MikroTik

TheSirStumfy

Found it.

The Branch Address space for the OVPN connection had a /24 mask. Since the WG now has a different subnet the mask had to be changed to a /16 bit mask.

Nasty one to find, since the OVPN on the Branch was making a dynamic route (and thats default 24 bit)

Thanks to all for the input.

TheSirStumfy

Also to clear the diagram, every VPN is separate with separate subnets. Its not a VPN in VPN in VPN...

TheSirStumfy

Since WireGuard is a VPN, I don't see why you have two other tunneling layers. Your diagram doesn't make it clear, but it looks like you've got L2TP-in-WG-in-OVPN. That sounds like a recipe for all kinds of problems. If you simply your configuration, some of those problems may go away, and at that ...

TheSirStumfy

I have a problem I can not seem to solve. I have a Branch office router that is making an OVPN to Main. I am making a WG interface to the main. Everything on the Main network works over WG but Branch I can not reach. HOWEVER there is also a L2TP connection to Main, and that one can reach Branch no p...

TheSirStumfy

Why does MikroTik have to officially announce every completely unrelated thing? MikroTik doesnt have Covid and also doesn't have WIN32/CIH either.

Log4j is a JAVA problem.

Thank god for that.

TheSirStumfy

After 3 days of testing it seems that MT finally fixed this in 6.48.1 as stated in the patch notes.

No flaps now for the mentioned 3 days even under heavy load conditions.

Here's hoping it stays that way.

TheSirStumfy

Setting speeds does help a bit I noticed as well, but does not fully fix the problem sadly. In my observation I could not find a single definitive evidence what would cause the issue. The flaps just seem completely random. They even happen during the night with almost 0 load on the system. For examp...

TheSirStumfy

Hm.. the only thing honestly that could be a problem is a SFP module. Ok thanks for the idea guys, Ill play around with switching if for a different one, perhaps it could be causing problems.. Did not try that, because it works fine.

TheSirStumfy

Really hope they fix the RB3011 finally. Mine has been flapping for years, I have 2 years of logs to prove it. Some updates ware better some worse, but none fixed it truly. set X cpu-flow-control=no name="Switch x" does help a bit, but never really went away, just went from many flaps a da...

TheSirStumfy

So I wonder if anyone happened to see this in the 6.46.7 (long term) changelog: *) switch - correctly enable and disable CPU Flow Control on RB3011UiAS; Apologies if this isn't news, as I typically only pay attention to long term. I also don't want to get anyone's hopes up :) Thanks for that. Yeah ...

TheSirStumfy

I rechecked my logs regarding the issue, and even with CPU flow control off on latest FW/OS I still get flops on SC1. Much more rare now (weeks instead of multi per day) but still. I do have a SFP connection too. Just seems to me this will never be fixed. CRS devices seem to get constant fixes in ev...

TheSirStumfy

For me the combination of 6.47 and disabled CPU flow control on both switch chips worked.

TheSirStumfy

You only need the root certificate of the service you want to use.

TheSirStumfy

Now I'm completely clueless ... even now the issues remain present ... so on 6.46.4 the flapping also occurs, although very limited so far. Apparently I don't have enough data in my Splunk to go very far back in time to see when these messages first started to appear... Ok 24h of no flapps after di...

TheSirStumfy

For me at least for now the flapping has stopped (for today) after the flow control disable. Need to monitor this for more days. I save logs for 4 months only, but i remembered i have a server on the router since 2019 - 06. So i went to check on those logs and now see that this has been happening al...

TheSirStumfy

Double post ignore this one

TheSirStumfy

Ok thank you, will give it a try.

I did notice a correlation between flapping and CPU usage.
During down time (at night) i get almost 0 flaps, and at high CPU usage times (mostly VPN clients) during day time, the flaps return.

TheSirStumfy

I have one on my office "RouterBOARD 3011UiAS" from 9 Jul 2016, and is still working flawlessly (factory is 6.35.3, now have 6.44.6) Mine was working fine with 6.44.x too, but some days ago I moved to the latest 6.47 stable. Today I was asked by Mikrotik support to make some config-adapti...

TheSirStumfy

Now happening also on a all 1G switch, so the "do not mix speeds" workaround does not seem to work.

Capture.JPG

TheSirStumfy

After I moved off the AP on port 9 it stopped flapping for the whole day now..

Will continue to monitor, but still this would need to get checked out by MT.

TheSirStumfy

Im moving off 100M clients to an external switch 1 by 1 to try to see if this is somehow specific port related. My flapps have been very spread out (over hours) so testing will take some time. But if your config stays stable jvanhambelgium (since you had problems on fabric 1-5) it could be safe to a...

