MikroTik

sindy

On the CRS305 can I force a different MAC when I will use sfpplus3 to carry the second wan to the Firewall ? No, you cannot - there is no switch chip rule that can change the source MAC address of a frame, let alone that it could change it inside the payload of the DHCP packets where it is probably...

sindy

Switch Rules is not easy to troubleshoot, no stats no monitoring and If I am correct when there is a Switch Rule matching I cannot have packet capture with streaming ? Correct. I think you can sniff if you force copying of the ingress frames to the CPU, but you have to make sure the traffic volume ...

sindy

Observation: the behaviour you describe is a stateful one - a single DHCP renewal changes how multiple subsequent packets are handled. Fact: there is nothing stateful about the switch chip rules themselves. Conclusion: the behaviour you observe is not caused by switch chip rules. Assumption: the L2 ...

sindy

I don't want to install PGP for this single case - can we use just openssl instead? My public key for openssl is -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArauOfFEn3Grb2WhnlKe1 hEG9bwq+7fJiDhFyCK+CcmXwQyGWl4LIop5VCTNUYq/++PSFOAmkoLA1+TMTAN6s f7ukyVErCxpfUMy+xhutVzsVDHIaAS...

sindy

I'm not sure I get you right - the statistics you've posted shows both sfp-sfpplus2 and sfp-sfpplus2 to handle both Tx and Rx traffic. Is it that you have some other statistics on the Fortinet that says that there is no Rx on VLAN 112, i.e. that the CRS does not forward frames received at sfp-sfpplu...

sindy

If this helps, it means that those thousands of connections are indeed initiated from the internet towards those addresses. Blackholing this destination means that no tracked connections are created in your firewall any more, but once you start actually using some of these the addresses, you'll have...

sindy

When you say "use scripting" what would that involve? Does MT have a scripting language? (can I get references?) https://wiki.mikrotik.com/wiki/Manual:Scripting What would you do if you had the setup I describe It depends on what is the goal. What I've understood was that you wanted the t...

sindy

It may or may not be wrong, depending on what hosts are in your LAN subnet and what is their intended activity and what is your configuration. Since your ISP routes traffic for 256 public IPs to you, chances are high that some of the connections are caused by attack attempts coming to these public I...

sindy

The trouble with such an approach is the bursty nature of packet traffic, so the bandwidth occupation is not stable, and since all your uplinks are unrelated, all packets of any given connection must use the same WAN. Another trouble is that when a new connection is established, you don't know in ad...

sindy

You have set add-default-route=yes at both the PPPoE client interface (WAN) and the PPTP client interface (VPN), and you haven't specified default-route-distance for either, so both have the default distance value of 1 and thus it is random which one of them becomes active when both interfaces are u...

sindy

Since traceroute when the link is up reaches the first done 10.11.5.146 but during outage it doesn't, it means the connection issue is anywhere between my router and the first node, right? Correct. The question is what goes wrong - the physical link may be down, the address assignment may time out ...

sindy

In fact, if the ESXi is totally under your control, you can make use of proxy-arp functionality. If you create another interface (ether2) at the CHR, and assign and IP address to it the following way: /ip address add interface=ether2 address=56.56.56.30/32 network=56.56.56.1 and set /interface ether...

sindy

Unfortunately the AP is not a Mikrotik

Then the station-pseudobridge mode is what you need, as the 4 MAC addresses frame formats are usually incompatible between vendors.

sindy

I was expecting to see the queue configuration in the export, but never mind, the issue seems to be clear, but please confirm my understanding. There is a gateway in the subnet (.1); you expect that if you put the CHR to the same subnet with an address .3, and tell the PC (address .4) that its gatew...

sindy

Bridge the wlan interface with the ethernet one(s) at the hAP mini. If the AP is not a Mikrotik one, or it is a Mikrotik one controlled using CAPsMAN, set the wlan1 mode to station-pseudobridge . Attach a DHCP client to the bridge if you want the hAP mini to get its own IP adress to be manageable vi...

sindy

Nothing to suggest without a configuration export. What I assume is that you misinterpret what the upload and download means in the vernacular of simple queues - since you use the CHR to hairpin the traffic, you cannot use the interface name as target . Maybe you'll even have to use queue tree rathe...

sindy

When you tried to turn the conntrack off, did you have any rule in filter/NAT table? And did the connections table flushed after turning off? Yes to both - there are two NAT rules, and the connections table is empty after setting enabled to no . As soon as I put it back to auto , some connections r...

sindy

Because of this I opened this ticket, what that is. The thing is that what you've actually open is not a "ticket" - it is a discussion topic on a peer forum. To open a real support ticket, you have to use https://help.mikrotik.com/servicedesk/servicedesk/customer/user/login?destination=po...

sindy

Look at subnets/address ranges used, routing, and firewall rules. Maybe the OVPN clients do not have routes to the LAN subnet of the 2nd Mikrotik, maybe the 2nd Mikrotik doesn't have a route to the subnet (range) from which the 1st one assigns addresses to the OVPN clients, maybe the 1st Mikrotik do...

sindy

Such a configuration (VRRPs on multiple VLANs on the same bridge or standalone L2 interface) is fully legal so what you experience must be a misconfiguration or a bug. A non-obvious thing I could think of are firewall rules not allowing incoming VRRP traffic on the VLAN interfaces; if it's not that,...

sindy

I wouldn't expect that avoiding connection marking helps much

It doesn't help performance, but it simplifies the setup.

sindy

Thats interesting! Is this somewhere written? The only description I have found is at https://thermalcircle.de/doku.php?id=blog:linux:connection_tracking_3_state_and_examples (search for --ctstate INVALID on that page). Does the Invalid-Matcher here takes into account a ICMP echo reply cant be vali...

sindy

The main point is that per-connection-classifier takes a hash of the chosen address and port fields of the packet header, which is the same for every packet belonging to the same direction of a given connection, so you can use it to directly assign a routing-mark value to the packet. So load distrib...

