Community discussions

Search found 353 matches

by nagylzs
Mon Feb 05, 2024 11:59 am
Forum: RouterBOARD hardware
Topic: Switch with two SFP port [SOLVED]
Replies: 11
Views: 1442

Re: Switch with two SFP port [SOLVED]

Great, then I'll buy with confidence. Thank you!
by nagylzs
Sun Feb 04, 2024 9:31 pm
Forum: RouterBOARD hardware
Topic: Switch with two SFP port [SOLVED]
Replies: 11
Views: 1442

Re: Switch with two SFP port [SOLVED]

Well, CRS106 cannot run SwOS. I think that CRS106 with ROS6 would still be a better choice, but I'm not sure if ROS6 will be actively maintained and supported for at least 2-3 more years. Is there any info on that?

Does anyone else know whether ROS7 is supported on CRS106 or not?
by nagylzs
Sun Feb 04, 2024 8:56 pm
Forum: RouterBOARD hardware
Topic: Switch with two SFP port [SOLVED]
Replies: 11
Views: 1442

Re: Switch with two SFP port [SOLVED]

Anyway, the original question was this: can CRS106-1C-5S run RouterOS 7? I could not find information about this on the product page. (Only that it has license level L5, but nothing else.) Is it officially supported? Why am I asking this? Because I have a HEX Lite that simply refuses to upgrade to R...
by nagylzs
Sun Feb 04, 2024 8:51 pm
Forum: RouterBOARD hardware
Topic: Switch with two SFP port [SOLVED]
Replies: 11
Views: 1442

Re: Switch with two SFP port [SOLVED]

> For that price none, next switch up is CSS610-8G-2S+IN but that switch is 119 USD.

Yes, and it supports SFP+ 10G, which I don't need. By the way, I had a very bad experience with CSS610. I ordered some of them when they came out, but SwOS was really buggy on them, and no stable driver was released fo...
by nagylzs
Sun Feb 04, 2024 8:39 pm
Forum: RouterBOARD hardware
Topic: Switch with two SFP port [SOLVED]
Replies: 11
Views: 1442

Re: Switch with two SFP port [SOLVED]

SwitchOS is fine. Which switch can provide at least two SFP ports and one RJ45 port, at a similar price? CRS105 is $59.
by nagylzs
Sun Feb 04, 2024 8:30 pm
Forum: RouterBOARD hardware
Topic: Switch with two SFP port [SOLVED]
Replies: 11
Views: 1442

Switch with two SFP port [SOLVED]

Hello, I need to buy a switch with at least two SFP ports, at least one RJ45 gigabit port, and VLAN support. I was looking at switches and the closest that meets all requirements is CRS106-1C-5S, I think. However, it only has 128MB of RAM. Is it okay to run RouterOS 7 with only 128MB of RAM on this ...
by nagylzs
Mon Jan 29, 2024 5:42 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 672

Re: currently-untagged contradicts untagged [SOLVED]

I always wondered what it meant to set frame-types=admit-only-vlan-tagged on the bridge, then add the bridge to the vlan table as untagged. I guess it means nothing, and it is an erroneous configuration? :-)
by nagylzs
Mon Jan 29, 2024 3:59 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 672

Re: currently-untagged contradicts untagged [SOLVED]

Actually, I have frame-types=admit-only-vlan-tagged set too, on the bridge.
by nagylzs
Mon Jan 29, 2024 2:14 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 672

Re: currently-untagged contradicts untagged [SOLVED]

> includes also ports which are implicitly untagged members of that VLAN (e.g. because they have PVID set in /interface/bridge/port

Is that so? Even when vlan-filtering=yes and ingress-filtering=yes? If I remember correctly, then setting vlan-filtering=yes will prevent ports dynamically added to the b...
by nagylzs
Mon Jan 29, 2024 11:54 am
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 672

Re: currently-untagged contradicts untagged [SOLVED]

> Can you post the output of the following command?
> /interface/bridge/port/print where interface=ether3-green

I'm sorry, I had to solve this quickly and I have already rebooted the router. And now it is working as expected. I did not change any configuration since.
by nagylzs
Mon Jan 29, 2024 11:53 am
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 672

Re: currently-untagged contradicts untagged [SOLVED]

I have rebooted the router, and now it works as expected. Is it possible that I just found a bug in routeros?
by nagylzs
Mon Jan 29, 2024 11:28 am
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 672

Re: currently-untagged contradicts untagged [SOLVED]

I just tried to disable and enable the ethernet port, but it does not help either. Here is what happened after toggling disabled on ether3-green: 1 ;;; blue bridge=BR1 vlan-ids=1 tagged=BR1,ether1-trunk untagged=ether4-blue,ether5-blue,wlan-24-blue-master,wlan-5-blue-master current-tagged=BR1,ether1...
by nagylzs
Mon Jan 29, 2024 11:21 am
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 672

currently-untagged contradicts untagged [SOLVED]

[user@router] /interface/bridge/vlan> print detail Flags: X - disabled, D - dynamic 0 ;;; mgmt bridge=BR1 vlan-ids=127 tagged=BR1,ether1-trunk untagged=ether2-mgmt,wlan-5-mgmt current-tagged=BR1,ether1-trunk current-untagged="" 1 ;;; blue bridge=BR1 vlan-ids=1 tagged=BR1,ether1-trunk unta...
by nagylzs
Mon Nov 20, 2023 11:28 pm
Forum: Scripting
Topic: Calculate number of seconds in last-handshake
Replies: 4
Views: 1296

Re: Calculate number of seconds in last-handshake

What is the type of the value that is printed as 2023-11-20 ? What is the type of the value that is printed as 2023-11-19 20:00:00 ? I think these are just strings... You can check with: [admin@mikrotik] > :put [ :typeof [ /system/clock get date ] ] str Well, I think that the documentation needs to...
by nagylzs
Mon Nov 20, 2023 10:52 pm
Forum: Scripting
Topic: Calculate number of seconds in last-handshake
Replies: 4
Views: 1296

Re: Calculate number of seconds in last-handshake

> The last-handshake property is of type "time", and you can just compare that with other times.
> [admin@mikrotik] > :put (2s < 5m)
> true
> [admin@mikrotik] > :put (2d < 5m)
> false

This was very helpful, thank you!
by nagylzs
Mon Nov 20, 2023 4:13 pm
Forum: Scripting
Topic: Calculate number of seconds in last-handshake
Replies: 4
Views: 1296

Calculate number of seconds in last-handshake

I would like to write a script that runs periodically, and toggles (disable + enable) any wireguard peer that has not been seen in a while. This is needed because in my experience, any wireguard peer becomes unusable when the listen address of the wireguard server socket is changed (e.g. when the r...
by nagylzs
Sun Sep 10, 2023 4:42 pm
Forum: General
Topic: wireguard client not shaking hands
Replies: 2
Views: 1482

Re: wireguard client not shaking hands

All right, this was dumb. I accidentally gave the same listen port for two wireguard interfaces. The second one became invalid. All ip addresses and routes also became invalid. I could not find this out for some hours, because there was no error message and no log message anywhere. The only place wh...
by nagylzs
Sun Sep 10, 2023 12:36 pm
Forum: General
Topic: wireguard client not shaking hands
Replies: 2
Views: 1482

wireguard client not shaking hands

Hello, I would like to connect my routeros device to a wireguard VPN server on Ubuntu linux. The server was set up this way: https://techviewleo.com/install-wireguard-vpn-server-on-ubuntu/?expand_article=1 The linux side has a fixed ip, udp port 51820 opened on the firewall, and a peer is added: #wg ...
by nagylzs
Sat Jul 22, 2023 12:38 pm
Forum: RouterBOARD hardware
Topic: Does HAP-AX3 and HAP-AX2 support hardware accelerated switching with VLANs?
Replies: 3
Views: 2712

Re: Does HAP-AX3 and HAP-AX2 support hardware accelerated switching with VLANs?

Is it any different for 98DX3216 or 98DX3236 (CSS326 and CRS326)?
by nagylzs
Fri Jul 21, 2023 5:56 pm
Forum: RouterBOARD hardware
Topic: Does HAP-AX3 and HAP-AX2 support hardware accelerated switching with VLANs?
Replies: 3
Views: 2712

Does HAP-AX3 and HAP-AX2 support hardware accelerated switching with VLANs?

I can see on the block diagram that the IPQ6010 SoC is responsible for everything, including switching: https://i.mt.lv/cdn/product_files/C53UiG5HPaxD2HPaxD_221052.png Can I add two separate bridges with VLANs and use hw accelerated switching on them? Or does it work only when a single bridge is use...
by nagylzs
Fri Jul 21, 2023 12:10 pm
Forum: RouterBOARD hardware
Topic: Migrate from HAP-AC2 to HAP-AX3
Replies: 7
Views: 3121

Re: Migrate from HAP-AC2 to HAP-AX3

All right! It means that I have to replace those with HAP-AX3 or HAP-AX2 models. I use them both as switches and CAPs.

Just one more question. Is hw acceleration supported for switching and vlans (at the same time) on HAP-AX3 and HAP-AX2?
by nagylzs
Fri Jul 21, 2023 8:36 am
Forum: RouterBOARD hardware
Topic: Migrate from HAP-AC2 to HAP-AX3
Replies: 7
Views: 3121

Re: Migrate from HAP-AC2 to HAP-AX3

One of them has 256MB memory by accident. Can I at least install on that?
by nagylzs
Wed Jul 19, 2023 10:47 pm
Forum: RouterBOARD hardware
Topic: Migrate from HAP-AC2 to HAP-AX3
Replies: 7
Views: 3121

Re: Migrate from HAP-AC2 to HAP-AX3

Two other CAP devices are also HAP AC2. I'm not sure if I can install wifiwave2 on them.
by nagylzs
Wed Jul 19, 2023 10:37 pm
Forum: RouterBOARD hardware
Topic: Migrate from HAP-AC2 to HAP-AX3
Replies: 7
Views: 3121

Migrate from HAP-AC2 to HAP-AX3

Dear friends, I bought a new HAP-AX3 device. I would like to replace my old HAP-AC2 that has been serving me for years. Primary reasons for the replacement are: faster Wifi, and much faster CPU speed (I would like to use CAKE in queue trees). I did not check on this recently, but I have heard that A...
by nagylzs
Sun Aug 28, 2022 9:51 am
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

Just a quick update on the topic. I have replaced my script with a version that registers the name into an authoritative DNS, and also the local cache, with ttl=1min. I have also changed it so when the lease times out, then the registration is not changed at all. This way: * When there is no interne...
by nagylzs
Thu Jun 09, 2022 4:28 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

I agree with you that the DNS resolver in RouterOS is a piece of junk and its use should be avoided as much as possible. But then again even a good DNS resolver/server cannot cope with the situation that a domain is known to one next-level server and unknown to another. Even when you set multiple D...
by nagylzs
Thu Jun 09, 2022 4:27 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

There are some drawbacks. First, if the internet connection is down for a site, then they won't be able to do things like printing a document or accessing files on a local samba share, because there will be no DNS. None of those things require functional DNS, unless you like to overcomplicate thing...
by nagylzs
Thu Jun 09, 2022 8:52 am
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