TheSirStumfy

Same here! Since upgrade to 6.47 on my RB3011. I've generated supout.rif and forwarded it to Mikrotik. In my case, it seems to be ports ether3 (1Gits/s, Unify AP groundfloor) and ether5 (1Gits/s, some D-LINK 8-port small switch connected on the other end on a floor)seeing transitions, but ether5 mu...

TheSirStumfy

The problem has started for me in 6.47.

Never had problems before.

Capture.JPG

TheSirStumfy

Yep, same here, never had any problems on this RB3011 until 6.47. Reboot did not help, again the whole "right" switch chip (or CPU) flapped. Happened only once now, but im not hopeful it will just stop by itself. Capture.JPG If persistent i will have to try downgrade, if that is even possi...

TheSirStumfy

Hello everyone, today i upgraded to 6.47 on my RB3011. Firmware upgraded as well. Everything looking good but i noticed 3x random switch chip resets (at least i think its the switch chips fault since its only interfaces 6-10) Capture.JPG It happened 3 times at random times for no apparent reason. An...

TheSirStumfy

Ok, thank you, i see that you both use address list timeouts.

Im i correct in understanding that this is so IPs that never get detected in the list get removed?

Also i see pre routing is used instead of input, this is to save routing overhead of CPU right?

TheSirStumfy

Hello everyone, Does anyone have any experience with large block lists? I am running an email server and get hit with brute force password attacks from IPs that are commonly found in blacklists. Although the server features and is set up for automatic lockout of IPs that do multiple attempts at pass...

TheSirStumfy

Privacy up down, data collected here there...

Can we expect support for this?

Than users themselves can decide who or what thew want to use, DNS DoH DoT...

TheSirStumfy

Ok i found it. It was a virtual machine, it had a Vswitch that had a random IP. So that was the internal part.

TheSirStumfy

Hello all, i have a quick question. I sometimes find connections in Firewall Connections that have an unknown source (not LAN - not public IP) and unknown destination (not LAN - not public IP). As far as I understand this would mean that something routed trough my ip to somewhere else? My "drop...

TheSirStumfy

Thanks to both for the extensive write up. Very much appreciated it clears up a lot. So the basic gist of it is that server to server happens on 25, than the connection goes into established and is taken over by the default firewall rules. Also from the reply's in getting that is simply impossible t...

TheSirStumfy

Dear all, i am setting up an email server behind a Mikroitk router, and would like some advice on proper port configuration. Since my primary field is system administration, not networking, I would kindly ask for advice if my config is correct and if i perhaps missed sth. Please bare with me. I set ...

TheSirStumfy

Just to clarify this is on CapsMan, not on device wireless.

TheSirStumfy

Hello i have a quick question about encryption on WIFI. Mikrotik allows you to choose aes ccm or tkip, but also allows to leave the field closed (not unchecked but closed - as in never defined). Since the documentation does not state a default state of security.encryption (aes-ccm | tkip; Default: )...

TheSirStumfy

Just to add i did notice that the WIFI DHCP has authoritative 2s delay set up. However this does not cause problems to other clients as mentioned.

TheSirStumfy

Well the WIFI network has its own Bridge defined, and specified in the CAPS config, so i dont see it as the same L2 network, or do you need to go deeper? Also out of at least 100 WIFI clients only one has this problem. (the client is a "smart speaker" so no real way to configure it by itse...

TheSirStumfy

Can you post both router config and CAPAC config?

sadly i can not, against company policy. I can only answer specific questions.

TheSirStumfy

This is what is confusing me here. Cap is set to "WIFIBridge" (it has its own IP pool) and DHCPserver is set to "WIFIbridge" with the same pool defined. All clients follow this, and connect to WIFI Dhcp. They also register in CAPsMAN registration table. But one acts like it is pl...

TheSirStumfy

Ok let me simplify the question:

What is the best way to force a client to register to the CAP interface?

TheSirStumfy

Hello all I have one extremely strange issue. One (and only one) client on my network is constantly connecting to LAN DHCP server even though its connection over CAPsMAN to WLAN. All the settings for the CAP are correct, and other clients correctly report @cap1 join to wifi and WLAN dhcp. However on...

TheSirStumfy

One of those days i guess..

Cable replacement solved all issues.

TheSirStumfy

Hello,

i have similar problems, however i have narrowed it down to a single client causing this (an iPhone).

Everything works fine, but when this client connects it causes this loop, and capsman goes down.

same problem with client to client on or off.

Any ideas?