sindy

Normally, a packet is attributed with connection state invalid if it does not match the expected state of a connection. But such analysis is only possible for protocols that are stateful on their own, such as TCP or SCTP. So a UDP packet can never be attributed with invalid as the very first packet ...

sindy

Are both peers on public IP addresses, i.e. is bare ESP used as transport protocol? If so, does the input chain of the firewall at both devices accept ESP packets?

sindy

There is no way to "fix" this at the level of the bonding implementation, as bonding doesn't add any field to the frames being broadcast that would allow to identify the duplicates. Adding such a field would make the RouterOS implementation of bonding incompatible with other ones and would...

sindy

The certificate-based security works best if the private key to the certificate doesn't ever leave the device that uses the certificate to prove its identity. So to create a CSR directly on the Mikrotik itself: create a /certificate item filled with the required key-usage , common-name , subject-alt...

sindy

I cannot see anything in the configurations that should block packet flow between the 192.168.0.0/21 subnets of a pair of satellite sites. The /ppp secret items at the CO router do contain the routes items, the /ip firewall filter rules do not block the traffic between two L2TP server interfaces (an...

sindy

I only touch the 7.x softly so far, no deep diving. So no, I haven't.

sindy

The trouble is finally over, with google disabling support for the insecure SMTP. Google has introduced a per-device generated password that can be used for this. Mikrotik can send e-mails using TLS. You can also have a look at sending notifications via Telegram - there are several related topics h...

sindy

Mikrotik support is rock ! A forum like this is the second best thing to an actual support for the users, but if Mikrotik was to provide this amount of support directly, you would have to pay a lot for a support contract or the equipment would have to cost much more (look at Cisco, there's both, th...

sindy

I'm not sure I understand well what you want to do. If the traffic should be sent and received tagged with VID 832 at the ONU SFP port, and received and sent tagless at the Fortigate-facing port, that's a normal behavior, you just configure the Fortigate-facing port as an access one to VLAN 832, and...

sindy

It's a bug, open a support ticket. I have just tested it, and not only that the export shows the internal interface id, but it even shows a wrong one. Try /interface/print where .id=*13 - in my case, it looks as follows: [me@chr-7-1] > routing/filter/rule/print Flags: X - disabled, I - inactive 0 ch...

sindy

A lot has been said here so far but no one has mentioned the fact that 7.x always uses the bundle package, so if some packages are not installed in the current 6.x installation, the upgrade will fail. I'm not sure whether it is enough to install the missing packages in 6.x or whether only "full...

sindy

L2TP might filter duplicates, you can use BCP mode to transport at L2, but I have never tried to use it this way. No sequence numbers in GRE, let alone EoIP, which also misuses the 4 bytes of tunnel ID by using only 2 bytes for tunnel ID and the other 2 bytes for payload frame size, so firewalls ide...

sindy

But I'm still getting these errors: Only the first one is important here, the other two are just consequences. are these the same exact certificates that you downloaded and errors were removed? Interestingly, no, and it seems to be the root cause of your trouble. Leaving aside that your links are h...

sindy

The whole manual from hide.me is weird. It does not suggest loading of the two CA certificates, however you managed to do that, good. I have imported all three certificates to 6.47.10 and to 6.48.6; neither version shows the A(uthority) flag for the two DigiCert CA certificates, but I've found that ...

sindy

Something must have gone wrong, because the certificates you've installed are not marked with A(uthority) in the status column.

sindy

On an 8337, you have to use /interface ethernet switch vlan and /interface ethernet switch port menu to configure VLANs together with hardware offloading, because activation of vlan-filtering in the /interface bridge configuration deactivates hardware forwarding. But be sure there are no loops in yo...

sindy

No more ideas here. On the protocol development status page, PIM-SM is shown as fully working, but in the absence of any working example in the manual, it is hard to find out what is wrong.

sindy

system/logging/add topics=pim

then try to add the local address of one of the bridges as a static rendezvous point:
/routing/pimsm/static-rp/add address=192.168.9.1 instance=only

sindy

If you don't care which link will be actually used, create a bridge, attach the PPPoE client to it, and set the two physical links as two ports of that bridge with horizon=123 (the actual number is not important, it just must be the same for both ports to prevent looping of frames and it only has a ...

sindy

/routing/pimsm/instance/add name=only
/routing/pimsm/interface-template/add instance=only interfaces=bridge1,bridge2

The addresses are the local ones, that's normal.

sindy

/routing/pimsm is what you need, but the documentation is a stub so far. The IP address you have provided, 224.0.0.50, is a multicast one. So the device sends a packet to that multicast address from its unicast one; since the destination address is a multicast one, the multicast routing will forwar...

sindy

The purpose of allowing higher bandwidth for connections that just started is to provide better experience for interactive services while limiting regular downloads to the contract bandwidth. Leaving aside the ethical aspects, technically, your approach is unlikely to work unless you have public add...

sindy

If you don't mind the large payload packets to get split into two transport ones, use MLPPP on the L2TP link. At both the L2TP server and client, set max-mtu=1100 max-mru=1100 mrru=1504 (change the settings at the server first as the change at the client will cause the connection to reestablish whil...

sindy

Look at multicast routing, but you may get disappointed like I did if the recipient of the multicast packets doesn't work properly.

sindy

i thought that i can manage that from the WG-Server You can but not by means of Wireguard. allowed-address is compared to the destination address of a packet to be sent to the peer, and to source address of a packet received from a peer. So to "manage that at the WG server", you have to u...

sindy

At the Mikrotik side, set level=unique for all the policies. If this is already done, it will require debugging.

sindy

I'm from China, so the description of the problem is not very detailed How are these things related? If I have many PPPoE links, can I specify which use PPPoE line for all data of L2TP client？ for example： l2tp-out2 --》 pppoe-out1 l2tp-out4 --》 pppoe-out2 Not directly, you have to use policy routin...

sindy

You will get packets for the .144.xx/29 and .91.xx/30 from the ISP; it depends on you how you organize your internal network. If you want to assign all 12 addresses to servers in your network, you have to use a special setup where the address at the 2004 end will be a private one and the public one ...

sindy

If you do it the way I suggest, you'll have local (Mikrotik) timestamps.

sindy

The configuration seems fine to me, so it is time for debugging.

