Community discussions

Search found 101 matches

by danergo
Mon Nov 29, 2021 8:21 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

As long as the Rx packet rate is below the Tx packet rate, it's still reasonable, as TCP doesn't acknowledge every single packet. Also the speed fluctuation seems a TCP thing to me, because delay of ACK, as well as laziness of the destination to fetch the received data from the input buffer, causes...
by danergo
Sun Nov 28, 2021 8:01 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Hi! I have come across an interesting detail. Let's reverse now the direction (sending files from initiator to responder). Bandwidth in this direction is ~7MBps (according to Ookla): https://i.imgur.com/MICqn0o.png This might be inaccurate, as it measured ~10MBps for the download direction, and I ...
by danergo
Sat Nov 27, 2021 8:20 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Thank you!
by danergo
Sat Nov 27, 2021 5:24 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

One small addition: If I modify the accept rule:
add action=accept chain=input comment=\
    "defconf: accept all traffic from vpn-clients" ipsec-policy=in,ipsec
This also works. Which led me to another question: Which one is more preferred? (this, or the other one with the IP range?) Acceptin...
by danergo
Sat Nov 27, 2021 5:19 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Hello! I've come across a small finetune: I have here a virtual bridge "vpn-clients-vbridge" with an assigned IP Address "192.168.200.1/24". This virtual bridge is part of an interface list of "LAN" along with the physical bridge: /interface list member add comment=d...
by danergo
Fri Nov 26, 2021 9:06 am
Forum: General
Topic: Detecting Viber traffic characteristics?
Replies: 11
Views: 673

Re: Detecting Viber traffic characteristics?

Yes, probably that is a good start-point. However, I'm already having more IPs which required (or was required in the past few days) to build up a call. And call establishment doesn't need all IP addresses by those DNS. Call establishment is very specific according to my research (on Android): so ha...
by danergo
Thu Nov 25, 2021 8:10 pm
Forum: General
Topic: Detecting Viber traffic characteristics?
Replies: 11
Views: 673

Re: Detecting Viber traffic characteristics?

I have only one Android device around, no iPhone or other versions of Android. Also, this device is not rooted, so anything like "netstat" is not available on it (to see by application-level, what application is using what ports and dst IPs). DNS didn't help, I tried, but they are obfuscat...
by danergo
Thu Nov 25, 2021 4:57 pm
Forum: General
Topic: Use IPSec Peer's ID in firewall rule condition?
Replies: 5
Views: 370

Re: Use IPSec Peer's ID in firewall rule condition?

I have plain IPSec, sorry for that - it was a common fact between Sindy and me.
by danergo
Thu Nov 25, 2021 4:47 pm
Forum: General
Topic: Use IPSec Peer's ID in firewall rule condition?
Replies: 5
Views: 370

Re: Use IPSec Peer's ID in firewall rule condition?

Thank you Sindy!
by danergo
Thu Nov 25, 2021 3:54 pm
Forum: General
Topic: Detecting Viber traffic characteristics?
Replies: 11
Views: 673

Re: Detecting Viber traffic characteristics?

I summarize my results: Best way to handle this, is keeping those ports I mentioned above in the mangle (repeat here for reference): Both TCP and UDP: 4244,5242,5243,7985,7987,9785 Traffic redirection purely based on these ports are enough for Viber Desktop NOT enough for Viber Android If also TCP44...
by danergo
Thu Nov 25, 2021 3:14 pm
Forum: General
Topic: Use IPSec Peer's ID in firewall rule condition?
Replies: 5
Views: 370

Use IPSec Peer's ID in firewall rule condition?

Hi! I'm having multiple IPSec "Active Peers", and they are all getting their dynamic IPs from a shared pool. There is a way to differentiate them, by checking their ID, based on that it's obvious on which IP belongs to which client. Can I somehow add the Peer ID to firewall rules (mangles)...
by danergo
Thu Nov 25, 2021 1:44 pm
Forum: Scripting
Topic: Howto get the PTR record for a single IP?
Replies: 6
Views: 422

Re: Howto get the PTR record for a single IP?

