Community discussions

by akarpas
Tue Jun 25, 2019 5:42 pm
Forum: General
Topic: Mikrotik DHCP with redundant links.
Replies: 4
Views: 464

Re: Mikrotik DHCP with redundant links.

Hey. You can practice with HSRP in Cisco Packet Tracer. And with VRRP in MikroTik world.
There is nothing to practice, both VRRP and HSRP bring the same problem, that's why I don't want to put DHCP on L3 switches.
On Cisco both VRRP and HSRP are supported.
by akarpas
Tue Jun 25, 2019 4:42 pm
Forum: General
Topic: Mikrotik DHCP with redundant links.
Replies: 4
Views: 464

Mikrotik DHCP with redundant links.

So in the picture you may see the structure of the network. Any advice is appreciated. What would be the best way to set up DHCP so that VLAN devices are getting IPs if one of the L3 devices is down? At the moment I see only one option: to supernet the IP range, divide it in half and create two DHCPs with ...
by akarpas
Wed Jun 12, 2019 2:31 pm
Forum: General
Topic: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]
Replies: 3
Views: 266

Re: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]

Thank you, would you have more info on the PowerShell workaround?
Sorted out, thank you again.
by akarpas
Wed Jun 12, 2019 2:31 pm
Forum: General
Topic: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED]
Replies: 4
Views: 666

Re: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED]

Hi, I have found the solution in case someone should come across the same problem. The solution is to use PowerShell and specify the CA to use; here is the example: Set-VpnConnection -Name "My VPN Connection" -MachineCertificateIssuerFilter 'C:\mycerts\cert_export_MikrotikIKEv2-CA.crt' Now I can have...
by akarpas
Wed Jun 12, 2019 1:12 pm
Forum: General
Topic: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]
Replies: 3
Views: 266

Re: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]

Thank you, would you have more info on the PowerShell workaround?
by akarpas
Wed Jun 12, 2019 12:35 pm
Forum: General
Topic: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]
Replies: 3
Views: 266

IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]

So I have IKEv2 RW set up to my home based on a cert, all works perfectly. I have IKEv2 RW set up on the office MikroTik router as well, so when I set up a profile on Win 10 to connect to the office I'm getting the error "IKE authentication credentials are unacceptable". Does this mean IKEv2 is not able to take the right...
by akarpas
Fri May 24, 2019 11:35 am
Forum: General
Topic: IKEv2 for Windows and iOS
Replies: 10
Views: 455

Re: IKEv2 for Windows and iOS

Next, I found that one location from where IKEv2 refuses to connect has double NAT. Is there somehow a way to go through double NAT? L2TP does it successfully. Double NAT should not be an issue as such, but maybe one of the NATs is doing more or less than a plain NAT. Hm, the site from which I can't c...
by akarpas
Thu May 23, 2019 6:01 pm
Forum: General
Topic: IKEv2 for Windows and iOS
Replies: 10
Views: 455

Re: IKEv2 for Windows and iOS

I have 3 certs: Certificate Authority, Server and Client. Now wait - 3 certs exactly as listed (CA, Server, Client), or 3 certs, one per each client (1 × Win and 2 × iOS) plus CA plus Server? Using the same certificate for all 3 clients may not be wrong but would be unusual. Devices are not on the same...
by akarpas
Thu May 23, 2019 11:43 am
Forum: General
Topic: IKEv2 for Windows and iOS
Replies: 10
Views: 455

Re: IKEv2 for Windows and iOS

Does "on the same network" mean "coming from the same public IP as seen by the IPsec responder because the Windows and iOS devices are on a LAN of some NATing router"? Devices are not on the same LAN, but under the same public IP and the same NAT. I have 3 certs: Certificate Authority, Server and Cl...
by akarpas
Wed May 22, 2019 5:53 pm
Forum: General
Topic: IKEv2 for Windows and iOS
Replies: 10
Views: 455

IKEv2 for Windows and iOS

Is it possible to configure IKEv2 to work for Windows and iOS platforms at the same time?
I have IKEv2 working for Windows but can't get it working for iOS, and whatever I do, when I try to connect the iPad it kills the connection on Windows PCs within the same network.
by akarpas
Sun Mar 10, 2019 12:54 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

Re: forwarded ports are closed

Thanks for the mangle rule, yes it registers or logs packets coming via the firewall from outside (internet). That mangle rule sees packets from outside that already passed through the router and are leaving via the interface where y.y.y.y is connected. You try the reverse rule, to see if anything is coming back...
by akarpas
Sat Mar 09, 2019 3:39 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

