Community discussions

Search found 127 matches

by _saik0
Mon Sep 10, 2018 3:20 am
Forum: General
Topic: IPv6 Routing Mark in Firewall > Mangle Rules
Replies: 47
Views: 10307

Re: IPv6 Routing Mark in Firewall > Mangle Rules

Still nothing? Same with v6 NAT. Transparent proxy and IPS/IDS implementation depend on this.
Iptables has that feature for a long time, i don't understand why exactly ROS7 is necessary.
by _saik0
Sat Feb 17, 2018 3:22 pm
Forum: General
Topic: directed broadcast and nat
Replies: 4
Views: 1029

Re: directed broadcast and nat

ancient bump...
by _saik0
Tue Nov 07, 2017 11:05 pm
Forum: General
Topic: directed broadcast and nat
Replies: 4
Views: 1029

Re: directed broadcast and nat

bump
by _saik0
Sun Sep 17, 2017 3:47 pm
Forum: General
Topic: CCR temperature reading problem
Replies: 3
Views: 554

Re: CCR temperature reading problem

Warranty from the distributor is long since expired :/
by _saik0
Sun Sep 17, 2017 2:40 pm
Forum: General
Topic: CCR temperature reading problem
Replies: 3
Views: 554

CCR temperature reading problem

Just noticed that one of my CCR's (CCR1036-12G-4S) doesn't display the temperature properly. Basically got two exact same model CCRs on same firmware (3.39) and ROS 6.38.7 and the problematic one shows: > system health pr fan-mode: auto use-fan: main active-fan: main cpu-overtemp-check: yes cpu-over...
by _saik0
Thu Aug 17, 2017 9:46 pm
Forum: General
Topic: directed broadcast and nat
Replies: 4
Views: 1029

Re: directed broadcast and nat

Can someone from MT comment on this?
by _saik0
Wed Aug 16, 2017 1:12 am
Forum: General
Topic: directed broadcast and nat
Replies: 4
Views: 1029

directed broadcast and nat

I have a very specific issue, i want to make my dumb aircon to be discoverable outside its broadcast domain. Basically the APP that does the discovery performs a directed broadcast (they could obviously just use a plain broadcast) inside its subnet and discovers the air con. After a simple discovery...
by _saik0
Thu Aug 03, 2017 12:10 am
Forum: General
Topic: RB2011 packet loss on larger packets over wifi
Replies: 2
Views: 483

Re: RB2011 packet loss on larger packets over wifi

Hmmmm
But those are mostly on 2412
Are they really interfering this much on 2437 ?
I must admit I am puzzled how people even use wifi in a crowded apartment building. I can't imagine I have such a bad situation..

Is there anything I can do here, tweak certain parameters, anything except going 5G?
by _saik0
Wed Aug 02, 2017 7:03 pm
Forum: General
Topic: RB2011 packet loss on larger packets over wifi
Replies: 2
Views: 483

RB2011 packet loss on larger packets over wifi

I'm experiencing issues with wifi with packets larger than 500-600Byte. Basically 15-20% packet loss with ICMP 1000Byte packets. So it isn't a MTU issue, rather something wrong with the radio on the RB itself. Smaller packets are not dropped. Tried both 6.40 and latest bugfix release. Same behaviour...
by _saik0
Sun Oct 02, 2016 3:01 pm
Forum: General
Topic: DHCPv6-client broken since v6.34
Replies: 7
Views: 1858

Re: DHCPv6-client broken since v6.34

Wait what?

A dynamic PD with 24hr reset and every time you are assigned a different v6 prefix?
Is your ISP stupid or what?
by _saik0
Sun Aug 21, 2016 2:43 pm
Forum: General
Topic: Slow IPSec tunnel and windows machines
Replies: 11
Views: 1991

Re: Slow IPSec tunnel and windows machines

Actually with aes256ctr i'm getting more like 50-60Mbps (even with multiple tcp connections!). Win some, lose some... it's like a game with ipsec Here some UDP stats: aes256cbc: ------------------------------------------------------------ Server listening on UDP port 5001 Receiving 1470 byte datagra...
by _saik0
Wed Aug 17, 2016 9:42 pm
Forum: General
Topic: Slow IPSec tunnel and windows machines
Replies: 11
Views: 1991

Re: Slow IPSec tunnel and windows machines

I can confirm i'm definitely getting better throughput with sha1/aes256ctr (aes128ctr gives similar performance) on windows machines. I'm getting around 70Mbps in either direction both with linux and windows. This is a huge improvement for windows, yet it's about 20-30% worse for linux to linux. Aft...
by _saik0
Tue Aug 16, 2016 9:52 pm
Forum: General
Topic: replace Windows PPTP VPN
Replies: 12
Views: 1541

Re: replace Windows PPTP VPN

From my experience l2tp/ipsec works ok between a windows client and mt server although like pe1chl said, it can be tricky when behind NAT.
Can mac do OpenVPN? Personally i'd go with that with a dedicated server/vm for this purpose.
At least until ROS7 ;)
by _saik0
Tue Aug 16, 2016 9:11 pm
Forum: General
Topic: Slow IPSec tunnel and windows machines
Replies: 11
Views: 1991

