MikroTik

fritzme

update 1: according to some videos about setting up the EOIP : site1: I've delete the address assigned to interface eop-router01 and add that interface to bridge site2: I've delete the address assigned to interface eop-router02 and add that interface to bridge Now, site1 can ping public IP of site2 ...

fritzme

SITe1 HAP AX2 WAN ethernet1 LAN in bridge mode /interface/eoip/pr detail 0 R name="eoip-tunnel-core-router01" mtu=1500 actual-mtu=1500 l2mtu=65535 mac-address=02:72:FD:38:FB:CC arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-prot...

fritzme

@colinardo

God/Buddha/Allah/ bless you,

finally I've manage to make that retard iPhone [wireless vlan300] to see my network printer [vlan 100]

fritzme

Some ppl drive a Buick and complaint it is not as fast as a Lambo

For docker complainers, 1st must understand their equipment/resources/limits...

fritzme

Hello, For anyone facing similar issue with starting of more then one container even if start-on-boot has been enabled. I have updated my router running on 7.6 and only one container has been started after reboot. Here is a workaround script add dont-require-permissions=yes name=start_containers own...

fritzme

Hello, Since I've moved to FO, I have an old SXT Lite5 ac, that I want to decommission it... However I'd like to have an outdoor AP to cover the garden (~700mp) I realized SXT Lite5 ac has license level 3 (has lots of limitations) as it was used in a P-t-P configuration. I would like now to use it a...

fritzme

For VPN on Android:

if ROS 6 => iKEv2
if ROS 7 => iKEv2 or Wireguard

fritzme

+ don't know if normal,
I do have sync internet 1G up 1G down,
...and I see if I put something to download and speed is over 500mbs , CPU load reaches ~38% ...

fritzme

Thanks,

Indeed once is it working don't change it,
Was more curios about taking the 2nd approach, to use the switch mode

fritzme

Hello, Again I'm a bit lost related to what would be the best approach in my case 1. router RB450Gx4 - ether1 WAN - ether5 trunk port =>SW1 /interface bridge vlan add bridge=BR1 tagged=BR1,ether5 vlan-ids=80 add bridge=BR1 tagged=BR1,ether5 vlan-ids=99 add bridge=BR1 tagged=ether5,BR1 vlan-ids=10 ad...

fritzme

We are still working on container support, it will return

this year ?!

fritzme

@powershell approach (run powershell as admin) IKEV2 Win10/11 A. import CErt Import-PfxCertificate -FilePath .\xyz.pfx -Password (ConvertTo-SecureString -String '12345' -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\Root B. export CA cert to cer format $cert=Get-ChildItem Cert:\LocalMach...

fritzme

Ye, so far I am quite satisfied by the new updated userman.
Some minor issues, but now I can fully use for wireless auth, also for some network switches.

fritzme

radius-eap-accounting=no This should be set to "yes". ---------------------------------------------------- 2022-04-07_15-23-08.png do you use profiles in user-man? 2022-04-07_15-22-23.png Flawless :) Everything is working: radius, win, android, linux However, have any idea how to force cl...

fritzme

Hello, https://help.mikrotik.com/docs/display/ROS/Certificates#Certificates-Let'sEncryptcertificates Did you use passthrough or PEAP? honestly, I was trying to replicate your config "MSCHAPv2" and I was unsuccessful. For the active session log that will work if you use user-man as radius,...

fritzme

Hello, I just have upgraded my RB450Gx4 to ROS 7.1.5 ...and for couple of days trying to figure out why plain and simple aut with user/pass for wifi Ent (PEAP) is not working... It's working fine. You should check this Document. https://help.mikrotik.com/docs/display/ROS/Enterprise+wireless+securit...

fritzme

Hello, I just have upgraded my RB450Gx4 to ROS 7.1.5 ...and for couple of days trying to figure out why plain and simple aut with user/pass for wifi Ent (PEAP) is not working... router has multiple vlans ( my case vlan 80 [192.168.80.3] has direct connection to unifi AP) [admin@core-router] > /user-...

fritzme

Hello, I just took yesterday a leap of faith and I just installed ROS 7.1.5 on my Router ( RB450gx4) SO, here is current setup: 1. router+ UM : IP: 192.168.90.3 - /user-manager profile add name=prof1 name-for-users=prof1 /user-manager user group add inner-auths=peap-mschap2 name=tsa outer-auths=msch...

fritzme

Although many people use to talk about a VLAN when they actually have in mind a subnet, and vice versa, these are not synonyms. Sometimes it doesn't matter, sometimes it does. Since we've just got through subnet to subnet policies, I guess you indeed talk about an L2 transparent tunnel now? That is...

fritzme

Although many people use to talk about a VLAN when they actually have in mind a subnet, and vice versa, these are not synonyms. Sometimes it doesn't matter, sometimes it does. Since we've just got through subnet to subnet policies, I guess you indeed talk about an L2 transparent tunnel now? That is...

