MikroTik

jerryroy1

working-2024-04-07_12-08-33.png

jerryroy1

It looks like Mikrotik ROS might have a bug. I am not sure completely but this was resolved by changing the provisioning from "create-dynamic-enabled" to "create-enabled" (Thanks Sindy!) /caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=b,g,gn master-con...

jerryroy1

No ssid's are showing up after they receive the config from capsman

jerryroy1

I have capsman running on a RouterBOARD 750G r3 (hEX) and all my caps for some reason have lost their virtual wlan interfaces that were normally created when they connect to capsman. This has been working for a few years and I have been adding caps one by one and now I have no idea why it's failing....

jerryroy1

Excellent, we works! Thanks to all for your help on this! Much appreciated

jerryroy1

on hAP no ssid, no frequency, no security? How do I "Connect"?

I hit scan, and then connect, it says "Couldn't perform action not running (6)"

jerryroy1

Thanks Gentlemen, OK, now I can connect with BOTH Laptop and phone on the 5Ghz. So Now I want to make this hAP ax2 I just bought, connect to the cAP ax I have. The cAP ax should be the AP (Multiple devices connect) and the hAP ax2 just another client. What do I set each as? the cAP ax only has ap, s...

jerryroy1

36 or 40?

Sorry, I must be confused.

Freq2-2024-02-21_15-58-53.png

Freq-2024-02-21_15-58-53.png

Under "Channel" I get unknown

jerryroy1

I setup a cAP ax and I can connect to it on 2G but not 5G. My computer can see the 2G ssid but the 5G ssid never shows up. My Android Pixel 7 phone and see and connect to it on both 2 and 5G.

Any recommendations? I want to utilize the wifi 6 "AX" speeds.

jerryroy1

I have a few cAP ax units as AP's. Had to move office that was hardwired. Now I would like to install a Mikrotik CPE and have it connect to the cAP ax in another work space. I have zero wired ports in new space to connect equipment to. What CPE would you all recommend that would act as a client to m...

jerryroy1

Hello, I am looking for a 2 gig to 10 gig wireless link for short distances (50 meters) between buildings so we do not have to trench and run fiber. Can anyone recommend a solution? Preferably Mikrotik if available. The closest thing I think that can reach minimum 2 gig bandwidth is a netmetal unit....

jerryroy1

I have used the following script. I want to source from my inside (LAN) interface. I keep getting an error invalid value for argument src-address: invalid value for argument ip-src-address invalid value for argument ip6-src-address #get IPsec src-address from IPsec policies: :local IPsecSrcIP [/ip i...

jerryroy1

Can someone show me how to modify the script to use the source device lan interface IP address?

jerryroy1

Hello, I have a RBD53iG-5HacD2HnD (hAP ac³) configured to route traffic. It has a VPN tunnel up and passing traffic but only if I source the ping from the bridge (LAN side) interface. Hosts on the same LAN subnet cannot get a response to a ping. I have placed this router in parallel to an ASA on sit...

jerryroy1

OK, Ping now works and waiting to test VoIP calls. The route 192.168.0.0/21 did not cover the satellite subnets. I need to go back to routing 101 LOL (Thanks Sindy) I appreciate all that have responded. I will update once I confirm VoIP is indeed working.

jerryroy1

Sindy, please see info on slack.

I am unable to ping from Satellite to Satellite. I will have to confirm if calls go thru server. I will post tomorrow. Thanks!

jerryroy1

Sindy!

Hello, I hope you are well! Thanks for having a look.

The Central Office Server IP is 192.168.1.25. The satellites can ring each other but no Audio. We dial an extension so the call manager is located at the CO.

jerryroy1

See Sanitized Central Office and one of the Satellites. Attached

Thanks for Looking

jerryroy1

Here is the routing of just one satellite. 192.168.0.0/21 covers all the know satellite offices. All Satellites have the same route. 192.168.68.0/24 is the subnet for This satellite.

What else could be a top of your head guess?

jerryroy1

We have a Central office with a bunch of satellite offices. All sites have IPsec or L2TP tunnels between the Central and Satellites. We are able to call the central office from any of the satellites and vice/versa but are unable to call satellite to satellite. What to look for besides route statemen...

jerryroy1

What are you now using for Drawings?

jerryroy1

Solved

We literally had to find the cap interfaces that were assigned to each remote cap by pressing Provision on the capsman and watching the logs. Then we delete those cap interfaces and then press provision again and voila, the ssid shows up. Kind of Lame and maybe a Bug?

jerryroy1

Hello, I thought I had it figured out but none of my AP's are broadcasting a new SSID I created on Capsman router. Any Ideas on what I may be missing? New SSID is FAFC-Guests /caps-man channel add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 name=2G...

