Search found 193 matches

by akarpas
Tue Apr 16, 2024 10:35 am
Forum: General
Topic: ROS V7 PPPoE static route
Replies: 1
Views: 193

Re: ROS V7 PPPoE static route

OK, after doing some labs I found it does gateway checking automatically; even if you open the immediate gateway on the route, it shows the gateway is being checked.
by akarpas
Mon Apr 15, 2024 5:23 pm
Forum: General
Topic: ROS V7 PPPoE static route
Replies: 1
Views: 193

ROS V7 PPPoE static route

In V6, if I use PPPoE with static route gateway ping enabled, all worked well, but in V7, if I have gateway check (ping) enabled, it stops working. If I uncheck the gateway check, all works well.
Does anyone else have the same issue?
by akarpas
Thu Jan 25, 2024 5:59 pm
Forum: General
Topic: Best 4G LTE modem with bridge mode support?
Replies: 0
Views: 377

Best 4G LTE modem with bridge mode support?

Lads, please advise. Whoever has real experience, can you advise me what would be the best Mikrotik 4G LTE modem/router that supports bridge mode? Want to use it in Ireland (EU).
Thanks in advance.
by akarpas
Fri May 12, 2023 5:16 pm
Forum: General
Topic: Lock VPN user to static IP
Replies: 2
Views: 385

Re: Lock VPN user to static IP

I think user-man with an attribute of framed-ip-address=x.x.x.x for that user. If the number of users is not large and you don't want to set up any Radius, you could also use remote-address=x.x.x.x. Yep, this is what I used to set the remote address, and created a firewall rule for what that address may acc...
by akarpas
Fri May 12, 2023 12:18 pm
Forum: General
Topic: Lock VPN user to static IP
Replies: 2
Views: 385

Lock VPN user to static IP

What would be the best option to make sure that a VPN user is using the IP address statically assigned to his VPN secret? In case the user edits the VPN client and puts in another IP, the Mikrotik would disable the VPN or would not allow it to connect.
by akarpas
Fri Mar 24, 2023 7:30 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 140262

Re: v7.8 [stable] is released!

OK, more and more people are reporting problems, so 7.8 is not that stable :) It needs a lot of fixes.
by akarpas
Thu Mar 23, 2023 5:00 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 140262

Re: v7.8 [stable] is released!

Hello guys, I have set up RB1100AHx4 switching, so some VLANs, some ports tagged, some untagged; all works fine on 6.49.7, but once I upgrade to 7.8 all VLANs stop working. I have to disable VLAN filtering on the bridge and re-enable it to start it working, but after a reboot of the router all stops wo...
by akarpas
Tue Mar 21, 2023 3:55 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 140262

Re: v7.8 [stable] is released!

Hello guys, I have set up RB1100AHx4 switching, so some VLANs, some ports tagged, some untagged; all works fine on 6.49.7, but once I upgrade to 7.8 all VLANs stop working. I have to disable VLAN filtering on the bridge and re-enable it to start it working, but after a reboot of the router all stops wor...
by akarpas
Fri Dec 23, 2022 12:12 am
Forum: General
Topic: What would be correct static routing and NAT for network 192.168.15.0/24 on R2 and why
Replies: 2
Views: 294

What would be correct static routing and NAT for network 192.168.15.0/24 on R2 and why

What would be correct static routing and NAT for network 192.168.15.0/24 on R2, and why? I think this would be handy for anyone learning networks.
by akarpas
Thu Sep 01, 2022 11:40 am
Forum: General
Topic: Help request for VLANs
Replies: 8
Views: 677

Re: VLANS

The only thing I would add is found below:
/interface vlan
add name=bridge1.10 interface=bridge1 vlan-id=10
add name=bridge1.20 interface=bridge1 vlan-id=20
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2,ether3 untagged=ether4
add bridge=bridge...
by akarpas
Wed Aug 31, 2022 9:34 pm
Forum: General
Topic: Help request for VLANs
Replies: 8
Views: 677

Re: VLANS

Thank you guys, you are stars :) I see now where I made a mistake. Once again a mil thanks for the support. I hope this post will help others as well!
by akarpas
Wed Aug 31, 2022 6:01 pm
Forum: General
Topic: Help request for VLANs
Replies: 8
Views: 677

Help request for VLANs

I know there are a lot of topics created but none of them gave me a positive result; I might be overthinking something. I work on RB1100AHx4 Dude Edition. Ether1 = WAN connection. Ether2 to 5 are members of bridge1. I have VLAN10 and VLAN20, VLAN1 as default. What I want is that VLAN10 and 20 will go tag...
by akarpas
Sun Jul 17, 2022 7:48 pm
Forum: Announcements
Topic: v7.3 and v7.3.1 [stable] is released!
Replies: 269
Views: 81225

Re: v7.3 and v7.3.1 [stable] is released!

Hey, is SSTP broken in OS v7? It works perfectly in version 6 but not in version 7. Certs chain to root problem.
by akarpas
Sat Jul 16, 2022 4:37 pm
Forum: General
Topic: Can Mikrotik Radius act as a Radius Server
Replies: 4
Views: 852

Re: Can Mikrotik Radius act as a Radius Server

RADIUS in the ROS menu is about RADIUS client settings (e.g. what RADIUS server to use, and how to connect to that server (port # and secret)). User manager acts as a RADIUS server for RADIUS client requests (it is an optional package to be installed). Most services are managed. But for wifi EAP/PEAP (usi...
by akarpas
Fri Jul 15, 2022 7:42 pm
Forum: General
Topic: Can Mikrotik Radius act as a Radius Server
Replies: 4
Views: 852

Re: Can Mikrotik Radius act as a Radius Server

You mean user-manager?
No, I was asking about the Radius option in the OS menu, but since you brought up user manager, I will ask if this can be used to authenticate 802.1x wired connections on a switch.
by akarpas
Fri Jul 15, 2022 12:41 pm
Forum: General
Topic: Can Mikrotik Radius act as a Radius Server
Replies: 4
Views: 852

Can Mikrotik Radius act as a Radius Server

Just a dummy question. Can Mikrotik Radius act as a Radius server for 802.1X switch port authentication on the network, or not?
Many thanks in advance.
by akarpas
Fri Jun 17, 2022 1:35 pm
Forum: General
Topic: CHR P1 Trial to P1 Perpetual still slow speed
Replies: 0
Views: 408

CHR P1 Trial to P1 Perpetual still slow speed

Hello, maybe someone has some experience and may advise on the problem. I have Dude on CHR; I had a P1 Trial License that I have upgraded to P1 Perpetual. After the upgrade my speeds are slow as hell, just in kbps, and it's supposed to give me 1Gbps per interface. Have restarted the Dude server a couple of times, tri...
by akarpas
Tue Jun 14, 2022 11:53 pm
Forum: General
Topic: Winbox creates add.txt file on desktop [SOLVED]
Replies: 6
Views: 962

Re: Winbox creates add.txt file on desktop [SOLVED]

OK, have fixed it; had to delete the folder Mikrotik/winbox in %appdata%/roaming. After deleting, all is back to normal.
by akarpas
Tue Jun 14, 2022 11:45 pm
Forum: General
Topic: Winbox creates add.txt file on desktop [SOLVED]
Replies: 6
Views: 962

Re: Winbox creates add.txt file on desktop [SOLVED]

What's in the add.txt file? 0o
All info about saved connections.
by akarpas
Tue Jun 14, 2022 11:43 pm
Forum: General
Topic: Winbox creates add.txt file on desktop [SOLVED]
Replies: 6
Views: 962

Re: Winbox creates add.txt file on desktop [SOLVED]

Probably you have downloaded winbox from the wrong site and now you have a surprise with winbox.....
Nope, downloaded from the official Mikrotik site!
by akarpas
Tue Jun 14, 2022 10:13 pm
Forum: General
Topic: Winbox creates add.txt file on desktop [SOLVED]
Replies: 6
Views: 962

Winbox creates add.txt file on desktop [SOLVED]

Downloaded Winbox on Windows 11 and on the first run it creates an add.txt file on the desktop, and I can't move it anywhere as when you run Winbox again it creates a new one. Is it just me getting this annoying file or are others getting it as well? I have Winbox on two other Windows 10 machines and none of them...
by akarpas
Fri May 27, 2022 11:30 pm
Forum: General
Topic: Where to order RB4011 iGS+RM and RB5009UG+S+IN routers in Ireland?
Replies: 8
Views: 1079

Re: Where to order RB4011 iGS+RM and RB5009UG+S+IN routers in Ireland?

This is the problem: "Call", "Query", but when you call or query or when you ask, the awaited stock answer you get is: "nobody knows, some day sooner or later" :/
by akarpas
Fri May 27, 2022 10:28 pm
Forum: General
Topic: Where to order RB4011 iGS+RM and RB5009UG+S+IN routers in Ireland?
Replies: 8
Views: 1079

Where to order RB4011 iGS+RM and RB5009UG+S+IN routers in Ireland?

Not sure if the topic is in the right place, but we are facing a problem. Urgently need some of both mentioned routers. The main reliable distributor in Ireland, senetic.ie, has none in stock; need to enquire, with no answer. Some other promoted distributors are just a joke or have only for their own needs....
by akarpas
Sat Apr 02, 2022 5:14 pm
Forum: Announcements
Topic: v7.1.4 and v7.1.5 is released!
Replies: 202
Views: 40103

Re: v7.1.4 and v7.1.5 is released!

