Community discussions

Search found 58 matches

by McSee
Fri Aug 23, 2019 7:59 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 15
Views: 1164

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

Looks like you explicitly set my-id for an identity instead of leaving it at auto (it's My ID type in WinBox).
So it should match the ID_R that a client presents.
If that's the case, try to set it to auto.
by McSee
Thu Aug 22, 2019 5:51 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 15
Views: 1164

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

EAP auth with cert doesn't work with MikroTik as an IKEv2 server; it doesn't see the client cert at all, as you found, nor recognize the auth method. What error message do you see in your MikroTik's log with Use machine certificates selected on the client? Isn't it hh:mm:ss ipsec,error can't verify peer's ...
by McSee
Wed Aug 21, 2019 9:39 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 15
Views: 1164

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

If you have a dropdown box you are using the wrong auth method; it should be Use machine certificates.
by McSee
Wed Aug 21, 2019 9:05 pm
Forum: General
Topic: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]
Replies: 15
Views: 1164

Re: Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error [SOLVED]

If you have more than one certificate installed in the Local Computer Personal certificate store that might be used for client authentication, you might need to specify the one to be used with the MachineCertificateIssuerFilter parameter of a VPN connection. The PowerShell command for this is: Set-VpnConnection -Nam...
by McSee
Wed Aug 21, 2019 5:44 pm
Forum: General
Topic: IPIP IPSEC performance
Replies: 2
Views: 379

Re: IPIP IPSEC performance

note2: site 1 is hex and site 2 wAP, I know they are not perfect ..
hEX, if it's an RB750Gr3, should be capable of 65 Mbps IPIP/IPsec as it has IPsec hardware offload; wAP is not.
With hAP ac, which has a slightly more powerful processor than wAP, I've been able to reach ~30 Mbps in pure IPsec.
by McSee
Wed Aug 21, 2019 4:40 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1250

Re: Slow Gbit speed with Mikrotik hex S

Wow - you reach 1 Gbit.
Do you have the same hardware? hex S?
It was hEX (RB750Gr3) which has the same MTK chipset as hEX S; it's essentially hEX S without SFP and PoE out.
by McSee
Tue Aug 20, 2019 11:22 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1250

Re: Slow Gbit speed with Mikrotik hex S

Use a pair of adjacent ports, and enable FastTrack or disable connection tracking if you don't need NAT / stateful firewall at all.
by McSee
Mon Aug 19, 2019 12:14 am
Forum: General
Topic: MAC address list
Replies: 1
Views: 129

Re: MAC address list

You can use /interface bridge filter rules to allow only requests from known MACs to go through to the DHCP server.
by McSee
Fri Jul 19, 2019 1:50 pm
Forum: General
Topic: IPSEC performance problem
Replies: 12
Views: 1082

Re: IPSEC performance problem

However, even after you have applied the steps you used, the speed is still around 230Mbps.
These are pretty good numbers for IPsec single client / TCP; I've seen similar performance on RB750Gr3, which is pretty close to hAP ac2 in IPsec perf, in my quick tests.
by McSee
Fri Jul 19, 2019 12:46 am
Forum: General
Topic: IPSEC performance problem
Replies: 12
Views: 1082

Re: IPSEC performance problem

In the attachment I am sending screen of devices between which I am doing the test.
Looks like you're testing single core performance of a hAP ac2 by single threaded b-test here.
by McSee
Tue Jun 25, 2019 5:15 pm
Forum: General
Topic: vpn site to site, one behind NAT and dynamic ip
Replies: 3
Views: 235

Re: vpn site to site, one behind NAT and dynamic ip

13:45:43 ipsec no IKEv2 peer config for 35.205.XXX.XXX 13:45:44 ipsec,debug ===== received 892 bytes from 35.205.XXX.XXX[500] to 192.168.1.33[500] You do not have suitable peer with local address 192.168.1.33 (or peer with no local address specified). This sa-src-address=83.46.XXX.XXX would be seco...
by McSee
Tue Jun 25, 2019 4:17 pm
Forum: General
Topic: Push remote route through ppp
Replies: 2
Views: 370

Re: Push remote route through ppp

Hello, so as of now is there any way to push the static route to my subnet through ppp connection (l2tp to be specific) or does it still require doing so manually on client's PC? It's possible by using some third party DHCP server. I use Microsoft DHCP server (within Windows Server) with required s...
by McSee
Thu Jun 20, 2019 5:40 pm
Forum: General
Topic: ipsec ikev2 - iOs 'User authentication failed'
Replies: 2
Views: 303

Re: ipsec ikev2 - iOs 'User authentication failed'

