Community discussions

Search found 37 matches

by Pericynthion
Wed May 15, 2019 9:29 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 371
Views: 75223

Re: RB4011

Anyone managed to try the new S+RJ10 with the 4011 yet? (the /r2 hardware revision)
by Pericynthion
Sun Mar 24, 2019 7:55 pm
Forum: General
Topic: First time setting up IPv6
Replies: 7
Views: 759

Re: First time setting up IPv6

Awesome - thanks for this! I had recently transferred my working IPv6 config manually from a HexGR3 to a new 4011, and for the life of me couldn't figure out why I was getting an IPv6 address from the service provider, but none of the internal clients were. Walking through this write-up I realized I'd m...
by Pericynthion
Sun Mar 24, 2019 7:26 pm
Forum: General
Topic: SFP Module - port no connection?
Replies: 3
Views: 374

Re: SFP Module - port no connection?

What version of RouterOS are you running? I hit a similar problem recently when I upgraded to v6.45beta6 on my rb4011 - the SFP modules failed to even register in the hardware port.
As soon as I downgraded to the latest stable build, everything started working.
by Pericynthion
Sat Jan 19, 2019 11:14 pm
Forum: General
Topic: RB4011iGS+RM - optimal config?
Replies: 1
Views: 478

RB4011iGS+RM - optimal config?

Hi everyone! Hope someone can help me understand an optimal config for the RB4011 - specifically with a 10GB SFP trunk connected. Based on the block diagram below; https://i.mt.lv/cdn/rb_files/RB4011iGSplusRM-180905135303.png In the default out of the box config, Eth1 is allocated for the external r...
by Pericynthion
Thu Dec 13, 2018 5:56 am
Forum: Beginner Basics
Topic: Choosing router+switch pair for home net
Replies: 7
Views: 778

Re: Choosing router+switch pair for home net

The CRS can do wirespeed Switching, All routing (Incl Inter Vlan Traffic) goes via CPU and limited by that
Aha - that was the critical thing I was missing - thanks for the clarification team!
by Pericynthion
Wed Dec 12, 2018 7:32 pm
Forum: Beginner Basics
Topic: Choosing router+switch pair for home net
Replies: 7
Views: 778

Re: Choosing router+switch pair for home net

sorry for hijacking the thread, but I had a similar question. Is there any downside anyone can see running the CRS305-1G-4S+IN in RouterOS mode using the 1G copper SFP's, over something like a Hex S as the router? Other than the cost of course, I was trying to be a little more 'future proof' with a ...
by Pericynthion
Sat Oct 27, 2018 7:19 pm
Forum: General
Topic: switching from L2TP/IPSEC to IKEv2/IPSEC interface?
Replies: 13
Views: 4912

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

It's odd, because I've got; -a username and password (the same ones I use when connecting via L2TP etc - no FQDN, just a regular username/pwd) -a L2TP pre-shared key (which is the same one I'm currently using for the IPSEC peer) -an 'IKEv2 Remote ID' (which is just a domain name) When I flip to pre-s...
by Pericynthion
Sat Oct 27, 2018 1:27 am
Forum: General
Topic: switching from L2TP/IPSEC to IKEv2/IPSEC interface?
Replies: 13
Views: 4912

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

I'm sure people have got better things to do than DOS my router or my VPN provider (famous last words) Looks to me like the negotiation seems fine right up until ' INTERNAL_ADDRESS_FAILURE' , then it bails and deletes the SA. From what I can find in the Cisco documentation, this is likely to be a se...
by Pericynthion
Fri Oct 26, 2018 10:14 pm
Forum: General
Topic: switching from L2TP/IPSEC to IKEv2/IPSEC interface?
Replies: 13
Views: 4912

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

So I spotted a problem - for some reason configuring it through the webfig, it never applies the mode-config. Guess it's a GUI issue with the latest beta (v6.44 beta20) [dickie@MikroTik] /ip ipsec peer> set 0 mode-config request-only [dickie@MikroTik] /ip ipsec peer> print Flags: X - disabled, D - dy...
by Pericynthion
Fri Oct 26, 2018 9:40 pm
Forum: General
Topic: switching from L2TP/IPSEC to IKEv2/IPSEC interface?
Replies: 13
Views: 4912

