Community discussions

by sindy
Fri May 20, 2022 6:09 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 46
Views: 3273

Re: Transparent hEX S to change vlan-priority for DHCP request only

On the CRS305 can I force a different MAC when I will use sfpplus3 to carry the second wan to the Firewall ? No, you cannot - there is no switch chip rule that can change the source MAC address of a frame, let alone that it could change it inside the payload of the DHCP packets where it is probably...
by sindy
Fri May 20, 2022 12:06 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 46
Views: 3273

Re: Transparent hEX S to change vlan-priority for DHCP request only

Switch Rules are not easy to troubleshoot, no stats, no monitoring, and if I am correct, when there is a Switch Rule matching I cannot have packet capture with streaming? Correct. I think you can sniff if you force copying of the ingress frames to the CPU, but you have to make sure the traffic volume ...
by sindy
Fri May 20, 2022 11:08 am
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 46
Views: 3273

Re: Transparent hEX S to change vlan-priority for DHCP request only

Observation: the behaviour you describe is a stateful one - a single DHCP renewal changes how multiple subsequent packets are handled. Fact: there is nothing stateful about the switch chip rules themselves. Conclusion: the behaviour you observe is not caused by switch chip rules. Assumption: the L2 ...
by sindy
Fri May 20, 2022 8:47 am
Forum: General
Topic: Download traffic is not showing on Interface!
Replies: 21
Views: 1011

Re: Download traffic is not showing on Interface!

I don't want to install PGP for this single case - can we use just openssl instead? My public key for openssl is -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArauOfFEn3Grb2WhnlKe1 hEG9bwq+7fJiDhFyCK+CcmXwQyGWl4LIop5VCTNUYq/++PSFOAmkoLA1+TMTAN6s f7ukyVErCxpfUMy+xhutVzsVDHIaAS...
by sindy
Fri May 20, 2022 8:18 am
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 46
Views: 3273

Re: Transparent hEX S to change vlan-priority for DHCP request only

I'm not sure I get you right - the statistics you've posted show both sfp-sfpplus2 and sfp-sfpplus2 to handle both Tx and Rx traffic. Is it that you have some other statistics on the Fortinet that says that there is no Rx on VLAN 112, i.e. that the CRS does not forward frames received at sfp-sfpplu...
by sindy
Mon May 16, 2022 11:45 pm
Forum: General
Topic: problem with public ip and connection tracking
Replies: 4
Views: 404

Re: problem with public ip and connection tracking

If this helps, it means that those thousands of connections are indeed initiated from the internet towards those addresses. Blackholing this destination means that no tracked connections are created in your firewall any more, but once you start actually using some of these addresses, you'll have...
by sindy
Mon May 16, 2022 4:21 pm
Forum: General
Topic: Priorities for WAN
Replies: 5
Views: 501

Re: Priorities for WAN

When you say "use scripting" what would that involve? Does MT have a scripting language? (can I get references?) https://wiki.mikrotik.com/wiki/Manual:Scripting What would you do if you had the setup I describe It depends on what is the goal. What I've understood was that you wanted the t...
by sindy
Sun May 15, 2022 11:02 pm
Forum: General
Topic: problem with public ip and connection tracking
Replies: 4
Views: 404

Re: problem with public ip and connection tracking

It may or may not be wrong, depending on what hosts are in your LAN subnet and what is their intended activity and what is your configuration. Since your ISP routes traffic for 256 public IPs to you, chances are high that some of the connections are caused by attack attempts coming to these public I...
by sindy
Sun May 15, 2022 8:49 pm
Forum: General
Topic: Priorities for WAN
Replies: 5
Views: 501

Re: Priorities for WAN

The trouble with such an approach is the bursty nature of packet traffic, so the bandwidth occupation is not stable, and since all your uplinks are unrelated, all packets of any given connection must use the same WAN. Another trouble is that when a new connection is established, you don't know in ad...
by sindy
Sat May 14, 2022 8:11 pm
Forum: General
Topic: VPN Issue
Replies: 1
Views: 376

Re: VPN Issue

You have set add-default-route=yes at both the PPPoE client interface (WAN) and the PPTP client interface (VPN), and you haven't specified default-route-distance for either, so both have the default distance value of 1 and thus it is random which one of them becomes active when both interfaces are u...
by sindy
Sat May 14, 2022 6:01 pm
Forum: General
Topic: traceroute output
Replies: 10
Views: 620

Re: traceroute output

Since traceroute when the link is up reaches the first node 10.11.5.146 but during outage it doesn't, it means the connection issue is anywhere between my router and the first node, right? Correct. The question is what goes wrong - the physical link may be down, the address assignment may time out ...
by sindy
Fri May 13, 2022 9:22 pm
Forum: General
Topic: Download traffic is not showing on Interface!
Replies: 21
Views: 1011

Re: Download traffic is not showing on Interface!

In fact, if the ESXi is totally under your control, you can make use of proxy-arp functionality. If you create another interface (ether2) at the CHR, and assign an IP address to it the following way: /ip address add interface=ether2 address=56.56.56.30/32 network=56.56.56.1 and set /interface ether...
by sindy
Fri May 13, 2022 10:29 am
Forum: General
Topic: Using hAP Mini as a LAN to WiFi bridge
Replies: 5
Views: 416

Re: Using hAP Mini as a LAN to WiFi bridge

Unfortunately the AP is not a Mikrotik
Then the station-pseudobridge mode is what you need, as the 4 MAC addresses frame formats are usually incompatible between vendors.
by sindy
Thu May 12, 2022 9:48 pm
Forum: General
Topic: Download traffic is not showing on Interface!
Replies: 21
Views: 1011

Re: Download traffic is not showing on Interface!

I was expecting to see the queue configuration in the export, but never mind, the issue seems to be clear, but please confirm my understanding. There is a gateway in the subnet (.1); you expect that if you put the CHR to the same subnet with an address .3, and tell the PC (address .4) that its gatew...
by sindy
Thu May 12, 2022 8:58 pm
Forum: General
Topic: Using hAP Mini as a LAN to WiFi bridge
Replies: 5
Views: 416

Re: Using hAP Mini as a LAN to WiFi bridge

Bridge the wlan interface with the ethernet one(s) at the hAP mini. If the AP is not a Mikrotik one, or it is a Mikrotik one controlled using CAPsMAN, set the wlan1 mode to station-pseudobridge. Attach a DHCP client to the bridge if you want the hAP mini to get its own IP address to be manageable vi...
by sindy
Thu May 12, 2022 8:26 pm
Forum: General
Topic: Download traffic is not showing on Interface!
Replies: 21
Views: 1011

Re: Download traffic is not showing on Interface!

Nothing to suggest without a configuration export. What I assume is that you misinterpret what the upload and download means in the vernacular of simple queues - since you use the CHR to hairpin the traffic, you cannot use the interface name as target. Maybe you'll even have to use queue tree rathe...
by sindy
Wed May 11, 2022 7:01 pm
Forum: General
Topic: Connection tracking - forced off vs. auto off
Replies: 24
Views: 1422

Re: Connection tracking - forced off vs. auto off

When you tried to turn the conntrack off, did you have any rule in filter/NAT table? And was the connections table flushed after turning off? Yes to both - there are two NAT rules, and the connections table is empty after setting enabled to no. As soon as I put it back to auto, some connections r...
by sindy
Wed May 11, 2022 6:44 pm
Forum: General
Topic: Connection tracking - forced off vs. auto off
Replies: 24
Views: 1422

Re: Connection tracking - forced off vs. auto off

Because of this I opened this ticket, what that is. The thing is that what you've actually opened is not a "ticket" - it is a discussion topic on a peer forum. To open a real support ticket, you have to use https://help.mikrotik.com/servicedesk/servicedesk/customer/user/login?destination=po...
by sindy
Wed May 11, 2022 2:32 pm
Forum: General
Topic: Two mikrotiks, one openvpn server
Replies: 2
Views: 336

Re: Two mikrotiks, one openvpn server

Look at subnets/address ranges used, routing, and firewall rules. Maybe the OVPN clients do not have routes to the LAN subnet of the 2nd Mikrotik, maybe the 2nd Mikrotik doesn't have a route to the subnet (range) from which the 1st one assigns addresses to the OVPN clients, maybe the 1st Mikrotik do...
by sindy
Wed May 11, 2022 11:12 am
Forum: General
Topic: VLAN with VRRP problems
Replies: 1
Views: 244

Re: VLAN with VRRP problems

Such a configuration (VRRPs on multiple VLANs on the same bridge or standalone L2 interface) is fully legal, so what you experience must be a misconfiguration or a bug. A non-obvious thing I could think of is firewall rules not allowing incoming VRRP traffic on the VLAN interfaces; if it's not that,...
by sindy
Sun May 08, 2022 9:14 pm
Forum: General
Topic: Nth vs PCC
Replies: 6
Views: 435

Re: Nth vs PCC

I wouldn't expect that avoiding connection marking helps much
It doesn't help performance, but it simplifies the setup.
by sindy
Sun May 08, 2022 9:04 pm
Forum: General
Topic: Connection State New vs. Invalid
Replies: 4
Views: 370

Re: Connection State New vs. Invalid

That's interesting! Is this somewhere written? The only description I have found is at https://thermalcircle.de/doku.php?id=blog:linux:connection_tracking_3_state_and_examples (search for --ctstate INVALID on that page). Does the Invalid-Matcher here take into account an ICMP echo reply can't be vali...
by sindy
Sun May 08, 2022 8:35 pm
Forum: General
Topic: Nth vs PCC
Replies: 6
Views: 435

Re: Nth vs PCC

The main point is that per-connection-classifier takes a hash of the chosen address and port fields of the packet header, which is the same for every packet belonging to the same direction of a given connection, so you can use it to directly assign a routing-mark value to the packet. So load distrib...
by sindy
Sun May 08, 2022 8:14 pm
Forum: General
Topic: Connection State New vs. Invalid
Replies: 4
Views: 370

Re: Connection State New vs. Invalid

Normally, a packet is attributed with connection state invalid if it does not match the expected state of a connection. But such analysis is only possible for protocols that are stateful on their own, such as TCP or SCTP. So a UDP packet can never be attributed with invalid as the very first packet ...
by sindy
Sat May 07, 2022 9:36 pm
Forum: General
Topic: P2P IPSEC strange behavere
Replies: 4
Views: 320

Re: P2P IPSEC strange behavere

Are both peers on public IP addresses, i.e. is bare ESP used as transport protocol? If so, does the input chain of the firewall at both devices accept ESP packets?
by sindy
Sat May 07, 2022 6:05 pm
Forum: General
Topic: Filter duplicate packages from broadcast mode bonding
Replies: 6
Views: 499

Re: Filter duplicate packages from broadcast mode bonding

There is no way to "fix" this at the level of the bonding implementation, as bonding doesn't add any field to the frames being broadcast that would allow to identify the duplicates. Adding such a field would make the RouterOS implementation of bonding incompatible with other ones and would...
by sindy
Tue May 03, 2022 8:28 pm
Forum: General
Topic: CSR for SSTP VPN
Replies: 7
Views: 454

Re: CSR for SSTP VPN

The certificate-based security works best if the private key to the certificate doesn't ever leave the device that uses the certificate to prove its identity. So to create a CSR directly on the Mikrotik itself: create a /certificate item filled with the required key-usage, common-name, subject-alt...
by sindy
Tue May 03, 2022 8:03 pm
Forum: General
Topic: VoIP calls not reaching from satellite to satellite
Replies: 10
Views: 557

Re: VoIP calls not reaching from satellite to satellite

I cannot see anything in the configurations that should block packet flow between the 192.168.0.0/21 subnets of a pair of satellite sites. The /ppp secret items at the CO router do contain the routes items, the /ip firewall filter rules do not block the traffic between two L2TP server interfaces (an...
by sindy
Wed Apr 27, 2022 9:33 am
Forum: General
Topic: QinQ VLAN's Help needed [SOLVED]
Replies: 63
Views: 17223

Re: QinQ VLAN's Help needed [SOLVED]

I only touch the 7.x softly so far, no deep diving. So no, I haven't.
by sindy
Tue Apr 26, 2022 11:12 pm
Forum: General
Topic: Mikrotik cloud, choose IP interface to update
Replies: 15
Views: 3015

Re: Mikrotik cloud, choose IP interface to update

The trouble is finally over, with google disabling support for the insecure SMTP. Google has introduced a per-device generated password that can be used for this. Mikrotik can send e-mails using TLS. You can also have a look at sending notifications via Telegram - there are several related topics h...
by sindy
Sun Apr 24, 2022 7:58 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 46
Views: 3273

Re: Transparent hEX S to change vlan-priority for DHCP request only

Mikrotik support is rock ! A forum like this is the second best thing to an actual support for the users, but if Mikrotik was to provide this amount of support directly, you would have to pay a lot for a support contract or the equipment would have to cost much more (look at Cisco, there's both, th...
by sindy
Sun Apr 24, 2022 4:34 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 46
Views: 3273