What settings do you have for user auth on the iOS device?
It should be set to none; for detailed instructions on how to set up the iOS client look at https://wiki.mikrotik.com/wiki/Manual:I ... figuration
by McSee
Tue Jun 18, 2019 4:31 pm
Forum: General
Topic: CRS 3xx ethernet cable test
Replies: 1
Views: 248

Re: CRS 3xx ethernet cable test

https://wiki.mikrotik.com/wiki/Manual:Interface/Ethernet#Detect_Cable_Problems Currently cable-test is implemented on the following devices: CCR series devices CRS1xx series devices CRS2xx series devices OmniTIK series devices RB450G series devices RB951 series devices RB2011 series devices RB4011 ...
by McSee
Thu Jun 13, 2019 9:18 pm
Forum: General
Topic: VPN down on failover
Replies: 2
Views: 291

Re: VPN down on failover

I do it like this for L2TP/IPsec client: 1. Add the rule to mark connections /ip firewall mangle add action=mark-connection chain=output connection-mark=no-mark dst-port=1701,500,4500 new-connection-mark=L2TP_VPN passthrough=yes protocol=udp - 2. Add the lines below into "On Down" script in the ppp ...
by McSee
Wed Jun 12, 2019 10:31 pm
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 576

Re: Annoyed with Mikrotik 'Support'

by McSee
Thu Jun 06, 2019 4:31 pm
Forum: General
Topic: Assigning a identity/hostname to a MAC address
Replies: 5
Views: 3821

Re: Assigning a identity/hostname to a MAC address

Would you like to see the first or the second row in your logs: 11:43:06 wireless,info CC:25:EF:01:36:A7@wlan1: disconnected, group key exchange timeout 11:43:06 wireless,info CC:25:EF:01:36:A7(Johns-iPhone)@wlan1: disconnected, group key exchange timeout :) Maybe something like this would do? . #...
by McSee
Wed Jun 05, 2019 9:27 pm
Forum: General
Topic: OpneVPN server binding issues
Replies: 6
Views: 828

Re: OpneVPN server binding issues

same problem with l2tp server binding.

running v6.44.2

I guess I should not count on this feature then.
You can set only-one=yes in the PPP Profile for that user to prevent a second connection.
by McSee
Wed Jun 05, 2019 8:49 pm
Forum: General
Topic: RB260GSP or RB960PGS to go with RB4011iGS+RM?
Replies: 11
Views: 535

Re: RB260GSP or RB960PGS to go with RB4011iGS+RM?

I am not sure what to choose, Switch MikroTik RB260GSP or Routerboard MikroTik RB960PGS. 1) Should I go with switch or with router and change the setup to switch? Pros / cons? 2) Can I use SFP to connect RB4011iGS+RM with RB260GSP or RB960PGS? 3) If I use router and configure it as switch can I us...
by McSee
Sat Jun 01, 2019 12:38 am
Forum: General
Topic: Aux port? [SOLVED]
Replies: 6
Views: 505

Re: Aux port? [SOLVED]

My question is what is the purpose of the aux connector. Sorry to be Captain Obvious, but the purpose of the aux connector is to connect the second chain of an LTE MIMO antenna to your routerboard, literally :) So I reckon the real question would be why use a MIMO antenna in the first place, and the answer t...
by McSee
Fri May 31, 2019 11:50 pm
Forum: General
Topic: One MAC many IP
Replies: 4
Views: 519

Re: One MAC many IP

And you can't use a different subnet for LAN1?
by McSee
Fri May 31, 2019 5:10 pm
Forum: General
Topic: Aux port? [SOLVED]
Replies: 6
Views: 505

Re: Aux port? [SOLVED]

An LTE MIMO antenna uses both connectors, obviously.
by McSee
Wed May 29, 2019 4:56 pm
Forum: General
Topic: ssh from routeros to linux server
Replies: 6
Views: 388

Re: ssh from routeros to linux server

I think I found a bug: Basically I think the user flag in the /system ssh command is not working and it also doesn't auto complete with available options. The user parameter is used to specify the remote user name, not the local one. Hence no autocomplete - no way for your MikroTik to obtain the user list from...
by McSee
Fri May 17, 2019 11:57 pm
Forum: General
Topic: /ip filter raw action=return
Replies: 1
Views: 172

Re: /ip filter raw action=return

Use action=accept; it skips all other rules in Raw only.
by McSee
Sat May 11, 2019 4:15 am
Forum: General
Topic: VLAN based on PSK
Replies: 1
Views: 172

