Community discussions

Search found 29 matches

by fflo
Sun Sep 27, 2020 3:06 am
Forum: RouterOS v7 BETA
Topic: VRF status with RouterOS v7
Replies: 2
Views: 357

Re: VRF status with RouterOS v7

Support for both: VPNv4 and VPNv6 would be awesome using the new BGP4 implementation.
by fflo
Sun Sep 13, 2020 4:26 pm
Forum: RouterOS v7 BETA
Topic: VRF status with RouterOS v7
Replies: 2
Views: 357

VRF status with RouterOS v7

Hi,

what's the current status of VRF support with RouterOS v7 (beta)?

VRF now seems to have moved from IPv4 only to support both IPv4 and IPv6 (hey that's awesome in combination with BGP4 and MPLS), but I am unable to find a way to configure "Route Distinguisher" and Import and Export Route Targets.
by fflo
Wed Jun 24, 2020 8:51 am
Forum: General
Topic: DoH corrupting DNS cache? DNS cache full with invalid data?
Replies: 14
Views: 2752

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

... My current DNS setting [admin@GittuTik] /ip dns> print servers: 8.8.8.8,8.8.4.4 dynamic-servers: 103.86.96.100,103.86.99.100 use-doh-server: https://dns.google/dns-query verify-doh-cert: yes allow-remote-requests: yes max-udp-packet-size: 4096 query-server-timeout: 10s query-total-timeout: 15s ...
by fflo
Sat Jun 20, 2020 4:39 pm
Forum: General
Topic: IPsec (in)security: phase2 pfs-group
Replies: 4
Views: 980

Re: IPsec (in)security: phase2 pfs-group

In my experience with traditional IPSec site-to-site tunnels, when PFS group doesn't match on both peers, the tunnel can be brought up in only one direction. The reverse direction will always fail. I don't recall which condition was which though. I imagine the side with better PFS would downgrade t...
by fflo
Fri Jun 19, 2020 10:29 pm
Forum: General
Topic: IPsec (in)security: phase2 pfs-group
Replies: 4
Views: 980

Re: IPsec (in)security: phase2 pfs-group

I think you see the mismatch only if session key is about to expire and rekeying fails. So did you test for more than just session startup? L2TP IPsec tunnels configured with mismatching PFS-Group settings in phase2 are running seamlessly without noticeable interruptions. At least combinations with...
by fflo
Fri Jun 19, 2020 2:49 pm
Forum: General
Topic: IPsec (in)security: phase2 pfs-group
Replies: 4
Views: 980

IPsec (in)security: phase2 pfs-group

Hi, seems to me that current RouterOS versions are ignoring the IPsec phase2 (Proposals) PFS-Group setting. Mixing this setting on client/server-side with different values (i.e. modp-1024 and none) has no actual effect on the connection. I guess the weakest setting wins. Do you have a hint on how to...
by fflo
Sun Mar 01, 2020 2:58 am
Forum: Forwarding Protocols
Topic: Default Originate with BGP vpn4 (VRFs)
Replies: 1
Views: 1920

Re: Default Originate with BGP vpn4 (VRFs)

@Mikrotik: no hint for this issue?
by fflo
Fri Feb 28, 2020 2:58 am
Forum: Forwarding Protocols
Topic: VRF Management
Replies: 7
Views: 6023

Re: VRF Management

We work with this the other way around, management via main routing table and customer traffic in VRFs. We drink our own Kool-Aid though, so our own offices have routers where our traffic is in a VRF and we subsequently didn't have access to routers from within our own network. The following rules ...
by fflo
Sun Feb 23, 2020 6:51 pm
Forum: RouterOS v7 BETA
Topic: Feature Request - Wireguard Protocol
Replies: 163
Views: 45300

Re: Feature Request - Wireguard Protocol

Implementation of something like https://github.com/burghardt/easy-wg-quick would be awesome.

