MikroTik

Cvan

Cant argue that until I get around to exporting the config.. Perhaps it was already compromised and I did not know.. then by upgrading to the latest stable opened something by default giving unauth access.. I am on my tik regular/daily/weekly with winbox and I typically have a peak at my fw rules wh...

Cvan

So I upgraded my Tik to 6.49.8 from 6.48.* about 48 hours ago. Within 24 hours after the upgrade my router was compromised. Only found out when I was trying to connect to my VPN as I normally do daily.. Had been working fine with no security issues for at least a year.. A list of things that I found...

Cvan

Yes.. no arp entry on source for the target IP when connected to the L2TP VPN..
The l2tp profile is bridged..

Cvan

Okay.. VPN profile is bridged to the primary bridge where all VLANS reside.
I can ping the target device on VLAN and get replies back to the source device connected to L2TP/IPsec VPN.

But still no WOL via VPN L2.. what else to look for?

Cvan

So... Wake on LAN not working over the VPN... L2TP/IPsec
Works good over wifi on LAN.. what am I missing?
I am using VLANS...

Cvan

This temp fixed it for me. Now need the real fix..? /ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \ protocol=tcp tcp-flags=syn Had the issue happen after updating router to 6.47.2 This should be brought to higher attention as it was causing a major pro...

Cvan

Thanks for the reply. Once you get past this, the other steps (routes to non-connected internal subnets reachable via the tunnel) may need to be handled. But the local DHCP server at MT1 is not mandatory of course. If you don't mind that while the inter-site L2 tunnel is down, the PC1 will be unable...

Cvan

Thanks for the reply. So... as long as you only need the PC to talk to other devices in the same VLAN/subnet where it is connected via the tunnel, and to the rest of the world via the WAN of the Mikrotik to which it is connected, what I wrote earlier is enough - the default gateway for that PC will ...

Cvan

Thanks for the reply. Well, yes I was going access two vlans over the EOIP tunnel. Really for troubleshooting and testing purposes. Maybe I do not need an EOIP over SSTP configuration..? I need to login to the domain/AD from the remote office to HQ as if I were in the HQ office... From what I have r...

Cvan

Hi,

I have setup an EOIP tunnel over SSTP from site1 VLAN to site2.
I am trying to split traffic over WAN from site2 on MT2 router to go straight out ISP gateway
instead of LAN gateway over EOIP tunnel.. how would I do this..?

Cvan

Okay, so this was indeed the issue... Long story short; ISP2 was not active. So now, ISP2 is active and I have uplinked it to ether2 on the bridge with its statics. Testing on ISP2 uplink ether2 has succeeded. Ready for the configuration now.. but what to choose.. Bonding; PCC matcher ;..? Pros:Cons?

Cvan

Thanks again..

I tried this test with route to 9.9.9.9 from ether2 via ISP2; and all ICMP requests/responses are timeouts..
So it does not appear that this ISP2 uplink is active or working... I have to further investigate this ISP2
and come back to this post with more info..

Cvan

Okay.. Thanks again for your reply.. So... this is a remotely managed MT router. Unfortunately I don't have the luxury of disabling ether1 w/o losing access. I need to be able to uplink ether2 to ISP2 and test that it is actually active and working from the WAN outside; either by ICMP reply etc... I...

Cvan

Thanks for the reply.. I am stuck on getting the second ISP2 added and working.. have not gotten as far as your detailed information.. load balancing; marking routes etc.. It appeared as though I could simply assign the static IP for ISP2 to ether2 and then add a route for it with a distance of 2 fo...

Cvan

Hi, I am trying to get two ISP connections working on one MT RB4011. I have ISP1 working on ether1 out to ISP1 modem I have ISP2 connected to ether2 which is then connected to ISP2 modem I have 3 statics working on ISP1 through ether1 I have 3 statics for ISP2 I am trying to run through ether2 I ass...

Cvan

Your NPS configuration might be wrong.. Post your network policy for VPN Auth..
Are you using 'ppp' on MT radius config? Show your MT Radius config..

Cvan

Service: ppp,dot1x Called ID: Domain: Address: AD Radius server IP address Protocol: UDP Secret: ******* Auth Port: 1812 Acct port: 1813 Timeout: 300 Account Backup: Realm: my_domain Certificate: none Src. Address: MT router (Radius Client) IP address The AD configuration for the Radius Server is mo...

