Search found 8037 matches

by sindy
Wed Dec 01, 2021 3:15 pm
Forum: Announcements
Topic: v6.49.1 [stable] is released!
Replies: 133
Views: 20404

Re: v6.49.1 [stable] is released!

@tomislav91, what does /ip socks export say, could it be that the issue is not related to upgrade but to a botnet squatting on your device?
by sindy
Tue Nov 30, 2021 11:19 pm
Forum: General
Topic: Hamachi Relayed Tunnel - Same router Different Networks
Replies: 3
Views: 344

Re: Hamachi Relayed Tunnel - Same router Different Networks

I've somehow missed that you have a single router for both. So it seems the Hamachi director is so clever that even if it detects the clients to have two distinct public addresses, it doesn't take for granted that these addresses can talk to each other, lets the clients test that, and switches them ...
by sindy
Mon Nov 29, 2021 9:06 pm
Forum: General
Topic: One interface for 2 Switch [SOLVED]
Replies: 4
Views: 260

Re: One interface for 2 Switch [SOLVED]

I wanted to do this setup to have redundancy, both switches will have same VLANs.
This differs from the statement in the OP where you wrote "The 2 switches have different VLANs". Did it mean that there are multiple VLANs on the switches, but not that they differ between the switches? If s...
by sindy
Mon Nov 29, 2021 4:11 pm
Forum: General
Topic: LACP Issue
Replies: 7
Views: 302

Re: LACP Issue

The MNDP packets are normal IP/UDP ones, so if the Meraki looks at (source MAC address, source IP address) tuples, it will keep showing duplicates. At the Mikrotik side, you can only disable neighbor discovery at the interfaces facing towards the Meraki.
by sindy
Mon Nov 29, 2021 3:24 pm
Forum: General
Topic: VPN just for one of the LAN devices when the whole router is using IPSec
Replies: 10
Views: 660

Re: VPN just for one of the LAN devices when the whole router is using IPSec

I cannot ping my SXT connected to ether2 of my Mikrotik on site while I am connected via L2TP VPN to the Mikrotik.
My wild guess is that no routing is set at the SXT, hence it does not know that the route to 192.168.50.x (the L2TP clients) goes via 10.1.10.10. To get to the SXT via VPN, add another masq...
by sindy
Mon Nov 29, 2021 3:15 pm
Forum: General
Topic: LACP Issue
Replies: 7
Views: 302

Re: LACP Issue

This seems normal to me. All the neighbor discovery protocols (MNDP, CDP, LLDP) work at "physical" interfaces, i.e. even if two interfaces are bonded together, these protocols work at each of them separately. So nothing to worry about.
by sindy
Sun Nov 28, 2021 10:18 pm
Forum: General
Topic: One interface for 2 Switch [SOLVED]
Replies: 4
Views: 260

Re: One interface for 2 Switch [SOLVED]

Strictly speaking it's not a Router on a Stick scenario as you have the WAN direction there. As you say the switches host non-overlapping sets of VLANs, there is actually no need that you bridge together their connections to the routers at the router end, you can connect SW1 to eth2 of RT1 and SW2 t...
by sindy
Sun Nov 28, 2021 9:04 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc7 [development] is released!
Replies: 161
Views: 15304

Re: v7.1rc7 [development] is released!

Syntax is not rocket science that you have to learn for months, it's literally one if with operators and action.
What I always liked most about RouterOS is the systematic way of presenting the configuration, as compared to common Linux distributions where every package has its own configuration fi...
by sindy
Sun Nov 28, 2021 8:57 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

As long as the Rx packet rate is below the Tx packet rate, it's still reasonable, as TCP doesn't acknowledge every single packet. Also the speed fluctuation seems a TCP thing to me, because delay of ACK, as well as laziness of the destination to fetch the received data from the input buffer, causes ...
by sindy
Sun Nov 28, 2021 8:14 pm
Forum: General
Topic: LACP Issue
Replies: 7
Views: 302

Re: LACP Issue

Can you show the output /ip arp print where address=the.ip.add.ress on a Mikrotik device where you see this?
by sindy
Sun Nov 28, 2021 8:02 pm
Forum: General
Topic: LACP Issue
Replies: 7
Views: 302

Re: LACP Issue

What exactly means "IP addresses are duplicated across the network with different MAC addresses"? That in the ARP tables of some devices in the network, an IP address is shown with MAC address X, and in the ARP tables of other devices, the same IP address is shown with MAC address Y, or yo...
by sindy
Sun Nov 28, 2021 2:35 pm
Forum: General
Topic: Can't ping mikrotik LAN gateway from internal end users devices
Replies: 3
Views: 323

Re: Can't ping mikrotik LAN gateway from internal end users devices

your current firewall rules do not prevent management access to the router from WAN - the action=drop rules in chain input in filter only drop flood traffic (and their copies in prerouting in raw ), and the only other action=drop rules in chain prerouting in raw only drop DNS requests from WAN. But...
by sindy
Sun Nov 28, 2021 1:01 pm
Forum: General
Topic: Placing SXT LTE6 kit into "bridge" mode?
Replies: 1
Views: 147

Re: Placing SXT LTE6 kit into "bridge" mode?

Are there any guides on how to achieve this?
If you don't like the manual, here's one of multiple relevant topics here on the forum: https://forum.mikrotik.com/viewtopic.php?p=886000#p886000
I am very new to Mikrotik gear so don't really know my way around.
To Mikrotik or to networking as a whole?...
by sindy
Sat Nov 27, 2021 11:25 pm
Forum: General
Topic: VPN P2P + L2TP clients.
Replies: 8
Views: 1070

Re: VPN P2P + L2TP clients.

A practical idea is to post the current configurations of A and B. You say that A and B are connected using bare IPsec, which means that traffic to be sent via the tunnel is chosen by traffic selectors of IPsec policies. If there is no policy between the pool (subnet) from which you assign addresse...
by sindy
Sat Nov 27, 2021 8:41 pm
Forum: General
Topic: 3g modem not showing in /ports
Replies: 12
Views: 2430

Re: 3g modem not showing in /ports

You have to google for detailed information for that particular modem type. I was able to switch several Huawei 3G modems permanently, but never had a D-link one. Another possibility is that the usb_modeswitch actually is part of RouterOS but the parameters for this D-link have not been added yet, s...
by sindy
Sat Nov 27, 2021 8:26 pm
Forum: General
Topic: 3g modem not showing in /ports
Replies: 12
Views: 2430

Re: 3g modem not showing in /ports

It depends on the type of the modem. Here's the home page of the usb_modeswitch project, the particular commands to be sent are model specific. But you really need a Linux machine for that, no way to change that from RouterOS. And the second issue is that not every USB modem can be set to remember ...
by sindy
Sat Nov 27, 2021 8:11 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

It seems that virtual bridge is not used anywhere, can I (should I) somehow make IPSec to use the virtual bridge as source of remote VPN clients?
You cannot make the bridge a source (or rather in-interface) of the IPsec payload. The in-interface of IPsec payload is always the in-interface of the IP...
by sindy
Sat Nov 27, 2021 4:04 pm
Forum: General
Topic: VPN just for one of the LAN devices when the whole router is using IPSec
Replies: 10
Views: 660

Re: VPN just for one of the LAN devices when the whole router is using IPSec

My configurations:
Wow, what an amount of creativity wasted (I have in mind the script moving your static masquerade rule before the one dynamically created by IPsec). You've missed some points unfortunately: only the initial packet of each connection is handled by the /ip firewall nat rules, and t...
by sindy
Sat Nov 27, 2021 12:52 pm
Forum: General
Topic: MT IPSec to Sophos IPSec problems
Replies: 4
Views: 302

Re: MT IPSec to Sophos IPSec problems

our side needs to be the initiator
Sorry for not structuring my thoughts more clearly: when I mentioned setting passive to yes, I had in mind that you'd see what the Sophos is trying to actively do while in that broken state. But if your side must be the initiator, it just means that instead, you ...
by sindy
Fri Nov 26, 2021 11:20 pm
Forum: General
Topic: IKEv2 site2site firewall and routes
Replies: 12
Views: 697

Re: IKEv2 site2site firewall and routes

Trying now a bit more complex, passing vlans over ipsec (R2(VL10/30), R2(VL10/20/70)....
Although many people tend to talk about a VLAN when they actually have in mind a subnet, and vice versa, these are not synonyms. Sometimes it doesn't matter, sometimes it does. Since we've just got through subne...
by sindy
Fri Nov 26, 2021 6:05 pm
Forum: General
Topic: MT IPSec to Sophos IPSec problems
Replies: 4
Views: 302

Re: MT IPSec to Sophos IPSec problems

Since it is effectively unusable anyway, what I'd do in your situation would be to use another Mikrotik (even a CHR on a free license if you don't have anything else handy) to debug that without other tunnels writing to the same log. And unless your Mikrotik must be the initiator, I'd set it to pass...
by sindy
Fri Nov 26, 2021 5:56 pm
Forum: General
Topic: IKEv2 site2site firewall and routes
Replies: 12
Views: 697

Re: IKEv2 site2site firewall and routes

OK, and from here on, you can start discovering the what-if way. Change the selector at one side (say, src-address at R1 and thus dst-address at R2) in both static policies to 0.0.0.0/0, you should still be able to access R1 LAN subnets from R2 LAN subnets and vice versa, but also access "the ...
by sindy
Fri Nov 26, 2021 12:09 am
Forum: General
Topic: IKEv2 site2site firewall and routes
Replies: 12
Views: 697

Re: IKEv2 site2site firewall and routes

Exclude traffic matching to IPsec policies from being NATed at both devices by placing the following rule as the first one of the srcnat chain:

action=accept ipsec-policy=out,ipsec

Then, enable matching static policies at both routers and once you see them to be constantly Active at both, try again...
by sindy
Thu Nov 25, 2021 11:59 pm
Forum: General
Topic: 3g modem not showing in /ports
Replies: 12
Views: 2430

Re: 3g modem not showing in /ports

These USB modems often used to show up as "mass storage" (disk) containing the driver for Windows and required a mode switch command to start identifying themselves as modems. I'm not sure whether RouterOS handles this at all, and if it does, whether it has the mode switch commands for all...
by sindy
Thu Nov 25, 2021 11:41 pm
Forum: General
Topic: IKEv2 site2site firewall and routes
Replies: 12
Views: 697

Re: IKEv2 site2site firewall and routes

R1 can't ping anything on R2
That's no surprise - your export shows that the only IPsec policy at R1 is the dynamically created one, with src-address=0.0.0.0/0 and dst-address=192.168.20.2 (based on the address=192.168.20.2 and split-include=0.0.0.0/0 in the mode-config row). So only traffic to 192...
by sindy
Thu Nov 25, 2021 10:52 pm
Forum: General
Topic: IKEv2 site2site firewall and routes
Replies: 12
Views: 697

Re: IKEv2 site2site firewall and routes

Would it help you more to talk about it using voice? You keep switching between approaches and there is always some missing bit, maybe a systematic explanation might help?
by sindy
Thu Nov 25, 2021 5:01 pm
Forum: General
Topic: Use IPSec Peer's ID in firewall rule condition?
Replies: 5
Views: 370

Re: Use IPSec Peer's ID in firewall rule condition?

On the other hand, since both ends are in your own hands, it is relatively easy for you to migrate to what @pe1chl proposes.
by sindy
Thu Nov 25, 2021 4:50 pm
Forum: General
Topic: How to explain my boss about complexity of RouterOS
Replies: 9
Views: 632

Re: How to explain my boss about complexity of RouterOS

You can consider yourself lucky.
Well, he is lucky, as he is leaving. The unlucky one is the boss who will have to outsource the network administration because the other chap won't be able to deal with it. @miro, it's not the complexity of RouterOS, it's the complexity of networking. No other brand...
by sindy
Thu Nov 25, 2021 4:43 pm
Forum: General
Topic: Use IPSec Peer's ID in firewall rule condition?
Replies: 5
Views: 370

Re: Use IPSec Peer's ID in firewall rule condition?

