Community discussions

Search found 63 matches

by McSee
Sun Oct 20, 2019 9:28 pm
Forum: General
Topic: IN v6.45.6 L2TP not use MPPE 128 ?
Replies: 21
Views: 1083

Re: IN v6.45.6 L2TP not use MPPE 128 ?

its use is indicated in the profile?
Set it to required.
by McSee
Mon Oct 07, 2019 3:13 am
Forum: General
Topic: L2TP/IPSec - Works from Android and Mikrotik but not Windows?
Replies: 3
Views: 1313

Re: L2TP/IPSec - Works from Android and Mikrotik but not Windows?

Windows clients need AssumeUDPEncapsulationContextOnSend registry setting set to yes if your VPN server is behind NAT.
by McSee
Fri Sep 27, 2019 8:10 pm
Forum: General
Topic: CRS 326 Bonding no TX in torch and packet sniffer
Replies: 1
Views: 240

Re: CRS 326 Bonding no TX in torch and packet sniffer

You may need to disable hardware offload on bridge ports.
by McSee
Thu Sep 05, 2019 4:33 am
Forum: Announcements
Topic: SwOS version 2.9 released!
Replies: 72
Views: 25832

Re: SwOS version 2.9 released!

2.10 is already available for upgrade on devices. What's new in v2.10: *) do not ignore RSTP port state when forwarding DHCP, PPPoE or IGMP snooped packets; *) IGMP snooping: send out IGMPv3 queries by default; *) IGMP snooping: handle IGMPv3 leaves much better; *) IGMP snooping: handle dropped IGMP...
by McSee
Mon Sep 02, 2019 9:38 pm
Forum: General
Topic: SSTP No Default Gateway - Setup for gateway [SOLVED]
Replies: 3
Views: 557

Re: SSTP No Default Gateway - Setup for gateway [SOLVED]

Routes in PPP Secret are not for clients ( https://wiki.mikrotik.com/wiki/Manual:PPP_AAA#Properties_2 ), it makes no sense to put local IP there. Currently RouterOS can push routes only to IKEv2 VPN clients. But you still can have default and class based routes added by Windows VPN client itself (pi...
by McSee
Fri Aug 23, 2019 7:59 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 16
Views: 2001

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

Looks like you explicitly set my-id for an identity instead of leaving it at auto (it's My ID type in WinBox).
So it should match to ID_R that a client presents.
If that's the case try to set it to auto .
by McSee
Thu Aug 22, 2019 5:51 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 16
Views: 2001

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

EAP auth with cert doesn't work with Mikrotik as an IKEv2 server, it doesn't see client cert at all, as you found, nor recognize auth method. What error message do you see in your Mikrotik's log with Use machine certificates selected on the client ? Isn't it hh:mm:ss ipsec,error can't verify peer's ...
by McSee
Wed Aug 21, 2019 9:39 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 16
Views: 2001

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

If you have dropdown box you are using wrong auth method, it should be Use machine certificates.
ike2.png
by McSee
Wed Aug 21, 2019 9:05 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 16
Views: 2001

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

If you have more than one certificate installed in Local Computer Personal certificate store that might be used for client authentication , you might need to specify one to be used by MachineCertificateIssuerFilter parameter of a VPN connection. PowerShell command for this is: Set-VpnConnection -Nam...
by McSee
Wed Aug 21, 2019 5:44 pm
Forum: General
Topic: IPIP IPSEC performance
Replies: 2
Views: 488

Re: IPIP IPSEC performance

note2: site 1 is hex and site 2 wAP, I know they are not perfect ..
hEX, if it's RB750Gr3, should be capable of 65 Mbps IPIP/IPsec as it has IPsec hardware offload, wAP is not.
With hAP AC, which has a bit more powerful processor than wAP, I've been able to reach ~30 Mbps in pure IPsec.
by McSee
Wed Aug 21, 2019 4:40 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1458