At both devices, what does /ip firewall connection print interval=1s where dst-address~":4500" and /ip ipsec active-peers print interval=1s show if you let each run for a minute?

sindy

It was never possible to use connection marks in routes (to compose routing tables), these were always routing marks. A "routing mark" and a "routing table name" are more or less the same thing, the nuance is that a routing rule (not route) can match on one routing-mark value (as...

sindy

Have you disabled or removed the action=fasttrack-connection rule in chain forward in /ip firewall filter?

sindy

TZSP action is not suitable for me. If the reason is that you need to sniff to file directly at a remote Mikrotik device, there is a workaround. Create an IPIP tunnel with !keepalive (so that it appears to be always up) and set its MTU to, say, 1700. Then, create a route dst-address=100.100.100.100...

sindy

Ah, yes, I need better glasses

But as the CHR is running somewhere in France, I didn't even think that the "in Iran the sites that sells VPS doesn't provide Pfsense" statement could be related to the hosting.

sindy

I'm not sure I get the point with pfSense - to my understanding, it is an operating system like RouterOS, not a VPN protocol like OpenVPN or Wireguard. So installing a virtual pfSense instead of CHR and configuring OpenVPN on it might be easier than using a general purpose Linux distribution. And I ...

sindy

Look at this post and the few ones after. But my Italian is based on my Romanian which itself is worse than poor

sindy

Whom exactly

? @anav, @sindy, @tangent (in alphabetical order)?

sindy

Zerotier may be a solution, but be careful about leakage of traffic between sites of different customers.

sindy

From your last post it seems that the colocated Mikrotik may be placed between your panel controller and the rest of the customer's LAN, i.e. only the Mikrotik would be directly connected to customer's LAN, and the panel controller would be connected to another interface of the Mikrotik. Is that the...

sindy

You can try Wireguard instead of OpenVPN, or you can run a linux VM instead of CHR in France. But I've just tried the "OpenVPN for Android" application - it allows to configure routing of everything via the tunnel no matter whether the server pushes a route list. In fact, it is even the de...

sindy

RouterOS does not support pushing routes in OpenVPN. You have to configure the route manually - after the client connects, run
route add 0.0.0.0 MASK 0.0.0.0 ip.of.the.gw from command line. You may have to add a route to your Mikrotik in France and remove the existing default route.

sindy

Just need to query, what will happens to the other local IP addresses? for example, 192.168.2.2, ...., 192.168.2.220 will be src-nated to address xxx.xxx.xxx.66 or xxx.xxx.xxx.67 as of the original suffix and so on? or some of the local IP addresses (192.168.0.0/22) will NAT-ed as the original suff...

sindy

I'm not sure I understand why setting a gazilion of port forwarding rules on pfSense should be easier than setting the same gazilion of port forwarding rules directly on the hAP? It's a single rule as follows per each service: chain=dstnat in-interface-list=WAN dst-port=X action=dst-nat to-addresses...

sindy

@svt11, what is the issue you need help with? The fact that you cannot access management of R2 from R1 or something else?

sindy

What Windows sends in order to obtain a routing table is a specific DHCP message, DHCPINFORM. It is not possible to attach a DHCP server to an L3 interface, and despite its name, L2TP only supports L2 tunnels if both the server and the client support it. As far as I know, Mikrotik only responds DHCP...

sindy

What surprised me was that you've configured ether8 and ether9 as member ports of the trunk, but you've made them individual ports of the bridge, rather than assigning the trunk port to the bridge. But the main issue is still the fact that you've got multiple bridges and/or that you ask CRS125 to ro...

sindy

netmap substitutes the prefix and keeps the original suffix of the address. So with this rule, 16 private addresses, 192.168.0.1, 192.168.0.65, 192.168.0.129, ..., 192.168.3.193 will all be src-nated to xxx.xxx.xxx.65. If you are OK with that, go ahead. masquerade differs from src-nat in two tightl...

sindy

Just to add some context to what @AidanAus wrote - as you mention "access some service s on VM s " but just a single "fixed public IPv4", there is no way to handle this without port forwarding anyway, no matter whether that single public IP is assigned to the hAP ac3 or to a virt...

sindy

Yes I can see the interface using /interface gre print , please see below for output. The output shows that RouterOS considers the tunnel interface to be down. When keepalive is activated, the tunnel interface is considered down if it receives no packets for a certain period of time. My understandi...

sindy

Is the tunnel shown as running in /interface gre print? Because I can see no other reason why the route with GRE_Tunnel as gateway should be down (gateway unreachable).

sindy

Let's put it another way - does the panel controller need to talk to other devices in the customers' LAN, or is it enough that you can reach it "somehow"? I.e. do the customers provision the contents to show on the panels, or deliver it live, via LAN or do the customers tell you what to co...

sindy

I now have access but it's slower that expected. The question is what have you expected. hAP ac doesn't support hardware encryption for IPsec, and the encryption algorithm used by Wireguard should be a bit faster than the aes256 you were using in IPsec, but not 10 times. I'm wondering whether I dis...

sindy

Ah... you have disabled the IPsec peers and/or identities, but not the static policies. An IPsec policy intercepts matching packets even if no security association is established. This is by design, not a bug.

sindy

I used the .3 just as an example of a particular destination address, to illustrate the shadowning effect. You only use 10.255.255.1 and 10.255.255.2 as gateway IPs, so the routes to 192.168.64.0/24 and 192.168.65.0/24 have 10.255.255.x as gateway , rather than the Wireguard interface name directly....

sindy

I'll first try to give you an overview rather than detailed instructions what to change. Wireguard works different than IPsec, where the traffic selector of a policy overrides the results of the normal routing. Think of the Wireguard process as of another router. To deliver a packet with destination...