I just have to put it into ":do" ?
by danergo
Thu Nov 25, 2021 1:37 pm
Forum: Scripting
Topic: Howto get the PTR record for a single IP?
Replies: 6
Views: 422

Re: Howto get the PTR record for a single IP?

To use it in the script
:local ptr  [:resolve 18.196.34.14]
This will resolve the IP and save it to the variable ptr

Thank you! How can I make sure to not crash my script if I give it some invalid address? Like:
:local ptr  [:resolve 192.168.88.100]
?
by danergo
Thu Nov 25, 2021 1:31 pm
Forum: Scripting
Topic: Howto get the PTR record for a single IP?
Replies: 6
Views: 422

Re: Howto get the PTR record for a single IP?

OMG, thank you.
(I read a lot of old posts and by that time this was unsupported)
by danergo
Thu Nov 25, 2021 12:22 pm
Forum: Scripting
Topic: Howto get the PTR record for a single IP?
Replies: 6
Views: 422

Howto get the PTR record for a single IP?

Folks, I'm looking for a pretty obvious need: getting the PTR (string) for an IP address in my script. For example: having "18.196.34.14" in a variable, and I want to get its PTR (name): "ec2-18-196-34-14.eu-central-1.compute.amazonaws.com." (even if it's a non-authoritative a...
by danergo
Wed Nov 24, 2021 10:25 am
Forum: General
Topic: Detecting Viber traffic characteristics?
Replies: 11
Views: 673

Detecting Viber traffic characteristics?

Folks, I'd like to detect Viber's traffic on my Tik, to let it route different gateway (not the default). I have studied this document: https://commons.erau.edu/cgi/viewcontent.cgi?article=1477&context=jdfsl , which helped a lot, and also this one (used ports for Viber Desktop): https://help.vib...
by danergo
Sun Oct 17, 2021 3:03 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Changing "Tunnel ID" to a different value, then saving EoIP interface solved this. Now I have 6 channels. :)
by danergo
Sun Oct 17, 2021 2:21 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

One more thing, as I have added more IPSec tunnels, 5 is working, but then the 6th is not: It's copied from the others with care (as the previous 3 on top of the existing 2). Policies are communicated into responder, and both routers are seeing the Active peers with 6 IPSec tunnels. On Initiator sid...
by danergo
Sun Oct 17, 2021 1:10 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

One more update (I guess last for now) :) Using 5 tunnels, problem seems to be solved: all tunnels are low-speed (4-5Mbps) which doesn't bother the provider. I could use that for more than 30mins. This is well suited for my needs, and from time to time MikroTik always amazes me how flexible and conf...
by danergo
Sun Oct 17, 2021 10:41 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Uhh. It works for 10 minutes only. It's a hard limit by isp. Moving them to another port resets the speed, but I guess they keep remembering on my earlier banned ports for a while, so port-hopping technique seems not feasible. I might have to use a lot of combinations to fool them. Instead, I'm thin...
by danergo
Sun Oct 17, 2021 9:08 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Sindy, sorry for robbing your precious time. I have overlooked it. Changing the UDP ports immediately solved the speed-limitation. Now I'm considering this post as a "startpoint" when the tunnels are got back to work. I'll know then how much time could they survive. Also I've realised that...
by danergo
Sun Oct 17, 2021 8:53 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

If I disable one EoIP at both ends, overall bonding's speed is not concerned. I.e. with 2 EoIPs it can reach now 3.5Mbps, and with disabled one channel can go up to ~3.3. Same test method can reach 24Mbps now on default gateway. Lowering the MTU to 1300 makes it a bit worse, not reaching above 2Mbps...
by danergo
Sat Oct 16, 2021 10:39 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Surely will do tomorrow, it's getting too late now, and I don't want to make any troubles :)