Cvan

On your NPS do you have the network policy configured with correct vendor settings and VLAN for Mikrotik?

Is the log message you have 'radius timeout' from the Mikrotik radius log;?

Cvan

Cvan

I am going to add some more to this because of curiosity... I thought I would remote in and test Spectrum location again. So I remote into one WIndows 10 Pro PC (192.133.1.4) ; I check the NIC and states 1Gbps; I run speedtest and I get 150Mbps...\ Then... I remote into another different PC still wi...

Cvan

I have queues but I still use a fasttrack connection fw rule. I queue the whole subnet and then fasttrack specific groups of ips by using address lists in the fw rule... Checklist... Are you testing from a 1Gbps NIC on your test PC Does your Spectrum modem support 1Gbps Are using a 1Gbps port on the...

Cvan

Well.. after quick glance; does not look like you have any fasttrack rules in place in your firewall. For me this is critical for performance on the cpu.. This marks the packets so the cpu does not peg out.

Cvan

I do not know what make or model of modem they installed, nor do I know what was there before. Only that the old one supported 300Mbps and the new supported 1Gbps which was all I really cared about.. This is a remote managed site with a six stack. I was not there during the upgrade/install. I will s...

Cvan

Got the same exact board as you and same ISP in LA (Spectrum).. Was already upgraded to 6.45.7 ROS Looking at the config now and I don't even have ether1 on any bridge.. We had a Spectrum plan at 100Mbps plan and got some free upgrade to Spectrum business 400Mbps. On initial speed test was getting a...

Cvan

Maybe its not this simple, but can you add block2 to MT1 and then pass all traffic for block2 straight over vlan interface to MT2 via filtering and NAT rules?
Then assign the block2/interface on MT2 so that MT2 routes out block2 for WAN? idk..?

Cvan

Okay, the how... ROS (6.45.6) MT RB2011 (NO WIFI): MT RB2011 (WAN facing) is radius client for 'ppp (VPN)' and 'dot1x (Ether)' NPS (Windows 2012 Server) vlan trunk configured (vlan ids 7,8,9) MT RB2011 is the DHCP server for all. Bridge vlan filtering enabled - Yes.. Three dhcp servers running on RB...

Cvan

I am using the same SSID on all devices, they are all managed by capsman.. I need to decrease the signal strength for 2.4 so 5ghz is stronger and...; MT hAP ac^2 is the caps manager device and everyone seems to always connect to that MT no matter if another MT is closer like the RBcAPGi-5acD2nD OR T...

Cvan

ehhh wrong!! NM all, I figured this one out surprisingly.. hit me up if you want to know my tricks! No, I did not use the DHCP server (service) to handle the Radius request.. cheers My Setup: Radius = Windows Server NPS+AD MT RB2011 (no wireless) (ROS 6.45.6) MT hAP ac^2 (ROS 6.45.6) MT RBcAPGi-5acD...

Cvan

I can get wireless vlans working if I choose 'use tag' and add vlan id per wifi interface. But not able to get dynamic wireless vlans working from a singular SSID where the vlan id sent to the dhcp server in the response from radius server and then assigned IP by matching dhcp vlan server My Mikroti...

Cvan

How to have any wireless devices to connect to the closest Mikrotik Wireless access point when roaming etc.. like laptops moving around..
How can I accomplish this with capsman configuration + 3 Mikrotik WAPs; and I want them to try the 5ghz first before 2.4ghz; 2.4ghz should be last resort...?

Cvan

Wired - MT RB2011 ( ROS 6.45.6 )with dynamic vlans (50,60,70) dot1x with Radius Auth Wireless - MT hAP ac^2 on Ether 5 of MT RB2011 as wireless capsman How can I extend my dynamic vlans to my wireless clients or can I through Radius Auth or can I? I have made some attempts with different configs but...

Cvan

Still works for me.. What is your issue? However, I never did get the Framed-Pool attribute to work for Radius Wifi connections. The attribute gets returned by NPS as I can see it in the log; but the client never gets assigned an IP address from the MT address pool that is referenced by framed-pool ...