A good way to avoid such problems is not to invent your own local domain like .visznet but instead register an official domain like .visznet.hu (or whatever TLD) and use that. It will be known by all outside DNS resolvers and it will always work. This is the way to the future anyway, because more a...
by nagylzs
Wed Jun 08, 2022 3:17 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

I could also install a Raspberry Pi with dnsmasq, if nothing else helps. But I would hate to do this: routeros already has a DNS server built in.
by nagylzs
Mon Jun 06, 2022 10:34 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

I set it to five minutes, but today I faced this problem again. What problem did you face again? The problem that a negative cache entry was valid for 24h? While you set your max time to 5 minutes? Yes. When I first tried to resolve borika-pc.kavicsnet then it returned with "not found". T...
by nagylzs
Sun Jun 05, 2022 10:57 am
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

I advise you to set the MAX TTL in the router not higher than 01:00:00 and when you are serving a lot of systems maybe 00:30:00 or even 00:10:00. That way you avoid the problems that wrong data is cached for a long time, not only for negative but also for positive results. You will not be able to n...
by nagylzs
Thu Jun 02, 2022 5:41 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 631672

Re: Feature requests

Please add a negative-cache-max-ttl option to /ip/dns. This problem was described in 2009 here viewtopic.php?t=36017 and I just ran into it in 2022 here viewtopic.php?t=186327
by nagylzs
Thu Jun 02, 2022 5:38 pm
Forum: General
Topic: Configurable (or shorter) negative DNS cache TTL needed
Replies: 8
Views: 6593

Re: Configurable (or shorter) negative DNS cache TTL needed

This is a very old topic, but the problem still persists. I just ran into the same thing here https://forum.mikrotik.com/viewtopic.php?p=936800#p936800 A workaround would be to write and schedule a script that changes the ttl of negative cache records from >1m to 1m. This would only affect the negative...
by nagylzs
Thu Jun 02, 2022 5:32 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

A workaround could be a script that changes ttl values for negative cache items from >1m to 1m. I can schedule this script, and this will solve the problem (and does not affect any other cache records).

But it would be much better to have a negative-ttl option under /ip/dns.
by nagylzs
Thu Jun 02, 2022 5:29 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

The problem seems to be old: https://forum.mikrotik.com/viewtopic.php?t=36017 So what is setting of cache-max-ttl on your router (it's in /ip dhcp section)? You may want to set it to some short interval, but beware it also affects TTL of positive replies which may have longer TTL set by their autho...
by nagylzs
Thu Jun 02, 2022 11:16 am
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

Today it went wrong again, but with a different hostname. I followed your advice and I found the host in the negative cache: [gandalf@router.lacinet] /ip/dns> /ip/dns/cache/all print where negative Flags: N - NEGATIVE Columns: NAME, TTL # NAME TTL 0 N _LDAP._TCP 8h8m17s 1 N channel.status.request.ur...
by nagylzs
Wed Jun 01, 2022 8:42 am
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

The FWD record TTL is equal the successfully resolved DNS cached name TTL and begin counting down. If the forwarder resolves the name, then it returns the address and its own TTL. E.g. it should not be equal to the TTL of the FWD record, because it has its own TTL. If the forwarder is not available...
by nagylzs
Wed Jun 01, 2022 8:38 am
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

AFAIK the ending dot is local thing, it doesn't go into DNS packets. If you want to make sure that regexp matches only TLD and not something in the middle of hostname, end it with $. And I don't think that FWD record's TTL should affect anything. It's not real record, only instruction for resolver ...
by nagylzs
Tue May 31, 2022 4:25 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

I get "dns name does not exist" logged when there's already cached negative answer. So it could be that there was query for that before you added FWD record, that got cached, and you need to either wait until it times out of flush cache. It is possible. One and a half days passed, and rig...
by nagylzs
Mon May 30, 2022 9:44 am
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

Try if this gives you some useful info: /system logging add topics=dns Looks like it does not even try to forward the question: 08:38:59 dns,packet question: borika-pc.kavicsnet.:A:IN 08:38:59 dns query from 10.14.10.105: #51485 borika-pc.kavicsnet. A 08:38:59 dns done query: #51485 dns name does n...
by nagylzs
Mon May 30, 2022 9:38 am
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

Does resolving of borika-pc.kavicsnet work for clients, connected to problematic router's LAN segment? With router set as DNS server? If yes, what does wireshark trace show, who does recursive queries, client or ROS DNS server? It does not work. Example: ╭─gandalf@laci-desktop nkp-dbeger-laci ~ ╰─$...
by nagylzs
Sun May 29, 2022 6:30 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

The MAC address message comes from ping, and not resolve. [gandalf@router.lacinet] /ip/dns/static> /ping borika-pc.kavicsnet invalid value for argument address: invalid value of mac-address, mac address required invalid value for argument ipv6-address while resolving ip-address: name does not exist ...
by nagylzs
Sun May 29, 2022 6:28 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

It cannot be a routing problem, because a direct DNS request succeeds. It also precludes any firewall config error. [gandalf@router.lacinet] > :put [/resolve borika-pc.kavicsnet server=192.168.18.254] 192.168.18.199 [gandalf@router.lacinet] > :put [/resolve borika-pc.kavicsnet] failure: dns name doe...
by nagylzs
Sun May 29, 2022 5:01 pm
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

Re: split DNS setup problem

If that is true, then why is it working for the other network (and other FWD record)?
by nagylzs
Sun May 29, 2022 11:15 am
Forum: General
Topic: split DNS setup problem
Replies: 41
Views: 5370

split DNS setup problem

I have a site-to-site connection between two routers over wireguard. Site A: router.lacinet address 192.168.14.254/24 Site B: router.kavicsnet address 192.168.18.254/24 Split-DNS is not working. Example: [gandalf@router.lacinet] > /ping 192.168.18.254 SEQ HOST SIZE TTL TIME STATUS 0 192.168.18.254 5...
by nagylzs
Thu May 12, 2022 10:48 am
Forum: General
Topic: send_pubkey_test: no mutual signature algorithm [SOLVED]
Replies: 17
Views: 13019

Re: send_pubkey_test: no mutual signature algorithm [SOLVED]

Thanks, it works!

This is all I needed
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss
PubkeyAcceptedAlgorithms +ssh-rsa
by nagylzs
Mon May 09, 2022 1:06 pm
Forum: General
Topic: send_pubkey_test: no mutual signature algorithm [SOLVED]
Replies: 17
Views: 13019

Re: send_pubkey_test: no mutual signature algorithm [SOLVED]

Added this into ~/.ssh/config host r01.eger.magnet hostname r01.eger.magnet KexAlgorithms +diffie-hellman-group1-sha1 HostKeyAlgorithms +ssh-dss But I still see this: debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: /home/user/.ssh/id...
by nagylzs
Mon May 02, 2022 5:03 pm
Forum: General
Topic: send_pubkey_test: no mutual signature algorithm [SOLVED]
Replies: 17
Views: 13019

send_pubkey_test: no mutual signature algorithm [SOLVED]

Hello, I just upgraded my OS from Ubuntu 20.04 LTS to 22.04 LTS. Now I cannot login to my ROS 7.2.1 devices using an ssh agent. If I try this from any 20.04 OS (or Windows 10 + Putty), then it works. I have tried to connect with "-vvvv" option and this is what I see in the debug log: debug...
by nagylzs
Sun Apr 10, 2022 7:19 pm
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

This device will probably land in the trash... :-( I'm a bit disappointed, I'm not going to buy another HAP Lite ever.
by nagylzs
Wed Apr 06, 2022 8:49 pm
Forum: General
Topic: LHG 5 AC does not see any SSIDs
Replies: 1
Views: 407

Re: LHG 5 AC does not see any SSIDs

I found out the solution. It is very interesting. Before the upgrade, the device had ROS 6.48.6 installed. In that version, it was possible to set wifi installation type to outdoor, indoor or "any". Originally, this device was set to "any", and it connected to an access point tha...
by nagylzs
Wed Apr 06, 2022 8:41 pm
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

Sorry for the late answer, I was abroad. I tried the 32 bit version, just to be sure, it doesn't work either. (I think that the 32 bit version is compiled for 32 bit windows, but otherwise it sends exactly the same bits on the wire.)
by nagylzs
Wed Mar 30, 2022 8:23 am
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

Do you think that it might be a hardware failure? I doubt it, because there are no error messages anywhere, and the router actually works with the currently installed OS version. But it might be the case.
by nagylzs
Wed Mar 30, 2022 8:21 am
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

> Already tried moving first to a more recent 6-version (6.49.5) ? And then take the next hop to 7.1.5 ?

I just tried this. I used 6.49.5 Stable (both netinstall and OS image). It is the same: the OS is not upgraded.
by nagylzs
Wed Mar 30, 2022 8:13 am
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

I see too much different MAC address.. is a collage??? Not a collage. 48:8F:5A:6C:9B:2E is ether1. That port was used with netinstall. After device was rebooted, I connected the same cable to a LAN port, because winbox does not work with ether1 (with the default config). Exactly one cable was conne...
by nagylzs
Tue Mar 29, 2022 10:09 pm
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

Is there anything else I could do to save this device? I do not want to use it without upgrades (at least not connected to the internet).

Is there an explanation about why I could update one device, and not the other? From the same batch.
by nagylzs
Tue Mar 29, 2022 9:29 pm
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

after close and reopen, click on install button... you try it? You mean, install the image, then close netinstall and install it again? All right, I'm doing it. :-) Okay, this is what I did: start HAP Lite in bootp/netinstall mode select and install OS using netinstall close netinstall, and start i...
by nagylzs
Tue Mar 29, 2022 9:20 pm
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

> after close and reopen, click on install button... you try it?

You mean, install the image, then close netinstall and install it again? All right, I'm doing it. :-)
by nagylzs
Tue Mar 29, 2022 9:20 pm
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

But, as I already wrote, unbundled installs can not be upgraded to v7, netinstall is the only way. And v7 can not be unbundled. I wonder why MikroTik does not provide smaller images for devices with less flash memory, and why they make it possible to make the image smaller for devices where there i...
by nagylzs
Tue Mar 29, 2022 9:07 pm
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

on "ready" status, close netinstall and open it again without reboot the haplite I just did, but I don't see any difference. After I close netinstall and open it again, I see the device in the list again, in "Ready" status. Here is a list of images: https://imgur.com/a/1mH2cRc B...
by nagylzs
Tue Mar 29, 2022 7:35 pm
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

> So netinstall seems the only way. Follow the manual and beware that netinstall is a very fragile process. So do make everything "by the book" and be prepared to do it multiple times.