Thank you!
by danergo
Sat Oct 16, 2021 10:27 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Sindy: after we succeeded with the creation of the bonding, it could easily reach 20-24MBps. So it worked at my full available TX speed. MTU is a nice idea, I checked it, on both routers (initiator, responder): https://i.imgur.com/pd25vUg.png It's kind of odd that the bonding itself has 1500 while th...
by danergo
Wed Oct 13, 2021 9:22 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Hello! Today I've come across a strange situation: @Sindy, I have two EoIPs which are then bonded together, as you might not remember this. I'm routing the desired traffic to that bonding (instead of going out on default gw). However this bonding interface can't really go higher than 8-10MBps, while...
by danergo
Thu Sep 30, 2021 10:50 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

So what happens to Scenario 2 if you add ipsec-policy=in,none to rule 1?
What happens? It solves all my issues 8) 8) 8) 8)

Thank you so much Sindy! This was a huge investigation, I'm very thankful!
by danergo
Thu Sep 30, 2021 10:22 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 996

Re: An easy routing question [SOLVED]

So a routing entry with routing-mark is prioritized over another one without routing-mark, even if both have the same dst-address and distance?
by danergo
Thu Sep 30, 2021 6:21 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 996

Re: An easy routing question [SOLVED]

Thank you both of you!
/ip route
add distance=1 gateway=x
add distance=2 gateway=y
add distance=2 gateway=y routing-mark=some_mark
I don't get why do I need "add distance=2 gateway=y"? Isn't this enough?
/ip route
add distance=2 gateway=x
add distance=1 gateway=y routing-mark=some_mark
by danergo
Thu Sep 30, 2021 5:59 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 996

An easy routing question [SOLVED]

Hi, Let's say I have two default routes in MikroTik. In the documentation, this is stated: Candidate route with the lowest distance becomes an active route. If there is more than one candidate route with the same distance, selection of active route is arbitrary Alright, but what happens if those rou...
by danergo
Thu Sep 30, 2021 4:26 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

/interface bridge add admin-mac=MAC_OF_BRIDGE auto-mac=no comment=defconf name=bridge add name=site2site-tunnel-vbridge add comment="Remote VPN Clients" name=vpn-clients-vbridge /interface ethernet set [ find default-name=ether1 ] name=wan /interface eoip add local-address=192.168.20.3 ma...
by danergo
Wed Sep 29, 2021 10:33 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Thanks!

Can I share it with you somehow more privately, by any chance?
by danergo
Wed Sep 29, 2021 9:29 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Okay, what infos do you need exactly? Firewall only? Or Firewall+IPsec? Or Firewall+Route+IPsec?

Thank you!
by danergo
Wed Sep 29, 2021 9:06 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Well - you've said before you wanted something "future-proof", i.e. something that would work even if you change the IP addresses used at the remote end of the tunnel. So the use of connection tracking to clip a connection to the in-interface of the initial packet addresses exactly this r...
by danergo
Wed Sep 29, 2021 1:32 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Sindy, thank you so much for summarizing this for me, I can't be thankful enough. Although, I have the intention that I won't need mangles: as for me it seems they are extremely helpful if (for example) you need to direct specific packets from the same subnet to not go towards default route(s). Howe...
by danergo
Tue Sep 28, 2021 11:12 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Ok, I got this, thank you. Please consider this other scenario: Phone ~~~ VPN ~~~ TIK0 ~~~ TUNNEL ~~~ TIK1 ~~~ WAN Let's say phone first joins to TIK0 via VPN, and TIK0's mangle rules marks some connections and packets, to routing them (instead TIK0's default gateway) towards the TIK1 through the TU...
by danergo
Tue Sep 28, 2021 4:53 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

When Mangle marks the connection, does that mean for MikroTik, that it will have to use the "incoming interface of the packet" when sending back the response?
by danergo
Tue Sep 28, 2021 12:23 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

