MikroTik

zett93

UPDATE - i have response from official Mikrotik support, sadly - address-lists rules doesen't work with wireless/capsman.

zett93

@ gotsprings - so, ending that subject block - now it's working :) but that's crazy that in all tutorials (including official MUM pdfs) i read, was written, that in local forwarding mode "discovery interfaces" should be empty, and only "capsman addresses" should be set to proper ...

zett93

@ gotsprings - yes, "discovery interfaces" was disabled when i tried to configure CAPsMAN adresses - but it never start to work for me (error with "no capsman found etc..) @ anav - i understand the "division rule", but my question was about setting 866Mbps connection, becaus...

zett93

Hi, sorry for delay, that was busy weekend, @ BrateloSlava, here is export from one of my cAPs: All works fine over L2, but if I disable "discovery interfaces" in CAP setting, and set CAPsMAN IP address it never works for me - i don't know why (IP address on CAP is set and i can ping to th...

zett93

UPDATE - with L2TP tunnel it works (address is added to address list), so what should I do to make it work with capsman too.

zett93

Hi, i have a question for You - i configured UM + RADIUS, and CAPsMAN to authorize WiFi clients. All works fine except one thing: in User Manager --> Users --> user edit --> attributes i created attribute "Mikrotik-Address-List", but when WiFi Client connects with that user credentials, hi...

zett93

OK, in my case it can be L2 option (but I don't understand why IP connection doesn't work - maybe this will be next lesson for me :)) And about local forwarding - that was my missclick in Configurations tab (i missed that in one configuration "Local forwarding" option was not hidden, and n...

zett93

Then maybe I misunderstood something, because reading various information (including MUMs) everywhere using the Local forwarding option (in datapath on CAPSMAN), on CAP discovery interfaces was empty, and capsman address was given. An interesting fact is that if I leave discovery interfaces set, mas...

zett93

OK, thanks for the comprehensive answer :) I think it was the last answer that most described what I was thinking of. However, as far as CAPsMAN is concerned - local forwarding does not work for me, the moment I turn off "Discovery Interfaces" I get the error "CAP did not find suitabl...

zett93

Hi, this may not be the answer to your problem, but I wanted to write that I recently did some updates to my cAPs. I'm doing the update via winbox and here's a question, which update channel do you choose? Another thing, see before updating if the firmware version is the same as the RouterOS version...

zett93

Hey. i have this question, is it possible to do something to bump up the transmission speed to the maximum possible (866Mbps)? My Macbook Pro practically always sets the connection at 390Mbps, sometimes higher values fall in. From what I've noticed, there's no difference if I take the measurement at...

zett93

I changed the rule in google vpn, now the policy includes both subnets (even though the GUI doesn't suggest at all that you can enter a subnet from a different region), threw out the google_fra config completely, added that subnet in the policy using google_peer and now everything works fine. Finall...

zett93

If both tunnels were in the same region, that could be a solution. On the other hand, one tunnel compiles to Poland, the other to Germany, so perhaps this is the bug....

Especially since I have exactly these two subnets tied up in another location using Fortigate - no problem there....

zett93

After reset peers and pinging only gcloud_peer_fra it looks like this. Ok, did You have any ideas how to resolve that problem? I see something like that first time in my carreer. Flags: S - seen-traffic; H - hw-aead; A - AH, E - ESP 12 HE spi=0xD2F455E src-address=ip-gcloud_peer_fra dst-address=ip-l...

zett93

Check now :) Flags: S - seen-traffic; H - hw-aead; A - AH, E - ESP 0 SHE spi=0x2034A30 src-address=ip-gloud_peer_fra dst-address=ip-local_router state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="05144e43ff7ba0e7a5541fea953cb8b7d9732a66ab8138c77f0a2acc2e39c627&q...

zett93

It looks like this /ip ipsec active-peers print Flags: R - RESPONDER; N - NATT-PEER Columns: ID, STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS 6 R ip-gloud_peer_fra established 24s 1 ip-gloud_peer_fra 7 R ip-gcloud_peer established 24s 1 ip-gcloud_peer /ip ipsec installed-sa print where.... Flags: S - SE...

zett93

Thanks for the reply @sindy I know it's nothing unusual (on this Mikrotik I have 4 more tunnels to other locations and with them there was no problem, the only difference is exchange-mode=main). This router has a direct connection to the internet (via PPPoE). An interesting fact is that if I have bo...

zett93

Hey, I have a problem as described below: I have two regions in gcloud with two different addresses (192.xx.xx.0/24 and 192.yy.yy.0/24) a tunnel (IKE2) is created for each of these addresses each of the tunnels works on my router, however, when I want to run two at the same time, traffic stops going...

zett93

Anyone know the answer?? :)

zett93

You got the point, in my connection tracking src-address was from my.wan1 and reply-dst-address was my.wan2.

Now, after change src-nat NAT rules all works fine, temporary all traffic will go through wan1, next i'll tune src-nat rules.

Thanks for help, you're great!

zett93

any ideas? :)

zett93

None of the rules you've posted refers to connection-state . So it is not possible to find out what is wrong. Post the complete export of the firewall (including the address lists) and indicate the subnets at local and fortigate side which should be able to talk to each other. Check my automatic si...

zett93

Hi, i have a stupid issue with my MT HEX gr3. I have IPSec tunnel between MT and FortiGate. Tunnel works fine (peer is active, all policies are estabilished), but there is no traffic through that. I have some rules in Firewall/NAT/RAW, see below. /ip firewall filter 21 ;;; FROM L2TP Clients chain=fo...

zett93

Here is reply from official MT support. Hello, Thank you for contacting MikroTik Support. Unfortunately, CRS354 device has some issues creating bonding interfaces and we look forward to fixing this on upcoming RouterOS versions, unfortunately, I cannot provide any ETA now. As a workaround, you could...

zett93

Here is reply from official MT support. Hello, Thank you for contacting MikroTik Support. Unfortunately, CRS354 device has some issues creating bonding interfaces and we look forward to fixing this on upcoming RouterOS versions, unfortunately, I cannot provide any ETA now. As a workaround, you could...

zett93

Hi,

my problem is that my Mikrotik never send any LACP packets to my server, and LACP didn't works fine. Linux says, that communication is churned.