After pressing the reset button for about 20 seconds, the device showed up in the netinstall program. After...
by nagylzs
Tue Mar 29, 2022 7:13 pm
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Re: Cannot upgrade firmware on HAP Lite

You may want to try some of the suggestions in this thread: hap lite, not enough disk space. In that topic, they recommend this: "4. Upgrade using only this packages taking them from the all packages zip:" - but where is that zip file? The whole update can be downloaded as a single npk fi...
by nagylzs
Sun Mar 27, 2022 10:47 am
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 4977

Cannot upgrade firmware on HAP Lite

Using the CLI: [admin@MikroTik] > /system package update [admin@MikroTik] /system package update> print channel: stable installed-version: 6.47.9 latest-version: 6.49.5 status: ERROR: not enough disk space, 7.1MiB is required and only 6.3MiB is free [admin@MikroTik] /system package update> I already...
by nagylzs
Mon Mar 21, 2022 7:10 pm
Forum: General
Topic: LHG 5 AC does not see any SSIDs
Replies: 1
Views: 407

LHG 5 AC does not see any SSIDs

I just came back from a remote site. I have upgraded my LHG 5 AC from Routeros 6 to 7.1 there (Also did the /system/routerboard/upgrade.) After the upgrade, it did not see any wifi signal. Actually, it sees signals if I do "snoop" of "freq usage", but it does not list any SSIDs i...
by nagylzs
Sat Mar 12, 2022 2:05 pm
Forum: SwOS
Topic: RSTP not working properly on CSS106-5G-1S
Replies: 4
Views: 2977

RSTP not working properly on CSS106-5G-1S

I have two CSS106-5G-1S switches: sw01 and sw03. They are connected with a trunk line. There is absolutely no loop in the network. When RSTP is turned on on both switches, then sw03 is "point-to-point forwarding" and sw01 is "point-to-point discarding". Well, actually the link is...
by nagylzs
Mon Mar 07, 2022 9:28 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

Upgraded both sides to 7.1.3 and the same problem exists.

I think I'll replace IKEv2/IPSEC with wireguard now.
by nagylzs
Mon Mar 07, 2022 6:57 pm
Forum: General
Topic: Cannot upgrade firmware on HAP AC2
Replies: 2
Views: 616

Re: Cannot upgrade firmware on HAP AC2

That was a dumb question. I realized that one of them is on long-term branch, the other is on stable.
by nagylzs
Mon Mar 07, 2022 6:53 pm
Forum: General
Topic: Cannot upgrade firmware on HAP AC2
Replies: 2
Views: 616

Cannot upgrade firmware on HAP AC2

This is on one of my routers: /system routerboard> print routerboard: yes board-name: hAP ac^2 model: RBD52G-5HacD2HnD serial-number: ************ firmware-type: ipq4000L factory-firmware: 6.44 current-firmware: 6.49.4 upgrade-firmware: 6.49.4 This is on another: /system routerboard> print routerboa...
by nagylzs
Mon Mar 07, 2022 10:42 am
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

Surprise. It was working for more than a day. But suddenly, it stopped working. I see the same behaviour: the response packets come in, they hit the ACCEPT rule in the firewall, and then it acts like nothing happened: timeout.
by nagylzs
Sat Mar 05, 2022 11:01 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

After almost two months, I have found a workaround! I figured out that the difference between this ipsec client (router02, "magzatom") and all the others is that only this client has vlans. So I guessed, if I create new addresses on both sides that do not belong to any vlan and bridge, the...
by nagylzs
Thu Mar 03, 2022 10:30 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

One question, needs adding policy matching for reply packet accept? Short answer: you specify the policy for outgoing traffic, but it also works for incoming traffic. When you create a policy, you always specify the outgoing direction (e.g. src-address is on the local side of the tunnel and dst-add...
by nagylzs
Wed Mar 02, 2022 8:29 pm
Forum: General
Topic: CRS326-24S+2Q+RM divides all speed by 3
Replies: 13
Views: 1447

Re: CRS326-24S+2Q+RM divides all speed by 3

Correct me if I'm wrong, but I think you only need 1Gbps on the WAN side. You could use RB4011iGS+RM for that. If you look at the performance test results here https://mikrotik.com/product/rb4011igs_rm#fndtn-testresults then you will see that it can almost always route more than 1Gbps. The RB4011 ca...
by nagylzs
Mon Feb 28, 2022 7:29 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

I'm thinking about buying a RB5009 router and replacing router1 in this setup with that. It is also arm based (like HAP AC2), but it has routeros 7 installed. Do you think that might fix this problem? I'm a bit afraid of that device because ROS v7.0 is not really stable. I know, it is said to be stab...
by nagylzs
Mon Feb 28, 2022 7:26 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

Tip is connection state invalid and packet dropped. Try disable conntrack on RAW prerouting chain with ipsec policy filter ipsec-in,ipsec action notrack, and RAW output chain ipsec-out ipsec action notrack. In my last tests, "/ip firewall raw" was empty, and my input chain started like th...
by nagylzs
Tue Feb 22, 2022 5:30 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

I got an answer within a day, but I think they did not understand the problem. Hello, I suspect the issue is with routing/bridging configuration. Your current setup is kind of a mess. I would suggest removing the gateway=ipsec routes which are not valid in the first place. And if you require the tra...
by nagylzs
Mon Feb 21, 2022 10:16 am
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

SUP-75097 created, thank you for your help!
by nagylzs
Sun Feb 20, 2022 11:36 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

All right, here is another test with raw packets: [gandalf@router.lacinet] /tool sniffer packet> print detail 0 time=2.074 num=1 direction=rx src-mac=00:01:5C:AB:A6:45 dst-mac=B8:69:F4:09:BE:F9 interface=ether5-wan src-address=192.168.19.254 dst-address=192.168.14.254 protocol=ip ip-protocol=icmp si...
by nagylzs
Sun Feb 20, 2022 10:07 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

Hi Sindy! I did this on both sides: /tool sniffer set filter-ip-address=192.168.14.254/32,192.168.19.254/32 filter-ip-protocol=icmp start Then I did this on router1: [gandalf@router.lacinet] > /ping 192.168.19.254 count=1 SEQ HOST SIZE TTL TIME STATUS 0 192.168.19.254 timeout sent=1 received=0 packe...
by nagylzs
Sun Feb 20, 2022 7:31 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

I have uploaded a demonstration video here: https://www.youtube.com/watch?v=dWtVSEqPvDs Even if I change action=accept and move it to position zero, the ping command times out. Most probably this is not a routing problem, and also not a firewall problem. The accept rule counter counts, so the ICMP r...
by nagylzs
Sun Jan 16, 2022 2:50 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

Yes, DNS is also wrong. This is from 192.168.14.106 computer: C:\Users\nagyl>nslookup nas.magnet 192.168.14.254 Server: router.lacinet Address: 192.168.14.254 DNS request timed out. timeout was 2 seconds. DNS request timed out. timeout was 2 seconds. DNS request timed out. timeout was 2 seconds. ***...
by nagylzs
Sun Jan 16, 2022 2:12 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

When packets are dropped by rp-filter or IPsec policy matching, I hazily remember they are dropped between prerouting and the filter chains (because that's where routing takes place). So keep the passthrough rule in mangle/prerouting, remove dst-address from it, add the same rule as the first stati...
by nagylzs
Sun Jan 16, 2022 2:02 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

Another reason why sniffing doesn't show the responses may be that you have hw=yes on the /interface bridge port row for the port to which the PC is connected, or maybe even the WAN port is a member port of a bridge? It makes no logical sense as the packets in question are sent to the port from the...
by nagylzs
Sun Jan 16, 2022 1:59 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

Again, all these questions and assumptions would be unnecessary if you posted the complete configurations. Here goes the complete configuration. I was reluctant to send it all, because it is quite long, and I'm not sure if I could replace all sensitive information. router 1: # jan/16/2022 12:46:02 ...
by nagylzs
Sun Jan 16, 2022 12:02 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

/ip firewall raw is totally empty on both sides.
by nagylzs
Sun Jan 16, 2022 12:00 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

I think your mangle rule was mistyped, if I use this: chain=prerouting action=passthrough protocol=icmp src-address=192.168.19.254 dst-address=192.168.14.0/24 then I see counters increasing. They are also increasing when I try to ping router2 from router1. First I reset counters, then I do this: [gan...
by nagylzs
Sun Jan 16, 2022 11:55 am
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

Also tried traceroute from the computer: C:\Users\nagyl>tracert 192.168.19.254 Tracing route to r01.magnet [192.168.19.254] over a maximum of 30 hops: 1 3 ms <1 ms <1 ms router.lacinet [192.168.14.254] 2 30 ms 34 ms 20 ms r01.magnet [192.168.19.254] Trace complete. I think it is next to impossible t...
by nagylzs
Sun Jan 16, 2022 11:42 am
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

I did this on router 1: /ip firewall mangle add src-address=192.168.19.254 dst-address=192.168.19.254 protocol=icmp action=passthrough comment=x chain=prerouting place-before=1 /ip firewall mangle print stats interval=1s Then I started to ping 192.168.19.254 from 192.168.19.106 and this happened on ...
by nagylzs
Sun Jan 16, 2022 11:28 am
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

I think there are no overlapping ipsec policies. Here are the policies on router 1, public IPs replaced with dummy ones: [gandalf@router.lacinet] /ip ipsec policy> print Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default # PEER TUN SRC-ADDRESS DST-ADDRES...
by nagylzs
Sun Jan 16, 2022 11:23 am
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

This was given on both sides:
/ip settings
set rp-filter=strict
Changed to rp-filter=no but it still doesn't work.
by nagylzs
Sat Jan 15, 2022 9:17 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

5 minutes later, I tried again and now it works. [gandalf@router.lacinet] /ip firewall nat> /ping 192.168.19.254 SEQ HOST SIZE TTL TIME STATUS 0 192.168.19.254 56 64 25ms 1 192.168.19.254 56 64 29ms 2 192.168.19.254 56 64 12ms 3 192.168.19.254 56 64 14ms 4 192.168.19.254 56 64 18ms sent=5 received=5...
by nagylzs
Sat Jan 15, 2022 9:10 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

When I ping router2 (192.168.19.254) from router1 (192.168.14.254), then this is what I see on router 2: /tool sniffer> quick ip-protocol=icmp ip-address=192.168.19.254 INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS ether5-wan 0.758 1 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B 192.168.14.254 eth...
by nagylzs
Sat Jan 15, 2022 4:19 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

BTW I have other IPSEC/IKEv2 clients connected to router1 (lacinet), with different subnets on the remote side. All of them work, except this one. I can't figure out why.
by nagylzs
Sat Jan 15, 2022 4:15 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

Re: ping and dns problem on ipsec tunnel

I already have this route added on side1: add comment="VPN to magnet-base" distance=1 dst-address=192.168.19.0/24 gateway=ipsec pref-src=192.168.14.254 add comment="VPN to magnet-vlan" distance=1 dst-address=10.19.0.0/16 gateway=ipsec pref-src=192.168.14.254 And this one on side ...
by nagylzs
Fri Jan 14, 2022 7:07 pm
Forum: General
Topic: ping and dns problem on ipsec tunnel
Replies: 41
Views: 7291

ping and dns problem on ipsec tunnel

I have two HAP AC2 devices. * Side #1 is called "lacinet", it has address 192.168.14.254/24 on BASE (management) vlan. * Side #2 is called "magnet", it has 192.168.19.254/24 main address on BASE (management) vlan. * There are also other networks with different vlans on both sides...
by nagylzs
Thu Nov 04, 2021 8:01 pm
Forum: General
Topic: RBSXTR&R11e-LTE6 random connection errors
Replies: 0
Views: 698

RBSXTR&R11e-LTE6 random connection errors

I have a RouterOS 6.49 on RBSXTR&R11e-LTE6. The mobile connection is like this (some information is replaced with * characters): [gandalf@lte.lacinet] /system package update> /interface lte info 0 pin-status: ok registration-status: registered functionality: full manufacturer: "MikroTik&quo...
by nagylzs
Thu Nov 04, 2021 9:09 am
Forum: General
Topic: L2TP authenticated, then terminated
Replies: 4
Views: 3642

Re: L2TP authenticated, then terminated

Look for the log entry for the Remote Connection. If error code is 720, then Yes, error code was 720. Removed all miniport devices, rebooted the system and now it works. Thank you! Side note: I hate when Windows works like this: there is a mysterious error that cannot be explained, and cannot be pr...
by nagylzs
Wed Nov 03, 2021 3:08 pm
Forum: General
Topic: What are routing filters?
Replies: 4
Views: 1397

Re: What are routing filters?