Cvan

So I am trying to get this Framed-Pool attribute working with MT router for wireless clients authenticating against AD/NPS. I have it configured in the NPS to return Framed-Pool="staging". On MT router I have pool setup called 'staging'. In IP Address I have address setup matching the pool...

Cvan

Add port 1700 and put these two rules before any input drop rules.. do not specify dst or src address.. or interface-in/out chain=input action=accept protocol=udp dst-port=1700,1812,1813 log=yes log-prefix="Radius UDP" chain=input action=accept protocol=tcp dst-port=1700,1812,1813 log=yes ...

Cvan

oh.. this rule you have... should be on the input not on the forward chain. input chain = MT router radius server = MT router forward chain = everything else connected to the MT router add chain=forward comment="Allow Radius Traffic" dst-address=192.168.88.2 \ dst-port=1812,1813 in-interfa...

Cvan

If you are saying that when you disable the drop-all firewall rule then the radius server authentication is working against your radius clients, then do; Add a firewall rule to accept input before your drop-all rule in the firewall chain for protocol UDP and ports 1812,1813; or whatever ports you ha...

Cvan

Turn on Radius debug on the MT Ros radius server to see more details about the radius 'client' timing out during authentication attempts to the radius server. Perhaps you are using the wrong auth protocols between client and server...? In PPP/Secrets/PPP Authentication&Accounting you have turned...

Cvan

Add ports 1812 and 1813?

Turn on radius logging?

Monitor log for firewall rule that is blocking radius coms?

Turn on verbose in win AD auth log?

Cvan

Your radius server is not found... start there. Your firewall is probably blocking somewhere. I have it setup with no issues on both ppp and wireless for radius accounting with win AD+domain. If radius server found it would look something like this in radius, debug, packet: new request 1b:00 code=Ac...

Cvan

I think you can achieve this through address pool assignment on hotspot server and user profiles. If ap3_user connects to ap3; will get only an IP from specified pool from the ap3_dhcp server. If ap3_user connects to ap2; then ap3_dhcp will give IP from ap3 pool to user ap3, you block/reject/control...

Cvan

Never mind... I figured this out. So for reference.. what happened was through CAPsMAN; a new virtual interface (wlan%) for virtual AP is auto-created; in my case I am up to wlan44... I had to add that interface to the correct bridge and now it gets an IP from the correct dhcp server on the virtual ...

Cvan

Your apology is accepted. So I figured out my error, was using the incorrect discovery interface; which caused this error to occur. Now I am trying to get my dhcp server for my virtual wireless AP guest interface to assign an IP to clients when using CAPsMAN. But it will not for some reason unbeknow...

Cvan

MT hap ac2:
local radios on MT router (wlan1 and wlan2) keep disconnecting from capsman with error??
removing stale connection because of ident conflct with [[BA:55:F4:22:02:11]]

Cvan

Excellent, thanks for that response.

Cvan

NBN... National Broadband Network (AUS) FTTC... Fiber to the Curb.. ridiculous.. NCD... Network Connection Device TPG... ??? So to get my MT working with this new NBN it was a bit of a headache. So posting this for reference and someone else can avoid the same headache. First off... TPG is the ISP o...

Cvan

That is a good idea, and should effectively do the same thing, but cleaner w/o having to muck around with markup. Just need to set the trial to the right time window for CNA completion.

Thanks for that, Normis.

Cvan

It is a BYOD (bring your own device) environment and we are not allowed to modify any of the BYOD devices; we have virtually no control over them, so unfortunately we can not setup iOS profiles. Otherwise, yes that would be a great solution.

Cvan

Some slight of hand so to speak. Let them login passively and allow the CNA to do its remediation; then force them off and redirect them to external auth page where they can complete the registration process. All is transparent to the user. Using CNA web browser detection as well to make logic decis...

Cvan

The CNA browser has limited functionality. For our external authentication process; we need the users to download and install a file. Unfortunately, the CNA browser can not download files. The CNA provides a nice seamless intuitive user experience that we want to keep, rather then adding captive.app...

Cvan

I need to somehow get past the Apple CNA (Captive Network Assistant) for hotspot. The CNA still needs to popup w/o giving internet access. Need to trick the CNA to think its online but still be restricted so user authentication can be processed externally before given full access. Anyone got an idea...