This would allow secure and fast VPN client configuration using a simple QR code to scan.
by fflo
Sun Feb 23, 2020 6:39 pm
Forum: RouterOS v7 BETA
Topic: VRF IPv6 support with RouterOS v7
Replies: 4
Views: 3808

Re: VRF IPv6 support with RouterOS v7

Yes, it will. At the moment VRFs are still not enabled.
Any update on this feature? Would love to see this coming soon. Thx.
by fflo
Sun Feb 23, 2020 6:12 pm
Forum: General
Topic: NordVPN IKEv2 EAP VPN tunnel: DNS leak
Replies: 7
Views: 2682

Re: NordVPN IKEv2 EAP VPN tunnel: DNS leak

Bumping this topic, I recently had a strange DNS leak issue and was able to pinpoint it to NordVPN's dynamic server in /ip dns. Skimming through, I don't think there's a simple solution (yet) to ignore the dynamic DNS set by Nord's IKEv2 tunnel. I am using the following bugfix, to decide which DNS serv...
by fflo
Sat Feb 22, 2020 11:36 pm
Forum: Forwarding Protocols
Topic: Default Originate with BGP vpn4 (VRFs)
Replies: 1
Views: 1920

Default Originate with BGP vpn4 (VRFs)

Hi, do you have a hint how I can inject "Default Originate" default-routes into VRFs? Imported default-routes (0.0.0.0/0) originating from an imported other VRF do not get redistributed, although the "Redistribute Other BGP" option is configured for the VRF. Currently, I am using the following worka...
by fflo
Thu Feb 20, 2020 4:04 am
Forum: RouterOS v7 BETA
Topic: Feature request: per interface rp-filter
Replies: 6
Views: 2629

Re: Feature request: per interface rp-filter

+1 useful option and easy to implement.
by fflo
Mon Jan 13, 2020 6:21 am
Forum: General
Topic: NordVPN IKEv2 EAP VPN tunnel: DNS leak
Replies: 7
Views: 2682

Re: NordVPN IKEv2 EAP VPN tunnel: DNS leak

"DNS leak" in VPN scenario usually denotes "resolving names through DNS server other than VPN provider's". If you'll route traffic from a "client group" (identified with network addresses, ports, L7 patterns used, whatever) to a VPN, but don't use VPN provider's DNS servers to resolve names for thi...
by fflo
Sat Jan 11, 2020 5:25 pm
Forum: General
Topic: NordVPN IKEv2 EAP VPN tunnel: DNS leak
Replies: 7
Views: 2682

Re: NordVPN IKEv2 EAP VPN tunnel: DNS leak

@Mikrotik: Is it possible to block the DNS configuration parameters for an IKEv2 EAP VPN tunnel setup?
How does RouterOS select which DNS server is used from the list of available static and dynamic DNS servers?
by fflo
Sat Jan 11, 2020 5:21 pm
Forum: General
Topic: Feature request: Virtual Extensible LAN (VXLAN)
Replies: 30
Views: 15471

Re: Feature request: Virtual Extensible LAN (VXLAN)

+1

Please add this feature to v7. It's a requirement to use CCR equipment for hosting flexible K8S clouds.
by fflo
Mon Jan 06, 2020 4:25 am
Forum: General
Topic: NordVPN IKEv2 EAP VPN tunnel: DNS leak
Replies: 7
Views: 2682

NordVPN IKEv2 EAP VPN tunnel: DNS leak

Since firmware version v6.45, Mikrotik routers support dialing out an IKEv2 EAP VPN tunnel. For configuration, it's necessary to create a new "/ip ipsec mode-config" with responder=no that will request configuration parameters from the VPN provider's server. Example configuration: https://nordvpn.co...
by fflo
Mon Dec 02, 2019 1:27 am
Forum: General
Topic: IPv6 issues via HE tunnel
Replies: 29
Views: 3587

Re: IPv6 issues via HE tunnel

Did you check that protocol 41 is not blocked in-transit (in- and outbound to HE)?
Have you cross-checked the IPv4 addresses to be static on both ends?
by fflo
Fri Nov 22, 2019 2:16 am
Forum: General
Topic: howto setup static ipv6 prefix from ipv6 pool
Replies: 2
Views: 746