Re: Transparent hEX S to change vlan-priority for DHCP request only

I'm not sure I understand well what you want to do. If the traffic should be sent and received tagged with VID 832 at the ONU SFP port, and received and sent tagless at the Fortigate-facing port, that's a normal behavior, you just configure the Fortigate-facing port as an access one to VLAN 832, and...
by sindy
Fri Apr 22, 2022 10:32 pm
Forum: General
Topic: Very strange replacement in export
Replies: 5
Views: 300

Re: Very strange replacement in export

It's a bug, open a support ticket. I have just tested it, and not only that the export shows the internal interface id, but it even shows a wrong one. Try /interface/print where .id=*13 - in my case, it looks as follows: [me@chr-7-1] > routing/filter/rule/print Flags: X - disabled, I - inactive 0 ch...
by sindy
Thu Apr 21, 2022 10:05 pm
Forum: General
Topic: Unable to upgrade to 7.2.1
Replies: 7
Views: 542

Re: Unable to upgrade to 7.2.1

A lot has been said here so far but no one has mentioned the fact that 7.x always uses the bundle package, so if some packages are not installed in the current 6.x installation, the upgrade will fail. I'm not sure whether it is enough to install the missing packages in 6.x or whether only "full...
by sindy
Thu Apr 21, 2022 9:53 pm
Forum: General
Topic: Filter duplicate packages from broadcast mode bonding
Replies: 6
Views: 499

Re: Filter duplicate packages from broadcast mode bonding

L2TP might filter duplicates, you can use BCP mode to transport at L2, but I have never tried to use it this way. No sequence numbers in GRE, let alone EoIP, which also misuses the 4 bytes of tunnel ID by using only 2 bytes for tunnel ID and the other 2 bytes for payload frame size, so firewalls ide...
by sindy
Thu Apr 21, 2022 9:18 am
Forum: General
Topic: IPsec connection unstable [SOLVED]
Replies: 8
Views: 610

Re: IPsec connection unstable [SOLVED]

But I'm still getting these errors: Only the first one is important here, the other two are just consequences. are these the same exact certificates that you downloaded and errors were removed? Interestingly, no, and it seems to be the root cause of your trouble. Leaving aside that your links are h...
by sindy
Wed Apr 20, 2022 11:55 pm
Forum: General
Topic: IPsec connection unstable [SOLVED]
Replies: 8
Views: 610

Re: IPsec connection unstable [SOLVED]

The whole manual from hide.me is weird. It does not suggest loading of the two CA certificates, however you managed to do that, good. I have imported all three certificates to 6.47.10 and to 6.48.6; neither version shows the A(uthority) flag for the two DigiCert CA certificates, but I've found that ...
by sindy
Wed Apr 20, 2022 4:57 pm
Forum: General
Topic: IPsec connection unstable [SOLVED]
Replies: 8
Views: 610

Re: IPsec connection unstable [SOLVED]

Something must have gone wrong, because the certificates you've installed are not marked with A(uthority) in the status column.
by sindy
Wed Apr 20, 2022 4:32 pm
Forum: General
Topic: VLANs not hardware offloaded on hAP AC?
Replies: 2
Views: 240

Re: VLANs not hardware offloaded on hAP AC?

On an 8337, you have to use /interface ethernet switch vlan and /interface ethernet switch port menu to configure VLANs together with hardware offloading, because activation of vlan-filtering in the /interface bridge configuration deactivates hardware forwarding. But be sure there are no loops in yo...
by sindy
Wed Apr 20, 2022 4:07 pm
Forum: General
Topic: propagate packet with special IP from bridge to another ?
Replies: 10
Views: 402

Re: propagate packet with special IP from bridge to another ?

No more ideas here. On the protocol development status page, PIM-SM is shown as fully working, but in the absence of any working example in the manual, it is hard to find out what is wrong.
by sindy
Wed Apr 20, 2022 3:18 pm
Forum: General
Topic: propagate packet with special IP from bridge to another ?
Replies: 10
Views: 402

Re: propagate packet with special IP from bridge to another ?

system/logging/add topics=pim

then try to add the local address of one of the bridges as a static rendezvous point:
/routing/pimsm/static-rp/add address=192.168.9.1 instance=only
by sindy
Wed Apr 20, 2022 2:41 pm
Forum: General
Topic: Failover Single PPPoE
Replies: 5
Views: 739

Re: Failover Single PPPoE

If you don't care which link will be actually used, create a bridge, attach the PPPoE client to it, and set the two physical links as two ports of that bridge with horizon=123 (the actual number is not important, it just must be the same for both ports to prevent looping of frames and it only has a ...
by sindy
Wed Apr 20, 2022 1:41 pm
Forum: General
Topic: propagate packet with special IP from bridge to another ?
Replies: 10
Views: 402

Re: propagate packet with special IP from bridge to another ?

/routing/pimsm/instance/add name=only
/routing/pimsm/interface-template/add instance=only interfaces=bridge1,bridge2
The addresses are the local ones, that's normal.
by sindy
Wed Apr 20, 2022 12:54 pm
Forum: General
Topic: propagate packet with special IP from bridge to another ?
Replies: 10
Views: 402

Re: propagate packet with special IP from bridge to another ?

/routing/pimsm is what you need, but the documentation is a stub so far. The IP address you have provided, 224.0.0.50, is a multicast one. So the device sends a packet to that multicast address from its unicast one; since the destination address is a multicast one, the multicast routing will forwar...
by sindy
Sun Apr 17, 2022 7:47 pm
Forum: General
Topic: load balance lines based on time to use bursts
Replies: 2
Views: 244

Re: load balance lines based on time to use bursts

The purpose of allowing higher bandwidth for connections that just started is to provide better experience for interactive services while limiting regular downloads to the contract bandwidth. Leaving aside the ethical aspects, technically, your approach is unlikely to work unless you have public add...
by sindy
Sun Apr 17, 2022 1:59 pm
Forum: General
Topic: L2TP through IPSEC RDP, WWW
Replies: 1
Views: 146

Re: L2TP through IPSEC RDP, WWW

If you don't mind the large payload packets to get split into two transport ones, use MLPPP on the L2TP link. At both the L2TP server and client, set max-mtu=1100 max-mru=1100 mrru=1504 (change the settings at the server first as the change at the client will cause the connection to reestablish whil...
by sindy
Sun Apr 17, 2022 1:46 pm
Forum: General
Topic: propagate packet with special IP from bridge to another ?
Replies: 10
Views: 402

Re: propagate packet with special IP from bridge to another ?

Look at multicast routing, but you may get disappointed like I did if the recipient of the multicast packets doesn't work properly.
by sindy
Sun Apr 17, 2022 1:44 pm
Forum: General
Topic: ASK [wireguard]
Replies: 9
Views: 471

Re: ASK [wireguard]

I thought that I can manage that from the WG-Server You can but not by means of Wireguard. allowed-address is compared to the destination address of a packet to be sent to the peer, and to the source address of a packet received from a peer. So to "manage that at the WG server", you have to u...
by sindy
Sun Apr 17, 2022 1:34 pm
Forum: General
Topic: IPSec to FortiGate with multiple policies Problems
Replies: 4
Views: 364

Re: IPSec to FortiGate with multiple policies Problems

At the Mikrotik side, set level=unique for all the policies. If this is already done, it will require debugging.
by sindy
Sun Apr 17, 2022 1:31 pm
Forum: General
Topic: L2TP Client
Replies: 5
Views: 317

Re: L2TP Client

I'm from China, so the description of the problem is not very detailed How are these things related? If I have many PPPoE links, can I specify which use PPPoE line for all data of L2TP client? for example: l2tp-out2 --》 pppoe-out1 l2tp-out4 --》 pppoe-out2 Not directly, you have to use policy routin...
by sindy
Mon Apr 11, 2022 9:15 pm
Forum: General
Topic: Public IP routing
Replies: 2
Views: 217

Re: Public IP routing

You will get packets for the .144.xx/29 and .91.xx/30 from the ISP; it depends on you how you organize your internal network. If you want to assign all 12 addresses to servers in your network, you have to use a special setup where the address at the 2004 end will be a private one and the public one ...
by sindy
Mon Apr 11, 2022 4:21 pm
Forum: General
Topic: Feature request: add packet mark to packet sniffer filter
Replies: 5
Views: 288

Re: Feature request: add packet mark to packet sniffer filter

If you do it the way I suggest, you'll have local (Mikrotik) timestamps.
by sindy
Mon Apr 11, 2022 1:06 pm
Forum: General
Topic: IPsec between nodes without static IP and CGNAT
Replies: 5
Views: 350

Re: IPsec between nodes without static IP and CGNAT

The configuration seems fine to me, so it is time for debugging.

At both devices, what does /ip firewall connection print interval=1s where dst-address~":4500" and /ip ipsec active-peers print interval=1s show if you let each run for a minute?
by sindy
Mon Apr 11, 2022 9:24 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 34
Views: 9036

Re: blackhole/unreachable with IPSec policies [SOLVED]

It was never possible to use connection marks in routes (to compose routing tables), these were always routing marks. A "routing mark" and a "routing table name" are more or less the same thing, the nuance is that a routing rule (not route) can match on one routing-mark value (as...
by sindy
Sat Apr 09, 2022 7:53 pm
Forum: General
Topic: Simple Queue Not Working
Replies: 2
Views: 219

Re: Simple Queue Not Working

Have you disabled or removed the action=fasttrack-connection rule in chain forward in /ip firewall filter?
by sindy
Sat Apr 09, 2022 7:51 pm
Forum: General
Topic: Feature request: add packet mark to packet sniffer filter
Replies: 5
Views: 288

Re: Feature request: add packet mark to packet sniffer filter

TZSP action is not suitable for me. If the reason is that you need to sniff to file directly at a remote Mikrotik device, there is a workaround. Create an IPIP tunnel with !keepalive (so that it appears to be always up) and set its MTU to, say, 1700. Then, create a route dst-address=100.100.100.100...
by sindy
Fri Apr 08, 2022 11:50 pm
Forum: General
Topic: my traffic doesnt pass through open vpn [SOLVED]
Replies: 12
Views: 985

Re: my traffic doesnt pass through open vpn [SOLVED]

Ah, yes, I need better glasses :)

But as the CHR is running somewhere in France, I didn't even think that the "in Iran the sites that sells VPS doesn't provide Pfsense" statement could be related to the hosting.
by sindy
Fri Apr 08, 2022 9:28 pm
Forum: General
Topic: my traffic doesnt pass through open vpn [SOLVED]
Replies: 12
Views: 985

Re: my traffic doesnt pass through open vpn [SOLVED]

I'm not sure I get the point with pfSense - to my understanding, it is an operating system like RouterOS, not a VPN protocol like OpenVPN or Wireguard. So installing a virtual pfSense instead of CHR and configuring OpenVPN on it might be easier than using a general purpose Linux distribution. And I ...
by sindy
Fri Apr 08, 2022 2:29 pm
Forum: General
Topic: vpn for remote control
Replies: 18
Views: 831

Re: vpn for remote control

Look at this post and the few ones after. But my Italian is based on my Romanian which itself is worse than poor :)
by sindy
Fri Apr 08, 2022 1:56 pm
Forum: General
Topic: vpn for remote control
Replies: 18
Views: 831

Re: vpn for remote control

Whom exactly :) ? @anav, @sindy, @tangent (in alphabetical order)?
by sindy
Fri Apr 08, 2022 1:33 pm
Forum: General
Topic: vpn for remote control
Replies: 18
Views: 831

Re: vpn for remote control

Zerotier may be a solution, but be careful about leakage of traffic between sites of different customers.
by sindy
Fri Apr 08, 2022 9:22 am
Forum: General
Topic: vpn for remote control
Replies: 18
Views: 831

Re: vpn for remote control

From your last post it seems that the colocated Mikrotik may be placed between your panel controller and the rest of the customer's LAN, i.e. only the Mikrotik would be directly connected to customer's LAN, and the panel controller would be connected to another interface of the Mikrotik. Is that the...
by sindy
Thu Apr 07, 2022 10:15 pm
Forum: General
Topic: my traffic doesnt pass through open vpn [SOLVED]
Replies: 12
Views: 985

Re: my traffic doesnt pass through open vpn [SOLVED]

You can try Wireguard instead of OpenVPN, or you can run a linux VM instead of CHR in France. But I've just tried the "OpenVPN for Android" application - it allows to configure routing of everything via the tunnel no matter whether the server pushes a route list. In fact, it is even the de...
by sindy
Thu Apr 07, 2022 5:11 pm
Forum: General
Topic: my traffic doesnt pass through open vpn [SOLVED]
Replies: 12
Views: 985

Re: my traffic doesnt pass through open vpn [SOLVED]