These rules are evaluated whenever a route is about to be added into a routing table by any dynamic process (dynamic routing protocols or just DHCP). AFAIK, change of state of an already existing route (e.g. when its gateway interface changes state) doesn't trigger evaluation of these rules. I'm no...
by nagylzs
Mon Oct 25, 2021 9:11 am
Forum: General
Topic: What are routing filters?
Replies: 4
Views: 1397

Re: What are routing filters?

Nobody knows?
by nagylzs
Mon Oct 25, 2021 9:02 am
Forum: General
Topic: L2TP authenticated, then terminated
Replies: 4
Views: 3642

L2TP authenticated, then terminated

RouterOS 6.47.10 on HAP AC2. I have an L2TP server on that. There are multiple Windows 10 clients connected to it. One of the clients suddenly stopped working. The others are okay. This is what I see in the logs when I try to connect from that client: 07:55:15 ipsec,info respond new phase 1 (Identit...
by nagylzs
Mon Sep 27, 2021 1:38 pm
Forum: General
Topic: RBSXTR&R11e-LTE6 disconnects randomly
Replies: 3
Views: 1342

Re: RBSXTR&R11e-LTE6 disconnects randomly

R11e-LTE6_V027 is known as stable one. Now we have v028 and v029 is prepared. You can do upgrade to 028 first. Upgraded to 028, now I need to wait until (if) it goes wrong again. btw, rsrp: -106dBm & sinr: -5dB not give big hopes with good speed, maybe you can move it in better place ? Yes, the ...
by nagylzs
Mon Sep 27, 2021 12:13 pm
Forum: General
Topic: RBSXTR&R11e-LTE6 disconnects randomly
Replies: 3
Views: 1342

RBSXTR&R11e-LTE6 disconnects randomly

RouterOS 6.47.10, software id = 1K7N-NETK This is what I see after one or two days of operation: [admin@router] /interface lte> info 0 pin-status: ok functionality: tx and rx rf circuit disabled manufacturer: "MikroTik" model: "R11e-LTE6" revision: R11e-LTE6_V027 imei: 3*********...
by nagylzs
Wed Aug 18, 2021 6:20 pm
Forum: General
Topic: What are routing filters?
Replies: 4
Views: 1397

What are routing filters?

There is a documentation here: https://wiki.mikrotik.com/wiki/Manual:Routing/Routing_filters but it lacks the usual description at the beginning. Some questions: * what process is checking these rules? * what is the event that triggers the evaluation of these rules? I'm in particular interested in h...
by nagylzs
Tue Aug 17, 2021 10:00 am
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

My problem is why the masquerade rule works and I can reach the remote LAN? Why is it needed? My other configurations with l2tp they work without masquerading the LAN. It is very strange. Can someone explain what is wrong and why it works now? Probably rajo was right, and this is related to ARP reques...
by nagylzs
Mon Aug 16, 2021 5:39 pm
Forum: General
Topic: Feature request: Force sending of DHCP options to clients
Replies: 71
Views: 21333

Re: Feature request: Force sending of DHCP options to clients

That is an acceptable answer for me too. The original explanation ("don't use that ISP") defied reality, but this one agrees with it, as far as I can tell. :-)
by nagylzs
Mon Aug 16, 2021 4:01 pm
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

haris013 I tried to contact you in a private message but I can't - there is no way to do it on this forum (or I could not find it) Please contact me at gmail, user name nagylzs - I think it would be much more efficient to try to solve this problem using some remote desktop connection. (Well, only if...
by nagylzs
Mon Aug 16, 2021 3:52 pm
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

> Is there any way to trace the packets, where they are going? It is unbelievable. Yes, there is. It is called packet sniffer. For sniffing ICMP packets, prepare your terminal with this command (on Windows): ping 192.168.2.240 -c 1 Then on routeros, go to this menu: /tool sniffer set filter-ip-protoc...
by nagylzs
Sun Aug 15, 2021 9:15 am
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

Okay, please try the following: 1. Open Properties of VPN connection 2. Go to Networking tab 3. Open Properties of Internet Protocol Version 4 (TCP/IPv4) (and uncheck TCP/IPv6) 4. Click Advanced... button 5. Change to IP Settings tab Then do this: * Uncheck "Use default gateway on remote networ...
by nagylzs
Sat Aug 14, 2021 9:15 pm
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

You would either have to configure proxy arp on the Windows client or, better yet, assign your VPN addresses from its own separate network pool and add appropriate routing for that VPN network. The latter would be the most versatile and low-maintenance solution. I also have setups where the L2TP cl...
by nagylzs
Fri Aug 13, 2021 8:50 am
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

Oh, so his problem was that he could not access the local LAN? I thought he could not access the remote LAN. :-) The second thing I wrote was this: You did not uncheck the "use default gateway on remote network" checkbox in adapter properties / network / ipv4 / properties / special / ip se...
by nagylzs
Wed Aug 11, 2021 9:55 pm
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

I'm comparing your config with mine. I don't have bridge=bridge on /ppp profile in my configs. Also, I don't have arp=proxy-arp in my bridge. The problem might be that these packets are not routed, because your ppp interface is added to your bridge as a port. One more thing to try: remove bridge=bri...
by nagylzs
Wed Aug 11, 2021 8:50 am
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

Disclaimer: I'm just guessing now. I don't know what is wrong. But it seems that your accept rule's counter is almost zero.

Please try to add a more specific route, as administrator:

route add -p 192.168.2.0 mask 255.255.255.0 192.168.2.185

I doubt that it will help but let's try.
by nagylzs
Tue Aug 10, 2021 4:14 pm
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

I'm sorry I'm just trying to find out what the problem is. It may not help, but try this. On the router, set a fixed address for a user, and allow forward packets: /ppp secret set remote-address=192.168.2.185 where name=XXXXX /ip firewall filter add chain=forward action=accept src-address=192.168.2....
by nagylzs
Tue Aug 10, 2021 3:54 pm
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

Is there any chance that ISP is the problem? Is something blocked from ISP side? or is any NAT related problem? ICMP ping packets go through your ipsec tunnel. Any other packet goes through the same tunnel. If it was a problem with your ISP then nothing would work. Not even ping. Can you please pos...
by nagylzs
Tue Aug 10, 2021 8:55 am
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

There is an "interface-list" setting under /ppp profile. I suspect that if you specify interface-list=L2TP then it will put the dynamically created L2TP interfaces into that interface list automatically. But it is not documented. At least not here: https://wiki.mikrotik.com/wiki/Manual:PPP...
by nagylzs
Mon Aug 09, 2021 8:20 pm
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

Your routes are okay, I think. You did not uncheck the "use default gateway on remote network" checkbox in adapter properties / network / ipv4 / properties / special / ip settings. All of your traffic goes through the L2TP connection. I think that this will be a firewall problem. Look at t...
by nagylzs
Sat Aug 07, 2021 8:04 pm
Forum: General
Topic: Roaad Warrior L2TP/IPSEC VPN cannot access LAN
Replies: 53
Views: 8422

Re: Roaad Warrior L2TP/IPSEC VPN cannot access LAN

Hello, * Why do you have two ppp profiles? One of them is not assigned to the bridge. The second one references VPN_pool which is not defined. Didn't you delete something important from the export? * After L2TP client is connected, can you ping the remote router? 192.168.2.1 * Please enable ICMP in ...
by nagylzs
Thu Aug 05, 2021 8:56 pm
Forum: General
Topic: Feature request: Force sending of DHCP options to clients
Replies: 71
Views: 21333

Re: Feature request: Force sending of DHCP options to clients

It looks like you want to make this question emotional. Why instead of asking MikroTik to fix the other toys' problems, they don't ask the manufacturer directly to fix the crap they did in DHCP Client? I think it is not the "problem of the toy". It is the problem of the user, who has no o...
by nagylzs
Thu Aug 05, 2021 8:52 pm
Forum: General
Topic: Feature request: Force sending of DHCP options to clients
Replies: 71
Views: 21333

Re: Feature request: Force sending of DHCP options to clients

It looks like you want to make this question emotional.
Why instead of asking MikroTik to fix the other toys' problems, they don't ask the manufacturer directly to fix the crap they did in DHCP Client?
Censorship in China is not a toy.
by nagylzs
Thu Aug 05, 2021 8:24 pm
Forum: General
Topic: Feature request: Force sending of DHCP options to clients
Replies: 71
Views: 21333

Re: Feature request: Force sending of DHCP options to clients

Those who make these requests (solve the bugs of other manufacturers) can think nothing but themselves, because it suits him at that moment... And if this option, once added, bothers other devices that instead have the software written wrong and do not go if they receive a option not required? Or i...
by nagylzs
Thu Aug 05, 2021 8:20 pm
Forum: General
Topic: Feature request: Force sending of DHCP options to clients
Replies: 71
Views: 21333

Re: Feature request: Force sending of DHCP options to clients

This sounds like "I would rather not use Mikrotik products because there is no way to workaround DHCP client bugs in some 3rd party products, but keep using those buggy 3rd party products..." You make it appear like it was a choice. Actually the feature is needed because of the cases when...
by nagylzs
Wed Aug 04, 2021 10:43 pm
Forum: General
Topic: cant update router
Replies: 8
Views: 1229

Re: cant update router

wendor325, what are you trying to achieve? If you want double NAT, then you need to connect ether1 to your ISP router, and change back your MT router's static address to 192.168.88.2 (or anything else EXCEPT 192.168.1.x, because you shouldn't NAT between identical IP subnets). If you don't want doub...
by nagylzs
Wed Aug 04, 2021 7:57 pm
Forum: General
Topic: Feature request: Force sending of DHCP options to clients
Replies: 71
Views: 21333

Re: Feature request: Force sending of DHCP options to clients

You should compare a DHCP server to a shop, e.g. an online shop. The client orders some items from the shop, and receives a package back containing some of those items. E.g. it has ordered item number 1,2,3,10 and it receives 1,2 and 10. It does not receive 3 because the store does not have it. Tha...
by nagylzs
Wed Aug 04, 2021 7:10 pm
Forum: General
Topic: ipsec ikev2 + Windows 10 klient Routes are not transmitted to the client
Replies: 2
Views: 2075

Re: ipsec ikev2 + Windows 10 klient Routes are not transmitted to the client

After connecting to the vpn server, please send the output of this (as administrator):

route print -4
by nagylzs
Wed Aug 04, 2021 6:55 pm
Forum: General
Topic: Can VLAN traffic be excluded from routing?
Replies: 6
Views: 1237

Re: Can VLAN traffic be excluded from routing?