Re: forwarded ports are closed

akarpas, I don't think you need any of those rules for the following reasons. Layer two separation is achieved by using different LANs, using bridges, using VLANs. Thus two LANs are not layer 2 connected, two bridges are not layer 2 connected, a LAN (subnet) and a bridge are not layer two connected, a VL...
by akarpas
Sat Mar 09, 2019 3:20 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

Re: forwarded ports are closed

Means I accidentally posted the same thing twice!
Please provide a diagram as I do not understand your setup.
Have attached a simple network diagram.
by akarpas
Sat Mar 09, 2019 2:49 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

Re: forwarded ports are closed

You can either use Tools->Torch on the interface where y.y.y.y is connected and look for packets to y.y.y.y:<2000-2015>, or you can do the same using a logging rule:
/ip firewall mangle add chain=postrouting dst-address=y.y.y.y protocol=tcp dst-port=2000-2015 action=log
If you see any packets, it means they suc...
by akarpas
Fri Mar 08, 2019 11:34 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

Re: forwarded ports are closed

duplicate post
Why duplicate post?
by akarpas
Fri Mar 08, 2019 11:33 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

Re: forwarded ports are closed

Okay, some things I noted. In general only use the word LAN for one particular purpose; you have LAN all over the place and it's confusing. (1) /interface bridge port for WIFI missing (and by the way the ethernet definition for wlan is also missing)??? Something like /interface bridge port add bridge=bridge L...
by akarpas
Fri Mar 08, 2019 10:07 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

Re: forwarded ports are closed

Post your complete config: /export hide-sensitive file=yourlatestconfig
# mar/08/2019 19:50:36 by RouterOS 6.44
# software id = GJR0-2DJD
#
# model = RouterBOARD 3011UiAS
# serial number = xxxxxxxxxx
/interface bridge
add arp=proxy-arp name="bridge LAN"
add name="bridge LAN CCTV"
add name="bridge1-F...
by akarpas
Fri Mar 08, 2019 6:23 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

Re: forwarded ports are closed

add action=dst-nat chain=dstnat connection-type="" dst-address=a.a.a.a \
    dst-port=2000-2015 in-interface=ether1-WAN protocol=tcp to-addresses=\
    y.y.y.y
Other than the bolded bit your rule looks right; not saying the bolded part is incorrect, just don't use it. For your information, all ports with dst...
by akarpas
Fri Mar 08, 2019 4:01 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

Re: forwarded ports are closed

- ISP can be blocking some ports (check the dstnat rule's packet counter to see if there's incoming traffic)
- you may have some mistake in "/ip firewall filter" (check with torch or a logging rule in postrouting to see if packets pass through the router)
- there can be some problem on a.a.a.a, service not running or bloc...
by akarpas
Fri Mar 08, 2019 3:02 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 771

forwarded ports are closed

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN src-address=\
    x.x.x.x/24
add action=masquerade chain=srcnat out-interface=ether1-WAN src-address=\
    y.y.y.y/24
add action=masquerade chain=srcnat out-interface=ether1-WAN src-address=\
    z.z.z.z/22
add action=dst-nat chain=dst...
by akarpas
Sat Mar 02, 2019 12:25 pm
Forum: General
Topic: huge amount of TCP DNS queries from outside
Replies: 6
Views: 408

huge amount of TCP DNS queries from outside

So we found that the router was compromised, so we have cleaned it and properly secured it, but from this moment the router is receiving a huge amount of packets coming from outside to DNS TCP. Of course, as I have said, all this is secured and outside DNS queries are dropped. But all this traffic coming to my r...
by akarpas
Thu Dec 20, 2018 5:00 pm
Forum: General
Topic: MikroTik ISP failover with the same IP
Replies: 0
Views: 239

MikroTik ISP failover with the same IP

My question is: is it possible with MikroTik to configure WAN failover keeping the main ISP IP working? What I mean is, let's say we have 2 ISPs: ISP 1 gives IP x.x.x.x/x, ISP 2 gives IP y.y.y.y/y. So if ISP 1 fails, ISP 2 takes over but the IP of ISP 1 is still working and used as the main one. I'm asking this ques...
by akarpas
Wed Dec 12, 2018 4:45 pm
Forum: General
Topic: Can't ping scales from A to B but can from C to B via IPsec tunnel
Replies: 0
Views: 175

Can't ping scales from A to B but can from C to B via IPsec tunnel

So in short, I have scales in site B. I can ping the scales from any other site but not from site A. Pinging via IPsec tunnel. From site A I may ping any other device on the network, such as switch, AP, PC, all of them are OK to ping, but not the scales. As mentioned, I am able to ping the scales from any other site via IPsec...
by akarpas
Mon Oct 22, 2018 12:46 pm
Forum: General
Topic: What VPN protocol in client-to-server config supports multiple connections from the same network behind NAT
Replies: 0
Views: 217

What VPN protocol in client-to-server config supports multiple connections from the same network behind NAT

What VPN protocol in client-to-server config supports multiple connections from the same network behind NAT?