RouterOS does not support pushing routes in OpenVPN. You have to configure the route manually - after the client connects, run
route add 0.0.0.0 MASK 0.0.0.0 ip.of.the.gw from command line. You may have to add a route to your Mikrotik in France and remove the existing default route.
by sindy
Wed Apr 06, 2022 8:33 pm
Forum: General
Topic: NAT local user address pool to internet address pool [SOLVED]
Replies: 5
Views: 329

Re: NAT local user address pool to internet address pool [SOLVED]

Just need to query, what will happen to the other local IP addresses? for example, 192.168.2.2, ...., 192.168.2.220 will be src-nated to address xxx.xxx.xxx.66 or xxx.xxx.xxx.67 as of the original suffix and so on? or some of the local IP addresses (192.168.0.0/22) will NAT-ed as the original suff...
by sindy
Wed Apr 06, 2022 8:20 pm
Forum: General
Topic: ESXi hypervisor behind hAP ac3 and IPv4/IPv6 config
Replies: 5
Views: 264

Re: ESXi hypervisor behind hAP ac3 and IPv4/IPv6 config

I'm not sure I understand why setting a gazillion of port forwarding rules on pfSense should be easier than setting the same gazillion of port forwarding rules directly on the hAP? It's a single rule as follows per each service: chain=dstnat in-interface-list=WAN dst-port=X action=dst-nat to-addresses...
by sindy
Wed Apr 06, 2022 7:20 pm
Forum: General
Topic: Site to site VPN + client to site VPN
Replies: 3
Views: 263

Re: Site to site VPN + client to site VPN

@svt11, what is the issue you need help with? The fact that you cannot access management of R2 from R1 or something else?
by sindy
Wed Apr 06, 2022 7:14 pm
Forum: General
Topic: send route to vpn l2tp
Replies: 2
Views: 203

Re: send route to vpn l2tp

What Windows sends in order to obtain a routing table is a specific DHCP message, DHCPINFORM. It is not possible to attach a DHCP server to an L3 interface, and despite its name, L2TP only supports L2 tunnels if both the server and the client support it. As far as I know, Mikrotik only responds DHCP...
by sindy
Wed Apr 06, 2022 7:06 pm
Forum: General
Topic: Copy speed via trunk simply too slow
Replies: 8
Views: 416

Re: Copy speed via trunk simply too slow

What surprised me was that you've configured ether8 and ether9 as member ports of the trunk, but you've made them individual ports of the bridge, rather than assigning the trunk port to the bridge. But the main issue is still the fact that you've got multiple bridges and/or that you ask CRS125 to ro...
by sindy
Wed Apr 06, 2022 7:02 pm
Forum: General
Topic: NAT local user address pool to internet address pool [SOLVED]
Replies: 5
Views: 329

Re: NAT local user address pool to internet address pool [SOLVED]

netmap substitutes the prefix and keeps the original suffix of the address. So with this rule, 16 private addresses, 192.168.0.1, 192.168.0.65, 192.168.0.129, ..., 192.168.3.193 will all be src-nated to xxx.xxx.xxx.65. If you are OK with that, go ahead. masquerade differs from src-nat in two tightl...
by sindy
Wed Apr 06, 2022 12:18 pm
Forum: General
Topic: ESXi hypervisor behind hAP ac3 and IPv4/IPv6 config
Replies: 5
Views: 264

Re: ESXi hypervisor behind hAP ac3 and IPv4/IPv6 config

Just to add some context to what @AidanAus wrote - as you mention "access some services on VMs" but just a single "fixed public IPv4", there is no way to handle this without port forwarding anyway, no matter whether that single public IP is assigned to the hAP ac3 or to a virt...
by sindy
Tue Apr 05, 2022 8:34 pm
Forum: General
Topic: GRE Tunnel with Interface as a Gateway
Replies: 7
Views: 450

Re: GRE Tunnel with Interface as a Gateway

Yes I can see the interface using /interface gre print, please see below for output. The output shows that RouterOS considers the tunnel interface to be down. When keepalive is activated, the tunnel interface is considered down if it receives no packets for a certain period of time. My understandi...
by sindy
Mon Apr 04, 2022 11:19 pm
Forum: General
Topic: GRE Tunnel with Interface as a Gateway
Replies: 7
Views: 450

Re: GRE Tunnel with Interface as a Gateway

Is the tunnel shown as running in /interface gre print? Because I can see no other reason why the route with GRE_Tunnel as gateway should be down (gateway unreachable).
by sindy
Mon Apr 04, 2022 2:27 pm
Forum: General
Topic: vpn for remote control
Replies: 18
Views: 831

Re: vpn for remote control

Let's put it another way - does the panel controller need to talk to other devices in the customers' LAN, or is it enough that you can reach it "somehow"? I.e. do the customers provision the contents to show on the panels, or deliver it live, via LAN or do the customers tell you what to co...
by sindy
Sun Apr 03, 2022 1:17 pm
Forum: General
Topic: Swapping from IPSec to WireGuard - not working - FranceLondon
Replies: 9
Views: 550

Re: Swapping from IPSec to WireGuard - not working - FranceLondon

I now have access but it's slower than expected. The question is what have you expected. hAP ac doesn't support hardware encryption for IPsec, and the encryption algorithm used by Wireguard should be a bit faster than the aes256 you were using in IPsec, but not 10 times. I'm wondering whether I dis...
by sindy
Sat Apr 02, 2022 10:53 pm
Forum: General
Topic: Swapping from IPSec to WireGuard - not working - FranceLondon
Replies: 9
Views: 550

Re: Swapping from IPSec to WireGuard - not working - FranceLondon

Ah... you have disabled the IPsec peers and/or identities, but not the static policies. An IPsec policy intercepts matching packets even if no security association is established. This is by design, not a bug.
by sindy
Sat Apr 02, 2022 10:13 pm
Forum: General
Topic: Swapping from IPSec to WireGuard - not working - FranceLondon
Replies: 9
Views: 550

Re: Swapping from IPSec to WireGuard - not working - FranceLondon

I used the .3 just as an example of a particular destination address, to illustrate the shadowing effect. You only use 10.255.255.1 and 10.255.255.2 as gateway IPs, so the routes to 192.168.64.0/24 and 192.168.65.0/24 have 10.255.255.x as gateway, rather than the Wireguard interface name directly....
by sindy
Sat Apr 02, 2022 9:06 pm
Forum: General
Topic: Swapping from IPSec to WireGuard - not working - FranceLondon
Replies: 9
Views: 550

Re: Swapping from IPSec to WireGuard - not working - FranceLondon

I'll first try to give you an overview rather than detailed instructions what to change. Wireguard works differently from IPsec, where the traffic selector of a policy overrides the results of the normal routing. Think of the Wireguard process as of another router. To deliver a packet with destination...
by sindy
Sat Apr 02, 2022 7:09 pm
Forum: General
Topic: vpn for remote control
Replies: 18
Views: 831

Re: vpn for remote control

What you seem to ask for is an L2 tunnel between your support center and the customer's LAN. This is possible, but it is a security nightmare, as any malware eventually squatting in one of your customers' LANs can infect your support PC, and then it can spread to other customers' LANs once you conne...
by sindy
Sat Apr 02, 2022 6:32 pm
Forum: General
Topic: Pings not working through GRE tunnel, all other traffic fine
Replies: 4
Views: 292

Re: Pings not working through GRE tunnel, all other traffic fine

The routers on each end show the ping requests and replies and they are small pings so not larger than the MTU so I'm at a loss here. So you can sniff on the routers at both ends of the tunnel, and you can see both requests and responses at both ends? If so, I'd expect something about the ICMP echo...
by sindy
Fri Apr 01, 2022 10:07 pm
Forum: General
Topic: Dstnat in output chain? [SOLVED]
Replies: 23
Views: 8430

Re: Dstnat in output chain? [SOLVED]

@sindy: I don't want to risk overheating my brain, but wouldn't this also help with your L2TP/IPSec loop? If "help with" is a euphemism for "allow to get rid of", then yes - the sole purpose of the hairpin tunnel was to work around the unavailability of src-nat on input in ROS ...
by sindy
Fri Apr 01, 2022 8:33 pm
Forum: General
Topic: Dstnat in output chain? [SOLVED]
Replies: 23
Views: 8430

Re: Dstnat in output chain? [SOLVED]

Another application case - two VPN clients on the same router that need to connect to the same remote server via different WANs of the router. For some VPN types (L2TP), you can specify source-address and use policy routing to link each to another WAN; for other ones (SSTP), the source-address param...
by sindy
Tue Mar 29, 2022 4:37 pm
Forum: General
Topic: Mangle nth
Replies: 5
Views: 317

Re: Mangle nth

a question arises ... do you need a VPN to a CHR to appear from a single IP? Or does it work like in PCC load balance? The VPN server on the CHR will tolerate that the client connects from another IP address unless you explicitly prevent that. For UDP based VPNs, the choice of WAN may only change i...
by sindy
Tue Mar 29, 2022 10:59 am
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

The last config I see is from March 24. It has no routes via OpenVPN to the networks on the ASUS side, so I don't know what else is missing from it. I see nothing that would explain why the Mikrotik answers pings but cannot be managed while the firewall is disabled. How exactly did you disable the firewall...
by sindy
Tue Mar 29, 2022 9:58 am
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

Disabling the firewall didn't help. Disabling the firewall is always a bad idea. What could the problem be now? If the Mikrotik's address can be pinged from the Asus side but it cannot be managed via the same address, the problem may be in the firewall, in the allowed-address settings dire...
by sindy
Tue Mar 29, 2022 8:37 am
Forum: General
Topic: vpn traffic
Replies: 5
Views: 346

Re: vpn traffic

That's the very essence of my suggestion - as the only available policy matches on 10.0.5.0/24 at the Mikrotik side, you have to src-nat the traffic from 192.168.4.0/24 to make it match the policy.
by sindy
Tue Mar 29, 2022 8:31 am
Forum: General
Topic: vpn problems with my isp
Replies: 3
Views: 291

Re: vpn problems with my isp

I mean with unstable (elevated ping, frequent VPN disconnection, even sometimes can't connect), and sometimes it works fine, best ping with no problem. OK, so indeed intermittent problems. the problem increases with some ISP IP ranges You mean depending on what address you get from your local ISP? I prefe...
by sindy
Tue Mar 29, 2022 8:21 am
Forum: General
Topic: Mangle nth
Replies: 5
Views: 317

Re: Mangle nth

Exactly, just modify the interfaces and addresses according to your actual environment.
by sindy
Mon Mar 28, 2022 11:42 pm
Forum: General
Topic: Mangle nth
Replies: 5
Views: 317

Re: Mangle nth

hello, I have two fttc with 50 mbps in download ... is it possible using the mangle nth to add the two downloads and get 100mbps? Yes, but... a single download using a single TCP session will always use only one of the fttc links (exceptions exist but a number of factors have to contribute for it t...
by sindy
Mon Mar 28, 2022 11:38 pm
Forum: General
Topic: Where do i see mikrotik public WAN ip?
Replies: 56
Views: 2293

Re: Where do i see mikrotik public WAN ip?

how do I set up the private IP from the management VLAN1 (192.168.11.254)? /ip address add address=192.168.11.254/24 interface=???? Replace the question marks with the name of an interface where you want this address to be placed. As you mention management VLAN 1, the proper interface would be the in...
by sindy
Mon Mar 28, 2022 11:28 pm
Forum: General
Topic: DSCP in QoS
Replies: 8
Views: 420

Re: DSCP in QoS

I am afraid the person who told you that a CRS328 can shape traffic on egress (which seems to be what you actually ask for - to drop low-priority traffic that exceeds the 100 Mbit bandwidth of the egress port rather than queueing it in a common queue with the high-priority one) didn't have enough in...
by sindy
Mon Mar 28, 2022 10:14 pm
Forum: General
Topic: L2TP/IPSec - Multiple IPSec Profiles [SOLVED]
Replies: 5
Views: 453

Re: L2TP/IPSec - Multiple IPSec Profiles [SOLVED]

The whole magic consists in creating the IPsec configuration ( peer & identity ) dynamically from the configuration data of the L2TP and hidden templates for both, using the default profile , and then creating a policy using the template in the default policy group (to which the policy-group par...
by sindy
Mon Mar 28, 2022 2:38 pm
Forum: General
Topic: vpn traffic
Replies: 5
Views: 346

Re: vpn traffic

If you cannot change the setup of the right side, and it doesn't accept additional traffic selectors proposed by the peer at the left, your only chance is to src-nat the traffic from 192.168.4.0/24 to some address(es) from 10.0.5.0/24, as below: /ip firewall nat add chain=srcnat place-before=as-appr...
by sindy
Mon Mar 28, 2022 10:25 am
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

Of course it doesn't work - the issue isn't the absence of routes on the Mikrotik towards the subnets behind the Asus, but the absence of routes on the Asus towards the subnets behind the Mikrotik. The OpenVPN server is effectively a standalone router. The operating system's routing will hand it the traffic for all peers,...
by sindy
Mon Mar 28, 2022 9:09 am
Forum: General
Topic: vpn problems with my isp
Replies: 3
Views: 291

Re: vpn problems with my isp

the connection become unstable my the not open Please translate what exactly means "unstable". To me, "unstable" means that it sometimes works and sometimes doesn't, or that the speed is changing. I created my own cloud VPN using RouterOS So if I understand properly, the VPN ser...
by sindy
Mon Mar 28, 2022 9:00 am
Forum: General
Topic: Where do i see mikrotik public WAN ip?
Replies: 56
Views: 2293

Re: Where do i see mikrotik public WAN ip?