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Ok - so now we're getting somewhere ;-) [dickie@MikroTik] /system logging> /ip ipsec peer print Flags: X - disabled, D - dynamic, R - responder 0 address=104.237.61.xx/32 profile=default auth-method=pre-shared-key secret="mysecret" generate-policy=port-override policy-template-group=default exchange...
by Pericynthion
Fri Oct 26, 2018 8:30 pm
Forum: General
Topic: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider
Replies: 11
Views: 5236

Re: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider

@kennerblick - I think you and I are going to be spending a lot of time together on here :) #1 L2TP/IPSEC works... for now (VPN provider dependent) This was also one of the main reasons I switched over to Mikrotik - with the ability to split traffic using the routing/connection marking and the mangl...
by Pericynthion
Fri Oct 26, 2018 2:48 am
Forum: General
Topic: switching from L2TP/IPSEC to IKEv2/IPSEC interface?
Replies: 13
Views: 4912

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Ok team, I'm back from vacation and looking at this. Creating the peer to the VPN provider, seems to establish without any problem - although it doesn't seem to assign me an address, nor does it seem to require any authentication (presumably not needed for ph1)? Q: Looking at this, does this imply th...
by Pericynthion
Fri Oct 12, 2018 4:47 am
Forum: General
Topic: switching from L2TP/IPSEC to IKEv2/IPSEC interface?
Replies: 13
Views: 4912

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Thanks for the detailed explanation sindy - now it makes a lot more sense - it actually sounds a lot easier than I thought. So I think I have a plan; 1) Leverage the standard, default routing table (with default gateway direct to the ISP) 2) Define an ipsec policy based on a src-address list (a hand...
by Pericynthion
Thu Oct 11, 2018 5:14 am
Forum: General
Topic: switching from L2TP/IPSEC to IKEv2/IPSEC interface?
Replies: 13
Views: 4912

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Ok - so can I still route down the IP tunnel independently in the same way as if it was an interface? i.e. have a different default route/gateway depending on the routing mark? Also do I create it as a 'raw' IP sec configuration (e.g. setup the IPSEC peers directly or just simply as a new IP tunnel ...
by Pericynthion
Thu Oct 11, 2018 2:02 am
Forum: General
Topic: switching from L2TP/IPSEC to IKEv2/IPSEC interface?
Replies: 13
Views: 4912

switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Hi everyone! I searched the forum but couldn't find an answer to this one - happy if anyone can point me at something I missed; 1) Current setup is a HexGr3 which has an authenticated (username/password) L2TP/IPSEC interface to a VPN provider. Using a combination of some DHCP reservations and some m...
by Pericynthion
Wed Oct 03, 2018 5:36 am
Forum: General
Topic: L2TP/IPSEC keeps failing
Replies: 1
Views: 489

Re: L2TP/IPSEC keeps failing (I think its L2TP)

So managed to catch it dropping - if my understanding is correct, the LCP ProtRej are because I am running IPv6 on the Mikrotik, but the VPN server only supports IPv4. From the state of the hungup, it looks like my end (70.95.93.xx) sent the termination - and if I read the CDN message (result-code=1...
by Pericynthion
Tue Oct 02, 2018 9:05 pm
Forum: General
Topic: L2TP/IPSEC keeps failing
Replies: 1
Views: 489

L2TP/IPSEC keeps failing

Hi everyone! So I had a L2TP/IPSEC tunnel via a VPN provider, that was working and has recently started having problems. I'm trying to figure out if this is down to something they changed at their end, or something in one of the later RouterOS releases. I'm currently on RouterOS 6.44beta14 The initi...
by Pericynthion
Sun Sep 02, 2018 4:00 am
Forum: General
Topic: Plume, DHCP issue on hEX
Replies: 1
Views: 269