Re: VLAN based on PSK

It's not possible. More info - viewtopic.php?t=123551
by McSee
Sat May 11, 2019 3:53 am
Forum: General
Topic: Two EOIP tunnels and traffic problem
Replies: 14
Views: 624

Re: Two EOIP tunnels and traffic problem

peinamuertos,
do you really have the same MAC address on both clients' bridges?
by McSee
Fri May 03, 2019 12:54 am
Forum: General
Topic: Customers IPSEC tunnel comes up, won't pass tunneled traffic through my Mikrotik
Replies: 4
Views: 275

Re: Customers IPSEC tunnel comes up, won't pass tunneled traffic through my Mikrotik

One thing I've noticed that might need attention is that you NAT outgoing traffic to the internet from the public 2.2.2.2/28 addresses.
by McSee
Thu May 02, 2019 4:49 pm
Forum: General
Topic: CRS112-8P-4S-IN cannot block MAC Winbox
Replies: 5
Views: 365

Re: CRS112-8P-4S-IN cannot block MAC Winbox

You can't block MAC WinBox with the IP firewall; that's expected.
Would you still be able to connect from ether1 with allowed-interface-list set to LAN?
by McSee
Tue Apr 30, 2019 4:12 pm
Forum: General
Topic: 5 WAN and 2 LAN PCC Load Balance
Replies: 3
Views: 445

Re: 5 WAN and 2 LAN PCC Load Balance

Look at these 5 routes below on your MikroTik after they have been added. How many of them are active? . add distance=1 dst-address=8.8.4.4/32 gateway=10.93.192.17 scope=10 add distance=2 dst-address=8.8.4.4/32 gateway=192.168.12.1 scope=10 add distance=3 dst-address=8.8.4.4/32 gateway=192.168.34.1...
by McSee
Mon Apr 29, 2019 5:23 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 491

Re: IP Route > check-address GONE ???

Sorry mate, I don't really understand you. I can't see how you can have load balancing with routes with only one gateway each and without routing marks. If you have several routes with the same destination (0.0.0.0/0) and all of them without routing-marks, only one will be active at a time. This is fa...
by McSee
Sun Apr 28, 2019 3:31 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 491

Re: IP Route > check-address GONE ???

The distance of a manually added route can't be less than 1, as I already wrote earlier (starting with X=1).
Do you understand that this config means only one provider active at a time?
by McSee
Sat Apr 27, 2019 1:06 pm
Forum: General
Topic: VPN
Replies: 22
Views: 1003

Re: VPN

Add a route to your VPN server if you want to send all traffic there or uncheck "Add Default Route" in the client settings if you don't.
by McSee
Sat Apr 27, 2019 12:34 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 491

Re: IP Route > check-address GONE ???

In one routing table you have to use different hosts to check connectivity against.
Add distance=X to default routes as required starting with X=1.
by McSee
Fri Apr 26, 2019 7:58 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 491

Re: IP Route > check-address GONE ???

This required policy routing, but I worry it may have a conflict with my WAN load balance. No, it doesn't require policy routing if all you need is a single active default route (=one routing table). Just like this (using IPs from OP) : /ip route add dst-address=8.8.8.8/32 gateway=10.10.10.1 scope=10 c...
by McSee
Fri Apr 26, 2019 6:45 pm
Forum: General
Topic: IP Route > check-address GONE ???
Replies: 9
Views: 491

Re: IP Route > check-address GONE ???

by McSee
Fri Apr 26, 2019 6:15 pm
Forum: General
Topic: Ping IPSEC host from router
Replies: 20
Views: 867

Re: Ping IPSEC host from router

Guys, the IPsec policy 'out, none' criterion works just fine for me in a NAT rule.
As well as 'out, ipsec', as can be seen in the screenshot below.
by McSee
Sat Apr 20, 2019 1:41 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1131
Views: 198510

Re: Feature requests

Can't believe that the RoS console still doesn't have such a basic feature as command history search! Like Ctrl-R/Ctrl-S in bash. Type Ctrl-R then a few letters and it will show you the previous command from the history with these letters, with Ctrl-R to move to the next result up and Ctrl-S down. And no fil...
by McSee
Sat Apr 20, 2019 12:30 pm
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 15
Views: 847

Re: /tool sniffer Code: 3 (Port unreachable)

Sob, have you seen MikroTik's very own Trafr utility? ( download link -- http://www.mikrotik.com/download/trafr.tgz ) It is supposed to make a proper ".pcap" from TZSP. Then there is also Tzsp2pcap ( https://github.com/thefloweringash/tzsp2pcap ). And it might be possible to remove extra TZSP bits ...
by McSee
Fri Apr 19, 2019 7:09 pm
Forum: General
Topic: Issues with internal traffic not getting NATed
Replies: 21
Views: 1031