Only thing I am not sure about is my ISP router is still working as router, matter of fact I am typing this post via the wireless of the ISP router so I am not sure why people keep saying after IP passthrough is set up I can't access the ISP router anymore, I still CAN and I can at the ISP local IP still The...
by sindy
Mon Mar 28, 2022 8:50 am
Forum: General
Topic: Routing outbound for one device?
Replies: 12
Views: 597

Re: Routing outbound for one device?

I haven't done any packet capture on that port 1000 traffic to see if there is anything I can use to direct it to one box or the other. Even if there was, it would be at application level, which the firewall cannot work with if the connection is a TCP one, and can work quite unreliably if the connect...
by sindy
Sun Mar 27, 2022 10:01 pm
Forum: General
Topic: route traffic to specific pppoe-client and don't hop to the next route [SOLVED]
Replies: 3
Views: 462

Re: route traffic to specific pppoe-client and don't hop to the next route [SOLVED]

/routing/rule
add routing-mark=pppoe1 action=lookup-only-in-table table=pppoe1
add routing-mark=pppoe2 action=lookup-only-in-table table=pppoe2
by sindy
Sun Mar 27, 2022 8:20 pm
Forum: General
Topic: Advice with CCR2004 with 2 x CRS switches
Replies: 14
Views: 629

Re: Advice with CCR2004 with 2 x CRS switches

why do routers have many ports? Routers may be used in more complex scenarios than just a single WAN and multiple (V)LANs. Also the bandwidth of a single port may not be sufficient to host all the traffic volume. And it would probably be too complicated to manufacture multiple routers with the same...
by sindy
Sun Mar 27, 2022 8:11 pm
Forum: General
Topic: Double NAT Load balance [issue]
Replies: 1
Views: 174

Re: Double NAT Load balance [issue]

That sounds like a weak router that cannot deal with the traffic volume without using fasttracking in the firewall, or like a powerful enough router where you forgot to disable fasttracking so only few packets actually take the proper way. The fact that we talk about RB951 here suggests that it is t...
by sindy
Sun Mar 27, 2022 8:01 pm
Forum: General
Topic: Where do i see mikrotik public WAN ip?
Replies: 56
Views: 2293

Re: Where do i see mikrotik public WAN ip?

BUT the ISP router is still working as router. What is going on? Am I doing something wrong? There are two explanations. Either you've set the public IP address on your Mikrotik's WAN interface in parallel to some other one (you can even have a dhcp client and multiple manually configured addresses...
by sindy
Sun Mar 27, 2022 4:50 pm
Forum: General
Topic: L2TP/IPSec - Multiple IPSec Profiles [SOLVED]
Replies: 5
Views: 453

Re: L2TP/IPSec - Multiple IPSec Profiles [SOLVED]

As @Kentzo has pointed out, there is only a single L2TP server that listens at all addresses, but this is not the limitation in this case. The IPsec connection has to get established first, before the L2TP exchange begins, so there is no way the PPP user credentials could be used to choose an IP...
by sindy
Sun Mar 27, 2022 4:33 pm
Forum: General
Topic: Analysing a new connection and decision-based routing?
Replies: 16
Views: 767

Re: Analysing a new connection and decision-based routing?

You cannot put processing of a packet on hold, but normally the protocol stack (in case of TCP connection) or the application (in case of UDP connection) takes more than a single attempt to initiate a connection before giving up. So dropping the very first packet of each connection should not be too...
by sindy
Thu Mar 24, 2022 10:42 pm
Forum: General
Topic: How to set up a link between options 60 and 43 in a DHCP server
Replies: 23
Views: 1152

Re: How to set up a link between options 60 and 43 in a DHCP server

Forgot to ask. Does this apply to both RouterOS versions 6 and 7? No idea. However, you are right - although I personally consider it a bug (or at least a strange design), you have to assign some pool to the server even if other pools are linked to it via the vendor-class-id records. But that &...
by sindy
Thu Mar 24, 2022 9:26 pm
Forum: General
Topic: How to set up a link between options 60 and 43 in a DHCP server
Replies: 23
Views: 1152

Re: How to set up a link between options 60 and 43 in a DHCP server

When sindy adds a dhcp-server he doesn't specify a pool.
As a result, value = static-only and in this case, no addresses were given to the phones.
So I used the RTU_OthersPhones pool there.
I'm surprised, that should not be necessary, the pool should be chosen based on the VID.
by sindy
Thu Mar 24, 2022 7:06 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

Everything works as it should after adding the openvpn network to NAT, it masquerades. That is a different question. Masquerade is one solution, which is sufficient if the equipment in the Mikrotik's LAN acts as the client in all connections. But if you ever need to connect via the VPN from the Asus end, masquerade won't help, so ...
by sindy
Thu Mar 24, 2022 12:36 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

/ip/firewall/mangle/print where chain=prerouting
/ip/firewall/mangle/add place-before=0 chain=prerouting in-interface-list=LAN dst-address=192.168.0.0/16 action=accept
by sindy
Thu Mar 24, 2022 12:07 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

From the router itself I can reach the server and the machines behind it, but from the machines behind the client it doesn't work. Everything I tried to put into /ip route didn't work; I can't figure out how to implement this with two ISPs on the client. It seems to me that the rules that ensure the selection of the required additional table...
by sindy
Wed Mar 23, 2022 10:51 pm
Forum: General
Topic: How to set up a link between options 60 and 43 in a DHCP server
Replies: 23
Views: 1152

Re: How to set up a link between options 60 and 43 in a DHCP server

By the way, maybe I found a bug in dhcp-server. When I tried to use the network 172.22.102.160/28 for Fanvil X7A phones, the dhcp-server gave the address 172.22.102.160 to the phone, i.e. network address, not first host address (172.22.102.161) :? It is not a bug. The address item on an /ip dhcp-se...
by sindy
Sat Mar 19, 2022 7:59 pm
Forum: General
Topic: LtAP setup issues with LTE [SOLVED]
Replies: 40
Views: 1906

Re: LtAP setup issues with LTE [SOLVED]

@sindy I installed an LtAP LTE6 this week. I noticed nothing strange compared to other MikroTik LTE devices I've used (wAP, wAP LTE6, LHGG) as far as the configuration is concerned. As @Amm0 wrote above, there is a difference between the default configuration script of an LtAP "LTE(6) kit"...
by sindy
Sat Mar 19, 2022 7:56 pm
Forum: General
Topic: LtAP setup issues with LTE [SOLVED]
Replies: 40
Views: 1906

Re: LtAP setup issues with LTE [SOLVED]

How can I grab the 7.1.3 output of the /system/default-config from my LtAP?
The way I've suggested above. But you don't need to do that - @Amm0 has already posted the result a few posts earlier.

Simply put: your LtAP behaves exactly as intended and documented by Mikrotik, it ain't broken.
by sindy
Sat Mar 19, 2022 7:47 pm
Forum: General
Topic: LtAP setup issues with LTE [SOLVED]
Replies: 40
Views: 1906

Re: LtAP setup issues with LTE [SOLVED]

I would suggest you reset to defaults, then upgrade to 7.1.3 and test again... Look into the default configuration script of 7.1.3 as posted by @Amm0 in this post . It sets exactly what OP is getting. No point in spawning it over and over again, the result will be the same. It is a question for ...
by sindy
Sat Mar 19, 2022 7:17 pm
Forum: General
Topic: LtAP setup issues with LTE [SOLVED]
Replies: 40
Views: 1906

Re: LtAP setup issues with LTE [SOLVED]

Where can I get a good known working copy of 7.1.3 then? I obtained mine from MikroTik's website.
I don't say it broke during download. If it indeed doesn't set the items you're missing, it has been broken in development.
by sindy
Sat Mar 19, 2022 7:07 pm
Forum: General
Topic: LtAP setup issues with LTE [SOLVED]
Replies: 40
Views: 1906

Re: LtAP setup issues with LTE [SOLVED]

I just wanted to see if this is normal LtAP behavior or if mine is goofy right out of the box. That's why I've suggested that you dump the default configuration script and see whether it adds the IP address etc. Since you can add all that manually, the hardware is not broken. Hence the most likely th...
by sindy
Sat Mar 19, 2022 6:54 pm
Forum: General
Topic: How to set up a link between options 60 and 43 in a DHCP server
Replies: 23
Views: 1152

Re: How to set up a link between options 60 and 43 in a DHCP server

I periodically study the wiki for my understanding of the wisdom of Mikrotik. But, unfortunately, I did not see anything similar to my first question there, nor a description of setting up a DHCP server with multiple pools. It's not there this clear. /ip pool add name=for-fanvil ranges=192.168.34.1...
by sindy
Sat Mar 19, 2022 2:35 pm
Forum: General
Topic: LtAP setup issues with LTE [SOLVED]
Replies: 40
Views: 1906

Re: LtAP setup issues with LTE [SOLVED]

I have tried netinstall several times. The question is what the default configuration looks like in case of 7.1.3 on LtAP. /system/default-configuration/print file=defconf will place the default configuration script into a file named defconf.txt, which you can download and inspect. Other than th...
by sindy
Sat Mar 19, 2022 8:48 am
Forum: General
Topic: LtAP setup issues with LTE [SOLVED]
Replies: 40
Views: 1906

Re: LtAP setup issues with LTE [SOLVED]

Are there any export of interface that I can do and import them to save time? You cannot save a backup of the configuration and load it on another model. But you can export the configuration into a script and run that script on another device regardless of its architecture. In order to make it run suc...
by sindy
Sat Mar 19, 2022 8:35 am
Forum: General
Topic: CHR cannot be installed in Hetzner Cloud because they need an ISO [SOLVED]
Replies: 10
Views: 4628

Re: CHR cannot be installed in Hetzner Cloud because they need an ISO [SOLVED]

I was unable to replace disk image, all I got is:
ERROR: could not find disk!
Please attach it somewhere else.
It sounds as if the VM has been created in an unusual way. Before entering that wget... | funzip | dd ... line, what does ls /dev/ show?
And what does mount | grep sd show?
by sindy
Wed Mar 16, 2022 7:38 pm
Forum: General
Topic: Solution for insufficient USB power [SOLVED]
Replies: 12
Views: 601

Re: Solution for insufficient USB power [SOLVED]

But I wonder if it's ok if I plugged a 1A adapter and won't fry the routerboard? It depends on whether the wires are just in parallel or whether there is some diode setup preventing current from feeding the Mikrotik. If they are parallel, a slightly higher voltage on the external source may give t...
by sindy
Tue Mar 15, 2022 11:33 pm
Forum: General
Topic: Set MTU of IKEv2 Tunnel for Output Traffic
Replies: 1
Views: 242

Re: Set MTU of IKEv2 Tunnel for Output Traffic

In order to handle the own traffic of the router, such as the one of the socks5, the action=change-mss rules must be in chains output and input of mangle.
by sindy
Tue Mar 15, 2022 10:31 pm
Forum: General
Topic: IPSec VPN Timeout behind NAT
Replies: 1
Views: 217

Re: IPSec VPN Timeout behind NAT

Just a wild guess, but the symptoms sound similar to me to this issue . So try sniffing on the 4011 to check what's actually going on and whether packets arriving from the WAN side and reassembled do not exceed the MTU of the PC's interface because the MTU of the LAN bridge is set too high. Maybe...
by sindy
Mon Mar 14, 2022 11:53 pm
Forum: General
Topic: High latency over IPSEC
Replies: 7
Views: 509

Re: High latency over IPSEC

I suppose this would also be some kind of proof that IPsec is working with barely any delay? Yup, IPsec encryption and decryption is not the reason for the jitter. You may try a ping to the CHR's public address using slightly larger packets, matching the size of the ESP ones, to see whether it's the...
by sindy
Mon Mar 14, 2022 10:40 pm
Forum: General
Topic: High latency over IPSEC
Replies: 7
Views: 509

Re: High latency over IPSEC

I can paste my configurations here but I'll need time to clean them up before posting them here. More eyes usually see more, hence worth it. Are there any other performance tests between routers that I can do beside the usual ICMP ping and bandwidth test? Just sniff at the WAN interface of the 4011...
by sindy
Mon Mar 14, 2022 12:31 pm
Forum: General
Topic: High latency over IPSEC
Replies: 7
Views: 509

Re: High latency over IPSEC

Are there any known common causes of such issues? The ISP at the location is not perfect but I suppose it shouldn't make such a drastic difference? The location with difficulties in question runs on a WISP provider. The locations that work properly are on LTE and Fiber. Can't deny that it might be ...
by sindy
Sun Mar 13, 2022 7:33 pm
Forum: General
Topic: Is using 3rd party VPN on Mikrotik safe?
Replies: 4
Views: 290

Re: Is using 3rd party VPN on Mikrotik safe?

