MikroTik

McSee

.... First, I want to remove wlan2 from the bridge, but see no method .....

.

br.png

McSee

MBP:~ $ nslookup -q=NS mynetname.net 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

** server can't find mynetname.net: NXDOMAIN

McSee

I use some MikroTik routers in pseudo-bridge config and it works exactly like has been described above by bpwl . You might also consider to get another inexpensive Huawei router (like Wi-Fi 6 AX3) to extend your network as Huawei routers have аn easy-to-use feature(HiLink mesh) for connecting them w...

McSee

hAP mini here, no problemo
.

hAP mini.png

.

hAP mini1.png

McSee

Uhh huh... And what was the actually reporting throughput at the device?

Screenshot from the device (iPhone 6S) has been added.

McSee

~500 Mbps download with 2x2 client very close to Chateau (no wifiwave2 for Chateau - not expensive enough I guess).

wifi-Cha.png

Chateau_iP6S.png

McSee

Fasttrack doesn't work for me in 7.1beta2 on Chateau. It's shown as active in IP Settings, but counters there and in dummy rules in Firewall are all zeros. Config is pretty basic and fasttrack works with the same config in 7.1beta1. Edit: Also doesn't work with default config in 7.1beta2 and works i...

McSee

Latvian technology innovation companies LMT and MikroTik have jointly created and are starting to sell the “MikroTik LMT LTE18” router.

https://www.lmt.lv/lv/preses-relizes?g=2020&pid=1000

McSee

These kind of testings are subject to cpu power, while you want to test network performance. Therefor I don't need it. The bandwidth test is not sufficient for you? In that case isn't bandwidth test subjected to CPU power as well? As WeWiNet wrote, a simple speed test would be enough, server side o...

McSee

Set STP on the bridge to none.

McSee

Enterprises cannot rely on "beta" software and tons of unfullfilled promises of eveyrhing will be fixed in v7 (which got released without a routing package

V7 released ?? Where can I get it ?

McSee

@mktkRB If those clients are Windows 10 machines you can use Name Resolution Policy ( https://docs.microsoft.com/en-us/powershell/module/dnsclient/set-dnsclientnrptrule?view=win10-ps ) to make clients use different DNS server(s) for different namespaces (subdomains). Also can be done with Group Pol...

McSee

But from what I've read and understand I am doing it wrong and I should rather set up the tunnel using temporary public IP as the remote address (in peers) and stop using the DNS name. Then use scripts to check regularly for IP changes and update my tunnel accordingly. No, it's absolutely fine to u...

McSee

No, "~" is a matching operator. Use it instead of "=", not as a part of the expression - which may be as simple as "^B0:6E:BF", meaning any string that begins with "B0:6E:BF".

McSee

You can use regular expressions with "~" operator -- https://wiki.mikrotik.com/wiki/Manual:S ... _Operators

McSee

Cabling also adds Voltage drop

Have you seen the video posted above ? No cabling there at all.

McSee

@dad2312
On your mtik - what speed do you see in ethernet ports status, is it 100 Mbps Full Duplex ? Is Hw. Offload activated on bridge ports (look at Bridge/Ports for big H next to port numbers) ?

McSee

Why? I didn't see anywhere any limitation about the WAN type of the IKEv2 server regarding this. It is connected via PPPoE to the ISP, yes. The connection works, just, something about this isn't: *) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received; ...

McSee

If IKEv2 clients connect to your mikrotik's PPPoE internet connection, split tunneling most probably won't work.

McSee

"The server is at a public, addressable IP, not behind a NAT. "

and server's IP address 192.168.100.2 in logs does not compute.

McSee

Yes, 6.44.6. ( prefer long term unless really need some new features in stable)

No L2TP, just IPsec on this one.

McSee

10.png

McSee

I have a couple of IPsec tunnels with hw crypto running on my RB3011 without any issues.

SA10.png

McSee

its use is indicated in the profile?

Set it to required.

McSee

Windows clients need AssumeUDPEncapsulationContextOnSend registry setting set to yes if your VPN server is behind NAT.

McSee

You may need to disable hardware offload on bridge ports.

