Hi everyone. I have both IPv4 and v6 running on my network, but also some specific clients that I want to keep as exclusively IPv4-only due to some name resolution issues. I can't disable IPv6 locally on the client stack as it only has basic config options - so interested in any suggestions from ...
Awesome - thanks for this! I had recently transferred my working IPv6 config manually from a HexGR3 to a new 4011, and for the life of me couldn't figure out why I was getting an IPv6 address from the service provider, but none of internal clients were. Walking through this write-up I realized I'd m...
What version of RouterOS are you running? I hit a similar problem recently when I upgraded to v6.45beta6 on my RB4011 - the SFP modules failed to even register in the hardware port.
As soon as I downgraded to the latest stable build, everything started working.
Hi everyone! Hope someone can help me understand an optimal config for the RB4011 - specifically with a 10GB SFP trunk connected. Based on the block diagram below: https://i.mt.lv/cdn/rb_files/RB4011iGSplusRM-180905135303.png In the default out-of-the-box config, Eth1 is allocated for the external r...
Sorry for hijacking the thread, but I had a similar question. Is there any downside anyone can see to running the CRS305-1G-4S+IN in RouterOS mode using the 1G copper SFPs, over something like a Hex S as the router? Other than the cost of course, I was trying to be a little more 'future proof' with a ...
It's odd, because I've got: - a username and password (the same ones I use when connecting via L2TP etc. - no FQDN, just a regular username/pwd) - an L2TP pre-shared key (which is the same one I'm currently using for the IPsec peer) - an 'IKEv2 Remote ID' (which is just a domain name). When I flip to pre-s...
I'm sure people have got better things to do than DoS my router or my VPN provider (famous last words). Looks to me like the negotiation seems fine right up until 'INTERNAL_ADDRESS_FAILURE', then it bails and deletes the SA. From what I can find in the Cisco documentation, this is likely to be a se...
So I spotted a problem - for some reason, configuring it through the webfig, it never applies the mode-config. Guess it's a GUI issue with the latest beta (v6.44beta20). [dickie@MikroTik] /ip ipsec peer> set 0 mode-config request-only [dickie@MikroTik] /ip ipsec peer> print Flags: X - disabled, D - dy...
@kennerblick - I think you and I are going to be spending a lot of time together on here :) #1 L2TP/IPSEC works... for now (VPN provider dependent). This was also one of the main reasons I switched over to MikroTik - with the ability to split traffic using the routing/connection marking and the mangl...
OK team, I'm back from vacation and looking at this. Creating the peer to the VPN provider seems to establish without any problem - although it doesn't seem to assign me an address, nor does it seem to require any authentication (presumably not needed for ph1)? Q: Looking at this, does this imply th...
Thanks for the detailed explanation sindy - now it makes a lot more sense - it actually sounds a lot easier than I thought. So I think I have a plan: 1) Leverage the standard, default routing table (with default gateway direct to the ISP) 2) Define an IPsec policy based on a src-address list (a hand...
OK - so can I still route down the IP tunnel independently in the same way as if it was an interface? i.e. have a different default route/gateway depending on the routing mark? Also, do I create it as a 'raw' IPsec configuration (e.g. set up the IPsec peers directly) or just simply as a new IP tunnel ...
Hi everyone! I searched the forum but couldn't find an answer to this one - happy if anyone can point me at something I missed: 1) Current setup is a HexGr3 which has an authenticated (username/password) L2TP/IPsec interface to a VPN provider. Using a combination of some DHCP reservations and some m...
So I managed to catch it dropping - if my understanding is correct, the LCP ProtRej are because I am running IPv6 on the MikroTik, but the VPN server only supports IPv4. From the state of the hang-up, it looks like my end (70.95.93.xx) sent the termination - and if I read the CDN message (result-code=1...
Hi everyone! So I had an L2TP/IPsec tunnel via a VPN provider that was working and has recently started having problems. I'm trying to figure out if this is down to something they changed at their end, or something in one of the later RouterOS releases. I'm currently on RouterOS 6.44beta14. The initi...
That looks more like the device can't communicate with something somewhere (external server etc.) and so it bounces its stack every 20 seconds to try and re-establish a connection (eventually it does a complete reset, which is where you see the port drop) as a last resort. I see this a lot with Nest c...
Probably need a little more detail on where that other subnet is connected, and where the connections are going to originate from.
In theory you just need to add an IP static route with the appropriate metric and gateway IP address to point to the subnet (assuming it's a local subnet).
Well, if you know what is necessary to do to force-synchronize an Oracle database cluster after it has diverged... Depends - is it a RAC cluster that's divided, or has Data Guard gone rogue... Gadgets opening ports for HTTP access from outside, hmmm :-) Are they at least decent enough to look like ...
Sindy - do you have an Amazon wish-list or something I can see? ;-) Can't thank you enough - I've been staring at this for a month now, and you've solved it in 2 posts. Thank you again. Everything is working exactly as planned - one last and final question... (I promise). One of the main reasons for ...
No, sorry for too much info ;-) The connection marking is working correctly for all connections from the client. But despite the connection and routing apparently going through the correct srcnat and routing table entry, the client is unable to reach any external sites. Back to your original commen...
Here you go - thank you again for taking the time to look this one over! To clarify the setup: I have an L2TP/IPsec VPN interface which is my preferred default route when it is up and running, and if that interface drops it follows the default route direct via the ISP (so 2 dynamic default routes with...
So I think it's 'sort of working' Sindy - all the fasttrack non-marked connections are working fine, but I'm still seeing some of the connections I expected to be marked flowing through fasttrack without a connection mark. The configuration is pretty simple in terms of the mangle - just one non-de...
Follow-up question Sindy. As I understand it, as soon as I touch policy-based routing with a mark-routing mangle rule, I can't use the fasttrack feature (hence I have that default firewall rule disabled). Is there any way I can still leverage fasttrack for the non-marked packets, or am I just stuck w...
So I think anav pointed out the minor flaw in my plan - if I point the mark-routing static route at the ISP gateway via the ISP gateway IP address, then everything works (thanks anav!!). I was originally pointing the static route at the Eth1 interface, on the understanding that the IP address at the ot...
So this is a follow-on (but discrete) question from another thread - I think I'm missing something obvious. 1) I have 2 dynamic default routes on my Hex: (i) with a metric of 2 via the Eth1 WAN interface, (ii) with a metric of 1 via an L2TP interface. 2) I have srcnat masquerade NAT rules in place for...
So I think my config would help you then! If you set a mangle rule to 'mark-routing' for the subnet or addresses you want to 'force' over the VPN, then have a default route which includes that routing mark via the VPN interface - those packets will only ever follow that route. All the traffic with ...
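The mark-routing approach described in this post, and the fasttrack interaction raised in the two "sort of working" / "follow up" posts above, as an added RouterOS v6 configuration example (this is not the poster's own export). The address list name, the host 192.168.88.10 and LAN 192.168.88.0/24, and the mark names via-vpn are constructed for illustration; l2tp-out1 is the interface name from the route dump quoted later in this thread.

```routeros
# Added example, not the poster's config. Assumes RouterOS v6, a LAN of
# 192.168.88.0/24 on the router and an L2TP client interface named l2tp-out1.

# Hosts that must always leave via the VPN (constructed address).
/ip firewall address-list
add list=vpn-clients address=192.168.88.10 comment="force over VPN (example host)"

/ip firewall mangle
# Mark the connection once, on its first packet, so that a connection-mark is
# available for the fasttrack exclusion below. LAN-to-LAN traffic is excluded
# so it is never pushed into the VPN routing table.
add chain=prerouting src-address-list=vpn-clients dst-address=!192.168.88.0/24 \
    connection-state=new action=mark-connection new-connection-mark=via-vpn passthrough=yes
# Apply the routing mark to every packet of a marked connection.
add chain=prerouting connection-mark=via-vpn action=mark-routing \
    new-routing-mark=via-vpn passthrough=no

/ip route
# Default route seen only by packets carrying routing-mark=via-vpn.
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=via-vpn distance=1 \
    comment="marked clients go out via the VPN"
# Kill switch: in RouterOS v6 a lookup in a routing-mark table that finds no
# active route falls back to the main table, so without this entry the marked
# traffic would leak out via the ISP whenever l2tp-out1 is down. The blackhole
# has a higher distance, so it is only used while the VPN route is inactive.
add dst-address=0.0.0.0/0 type=blackhole routing-mark=via-vpn distance=2 \
    comment="drop marked traffic rather than leak it when the VPN is down"

/ip firewall nat
add chain=srcnat out-interface=l2tp-out1 action=masquerade comment="NAT into the VPN"

/ip firewall filter
# Fasttracked packets bypass mangle, which is why marked connections appeared
# to flow through fasttrack unmarked. Fasttrack only connections that carry no
# connection-mark; marked ones keep taking the slow path and get their routing mark.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark
add chain=forward action=accept connection-state=established,related
```

Check the result with `/ip route print where routing-mark=via-vpn` while the L2TP interface is up and again after disabling it: the blackhole entry should become active in the second case, and a marked client should then lose connectivity instead of silently reaching the internet through the ISP.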
Continued thought.... I changed the L2TP to add a default route, and it added one - but without the routing mark for L2TP, so that's not going to work. Maybe I answered my own question in the previous post - I need to create a VRF/FIB for that routing mark (which has the dual default gateways with dif...
Yes - that's what I already have, but it still blackholes those packets if the L2TP is down - the IP address is technically reachable (via the default, default route) but without the VPN the traffic is non-routable at the far end. # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 A S 0.0.0.0/0 l2tp-out1 1 1...
Hi everyone! Quick mangle question from someone new to RouterOS. I have my Hex up and running with an L2TP/IPsec tunnel to a VPN provider, and at the top of my mangle list is a mark-routing for my local subnet to flag all outgoing traffic via the VPN. add action=mark-routing chain=prerouting comment="T...
Solved - in case anyone else finds this with a search: So I managed to track this down with the additional logging: /system logging add prefix=ipsec topics=ipsec And the key message in the log was 'NO-PROPOSAL-CHOSEN', so after a bit of research I deduced that the default PFS (modp1024) is required...
So I've been doing some research and concluded that the 'use IPsec' option in the L2TP client will try and automatically generate the IPsec config, so I don't need this option if I'm configuring the policy manually (and the auto option doesn't seem to work). OK, so on to the policy (obvious info obscu...
Hi everyone - new RouterOS user here! Hopefully this is an easy one that someone can help with... I'm trying to set a VPN endpoint as my primary route (such that all outbound Eth1 traffic is encrypted - and ideally accelerated in the hardware of the RB750Gr3). When I'm using just a straight L2TP cli...