Re: Plume, DHCP issue on hEX

That looks more like the device can’t communicate with something somewhere (external server etc) and so it bounces its stack every 20 seconds to try and re-establish a connection (eventually it does a complete reset which is where you see the port drop) as a last resort. I see this a lot with Nest c...
by Pericynthion
Sun Aug 26, 2018 8:23 pm
Forum: General
Topic: SSTP VPN Mikrotik
Replies: 3
Views: 513

Re: SSTP VPN Mikrotik

Probably need a little more details on where that other subnet is connected, and where are the connections going to originate from?
In theory you just need to add an IP static route with the appropriate metric and gateway IP address to point to the subnet (assuming it's a local subnet).
by Pericynthion
Sun May 06, 2018 10:30 pm
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Re: Static Default Route - I'm missing something [SOLVED]

Well, if you know what is necessary to do to force-synchronize an Oracle database cluster after it has diverged... Depends - is it a RAC cluster thats divided, or has Data Guard gone rogue.. . Gadgets opening ports for http access from outside, hmmm :-) Are they at least decent enough to look like ...
by Pericynthion
Sun May 06, 2018 9:23 pm
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Re: Static Default Route - I'm missing something [SOLVED]

Sindy - do you have an Amazon wish-list or something I can see? ;-) Can't thank you enough - I've been staring at this for a month now, and you've solved it in 2 posts. Thank you again. Everything is working exactly as planned - one last and final question... (I promise). One of the main reasons for ...
by Pericynthion
Sun May 06, 2018 9:33 am
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Re: Static Default Route - I'm missing something [SOLVED]

No, sorry for too much info ;-) The connection marking is working correctly for all connections from the client. But despite the connection and routing apparently going through the correct srcnat and routing table entry, the client is unable to reach any external sites. Back to your original commen...
by Pericynthion
Sun May 06, 2018 7:37 am
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Re: Static Default Route - I'm missing something [SOLVED]

Here you go - thank you again for taking the time to look this one over! To clarify the setup I have an L2TP/IPSEC VPN interface which is my preferred default route when it is up and running, and if that interface drops it follows the default route direct via the ISP (so 2 dynamic default routes with...
by Pericynthion
Sat May 05, 2018 11:33 pm
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Re: Static Default Route - I'm missing something [SOLVED]

So I think it's 'sort of working' Sindy - all the fasttrack non-marked connections are working fine, but I'm still seeing some of the connections I expected to be marked as flowing through fasttrack without a connection mark. The configuration is pretty simple in terms of the mangle - just one non-de...
by Pericynthion
Sat May 05, 2018 6:38 pm
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Re: Static Default Route - I'm missing something [SOLVED]

Perfect. Thanks for the detailed response - I’ll try reworking the config today!
by Pericynthion
Sat May 05, 2018 2:07 am
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Re: Static Default Route - I'm missing something [SOLVED]

Follow up question Sindy. As I understand it, as soon as I touch policy based routing with a mark-routing mangle rule, I can’t use the fasttrack feature (hence I have that default firewall rule disabled). Is there any way I can still leverage fasttrack for the non-marked packets or am I just stuck w...
by Pericynthion
Sat May 05, 2018 1:27 am
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Re: Static Default Route - I'm missing something [SOLVED]

Got it - thanks for the clarification everyone! We're up and running (with a much simpler config!)
by Pericynthion
Sat May 05, 2018 1:14 am
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Re: Static Default Route - I'm missing something [SOLVED]

So I think anav pointed out the minor flaw in my plan - if I point the mark-routing static route at the ISP gateway via the ISP gateway IP address then everything works (thanks anav!!) I was originally routing the static route at the Eth1 interface, on the understanding that the IP address at the ot...
by Pericynthion
Sat May 05, 2018 12:09 am
Forum: General
Topic: Static Default Route - I'm missing something [SOLVED]
Replies: 21
Views: 3325

Static Default Route - I'm missing something [SOLVED]