Slow IPSec tunnel and windows machines

Hello, I'm experiencing slow transfer speeds when a Windows machine (7 and 10 tested) is involved. The setup: PC1@LAN1 --- CCR1036 ---(pppoe)---ISP--- (pppoe)---CCR1036 --- PC2@LAN2 | ------------- l2tp/ipsec -------------- | Both sites are connected to the same ISP with pppoe (mtu 1492) 100/100Mbp...
by _saik0
Mon Feb 22, 2016 9:05 pm
Forum: Announcements
Topic: v6.32.4 [bugfix] is released!
Replies: 24
Views: 12892

Re: v6.32.4 [bugfix] is released!

but what about RB2011?

There's clearly write sectors info on older ROS.
by _saik0
Sun Feb 21, 2016 4:22 pm
Forum: Announcements
Topic: v6.32.4 [bugfix] is released!
Replies: 24
Views: 12892

Re: v6.32.4 [bugfix] is released!

Uh where do you see sector writes? Did the location change? On my CCRs with 6.34.2 and RB2011 on 6.32.3 sector writes info is missing under /system resources. On my old RB2011 on 5.24 sector writes are visible under resources They are also visible on a x86 6.30.4. I didn't even notice this until the...
by _saik0
Wed Feb 17, 2016 12:50 am
Forum: RouterOS v6 RC and v7 BETA
Topic: 6.16 import stops when there is a duplicate entry
Replies: 15
Views: 6488

Re: 6.16 import stops when there is a duplicate entry

Thank you!
Was also thinking the same - add an option (or make it default) to continue executing/importing the config after an error.
by _saik0
Tue Feb 16, 2016 11:02 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: LLDP
Replies: 126
Views: 42060

Re: LLDP

Also strongly support the notion to add support for LLDP.
It's standard and supported by most vendors nowadays.
by _saik0
Sun Jan 31, 2016 3:05 pm
Forum: General
Topic: Dynamic IPSEC Phase1/Phase2 proposal
Replies: 6
Views: 2173

Re: Dynamic IPSEC Phase1/Phase2 proposal

That was never an issue. Of course i could do it by hand but since both of my locations are on dynamic IP, i have to rely heavily on scripting in order to achieve the same thing. When one of the addresses changes I need to edit GRE interface, ipsec peer and finally ipsec policy on both locations. It...
by _saik0
Sun Jan 31, 2016 4:55 am
Forum: General
Topic: Dynamic IPSEC Phase1/Phase2 proposal
Replies: 6
Views: 2173

Re: Dynamic IPSEC Phase1/Phase2 proposal

Phase1 is exactly the issue here.
Namely GRE interface with ipsec secret enabled creates a dynamic ipsec peer.
That dynamic ipsec peer uses sha1-3des/aes128 for phase1 and that cannot be changed.
There should be an option inside GRE interface to define phase1/phase2 (group actually).
by _saik0
Wed Jan 27, 2016 8:39 pm
Forum: RouterBOARD hardware
Topic: CCR IPSec performance
Replies: 39
Views: 14889

Re: CCR IPSec performance

It was a single TCP connection per direction with TCP MSS clamping for the GRE tunnel, IPSec in transport mode.
So in the end the actual MTU for the tunnel is 1426B.

All devices were connected with a single 1Gbps link.
by _saik0
Tue Jan 26, 2016 8:35 pm
Forum: RouterBOARD hardware
Topic: CCR IPSec performance
Replies: 39
Views: 14889

Re: CCR IPSec performance

So i've finally bought two of CCR1036 and am currently trialing them for GRE/IPSec VPN connectivity. Using 6.34rc41 this is the result of running iperf in dualtest TCP mode. PC1 ---- CCR1 --- [gre/ipsec_sha1_aes256cbc] --- CCR2 ---- PC2 http://i.imgur.com/8EEZ7ZK.gif?1 I'm relieved that the CCR is a...
by _saik0
Fri Jan 15, 2016 8:52 pm
Forum: General
Topic: VRF aware management services (winbox, ssh, http)
Replies: 2
Views: 972

VRF aware management services (winbox, ssh, http)

Is it possible to have at least winbox/ssh VRF aware so that one could access the router through both primary and backup ISP (e.g. 3G stick) at the same time? Assigning ppp interface and a default gw to backup_mgmt-vr works and ICMP seem to respond properly. But not winbox/ssh... 0 A S dst-address=0...
by _saik0
Thu Jan 14, 2016 1:23 am
Forum: Announcements
Topic: v6.33.5 [current] is released!
Replies: 120
Views: 33534

Re: v6.33.5 [current] is released!

Just upgraded both of my CCR1036.

IPSEC issue still present - [Ticket#2015122766000277] CCR IPSEC in-state-sequence-errors
Left duplex iperf tests for a few hours and was greeted with a downed tunnel and state sequence errors.
by _saik0
Fri Jan 08, 2016 10:21 pm
Forum: General
Topic: v6.33.3 [current] is released!
Replies: 59
Views: 18539

Re: v6.33.3 [current] is released!