Re: Slow Gbit speed with Mikrotik hex S

Wow - you reach 1 Gbit.
Do you have the same hardware? hex S?
It was hEX (RB750Gr3) which has the same MTK chipset as hEX S; it's essentially hEX S without SFP and PoE out.
by McSee
Tue Aug 20, 2019 11:22 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1458

Re: Slow Gbit speed with Mikrotik hex S

Use a pair of adjacent ports, and enable FastTrack or disable connection tracking if you don't need NAT / stateful firewall at all.
dupl_nonat_Gr3.PNG
by McSee
Mon Aug 19, 2019 12:14 am
Forum: General
Topic: MAC address list
Replies: 1
Views: 211

Re: MAC address list

You can use /interface bridge filter rules to allow only requests from known MACs go through to DHCP server.
by McSee
Fri Jul 19, 2019 1:50 pm
Forum: General
Topic: IPSEC performance problem
Replies: 12
Views: 1214

Re: IPSEC performance problem

However, even after you have applied the steps you used, the speed is still around 230Mbps.
These are pretty good numbers for IPsec single client / TCP, I've seen similar performance on RB750Gr3, which is pretty close to hAP ac2 in IPsec perf, in my quick tests.
by McSee
Fri Jul 19, 2019 12:46 am
Forum: General
Topic: IPSEC performance problem
Replies: 12
Views: 1214

Re: IPSEC performance problem

In the attachment I am sending screen of devices between which I am doing the test.
Looks like you're testing single core performance of a hAP ac2 by single threaded b-test here.
by McSee
Tue Jun 25, 2019 5:15 pm
Forum: General
Topic: vpn site to site, one behind NAT and dynamic ip
Replies: 3
Views: 276

Re: vpn site to site, one behind NAT and dynamic ip

13:45:43 ipsec no IKEv2 peer config for 35.205.XXX.XXX 13:45:44 ipsec,debug ===== received 892 bytes from 35.205.XXX.XXX[500] to 192.168.1.33[500] You do not have suitable peer with local address 192.168.1.33 (or peer with no local address specified). This sa-src-address=83.46.XXX.XXX would be seco...
by McSee
Tue Jun 25, 2019 4:17 pm
Forum: General
Topic: Push remote route through ppp
Replies: 2
Views: 478

Re: Push remote route through ppp

Hello, so as of now is there any way to push the static route to my subnet through ppp connection (l2tp to be specific) or does it still require doing so manually on client's PC? It's possible by using some third party DHCP server. I use Microsoft DHCP server (within Windows Server) with required s...
by McSee
Thu Jun 20, 2019 5:40 pm
Forum: General
Topic: ipsec ikev2 - iOs 'User authentication failed'
Replies: 2
Views: 599

Re: ipsec ikev2 - iOs 'User authentication failed'

What settings do you have for user auth on an iOS device ?
It shoud be set to none, for detailed instructions on how to set up iOS client look at https://wiki.mikrotik.com/wiki/Manual:I ... figuration
by McSee
Tue Jun 18, 2019 4:31 pm
Forum: General
Topic: CRS 3xx ethernet cable test
Replies: 1
Views: 283

Re: CRS 3xx ethernet cable test

https://wiki.mikrotik.com/wiki/Manual:Interface/Ethernet#Detect_Cable_Problems Currently cable-test is implemented on the following devices: CCR series devices CRS1xx series devices CRS2xx series devices OmniTIK series devices RB450G series devices RB951 series devices RB2011 series devices RB4011 ...
by McSee
Thu Jun 13, 2019 9:18 pm
Forum: General
Topic: VPN down on failover
Replies: 2
Views: 348

Re: VPN down on failover

I do it like this for L2TP/IPsec client: 1. Add the rule to мark connections /ip firewall mangle add action=mark-connection chain=output connection-mark=no-mark dst-port=1701,500,4500 new-connection-mark=L2TP_VPN passthrough=yes protocol=udp - 2. Add the lines below into "On Down" script in the ppp ...
by McSee
Wed Jun 12, 2019 10:31 pm
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 657