PPTP is not an option.
L2TP doesn't support it, not an option.
OpenVPN doesn't support UDP, not an option.
IKEv2, what about this one?
by akarpas
Thu Oct 18, 2018 9:16 am
Forum: General
Topic: Can't ping one network device via GRE while able to ping all other devices.
Replies: 3
Views: 266

Re: Can't ping one network device via GRE while able to ping all other devices.

And nothing special about x.x.x.10 in mikrotikB config?
No firewall/NAT?
On router B in NAT I have just the usual masquerade rule and some port forward rules; in the firewall just a basic firewall, nothing that would stop computers on A from pinging a specific device on site B. I can even ping it from the A router.
by akarpas
Wed Oct 17, 2018 11:59 pm
Forum: General
Topic: Can't ping one network device via GRE while able to ping all other devices.
Replies: 3
Views: 266

Can't ping one network device via GRE while able to ping all other devices.

OK, have added a simple network picture to simplify my description. 3 sites: A, B and C. GRE tunnel between A and B, GRE tunnel between C and B. GRE tunnels work, no problem! On site B I have device x.x.x.10; I'm able to ping that device from site C via the tunnel, as well as all other devices on that network....
by akarpas
Tue Oct 09, 2018 6:49 pm
Forum: General
Topic: GRE with IPsec only one network works, second doesn't
Replies: 1
Views: 205

Re: GRE with IPsec only one network works, second doesn't

This can be closed, found the problem, all networks work great now.
by akarpas
Tue Oct 09, 2018 5:30 pm
Forum: General
Topic: GRE with IPsec only one network works, second doesn't
Replies: 1
Views: 205

GRE with IPsec only one network works, second doesn't

OK, I have site A and B. Created GRE tunnel between site A and B. Site A networks x.x.x.x and y.y.y.y, site B network c.c.c.c, so have routed networks via tunnel. x.x.x.x works with c.c.c.c with no problem, all good. y.y.y.y doesn't work: c.c.c.c doesn't see y.y.y.y while y.y.y.y is able to ping c.c.c.c...
by akarpas
Wed Sep 19, 2018 1:02 pm
Forum: General
Topic: IPsec with preshared key security warning OS 6.43.1
Replies: 6
Views: 700

Re: IPsec with preshared key security warning OS 6.43.1

since 6.43
*) ipsec - added warning messages for incorrect peer configuration;

You can use what you want, it's just a reminder.
I understand this is a reminder, I know that everything can be broken, so let's say I would like to know how insecure it is now, let's say on a scale from 1 to 10.
by akarpas
Wed Sep 19, 2018 12:34 pm
Forum: General
Topic: IPsec with preshared key security warning OS 6.43.1
Replies: 6
Views: 700

IPsec with preshared key security warning OS 6.43.1

I have GRE with IPsec enabled with a preshared key. After the OS update to 6.43.1 I'm getting a warning that it's not a secure configuration and I should use certificates. But I don't see an option to use certificates for GRE secured with IPsec. Let's say my secret is 30 symbols long, so how successful would a hacker...
by akarpas
Tue Sep 18, 2018 1:18 am
Forum: General
Topic: IPsec IKEv2 can't find valid certificate [SOLVED]
Replies: 5
Views: 515

Re: IPsec IKEv2 can't find valid certificate [SOLVED]

You need to import also CA, not just client cert.
You are 100% right, this is what I have done today and it works perfectly. You just confirmed it and you are right as always, really appreciate your input.
by akarpas
Mon Sep 17, 2018 4:38 pm
Forum: General
Topic: IPsec IKEv2 can't find valid certificate [SOLVED]
Replies: 5
Views: 515

Re: IPsec IKEv2 can't find valid certificate [SOLVED]