When will SD card support be fixed for CCR1009-7G-1C-1S+ devices? Or is this problem completely ignored?
by akarpas
Sat Mar 26, 2022 3:48 pm
Forum: The Dude
Topic: Dude client slow loading
Replies: 3
Views: 2572

Re: Dude client slow loading

Thanks for the link; it has fully answered the question.
by akarpas
Sat Mar 26, 2022 3:46 pm
Forum: The Dude
Topic: Poor Dude performance.
Replies: 1
Views: 2577

Poor Dude performance.

OK, I have Dude installed on CHR (vhdx) on a Hyper-V. Assigned 2 CPUs, 4GB of RAM, 15GB of storage, P1 license to make sure of stable 1Gbps connections. So connecting via Dude client from a PC which has an i7 up to 5GHz, 32GB of RAM, SSD and so on. So if the site I add to Dude has around or up to 25 hosts per map...
by akarpas
Fri Mar 25, 2022 1:27 pm
Forum: The Dude
Topic: Dude client slow loading
Replies: 3
Views: 2572

Dude client slow loading

Hello geeks, I have installed a virtual router (Dude) on Hyper-V (vhdx file) and on a Synology NAS (vhdx); all works OK, nice, cool, but one thing that is really annoying is the Dude client loading times! It's so slow, in kbps only. Is it a limitation of the free license? If yes, where to get a proper license?
by akarpas
Fri Mar 25, 2022 1:23 pm
Forum: The Dude
Topic: How to import min into the Dude
Replies: 3
Views: 2364

Re: How to import min into the Dude

Thank you, lads; used FTP to create the folder and transfer the files.
by akarpas
Fri Mar 25, 2022 1:19 pm
Forum: The Dude
Topic: Dude client 7.1 and 7.1rc not working in Windows 11
Replies: 16
Views: 13345

Re: Dude client 7.1 and 7.1rc not working in Windows 11

My home router is a CCR 1009, OS v7. I have downloaded The Dude VHDX 6.49.5 and installed it as a virtual router on a Synology NAS. All works great, no problems, no crashes; it monitors my whole home network, having a good play with SNMP as I was able to set up a network map nearly the same as the physical layout. I'm ...
by akarpas
Thu Mar 24, 2022 5:28 pm
Forum: The Dude
Topic: How to import min into the Dude
Replies: 3
Views: 2364

How to import min into the Dude

I need to import sophos.min.txt into the Dude mibs folder but do not see any possibility to do it, neither via Dude nor via Winbox. Can somebody explain it to me? Followed some forum topics but got lost as I do not see the ability to create the folder dude/mibs/liebert. Can somebody bring in some light, as I got lost with such ...
by akarpas
Thu Mar 24, 2022 12:55 pm
Forum: The Dude
Topic: Deleted devices from local map, how to autoscan local network again?
Replies: 2
Views: 2144

Re: Deleted devices from local map, how to autoscan local network again?

Thanks, got that yesterday. Just quickly installed a fresh VHDX type Dude and checked the startup of discovery; after proper observation all was clear on how to manage this. But anyway, thanks mate, good advice.
by akarpas
Wed Mar 23, 2022 12:52 pm
Forum: The Dude
Topic: Deleted devices from local map, how to autoscan local network again?
Replies: 2
Views: 2144

Deleted devices from local map, how to autoscan local network again?

After installing the Dude, the local network was scanned automatically and mapped; playing around I made lots of mess and deleted all devices from the local map, thinking I would be able to do an auto rescan, but not only do I see I have to add networks to be scanned, I do not see the option to auto-scan the local net...
by akarpas
Fri Feb 25, 2022 2:30 pm
Forum: Announcements
Topic: v7.1.3 is released!
Replies: 251
Views: 56914

Re: v7.1.3 is released!

SD card still doesn't work on my CCR1009-7G-1C-1S+
by akarpas
Sun Jan 02, 2022 8:54 pm
Forum: General
Topic: Is it necessary for me to install a second firewall?
Replies: 4
Views: 2118

Re: Is it necessary for me to install a second firewall?

Yes, you can add a Sophos XG firewall in transparent mode between your Mikrotik facing the WAN and the LAN. The transparent mode works as a bridge for traffic from the Mikrotik to the LAN and from the LAN to the Mikrotik, and all this traffic is protected by the Sophos XG firewall. Really nice setup to protect a network, one I do...
by akarpas
Tue Dec 28, 2021 2:52 am
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 225770

Re: v7.1.1 is released!

Question: do you have an upgrade or a clean install? Is your hardware fully supported? Yes, it is fully supported, and I did an upgrade. 7.1 to 7.1.1 I would not expect to give major issues like that. I do not have a Tilera based system to test on, but everything I have upgraded has gone fine from 7.1 to...
by akarpas
Tue Dec 28, 2021 2:17 am
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 225770

Re: v7.1.1 is released!

It might have minor bugs; minor is acceptable, but not when the device gets into bricked mode where you have to re-image it. What version was it on before you upgraded? Re: Win11 I am on Windows 11 and am experiencing some extremely annoying bugs, mostly to do with 4K scaling and the start menu stops...
by akarpas
Tue Dec 28, 2021 1:57 am
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 225770

Re: v7.1.1 is released!

What release? It's considered to be a stable version, free of bugs, isn't it? "Free of bugs"? No, that's not what MikroTik's definition of "stable" means. You won't find any vendor where a "stable" release is 100% free of bugs, it just doesn't happen. "Stable" in Mikro...
by akarpas
Mon Dec 27, 2021 8:27 pm
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 225770

Re: v7.1.1 is released!

Looks like SD cards still do not mount on CCR1009-7G-1C-1S+, same on 7.2rc1.
For me the same on 7.1.1.
by akarpas
Mon Dec 27, 2021 8:25 pm
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 225770

Re: v7.1.1 is released!

Not sure why, but after the update, as I have said, my CCR 1009 didn't boot anymore; had to use Netinstall to reimage and now it's not recognising the microSD card, tried 2 of them, no luck. You could have read both of these things above. It really pays off to read the release topic before attempting to upgrade! wha...
by akarpas
Mon Dec 27, 2021 7:52 pm
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 225770

Re: v7.1.1 is released!

Not sure why, but after the update, as I have said, my CCR 1009 didn't boot anymore; had to use Netinstall to reimage and now it's not recognising the microSD card, tried 2 of them, no luck.
by akarpas
Mon Dec 27, 2021 4:59 pm
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 225770

Re: v7.1.1 is released!

Updated my CCR 1009, now it's bricked: not booting, not loading the kernel.
Had to reinstall using Netinstall; sad I had to do it, but it was a great experience in how to recover a device from such a problem.
by akarpas
Mon Dec 27, 2021 2:18 pm
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 225770

Re: v7.1.1 is released!

Updated my CCR 1009, now it's bricked: not booting, not loading the kernel.
by akarpas
Thu Sep 09, 2021 4:54 pm
Forum: General
Topic: IKEv2 Picking the wrong client cert installed on local PC cert store
Replies: 1
Views: 1105

Re: IKEv2 Picking the wrong client cert installed on local PC cert store

OK, made a query and later on found an answer in this topic: https://forum.mikrotik.com/viewtopic.php?f=2&t=139273&p=878614#p878614 Managed to tell Windows 10 which cert to use. Now, if you have more than one IKE2 RSA VPN's created, you should specify which certificate Windows should use, ...
by akarpas
Thu Sep 09, 2021 4:52 pm
Forum: General
Topic: IPsec IKE2 can find valid certificate [SOLVED]
Replies: 13
Views: 9700

Re: IPsec IKE2 can find valid certificate [SOLVED]

Mate, a million thanks to you for sharing the PowerShell part on how to make IKEv2 use the proper cert. Thanks again.
by akarpas
Thu Sep 09, 2021 3:43 pm
Forum: General
Topic: IKEv2 Picking the wrong client cert installed on local PC cert store
Replies: 1
Views: 1105

IKEv2 Picking the wrong client cert installed on local PC cert store

Hi geeks, I have IKEv2 set up to site A; all works great, no problems connecting, speed is OK, stable. I have made a setup to site B and guess what, it doesn't work. Config is OK, certs are installed as they have to be installed. But when I click to connect to site B, Windows 10 sends the site A client certi...
by akarpas
Tue Jul 13, 2021 9:31 pm
Forum: General
Topic: DUAL WAN no balance / possible errors with this routing config
Replies: 0
Views: 756

DUAL WAN no balance / possible errors with this routing config

I have found this configuration for dual WAN with no balance and simplified it, see below: Method 2 - Dual WAN failover with MULTIPLE remote host ping check (ISP1 - Static IP; ISP2 - PPPoE) We have two uplinks: MAIN (GW1 IP - 88.196.6.185) and BACKUP (GW2 - PPPoE IP: 10.10.1.1) - usually those gateway...
by akarpas
Thu Jul 01, 2021 1:22 pm
Forum: General
Topic: When would you use arp, proxy-arp and local-proxy-arp
Replies: 4
Views: 1624

Re: When would you use arp, proxy-arp and local-proxy-arp

Real-world scenario: If you can't distinguish the functions, and you do not have any desire to understand, leave the default values. Because if you change them, without any form of knowledge of what you are doing, you only risk making a mess. This is a very rude answer; I have gone through the Mikrotik wiki page...
by akarpas
Thu Jul 01, 2021 1:05 pm
Forum: General
Topic: When would you use arp, proxy-arp and local-proxy-arp
Replies: 4
Views: 1624