No and no. The only thing related to IPsec you can use to match in firewall rules is whether a packet matches any existing IPsec policy. Nor is there a possibility to trigger a script when peer activity state changes, or at least to add the IP address assigned to a peer with mode-config=request-only...
by sindy
Thu Nov 25, 2021 2:50 pm
Forum: General
Topic: Change DSCP on DNS packet from LAN to Mikrotik? [SOLVED]
Replies: 6
Views: 450

Re: Change DSCP on DNS packet from LAN to Mikrotik? [SOLVED]

I was wondering why you set the DSCP in chain input, as the right place is to set it in chain output for packets sent by the Mikrotik itself, and in chain forward for packets forwarded from one interface to another. For the traffic from the client to the Mikrotik, the client itself or the switch to...
by sindy
Thu Nov 25, 2021 2:34 pm
Forum: General
Topic: Detecting Viber traffic characteristics?
Replies: 11
Views: 674

Re: Detecting Viber traffic characteristics?

Apparently according to Palo Alto (application research center) Viber has several subservices. ... Key-message here: use the right tool for the job
Can you use the Palo Alto policy also to use specific routing for the matching traffic, not just to block it? I mean, to choose the routing policy, you...
by sindy
Thu Nov 25, 2021 2:03 pm
Forum: General
Topic: Change DSCP on DNS packet from LAN to Mikrotik? [SOLVED]
Replies: 6
Views: 450

Re: Change DSCP on DNS packet from LAN to Mikrotik? [SOLVED]

Something must be wrong, as in my case, it works the way I expect:

[me@myTik] > ip firewall mangle print where !dynamic
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=change-dscp new-dscp=34 protocol=tcp src-port=443
 1   chain=input action=log dscp=35

When the second rule matches o...
by sindy
Thu Nov 25, 2021 1:14 pm
Forum: General
Topic: Change DSCP on DNS packet from LAN to Mikrotik? [SOLVED]
Replies: 6
Views: 450

Re: Change DSCP on DNS packet from LAN to Mikrotik? [SOLVED]

/tool sniffer shows received packets before they get handled by any mangle rules, I'm not sure where /tool torch is hooked. So if

/tool sniffer quick interface=whateverthenameis ip-protocol=icmp ip-address=ip.of.the.router

shows you any DSCP value except 56 for received ICMP (to see the DSCP value,...
by sindy
Thu Nov 25, 2021 12:12 pm
Forum: General
Topic: separate circuit
Replies: 7
Views: 476

Re: separate circuit

It depends on what else you want from the device providing this functionality. Any Mikrotik device with at least three Ethernet interfaces can do this using a software bridge, but it may become a bottleneck - you haven't stated the actual bandwidth of the two "circuits". If you want that t...
by sindy
Thu Nov 25, 2021 10:33 am
Forum: General
Topic: VPN just for one of the LAN devices when the whole router is using IPSec
Replies: 10
Views: 660

Re: VPN just for one of the LAN devices when the whole router is using IPSec

Is it possible?
Definitely yes, but without seeing the IPsec part, it is impossible to tell you what exactly overrides your policy routing setup. Most likely the IP address assigned to the PPTP tunnel matches to an IPsec policy, but it is not the only possibility. See my automatic signature below f...
by sindy
Thu Nov 25, 2021 10:30 am
Forum: General
Topic: ASK [CGNAT-port forwarding]
Replies: 9
Views: 732

Re: ASK [CGNAT-port forwarding]

I did try, that will allow me to do PF to the CPE01 only
It means there was some error in one of the dst-nat rules, or in some filter rules. Of course you cannot use the same port for both the web access to the CPE and the web access to the server (the dst-nat rule handles the incoming traffic firs...
by sindy
Wed Nov 24, 2021 11:58 pm
Forum: General
Topic: Route LTE connection to my DIA connection
Replies: 1
Views: 325

Re: Route LTE connection to my DIA connection

Can you draw what you have in mind? Too much information missing.
by sindy
Wed Nov 24, 2021 11:55 pm
Forum: Announcements
Topic: v6.49.1 [stable] is released!
Replies: 133
Views: 20404

Re: v6.49.1 [stable] is released!

Is there any solution except netinstall?
There are many possible reasons why the DHCP process doesn't succeed, so the first thing to do is sniffing to reveal what actually happens. I'd say open a dedicated topic as your issue doesn't seem to be specific to 6.49.1 and it will need some talk on wha...
by sindy
Wed Nov 24, 2021 9:53 pm
Forum: General
Topic: 6.48.5 doesn't always allow udp established connections
Replies: 2
Views: 409

Re: 6.48.5 doesn't always allow udp established connections

@mkx, I'm afraid that what the OP is trying to illustrate is the fact that the rule doesn't count, but it may be a confusion of cause and consequence. If that rule is alone in the output chain, it should match (and thus count) on each DNS response sent by the router, as such a packet definitely matc...
by sindy
Wed Nov 24, 2021 8:19 pm
Forum: General
Topic: separate circuit
Replies: 7
Views: 476

Re: separate circuit

/interface bridge
add name=br-athens protocol-mode=none vlan-filtering=yes pvid=1
/interface bridge vlan
add bridge=br-athens vlan-ids=1234 tagged=ether1
add bridge=br-athens vlan-ids=5678 tagged=ether1
/interface bridge port
add bridge=br-athens interface=ether1 pvid=1
add bridge=br-athens interfa...
by sindy
Wed Nov 24, 2021 8:13 pm
Forum: General
Topic: Hamachi Relayed Tunnel - Same router Different Networks
Replies: 3
Views: 344

Re: Hamachi Relayed Tunnel - Same router Different Networks

The very issue is that all these systems based on UDP hole punching rely, among other things, on routability of the traffic between the public IP of the first peer (client) and the second peer (server). If the coordinating server can see packets from both peers to come from the same public IP, it ca...
by sindy
Wed Nov 24, 2021 7:18 pm
Forum: General
Topic: separate circuit
Replies: 7
Views: 476

Re: separate circuit

If I understand you right, which may well not be the case, you need a bridge or switch with vlan filtering functionality, with three ports - a trunk one where both VLANs are permitted tagged, and two access ones, one for each VLAN. Or maybe you want the VLANs to remain tagged on their dedicated port...
by sindy
Wed Nov 24, 2021 7:12 pm
Forum: General
Topic: Detecting Viber traffic characteristics?
Replies: 11
Views: 674

Re: Detecting Viber traffic characteristics?

Layer 7 looks into the contents of the traffic, and has some limitations (0x0 bytes ignored etc.), whilst all the Viber traffic is encrypted (or at least so they say). Hence you have to record the start of multiple voice and video calls and search for an eventual pattern in the initial packet of eac...
by sindy
Wed Nov 24, 2021 7:08 pm
Forum: General
Topic: ASK [CGNAT-port forwarding]
Replies: 9
Views: 732

Re: ASK [CGNAT-port forwarding]

I did not understand what you mean by "involving the server". On the router with public address, there must be an action=dst-nat rule with to-address=the.cgnat.address.of.customer.router On the customer router, which has a CGNAT address on its WAN, there must be an action=dst-nat rule with ...
by sindy
Wed Nov 24, 2021 6:55 pm
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 38
Views: 15330

Re: LHG LTE - Bridge mode???

Will I get some additional speed if passthrough-subnet-selection is set to p2p? (I will test it in some weeks when I visit my parents in the village)
You have to test, but there is no rational reason why this setting should affect the speed. It's really just that with the /30 or /29 subnet, the 3 ...
by sindy
Tue Nov 23, 2021 6:22 pm
Forum: General
Topic: IPsec Site to Site with one side behind NAT [SOLVED]
Replies: 11
Views: 574

Re: IPsec Site to Site with one side behind NAT [SOLVED]

I don't think it is an ISP issue. What happens is:

10:08:16 ipsec searching for policy for selector: 192.168.19.0/24 <=> 192.168.80.0/24

given that the traffic selector is in accord with the policy you've posted in the OP, and that the policies are symmetrical (the dst-address of one of them matches...
by sindy
Mon Nov 22, 2021 11:41 pm
Forum: General
Topic: IPsec Site to Site with one side behind NAT [SOLVED]
Replies: 11
Views: 574

Re: IPsec Site to Site with one side behind NAT [SOLVED]

That's all correct regarding the peers; what I'm afraid of is unknown behaviour of the ISP router, which may decide to replace the source port of a connection initiated by a LAN->WAN packet from port 500 because there is the port forwarding of that port in WAN->LAN direction. And if later a packet f...
by sindy
Mon Nov 22, 2021 11:24 pm
Forum: General
Topic: IKEv2 site2site (V2)
Replies: 6
Views: 419

Re: IKEv2 site2site (V2)

You make mistakes in copy-pasting also when copying rules between routers. It seems you previously had a configuration where the policy was between 192.168.20.0/24 on one router and 192.168.30.0/24 on the other one. And you have created exceptions from the masquerade rule for the traffic towards the...
by sindy
Mon Nov 22, 2021 11:02 pm
Forum: General
Topic: IKEv2 site2site (V2)
Replies: 6
Views: 419

Re: IKEv2 site2site (V2)

When you say "no firewall rules", you mean no firewall rules at all or just no firewall filter rules? Because action=src-nat or action=masquerade rules can prevent the traffic selectors of policies from matching the traffic. Better post the complete configurations, not just the parts you a...
by sindy
Mon Nov 22, 2021 10:51 pm
Forum: General
Topic: IP addresses in the same subnet across multiple interfaces? [SOLVED]
Replies: 8
Views: 689

Re: IP addresses in the same subnet across multiple interfaces? [SOLVED]

No need to be afraid of any loops, as the two interfaces are not bridged on the Windows PC. The only thing I can imagine to happen could be that the PC would respond to the ARP request for one of the addresses also with the MAC address of the "wrong" interface, but /tool sniffer on the Mik...
by sindy
Mon Nov 22, 2021 10:37 pm
Forum: General
Topic: IPsec Site to Site with one side behind NAT [SOLVED]
Replies: 11
Views: 574

Re: IPsec Site to Site with one side behind NAT [SOLVED]

Keeping passive=yes at Mikrotik B prevents issues with NAT on the ISP router from occurring when Mikrotik B eventually starts sending before it receives the first packet from Mikrotik A after power loss at Site B. As you've tried with different settings throughout the time, it's better to keep it li...
by sindy
Mon Nov 22, 2021 9:30 pm
Forum: General
Topic: IKEv2 site2site (V2)
Replies: 6
Views: 419

Re: IKEv2 site2site (V2)

First, the policies at both R1 and R2 are identical rather than mirroring each other (both have the same dst-address and the same src-address), I suppose it is actually not the case and it's just a copy-paste error? Second, the traffic selection by IPsec policies takes place after regular routing, ...
by sindy
Fri Nov 19, 2021 11:21 pm
Forum: Beginner Basics
Topic: Working around NAT hairpin [SOLVED]
Replies: 27
Views: 1714

Re: Working around NAT hairpin [SOLVED]

I needed to take a break, I found out that I was spending way too much time here.
So it was a detox of a kind, OK. With this Covid and alike, I was scared you shifted to Juniper :)
by sindy
Fri Nov 19, 2021 10:15 pm
Forum: General
Topic: ipsec multisubnet or multi policy issue
Replies: 41
Views: 27078

Re: ipsec multisubnet or multi policy issue

Well... IPsec is one of the cases where the RouterOS implementation is quite far from the popular Linux ones, both Openswan and Strongswan.
by sindy
Fri Nov 19, 2021 7:58 pm
Forum: General
Topic: ipsec multisubnet or multi policy issue
Replies: 41
Views: 27078

Re: ipsec multisubnet or multi policy issue

Where exactly does this information come from?
The documentation, this forum, 5 years of hands-on experience with RouterOS, and 15+ with Linux.
It seems mikrotik looks at network from a linux-point-of-view, am I right?
RouterOS is Linux, with quite a lot of in-house development, and a systematized confi...
by sindy
Fri Nov 19, 2021 5:35 pm
Forum: General
Topic: ipsec multisubnet or multi policy issue
Replies: 41
Views: 27078

Re: ipsec multisubnet or multi policy issue

Leaving aside use, the difference between unique and required is that with unique, each policy creates its own pair of security associations with own IDs and keys; with required, multiple policies use a common security association to send the encrypted data. Both peers must use the same approach,...
by sindy
Fri Nov 19, 2021 5:29 pm
Forum: General
Topic: LtAP mini only connects to 3G
Replies: 14
Views: 749

Re: LtAP mini only connects to 3G

what would be the benefit of the new firmware
That's what nobody knows, as no patch notes/release notes for LTE modems firmware seem to be published. Over time, people complain about various issues with different operators, and the advice is "keep the modem firmware up to date". Since you...
by sindy
Fri Nov 19, 2021 4:58 pm
Forum: General
Topic: Firewall filter rule ignored?
Replies: 13
Views: 785

Re: Firewall filter rule ignored?