Without any firewall rule, I give you a hint: on IP / Settings disable ip-forward, this stop auto-forwarding between subnets. This causes a separation (only on Layer 3) between subnets (on VLAN or not) Sorry if I do not have time to explain better at this moment. After disabling ip-forward, how is i...
by nagylzs
Wed Aug 04, 2021 6:22 pm
Forum: General
Topic: Bridge vlan solution without adding interface vlan
Replies: 30
Views: 3138

Re: Bridge vlan solution without adding interface vlan

> I explained the reason for needing vLan above. (36 cabinets * 48 Ports = 1728 vLan) I still don't get the point. VLANs are not created for "ports" but for specific network domains (for example, company departments, for classes of network traffic etc.) You just explained that you have 172...
by nagylzs
Wed Aug 04, 2021 6:00 pm
Forum: General
Topic: creating l2tp server
Replies: 17
Views: 10924

Re: creating l2tp server

Thanks for taking the time to reply, I think the settings I have are OK (but I have added them below just in case I'm overlooking something). As I wrote before, the connection itself works (can be seen also from the screenshot). Just that one firewall rule for protocol 50 (ipsec-esp) - or the need ...
by nagylzs
Tue Aug 03, 2021 10:26 am
Forum: General
Topic: creating l2tp server
Replies: 17
Views: 10924

Re: creating l2tp server

d) Under PPP -> Interface -> L2TP Server -> Enable and select the profile you created above. Furthermore "use ipsec-yes" and make a note of the IPSEC secret you put there. /interface l2tp-server server set allow-fast-path=yes default-profile=L2TP-Profile enabled=yes use-ipsec=yes You can ...
by nagylzs
Tue Aug 03, 2021 9:57 am
Forum: General
Topic: creating l2tp server
Replies: 17
Views: 10924

Re: creating l2tp server

Hi all, have been playing a bit with the L2TP server on my home router and got the VPN tunnel working. The only thing that slightly bothers me is that I'm not getting any hits on this firewall rule when clients connect: /ip firewall filter add chain=input action=accept protocol=ipsec-esp Am I missi...
by nagylzs
Mon Aug 02, 2021 1:18 pm
Forum: General
Topic: Bridge vlan solution without adding interface vlan
Replies: 30
Views: 3138

Re: Bridge vlan solution without adding interface vlan

Yoncu, are you trying to bridge together different vlans?
by nagylzs
Mon Aug 02, 2021 11:38 am
Forum: General
Topic: cant update router
Replies: 8
Views: 1229

Re: cant update router

Wrong. It sets the default route to the router itself. Default route should point to the ISP's IP. Maybe, I misunderstood his problem? He did not say that he was using the same HAP device for connecting to the ISP and he also did not say that he wants to use this router as a DHCP server... Well, we...
by nagylzs
Mon Aug 02, 2021 8:29 am
Forum: General
Topic: cant update router
Replies: 8
Views: 1229

Re: cant update router

Most likely, you either need to add a DHCP client or manually add a route e.g.

/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1

If you are using default config then there is no DHCP client configured, but there is a dhcp server - you need to disable/delete that under /ip dhcp-server
by nagylzs
Mon Aug 02, 2021 8:24 am
Forum: General
Topic: cant update router
Replies: 8
Views: 1229

Re: cant update router

Can you please /export hide-sensitive ?
by nagylzs
Sun Aug 01, 2021 11:02 pm
Forum: General
Topic: CRS326, queue hw acceleration
Replies: 3
Views: 685

Re: CRS326, queue hw acceleration

Well except CRS317-1G-16S+ :-)
by nagylzs
Sun Aug 01, 2021 10:58 pm
Forum: General
Topic: CRS326, queue hw acceleration
Replies: 3
Views: 685

Re: CRS326, queue hw acceleration

This is interesting. So there is no stable CRS switch that could handle QoS (other than global egress/ingress rate limiting) by the hardware. I think that without hw offloading, the relatively slow CPU is not able to handle queues when it matters (e.g. when there is congestion on a 1 gig link). When...
by nagylzs
Sun Aug 01, 2021 9:02 pm
Forum: General
Topic: CRS326, queue hw acceleration
Replies: 3
Views: 685

CRS326, queue hw acceleration

As far as I understand, Css326 and crs326 switches have the same hardware, the only difference is in the installed software. I wonder if queue trees (especially mangled by dscp/priority tagging) are hardware accelerated in crs326 or not. (Or maybe it is not an issue, because CPU requirements for que...
by nagylzs
Thu Jul 29, 2021 10:52 pm
Forum: RouterBOARD hardware
Topic: Going above 1Gbps - should I replace my router?
Replies: 7
Views: 3305

Re: Going above 1Gbps - should I replace my router?

Just get a CRS305 and use router-on-a-stick to give you 3 SFP+ ports to do anything with. Actually, the 2.5G copper module will use one SFP+ slot on the switch, the 10Gb DAC cable will use another SFP+ slot (e.g. connect RB4011 with CRS305). That leaves only two free SFP+ slots on the switch, and 1...
by nagylzs
Wed Jul 21, 2021 9:12 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Both sw01 and sw02 are connected to other bridges. (Namely: sw01 is connected to r01 and sw03; sw02 is connected to r02). It means that sw02.P1-Sw01 port (the port on sw02 that faces sw01) MUST NOT be an edge port. But sw02 switch says it is an edge port. So maybe sindy is right - the ARP request (o...
by nagylzs
Wed Jul 21, 2021 8:56 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

The P1-SW01 port on SW02 has type=edge. It is totally wrong.
by nagylzs
Wed Jul 21, 2021 8:52 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Another question, what are your STP settings on all the devices involved? Could it be that the CSS doesn't start forwarding on one of the interfaces? On r01, protocol-mode=rstp [admin@r01.magnet] /interface bridge> print detail Flags: X - disabled, R - running 0 R name="BR1" mtu=auto actu...
by nagylzs
Wed Jul 21, 2021 8:09 pm
Forum: Wireless Networking
Topic: Does RBSXTR&R11e-LTE6 support passthrough?
Replies: 4
Views: 1863

Re: Does RBSXTR&R11e-LTE6 support passthrough?

Whew, this is strange. I can see that both devices have that public IP! The local vlan interface on the LTE kit is assigned to the public ip. But also the vlan interface on the passthrough client is assigned to the same ip. Is this normal? It contradicts the documentation ("In this configuratio...
by nagylzs
Wed Jul 21, 2021 7:57 pm
Forum: Wireless Networking
Topic: Does RBSXTR&R11e-LTE6 support passthrough?
Replies: 4
Views: 1863

Does RBSXTR&R11e-LTE6 support passthrough?

The documentation here https://wiki.mikrotik.com/wiki/Manual:Interface/LTE#Passthrough_Example says that > Warning: Passthrough is not supported by all chipsets. But chipsets are not specified. The product home page https://mikrotik.com/product/sxt_lte6_kit#fndtn-specifications does not tell if this...
by nagylzs
Wed Jul 21, 2021 9:05 am
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Maybe I'll try to replace that CSS router with a different model, set it up exactly the same way and test if it works the same way. I don't have a different switch at hand, I can only do this later.

Thank you for your help!
by nagylzs
Wed Jul 21, 2021 12:11 am
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

@anav, you've already helped a lot. Now I'm sure that all packets that should be tagged, are tagged. I still don't understand why it does not work with vlan receive=tagged only, and why is it happening only on one specific port of a specific switch. But I can live with the vlan receive=any setting, ...
by nagylzs
Tue Jul 20, 2021 11:37 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Just for giggles on Router2 put in the following dst route if just a switch dst: 0.0.0.0/0 gwy 192.168.19.1 also ensure you have an interface list entry that includes the base subnet and ensure that interface is selected in tools mac winbox mac server The default gateway is on r01, address 192.168....
by nagylzs
Tue Jul 20, 2021 11:29 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

I could regain access to sw02 by changing back strict/only tagged/leave as is on sw01.port3 (that is connected to sw02)
by nagylzs
Tue Jul 20, 2021 11:25 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Okay so If I get this straight, ether1 from the first router is a TRUNK port carrying 10,20.30 and 99 to the first switch. Yes. Just for giggles to mirror my Swos settings change SWITCH ONE to the following. VLAN for trunk port (from router and to Swos2) VLAN MODE - ENABLED VLAN RCVE - ANY DEFAULT ...
by nagylzs
Tue Jul 20, 2021 10:54 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

last two logs filtered with protocol=arp: r01: /tool sniffer packet> print detail where protocol=arp Empty, I guess it means that the mac address was taken from the local arp table. r02: /tool sniffer packet> print detail where protocol=arp 0 time=28.135 num=140 direction=rx src-mac=08:55:31:E7:F3:6...
by nagylzs
Tue Jul 20, 2021 10:47 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Very good, I could have never figured this out. :-) Although... doesn't ARP have a cache timeout? I would think that the MAC address was already in the MAC table when I changed the switch config. But this is no time for guessing. Here is the test! r01 has ip=192.168.19.254 mac=08:55:31:E7:F3:67 r02 h...
by nagylzs
Tue Jul 20, 2021 7:03 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

I'm going to paste the bridge configs anyway. This is r01 config, I only left the ports that are used in this example. /interface bridge add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BR1 vlan-filtering=yes /interface bridge port add bridge=BR1 frame-types=admit-only-vlan-tagged i...
by nagylzs
Tue Jul 20, 2021 6:54 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Okay I will look at this sometime today but your network diagram is basically useless as it doesn't indicate the vlans running through the ports........ The vlan that I'm using there is vlanid=99. All the others can be ignored, they are irrelevant. I gather that each connecting port between devices ...
by nagylzs
Tue Jul 20, 2021 6:18 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

All right here is what I did: * started sniffing on both devices * then I changed "vlan receive=only tagged" on sw02 port2 (the port that is connected directly to r02) - at this point my ssh connection to r02 was lost * then I sent one ping from r01 to r02: [adm@r01.magnet] /tool sniffer> ...
by nagylzs
Tue Jul 20, 2021 6:12 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

All right, I put back sw02 and repeated the same test, with vlan receive=any on sw02. This is on r01: /tool sniffer packet> print detail 0 time=11.498 num=1 direction=tx src-mac=08:55:31:E7:F3:67 dst-mac=08:55:31:E7:E1:8E interface=BASE_VLAN src-address=192.168.19.254 dst-address=192.168.19.253 prot...
by nagylzs
Mon Jul 19, 2021 9:21 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Okay, this is how I setup sniffer on both r01 and r02: /tool sniffer set filter-ip-protocol=icmp set filter-ip-address=192.168.19.0/24 set filter-direction=any start Then I did this on r01: /ping r02.magnet count=1 stop Packets sniffed on r01: [admin@r01.magnet] /tool sniffer packet> print detail 0 ...
by nagylzs
Mon Jul 19, 2021 9:06 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Today I can only do this without sw02. Tomorrow I'll add sw02 again and do sniff again.
by nagylzs
Mon Jul 19, 2021 7:54 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Okay, so the problem still exists. I have removed sw02 to make it work. But I still don't understand what is wrong. I'm almost 100% sure that my routeros config is good. When the sw02 is not between the routers, then they work just fine. (But sw01 is still between them, and it causes no probl...
by nagylzs
Sun Jul 18, 2021 10:11 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