Cvan

winbox->IP->dhcp server->network tab->select designated network->under domain text field put: "domainA.domainB domainC.domainD" I tried this and it does not work... take example; network 192.168.1.0/24 IN 'Domain text field' I have "domainA domainB.com" domainA works when I ping...

Cvan

Common missed setting for MAC OS VPN clients is the checkbox or radio button to 'SEND ALL TRAFFIC OVER VPN (This Connection)' in the VPN advanced configuration on the MAC client. You will be able to connect to the VPN but no access to the intranet w/o that flag checked off, so no email. Guy above al...

Cvan

Bravo! I knew the answer would eventually surface! You are exactly precisely correct, vecernik87 - Thanks for that I am more and more convinced that @JordanR and @Cvan are talking about dynamic interfaces. Not static ones which I earlier identified as most probable solution. In both cases (both dyna...

Cvan

Same issue here... with PPTP and L2TP; when the interface falls out due to loss of connectivity... It can not re-establish the correct interface and always resets back to an unused sfp interface in fw rules and unknown in routes.. have not searched extensively for a solution as it has not gotten ann...

Cvan

And what does the event viewer say in the AD/NPS logs on the Windows Server?

Are you specifying the domain attribute on the RADIUS client?

NAS-Port-type should be 5 (Virtual)

Cvan

@cvan : He clearly has working radius, if the "unencrypted authentication" is enabled in Windows Server Network Policy, therefore he must have this "use radius" setting enabled in ROS. @krsz : Hi, tried to replicate it and ended up with same situation - OVPN does not work withou...

Cvan

Did you turn on 'use radius' in your MT router PPP / Secrets - PPP Authentication&Accounting ?

Good point... turn on radius logging

Cvan

Set your MT as the radius client for the Radius server, and check hotspot and use passthrough method

Cvan

Your RADIUS client is your Mikrotik router? And your RADIUS Server is?

Cvan

I am using Active directory RADIUS server and mAP lite as the radius client and it works fine with AD/Radius Authentication (MS-CHAPv2).

Cvan

Okay, I got this working with a bit more trial and error. If anyone wants the info let me know. Ta! MIKROTIK MAP LITE In wireless security profile: GENERAL tab WPA EAP / WPA2 EAP unicast/group ciphers aes ccm / tkip RADIUS tab nothing checked EAP tab EAP Methods = passthrough TLS Mdoe: dont verify ...

Cvan

Okay, I got this working with a bit more trial and error. If anyone wants the info let me know. Ta!

Cvan

Has anyone had success using MT as a Radius client connecting to NPS (Radius Server) with Active Directory?? I think I am close to getting it working, just missing something.. I have radius ppp working with VPN, but not radius wireless. I have a network policy setup on Windows 2012 server for authen...

Cvan

I had the same issue. What worked for me was loading a fresh clean install of Windows XP on a laptop with no updates and plugged straight into the router RB2011. After trying Netinstall that way; the install button worked for me. Before that; it was doing the same thing you describe when clicking in...

Cvan

So after capturing some DNS logging to file I was able to pinpoint what looks like a PC that is infected that is sending random DNS queries for non-existent internal hosts; example (jnyyhwarsradr.fic) what to make of this? dns,packet --- got query from 10.0.0.169:50391: Nov/09/2018 14:12:35 dns,pack...

Cvan

Okay, so I enabled system logging for DNS and what I noticed was that DNS queries made by PCs on the internal domain 'host.mtdomain' are being sent out to the ISP's DNS servers for an Answer and getting a reply back from the ISP's DNS servers with 'name error' maybe that is where the 0.0.0.0 is gett...

Cvan

Same here. I don't have high DNS CPU usage but I DO have the unknown TYPE DNS entries in cache all internal...
Don't know what is causing them. Infected PC on the intrAnet...? How can I debug this, how can I track to the root?
And what does the 'N' stand for in the first column of the DNS cache table

Cvan

Turn windows firewall off. Turn all network security stuff off. Run in Windows XP...reboot and Try that

Cvan

I get the same unknown entries; except the entries are for internal nodes on intrAnet..
I already have the DNS firewall rules in place for WAN.. why do I get these UNKNOWN type entries in MT DNS cache??