Re: Issues with internal traffic not getting NATed

Looks like the only thing you can do to stop this leaking is to clear the connection tracking table with "/ip firewall connection remove [find ]", or at least to delete those records whose Reply-Dst-Address equals the public IP of the "failed" interface.
by McSee
Fri Apr 19, 2019 4:40 pm
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 15
Views: 847

Re: /tool sniffer Code: 3 (Port unreachable)

"udp port 37008" is not a good solution since on both MacOS / Arch I get bytes missing in capture file when I follow the stream filter-stream option seems to have no effect macos's `brew cask install wireshark` does NOT have this Code: 3 (Post unreachable) problem :-? UPDATE: Actually I saw it on M...
by McSee
Fri Apr 19, 2019 6:00 am
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 15
Views: 847

Re: /tool sniffer Code: 3 (Port unreachable)

I do not have these "port unreachable" icmp packets in my capture (see below). Settings as follows: only-headers: no memory-limit: 1000KiB memory-scroll: yes file-name: file-limit: 30000KiB streaming-enabled: yes streaming-server: 192.168.10.101 filter-stream: yes filter-interface: bridge filter-mac...
by McSee
Fri Apr 19, 2019 2:52 am
Forum: General
Topic: /tool sniffer Code: 3 (Port unreachable)
Replies: 15
Views: 847

Re: /tool sniffer Code: 3 (Port unreachable)

You may try to use "udp port 37008" as a capture filter in Wireshark; it works for me.

And it's also a good idea to filter the stream on the MikroTik's side, at least down to a certain interface, as poor Wireshark gets confused by the same packets captured several times.
by McSee
Fri Apr 19, 2019 2:11 am
Forum: General
Topic: List Active PPP with ip address(where mtu 1480) [SOLVED]
Replies: 3
Views: 306

Re: List Active PPP with ip address(where mtu 1480) [SOLVED]

Something like this?
:foreach i in=[/interface find actual-mtu=1480 running] do={/ip address print where interface=[/interface get value-name=name $i]}
by McSee
Thu Apr 18, 2019 5:26 pm
Forum: General
Topic: Unstable WiFi RB2011UiASS-2HnD
Replies: 4
Views: 300

Re: Unstable WiFi RB2011UiASS-2HnD

I tried different configurations with Tx\Rx power, different band types and frequency.
Have you used the RoS wi-fi tools (spectral-history, frequency-monitor) to find less busy channel(s)?
Do you use 20MHz channel width?
by McSee
Thu Apr 18, 2019 5:00 pm
Forum: General
Topic: Make external IP address accessible on secondary port
Replies: 8
Views: 486

Re: Make external IP address accessible on secondary port

I can't verify myself if it works this way but you may want to try - on first mikrotik - set up "bandwidth controlled port" as a separate interface - then execute "/ip address add address=xx.xx.xx.98/32 interface="bandwidth controlled port" network=xx.xx.xx.99" on the second - set up xx.xx.xx.99/29 ...
by McSee
Tue Apr 16, 2019 10:50 pm
Forum: General
Topic: Installing routeros specific version
Replies: 2
Views: 212

Re: Installing routeros specific version

It's simple - use "/tool fetch " to download that version, then ":execute {/system reboot;}".
But you may want to add some safeguards, like checking the current version, as upgrading from pre-6.41 (master-port config) might break some things.
by McSee
Tue Apr 16, 2019 10:28 pm
Forum: General
Topic: NAT in Transparent Mode
Replies: 1
Views: 175

Re: NAT in Transparent Mode

You can't. A bridge is L2 and what you want to do is L3. What you would be able to do with a bridge is MAC address NAT.
by McSee
Mon Apr 15, 2019 6:32 pm
Forum: General
Topic: Can't Reach IP in PPPOE
Replies: 3
Views: 297

Re: Can't Reach IP in PPPOE

Hi,

As shown in the figure below (the blue line), I can't access from one to another router in the same range of IP's.
It's not the same range. If you look at the route that the PPPoE client adds, you won't see a netmask.
by McSee
Sat Apr 13, 2019 6:32 pm
Forum: General
Topic: 3 ISP channels needed to work simultaneously
Replies: 8
Views: 520

Re: 3 ISP channels needed to work simultaneously

You should use the IP address of the modem instead of the interface as a gateway in the route. It actually doesn't matter; I tried both using the interface and the modem's IP 192.168.8.1. Well, it might work in this case with the interface as a gateway since LTE is not true ethernet. But you definitely need...