It is easy to confuse as the syntax item=value is the same for all the parameters of a rule, but there are actually 4 distinct categories of them:
  • the match conditions (such as dst-address, protocol, ...)
  • the action to take
  • the parameters of an action (such as jump-target, to-ports, to-addresses)
  • th...
by sindy
Fri Nov 19, 2021 3:34 pm
Forum: General
Topic: LtAP mini only connects to 3G
Replies: 14
Views: 749

Re: LtAP mini only connects to 3G

What do you mean with "pulling it into 2021"? The LtAP mini runs ROS v. 4.49.1 with latest firmware so it runs the latest 'stable' version.......
Yeah, but the R11e-LTE has its own firmware (don't confuse it with the RouterBoard "firmware" which is actually a bootloader for Rout...
by sindy
Fri Nov 19, 2021 12:10 pm
Forum: General
Topic: LtAP mini only connects to 3G
Replies: 14
Views: 749

Re: LtAP mini only connects to 3G

I would say let's start from pulling your R11e-LTE into 2021 as it is almost over now. As I could not find how to do firmware upgrade using Winbox, you'll have to try using the command line (you can get a command line window by pressing the [New Terminal] button in Winbox). Make sure that the power ...
by sindy
Thu Nov 18, 2021 8:52 pm
Forum: General
Topic: Firewall filter rule ignored?
Replies: 13
Views: 785

Re: Firewall filter rule ignored?

Pardon me, but the very first rule in chain input says:

action=accept chain=input dst-port=<ssh-port> protocol=tcp

So why are you surprised that it shadows the action=drop chain=input src-address=<offending-ip> one far later in the list?
by sindy
Thu Nov 18, 2021 8:45 pm
Forum: General
Topic: Im only getting 100MB on a 1GB connection
Replies: 3
Views: 437

Re: Im only getting 100MB on a 1GB connection

for now I just wanted to be sure that the "Link Partner Advertising" is what the Mikrotik device is seeing from the node and that's why the options are grayed out.
Yes. This indicates that the media converter is not advertising the gigabit speed at its copper Ethernet side.
by sindy
Thu Nov 18, 2021 7:40 pm
Forum: General
Topic: LtAP mini only connects to 3G
Replies: 14
Views: 749

Re: LtAP mini only connects to 3G

What is now the frequency? Is this the "Fc" number? So in this case; 1869,9 MHz, (or KHz, or GHz?)?
Yes, Fc looks like Frequency channel; since the fancy 7-segment digits indicate the band and Band 3 is indeed the 1800 MHz one (1.8 GHz). Also one of the small dials below (indicating nei...
by sindy
Thu Nov 18, 2021 4:36 pm
Forum: General
Topic: Firewall filter rule ignored?
Replies: 13
Views: 785

Re: Firewall filter rule ignored?

Can you post the complete output of
/ip firewall filter export
and obfuscate any public addresses you eventually don't want to reveal?

Normally, your rule should indeed prevent the attacker's packets from reaching the ssh service.

Also, what is your RouterOS version?
by sindy
Thu Nov 18, 2021 1:46 pm
Forum: General
Topic: No audio on sip calls over VPN
Replies: 10
Views: 761

Re: No audio on sip calls over VPN

I'm not any the wiser as to why this rule works the way it does
The reason is how IPsec interworks with regular routing and the firewall. If the regular routing sends a packet via some interface, and there is a src-nat or masquerade rule matching on that out-interface(-list) that changes the source...
by sindy
Thu Nov 18, 2021 12:49 pm
Forum: General
Topic: LtAP mini only connects to 3G
Replies: 14
Views: 749

Re: LtAP mini only connects to 3G

MNO - Mobile Network Operator, yes, it is the cellphone operator. And yes, LtAP mini, or rather the R11e-LTE used in it, may not cover some bands the operator is using in your particular country. There's the "united market" but still quite some regulations remain country-specific. If the p...
by sindy
Thu Nov 18, 2021 11:45 am
Forum: General
Topic: IPsec ignores connection-mark
Replies: 11
Views: 694

Re: IPsec ignores connection-mark

maybe it is not a good idea for me to jump in here. Because you have replied on my one.
Well, the OP's issue has been resolved and I've commented on it too, so hopefully your piggy-back is not so disturbing.
This router is behind NAT, and I'm using it only for VPN
The ipsec-protocol as a parameter of polic...
by sindy
Thu Nov 18, 2021 11:15 am
Forum: General
Topic: No audio on sip calls over VPN
Replies: 10
Views: 761

Re: No audio on sip calls over VPN

(admins - how can I delete an empty post?)
Next to the "edit post" button, there should be a "delete post" one - the [X] one in my skin. It asks you for a brief reasoning of the deletion in the next step. Or you press the "edit post" and there are two more options on t...
by sindy
Thu Nov 18, 2021 11:00 am
Forum: General
Topic: IPsec ignores connection-mark
Replies: 11
Views: 694

Re: IPsec ignores connection-mark

in my case i can't see ESP in the connection tracking , not sure why
Two possible explanations come to my mind:
  • there is NAT at at least one end and therefore the ESP gets encapsulated into UDP
  • you use protocol=esp in the search condition whilst the RouterOS name is ipsec-esp.
by sindy
Thu Nov 18, 2021 10:55 am
Forum: General
Topic: IPsec ignores connection-mark
Replies: 11
Views: 694

Re: IPsec ignores connection-mark

Strange, because I know at some point it wasn't passthrough, and therefore the mark could not have been overwritten, so I guess in trying many (many!!!) different things in trying to find a solution, I also fixed another error.
A rule with passthrough=no, or any other rule providing a "final ...
by sindy
Wed Nov 17, 2021 10:30 pm
Forum: General
Topic: dual external address, and static routing
Replies: 1
Views: 392

Re: dual external address, and static routing

In a single routing table, at most one route can be active at a time for each dst-address prefix. The distance parameter only determines the priority between routes with identical dst-address in the same routing table if more than one of them is otherwise eligible (check-gateway is successful or no...
by sindy
Wed Nov 17, 2021 9:53 pm
Forum: General
Topic: L2TP / IPsec issue
Replies: 1
Views: 530

Re: L2TP / IPsec issue

What exactly means the "down" in "recovery after down"? Is it a reboot of the client, a reboot of the server, or the internet connection between them is not transparent for a moment while the two Mikrotiks themselves keep running? While in this state (client is trying to connect ...
by sindy
Wed Nov 17, 2021 9:40 pm
Forum: General
Topic: IPsec ignores connection-mark
Replies: 11
Views: 694

Re: IPsec ignores connection-mark

The behaviour you describe is weird, what is the RouterOS version you use? Strictly speaking it is not an IPsec issue - the generated IPsec policy can only see packets whose headers match the policy, so it is the fact that the action=src-nat rule doesn't match on the connection marked traffic that b...
by sindy
Sat Nov 13, 2021 10:31 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 11
Views: 2441

Re: RouterOS bridge mysteries explained

Yes, but how can you not include the CPU Port in the Bridge Entity? Easily. The bridge is a software thing, and so is the router, so both run "inside" the CPU, hence the traffic between the "software switch" facing "software port" of the "software router" an...
by sindy
Fri Nov 12, 2021 10:21 pm
Forum: General
Topic: LT2P/IPSec VPN working no internet access [SOLVED]
Replies: 10
Views: 9102

Re: LT2P/IPSec VPN working no internet access [SOLVED]

I've promised to explain why you should have removed the export file. You've left the public IP in the file you've posted, you've left the complete /ppp secret row there, and your firewall is non-existent as you've missed the fact that the default handling is accept , i.e. if a packet doesn't match ...
by sindy
Fri Nov 12, 2021 9:04 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 11
Views: 2441

Re: RouterOS bridge mysteries explained

It's unfortunately not that simple. The internal Ethernet link between the physical switch chip and the CPU is not a 100 % functional equivalent of the link between the router-facing port of the virtual switch and the virtual-switch-facing port of the router. VLAN frames from wireless and L2-tunnel ...
by sindy
Sun Nov 07, 2021 10:09 am
Forum: General
Topic: Merge 2 ISP bandwidth into one
Replies: 9
Views: 791

Re: Merge 2 ISP bandwidth into one

it uses the ECMP route to choose which nexthop its going to use, establishes the connection using that NAT src-ip for that WAN, then that specific connection stays tracked via that route/nexthop until it destroys My bad. It's the routing cache that makes the difference, not the connection tracking ...
by sindy
Sat Nov 06, 2021 2:40 pm
Forum: General
Topic: Merge 2 ISP bandwidth into one
Replies: 9
Views: 791

Re: Merge 2 ISP bandwidth into one

I use my example without mangles just fine, even for a national ambulance service headquarters. EDIT: it works as @joegoldman describes when routing cache is on. The only drawback may be that the routing cache is flushed every 10 minutes according to the manual. If routing cache is disabled, a mand...
by sindy
Wed Nov 03, 2021 6:03 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 107
Views: 5222

Re: VPN to connect home network to cottage

I think that ipsec without EOIP at the same time will be far more palatable. Since the attempt with EoIP has highlighted the MTU issue, bare IPsec would not be sufficient. One way is to circumvent the failing PMTUD using mangle rules, which would either affect all connections or be a never-ending ...
by sindy
Wed Nov 03, 2021 3:49 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 107
Views: 5222

Re: VPN to connect home network to cottage

Read the corresponding thread regarding issues related to your hardware models. But normally the experimental software is used by people who want to actively test it and provide qualified feedback to the developers. In your case, the only reason would be to use wireguard, which I don't consider impo...
by sindy
Tue Nov 02, 2021 11:55 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 107
Views: 5222

Re: VPN to connect home network to cottage

There are a lot of big acronyms now being thrown around that have now gone over my knowledge base. :D PMTUD = Path MTU Discovery, a process using which the endpoints discover the smallest MTU on the path through the network between them (and subsequently adjust the size of packets they send to each...
by sindy
Tue Nov 02, 2021 9:59 pm
Forum: General
Topic: LT2P/IPSec VPN working no internet access [SOLVED]
Replies: 10
Views: 9102

Re: LT2P/IPSec VPN working no internet access [SOLVED]

Remove the .rsc file immediately, I'll explain why in the next post.
by sindy
Tue Nov 02, 2021 8:26 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 107
Views: 5222

Re: VPN to connect home network to cottage

Given the path MTU discovery issue encountered, L2TP over IPsec, with max-mtu and max-mru set to something like 1400 (depending on the encryption/authentication algorithms used) and mrru set to 1504 would be my choice. Even bare IPsec reduces MTU and therefore requires PMTUD to work, which is clearl...
by sindy
Tue Nov 02, 2021 7:51 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 107
Views: 5222

Re: VPN to connect home network to cottage

- Watch movies, play music through my Home Plex server; I could not find any "under the hood" info regarding what this means in terms of protocols, but since Plex allows sending the media over the internet, there is no reason why it should require L2 transparency, i.e. an L3 (routed) VPN ...
by sindy
Tue Nov 02, 2021 6:15 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 107
Views: 5222