When would you use arp, proxy-arp and local-proxy-arp

When would you use arp, proxy-arp and local-proxy-arp? Please don't refer me to Mikrotik pages; give me a real-world scenario. Thank you in advance.
by akarpas
Mon Jun 28, 2021 11:51 pm
Forum: General
Topic: dual wan
Replies: 2
Views: 617

Re: dual wan

by akarpas
Mon Jun 28, 2021 8:50 pm
Forum: General
Topic: dual wan
Replies: 2
Views: 617

dual wan

Hi guys, testing this conf of dual WAN: Before the detailed example overview, in a setup where we have private IP addresses behind the public IP, we should configure source NAT:
/ip/firewall/nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade out-interface=ethe...
by akarpas
Fri Apr 23, 2021 12:53 pm
Forum: General
Topic: firewall rules in recursive wan failover set up
Replies: 2
Views: 838

firewall rules in recursive wan failover set up

Hei geeks, I have one router with dual WAN recursive failover set up; all works OK but I have some issues with some firewall rules.
add action=drop chain=forward in-interface=vlan10 out-interface=!ether1-WAN
add action=drop chain=forward in-interface=vlan11 out-interface=!ether1-WAN
add action=drop...
by akarpas
Fri Mar 19, 2021 1:25 pm
Forum: Wireless Networking
Topic: New in Mikrotik Wireless, need advice
Replies: 3
Views: 1280

New in Mikrotik Wireless, need advice

So as I said, I'm new to Mikrotik wireless, never used it before. One of my clients is in a place where no internet cable can be provided, so I'm looking for alternatives. I came to the LTE antenna LHGG LTE6 KIT. So is this antenna just an LTE modem, or does it have a fully functioning Mikrotik OS and can be used a...
by akarpas
Thu Mar 18, 2021 5:38 pm
Forum: General
Topic: Mikrotik + Sophos XG FW Winbox blocked if APP filter applied
Replies: 5
Views: 1534

Re: Mikrotik + Sophos XG FW Winbox blocked if APP filter applied

Found it. The Winbox app was considered as:
Application Detail
Name: Torrent Clients P2P
Category: P2P
Risk: Very High
Characteristics: Excessive Bandwidth, Loss of productivity, Vulnerabilities, Transfer files, Transfer files
Technology: P2P
Dependency: None
Applicable on: 16.01.0 Build 101 and above
Descript...
by akarpas
Thu Mar 18, 2021 5:11 pm
Forum: General
Topic: Mikrotik + Sophos XG FW Winbox blocked if APP filter applied
Replies: 5
Views: 1534

Re: Mikrotik + Sophos XG FW Winbox blocked if APP filter applied

Winbox is an app, so it makes sense that it would be blocked by whatever list the Sophos has for apps. There are several levels of policy with different app categories in them. The one I'm applying is level 5, considered the most dangerous apps on the net, and Winbox should not be in it. I was able to ...
by akarpas
Thu Mar 18, 2021 3:59 pm
Forum: General
Topic: Mikrotik + Sophos XG FW Winbox blocked if APP filter applied
Replies: 5
Views: 1534

Mikrotik + Sophos XG FW Winbox blocked if APP filter applied

I'm gonna be short; do not expect too many answers as this is not directly up to Mikrotik but more to Sophos, but maybe we have people who use Mikrotik with Sophos as well. So, scenario: Mikrotik router is an edge router/firewall + Sophos XG Firewall between the Mikrotik and the LAN in a transparent bridg...
by akarpas
Tue Mar 09, 2021 6:46 pm
Forum: Scripting
Topic: can't get X OR Y AND Z properly working
Replies: 4
Views: 1167

Re: can't get X OR Y AND Z properly working

BODMAS just went out of my mind when it came to Mikrotik scripting :D I'm new to Mikrotik scripting, but with your help, guys, I'm making progress. Thanks a mill again.
by akarpas
Tue Mar 09, 2021 6:29 pm
Forum: Scripting
Topic: can't get X OR Y AND Z properly working
Replies: 4
Views: 1167

Re: can't get X OR Y AND Z properly working

Note that (A || B && C) means (A || (B && C)) due to operator precedence, not ((A || B) && C). If you want the latter, you need to use parentheses as shown. It's like 1+2*3 is 7, not 9. Emil, thanks a mill for clearing this up; changed it as per your explanation and it works now...
by akarpas
Tue Mar 09, 2021 5:55 pm
Forum: Scripting
Topic: can't get X OR Y AND Z properly working
Replies: 4
Views: 1167

can't get X OR Y AND Z properly working

:if ([/ping 1.1.1.1 count=5] !=0 || [/ping 2.2.2.2 count=5] != 0 && [/interface vrrp get vrrp2 priority]=90) do={[/interface vrrp set vrrp2 priority=150]}
Let's say, to change the vrrp2 priority to 155, on a line to test if this line works. So by the logic, if host A or host B is pingable AND ...
by akarpas
Wed Mar 03, 2021 4:22 pm
Forum: Scripting
Topic: else -if
Replies: 6
Views: 9397

Re: else -if

Jotne, thank you, this worked like a charm; now I have a simple script with two host check-ups and different do scenarios. I really appreciate your advice.
by akarpas
Wed Mar 03, 2021 1:05 am
Forum: Scripting
Topic: else -if
Replies: 6
Views: 9397

Re: else -if

Script can be used for nearly all things, but do not use ping to test for IP up; use netwatch.
https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch

Do search the forum here for an example
Yeah, I understand, but I want to test two hosts instead of one before taking some action.
by akarpas
Tue Mar 02, 2021 3:48 pm
Forum: Scripting
Topic: else -if
Replies: 6
Views: 9397

Re: else -if

Yes, you can use as many if and else as you like. Example:
:if (version>=6.5) do={
  # Do some stuff
} else={
  # Do some other stuff
  :if (host=27) do={
    # Do some other stuff here
  }
}
Thanks, just another question: is the syntax OK if I want to ping host A and B and, if both are down, switch off C:
:if ([/ping 10.1...
by akarpas
Tue Mar 02, 2021 3:15 pm
Forum: Scripting
Topic: else -if
Replies: 6
Views: 9397

else -if

Can I use if after else?
if (safsafasfasfasfasfa);
else:
if(safasfsafasfasf)
Or is it not possible in Mikrotik scripting?
by akarpas
Wed Feb 17, 2021 11:25 am
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 3111

Re: How to connect vrrp'ed routers to wan (ISP)

The key here is the "policy routing" as mentioned above, which is a shortcut for "routing which takes into account not only the destination address but also other properties of the packet being routed". In particular, you have to distinguish from where a packet came in. If it ca...
by akarpas
Tue Feb 16, 2021 6:40 pm
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 3111

Re: How to connect vrrp'ed routers to wan (ISP)

As suggested by @tdw, you actually don't need any script if the primary default route of each router goes via its own WAN and the secondary one goes via the second router, and you use the script-free monitoring of transparency of both WANs, as described here. Or you can even use any of those fancy...
by akarpas
Tue Feb 16, 2021 11:38 am
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 3111

Re: How to connect vrrp'ed routers to wan (ISP)

Need a script which would monitor two hosts at minimum, such as 8.8.8.8 and 1.1.1.1; if both are down, disable the VRRP bridge, and if 8.8.8.8 OR 1.1.1.1 is up, do nothing or bring the VRRP bridge back up. So I would be hell happy with this scenario. Only I wouldn't be able to script this in the Mikrotik environment, so need to ...
by akarpas
Fri Feb 12, 2021 6:41 pm
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 3111

Re: How to connect vrrp'ed routers to wan (ISP)

So as I understand, the best option would be to stick one ISP on one router, let's say the cable ISP on the master router and DSL on the backup router. Next, set up the Netwatch tool to monitor 8.8.8.8 from the master router and if it gets to down state, allow it to switch off the VLAN for VRRP, or switch it back if ping to ...
by akarpas
Fri Feb 12, 2021 11:10 am
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 3111

How to connect vrrp'ed routers to wan (ISP)

Hi guys. I'm playing around with this topology. So on the LAN side everything is clear, configured and working (VRRP + RSTP + DHCP on server). But what about the WAN connections? For ISP 2 cable broadband I have only 1 static IP issued from the ISP, and ISP1 DSL connects via PPPoE and again a single static IP. So ...
by akarpas
Wed Feb 03, 2021 5:57 pm
Forum: General
Topic: need a cellular backup for CCR1009-7G-1C-1S+PC router
Replies: 7
Views: 1294

Re: need a cellular backup for CCR1009-7G-1C-1S+PC router

From another thread in May 2019 I got a reply from @support: Unfortunately, we cannot recommend any Smart Card for use in MikroTik devices. The Smart Card support in RouterOS requires significant rebuild and currently it is on hold due to higher priority projects. My question for MT staff, nowhere ...
by akarpas
Wed Feb 03, 2021 5:56 pm
Forum: General
Topic: need a cellular backup for CCR1009-7G-1C-1S+PC router
Replies: 7
Views: 1294