Hmm, but how do I add IPSec tunnel to WAN list? You don't as there is currently no virtual interface associated to IPsec. The in-interface attribute of IPsec payload packets is inherited from the transport packets that brought them. Normally, there is an ipsec-policy match condition, which matches ...
by sindy
Sun Mar 13, 2022 6:51 pm
Forum: General
Topic: Find out which certificate was used for the new ike2 SA (R)
Replies: 4
Views: 355

Re: Find out which certificate was used for the new ike2 SA (R)

Your /certificate crl print shows an empty list, and under /certificate settings , use of CRLs is disabled. Hence when inspecting a certificate received from an initiator, the responder does not look for it on the CRL. There is no point in having two mechanisms for that, so there is no "shortcu...
by sindy
Sun Mar 13, 2022 2:33 pm
Forum: General
Topic: Ipsec vpn - disable tunnel ?
Replies: 2
Views: 209

Re: Ipsec vpn - disable tunnel ?

The thing is that the action=src-nat rule matching on the src-address-list specified on the /ip ipsec mode-config row is only consulted when the very first packet of a new connection is processed. Once a connection gets established, its subsequent packets get NATed to the address assigned by the VPN...
by sindy
Sun Mar 13, 2022 1:59 pm
Forum: General
Topic: Sip Tracing
Replies: 4
Views: 321

Re: Sip Tracing

Can anyone with sip tracing skills help me out with some wireshark pcap files and logs privately?
Here's how you can send me your contact info privately: viewtopic.php?p=902082#p902082 (a few posts after there are more details if needed).
by sindy
Sun Mar 13, 2022 1:07 pm
Forum: General
Topic: Problem with l2tp VPN: can surf the net only one device at a time
Replies: 7
Views: 513

Re: Problem with l2tp VPN: can surf the net only one device at a time

Are you bombenfest that those multiple users can be connected to the Mikrotik L2TP/IPsec server from behind the same public IP? Because that's the actual issue here, and the resource you've linked doesn't address it in any way.
by sindy
Sun Mar 13, 2022 1:03 pm
Forum: General
Topic: Find out which certificate was used for the new ike2 SA (R)
Replies: 4
Views: 355

Re: Find out which certificate was used for the new ike2 SA (R)

The information which phase 1 has been authenticated using which remote certificate is not available as a status one (i.e. is not available among properties of an active-peers item). The only way to find it is to activate logging of ipsec and direct it to a disk. But when you mention revoked certifi...
by sindy
Sat Mar 12, 2022 6:36 pm
Forum: General
Topic: VLAN over EoIP [SOLVED]
Replies: 5
Views: 410

Re: VLAN over EoIP [SOLVED]

Yes, disable RSTP on bridge2s, as there is no risk of looping (at least until you add another site and connect it to both). RSTP should live tagless on bridge1, so it will not leak to bridge2 via /interface vlan vlan-id=10 , but it would leak from bridge2 to bridge1 and get tagged on the way. Other ...
by sindy
Sat Mar 12, 2022 2:42 pm
Forum: General
Topic: VLAN over EoIP [SOLVED]
Replies: 5
Views: 410

Re: VLAN over EoIP [SOLVED]

I must be missing something here. If I can get the blocking done, this solution would be perfect for my scenario. This way I don't have to deal with complicated configuration with multiple bridges bridging interfaces that already sit on top of another bridge. It has been reported by multiple users ...
by sindy
Sat Mar 12, 2022 11:06 am
Forum: General
Topic: Fasstrack and rules
Replies: 13
Views: 616

Re: Fasstrack and rules

Well, you've referred to CCR 2004 and 600 Mbit/s, but the configuration you've posted is from a CRS326, which is much weaker as a router (a single 32-bit CPU core at 800 MHz vs four 64-bit CPU cores at 1700 MHz, that's 8 times more throughput even if leaving the 32/64 aside). With queueing, the adva...
by sindy
Sat Mar 12, 2022 9:29 am
Forum: General
Topic: IPSec - no policy found/generated [SOLVED]
Replies: 3
Views: 504

Re: IPSec - no policy found/generated [SOLVED]

It appears that the remote peer asks for another policy in addition to the existing one. So everything works via the policy you actually need, but the peer keeps trying to establish another one that is configured at its end but not at yours. The log should confirm this - you've only shown the lines ...
by sindy
Thu Mar 10, 2022 7:34 am
Forum: General
Topic: What is using up my memory?
Replies: 13
Views: 888

Re: What is using up my memory?

I do use DoH.
See viewtopic.php?t=174836 .

The number of address-list items and tracked connections is so low that it cannot be related to high memory usage.
by sindy
Tue Mar 08, 2022 6:24 pm
Forum: General
Topic: Can't Revoke Certificates after Importing to new hardware - has private key
Replies: 7
Views: 430

Re: Can't Revoke Certificates after Importing to new hardware - has private key

It should be possible to create an individual identity , matching on that particular certificate, and give it a specific policy template group with no template in it. So that peer would be able to complete phase 1 but not create any policy. First try whether it works using one of the peers with a ce...
by sindy
Tue Mar 08, 2022 5:00 pm
Forum: General
Topic: Issue with IOS/Strongswan Roadwarrior Clients IKEv2 EAP+RADIUS [SOLVED]
Replies: 5
Views: 420

Re: Issue with IOS/Strongswan Roadwarrior Clients IKEv2 EAP+RADIUS [SOLVED]

I can see no reason why the Strongswan app on the mobile, acting as an initiator, should send the certificate of your Mikrotik as its own identifier (ID_I), as the log indicates. If your desired setup is where the responder (the Mikrotik) authenticates itself to the initiator using a certificate, an...
by sindy
Tue Mar 08, 2022 2:11 pm
Forum: General
Topic: RouterOS v7 - WAN failover
Replies: 6
Views: 871

Re: RouterOS v7 - WAN failover

Can you elaborate a bit further, please ? Do you mean that, for this to work, "chosen references (here 8.8.8.8 and 8.8.4.4) SHOULD act as ARP proxy but they don't" ? Not the references themselves (they are far away so our ARP requests cannot reach them), the routers to which WAN1 and WAN2...
by sindy
Tue Mar 08, 2022 12:06 pm
Forum: General
Topic: Can't Revoke Certificates after Importing to new hardware - has private key
Replies: 7
Views: 430

Re: Can't Revoke Certificates after Importing to new hardware - has private key

If you export the CA certificate and the issued certificates, the links between them indeed break as they are not exported. Do you need to revoke the certificate on an external CRL server, or do you just want to prevent the holder of that certificate from establishing a VPN connection to the Mikrotik it...
by sindy
Tue Mar 08, 2022 11:24 am
Forum: General
Topic: RouterOS v7 - WAN failover
Replies: 6
Views: 871

Re: RouterOS v7 - WAN failover

The problem is that in the real world, this is not always how WAN fails - there are many issues that could stop internet service for a particular WAN interface. Yes, and that's the very motivation for this whole setup, where the WAN "transparency" is being checked using pings to the Refer...
by sindy
Tue Mar 08, 2022 10:39 am
Forum: General
Topic: ASK [LTE] [SOLVED]
Replies: 13
Views: 726

Re: ASK [LTE] [SOLVED]

To me it seems that even though you tell the LTE interface to use the APN profile named telstra using Winbox, this setting has not made it to the configuration. So try setting it using the command line - /interface lte set lte1 apn-profiles=telstra , and see whether a subsequent export shows it, it ...
by sindy
Tue Mar 08, 2022 12:09 am
Forum: General
Topic: Stalling PPP links
Replies: 4
Views: 319

Re: Stalling PPP links

@MtHoodlum, L2TP does not use TCP as transport so what you say is unrelated. Plus it is also misleading - TCP meltdown is definitely a bad thing but it is not the reason for the particular behavior described in the OP even in SSTP or OpenVPN case, nor is it a "bug". And last, not everyone i...
by sindy
Mon Mar 07, 2022 11:30 pm
Forum: General
Topic: ASK [LTE] [SOLVED]
Replies: 13
Views: 726

Re: ASK [LTE] [SOLVED]

What does /interface lte export show before the reboot when it works and after the reboot when it doesn't? And what is the RouterOS version?
by sindy
Mon Mar 07, 2022 2:03 pm
Forum: General
Topic: ASK [LTE] [SOLVED]
Replies: 13
Views: 726

Re: ASK [LTE] [SOLVED]

I'm not sure I understand the actual issue. I've added an /interface lte apn row with a non-standard apn value, and configured the /interface lte to use that row. It survives both a restart of the LTE modem using /system routerboard usb power-reset and a reboot of the whole router. What exact steps ...
by sindy
Mon Mar 07, 2022 10:21 am
Forum: General
Topic: Stalling PPP links
Replies: 4
Views: 319

Re: Stalling PPP links

What version are you running? My experience in 6.47.10 is different - when the client device gets a new dynamic address, it creates a new (sstp in my case) connection but the old connection survives for minutes at server side until all timeouts expire, so I cannot communicate with the subnets on tha...
by sindy
Mon Mar 07, 2022 9:45 am
Forum: General
Topic: VRF+PPP Secret Routes [SOLVED]
Replies: 1
Views: 195

Re: VRF+PPP Secret Routes [SOLVED]

It doesn't seem to be implemented. Even at client side, if you set add-default-route to yes and the interface is in a vrf, the default route is added to routing table main . Only the connected route is added to the vrf table. As a workaround, you should be able to create a copy of the /ppp profile ro...
by sindy
Sun Mar 06, 2022 9:19 pm
Forum: General
Topic: GRE performance problems
Replies: 5
Views: 380

Re: GRE performance problems

I did do that -- wireshark shows a lot of retransmits and sequence events -- but I'm sure what I can do about it. The MTU is 1280, not 14xx, TCP MSG is set, what else is there to do? I don't say sniffing is a solution, it should just show whether the packets are actually lost or only shuffled. A sm...
by sindy
Sun Mar 06, 2022 4:47 pm
Forum: General
Topic: GRE performance problems
Replies: 5
Views: 380

Re: GRE performance problems

I can look at this as two possible ways: The wireguard AllowedIPs should simply be CHR=192.168.88.2 and 5009=192.168.88.1 The wireguard AllowedIPs on the CHR end should be 199.181.204.128/26 and the 5009=0.0.0.0/0 The second way is right. Normal routing sends the packets to the Wireguard process; th...
by sindy
Sun Mar 06, 2022 9:22 am
Forum: General
Topic: What is using up my memory?
Replies: 13
Views: 888

Re: What is using up my memory?