Re: VPN to connect home network to cottage

since VLAN over tunnels (be it EoIP, L2TP, Wireguard, or otherwise) I'm going to perhaps simplify things a bit until the services become a bit more widespread. If @anav is any indication, Wireguard ought to be able to do this in a more simplified manner, I just have to wait until that is in a stabl...
by sindy
Mon Nov 01, 2021 11:20 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 107
Views: 5222

Re: VPN to connect home network to cottage

OK, still not willing to go through those configs as they got modified, but there's a catch that is not obvious and is likely related: if you keep the mtu parameter of an EoIP interface on the default value auto, RouterOS finds the gateway interface for the EoIP transport packets, reduces the MTU o...
by sindy
Mon Nov 01, 2021 11:03 pm
Forum: General
Topic: DDoS story, or WARNING: use 'conection-limit' with caution!
Replies: 158
Views: 86984

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

You can use connection-limit for SYN packets towards the OVPN listening port to ban source addresses of these brute force attempts, assuming that legal clients will authenticate properly so they won't need to establish the TCP session more than once to successfully connect. But this only works again...
by sindy
Mon Nov 01, 2021 10:51 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

The way you describe the current issue, it again reminds me of those I had in the past, where I had to disable the GRE tunnel for 10 minutes, which is the connection tracking timeout for both ESP and GRE, so maybe I was bitching at GRE all the time whilst the actual reason was IPsec (although I...
by sindy
Sun Oct 31, 2021 10:36 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 107
Views: 5222

Re: VPN to connect home network to cottage

@anav has asked me to have a look here. As the newest exports are from Friday and there have been several rounds of updates, I don't go investigating them, and instead just ask - the symptoms you describe (an SSH session authenticates but doesn't continue, some web pages do not load) sound like an M...
by sindy
Fri Oct 29, 2021 9:49 pm
Forum: General
Topic: 3 VPN networks intercommunication
Replies: 5
Views: 563

Re: VPN networks intercommunication

Can any one tell me or guide me Your description was not clear enough. If I get you right, the same Mikrotik in your local office acts both as a VPN server for multiple "local" users and as a VPN client of another VPN server in another city. But how is that related to local users not bein...
by sindy
Fri Oct 29, 2021 2:14 pm
Forum: General
Topic: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)
Replies: 4
Views: 746

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

Mikrotik needs to find tls-client usage in the certificate presented by a Windows initiator. The Mikrotik manual says that for Mikrotik acting as a responder, it is enough that tls-server usage is set in its own certificate it presents to Windows initiators. As I am not sure whether Windows won't co...
by sindy
Fri Oct 29, 2021 1:00 am
Forum: General
Topic: IPSEC performance problem
Replies: 17
Views: 4083

Re: IPSEC performance problem

from where 8 bits/byte coming from? Someone's decision in late 1960s I guess, as the number of bits had to be a "round" power of 2 and 4 was already too few by that time? https://en.wikipedia.org/wiki/8-bit_computing If you have in mind that the calculation is not precise because on top ...
by sindy
Thu Oct 28, 2021 3:33 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

Maybe using two bridges? You can't bridge bridges together, so this won't work. Could there be a bug in RouterOS or the switch that my config is not working? I cannot imagine any other explanation at the moment. Because if "accept" rules alone, followed by no "drop" rules, break...
by sindy
Thu Oct 28, 2021 2:04 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

If the DHCP client wants to verify that the IP it got leased from the server is not used by any other host, it may send an ARP request for that address before starting to use it, but it should consider the fact that it doesn't receive any response as a positive outcome of the test. As you say that i...
by sindy
Thu Oct 28, 2021 9:15 am
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

The point is to prevent wireless clients associated to different cAPs from talking to each other, plus it needs to be selective per VLAN. So your remark is important in terms that switch chip rules cannot prevent 2.4 GHz clients of a cAP from talking to 5 GHz clients of the same cAP, but due to the ...
by sindy
Thu Oct 28, 2021 12:04 am
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

Where can you see it? In the sniff running on the cAP? It's crazy - the Offer should be coming from the same src-mac like the ACK, and as the Request came from the client, it means that the Offer must have made it to the client. So I don't get why the ACK doesn't. Can you check the src-address of th...
by sindy
Wed Oct 27, 2021 10:34 pm
Forum: General
Topic: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]
Replies: 21
Views: 1302

Re: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]

Now you didn't get me. It's not dst-address-list=79.127.127.21, it's just dst-address=79.127.127.21.
by sindy
Wed Oct 27, 2021 10:27 pm
Forum: General
Topic: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]
Replies: 21
Views: 1302

Re: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]

Show me /ip firewall nat print in the "manual" case while the tunnel is up.
by sindy
Wed Oct 27, 2021 10:21 pm
Forum: General
Topic: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]
Replies: 21
Views: 1302

Re: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]

It's not "src-address-list in connection-mark". You can specify either or even both on the /ip ipsec mode-config row, and corresponding srcnat rules are created each time the IPsec "session" is established, one per each item. So if you specify both src-address-list=some-list and ...
by sindy
Wed Oct 27, 2021 9:29 pm
Forum: General
Topic: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]
Replies: 21
Views: 1302

Re: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]

I think you misunderstood my question or I didn't understand your answer, I want to route some websites or at least their IPs out of my VPN, with my current configuration I believe all of the traffic would go through VPN and I want to keep it this way except for few websites. Okay, yes, with my lim...
by sindy
Wed Oct 27, 2021 3:54 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

Well, my remark applies in the context of IPsec, not in the context of DSCP/priority manipulation where it is quite easy to imagine that the intended modification of the priority field can actually modify other fields due to an endianness bug. More than that - here in particular, to deliver the thre...
by sindy
Wed Oct 27, 2021 12:31 am
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

I keep forgetting about it as it is not very logical - to sniff both directions on an interface, you have to set hw=no on the respective /interface bridge port row even if the frames you're interested in go to/from the CPU, which is always the case for ethernet <=> wifi frames. Doing so should not b...
by sindy
Wed Oct 27, 2021 12:26 am
Forum: General
Topic: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]
Replies: 21
Views: 1302

Re: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]

I didn't understand this part could you please paraphrase it. Once the "normal" routing and firewall processing including NAT is done and the last thing to do is to send the packet out the chosen interface, the IPsec processing compares the source and destination IP address, IP protocol (...
by sindy
Wed Oct 27, 2021 12:14 am
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

It could be an endianness bug? I've definitely seen endianness bugs (e.g. vlan-protocol in /interface bridge filter ), but I cannot imagine how endianness bug could be related here. @loca995, what are the exact models of the "pppoe via wireless" and "pppoe via xDSL" devices you'...
by sindy
Tue Oct 26, 2021 6:54 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

@pe1chl, I'm afraid evidence suggests the issue is inside the Mikrotik - in this post , we can clearly see that the ESP packets do arrive from the HQ to the BO Mikrotik (so the Zyxel did not block them), but there is no response. Which means that the ESP packets don't get decrypted (or they do but t...
by sindy
Mon Oct 25, 2021 11:54 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

with the rules enabled, WLAN traffic arrives at the gateway, but the gateway does not pass the switch filters as the client keeps asking "Who is ..." via ARP and never receives a DHCP lease. I double-checked the MAC address. If the client keeps sending ARP requests, it should mean it has ...
by sindy
Mon Oct 25, 2021 11:38 pm
Forum: General
Topic: What are routing filters?
Replies: 4
Views: 1039

Re: What are routing filters?

These rules are evaluated whenever a route is about to be added into a routing table by any dynamic process (dynamic routing protocols or just DHCP). AFAIK, change of state of an already existing route (e.g. when its gateway interface changes state) doesn't trigger evaluation of these rules. I'm not...
by sindy
Mon Oct 25, 2021 11:34 pm
Forum: General
Topic: Single TCP Connection issue
Replies: 14
Views: 1232

Re: Single TCP Connection issue

what do I have to sniff?
The idea of sniffing is to see whether the throughput is limited by delays between packets or by losses and subsequent retransmissions. So you should sniff the test TCP session and then use Wireshark to look for anomalies.
by sindy
Mon Oct 25, 2021 11:31 pm
Forum: General
Topic: 3 VPN networks intercommunication
Replies: 5
Views: 563

Re: 3 VPN networks intercommunication

My idea is that you may not be familiar with how the firewall works. Unless you need to use something else than the destination address to choose which traffic should go via a VPN tunnel and which should not, you should not need any mangle rules and mere filter rules should do - in particular, you m...
by sindy
Mon Oct 25, 2021 11:24 pm
Forum: General
Topic: L2TP authenticated, then terminated
Replies: 4
Views: 707

Re: L2TP authenticated, then terminated

I remember someone here recommending to completely remove the VPN configuration at Windows side and start from scratch, or even to remove all VPNs - try to find that post with the details on what exactly needs to be done as it did help the OP. Can't give you more clue unfortunately.
by sindy
Mon Oct 25, 2021 11:18 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

The only thing to come to my mind is to avoid tracking of ESP connections in hope that the behaviour is caused by a bug in connection tracking. In particular: /ip firewall raw add chain=prerouting protocol=ipsec-esp src-address-list=allowed-ipsec-peers action=notrack add chain=output protocol=ipsec-...
by sindy
Mon Oct 25, 2021 11:02 pm
Forum: General
Topic: How do I combine the speed of 4 ADSL lines into one?
Replies: 13
Views: 791

Re: How do I combine the speed of 4 ADSL lines into one?

One possibility is load distribution among the 4 lines as others have stated, look at any "load sharing" guide here on the forum. If you opt for per-connection-classifier , you'll avoid some problems by using only source IP address as the hash base. This approach should be sufficient if yo...
by sindy
Mon Oct 25, 2021 10:51 pm
Forum: General
Topic: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]
Replies: 21
Views: 1302

Re: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]

No, it is not normal. The rekeying of the data SA seems to fail and as a consequence, the whole IPsec session gets re-established. My wild guess is that it is caused by different interpretation of the RFC regarding PFS, try setting pfs-group in proposal to none. In IKEv2, PFS is used always, using ...
by sindy
Mon Oct 25, 2021 1:13 pm
Forum: General
Topic: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]
Replies: 21
Views: 1302

Re: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]

As you use the first approach, i.e. an additional IP address assigned to the initiator router by the responder, I'd say your best bet is to use the connection marking approach for both cases. Instead of src-address-list, set the connection-mark parameter of the /ip ipsec mode-config row to e.g. via...
by sindy
Mon Oct 25, 2021 10:08 am
Forum: General
Topic: 2 public ip in mikrotik !!!!
Replies: 6
Views: 602

Re: 2 public ip in mikrotik !!!!

@ingdaka is probably right, but maybe there is some match condition other than in-interface=ether2, which did not fit into the screenshot. Hard to guess without the export.
by sindy
Sun Oct 24, 2021 11:05 pm
Forum: General
Topic: 2 public ip in mikrotik !!!!
Replies: 6
Views: 602

Re: 2 public ip in mikrotik !!!!