Cvan

I got this working today using openSuse 42.3 and network-manager-l2tp plugin + Mate desktop.

PPP settings:
MTU/MRU 1400
All Auth methods are checked

Also got PPTP working as well; had to modify default suse firewall rules to get it to work though.

Cvan

If I ping hotmail or outlook.com from the MT terminal, I get a reply MOST times w/o failure... Puzzled still. Then of course after that gets added to the DNS cache I can ping both from my computer and get a reply; no problem. Somewhere a bad DNS entry is getting added for both hotmail and outlook ra...

Cvan

[admin@***] /ip dns> print servers: dynamic-servers: 59.86.160.27,125.213.172.129 allow-remote-requests: yes max-udp-packet-size: 4096 query-server-timeout: 2s query-total-timeout: 10s max-concurrent-queries: 100 max-concurrent-tcp-sessions: 20 cache-size: 2048KiB cache-max-ttl: 10s cache-used: 295K...

Cvan

ping hotmail.com 'Ping request could not find host hotmail.com. Please check the name and try again.' Mikrotik IP/DNS/flush cache.. ping hotmail.com... Reply from 204.79.197.212: bytes=32 time=6ms TTL=118' I have to do this everyday I come on otherwise endpoints connected to internet via Mikrotik ro...

Cvan

I knew you were going to say that.
That is true; I posted wrong in the topic; as I have S-RJ01 SFP module.

Cvan

Okay, so we have established the one I have (S-RJ01) is indeed compatible with RB2011..
So how do I make it work like another Gbit interface? I set auto-negotiation off and it shows link up but it will NOT take an IP from DHCP... and then?

Cvan

I am confused then... This is the one I bought

Official MT document? Check this out:

http://shop.duxtel.com.au/pdf/sfp_modul ... 115330.pdf

Cvan

Mikrotik says its tested and approved with RB2011

Cvan

I was thinking I would be able to use it as another 1GB Lan port, but how? It will not get an IP from DHCP at the moment... And then?

RB2011 have a fan? Not sure.. But why do you ask?

Cvan

Maybe we can get a compatibility list of successful setups with MT (SFP Modules) for ADSL and providers...

AT&T?
Sprint?
Verizon?
Vodafone?
Telstra?
TPG?

Cvan

BTW, this worked, and I was able to use the additional IP's with your changes, thanks many

Cvan

So if I have another RB2011 and another SFP module same as first one I can link these two RB2011 through SFP... and then?

Cvan

Whenever my VPN Interface loses connection then the FW and route rules switch to 'unknown' interface. I have to manually reset the rules to the correct interface (ex; lt2p-offsite). Is there way to have have the FW and Route automatically setup the correct interface after loss of connectivity from p...

Cvan

What can I do with this SFP module?
I plugged it into my RB2011 and I am thinking I can use it like another interface?

Pros?

Cvan

Thanks for that, your way sounds like the correct way of doing it. I will try your configuration and see how it goes.

Cvan

Status Update: I did get this working but only with the two IP's the ISP said were usable. 189/30 and 190/30. What I did was this - Added a new ppp profile with pool for 188/30 ( not sure if I necessary ) Assigned the ppp profile to the pppoe-out connection Created a bridge and put the pppoe-out con...

Cvan

Not true. Nearly the same exact situation happened to mine. RB2011UiAS. It was running an old ROS. I tried to update it online.., Once it was done it freaked out and went into a constant reboot and just said 'ether boot' on the led screen. Sent emails to support, they did reply but was not much help...

Cvan

Okay... final notes.. So backtracked my switch vlan stuff. Noticed that on switch2 vlan mode was enabled, even though I thought I had it disabled.. So through the ROS GUI I went into [Switch] and [Port] and reset [switch2 cpu] and in [vlan] removed port 9/10. Through the GUI these change did NOT sti...

Cvan

I plug the mAP-LiTe into vlan3 port (switch1 of RB2011) and gets an IP with no problem.....?
I plug the mAP-LiTe into port 9/10 (switch2 of RB2011) (no vlans) and it will not take the IP from DHCP server on RB2011....