Re: need a cellular backup for CCR1009-7G-1C-1S+PC router

No, I think you interpret it wrong. "It can be used with any of our products that have miniPCIe slot". But CCR1009 does not have it. Products RB800 and RB4011 do have miniPCIe slot, but still it cannot be used in those. The CCR1009 has USB. You can use a 4G USB stick (not every model, but...
by akarpas
Wed Feb 03, 2021 3:32 pm
Forum: General
Topic: need a cellular backup for CCR1009-7G-1C-1S+PC router
Replies: 7
Views: 1294

Re: need a cellular backup for CCR1009-7G-1C-1S+PC router

Yes it has a SIM card slot, but I am not aware that it has a PCIe slot where you could install the R11e-LTE6. Where did you find that information? The SIM card slot on the CCR routers is afaik only used to store certificates for encryption protocols, and even that seems seldomly used and difficult ...
by akarpas
Wed Feb 03, 2021 2:51 pm
Forum: General
Topic: need a cellular backup for CCR1009-7G-1C-1S+PC router
Replies: 7
Views: 1294

need a cellular backup for CCR1009-7G-1C-1S+PC router

Hi guys. Have cable broadband connected to a CCR1009-7G-1C-1S+PC. Now thinking about the possibility to get cellular backup from any 4G provider. I see a device R11e-LTE6 PCIe card that might be installed in the CCR1009-7G-1C-1S+PC, and the CCR1009-7G-1C-1S+PC has a SIM card slot (smart card (mini-sim)). I can'...
by akarpas
Fri Jan 29, 2021 10:37 pm
Forum: General
Topic: Mikrotik PCI DSS External Vulnerability Scan
Replies: 5
Views: 1239

Re: Mikrotik PCI DSS External Vulnerability Scan

Thank you kindly for this link to the proper post where it was already answered by Mikrotik.
by akarpas
Thu Jan 28, 2021 6:35 pm
Forum: General
Topic: Mikrotik PCI DSS External Vulnerability Scan
Replies: 5
Views: 1239

Re: Mikrotik PCI DSS External Vulnerability Scan

You should check if your firewall is configured properly, because normally a router should have little reason to reply to UDP packets sent to it from the internet. It says the problem is with the kernel, the way the IP stack sends UDP packets; I doubt it's a firewall problem. I will extract the firewall configuration ...
by akarpas
Thu Jan 28, 2021 5:55 pm
Forum: General
Topic: Mikrotik PCI DSS External Vulnerability Scan
Replies: 5
Views: 1239

Mikrotik PCI DSS External Vulnerability Scan

Today we have got a PCI DSS External Vulnerability Scan on one of the sites where we have a Mikrotik router. All went OK except this: THREAT: The host transmits UDP packets with a constant IP Identification field. This behavior may be exploited to discover the operating system and approximate kernel v...
by akarpas
Sun Jul 19, 2020 11:40 pm
Forum: General
Topic: OpenVPN sloooow
Replies: 14
Views: 20585

Re: OpenVPN sloooow

by default, OpenVPN uses pfifo type queue, with queue size ~50packets. Make your openvpn interface static (if the link comes up, do copy and rename it). Now you have an interface, where you can change interface queue. Make a new queue type called openvpn-default, with type pfifo and size ~250 set t...
by akarpas
Sat Jul 18, 2020 12:17 pm
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

As I said works as a charm, no problems. Ok, I see. It works because you use only one port of the bridge (you basically can omit the bridge completely). Keep in mind, that in general, when multiple ports are used, that won't work properly without bridge vlan filtering: https://wiki.mikrotik.com/wik...
by akarpas
Sat Jul 18, 2020 2:01 am
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN simple inter-VLAN trunking, as Cisco say, router on a stick
by akarpas
Sat Jul 18, 2020 1:49 am
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

I completely skipped the switch part of the config, assuming that it was copied from my first posts in this thread regarding the OP case. But now, as I see that the whole part is missing, I have only one question - how on earth does it work in the first place? I guess it can somehow, if downstream ...
by akarpas
Sat Jul 18, 2020 1:38 am
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

I completely skipped the switch part of the config, assuming that it was copied from my first posts in this thread regarding the OP case. But now, as I see that the whole part is missing, I have only one question - how on earth does it work in the first place? I guess it can somehow, if downstream ...
by akarpas
Sat Jul 18, 2020 12:22 am
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

It's actually the lack of the vlan-filtering=yes setting on the bridge. Without it, the bridge doesn't enforce any VLAN settings.
Thanks mkx, will play around for study purposes, but the problem is resolved now; your advice is much appreciated!
by akarpas
Sat Jul 18, 2020 12:09 am
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

So proxy ARP is the problem? But I need it for VPN! Yes and no. Proxy ARP together with a lack of proper firewall rules are the reason for what you described above. It does!
add action=drop chain=forward out-interface=!ether1-WAN src-address=192.168.11.0/24
This rule allows guest wifi only access to ...
by akarpas
Fri Jul 17, 2020 11:31 pm
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

And btw your firewall also doesn't restrict communication between vlans. It does! add action=drop chain=forward out-interface=!ether1-WAN src-address=\ 192.168.11.0/24 This rule allows guest wifi access only to the internet out of the WAN port; all other traffic is blocked/dropped. So how to resolve the bridge ARP problem...
by akarpas
Fri Jul 17, 2020 11:23 pm
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

First line, and that's your answer:

/interface bridge
add arp=proxy-arp name=bridge-lan
So proxy ARP is the problem? But I need it for VPN!
by akarpas
Fri Jul 17, 2020 11:17 pm
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

I don't want to start arguing here, I know your expertise in Mikrotik is 100 times better than mine, but when this lad created this topic I have tested, and yes, when I'm logged in to the public tagged wifi and change the IP to one corresponding to my internal untagged LAN, my wifi-connected device gets full connectivity!!...
by akarpas
Fri Jul 17, 2020 10:59 pm
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

So when the guest connects to the guest WiFi and changes the IP received from guest DHCP to a static one corresponding to the bridge LAN, the guest gets access to the bridge LAN. Nope, it does not. Even if your firewall is not operating with interfaces instead of addresses. I don't want to start arguing here, I know you...
by akarpas
Fri Jul 17, 2020 10:38 pm
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

If you don't want the VLANs to be able to communicate with each other on layer 3, i.e. ICMP traffic, you should block this with firewall rules. Then regarding "duplicate ping packets", I think it will be best to show this in a packet capture as evidence; I personally don't think you should dis...
by akarpas
Fri Jul 17, 2020 6:28 pm
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

Disable IP forwarding on Mikrotik or on the end device?
On Mikrotik.
Could you be more specific on disabling IP forwarding? Thank you in advance, this topic is very good.
by akarpas
Fri Jul 17, 2020 4:54 pm
Forum: General
Topic: VLAN Isolation
Replies: 43
Views: 11641

Re: VLAN Isolation

Disable IP forwarding on the device.
Disable IP forwarding on Mikrotik or on the end device?
by akarpas
Thu Jul 16, 2020 2:26 pm
Forum: General
Topic: OpenVPN local traffic goes via local WAN
Replies: 0
Views: 672

OpenVPN local traffic goes via local WAN

OK, in short, I have configured OpenVPN (client to server), all good, connection established, I may ping and access all I need on the remote side. But the problem is my local client-side traffic does not go via the tunnel but just out via the local WAN connection. If I check the IP, it shows the local WAN IP, not the OpenVPN ser...
by akarpas
Sat Jun 27, 2020 7:49 pm
Forum: General
Topic: Slow road worrior VPN speed from client to server
Replies: 7
Views: 4278

Re: Slow road worrior VPN speed from client to server

In Site 1 via VPN tunnel 40Mbps of download and 30Mbps of upload is the maximum you can theoretically get (restricted by Site 1 and Site 2 upload speeds). It should not be the case but sounds logical, but I have said if I use a Sophos router on site 2 I'm getting more than 100Mbps speed on site 1 via L2TP...
by akarpas
Sat Jun 27, 2020 7:19 pm
Forum: General
Topic: Proper firewall rule to block outgoing port 25.
Replies: 4
Views: 6312

Re: Proper firewall rule to block outgoing port 25.

In the default firewall configuration, adding it to the end of the forward chain will do.
Thank you kindly!!!
by akarpas
Sat Jun 27, 2020 7:12 pm
Forum: General
Topic: Proper firewall rule to block outgoing port 25.
Replies: 4
Views: 6312

Re: Proper firewall rule to block outgoing port 25.

If placed in a correct position in the chain, and if ether2 is your WAN interface, then yes. And the protocol=tcp one should be sufficient, I don't think any SMTP server listens on UDP. By saying "correct position", what should it be if, let's say, the default firewall configuration is used?
by akarpas
Sat Jun 27, 2020 7:01 pm
Forum: General
Topic: Proper firewall rule to block outgoing port 25.
Replies: 4
Views: 6312

Proper firewall rule to block outgoing port 25.