Post an export as per my automatic signature below rather than screenshots where half of the necessary info is missing.
by sindy
Sun Oct 24, 2021 11:03 pm
Forum: General
Topic: Block p2p from IP cameras - RB4011iGS+RM
Replies: 22
Views: 1730

Re: Block p2p from IP cameras - RB4011iGS+RM

Generally speaking, you don't necessarily need a dedicated VLAN for each subnet, so yes, a dedicated subnet for the cameras sharing a common (V)LAN with another subnet is also an option. But things complicate quickly if you want addresses from both subnets to be assigned dynamically using DHCP, as y...
by sindy
Sun Oct 24, 2021 10:42 pm
Forum: General
Topic: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]
Replies: 21
Views: 1302

Re: IKEV2 routing config on router (behind NAT-dynamic ip) [SOLVED]

You are kind of mixing things together (or maybe you don't but it is hard to find out because elements related to both ways are disabled in the config you've posted). So one way is to ask the responder for a single IP address using the mode-config=request-only on the /ip ipsec identity row; the addr...
by sindy
Sun Oct 24, 2021 9:08 pm
Forum: General
Topic: Bricked Routers
Replies: 9
Views: 942

Re: Bricked Routers

There are two bootloaders - the newer one is activated when you just connect the power, the backup one is activated if you first push the reset button and only then connect the power - https://wiki.mikrotik.com/wiki/Manual:Reset In these cases it sometimes helps to restore factory default by pressin...
by sindy
Sun Oct 24, 2021 8:42 pm
Forum: General
Topic: Routing using VRRP Interfaces [SOLVED]
Replies: 2
Views: 583

Re: Routing using VRRP Interfaces [SOLVED]

If you insist that the packets will leave with the source MAC address of the respective VRRP interface, you have to use multiple routing tables, one per each VRRP interface, and in each of them, create a default route with gateway=ga.te.way.ip % vrrpN manually. So for two interfaces, it would look a...
by sindy
Wed Oct 20, 2021 11:06 pm
Forum: General
Topic: route all traffic from a VM to another which runs a VPN
Replies: 3
Views: 544

Re: route all traffic from a VM to another which runs a VPN

I don't understand what you don't understand :) Here's a link on "internet connection sharing" on Windows . Use the VPN interface as the "internet" uplink to be shared. The Windows VM becomes a router with NAT, acting as a DHCP server on its LAN side. On the virtualbox, you need ...
by sindy
Tue Oct 19, 2021 10:43 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 3558

Re: WAP-R [SOLVED]

Also, under /interface detect-internet, set all the lists to none. That feature only causes headache.
by sindy
Tue Oct 19, 2021 10:41 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 3558

Re: WAP-R [SOLVED]

In the last export, there is disabled=yes on the /ip dhcp-server row. Change that to disabled=no.

And do not attempt to attach a dhcp client to the LTE interface, it is not necessary.
by sindy
Tue Oct 19, 2021 5:10 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

I have done that in the past to remove entries related to my SIP phone, which also caused trouble in some cases. Well... my personal preference is analysis first, workarounds next :) So far we only suspect that the issue has something to do with connection tracking although no NAT is involved, so i...
by sindy
Tue Oct 19, 2021 4:47 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

Any idea?
At both ends, use /ip firewall connection print detail where protocol~"esp" before and after doing the pppoe cycle, look for differences between "before" and "after" state.
by sindy
Tue Oct 19, 2021 1:11 pm
Forum: General
Topic: Routing betwin too interface [SOLVED]
Replies: 6
Views: 765

Re: Routing betwin too interface [SOLVED]

It should not surprise you that a thing called "router" is primarily designed for routing :) It should be possible to do it your complicated way if you really need so. Assuming that the "main" 192.168.1.0/24 is attached to ether3 and the "client-only" 192.168.1.0/24"...
by sindy
Tue Oct 19, 2021 12:50 pm
Forum: General
Topic: L2TP/IPSEC issues with Windows 10
Replies: 4
Views: 564

Re: L2TP/IPSEC issues with Windows 10

I can't see the SYNs and ACKs explicitly but it looks like packets from 10.10.10.254 (client) are reaching 10.10.1.51 (server on my LAN) which is trying to respond. To see the TCP layer flags, you have to stop the sniffer and then use tool sniffer packet print detail, but that's not the key here. ...
by sindy
Mon Oct 18, 2021 11:49 am
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

Unfortunately, it seems to be impossible to enter the safe mode via SSH commands. I don't think safe mode is necessary during non-interactive script access. It is really helpful when you try the configuration changes manually, but you should use only previously validated commands in non-interactive...
by sindy
Mon Oct 18, 2021 11:03 am
Forum: General
Topic: L2TP/IPSEC issues with Windows 10
Replies: 4
Views: 564

Re: L2TP/IPSEC issues with Windows 10

Start by sniffing on the virtual l2tp-server interface corresponding to the Windows client (/tool sniffer quick interface=<l2tp-username> protocol=tcp), to see whether the SYN packets arrive from the Windows machine at all. Normally I would expect a firewall issue or a MTU handling issue. As you s...
by sindy
Sun Oct 17, 2021 8:33 pm
Forum: General
Topic: Setting priority for IPsec traffic
Replies: 7
Views: 1069

Re: Setting priority for IPsec traffic

Setting priority in mangle should have an effect only on transports that support some L2 priority field, which is normally Ethernet and wireless. So in this sense, yes, priority is a metadata item, until the packet reaches the Ethernet or wireless driver that can extract the value from that item and st...
by sindy
Sun Oct 17, 2021 8:06 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

Oops. I haven't encountered an ISP to use compression on PPPoE yet, so I've never noticed that Wireshark doesn't inflate the payload. The only information I could find is that this has been the case 8 years ago. Try to disable compression on the /ppp profile row used by the PPPoE client (by setting ...
by sindy
Sun Oct 17, 2021 5:46 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

I've just tried exactly the same (in my "real" rules, I match on a particular mac-protocol): /interface ethernet switch rule add new-dst-ports="" ports=ether1 src-mac-address=64:D1:54:xx:xx:x3/FF:FF:FF:FF:FF:FF switch=switch1 vlan-id=5 This does block traffic from 64:D1:54:xx:xx:...
by sindy
Sat Oct 16, 2021 10:50 pm
Forum: General
Topic: Is there any way to limit VLAN traffic while connection tracking is off
Replies: 2
Views: 422

Re: Is there any way to limit VLAN traffic while connection tracking is off

The fact that connection tracking is disabled doesn't affect packet marks and/or queues. It makes it impossible to use connection marks, so you cannot assign packet-mark values based on connection-mark, connection-state, or connection-nat-state, but you can assign them based on any other match ...
by sindy
Sat Oct 16, 2021 10:35 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Try lowering the MTU to 1300 on the bonding interfaces at both ends and see whether it changes anything. But if you say it worked at full speed and now it doesn't, it sounds like another trick of the ISP. What if you disable one of the EoIP tunnels at both ends, does the speed fall to 1/2?
by sindy
Sat Oct 16, 2021 10:25 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

I had to have a look at my own switch chip rules to spot the issue. There's a catch - whereas in /interface bridge filter rules, the value specified as mac-protocol is always matched against offset 12 of the frame, and there is a separate match field, vlan-protocol, to match the protocol field insi...
by sindy
Sat Oct 16, 2021 10:12 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

I do remember the setup. However, what I didn't get from what you wrote now, nor could I find it in the history of this topic, is whether the throughput via the bonded interface was ever higher than this. MTU is generally an issue with tunnels - if set too high on the EoIP interfaces, the TCP sends ...
by sindy
Sat Oct 16, 2021 8:40 pm
Forum: General
Topic: LHG LTE - Bridge mode???
Replies: 38
Views: 15330

Re: LHG LTE - Bridge mode???

The mysterious "passthrough" mode is actually very simple - in fact, it is very close to what you might call "bridge mode". You choose an L2 interface, and RouterOS creates a DHCP server on it, which responds to a request from a single client - either to the very first one to sen...
by sindy
Sat Oct 16, 2021 6:39 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming [SOLVED]
Replies: 55
Views: 4122

Re: Client isolation within VLAN and fast roaming [SOLVED]

How does the rest of the configuration look like? Switch chip rules are normally just working, so it looks really strange. Is VLAN 3 tagged on the switch ports to which the cAPs are connected?
by sindy
Sat Oct 16, 2021 4:03 pm
Forum: General
Topic: Router error
Replies: 1
Views: 311

Re: Router error

Such information on the display should normally only appear as a result of a controlled shutdown. Which may be caused by a script, malware, or a bug.

Post an anonymised export of the configuration as per the hint in my automatic signature below.
by sindy
Fri Oct 15, 2021 11:34 pm
Forum: General
Topic: ARP traffic on from MAC address
Replies: 1
Views: 456

Re: ARP traffic on from MAC address

Unless proxy-arp is permitted on ether3, the router should not respond to ARP requests regarding other IP addresses than its own ones. Post an anonymized export of your config if this answer is not sufficient.
by sindy
Fri Oct 15, 2021 11:31 pm
Forum: General
Topic: Routing betwin too interface [SOLVED]
Replies: 6
Views: 765

Re: Routing betwin too interface [SOLVED]

This normally works automatically if different subnets are attached to each interface. So if you assign e.g. 192.168.1.1/25 to the first interface, and 192.168.1.129/25 to the second one, and give the host connected to the second interface an address like 192.168.1.130/25 instead of 192.168.1.101/? ...
by sindy
Fri Oct 15, 2021 11:23 pm
Forum: General
Topic: dstnat on a specific VPN [SOLVED]
Replies: 4
Views: 699

Re: dstnat on a specific VPN [SOLVED]

Yes, read this post, starting from the last paragraph which relates it to your context. Think about your two VPN tunnels as WANs. Loosely related - PPTP provides almost no security, its encryption is ridiculously weak from today's perspective. L2TP/IPsec is equally simple (or complex) to configur...
by sindy
Fri Oct 15, 2021 11:16 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

Looking at your minimalistic configurations, I can currently imagine only the following things: something weird regarding handling packets that cannot be routed anywhere in RouterOS kernel - the only routes the packets between 10.199.199.0 and 10.199.199.1 can take are the default ones, and the only...
by sindy
Thu Oct 14, 2021 9:42 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

You forgot to obfuscate HQ.rsc, maybe you want to withdraw it and post it again once anonymized?
by sindy
Thu Oct 14, 2021 9:14 pm
Forum: General
Topic: 1:1 NATting of /29 subnet
Replies: 3
Views: 510

Re: 1:1 NATting of /29 subnet

The two rules as such should do what you expect them to do. However, the firewall rules work as a system where mutual order matters and rules in different chains must work in accord. So it is possible that these rules are shadowed by other ones, or that you do not permit dst-nated connections in for...
by sindy
Thu Oct 14, 2021 9:08 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc4 [development] is released!
Replies: 276
Views: 46485

Re: v7.1rc4 [development] is released!

Export started at oct/12/2021 10:40:20 by RouterOS 7.1rc4, and it's been stuck on this for 14 minutes so far
In previous 7.1rcX, adding verbose to the export used to make it work - have you tried that?
by sindy
Wed Oct 13, 2021 11:40 pm
Forum: General
Topic: Revoked certificates continue to work
Replies: 11
Views: 5808

Re: Revoked certificates continue to work

Ok, Last try - 127.0.0.1 - the same thing, revoked certificate still works. Upgraded to 7.1beta1 - the same thing. So I've returned to this and found that the old (wiki) manual is really insufficient, and the new (Confluence) one even misleading, as it tells you to self-sign all certificates. The n...
by sindy
Wed Oct 13, 2021 8:01 pm
Forum: General
Topic: Route site or ip out of the VPN [SOLVED]
Replies: 7
Views: 947

Re: Route site or ip out of the VPN [SOLVED]

So with this only that website gonna access my actual ip not any other website? I mean it's not leaking my ip in this way? That's a complex topic. First, you can choose whether to establish a connection via VPN or directly depending on the destination IP address, but multiple sites apparently unrel...
by sindy
Tue Oct 12, 2021 7:38 pm
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 32
Views: 13091

Re: How to create multiple EoIP tunnels ?

It may be counter-intuitive, but same horizon value on a pair of ports means that traffic can not be forwarded between them. So set horizon at the ether2 row of /interface bridge port to none and see whether it helps. Or, if you do not need to prevent forwarding from one tunnel to another, set horiz...
by sindy
Tue Oct 12, 2021 3:40 pm
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 32
Views: 13091

Re: How to create multiple EoIP tunnels ?

To prevent traffic from being forwarded between two ports of the same bridge, set the same horizon value for both. E.g.:
/interface bridge port set [find where interface~"eoip[23]"] horizon=1
will prevent traffic forwarding between eoip2 and eoip3.
by sindy
Tue Oct 12, 2021 2:33 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 903

Re: CRS112 and problem with vlans

Again - the hardware "offloading" on CRS 1xx is available only for L2 forwarding between ports in the same VLAN. If the CRS itself has to route between the subnets in the two VLANs, this is done by CPU, and the CPU in CRS1xx is weak, hence it reaches 100 % with relatively low traffic volum...
by sindy
Tue Oct 12, 2021 1:01 pm
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 32
Views: 13091

Re: How to create multiple EoIP tunnels ?