fritzme

OK, and from here on, you can start discovering the what-if way. Change the selector at one side (say, src-address at R1 and thus dst-address at R2) in both static policies to 0.0.0.0/0 , you should still be able to access R1 LAN subnets from R2 LAN subnets and vice versa, but also access "the...

fritzme

So: R1 /ip ipsec policy group add name=ikev2 /ip ipsec policy add dst-address=192.168.30.0/24 group=ikev2 proposal=ikev2 src-address=192.168.20.0/24 template=yes add dst-address=192.168.30.0/24 group=ikev2 proposal=ikev2 src-address=192.168.70.0/25 template=yes R2 /ip ipsec policy group add name=ike...

fritzme

R1 can't ping anything on R2 That's no surprise - your export shows that the only IPsec policy at R1 is the dynamically created one, with src-address=0.0.0.0/0 and dst-address=192.168.20.2 (based on the address=192.168.20.2 and split-include=0.0.0.0/0 in the mode-config row). So only traffic to 192...

fritzme

Would it help you more to talk about it using voice? You keep switching between approaches and there is always some missing bit, maybe a systematic explanation might help?

I do think so...

anyway, here are the exported configs

R2.rsc

R1.rsc

fritzme

Hm... I just wiped out the entire configs and I have now following situation: R1 [WAN:192.158.50.7] (HQ) modecofig /ip ipsec mode-config add address=192.168.20.2 name=R2 split-include=0.0.0.0/0 system-dns=no /ip ipsec policy group add name=ikev2 /ip ipsec policy add dst-address=192.168.20.0/24 group...

fritzme

Capture.PNG Source of inspiration :) https://www.youtube.com/watch?v=n5_Af2vllOA So to resume R2 (branch office to connect to R1 HQ) all machines should communicate to each others. 1. certificates created /imported, tunnel established. BUT right after, NO LAN machines from R2 can't communicate to L...

fritzme

So, I just re-checked everything, Sorry if looks a bit stoopid but just watched couples of videos related to this and made me even more confused about the right options :) On R1: /ip firewall raw add action=notrack chain=prerouting dst-address=0.0.0.0/0 log=yes log-prefix=RAW src-address=192.168.40....

fritzme

R1 /ip firewall filter add action=accept chain=input protocol=ipsec-ah add action=accept chain=input protocol=ipsec-esp /ip firewall nat add action=accept chain=srcnat dst-address=192.168.20.0/24 src-address=192.168.30.0/24 add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168....

fritzme

First, the policies at both R1 and R2 are identical rather than mirroring each other (both have the same dst-address and the same src-address ), I suppose it is actually not the case and it's just a copy-paste error? Second, the traffic selection by IPsec policies takes place after regular routing,...

fritzme

Hello, I do try to emulate a site2site setup in GNS3 == Capture.PNG == Setup: branch office: (R2) WAN: 192.168.50.8 LAN: 192.168.30.0/24 HQ: (R1) WAN: 192.168.50.7 LAN1: 192.168.20.0/24 LAN2: 192.168.60.0/25 BOTH routers have blank firewall configs cert generated on R1, imported on R2 connection est...

fritzme

[/system clock get time] - 24h ???

23:35:00 - 24h = -00:25:00

array -> :toarray ?

Oke, I just modified ([/system clock get time] - 5m)
Still, have no clue about "find" to get the IP ....

fritzme

Hello, I'm trying to modify a script that is searching the log file for a specific message and to extract the IP and then create firewall rule: local loglist [:toarray [/log find time>([/system clock get time] - 24h) message~"no IKEv1 peer config"]] # for all error do :foreach i in=$loglis...

fritzme

Case closed, everything is working as designed.

On the other hand, MIkrotik documentation require serious updates !!!

fritzme

The packets decapsulated from IPsec transport ones inherit the in-interface attribute from the transport ones. Assuming that ether1 is your WAN, the dst-nat rule action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.50.10 to-ports=45000-45500 diverts any TCP connection c...

fritzme

I have disabled mangle rules: Here are all firewall rules: for IKEv2 I'm using pool: 10.0.60.0/24 [admin@core-router] > ip firewall filter export /ip firewall filter add action=drop chain=input log-prefix="blocked attack" src-address-list=IPSEC add action=accept chain=input comment="d...

fritzme

++ update !! Yes, indeed, I have multiple peers defined with exchange-mode=ike2. After I have disabled all peers except the one for android I can connect:) But this raised 1 more questions: AFTER I have established connection, I can ping from phone external sites (DNS resolves) but can't connect to ...

fritzme

I'm a bit confused by xena@local.cz being used as both the common name of the initiator's (Strongswan's) certificate an the own ID of the responder (Mikrotik); maybe the IPsec stack is confused too? How does Mikrotik's own certificate look like? I also hazily remember I had cases where I had to rem...