Cvan

mAP lite firmware

[admin@maplite] /system routerboard> print
routerboard: yes
board-name: mAP lite
model: RouterBOARD mAP L-2nD
revision: r2
serial-number:
firmware-type: qca9531L
factory-firmware: 3.41

Cvan

I plug a windows laptop in and get an IP from DHCP server on RB2011 with no problems. I plug the mAP-LiTe in and it does not get an IP from the DHCP server on RB2011 mAP-LiTe config # sep/18/2018 11:26:56 by RouterOS 6.42.3 # software id = RGGA-3ASW # # model = RouterBOARD mAP L-2nD # serial number ...

Cvan

Yes, same thing happened to me with an RB2011. I tried to upgrade to the latest ROS and when it rebooted it would just beep and reboot nonstop. Something about ether boot on the led screen.. Anyway, I had to use Netinstall to bring it back to life, and it took many attempts to get netinstall working...

Cvan

RB2011 = 6.42.6
mAP lite = 6.40.8

Tried different cables, tried different mAP lites..
Still no go

Cvan

Spinning on this one for a while..

I plug a mAP lite in on eth1 to RB2011 eth10
and the lite will not bind to the IP offered to it from
the DHCP server on RB2011.. Just stays in lease offered state.

The mAP lite has been reset to fac default.

????

Cvan

I guess I will get this one, V5311 VDSL2 SFP Bridge (Telco Model), unless other suggestions..? Not having any experience with this, what is a good MT router to pair with this SFP module? Any compatibility issues to be aware of with SFP and MT routers? VPI/VCI - 8/35 Encap - VCMUX Service - PVC:8/35 ...

Cvan

Okay thanks

Cvan

Any option available to use an ADSL connection straight from a Mikrotik Router? Mini PCI ADSL card?

Cvan

That is exactly what I am wanting and intending to do... Route traffic to different vlans from these public IPs to vmware servers and keep one ip then for SMS maintenance stuff..
Can I do this without losing connectivity for any amount of time on the pppoe-out interface?

Cvan

Those IPs both work as well for torch from my phone to pppoe-out1 via ICMP. Does this mean I can use those also?

Cvan

I do see ICMP results in torch when I ping *.*.135.189 on pppoe-out1 interface from my iPhone on 4G. Same result with *.*.135.190. My current public static IP is same.same.209.206 So I am thinking I can use both *.*.135.189 & *.*.135.190 along with my current static of same.same.209.206; giving ...

Cvan

This was their response:

Network IP *.*.135.188/30
Subnet Mask *.*.255.252
Host IP's *.*.135.189 & *.*.135.190 (Usable IP's)
Broadcast *.*.135.191

Cvan

The ISP gave out / 30, static IP assignment. Lets assume a clean situation, do I need to make another pppoe client connection to the ISP, one for each IP?
It sounds like NOT... Assign the additional static IP to the existing pppoe-client out connection on eth1 interface? Or how to?

Cvan

And for public IP space?

ISP has provisioned two Static public IP addresses.
Is there a way to have both public IPs come through eth1 interface via pppoe client connection to ISP or how?

Cvan

Can you? and how can you connect multiple static IPs to one interface (eth1)
Is there a limit? Best way to do this in routerOS?

Cvan

Okay, Thanks for that bit of info. But before I get to that configuration part, I first need to setup the two pppoe client connections on ether1. I have read some posts and it sounds like I need to create a WAN bridge and assign it as the interface for pppoe-cl1 and pppoe-cl2 and assign each IP to t...

Cvan

I have two static IPs from ISP - A and B Can I have them both public IPs connected at the same time via pppoe-client connection through a single interface (ether1)? Then can I separate the traffic; say for example have all IO traffic for vlan2 routed through IP (A) and all IO traffic for vlan3 route...

Cvan

With said device is this automatic or is additional configuration needed? RB2011?

Cvan

No, between 2 MT routers works great and between my iPhone and MT router I have had it stay connected for a day w/o dropping

Cvan

Can I use a wireless repeater or extender for 5G? or what is the best way to strengthen 5G signal?

Cvan

I have an L2TP connection between countries and it has been up steady for 6d 22:34:41 .. no issues.. the only problem it has is when the ISP connection on either side drops out, but then it re-connects as soon as the line is back. However, I do have to fix the fw rules to re-select the L2TP interfac...