jerryroy1

Hello, We have a link between two buildings using a Wireless Wire Cube's (RB CubeG-5ac60ad units). There are trees that have grown and now the signal is getting bad to where they are losing connection. We cannot cut the trees and are looking to implement a work around. I am giving each device within...

jerryroy1

Hello All, Can someone recommend a Modem that will work with T-Mobile on a NetMetal AC2? We currently have a T-Mobile sim and a R11e-LTE6 and cannot pass traffic. Come to find out that T-Mobile has dropped support for the R11e-LTE6 Modem https://lifehacker.com/these-19-devices-will-lose-t-mobile-net...

jerryroy1

Converted the string to hex and then appended 0x to the front. Does this make sense? http://string-functions.com/string-hex.aspx /ip dhcp-server option> add name="option-242" code=242 value=0x4d4349504144443d3139322e3136382e322e31352c4d43504f52543d313731392c48545450535256523d3139322e313638...

jerryroy1

tried the following. It failed. Anyone with a working example?

/ip dhcp-server option> add name="option-242" code=242 value="MCIPADD=192.168.2.15,MCPORT=1719,HTTPSRVR=192.168.2.15,L2QVLAN=11"
failure: Unknown data type!
/ip dhcp-server option>

jerryroy1

We have a bridged network (I know, I know) I just started managing with dozens of routers. I have applied the standard ssh/winbox "Brute-Force" rules to the systems and they are showing me ton's of mac addresses in the logs. My assumption is the WAN interface of many of these routers have ...

jerryroy1

I have 10 New HP servers and all have 10gb and 25GB ports. Our Current HPE switches do not have 25gb support. Which Mikrotik Switches support this? I was unable to see this standard on the routerboard site.

QSFP28
SFP28

jerryroy1

Hey @sindy

Forgive me. Was away on a project and I finally am "Out of Jail" So sorry to not communicate for so long and abandon our communication. I am trying to send you a PM but I am not sure why I cannot. Can you contact via Slack again? I would like to offer you something to ponder.

jerryroy1

@sindy, you available to chat?

jerryroy1

Hello, Thank you for contacting MikroTik Support. It looks like you have created a VLAN interface on the secondary (ether) interface rather than the primary (bridge) interface on the wAP ac. If you are looking for VLAN filtering between bridge ports and tagged/untagged port configuration, perhaps ta...

jerryroy1

Same here, many hours to finally find this out, this is nuts. I can see in logs the request. Is MikroTik at least looking at this? What gets me is I have a wAP ac connected to a Cisco switch and a Hex router connected to same switch for internet. The wAP ac unit has the default vlan (1) and a second...

jerryroy1

Hi all, We have a x.x.81.128/25 subnet that has a CCR1072 with an IP x.x.81.130 assigned at a data canter. The GW for the CCR is x.x.81.129. I can reach both IP's from across the internet. The subnet is on vlan 1066 and it's a fiber connection coming in to a sfp-plus1 port on the CCR. We have anothe...

jerryroy1

Can you clarify in more detail this statement? With mode-config which assigns an address, it is necessary that one policy was auto-generated per each subnet specified in the split-include list of the mode-config to which the identity at responder side refers as src-address at the responder side and ...

jerryroy1

I have seen in the past MTU cause an issue with pppoe sites and Cisco routers doing Ipsec with gre. The pppoe header is 6 bytes plus 2 for protocol so 8. Then you have 24 for ipsec and then another 4 for GRE. So typically we would have an mtu on the interface of 1472 in our config templates (it was ...

jerryroy1

Doesn't work still

jerryroy1

Can you share a sanitized example of both sides? I still cannot get traffic to flow in one direction.

jerryroy1

Masquerade has been removed and a static route has been added so it will use interface on the Main router. I hope I did it right. I used the same username that I have already created under the Secrets menu on this interface. Still no traffic in one direction from main side 192.168.1.0/24 to spoke su...

jerryroy1

OK, so help me out here. 1st time using a L2TP server binding interface. So with this, I can now add a route to a remote location using the interface? How do I bind it to a user? Does the username under the secrets get placed here under username?

jerryroy1

How do I create a route on the core side to the spoke subnet if there is no interface or IP to use? The interface is created dynamically when the spoke mikrotik connects.

jerryroy1

OK, traffic in one direction is resolved with a masquerade rule on the spoke side. Masq.png I have the routers all working in one direction they can all ping thru to the core network 192.168.1.0/24. What the current issue is the route back, the Production router can ping the inside interface of each...

jerryroy1

For the record, I do not consider this solved just yet :) I was hoping to end up with Multiple GRE/IPSec tunnels using IKEv2 in a Hub and Spoke design. All spokes having either dhcp/pppoe or static IP assignments :)