Now, to make client traffic pass through Eth2 at HQ, do I have to bridge all 24 EoIP interfaces with the Eth2? Yes, exactly, as suggested above. Add-ons can be applied: if the client eventually wants each BO site to be reachable via a different VLAN at ether2 of the HQ site, you would activate vl...
by sindy
Mon Oct 11, 2021 10:45 pm
Forum: General
Topic: L2TP/IPsec does not remove dynamic IPsec entries when disabled
Replies: 3
Views: 362

Re: L2TP/IPsec does not remove dynamic IPsec entries when disabled

I've just tried it on a CHR running 6.47.9, it works normally - once I disable the /interface l2tp-client , the dynamically created IPsec configuration items disappear as they should. You may try to export (not backup) the configuration into a file, download the file to the PC, netinstall the machi...
by sindy
Mon Oct 11, 2021 10:07 pm
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 32
Views: 13091

Re: How to create multiple EoIP tunnels ?

Now what I want to know is: how to pass all the 24 tunnels through the Eth2? Supposing I've understood what you actually wanted properly, make a bridge and make eth2 and all the EoIP interfaces member ports of that bridge: /interface bridge add name=eoip-bridge /interface bridge port add bridge=e...
by sindy
Mon Oct 11, 2021 10:03 pm
Forum: General
Topic: L2TP/IPsec does not remove dynamic IPsec entries when disabled
Replies: 3
Views: 362

Re: L2TP/IPsec does not remove dynamic IPsec entries when disabled

I'd start by upgrading from 6.47 to 6.47.10. If still the same, it's worth opening a ticket at Mikrotik support. And until they solve it, create static copies of the dynamically created IPsec configuration rows (you'll have to use different names for the named ones) and then uncheck use-ipsec=yes on...
by sindy
Mon Oct 11, 2021 9:50 pm
Forum: General
Topic: find PPPoE user vlan
Replies: 2
Views: 332

Re: find PPPoE user vlan

Run

/tool sniffer quick mac-address=mac:add:ress:of:the:user

and wait...

But that will only show you the VLAN, is that enough?
by sindy
Mon Oct 11, 2021 9:43 pm
Forum: General
Topic: Route site or ip out of the VPN [SOLVED]
Replies: 7
Views: 947

Re: Route site or ip out of the VPN [SOLVED]

Thanks but it didn't work, and just made that ip inaccessible. It's because Ilir probably hasn't noticed that you've got no srcnat rule except the one for out-interface=L2TP_XXXX . So you can e.g. copy that rule and change out-interface=L2TP_XXXX to out-interface=ether10 in the copy. Or instead y...
by sindy
Mon Oct 11, 2021 3:07 pm
Forum: General
Topic: Source NAT Multiple ISP
Replies: 8
Views: 694

Re: Source NAT Multiple ISP

So I want to give the IP of ISP 1 to Tenant 1. But when they surf I want them to pass through ISP 2. The maximum you can get is that you give ISP1 addresses and dst-nat rules for incoming connections to tenants who want to run servers locally, but you use ISP2's addresses for src-nat. So instead of...
by sindy
Mon Oct 11, 2021 8:16 am
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 175
Views: 45563

Re: v6.48.5 [long-term] is released!

Have you tried booting into the previous version of the bootloader by pressing the reset button before applying power? See the "reset button" manual for details.
by sindy
Sun Oct 10, 2021 11:16 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 903

Re: CRS112 and problem with vlans

I would say remove all the /interface ethernet switch config, and try the basic common configuration with bridge vlan filtering activated: /interface bridge vlan add bridge=bridge_szkielet vlan-ids=30 tagged=bridge_szkielet,4_omni add bridge=bridge_szkielet vlan-ids=200 tagged=bridge_szkielet,4_omni...
by sindy
Sun Oct 10, 2021 10:17 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 903

Re: CRS112 and problem with vlans

In the egress direction, the rule has to be reversed - it must match on customer-vid=30 and assign new-customer-vid=0.
by sindy
Sun Oct 10, 2021 9:10 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 903

Re: CRS112 and problem with vlans

If you connect a Windows PC instead of the BCS and it works, the misconfiguration on the CRS 112 is in the egress direction. The thing is that the network card drivers of Windows strip any VLAN tags received. The CRS1xx/2xx manual is not really verbose regarding tag handling on egress, so maybe it i...
by sindy
Sun Oct 10, 2021 8:02 pm
Forum: General
Topic: pppoe clients with multiple ISP links
Replies: 7
Views: 812

Re: pppoe clients with multiple ISP links

Once again - it's not the load distribution as such that causes the trouble, it's the particular rules you use to distribute the traffic that make the difference. You must distribute the connections of the clients among the uplinks, otherwise you would have to use only one of the uplinks for all of ...
by sindy
Sun Oct 10, 2021 7:39 pm
Forum: General
Topic: What is the best way to mark packet in this case
Replies: 4
Views: 724

Re: What is the best way to mark packet in this case

I have 7 LANs without any bridges, if I removed src address or dst how could I mark packet upload and download in mangle? That's why I said "if the action=mark-connection rule is the only one ever to assign the connection-mark value QUIC ". Because if it is, this connection-mark value is ...
by sindy
Sun Oct 10, 2021 5:17 pm
Forum: General
Topic: What is the best way to mark packet in this case
Replies: 4
Views: 724

Re: What is the best way to mark packet in this case

If the first rule is the only one to ever assign the connection mark value QUIC , you don't need the action=mark-packet rules to also match on address-list Allowed_Users . If you remove this match condition, you save a little bit of CPU by not doing these matches. And yes, by adding connection-sta...
by sindy
Sun Oct 10, 2021 5:02 pm
Forum: General
Topic: L2TP VPN suddenly stop working
Replies: 1
Views: 397

Re: L2TP VPN suddenly stop working

activate detailed logging of IPsec: /system logging add topics=ipsec,!packet run /log print follow-only file=l2tp-ipsec-start where topics~"ipsec" try to connect from one of the clients, wait until it reports failure break the /log print ... , download the file l2tp-ipsec-start.txt to you...
by sindy
Sat Oct 09, 2021 9:17 pm
Forum: General
Topic: 3rd party plugins
Replies: 3
Views: 508

Re: 3rd party plugins

A solution could be to use RouterOS scripting to deliver the information.
by sindy
Sat Oct 09, 2021 2:33 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 78
Views: 49281

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

The fact that one policy has dst-port=1701 and the other one doesn't is the key - see the last two paragraphs of chapter The root cause in the OP. I'd assume the reason in your case is that you use different client implementations. The L2TP standard says that both the client and the server bind to t...
by sindy
Sat Oct 09, 2021 11:56 am
Forum: General
Topic: Single TCP Connection issue
Replies: 14
Views: 1232

Re: Single TCP Connection issue

Have you tried to sniff at the iperf server and iperf client themselves? I don't comment on CCR10xx as there indeed the concept of many relatively weak cores may affect single-stream throughput; I have in mind when testing with the CCR2xxx.
by sindy
Sat Oct 09, 2021 1:49 am
Forum: General
Topic: router behind firewall, use vpn only to manage it
Replies: 7
Views: 656

Re: router behind firewall, use vpn only to manage it

As the second router is available on internet due to its public IP, the local one isn't, the providers always give a 10. class A private, so it should initiate the connection and the second one should listen about it. Does wireguard do that? From your words I suppose on 6.48.3 there isn't any other wa...
by sindy
Sat Oct 09, 2021 1:10 am
Forum: General
Topic: Single TCP Connection issue
Replies: 14
Views: 1232

Re: Single TCP Connection issue

For me, all these single TCP session throughput issues always boiled down to packet loss so far - either caused merely by low quality network or by a too coarse bandwidth shaping. So watch for this at first.
by sindy
Fri Oct 08, 2021 1:37 pm
Forum: General
Topic: NP16 VLANs leaking, what am I missing?
Replies: 13
Views: 919

Re: NP16 VLANs leaking, what am I missing?

But the xSTP part is not off-topic - even if you configure access, trunk, hybrid ports as needed and ingress-filtering on all ports, the "loop" will still be detected by xSTP. So if you still want to use the 60 GHz path for some VLANs and the 5 GHz path for other VLANs simultaneously, you ...
by sindy
Thu Oct 07, 2021 11:51 pm
Forum: General
Topic: NP16 VLANs leaking, what am I missing?
Replies: 13
Views: 919

Re: NP16 VLANs leaking, what am I missing?

I second @tdw in that I don't get what the intended behaviour is. From what you describe, you've connected two bridges by two physical links (it doesn't matter much that one of them is a 60 GHz PtP one and the other one is a 5 GHz AP-to-CPE one), and you complain that STP cuts one of the connecti...
by sindy
Thu Oct 07, 2021 11:38 pm
Forum: General
Topic: NP16 VLANs leaking, what am I missing?
Replies: 13
Views: 919

Re: NP16 VLANs leaking, what am I missing?

No. Ingress filtering drops ingress frames tagged with VIDs not permitted on that port.
by sindy
Thu Oct 07, 2021 9:47 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 78
Views: 49281

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

I guess the change log *) l2tp - fixed multiple tunnel establishment from the same remote IP address (introduced in v6.47); refers to that? I was discussing that with someone when 6.47 was released, and Emils stated that it was an issue of bare L2TP, without IPsec. So completely unrelated...
by sindy
Thu Oct 07, 2021 9:37 pm
Forum: General
Topic: hap mini - not enough space
Replies: 10
Views: 1014

Re: hap mini - not enough space

This still does not work. Disable all packages but system, npk file does not fit. Try to uninstall individual packages and it says cannot uninstall. It cannot uninstall them because they came in the bundled file. But it normally can replace the ones marked for use by same packages of a different vers...
by sindy
Wed Oct 06, 2021 2:54 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless bridge with CISCO
Replies: 19
Views: 1303

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Right now the config is as follows: the 10.10.5.0 addresses are for management only, and they are on the interface vlan 50 on both routers. It is not the issue. I understand this is not the issue, but to get rid of the actual issue, the configuration of the SXTs has to be changed. And since an SXT o...
by sindy
Tue Oct 05, 2021 9:36 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless bridge with CISCO
Replies: 19
Views: 1303

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

I have created one bridge and added all my vlans, also associated all vlan to the bridge, Including wlan also. Unfortunately, from the last config export it seems you've totally misunderstood how the bridging configuration works in Mikrotik. I can suggest you the correct configuration, but I need a...
by sindy
Tue Oct 05, 2021 6:54 pm
Forum: General
Topic: hap mini - not enough space
Replies: 10
Views: 1014

Re: hap mini - not enough space

The procedure is to disable packages you don't need (if any, this may be an issue) and reboot (maybe not absolutely necessary); then download the "additional packages" archive of 6.47.10, extract it, upload only those packages which you have left enabled; if they fit, reboot the router, an...
by sindy
Mon Oct 04, 2021 12:47 pm
Forum: General
Topic: Downgrade
Replies: 2
Views: 318

Re: Downgrade

After the reboot, check the log - it should explain what went wrong. I'd assume some package is missing in the 6.42 version which is enabled in the 6.47 one. Disabling that package (if safe!) before the downgrade should resolve the issue.
by sindy
Mon Oct 04, 2021 12:39 pm
Forum: General
Topic: LTE Bridge Vlan help.
Replies: 11
Views: 992

Re: LTE Bridge Vlan help.