The switches used here, seems to me they are not any of CRS3XX Series... So if the OP uses Bridge VLAN Filtering will lose the Hardware offload on the Bridge, which is a very bad performance loss... I'm aware of that. But r01 is used for routing only, and r02 will be used mainly as a wireless acce...
by nagylzs
Sun Jul 18, 2021 8:49 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

> I have already read that article, multiple times. If I connect r01.ether1 to sw01.port3, then everything works. The problem only comes when sw02 is between sw01 and r02. BTW that article concentrates on routeros. It does not explain configuration of CSS/SwOs devices. I guess that the problem is wi...
by nagylzs
Sun Jul 18, 2021 8:43 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Clear Network diagram might help and no clue why you have two routers and where is the internet. I'm not sure why do we need to know that. This problem is independent of "the internet". Here is the diagram anyway: https://imgur.com/a/WKxL7G6 Also get rid of capsman until you have a workin...
by nagylzs
Sun Jul 18, 2021 1:01 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

More info. This is not strictly about my problem, but it might shed light on it. If I set receive vlan=any and setup caps-man on r01 and cap on r02, then r02 can "see" caps-man on r01 but it fails to join: 11:50:02 caps,info CAP selected CAPsMAN r01.magnet (::ffff:192.168.19.254:5246) 11:...
by nagylzs
Sat Jul 17, 2021 11:45 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Uploaded demonstration here: https://www.youtube.com/watch?v=-zzwTJ7mKGU
by nagylzs
Sat Jul 17, 2021 11:00 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

I was experimenting some more. If I set "vlan receive=only untagged" on port 2 of sw02 (that is directly connected to r02) then connection is lost. If I set "vlan receive=only tagged", then connection is lost. The connection can only be established if I set "vlan receive=any...
by nagylzs
Sat Jul 17, 2021 3:13 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

I wanted to share another interesting thing. When I connected the two switches with two RBGPOE on both sides, then I could only get a 100M full duplex link. When I removed one of the injectors, then I got 1Gbps link. I was experimenting this for a while. Always got 1Gbps link, except when there was ...
by nagylzs
Sat Jul 17, 2021 12:09 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Re: Cannot access router over trunk+switch

Both switches are RB260GSP, running SwOs 2.13. If r02 is connected to Port2-Trunk on sw01, then everything works. If r02 is connected to Port2-To-R02 on sw02, then it can't be accessed in any way. If I change the vlan config of Port2-To-R02 to vlan receive=any then it is working! Does anybody know w...
by nagylzs
Sat Jul 17, 2021 11:58 am
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 3079

Cannot access router over trunk+switch

I have this config: * router 01 called "r01", 192.168.19.254 * router 02 called "r02", 192.168.19.253 * switch 01 called "sw01", 192.168.19.244 * switch 02 called "sw02", 192.168.19.243 There are vlan configs, the management vlan id = 99 is associated with 192...
by nagylzs
Fri Jul 16, 2021 6:37 pm
Forum: General
Topic: Strange routing behaviour
Replies: 3
Views: 946

Re: Strange routing behaviour

BTW, this whole "blackhole bridge" trick is only necessary when the IPsec policy is generated dynamically. If a policy with action=encrypt exists, it always intercepts packets matching its traffic selector. If a security association is currently linked to that policy, the packets are sent...
by nagylzs
Fri Jul 16, 2021 6:11 pm
Forum: General
Topic: Strange routing behaviour
Replies: 3
Views: 946

Re: Strange routing behaviour

I see, so the "host unreachable" comes in every 3s because there was no answer to the ARP requests. And the normal timeout comes because there was no ICMP answer.

But I still don't understand the source ip for "host unreachable". Why is it coming from my WAN/public IP?
by nagylzs
Sun Jul 11, 2021 11:24 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

The long cable setting works!
by nagylzs
Sun Jul 11, 2021 5:56 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

Do you know there should be a "Port1 PoE In Long Cable" setting on the System tab? I did not know about that. I'll definitely try this, just I'm not sure when. (Probably tomorrow?) Then I'll come back with the test results again. By the way, the input voltage sensor has at least 5% error....
by nagylzs
Sun Jul 11, 2021 4:28 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

As I promised, I'm back with the results. I have tested the RB260GSP input/output characteristics in a lab. Test environment: Power supply is a precision laboratory power supply that is able to output 24V 20A. It also has adjustable overcurrent protection and adjustable output voltage. I have added ...
by nagylzs
Sat Jul 10, 2021 4:45 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

Regarding RBGPOE "pairing" - check this post out: viewtopic.php?f=2&t=120841
Fantastic!
by nagylzs
Sat Jul 10, 2021 3:51 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

The 1A max comes from the specs of the RB260GSP ( https://mikrotik.com/product/RB260GSP ) There is no power diagram, and no information on short burst overcurrent that is allowed. (What usually is the case.) I only was thinking on the non-linearity of the voltage drop that a current limiter would i...
by nagylzs
Sat Jul 10, 2021 3:45 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

I do not know and really I do not understand why matter if is used to "extract" current than "inject" I matters, because if it does not have isolation then it will also go into POE-IN port of any connected device - and in my case, it means that I cannot use this trick with devic...
by nagylzs
Sat Jul 10, 2021 3:36 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

Nono, I talk about power on RBGPOE, can be injected and can be... extracted!!! You can use 2 PoE: one at the start with power provided from jack, the other at the end (in reverse direction) to extract power from female jack RBGPOE has female barrel jack only. If I can use RBGPOE on both ends, then ...
by nagylzs
Sat Jul 10, 2021 2:57 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

"One example, not the truth" and "(depends on type and model)" are here for prevent those questions... you are always calculating with max power consumption and worst case scenarios Must be done on that way!!! The peak current does not reach 1A in my case You must use a professi...
by nagylzs
Sat Jul 10, 2021 2:24 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

One example, not the truth: If power source provide exactly 24V, what are the max Watt or Ampere? That info is provide when no device are attached, the internal resistance/use cause Ampere increase and Voltage drop. I'm not sure what you mean. The power supply is rated 24V 2.5A DC, that is about 60...
by nagylzs
Sat Jul 10, 2021 8:10 am
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

More thinking. The power output of sw01 equals the power consumption of sw02 + r01, plus losses on the wire. The power output of sw02 equals to the power consumption of r01. So sw01 will always output more power than sw02. Despite this fact, sw01 never complains about short circuit, but sw02 always ...
by nagylzs
Sat Jul 10, 2021 7:33 am
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

You are probably right, I'll try with RBGPOE, and also a splitter before sw01. But I'm still not sure if that will help. You say that RB260GSP has 5W power consumption, but that is the max. I have measured and this one actually draws 1.1W. Nothing else is connected to it, it does nothing just sits t...
by nagylzs
Fri Jul 09, 2021 10:33 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

Re: RB260GSP, short circuit error

I just measured again. Input voltage on sw01 is 23.5V. Input voltage on sw02 is 22.7V. That is 0.8V voltage drop, and it includes the (supposed) power FET inside sw01 and the 10m long wire1. We can safely suppose that sw02 won't drop more than 2V, so the HAP-AC2 must be getting more than 20V on its ...
by nagylzs
Fri Jul 09, 2021 10:29 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10215

RB260GSP, short circuit error

Hello, I have a network with these devices connected: 24V power supply --> sw01 (RB260GSP) -- (wire1)---> sw02 (RB260GSP) --(wire2)--> r01 (HAP-AC2) Very strange thing is happening. The web interface of sw02 displays 22.6V on passive poe-in (on ether1). If I connect r01 (HAP-AC2) to it, then the red...
by nagylzs
Wed Jul 07, 2021 8:17 pm
Forum: General
Topic: Strange routing behaviour
Replies: 3
Views: 946

Strange routing behaviour

I have a VPN client with LAN address 192.168.19.254/24 and VPN server with remote LAN address 192.168.14.254/24. Let's suppose that the VPN connection is established, but the server does not respond to ICMP requests. Here is the actual (active) ipsec policy: [admin@client] /ip ipsec policy> print Fl...
by nagylzs
Sun Jun 27, 2021 11:36 pm
Forum: General
Topic: How can I use a custom ipsec profile for L2TP server?
Replies: 4
Views: 1562

Re: How can I use a custom ipsec profile for L2TP server?

I have been here on this forum for a while, and got lots of help from people like you. I'm really grateful.

I had to learn a lot in the past few months, and now I think I fully understand your answer. :-)
by nagylzs
Sun Jun 27, 2021 4:45 pm
Forum: General
Topic: How can I use a custom ipsec profile for L2TP server?
Replies: 4
Views: 1562

Re: How can I use a custom ipsec profile for L2TP server?

I could also eliminate the "failed to pre-process ph2 packet" error by removing the manual policy and the group-l2tp group, re-enabling the default ::0/0 policy template, and rebooting the router. It seems that the default ipsec profile is always used for l2tp server. But I don't see this ...
by nagylzs
Sun Jun 27, 2021 4:13 pm
Forum: General
Topic: How can I use a custom ipsec profile for L2TP server?
Replies: 4
Views: 1562

Re: How can I use a custom ipsec profile for L2TP server?

After going through the logs, I could finish phase1 with this: /ip ipsec profile set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 name=profile_l2tp Maybe Windows can do modp2048 in phase1 after all? But it can't use sha256? If that is the case, then the MikroTik do...
by nagylzs
Sun Jun 27, 2021 2:21 pm
Forum: General
Topic: How can I use a custom ipsec profile for L2TP server?
Replies: 4
Views: 1562

How can I use a custom ipsec profile for L2TP server?

I would like to use a custom (phase 1) ipsec profile for my l2tp server. The most secure settings that are compatible with Windows 10 and RouterOs are probably: phase 1 (profile): SHA256 AES-256-CBC modp1024 phase 2 (proposal): SHA1 AES-256-CBC none This info was taken from: https://wiki.mikrotik.co...
by nagylzs
Mon Jun 21, 2021 7:39 pm
Forum: General
Topic: Pass DHCP packets through router [SOLVED]
Replies: 2
Views: 1018

Re: Pass DHCP packets through router [SOLVED]

Just to clarify: are you trying to get an address on a dhcp client on router3, from a dhcp server that is connected to router 1? I hope I understand your question.