Thanks for your input :) It is GREATLY APPRECIATED!

jerryroy1

I have two Mikrotiks. One side as L2TP server (Main) and other as L2TP Client (Spoke). I am unable to pass traffic beyond the Lan interface of either side. The L2TP client side (Spoke) obtains IP address via DHCP from ISP. It connects to Main and I can ping from Main (L2TP server) side IP from IP 19...

jerryroy1

Hey Sindy, thanks for responding. You know, I am not even sure anymore LOL. I think all the changes the ROS has been introducing, though the majority of them good, has got me a bit frustrated that I have to relearn stuff when I just want to get it to work and move on. I am in a situation where I hav...

jerryroy1

So no way to set sa-src-address and sa-dst-address anymore? I have a site with 6.47 I was using loopback with private ip in prior version.

jerryroy1

I have attached the latest Main.rsc file. Forgive me but I have been trying a bunch of different scenarios and it may be a mess :) Also, see a snippet of the logs from last test attempt using this configuration. I am not going to make any more changes at the moment and come back to it. I would prefe...

jerryroy1

OK, IKE2 allows me to use a pool so I created a pool with the entire subnet of 192.168.99.0/24. The message I am now receiving is

searching for policy for selector: 192.168.99.0/24 <=> 192.168.99.254 (The IP it pulled from the pool)

Still searching

jerryroy1

Thank you for your input. My first response is, I have built a large network with a very large retailer with over 2600 IPsec gre tunnels to all their stores on Cisco. It works with static, dynamic (pppoe and dhcp) and it works well. There should be no technological reason that this should not work u...

jerryroy1

I have built a GRE inside of IPsec tunnel between one MT (Main office) and another at a remote office. The Main office has a static IP and the remote has a dynamic (dhcp) assigned IP. It works and passes traffic as expected. I have six more locations that will have this same requirement all connecti...

jerryroy1

ip dhcp-client never gets an address on the bridge or ether1 interface. I added a static IP and route and still no access. I can only get to it via the IP>Neighbor from the slave unit with telnet or mac-telnet.

jerryroy1

The IP used to be assigned to the bridge and I could not manage so I moved to ether1. I have moved it back to the bridge interface and still same issue. Any other Ideas?

jerryroy1

Hello Mikrotikonians! Need some help understanding management access to both ends of a Wireless-Wire 60ghz bridge. I have traffic passing thru but am unable to access one end (master) with winbox or ssh. I used to be able to manage to both ends. The setup is: Main Office in first Bldg with WirelessW...

jerryroy1

Thanks! That worked but I am trying to understand why it worked before I configured for ipsec/gre tunnel

jerryroy1

I recently added Ipsec using GRE tunnel to a running Mikrotik router (remote routers have dynamic WAN IP) that has been serving PPTP and L2TP clients successfully. Now users can connect and ping the gateway (LAN interface of Mikrotik) but cannot ping or access anything beyond that. My assumption is ...

jerryroy1

OK, I currently have the Mikrotik on the DMZ interface of an ASA. What do you think would need to change to bring it in to the inside (LAN) of the ASA so it can get to the Notakey server? I assume I am going to need to create a new server certificate since the WAN IP of the MT will now be private? J...

jerryroy1

OK, Now they are asking for 2 Factor authentication for users that have been assigned machine certificates. I am not sure where to start. I was sent this by MT support. https://www.notakey.com/products/ I would like to get some recommendations on a method that will not require a lot of support and m...

jerryroy1

OK, so going on eight years since initial request and it should be past time that 2FA works with MT and google Auth or Duo. Can anyone share a working 2FA MT solution? Please sanitize and send config examples

jerryroy1

Found it. Bonehead move on my part. The screen is so small that I only disabled the Domain and Private FW, not the public on the Mission Win10 machine. Thank You for your attention to detail! [SOLVED]

jerryroy1

OK, You are correct. It would just make sense to post all since I have already given most of the security related info anyways. I will keep that in mind. I appreciate the theory tremendously. It helps fill in some gray areas in my understanding! I went ahead and added ipsec-policy=in,none to the act...

jerryroy1

Looking..... Sorry, I don't see what you may be referring to. See attached with a dump for the following commands for both ends. /ip ipsec exp h /ip fi filt exp h /ip fi nat exp h /ip fi mang exp h /ip rou exp h Thanks for Looking! BTW, WAN IP on both sides is dhcp. Default route is learned thru dhcp.

jerryroy1

Hello all, Odd one here. I have IPSEC tunnel up between two Mikrotik 951's that have latest RouterOS (upgraded with stable version today) I can ping from LAN interface of one side to LAN interface of the other and vice-versa. I cannot ping beyond the Mikrotik LAN interface of either side when going ...