Cvan

So... I switched everyone over to L2TP VPN. Works great except slower then PPTP because less / no encryption I assume. L2TP is more consistent with a wide variety of connecting devices over 3G/4G , ADSL, Fiber, NBN etc... Android, iPhone, Mac, Windows... But some here still just stuck on PPTP and th...

Cvan

Good answer!, thanks for that.

Cvan

I am thinking more of a script that will send an email or SMS message to me when specific conditions are met.
Surely there is a way to send an HTTP request from router OS when a log event or fw event is triggered...?

Cvan

Maybe, how can I log to file every time our connection drops out from the carrier/ISP??

We keep losing our L2TP tunnel as well and have to constantly rebuild the tunnel and reset the FW rules..

Cvan

Fiber (FTTP)

Not really sure if it is carrier or not. So asking what tools available can I use to unveil such mysteries..?

Cvan

Port based VLAN isolation setup. My concern is if this is an attack of some sort

ROS version stable 6.42.6

Cvan

pppoe, ppp, info pppoe-out1:terminating... disconnected
pppoe, ppp, info pppoe-out1:disonnected
pppoe, ppp, info pppoe-out1:connecting
pppoe, ppp, info pppoe-out1:terminating...

etc; exact details in attached image

Cvan

Our pppoe-out internet connection has gone down twice now over the past two weeks.
Each time for nearly exactly 60 seconds. What red flags should be raised? What additional logging/actions should be taken?
Talked to the ISP and they said no known network outages during those times...

Cvan

Ahh, I see now where my failure is from your post. I totally missed it from my view. I do have DNS blocking rules in my firewall on the input chain. That seems like it would make sense. However, I have 3 ppp profiles for my vpn clients. One for admins allowing all access, which is on the same subnet...

Cvan

Should DNS resolution from the vpn client be working with this config? At the moment it is not, I can ping by IP but that’s it .?

Cvan

I have an MT RB2011 and RBD52G-5HacD2HnD-TC: hAP ac² Dual-Concurrent 2.4/5GHz AP Port based vlans bridge vlan2 (ether2) 1Gbps vlan3 (ether 3/4) 1Gbps I have a ReadyNas media device connected on vlan3/ether3. on snet 192.168.5.3/24 bonded nics @ 1Gbps I have a MT hAP device connected to vlan3/ether4 ...

Cvan

Great info, thanks for that

Cvan

Thanks for that added information. I will keep that in mind as I go forward with my configurations.

Cvan

User port strict and obey under Peers

Cvan

I have 3 vlans.
v1
v2
v3

I want certain PPP / secret (accounts) to only have access to certain vlans.
At the moment, any VPN user has access to all vlans.

For example:

VPN user1 can ONLY access v1
VPN user2 can ONLY access v2
VPN user3 can access both v1 and v2

Is this possible?

Cvan

Okay, the FastTrack connection made ALL the difference. On vlan3 Rx to vlan2 I went from 20 MB/s to 93 MB/s over the switch chip. Not quite as fast as the physical layer but that is well within acceptable ranges. Also - I did watch the CPU and it went from 100% before FastTrack to 92% after FastTrac...

Cvan

Thanks for all the responses. I will try the FastTrack and report back.

Cvan

port based vlan
RB2011U

Switch1 1Gbps
Bridge1
Vlan(1) 10.0.0.3/24 ether 3

Bridge2
Vlan(2) 192.168.2.0/24 ether 4/5
Vlan(3) 192.168.7.0/24 ether 2

Maybe I can use FastTrack to speed it up?

Cvan

I have 3 vlans... v1 v2 v3 I have a storage ReadyNAS device on v2 I have a winbox on v2 that is Gigabit connected.. When I download a 6Gig ISO file from the ReadyNas device (SMB) to my winbox on v2 I get 110MB /sec (Nominal) Then when I take that same Winbox and connect it to v1 or v3 and download t...

Cvan

Hello, My mAP Lite goals: 1: Connect mAP lite to Wireless AP to receive internet. RESULT=SUCCESS 2: Connect to mAP lite virtual Wireless AP bridge and get internet. RESULT=SUCCESS 3: Connect to mAP lite virtual Wireless AP bridge when mAP lite Wireless station can NOT connect to external AP for inte...

Search found 129 matches