So the problem is not in TIK1, I have many options to send back the reply: Static route Mangle NAT The problem is that after TIK0 receives the reply, it tries to send it to 192.168.200.200, which is the phone's Dynamic Address in IPsec, and this packet doesn't seem arriving into the phone. So I migh...
by danergo
Tue Sep 28, 2021 11:28 am
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Sindy, thank you so much! Yes, all goes through VPN, except traffic to the public address of the responder (VPN server). At first, I didn't get this. RouterOS is doing the magic in terms that even if the src-address of a policy includes the WAN IP from which the IPsec transport packets are sent, and...
by danergo
Mon Sep 27, 2021 11:03 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Also, I've come across another thing, which I really need to solve. It's kind of merging two threads, Sindy. We have created nice EoIP tunnels with bonding over IPsec earlier. I'm marking some packets to go into this tunnel instead of getting out on public WAN. This also works for this VPN clients, i...
by danergo
Mon Sep 27, 2021 10:39 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Actually, if I check "myip" from Android during VPN, I can see TIK's public address. So I believe it all goes through VPN, just I had some fear because of the packet logs. So you are saying, that this implementation I've done here in this thread can be considered as "bare IPsec",...
by danergo
Mon Sep 27, 2021 9:30 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Folks, I'm finetuning this solution, and something came across to me: I have an active peer in IPsec/Active Peers tab, for my phone when it's connected onto VPN: https://i.imgur.com/0Lqw59e.png I have a webserver running in the LAN (192.168.2.100, port 80), and I added 2 logs into "Firewall/Fil...
by danergo
Sat Sep 25, 2021 9:20 am
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Thank you, everything is clear/perfect now.
by danergo
Fri Sep 24, 2021 8:52 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Folks, I don't understand one other thing: In active peers, I can see my VPN client perfectly. Its "Local Address" is "192.168.1.10", which is the IP of the Tik from outside (assigned by ISP). Why? I mean where did we define this, or how does IPsec know this? Everything works perf...
by danergo
Fri Sep 24, 2021 4:50 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Try disabling and re-enabling the second identity (or both) and see whether it starts working then.
This indeed worked :o

Now Android is joined to this lovely Tik.

Other question with the DH mismatch would be still interesting though.

Thank you!
by danergo
Fri Sep 24, 2021 4:24 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Guys, I've started from scratch and found one basic root-cause: UDP500 was not accepted on the input chain, and therefore it never reached the IKE2 routines. After adding that, a much nicer and more verbose log was created which however needs some explanation for me, if you could do that: 15:00:23 i...
by danergo
Fri Sep 24, 2021 3:33 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

I'm going in a much easier direction now: I've disabled the persistent tunnel, so now there are no active peers. This way I'll have the chance to test the VPN server from Windows, and this would be extremely helpful, as my Win is now behind another Tik, so logging will be perfect. I'll get ba...
by danergo
Fri Sep 24, 2021 3:00 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

@Sindy, Maybe from this config:
/ip ipsec policy add template=yes src-address=0.0.0.0/0 dst-address=192.168.200.0/24 proposal=vpn-clients group=vpn
Anyway, I have recreated the Policy from scratch, and rebooted the router also. Now, it's much worse than before: it seems no packet arrives from...
by danergo
Fri Sep 24, 2021 12:38 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

The notification about your update to that thread from this July never made it to my mailbox. I assume you've resolved it? No problem at all, it was some ISP error, it actually has resolved itself after some days (I was far away, couldn't reboot anything) So it seems Traffic Selector has some issue...
by danergo
Fri Sep 24, 2021 8:51 am
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

You should not have exported the CA certificate using the passphrase, as the private key of the CA should never leave the CA. But this is "only" a security issue (anyone having the CA certificate together with its private key can sign additional certificates that will be trusted by whoeve...
by danergo
Thu Sep 23, 2021 5:26 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Sindy: I have exported the certificates (both ca and both the client) from winbox, in PKCS format, and providing a passphrase. Then I've sent over those two files onto my android phone, and then I have opened them, my phone asked me the passphrase, then certificate type ("VPN and app user certi...
by danergo
Thu Sep 23, 2021 3:13 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

mbaute:

"Public IP assigned to Tik": 8.7.6.5 is assigned to ISP's router, not to Tik.