jerryroy1

Sindy, Thanks for all your support. It has been a pleasure to work with you and I am so Thankful for your dedication to seeing this completed. It is all working as expected. I can't Thank You enough :D I even got the Class based routing issue resolved. (see image) class-based-win10.jpg I hope I am i...

jerryroy1

OK, the Long and winding road. LOL, It is finally working. I had to create all new certs on the 1100 with all the settings all over again to get this to work. I finally have Windows 10 clients connecting with IKEv2 to the Mikrotik 1100AHx2. It still displays erratic behavior. Maybe just because I ha...

jerryroy1

Back in office. I am having issue importing certs exported from working system. BTW, passphrase does not accept spaces! I generated the certs with a Pass Phrase! not a password :( The certs imported but do not have same values, for Example, the CA cert only shows Authority and Trusted. It is missing...

jerryroy1

Please clarify this step. - on new: - verify you have a connectivity to old router (ping, traceroute..) - import certificates with passphrase - reload openvpn (or sstp..) Why connectivity to old router? Do you mean open a browser to WAN old router? How are you connecting and importing on new router?

jerryroy1

Set the modconf back to just the LAN subnet of the MT and was not able to ping in both directions for a bit, then it started to work again. At the moment, Win7 environment. When I get to go back to office, I will have access to all Win10 systems. No chances to test and I delete dups until I do. Than...

jerryroy1

Walked away for an hour or so and now traffic is passing in both directions and the route is in the routing table for the lan of the MT. Not sure what changed, but it is working. Going to see if I can duplicate the configuration on the original RB1100AHx2. Can I move CA certs and others between syst...

jerryroy1

Under mode config, If I place a split of 0.0.0.0/0 I get traffic encrypted and decrypted and can ping from the LAN side of MT to Road Warrior = (RW) IP and get a response. The pings do not get a response from the RW side to the MT LAN because they are using default route instead of tunnel path. Any ...

jerryroy1

OK, doing what you suggested, I get traffic in one direction, I can see the bytes increasing from the 172.24.x.x (workstation on LAN of MT) to the 10.0.88.10 (Road Warrior IP) while pinging but still no response since it is not returning. Firewalls on windows systems both sides are completely disabl...

jerryroy1

Sorry for the long delay in responding. Corona Virus be damned! ;) A Complete "Do OVER" I think the issue on Windows 10 is it does not install the Certificate in the correct Store. I need someone to validate this. In Any case, I have redone it completely on a different Mikrotik and now I c...

jerryroy1

20:19:51 ipsec matched proposal:
20:19:51 ipsec adding payload: CERTREQ

CERTREQ is there

Second, please post the output of /certificate print detail where name~"jroy"

See Attached>

jerryroy1

So double-check your settings at Windows. The certificate for Windows must be imported as a machine one, not a user one. It was imported as a machine one. The Windows Certificate was generate using the process from this tutorial https://www.youtube.com/watch?v=fQokeBcrjdc ALL Cert generation starts...

jerryroy1

IKE2-fail.png

Do I have something wrong in one of my certs?

So are both my ID and Remote ID set to Auto?

jerryroy1

IKE2.png

Changed but still same message about Identity not found for peer and it shows my private IP assigned via my AP on network

jerryroy1

Is this not it? It is in the file I uploaded. /ip ipsec identity add auth-method=digital-signature certificate=vpn.corp.company.net \ generate-policy=port-strict match-by=certificate mode-config=\ modeconfig.vpn.corp.company.net peer="peer my.ip.add.r" \ policy-template-group="group v...

jerryroy1

Hi Sindy, See attached.

Thanks for looking!

cert-names.png

jerryroy1

I keep getting "identity not found for peer: ADDR4: 192.168.86.26" The IP here is the ip assigned to me thru my AP at home. Any ideas?

jerryroy1

Thanks, I had all the chain of trust of the CA in both the client and server. The client certificate had its key too. I am really surprised not to find any information how to get a better error log on the windows vpn client... That would point me into the right direction instead of playing half bli...

jerryroy1

Who can share rules that would drop traffic between ports without having vlans?

jerryroy1

Is this all you have in "/ip firewall filter"? The usual way is to use stateful firewall, i.e. start with: /ip firewall filter add chain=forward connection-state=established,related add action=drop chain=forward connection-state=invalid and then follow with other rules (I prefer to end ev...

jerryroy1

I am using Active directory RADIUS server and mAP lite as the radius client and it works fine with AD/Radius Authentication (MS-CHAPv2).