McSee

2.10 is already available for upgrade on devices. What's new in v2.10: *) do not ignore RSTP port state when forwarding DHCP, PPPoE or IGMP snooped packets; *) IGMP snooping: send out IGMPv3 queries by default; *) IGMP snooping: handle IGMPv3 leaves much better; *) IGMP snooping: handle dropped IGMP...

McSee

Routes in PPP Secret are not for clients ( https://wiki.mikrotik.com/wiki/Manual:PPP_AAA#Properties_2 ), it makes no sense to put local IP there. Currently RouterOS can push routes only to IKEv2 VPN clients. But you still can have default and class based routes added by Windows VPN client itself (pi...

McSee

Looks like you explicitly set my-id for an identity instead of leaving it at auto (it's My ID type in WinBox).
So it should match to ID_R that a client presents.
If that's the case try to set it to auto .

McSee

EAP auth with cert doesn't work with Mikrotik as an IKEv2 server, it doesn't see client cert at all, as you found, nor recognize auth method. What error message do you see in your Mikrotik's log with Use machine certificates selected on the client ? Isn't it hh:mm:ss ipsec,error can't verify peer's ...

McSee

If you have dropdown box you are using wrong auth method, it should be Use machine certificates.

ike2.png

McSee

If you have more than one certificate installed in Local Computer Personal certificate store that might be used for client authentication , you might need to specify one to be used by MachineCertificateIssuerFilter parameter of a VPN connection. PowerShell command for this is: Set-VpnConnection -Nam...

McSee

note2: site 1 is hex and site 2 wAP, I know they are not perfect ..

hEX, if it's RB750Gr3, should be capable of 65 Mbps IPIP/IPsec as it has IPsec hardware offload, wAP is not.
With hAP AC, which has a bit more powerful processor than wAP, I've been able to reach ~30 Mbps in pure IPsec.

McSee

Wow - you reach 1 Gbit.
Do you have the same hardware? hex S?

It was hEX (RB750Gr3) which has the same MTK chipset as hEX S; it's essentially hEX S without SFP and PoE out.

McSee

Use a pair of adjacent ports, and enable FastTrack or disable connection tracking if you don't need NAT / stateful firewall at all.

dupl_nonat_Gr3.PNG

McSee

Bandwidth-based load-balancing with failover. The easy way.
https://mum.mikrotik.com/presentations/US12/tomas.pdf

McSee

You can use /interface bridge filter rules to allow only requests from known MACs go through to DHCP server.

McSee

However, even after you have applied the steps you used, the speed is still around 230Mbps.

These are pretty good numbers for IPsec single client / TCP, I've seen similar performance on RB750Gr3, which is pretty close to hAP ac2 in IPsec perf, in my quick tests.

McSee

In the attachment I am sending screen of devices between which I am doing the test.

Looks like you're testing single core performance of a hAP ac2 by single threaded b-test here.

McSee

13:45:43 ipsec no IKEv2 peer config for 35.205.XXX.XXX 13:45:44 ipsec,debug ===== received 892 bytes from 35.205.XXX.XXX[500] to 192.168.1.33[500] You do not have suitable peer with local address 192.168.1.33 (or peer with no local address specified). This sa-src-address=83.46.XXX.XXX would be seco...

McSee

Hello, so as of now is there any way to push the static route to my subnet through ppp connection (l2tp to be specific) or does it still require doing so manually on client's PC? It's possible by using some third party DHCP server. I use Microsoft DHCP server (within Windows Server) with required s...

McSee

What settings do you have for user auth on an iOS device ?
It shoud be set to none, for detailed instructions on how to set up iOS client look at https://wiki.mikrotik.com/wiki/Manual:I ... figuration

McSee

https://wiki.mikrotik.com/wiki/Manual:Interface/Ethernet#Detect_Cable_Problems Currently cable-test is implemented on the following devices: CCR series devices CRS1xx series devices CRS2xx series devices OmniTIK series devices RB450G series devices RB951 series devices RB2011 series devices RB4011 ...

McSee

I do it like this for L2TP/IPsec client: 1. Add the rule to мark connections /ip firewall mangle add action=mark-connection chain=output connection-mark=no-mark dst-port=1701,500,4500 new-connection-mark=L2TP_VPN passthrough=yes protocol=udp - 2. Add the lines below into "On Down" script i...