Tik is behind this ISP's router, and it gets an internal IP assigned by ISP's router.

Does your suggestion consider this fact?

Thank you!
by danergo
Wed Sep 22, 2021 12:11 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 48
Views: 2618

Setting up IKEv2 VPN Server behind NAT [SOLVED]

Folks, My Tik is behind NAT (due to ISP), and it gets an internal IP from them. I want to setup an IKE2 VPN Server on this Tik to allow my Android phone to be part of the LAN. Phone (192.168.0.10) ----> ISP1 (192.168.0.1, 4.3.2.1) -----> INTERNET -----> ISP2 (8.7.6.5, 192.168.1.1) -----> TIK (192.16...
by danergo
Tue Jul 06, 2021 6:33 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

@sindy: I hope you're all good. I'm taking into account you don't have a crystal ball, but without too much details, can you give me some lights in this please: I've setup the IPSec tunnels, and EoIP tunnels, and bonding, which was working soo great for long months or even a year. Now I realized it ...
by danergo
Wed Feb 24, 2021 9:14 am
Forum: Scripting
Topic: Fetch program aborts with timeout
Replies: 0
Views: 590

Fetch program aborts with timeout

I'm having a very slow/bad internet connection under my MT. I want to download a large file (2GB) from a remote location. My computer is perfectly fine doing that, but it reconnects a lot of times during the reception. I don't really like that as during this operation my computer needs to be switche...
by danergo
Fri Jul 31, 2020 8:33 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Hi, I'm trying to figure out this IKEv2 connection, but something seems missing. I've basically copied everything from the previous tunnel configs: [admin@MT_Responder] > ip ipsec proposal print Flags: X - disabled, * - default 3 ;;; Proposal for Windows clients name="default-Remote" auth-...
by danergo
Tue Jul 28, 2020 12:30 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Which router is "this", the initiator in the multi-EoIP arrangement or the responder? The responder. I'd like to connect securely from a Windows machine to the current responder, when I'm out of the range of the current initiator, that's the main goal. if you use IKEv2 to connect those cl...
by danergo
Mon Jul 27, 2020 2:50 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Hello, just wanted to give a quick review of this solution. It is working flawless since then with 100% reliability. Rock solid, thanks a lot for this! And I'm thinking on opening the IPSEC VPN to smaller clients (like Windows notebook) to this router. I know it's possible, but I'd like to know if I...
by danergo
Thu May 14, 2020 12:23 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

One small addition to your linked topic: In your example, at the last line there is a typo: add chain=prerouting connection-mark=handling-A action=mark-routing new-routing-mark=handling-B Here I think connection-mark shall be also "handling-B". Otherwise, I needed another rule into mangle ...
by danergo
Thu May 14, 2020 12:18 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

I just realized by myself: fasttrack on responder is OK, as it has no policy-based routing with mangle rules.

All stuff seems working very smooth and fast with low CPU on Tiks now, thank you very much. This topic can be marked as solved now, I guess.

Thanks!
by danergo
Thu May 14, 2020 9:17 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Thank you sindy!

This is another great post!

Just one quick question left here:
I disabled fasttrack on initiator and suddenly everything started working.

But you mentioned fasttrack is for both directions. So in theory I have to disable it for the responder side also, no?
by danergo
Wed May 13, 2020 11:00 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

OMG! This was it. :?
After disabling the fasttrack, it works perfectly.

I should leave fasttrack disabled when I use the tunnel? Or filter more for dst addresses that are not my home ip?
What is the best solution for keeping fasttrack and having mangle too?