What is the output of the following commands if you run both now and then both e.g. 8 hours later?
:put [:len [/ip firewall address-list find]]
:put [:len [/ip firewall connection find]]


Do you use DoH (DNS over HTTPS)?
by sindy
Fri Mar 04, 2022 2:18 pm
Forum: General
Topic: VRF Isolation
Replies: 8
Views: 590

Re: VRF Isolation

I also need to test and scale the same setup for my friend and his family so I wonder if the hAP AC can handle it (1 CPU). Potentially 4 separate networks all with Internet access (and possibly a 5th for IoT). The key question here is what is the uplink bandwidth. Here is a test done using 6.4x wit...
by sindy
Fri Mar 04, 2022 8:40 am
Forum: General
Topic: User can login with SSH password when a ssh-key exists for the user
Replies: 4
Views: 343

Re: User can login with SSH password when a ssh-key exists for the user

For some reason, /ip/ssh/set always-allow-password-login=no is not mentioned in the new (confluence-based) documentation, although this setting has not been removed at least until ROS 7.1.3. Also, no, which means that password authentication is disabled for any user whose key has been installed, is...
by sindy
Thu Mar 03, 2022 12:40 pm
Forum: General
Topic: ASK[Email] [SOLVED]
Replies: 20
Views: 2499

Re: ASK[Email] [SOLVED]

What I can see is that the action=src-nat rule matching on out-interface=vpls-xxxx (through which the current default route goes) is restricted to src-address-list=OriginCustomer. Whereas 192.168.0.1 does match that address list, the own address assigned to that interface (172.31.1.66), which is ch...
by sindy
Thu Mar 03, 2022 11:56 am
Forum: General
Topic: ASK[Email] [SOLVED]
Replies: 20
Views: 2499

Re: ASK[Email] [SOLVED]

from the ospf i'm receiving 700+ routes
OK, so post just the output of /ip route print detail where 8.8.8.8 in dst-address, that should be just a few routes.
by sindy
Thu Mar 03, 2022 11:54 am
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 3173

Re: ping and dns problem on ipsec tunnel

The two ipaddress (192.168.19.254, 192.168.14.254) and IP endpoints of the tunnel sit on a vlan 99 tagged interface named BASE_VLAN so you are practically trying to transfer a L2 vlan through the L3 tunnel. That's not how it works. If a packet for an own IP address arrives to the router, the router...
by sindy
Thu Mar 03, 2022 9:46 am
Forum: General
Topic: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]
Replies: 15
Views: 712

Re: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]

I tried to do one PPPoE and one LAN; it works all fine with no problem. I need to know how to force the in and out packets and traffic to go to some specific WAN without any overlap and any missing in LAN-to-WAN traffic by the firewall, and the MTU is not 1500 just in the first pppoe1 which is on ether...
by sindy
Thu Mar 03, 2022 9:01 am
Forum: General
Topic: ASK[Email] [SOLVED]
Replies: 20
Views: 2499

Re: ASK[Email] [SOLVED]

Since dynamic routing (OSPF) is active, what does /ip route print detail show? And what src-address must you add to ping 8.8.8.8 in order for it to work?
by sindy
Wed Mar 02, 2022 9:30 pm
Forum: General
Topic: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]
Replies: 15
Views: 712

Re: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]

So bypassing the MTU discovery on the MT helps how?? If the ISP is still putting out the MTU/ICMP requirements how does that help with external sites............ It's not bypassing the MTU discovery, it's substituting the MTU discovery. Instead of letting the PMTUD iteratively reduce the size of th...
by sindy
Wed Mar 02, 2022 8:45 pm
Forum: General
Topic: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]
Replies: 15
Views: 712

Re: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]

Where did I say that Mikrotik was doing something wrong? The mangle rule is used to work around the fact that the ICMP is blocked somewhere else on the path between the client and the server. The MTU bottleneck is most likely the PPPoE connection - the L2 MTU of an Ethernet interface is typically 15...
by sindy
Wed Mar 02, 2022 7:52 pm
Forum: General
Topic: VRF Isolation
Replies: 8
Views: 590

Re: VRF Isolation

But what if I wanted to take this from Layer 3 isolation to Layer 2? Sorry, I don't get the connection. VRF is an L3 concept, so it works with interfaces on the L3 layer. A VLAN on an L2 link has to be made accessible to the L3 layer by adding an /interface vlan taking care about tagging and untagg...
by sindy
Wed Mar 02, 2022 1:50 pm
Forum: General
Topic: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]
Replies: 15
Views: 712

Re: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]

Why do you have to mangle to change MTU?
Because you don't. The mangle rule doesn't change the MTU - it works around an issue with path MTU discovery.
by sindy
Wed Mar 02, 2022 11:18 am
Forum: General
Topic: ASK[Email] [SOLVED]
Replies: 20
Views: 2499

Re: ASK[Email] [SOLVED]

That sounds as if you have a multi-WAN setup, the traffic to 8.8.8.8 is routed via another WAN than the one chosen by the default route in routing table main, and there is no masquerade rule for traffic leaving via WANs that is sent by the router itself. Can't say anything more precise without seein...
by sindy
Wed Mar 02, 2022 10:59 am
Forum: General
Topic: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]
Replies: 15
Views: 712

Re: HELP WITH ROUTING 3 LAN TO DIFFERNET 3WAN IN SAME ROUTERBOARD [SOLVED]

When some TCP-based services have unspecified problems, the most frequent reason is issues related to Path MTU discovery if the WAN MTU is not 1500 bytes, which is your case here (PPPoE and even VLANs in use). So my first question is - have you tried to backup the configuration, remove all that "...
by sindy
Wed Mar 02, 2022 10:43 am
Forum: General
Topic: VRF Isolation
Replies: 8
Views: 590

Re: VRF Isolation

The order of firewall rules, the understanding of the role of chains, and the understanding of what a stateful firewall means (to me, "state-aware" would be a more explanatory name but English is not my native language) are the key. For your goal you don't actually need a VRF. Drop rules a...
by sindy
Wed Mar 02, 2022 10:31 am
Forum: General
Topic: ASK[Email] [SOLVED]
Replies: 20
Views: 2499

Re: ASK[Email] [SOLVED]

What kind of assistance do you need? So far even the goal is not clear to me - from the srcnat rule it seems that you want to srcnat sessions towards the smtp server to LAN IPs, which makes little sense to me. So you have to be a bit more verbose about the overall scenario.
by sindy
Mon Feb 28, 2022 7:44 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 3173

Re: ping and dns problem on ipsec tunnel

After second phase, conntrack does not know who requested this packet, only just sees an answer and can't match source/destination address pairs for connection state established. In order to be dropped by the action=drop connection-state=invalid rule, the packet would have to be a TCP one (where session ...
by sindy
Mon Feb 28, 2022 3:47 pm
Forum: General
Topic: Retail ISP line Bonding
Replies: 6
Views: 456

Re: Retail ISP line Bonding

First - without which encryption, the PPP one or the IPsec? Second, have you set max-mtu, max-mru and mrru at all ends, to replace IP level fragmentation by MLPPP level splitting? It sometimes helps performance if the network between the client and the server is weird.
by sindy
Sun Feb 27, 2022 2:10 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

So I figure the log does not reveal the cause for selector 0.0.0.0/0 <=> 0.0.0.0/0, neither does it reveal which side (RouterOS or Cisco) is causing this? It does reveal that the requirement for selector 0.0.0.0/0 <=> 0.0.0.0/0 came from the Cisco side. Why Cisco requires it is a different story - ...
by sindy
Sun Feb 27, 2022 10:36 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Do you know how policy's level fits into this configuration? Cannot quite grasp when I would want to touch it, but from the description it seems to be useful here. The description in the manual is not really clear, but level only controls the process of setting up SAs. So for action=none, it is ir...
by sindy
Sat Feb 26, 2022 11:53 am
Forum: General
Topic: Retail ISP line Bonding
Replies: 6
Views: 456

Re: Retail ISP line Bonding

what exactly should go into src-address in l2tp-client? What single address do I use here? If the addresses assigned to your WANs are static (even if assigned by DHCP), you can use directly these addresses. If they are not, you have to use some other addresses that are active on the router; you can...
by sindy
Sat Feb 26, 2022 11:21 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

I find wireshark captures helpful to debugging some fundamental protocol misunderstanding (it's also very educational), since they can be straightforwardly mapped into actual RFCs. Logs are, after all, results of Mikrotik's processing and may hide the issue. Wireshark is perfect to tell you what ha...
by sindy
Fri Feb 25, 2022 8:57 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

I'd rather understand where this "0.0.0.0/0 <=> 0.0.0.0/0 selector" issue is stemming from? Is this something I misconfigured on the RouterOS side? What exactly causes this on the Cisco side? You've provided just a short excerpt from the log, but from there it seems to me that the offer f...
by sindy
Fri Feb 25, 2022 8:37 pm
Forum: General
Topic: Retail ISP line Bonding
Replies: 6
Views: 456

Re: Retail ISP line Bonding

Indirectly - there is a parameter src-address on the /interface l2tp-client row. And then you use /ip route rule to choose a routing table. /ip route rule add src-address=ip.of.wan.1 action=lookup-only-in-table table=via-WAN1 add src-address=ip.of.wan.2 action=lookup-only-in-table table=via-WAN2 /ip...
by sindy
Fri Feb 25, 2022 8:28 pm
Forum: General
Topic: Can I make a dstnat and srcnat for the same sock?
Replies: 2
Views: 235

Re: Can I make a dstnat and srcnat for the same sock?

Yes.
chain=dstnat dst-address=2.2.2.2 dst-port=80 action=dst-nat to-addresses=192.168.1.3
chain=srcnat dst-address=192.168.1.3 dst-port=80 action=src-nat to-addresses=192.168.1.2
by sindy
Fri Feb 25, 2022 8:17 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

It doesn’t, but it can be tolerated as traffic selector is not a route selector. I.e. the router shouldn’t start routing all traffic through IPsec, merely use the same SA for all its traffic. On Mikrotik (and in vanilla IPsec in general) it's different - traffic selector of an enabled policy overri...
by sindy
Fri Feb 25, 2022 2:29 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

As they ask for a 0.0.0.0/0<=>0.0.0.0/0 traffic selector, this looks to me as if they now had a VID at Cisco side.

Something is telling me that with IKE (v1), traffic selectors cannot be negotiated, just accepted or rejected. But I can't give you a reference to a particular RFC.
by sindy
Tue Feb 22, 2022 6:59 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

RouterOS generates a default Proposal (phase 2) with a lifetime of 1d, and a default Profile (phase 1) with a lifetime of 1h. Shouldn't the longer lifetime be assigned to phase 1? On which RouterOS version this happens, and how exactly do you create the profile and proposal? When I add a new profil...
by sindy
Tue Feb 22, 2022 5:40 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 3173

Re: ping and dns problem on ipsec tunnel

I'm afraid they do not have the time to examine this case. With the neverending stream of RouterOS 7.x issues pouring in, you may well be right that this niche case may get less attention right now. It would likely need to replicate the configuration and reduce it to the bare bone, so that noth...
by sindy
Tue Feb 22, 2022 3:25 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

"Policy" is linked with "Proposal", right? A policy is what links a traffic selector (which does not exist as a separate configuration item, its components are parameters on the policy row), proposal, and peer together. And it is related to establishing a security association f...
by sindy
Tue Feb 22, 2022 1:05 pm
Forum: General
Topic: UDP connection tracking not working (OpenVPN)
Replies: 7
Views: 609

Re: UDP connection tracking not working (OpenVPN)

What I have problems accepting is that connection marking and routing marking should behave differently depending on IP protocol type (TCP, UDP), and that it should depend on which particular application sends it. So I'd definitely run /ip firewall connection print detail interval=1s where dst-addre...
by sindy
Mon Feb 21, 2022 9:46 am
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 3173

Re: ping and dns problem on ipsec tunnel

Wireshark can import hex dumps, the result is as follows: Request: (frame header, Ethernet header - not important) Internet Protocol Version 4, Src: 192.168.14.254, Dst: 192.168.19.254 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN:...
by sindy
Sun Feb 20, 2022 10:58 pm
Forum: General
Topic: WireGuard and routing tables
Replies: 19
Views: 1836

Re: WireGuard and routing tables

I'd expect the missing src-nat to be the cause - not only that the allowed-address of a wireguard peer chooses the traffic to be sent to that peer, but it also drops traffic from a peer if its source address doesn't match any of the prefixes in the allowed-address list of that peer. Do you have allo...
by sindy
Sun Feb 20, 2022 10:17 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 3173

Re: ping and dns problem on ipsec tunnel

The identification number is different. I guess this is not normal? It's the IP ID, which is used to match together IP fragments. The ICMP echo ID is not shown here - you have to sniff into files and open them using Wireshark, or read the hex dump of the packets ( /tool sniffer packet print raw if ...
by sindy
Sun Feb 20, 2022 8:09 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 3173

Re: ping and dns problem on ipsec tunnel

Did you try to sniff the received traffic at both ends of the tunnel, to check that the ping responses match the requests?
by sindy
Sun Feb 20, 2022 7:55 pm
Forum: General
Topic: mikrotik as repeater
Replies: 4
Views: 431

Re: mikrotik as repeater

Why does DHCP not work on the equipment connected to the mikrotik? Because there are only three MAC addresses in the wireless frames normally used, so the DHCP server sees all the traffic from the devices at the wired side of your Mikrotik as coming from the Mikrotik's MAC address. As mode=station-...
by sindy
Sun Feb 20, 2022 5:09 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

If you bring back lte2, should this configuration also work? It depends - although the name of the interface is always lteN, the actual interface type, and therefore the behaviour of RouterOS, depends on the behaviour of the modem. So if the default route added dynamically by RouterOS has gateway=...
by sindy
Sun Feb 20, 2022 11:04 am
Forum: Announcements
Topic: v7.2rc2 and v7.2rc3 is released!
Replies: 229
Views: 52328

Re: v7.2rc2 and v7.2rc3 is released!

How is PPTP any less secure than running IPIP, EoIP or any other VPN protocol with no cipher enabled that will show no such warning? ... There is no need for Mikrotik to be babysitting its users. I'm afraid that's only related to the thing of perceived security. There is no username and password s...
by sindy
Sun Feb 20, 2022 10:54 am
Forum: General
Topic: Why does my IPIP tunnel disconnect?
Replies: 2
Views: 286

Re: Why does my IPIP tunnel disconnect?