A mail server is installed on the network, I need to block outgoing 25 but allow this for the mail server. Are these two rules enough to make sure nobody else except the mail server can do port 25 out? add action=drop chain=forward comment=\ "Drop Non Mail Srv SMTP Out 25" dst-port=25 out-inte...
by akarpas
Wed Jun 24, 2020 10:43 pm
Forum: General
Topic: Slow road worrior VPN speed from client to server
Replies: 7
Views: 4278

Re: Slow road worrior VPN speed from client to server

Anyone else, any ideas?
by akarpas
Sun Jun 21, 2020 2:39 pm
Forum: General
Topic: Slow road worrior VPN speed from client to server
Replies: 7
Views: 4278

Re: Slow road worrior VPN speed from client to server

Could it be something related to firewall FastTrack rule? Even I have two IPSec IN and OUT excluding rules above fasttrack rule and it doesn't count any packets as it would if I had a site to site tunnel. Fasttracking only interferes with IPsec processing, queueing, and marking in firewall of packe...
by akarpas
Sat Jun 20, 2020 3:43 pm
Forum: General
Topic: Slow road worrior VPN speed from client to server
Replies: 7
Views: 4278

Re: Slow road worrior VPN speed from client to server

The only thing to come to my mind - the default-profile under /interface l2tp-server server is set to default-encryption by default. But this activates the MPPE encryption, which is a) done in software, so may slow down the connection, and b) is useless as the L2TP packets are encrypted using IPsec...
by akarpas
Fri Jun 19, 2020 6:13 pm
Forum: General
Topic: Slow road worrior VPN speed from client to server
Replies: 7
Views: 4278

Slow road worrior VPN speed from client to server

L2TP VPN.PNG Hello Guys! So in the picture, I have described the L2TP Road Warrior connection, the device models used and the ISP service provided. Setup is OK, connection is OK, stable, no problems. The only problem is slow VPN speed. In Site 1 the PC (L2TP client) is able to receive only max 40Mbps of download an...
by akarpas
Wed Jun 03, 2020 10:21 pm
Forum: General
Topic: How to exclude more then one Connection Mark in Firewall fasttrack rule?
Replies: 2
Views: 1393

Re: How to exclude more then one Connection Mark in Firewall fasttrack rule?

As you probably want to exclude any marked connections from fasttracking, you can set connection-mark=no-mark in the action=fasttrack-connection rule, instead of connection-mark=!vpn-mark.
Thank you a mill, will test tomorrow.
by akarpas
Wed Jun 03, 2020 8:48 pm
Forum: General
Topic: How to exclude more then one Connection Mark in Firewall fasttrack rule?
Replies: 2
Views: 1393

How to exclude more then one Connection Mark in Firewall fasttrack rule?

How to exclude more than one Connection Mark in Firewall Fasttrack rule? I have Express VPN set up on my Mikrotik, all works good, but if I want to change location all the time I have to go to the P"TP client and change the server URL. I got the idea just to create two L2TP clients pointing to diffe...
by akarpas
Fri Mar 27, 2020 2:44 pm
Forum: General
Topic: /system routerboard ypgrade
Replies: 1
Views: 1153

Re: /system routerboard ypgrade

OK, found the solution:
/system routerboard upgrade
/yes

worked as a charm
by akarpas
Fri Mar 27, 2020 2:41 pm
Forum: General
Topic: /system routerboard ypgrade
Replies: 1
Views: 1153

/system routerboard ypgrade

Hi guys, I want to do bulk Mikrotik RouterBOARD firmware upgrades. The thing stopping me: after the line /system routerboard upgrade I have to hit enter and type in yes or no to confirm. Is there any way I can write it on the same line and have it accepted, something like: /system routerboard upgrade | yes or...
by akarpas
Thu Feb 20, 2020 7:19 pm
Forum: General
Topic: Unusable speed Mikrotik-ExpressVPN(L2TP)
Replies: 16
Views: 6908

Re: Unusable speed Mikrotik-ExpressVPN(L2TP)

/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no src-address=192.168.x.x/24 comment=xxx connection-state=new add action=fasttrack-connection routing-mark=vpn connection-state=new If you switch to IKEv2 then you double the speed of 70 MBit/s to around 1...
by akarpas
Thu Feb 20, 2020 5:58 pm
Forum: General
Topic: Unusable speed Mikrotik-ExpressVPN(L2TP)
Replies: 16
Views: 6908

Re: Unusable speed Mikrotik-ExpressVPN(L2TP)

/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no src-address=192.168.x.x/24 comment=xxx connection-state=new add action=fasttrack-connection routing-mark=vpn connection-state=new If you switch to IKEv2 then you double the speed of 70 MBit/s to around 1...
by akarpas
Thu Feb 20, 2020 4:54 pm
Forum: General
Topic: Unusable speed Mikrotik-ExpressVPN(L2TP)
Replies: 16
Views: 6908

Re: Unusable speed Mikrotik-ExpressVPN(L2TP)

/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no src-address=192.168.x.x/24 comment=xxx connection-state=new add action=fasttrack-connection routing-mark=vpn connection-state=new If you switch to IKEv2 then you double the speed of 70 MBit/s to around 1...
by akarpas
Wed Feb 19, 2020 6:38 pm
Forum: General
Topic: Unusable speed Mikrotik-ExpressVPN(L2TP)
Replies: 16
Views: 6908

Re: Unusable speed Mikrotik-ExpressVPN(L2TP)

BTW they also support IKEv2 which is much better. You can follow the NordVPN instructions. You have to find out which root certificate ExpressVPN is using and load that in the router. Yeah, IKEv2 would be better, but at first I want to understand this to the end, as if I disable FastTrack on firewal...
by akarpas
Wed Feb 19, 2020 6:16 pm
Forum: General
Topic: Unusable speed Mikrotik-ExpressVPN(L2TP)
Replies: 16
Views: 6908

Re: Unusable speed Mikrotik-ExpressVPN(L2TP)

This is done in Mangle by mark-routing in your case. Then only fasttrack traffic that is not marked to be routed through that VPN connection. Only mark new traffic for fasttracking. BTW they also support IKEv2 which is much better. You can follow the NordVPN instructions. You have to find out which ro...
by akarpas
Wed Feb 19, 2020 4:41 pm
Forum: General
Topic: Unusable speed Mikrotik-ExpressVPN(L2TP)
Replies: 16
Views: 6908

Re: Unusable speed Mikrotik-ExpressVPN(L2TP)

Traffic going through a VPN can not be fasttracked, so please check if your traffic is not fasttracked. OK, maybe my question will be too silly, but how should I make sure that the LAN which goes via VPN is not fast-tracked while all other traffic not going via VPN is fast-tracked? Thanks for the advice in adv...
by akarpas
Wed Feb 19, 2020 11:25 am
Forum: General
Topic: Unusable speed Mikrotik-ExpressVPN(L2TP)
Replies: 16
Views: 6908

Unusable speed Mikrotik-ExpressVPN(L2TP)

So, quickly, I need some advice. I set up an L2TP client to ExpressVPN, all works, but the speed is very slow, basically unusable; broadband speed is 70Mbps, not much, but tunnel speed drops to something like 3 to 10Mbps, and it also looks like it has connection gaps or DNS problems, as connectivity t...
by akarpas
Wed Feb 12, 2020 2:31 pm
Forum: General
Topic: Hotspot captive portal prevent automatic close on redirect after login
Replies: 28
Views: 31481

Re: Hotspot captive portal prevent automatic close on redirect after login

I found a way around this. It works like charm and have no issues.
So what is the workaround?
by akarpas
Tue Feb 11, 2020 10:45 pm
Forum: General
Topic: hotspot without login and redirection to promotional website
Replies: 0
Views: 2914

hotspot without login and redirection to promotional website

Hi guys. So I decided to play around with the Mikrotik feature: hotspot! Basically what I need is when the user connects to wifi he doesn't have to authenticate and is redirected to the promotional website. I found this locked topic. "That's much simpler than you think. First, create a user pro...
by akarpas
Tue Jun 25, 2019 5:42 pm
Forum: General
Topic: Mikrotik DHCP with redundant links.
Replies: 4
Views: 1500

Re: Mikrotik DHCP with redundant links.

Hey. You can practice with HSRP in Cisco Packet Tracer. And with VRRP in MikroTik world.
There is nothing to practice; both VRRP and HSRP bring the same problem, that's why I don't want to put DHCP on L3 switches.
On Cisco both VRRP and HSRP are supported.
by akarpas
Tue Jun 25, 2019 4:42 pm
Forum: General
Topic: Mikrotik DHCP with redundant links.
Replies: 4
Views: 1500

Mikrotik DHCP with redundant links.