Thank you so much!
by danergo
Wed May 13, 2020 10:33 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Perfect, it works very nice, thank you! I've realized one thing: players are different. There are players which buffers, i.e it uses the maximal uplink at the beginning, and there are players which doesn't buffer. Now I'm focusing the latter, which does not buffer. Now my connection seems more solid...
by danergo
Tue May 12, 2020 10:21 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

OK. So first, use the DDNS name of the responder as the peers' address items at the initiator if you haven't yet - that's still within the scope of the previous discussion. Yes, I'm using this, but with caution. Whenever you write DNS names in these fields, it gets resolved only once, and then whe...
by danergo
Tue May 12, 2020 6:03 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

:D

All sides are dynamic, so I need DDNS for the IPsecs too, yes.
For now I used the responder's public (not so often changing) dynamic IP.
by danergo
Tue May 12, 2020 5:15 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Thank you. I'd like to ask one more thing here: To access my devices on the remote LAN, I used simple port forwards with dyndns earlier. Now as the tunnel is up, probably faster (and some time later can also be more secure), I'd like to use it for accessing remote LAN devices. In the initiator Tik I...
by danergo
Tue May 12, 2020 1:26 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

New fact: In IPsec proposal at responder PFS group was configured to modp2048 while at initiator it was set to none. Now I set to none also at responder (sorry!). It seems working now (at least for 35mins). Proposal's lifetime is not being respected now, active peers' uptime can raise above 30mins (...
by danergo
Tue May 12, 2020 11:54 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

"created" means you have actually sniffed them or just prepared a size limit of 2 MB? I have actually sniffed until around 2Mb (limit was set to 4096, but it increased so slow that I stopped around 2megs). Just double-check you've set filter-ip-address at each end to the public IP of the ...
by danergo
Tue May 12, 2020 9:23 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

I have created two sniffs (2Mb each), on both ends' WAN traffic towards other ends' public IP.

I can only start the sniffers once the connection drops (ie. Videoplayer stops), I hope that would be enough.

What shall I check in the sniff files?

Thank you!
by danergo
Mon May 11, 2020 10:47 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Understood, alright.
I'll sniff the tunnel traffic, and post it tomorrow.

Thank you!
by danergo
Mon May 11, 2020 10:28 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

I haven't done any sniffing yet, but here is a diagram of the behavior: https://i.imgur.com/CoOqdB0.png The video was streamed, and where I've drawn the black line there it stopped (roughly). So the player has some buffer. At the black line when I realized it stopped, I disable/enable both IPsec tunnels...
by danergo
Mon May 11, 2020 9:52 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Indeed strange for me too, I will post some more details if I find out the reason. My uplink ISP can ban the connection without explicit closing, then when I close it manually it release and let the new one (with same port) connect. Normally, is it wise to keep these tunnels open alltime 7/24? Or it...
by danergo
Sun May 10, 2020 11:01 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Ok, I finetune this observation: I think some ISP in the middle blocks the large traffic. I've tried to stream a 20mins video, it plays smooth until 10mins, then immediately stopped. For some time EoIPs seem to be up, but then the stop as well, however IPsec tunnels are shown as active. If I disable...
by danergo
Sun May 10, 2020 4:55 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

There is a small mistake though. After some time an idle IPsec tunnel gets destroyed. Only one thing changes: EoIPs stop running. (Responder's IP is unchanged) Looking at IPsec, it shows active peers as before. However the only way (or one way) to restore is disabling and reenabling the IPsec peers ...
by danergo
Sun May 10, 2020 3:52 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

This is my latest test with 2 EoIPs in one bonding (MTUs on EoIPs are 1400 everywhere, thus IPsec shall not use the default 4500port at all): https://i.imgur.com/OcNErSC.png I can't describe how happy I'm now! Thank you so much, 5star solution and support! Videos now can be played directly on TV. Am...
by danergo
Sun May 10, 2020 2:54 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Wow! There is some secret here. I created 4 EoIPs earlier with 4 different policies. After we realized that it won't work I disabled everything. Today I started my measures with EoIP tunnel1 (firstly created). Measurements were disappointing. But then I disabled EoIP tunnel1, and started to play wit...
by danergo
Sun May 10, 2020 1:04 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Thanks, MTU is 1400 on both sides of EoIP. Now the avg bandwidth is 3.93 , but sometimes it goes up to even above 8: With 1300 it was worse than with 1400. The current bandwidth can be changing, but in general testing almost at identical time, with 1300 and 1400, 1400 gives better results. This imag...
by danergo
Sun May 10, 2020 11:26 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Now EoIPs are set to use 1400 as MTU, all other interfaces use 1500 by default (I haven't changed).
by danergo
Sun May 10, 2020 10:54 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