McSee

60ad.png

McSee

Would you like to see the first or the second row in your logs: 11:43:06 wireless,info CC:25:EF:01:36:A7@wlan1: disconnected, group key exchange timeout 11:43:06 wireless,info CC:25:EF:01:36:A7(Johns-iPhone)@wlan1: disconnected, group key exchange timeout :) Maybe something like this would do ? . #...

McSee

same problem with l2tp server binding.

running v6.44.2

I guess I should not count on this feature then.

You can set only-one=yes in PPP Profile for that user to prevent second connection.

McSee

I am not sure what to chose if Switch MikroTik RB260GSP or Routerboard MikroTik RB960PGS. 1) Should I go with switch or with router and change the setup to switch? Pros / cons? 2) Can I use SFP to connect RB4011iGS+RM with RB260GSP or RB960PGS? 3) If I use router and configure it as switch can I us...

McSee

My question is what is the porpuse of the aux connector. Sorry to be Captain Obvious but the purpose of the aux connector is to connect second chain of LTE MIMO antenna to your routerboard, literally :) So I reckon the real question would be why use MIMO antenna in the first place, and the answer t...

McSee

And you can't use different subnet for LAN1 ?

McSee

LTE MIMO antenna uses both connectors obviously.

McSee

I think I found a bug: Basically I think the user flag in the /system ssh command is not working and it also doesn't auto complete with available options user parameter is used to specify remote user name , not the local one. Hence no autocomplete - no way for your mikrotik to obtain user list from...

McSee

Use action=accept, it skips all other rules in Raw only.

McSee

peinamuertos,
do you really have the same MAC address on both clients' bridges ?

McSee

One thing I've noticed that might need attention is that you NAT outgoing traffic to the internet from public 2.2.2.2/28 addresses.

McSee

You can't block MAC WinBox with IP firewall, that's expected.
Would you still be able to connect from ether1 with allowed-interface-list set to LAN ?

McSee

Look at these 5 routes below on your mikrotik after they have been added. How many of them are active ? . add distance=1 dst-address=8.8.4.4/32 gateway=10.93.192.17 scope=10 add distance=2 dst-address=8.8.4.4/32 gateway=192.168.12.1 scope=10 add distance=3 dst-address=8.8.4.4/32 gateway=192.168.34.1...

McSee

Sorry mate, I don't really understand you. Can't see how you can have load balancing with routes with only one gateway each and without routing marks. If you have several routes with the same destination (0.0.0.0/0) and all of them without routing-marks, only one will be active at a time. This is fa...

McSee

Distance in the route manually added can't be less than 1 as I already wrote earlier (starting with X=1).
Do you understand that this config means only one provider active at a time ?

McSee

Add a route to your VPN server if you want to send all traffic there or uncheck "Add Default Route" in the client settings if you don't.

McSee

In one routing table you have to use different hosts to check connectivity against.
Add distance=X to default routes as required starting with X=1.

McSee

This required Policy routing, but i worry it may has conflic with my WAN load balance. No, it doesn't require policy routing if all you need is a single active default route (=one routing table). Just like this (using IPs from OP) : /ip route add dst-address=8.8.8.8/32 gateway=10.10.10.1 scope=10 c...

McSee

Recursive routes do the trick.

https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

McSee

Guys, IPsec policy 'out, none' criterion works just fine for me in a NAT rule.
As well as 'out, ipsec' as can be seen in the screenshot below.
.

IPsec_noNAT.PNG

McSee

Can't believe that RoS console still doesn't have such basic feature as a command history search ! Like Ctrl-R/Ctrl-S in bash. Type Ctrl-R then few letters and it will show you previous command from the history with these letters, with Ctrl-R to move to the next result up and Ctrl-S down. And no fil...

McSee

Sob, have you seen Mikrotik's very own Trafr utility? ( download link -- http://www.mikrotik.com/download/trafr.tgz ) Which is supposed to make proper ".pcap" from TZSP. Then there is also Tzsp2pcap ( https://github.com/thefloweringash/tzsp2pcap ). And it might be possible to remove extra ...