Re: Annoyed with Mikrotik 'Support'

60ad.png
by McSee
Thu Jun 06, 2019 4:31 pm
Forum: General
Topic: Assigning a identity/hostname to a MAC address
Replies: 6
Views: 4260

Re: Assigning a identity/hostname to a MAC address

Would you like to see the first or the second row in your logs: 11:43:06 wireless,info CC:25:EF:01:36:A7@wlan1: disconnected, group key exchange timeout 11:43:06 wireless,info CC:25:EF:01:36:A7(Johns-iPhone)@wlan1: disconnected, group key exchange timeout :) Maybe something like this would do ? . #...
by McSee
Wed Jun 05, 2019 9:27 pm
Forum: General
Topic: OpneVPN server binding issues
Replies: 6
Views: 902

Re: OpneVPN server binding issues

same problem with l2tp server binding.

running v6.44.2

I guess I should not count on this feature then.
You can set only-one=yes in PPP Profile for that user to prevent second connection.
by McSee
Wed Jun 05, 2019 8:49 pm
Forum: General
Topic: RB260GSP or RB960PGS to go with RB4011iGS+RM? [SOLVED]
Replies: 12
Views: 855

Re: RB260GSP or RB960PGS to go with RB4011iGS+RM? [SOLVED]

I am not sure what to chose if Switch MikroTik RB260GSP or Routerboard MikroTik RB960PGS. 1) Should I go with switch or with router and change the setup to switch? Pros / cons? 2) Can I use SFP to connect RB4011iGS+RM with RB260GSP or RB960PGS? 3) If I use router and configure it as switch can I us...
by McSee
Sat Jun 01, 2019 12:38 am
Forum: General
Topic: Aux port? [SOLVED]
Replies: 6
Views: 597

Re: Aux port? [SOLVED]

My question is what is the porpuse of the aux connector. Sorry to be Captain Obvious but the purpose of the aux connector is to connect second chain of LTE MIMO antenna to your routerboard, literally :) So I reckon the real question would be why use MIMO antenna in the first place, and the answer t...
by McSee
Fri May 31, 2019 11:50 pm
Forum: General
Topic: One MAC many IP
Replies: 4
Views: 584

Re: One MAC many IP

And you can't use different subnet for LAN1 ?
by McSee
Fri May 31, 2019 5:10 pm
Forum: General
Topic: Aux port? [SOLVED]
Replies: 6
Views: 597

Re: Aux port? [SOLVED]

LTE MIMO antenna uses both connectors obviously.
by McSee
Wed May 29, 2019 4:56 pm
Forum: General
Topic: ssh from routeros to linux server
Replies: 6
Views: 456

Re: ssh from routeros to linux server

I think I found a bug: Basically I think the user flag in the /system ssh command is not working and it also doesn't auto complete with available options user parameter is used to specify remote user name , not the local one. Hence no autocomplete - no way for your mikrotik to obtain user list from...
by McSee
Fri May 17, 2019 11:57 pm
Forum: General
Topic: /ip filter raw action=return
Replies: 1
Views: 210

Re: /ip filter raw action=return

Use action=accept, it skips all other rules in Raw only.
by McSee
Sat May 11, 2019 4:15 am
Forum: General
Topic: VLAN based on PSK
Replies: 1
Views: 201

Re: VLAN based on PSK

It's not possible. More info - viewtopic.php?t=123551
by McSee
Sat May 11, 2019 3:53 am
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 14
Views: 761

Re: Two EOIP tunnels and traffic problem

peinamuertos,
do you really have the same MAC address on both clients' bridges ?
by McSee
Fri May 03, 2019 12:54 am
Forum: General
Topic: Customers IPSEC tunnel comes up, won't pass tunneled traffic through my Mikrotik
Replies: 4
Views: 314