fritzme

Hello, For a couple of days I'm struggling to make my android phone to connect to a IKEv2 vpn Setup: MIKROTIK ROS 6.47.9 LTS 4 windows machines ( certificated create + imported on each machine ) => ALL of them can establish connection. /certificate pr detail K I name="xena@local.cz" digest...

fritzme

As many on this forum I've run into multiple issues trying to figure out howto make a win10 machine to auth to a mikrotik l2tp/ipsec server. P.S. this setup allow both: android + win10 clients to auth. "Official" Mikrotik tutorials => failed miserable Others sources => partially success So...

fritzme

You probably don't want to include ether1 to bridge at all (unless you have some particularly good reason for that), so simply configure ether1 with WAN setup. Other ether ports should be members of same bridge, ether2 and ether3 settings same as ether2 on AP1. What do you mean by writing "eth...

fritzme

_network1.png Hello, as you can see I do have following setup:: So here's config for AP1 aka HAP-AC2 /interface bridge add name=BR1 protocol-mode=none vlan-filtering=no # VLAN80 /interface bridge port add bridge=BR1 interface=wlan1 pvid=80 add bridge=BR1 interface=wlan2 pvid=80 # VLAN400 /interface...

fritzme

Please read this great tutorial: https://forum.mikrotik.com/viewtopic.php?t=143620 Hi @erlinden , Now, supposing that i choose router-switch setup, where HAPAC2 is acting as router and HAPAC2 as switch/AP [admin@HAP-AC_AP] > interface br pr Flags: X - disabled, R - running 0 R name="br_ipcam&q...

fritzme

Hello, Hereis my setup, Any help is highly appreciated... [router] HAPAC2 :: br_vlan10_100 VLAN10/100 ether4 => SW1 VLAN10/100 ether5 => SW2 br_ap (192.168.200.3/24) ether2 => AP1 ether4 => AP2 ip addresses: vlan10 (192.168.10.3/24) vlan100 (192.168.100.3/24) DHCP servers configured for vlan10, vlan...

fritzme

Hello, I do have following setup: hap-ac with wireless/PEAP 2. radius servers: 2.1. both radius servers are using the same ldap backend server on a different machine. # model = RouterBOARD 962UiGS-5HacT2HnT # serial number = 8A7709E56724 /radius add address=192.168.50.10 comment="primary radius...

fritzme

Ok, so here is my setup: 1 main router HEX S( ether1=>WAN, ether5=>AP1, ether4=>AP2) 2. AP1: HAP AC 3.AP2: TP LINK On HEX S: created a vlan200 and a dhcp server for both access points (192.168.200.2/24). Now, I have created a virtual wireless interface for wlan1 and created a hotspot server profile ...

fritzme

Hello,

1st thing: I will be using HAP AC2 as router and existing HAP AC I'd like to setup as AP only.
What exactly do I have to do ?

2nd : on my current HAP AC I do have setup a hotspot
Can I export the firewall rules regarding hotspot from hac ac and import them to hpa ac2 ?

fritzme

Hm, So, should I consider this setup as incorrect ? [admin@MikroTik] > /interface vlan print Flags: X - disabled, R - running # NAME MTU ARP VLAN-ID INTERFACE 0 vlan10 1500 proxy-arp 10 ether5 1 vlan100 1500 proxy-arp 100 ether5 [admin@MikroTik] > ip dhcp-server pr Flags: D - dynamic, X - disabled, ...

fritzme

Hello, I'm a bit confused about the proper way of configuring vlans on HAP AC2: Here is what I want: WAN => eth1 VLAN10 => ether2,4 VLAN100 => ether3 VLAN150 =>ether5 Ok, now here is the part that I don't get it bridge menu : create bridge150=> assign ether5 to it interfaces menu: create vlan150=> a...

fritzme

Did someone noticed any wireless performance drops after upgrading to 6.46.2 ?
... for both 2.4 Ghz and 5 Ghz....

fritzme

my hapac is broken,red light wont flash,and I can not connect with adress 192.168.88.1,only with mac adress,and does not occur home ap dual!!!
What could I do?

revert to 6.44.6 (Long-term) or 6.45.7

fritzme

962UiGS-5HacT2HnT => The new release pissed me off more then the law allow... Just to resume: after upgrade from 6.45.7 - NONE of devices could connect on 5g interface - performance of 2.4G was mediocre, - got intermittent disconnect of a direct cable connection between the hap-ac and computer. - af...

fritzme

Here is my situation: ISP1 => ether1; ip static = 1.1.1.1 ISP2 => LTE: ip dhcp bridge1: ether2-4 : ip static = 192.168.100.3/24 So, what I'd like to do: IF destination = youtube.com or if destination=netflix.com or if destination = 10.0.0.100/27 => then outgoing ISP = LTE otherwise the rest of the t...

Search found 52 matches