MikroTik

Pericynthion

Hi everyone. I have both ipv4 and v6 running on my network, but also some specific clients that I want to keep as exclusively as ipv4 on!y due to some name resolution issues. I can't disable ipv6 locally on the client stack as it on!y has basic config options - so interested in any suggestions from ...

Pericynthion

Anyone managed to try the new S+RJ10 with the 4011 yet? (the /r2 hardware revision)

Pericynthion

Awesome - thanks for this! I had recently transferred my working IPv6 config manually from a HexGR3 to a new 4011, and for the life of me couldn't figure out why I was getting an IPv6 address from the service provider, but none of internal clients were. Walking through this write-up I realized I'd m...

Pericynthion

what version of RouterOS are you running? I hit a similar problem recently when I upgraded to v6.45beta6 on my rb4011 - the SFP modules failed to even register in the hardware port.
As soon as I downgraded to the latest stable build, everything started workgin.

Pericynthion

Hi everyone! Hope someone can help me understand an optimal config for the RB4011 - specifically with a 10GB SFP trunk connected. Based on the block diagram below; https://i.mt.lv/cdn/rb_files/RB4011iGSplusRM-180905135303.png In the default out of the box config, Eth1 is allocated for the external r...

Pericynthion

The CRS can do wirespeed Switching, All routing (Incl Inter Vlan Traffic) goes via CPU and limited by that

Aha - that was the critical thing I was missing - thanks for the clarification team!

Pericynthion

sorry for hijacking the thread, but I had a similar question. Is there any downside anyone can see running the CRS305-1G-4S+IN in RouterOS mode using the 1G copper SFP's, over something like a Hex S as the router? Other than the cost of course, I was trying to be a little more 'future proof' with a ...

Pericynthion

its odd, because I've got; -a username and password (the same ones I use when connection via L2TP etc - no FQDN, just a regular username/pwd) -a L2TP pre-shared key (which is the same one I'm currently using for the IPSEC peer) -an 'IKEv2 Remote ID' (which is just a domain name) When I flip to pre-s...

Pericynthion

I'm sure people have got better things to do than DOS my router or my VPN provider (famous last words) Looks to me like the negotiation seems fine right up until ' INTERNAL_ADDRESS_FAILURE' , then it bails and deletes the SA. From what I can find in the Cisco documentation, this is likely to be a se...

Pericynthion

So I spotted a problem - for some reason configuring it through the webfig, it never applies the mode-config. Guess its a GUI issue with the latest beta (v6.44 beta20) [dickie@MikroTik] /ip ipsec peer> set 0 mode-config request-only [dickie@MikroTik] /ip ipsec peer> print Flags: X - disabled, D - dy...

Pericynthion

Ok - so now we're getting somewhere ;-) [dickie@MikroTik] /system logging> /ip ipsec peer print Flags: X - disabled, D - dynamic, R - responder 0 address=104.237.61.xx/32 profile=default auth-method=pre-shared-key secret="mysecret" generate-policy=port-override policy-template-group=defaul...

Pericynthion

@kennerblick - I think you and I are going to be spending a lot of time together on here :) #1 LT2P/IPSEC works... for now (VPN provider dependent) This was also one of the main reasons I switched over to Mikrotik - with the ability to split traffic using the routing/connection marking and the mangl...

Pericynthion

Ok team, I'm back from vacation and looking at this. Creating the peer to the VPN provider, seems to establish without any problem - although it doesnt seem to assign me an address, nor does it seem to require any authentication (presumably not needed for ph1)? Q: Looking at this, does this imply th...

Pericynthion

Thanks for the detailed explanation sindy - now it makes a lot more sense - it actually sounds a lot easier than I thought. So I think I have a plan; 1) Leverage the standard, default routing table (with default gateway direct to the ISP) 2) Define an ipsec policy based on a src-address list (a hand...

Pericynthion

Ok - so can I still route down the IP tunnel independently in the same way as if it was an interface? i.e. have a different default route/gateway depending on the routing mark? Also do I create it as a 'raw' IP sec configuration (e.g. setup the IPSEC peers directly or just simply as a new IP tunnel ...

Pericynthion

Hi everyone! I searched the forum but couldn't find an answer to this one - happy if anyone can point me at something I missed; 1) Current setup is a HexGr3 which has an authenticated (username/password) L2TP/IPSEC interface to a VPN provider. Using a combination of some DHCP reservations and some m...

Pericynthion

So managed to catch it dropping - if my understanding is correct, the LCP ProtRej are because I am running IPv6 on the Mikrotik, but the VPN server only supports IPV4. From the state of the hungup, it looks like my end (70.95.93.xx) sent the termination - and if I read the CDN message (result-code=1...

Pericynthion

Hi everyone! So I had a L2TP/IPSEC tunnel via a VPN provider, that was working and has recently started having problems. I'm trying to figure out if this is down to something they changed at their end, or something in one of the later RouterOS releases. I'm currently on RouterOS 6.44beta14 The initi...

Pericynthion

That looks more like the device can’t communciate with something somewhere (external server etc) and so it bounces its stack every 20 seconds to try and re-establish a connection (eventually it does a complete reset which is where you see the port drop) as a last resort. I see this a lot with Nest c...

Pericynthion

Probably need a little more details on where that other subnet is connected, and where are the connections going to originate from?
In theory you just need to add an IP static route with the appropriate metric and gateway IP address to point to the subnet (assuming its a local subnet).

Pericynthion

Well, if you know what is necessary to do to force-synchronize an Oracle database cluster after it has diverged... Depends - is it a RAC cluster thats divided, or has Data Guard gone rogue.. . Gadgets opening ports for http access from outside, hmmm :-) Are they at least decent enough to look like ...

