=encrypt must not be sent, nor received, in any other way than via the security association linked to that policy, for security reasons....
by sindy
Thu Sep 09, 2021 8:20 pm
Forum: General
Topic: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]
Replies: 10
Views: 602

Re: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]

"slave" ports used to be a way to configure "hardware accelerated bridging" (actually, switching by the switch chip) before RouterOS 6.41, which rolled out five years ago. There, you configured one ethernet interface as "master", and in default configuration, "mast...
by sindy
Thu Sep 09, 2021 4:29 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1290

Re: Client isolation within VLAN and fast roaming

Oops, sorry... I forgot the virtual interfaces created on the CAPsMAN are nevertheless individual ones. But they are still connected to a single bridge so the horizon functionality may be used to isolate them.
by sindy
Thu Sep 09, 2021 11:12 am
Forum: General
Topic: Ipsec not traffic passing
Replies: 33
Views: 2257

Re: Ipsec not traffic passing

I can do nothing but repeat again - post the current configurations, not a reference to a manual. A single typo can break everything, so no point in reading the manual, all we need are the current actual configurations.
by sindy
Thu Sep 09, 2021 8:20 am
Forum: General
Topic: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]
Replies: 10
Views: 602

Re: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]

According to the configuration export you've posted in your other topic, ether3 to ether5 are not members (slaves) of any bridge or bond. So what are you talking about? The routes in red? Connected routes via interfaces that are currently down because nothing is connected to them are made inactive (...
by sindy
Wed Sep 08, 2021 10:28 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1290

Re: Client isolation within VLAN and fast roaming

The first option seems to bottleneck all traffic through one of the cAPs, right? It depends on what you mean by bottleneck. The CAPsMAN need not run on one of the APs, it can as well run on a wireless-less router, and there must be some device in the whole network that acts as a router and firewall...
by sindy
Wed Sep 08, 2021 3:03 pm
Forum: General
Topic: Not able to reach my PBX public address
Replies: 5
Views: 351

Re: Not able to reach my PBX public address

It seems to me more like a topic for a Grandstream forum. As you have a WAN bridge on the Mikrotik, you'd have to have /interface bridge filter or /interface bridge nat rules in place to interfere with the bridging, or you would have to have use-ip-firewall.* set to yes under /interface bridge setti...
by sindy
Wed Sep 08, 2021 2:54 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1290

Re: Client isolation within VLAN and fast roaming

In "CAPsMAN forwarding" mode, client isolation works among clients of all physical cAPs (if activated of course) because the virtual wireless interface runs at the CAPsMAN machine. In "local forwarding" mode, you would need bridge filter rules on each of the cAPs, allowing only f...
by sindy
Wed Sep 08, 2021 10:01 am
Forum: General
Topic: MikroTik RB4011iGS+RM
Replies: 3
Views: 444

Re: MikroTik RB4011iGS+RM

If so, how do you measure the throughput? The packet that comes from the internet towards the public IP address reachable via the GRE tunnel occupies the download bandwidth of the WAN uplink, and then it occupies the upload bandwidth of the same WAN uplink as it is being sent encapsulated into GRE t...
by sindy
Wed Sep 08, 2021 9:31 am
Forum: General
Topic: Can Someone Explain this!!!!
Replies: 20
Views: 1283

Re: Can Someone Explain this!!!!

Since you talk about "customers", chances are high that you've got some bandwidth shaping rules (using queues) in place. If so, it's what @bpwl suggests - that client has attracted (willingly or unwillingly) a traffic volume his contract doesn't allow. So that traffic arrives via the uplin...
by sindy
Wed Sep 08, 2021 9:00 am
Forum: General
Topic: ipsec multiple users [SOLVED]
Replies: 2
Views: 369

Re: ipsec multiple users [SOLVED]

You need a dedicated identity for that user, referring to their individual certificate as remote-certificate , with match-by set to certificate and mode-config set to a mode-config row dedicated for that user, which in turn refers to a dedicated pool (or an individual IP address). Because, as you've...
by sindy
Tue Sep 07, 2021 11:45 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

Yes i know that the mangle rules did not work because of fast-track being enabled That's not exactly true. The mangle rules adjusting TCP MSS actually do work even when the fasttracking rule is enabled, because these particular rules handle just the first two packets of each TCP session, the SYN an...
by sindy
Tue Sep 07, 2021 9:27 pm
Forum: General
Topic: port forwarding problem
Replies: 4
Views: 410

Re: port forwarding problem

Sorry, the statement saying that the same configuration of client routerboard worked with another ISP is confusing. Since your drawing mentions the two CCRs, I assume you are the ISP technician; did you work for another ISP before, or how do you know the same client routerboard worked with another I...
by sindy
Tue Sep 07, 2021 8:56 pm
Forum: General
Topic: Something must be really wrong on my configuration. Needs real help here! [SOLVED]
Replies: 23
Views: 1146

Re: Something must be really wrong on my configuration. Needs real help here! [SOLVED]

A clear mistake I can see is that you've set /ip address ... add address=10.0.2.0/24 comment="PPPoE pool4" interface=ether5 network=10.0.2.0 (own address of an interface must never be the same as the network address). Whether this causes also ether3 and ether4 subnets to become unreac...
by sindy
Tue Sep 07, 2021 8:37 pm
Forum: General
Topic: STP active on OSI level 1?
Replies: 7
Views: 532

Re: STP active on OSI level 1?

Sorry, I've completely missed that the APs were Ubiquiti ones (on the drawing, only the one to the left from the CRS is explicitly marked as an Ubiquiti one). So when STP is enabled on the CSS but disabled on the Ubiquiti devices, the 15-second interruptions exist? If so, could it be that the Ubiqui...
by sindy
Tue Sep 07, 2021 4:50 pm
Forum: General
Topic: STP active on OSI level 1?
Replies: 7
Views: 532

Re: STP active on OSI level 1?

My understanding was that STP operates at OSI level 2 - the loop, if one would exist, would be on level 1. Is my understanding incorrect? STP is an L2 protocol, but it can block forwarding of traffic through a port, which effectively looks like blocking of L1. And STP also reacts to L1 state change...
by sindy
Tue Sep 07, 2021 4:11 pm
Forum: General
Topic: Multiple winbox logins
Replies: 7
Views: 666

Re: Multiple winbox logins

Do you happen to have command line windows (Terminal) open in the winbox sessions in question?
by sindy
Mon Sep 06, 2021 10:27 pm
Forum: General
Topic: Filter Content in Firewall with DOT (.) in string [SOLVED]
Replies: 19
Views: 1054

Re: Filter Content in Firewall with DOT (.) in string [SOLVED]

No. You have to use a byte whose value is the length of the subsequent part of the domain name, example:

\08somename\03com

I don't remember the encoding of byte values exactly, I just remember it differs between regexp (used in layer7 rules) and contents. Check the manual.
by sindy
Mon Sep 06, 2021 10:21 pm
Forum: General
Topic: LTE Bridge Vlan help.
Replies: 7
Views: 346

Re: LTE Bridge Vlan help.

Again, what is the default route on the LtAP?

Using DHCP is just one possible way to make it work.
by sindy
Mon Sep 06, 2021 9:55 pm
Forum: General
Topic: MikroTik RB4011iGS+RM
Replies: 7
Views: 460

Re: MikroTik RB4011iGS+RM

Yep, those 1436 would be MSS, not MTU. Many people keep mixing up the two as the most suggested workaround for issues with path MTU discovery is MSS adjustment. Also, the description in the OP suggests that maybe a packet for the public IP arrives via WAN, gets encapsulated into GRE and leaves via t...
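The two posts above (the one on MSS versus MTU, and the earlier one on why MSS-adjusting mangle rules keep working with fasttrack enabled) share one mechanism: the MSS option lives only in the SYN and SYN-ACK of a TCP session, so a clamp touches just those two packets. The following Python is an added illustration of that, not code from sindy's posts or from RouterOS: it derives the MSS from a tunnel MTU (1500 minus 24 bytes of GRE-over-IPv4 overhead gives the 1476/1436 pair mentioned above), rewrites the MSS option in a constructed SYN, and leaves non-SYN segments untouched. The `build_syn` helper and its port numbers are constructed for the example; a real router also recomputes the TCP checksum, which is omitted here.

```python
"""MSS clamping on a TCP segment (added example, not RouterOS code)."""
import struct
from typing import Optional, Tuple

IPV4_HDR = 20   # IPv4 header without options
TCP_HDR = 20    # TCP header without options
SYN = 0x02


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 packet of the given MTU.
    A GRE-over-IPv4 tunnel on a 1500-byte link has MTU 1476 -> MSS 1436."""
    return mtu - IPV4_HDR - TCP_HDR


def build_syn(mss: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed sample SYN: 20-byte header + options MSS, NOP, NOP,
    SACK-permitted (8 bytes), i.e. data offset 7 words."""
    header = struct.pack("!HHIIBBHHH",
                         sport, dport, 1000, 0,
                         7 << 4,          # data offset = 7 * 4 = 28 bytes
                         SYN, 65535, 0, 0)
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + bytes([4, 2])
    return header + options


def clamp_mss(segment: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Return (segment, original MSS). Only SYN segments carry the MSS
    option, so any other segment is returned unchanged with MSS None;
    this is exactly why a clamp coexists with fasttracked data packets."""
    if len(segment) < TCP_HDR:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    if not segment[13] & SYN:
        return segment, None
    buf = bytearray(segment)
    i = TCP_HDR
    while i < data_offset:
        kind = buf[i]
        if kind == 0:                 # End of option list
            break
        if kind == 1:                 # NOP padding
            i += 1
            continue
        length = buf[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:  # Maximum Segment Size
            mss = struct.unpack_from("!H", buf, i + 2)[0]
            if mss > max_mss:
                struct.pack_into("!H", buf, i + 2, max_mss)
            return bytes(buf), mss
        i += length
    return segment, None
```

A SYN advertising 1460 passes through with 1436 written in its place; a pure ACK with the same option bytes is handed back as-is, which is the whole of what an MSS-adjust mangle rule has to do per session.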
by sindy
Mon Sep 06, 2021 8:54 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

It depends. If you are in mainland France, you may be able to choose an ISP for your home that has a better connection to OVH's network. If you are overseas, so there is a satellite link somewhere in the path, it's very likely that all ISPs will have the same issue.
by sindy
Mon Sep 06, 2021 7:53 pm
Forum: General
Topic: Having issues routing all traffic over GRE tunnel.
Replies: 1
Views: 314

Re: Having issues routing all traffic over GRE tunnel.

I'm slightly lost in your description, so let me rephrase it to check whether I've understood it properly. The client's Mikrotik has 12.34.56.78/26 on its "physical" WAN. It also has 1.2.3.1/25 on the GRE tunnel, effectively acting as another WAN. All you want is that requests coming from ...
by sindy
Mon Sep 06, 2021 7:36 pm
Forum: General
Topic: MikroTik RB4011iGS+RM
Replies: 3
Views: 444

Re: MikroTik RB4011iGS+RM

From your description, it seems as if you delegate one of the 8 public IPs to a remote device using the GRE tunnel, so when a packet for that IP address arrives to the 4011's WAN, it gets encapsulated into GRE and sent via the same WAN to the remote device, is that the case?
by sindy
Mon Sep 06, 2021 7:23 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

Those pictures show that most of the delay is between your ISP and the VPN provider's network. The first one shows that the responses from the last private IP in the ISP's network arrive in 15 ms on average, whereas the responses from the first responding OVH server arrive in 116 ms on average. The ...
by sindy
Mon Sep 06, 2021 5:39 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

I've done that but didn't understand the results that much The results show you (or not) IP addresses of the routers between your home and the destination, and the total round-trip delay (i.e. including the previous hops) to each of them. Can you paste the result here, hiding the actual addresses o...
by sindy
Mon Sep 06, 2021 5:15 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

My CPU load is almost always at 0% :D Can I disable those two /ip firewall mangle rules? You can try to disable them and see whether it affects the performance or not. Given that the overall performance is not stable, you may have to do several tests in each state to make a reliable conclusion. Als...
by sindy
Mon Sep 06, 2021 4:06 pm
Forum: General
Topic: EOIP DDNS & CGNAT
Replies: 2
Views: 270

Re: EOIP DDNS & CGNAT

If the IPs at both sites are dynamic, you'll always have some short-term interruption whenever one of the addresses changes. If you don't mind, and you don't mind using some DDNS system to publish the current public IP address of Site A, you can manually configure IPsec with a responder at Site A an...
by sindy
Mon Sep 06, 2021 4:00 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

@jaxed8 , What about Wireguard? I think it's available on RouterOS v7 Yes, Wireguard is available in ROS 7, and it is pretty fast as such on a 4011. However, TCP and ~120 ms round trip delay may mean lower throughput even if encryption and decryption alone works very fast. The only VPN protocol to ...
by sindy
Sun Sep 05, 2021 10:50 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

Grrr... I forgot the obvious... disable the action=fasttrack-connection rule in /ip firewall filter and try again.
by sindy
Sun Sep 05, 2021 10:10 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

OK, so try just the mangle rules.
by sindy
Sun Sep 05, 2021 9:33 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

Is there a way to completely cover the VPN so ISP never understand I'm using one? Definitely not with PPTP, whose encryption is so weak that it actually hides nothing; IPsec or something-over-IPsec is also obvious, so you'd have to use an SSTP VPN which looks like a normal HTTPS session, except tha...
by sindy
Sun Sep 05, 2021 8:25 pm
Forum: General
Topic: STATIC ROUTING WITH PBR FOR MULTI WAN
Replies: 11
Views: 628

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Nothing in the configuration explains why the mere presence of the routes with routing-mark should affect forwarding between 172.13.0.0/16 and 172.14.0.0/16.

Did it work before the upgrade to 6.48.4?
by sindy
Sun Sep 05, 2021 7:51 pm
Forum: General
Topic: STATIC ROUTING WITH PBR FOR MULTI WAN
Replies: 11
Views: 628

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

as soon as I activate the route with mark routes entry the static routing stops working. Please let me know which config to be changed. In the configuration you've posted, the two routes with routing-mark are not disabled. Is what you posted the exact configuration state when "far end cannot reach ...
by sindy
Sun Sep 05, 2021 7:38 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

No it's just VPN client on windows. the PC is always connect to the rb4011. If so, the MAC address of the 4011 plays no role in the VPN throughput, because the VPN provider can never see a MAC address, whereas the ISP can always see the MAC address of the 4011's WAN, no matter where the VPN client ...
by sindy
Sun Sep 05, 2021 7:17 pm
Forum: General
Topic: STATIC ROUTING WITH PBR FOR MULTI WAN
Replies: 11
Views: 628

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

It's not "static routing versus PBR". It's rather "static routing with PBR". In the configuration you've posted, traffic forwarded by the router never gets any connection-mark , hence it never gets any routing-mark , so it should keep using routing table main . Only the own traff...
by sindy
Sun Sep 05, 2021 5:39 pm
Forum: General
Topic: Farm Network Help
Replies: 2
Views: 343

Re: Farm Network Help

Given that PoE-out versions of Omnitiks exist, I'd recommend not to use a separate switch (with its own share of power consumption) but the Omnitik itself to power the Dynadish. If I get it right, the battery power is available at the bottom of the mast, so I'd use one passive injector there to feed...
by sindy
Sun Sep 05, 2021 3:44 pm
Forum: General
Topic: STATIC ROUTING WITH PBR FOR MULTI WAN
Replies: 11
Views: 628

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

While it is better to open your own topic than to piggyback a very loosely related existing one, it needs more than just copy-paste. The intro "I am facing the same issue" looks weird in an OP. What I can see is that you only assign a connection-mark value in chain input , whereas you tran...
by sindy
Sun Sep 05, 2021 2:51 pm
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

@nichky, if we change the TTL on the LTI we would be able to get more bandwidth, why is that? Can't find any logical explanation the logic behind is that mobile operators want to discourage subscribers from using LTE to connect whole networks, assuming that networks generate more traffic than individ...
by sindy
Sun Sep 05, 2021 12:44 pm
Forum: General
Topic: LTE Bridge Vlan help.
Replies: 7
Views: 346

Re: LTE Bridge Vlan help.

Have you configured a default route on the LtAP via the address of the main router in the subnet attached to the ether1 interface on the LtAP?
by sindy
Sun Sep 05, 2021 9:08 am
Forum: General
Topic: VPN speed issue (How to change the router MAC address) [SOLVED]
Replies: 51
Views: 2206

Re: VPN speed issue (How to change the router MAC address) [SOLVED]

When you say "VPN on the PC" vs. "VPN on the router", does that really mean only where you run the VPN client, or do you also connect the PC directly to the ISP's modem (excluding the 4011 from the path)?
by sindy
Sat Sep 04, 2021 1:03 pm
Forum: General
Topic: One wan for Internet and another for vpn [SOLVED]
Replies: 13
Views: 4318

Re: One wan for Internet and another for vpn [SOLVED]

In RouterOS, there are three possible ways to assign a routing-mark value (which almost always means the same as a routing table name): using VRF (so the routing-mark is assigned to the packet due to the fact that the packet has entered via an interface that is a member of that VRF) using /ip route ...
by sindy
Fri Sep 03, 2021 4:57 pm
Forum: General
Topic: Filter Content in Firewall with DOT (.) in string [SOLVED]
Replies: 19
Views: 1054

Re: Filter Content in Firewall with DOT (.) in string [SOLVED]

It doesn't work because the dot symbol is not actually present in the DNS query - the FQDNs are encoded in a rather complicated way, see the RFC for DNS for details. There are multiple topics regarding this here on the forum, e.g, this post gives you a hint.
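The post above and sindy's earlier reply in the same topic (the one with the \08somename\03com hint) both come down to the DNS wire format: a query carries each label of the name prefixed by its length byte, never the dots. The Python below is an added illustration, not code from the forum or from RouterOS. It encodes and decodes names as RFC 1035 describes, builds a constructed minimal query packet, and shows that a byte-string match for "somename.com" misses while the length-prefixed form hits. Keeping the terminating zero byte in the pattern is a deliberate choice explained in the code. How those bytes are escaped in a RouterOS content= or layer7 matcher is not covered here; check the manual for that, as the post says.

```python
"""DNS wire-format names vs. plain-text matching (added example)."""
import struct
from typing import Tuple


def encode_dns_name(fqdn: str) -> bytes:
    """'somename.com' -> b'\\x08somename\\x03com\\x00' (RFC 1035 3.1)."""
    out = bytearray()
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # zero-length root label terminates the name
    return bytes(out)


def decode_dns_name(buf: bytes, offset: int = 0) -> Tuple[str, int]:
    """Decode an uncompressed name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not handled here")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_dns_query(fqdn: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal recursive A query for fqdn."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD, QDCOUNT=1
    return header + encode_dns_name(fqdn) + struct.pack("!HH", qtype, 1)


def name_pattern(fqdn: str) -> bytes:
    """Bytes to search for. The trailing root byte is kept on purpose:
    'www.somename.com' still ends with these exact bytes and matches,
    while 'somename.com.evil.org' (root byte elsewhere) does not."""
    return encode_dns_name(fqdn)


def query_contains(packet: bytes, fqdn: str) -> bool:
    """True if the packet carries fqdn or a sub-domain of it."""
    return name_pattern(fqdn) in packet
```

Running it on the constructed query for www.somename.com, the plain bytes b"somename.com" are absent from the packet, the encoded pattern is present, and a look-alike name that merely starts with the same labels is rejected.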
by sindy
Thu Sep 02, 2021 8:14 pm
Forum: General
Topic: Bridge "Distance" vs Static Route
Replies: 5
Views: 587

Re: Bridge "Distance" vs Static Route

If the settings of the routers are "exactly the same", it should exclude a firewall issue. So the next possibility is that the IP address assigned by the SSTP to the client fits into the subnet used at the affected router's LAN?
by sindy
Wed Sep 01, 2021 6:51 pm
Forum: General
Topic: cAP and wAP default config after reset [SOLVED]
Replies: 3
Views: 350

Re: cAP and wAP default config after reset [SOLVED]

Not really empty, but almost - try to use the reset button to let them start in cAP mode (cAP as controlled AP, not as model name), where all Ethernet ports are bridged together, wireless interfaces are disabled, and there is a DHCP client attached to the bridge.
by sindy
Wed Sep 01, 2021 12:49 pm
Forum: General
Topic: Trouble Passing static IP's from ISP through RB1100 to 3rd party router
Replies: 5
Views: 509

Re: Trouble Passing static IP's from ISP through RB1100 to 3rd party router

Assuming that your original "block of 5 addresses" is o.o.o.0, your 1100's own address on the ISP-facing interface is o.o.o.6, and the new "block of 5 addresses" (actually, 8 addresses if you don't waste them inefficiently) is n.n.n.0/29: ISP's hypothetical Mikrotik: /ip address ...
by sindy
Wed Sep 01, 2021 11:01 am
Forum: General
Topic: LTE quota management & signal
Replies: 7
Views: 836

Re: LTE quota management & signal

but it is a USB 4G stick, so there is nothing in /interface LTE Anyway that i could see the signal of the 4G, please? It's actually not "but". Various USB modems emulate various peripherals, let's call them "serial modem" and "ethernet interface", although there are ac...
by sindy
Tue Aug 31, 2021 11:20 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16623

Re: v7.1rc2 [development] is released!

IPv6 support for L2TPv3 tunnels is finally here! great job! thanks a lot! @doneware, have you successfully completed the configuration of the tunnel? If so, could you please share the working server-side and client-side configuration? I keep getting l2tp,debug tunnel 2 has reached maximum session c...
by sindy
Tue Aug 31, 2021 11:05 pm
Forum: General
Topic: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT
Replies: 5
Views: 424

Re: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

My imagination is probably not sufficient to understand how the preference of a particular port on the WAN IP for connections initiated by a particular internal IP can help serve more private IPs per the same public one. Let's say I have assigned 10 ports on the public IP to be used for outgoing src...
by sindy
Tue Aug 31, 2021 6:33 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 22
Views: 1257

Re: Tiktok Live Problems

Sindy, did you write me to my mail, is correct? Just for confirm.
Yes, I did, you can remove it from the post.
by sindy
Tue Aug 31, 2021 5:04 pm
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 832

Re: Routing via GRE to VLAN networks [SOLVED]

I guess it's a behavior of x86 implementation.. maybe? Possibly... I was actually asking about the release (like e.g. 6.47.10), not so much about CPU architecture, but yes, it's true that a few things behave different depending on the CPU architecture, I just didn't expect something this essential ...
by sindy
Tue Aug 31, 2021 4:41 pm
Forum: General
Topic: Port Forwarding Question
Replies: 14
Views: 710

Re: Port Forwarding Question

no the cloud address provided by the mik itself or rather the mik version of DynDNS But that's not what most people understand under the name "cloud access". The Tik registers its public IP into the DynDNS, and you then access this address directly (or via dst-nat if the xxx.sn.mynetname....
by sindy
Tue Aug 31, 2021 4:21 pm
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 832

Re: Routing via GRE to VLAN networks [SOLVED]

Interesting... what if you set the pref-src of the route via the GRE interface to 192.168.62.1, of course still with no IP address attached to the GRE interface? What are the RouterOS releases on both machines, given that they behave differently under apparently same conditions?
by sindy
Tue Aug 31, 2021 4:15 pm
Forum: General
Topic: route all traffic from a VM to another which runs a VPN
Replies: 1
Views: 244

Re: route all traffic from a VM to another which runs a VPN

The Windows VM running the VPN client must provide "internet connection sharing" in order that you could use it as an entry point to the VPN tunnel for some other device, and you don't need a Mikrotik to facilitate such connection to the Linux VM - you simply create a virtual network with ...
by sindy
Tue Aug 31, 2021 4:04 pm
Forum: General
Topic: Access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP) [SOLVED]
Replies: 3
Views: 380

Re: Access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP) [SOLVED]

So you actually did use connection-mark already before posting? Because without assigning a connection-mark to incoming connections based on in-interface , you cannot assign the correct routing-mark to the response packets of these connections. As you've mentioned a wrong in-interface now, it seems ...
by sindy
Tue Aug 31, 2021 3:57 pm
Forum: General
Topic: Port Forwarding Question
Replies: 14
Views: 710

Re: Port Forwarding Question

It's not jumping back and forward, look at the MAC addresses. The packet comes in via ether10 with the source MAC address of the LHG and destination MAC address of the 3011; the 3011 routes it to the destination and sends it via ether1 with its own MAC address as source. But nothing ever comes back ...
by sindy
Tue Aug 31, 2021 3:45 pm
Forum: General
Topic: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT
Replies: 5
Views: 424

Re: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

Let me apologize straight away that I'm unable to answer your "how to do exactly this" question, but in what regard should re-using the same "public SrcPort" for different connections from the same Internal IP "allow a lot better use of public IP" - or, in particular, w...
by sindy
Tue Aug 31, 2021 3:29 pm
Forum: General
Topic: Access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP) [SOLVED]
Replies: 3
Views: 380

Re: Access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP) [SOLVED]

Look at this post. Read its last paragraph first to get the relationship to your case.
by sindy
Tue Aug 31, 2021 3:19 pm
Forum: General
Topic: Port Forwarding Question
Replies: 14
Views: 710

Re: Port Forwarding Question

Recommended practice of the forum, if you post large pieces of configuration inline, put them between [ code] and [ /code] tags, try to edit your previous post to see the difference. To the subject, there are two action=dst-nat rules with log=yes , so I assume your log snippet in the OP comes from h...
by sindy
Tue Aug 31, 2021 2:57 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16623

Re: v7.1rc2 [development] is released!

@Cha0s, you've misspelled advertisements as advertisments everywhere... copy-paste can be a dangerous weapon.
by sindy
Tue Aug 31, 2021 2:18 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16623

Re: v7.1rc2 [development] is released!

Is this topic not posted among Announcements intentionally or by mistake?
by sindy
Tue Aug 31, 2021 1:56 pm
Forum: General
Topic: NAT to one of my VLANs [SOLVED]
Replies: 5
Views: 486

Re: NAT to one of my VLANs [SOLVED]

Just to add a point, whilst UDP, ICMP and others are not stateful protocols as such, connection tracking can still treat them as if they were thanks to the fact that they use port numbers (UDP) and an ID (ICMP echo and ICMP echo response). The rest is timeout - ICMP packets with a given (ID, IP addr...
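To make the point above concrete, here is an added Python illustration (not RouterOS code, and not from sindy's post) of how a tracker gives UDP and ICMP echo a pseudo-state: UDP flows are keyed on the (address, port) pairs, echo request/reply on the (address, echo id) pairs, a packet in the reverse direction turns the entry into "established", an echo reply nobody asked for is "invalid", and idle entries die by timeout. The packet dicts, addresses and the 30 s / 10 s timeouts are constructed for the example and are not RouterOS defaults.

```python
"""Pseudo-stateful tracking of UDP and ICMP echo (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[str, tuple, tuple]


@dataclass
class Entry:
    last_seen: float
    replied: bool = False  # set once a packet in the reverse direction is seen


class PseudoTracker:
    """States mirror a firewall's connection-state matcher:
    new, established, invalid (reply with no entry), untracked."""

    def __init__(self, udp_timeout: float = 30.0, icmp_timeout: float = 10.0):
        self.timeouts = {"udp": udp_timeout, "icmp": icmp_timeout}
        self.table: Dict[Key, Entry] = {}

    @staticmethod
    def key(pkt: dict) -> Optional[Key]:
        """Endpoint pairs in the packet's own direction.
        UDP: (addr, port); ICMP echo (types 8 and 0): (addr, echo id)."""
        if pkt["proto"] == "udp":
            return ("udp", (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"]))
        if pkt["proto"] == "icmp" and pkt["type"] in (8, 0):
            return ("icmp", (pkt["src"], pkt["id"]), (pkt["dst"], pkt["id"]))
        return None

    def expire(self, now: float) -> None:
        """Drop entries idle for longer than their protocol's timeout."""
        stale = [k for k, e in self.table.items()
                 if now - e.last_seen > self.timeouts[k[0]]]
        for k in stale:
            del self.table[k]

    def observe(self, pkt: dict, now: float) -> str:
        self.expire(now)
        k = self.key(pkt)
        if k is None:
            return "untracked"
        proto, a, b = k
        reverse = (proto, b, a)
        if reverse in self.table:            # reply to a tracked original
            e = self.table[reverse]
            e.last_seen, e.replied = now, True
            return "established"
        if k in self.table:                  # more traffic in the original direction
            e = self.table[k]
            e.last_seen = now
            return "established" if e.replied else "new"
        if proto == "icmp" and pkt["type"] == 0:
            return "invalid"                 # echo reply nobody asked for
        self.table[k] = Entry(last_seen=now)
        return "new"
```

With a rule set of "accept established, drop invalid, drop new from WAN", the tracker above lets the real DNS answer and the real echo reply through, while a spoofed answer from a different server and a stray echo reply arriving after the entry has timed out are both dropped.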
by sindy
Tue Aug 31, 2021 1:24 pm
Forum: General
Topic: Pinging via secondary default route? [SOLVED]
Replies: 2
Views: 360

Re: Pinging via secondary default route? [SOLVED]

You cannot ping using the secondary default route itself. But you can create another route to the destination used for the path transparency check, using the same gateway the secondary default route uses, or you can create another default route using the same gateway, but in a dedicated routing tabl...
by sindy
Tue Aug 31, 2021 12:30 pm
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 832

Re: Routing via GRE to VLAN networks [SOLVED]

I would be careful with "defaulting to use ether1's address". For packets sent by the router itself, the route to the destination is found first, and only then the source address is chosen, using the properties of that route. If no pref-src parameter of the route is specified, RouterOS cho...
by sindy
Tue Aug 31, 2021 11:25 am
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 832

Re: Routing via GRE to VLAN networks [SOLVED]

That did the trick! Just adding an address to the GRE tunnel on each side solved it! That sounds like some NAT issue. Do the sniffing as suggested above and see where the IP address assigned to the GRE interface is used instead of the one specified in the src-address parameter of the ping command. ...
by sindy
Tue Aug 31, 2021 11:06 am
Forum: General
Topic: Port Forwarding Question
Replies: 14
Views: 710

Re: Port Forwarding Question

Post the actual configuration of the LHG, see my automatic signature below for a mini-howto.
by sindy
Tue Aug 31, 2021 11:01 am
Forum: General
Topic: CPU Usage and unknown device
Replies: 13
Views: 1100

Re: CPU Usage and unknown device

Whilst I'm not sure the CPU load comes from some configuration issue, in general, there is no such thing as "important part of configuration" when it comes to analysis of an unexpected behaviour. Typically, the root cause of that behaviour is in the part of the configuration you do not exp...
by sindy
Tue Aug 31, 2021 10:56 am
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 832

Re: Routing via GRE to VLAN networks [SOLVED]

ping times out from router A to B (but not vice versa).. ... I can't see any firewall activities either, so don't believe firewall is blocking it.
Sorry, the first thing I've spotted in your OP was that whilst there were four subnets, 192.168.11.0/24 to 192.168.14.0/24, at router B, there was only ...
by sindy
Tue Aug 31, 2021 10:42 am
Forum: General
Topic: I can't change the MAC address
Replies: 4
Views: 391

Re: I can't change the MAC address

Number 3
At this position, only even digits (0,2,4,6,8,a,c,e) are possible for an own MAC address of a device. If the least significant bit of this digit is 1, i.e. when the digit is odd, it indicates a group address that can only be used as a broadcast or multicast destination one, never as an own...
by sindy
Tue Aug 31, 2021 9:57 am
Forum: General
Topic: Trouble Passing static IP's from ISP through RB1100 to 3rd party router
Replies: 5
Views: 509

Re: Trouble Passing static IP's from ISP through RB1100 to 3rd party router

the ISP says we have to pass them via layer 2 through our router to our tenants router that is connected to our Mikrotik.
Is that a contractual obligation that you must pass this whole block of IPs to this particular tenant, i.e. you have to serve as an extension of the ISP's network so that the IS...
by sindy
Mon Aug 30, 2021 11:37 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 22
Views: 1257

Re: Tiktok Live Problems

I can't imagine a direct connection to improve my Spanish, but if you want, send me your e-mail address encrypted according to this post.

So have you added all the four rules I've suggested or you've just disabled the one blocking UDP traffic to port 80?
by sindy
Mon Aug 30, 2021 10:33 pm
Forum: General
Topic: I can't change the MAC address
Replies: 4
Views: 391

Re: I can't change the MAC address

What is the second symbol from the left (xX:xx:xx:xx:xx:xx) of the address you are trying to set?
by sindy
Mon Aug 30, 2021 10:32 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 22
Views: 1257

Re: Tiktok Live Problems

Did it help?
by sindy
Mon Aug 30, 2021 8:32 pm
Forum: General
Topic: Can I power up SXT with my RB951? [SOLVED]
Replies: 2
Views: 379

Re: Can I power up SXT with my RB951? [SOLVED]

Yes.
by sindy
Mon Aug 30, 2021 8:15 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 22
Views: 1257

Re: Tiktok Live Problems

What do you recommend first?
It depends on the character of your clients (as in "customers"). If none of them operated a server that needs to be reachable from the internet, you could actually implement a simple stateful firewall, whose first rule in chain forward of /ip firewall filter w...
by sindy
Mon Aug 30, 2021 7:25 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 22
Views: 1257

Re: Tiktok Live Problems

Hm... with all those self-configured and 3rd party blacklists, complex layer7-protocol rules and caching web proxy, and the absence of a stateful firewall, there are plenty of reasons why the clients may be unable to connect to TikTok Live servers as they may get blocked by any of the above. Have yo...
by sindy
Mon Aug 30, 2021 7:02 pm
Forum: General
Topic: Rbcapgi-5acd2nd Cap Ac
Replies: 3
Views: 330

Re: Rbcapgi-5acd2nd Cap Ac

The thing is that with two cAP ac on a single branch and the bundled 24 V power supply, you'll be over the specs - according to the specs, the cAP ac takes 13 W at max without attachments, which requires more than 0.5 A current from 24 V (leaving aside that the voltage at PoE-out port is lower than ...
by sindy
Mon Aug 30, 2021 6:36 pm
Forum: General
Topic: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?
Replies: 12
Views: 969

Re: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?

You've mentioned initially that you want the setup work as a repeater in terms that it acts both as a wireless client and a wireless AP. So whenever the local client is connected to a 2.4 GHz radio and its traffic uses the 2.4 GHz WAN, the 1/2 throughput applies. Same for 5 GHz radio. So my statemen...
by sindy
Mon Aug 30, 2021 6:25 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 22
Views: 1257

Re: Tiktok Live Problems

No, I mean /export hide-sensitive file=some-nice-name - it will export everything at once into a file, which you can download afterwards. Before posting the file, don't forget to obfuscate any public IP addresses or user account names if you use them. As I write in my automatic signature here below ...
by sindy
Mon Aug 30, 2021 6:01 pm
Forum: General
Topic: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?
Replies: 12
Views: 969

Re: ROS: Can I seamlessly combine/aggregate my 2-3 cellphones hotspots as WANs (on WAP ac)?

You can use deterministic distribution of the connections, meaning that the same LAN host will always use the same WAN to connect to the same remote server. It may still not be enough, because some services hand over processing of a single application session between multiple servers and still expec...
by sindy
Mon Aug 30, 2021 5:12 pm
Forum: General
Topic: vlan with IPSEC l2tp
Replies: 2
Views: 271

Re: vlan with IPSEC l2tp

The name of L2TP is confusing. To establish an L2 tunnel using L2TP, you need BCP to be supported at both the client and the server, just like with any other PPP-based tunneling protocol. Your description suggests that only the L2TP server is a Mikrotik and the L2TP client is a PC or a phone, is tha...
by sindy
Mon Aug 30, 2021 5:05 pm
Forum: General
Topic: Limit bandwith per ip in vlan
Replies: 8
Views: 545

Re: Limit bandwith per ip in vlan

Yes, the guess/expectation is correct. Since it doesn't work as expected, please do the following:
  1. /queue simple reset-counters-all
  2. run the speedtest from .151
  3. /queue simple print stats
What's the output of the last command?
by sindy
Mon Aug 30, 2021 4:16 pm
Forum: General
Topic: Automatic configuration deletion [SOLVED]
Replies: 6
Views: 545

Re: Automatic configuration deletion [SOLVED]

30 m should be fine with the original 24 V adaptor, unless the cable is extremely bad. Did you have the problems ever since you've switched the device on for the first time, or did they appear recently? A frequent issue is drying electrolytic capacitors in the power adaptors, and to a lower extent a...
by sindy
Mon Aug 30, 2021 2:32 pm
Forum: General
Topic: FastPath not working in combination hEXPoE + mAP lite
Replies: 14
Views: 925

Re: FastPath not working in combination hEXPoE + mAP lite

The switch chip accepts a setup but not a change of the memory size (nor can it borrow more RAM from the CPU) - hw=no just tells it to forward received frames always to the CPU rather than trying first to deliver them autonomously. The rate adaptation from 1000 down to 100 Mbit/s is a specific use c...
by sindy
Mon Aug 30, 2021 1:31 pm
Forum: General
Topic: Automatic configuration deletion [SOLVED]
Replies: 6
Views: 545

Re: Automatic configuration deletion [SOLVED]

As the first thing to do I would upgrade to the current long-term (6.47.10 as of writing this), including upgrading the bootloader ("firmware") in the second step (the firmware comes bundled with the RouterOS but needs to be flashed separately once the new version of RouterOS is already ru...
by sindy
Mon Aug 30, 2021 1:20 pm
Forum: General
Topic: PPPoE Server Fails to Authenticate Clients
Replies: 3
Views: 376

Re: PPPoE Server Fails to Authenticate Clients

If no failures appear in the log, it looks as if the PPPoE-discovery and PPPoE frames from the client didn't reach the PPPoE server process; on the other hand, if disabling and re-enabling the server makes things work again, it seems that the issue is the process itself. I cannot see any obvious mis...
by sindy
Mon Aug 30, 2021 12:56 pm
Forum: General
Topic: Routing via GRE to VLAN networks [SOLVED]
Replies: 13
Views: 832

Re: Routing via GRE to VLAN networks [SOLVED]

Although it is the best practice to locate each IP subnet to a dedicated VLAN, VLAN and IP subnet are not the same thing. So ignore VLANs for a while and concentrate on the subnets alone. In order that devices in subnet a.a.a.a on router A could talk to devices in subnet b.b.b.b on router B, a route...
by sindy
Mon Aug 30, 2021 12:47 pm
Forum: General
Topic: FastPath not working in combination hEXPoE + mAP lite
Replies: 14
Views: 925

Re: FastPath not working in combination hEXPoE + mAP lite

As @tdw wrote - the HW offload could only be "improved" by using a different switch chip. HW offload means that the switch chip forwards the frames between ports on its own, and since its buffer is too short, frames get dropped before the transport protocol notices the low bandwidth availa...
by sindy
Mon Aug 30, 2021 12:35 pm
Forum: General
Topic: Automatic configuration deletion [SOLVED]
Replies: 6
Views: 545

Re: Automatic configuration deletion [SOLVED]

What is the RouterOS version running there?
by sindy
Mon Aug 30, 2021 10:31 am
Forum: General
Topic: What typical changes do you make to AP box default configuration?
Replies: 4
Views: 611

Re: What typical changes do you make to AP box default configuration?

The "turning RSTP off" is not the best idea if more than one Ethernet port remains in the bridge. Instead, set edge=yes on the /interface bridge port rows for the wireless interfaces to get rid of the delay when the first client associates to a given wireless interface after the interface w...
by sindy
Mon Aug 30, 2021 10:19 am
Forum: General
Topic: LTE quota management & signal
Replies: 7
Views: 836

Re: LTE quota management & signal

What does /interface lte info [find] show (you may want to obfuscate the actual values, just the value names in the left column are important)? It depends on the modem model what information RouterOS can obtain and display.
by sindy
Mon Aug 30, 2021 9:12 am
Forum: General
Topic: Tiktok Live Problems
Replies: 22
Views: 1257

Re: Tiktok Live Problems

@anav, I'm afraid there may be some difference between "mere TikTok" (recording videos and then posting them) and "TikTok Live" (live broadcasting) in what protocols they use. So let's wait until @adonato posts his configuration.
by sindy
Sun Aug 29, 2021 6:51 pm
Forum: General
Topic: Tiktok Live Problems
Replies: 22
Views: 1257

Re: Tiktok Live Problems

Post a sketch of the network (a photo of a handmade drawing will be sufficient if the topology is clear from there) and the configuration of the Mikrotik. See my automatic signature for a mini-howto.
by sindy
Sun Aug 29, 2021 2:28 pm
Forum: General
Topic: FastPath not working in combination hEXPoE + mAP lite
Replies: 14
Views: 925

Re: FastPath not working in combination hEXPoE + mAP lite

Out of curiosity, what happens if you set hw=no on all /interface bridge port rows and repeat the test?
by sindy
Sun Aug 29, 2021 1:44 pm
Forum: General
Topic: Slow VPN speed with single TCP stream in one direction
Replies: 12
Views: 1705

Re: Slow VPN speed with single TCP stream in one direction

Would love to test this out further but unfortunately I'm tied down on another project, had my second kid two weeks ago and don't really have time for a thorough gremlin hunt in the coming weeks. But do keep posting please!
There's little to post without any input data (from you and/or from anyone ...
by sindy
Sat Aug 28, 2021 9:51 pm
Forum: General
Topic: How to bind EoIP tunnel to IPSec IKEv2 connection?
Replies: 8
Views: 620

Re: How to bind EoIP tunnel to IPSec IKEv2 connection?

Let me put it another way. Think about IPsec responder like a TCP server and IPsec initiator like a TCP client. The server doesn't send anything to the client until it gets an initial request from it; once the initial request arrives, the server learns the client's IP address and port from it and re...
by sindy
Sat Aug 28, 2021 7:45 pm
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 920

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

Glad that you've solved it. The reason why I keep recommending my solution with the dst-nat back to the public IP on the Mikrotik is that it is enough to implement this once on the Mikrotik, whereas the change of 1 to 2 in registry must be done on every single Windows client.
by sindy
Sat Aug 28, 2021 3:41 pm
Forum: Useful user articles
Topic: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 (with certs) tunnel + EoIP
Replies: 11
Views: 5185

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 (with certs) tunnel + EoIP

@plamensgurov, no one can help you without seeing the exported configurations from all three routers. What you want can work easily, so there must be some misconfiguration.
by sindy
Sat Aug 28, 2021 3:37 pm
Forum: General
Topic: FastPath not working in combination hEXPoE + mAP lite
Replies: 14
Views: 925

Re: FastPath not working in combination hEXPoE + mAP lite

FastPath is a way how the traffic is handled in the CPU, so it is not necessary between bridge ports if "hardware accelerated bridging" (in fact, forwarding of frames between switch ports without them even reaching the CPU) is enabled at both ports involved. If there is the H among the fla...
by sindy
Sat Aug 28, 2021 2:07 pm
Forum: General
Topic: How to bind EoIP tunnel to IPSec IKEv2 connection?
Replies: 8
Views: 620

Re: How to bind EoIP tunnel to IPSec IKEv2 connection?

Ah, the mask confusion strikes again... The WAN IP address of the initiator is not "172.24.73.9/25", it is just 172.24.73.9. The /25 is there to tell the router what is the size of the subnet around this single own address, inside which the other hosts can be reached directly, not via a ga...
by sindy
Sat Aug 28, 2021 11:03 am
Forum: General
Topic: How to bind EoIP tunnel to IPSec IKEv2 connection?
Replies: 8
Views: 620

Re: How to bind EoIP tunnel to IPSec IKEv2 connection?

If your ISP always uses the same public IP to NAT the traffic sent by your client router, and if you always get the same IP at the client router's WAN, you can use a transport mode of the Security Association (chosen by setting tunnel=no on the policy). In that case: on the initiator router, you'll ...
by sindy
Sat Aug 28, 2021 10:06 am
Forum: General
Topic: Slow VPN speed with single TCP stream in one direction
Replies: 12
Views: 1705

Re: Slow VPN speed with single TCP stream in one direction

I was looking into a similar problem (a single-connection TCP using /tool bandwidth-test between two CHR routers running at the same provider), and the root cause of the throughput being lowered from 200 Mbps to less than 0.5 Mbps was that 25 % of the tiny second fragments of the transport packets ...
by sindy
Sat Aug 28, 2021 8:26 am
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 920

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

There are two topics related to L2TP and NAT: the one you have found on your own and linked in your OP, dealing with multiple clients at the same site, thus NATed to the same public IP as seen by the server; the one I've linked in my first response in this current thread, dealing with the server its...
by sindy
Sat Aug 28, 2021 12:00 am
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 920

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

I do understand that the issue started once you've moved the 3011 to a private address, however, you've taken a log from a connection attempt of just a single client that dislikes the IPsec connection as soon as it establishes. What made me cautious is that you've substituted the address of the clie...
by sindy
Fri Aug 27, 2021 8:51 pm
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 920

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

Oops, I was actually too fast. The initiator asks to delete the IPsec SA immediately after it has been established:
11:13:57 ipsec IPsec-SA established: ESP/Transport 10.106.74.190[4500]->my.pubip.1[4500] spi=0xbd067f70
11:13:57 ipsec,debug pfkey add sent.
11:13:57 ipsec,debug ===== received 76 byte...
by sindy
Fri Aug 27, 2021 8:26 pm
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 920

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

No signs of L2TP connection attempt in the log whatsoever. Show me the configuration export (see my signature regarding anonymisation), it must be something about the firewall.
by sindy
Fri Aug 27, 2021 8:11 pm
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 920

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

Yes, you can ignore the failure to bind ::[500].
by sindy
Fri Aug 27, 2021 5:30 pm
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1590

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

It makes the posts much better readable if you place larger portions of configuration export between [ code] and [ /code] tags. In your configuration, there is /ip dns set allow-remote-requests=yes and the /ip firewall filter is almost empty. So the Mikrotik is ready to respond incoming DNS requests...
by sindy
Fri Aug 27, 2021 3:39 pm
Forum: General
Topic: Limit bandwith per ip in vlan
Replies: 8
Views: 545

Re: Limit bandwith per ip in vlan

I'm lost. If you need to get different speeds to different tenants, then the target for each tenant's individual queue must be that tenant's /32 address, so there is no point in using 10.0.0.0/24 as target, except maybe for the last rule in the list, defining a common queue for everyone who hasn't ...
by sindy
Fri Aug 27, 2021 3:12 pm
Forum: General
Topic: issue multiple vlan on switch chip
Replies: 1
Views: 267

Re: issue multiple vlan on switch chip

Do I guess correctly that when you connect Windows or Mac to a port which is not configured as an access one to VLAN 20, both Windows or Mac get the address via DHCP, when you connect Windows or Mac to an access port to VLAN 20 (ether1 or ether5), Windows successfully accept the address assignment f...
by sindy
Fri Aug 27, 2021 2:44 pm
Forum: General
Topic: Limit bandwith per ip in vlan
Replies: 8
Views: 545

Re: Limit bandwith per ip in vlan

Several points. First, the error message itself tells you what is wrong. The target is a prefix (subnet), so .151/32 is OK but .151/24 is not because non-zero bits of the address exist on the bit positions that are zero in the mask. The only place where you can use the shortcut form of .151/24 is wh...
by sindy
Fri Aug 27, 2021 10:31 am
Forum: General
Topic: r11e-lte dead? [SOLVED]
Replies: 7
Views: 549

Re: r11e-lte dead? [SOLVED]

Weird, I've written a post but I apparently haven't submitted it as it is not here. So trying again for reference, although you've already found another method to cut your way through. And the part regarding LTE firmware is still important. In the Mikrotik-specific vernacular, "firmware" ...
by sindy
Fri Aug 27, 2021 9:59 am
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1590

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

Post the export of the current configuration of the Mikrotik (as per my automatic signature below) and also a screenshot of the IPv4 settings of the network interface of the Windows machine (the window where you choose between DHCP and Manual).
by sindy
Thu Aug 26, 2021 11:06 pm
Forum: General
Topic: Not working internet on vlan, cannot ping gw
Replies: 8
Views: 634

Re: Not working internet on vlan, cannot ping gw

The thing is that a /32 address makes sense in some setups too, so no mask given translates to a /32. Make your peace with it :)
by sindy
Thu Aug 26, 2021 10:36 pm
Forum: General
Topic: SSTP tunnel problem [SOLVED]
Replies: 5
Views: 484

Re: SSTP tunnel problem [SOLVED]

On the 2011, there is the following static IPsec policy: comment=vpn01 dst-address=10.10.10.0/24 proposal=secure-proposal sa-dst-address=you.forgot.to.substitute.it sa-src-address=0.0.0.0 src-address=10.20.10.0/24 tunnel=yes On the 4011, a complementary policy exists. Traffic matching a traffic sele...
by sindy
Thu Aug 26, 2021 9:23 pm
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1590

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

The main DNS of the PC is 192.168.1.16 (the PC itself)
I don't understand this statement. How can the PC be its own DNS server? In any case, if the Mikrotik is not the DNS server for the PC, the static DNS records are never used, so the whole idea fails.
by sindy
Thu Aug 26, 2021 9:20 pm
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 946

Re: Switch high CPU VLAN

OK. What you definitely cannot do in hardware on the CRS is to merge the VLANs 30 and 31. This has to be done either on the CCR or nowhere at all, meaning that you'd have to use a separate PPPoE server for each of these VLANs. So I'd try the following, but it's pure theory, I have no possibility to ...
by sindy
Thu Aug 26, 2021 6:55 pm
Forum: General
Topic: SSTP tunnel problem [SOLVED]
Replies: 5
Views: 484

Re: SSTP tunnel problem [SOLVED]

Post the configurations of both machines as per my automatic signature below. Either copy-paste the text exports into the body of the post, each between [ code] and [ /code] tags, or attach them as file attachments to the post. At first glance, the routes seem OK, so it is likely that the firewall b...
by sindy
Thu Aug 26, 2021 6:48 pm
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 946

Re: Switch high CPU VLAN

So after all, my table did not express what you wanted, because you really want something unusual. You need a kind of protocol-based VLAN for the old OLTs, where you need to forward PPPoE and friends to the CCR via ether3, and to forward IP and friends to the CCR via ether4. And on the new OLT, you ...
by sindy
Thu Aug 26, 2021 4:55 pm
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 946

Re: Switch high CPU VLAN

Sorry, I don't understand what means that "ether1 would talk to vlan 30". In your original description, there was a group of ports (ether1 .. ether3) and a group of VLANs, so I was expecting all three VLANs should be accessible on all three ports, which would thus be trunk ports, like sf...
by sindy
Thu Aug 26, 2021 4:33 pm
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1590

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

sorry I'm a newbie to networks and microtik!
It's not so much a Mikrotik issue, it is a TP-link one. Have you managed to get rid of 8.8.8.8 as a DNS in the PC configuration? What do you get if you run the commandline on the PC and enter nslookup tplinkwifi.net there?
by sindy
Thu Aug 26, 2021 4:16 pm
Forum: General
Topic: L2TP/IPsec web browser location result issue
Replies: 23
Views: 951

Re: L2TP/IPsec web browser location result issue

Check the geolocation settings in Firefox. Settings -> Privacy and Security -> Permissions -> Position -> Settings (the names may not be precise, my Firefox language is not English). I don't think the issue is directly with the VPN, and once you've described how you test it, I don't think any more i...
by sindy
Thu Aug 26, 2021 4:00 pm
Forum: General
Topic: login only via one mac address
Replies: 3
Views: 533

Re: login only via one mac address

In /ip firewall filter, you can match on src-mac-address. Depending how your firewall is organized, you may add src-mac-address=th:ep:er:mi:tt:ed to the action=accept rule that enables access to the management service, or src-mac-address=!th:ep:er:mi:tt:ed to the action=drop rule that blocks acc...
by sindy
Thu Aug 26, 2021 3:52 pm
Forum: General
Topic: r11e-lte dead? [SOLVED]
Replies: 7
Views: 549

Re: r11e-lte dead? [SOLVED]

I'd start from 6.47.10, I hazily remember 6.46.x still had some issues with LTE modems and especially with upgrading them. What has made you choose 6.46.8 in particular, given that 6.47.10 has been the long-term release since a couple of weeks ago? What does /system resource usb print detail show? D...
by sindy
Thu Aug 26, 2021 3:43 pm
Forum: General
Topic: EOIP not working behind SNAT on IPACCT NAS
Replies: 3
Views: 289

Re: EOIP not working behind SNAT on IPACCT NAS

If so, you have to investigate into the actual reason why it fails, using the steps I've suggested above.
by sindy
Thu Aug 26, 2021 2:19 pm
Forum: General
Topic: Not working internet on vlan, cannot ping gw
Replies: 8
Views: 634

Re: Not working internet on vlan, cannot ping gw

You've assigned a /32 address to the VLAN interface, so no route to 10.0.0.0/24 via the VLAN interface has been created. As a consequence, packets for anything in 10.0.0.0/24 took the default route. If an Ethernet interface is a member port of a bridge, the VLAN interface must be attached to the bri...
by sindy
Thu Aug 26, 2021 2:15 pm
Forum: General
Topic: EOIP not working behind SNAT on IPACCT NAS
Replies: 3
Views: 289

Re: EOIP not working behind SNAT on IPACCT NAS

EoIP is a proprietary application atop GRE (i.e. IP protocol number 47, no ports), and it misuses the optional 4-byte tunnel ID header as a 2-byte EoIP tunnel ID and 2-byte frame length, so firewalls distinguishing GRE tunnels from one another to allow NATing of more than one tunnel to the same remo...
by sindy
Thu Aug 26, 2021 1:57 pm
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 946

Re: Switch high CPU VLAN

horizon is a software feature configured under /interface bridge port and its activation on a port deactivates hardware forwarding on that port. If you need port isolation in terms that ether1, ether2, ether3 could only forward traffic to/from sfpplus1 but not to/from each other, use the correspo...
by sindy
Thu Aug 26, 2021 1:46 pm
Forum: General
Topic: L2TP/IPsec web browser location result issue
Replies: 23
Views: 951

Re: L2TP/IPsec web browser location result issue

I'd rather see what exact online service you use to check the VPN connection and the leakage of the actual address and/or location. As I've suggested earlier, the actual IP of the client may leak via DNS query, which may bypass the VPN tunnel even if the default route is set via that tunnel. I under...
by sindy
Thu Aug 26, 2021 12:47 pm
Forum: General
Topic: L2TP/IPsec web browser location result issue
Replies: 23
Views: 951

Re: L2TP/IPsec web browser location result issue

Wait... is "the DHCP IP assigned by the CCR1009" a public one?
by sindy
Thu Aug 26, 2021 12:28 pm
Forum: General
Topic: r11e-lte dead? [SOLVED]
Replies: 7
Views: 549

Re: r11e-lte dead? [SOLVED]

That's bad as even without SIM, the LTE modem is normally detected and reports that no SIM is inserted. The maximum possible harm coming from disconnection of one antenna could be damage of the RF Tx amplifier, but that would require presence of SIM, so no issue here. And fried Tx amplifier would no...
by sindy
Thu Aug 26, 2021 12:17 pm
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 946

Re: Switch high CPU VLAN

OK, so it's a normal use after all. The tutorial suggested by @mkx describes exactly that. Assuming that you manage the device via some other port, remove everything from /interface vlan and from /interface bridge port, and add the following: /interface bridge vlan set BR1 vlan-filtering=yes /inter...
by sindy
Thu Aug 26, 2021 12:08 pm
Forum: General
Topic: Multiple IPSec tunnels SmartDNSProxy but same Src.Address
Replies: 2
Views: 251

Re: Multiple IPSec tunnels SmartDNSProxy but same Src.Address

Unfortunately, since the SmartDNSProxy VPN assigns the same IP address to both connections, you cannot use both simultaneously. IPsec policy matching works with IP addresses, protocols and ports alone - no routing-mark, packet-mark or connection-mark values are taken into account. RB750Gr3 doesn't ...
by sindy
Thu Aug 26, 2021 9:12 am
Forum: General
Topic: Site to Multi-Site EoIP Tunnel
Replies: 17
Views: 847

Re: Site to Multi-Site EoIP Tunnel

OK, so the default route is added manually. But you don't need the default route at all, it is enough to have routes to each remote router via the appropriate gateway IP on each WAN. You've got: /interface eoip add ... remote-address=192.168.10.13 ... local-address=192.168.10.9 ... add ... remote...
by sindy
Thu Aug 26, 2021 12:51 am
Forum: General
Topic: Site to Multi-Site EoIP Tunnel
Replies: 17
Views: 847

Re: Site to Multi-Site EoIP Tunnel

There are no public IPs involved, so I cannot understand why you cannot simply export the complete configs from the three existing routers as a text and just obfuscate the names (and serial numbers and timezones if the paranoia is strong). So again: - what are the remote-address values at the HQ rou...
by sindy
Thu Aug 26, 2021 12:45 am
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 946

Re: Switch high CPU VLAN

Maybe you actually want a normal thing but the wording and implementation is unfortunate? I.e. if I rephrase what you wrote into a table below, does it express what you actually want?
VLAN | sfpplus1 | ether1 | ether2 | ether3 | ether4
30 | Y | Y | Y | Y | N
31 | Y | Y | Y | Y | N
35 | Y | Y | Y | Y...
by sindy
Thu Aug 26, 2021 12:13 am
Forum: General
Topic: Switch high CPU VLAN
Replies: 17
Views: 946

Re: Switch high CPU VLAN

I'm not sure I understand your intention properly - do you really want to interconnect VLANs 30, 31 and 35 together transparently? You can only benefit from switch chip forwarding if you do usual things, and interconnecting different VLANs is far from usual. Besides, only one bridge can benefit from...
by sindy
Thu Aug 26, 2021 12:02 am
Forum: General
Topic: Site to Multi-Site EoIP Tunnel
Replies: 17
Views: 847

Re: Site to Multi-Site EoIP Tunnel

OK, so as expected, the remote addresses are actually not 192.168.1.3 and ...1.4 but 192.168.1.9 and ...1.10, which makes more sense as they are not in the same subnet like 192.168.1.1 and ...1.2. It still doesn't explain from where the default routes pop up, but it doesn't matter, as /ip route add ...
by sindy
Wed Aug 25, 2021 11:52 pm
Forum: General
Topic: Not working internet on vlan, cannot ping gw
Replies: 8
Views: 634

Re: Not working internet on vlan, cannot ping gw

Two points:

/interface vlan set [find interface=ether3] interface=rybna_lan

/ip address set [find interface=VLAN-BYTY] address=10.0.0.1/24
by sindy
Wed Aug 25, 2021 11:02 pm
Forum: General
Topic: Site to Multi-Site EoIP Tunnel
Replies: 17
Views: 847

Re: Site to Multi-Site EoIP Tunnel

Are you getting the WAN IP configurations from the MPLS gear by DHCP? Otherwise I don't get from where the default routes should appear.
by sindy
Wed Aug 25, 2021 10:59 pm
Forum: General
Topic: 1 Router with 2 Trunk ports [SOLVED]
Replies: 13
Views: 738

Re: 1 Router with 2 Trunk ports [SOLVED]

Forget about interface list for now, it is not related. I gave you a link to the post with drawings how L2 forwarding/bridging/switching is linked to L3 routing etc. yesterday. The basic configuration to have two trunk ports bridged together on a router, handling VLANs 10, 20, and 30 in particular, ...
by sindy
Wed Aug 25, 2021 10:32 pm
Forum: General
Topic: Site to Multi-Site EoIP Tunnel
Replies: 17
Views: 847

Re: Site to Multi-Site EoIP Tunnel

But if so, you don't need the routes to be default ones: /ip address add interface=mpls-wan1 address=192.168.1.1/24 add interface=mpls-wan2 address=192.168.2.1/24 add interface=mpls-wan3 address=192.168.3.1/24 /ip route add dst-address=ip.of.remote.router.1 gateway=192.168.1.2 dst-address=ip.of.remo...
by sindy
Wed Aug 25, 2021 8:57 pm
Forum: General
Topic: 1 Router with 2 Trunk ports [SOLVED]
Replies: 13
Views: 738

Re: 1 Router with 2 Trunk ports [SOLVED]

OK, sorry, so bridge1 and bridge2 are not bridges on the router but external devices acting as bridges. Nevertheless, read my short post or the long one suggested by @anav. I can't see how PC1 can talk to PC3 with your weird configuration - if it does, it's due to some unexpected side effect. I actu...
by sindy
Wed Aug 25, 2021 8:51 pm
Forum: General
Topic: Site to Multi-Site EoIP Tunnel
Replies: 17
Views: 847

Re: Site to Multi-Site EoIP Tunnel

As @tdw has already asked - do you need a different gateway (or even a different physical WAN interface) to connect to each remote router? I.e. do you have three MPLS tunnels from the ISP? What are the addresses of the remote routers, i.e. remote-address values of the three tunnels?
by sindy
Wed Aug 25, 2021 8:32 pm
Forum: General
Topic: 1 Router with 2 Trunk ports [SOLVED]
Replies: 13
Views: 738

Re: 1 Router with 2 Trunk ports [SOLVED]

EXAMPLE 192.168.0.1/28    E2-VL10 192.168.0.1/28    E3-VL10 192.168.0.17/28  E2-VL20 192.168.0.17/28  E3-VL20 192.168.0.33/28  MGT-E2-VL30 192.168.0.33/28  MGT-E3-VL30 Problem solved. This is not normal but this crap works Nope. The crap above doesn't work - it only appears to work, and it will eje...
by sindy
Wed Aug 25, 2021 8:28 pm
Forum: General
Topic: Site to Multi-Site EoIP Tunnel
Replies: 17
Views: 847

Re: Site to Multi-Site EoIP Tunnel

And here we go - it's not a problem with EoIP tunnels, it's a problem with the network architecture. What do you need the routes for, to route the transport packets of the tunnels, i.e. the packets sent by the router itself, towards the remote peer (the other router terminating the tunnel), or to ro...
by sindy
Wed Aug 25, 2021 8:15 pm
Forum: General
Topic: 1 Router with 2 Trunk ports [SOLVED]
Replies: 13
Views: 738

Re: 1 Router with 2 Trunk ports [SOLVED]

Sorry man, but it's a mess. Your "ascii-art" drawing is not in accord with your configuration export. First, it is correct that at L2 (bridging, switching, L2 forwarding - various names for the same thing), VLAN 10 on one bridge is isolated from VLAN 10 on another bridge. That's no limitat...
by sindy
Wed Aug 25, 2021 7:47 pm
Forum: General
Topic: Site to Multi-Site EoIP Tunnel
Replies: 17
Views: 847

Re: Site to Multi-Site EoIP Tunnel

The answer seems so obvious that I'm sure I must be missing something about the intended use. Just configure the three tunnels at the single HQ router, with the same settings you've used on the separate ones, except that the tunnel-id values must differ even though the remote-address values are diff...
by sindy
Wed Aug 25, 2021 7:34 pm
Forum: General
Topic: L2TP/IPsec web browser location result issue
Replies: 23
Views: 951

Re: L2TP/IPsec web browser location result issue

Start by double-checking, using /tool sniffer on the CCR, that the traffic from the client to internet really goes through the VPN. Another possibility is DNS query leakage - Windows used to have the bad habit of sending DNS queries down every gateway they could see, regardless what the routing was ...
by sindy
Wed Aug 25, 2021 6:48 pm
Forum: General
Topic: L2TP/IPsec web browser location result issue
Replies: 23
Views: 951

Re: L2TP/IPsec web browser location result issue

What computer do you use? Windows/Linux/Mac/other? It looks as if the VPN client settings at the computer differed, where the one connecting to hEX S has the "use the VPN gateway" enabled whereas the one connecting to CCR1009 has this option unchecked and adds a class-based route only (to ...
by sindy
Wed Aug 25, 2021 5:11 pm
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 920

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

You actually only need UDP ports 500 and 4500 to be forwarded all the way from the public IP to the 3011's WAN IP. UDP port 1701 is invisible to the firewall as it is the port of the payload encrypted and encapsulated inside the IPsec transport packets. If a cleartext packet to UDP port 1701 ever ar...
by sindy
Wed Aug 25, 2021 4:59 pm
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1590

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

@rextended, why do you insist on use of the dst-nat rule and redirection from 192.168.0.16:something to 192.168.13.1:80 rather than using the src-nat rule alone and resolving tplinkxyz.net to 192.168.13.1 directly? What am I missing? @merced25, the basic idea of that TPlink thing is that if the DNS ...
by sindy
Wed Aug 25, 2021 2:04 pm
Forum: General
Topic: LTE failover access
Replies: 3
Views: 387

Re: LTE failover access

Sorry if my questions sound stupid Stupid questions are actually rare. Stupid answers are much more common. ad a), for the failover at the 3011 it makes no difference whether the second WAN interface of the 3011 gets its IP configuration directly from the LTE modem (using the passthrough method) or...
by sindy
Wed Aug 25, 2021 1:19 pm
Forum: General
Topic: PPPoE Server Fails to Authenticate Clients
Replies: 3
Views: 376

Re: PPPoE Server Fails to Authenticate Clients

I'm not sure I understand the whole topology, i.e. how the physical interface(s), the bridge, the two VLANs, and the two PPPoE servers are linked together. Can you post an export of the configuration?
by sindy
Wed Aug 25, 2021 10:50 am
Forum: General
Topic: MIKROTIK RB4011iGS+RM, reset of routeros [SOLVED]
Replies: 4
Views: 597

Re: MIKROTIK RB4011iGS+RM, reset of routeros [SOLVED]

You don't need netinstall just to restore the factory default configuration - for that, it is sufficient to follow the procedure on the page suggested by @k6ccc. As that manual page may be quite confusing, I copy and comment here the part relevant to you: How to reset configuration 1) unplug the devi...
by sindy
Wed Aug 25, 2021 10:39 am
Forum: General
Topic: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]
Replies: 26
Views: 1590

Re: It is not possible to access the web panel of a No microtik router from a subnet. [SOLVED]

This cannot be solved by firewall rules alone, you have to involve also a static DNS record. The thing is that when you fill in the url into the address field of a browser, it gets resolved to an IP address using DNS, and is used in the header of the HTTP request sent to the server. And I don't know...
by sindy
Wed Aug 25, 2021 9:50 am
Forum: General
Topic: L2TP with private ip from DHCP Server Connection Problems [SOLVED]
Replies: 15
Views: 920

Re: L2TP with private ip from DHCP Server Connection Problems [SOLVED]

You've written a lot in your OP but you've also left out a lot.

So do I guess properly that the 3011 getting a private WAN address from a NATing router is the L2TP/IPsec server and the L2TP/IPsec client that fails to connect is the Windows embedded VPN client?

If so, see this topic.
by sindy
Tue Aug 24, 2021 10:40 pm
Forum: General
Topic: Client connected to ROAS inaccessible
Replies: 4
Views: 360

Re: Client connected to ROAS inaccessible

Regarding trouble with bridging on virtualization platforms, it's a separate can of worms, see this post and some details in the subsequent discussion. Also tagged frames must be explicitly permitted on some virtualization platforms.
by sindy
Tue Aug 24, 2021 10:15 pm
Forum: General
Topic: Client connected to ROAS inaccessible
Replies: 4
Views: 360

Re: Client connected to ROAS inaccessible

You have several bits of logical nonsense in the configuration: on both devices, you've set pvid=30 on the CPU-facing port of the bridge, but at the same time you've put that port to the tagged list for the bridge for vlan-ids=30 in /interface bridge vlan and created an /interface vlan for vlan-id=3...
by sindy
Tue Aug 24, 2021 6:50 pm
Forum: General
Topic: wAP AC (ARM revision): Bad flash chip?
Replies: 6
Views: 449

Re: wAP AC (ARM revision): Bad flash chip?

is there a difference between netinstall and System -> Packages -> Upgrade in terms of how the firmware is physically flashed? It's not about physical difference, it's about a chance of eventual malware to survive. Netinstall rewrites everything on the disk; upgrade is under control of the old Rout...
by sindy
Tue Aug 24, 2021 6:35 pm
Forum: General
Topic: wAP AC (ARM revision): Bad flash chip?
Replies: 6
Views: 449

Re: wAP AC (ARM revision): Bad flash chip?

After the netinstall, have you restored the configuration from a backup file or have you configured the device manually? If manually, I'm afraid it is indeed a hardware issue.
by sindy
Tue Aug 24, 2021 6:24 pm
Forum: General
Topic: wAP AC (ARM revision): Bad flash chip?
Replies: 6
Views: 449

Re: wAP AC (ARM revision): Bad flash chip?

I've re-flashed the firmware a couple times
How exactly? Using netinstall or some other way?
by sindy
Tue Aug 24, 2021 5:39 pm
Forum: General
Topic: Bridge "Distance" vs Static Route
Replies: 5
Views: 587

Re: Bridge "Distance" vs Static Route

You cannot manipulate the distance parameter of routes to "connected networks" that have been added dynamically, but you can prevent the L2 tunnel from interconnecting the bridges without driving to the remote site. Just copy the /ppp profile row you use for the remote client with a differ...
by sindy
Tue Aug 24, 2021 5:19 pm
Forum: General
Topic: Solve ISP VPN L2TP throttle (CCR to CCR)
Replies: 28
Views: 1476

Re: Solve ISP VPN L2TP throttle (CCR to CCR)

Speedtest.net reports 3.69 by 2.30 (inside VPN) and Google Speed Test reports 25.6 by 2.42 (inside the VPN) This further reinforces my assumption that it is a timing/small packet/fragmented packet issue. For OTE, these two tests are indistinguishable from each other by anything than possibly packet...
by sindy
Tue Aug 24, 2021 5:16 pm
Forum: General
Topic: Solve ISP VPN L2TP throttle (CCR to CCR)
Replies: 28
Views: 1476

Re: Solve ISP VPN L2TP throttle (CCR to CCR)

Large services often serve customers from regional servers (Google does that for sure), whereas the direct connection spans half of Europe. I doubt OTE has a direct peering with Virgin UK, so there are most likely multiple network paths between the two, making packet overtaking, resulting in shuffle...
by sindy
Tue Aug 24, 2021 4:15 pm
Forum: General
Topic: RSTP Root port selection [SOLVED]
Replies: 4
Views: 876

Re: RSTP Root port selection [SOLVED]

It's a misunderstanding of how the spanning tree works. If there is no ring topology, i.e. there is no other connection between the two switches but via the CCR1036, it doesn't matter at all which of the three devices is the root bridge. If there is a ring topology, you most likely don't want either...
by sindy
Tue Aug 24, 2021 3:15 pm
Forum: General
Topic: Urgently need help with strange forwarding issue
Replies: 6
Views: 475

Re: Urgently need help with strange forwarding issue

Ah, click, so on the original diagram, the 3011 is the "Mikrotik Customer Router", not the "MikroTik ISP Routers". So no need to sniff at two routers, just at the 3011 itself, but still without filtering on interface, just on the remote IP (which is not affected by all the src-na...
by sindy
Tue Aug 24, 2021 2:48 pm
Forum: General
Topic: Windows 7/10 & L2TP connection issue
Replies: 12
Views: 3484

Re: Windows 7/10 & L2TP connection issue

The dirty trick can only affect connections from clients with public addresses directly on themselves if ESP cannot be properly forwarded at the device standing between the Mikrotik server and the internet, because the NAT detection of IPsec doesn't discover any NAT and hence the SA gets established...
by sindy
Tue Aug 24, 2021 2:39 pm
Forum: General
Topic: Urgently need help with strange forwarding issue
Replies: 6
Views: 475

Re: Urgently need help with strange forwarding issue

I have no problem with the [VDSLmodem] - [DSLAM] - [3011] topology, nor with the fact that the DSLAM acts as a switch with port isolation between the VDSL ports. Only the "customer's Mikrotik" element in your diagram causes the confusion :) I can also understand that since you assign RFC 6...
by sindy
Tue Aug 24, 2021 12:39 pm
Forum: General
Topic: Solve ISP VPN L2TP throttle (CCR to CCR)
Replies: 28
Views: 1476

Re: Solve ISP VPN L2TP throttle (CCR to CCR)

I don't think the change of behaviour is caused by some action of the ISP intended to slow down VPNs. The thing is that no matter what you do inside the L2TP/IPsec tunnel, the ISP can see the whole tunnel traffic as a single UDP connection from port 4500 of the Tinos CCR to port 4500 of the London C...