sindy

What you seem to ask for is an L2 tunnel between your support center and the customer's LAN. This is possible, but it is a security nightmare, as any malware eventually squatting in one of your customers' LANs can infect your support PC, and then it can spread to other customers' LANs once you conne...

sindy

The routers on each end show the ping requests and replies and they are small pings so not larger than the MTU so I'm at a loss here. So you can sniff on the routers at both ends of the tunnel, and you can see both requests and responses at both ends? If so, I'd expect something about the ICMP echo...

sindy

@sindy: I don't want to risk overheating my brain, but wouldn't this also help with your L2TP/IPSec loop? If "help with" is an euphemism for "allow to get rid of", then yes - the sole purpose of the hairpin tunnel was to work around the unavailability of src-nat on input in ROS ...

sindy

Another application case - two VPN clients on the same router that need to connect to the same remote server via different WANs of the router. For some VPN types (L2TP), you can specify source-address and use policy routing to link each to another WAN; for other ones (SSTP), the source-address param...

sindy

a question arises ... do you need a VPN to a CHR to appear from a single IP? Or does it work like in PCC load balance? The VPN server on the CHR will tolerate that the client connects from another IP address unless you explicitly prevent that. For UDP based VPNs, the choice of WAN may only change i...

sindy

Последний конфиг, который я вижу - от 24 марта. В нем нет маршрутов через OpenVPN в сети на стороне ASUS, значит я не знаю, чего еще в нем нет. Не вижу ничего, что бы объясняло, почему Микротик отвечает на пинг, а управлять им невозможно, при выключенном брандмауре . Как именно ты выключил брандмаур...

sindy

Отключение firewall не помогло. Отключать файрвол (брандмаур, межсетевой экран) всегда плохая идея. В чем сейчас может быть проблема? Если адрес Микротика пингуется со стороны Асуса, но управление им через тот же адрес невозможно, проблема может быть в файрволе, в настройке разрешенных адресов прям...

sindy

That's the very essence of my suggestion - as the only available policy matches on 10.0.5.0/24 at the Mikrotik side, you have to src-nat the traffic from 192.168.4.0/24 to make it match the policy.

sindy

i mean with unstable (elevated ping, Frequent VPN disconnection, even sometime can't connect). and sometimes work fine best ping with no problem. OK, so indeed intermittent problems. the problem increase with some isp ips range You mean depending on what address you get from your local ISP? i prefe...

sindy

Exactly, just modify the interfaces and addresses according to your actual environment.

sindy

hello, I have two fttc with 50 mbps in download ... is it possible using the mangle nth to add the two downloads and get 100mbps? Yes, but... a single download using a single TCP session will always use only one of the fttc links (exceptions exist but a number of factors have to contribute for it t...

sindy

how do i setup the private IP from the management VLAN1 (192.168.11.254)? /ip address add address=192.168.11.254/24 interface=???? Replace the questionmarks with the name of an interface where you want this address to be placed. As you mention management VLAN 1, the proper interface would be the in...

sindy

I am afraid the person who told you that a CRS328 can shape traffic on egress (which seems to be what you actually ask for - to drop low-priority traffic that exceeds the 100 Mbit bandwidth of the egress port rather than queueing it in a common queue with the high-priority one) didn't have enough in...

sindy

The whole magic consists in creating the IPsec configuration ( peer & identity ) dynamically from the configuration data of the L2TP and hidden templates for both, using the default profile , and then creating a policy using the template in the default policy group (to which the policy-group par...

sindy

If you cannot change the setup of the right side, and it doesn't accept additional traffic selectors proposed by the peer at the left, your only chance is to src-nat the traffic from 192.168.4.0/24 to some address(es) from 10.0.5.0/24, as below: /ip firewall nat add chain=srcnat place-before=as-appr...

sindy

Конечно не работает - дело ведь не в отсутствии маршрутов на Микротике в сторону сабнетов за Асусом, а в отсутствии маршрутов на Асусе в сторону сабнетов за Микротиком. OpenVPN сервер - это фактически самостоятельный маршрутизатор. Маршрутизация операционной системы ему отдаст трафик для всех пиров,...

sindy

the connection become unstable my the not open Please translate what exactly means "unstable". To me, "unstable" means that it sometimes works and sometimes doesn't, or that the speed is changing. i created my own cloud vpn using routeros So if I understand properly, the VPN ser...

sindy

Only thing am not sure about is my ISP router us still working as router, matter of fact i am typing this post via the wireless of the ISP router so am not sure why people keep saying after IP passthrough is setup i cant access ISP router anymore, i still CAN and i can at the ISP local ip still The...

sindy

I havent done any packet capture on that port 1000 traffic to see if there is anything I can us to direct it to one box or the other. Even if there was, it would be at application level, which the firewall cannot work with if the connection is a TCP one, and can work quite unreliably if the connect...

sindy

/routing/rule
add routing-mark=pppoe1 action=lookup-only-in-table table=pppoe1
add routing-mark=pppoe2 action=lookup-only-in-table table=pppoe2

sindy

why do routers have many ports? Routers may be used in more complex scenarios than just a single WAN and multiple (V)LANs. Also the bandwidth of a single port may not be sufficient to host all the traffic volume. And it would probably be too complicated to manufacture multiple routers with the same...

sindy

That sounds like a weak router that cannot deal with the traffic volume without using fasttracking in the firewall, or like a powerful enough router where you forgot to disable fasttracking so only few packets actually take the proper way. The fact that we talk about RB951 here suggests that it is t...

sindy

BUT the ISP router is still working as router. What is going on? Am i doing something wrong? There are two explanations. Either you've set the public IP address on your Mikrotik's WAN interface in parallel to some other one (you can even have a dhcp client and multiple manually configured addresses...

sindy

As @Kentzo has pointed out, there is only a single L2TP server that listens at all addresses, but this is not the limitation in this case. The IPsec connection has to get established first, before the L2TP exchange begins, so there is no way how the PPP user credentials could be used to choose an IP...

sindy

You cannot put processing of a packet on hold, but normally the protocol stack (in case of TCP connection) or the application (in case of UDP connection) takes more than a single attempt to initiate a connection before giving up. So dropping the very first packet of each connection should not be too...

sindy

Forgot to ask. Does this apply to both versions RouterOS and 6 and 7? No idea. However, you are right - although I personally consider it a bug (or at least a strange design), you have to assign some pool to the server even if other pools are linked to it via the vendor-class-id records. But that &...

sindy

When sindy adds a dhcp-server he doesn't specify a pool.
As a result, value = static-only and in this case, no addresses were given to the phones.
So I used the RTU_OthersPhones pool there.