Re: howto setup static ipv6 prefix from ipv6 pool

Ack.
@Mikrotik: any hint when this issue will be fixed?
by fflo
Mon Nov 18, 2019 3:17 am
Forum: General
Topic: howto setup static ipv6 prefix from ipv6 pool
Replies: 2
Views: 746

howto setup static ipv6 prefix from ipv6 pool

Hi, how can I set up static subnet prefixes for connected interfaces from a provider DHCPv6 assigned IPv6 pool with RouterOS? Using this configuration does not work on RouterOS: [admin@mikrotik-labdemo] /ipv6 pool> print Flags: D - dynamic # NAME PREFIX PREFIX-LENGTH EXPIRES-AFTER 0 D DSL-IPV6-POOL 2...
by fflo
Fri Nov 01, 2019 11:13 pm
Forum: RouterOS v7 BETA
Topic: VRF IPv6 support with RouterOS v7
Replies: 4
Views: 3808

VRF IPv6 support with RouterOS v7

Hi,

does RouterOS v7 support IPv6 with VRF?

-fflo
by fflo
Thu Oct 31, 2019 5:32 am
Forum: General
Topic: BGP multithreaded
Replies: 18
Views: 7321

Re: BGP multithreaded

Any news about BGP routing on RouterOS v7 Beta?
On which software is the new implementation based?
by fflo
Thu Oct 31, 2019 5:28 am
Forum: General
Topic: ip dhcp-server network configuration with VRF
Replies: 0
Views: 544

ip dhcp-server network configuration with VRF

Hi, working excessively with VRFs I noted one drawback. How can I configure different DHCP network settings in case different VRFs share the same network? For example if several VRFs use common networks like 192.168.1.0/24? /ip dhcp-server network does not offer a possibility to bind network setting...
by fflo
Thu Jun 20, 2019 6:23 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 4402

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

To sum up, the current recommended workaround bugfix is adding the following filters to the firewall until the patched packages are available? /ip firewall raw add action=drop chain=prerouting protocol=tcp tcp-mss=0-535 tcp-flags=syn log=no log-prefix="SACK" comment="SACK Panic: CVE-2019-11477, CVE-201...
by fflo
Thu Jun 20, 2019 4:46 pm
Forum: General
Topic: SACKpanic CVE-2019-11477
Replies: 1
Views: 1025

SACKpanic CVE-2019-11477

Hi, is Mikrotik RouterOS affected by CVE-2019-11477, CVE-2019-11478 and CVE-2019-5599? https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md https://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.html https://access.redhat.com...
by fflo
Tue May 07, 2019 2:46 am
Forum: General
Topic: BGP multithreaded
Replies: 18
Views: 7321

Re: BGP multithreaded

Any update on this topic?
Using CCR1072 equipment, no one likes to get stuck with a hanging routing table on one core and route insert or modification times of 15-20 minutes.
by fflo
Sat Mar 23, 2019 11:04 am
Forum: General
Topic: BGP multithreaded
Replies: 18
Views: 7321

Re: BGP multithreaded

@Mikrotik
Is it possible to integrate FRRouting into RouterOS 6?
- https://frrouting.org/
- https://github.com/FRRouting/frr

Taking this step should add BGP multithread support + full MPLS IPv6 / VPNv6 support.
by fflo
Sat Mar 23, 2019 9:59 am
Forum: General
Topic: Feature Request: 6VPE (VPNv6) - ipv6 address family
Replies: 4
Views: 1645

Re: Feature Request: 6VPE (VPNv6) - ipv6 address family

Any update on this issue?
by fflo
Wed Jan 02, 2019 3:29 pm
Forum: General
Topic: NordVpn and mikrotik?
Replies: 22
Views: 6556

Re: NordVpn and mikrotik?

@Mikrotik: Can you please add EAP authentication as initiator for RouterOS v6 to fix this issue?
At least IKEv2 with certificates and EAP auth, commonly used by many VPN providers, should be supported on current RouterOS.