As anticipated. You've got no /ip route configured on the LtAP, and you've got only a single /interface lte apn item defined, so the LtAP itself doesn't get its own IP address and default route from the LTE modem (I'm not sure how your mobile operator would deal with this, it works with some operato...
by sindy
Mon Oct 04, 2021 11:36 am
Forum: General
Topic: vlan translation help
Replies: 20
Views: 1183

Re: vlan translation help

I'm out of ideas then.
by sindy
Mon Oct 04, 2021 11:34 am
Forum: General
Topic: Multiple VPNs but one per port
Replies: 2
Views: 359

Re: Multiple VPNs but one per port

Yes, as you've already found, the key is "policy routing" (not to be confused with IPsec policies). In short it means that you define multiple routing tables, and you use additional criteria like source address, source port, destination port, ingress interface etc. to choose a particular r...
by sindy
Mon Oct 04, 2021 11:09 am
Forum: General
Topic: vlan translation help
Replies: 20
Views: 1183

Re: vlan translation help

I would say permit both VLANs at both ports.
by sindy
Mon Oct 04, 2021 10:56 am
Forum: General
Topic: vlan translation help
Replies: 20
Views: 1183

Re: vlan translation help

Are both vlans (167,2607) permitted under /interface bridge vlan? The thing is that on CRS3xx, most of the switch chip configuration is inherited from the bridge configuration.
by sindy
Mon Oct 04, 2021 9:19 am
Forum: General
Topic: RSTP Root Port Issue
Replies: 2
Views: 393

Re: RSTP Root Port Issue

There cannot be a root port on a root bridge, because a root port is the one through which the root bridge is currently reachable, and there is just a single root bridge unless the network drops apart into isolated islands. Since the Netonix shows a root port and an alternate port, it is clear that ...
by sindy
Mon Oct 04, 2021 9:01 am
Forum: General
Topic: vlan translation help
Replies: 20
Views: 1183

Re: vlan translation help

Developers need to read this post and respond plz
A post on the forum is not sufficient for this. You have to open a support ticket. Officially, it should even be raised via your reseller. But it can only succeed if the switch chip used supports such functionality.
by sindy
Sun Oct 03, 2021 10:52 pm
Forum: General
Topic: vlan translation help
Replies: 20
Views: 1183

Re: vlan translation help

I can imagine only two possible explanations why a single rule is sufficient on the Huawei: when learning the MAC address into the forwarding table for VLAN 2607 from an ingress packet with VID 167, the switch stores a remark that the VID has to be translated from 2607 to 167 on egress the VID trans...
by sindy
Sun Oct 03, 2021 10:36 pm
Forum: General
Topic: pppoe clients with multiple ISP links
Replies: 7
Views: 812

Re: pppoe clients with multiple ISP links

In my setup I have Matrox X Series x64 Bit hardware which comes with inbuilt 5 Ports of 10G each. I only know Matrox as a graphic card vendor, but x64 and 5×10 Gbit/s interfaces indicate that packet throughput is not an issue. Load balancing has an issue in that it breaks https connections. This gives ...
by sindy
Sun Oct 03, 2021 6:18 pm
Forum: General
Topic: 1036 and VLANs - dumb question
Replies: 2
Views: 329

Re: 1036 and VLANs - dumb question

If it is the first and last VLAN to ever be handled there: /interface vlan add vlan-id=1000 interface=sfp+1 name=sfp+1.1000 add vlan-id=1000 interface=sfp+2 name=sfp+2.1000 /interface bridge add name=br.1000 protocol-mode=none /interface bridge port add bridge=br.1000 interface=sfp+1.1000 add bridge...
by sindy
Sun Oct 03, 2021 5:22 pm
Forum: General
Topic: IPsec tunnel established but no traffic. [SOLVED]
Replies: 1
Views: 365

Re: IPsec tunnel established but no traffic. [SOLVED]

There are two (or even more) independent packet streams in IPsec - the "control session" (the IKE SA) and the "session(s) transporting the payload" (the data SA(s)). If there is a NAT somewhere between the peers, all the SAs use the same UDP stream; if there is not, the data SAs ...
by sindy
Sun Oct 03, 2021 4:54 pm
Forum: General
Topic: vlan translation help
Replies: 20
Views: 1183

Re: vlan translation help

@hashbang, do you really want to translate 2607 to 167, or do you actually want to add an outer tag 167 to frames passing through the leftmost CRS from left to right on your drawing? Or do you want to insert the 167 as the inner tag, so that the outer one remained 2607? In other words, the text do...
by sindy
Sun Oct 03, 2021 4:46 pm
Forum: General
Topic: cAP AC Ventilation Requirements?
Replies: 3
Views: 366

Re: cAP AC Ventilation Requirements?

Strictly speaking there will be no ventilation at all, so all the air in the closet will eventually get warm enough that the temperature gradient across the thickness of the ceiling, walls, and doors will be sufficient to dissipate the max. 13 Watts of power to the ambient environment. Most of it vi...
by sindy
Sun Oct 03, 2021 4:21 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1773

Re: HW offload bridging

As said, CRS3xx can only add/remove a single tag on a single pass between ports. So provided the VLAN IDs never collide (you never get VLAN 10 in the inner tag from somewhere and VLAN 10 in the outer tag somewhere else), you can do the following to get the retagging done in hardware: /interface brid...
by sindy
Sun Oct 03, 2021 3:19 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless bridge with CISCO
Replies: 19
Views: 1303

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Well, of course it is no copy-paste job, hence my question regarding the roles of the management addresses and via which VLAN they should be accessible. I don't think there is a reason why the SXTs should be accessible from all (both here) VLANs they forward at L2.
by sindy
Sun Oct 03, 2021 2:54 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless bridge with CISCO
Replies: 19
Views: 1303

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

This is a standalone manual page explaining that setup. Please also note that they use mode=bridge at one device and mode=station-bridge at the other one, whilst you've got mode=bridge on both devices. Also here, maybe it works that way in 6.30.2, but it is unlikely to work in current RouterOS vers...
by sindy
Sun Oct 03, 2021 2:21 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

As @pe1chl wrote, there may be firewall/NAT issues associated with the PPPoE flap. If there is NAT somewhere between the peers, both IKE (or IKEv2) and the transport packets use the same UDP stream, and either Mikrotik's own NATs or those on the ISP's devices may behave in an unexpected way when the...
by sindy
Sun Oct 03, 2021 2:02 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless bridge with CISCO
Replies: 19
Views: 1303

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

First, RouterOS can transport VLAN-tagged frames via a wireless link without any additional encapsulation, but I hazily remember this capability became available as late as with the vlan-filtering capability of bridges in ROS 6.41 (and it is not clearly described in either the wireless manual page o...
by sindy
Sat Oct 02, 2021 7:41 pm
Forum: General
Topic: High CPU CRS354-48G-4S+2Q+
Replies: 4
Views: 476

Re: High CPU CRS354-48G-4S+2Q+

Change the setup to a single bridge with VLANs. Multiple bridges and VLANs directly attached to Ethernet interfaces cause the device to bridge in software.
by sindy
Sat Oct 02, 2021 11:36 am
Forum: RouterOS v7 BETA
Topic: v7.1rc4 [development] is released!
Replies: 276
Views: 46485

Re: v7.1rc4 [development] is released!

All VPN initiators on Mikrotik keep retrying until the connection gets up - SSTP, IPsec, L2TP... if the remote address is indicated as fqdn, the retrying includes re-resolving of the peer address from the fqdn. But that does not necessarily mean that it's the same case with Wireguard - there, the re...
by sindy
Sat Oct 02, 2021 10:52 am
Forum: General
Topic: ASK [caps-manager]
Replies: 10
Views: 914

Re: ASK [caps-manager]

Can you update the wiki, saying that this feature does not work for local forwarding? Again, the feature is totally unrelated to local forwarding. Local forwarding sets the way how the traffic to/from the wireless clients is handled by the CAP; this feature is how the CAP gets its own configuration.
by sindy
Sat Oct 02, 2021 10:46 am
Forum: General
Topic: Blocking Routers
Replies: 11
Views: 842

Re: Blocking Routers

You can permit access only from a registered MAC address on a given port - this will cause an additional administrative load, and the customer can set the MAC address of their own router to the registered one and still connect the device from which the MAC address has been cloned behind their own ro...
by sindy
Sat Oct 02, 2021 9:42 am
Forum: General
Topic: Trunk/VLAN on PTP Wireless bridge with CISCO
Replies: 19
Views: 1303

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

The picture is clear, but the configuration exports from both SXTs are missing. See my automatic signature for a hint.
by sindy
Sat Oct 02, 2021 9:40 am
Forum: General
Topic: Guest wifi security configuration
Replies: 6
Views: 586

Re: Guest wifi security configuration

Everything correct except the firewall rules - the two rules you've posted are fine as such, but if they are the only rules in the filter, it makes a security hole at least in terms of the guests not being prevented from accessing the management services of the router itself. So post the complete an...
by sindy
Sat Oct 02, 2021 9:23 am
Forum: General
Topic: pppoe clients with multiple ISP links
Replies: 7
Views: 812

Re: pppoe clients with multiple ISP links

The quality of the answer depends on the quality of the question, and there's a lot missing in your question. Your router is the PPPoE server for the clients, correct? And what is the setup with the upstream ISP - can you agree on bonding the three links together with the ISP, or is it three indepen...
by sindy
Fri Oct 01, 2021 10:27 pm
Forum: General
Topic: ASK [caps-manager]
Replies: 10
Views: 914

Re: ASK [caps-manager]

To give you a practical example where that /ip dhcp-server network parameter is useful - imagine there is a CAPsMAN somewhere, there is a CAP somewhere else, and there is a DHCP server, from which the CAP gets its IP address and other configuration. And the CAP asks this DHCP server for a CAPsMAN ad...
by sindy
Fri Oct 01, 2021 9:54 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1566

Re: Combining two routers

Torch is very useful, but correct me if I'm wrong, it only can see packets coming into the router on a specified interface, and not packets leaving the router on a specified interface. Torch shows both directions on an interface, but its notion of "in" and "out" may be confusing...
by sindy
Fri Oct 01, 2021 9:03 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1566

Re: Combining two routers

I did create a confusion that got brought up earlier in that LAN 200 IS actually the DSL (now fiber) WAN interface. Obviously Sindy assumed (reasonably) that LAN 200 was just another one of the LANs. Exactly. Conclusion: you're much better at reading my mind than I am at reading yours :D It's these ...
by sindy
Fri Oct 01, 2021 8:12 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 194
Views: 165619

Re: Using RouterOS to VLAN your network

I really wish Mikrotik wouldn't have chosen the name bridge for the switch-like grouping of ports AND for the Layer 3 (CPU-Port) capabilities. It is very confusing.
@iegg, please have a look at this post and tell me whether it helps remove some of that confusion.
by sindy
Fri Oct 01, 2021 3:34 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 194
Views: 165619

Re: Using RouterOS to VLAN your network

Please create a new topic for this, preferably in the General subforum.
by sindy
Fri Oct 01, 2021 3:20 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1566

Re: Combining two routers

@anav, I've come across a tutorial on cultural differences (on LinkedIn I suppose, but don't remember exactly) - in some cultures, people expect first the explanation of the reasons and then a suggestion of the solution, whilst in others, they want to hear the solution first and then the reasons tha...
by sindy
Fri Oct 01, 2021 12:03 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1566

Re: Combining two routers

This looks funny to me. /ip route rule add action=lookup-only-in-table interface=E10-Fiber table=via-FO It's what Sindy recommended above. I actually haven't recommended that, but it needs a deeper explanation. In firewall rules, you can match on both in-interface(-list) and on out-interface(-list)...
by sindy
Thu Sep 30, 2021 11:20 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 996

Re: An easy routing question [SOLVED]

So a routing entry with routing-mark is prioritized over another one without routing-mark, even if both have the same dst-address and distance? You can put it this way - it is not exactly "priority" in this case but yes, if a packet has routing-mark X and a route with routing-mark X exist...
by sindy
Thu Sep 30, 2021 10:01 pm
Forum: General
Topic: Public IP instead of private IP as Peer ID in IPSEC tunnel
Replies: 3
Views: 427

Re: Public IP instead of private IP as Peer ID in IPSEC tunnel

By default, RouterOS generates the ID automatically, depending on the authentication type and other circumstances.