So this is a follow on (but discrete) question from another thread - I think I'm missing something obvious. 1) I have 2 dynamic default routes on my Hex. (i) with a metric of 2 via the Eth1 WAN interface (ii) with a metric of 1 via an L2TP interface 2) I have srcnat masquerade NAT rules in place for...
by Pericynthion
Fri May 04, 2018 6:17 pm
Forum: Beginner Basics
Topic: Conditional 'Mark Routing' only if interface available
Replies: 6
Views: 876

Re: Conditional 'Mark Routing' only if interface available

So I think my config would help you then! If you set a mangle-rule to 'mark-routing' for the subnet or addresses you want to 'force' over the VPN, then have a default route which includes that routing mark via the VPN interface - those packets will only ever follow that route. All the traffic with ...
by Pericynthion
Thu May 03, 2018 8:02 pm
Forum: Beginner Basics
Topic: Conditional 'Mark Routing' only if interface available
Replies: 6
Views: 876

Re: Conditional 'Mark Routing' only if interface available

Continued thought.... I changed the L2TP to add a default route, and it added one - but without the routing mark for L2TP so that's not going to work. Maybe I answered my own question in the previous post - I need to create a VRF/FIB for that routing mark (which has the dual-default gateways with dif...
by Pericynthion
Thu May 03, 2018 7:50 pm
Forum: Beginner Basics
Topic: Conditional 'Mark Routing' only if interface available
Replies: 6
Views: 876

Re: Conditional 'Mark Routing' only if interface available

Yes - that's what I already have, but it still blackholes those packets if the L2TP is down - the IP address is technically reachable (via the default, default route) but without the VPN the traffic is non routable at the far end. # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 A S 0.0.0.0/0 l2tp-out1 1 1...
by Pericynthion
Thu May 03, 2018 12:27 am
Forum: Beginner Basics
Topic: Conditional 'Mark Routing' only if interface available
Replies: 6
Views: 876

Conditional 'Mark Routing' only if interface available

Hi Everyone! quick Mangle question from someone new to RouterOS. I have my Hex up and running with a L2TP IPSec tunnel to a VPN provider, and top of my mangle list is a mark-routing for my local subnet to flag all outgoing traffic via the VPN. add action=mark-routing chain=prerouting comment="Tag al...
by Pericynthion
Tue Apr 03, 2018 10:28 pm
Forum: General
Topic: ROS 6.41 Policy routing help? [SOLVED]
Replies: 3
Views: 796

Re: ROS 6.41 Policy routing help? [SOLVED]

Just stumbled on this thread with exactly the same problem after a few days head scratching. Just wanted to say huge thanks again Sindy!
by Pericynthion
Tue Mar 27, 2018 2:46 am
Forum: Beginner Basics
Topic: SOLVED* [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link
Replies: 2
Views: 981

Re: SOLVED - [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link

Solved - in case anyone else finds this with a search; So I managed to track this down with the additional logging; /system logging add prefix=ipsec topics=ipsec And the key message in the log was 'NO-PROPOSAL-CHOSEN' , so after a bit of research I deduced that the default PFS (modp1024) is required...
by Pericynthion
Mon Mar 26, 2018 6:38 pm
Forum: Beginner Basics
Topic: SOLVED* [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link
Replies: 2
Views: 981

Re: [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link

So I've been doing some research and concluded that the 'use IPSEC' option in the L2TP client will try and automatically generate the IPSEC config, so I don't need this option if I'm configuring the policy manually (and the auto-option doesn't seem to work). Ok, so onto the policy (obvious info obscu...
by Pericynthion
Sat Mar 24, 2018 1:38 am
Forum: Beginner Basics
Topic: SOLVED* [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link
Replies: 2
Views: 981

SOLVED* [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link

Hi everyone - new routeros user here! Hopefully this is an easy one that someone can help with... I'm trying to set a VPN endpoint as my primary route (such that all outbound Eth1 traffic is encrypted - and ideally accelerated in the hardware of the RB750Gr3). When I'm using just a straight L2TP cli...