I'm surprised, that should not be necessary, the pool should be chosen based on the VID.

sindy

Все заработало как надо поле добавления в НАТ сеть openvpn маскарадит. А это уже вопрос другой. Маскарада - одно решение, которого достаточно, если во всех соединениях оборудование в ЛАН Микротика выступает клиентом. А если вдруг нужно подключаться через ВЧС с Асус-конца, маскарада не поможет, так ...

sindy

/ip/firewall/mangle/print where chain=prerouting
/ip/firewall/mangle/add place-before=0 chain=prerouting in-interface-list=LAN dst-address=192.168.0.0/16 action=accept

sindy

с самого роутера могу достучаться до сервера и машин за ними, а вот с машин за клиентом не получается. Все что я пытался прописать в /ip route не сработало, не пойму как это реализовать при двух провайдерах на клиенте. Мне кажется, что правила, которые обеспечивают выбор нужной дополнительной табли...

sindy

By the way, maybe I found a bug in dhcp-server. When I tried to use the network 172.22.102.160/28 for Fanvil X7A phones, the dhcp-server gave the address 172.22.102.160 to the phone, i.e. network address, not first host address (172.22.102.161) :? It is not a bug. The address item on an /ip dhcp-se...

sindy

@sindy i installed a LTAP LTE6 this week. I noticed nothing strange compared to other MikroTIK LTE devices i' ve used ( WAP, WAP LTE6, LHGG,) as far as the configuration is concerned . As @Amm0 wrote above, there is a difference between the default configuration script of an LtAP "LTE(6) kit&q...

sindy

How can I grab the 7.1.3 output of the /system/default-config from my LtAP?

The way I've suggested above. But you don't need to do that - @Amm0 has already posted the result a few posts earlier.

Simply put: your LtAP behaves exactly as intended and documented by Mikrotik, it ain't broken.

sindy

I would suggest you to reset to defaults, then upgrade to 7.1.3 and test again... Look into the default configuration script of 7.1.3 as posted by @Amm0 in this post . It sets exactly what OP is getting. No point in spawning it over and over again, the result will be the same. It is a question for ...

sindy

Where can I get a good known working copy of 7.1.3 then? I obtained mine from MikrTik's website.

I don't say it broke during download. If it indeed doesn't set the items you're missing, it has been broken in development.

sindy

I just wanted to see if this is normal LtAP behavior or if mine is goofy right out of the box. That's why I've suggested you to dump the default configuration script and see whether it adds the IP address etc. Since you can add all that manually, the hardware is not broken. Hence the most likely th...

sindy

I periodically study the wiki for my understanding of the wisdom of Mikrotik. But, unfortunately, I did not see anything similar to my first question there, nor a description of setting up a DHCP server with multiple pools. It's not there this clear. /ip pool add name=for-fanvil ranges=192.168.34.1...

sindy

I have tried netinstall several times. The question is how does the default configuration look like in case of 7.1.3 on LtAP. /system/default-configuration/print file=defconf will place the default configuration script into a file named defconf.txt, which you can download and inspect. Other than th...

sindy

Are there any export of interface that I can do and import them to save time? You cannot save a backup of the configuration and load it on another model. But you can export the configuration into a script and run that script on another device regardless its architecture. In order to make it run suc...

sindy

I was unable to replace disk image, all I got is:
ERROR: could not find disk!
Please attach it somewhere else.

It sounds as if the VM has been created in an unusual way. Before entering that wget... | funzip | dd ... line, what does ls /dev/ show?
And what does mount | grep sd show?

sindy

But I wonder if it's ok if I plugged a 1A adapter and won't fried the routerboard? It depends on whether the wires are just in parallel or whether there is some diode setup preventing current from feeding the Mikrotik.If they are parallel, a slightly higher voltage on the external source may give t...

sindy

In order to handle the own traffic of the router, such as the one of the socks5, the action=change-mss rules must be in chains output and input of mangle.

sindy

Just a wild guess, but the symptoms sounds similar to me like this issue . So try sniffing on the 4011 to check what's actually going on and whether packets arriving from the WAN side and reassembled do not exceed the MTU of the PC's interface because the MTU of the LAN bridge is set too high. Maybe...

sindy

I suppose this would also be some kind of proof that IPsec is working with barely any delay? Yup, IPsec encryption and decryption is not the reason of the jitter. You may try a ping to the CHR's public address using slightly larger packets, matching the size of the ESP ones, to see whether it's the...

sindy

I can paste my configurations here but I'll need time to clean them up before posting them here. More eyes usually see more, hence worth it. Are there any other performance tests between routers that I can do beside the usual ICMP ping and bandwidth test? Just sniff at the WAN interface of the 4011...

sindy

Are there any known common causes of such issues? The ISP at the location is not perfect but I suppose it shouldn't make such a drastic difference? The location with difficulties in question runs on a WISP provider. The locations that work properly are on LTE and Fiber. Can't deny that it might be ...

sindy

Hmm, but how do I add IPSec tunnel to WAN list? You don't as there is currently no virtual interface associated to IPsec. The in-interface attribute of IPsec payload packets is inherited from the transport packets that brought them. Normally, there is an ipsec-policy match condition, which matches ...

sindy

Your /certificate crl print shows an empty list, and under /certificate settings , use of crls is disabled. Hence when inspecting a certificate received from an initiator, the responder does not look for it on the CRL. There is no point in having two mechanisms for that, so there is no "shortcu...

sindy

The thing is that the action=src-nat rule matching on the src-address-list specified on the /ip ipsec mode-config row is only consulted when the very first packet of a new connection is processed. Once a connection gets established, its subsequent packets get NATed to the address assigned by the VPN...

sindy

Can anyone with sip tracing skills help me out with some wireshark pcap files and logs privately?