Can you export your radius config portions?

jerryroy1

Can you export your config so we can see what you have set?

jerryroy1

I wish the Mikrotik supported it. It is a Linux Derivative.

jerryroy1

Hello all, I have a customer looking at 6 Ubiquiti AF-24 units vs. 3 Mikrotik RBLHGG-60adkit (Kits). The Price is radically different but his argument is they have a Network Controller? Is that a centralized management interface like a Cisco WLAN controller and what can I recommend for a Management ...

jerryroy1

Hello, I have 4 Mikrotiks. 3 x Groove A-52HPn r2 1 x Metal 5SHPn I want to create a ptmp connection. I will use 1 groove as the base station and the three remaining Mikrotiks as stations. Do I set the base station as AP bridge and the three other Mikrotiks as station-bridge or as station wds? Which ...

jerryroy1

Can a wireless-wire kit act as both a bridge and AP? What mode would each side be configured to if so?

jerryroy1

Can someone please post a "complete" Dual broadband config (Both WAN are dhcp) that uses mangle rules?

jerryroy1

No routing protocols, just IPsec settings. I create the file for a site with the necessary fields (IP's, etc...) by pulling the fields in brackets from a database. This is what's in my template. /ip ipsec policy add action=encrypt disabled=no dst-address=216.231.x.x/29 dst-port=any ipsec-protocols=e...

jerryroy1

Hello, We deploy the Mikrotik hEX (GR3) to many customers. We have run into something and I believe it is a bug. I wanted to know if anyone has experienced this 1st hand? When applying the ipsec policy, the template has sa-src-address set as all zero’s, example sa-src-address=0.0.0.0 But after the t...

jerryroy1

What I have found to work is to duplicate the script (use the copy command when you open original) and name it something different. Then point your scheduler or a new scheduler at the new script. For some reason it does not like to run against the original name. This only happens sometimes as we hav...

jerryroy1

Hi Normis,

I still do not have a reply regarding 5.26 on R750GL, can you comment?

Best regards.

jerryroy1

Can we confirm the RouterOS versions please?

We have 5.26 on hundreds of 750GL's. Is it a firmware issue or an RouterOS issue? It does not seem clear from this thread.

Also, what about GR2 and GR3/Hex? What versions are invulnerable?

Thanks,

Jerry

jerryroy1

Why even have a forum MikroTik if you are not going to respond clearly?

jerryroy1

The above poster is correct. You need to reconfigure the wAPac unit first. The default config has the ethernet port configured as DHCP client, so by default, it is exptected you will plug the ethernet into your ISP/switch, not as in your diagram.

How do I reconfigure? What should I now do?

jerryroy1

Corrected flow, added RB260GS Switch

The flow is Internet <-->.Serverroom <---> RBwAPG-60ad SLAVE <---> RBwAPG-60ad MASTER <---> RB260GS Switch <---> wAP AC

jerryroy1

I don't understand, do I set bridge interface or ethernet interface as dhcp-client? I have the ethernet interface of wAPac plugged into the RB260 switch, not directly into the RBWAPG-60AD.

jerryroy1

You are talking about the wAP AC unit? It has a bridge interface with dhcp-client enabled

jerryroy1

Does the settings on the RBwAPG-60ad Master and Slave look correct?

Master set as Bridge
https://photos.app.goo.gl/QjdYRCx0OmVMvNxo1

Slave set as Station Bridge
https://photos.app.goo.gl/UzuHPijZkCmoWSAj1

jerryroy1

6.41.1 Firmware was applied and the AP rebooted and it came up in CAP mode? This happened with 3 out of 7 units. How in the world can that happen? After upgrading to 6.41.2 they are all back. I was even able to connect to the wAP unit connected to the RBwAPG-60ad and to the internet. It worked for a...

jerryroy1

All, I have a RBwAPG-60ad (WirelessWire) bridge between two buildings. I can reach both sides from my server room with ping and winbox so I know link is up. The slave is setup on the server room building and the master is setup on the building across an alley. I plug in ether1 from RBwAPG-60ad Maste...

jerryroy1

I have a simple ping script used to initiate IPsec tunnel from a dynamic IP site that is not working in 6.40.5. Did you ever receive a solution?

jerryroy1

Please send presentation to to jroy at pomeroy dot com

Thanks Very Much for your help

jerryroy1

Hello, I have a CCR1009-7G-1C-1S+ and have connected its port 3 to a Dell 3324 switch on its gigabit port 1 (trunking). I have another Dell 3324 and have connected from its gigabit port 1 to port 4 on the CCR (should also be trunking). I have created 10 vlans and want all 10 vlans to be available on...

jerryroy1

I have a CCR1009-7G-1C-1S+ so no switch chip. I have deleted the bridge and added the following and still no trunking to the CRS. Does my CRS config listed above look correct? /interface vlan add interface=ether2 name=ether2.vlan2 vlan-id=2 add interface=ether2 name=ether2.vlan3 vlan-id=3 add interf...

jerryroy1

Hi Pe1chi,

I have a bridge because I have 45 vlan's and only so many ports. So Ip assigned to vlan and vlan assigned to bridge then trunk the bridge interface to the CRS.