DHCP works on layer 2, it can't cross routers. Unless you do something about it. My first tip would be to use eoip.
by nagylzs
Mon Jun 21, 2021 7:30 pm
Forum: General
Topic: IPSEC VPN only works one way
Replies: 2
Views: 621

Re: IPSEC VPN only works one way

Can you please draw a diagram? Others might understand this network without a diagram, but I'm not confused.
by nagylzs
Mon Jun 21, 2021 7:21 pm
Forum: General
Topic: One ipsec policy and two peers
Replies: 5
Views: 2335

Re: One ipsec policy and two peers

I might be wrong but I think policies are not connecting to anything. Peers are. You can setup initiator / responder side in the peer configuration, that decides who connects to who. But I don't know what happens when a policy (not a policy template!) is assigned to two peers, and connection is estab...
by nagylzs
Mon Jun 21, 2021 7:08 pm
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 853

Re: VLANs and address assignment

I think it is the same if ether1 is not a port of a bridge. If you don't add an IP address to ether1 itself, then it won't have an IP address.
by nagylzs
Mon Jun 21, 2021 7:04 pm
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 853

Re: VLANs and address assignment

If I have some interface, like ether1, and a bunch of VLAN interfaces on it, like vlan2 and vlan3, does ether1's IP address "carry over" to the VLANs? If so, is there a way to disable this? If you have a bridge, and you have ether1 added as a tagged port, then you won't want to assign an ...
by nagylzs
Mon Jun 21, 2021 2:19 pm
Forum: General
Topic: DHCP client on Vlan won't find IP
Replies: 2
Views: 484

Re: DHCP client on Vlan won't find IP

@anav Now you are not forgetting things. ;-)
by nagylzs
Sun Jun 20, 2021 8:02 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 3431

Re: CAPsMAN on layer2 + vlans

Okay, this makes sense now. So the wireless driver and the bridge can both do tagging/untagging. It is just an arbitrary decision of the CAPsMAN package to do this in the wireless driver.

I'm feeling smarter already. :-)
by nagylzs
Fri Jun 18, 2021 3:01 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 3431

Re: CAPsMAN on layer2 + vlans

Well, then there is something else wrong with my config because I can obtain IP address on ether2-blue, but I can't do it on blue ssid. Rebooted them and they started to work magically. Everything is fine, I'm a happy camper now. I just need to digest these strangenesses in RouterOs. Thank you for y...
by nagylzs
Fri Jun 18, 2021 11:45 am
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 3431

Re: CAPsMAN on layer2 + vlans

The wlan1, wlan2, wlan24, wlan25 devices are added under the correct vlan id, but they are added as tagged ports. I would like them to be untagged. (Otherwise dumb WiFi clients won't be able to connect.) That's correct and won't cause any problem ... wlan interfaces are tagged from bridge point of ...
by nagylzs
Fri Jun 18, 2021 8:47 am
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 3431

Re: CAPsMAN on layer2 + vlans

Okay, connection between CAP and CAPsMAN works on all devices now. But there is something wrong with the bridge vlan tables. If I add vlan-mode=use-tag in the datapath: /caps-man datapath add local-forwarding=yes name=datapath-blue vlan-id=10 vlan-mode=use-tag add local-forwarding=yes name=datapath-...
by nagylzs
Fri Jun 18, 2021 7:19 am
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 3431

Re: CAPsMAN on layer2 + vlans

After adding this rule: /ip firewall filter add action=accept chain=input dst-address-type=local src-address-type=local It works! Here is the log: 06:06:37 caps,debug CAP None->Discover 06:06:37 caps,debug CAP discovery target list: 06:06:39 caps,debug CAP discovery over, results: 06:06:39 caps,debu...
by nagylzs
Fri Jun 18, 2021 12:09 am
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 3431

Re: CAPsMAN on layer2 + vlans

Might want to take a look here: https://wiki.mikrotik.com/wiki/Manual:Simple_CAPsMAN_setup#CAP_in_CAPsMAN All right, I'll try this tomorrow. But it would be very surprising if that was the problem. Ip firewall can only block ip packets, right? Ip firewall rules should only matter when using ip base...
by nagylzs
Thu Jun 17, 2021 11:31 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 3431

Re: CAPsMAN on layer2 + vlans

Set the capsman discovery interface (on both the cap and capsman config) to the VLAN interface where you want the caps to capsman communication to happen. Yes, already tried this: /caps-man manager interface set [ find default=yes ] forbid=yes add disabled=no interface=BASE_VLAN /interface wireless...
by nagylzs
Thu Jun 17, 2021 10:43 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 3431

Re: CAPsMAN on layer2 + vlans

After removing all firewall rules, discovery succeeded: 19:24:14 caps,debug CAP Sulking->Discover 19:24:14 caps,debug CAP discovery target list: 19:24:16 caps,debug CAP discovery over, results: 19:24:16 caps,debug router.magnet (::ffff:192.168.19.254:5246) 19:24:16 caps,debug CAP Discover->Select 19...
by nagylzs
Thu Jun 17, 2021 8:37 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 3431

CAPsMAN on layer2 + vlans

I'm trying to use CAPsMAN on a network that has vlans. In the first step, I wanted to do something very simple: add CAPsMAN and CAP on the same (main) router just to see if it works. I have used CAPsMAN before with success, but I have never used it on a vlan filtered bridge. The caps-man is assigned...
by nagylzs
Tue Jun 15, 2021 11:51 am
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 2431

Re: Howto use HAP AC2 as switch+AP on vlan(s)

The first setting (creation of vlan interface) means interface BR1 has to be tagged member of VLAN 99 on bridge BR1. The third setting (bridge vlan configuration) does configure it indeed. But is there any other member interface? No. As long as you don't have vlan-filtering=yes set on bridge, the s...
by nagylzs
Tue Jun 15, 2021 7:33 am
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 2431

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Access ports won't work until you enable vlan-filtering on bridge. Without that bridge does not add VLAN tag on ingress as per pvid settings nor does it strip VLAN tags on egress as per untagged vlan membership. So: take a deep breath, enable safe mode and enable vlan-filtering on bridge. If your ...
by nagylzs
Mon Jun 14, 2021 9:34 pm
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 2431

Howto use HAP AC2 as switch+AP on vlan(s)

I have a network that consists of a WAN router, a switch and another router. They are connected like this: https://imgur.com/a/F0Le04M My original network without the access point was discussed here: https://forum.mikrotik.com/viewtopic.php?f=2&t=175973 It is now working fine. In the next step, ...
by nagylzs
Sat Jun 12, 2021 10:29 am
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 5165

Re: dhcp on vlan trunk not working

Hello, I have tried your suggestions. 1. A dhcp server network address was missing indeed. 2. I'm aware of the missing firewall rules. Just because this was my very first attempt to create a network with vlans, I did not want to add restrictions before I made sure that the vlan works. But certainly ...
by nagylzs
Fri Jun 11, 2021 11:39 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 5165

Re: dhcp on vlan trunk not working

I have changed default vlanid on switch port5 from 99 to 1 and now it does work. Then I have tried different default vlan ids, and everything works except vlan 99. Then I checked the documentation here : https://wiki.mikrotik.com/wiki/SwOS/RB250_RB260 And found this: Switch will treat both untagged ...
by nagylzs
Fri Jun 11, 2021 11:19 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 5165

Re: dhcp on vlan trunk not working

I just noticed one error, interface list WAN incorrectly had a member ether1. But it seems that this is not the main problem. [admin@Router] /interface list> member [admin@Router] /interface list member> print Flags: X - disabled, D - dynamic # LIST INTERFACE 0 WAN ether1 1 VLAN BASE_VLAN 2 VLAN BLU...
by nagylzs
Fri Jun 11, 2021 11:12 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 5165

Re: dhcp on vlan trunk not working

Physical connection and SwOs settings here https://imgur.com/a/Xkh7218
by nagylzs
Fri Jun 11, 2021 10:47 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 5165

Re: dhcp on vlan trunk not working

Exported config attached. Thank you for your time!
by nagylzs
Fri Jun 11, 2021 9:36 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 5165

Re: dhcp on vlan trunk not working

Also tried the same config with all firewall rules deleted, and winbox allowed from all ports. Result: * I can login to the router with mac winbox, after vlan filtering is enabled, using its ether5-wan port (which is not part of the BR1 bridge) * I can also access the switch on 192.168.19.253 by con...
by nagylzs
Fri Jun 11, 2021 9:01 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 5165

Re: dhcp on vlan trunk not working

All right, I went through that tutorial. I have created my own version of the first example from the tutorial. I had to change it because I have a different router with different number and type of ports. Here are the only things that I have changed: - trunk ports are ether1,ether2,ether3,ether4 - m...
by nagylzs
Thu Jun 10, 2021 10:57 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 5165

Re: dhcp on vlan trunk not working

As stated read the link that will solve any router vlan issues. I'm reading it now. In fact I have factory-reset my router and trying the first example from that tutorial. The barebones switches from MT are a biatch to work with. Do not limit any access connectivity within the menus available (keep...
by nagylzs
Thu Jun 10, 2021 6:31 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 5165

dhcp on vlan trunk not working

Hello! I have RouterOS HAP AC2 with 3 vlans: vlan10 and vlan20 for private/public access and vlan99 for management access. This router connects to (and is powered by) RB260GSP. ether1 on HAP AC2 is a trunk port, connected to RB260GSP port 5 which should also be a trunk port. The DHCP server on vlan99 does...
by nagylzs
Wed Jun 09, 2021 3:20 pm
Forum: Scripting
Topic: Yet another DHCP to DNS script
Replies: 34
Views: 40722

Re: Yet another DHCP to DNS script

One of the best scripts I have ever seen for the purpose. I also wrote another one that adds entries for already bound leases: /system script remove resetDhcpToStaticDns; /system script add name="resetDhcpToStaticDns" source={ :local DHCPtag :local topdomain; :local hostname; :local hostip;...
by nagylzs
Sun Apr 04, 2021 11:24 pm
Forum: General
Topic: Undocumented ipsec mode config option split-dns ?
Replies: 3
Views: 2661

Re: Undocumented ipsec mode config option split-dns ?

Thanks. Sorry for the late reply. Does mikrotik ipsec ikev2 client support split-dns? I can only see that modeconf has this option on the server side.
by nagylzs
Sun Feb 28, 2021 12:23 pm
Forum: General
Topic: policy group comment bug
Replies: 0
Views: 492

policy group comment bug

It is possible to set the comment of any policy group, but it is not displayed, not stored and not exported. [adm@router] /ip ipsec policy group> print Flags: * - default # NAME 0 * default [adm@router] /ip ipsec policy group> set 0 comment="Test" [adm@router] /ip ipsec policy group> print...
by nagylzs
Sun Feb 28, 2021 9:34 am
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Re: Automatically update ipsec peer addresses from script

Okay, I get it now: * I should use as many peers (and technical local addresses) as many ipsec phase1 profiles I have. If I have two different profiles, then I need to add two peers with different technical addresses. Then connect the local addresses by initiator addresses with NAT rules. With NAT r...
by nagylzs
Sat Feb 27, 2021 8:46 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Re: Automatically update ipsec peer addresses from script

Just to be clear, I want a solution where I can use different phase1 profiles AND different policies for each identity at the same time. I think you already gave me a solution for policy-identity assignment by assigning them to different policy groups. You also gave me a solution for using different...
by nagylzs
Sat Feb 27, 2021 8:02 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Re: Automatically update ipsec peer addresses from script

I'm trying to add policy groups for each initiator. I'm having problems with specifying the different profiles. You wrote this: "You can use it to assign all Phase 2 and many Phase 1 properties individually for each initiator." I don't see how? Phase 1 (/ip ipsec profile) can only be assig...
by nagylzs
Sat Feb 27, 2021 7:01 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Re: Automatically update ipsec peer addresses from script

Oh, I always wondered about the usefulness of policy template groups. Thank you, I'll try this.