Here's how you can send me your contact info privately: viewtopic.php?p=902082#p902082 (a few posts after there are more details if needed).

sindy

Are you bombenfest that those multiple users can be connected to the Mikrotik L2TP/IPsec server from behind the same public IP? Because that's the actual issue here, and the resource you've linked doesn't address it in any way.

sindy

The information which phase 1 has been authenticated using which remote certificate is not available as a status one (i.e. is not available among properties of an active-peers item). The only way to find it is to activate logging of ipsec and direct it to a disk. But when you mention revoked certifi...

sindy

Yes, disable RSTP on bridge2s, as there is no risk of looping (at least until you add another site and connect it to both). RSTP should live tagless on bridge1, so it will not leak to bridge2 via /interface vlan vlan-id=10 , but it would leak from bridge2 to bridge1 and get tagged on the way. Other ...

sindy

I must be missing something here. If I can get the blocking done, this solution would be perfect for my scenario. This way I don't have to deal with complicated configuration with multiple bridges bridging interfaces that already sit on top of another bridge. It has been reported by multiple users ...

sindy

Well, you've referred to CCR 2004 and 600 Mbit/s, but the configuration you've posted is from a CRS326, which is much weaker as a router (a single 32-bit CPU core at 800 MHz vs four 64-bit CPU cores at 1700 MHz, that's 8 times more throughput even if leaving the 32/64 aside). With queueing, the adva...

sindy

It appears that the remote peer asks for another policy in addition to the existing one. So everything works via the policy you actually need, but the peer keeps trying to establish another one that is configured at its end but not at yours. The log should confirm this - you've only shown the lines ...

sindy

I do use DoH.

See viewtopic.php?t=174836 .

The number of address-list items and tracked connections is so low that it cannot be related to high memory usage.

sindy

It should be possible to create an individual identity , matching on that particular certificate, and give it a specific policy template group with no template in it. So that peer would be able to complete phase 1 but not create any policy. First try whether it works using one of the peers with a ce...

sindy

I can see no reason why the Strongswan app on the mobile, acting as an initiator, should send the certificate of your Mikrotik as its own identifier (ID_I), as the log indicates. If your desired setup is where the responder (the Mikrotik) authenticates itself to the initiator using a certificate, an...

sindy

Can you elaborate a bit further, please ? Do you mean that, for this to work, "chosen references (here 8.8.8.8 and 8.8.4.4) SHOULD act as ARP proxy but they don't" ? Not the references themselves (they are far away so our ARP requests cannot reach them), the routers to which WAN1 and WAN2...

sindy

If you export the CA certificate and the issued certificates, the links between them indeed break as they are not exported. Do you need to revoke the certificate on an external CRL server or you just want to prevent the holder of that certificate from establishing a VPN connection to the Mikrotik it...

sindy

The problem is that in the real world, this is not always how WAN fails - there are many issues that could stop internet service for a particular WAN interface. Yes, and that's the very motivation for this whole setup, where the WAN "transparency" is being checked using pings to the Refer...

sindy

To me it seems that even though you tell the LTE interface to use the APN profile named telstra using Winbox, this setting has not made it to the configuration. So try setting it using the command line - /interface lte set lte1 apn-profiles=telstra , and see whether a subsequent export shows it, it ...

sindy

@MtHoodlum, L2TP does not use TCP as transport so what you say is unrelated. Plus it is also misleading - TCP meltdown is definitely a bad thing but it is not the reason of the particular behavior described in the OP even in SSTP or OpenVPN case, nor is it a "bug". And last, not everyone i...

sindy

What does /interface lte export show before the reboot when it works and after the reboot when it doesn't? And what is the RouterOS version?

sindy

I'm not sure I understand the actual issue. I've added an /interface lte apn row with a non-standard apn value, and configured the /interface lte to use that row. It survives both a restart of the LTE modem using /system routerboard usb power-reset and a reboot of the whole router. What exact steps ...

sindy

What version are you running? My experience in 6.47.10 is different - when the client device gets a new dynamic address, it creates a new (sstp in my case) connection but the old connection survives for minutes at server side until all timeouts expire, so I cannot communicate with the subnets on tha...

sindy

It doesn't seem to be implemented. Even at client side, if you set add-default-route to yes and the interface is in a vrf, the default route is added to routing table main . Only the conected route is added to the vrf table. As a workaround, you should be able to create a copy of the /ppp profile ro...

sindy

I did do that -- wireshark shoes a lot of retransmits and sequence events -- but I'm sure what I can do about it. The MTU is 1280, not 14xx, TCP MSG is set, what else is there to do? I don't say sniffing is a solution, it should just show whether the packets are actually lost or only shuffled. A sm...

sindy

I can look at this as two possible ways: The wireguard AllowdIPs should simply be CHR=192.168.88.2 and 5009=192.168.88.1 The wireguard AllowedIPs on the CHR end should be 199.181.204.128/26 and the 5009=0.0.0.0/0 The second way is right. Normal routing sends the packets to the Wireguard process; th...

sindy

What is the output of the following commands if you run both now and then both e.g. 8 hours later?
:put [:len [/ip firewall address-list find]]
:put [:len [/ip firewall connection find]]

Do you use DoH (DNS over HTTPS)?

sindy

I also need to test and scale the same setup for my friend and his family so I wonder if the hAP AC can handle it (1 CPU). Potentially 4 separate networks all with Internet access (and possibly a 5th for IoT). The key question here is what is the uplink bandwidth. Here is a test done using 6.4x wit...