Do you have a config example you can share?

jerryroy1

I am driving myself crazy, this should be simple, what am I doing wrong? I want to trunk between a Cloud Core Router on ethernet4 (Bridge2) and a Cloud Core Switch Ethernet1. On the CCR I did the following: /interface vlan add interface=bridge2-Trunk name=vlan2 vlan-id=2 add interface=bridge2-Trunk ...

jerryroy1

All, I have a bunch of wAP AC units. I configured one manually with all parameters required for the location I am deploying. I have 2 questions: 1) I have backed up the config (In Winbox -> "files, backup") that I want installed on all wAP AC units. I just make slight changes to the config...

jerryroy1

I am really lost since you added the Vlan 200. Why did you do this? I have a RB2011 with builtin 2ghz AP and a wAP ac with both 2ghz and 5ghz radios. I want to manage with capman in the same single vlan1. I can manage the 2ghz on the 2011 and the 2ghz on the wAP ac but never the 5 ghz.

jerryroy1

We have a 150 locations that all have recently added and additional tunnel to a Cisco. The IPsec tunnel comes up and we can pass traffic but after an unknown length of time (lifetime?) the tunnels drop and will not renegotiate until we login to the Mikrotik and flush the SA's. Any Ideas?

jerryroy1

I Did a snmp walk and this is what they needed in Red

OID=.1.3.6.1.2.1.1.1.0, Type=OctetString, Value=RouterOS RB750GL
OID=.1.3.6.1.2.1.1.2.0, Type=OID, Value=1.3.6.1.4.1.14988.1

jerryroy1

OID_Example.jpg We are working with HP on their Network Automation Product and they are creating a driver for us. Can anyone tell us what the "System OID" is for the 750 running 5.26 firmware? HP keeps saying we are providing the wrong OID but all we can find is this "system.sysDescr...

jerryroy1

This link does not follow standard practices here in the US. http://www.wirelessinfo.be/index.php/mi ... s/overflow

It shows a dhcp client setup for both ISP1 and ISP2 but it sets static routes??? How do we make this work with dhcp client where the GW is assigned by the ISP?

jerryroy1

I have 6.17 installed on a RB2011UAS-2HnD and there is no choice in quickset for Home VPN? Am I missing a package?

jerryroy1

How do I just insert rules between others? /ip firewall filter add action=accept chain=input comment="Netgear Switch access" disabled=no src-address-list="Netgear Switch Access" add action=accept chain=input comment="default configuration" disabled=no dst-port=123 proto...

jerryroy1

How do you unNAT? or force to go thru? What would this rule look like?

jerryroy1

I think we should mount a joint effort to get Apple IOS fixed. Why is it that Cisco, Mikrotik and other all need to change their code when it is Apple who screwed it up?

jerryroy1

OK, So how do I enable the 750 to use the switch chip? I have a Cisco 1811 router that has Fa2 trunked to a MT750. The Vlan interfaces are assigned on the 1811 and Phy interfaces on the MT750 are assigned to the correct vlan. I can't pass any tagged traffic from traffic between the 750 and 1811. Any...

jerryroy1

Did you ever get this worked out?

Have you tried to do GRE inside IPSec? I do it with Cisco all day long. You would have an interface to use for the tunnel.

jerryroy1

Ya, This is absolutely the worst process I have ever seen for mass provisioning. It is a shame that they don't get it. I have hit and miss luck with this. They fail also to document that you must be connected port one on a 750GL for this to work. Why wouldn't it attempt to do the update from any por...

jerryroy1

Hello all. I am in need of you Guru's to review and let me know if these are done correctly. I have a 750GL with two Aruba rap105 connected on the lan side via dhcp. One is for voice and the other is data. I want to apply these queues to allow voip traffic (port 6061) and Non-isakmp (Nat-T 4500) tra...

jerryroy1

The Mikrotik has the absolute lamest way ever to set a config. The most frustrating design ever. I can't believe that I can't just generate a text file and upload and reload. It seems the unit would have had the smarts on reload of a file to 1) wipe config 2) parse and order file 3) load with ALL pa...

jerryroy1

Ok, Port 1 worked. Whoever has access to the documents on the wiki should note that :) Only problem is it still does not get entire config. I export a file called fullconfig.rsc that has all my settings and then I reset router back to what it came with from "factory" (Lan 192.168.88.0/24, ...

jerryroy1

I also tried this process and I am directly connected on port 5 to the 750. Trieds from two different laptops (firewall and antivirus disabled) http://wiki.mikrotik.com/wiki/Manual:Flashfig Does NOT work. Pretty frustrating that just uploading a text file with a complete config can be unsupported by...