So in the picture you may see the structure of the network. Any advice is appreciated. What would be the best way to set up DHCP so that VLAN devices are getting IP if one of the L3 devices is down? At the moment I see only one option: to supernet the IP, divide it in half and create two DHCPs with ...
by akarpas
Wed Jun 12, 2019 2:31 pm
Forum: General
Topic: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]
Replies: 3
Views: 2165

Re: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]

Thank you, would you have more info on the PowerShell workaround?
Sorted out, thank you again.
by akarpas
Wed Jun 12, 2019 2:31 pm
Forum: General
Topic: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED]
Replies: 7
Views: 10458

Re: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED] [SOLVED]

Hi, I have found the solution if someone should come across the same problem. So the solution is to use PowerShell and specify the CA to use; here is the example. Set-VpnConnection -Name "My VPN Connection" -MachineCertificateIssuerFilter 'C:\mycerts\cert_export_MikrotikIKEv2-CA.crt' Now ...
by akarpas
Wed Jun 12, 2019 1:35 pm
Forum: General
Topic: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED]
Replies: 7
Views: 10458

Re: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED] [SOLVED]

Hi, I have found the solution if someone should come across the same problem. So the solution is to use PowerShell and specify the CA to use; here is the example. Set-VpnConnection -Name "My VPN Connection" -MachineCertificateIssuerFilter 'C:\mycerts\cert_export_MikrotikIKEv2-CA.crt' Now ...
by akarpas
Wed Jun 12, 2019 1:12 pm
Forum: General
Topic: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]
Replies: 3
Views: 2165

Re: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]

Thank you, would you have more info on the PowerShell workaround?
by akarpas
Wed Jun 12, 2019 12:35 pm
Forum: General
Topic: IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]
Replies: 3
Views: 2165

IKEv2 RW VPN set up number limitation in WIN 10 [SOLVED]

So I have IKEv2 RW set up to my home based on cert, all works perfectly. I have IKEv2 RW set up on the office Mikrotik router as well, so when I set up a profile on Win 10 to connect to the office I'm getting the error "IKE authentication credentials are unacceptable". Does this mean IKEv2 is not able to take the ...
by akarpas
Fri May 24, 2019 11:35 am
Forum: General
Topic: IKEv2 for Windows and iOS
Replies: 10
Views: 2012

Re: IKEv2 for Windows and iOS

Next, I found that one location from where IKEv2 refuses to connect has double NAT. Is there somehow a way to go through double NAT, as L2TP does it successfully? Double NAT should not be an issue as such, but maybe one of the NATs is doing more or less than a plain NAT. Hm, the site from which I can't c...
by akarpas
Thu May 23, 2019 6:01 pm
Forum: General
Topic: IKEv2 for Windows and iOS
Replies: 10
Views: 2012

Re: IKEv2 for Windows and iOS

I have 3 cert, Certificate authority, Server and Client. Now wait - 3 cert exactly as listed (CA, Server, Client) or 3 cert, one per each client (1 × Win and 2 × iOS) plus CA plus Server? Using the same certificate for all 3 clients may not be wrong but would be unusual. devices are not on the same...
by akarpas
Thu May 23, 2019 2:47 pm
Forum: General
Topic: IKEv2 for Windows and iOS
Replies: 10
Views: 2012

Re: IKEv2 for Windows and iOS

I have 3 cert, Certificate authority, Server and Client. Now wait - 3 cert exactly as listed (CA, Server, Client) or 3 cert, one per each client (1 × Win and 2 × iOS) plus CA plus Server? Using the same certificate for all 3 clients may not be wrong but would be unusual. devices are not on the same...
by akarpas
Thu May 23, 2019 11:43 am
Forum: General
Topic: IKEv2 for Windows and iOS
Replies: 10
Views: 2012

Re: IKEv2 for Windows and iOS

Does "on the same network" mean "coming from the same public IP as seen by the IPsec responder because the Windows and iOS devices are on a LAN of some NATing router"? devices are not on the same LAN, but under the same Public IP and the same NAT, I have 3 cert, Certificate auth...
by akarpas
Wed May 22, 2019 5:53 pm
Forum: General
Topic: IKEv2 for Windows and iOS
Replies: 10
Views: 2012

IKEv2 for Windows and iOS

Is it possible to configure IKEv2 to work for Windows and iOS platforms at the same time?
I have IKEv2 working for Windows but can't get it working for iOS, and whatever I do, when I try to connect the iPad it kills the connection on Windows PCs within the same network.
by akarpas
Sun Mar 10, 2019 12:54 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

Thanks for the mangle rule, yes it registers or logs packets coming via the firewall from outside (internet). That mangle rule sees packets from outside that already passed through the router and are leaving via the interface where y.y.y.y is connected to. You try the reverse rule, to see if anything is coming back...
by akarpas
Sat Mar 09, 2019 3:39 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

akarpas, I don't think you need any of those rules for the following reasons. Layer two separation is achieved by using different LANs, using bridges, using VLANs. Thus two LANs are not layer 2 connected. Two bridges are not layer 2 connected. A LAN (subnet) and a bridge are not layer two connected. A VL...
by akarpas
Sat Mar 09, 2019 3:32 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

akarpas, I don't think you need any of those rules for the following reasons. Layer two separation is achieved by using different LANs, using bridges, using VLANs. Thus two LANs are not layer 2 connected. Two bridges are not layer 2 connected. A LAN (subnet) and a bridge are not layer two connected. A VL...
by akarpas
Sat Mar 09, 2019 3:20 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

Means I accidentally posted the same thing twice!
Please provide a diagram as I do not understand your setup.
Have attached simple network diagram
by akarpas
Sat Mar 09, 2019 2:49 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

You can either use Tools->Torch on the interface where y.y.y.y is connected to and look for packets to y.y.y.y:<2000-2015>, or you can do the same using a logging rule: /ip firewall mangle add chain=postrouting dst-address=y.y.y.y protocol=tcp dst-port=2000-2015 action=log If you see any packets, it means they suc...
by akarpas
Fri Mar 08, 2019 11:34 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

duplicate post
Why duplicate post?
by akarpas
Fri Mar 08, 2019 11:33 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

Okay, some things I noted. In general only use the word LAN for one particular purpose; you have LAN all over the place and it's confusing. (1) /interface bridge port for WIFI missing (and by the way the ethernet definition for wlan is also missing)??? Something like /interface bridge port add bridge=bridge L...
by akarpas
Fri Mar 08, 2019 10:07 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

post your complete config /export hide-sensitive file=yourlatestconfig # mar/08/2019 19:50:36 by RouterOS 6.44 # software id = GJR0-2DJD # # model = RouterBOARD 3011UiAS # serial number = xxxxxxxxxx /interface bridge add arp=proxy-arp name="bridge LAN" add name="bridge LAN CCTV"...
by akarpas
Fri Mar 08, 2019 6:23 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

add action=dst-nat chain=dstnat connection-type="" dst-address=a.a.a.a \ dst-port=2000-2015 in-interface=ether1-WAN protocol=tcp to-addresses=\ y.y.y.y Other than the bolded bit your rule looks right, not saying the bolded part is incorrect just dont use it. For your information, all port...
by akarpas
Fri Mar 08, 2019 4:01 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

Re: forwarded ports are closed

- ISP can be blocking some ports (check dstnat rule's packet counter if there's incoming traffic) - you may have some mistake in "/ip firewall filter" (check with torch or logging rule in postrouting if packets pass through router) - there can be some problem on a.a.a.a, service not runni...
by akarpas
Fri Mar 08, 2019 3:02 pm
Forum: General
Topic: forwarded ports are closed
Replies: 20
Views: 4413

forwarded ports are closed

/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1-WAN src-address=\ x.x.x.x/24 add action=masquerade chain=srcnat out-interface=ether1-WAN src-address=\ y.y.y.y/24 add action=masquerade chain=srcnat out-interface=ether1-WAN src-address=\ z.z.z.z/22 add action=dst-nat chain=dst...
by akarpas
Sat Mar 02, 2019 12:25 pm
Forum: General
Topic: huge amount of TCP DNS queries from outside
Replies: 6
Views: 1514

huge amount of TCP DNS queries from outside

So we found that the router was compromised, so we have cleaned it and properly secured it, but from this moment the router is receiving a huge amount of packets coming from outside to DNS TCP; of course, as I have said, all this is secured and outside DNS queries are dropped. But all this traffic coming to my r...
by akarpas
Thu Dec 20, 2018 5:00 pm
Forum: General
Topic: Microtik ISP failower with the same IP
Replies: 0
Views: 745

Microtik ISP failower with the same IP

My question is: is it possible with Mikrotik to configure WAN failover keeping the main ISP IP working? What I mean is, let's say we have 2 ISPs: ISP 1 gives IP x.x.x.x/x, ISP2 gives IP y.y.y.y/y. So if ISP 1 fails, ISP2 takes over, but the IP of ISP 1 is still working and used as the main one. I'm asking this ques...
by akarpas
Wed Dec 12, 2018 4:45 pm
Forum: General
Topic: Cant ping scales from A to B but can fro C to B via IPSEC tunel
Replies: 0
Views: 651

Cant ping scales from A to B but can fro C to B via IPSEC tunel

So in short I have scales in site B; I can ping the scales from any other site but not from site A, pinging via IPSec tunnel. From site A I may ping any other device on the network, such as switch, AP, PC, all of them are OK to ping, but not the scales. As mentioned, I am able to ping the scales from any other site via IPSec...
by akarpas
Mon Oct 22, 2018 12:46 pm
Forum: General
Topic: what vpn protocol in client to server conf supports multi connection from the same network behind the NAT
Replies: 0
Views: 620

what vpn protocol in client to server conf supports multi connection from the same network behind the NAT

What VPN protocol in client to server conf supports multi connection from the same network behind the NAT?

PPTP is not an option
L2TP doesn't support it, not an option
OpenVPN doesn't support UDP, not an option.
IKEv2, what about this one??????????
by akarpas
Thu Oct 18, 2018 9:16 am
Forum: General
Topic: Cant ping one network device via GRE while able to ping all other devices.
Replies: 3
Views: 1128

Re: Cant ping one network device via GRE while able to ping all other devices.

And nothing special about x.x.x.10 in mikrotikB config?
No firewall/NAT?
On router B in NAT I have just a usual masquerade rule and some port forward rules; in the firewall just a basic firewall, nothing that would stop computers on A pinging a specific device on site B, even though I can ping it from the A router.
by akarpas
Wed Oct 17, 2018 11:59 pm
Forum: General
Topic: Cant ping one network device via GRE while able to ping all other devices.
Replies: 3
Views: 1128

Cant ping one network device via GRE while able to ping all other devices.