sindy

For some reason, /ip/ssh/set always-allow-password-login=no is not mentioned in the new (confluence-based) documentation, although this setting has not been removed at least until ROS 7.1.3. Also, no , which means that password authentication is disabled for any user whose key has been installed, is...

sindy

Explanation and solution here.

sindy

What I can see is that the action=src-nat rule matching on out-interface=vpls-xxxx (through which the current default route goes) is restricted to src-address-list=OriginCustomer . Whereas 192.168.0.1 does match that address list, the own address assigned to that interface (172.31.1.66), which is ch...

sindy

from the ospf i'm receiving 700+ routes

OK, so post just the output of /ip route print detail where 8.8.8.8 in dst-address , that should be just a few routes.

sindy

The two ipaddress (192.168.19.254, 192.168.14.254) and IP endpoints of the tunnel sit on a vlan 99 tagged interface named BASE_VLAN so you are practically trying to transfer a L2 vlan through the L3 tunnel. That's not how it works. If a packet for an own IP address arrives to the router, the router...

sindy

i tried to do one pppoe and one lan its work all fine with no problem i need to know how to force the in and out packet and traffic to go to some specific wan without any overlap and any missing in lan to wan traffic by the firewall and the mtu is not 1500 just in the first pppoe1 which is on ether...

sindy

Since dynamic routing (OSPF) is active, what does /ip route print detail show? And what src-address you must add to ping 8.8.8.8 in order that it worked?

sindy

So bypassing the MTU discovery on the MT helps how?? If the ISP is still putting out the MTU/ICMP requirements how does that help with external sites............ It's not bypassing the MTU discovery, it's substituting the MTU discovery. Instead of letting the PMTUD iteratively reduce the size of th...

sindy

Where did I say that Mikrotik was doing something wrong? The mangle rule is used to work around the fact that the ICMP is blocked somewhere else on the path between the client and the server. The MTU bottleneck is most likely the PPPoE connection - the L2 MTU of an Ethernet interface is typically 15...

sindy

But what if I wanted to take this from Layer 3 isolation to Layer 2? Sorry, I don't get the connection. VRF is an L3 concept, so it works with interfaces on the L3 layer. A VLAN on an L2 link has to be made accessible to the L3 layer by adding an /interface vlan taking care about tagging and untagg...

sindy

https://en.wikipedia.org/wiki/Path_MTU_Discovery

sindy

Why do you have to mangle to change MTU?

Because you don't. The mangle rule doesn't change the MTU - it works around an issue with path MTU discovery.

sindy

That sounds as if you have a multi-WAN setup, the traffic to 8.8.8.8 is routed via another WAN than the one chosen by the default route in routing table main, and there is no masquerade rule for traffic leaving via WANs that is sent by the router itself. Can't say anything more precise without seein...

sindy

When some TCP-based services have unspecified problems, the most frequent reason are issues related to Path MTU discovery if the WAN MTU is not 1500 bytes, which is your case here (PPPoE and even VLANs in use). So my first question is - have you tried to backup the configuration, remove all that &qu...

sindy

The order of firewall rules, the understanding of the role of chains, and the understanding of what a stateful firewall means (to me, "state-aware" would be a more explanatory name but English is not my native language) are the key. For your goal you don't actually need a VRF. Drop rules a...

sindy

What kind of assistance do you need? So far even the goal is not clear to me - from the srcnat rule it seems that you want to srcnat sessions towards the smtp server to LAN IPs, which makes little sense to me. So you have to be a bit more verbose about the overall scenario.

sindy

After second phase, conntrack not known who requested this packet, only just see an answer and cant match source destination address pairs for connection state established. In order to be dropped by the action=drop connection-state=invalid rule, the packet would have to be a TCP one (where session ...

sindy

First - without which encryption, the PPP one or the IPsec? Second, have you set max-mtu, max-mru and mrru at all ends, to replace IP level fragmentation by MLPPP level splitting? It sometimes helps performance if the network between the client and the server is weird.

sindy

So I figure the log does not reveal the cause for selector 0.0.0.0/0 <=> 0.0.0.0/0, neither does it reveal which side (RouterOS or Cisco) is causing this? It does reveal that the requirement for selector 0.0.0.0/0 <=> 0.0.0.0/0 came from the Cisco side. Why Cisco requires it is a different story - ...

sindy

Do you know how policy's level fits into this configuration? Cannot quite grasp when I would want to touch it, but from the description it seems to be useful here. The description in the manual is not really clear, but level only controls the process of setting up SAs. So for action=none , it is ir...

sindy

what exactly should go into src-address in l2tp-client? What single address do I use here? If the addresses assigned to your WANs are static (even if assigned by DHCP), you can use directly these addresses. If they are not, you have to use some other addresses that are active on the router; you can...

sindy

I find wireshark captures helpful to debugging some fundamental protocol misunderstanding (it's also very educational), since they can be straightforwardly mapped into actual RFCs. Logs are, after all, results of Mikrotik's processing and may hide the issue. Wireshark is perfect to tell you what ha...

sindy

I'd rather understand where this "0.0.0.0/0 <=> 0.0.0.0/0 selector" issue is stemming from? Is this something I misconfigured on the RouterOS side? What exactly causes this on the Cisco side? You've provided just a short excerpt from the log, but from there it seems to me that the offer f...

sindy

Indirectly - there is a parameter src-address on the /interface l2tp-client row. And then you use /ip route rule to choose a routing table. /ip route rule add src-address=ip.of.wan.1 action=lookup-only-in-table table=via-WAN1 add src-address=ip.of.wan.2 action=lookup-only-in-table table=via-WAN2 /ip...

sindy

Yes.
chain=dstnat dst-address=2.2.2.2 dst-port=80 action=dst-nat to-addresses=192.168.1.3
chain=srcnat dst-address=192.168.1.3 dst-port=80 action=src-nat to-addresses=192.168.1.2

sindy

It doesn’t, but it can be tolerated as traffic selector is not a route selector. I.e. the router shouldn’t start routing all traffic through IPsec, merely use the same SA for all its traffic. On Mikrotik (and in vanilla IPsec in general) it's different - traffic selector of an enabled policy overri...

sindy

As they ask for a 0.0.0.0/0<=>0.0.0.0/0 traffic selector, this looks to me as if they now had a VID at Cisco side.

