Search found 139 matches

by nagylzs
Sun Apr 04, 2021 11:24 pm
Forum: General
Topic: Undocumented ipsec mode config option split-dns ?
Replies: 3
Views: 563

Re: Undocumented ipsec mode config option split-dns ?

Thanks. Sorry for the late reply. Does mikrotik ipsec ikev2 client support split-dns? I can only see that modeconf has this option on the server side.
by nagylzs
Sun Feb 28, 2021 12:23 pm
Forum: General
Topic: policy group comment bug
Replies: 0
Views: 237

policy group comment bug

It is possible to set the comment of any policy group, but it is not displayed, not stored and not exported.
[adm@router] /ip ipsec policy group> print
Flags: * - default
 #   NAME
 0 * default
[adm@router] /ip ipsec policy group> set 0 comment="Test"
[adm@router] /ip ipsec policy group> print...
by nagylzs
Sun Feb 28, 2021 9:34 am
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Re: Automatically update ipsec peer addresses from script

Okay, I get it now:
* I should use as many peers (and technical local addresses) as many ipsec phase1 profiles I have. If I have two different profiles, then I need to add two peers with different technical addresses. Then connect the local addresses by initiator addresses with NAT rules. With NAT r...
by nagylzs
Sat Feb 27, 2021 8:46 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Re: Automatically update ipsec peer addresses from script

Just to be clear, I want a solution where I can use different phase1 profiles AND different policies for each identity at the same time. I think you already gave me a solution for policy-identity assignment by assigning them to different policy groups. You also gave me a solution for using different...
by nagylzs
Sat Feb 27, 2021 8:02 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Re: Automatically update ipsec peer addresses from script

I'm trying to add policy groups for each initiator. I'm having problems with specifying the different profiles. You wrote this: "You can use it to assign all Phase 2 and many Phase 1 properties individually for each initiator." I don't see how? Phase 1 (/ip ipsec profile) can only be assig...
by nagylzs
Sat Feb 27, 2021 7:01 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Re: Automatically update ipsec peer addresses from script

Oh, I always wondered about the usefulness of policy template groups. Thank you, I'll try this.

For me, sometimes it is hard to see the connections between policies, groups, identities and peers. (I work with databases, already tried to draw an ER diagram with these entities but failed to do so.)
by nagylzs
Sat Feb 27, 2021 4:04 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Re: Automatically update ipsec peer addresses from script

I didn't know that address=fqdn cannot be used for passive=yes peers, I haven't come across such an application case, can you detail why you need to identify the initiator by the source IP address tracked by fqdn? Is the ID_I value of IKE not sufficient? You can use it to assign all Phase 2 and man...
by nagylzs
Sat Feb 27, 2021 3:32 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Re: Automatically update ipsec peer addresses from script

Ah, sorry, I didn't realize the problem is the comparison, not the update. The fastest solution is $good in $old ; here, the first parameter ( $good ) may be an IP address or a prefix, and the second one ( $old ) is always a prefix ( 192.168.0.0 in 192.168.0.0/32 returns true , whereas 192.168.0.0 ...
by nagylzs
Fri Feb 26, 2021 9:19 am
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Re: Automatically update ipsec peer addresses from script

The /32 is not a problem, it is added automatically if you set the address to just 1.2.3.4 . It is a problem because the $old != $good condition always evaluates to false. It means that all connections will be dropped periodically, unless I can test for IP change. Possibly I can use tostr to conver...
by nagylzs
Thu Feb 25, 2021 9:39 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Re: Automatically update ipsec peer addresses from script

All right then thank you! Meanwhile, I came up with this script:
:foreach peer in=[/ip ipsec peer find where comment~"address:.*"] do={
  :local name [/ip ipsec peer get $peer name];
  :local comment [/ip ipsec peer get $peer comment];
  :local fqdn [:pick $comment 8 50];
  :local good [/resolve $...
by nagylzs
Thu Feb 25, 2021 8:38 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Re: Automatically update ipsec peer addresses from script

Okay, well remote-peer is not in the wiki ( https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Peers ). Also, I have 6.46.8 on a router and this is what I get:
[adm@router] /ip ipsec peer> /ip ipsec peer
[adm@router] /ip ipsec peer> set 0 remote-address=example.com
expected end of command (line 1 column...
by nagylzs
Thu Feb 25, 2021 3:52 pm
Forum: General
Topic: Automatically update ipsec peer addresses from script
Replies: 27
Views: 1470

Automatically update ipsec peer addresses from script

I have a router that connects to multiple ipsec/ike servers with dynamic IP addresses. I would like to write a script that is executed periodically, updating the remote peer address based on the hostname. My first idea was to use a specific comment on the peers to store the associated host names. E.g...
by nagylzs
Wed Feb 24, 2021 9:05 pm
Forum: General
Topic: "no such item" error
Replies: 1
Views: 146

"no such item" error

HAP AC2, version: 6.46.8 (long-term)
/log print follow
Results in:
20:03:25 ipsec,debug dh_group = 1536-bit MODP group:256-bit random ECP group
20:03:25 ipsec,debug -compare proposal #6: Local:Peer
20:03:25 ipsec,debug (lifetime = 86400:28800)
20:03:25 ipsec,debug (lifebyte = 0:0)
20:03:25 ipsec,deb...
by nagylzs
Sun Feb 07, 2021 6:46 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 697

Re: invalid dhcp server on vlan interface

> But it makes no point to me, because internally all packets are "tagged" (they always have a vlan-id), and the CPU always sees that. It must mean something (because it is allowed by RouterOS). Apparently, there is no difference between adding the bridge CPU port as tagged vs. untagged po...
by nagylzs
Sun Jan 24, 2021 12:36 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 697

Re: invalid dhcp server on vlan interface

I have added the bridge/bridge port to the vlan table, as you suggested. The dhcp server now works! After adding the bridge cpu port as a tagged port, the vlan table looks like this:
[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic
 #   BRIDGE   VLAN-IDS   CURRENT-TAGGED   CURR...
by nagylzs
Fri Jan 22, 2021 8:17 pm
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 509

Re: intermittent connection errors on RBSXTR

It turned out to be a problem on the ISP side. Although they don't admit this. But I changed the SIM card (different ISP) and everything works, no problem whatsoever.
by nagylzs
Fri Jan 22, 2021 5:41 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 697

Re: invalid dhcp server on vlan interface

Thanks for your help. I decided to use bridge vlan filtering. Dropped all switch-chip vlan config. I read most of "bridge vlan tables" wiki. I understand why I can't manage the device through ether2 and ether3 untagged ports. (They belong to vlan20 and vlan30, and the bridge has pvid=1). I...
by nagylzs
Fri Jan 22, 2021 3:07 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 697

Re: invalid dhcp server on vlan interface

I want to operate dhcp servers for these vlans. I need a single interface for that. So I guess I must use the bridge vlan method, and not the switch vlan method?
by nagylzs
Fri Jan 22, 2021 2:50 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 697

Re: invalid dhcp server on vlan interface

Set pvid on ether2 and ether3
/interface bridge port
add bridge=bridge interface=ether4
add bridge=bridge interface=ether2 pvid=20
add bridge=bridge interface=ether3 pvid=30
add bridge=rescue interface=wlan1
Doesn't help either.
by nagylzs
Fri Jan 22, 2021 1:20 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 697

invalid dhcp server on vlan interface

I'm trying to set up a router with this config:
* ether1 goes to ISP
* ether2, ether3 and ether4 are part of a bridge
* there are two vlans vlan20 and vlan30
* ether2 should be untagged access port on vlan20
* ether3 should be untagged access port on vlan30
* ether4 should be tagged trunk port for vl...
by nagylzs
Fri Jan 22, 2021 8:40 am
Forum: General
Topic: Mistyped certificate key size, CPU is about to burn
Replies: 1
Views: 167

Re: Mistyped certificate key size, CPU is about to burn

A complete reboot solved the problem, but that is destructive. I think there should be a way to cancel certificate signing. It can be a really big problem: you just hit an extra key accidentally and you have to reboot. :-(
by nagylzs
Fri Jan 22, 2021 8:37 am
Forum: General
Topic: Mistyped certificate key size, CPU is about to burn
Replies: 1
Views: 167

Mistyped certificate key size, CPU is about to burn

I have mistyped the key-size parameter of a certificate. Instead of 2048 bits, I accidentally typed in 20488 bits. I just noticed this after I started to sign it.
* Ctrl+C resulted in "failure: Process is uninterruptible, it will finish in background"
* I cannot delete the certificate, I h...
by nagylzs
Thu Jan 21, 2021 12:39 pm
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 509

Re: intermittent connection errors on RBSXTR

I'm almost sure this is a problem on the ISP side.
[gandalf@palfi] > /tool traceroute telex.hu
 #  ADDRESS        LOSS  SENT  LAST     AVG   BEST  WORST  STD-DEV  STATUS
 1                 100%  8     timeout
 2  10.254.49.226  85..  8     timeout  23.4  23.4  23.4   0
 3  10.254.49.226  85..  7     timeout  18.6  18.6  18.6   0        packet filtered from 10.254.49.226
 4 ...
by nagylzs
Thu Jan 21, 2021 11:43 am
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 509

Re: intermittent connection errors on RBSXTR

I found out something. When there are lots of TCP connection errors, then ping gives back ICMP 3 / 10 "admin prohibited", something like this:
[gandalf@palfi] > /system telnet [/resolve telex.hu] 80
Connecting to 104.26.3.85
telnet: connect() failed: No route to host
Welcome back!
[gandal...
by nagylzs
Thu Jan 21, 2021 11:04 am
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 509

Re: intermittent connection errors on RBSXTR

Okay so I excluded all possible local errors:
* connected directly to a computer via ethernet/UTP cable
* set fixed lte band
* locked modem to tower
Signal strength is excellent (never goes below -77 dBm), there is nothing in the logs, but it still does not work. Sometimes I'm not able to connect w...
by nagylzs
Thu Jan 21, 2021 9:59 am
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 509

Re: intermittent connection errors on RBSXTR

Locked band to B20, network-mode to lte. Locked modem to tower. Now testing again (but it does not look good)
by nagylzs
Mon Jan 18, 2021 11:27 pm
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 509

Re: intermittent connection errors on RBSXTR

By the way, system uptime is 3d5h, and the number of link downtimes is 5:
 4 R name="lte1" type="lte" mtu=1450 actual-mtu=1450 mac-address=AC:FF:FF:00:00:00 last-link-down-time=jan/18/2021 22:21:32 last-link-up-time=jan/18/2021 22:21:41 link-downs=5
Most of them are because of man...
by nagylzs
Mon Jan 18, 2021 11:11 pm
Forum: Wireless Networking
Topic: intermittent connection errors on RBSXTR
Replies: 6
Views: 509

intermittent connection errors on RBSXTR

I have an SXT LTE kit, and a NAT-ed LAN behind it. There are intermittent connection errors. When somebody wants to load a website, then there is 50% chance that he will get a connection error. This is intermittent - if you try again, then it usually works. Or maybe you have to try two or three times...
by nagylzs
Sat Jan 09, 2021 3:11 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

I already spent days with this. I'm putting together a site-to-site VPN tutorial (in Hungarian). If you don't mind then I would share some of your ideas there.
by nagylzs
Fri Jan 08, 2021 11:15 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

1) I'm not sure why you have sa-src-address=192.168.13.254, which is part of LAN subnet. But that probably doesn't have any negative effect. It is coming from /ip ipsec peer menu, local-address attribute was set to it. I set it to 0.0.0.0 - after I did that, the sa-src-address attribute was changed t...
by nagylzs
Fri Jan 08, 2021 9:58 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

Let's say they are "half-ignored". Valid route to destination must exist, it fails when it doesn't, but default route is enough for this. But it seems that beyond check for existence, it's not really used for routing decision. When I remove dummy/blackhole route, it works fine without it,...
by nagylzs
Thu Jan 07, 2021 11:08 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

There are two things: 1) Routing and outgoing interface. Based on routes, outgoing interface should be vpn-blackhole. And that's true when IPSec is not active. Active IPSec clearly changes routing decision in some way. Again, it's not completely wrong, because it reflects where those packets really...
by nagylzs
Thu Jan 07, 2021 9:46 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

I assumed that you used same rules, so it was strange why it would work on one device and not on another. If the working one has ipsec-policy=out,none, then it explains it. Yes I'm sorry I did not notice that difference at first. But I still don't understand why ipsec-policy=out,none is needed. Giv...
by nagylzs
Thu Jan 07, 2021 7:34 pm
Forum: General
Topic: IKEv2 - issues
Replies: 5
Views: 596

Re: IKEv2 - issues

Okay, so there are a few that support AES-256-GCM, they are the most expensive ones. Interestingly, SHA384 is not listed anywhere, I guess it means that SHA384 is not supported on any of them.
by nagylzs
Thu Jan 07, 2021 6:53 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

All right, so the production version was working because the extra "ipsec-policy=out,none" condition was added to the masquerade rule. If I remove that on the production system then it also fails. But here is the interesting part: it only works if ipsec-policy=out,none is specified AND ...
by nagylzs
Thu Jan 07, 2021 6:42 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

Also tried to add "ipsec-policy=out,none" on the CHR (that was the only notable difference that I could see) but it did not help for about one minute.

Then after a minute, it started to work.

Doing some more tests...
by nagylzs
Thu Jan 07, 2021 6:39 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

Okay here is the production network that works. Office side has LAN address 192.168.13.0/24 running on RouterBOARD 750G r3 (6.46.8), branch01 has LAN address 192.168.14.0/24 running on HAP AC2 (6.46.8). On the office site I have these static routes:
/ip route
add comment="Blackhole for RFC 1918 ...
by nagylzs
Thu Jan 07, 2021 6:27 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat - RouterOS bug?

Test on branch01 router. First disabled the NAT masquerade bypass rule and added logging to the general masquerade rule:
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=172.16.0.0/12 log=yes src-address=172.16.0.0/12
add action=masquerade chain=srcnat log=yes out-interface=e...
by nagylzs
Thu Jan 07, 2021 6:12 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

It's something with IPSec, I can reproduce it. When I add logging rule in forward chain, then with peer disabled it shows vpn-blackhole as outgoing interface, but with peer enabled it changes to ether1-internet. It's kind of right, because it's actually where packets go to, but I'm not sure if fire...
by nagylzs
Wed Jan 06, 2021 9:36 pm
Forum: General
Topic: IKEv2 - issues
Replies: 5
Views: 596

Re: IKEv2 - issues

Hence in ProtonVPN example I can go to AES-256-GCM in Phase 2 but lack of SHA2-384 and PRF allows me to set up initial SA but then it disconnects me and reconnects. To avoid this situation I had to downgrade it to AES-256-CBC Well it is worse than that. AES-256-GCM is supported by RouterOS, but it ...
by nagylzs
Wed Jan 06, 2021 8:36 pm
Forum: General
Topic: Output chain question
Replies: 9
Views: 624

Re: Output chain question

My mistake. Actually I always put this in the forward chain. :-D
by nagylzs
Wed Jan 06, 2021 7:37 pm
Forum: General
Topic: IPSEC - NAT question
Replies: 4
Views: 306

Re: IPSEC - NAT question

Okay, so these policies have a dst-port and an src-port attribute. You can add dst-port=25 to limit the packets that need to be encapsulated and encrypted. Don't forget to update your NAT rules as well. You need to have a NAT rule that will masquerade all packets that were not encapsulated. For exa...
by nagylzs
Wed Jan 06, 2021 4:43 pm
Forum: General
Topic: IPSEC - NAT question
Replies: 4
Views: 306

Re: IPSEC - NAT question

How did you add your ipsec policies? Can you please post your config?
by nagylzs
Wed Jan 06, 2021 3:38 pm
Forum: General
Topic: Output chain question
Replies: 9
Views: 624

Re: Output chain question

One useful output rule that I like to use is to block all traffic to tcp/25. Nobody uses simple SMTP to reach remote SMTP servers nowadays. Except worms and trojan programs that send out spam through misconfigured SMTP servers.
by nagylzs
Wed Jan 06, 2021 9:24 am
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Re: Adding static route won't bypass nat

I don't see it, but srcnat's condition is out-interface=ether1-internet, so it will match only connections going out via ether1-internet. That will happen when router thinks that route to destination leads there. And that should only happen when your static route is either not active, or if there's...
by nagylzs
Tue Jan 05, 2021 9:54 pm
Forum: General
Topic: Adding static route won't bypass nat
Replies: 19
Views: 1123

Adding static route won't bypass nat

I have two routers connected via IPSEC/IKEv2 in tunnel mode. They don't have explicit firewall NAT bypass rules added. They have this instead:
/interface bridge
add name=vpn-blackhole
/ip route
add comment="Blackhole for RFC 1918" distance=5 dst-address=10.0.0.0/8 gateway=vpn-blackhole
add...
by nagylzs
Thu Dec 31, 2020 1:22 pm
Forum: General
Topic: IPSEC IKEv2 network-to-network problems
Replies: 11
Views: 871

Re: IPSEC IKEv2 network-to-network problems

To prevent packets which should be delivered via IPsec tunnels from leaking the wrong way, you have to use a route whose gateway is a specially created bridge with no member ports. And this is only necessary if the policy is created dynamically - a static policy matches the packets and diverts t...
by nagylzs
Thu Dec 31, 2020 12:04 am
Forum: General
Topic: IPSEC IKEv2 network-to-network problems
Replies: 11
Views: 871

Re: IPSEC IKEv2 network-to-network problems

The solution that you suggested also works because it provides a fake route with a non-wan interface for layer 3 routing. This prevents matching the masquerade nat rule. I do not like using dummy routes because it can be misleading. If you look at that route alone, then you might think that those pa...
by nagylzs
Wed Dec 30, 2020 10:09 pm
Forum: General
Topic: IPSEC IKEv2 network-to-network problems
Replies: 11
Views: 871

Re: IPSEC IKEv2 network-to-network problems

Default firewall needs no adjustments for ipsec tunneling to work. I'm sorry but you are mistaken here. After some research I realized that the default masquerade NAT rule was changing the src addresses of the packets BEFORE they were processed by the ipsec policy rules. The actual change required ...
by nagylzs
Tue Dec 29, 2020 11:35 pm
Forum: Wireless Networking
Topic: HAP AC2 5Ghz interface was not running 2 days
Replies: 8
Views: 869

Re: HAP AC2 5Ghz interface was not running 2 days

The ssid was not visible. I tried to connect but no beacons were coming out. There was nothing to connect to. Could not reproduce since I rebooted the router.
by nagylzs
Tue Dec 29, 2020 10:40 am
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

But also suspecting the power supply.
The HAP Lite devices are brand new. I bought them to test and experiment with CAPsMAN before I do a bigger installation. I don't think that both of them have faulty (and brand new) power supplies.
by nagylzs
Tue Dec 29, 2020 10:33 am
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

As I wrote: hAP lite is capable of Tx power 16 dBm or 18 dBm when transmitting at high symbol rates. Your setting of 20 dBm does not override that. hAP ac2 did get slightly limited by your setting, but there's still difference of 2 to 4 dB. I manually set TX power to 10, 13 and 15dBm. I think it di...
by nagylzs
Mon Dec 28, 2020 10:18 pm
Forum: Wireless Networking
Topic: HAP AC2 5Ghz interface was not running 2 days
Replies: 8
Views: 869

Re: HAP AC2 5Ghz interface was not running 2 days

Can you clarify, what you mean by "not running"? did you scan with various mobile devices and simply did not see such SSID? or you mean something else? Look at the status. It does not have the "R" flag. It is not running. And yes, the ssid was not visible from any device. The rad...
by nagylzs
Mon Dec 28, 2020 12:10 pm
Forum: Wireless Networking
Topic: HAP AC2 5Ghz interface was not running 2 days
Replies: 8
Views: 869

HAP AC2 5Ghz interface was not running 2 days

The 5Ghz interface was not running on my HAP AC2. It started about 2 days ago. I set frequency to 5180MHz. That is channel 36. It is not a DFS channel. Also removed almost all non-default config.
/interface wireless> print
Flags: X - disabled, R - running
 0   name="lacinet_5" mtu=1500 l2mtu=...
by nagylzs
Sun Dec 27, 2020 6:12 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

High level of interference actually explains the difference in achievable speeds on both units which initiated this thread: hAP lite has much lower Tx power (16-18 dBm at highest rates) compared to hAP ac2 (23-24 dBm at same high rates). 6dB makes quite some difference in SINR which at the end of t...
by nagylzs
Sun Dec 27, 2020 5:40 pm
Forum: General
Topic: IPSEC IKEv2 network-to-network problems
Replies: 11
Views: 871

Re: IPSEC IKEv2 network-to-network problems

Not what you are asking, but it might give you some hints: https://forum.mikrotik.com/viewtopic.php?f=23&t=169538 I have heard about EoIP but I never tried. Since EoIP emulates an ethernet wire, it might forward all broadcast packets? I won't ask more questions about this before I try EoIP myse...
by nagylzs
Sun Dec 27, 2020 5:32 pm
Forum: General
Topic: IPSEC IKEv2 network-to-network problems
Replies: 11
Views: 871

Re: IPSEC IKEv2 network-to-network problems

Not what you are asking, but it might give you some hints: https://forum.mikrotik.com/viewtopic.php?f=23&t=169538 I have heard about EoIP but I never tried. Since EoIP emulates an ethernet wire, it might forward all broadcast packets? I won't ask more questions about this before I try EoIP myse...
by nagylzs
Sun Dec 27, 2020 5:27 pm
Forum: General
Topic: IPSEC IKEv2 network-to-network problems
Replies: 11
Views: 871

Re: IPSEC IKEv2 network-to-network problems

Oh, and here is one thing that I don't understand. According to the documentation ( https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policies ) the sa-src-address and sa-dst-address properties are read only . But if I do "/ip ipsec policy export" then they are exported! So maybe they are not...
by nagylzs
Sun Dec 27, 2020 5:01 pm
Forum: General
Topic: IPSEC IKEv2 network-to-network problems
Replies: 11
Views: 871

IPSEC IKEv2 network-to-network problems

I would like to create a site-to-site connection with IPSEC IKEv2. The connection should connect two internal networks, as shown below: https://imgur.com/a/dRV3TR1 The real IP addresses have been replaced with 1.2.3.188 and 1.2.3.161. I could already setup the two routers. I'm going to post (most o...
by nagylzs
Sun Dec 27, 2020 4:41 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

Thank you for your time! I'll experiment some more.
by nagylzs
Sun Dec 27, 2020 1:32 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

Here I'm again. I replaced my phone with my laptop. It can provide more information about the wifi network. It turned out that almost everybody is using channels 1,6 and 11 in the neighborhood. So I changed frequency and tried the speed with channel 1 (2412 MHz) and 6 (2437 MHz). I have also reduced...
by nagylzs
Sat Dec 26, 2020 11:08 am
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

Thank you for your exhausting response! It will take a while for me to catch up and understand everything that you wrote. I'm going to come back later when I (hopefully) understand everything you write and tried all possible fixes.
by nagylzs
Sat Dec 26, 2020 1:07 am
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

What is in the wireless registration table of the AP? Looks like : TX rate= 144Mbps/40Mhz/1s/SGI I'm trying to answer all questions, I hope we can find out what is causing the difference. For HAP Lite, I see this: tx rate 144.4Mbps-20Mhz/2S/SGI rx rate=12Mbps Tx signal=0 Rx signal=-39 but if I look...
by nagylzs
Sat Dec 26, 2020 12:47 am
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

A setting suggestion I would have, if you don't already have it, is to try enabling "adaptive noise immunity" on the CAP device itself. This is done through the advanced tab of the wireless interface. You will have to temporarily switch off the CAP functionality in order to change this se...
by nagylzs
Fri Dec 25, 2020 11:45 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

Oh, I see. In that case, one physical 802.11n frame can contain up to 40 L2 frames. @bpwl just mentioned that CAPsMAN reduces the A-MSDU to 2048 by default. If that is true, then this also cannot explain the big difference in speed. I wonder if A-MSDU can be configured in any way? A-MPDU is even m...
by nagylzs
Fri Dec 25, 2020 10:54 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

The mAP Lite and cAP Lite have a MIPSBE cpu, and 64MB of RAM. Only the hAP Lite and hAP mini have this lower hardware: SMIPS cpu and 32 MB of RAM. (SMIPS seems to be a different instruction set as the RouterOS barely gets into the 16 MB ROM when SMIPS is used. There have been workarounds on the for...
by nagylzs
Fri Dec 25, 2020 10:28 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

There's no point in using 40MHz channels with 2.4GHz. You are a lot better off reducing that. Okay, I'll try that too. Also, FYI, the bridge=bridge in your datapath settings doesn't do anything since you are using local forwarding, so it doesn't really have to be set at all (although it doesn't hur...
by nagylzs
Fri Dec 25, 2020 6:56 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

To soften a bit the sadness about the hAP Lite. The 300 Mbps is the PHY rate of the interface. It is never the payload, the data throughput, of a 802.11 wifi connection, whatever brand or model of AP.. The wifi overhead is known to be a very important part of the airtime available. With large packe...
by nagylzs
Fri Dec 25, 2020 6:07 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

All right, I have arrived at the office. I did a quick test and re-checked the CPU usage. /tool profile shows 9% max cpu0 usage and 10% max wireless usage on the HAP Lite. The HAP AC2 actually used more CPU during the test: about 14% main CPU (7%+7%, two cores used simultaneously), and 10% wireless....
by nagylzs
Fri Dec 25, 2020 3:33 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

I'm using local forwarding. I'm going to post the config here in the evening. I still could not get into the office.
by nagylzs
Fri Dec 25, 2020 12:33 pm
Forum: General
Topic: Mistake in MikroTik Wiki
Replies: 0
Views: 244

Mistake in MikroTik Wiki

Hello! I'm not sure where to submit this issue. I hope somebody who has access to the wiki will read this. There is a mistake here: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#RouterOS_client_configuration In the example, first we create a profile and a proposal: It is advised to create a separat...
by nagylzs
Fri Dec 25, 2020 12:30 am
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

That being said: hAP ac2 has a beast of a CPU compared to hAP lite ... Maybe I accidentally looked at the wrong profiler when I was testing the HAP Lite? I can believe that this will be the root of the problem. I did not pay enough attention to the CPU. I was using WPA2 + AES encryption, so yes tha...
by nagylzs
Thu Dec 24, 2020 4:59 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

Thanks for your comments. I already left the office, I can only check these tomorrow. I think that these frequencies are allowed, I have selected the correct country. I understand that other APs can cause interference but this still does not explain the difference in average speed. Especially that a...
by nagylzs
Thu Dec 24, 2020 1:52 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

I have two HAP Lite devices. I just tried the other one. Same result: 30Mbps actual maximum speed. The phone shows that the connection is 144Mbps at -35 dBm.
by nagylzs
Thu Dec 24, 2020 1:06 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Re: Inconsistent speed HAP AC2 vs HAP Lite

What speed is the client connected on both CAP's?
The phone shows 144 Mbps for both CAPs and rx signal strength between -30 and -40 dBm
by nagylzs
Thu Dec 24, 2020 12:22 pm
Forum: Wireless Networking
Topic: Inconsistent speed HAP AC2 vs HAP Lite
Replies: 35
Views: 2576

Inconsistent speed HAP AC2 vs HAP Lite

I have a CAPsMAN with a single 2.4Ghz configuration. I have connected a HAP AC2 device. The CAP master interface shows this: Flags: M - master, D - dynamic, B - bound, X - disabled, I - inactive, R - running 0 MDBR name="caps03-hapac2-1" mac-address=48:8F:5A:A1:AB:30 arp-timeout=auto radio...
by nagylzs
Mon Dec 21, 2020 5:16 pm
Forum: General
Topic: Undocumented ipsec mode config option split-dns ?
Replies: 3
Views: 563

Undocumented ipsec mode config option split-dns ?

When I print my mode config options, I see something like this: /ip ipsec mode-config> print Flags: * - default, R - responder 0 * name="request-only" responder=no use-responder-dns=exclusively 1 R name="modeconf vpn.mydomain.com" system-dns=no static-dns=10.0.88.1 address-pool=p...
by nagylzs
Mon Dec 14, 2020 8:56 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

It was a dumb question, sorry. I can see it at https://mikrotik.com/download

I'm going to try that now.
by nagylzs
Mon Dec 14, 2020 8:50 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

You may find the new queue types in RouterOS 7 will meet your requirements better since they are more advanced and can deal with fluctuating total bandwidth amounts.
Great, I would like to try it. Can I install it on HAP AC2? Is it still beta?
by nagylzs
Mon Dec 14, 2020 8:40 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

Why do you keep only guaranteeing 10kb/s on these two queues anyways? Is that all thats truly desired to have gauranteed? As I told earlier, my end goal is to prioritize all TCP traffic. Anything that I put into limit-at will be given. Even if it is not used. If you try to put all TCP traffic into ...
by nagylzs
Mon Dec 14, 2020 8:27 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

If you find that is 350Mbps then your queue tree structure should be limited to 350Mbps. Of course then you will never end up being able to use the extra 150Mbps when it is available.
Well, I had two simple main goals. Being able to use the full bandwidth was one of them.
by nagylzs
Mon Dec 14, 2020 8:18 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

For #2, that is what limit-at is for, basically. You will get closer to the results you want in the previous test you did if you set the priority=3 queue for limit-at=167M. However you'll want to make sure all bandwidth is accounted for in the queueing. The issue with your queue tree setup is all t...
by nagylzs
Mon Dec 14, 2020 7:54 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

I'm afraid you have a misunderstanding of the priority values as being ratio based (1/3) - they aren't. First of all, it gives all the bandwidth it can to the priority 1 queue, once that is all allocated, it gives whatever is left to the priority 2 queue, once that is allocated, it gives what is le...
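To make the two-stage allocation described in the reply above concrete (and the limit-at=167M suggestion a few posts later), here is a small Python model. It is an added illustration, not code from the thread and not RouterOS code. Assumptions: stage 1 hands every child its limit-at, stage 2 gives the parent's leftover strictly in priority order up to each child's max-limit, and equal-priority children water-fill the leftover evenly; real HTB additionally weights equal-priority children by quantum and applies burst settings, which the model ignores. The rates used in the two example functions are taken from the thread's 10M local_out tree and the 500M link with a 167M guarantee.

```python
"""Toy model of the two-stage HTB allocation discussed in the thread.

Added illustration, not RouterOS code. Assumptions: stage 1 hands every
child its limit-at (the guarantee); stage 2 gives the parent's leftover to
children in priority order (1 = highest, 8 = lowest), each capped at its own
max-limit; equal-priority children water-fill the leftover evenly. Real HTB
also weights equal-priority children by quantum and applies burst settings,
which this model ignores.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Child:
    name: str
    limit_at: float   # guaranteed rate in bit/s (0 = no guarantee)
    max_limit: float  # ceiling in bit/s
    priority: int     # 1 (highest) .. 8 (lowest)
    demand: float     # what the child currently wants to send, bit/s


def share(parent_max: float, children: List[Child]) -> Dict[str, float]:
    """Return the rate each child ends up with under the parent's max-limit."""
    alloc = {c.name: 0.0 for c in children}
    remaining = parent_max

    # Stage 1: guarantees. A child never receives more than it asks for
    # or more than its own ceiling, and the parent cannot overcommit.
    for c in children:
        given = min(c.limit_at, c.max_limit, c.demand, remaining)
        alloc[c.name] += given
        remaining -= given

    # Stage 2: leftover strictly by priority. Within one priority level the
    # leftover is water-filled: each hungry child gets an equal slice until
    # it is satisfied (demand) or capped (max-limit).
    for prio in sorted({c.priority for c in children}):
        group = [c for c in children if c.priority == prio]
        while remaining > 1e-9:
            hungry = [c for c in group
                      if min(c.max_limit, c.demand) - alloc[c.name] > 1e-9]
            if not hungry:
                break
            slice_ = remaining / len(hungry)
            handed_out = 0.0
            for c in hungry:
                room = min(c.max_limit, c.demand) - alloc[c.name]
                take = min(room, slice_)
                alloc[c.name] += take
                handed_out += take
            remaining -= handed_out
    return alloc


M = 1_000_000  # 1 Mbit/s


def example_priority_only() -> Dict[str, float]:
    """Two saturating queues that differ only in priority, under the thread's
    10M local_out parent: priority 1 takes everything above the two 10k
    guarantees and priority 2 is left with its limit-at. Priorities are not
    ratios."""
    return share(10 * M, [
        Child("ssh_prio1", 10_000, 10 * M, 1, 10 * M),
        Child("backup_prio2", 10_000, 10 * M, 2, 10 * M),
    ])


def example_with_guarantee() -> Dict[str, float]:
    """limit-at=167M on the priority-3 queue keeps 167M for it even though a
    priority-1 queue is saturating the 500M link."""
    return share(500 * M, [
        Child("other_prio1", 10_000, 500 * M, 1, 500 * M),
        Child("tcp_prio3", 167 * M, 500 * M, 3, 500 * M),
    ])


if __name__ == "__main__":
    for label, result in (("priority only", example_priority_only()),
                          ("with limit-at", example_with_guarantee())):
        print(label, {k: f"{v / M:.2f}M" for k, v in result.items()})
```

Running it shows the two behaviours the thread argues about: with equal guarantees the priority-2 queue is starved down to 10k, and only limit-at, not priority, reserves bandwidth for the lower-priority TCP queue.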
by nagylzs
Mon Dec 14, 2020 7:15 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

All right, here is another try. I tried to create a test that is as easy to repeat as possible. I'm going to use these speedtest regular HTTP links for testing the speeds: server1: http://speedtest.tele2.net/ http://speedtest.tele2.net/10GB.zip measured 42MB/sec before the test server2: http://speed...
by nagylzs
Mon Dec 14, 2020 8:06 am
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

One difference I noticed is that mducharme used postrouting chain for packet marking instead of forward chain. I looked at the packet flow diagrams and I can see that HTB Global queue tree is processed at the end of the input chain, and also at the end of postrouting ( https://wiki.mikrotik.com/wiki...
by nagylzs
Mon Dec 14, 2020 12:04 am
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

Regarding prioritizing the upload direction, the connection-mark value is common for both directions of a connection. So you can translate the same connection-mark to a packet-mark e.g. depending on in-interface . But if the root parents of queues are interfaces, you can use the same packet-mark fo...
by nagylzs
Sun Dec 13, 2020 10:03 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

I believe adjusting bucket size is where you will find your answer. I still have my test setup together. I can try to verify this evening. That would be great, thank you. I just went through the token bucket algorithm wiki again ( https://wiki.mikrotik.com/wiki/Manual:HTB-Token_Bucket_Algorithm ). ...
by nagylzs
Sun Dec 13, 2020 9:43 pm
Forum: General
Topic: Queue bucket-size option explained
Replies: 25
Views: 57636

Re: Queue bucket-size option explained

We have made documentation for the new Token Bucket option, it is new exciting and powerful feature for queues and bandwidth limitation. Detailed information and configuration example are here, http://wiki.mikrotik.com/wiki/Manual:HTB-Token_Bucket_Algorithm Can I suggest some changes to that wiki? ...
by nagylzs
Sun Dec 13, 2020 7:13 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

Thank you for the tips! These are my new mangle rules: /ip firewall mangle add action=mark-connection chain=prerouting comment="SSH connection" protocol=tcp dst-port=22,2222 connection-mark=no-mark new-connection-mark=ssh_con add action=mark-connection chain=prerouting comment="SSH co...
by nagylzs
Sat Dec 12, 2020 11:00 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

Sorry, this is what I intended to post. Okay so for every mark-connection rule, I need to add connection-state=new. For example: chain=prerouting action=mark-connection new-connection-mark=ssh_con connection-state=new protocol=tcp dst-port=22,2222 Thanks for catching that. I still don't understand ...
by nagylzs
Sat Dec 12, 2020 9:09 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

If it helps, read also this post (except my first paragraph there) - the way you've configured your mangle rules, you waste the CPU by matching every single packet against multiple mangle rules.
You accidentally posted your profile url.
by nagylzs
Sat Dec 12, 2020 9:07 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

Changed queue tree config to this: /queue tree add limit-at=10M max-limit=10M name=local_out parent=bridge add comment="SSH 10k guaranteed, high priority" limit-at=10k max-limit=10M name=ssh_to_bridge packet-mark=ssh parent=\ local_out priority=1 add comment="Backup server SSH, low pr...
by nagylzs
Fri Dec 11, 2020 10:19 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

And another regular resolver is the best choice for most users, because they don't have own DoH resolvers, and if they would add local static record with current address of some public one, they can't be sure if it's going to be the same tomorrow. You are right, most users don't have their own DoH ...
by nagylzs
Fri Dec 11, 2020 10:06 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

Okay, I could setup a test environment and play with it. Here are the results. 1. Do we need a regular DNS server for resolving the hostname of the DoH server? The answer is no, we don't. Static dns entries can be used for resolving the hostname of the DoH http server. I have tested this the followi...
by nagylzs
Thu Dec 10, 2020 8:53 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

At least, you have learned something after that. :-) Scientists do experiments to find out how things are, because they don't have a choice. I tend to learn things from documentations (and from others) when possible. It is just more effective. Of course, there is a good side of learning something t...
by nagylzs
Thu Dec 10, 2020 8:49 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

I do not disagree with you. It's just that when I need to know something, I'd rather spend a few minutes testing it than wait and hope that someone gives me the answer. For me, it would take hours to set up a working, usable test environment. I'm not lazy, but I may not be clever enough to do it in l...
by nagylzs
Thu Dec 10, 2020 3:15 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Re: Queue tree not working as expected

Anybody, please.
by nagylzs
Thu Dec 10, 2020 3:14 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

I don't know the answer and right now I'm too lazy to test it. But you can easily do it yourself. To watch default behaviour, just add logging rule in output for destinations with tcp/443 (or whatever your DoH server uses). And then in output again, you can block (reject/drop) connections to select...
by nagylzs
Wed Dec 09, 2020 8:35 pm
Forum: SwOS
Topic: CSS610-8G-2S+IN - no firmware to download?
Replies: 10
Views: 2620

Re: CSS610-8G-2S+IN - no firmware to download?

Are there similar problems with CSS326-24G-2S+RM ? I'm thinking about getting CSS326-24G-2S+RM units instead of CSS610. I just want to make sure that they don't have such obvious problems before I buy them.
by nagylzs
Wed Dec 09, 2020 8:17 pm
Forum: SwOS
Topic: CSS610-8G-2S+IN - no firmware to download?
Replies: 10
Views: 2620

Re: CSS610-8G-2S+IN - no firmware to download?

Today I have returned my CSS610 devices to the seller. Shipping cost was lost. :-(
by nagylzs
Wed Dec 09, 2020 7:47 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

Stupid question, but how does router know to which IP address to resolve cloudflare-dns.com domain, if you use only DoH? I already gave an answer for that. But I'm going to paste it here for you. https://wiki.mikrotik.com/wiki/Manual:IP/DNS#DNS_over_HTTPS Note that you need at least one regular DNS...
by nagylzs
Wed Dec 09, 2020 7:12 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

DNS round robin does not provide fault tolerance, it provides crude way of load balancing. You are wrong in many ways. 1. DNS rr does provide fault tolerance. I'm actually the operator of a website that partly uses DNS rr for fault tolerance. (Also mentioned here: https://en.wikipedia.org/wiki/Roun...
by nagylzs
Wed Dec 09, 2020 2:37 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

I thought that was the whole idea of use router DNS Services. It would attempt to resolve DNS for you. a. via its own cache b. via your dynamic server entries c. via your ISP connection if all above failed. There are at least two DNS lookups involved. One is used to resolve IP address for the domai...
by nagylzs
Wed Dec 09, 2020 2:13 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

Round Robin is on the server side and not the client side. RouterOS is here a client. Yes, it plays the role of an HTTPS client. All major browsers do this. They fetch all addresses and if an address fails, then they will try another one until they can connect. I think many other tools are doing...
by nagylzs
Wed Dec 09, 2020 12:01 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

Re: DNS over HTTPS, round robin support

I'm sorry, that was not the question. The question was this: does RouterOS handle round-robin A records for DNS-over-HTTPS? So for example, if the first address is not available for the given domain, then will it try to use the second one? Or will it fail with SRVFAIL? Please note that cloudflare wa...
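The client-side failover the two posts above describe (a browser fetching every A record and moving to the next one when a connect fails) versus giving up on the first dead address, as an added Python illustration. This is not RouterOS code and does not answer whether RouterOS's DoH client retries the next record; it only shows the two behaviours side by side. The addresses in demo() are constructed from the 192.0.2.0/24 documentation range, and the connector is injected so the example runs offline.

```python
"""Client-side failover across a round-robin DNS answer.

Added illustration, not RouterOS code. The addresses in demo() are
constructed (192.0.2.0/24 documentation range); the connector is injected so
nothing touches the network unless tcp_connect/resolve_all are used.
"""
import socket
from typing import Callable, List, Optional, Tuple

Connector = Callable[[str, int], None]


def connect_with_fallback(addresses: List[str], port: int, connect: Connector,
                          fallback: bool = True) -> Tuple[Optional[str], List[str]]:
    """Try each address in order; return (address that worked, failures).

    fallback=False makes the first failure final, i.e. the 'first record is
    dead, so the whole lookup fails' behaviour the thread worries about."""
    failures: List[str] = []
    for addr in addresses:
        try:
            connect(addr, port)
            return addr, failures
        except OSError as exc:
            failures.append(f"{addr}: {exc}")
            if not fallback:
                break
    return None, failures


def tcp_connect(addr: str, port: int, timeout: float = 3.0) -> None:
    """Real connector: complete a TCP handshake and close again."""
    with socket.create_connection((addr, port), timeout=timeout):
        pass


def resolve_all(name: str, port: int = 443) -> List[str]:
    """Every A/AAAA record for a name, in resolver order, without duplicates.
    Needs network access; not used by demo()."""
    found = [info[4][0] for info in
             socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)]
    return list(dict.fromkeys(found))


def demo() -> dict:
    # Constructed round-robin answer: the first two addresses are down.
    answers = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    reachable = {"192.0.2.12"}

    def fake_connect(addr: str, port: int) -> None:
        if addr not in reachable:
            raise ConnectionRefusedError(f"connect to {addr}:{port} refused")

    return {
        "with_fallback": connect_with_fallback(answers, 443, fake_connect),
        "first_only": connect_with_fallback(answers, 443, fake_connect,
                                            fallback=False),
    }


if __name__ == "__main__":
    for mode, (chosen, failures) in demo().items():
        print(mode, "->", chosen, failures)
```

For a live check replace the fake connector with tcp_connect and feed it resolve_all("cloudflare-dns.com"); the failures list then tells you which records of the round-robin set a client that does retry would have had to skip.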
by nagylzs
Wed Dec 09, 2020 8:39 am
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1453

DNS over HTTPS, round robin support

Starting from RouterOS version v6.47 it is possible to use DNS over HTTPS (DoH). Something like this: /ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes This is the example from https://wiki.mikrotik.com/wiki/Manual:IP/DNS. Well, cloudflare-dns.com has multiple IP ad...
by nagylzs
Tue Dec 08, 2020 10:23 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 2445

Queue tree not working as expected

My queue tree does not work as expected, I wonder why. I have a HAP AC2 router with ISP theoretical max. speed= 500Mbps down, 22 Mbps up. The WAN interface is called "ether1-UPC". The LAN part uses all remaining ports in a bridge called "bridge". I wanted to create a queue tree t...
by nagylzs
Fri Nov 13, 2020 5:56 pm
Forum: SwOS
Topic: CSS610-8G-2S+ Management Access from SFP+ Port
Replies: 218
Views: 23584

Re: CSS610-8G-2S+ Management Access from SFP+ Port

This is like selling a car that has no wheels. We may classify this problem as a "software bug". But this is an obvious fault, and the product could never work with the simplest configuration.
by nagylzs
Wed Nov 11, 2020 2:20 pm
Forum: SwOS
Topic: CSS610-8G-2S+IN SFP+ Management acces problem from trunk SFP1+
Replies: 2
Views: 553

Re: CSS610-8G-2S+IN SFP+ Management acces problem from trunk SFP1+

Next time you create a new thread, please check if somebody has already posted something similar. The SwOS topic is currently full of CSS610 problems: https://forum.mikrotik.com/viewtopic.php?f=17&t=167952 https://forum.mikrotik.com/viewtopic.php?f=17&t=168159 https://forum.mikrotik.com/view...
by nagylzs
Thu Nov 05, 2020 9:09 pm
Forum: SwOS
Topic: CSS610-8G-2S+ and VLANs
Replies: 21
Views: 3287

Re: CSS610-8G-2S+ and VLANs

MikroTik has released their new product with unstable firmware (release candidate) it is full of bugs. This is not what they usually do. I'm disappointed. There are some CSS610 devices sitting on my shelf right now, and I'm not sure what to do with them. :-(
by nagylzs
Thu Nov 05, 2020 1:08 pm
Forum: SwOS
Topic: CSS610-8G-2S+ and VLANs
Replies: 21
Views: 3287

Re: CSS610-8G-2S+ and VLANs

Please look at threads written by others before you ask something that has already been asked. Everybody is having problems with CSS610-8G-2S+ devices https://forum.mikrotik.com/viewtopic.php?f=17&t=167891 https://forum.mikrotik.com/viewtopic.php?f=17&t=168475 https://forum.mikrotik.com/viewt...
by nagylzs
Fri Oct 30, 2020 9:37 am
Forum: SwOS
Topic: CSS610-8G-2S+ Management Access from SFP+ Port
Replies: 218
Views: 23584

Re: CSS610-8G-2S+ Management Access from SFP+ Port

Well, I bought these units for a concrete installation, and now I'm not able to use them. I have a deadline. Since they cannot tell when it will be fixed, I have to use something else. When I bought them, I did not know that web management and DHCP client won't work on the SFP+ port. It also turned out ...
by nagylzs
Thu Oct 22, 2020 11:28 pm
Forum: SwOS
Topic: CSS610-8G-2S+ Management Access from SFP+ Port
Replies: 218
Views: 23584

Re: CSS610-8G-2S+ Management Access from SFP+ Port

It is not just the management interface. It seems that the DHCP client is also affected. On the DHCP server side I see that an address was "offered" to the switch, but the switch is not bound to the offered address.
by nagylzs
Thu Oct 22, 2020 8:52 pm
Forum: SwOS
Topic: CSS610-8G-2S+IN - no firmware to download?
Replies: 10
Views: 2620

Re: CSS610-8G-2S+IN - no firmware to download?

By the way, the factory installed firmware is a release candidate, and there is no stable/final version that could be downloaded. You were right, I could find the downloadable firmwares under https://mikrotik.com/download, but CSS610-8G-2S+IN firmware is not among them. So I guess I have to use a rel...
by nagylzs
Thu Oct 22, 2020 8:45 pm
Forum: SwOS
Topic: CSS610-8G-2S+ Management Access from SFP+ Port
Replies: 218
Views: 23584

Re: CSS610-8G-2S+ Management Access from SFP+ Port

> Can anyone of you, also owning that switch, try if you have the same issue?

I can also confirm this problem. I just plugged in two identical CSS610-8G-2S+ switches, connected them via SFP+. I can access both of their web interfaces through the RJ45 port, but not through the SFP+ port.
by nagylzs
Thu Oct 22, 2020 7:55 pm
Forum: SwOS
Topic: CSS610-8G-2S+IN - no firmware to download?
Replies: 10
Views: 2620

Re: CSS610-8G-2S+IN - no firmware to download?

Well I'm sorry. I was looking for it under "Support and **downloads**" on the product's page.

Still don't know why I get the "probably no internet connection" error message?
by nagylzs
Thu Oct 22, 2020 5:55 pm
Forum: SwOS
Topic: CSS610-8G-2S+IN - no firmware to download?
Replies: 10
Views: 2620

CSS610-8G-2S+IN - no firmware to download?

Hi! I just got my brand new CSS610-8G-2S+IN and it is running SwOS 2.12rc2. The /index.html#upgrade page on its web interface says: > ERROR: Could not determine latest version, probably no internet connection. Use manual upgrade. But there is nothing wrong with the internet connection. Is this a bug...
by nagylzs
Mon Oct 12, 2020 11:33 am
Forum: General
Topic: L2TP client and IPSEC on RouterBOARD hAP Lite
Replies: 8
Views: 1693

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

L2TP will add some extra overhead, on the other hand if I remember correctly, the limit of the Windows embedded client is AES-128, so the encryption/decryption will be a bit less CPU intensive. But nevertheless, I'd recommend you to consider using bare IKEv2, RouterOS allows to push routes to the W...
by nagylzs
Sat Oct 10, 2020 4:35 pm
Forum: SwOS
Topic: IEEE 802.3ad (LACP) transmit-hash-policy on SwOs
Replies: 0
Views: 448

IEEE 802.3ad (LACP) transmit-hash-policy on SwOs

Hi! The documentation at https://help.mikrotik.com/docs/display/ROS/Bonding says this about IEEE 802.3ad (LACP): > The ARP link monitoring is not recommended, because the ARP replies might arrive only on one slave port due to transmit hash policy on the LACP peer device. This can result in unbalance...
by nagylzs
Tue Jun 16, 2020 8:17 am
Forum: General
Topic: L2TP client and IPSEC on RouterBOARD hAP Lite
Replies: 8
Views: 1693

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

But that's the only way I can test it now.
Thank you for taking the effort! So this is on the edge: it might work, but in some cases it can be slow. (I can go down with the bitrates for VNC)
by nagylzs
Mon Jun 15, 2020 10:46 pm
Forum: General
Topic: L2TP client and IPSEC on RouterBOARD hAP Lite
Replies: 8
Views: 1693

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

For one or two clients per site, it would probably be better to setup windows l2tp client for each one of them. For 50 clients per site, a dedicated VPN is much better. This site currently has 5 client computers. I'm not sure what would be better... It is not just setting up the L2TP connection on W...
by nagylzs
Mon Jun 15, 2020 10:19 pm
Forum: General
Topic: L2TP client and IPSEC on RouterBOARD hAP Lite
Replies: 8
Views: 1693

L2TP client and IPSEC on RouterBOARD hAP Lite

I need to access many computers with VNC and RDP at a company's remote site. I will do this only when they have a problem. (One or two times weekly.) I had this idea of buying a cheaper MikroTik router and use l2tp-client and ipsec for this. I cannot change their internal network, but I could instal...
by nagylzs
Wed Mar 25, 2020 3:30 pm
Forum: General
Topic: l2tp-out2 not running
Replies: 0
Views: 1417

l2tp-out2 not running

Below in the logs, my problematic mikrotik router has address 1.2.3.4 and name my.client.machine.com. I also have two other mikrotik routers at some_domain_1.com and some_domain_2.com (which is 9.8.7.6 in the example below). My goal is to connect my.client.machine.com (as an L2TP client) to both som...
by nagylzs
Fri Dec 06, 2019 9:22 pm
Forum: General
Topic: L2TP client (ubuntu) fails to connect
Replies: 2
Views: 2574

Re: L2TP client (ubuntu) fails to connect

In the Ubuntu log, I think this is the part when it first goes wrong: dec 06 11:52:59 my-client-pc NetworkManager[23171]: <info> [1575629579.1350] vpn-connection[0x5653596f20e0,f06adc21-dd22-4c95-b5ce-376124f31822,"my.router.com",0]: VPN plugin: state changed: starting (3) dec 06 11:53:13 ...
by nagylzs
Fri Dec 06, 2019 12:56 pm
Forum: General
Topic: L2TP client (ubuntu) fails to connect
Replies: 2
Views: 2574

L2TP client (ubuntu) fails to connect

I'm trying to connect to a MikroTik L2TP/IPSEC server from an Ubuntu Linux 18.04.3 LTS client. The router has this config: /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=modp2048 /ip ipsec policy set 0 dst-address=0.0.0...
by nagylzs
Tue Oct 08, 2019 8:39 pm
Forum: General
Topic: Allow users to access clients connected with L2TP
Replies: 2
Views: 939

Re: Allow users to access clients connected with L2TP

Okay, that was the problem. I did not know that the new version of Windows 10 firewall disables ICMP ping requests by default. I could also open port TCP/5900. So the problem was fully with the client, not MikroTik settings.

Thank you for your help!
by nagylzs
Tue Oct 08, 2019 7:36 pm
Forum: General
Topic: Allow users to access clients connected with L2TP
Replies: 2
Views: 939

Allow users to access clients connected with L2TP

Hello, I'm using L2TP with pre-shared key. Here is my current firewall configuration: /ip firewall filter add action=accept chain=input comment="L2TP szerver 2/1" port=1701,500,4500 protocol=udp add action=accept chain=input comment="L2TP szerver 2/2" protocol=ipsec-esp add actio...
by nagylzs
Sun Jul 21, 2019 3:52 pm
Forum: General
Topic: Please help me understand how VLAN assignment works [SOLVED]
Replies: 3
Views: 891

Re: Please help me understand how VLAN assignment works [SOLVED]

I'm beginning to grasp what you wrote. I was not aware of the two sides of vlan interfaces. :-)
by nagylzs
Sun Jul 21, 2019 3:26 pm
Forum: General
Topic: Please help me understand how VLAN assignment works [SOLVED]
Replies: 3
Views: 891

Re: Please help me understand how VLAN assignment works [SOLVED]

I have removed vlan10_guest24 and vlan10_guest5, this also removed the vlan interfaces from bridge_guest. I have also changed vlan_mode=no_tag for both virtual interfaces. The guest network is still working. So I do not need to use VLANs for making a guest network at all. BTW I was following this ar...
by nagylzs
Sun Jul 21, 2019 1:30 pm
Forum: General
Topic: Please help me understand how VLAN assignment works [SOLVED]
Replies: 3
Views: 891

Please help me understand how VLAN assignment works [SOLVED]

I have followed a tutorial to create a guest wifi network that is separated from the private network, using a VLAN. I'm not sure if I have done everything right, but this setup does work. I'm going to post the basic configuration below before I ask. My private network has two wireless radios and two...
by nagylzs
Fri Jul 19, 2019 8:04 pm
Forum: General
Topic: L2TP server, malformed cookie received or the spi expired [SOLVED]
Replies: 7
Views: 1945

Re: L2TP server, malformed cookie received or the spi expired [SOLVED]

Worked like a charm! And it was so easy to do, I think it is easier than modifying the registry on a single computer! Just for completeness, if the public ip is 1.2.3.4 and the WAN interface (connected to the outer/NAT router) is your-wan-interface then this will do it: /interface bridge add name=&q...
by nagylzs
Fri Jul 19, 2019 10:58 am
Forum: General
Topic: L2TP server, malformed cookie received or the spi expired [SOLVED]
Replies: 7
Views: 1945

Re: L2TP server, malformed cookie received or the spi expired [SOLVED]

Very intriguing. :-) I have to try this (but I can only do it later).
by nagylzs
Fri Jul 19, 2019 7:23 am
Forum: General
Topic: L2TP server, malformed cookie received or the spi expired [SOLVED]
Replies: 7
Views: 1945

Re: L2TP server, malformed cookie received or the spi expired [SOLVED]

On the other router, the suggested changes worked, I can now log in. So the remaining problem is with the ISP's router, it cannot do NAT on IPSEC. I have to call them. Thank you for your help!
by nagylzs
Thu Jul 18, 2019 11:51 pm
Forum: General
Topic: L2TP server, malformed cookie received or the spi expired [SOLVED]
Replies: 7
Views: 1945

Re: L2TP server, malformed cookie received or the spi expired [SOLVED]

Okay, this is what I did: /ip ipsec identity remove 1 /ip ipsec peer remove 1 /interface l2tp-server server set ipsec-secret "*********************" The current config looks like this: /ip ipsec export /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algor...
by nagylzs
Thu Jul 18, 2019 10:21 pm
Forum: General
Topic: L2TP server, malformed cookie received or the spi expired [SOLVED]
Replies: 7
Views: 1945

L2TP server, malformed cookie received or the spi expired [SOLVED]

I have two routers that had been working with L2TP windows clients before. After upgrading to 6.44.3 clients cannot connect from Windows anymore. I'm getting messages in the log like this: 21:10:41 ipsec,debug 11.22.33.44 malformed cookie received or the spi expired. where 11.22.33.44 is the IP addr...
by nagylzs
Fri Jul 12, 2019 9:40 pm
Forum: Wireless Networking
Topic: Can I use NV2 and "normal" Wifi on the same device?
Replies: 4
Views: 1074

Re: Can I use NV2 and "normal" Wifi on the same device?

Wireless Wire seems very promising. :-) But it is not omni-directional. Are you suggesting to use a WAP_60g in the main office, and multiple wireless wire devices in the secondary offices, directed to the main office?
by nagylzs
Fri Jul 12, 2019 8:56 pm
Forum: Wireless Networking
Topic: Can I use NV2 and "normal" Wifi on the same device?
Replies: 4
Views: 1074

Can I use NV2 and "normal" Wifi on the same device?

I have a place where the main office is using a HAP AC2 router for wifi, both 2.4GHz and 5.Ghz. I need to connect secondary office buildings with AP clients (point to multi point) that are about 50m away. I would like to use these access points in bridge mode (probably RouterBOARD LHG 5 or similar)....
by nagylzs
Mon Jul 08, 2019 4:38 pm
Forum: Scripting
Topic: Script to check whether a destination port is open
Replies: 3
Views: 10060

Re: Script to check whether a destination port is open

Sorry for being a necromancer. I also need to test if a port is open. But I cannot use fetch, because this is not the http, https or ftp protocol. The fetch tool can only use these protocols. Is there a way to tell if a port is open in general? (I need to test TCP 6055 and UDP 6055 in particular, and I know ...
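A generic TCP and UDP port probe for the question above, as an added example that runs on any host with Python rather than on the router itself (the post notes that /tool fetch only speaks HTTP, HTTPS and FTP). It is not code from the thread. The demo() targets are loopback listeners the script starts itself, and the UDP "service" is assumed to answer any datagram, which most real UDP services do not; the three-way UDP result reflects that a silent port cannot be told apart from a filtered one without a protocol-specific probe.

```python
"""Probe a TCP or UDP port from a host with Python.

Added example, not RouterOS code. demo() uses loopback listeners it starts
itself; the echoing UDP listener is a constructed stand-in for a service
that answers arbitrary datagrams.
"""
import socket
import threading


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake completes; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_port_state(host: str, port: int, payload: bytes = b"probe",
                   timeout: float = 2.0) -> str:
    """UDP has no handshake, so there are three outcomes:
    'closed'        an ICMP port-unreachable came back (a connected UDP
                    socket surfaces it as ConnectionRefusedError on recv),
    'open'          the service answered the datagram,
    'open|filtered' silence: the port may be open but mute, or a firewall
                    may be dropping the probe or the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(512)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def demo() -> dict:
    """Start loopback listeners, probe them, tear them down, probe again."""
    results = {}

    # TCP: a listening socket accepts the handshake even before accept().
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(1)
    tcp_port = tcp_srv.getsockname()[1]
    results["tcp_listening"] = tcp_port_open("127.0.0.1", tcp_port)
    tcp_srv.close()
    results["tcp_closed"] = tcp_port_open("127.0.0.1", tcp_port)

    # UDP: a constructed echo service that answers exactly one datagram.
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind(("127.0.0.1", 0))
    udp_port = udp_srv.getsockname()[1]

    def echo_once() -> None:
        data, peer = udp_srv.recvfrom(512)
        udp_srv.sendto(data, peer)

    worker = threading.Thread(target=echo_once, daemon=True)
    worker.start()
    results["udp_answering"] = udp_port_state("127.0.0.1", udp_port)
    worker.join(timeout=3)
    udp_srv.close()
    # Closed UDP port: Linux answers with ICMP unreachable on loopback;
    # a sandbox that swallows ICMP reports 'open|filtered' instead.
    results["udp_closed"] = udp_port_state("127.0.0.1", udp_port, timeout=1.0)
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real target, tcp_port_open("host", 6055) is conclusive, while udp_port_state("host", 6055) is only conclusive when it returns 'closed'; to confirm UDP 6055 is actually open you need to send something the service will answer.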