Could You help me in that case?

zett93

Hi, i have problem with my configuration. My switch works like a hub. EQ. When i ping 2 servers, from third tshark can see that packets. Can Yuu help with that case? # mar/21/2020 19:12:08 by RouterOS 6.45.8 # software id = IIHG-S4TB # # model = CRS354-48G-4S+2Q+ # serial number = B8450B37B913 /inte...

zett93

It doesen't work.. After 30 seconds i have loop storm on my switches, and they goes down. Additionally linux bridge didn't set root bridge id from one of my mt switches..

zett93

Hello, I have some problems with my infrastructure. I have 2 CRS354 connected together via qsfp. I need to connect a debian server to both, via two bonded interfaces, one to the first CRS, the other to the other. Below is a picture of the infrastructure and configuration. The problem is that when I ...

zett93

Here is reply from Mikrotik support center Sniffer, Torch and use-ip-firewall=yes will disable the bridge fast-path (also fast-forward when only two bridge ports are running). Perhaps the issue is related to this feature? You can manually disable the fast-path under bridge settings and fast-forward ...

zett93

I added the bonding later than the problems started, it has no effect.

However, I got a response from Mikrotik technical support.
They suspect problems with bridge fast-path and fast-forward.
In the evening I will send them a binlog and wait for an answer.

zett93

All network configuration is fine. I have 2 addresses on that bridge because i found unknown network device in my LAN and i want to check that - that's fine and that works. VPN configuration also works fine. My question only applies to the firewall on the bridge. LAN is unstable when I disable "...

zett93

@WeWiNet - yes, i removed it from list, and added ether1 to them. Yes, RADIUS works fine for authentication in L2TP tunnel. Here is my fresh export # feb/10/2020 18:22:40 by RouterOS 6.45.8 # software id = QCX6-3PXK # # model = RB750Gr3 # serial number = 8AFF0BFxxxx /interface bridge add comment=&qu...

zett93

OK, i removed wan bridge (i created it for future dual-wan plans (maybe?

)), and changed all things assigned to it.

No changes, after disabling "Use IP Firewall" LAN breaks and send a lot of timeouts...

zett93

Sorry, 1xWAN, 4xLAN of course. I know, that it should work out of the box, but it doesent. # feb/10/2020 16:18:51 by RouterOS 6.45.8 # software id = QCX6-3PXK # # model = RB750Gr3 # serial number = 8AFF0BFxxxx /interface bridge add comment="ALL WAN INTERFACES" name=bridge0wan /interface br...

zett93

Hi, I have a question about the correct operation of the bridge. Namely, I have a simple network (RB750GR3 - 1WAN + 4xWAN in the bridge). The bridge only works properly with the "Use IP Firewall" option selected or Torch running. Otherwise, traffic only works properly on a port that has th...

Search found 36 matches

Re: User Manager - add to address list

Re: cAP AC + CAPsMAN - transmission speed not as high as it can be

Re: cAP AC + CAPsMAN - transmission speed not as high as it can be

Re: cAP AC + CAPsMAN - transmission speed not as high as it can be

Re: User Manager - add to address list

User Manager - add to address list

Re: cAP AC + CAPsMAN - transmission speed not as high as it can be

Re: cAP AC + CAPsMAN - transmission speed not as high as it can be

Re: cAP AC + CAPsMAN - transmission speed not as high as it can be

Re: cAP ac bricked after update

cAP AC + CAPsMAN - transmission speed not as high as it can be

Re: Problem with 2 IPSec IKE2 tunnels to GCloud

Re: Problem with 2 IPSec IKE2 tunnels to GCloud

Re: Problem with 2 IPSec IKE2 tunnels to GCloud

Re: Problem with 2 IPSec IKE2 tunnels to GCloud

Re: Problem with 2 IPSec IKE2 tunnels to GCloud

Re: Problem with 2 IPSec IKE2 tunnels to GCloud

Problem with 2 IPSec IKE2 tunnels to GCloud

Re: L2TP/IPSec without push DNS servers to the clients

Re: IPSec and ConnTrack

Re: IPSec and ConnTrack

Re: IPSec and ConnTrack

IPSec and ConnTrack

Re: CRS354-48G+4S+2Q works like a hub

Re: CRS354-48G+4S+2Q 802.3ad between switch and debian didn't works

CRS354-48G+4S+2Q 802.3ad between switch and debian didn't works

CRS354-48G+4S+2Q works like a hub

Re: Proper way to configure RSTP/Loop protection

Proper way to configure RSTP/Loop protection

Re: LAN Bridge works fine only with "USE IP Firewall" option, or torch enabled

Re: LAN Bridge works fine only with "USE IP Firewall" option, or torch enabled

Re: LAN Bridge works fine only with "USE IP Firewall" option, or torch enabled

Re: LAN Bridge works fine only with "USE IP Firewall" option, or torch enabled

Re: LAN Bridge works fine only with "USE IP Firewall" option, or torch enabled

Re: LAN Bridge works fine only with "USE IP Firewall" option, or torch enabled

LAN Bridge works fine only with "USE IP Firewall" option, or torch enabled