Something is telling me that with IKE (v1), traffic selectors cannot be negotiated, just accepted or rejected. But I can't give you a reference to a particular RFC.

sindy

RouterOS generates a default Proposal (phase 2) with a lifetime of 1d, and a default Profile (phase 1) with a lifetime of 1h. Shouldn't the longer lifetime be assigned to phase 1? On which RouterOS version this happens, and how exactly do you create the profile and proposal? When I add a new profil...

sindy

I'm affraid they do not have the time to examine this case. With the neverending stream of RouterOS 7.x is issues pouring in, you may well be right that this niche case may get less attention right now. It would likely need to replicate the configuration and reduce it to the bare bone, so that noth...

sindy

"Policy" is linked with "Proposal", right? A policy is what links a traffic selector (which does not exist as a separate configuration item, its components are parameters on the policy row), proposal , and peer together. And it is related to establishing a security association f...

sindy

What I have problems to accept is that connection marking and routing marking should behave differently depending on IP protocol type (TCP, UDP), and that it should depend on which particular application sends it. So I'd definitely run /ip firewall connection print detail interval=1s where dst-addre...

sindy

Wireshark can import hex dumps, the result is as follows: Request: (frame header, Ethernet header - not important) Internet Protocol Version 4, Src: 192.168.14.254, Dst: 192.168.19.254 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN:...

sindy

I'd expect the missing src-nat to be the cause - not only that the allowed-address of a wireguard peer chooses the traffic to be sent to that peer, but it also drops traffic from a peer if its source address doesn't match any of the prefixes in the allowed-address list of that peer. Do you have allo...

sindy

The identification number is different. I guess this is not normal? It's the IP ID, which is used to match together IP fragments. The ICMP echo ID is not shown here - you have to sniff into files and open them using Wireshark, or read the hex dump of the packets ( /tool sniffer packet print raw if ...

sindy

Did you try to sniff the received traffic at both ends of the tunnel, to check that the ping responses match the requests?

sindy

Why does DHCP not work on the equipment connected to the mikrotik? Because there are only three MAC addresses in the wireless frames normally used, so the DHCP server sees all the traffic from the devices at the wired side of your Mikrotik as coming from the Mikrotik's MAC address. As mode=station-...

sindy

If you bring back lte2, should this configuration also work? It depends - although the name of the interface is always lteN , the actual interface type, and therefore the behaviour of RouterOS, depends on the behaviour of the modem. So if the default route added dynamically by RouterOS has gateway=...

sindy

How is PPTP any less secure than running IPIP, EoIP or any other VPN protocol with no cipher enabled that will show no such warning? ... There is no need for Mikrotik to be babysitting it's users. I'm afraid that's only related to the thing of perceived security. There is no username and password s...

sindy

You mention dynamic addresses of nodes, could that be related? Besides, if there are dynamic addresses, I suppose you use DDNS (Mikrotik Cloud DNS or other) as IPIP's remote-address , there may also be a delay when updating the DDNS data. An IPIP tunnel is always shown as running unless you use a ke...

sindy

Strange. Have you tried to set the gateway of the route towards 9.9.9.9 to ppp-out1 and the gateway of the route towards 1.1.1.1 to lte1 as I've suggested? The thing is that in RouterOS 6, the recursive nexthop search only worked if all the gateway parameters of the routes involved in the recursion ...

sindy

I don't know whether it is a consequence of anonymisation that went wrong, but if not, it should be the real reason: /interface list member add interface=ether1 list="True WAN" add interface=ISP_B list="True WAN" add interface= ISP_A list="True WAN" /ip firewall mangle ...

sindy

In that case, follow the advice in my automatic signature below. Something must be wrong in the config (or, less likely, in RouterOS 7).

sindy

found (Applicable for ROS7). Creating custom routing tables for each of the providers /routing/table/add but I can't figure out with /ip/route/add routing-mark Sorry, my bad (or Mikrotik's bad, for changing things without an actual purpose): it is now /ip/route/add routing -table whereas in mangle ...

sindy

You can try to set the gateway of the route to 9.9.9.9 to ppp-out1 instead of 10.112.112.xxx . If the routes via 9.9.9.9 remain available after that, great. If not, it will require a script in /ppp profile to update the gateway of those routes with the up-to-date one, in that case come back.

sindy

sindy, I really wanted to build a configuration with traffic aggregation between both ppp-out1 and lte1. Indeed, in such a configuration, as far as I understand, everything will work even when one of the interfaces exits. So no specific handling for specific traffic, ok. As for "everything wil...

sindy

sindy, you can write easier. After your last message, I'm at a loss as to what to do next.

Next, express what behaviour you expect from the "combination" of the WANs. The complexity or simplicity of the setup depends on what you want it to do.

sindy

There are two extremities - one is to keep using one of the WANs for all the connections as long as it works, and only use the second one if the first one fails, and the other one is to distribute the traffic among both of them per individual connection (so two consecutive reloads of the same web pa...

sindy

I'm not sure if connection table is cleared as well if the whole rule gets removed or disabled. It doesn't - the rules in the srcnat and dstnat chains only handle the initial packet of each connection. The connection data in connection tracking store the verdict of each of these chains, including t...

sindy

If you mean below rule, then this rule just blocks everything. /ip firewall raw add action=notrack chain=prerouting in-interface=!bridge Sure, the idea was that instead of positive matching on in-bridge-port(-list) , you have to use negative matching on IP interface ( in-interface=!bridge ), becaus...

sindy

Mangle would be too late, but I've realized in the meantime that in-bridge-port-list would act during the second pass as well, which is not what we want.

So in-interface=!bridge should do the job.

Search found 8830 matches