OK, I have added a simple network picture to simplify my description. 3 sites A, B and C. GRE tunnel between A and B, GRE tunnel between C and B. GRE tunnels work, no problem! On site B I have device x.x.x.10; I'm able to ping that device from site C via tunnel, as well as all other devices on that network....
by akarpas
Tue Oct 09, 2018 6:49 pm
Forum: General
Topic: GRE with IPSec only one ntwork works second no
Replies: 1
Views: 675

Re: GRE with IPSec only one ntwork works second no

This can be closed, found the problem, all networks work great now.
by akarpas
Tue Oct 09, 2018 5:30 pm
Forum: General
Topic: GRE with IPSec only one ntwork works second no
Replies: 1
Views: 675

GRE with IPSec only one ntwork works second no

OK, I have site A and B. Created GRE tunnel between site A and B. Site A networks x.x.x.x and y.y.y.y, site B networks c.c.c.c, so I have routed networks via the tunnel. x.x.x.x works with c.c.c.c with no problem, all good; y.y.y.y doesn't work. c.c.c.c doesn't see y.y.y.y while y.y.y.y is able to ping c.c.c.c...
by akarpas
Wed Sep 19, 2018 1:02 pm
Forum: General
Topic: IPSec with preshared key security warning os. 6.43.1
Replies: 6
Views: 13023

Re: IPSec with preshared key security warning os. 6.43.1

since 6.43
*) ipsec - added warning messages for incorrect peer configuration;

You can use what you want, it's just reminder.
I understand this is a reminder, I know that everything can be broken, so let's say I would like to know how insecure it is now, let's say on a scale from 1 to 10.
by akarpas
Wed Sep 19, 2018 12:34 pm
Forum: General
Topic: IPSec with preshared key security warning os. 6.43.1
Replies: 6
Views: 13023

IPSec with preshared key security warning os. 6.43.1

I have GRE with IPSec enabled with a preshared key. After the OS update to 6.43.1 I'm getting a warning that it's not a secure configuration and I should use certificates. But I don't see an option to use certificates for GRE secured with IPSec. Let's say my secret is 30 symbols long, so how successful a hacker would...
by akarpas
Tue Sep 18, 2018 1:18 am
Forum: General
Topic: IPsec IKE2 can find valid sertificate [SOLVED]
Replies: 13
Views: 9700

Re: IPsec IKE2 can find valid sertificate [SOLVED]

You need to import also CA, not just client cert.
You are 100% right, this is what I have done today and it works perfectly, you just confirmed it and you are right as always, really appreciate your input.
by akarpas
Mon Sep 17, 2018 4:38 pm
Forum: General
Topic: IPsec IKE2 can find valid sertificate [SOLVED]
Replies: 13
Views: 9700

Re: IPsec IKE2 can find valid sertificate [SOLVED]

Could someone show all the steps for creating certs for IKEv2 for Windows 10?
by akarpas
Mon Sep 17, 2018 4:37 pm
Forum: General
Topic: IPsec IKE2 can find valid sertificate [SOLVED]
Replies: 13
Views: 9700

Re: IPsec IKE2 can find valid sertificate [SOLVED]

On Windows, do you have the certificate in "local machine" store? If you put it in "local user" store, which I definitely did at first, because it was more logical when I wanted VPN only for that one user, it doesn't work.
Cert is installed on local machine, not user.
by akarpas
Sun Sep 16, 2018 5:50 pm
Forum: General
Topic: IPsec IKE2 can find valid sertificate [SOLVED]
Replies: 13
Views: 9700

IPsec IKE2 can find valid sertificate [SOLVED]

Setting up IKEv2 road warrior set up. Following steps on the Mikrotik wiki. Created CA, signed; created server cert signed with CA; created Windows client cert signed with CA. Exported the Windows client cert and installed it on Windows 10. No matter what I do, getting error: IKE failed to find valid cert on local...
by akarpas
Fri Aug 31, 2018 4:48 pm
Forum: General
Topic: Mikrotik bridge vlan and tp link switch +EAP
Replies: 0
Views: 871

Mikrotik bridge vlan and tp link switch +EAP

Hi geeks, need some help. I want to test and run on TP-Link EAP two wifi LANs, one tagged, one not. 1. Mikrotik has a bridge, ports 2 to 4 are members of the bridge. 2. Bridge has an assigned LAN IP address. 3. VLAN 1010 is created and goes via the bridge. 4. No VLAN filtering enabled. This Mikrotik conf works g...
by akarpas
Wed Jun 13, 2018 5:49 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Do you have location's C IP address added as ipsec peer on the server or not??
OK, I have disabled the peer with the C site IP address on the L2TP server and it worked, but this means my IPsec tunnel is down (site to site) and it's not good.
by akarpas
Wed Jun 13, 2018 5:44 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Do you have location's C IP address added as ipsec peer on the server or not??
I have an IPsec tunnel between the server and site C, so yes there is an IP on the site to site peer; I have disabled the tunnel on both sites, I mean peers, IPsec policies, proposals on both sides, it didn't help.
by akarpas
Wed Jun 13, 2018 5:20 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

The settings on the router in the office don't matter. The settings on the home router do. If one of the home router's peers has the remote attribute set to the public IP address of the office, any IPsec ISAKMP request coming from that address matches on that peer rather than the one with remote=0....
by akarpas
Wed Jun 13, 2018 4:53 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Check if any of the configured specific IPsec peer addresses do not match the office address you are connecting from. Looks to me that you have a peer with that IP and specified aes + modp1024. Yes, I have on the Mikrotik router from where I'm connecting several IPSec tunnels (site to site) but they have their ...
by akarpas
Wed Jun 13, 2018 2:20 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

I don't get it. My settings are: /system logging add topics=ipsec and I filter the log using /log print follow-only where topics~"ipsec" And I have debug messages in the log which show the proposal coming from the peer, see example below. In your case, there are no debug messages. So some...
by akarpas
Wed Jun 13, 2018 2:09 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

I don't get it. My settings are: /system logging add topics=ipsec and I filter the log using /log print follow-only where topics~"ipsec" And I have debug messages in the log which show the proposal coming from the peer, see example below. In your case, there are no debug messages. So some...
by akarpas
Wed Jun 13, 2018 1:39 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Logs say where the error is. ROS side has configured AES and MODP 1024; remote peer supports only 3DES and 2048-bit MODP, 256-bit ECP, 384-bit ECP.
No, there is no AES and MODP 1024 set up at all; 3DES and MODP 2048 are set up, and VPN works from the other 2 or 3 sites but not from this one.
by akarpas
Wed Jun 13, 2018 1:10 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

What are your exact /system logging settings? I am surprised not to see the full list of transforms in the log, only the list of rejected ones.

All the debug and log settings are as you have asked me to set up.
by akarpas
Wed Jun 13, 2018 12:07 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

As said, I would like to see the log from proposal comparison for the successful and unsuccessful cases, otherwise we won't get anywhere. One thing one could easily imagine is some packet size limitation on one of the paths, causing the proposal to be truncated, except that the recipient should not...
by akarpas
Tue Jun 12, 2018 11:35 am
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

The same error or exactly the same complaints in the log? 10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group 10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group 10:...
by akarpas
Mon Jun 11, 2018 8:17 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

The same error or exactly the same complaints in the log? 10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group 10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group 10:...
by akarpas
Mon Jun 11, 2018 2:44 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

OK. The log shows you what the peer (the windows client) proposes, so configure the Mikrotik's peer proposal in a compatible way (keep Hash Algorithm unchanged as there are no complaints, add 3des to Encryption Algorithm, and add modp2048 to DH Group) and try again. I tried the same results and if ...
by akarpas
Mon Jun 11, 2018 1:43 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

So the Windows client in the office is a different one from the one you use to test it at home? Or it is the very same laptop you use at both places?
Yes, it's the same laptop used in both places.
by akarpas
Mon Jun 11, 2018 12:29 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

OK. So do the same what you did with l2tp: /system logging add topics=ipsec Then, start /log print follow-only file=ipsec-log where topics~"ipsec" , try to connect the VPN client, and when it fails, stop the /log print and download the file. Then use find&replace to obfuscate the addr...
by akarpas
Mon Jun 11, 2018 11:30 am
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Does the 'Tik running the L2TP/IPsec server have a public IP address directly on itself or you use dst-nat on some device between that 'Tik and the internet?
The Mikrotik router is bridged with the ISP gateway device, so the static IP is on the Mikrotik; all NAT is done by the Mikrotik.
by akarpas
Mon Jun 11, 2018 11:00 am
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Glad to help. tunnel in IPsec is related to the way how plaintext packets are encapsulated into IPsec transport ones, and it is correct that for the L2TP the tunnel mode is not used. As the establishment of L2TP session got that far, the ISP had nothing to do with the issue, as everything L2TP-rela...
by akarpas
Sun Jun 10, 2018 1:25 pm
Forum: General
Topic: self signed cert for IKE2
Replies: 5
Views: 1408