Pericynthion

Sindy - do you have an Amazon wish-list or something I can see? ;-) Can't thank you enough - I've been staring at this for a month now, and you've solved it in 2 posts. Thankyou again. Everything is working exactly as planned - one last and final question... (I promise). One of the main reasons for ...

Pericynthion

No , sorry for too much info ;-) The connection marking is working correctly for all connections from the client. But despite the connection and routing apparently going through the correct srcnat and routing table entry, the client is unable to reach any external sites. Back to your original commen...

Pericynthion

Here you go - thankyou again for taking the time to look this one over! To clarify the setup I have an L2TP/IPSEC VPN interface which is my preferred default route when it is up and running, and if that interface drops it follows the default route direct via the ISP (so 2 dynamic default routes with...

Pericynthion

So I think its 'sort of working' Sindy - all the fasttrack non-marked connections are working fine, but I'm still seeing some of the connections I expected to be marked as flowing through fasttrack without a connection mark. The configuration is pretty simple in terms of the mangle - just one non-de...

Pericynthion

Perfect. Thanks for the detailed response - I’ll try reworking the config today!

Sent from my iPhone using Tapatalk

Pericynthion

Follow up question Sindy. As I understand it , as soon as I touch policy based routing with a mark-routing mangle rule, I can’t use the fasttrack feature (hence I have that default firewall rule disabled). Is there anyway I can still leverage fasttrack for the non-marked packets or am I just stuck w...

Pericynthion

Got it - thanks for the clarification everyone! We're up and running (with a much simpler config!)

Pericynthion

So I think anav pointed out the minor flaw in my plan - if I point the mark-routing static route at the ISP gateway via the ISP gateway IP address then everything works (thanks anav!!) I was originally routing the static route at the Eth1 interface, on the understanding that the IP address at the ot...

Pericynthion

So this is a follow on (but discrete) question from another thread - I think I'm missing something obvious. 1) I have 2 dynamic default routes on my Hex. (i) with a metric of 2 via the Eth1 WAN interface (ii) with a metric of 1 via an L2TP interface 2) I have srcnat masquerade NAT rules in place for...

Pericynthion

So I think my config would help you then! If you set a mangle-rule to 'mark-routing' for the subnet or addresses you want to 'force' over the VPN, then have a default route which includes that routing mark via the VPN interface - those packets will only every follow that route. All the traffic with ...

Pericynthion

Continued thought.... I changed the L2TP to add a default route, and it added one - but without the routing mark for L2TP so thats not going to work. Maybe I answered my own question in the previous post - I need to create a VRF/FIB for that routing mark (which has the dual-default gateways with dif...

Pericynthion

Yes - thats what I already have , but it still blackholes those packets if the L2TP is down - the IP address is technically reachable (via the default, default route) but without the VPN the traffic is non routable at the far end. # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 A S 0.0.0.0/0 l2tp-out1 1 1...

Pericynthion

Hi Everyone! quick Mangle question from someone new to RouterOS. I have my Hex up and running with a L2TP IPSec tunnel to a VPN provider, and top of my mangle list is a mark-routing for my local subnet to flag all outgoing traffic via the VPN. add action=mark-routing chain=prerouting comment="T...

Pericynthion

Just stumbled on this thread with exactly the same problem after a few days head scratching. Just wanted to say huge thanks again Sindy!

Pericynthion

Solved - in case anyone else finds this with a search; So I managed to track this down with the additional logging; /system logging add prefix=ipsec topics=ipsec And the key message in the log was 'NO-PROPOSAL-CHOSEN' , so after a bit of research I deduced that the default PFS (modp1024) is required...

Pericynthion

So I've been doing some research and concluded that the 'use IPSEC' option in the L2TP client will try and automatically generate the IPSEC config, so I dont need this option if I'm configuring the policy manually (and the auto-option doesnt seen to work). Ok , so onto the policy (obvious info obscu...

Pericynthion

Hi everyone - new routeros user here! Hopefully this is an easy one that someone can help with... I'm trying to set a VPN endpoint as my primary route (such that all outbound Eth1 traffic is encrypted - and ideally accelerated in the hardware of the RB750Gr3). When I'm using just a straight L2TP cli...

Search found 38 matches

Exclude specific clients for IPv6 address pools?

Re: RB4011

Re: First time setting up IPv6

Re: SFP Module - port no connection?

RB4011iGS+RM - optimal config?

Re: Choosing router+switch pair for home net

Re: Choosing router+switch pair for home net

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Re: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Re: switching from L2TP/IPSEC to IKEv2/IPSEC interface?

switching from L2TP/IPSEC to IKEv2/IPSEC interface?

Re: L2TP/IPSEC keeps failing (I think its L2TP)

L2TP/IPSEC keeps failing

Re: Plume, DHCP issue on hEX

Re: SSTP VPN Mikrotik

Re: Static Default Route - I'm missing something [SOLVED]

Re: Static Default Route - I'm missing something [SOLVED]

Re: Static Default Route - I'm missing something [SOLVED]

Re: Static Default Route - I'm missing something [SOLVED]

Re: Static Default Route - I'm missing something [SOLVED]

Re: Static Default Route - I'm missing something [SOLVED]

Re: Static Default Route - I'm missing something [SOLVED]

Re: Static Default Route - I'm missing something [SOLVED]

Re: Static Default Route - I'm missing something [SOLVED]

Static Default Route - I'm missing something [SOLVED]

Re: Conditional 'Mark Routing' only if interface available

Re: Conditional 'Mark Routing' only if interface available

Re: Conditional 'Mark Routing' only if interface available

Conditional 'Mark Routing' only if interface available

Re: ROS 6.41 Policy routing help? [SOLVED]

Re: SOLVED - [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link

Re: [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link

SOLVED* [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link