jerryroy1

They are kidding right? From the link you sent: "Note that it is impossible to import the whole router configuration using this feature. It can only be used to import a part of configuration (for example, firewall rules) in order to spare you some typing. " This makes no sense, almost ever...

jerryroy1

Hi All, We are deploying hundreds of RB 750's. We have a database that stores all the WAN, LAN and miscellaneous settings for the customers location (Broadband type settings such as pppoe ,dhcp or static, serial# of 750 etc...). We run a web interface that just requires us to enter the serial of the...

jerryroy1

New and faster Wi-Fi and LTE is coming to the masses soon with creative methods - Gonna Rock!

http://hardware.slashdot.org/story/12/1 ... th-algebra

http://arxiv.org/pdf/0809.5022.pdf

http://www.code-on.org/

jerryroy1

All, We have an IPSec hub and spoke design. I have a 750GL (spoke) that is connected via IPsec back to a Juniper (Hub). I initiate the connection from the 750 and it creates a tunnel (2 SA's) and then I can ping to a device sitting behind the Juniper. If I try and ping back from the device behind th...

jerryroy1

I would like to buy one. Anyone have stock here in the US?

jerryroy1

Try a MAC bypass and see if this will stay connected. Enable mac address authentication in your hotspot server profile.

/ip hotspot ip-binding
add mac-address=xx:xx:xx:xx:xx:xx type=bypassed

jerryroy1

What is the CipherLab unit supposed to help you accomplish? If other devices connect correctly and don't drop, its the CipherLab box. I would find their competitor and see if its box also drops.

jerryroy1

Sounds like it was a broadband circuit issue or another device had the same IP assigned (if it actually has been resolved). FYI, you can setup logging for ipsec by going to System > Logging > and hit the plus sign. Then under topic choose ipsec and click ok. Now go back and select log in your winbox...

jerryroy1

Run a port scanner to the wan of the box. Does 8291 show open? Did you try the web interface or ssh?

jerryroy1

Go under walled garden in Hotspot. Does the IP or URL show the Letter "D" for dynamic?

jerryroy1

By default if you use the "Hotspot Setup" under Hotspot, you should get a default landing page. Have you tried it?

jerryroy1

Disable WPA and test again. Does it stay connected?

jerryroy1

Check it for what?

jerryroy1

Yes, you are able to block all outbound but what would be the purpose? You would have no connectivity. If you want to see open ports, plug a device into the wans subnet and run a port scanner - http://www.radmin.com/products/previous ... canner.php

jerryroy1

Confirm your FW rules. Can you ping public IP?

jerryroy1

This "should" work

http://wiki.mikrotik.com/wiki/Policy_Base_Routing

jerryroy1

This should be simple

Go to bridge and create new bridge1
Go to ports and add ports to bridge1
Add vlan interface and add bridge1 to vlan
assign IP to vlan interface

Remember a "bridge" can create a bridge between physical ports and a logical interface

jerryroy1

I have a "hub and spoke" Ipsec VPN network. On the hub side is Juniper router. We have 900 Cisco 881 routers on the spoke side all with standard broadband links (pppoe, dhcp and static w/dsl, cable or wireless) connecting back to it. We have a loopback address assigned on each cisco that i...

jerryroy1

Hello, I have 750g that acts as pppoe server and assigns public IP's when a user authenticates. Now I want dhcp users to obtain private IP on of Lan side from dhcp server and masquerade and nat to the ether1-gateway interface IP which is the "public" IP for pppoe server. Can this be done? ...

jerryroy1

I have 5.18 on 1100AHx2 and it is all effed up. Unable to create a simple dhcp server with wizard or manually. I reset to factory and port 12 on the case is now "ethernet1" interface with the 192.168.88.1 IP??? I was using NeighborViewer to see which port to connect to and they all said 0....

jerryroy1

All, Having a difficult time getting RB750 to pass traffic thru to Juniper 5200 with IPsec tunnel aggressive mode. Can someone take a look and see what I did wrong? I believe I am having a Nat/Routing issue now but cannot figure out. I don't completely understand the masquerading and IP chains. The ...

jerryroy1

So... Based on this thread. Does OpenVpn and Mikrotik work? And if so, is it only between Mikrotik and Mikrotik? If this is the case, does Mikrotik have a VMWare appliance I can run? Then I can have the MT to MT scenario with their version of openvpn

jerryroy1

Can someone please clear up this doc. What a mess. http://wiki.mikrotik.com/wiki/Setting_up_an_IPv6_tunnel_via_a_tunnel_broker THIS DOES NOT work on 5.14 /ipv6 route add dst-address=2000::/3 gateway=::216.66.80.26 THIS works on 5.14 /ipv6 route add dst-address=2000::/3 gateway=::209.197.5.66%sixbone

jerryroy1

I have two MT 532's with newly upgraded 5.12 code. Each has an ethernet connection to a wireless radio and seem to pass traffic ok until we transfer a large file. The file starts out transferring and gets about half way or so and then the connection drops. I have noticed the "R" next to th...