There is still something interesting in this topic: Now the current native speed of iperf (with public IPs and basic NAT): 10.1Mbits/sec at receiver's side. Ping is 160ms, constantly. If I create only 1 IPsec policy and peer, and one EoIP tunnel on top of it, with correctly set routes, I got for the...
by danergo
Sat May 09, 2020 4:58 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Yes, I understand this, might try out later once I get back to the router. In the meantime I did some iperf tests and realized a new aspect: During the day I could measure 10MBps avg bandwidth with native (without tunnels) single tcp flow. But later, and at night, it drops back to even 2-3. Did also a tra...
by danergo
Sat May 09, 2020 2:51 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Do I need to have IPsec tunnels to use EoIP and bonding?

I'm thinking on utilizing the bonding somehow without complex tunneling, with just basic NAT tools as they seem faster here.
by danergo
Sat May 09, 2020 1:52 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

One more question: What shall be the bottleneck of this setup? Without the tunnel, I can measure 5-6Mbps, but within the tunnel it's only 2-2.5Mbps. I'm pretty sure I can't reach the native speed because obviously there is overhead, but how shall I check which point is the weakest one? Encryption is...
by danergo
Sat May 09, 2020 1:45 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Is it possible to introduce some buffering mechanism? Or that's not gonna help? The buffering mechanism is expected to be embedded into the TCP receiving side - it should indicate a large enough buffer to the sender. Try another player, if it doesn't help, you'll have to copy the media to a local f...
by danergo
Sat May 09, 2020 1:27 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

I have just tried with the problematic software, but it does not really work OK. It's a NAS streaming my media => latency can be high, but bandwidth is needed, now the stream plays, then stops for buffering and then plays again. At least now it's going through the tunnel :) If this is because the appli...
by danergo
Sat May 09, 2020 11:42 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Now, my results: There are 4 IPsec tunnels, all spawn 1 EoIP tunnel. EoIPs are bonded together with a bonding interface in balance-rr mode. Everything is up and running! 8) Bandwidth however is not so great: [ ID] Interval Transfer Bandwidth Retr [ 4] 0.00-60.00 sec 16.3 MBytes 2.27 Mbits/sec 69 sender...
by danergo
Sat May 09, 2020 10:20 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Thank you, yes, changing level to unique makes the connection rock solid, now ping works, and it seems round-robin also.
Bandwidth is not increased too much yet with only 2 EoIPs, now I'm gonna add 1-2 more then retest, and post my updates here.
by danergo
Sat May 09, 2020 8:44 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

In the long run, during the night, it did not change, one EoIP of responder is not running. If I disable the other IPsec tunnel (which is under the EoIP that runs), the not running EoIP starts running. Then reenabling the IPsec tunnel does not ruin this, i.e. both EoIPs are running, but only for a s...
by danergo
Fri May 08, 2020 10:46 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Well, this is just one of the few "we know better than you what you want to do" features of RouterOS. What a nice hack! Real think-out-of-the-box solution :) I think I've set up everything in order, but the performance is getting worse. Things I've done: Static DNS New peer, policy, identi...
by danergo
Fri May 08, 2020 7:42 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

If the throughput is reduced due to the IPsec encryption, you can save some CPU by using null encryption if the actual client-server connection is TLS-encrypted or if you don't care. Yes, I did this way, as the connection is already TLS-encrypted. Now wait... what did you actually want to write? Yo...
by danergo
Fri May 08, 2020 4:58 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Thank you! It was simple port fwd, but now with these new routes there is no need to forward anything, I can ping each other, and direct TCP works perfect too. So now I had the chance to redo the iperf tests too, here are the results via EoIP/IPsec: [ ID] Interval Transfer Bandwidth Retr [ 4] 0.00-6...
by danergo
Fri May 08, 2020 2:57 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