Re: self signed cert for IKE2

Have you imported the CA public cert to your Win machine?
No, I have imported only the one signed with the CA.
by akarpas
Sat Jun 09, 2018 8:32 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Glad to help. tunnel in IPsec is related to the way how plaintext packets are encapsulated into IPsec transport ones, and it is correct that for the L2TP the tunnel mode is not used. As the establishment of L2TP session got that far, the ISP had nothing to do with the issue, as everything L2TP-rela...
by akarpas
Sat Jun 09, 2018 8:23 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Glad to help. tunnel in IPsec is related to the way how plaintext packets are encapsulated into IPsec transport ones, and it is correct that for the L2TP the tunnel mode is not used. As the establishment of L2TP session got that far, the ISP had nothing to do with the issue, as everything L2TP-rela...
by akarpas
Sat Jun 09, 2018 8:10 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Out of ideas, everything here seems fine to me. Just check one more time whether the username in Windows client matches the name in /ppp secret and whether the password settings match between the two. OK, got connected. What I did? Deleted the VPN profile on Windows and recreated it. And it worked. Than...
by akarpas
Sat Jun 09, 2018 8:03 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Out of ideas, everything here seems fine to me. Just check one more time whether the username in Windows client matches the name in /ppp secret and whether the password settings match between the two. Yep I don't understand why it doesn't work as well, as on other site it works with no problem with...
by akarpas
Sat Jun 09, 2018 7:17 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

The log shows that the Windows client doesn't respond to some of our requests after the session got established; I'm not an L2TP specialist so I don't know whether ignoring what you don't understand is a legal behaviour or not. So please post the output of the following: /interface l2tp-server serv...
by akarpas
Sat Jun 09, 2018 6:40 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

OK. Let's ignore for a while that your firewall is not safe because there is no "drop the rest" rule in input chain (i.e. you let in anything except known threats which is not a good idea), but the firewall is not the reason why the L2TP does not come up. By default, only events with seve...
by akarpas
Sat Jun 09, 2018 5:57 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Yes, there is a lot of "default" items and a complex structure of references/dependencies in the IPsec configuration. It needs some experience to realize all the relationships. If the Mikrotik reports no error but the Windows client gives up, it suggests that IPsec is already fine and the...
by akarpas
Sat Jun 09, 2018 5:50 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Yes, there is a lot of "default" items and a complex structure of references/dependencies in the IPsec configuration. It needs some experience to realize all the relationships. If the Mikrotik reports no error but the Windows client gives up, it suggests that IPsec is already fine and the...
by akarpas
Sat Jun 09, 2018 5:25 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

/log print where topics~"ipsec" is much more useful than screenshots. The log says searching for policy for selector x.x.x.x:1701 ip proto:17 <=> y.y.y.y:1701 ip proto:17 no template matches So it points back to what I've written before: Bear in mind that the automatically created peer al...
by akarpas
Sat Jun 09, 2018 5:20 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

/log print where topics~"ipsec" is much more useful than screenshots. The log says searching for policy for selector x.x.x.x:1701 ip proto:17 <=> y.y.y.y:1701 ip proto:17 no template matches So it points back to what I've written before: Bear in mind that the automatically created peer al...
by akarpas
Sat Jun 09, 2018 1:43 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Disable the manually created one and set use-ipsec to yes or require and configure the ipsec-secret in the L2TP configuration. Bear in mind that the automatically created peer always uses the policy template group called "default" and the proposal of the policy template belonging to that ...
by akarpas
Fri Jun 08, 2018 6:51 pm
Forum: General
Topic: self signed cert for IKE2
Replies: 5
Views: 1408

Re: self signed cert for IKE2

https://wiki.mikrotik.com/wiki/Manual:IP/IPsec Very detailed info that I used and works on Blackberry OS10 and Win10 clients as well. Be careful with the settings for windows clients as Microsoft does not allow very tight security regarding Phase 1 (Peer) and Phase 2 (Proposal) proposal sets. The a...
by akarpas
Fri Jun 08, 2018 5:52 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Well, you haven't pasted the log, but let's try without it first. The first issue is that you have two peers with (remote) address=0.0.0.0/0 , the one for L2TP and another one for IKEv2. I'm not sure whether the fact that the L2TP one is declared first is sufficient to let incoming connections be m...
by akarpas
Fri Jun 08, 2018 5:46 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Well, you haven't pasted the log, but let's try without it first. The first issue is that you have two peers with (remote) address=0.0.0.0/0 , the one for L2TP and another one for IKEv2. I'm not sure whether the fact that the L2TP one is declared first is sufficient to let incoming connections be m...
by akarpas
Thu Jun 07, 2018 5:45 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Use the "terminal" window of Winbox or WebFig, or a command line connection (ssh), and place the following command: /log print where topics~"ipsec" file=some-file-name Then download the file and use "find&replace" in text editor to systematically replace the public...
by akarpas
Thu Jun 07, 2018 5:08 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

Re: L2TP IPSec (no suit proposal found)

Use the "terminal" window of Winbox or WebFig, or a command line connection (ssh), and place the following command: /log print where topics~"ipsec" file=some-file-name Then download the file and use "find&replace" in text editor to systematically replace the public...
by akarpas
Thu Jun 07, 2018 4:11 pm
Forum: General
Topic: self signed cert for IKE2
Replies: 5
Views: 1408

self signed cert for IKE2

Can someone help me to create a proper certificate on Mikrotik to use with IKE2 on Mikrotik and client?
The one I have created following Mikrotik doesn't work.
Thank you.
by akarpas
Thu Jun 07, 2018 1:52 pm
Forum: General
Topic: L2TP IPSec (no suit proposal found)
Replies: 59
Views: 61035

L2TP IPSec (no suit proposal found)

Hi guys. I have set up an L2TP IPSec tunnel (client-server type), connecting from a Windows 10 PC. L2TP server, profile, secret, settings I believe are OK. When I try to connect I'm getting the error "no good proposal found", phase1 failing. I did debug, see attached picture. Can someone explain what is wrong...
by akarpas
Thu May 31, 2018 11:37 pm
Forum: General
Topic: RouterBOARD 962UiGS-5HacT2HnT slow speed
Replies: 0
Views: 707

RouterBOARD 962UiGS-5HacT2HnT slow speed

Hi guys, I have a RouterBOARD 962UiGS-5HacT2HnT router. My ISP gives me 360Mbps download. I have a basic firewall configured. ip firewall filter add action=accept chain=input comment="defconf: accept established,related" \ connection-state=established,related add action=drop chain=input commen...
by akarpas
Sun May 20, 2018 6:29 pm
Forum: General
Topic: some of ipsec tunels stopped working
Replies: 6
Views: 1643

Re: some of ipsec tunels stopped working

I've noticed a recent change around 6.42. Previously, if one side was set to tunnel 10.10.0.0/24, and the other side was set for 10.0.0.0/16, the side with the /16 defined would accept the /24 proposal. Around 6.42, it seems that flexibility disappeared. Now both routers have to have matching subne...
by akarpas
Sun May 20, 2018 6:27 pm
Forum: General
Topic: some of ipsec tunels stopped working
Replies: 6
Views: 1643

Re: some of ipsec tunels stopped working

I suspect your IPSec tunnels go down during the evening as there is no "interesting" traffic flowing through. There should be no reason to restart routers, a ping through the tunnel should suffice. Without seeing your config, very difficult to say what your current problem is Thanks for ...
by akarpas
Fri May 18, 2018 2:39 pm
Forum: General
Topic: some of ipsec tunels stopped working
Replies: 6
Views: 1643

some of ipsec tunels stopped working

I have IPsec tunnels configured; they were working fine for a long time. The last few days, every morning I come to the office some of the IPsec tunnels are not working; after a router restart they come back. The next morning, the same. This morning, total disaster. Router was upgraded to newest version 6...
by akarpas
Tue May 15, 2018 5:10 pm
Forum: General
Topic: services are slow as hell or even unusable via ipsec tunel with this firewall conf
Replies: 2
Views: 769

Re: services are slow as hell or even unusable via ipsec tunel with this firewall conf

Disable the action=fasttrack-connection rule. If it fixes the "slow VPN" problem, read the IPsec manual one more time to learn how to disable it selectively only for traffic which needs to be matched by the IPsec policy, because otherwise you'll have a "fast VPN but slow everything ...
by akarpas
Tue May 15, 2018 3:43 pm
Forum: General
Topic: services are slow as hell or even unusable via ipsec tunel with this firewall conf
Replies: 2
Views: 769

services are slow as hell or even unusable via ipsec tunel with this firewall conf

So, two sites, IPsec tunnel between them. On site A we have a service that is accessed from site B via the IPsec tunnel. Firewall: basic recommended configuration. /ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=input comment=&qu...
by akarpas
Mon May 14, 2018 11:07 am
Forum: General
Topic: add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ [SOLVED]
Replies: 3
Views: 2381

Re: add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat  [SOLVED]

Thank you guys, I really appreciate your help; both of you are right and your advice resolved my problem.
by akarpas
Sat May 12, 2018 5:38 pm
Forum: General
Topic: add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ [SOLVED]
Replies: 3
Views: 2381

add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ [SOLVED]

So I have 3 sites (A, B, C), IPsec tunnels between sites. On site C I have this rule enabled: add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe On site A I have PRTG monitoring. So PRTG icmp ...
by akarpas
Sat Apr 28, 2018 7:32 pm
Forum: General
Topic: RB962UiGS-5HacT2HnT slow LAN speed
Replies: 0
Views: 546

RB962UiGS-5HacT2HnT slow LAN speed

So I need some light about this device. Got it a week ago, using basically the default configuration with just slight changes to port naming and addressing; the rest seems to be good for me. The device itself works well, no troubles. All LAN goes in 1Gbps negotiation with the other end. I have service of 360Mb...