To set your public IP rather than the private one as your ID, set my-id=address:the.pub.lic.ip on the respective /ip ipsec identity row.
by sindy
Thu Sep 30, 2021 9:57 pm
Forum: General
Topic: Public IP instead of private IP as Peer ID in IPSEC tunnel
Replies: 3
Views: 427

Re: Public IP instead of private IP as Peer ID in IPSEC tunnel

Unless you've obfuscated them manually, delete your config export immediately and post it without the secret values on /ip ipsec identity rows.
by sindy
Thu Sep 30, 2021 9:54 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 996

Re: An easy routing question [SOLVED]

The distance parameter is only used to set mutual priority of routes with identical dst-address and identical routing-mark values. If several such routes exist, and their gateway interfaces are up, only the one with lowest value of distance is made active.
by sindy
Thu Sep 30, 2021 9:33 pm
Forum: General
Topic: ASK [caps-manager]
Replies: 10
Views: 914

Re: ASK [caps-manager]

That setting is unrelated to local-forwarding or to any settings of the CAPsMAN-controlled operation. It just tells the DHCP server "if the client asks you for the address of a CAPsMAN server, tell it this value". Normally, the only clients to ask for this field (DHCP option) will be the C...
by sindy
Thu Sep 30, 2021 9:23 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

From what I can see in your mangle rules: 0 action=accept chain=prerouting connection-mark=no-mark connection-state=established,related 1 action=accept chain=prerouting connection-state=established,related in-interface-list=incoming 2 action=mark-routing chain=prerouting connection-mark=ipsec-site2s...
by sindy
Thu Sep 30, 2021 8:15 pm
Forum: General
Topic: Compress EoiP Tunnel
Replies: 4
Views: 696

Re: Compress EoiP Tunnel

If you'd be using the EoIP tunnel only for IP traffic, why would you need an EoIP tunnel?

To answer your question, packing should work, as an EoIP interface is like any other L2 interface from this perspective.
by sindy
Thu Sep 30, 2021 2:57 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1773

Re: HW offload bridging

Tag should not be modified. It should bridge the interfaces together. GW side is only single tagged VLANs. So why does the picture indicate a trunk with VLANs 111 and 222 towards the GW? Again - when a frame arrives as v600.10 from the customer trunk, how should it be sent to the GW trunk? v111.600...
by sindy
Wed Sep 29, 2021 9:38 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Just post the full output of /export hide-sensitive after substituting public IPs and usernames in /ppp secret section. You can also remove static dhcp leases. Certificates and user names are not part of export even without hide-sensitive . The thing is that you never know where the issue is hidden....
by sindy
Wed Sep 29, 2021 9:34 pm
Forum: General
Topic: TCP port forwarding not working
Replies: 9
Views: 804

Re: TCP port forwarding not working

If the machine was ever exposed to internet without the "drop everything except established/related and icmp" rules in filter/input, I'd even recommend netinstalling it, not just upgrading. In the past (6.4x, so even newer versions than your 6.30.2), there used to be vulnerabilities that all...
by sindy
Wed Sep 29, 2021 9:11 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Show me the complete anonymized configuration from TIK0. As adding the route to phone's address at TIK1 was enough to make the responses reach TIK0, the idea with another IPsec policy at TIK0 is clearly not the answer, so it must be some misconfiguration of the firewall at TIK0.
by sindy
Wed Sep 29, 2021 8:50 pm
Forum: General
Topic: TCP port forwarding not working
Replies: 9
Views: 804

Re: TCP port forwarding not working

RouterOS 6.30.2??? Are you joking? Leaving all the security issues aside, no one here remembers what all has been fixed since then. So you may be hunting for a bug that has been solved years ago.
by sindy
Wed Sep 29, 2021 6:35 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Although, I have the intention that I won't need mangles: ... I've validated this, my packets are going back and forth, without adding any mangle-rules into TIK1 . Well - you've said before you wanted something "future-proof", i.e. something that would work even if you change the IP addre...
by sindy
Wed Sep 29, 2021 6:04 pm
Forum: General
Topic: Bridging VLANs only (and not untagged traffic)
Replies: 3
Views: 512

Re: Bridging VLANs only (and not untagged traffic)

When vlan-filtering is set to yes on the bridge, you can set frame-types on the individual /interface bridge port rows to admit-only-vlan-tagged . When vlan-filtering is set to no on the bridge, you can use /interface bridge filter rules to drop packets not matching mac-protocol=vlan .
by sindy
Wed Sep 29, 2021 2:34 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1773

Re: HW offload bridging

I understand the customer side part, but you haven't shown the complete tag stack at the GW side.

A frame that came with v600.10 from the customer should go to the GW as v111.600.10 or as v111.10?
by sindy
Wed Sep 29, 2021 11:11 am
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

I tried on one site but I have the same issue! Could it mean that I have some issue on the HQ firewall? ... The only difference is that in the other environments the GRE-IPIP tunnel is not the default gateway in the BO: is it possible that causes the issue? Hopefully one of these is the reason, other...
by sindy
Wed Sep 29, 2021 10:54 am
Forum: General
Topic: load balance l2tp ExpressVPN
Replies: 8
Views: 825

Re: load balance l2tp ExpressVPN

It is normal that it gets disconnected, but it should re-connect again. The source address you set must be up on the router, is it? The action=src-nat (or action=masquerade ) rules in nat and action=mark-routing rules in mangle , or instead rules in /ip route rule , must exist in order that it worke...
by sindy
Wed Sep 29, 2021 9:15 am
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

The statement regarding the mangle marks being virtual and not being added to the actual packet data is absolutely correct, but you miss some information. The stateful firewall is built around a key component called connection tracker (conntrack module of Linux netfilter). This component maintains a...
by sindy
Tue Sep 28, 2021 5:24 pm
Forum: General
Topic: 2 PPOE Server Links in a Single Line
Replies: 2
Views: 438

Re: 2 PPOE Server Links in a Single Line

If it's really just 4 users in total and not just a simplified example, you can use bridge filter rules or even switch chip rules to forward traffic from each user to the corresponding ISP-facing port and to prevent traffic from leaking between the two ISP-facing ports. The latter is critical, other...
by sindy
Tue Sep 28, 2021 5:21 pm
Forum: General
Topic: Failover Single PPPoE
Replies: 3
Views: 492

Re: Failover Single PPPoE

It depends on the configuration of the remote end - is the same RAS accessible via both links? One architecture I could imagine would be that the ISP would have a switch with STP and would expect you to have one too, and both your local bridge and the ISP's switch would prefer the optical link when ...
by sindy
Tue Sep 28, 2021 5:08 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

It's just one of the components of the complete setup. You also need another mangle rule, assigning a routing-mark (in fact, a routing table name) to packets sent from LAN side depending on the connection-mark value, and the routing table itself, typically consisting of just a single default route v...
by sindy
Tue Sep 28, 2021 4:27 pm
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 1184

Re: Wireguard Server behind different router / gateway

- make sure the "server"-port is THE SAME for peers on both server and client side. From your config above it seems this was not the case. To be precise - packets sent by router A to a configured "endpoint IP and port" must reach router B's "listen port", or packets se...
by sindy
Tue Sep 28, 2021 3:51 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

The essence of the setup outlined in the post I've linked is "send the response packets of a connection via the same interface through which the initial request of that connection has arrived to you", and it doesn't matter much whether that interface is a real WAN or a tunnel. So at the ro...
by sindy
Tue Sep 28, 2021 3:02 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1773

Re: HW offload bridging

OK, so show the complete tag stack coming from/expected to be sent to the customer-facing ports, and the complete tag stack coming from/expected to be sent to the server-facing ports. The drawing didn't suggest anything about QinQ.
by sindy
Tue Sep 28, 2021 2:59 pm
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 1184

Re: Wireguard Server behind different router / gateway

Maybe I just didn't get your OP right when you wrote that the traffic is trapped in the Audience? My feeling was that Umbra can ping 192.168.66.1, which would prove the tunnel itself to be working all right (which the configurations suggest), but it cannot get anywhere else. If that's the case, make ...
by sindy
Tue Sep 28, 2021 2:46 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

@pe1chl, unfortunately the PITA the OP has described exists in addition to the two you've mentioned. I've done all my homework to work these around (exemption of GRE from "drop invalid", measures to make sure that IPsec recovers from an interruption/restart of a mid-path router properly, f...
by sindy
Tue Sep 28, 2021 12:52 pm
Forum: General
Topic: GRE over IPSec stops working when PPPoE interface flaps.
Replies: 66
Views: 4350

Re: GRE over IPSec stops working when PPPoE interface flaps.

Meanwhile I opened a case with Mikrotik and I sent this thread... let's see what happens
So to contribute - if I remember right, I had this problem when CHR was at one end and RB1000AHx4 at the other one.
by sindy
Tue Sep 28, 2021 12:12 am
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 1184

Re: Wireguard Server behind different router / gateway

What I can see is that the Audience is a DHCP client, so the Fritzbox is most likely the default gateway on the LAN. So unless the Fritzbox tells its other DHCP clients that the gateway of the route to 192.168.66.0/24 is the IP address of the Audience, they send responses to requests coming from Umb...
by sindy
Mon Sep 27, 2021 11:35 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

So I'm considering something more elegant. Like some masq, or srcnat in TIK0? Or anything? Do you maybe have some ideas on this? How is this to be solved elegantly in MikroTik's beautiful world? :) The solution is included in this post . Start reading it from the last paragraph, which explains the re...
by sindy
Mon Sep 27, 2021 11:32 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Actually, if I check "myip" from Android during VPN, I can see TIK's public address. So I believe it all goes through VPN, just I had some fear because of the packet logs. Yes, all goes through VPN, except traffic to the public address of the responder (VPN server). So you are saying, tha...
by sindy
Mon Sep 27, 2021 10:25 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

There is a common problem - when the VPN tunnel becomes the default gateway for the VPN client, you have to make sure that it is not used for routing the transport packets, for obvious reasons. And whilst on Mikrotik, you must take care about this manually for all types of VPN except bare IPsec wher...
by sindy
Mon Sep 27, 2021 9:13 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1684

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

Okay... let's do another thing then, set the port parameter on the /ip ipsec peer row at the client to 500, and sniff at both the server and the client with port=500 (still with IKEv2, not L2TP/IPsec). What's the result?
by sindy
Mon Sep 27, 2021 9:00 pm
Forum: General
Topic: Port forwarding dual wan, replies get sent over wrong wan
Replies: 5
Views: 553

Re: Port forwarding dual wan, replies get sent over wrong wan

@CappyT, maybe have a look at this post and start reading it from the last paragraph, which links it to your context.
by sindy
Mon Sep 27, 2021 8:56 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1684

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

If so, and since the whole exercise is only for evaluation of sha512, leave it as it is, just be ready that the CHR may start sending tons of spam somewhere. And revert back to investigation why packets to port 500 do make it through whilst packets to port 4500 don't. When you enable the peer & ...
by sindy
Mon Sep 27, 2021 8:52 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1773

Re: HW offload bridging

what kind of connection do you mean An external patchcord. To "map" two VIDs to one in hardware, the only thing you can do on a CRS3xx is to untag the frame on one pass through the switch, and tag it again with the other VID on another pass. You can map a single VID to another single one ...
by sindy
Mon Sep 27, 2021 8:45 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1684

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

Should I tell the guy for netinstall or just do it myself, I mean cause it's on the vmware after resetting am I gonna be able to access it? If it's on a VMware you can manage, just delete the VM and deploy it again from the template, but do not connect the internet-facing interface before you set u...
by sindy
Mon Sep 27, 2021 8:17 pm
Forum: General
Topic: HW offload bridging
Replies: 24
Views: 1773

Re: HW offload bridging

Depending on the port it came through ...
Yes, but that only works if there is a separate port for each VLAN.
by sindy
Mon Sep 27, 2021 8:11 pm
Forum: General
Topic: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]
Replies: 36
Views: 1684

Re: Router to router (site to site) IKEV2 with Dynamic IP [SOLVED]

OK, so I have swapped the roles of the routers when checking the configurations, and the one without a firewall is actually the server one, with the public IP directly on itself. Great. The right thing to do would be to disconnect it from the internet, netinstall it with the default configuration, r...