jerryroy1

Can you shared config? I have same scenario and no worky. I keep getting Hash Mismatch and I know they are correct.

jerryroy1

Can someone tell me what I did wrong with these filter rules? I want to allow only IPsec-esp, ssh, isakmp 500 and 4500. But I am unable to BLOCK ssh as a test. 0 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip src-address=0.0.0.0/0 dst-addres...

jerryroy1

Can you tell me what I have wrong here? I want to allow only IPsec-esp, ssh, isakmp 500 and 4500. But I am unable to BLOCK ssh as a test. [admin@MikroTik] > interface print Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE MTU L2MTU 0 R ether1-gateway ether 1500 1526 1 R ether2-lo...

jerryroy1

Yes. You can either turn on IP firewall filters for bridged traffic (under "/interface bridge"), or you can use bridge filters directly. On a 750G you will have to turn off the switch chip for that to work - that traffic isn't processed by the CPU. You'll have to software bridge things (w...

jerryroy1

Can a RB750G switch act as a layer 2 firewall where I can just drop into a network transparently?

jerryroy1

My files are addresses.wbx and it will not recognize the file. Is there a way to convert the file so it can be recognized?

jerryroy1

I installed windows 7. I have old drive attached and wanted to find the file that has all the original IP's, passwords Etc... that inbox had previously displayed. I can run the original winbox.exe from the original drive location but when it comes up all my routerboard IP's are gone. Where and what ...

jerryroy1

I have a RB493AH that has a LOT of VLANs (one Vlan w/24 subnet per office). I want all Vlans to be able to get to a Vlan with a shared scheduling application so offices can schedule time in our shared conference room. All offices can get to internet with no issues. I would assume they could get to o...

jerryroy1

So Can I just copy and paste this? Are there additional notes. I am remote and I do not want to deny myself. I don't see any lines that suggest I won't be denied as well.

Thanks,

JR

jerryroy1

Thanks for the response. It really shouldn't matter, consider it all in the same office but I have two office buildings. New Building is on the right. I only have 4 cat5e cables between the two offices (the guy failed to run more or even install fiber and I have no way of adding more). These two pep...

jerryroy1

I have two peplink internet sharing routers that do vrrp and supply a virtual IP to a single rb450g. I want to add a second 450g for redundancy but I want to know what IP should I assign to WAN of the rb450G on the bottom left? Will this work? I also want to set the 2 450g's in vrrp on the lan side ...

jerryroy1

How do I add multiple ports to the same vlan?

jerryroy1

Ok, I got it to connect but can I do this?

Can it connect to one site via pptp, ping a bunch of devices, email if pings don't work, hang up pptp connection and repeat for site # 2? devices on #2 site might be different (more or less IP's to monitor)?

TIA for any support

jerryroy1

I have all static IP's but I am a little confused o how to implement. Can you offer more details?

Thanks!

jerryroy1

Can someone send over the link to the Dallas MUM Mesh presentations? Hi Uldis, Whats the Latest and greatest secrets about Mikrotik mesh? Any more work being done here?

jerryroy1

Yup, IDE gone bad on Board. Kind sucks since it was only 2 years old.

jerryroy1

Are there any SCSI drivers I can use to get RouterOS 2.9.46 or 3.0.6 to boot on a Dell 2450 that has only U160 SCSI controllers? I have tried to boot both version and it keeps giving a "Fatal Error" No Harddrives found. I boot Fedora Live and it finds drives without a problem.

jerryroy1

mneumark: Like you suggested, I upgraded to .42. Also added some firewall rules through the winbox web interface (enabled both protect router and protect customer). I also changed the Public interface to use the DLink card. Things were fine for a few days. Now the same problem is back, although sli...

jerryroy1

All, Deploying a new Hotspot with a RB133. I keep getting disconnected when using winbox. When it does connect it is up for up to 5 minutes and is extremely slow showing any details such as license or IP’s inside of winbox before the disconnect. I upgraded to 2.9.42 and I still have the same issue. ...

jerryroy1

Anyone know if I can recover from the following message?

RouterBIOS v1.2.7 MikroTik (tm) 2003-2004

RouterBOARD 230 (CPU revision B1)
CPU frequency: 266 MHz
Memory size: 64 MB

Press any key within 1 second to enter setup..

FATAL: IDE drive not found

Search found 168 matches