You mention dynamic addresses of nodes, could that be related? Besides, if there are dynamic addresses, I suppose you use DDNS (Mikrotik Cloud DNS or other) as IPIP's remote-address, there may also be a delay when updating the DDNS data. An IPIP tunnel is always shown as running unless you use a ke...
by sindy
Sat Feb 19, 2022 11:09 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

Strange. Have you tried to set the gateway of the route towards 9.9.9.9 to ppp-out1 and the gateway of the route towards 1.1.1.1 to lte1 as I've suggested? The thing is that in RouterOS 6, the recursive nexthop search only worked if all the gateway parameters of the routes involved in the recursion ...
by sindy
Fri Feb 18, 2022 12:10 am
Forum: General
Topic: UDP connection tracking not working (OpenVPN)
Replies: 7
Views: 609

Re: UDP connection tracking not working (OpenVPN)

I don't know whether it is a consequence of anonymisation that went wrong, but if not, it should be the real reason: /interface list member add interface=ether1 list="True WAN" add interface=ISP_B list="True WAN" add interface= ISP_A list="True WAN" /ip firewall mangle ...
by sindy
Thu Feb 17, 2022 8:07 pm
Forum: General
Topic: UDP connection tracking not working (OpenVPN)
Replies: 7
Views: 609

Re: UDP connection tracking not working (OpenVPN)

In that case, follow the advice in my automatic signature below. Something must be wrong in the config (or, less likely, in RouterOS 7).
by sindy
Thu Feb 17, 2022 5:13 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

found (Applicable for ROS7). Creating custom routing tables for each of the providers /routing/table/add but I can't figure out with /ip/route/add routing-mark Sorry, my bad (or Mikrotik's bad, for changing things without an actual purpose): it is now /ip/route/add routing-table whereas in mangle ...
by sindy
Thu Feb 17, 2022 4:07 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

You can try to set the gateway of the route to 9.9.9.9 to ppp-out1 instead of 10.112.112.xxx . If the routes via 9.9.9.9 remain available after that, great. If not, it will require a script in /ppp profile to update the gateway of those routes with the up-to-date one, in that case come back.
by sindy
Thu Feb 17, 2022 2:50 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

sindy, I really wanted to build a configuration with traffic aggregation between both ppp-out1 and lte1. Indeed, in such a configuration, as far as I understand, everything will work even when one of the interfaces exits. So no specific handling for specific traffic, ok. As for "everything wil...
by sindy
Thu Feb 17, 2022 1:03 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

sindy, you can write easier. After your last message, I'm at a loss as to what to do next.
Next, express what behaviour you expect from the "combination" of the WANs. The complexity or simplicity of the setup depends on what you want it to do.
by sindy
Thu Feb 17, 2022 12:23 pm
Forum: General
Topic: Help Chateau LTE12 how to dual wan lte
Replies: 94
Views: 4779

Re: Help Chateau LTE12 how to dual wan lte

There are two extremities - one is to keep using one of the WANs for all the connections as long as it works, and only use the second one if the first one fails, and the other one is to distribute the traffic among both of them per individual connection (so two consecutive reloads of the same web pa...
by sindy
Thu Feb 17, 2022 12:15 am
Forum: General
Topic: 5 WAN IP's, one Wan port = dropping incoming packets
Replies: 6
Views: 511

Re: 5 WAN IP's, one Wan port = dropping incoming packets

I'm not sure if connection table is cleared as well if the whole rule gets removed or disabled. It doesn't - the rules in the srcnat and dstnat chains only handle the initial packet of each connection. The connection data in connection tracking store the verdict of each of these chains, including t...
by sindy
Wed Feb 16, 2022 1:59 pm
Forum: General
Topic: Cannot dial out wifi-call from mobile phone [SOLVED]
Replies: 79
Views: 14276

Re: Cannot dial out wifi-call from mobile phone [SOLVED]

If you mean below rule, then this rule just blocks everything. /ip firewall raw add action=notrack chain=prerouting in-interface=!bridge Sure, the idea was that instead of positive matching on in-bridge-port(-list) , you have to use negative matching on IP interface ( in-interface=!bridge ), becaus...
by sindy
Wed Feb 16, 2022 12:24 pm
Forum: General
Topic: Cannot dial out wifi-call from mobile phone [SOLVED]
Replies: 79
Views: 14276

Re: Cannot dial out wifi-call from mobile phone [SOLVED]

Mangle would be too late, but I've realized in the meantime that in-bridge-port-list would act during the second pass as well, which is not what we want.

So in-interface=!bridge should do the job.
by sindy
Wed Feb 16, 2022 12:10 pm
Forum: General
Topic: Cannot dial out wifi-call from mobile phone [SOLVED]
Replies: 79
Views: 14276

Re: Cannot dial out wifi-call from mobile phone [SOLVED]

In fact you should not need the out-interface in raw to make it work. in-bridge-port-list matching to an interface list consisting of all ports of the bridge should alone be sufficient to do the trick.
by sindy
Wed Feb 16, 2022 11:54 am
Forum: General
Topic: Cannot dial out wifi-call from mobile phone [SOLVED]
Replies: 79
Views: 14276

Re: Cannot dial out wifi-call from mobile phone [SOLVED]

Just to double-check, when talking about Bridge IP Firewall, do you have in mind /interface bridge filter or indeed /interface bridge settings set use-ip-firewall=yes ? In the latter case, yes, that causes a lot of trouble with NAT because the L2 frames pass through the firewall already before routi...
by sindy
Wed Feb 16, 2022 10:16 am
Forum: General
Topic: RouterOS 7 - Wireguard site-to-site over multiple wans [SOLVED]
Replies: 7
Views: 742

Re: RouterOS 7 - Wireguard site-to-site over multiple wans [SOLVED]

The main problem is that every wireguard interface on one routerboard/CCR/CHR has the same public key, so I can't use the same approach for GRE over IPSEC, if I understood what you meant Unless some "older" 7.x.y version was creating the same key pair for all interfaces, the only other re...
by sindy
Wed Feb 16, 2022 12:38 am
Forum: General
Topic: modem R11e-LTE & band setup [SOLVED]
Replies: 4
Views: 408

Re: modem R11e-LTE & band setup [SOLVED]

I've just tested that on an actual R11e-LTE (before, I was testing using R11e-LTE6) - I've run cell monitor first to see what is around, then set band only to the bands shown. It took a while before the info started showing full functionality, and then cell monitor was showing only a single channel ...
by sindy
Tue Feb 15, 2022 11:34 pm
Forum: General
Topic: Is bridging a virtual interface possible for VxLAN
Replies: 7
Views: 490

Re: Is bridging a virtual interface possible for VxLAN

assuming that ether4 and ether5 on the CCR are currently unused: /interface bridge vlan add bridge=BRIDGE-VXLAN-VNI-101 vlan-ids=703 tagged=vxlan101,ether2 add bridge=BRIDGE-VXLAN-VNI-101 vlan-ids=704 tagged=vxlan101,ether2 /interface bridge port add bridge=BRIDGE-VXLAN-VNI-101 interface=ether4 pvi...
by sindy
Tue Feb 15, 2022 11:11 pm
Forum: General
Topic: Is bridging a virtual interface possible for VxLAN
Replies: 7
Views: 490

Re: Is bridging a virtual interface possible for VxLAN

So you want to use some Ethernet ports on the CCR instead of ether2 and ether3 on the 750, each serving as an access port to one of the VLANs. The CCR itself doesn't need to access the VLANs, i.e. you will only connect the external equipment that was connected to 750's ether2 and ether3 to the newly...
by sindy
Tue Feb 15, 2022 10:39 pm
Forum: General
Topic: Is bridging a virtual interface possible for VxLAN
Replies: 7
Views: 490

Re: Is bridging a virtual interface possible for VxLAN

I'm not sure I understand your concern. you can make a VxLAN interface a member port of any bridge, and it doesn't matter whether the other member ports of that bridge are physical Ethernet ports, virtual L2 ports (such as EoIP or other VxLAN), or no other ports at all for that matter. You can also ...
by sindy
Tue Feb 15, 2022 6:49 pm
Forum: General
Topic: DUplicate encryption setting for L2TP + IPsec
Replies: 1
Views: 179

Re: DUplicate encryption setting for L2TP + IPsec

If not, what is the Use Encryption setting for in the PPP Profile? It activates MPPE (Microsoft Point-to-Point Encryption), and indeed you can use the /ppp profile with use-encryption=no if you protect L2TP using IPsec. MPPE is not considered secure enough these days so it doesn't provide any se...
by sindy
Tue Feb 15, 2022 4:30 pm
Forum: General
Topic: Site-To-Site VPN AWS problem
Replies: 46
Views: 2753

Re: Site-To-Site VPN AWS problem

your last post said invert src and dst so reconfirming if I understood correctly It only said so because you've apparently already tried with the correct src and dst and it failed, and you haven't given any details regarding which of the subnets is at which end until the previous post, so I wasn't ...
by sindy
Tue Feb 15, 2022 3:20 pm
Forum: General
Topic: Site-To-Site VPN AWS problem
Replies: 46
Views: 2753

Re: Site-To-Site VPN AWS problem

If so, that would be wrong. DST at Mikrotik must be the AWS subnet and SRC at Mikrotik must be the remote subnet.
by sindy
Tue Feb 15, 2022 2:34 pm
Forum: General
Topic: Switchports with multi VLANs
Replies: 5
Views: 830

Re: Switchports with multi VLANs

I'm surprised you said it was a mess. I repeat, everything was correctly configured. Well, my concern was that you use the "one bridge per VLAN" approach, which normally excludes hardware-accelerated bridging - but maybe on CRS, this is not an issue as long as each such bridge uses a dist...
by sindy
Tue Feb 15, 2022 11:06 am
Forum: General
Topic: Ports open and allowing "Internet" access to Webfig. Shodan.io report.
Replies: 48
Views: 2132

Re: Ports open and allowing "Internet" access to Webfig. Shodan.io report.

... or you could call it "cloud nmap", allowing you to audit your network from the outside.
by sindy
Tue Feb 15, 2022 10:36 am
Forum: General
Topic: How add routes to switch site-to-site tunnel from PPTP to IKEv2
Replies: 15
Views: 853

Re: How add routes to switch site-to-site tunnel from PPTP to IKEv2

You only need to refer to a mode-config row on the identity row if you are an initiator asking for an IP address to use and list of remote subnets to access (split-include), or when you are a responder providing this information to the initiator. For a site2site VPN, none of these is necessary (al...
by sindy
Tue Feb 15, 2022 9:20 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Cisco's IPsec DVTI does not seem to require any <-> any policy as it expects a set of specific policies.
...
In that case, I didn't dig deep enough into Cisco's settings. I've only seen an any<->any offer.
by sindy
Tue Feb 15, 2022 9:14 am
Forum: General
Topic: UDP connection tracking not working (OpenVPN)
Replies: 7
Views: 609

Re: UDP connection tracking not working (OpenVPN)

When you use /tool sniffer quick port=1194 ip-address=ip.of.the.client, can you see the OVPN client requests incoming via ISP B to be indeed responded via ISP B?
by sindy
Tue Feb 15, 2022 12:28 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

But then you kind of throw away much of the protocol and render many aspects of IKEv2 redundant. Don't you end up with a completely different beast in that case that's only somewhat based on IPsec's IKEv2? If you understand "protocol" in the wider sense, i.e. including the required handli...
by sindy
Tue Feb 15, 2022 12:17 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Cisco, Fortinet, ...

2.9.2 is not actually relevant, it basically just says "don't screw an already negotiated TS during rekeying".
by sindy
Tue Feb 15, 2022 12:13 am
Forum: General
Topic: How add routes to switch site-to-site tunnel from PPTP to IKEv2
Replies: 15
Views: 853

Re: How add routes to switch site-to-site tunnel from PPTP to IKEv2

The passive parameter should actually say passive-only - if it is set to no , the peer both attempts to actively initiate a connection towards the actual peer specified by address and responds to incoming connections from that peer (if any arrive). You cannot have an "initiator-only" peer....
by sindy
Mon Feb 14, 2022 11:48 pm
Forum: General
Topic: modem R11e-LTE & band setup [SOLVED]
Replies: 4
Views: 408

Re: modem R11e-LTE & band setup [SOLVED]

After unset 0 band, try to power-cycle the modem using /system routerboard usb power-cycle bus=0 duration=10s.
by sindy
Mon Feb 14, 2022 11:37 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

I still don't understand why a VTI requires negotiation of 0.0.0.0/0<->0.0.0.0/0 before other policies can be applied. Because the IPsec RFC requires that the traffic selector was negotiated as part of the process of establishing the pair of security associations for transport of encrypted payload ...
by sindy
Mon Feb 14, 2022 11:18 pm
Forum: General
Topic: How add routes to switch site-to-site tunnel from PPTP to IKEv2
Replies: 15
Views: 853

Re: How add routes to switch site-to-site tunnel from PPTP to IKEv2

Does this mean you cannot have two IPsec peers with ::/0 addresses? Indeed, you cannot have multiple peers with identical (address, local-address, exchange-mode) tuple, as these three parameters are used to choose the best matching peer; if multiple peers with all these parameters identical exi...
by sindy
Mon Feb 14, 2022 9:29 pm
Forum: General
Topic: How add routes to switch site-to-site tunnel from PPTP to IKEv2
Replies: 15
Views: 853

Re: How add routes to switch site-to-site tunnel from PPTP to IKEv2

Can you explain why the new policy (9) is invalid? On the command line, the policies are marked as I (nvalid) if the peer they are linked to is disabled. In Winbox, the I is not shown but instead they appear in red. Other than that, policy 9 is not shadowed by any of the previous ones (except the t...
by sindy
Mon Feb 14, 2022 6:53 pm
Forum: General
Topic: how does L3HW actually works?
Replies: 42
Views: 5232

Re: how does L3HW actually works?