Re: Customers IPSEC tunnel comes up, won't pass tunneled traffic through my Mikrotik

One thing I've noticed that might need attention is that you NAT outgoing traffic to the internet from public 2.2.2.2/28 addresses.
by McSee
Thu May 02, 2019 4:49 pm
Forum: General
Topic: CRS112-8P-4S-IN cannot block MAC Winbox
Replies: 5
Views: 421

Re: CRS112-8P-4S-IN cannot block MAC Winbox

You can't block MAC WinBox with IP firewall, that's expected.
Would you still be able to connect from ether1 with allowed-interface-list set to LAN ?
by McSee
Tue Apr 30, 2019 4:12 pm
Forum: General
Topic: 5 WAN and 2 LAN PCC Load Balance
Replies: 3
Views: 556

Re: 5 WAN and 2 LAN PCC Load Balance

Look at these 5 routes below on your mikrotik after they have been added. How many of them are active ? . add distance=1 dst-address=8.8.4.4/32 gateway=10.93.192.17 scope=10 add distance=2 dst-address=8.8.4.4/32 gateway=192.168.12.1 scope=10 add distance=3 dst-address=8.8.4.4/32 gateway=192.168.34.1...
by McSee
Mon Apr 29, 2019 5:23 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 562

Re: IP Route > check-address GONE ???

Sorry mate, I don't really understand you. Can't see how you can have load balancing with routes with only one gateway each and without routing marks. If you have several routes with the same destination (0.0.0.0/0) and all of them without routing-marks, only one will be active at a time. This is fa...
by McSee
Sun Apr 28, 2019 3:31 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 562

Re: IP Route > check-address GONE ???

Distance in the route manually added can't be less than 1 as I already wrote earlier (starting with X=1).
Do you understand that this config means only one provider active at a time ?
by McSee
Sat Apr 27, 2019 1:06 pm
Forum: General
Topic: VPN
Replies: 22
Views: 1246

Re: VPN

Add a route to your VPN server if you want to send all traffic there or uncheck "Add Default Route" in the client settings if you don't.
by McSee
Sat Apr 27, 2019 12:34 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 562

Re: IP Route > check-address GONE ???

In one routing table you have to use different hosts to check connectivity against.
Add distance=X to default routes as required starting with X=1.
by McSee
Fri Apr 26, 2019 7:58 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 562

Re: IP Route > check-address GONE ???

This required Policy routing, but i worry it may has conflic with my WAN load balance. No, it doesn't require policy routing if all you need is a single active default route (=one routing table). Just like this (using IPs from OP) : /ip route add dst-address=8.8.8.8/32 gateway=10.10.10.1 scope=10 c...
by McSee
Fri Apr 26, 2019 6:45 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 562

Re: IP Route > check-address GONE ???

by McSee
Fri Apr 26, 2019 6:15 pm
Forum: General
Topic: Ping IPSEC host from router
Replies: 20
Views: 1076

Re: Ping IPSEC host from router

Guys, IPsec policy 'out, none' criterion works just fine for me in a NAT rule.
As well as 'out, ipsec' as can be seen in the screenshot below.
.
IPsec_noNAT.PNG
by McSee
Sat Apr 20, 2019 1:41 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208634

Re: Feature requests

Can't believe that RoS console still doesn't have such basic feature as a command history search ! Like Ctrl-R/Ctrl-S in bash. Type Ctrl-R then few letters and it will show you previous command from the history with these letters, with Ctrl-R to move to the next result up and Ctrl-S down. And no fil...
by McSee
Sat Apr 20, 2019 12:30 pm
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 15
Views: 1000

Re: /tool sniffer Code: 3 (Port unreachable)

Sob, have you seen Mikrotik's very own Trafr utility? ( download link -- http://www.mikrotik.com/download/trafr.tgz ) Which is supposed to make proper ".pcap" from TZSP. Then there is also Tzsp2pcap ( https://github.com/thefloweringash/tzsp2pcap ). And it might be possible to remove extra TZSP bits ...
by McSee
Fri Apr 19, 2019 7:09 pm
Forum: General
Topic: Issues with internal traffic not getting NATed
Replies: 21
Views: 1126