TheSirStumfy

Funny enough this upgrade caused a loop for me, until i also upgraded the firmware, now resolved.

Also as mentioned HAp lite is on the ragged edge of space, i had a backup on it and it could not upgrade until removed.

TheSirStumfy

1. what is the difference wrt the load on the CPU for both methods. 2. if i basically in my forward chain simply allow lan to wan traffic and have a generic drop all rule last, - does that stop traffic between bridges and thus don't need many rules just one! Regarding this, perhaps someone with som...

TheSirStumfy

Some experience i had with some other routers, the general setup is that if u have 2 networks, they wont see each other until you do routing. But Mikrotik for some reason does this for you. So to break this link all i did was: /ip route rule add action=drop dst-address=192.168.aa.0/24 src-address=19...

TheSirStumfy

Id guess that only if the clients are not connected or want to connect at the same time. I use the same client cer for multiple machines in OVPN. However since i am the user they can not connect at the same time.

TheSirStumfy

I ended up just making a routing rule that drops between both networks.

Seems to me the cleanest way to do this.

TheSirStumfy

Hello, Is it possible to do network isolation using VRF? Lets say u have 10.0.10.1 and 10.0.11.1 set up with all the bridges, networks, dhcp etc. As far as I understand Mikrotik will do routing between them automatically. So if u want them to be isolate, can u do it via VRF or do you need rules like...

TheSirStumfy

Thanks a bunch, the documentation was not updated yet.

Regards.

TheSirStumfy

Hello, quick question, the change-log states that a "replace" command was added in 6.45.1, however if i do "action=replace" or if i just do action=*tab* no replace command is available.

TheSirStumfy

[/quote]

I cannot confirm that....
[/quote]

Well i can, i can give logs. About 3-4 attempts every day, usually 3 tries per attempt.

Also others are complaining about it here: https://whatismyipaddress.com/ip/141.98.80.115

TheSirStumfy

Just to add to this This seems to be a widespread attack, i have it on 3 separate instances. Same IP

TheSirStumfy

Just to add a nooby question, what is a good place in the FW steps to put such rules? Right on top?

TheSirStumfy

The performance hit is present but not huge. Address lists are vety effrctive and use RAW filtering so it won't reach connection tracking. I see, guess theres nothing to it than? Im on RB3011 so i guess it should chew trough a list like that no problem? The problem is people also use VPN for missus...

TheSirStumfy

How much of a hit on performance does a FW drop list make? For example there are lists of VPN servers, but the lists are in the 10s of thousands. One i found is 30.000 lines, with about 20k of those in range form /24. Would such a list kill your router, or not really since it needs to check only inc...

TheSirStumfy

Hello just a quick question, on Ovpn connects i get "debug duplicate packet, dropping" every time i connect. The connections does go trough, its just very strange.. Also i am wondering if this can be effecting performance? The connection is not what you would call "full speed of the l...

TheSirStumfy

Yeah the log! OK got it, thanks, i have a disk set up for logging anyway, memory and space wont be a problem.

Is it normal BTW to see a lot of "drop all not coming from LAN" traffic"?

Regards

TheSirStumfy

Hello,

Quick question,

If you are getting a lot of hits on a FW rule, what is the best way to find what connection is causing this?

Regards

TheSirStumfy

You mean there is another router (provide by ISP?) before the mikrotik? If so see if that router can set to "bridge mode"

sometime DMZ won't solve double nat problem

Its seems this DMZ actually does what it says

TheSirStumfy

Yeah in front there is the standard modem/switch/wifi thing the ISP gives you, since they dont allow PPPOE direct on the Microtik.

TheSirStumfy

Regarding VPN i had to DMZ the main router on the modem/router to get trough, in case anyone in future helps.

TheSirStumfy

Called ISP, there fault, incorrect gateway settings on there modem.

Facepalm

TheSirStumfy

tried all of suggested stuff, nothing. still no ping from outside.

TheSirStumfy

Config removed for safety

TheSirStumfy

Its a static public IP form ISP. internet on the router works fine, but pinging it form outside seems impossible

TheSirStumfy

Ok this will be a super noob question, but im having problems setting up a VPN. The setup didnt work, so i tried to just ping my static IP and i get no response even there. I also have no idea what is cutting it off? Ping works if i am connected to the router (to public ip) but from outside (lets sa...

TheSirStumfy

Oh i see, thanks!

TheSirStumfy

Is there a way to do a ping -t equivalent on router, that would run regardless of admin signed in or not.

I tried
ping 192.168.xx.xx count 0 interval 5
but if i log out the ping stops. Also ping stops form the ping tool in tools / ping.

Any ideas?

