No I was about Radius option in OS menu, but if you started about user manager I will ask if this can be used to authenticate 802.1x wired connection on switch
You mean user-manager?
all info about save connections
What's in the add.txt file? 0o
nope downloaded from official Mikrotik site!
Probably you have downloaded winbox from wrong site and now you have a surprise with winbox.....
for me the same on 7.1.1
Looks like SD cards still do not mount on CCR1009-7G-1C-1S+, same on 7.2rc1.
Had to reinstall using Netinstall sad had to do it but was a great experience how to recover device from such a problem.
updated my ccr 1009 now it's bricked not booting not loading kernel
yeh i understand but i want to test two hosts instead of one before taking some action
Script can be used to nearly all things, but do not use ping to test for ip up, use netwatch.
https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch
Do search forum here for example
Thank you kindly for this link to the proper post where it was already answered by Mikrotik.
Thanks mkx will play around for study purpose but the problem is resolved now, your advice is much appreciated!
It's actually lack of vlan-filtering=yes setting on bridge. Without it, bridge doesn't enforce any VLAN settings.
so proxy arp is the problem? but i need it for VPN!
First line, and that's your answer:
/interface bridge
add arp=proxy-arp name=bridge-lan
could you be more specific on disabling IP forwarding, thank you in advance, this topic is very good.
On mikrotik.
Disable IP forwarding on mikrotik or on end device?
Disable IP forwarding on mikrotik or on end device?
Disable IP forwarding on the device.
Thank you kindly!!!
In the default firewall configuration, adding it to the end of the forward chain will do.
Thank you a mill, will test tomorrow.
As you probably want to exclude any marked connections from fasttracking, you can set connection-mark=no-mark in the action=fasttrack-connection rule, instead of connection-mark=!vpn-mark.
so what is a work around
I found a way around this. It works like charm and have no issues.
There is nothing to practice both vrrp and hsrp brings in to the same problem that's why i don't want to put dhcp on L3 switches
Hey. You can practice with HSRP in Cisco Packet Tracer. And with VRRP in MikroTik world.
sorted out, thank you again.
Thank you, would you have more info on powershell workaround?
Thank you, would you have more info on powershell workaround?
Have attached simple network diagram
Means I accidentally posted the same thing twice!
Please provide a diagram as I do not understand your setup.
why duplicate post?
duplicate post
On router B on NAT i have just a usual masquerade rule, and some port forward rules, on firewall just basic firewall nothing what would stop computers on A to ping specific device on site B even i can ping it from A router.
And nothing special about x.x.x.10 in mikrotikB config?
No firewall/NAT?
I understand this a reminder, I know that everything can be broken, so let's say i would like to know how insecure it is now let's say in scale from 1 to 10.
since 6.43
*) ipsec - added warning messages for incorrect peer configuration;
You can use what you want, it's just reminder.
you are 100% right this what i have done today and it works perfectly, you just confirmed it and you are right as always, really appreciate your input.
You need to import also CA, not just client cert.
Cert is installed on local machine not user
On Windows, do you have the certificate in "local machine" store? If you put it in "local user" store, which I definitely did at first, because it was more logical when I wanted VPN only for that one user, it doesn't work.
ok i have disabled peer with C site IP address on L2tp server and it worked but this mean my ipsec tunnel is down (site to site) and it's not good.
Do you have location's C IP address added as ipsec peer on the server or not??
I have ipsec tunnel between server and site C so yes there is ip on site to site peer, i have disabled tunnel on both sites i mean peers, ipsec policies, proposals on both sides it didn't help
Do you have location's C IP address added as ipsec peer on the server or not??
no where is no aes and modp 1024 set up at all 3 des and mod2048 is set up and vpn works from other 2 or 3 sites but not from this one.
Logs say where the error is. ROS side has configured AES and MODP 1024, remote peer supports only 3des and 2048-bit MODP, 256-bit ECP, 384-bit ECP
What are your exact /system logging settings? I am surprised not to see the full list of transforms in the log, only the list of rejected ones.
yes it's the same laptop used in both places
So the Windows client in the office is a different one from the one you use to test it at home? Or it is the very same laptop you use at both places?
Mikrotik router is bridged with ISP gateway device, so static IP is on Mikrotik, all NAT is done by Mikrotik
Does the 'Tik running the L2TP/IPsec server have a public IP address directly on itself or you use dst-nat on some device between that 'Tik and the internet?
no i have imported only the one signed with CA
Have you imported the CA public cert to your Win machine?