Re: Issues with internal traffic not getting NATed

Looks like the only thing you can do to stop this leaking is to clear connection tracking table with "/ip firewall connection remove [find ]", or at least to delete those records that have Reply-Dst-Address that equals to public IP of "failed" interface.
by McSee
Fri Apr 19, 2019 4:40 pm
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 15
Views: 1000

Re: /tool sniffer Code: 3 (Port unreachable)

"udp port 37008" is not a good solution since on both MacOS / Arch I get bytes missing in capture file when I follow the stream filter-stream option seems to have no effect macos's `brew cask install wireshark` does NOT have this Code: 3 (Post unreachable) problem :-? UPDATE: Actually I saw it on M...
by McSee
Fri Apr 19, 2019 6:00 am
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 15
Views: 1000

Re: /tool sniffer Code: 3 (Port unreachable)

I do not have these "port unreachable" icmp packets in my capture (see below). Settings as follows: only-headers: no memory-limit: 1000KiB memory-scroll: yes file-name: file-limit: 30000KiB streaming-enabled: yes streaming-server: 192.168.10.101 filter-stream: yes filter-interface: bridge filter-mac...
by McSee
Fri Apr 19, 2019 2:52 am
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 15
Views: 1000

Re: /tool sniffer Code: 3 (Port unreachable)

You may try to use "udp port 37008" as a capture filter in Wireshark, it works for me.

And it's also a good idea to filter stream on mikrotik's side at least down to a certain interface as poor Wireshark
gets confused by the same packets captured several times.
by McSee
Fri Apr 19, 2019 2:11 am
Forum: General
Topic: List Active PPP with ip address(where mtu 1480) [SOLVED]
Replies: 3
Views: 354

Re: List Active PPP with ip address(where mtu 1480) [SOLVED]

Something like this ?
:foreach i in=[/interface find actual-mtu=1480 running] do={/ip address print where interface=[/interface get value-name=name $i]}
by McSee
Thu Apr 18, 2019 5:26 pm
Forum: General
Topic: Unstable WiFi RB2011UiASS-2HnD
Replies: 4
Views: 350

Re: Unstable WiFi RB2011UiASS-2HnD

I tried different configurations with Tx\Rx power, different band types and frequency.
Have you used RoS wi-fi tools (spectral-history, frequency-monitor) to find less busy channel(s) ?
Do you use 20MHz channel width ?
by McSee
Thu Apr 18, 2019 5:00 pm
Forum: General
Topic: Make external IP address accessible on secondary port
Replies: 8
Views: 541

Re: Make external IP address accessible on secondary port

I can't verify myself if it works this way but you may want to try - on first mikrotik - set up "bandwidth controlled port" as a separate interface - then execute "/ip address add address=xx.xx.xx.98/32 interface="bandwidth controlled port" network=xx.xx.xx.99" on the second - set up xx.xx.xx.99/29 ...
by McSee
Tue Apr 16, 2019 10:50 pm
Forum: General
Topic: Installing routeros specific version
Replies: 2
Views: 241

Re: Installing routeros specific version

It's simple - use "/tool fetch " to download that version then ":execute {/system reboot;}".
But you may want to add some safeguards like checking current version as the upgrade of pre-6.41(master-port config) might break some things.
by McSee
Tue Apr 16, 2019 10:28 pm
Forum: General
Topic: NAT in Transparent Mode
Replies: 1
Views: 192

Re: NAT in Transparent Mode

You can't. Bridge is L2 and what you want to do is L3. What you would be able to do with bridge is a MAC address NAT.
by McSee
Mon Apr 15, 2019 6:32 pm
Forum: General
Topic: Can't Reach IP in PPPOE
Replies: 3
Views: 333