TheSirStumfy

Last i heard about this was "probably in rOs V7"...

TheSirStumfy

MVP right here,

Exactly the problem some old package left on the memory.

Cheers.

TheSirStumfy

Im trying to upgrade an CRS 125 from 6.43.2 to 6.43.4 and get error

20:04:41 system,error can not install wireless-fp-6.19: system-6.19 is not installed, but is required

after it reboots.

Im doing install straight from System / packages.

Any idea what could cause this?

TheSirStumfy

Is there a way to reset only a specific set of settings on the router.

for example can i reset only CAPsMAN or only Interfaces to default settings, without touching the reset of the setting?

Regards.

TheSirStumfy

I would like to thank everyone for the help.

the issue was in fact that the ISP router was set to the same SSID and pwd as the Mikrotik.

This of course made devices wander around.

Regards.

TheSirStumfy

The ether1 where the ISP is does not seem to be bridged.

Capture.JPG

I understand there is a hide sensitive export, but still it has many external IP addresses for VPN, OVPN client names, SSIDs etc... Still a bit too sensitive for internet.

TheSirStumfy

The config is very long and includes a lot of info id not put on the internet, is there really not a specific section to post? Also yes i was thinking it could be the ISP router. Problem is this is an "inherited" network from previous admin, so i need to dig up the router pwd somehow, to c...

TheSirStumfy

What part of config would you like?

TheSirStumfy

Hello, i have a strange issue where devices connected to the router sometimes switch DHCP network to the gateway from the ISP router. A device on the MT router would be on xx.xx.88.1 gateway, than just after a disconnect and reconnect it would jump to IPS gateway of xx.xx.1.1, but trough the same Wi...

TheSirStumfy

Here is a newbie question for all. :D What would be a good firewall rule to exclude a single static IP from the internet, but still maintain full LAN network functionality of said IP address? Would a rule like add chain=forward src-address="staicIPofPC" dst-address=!"LAN" action=...

TheSirStumfy

Can confirm:

Capture.JPG

TheSirStumfy

I see. No way to turn it off than i presume? I do have one idea now and will test. The openVPN clients are used to connect remote routers (out of main HQ) to the main netowrk, Could it be that remote router DHCPclient is pushing the DNSs to the main one? Will test and will add to mentioned thread. T...

TheSirStumfy

OpenVPN clients and L2TP client for VPN.

TheSirStumfy

sorry to drag this thread out of the basement but i have a question.

I have DHCP client disabled, but im still getting some dynamic DNSs. is there somewhere other settings that can effect this?

Capture.JPG

TheSirStumfy

Ok, never-mind i downloaded the wrong package,

FACEPLAM.

TheSirStumfy

Ok i ended up giving it a USB drive to store the upgrades: The CAP was manually upgraded (so it is already running the new version) but i tried to trigger it again and i get: 11:34:43 caps,error [xxx:5C/11/5cde,Run,[xxx:5C]] upgrade status: failed, failed to download file 'routeros-smips-6.43.4.npk'...

TheSirStumfy

Hello, my router is showing it has 11MB used, but i dont see any files on it

Is it counting the OS instalation as well? I wanted to upload the package for a CAPsMAN install to CAPS on it but i have no space:

Capture.JPG

TheSirStumfy

I resolved the issue.

Turns out a driver update on the wifi card on the PC side resolved the issue. Very strange it was only happening in this service and everything else was fine.

Thanks for the help.

TheSirStumfy

Steveocee suggested disabling fasttrack, it sadly did not work.

TheSirStumfy

I have re posted the question to another post, because this one took almost a day to appear here.

Please refer to viewtopic.php?f=13&t=140438

also a mod can close this, so there wont be 2 same questions.

TheSirStumfy

Here is the FW setup > /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=ac...

TheSirStumfy

I will post the firewall in 1h, when i get back to the router, but i can tell you now its a QucikSet default rule set found in defconf. Also nothing except the routers quickset was changed. (noob - thats why i need help :D ) What really confuses me is that it was working fine than just out of nowher...

TheSirStumfy

I really need some help please. Yesterday i was using a service that uses UDP ports in the 20000 ranges. Everything works fine, than after 10 min of usage the connection was dropped. After that it was impossible to reconnect. When i check the router the traffic seems to go into the "drop invali...

TheSirStumfy

Ok im a noob when it comes to MikroTik but i have a problem. I was trying to play a game after upgrading to a MikroTik router. It worked fine for a bout 15 min then disconnected. I checked the firewall and i see that the login packets get sent into the defconf: drop invalid. Strange thing is that it...

Search found 92 matches