For me, sometimes it is hard to see the connections between policies, groups, identities and peers. (I work with databases, already tried to draw an ER diagram with these entities but failed to do so.)
by nagylzs
Sat Feb 27, 2021 4:04 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Re: Automatically update ipsec peer addresses from script

I didn't know that address=fqdn cannot be used for passive=yes peers, I haven't come across such an application case, can you detail why you need to identify the initiator by the source IP address tracked by fqdn? Is the ID_I value of IKE not sufficient? You can use it to assign all Phase 2 and man...
by nagylzs
Sat Feb 27, 2021 3:32 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Re: Automatically update ipsec peer addresses from script

Ah, sorry, I didn't realize the problem is the comparison, not the update. The fastest solution is $good in $old ; here, the first parameter ( $good ) may be an IP address or a prefix, and the second one ( $old ) is always a prefix ( 192.168.0.0 in 192.168.0.0/32 returns true , whereas 192.168.0.0 ...
by nagylzs
Fri Feb 26, 2021 9:19 am
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Re: Automatically update ipsec peer addresses from script

The /32 is not a problem, it is added automatically if you set the address to just 1.2.3.4 . It is a problem because the $old != $good condition always evaluates to false. It means that all connections will be dropped periodically, unless I can test for IP change. Possibly I can use tostr to conver...
by nagylzs
Thu Feb 25, 2021 9:39 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Re: Automatically update ipsec peer addresses from script

All right then thank you! Meanwhile, I came up with this script: :foreach peer in=[/ip ipsec peer find where comment~"address:.*"] do={ :local name [/ip ipsec peer get $peer name]; :local comment [/ip ipsec peer get $peer comment]; :local fqdn [:pick $comment 8 50]; :local good [/resolve $...
by nagylzs
Thu Feb 25, 2021 8:38 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Re: Automatically update ipsec peer addresses from script

Okay, well remote-peer is not in the wiki ( https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Peers ). Also, I have 6.46.8 on a router and this is what I get: [adm@router] /ip ipsec peer> /ip ipsec peer [adm@router] /ip ipsec peer> set 0 remote-address=example.com expected end of command (line 1 column...
by nagylzs
Thu Feb 25, 2021 3:52 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 26
Views: 5325

Automatically update ipsec peer addresses from script

I have a router that connects to multiple ipsec/ike servers with dynamic IP addresses. I would like to write a script that is executed periodically, updating the remote peer address based on the hostname. My first idea was to use a specific comment on the peers to store the associated host names. E.g...
by nagylzs
Wed Feb 24, 2021 9:05 pm
Forum: General
Topic: "no such item" error
Replies: 1
Views: 434

"no such item" error

HAP AC2, version: 6.46.8 (long-term) /log print follow Results in: 20:03:25 ipsec,debug dh_group = 1536-bit MODP group:256-bit random ECP group 20:03:25 ipsec,debug -compare proposal #6: Local:Peer 20:03:25 ipsec,debug (lifetime = 86400:28800) 20:03:25 ipsec,debug (lifebyte = 0:0) 20:03:25 ipsec,deb...
by nagylzs
Sun Feb 07, 2021 6:46 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 3151

Re: invalid dhcp server on vlan interface

> But it makes no point to me, because internally all packets are "tagged" (they always have a vlan-id), and the CPU always sees that. It must mean something (because it is allowed by RouterOS). Apparently, there is no difference between adding the bridge CPU port as tagged vs. untagged po...
by nagylzs
Sun Jan 24, 2021 12:36 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 3151

Re: invalid dhcp server on vlan interface

I have added the bridge/bridge port to the vlan table, as you suggested. The dhcp server now works! After adding the bridge cpu port as a tagged port, the vlan table looks like this: [admin@MikroTik] /interface bridge vlan> print Flags: X - disabled, D - dynamic # BRIDGE VLAN-IDS CURRENT-TAGGED CURR...
by nagylzs
Fri Jan 22, 2021 8:17 pm
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 1290

Re: intermittent connection errors on RBSXTR

It turned out to be a problem on the ISP side. Although they don't admit this. But I changed the SIM card (different ISP) and everything works, no problem whatsoever.
by nagylzs
Fri Jan 22, 2021 5:41 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 3151

Re: invalid dhcp server on vlan interface

Thanks for your help. I decided to use bridge vlan filtering. Dropped all switch-chip vlan config. I read most of "bridge vlan tables" wiki. I understand why I can't manage the device through ether2 and ether3 untagged ports. (They belong to vlan20 and vlan30, and the bridge has pvid=1). I...
by nagylzs
Fri Jan 22, 2021 3:07 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 3151

Re: invalid dhcp server on vlan interface

I want to operate dhcp servers for these vlans. I need a single interface for that. So I guess I must use the bridge vlan method, and not the switch vlan method?
by nagylzs
Fri Jan 22, 2021 2:50 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 3151

Re: invalid dhcp server on vlan interface

Set pvid on ether2 and ether3
/interface bridge port
add bridge=bridge interface=ether4
add bridge=bridge interface=ether2 pvid=20
add bridge=bridge interface=ether3 pvid=30
add bridge=rescue interface=wlan1
Doesn't help either.
by nagylzs
Fri Jan 22, 2021 1:20 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 3151

invalid dhcp server on vlan interface

I'm trying to set up a router with this config: * ether1 goes to ISP * ether2, ether3 and ether4 are part of a bridge * there are two vlans vlan20 and vlan30 * ether2 should be untagged access port on vlan20 * ether3 should be untagged access port on vlan30 * ether4 should be tagged trunk port for vl...
by nagylzs
Fri Jan 22, 2021 8:40 am
Forum: General
Topic: Mistyped certificate key size, CPU is about to burn
Replies: 1
Views: 415

Re: Mistyped certificate key size, CPU is about to burn

A complete reboot solved the problem, but that is destructive. I think there should be a way to cancel certificate signing. It can be a really big problem: you just hit an extra key accidentally and you have to reboot. :-(
by nagylzs
Fri Jan 22, 2021 8:37 am
Forum: General
Topic: Mistyped certificate key size, CPU is about to burn
Replies: 1
Views: 415

Mistyped certificate key size, CPU is about to burn

I have mistyped the key-size parameter of a certificate. Instead of 2048 bits, I accidentally typed in 20488 bits. I just noticed this after I started to sign it. * Ctrl+C resulted in "failure: Process is uninterruptible, it will finish in background" * I cannot delete the certificate, I h...
by nagylzs
Thu Jan 21, 2021 12:39 pm
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 1290

Re: intermittent connection errors on RBSXTR

I'm almost sure this is a problem on the ISP side. [gandalf@palfi] > /tool traceroute telex.hu # ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS 1 100% 8 timeout 2 10.254.49.226 85.. 8 timeout 23.4 23.4 23.4 0 3 10.254.49.226 85.. 7 timeout 18.6 18.6 18.6 0 packet filtered from 10.254.49.226 4 ...
by nagylzs
Thu Jan 21, 2021 11:43 am
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 1290

Re: intermittent connection errors on RBSXTR

I found out something. When there are lots of TCP connection errors, then ping gives back ICMP 3 / 10 "admin prohibited", something like this: [gandalf@palfi] > /system telnet [/resolve telex.hu] 80 Connecting to 104.26.3.85 telnet: connect() failed: No route to host Welcome back! [gandal...
by nagylzs
Thu Jan 21, 2021 11:04 am
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 1290

Re: intermittent connection errors on RBSXTR

Okay so I excluded all possible local errors: * connected directly to a computer via ethernet/UTP cable * set fixed lte band * locked modem to tower Signal strength is excellent ( never goes below -77 dBm), there is nothing in the logs, but it still does not work. Sometimes I'm not able to connect w...
by nagylzs
Thu Jan 21, 2021 9:59 am
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 1290

Re: intermittent connection errors on RBSXTR

Locked band to B20, network-mode to lte. Locked modem to tower. Now testing again (but it does not look good)
by nagylzs
Mon Jan 18, 2021 11:27 pm
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 1290

Re: intermittent connection errors on RBSXTR

By the way, system uptime is 3d5h, and the number of link downtimes is 5: 4 R name="lte1" type="lte" mtu=1450 actual-mtu=1450 mac-address=AC:FF:FF:00:00:00 last-link-down-time=jan/18/2021 22:21:32 last-link-up-time=jan/18/2021 22:21:41 link-downs=5 Most of them are because of man...
by nagylzs
Mon Jan 18, 2021 11:11 pm
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 1290

intermittent connection errors on RBSXTR

I have an SXT LTE kit, and a NAT-ed LAN behind it. There are intermittent connection errors. When somebody wants to load a website, then there is a 50% chance that he will get a connection error. This is intermittent - if you try again, then it usually works. Or maybe you have to try two or three times...
by nagylzs
Sat Jan 09, 2021 3:11 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 3488

Re: Adding static route won't bypass nat

I already spent days with this. I'm putting together a site-to-site VPN tutorial (in Hungarian). If you don't mind then I would share some of your ideas there.
by nagylzs
Fri Jan 08, 2021 11:15 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 3488

Re: Adding static route won't bypass nat

1) I'm not sure why you have sa-src-address=192.168.13.254, which is part of LAN subnet. But that probably doesn't have any negative effect. It is coming from /ip ipsec peer menu, local-address attribute was set to it. I set it to 0.0.0.0 - after I did that, the sa-src-address attribute was changed t...
by nagylzs
Fri Jan 08, 2021 9:58 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 3488

Re: Adding static route won't bypass nat

Let's say they are "half-ignored". Valid route to destination must exist, it fails when it doesn't, but default route is enough for this. But it seems that beyond check for existence, it's not really used for routing decision. When I remove dummy/blackhole route, it works fine without it,...
by nagylzs
Thu Jan 07, 2021 11:08 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 3488

Re: Adding static route won't bypass nat

There are two things: 1) Routing and outgoing interface. Based on routes, outgoing interface should be vpn-blackhole. And that's true when IPSec is not active. Active IPSec clearly changes routing decision in some way. Again, it's not completely wrong, because it reflects where those packets really...
by nagylzs
Thu Jan 07, 2021 9:46 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 3488

Re: Adding static route won't bypass nat

I assumed that you used same rules, so it was strange why it would work on one device and not on another. If the working one has ipsec-policy=out,none, then it explains it. Yes I'm sorry I did not notice that difference at first. But I still don't understand why ipsec-policy=out,none is needed. Giv...
by nagylzs
Thu Jan 07, 2021 7:34 pm
Forum: General
Topic: IKEv2 - issues
Replies: 5
Views: 1991

Re: IKEv2 - issues

Okay, so there are a few that support AES-256-GCM, they are the most expensive ones. Interestingly, SHA384 is not listed anywhere, I guess it means that SHA384 is not supported on any of them.
by nagylzs
Thu Jan 07, 2021 6:53 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 3488

Re: Adding static route won't bypass nat

All right, so the production version was working because the extra "ipsec-policy=out,none" condition was added to the masquerade rule. If I remove that on the production system then it also fails. But here is the interesting part: it only works if ipsec-policy=out,none is specified AND ...
by nagylzs
Thu Jan 07, 2021 6:42 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 3488

Re: Adding static route won't bypass nat

Also tried to add "ipsec-policy=out,none" on the CHR (that was the only notable difference that I could see) but it did not help for about one minute.

Then after a minute, it started to work.

Doing some more tests...