The addresses attached to the bridge should be /32 ones so no network as such. And the A, B, C classes have been obsoleted quite some time ago, so use 10.0.1.1/30 at one end and 10.0.1.2/30 on the other end, again just to reduce confusion. You could use 10.0.0.10/24 and 10.0.0.20/24 and still 10.0....
by danergo
Fri May 08, 2020 2:22 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Can I choose an address from the virtual bridge's network? (Actually it's not from its network, but like 10.0.0.10 and 10.0.0.20 for the two sides?)
by danergo
Fri May 08, 2020 11:46 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

To transport the EoIP using the IPsec, I'd recommend to create, at the initiator, an /interface bridge without any member ports, attach to it a private /32 IP address outside the LAN subnets of both the initiator and the responder, and create a policy with this address as src-address and the respon...
by danergo
Thu May 07, 2020 11:06 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Okay, that was the problem, accepting 4500UDP @server Tik eventually let the IPsec stand up. One quick question: now that I opened UDP4500, anyone who knows my IP (and preshared key + sets the correct ID for identity) can create an IPsec tunnel to my MT (As long as server's identity is set for matchi...
by danergo
Thu May 07, 2020 6:46 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Don't I need to add accept rule for UDP4500 on input chain (server side)?
by danergo
Thu May 07, 2020 6:43 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Okay, thank you, I'm here now: On the server, passive=yes was set (I think that was automatic). "On the responder (server) side, add generate-policy=port-strict policy-template-group=ike1-site2 to the identity" - OK, done this. Moreover did these on the server: [server] > ip ipsec policy...
by danergo
Thu May 07, 2020 1:04 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Thanks! I have started to create the IPsec tunnel, and I'd appreciate if you could validate this before I run into problems caused by myself: Server side MikroTik's name: server Server side NAT router of ISP: isp_server Client side MikroTik's name: client Client side NAT router of ISP: isp_...
by danergo
Wed May 06, 2020 10:25 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Thank you! This seems a bit complicated for me at first sight but I like MTs very much and am always up for learning new things. So, you're suggesting me to first create an IPsec tunnel and retry the iperf tests, am I right? Creating IPsec tunnel would be good based on this example: https://wiki.m...
by danergo
Wed May 06, 2020 10:07 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

I'm not sure that I understand correctly what you are trying to mean here, sorry. . sorry to interfere only for being so nitpicky ... I have to give the tcp-default ... but ... multiple "routes" ? ... nöh . 39494 39500 39498 39496 . root@badger:~# iperf -c 192.168.67.140 -P 4 -------------...
by danergo
Wed May 06, 2020 9:29 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

Try setting up a GRE tunnel between the two if both have public IP addresses. If it works, it could be that the ISP won't limit GRE per connection. If it doesn't work, the only way to split a single TCP flow among several paths is to use bonding in balance-rr mode, but bonding can only bond togethe...
by danergo
Wed May 06, 2020 9:24 am
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Re: Split traffic then merge [SOLVED]

can only measure 5MBps from the server->client. But only if I measure with a single thread. If I measure with parallel option of iperf3 (this way it creates multiple connections), the bandwidth can reach the uplink limits (25MBps) even through the abroad ISP. . little bit unclear how long you did t...
by danergo
Tue May 05, 2020 8:39 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 99
Views: 13475

Split traffic then merge [SOLVED]

I'd like to solve a strange ISP limitation. Let's consider this topology: Server -- MT1 -- ISP1 -- inland internet -- ISP2 -- MT2 -- Client In this topology, if I run iperf3, which is a network bandwidth tester, bandwidth from server->client can easily reach the uplink bandwidth limit which is curre...