Re: Can't Reach IP in PPPOE

Hi,

As shown in the figure below (the blue line), I can't access from one to another router in the same range of IP's.
It's not the same range. If you look at the route that PPPoE client adds, you won't see a netmask.
by McSee
Sat Apr 13, 2019 6:32 pm
Forum: General
Topic: 3 ISP channels needed to work simultaneously
Replies: 8
Views: 579

Re: 3 ISP channels needed to work simultaneously

You should use IP address of the modem instead of interface as a gateway in the route. It's actually doesn't matter, I tried both to use interface and the modem's ip 192.168.8.1. Well, it might work in this case with the interface as a gateway since LTE is not true ethernet. But you definitely need...
by McSee
Sat Apr 13, 2019 3:24 pm
Forum: General
Topic: 3 ISP channels needed to work simultaneously
Replies: 8
Views: 579

Re: 3 ISP channels needed to work simultaneously

Adding LTE with the static route and new route-mark as well as adding a rule in IP -> Routes -> Rules didn't help, LTE interface doesn't go to the internet. What I'm doing wrong if it's possible to get 3 channels working without VRF? Thanks. You should use IP address of the modem instead of interfa...
by McSee
Sat Apr 13, 2019 4:10 am
Forum: General
Topic: Cannot connect PPPoE after disconnect
Replies: 1
Views: 266

Re: Cannot connect PPPoE after disconnect

Looks like your PPPoE session got stuck, most likely ISP's equipment didn't like how it was closed by mikrotik. Also a limit of one session per user at a time is set up, as is pretty common for providers. BUT - usually PPPoE servers have pretty short keepalive timeout - a couple of minutes at most, ...
by McSee
Sat Apr 13, 2019 3:26 am
Forum: General
Topic: Issues with internal traffic not getting NATed
Replies: 21
Views: 1126

Re: Issues with internal traffic not getting NATed

You may want to try srcnat rule with action=sct-nat instead of masquerade using an address within DHCP subnet range of your cellular modem/router.
Set this address on ether1 manually instead of DHCP client and also manually add the same default route as DHCP client did.
by McSee
Sat Apr 13, 2019 2:13 am
Forum: General
Topic: 3 ISP channels needed to work simultaneously
Replies: 8
Views: 579

Re: 3 ISP channels needed to work simultaneously

You can't have several active routes to the same dest (0.0.0.0/0) in one routing table = same routing mark in your case. First and second routes are in different routing tables as the first has routing mark specified. So if you want the third rule to be active you have to specify different routing m...
by McSee
Wed Apr 10, 2019 6:47 pm
Forum: General
Topic: PPP Secrets - DNS Server
Replies: 3
Views: 333

Re: PPP Secrets - DNS Server

There are variables user and remote-address accessible within On Up and On Down scripts in ppp profile which you can use to add and remove static DNS entries.
by McSee
Wed Apr 10, 2019 5:04 pm
Forum: General
Topic: Mutliple IP exclude issue in firewall block rule
Replies: 6
Views: 457

Re: Mutliple IP exclude issue in firewall block rule

So I had to add each ip one by one into allowed-bit .
That's the way it works - you add several IPs by one and then have a single address list with multiple single IPs and use it in filter rules.
Or I misunderstood the question ?
by McSee
Wed Apr 10, 2019 4:56 pm
Forum: General
Topic: Issues with internal traffic not getting NATed
Replies: 21
Views: 1126

Re: Issues with internal traffic not getting NATed

Do you have fast track enabled ? And have you tried to add most generic srcnat log rule at the bottom to look at those "bad" packets ?
by McSee
Fri Mar 29, 2019 10:33 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 9619

Re: v6.43.13 [long-term] is released!

I think there is a Bug that wasn't in 6.42.12:

Running that command on 6.42.12 works:
:log info ([/interface pppoe-client monitor pppoe-WAN as-value]->"status")
It's not a bug it's a feature :)
Now you need to add "once" after an interface name.