Could someone show all steps for creating certs for IKEv2 for Windows 10?
by akarpas
Mon Sep 17, 2018 4:37 pm
Forum: General
Topic: IPsec IKEv2 can't find valid certificate [SOLVED]
Replies: 5
Views: 515

Re: IPsec IKEv2 can't find valid certificate [SOLVED]

On Windows, do you have the certificate in "local machine" store? If you put it in "local user" store, which I definitely did at first, because it was more logical when I wanted VPN only for that one user, it doesn't work.
Cert is installed on local machine, not user.
by akarpas
Sun Sep 16, 2018 5:50 pm
Forum: General
Topic: IPsec IKEv2 can't find valid certificate [SOLVED]
Replies: 5
Views: 515

IPsec IKEv2 can't find valid certificate [SOLVED]

Setting up an IKEv2 road warrior setup. Following the steps on the MikroTik wiki. Created CA, signed; created server cert signed with CA; created Windows client cert signed with CA. Exported the Windows client cert and installed it on Windows 10. No matter what I do I'm getting the error IKE failed to find valid cert on local...
by akarpas
Fri Aug 31, 2018 4:48 pm
Forum: General
Topic: Mikrotik bridge vlan and tp link switch +EAP
Replies: 0
Views: 306

Mikrotik bridge vlan and tp link switch +EAP

Hi geeks, need some help. I want to test and run on a TP-Link EAP two WiFi LANs, one tagged, one not.
1. MikroTik has a bridge; ports 2 to 4 are members of the bridge.
2. Bridge has an assigned LAN IP address.
3. VLAN 1010 is created and goes via the bridge.
4. No VLAN filtering enabled.
This MikroTik conf works g...
by akarpas
Wed Jun 13, 2018 5:49 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

Do you have location C's IP address added as an ipsec peer on the server or not??
OK, I have disabled the peer with the site C IP address on the L2TP server and it worked, but this means my IPsec tunnel (site to site) is down and it's not good.
by akarpas
Wed Jun 13, 2018 5:44 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

Do you have location C's IP address added as an ipsec peer on the server or not??
I have an IPsec tunnel between the server and site C, so yes, there is an IP on the site-to-site peer. I have disabled the tunnel on both sites, I mean the peers, IPsec policies and proposals on both sides; it didn't help.
by akarpas
Wed Jun 13, 2018 5:20 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

The settings on the router in the office don't matter. The settings on the home router do. If one of the home router's peers has the remote attribute set to the public IP address of the office, any IPsec ISAKMP request coming from that address matches on that peer rather than the one with remote=0....
by akarpas
Wed Jun 13, 2018 4:53 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

Check if any of the configured specific ipsec peer addresses match the office address you are connecting from. Looks to me that you have a peer with that IP and specified aes + modp1024. Yes, I have on the MikroTik router from where I'm connecting several IPsec tunnels (site to site) but they have their ...
by akarpas
Wed Jun 13, 2018 2:20 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

I don't get it. My settings are: /system logging add topics=ipsec and I filter the log using /log print follow-only where topics~"ipsec" And I have debug messages in the log which show the proposal coming from the peer, see example below. In your case, there are no debug messages. So something must...
by akarpas
Wed Jun 13, 2018 1:39 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

Logs say where the error is. ROS side has configured AES and MODP 1024, remote peer supports only 3des and 2048-bit MODP, 256-bit ECP, 384-bit ECP.
No, there is no AES and modp1024 set up at all; 3DES and modp2048 are set up and the VPN works from the other 2 or 3 sites but not from this one.
by akarpas
Wed Jun 13, 2018 1:10 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

What are your exact /system logging settings? I am surprised not to see the full list of transforms in the log, only the list of rejected ones.

All the debug and log settings are as you asked me to set them up.
by akarpas
Wed Jun 13, 2018 12:07 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

As said, I would like to see the log from proposal comparison for the successful and unsuccessful cases, otherwise we won't get anywhere. One thing one could easily imagine is some packet size limitation on one of the paths, causing the proposal to be truncated, except that the recipient should not...
by akarpas
Tue Jun 12, 2018 11:35 am
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

The same error or exactly the same complaints in the log?
10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
10:...
by akarpas
Mon Jun 11, 2018 2:44 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 58
Views: 11640

Re: L2TP IPSec (no suit proposal found)

OK. The log shows you what the peer (the Windows client) proposes, so configure the MikroTik's peer proposal in a compatible way (keep Hash Algorithm unchanged as there are no complaints, add 3des to Encryption Algorithm, and add modp2048 to DH Group) and try again. I tried, same results, and if ...