McSee

Looks like the only thing you can do to stop this leaking is to clear connection tracking table with "/ip firewall connection remove [find ]", or at least to delete those records that have Reply-Dst-Address that equals to public IP of "failed" interface.

McSee

"udp port 37008" is not a good solution since on both MacOS / Arch I get bytes missing in capture file when I follow the stream filter-stream option seems to have no effect macos's `brew cask install wireshark` does NOT have this Code: 3 (Post unreachable) problem :-? UPDATE: Actually I s...

McSee

I do not have these "port unreachable" icmp packets in my capture (see below). Settings as follows: only-headers: no memory-limit: 1000KiB memory-scroll: yes file-name: file-limit: 30000KiB streaming-enabled: yes streaming-server: 192.168.10.101 filter-stream: yes filter-interface: bridge ...

McSee

You may try to use "udp port 37008" as a capture filter in Wireshark, it works for me.

And it's also a good idea to filter stream on mikrotik's side at least down to a certain interface as poor Wireshark
gets confused by the same packets captured several times.

McSee

Something like this ?

:foreach i in=[/interface find actual-mtu=1480 running] do={/ip address print where interface=[/interface get value-name=name $i]}

McSee

I tried different configurations with Tx\Rx power, different band types and frequency.

Have you used RoS wi-fi tools (spectral-history, frequency-monitor) to find less busy channel(s) ?
Do you use 20MHz channel width ?

McSee

I can't verify myself if it works this way but you may want to try - on first mikrotik - set up "bandwidth controlled port" as a separate interface - then execute "/ip address add address=xx.xx.xx.98/32 interface="bandwidth controlled port" network=xx.xx.xx.99" on the s...

McSee

It's simple - use "/tool fetch " to download that version then ":execute {/system reboot;}".
But you may want to add some safeguards like checking current version as the upgrade of pre-6.41(master-port config) might break some things.

McSee

You can't. Bridge is L2 and what you want to do is L3. What you would be able to do with bridge is a MAC address NAT.

McSee

Hi,

As shown in the figure below (the blue line), I can't access from one to another router in the same range of IP's.

It's not the same range. If you look at the route that PPPoE client adds, you won't see a netmask.

McSee

You should use IP address of the modem instead of interface as a gateway in the route. It's actually doesn't matter, I tried both to use interface and the modem's ip 192.168.8.1. Well, it might work in this case with the interface as a gateway since LTE is not true ethernet. But you definitely need...

McSee

Adding LTE with the static route and new route-mark as well as adding a rule in IP -> Routes -> Rules didn't help, LTE interface doesn't go to the internet. What I'm doing wrong if it's possible to get 3 channels working without VRF? Thanks. You should use IP address of the modem instead of interfa...

McSee

Looks like your PPPoE session got stuck, most likely ISP's equipment didn't like how it was closed by mikrotik. Also a limit of one session per user at a time is set up, as is pretty common for providers. BUT - usually PPPoE servers have pretty short keepalive timeout - a couple of minutes at most, ...

McSee

You may want to try srcnat rule with action=sct-nat instead of masquerade using an address within DHCP subnet range of your cellular modem/router.
Set this address on ether1 manually instead of DHCP client and also manually add the same default route as DHCP client did.

McSee

You can't have several active routes to the same dest (0.0.0.0/0) in one routing table = same routing mark in your case. First and second routes are in different routing tables as the first has routing mark specified. So if you want the third rule to be active you have to specify different routing m...

McSee

There are variables user and remote-address accessible within On Up and On Down scripts in ppp profile which you can use to add and remove static DNS entries.

McSee

So I had to add each ip one by one into allowed-bit .

That's the way it works - you add several IPs by one and then have a single address list with multiple single IPs and use it in filter rules.
Or I misunderstood the question ?

McSee

Do you have fast track enabled ? And have you tried to add most generic srcnat log rule at the bottom to look at those "bad" packets ?

McSee

I think there is a Bug that wasn't in 6.42.12:

Running that command on 6.42.12 works:
Code: Select all
:log info ([/interface pppoe-client monitor pppoe-WAN as-value]->"status")

It's not a bug it's a feature

Now you need to add "once" after an interface name.

Search found 85 matches