Thank you, @raimondsp. I wish all the documentation was written this way.
by sindy
Mon Feb 14, 2022 6:46 pm
Forum: General
Topic: GRE tunnel functionality (high level question)
Replies: 1
Views: 192

Re: GRE tunnel functionality (high level question)

1. yes, you can. However, there are scenarios where setting a particular local-address does make sense. 2. yes, but in another way - it will re-resolve the fqdn to an address each time the previous DNS response expires, and if the address in the new response differs from the previous one, it will re...
by sindy
Mon Feb 14, 2022 6:29 pm
Forum: General
Topic: How add routes to switch site-to-site tunnel from PPTP to IKEv2
Replies: 15
Views: 853

Re: How add routes to switch site-to-site tunnel from PPTP to IKEv2

The mikrotiks A and B are both edge routers/firewalls, and both have public IP's which are dynamic. ... I've been reading about the various options you suggest GRE is even more outdated than L2TP; IKE (v1) which is used as part of the standardized L2TP/IPsec combo is kind of outdated too but since b...
by sindy
Mon Feb 14, 2022 4:30 pm
Forum: General
Topic: Ports open and allowing "Internet" access to Webfig. Shodan.io report.
Replies: 48
Views: 2132

Re: Ports open and allowing "Internet" access to Webfig. Shodan.io report.

8291 is Winbox, 8278 is API - see IP->Services. 2000 is bandwidth test server (not shown under IP->Services).
by sindy
Mon Feb 14, 2022 3:33 pm
Forum: General
Topic: Sofware VLAN/Bridge on RuterOS explained.
Replies: 68
Views: 37085

Re: Sofware VLAN/Bridge on RuterOS explained.

Feel free to use GUI to configure, but show the current configuration in the form of a text export, not as screenshots. The information density per pixel is much worse with screenshots, text search cannot be done, etc. The "best current practice" is to host each IP subnet in its own VLAN. ...
by sindy
Mon Feb 14, 2022 3:21 pm
Forum: General
Topic: Site-To-Site VPN AWS problem
Replies: 46
Views: 2753

Re: Site-To-Site VPN AWS problem

in template src-address and dst-address should not be changed? Not in the template, but maybe in the static policy after all - I have missed that in the original log, the highlighted part was a response from AWS to our suggestion for 0.0.0.0/0<->0.0.0.0/0, so the meaning of the TS_I and TS_R fields...
by sindy
Mon Feb 14, 2022 2:38 pm
Forum: General
Topic: Ports open and allowing "Internet" access to Webfig. Shodan.io report.
Replies: 48
Views: 2132

Re: Ports open and allowing "Internet" access to Webfig. Shodan.io report.

... Also I see logon attempts in my logs, but I missed to copy them and not sure how to restore those log entries. I am seriously concerned about this and do not want it. Never had it before using Mikrotik. It was blank. Advice? There are no rules whatsoever in chain input of /ip firewall filter,...
by sindy
Mon Feb 14, 2022 1:47 pm
Forum: General
Topic: Site-To-Site VPN AWS problem
Replies: 46
Views: 2753

Re: Site-To-Site VPN AWS problem

Strange, so try the following: /ip ipsec policy disable [find peer=AWS] /ip ipsec policy group add name=AWS /ip ipsec policy add template=yes group=AWS proposal=AWS-proposal /ip ipsec identity set [find peer=AWS] policy-template-group=AWS generate-policy=port-strict and see what happens. Because in ...
by sindy
Mon Feb 14, 2022 1:04 pm
Forum: General
Topic: How add routes to switch site-to-site tunnel from PPTP to IKEv2
Replies: 15
Views: 853

Re: How add routes to switch site-to-site tunnel from PPTP to IKEv2

In bare IPsec, there are no routes, there are just the traffic selectors of policies. So if you want networks A1, A2, A3 to freely talk to networks B1, B2, B3, you need 9 policies to cover all possible src/dst pairs. Which quickly turns into a prescription to a headache. You can allow one side to cr...
by sindy
Mon Feb 14, 2022 12:33 pm
Forum: General
Topic: RouterOS 7 - Wireguard site-to-site over multiple wans [SOLVED]
Replies: 7
Views: 742

Re: RouterOS 7 - Wireguard site-to-site over multiple wans [SOLVED]

There seems to be a dispute in progress in Riga currently whether to permit the same remote public key for peers under different Wireguard interfaces on the same machine. So for the time being, use different keys for each wireguard "link". Forever, use different Wireguard interfaces (one p...
by sindy
Mon Feb 14, 2022 12:10 pm
Forum: General
Topic: cant set password with certain special chars from command line
Replies: 6
Views: 522

Re: cant set password with certain special chars from command line

Escape the question mark using a \, just like you'd have to escape a $ or a ". Or create the user with a bogus password, and then use /user edit abcde password to set the one you really want. (Just a joke: or upgrade to RouterOS 7 where the ? has been replaced by [F1] for invocation of the he...
by sindy
Mon Feb 14, 2022 12:00 pm
Forum: General
Topic: Site-To-Site VPN AWS problem
Replies: 46
Views: 2753

Re: Site-To-Site VPN AWS problem

The answer is in this part: Feb/14/2022 09:09:46 ipsec processing payload: TS_I Feb/14/2022 09:09:46 ipsec 172.31.0.0/16 Feb/14/2022 09:09:46 ipsec processing payload: TS_R Feb/14/2022 09:09:46 ipsec 10.10.10.0/24 Feb/14/2022 09:09:46 ipsec my vs peer's selectors: Feb/14/2022 09:09:46 ipsec 0.0.0.0/...
by sindy
Mon Feb 14, 2022 11:25 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

From the end - from the usage point of view, what is called "VTI" in the IPsec context is equivalent to any plain point-to-point tunnel like all the flavors of PPP, GRE in L3 mode, or IPIP (IPencap) - what you throw in at one end will fall out at the other end. So no way to link a group of...
by sindy
Sun Feb 13, 2022 8:09 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Why do you say two VTIs? Simply because VTI is a Virtual Tunnel Interface , so the packets are sent into the tunnel through one VTI at one router and emerge from the tunnel via the other VTI on the other router. Hence "traffic between two VTIs". Couldn’t one still have an interface with t...
by sindy
Sun Feb 13, 2022 6:43 pm
Forum: General
Topic: Treat multiple IKEv2 connections through same remote host differently
Replies: 6
Views: 431

Re: Treat multiple IKEv2 connections through same remote host differently

Pre 7.x to be precise. Whereas creating a client certificate the right way (i.e. generating a CSR on the Windows, delivering it to the CA for signing, and importing the signed certificate back to the Windows) is complicated on the Windows to put it softly, I haven't found any way how to do this on A...
by sindy
Sun Feb 13, 2022 5:36 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Whatever reverse-matches a traffic selector of an existing IPsec policy, even of an inactive one, but did not arrive via the security association linked to that policy, must be dropped. Use of VTI breaks this principle. I know, I know, so does you-name-it over IPsec. But it may be a bit complex to i...
by sindy
Sun Feb 13, 2022 5:12 pm
Forum: General
Topic: Treat multiple IKEv2 connections through same remote host differently
Replies: 6
Views: 431

Re: Treat multiple IKEv2 connections through same remote host differently

And btw, have I understood properly that you consider using a common certificate for multiple IPsec initiators? Because doing so is technically possible but it is a very bad idea. The Windows embedded client is unfortunately unable to request the password for the private key of the certificate at VP...
by sindy
Sun Feb 13, 2022 5:05 pm
Forum: General
Topic: Treat multiple IKEv2 connections through same remote host differently
Replies: 6
Views: 431

Re: Treat multiple IKEv2 connections through same remote host differently

What I am saying is that IPsec on Mikrotik doesn't create any virtual interfaces, and you also don't need to add any address at the router side. Bare IPsec steals packets matching its traffic selectors and redirects them via the IPsec connection. So when the Windows client connects using IKEv2, you'l...
by sindy
Sun Feb 13, 2022 4:00 pm
Forum: General
Topic: Can't get untagged ports from hEX PoE (switch)
Replies: 4
Views: 317

Re: Can't get untagged ports from hEX PoE (switch)

Under /interface bridge port, change frame-types from admit-only-untagged-and-priority-tagged to admit-all for ether2; doing so will make it a hybrid port.
by sindy
Sun Feb 13, 2022 3:32 pm
Forum: General
Topic: IKEv2 policy error upon connection
Replies: 8
Views: 608

Re: IKEv2 policy error upon connection

So there is a chance that in a real life setup, the connection will survive. It indeed does. I've realized that an old Sextant was collecting dust in my attic, so I've made it a 7.1.2 User Manager, added a row with auth-mode=eap-radius to /ip ipsec identity at the same 6.47.10 responder to which th...
by sindy
Sun Feb 13, 2022 1:07 pm
Forum: General
Topic: IKEv2 policy error upon connection
Replies: 8
Views: 608

Re: IKEv2 policy error upon connection

You say EAP is not supported on ROS v6, but I do see these options on 6.49.2 Do you mean they don’t function? Are you talking about /ip ipsec identity (auth-mode=eap-radius, eap-methods) or about the User Manager? I had no need to run 6.49.2 yet, but I haven't noticed anything related to User Ma...
by sindy
Sun Feb 13, 2022 12:57 pm
Forum: General
Topic: IKEv2 policy error upon connection
Replies: 8
Views: 608

Re: IKEv2 policy error upon connection

Regarding UN/PW for connection, I'm running routerOS 6.49, I think upgrading the OS is more than I can handle at this point. But I'll keep an eye on when that's working. I don't mind distributing my own CA cert to users, but creating a per user cert is painful. For now I think I'll create one cert ...
by sindy
Sun Feb 13, 2022 11:47 am
Forum: General
Topic: Treat multiple IKEv2 connections through same remote host differently
Replies: 6
Views: 431

Re: Treat multiple IKEv2 connections through same remote host differently

I will have multiple users at a remote site connecting into my local site using IKEv2. ... I THINK that I need to create a new 'identity' which identifies them by their cert, and then assigns them IP's from a different pool (with a different interface, different local IP). Then I can use that IP po...
by sindy
Sun Feb 13, 2022 11:36 am
Forum: General
Topic: IKEv2 policy error upon connection
Replies: 8
Views: 608

Re: IKEv2 policy error upon connection

The above does work indeed, but not with the Windows native VPN client - unless authentication using machine certificate is chosen at Windows side, the embedded client always uses an IP address as the initiator ID, and you cannot specify ADDR4 as a remote ID type on an /ip ipsec identity row. Leavin...
by sindy
Sun Feb 13, 2022 11:14 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 75
Views: 3513

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

I am wondering since it has the setting "mode tunnel" in it... ... I am assuming that my Mikrotik configuration is the equivalent to what Cisco calls "crypto map", is this correct? It's a vernacular issue. IPsec distinguishes between "transport mode" and "tunnel...
by sindy
Sun Feb 13, 2022 10:56 am
Forum: General
Topic: route internal traffic to L2TP VPN [SOLVED]
Replies: 9
Views: 593

Re: route internal traffic to L2TP VPN [SOLVED]

after I removed those policies I disabled the l2tp client connection and enabled again and those policies were added back in. It's two different things. Yes, when you set use-ipsec to yes or required in /interface l2tp-server server settings, a peer and identity are created dynamically, using the d...
by sindy
Sat Feb 12, 2022 10:24 pm
Forum: General
Topic: [EoIP over DSL] throughput expectations?
Replies: 2
Views: 265

Re: [EoIP over DSL] throughput expectations?

I have seen issues related to randomly lost fragments on multiple unrelated networks, so I wonder whether that can be related to your experience here too. Have you set the MTU of the EoIP interfaces low enough to be sure the transport (EoIP) packets wouldn't be fragmented? Other than that, I had bet...
by sindy
Sat Feb 12, 2022 10:00 pm
Forum: General
Topic: IKEv2 policy error upon connection
Replies: 8
Views: 608

Re: IKEv2 policy error upon connection

You've shown neither the complete configuration nor the debug log from Mikrotik, so the only possible response is "something is wrong". Add ipsec debug logging: /system logging add topics=ipsec,!packet as the log will be quite verbose and might not fit in the memory buffer, run /log print ...