Is there any info on issues with IPSEC in CCR? To be precise - [Ticket#2015122766000277] CCR IPSEC in-state-sequence-errors Basically few hours after the tunnel had been established (actually next morning), it gets terminated one of the routers had increasing in-state-sequence-errors under ipsec sta...
by _saik0
Tue Dec 29, 2015 2:28 pm
Forum: General
Topic: Dynamic IPSEC Phase1/Phase2 proposal
Replies: 6
Views: 2173

Re: Dynamic IPSEC Phase1/Phase2 proposal

bump
by _saik0
Sat Dec 26, 2015 12:16 am
Forum: General
Topic: Dynamic IPSEC Phase1/Phase2 proposal
Replies: 6
Views: 2173

Dynamic IPSEC Phase1/Phase2 proposal

Is it possible to define default Phase1/Phase2 proposals for dynamic policies, e.g. ipsec enabled within GRE and L2TP config? I want to use sha1/aes256cbc for my GRE tunnels but sha1/aes128 is the default. For Phase2 apparently only the "Default" proposal can be altered to get the desired behavior, ...
by _saik0
Sun Nov 22, 2015 8:57 pm
Forum: RouterBOARD hardware
Topic: CCR IPSec performance
Replies: 39
Views: 14889

Re: CCR IPSec performance

Thanks for the input!

Well yes, that pretty much answers my question and confirms my fears...

Seems i'd really be better off with two multi-core x86 servers/workstations :/
Yes it can handle a lot more than 500Mbps
Comments?
by _saik0
Sun Nov 22, 2015 1:12 pm
Forum: RouterBOARD hardware
Topic: CCR IPSec performance
Replies: 39
Views: 14889

Re: CCR IPSec performance

I'm planning on getting two CCR1036 for connecting two sites via VPN and need to have answers... So in the end, did ANYONE succeed in creating a single IPSec/L2TP(or GRE) tunnel between two say CCR1036 and got 500Mbps+ between two clients from two routed networks behind those two CCRs ? There's a mi...
by _saik0
Wed Aug 26, 2015 1:48 pm
Forum: Announcements
Topic: v6.30.4 bugfix release
Replies: 104
Views: 26245

Re: v6.30.4 bugfix release

Ah very nice, was actually worried MT had abandoned the promised bugfix track as 6.31 was released and 6.32rcs started appearing... A very basic question, currently i'm on 6.30.2 release but winbox doesn't show update track choice (bugfix, and current), so i'd have to manually download the npk and d...
by _saik0
Sun Aug 16, 2015 8:56 pm
Forum: Announcements
Topic: v6.30.2 bugfix release
Replies: 148
Views: 37630

Re: v6.30.2 bugfix release

I'm still having constant router reboots, whenever my PPPoE connection is reset. A week or so ago (ROS x86 6.28) i had almost daily reboots, ALWAYS exactly when my ISP PPPoE connection gets reset (24hrs mandatory reconnect). I'm suspecting this has to do either with PPPoE or more likely IPsec as the...
by _saik0
Tue Apr 07, 2015 12:38 am
Forum: General
Topic: Cloud Core IPSEC performance
Replies: 15
Views: 6680

Re: Cloud Core IPSEC performance

Hmm, strongly considering buying a ccr1009 to replace my rb2011 for a 100/100 link. My setup relies on l2tp over ipsec, so i've been reading a lot about ipsec throughput on ccr1009. Turns out many people have issues and there are LOTS of threads regarding ccr and ipsec. Beside you two guys, what thr...
by _saik0
Mon Apr 06, 2015 7:52 am
Forum: General
Topic: Suggestions for IPv6 configuration
Replies: 4
Views: 1177

Re: Suggestions for IPv6 configuration

Did you try running DHCPv6 client on the ROS x86 router on the LTE interface? The only correct solution to this is if you get DHCPv6 PD advertised. Then you can split that prefix into smaller subnets if necessary and/or assign it to your LAN-bound interface. If you get no PD, then perhaps you could ...
by _saik0
Mon Apr 06, 2015 3:39 am
Forum: General
Topic: l2tp server bindings not respected on reconnect
Replies: 1
Views: 401

l2tp server bindings not respected on reconnect

I'm noticing that sometimes on reconnecting a l2tp session, server bindings aren't respected and a new dynamic l2tp server interface is created, e.g. <l2tp- username > even though I created static bindings for certain usernames. This is an issue for firewall rules. Anyone else noticed this? Using an...
by _saik0
Tue Mar 31, 2015 11:05 pm
Forum: Announcements
Topic: v6.28 final RC testing
Replies: 92
Views: 31095

Re: v6.28 final RC testing

pppoe - fixed crash when big ppp packets with were sent over EOIP; Could explain the symptoms of this issue? Your router could either have a high memory usage or reboot itself. Hmmm... just upgraded from 5.14 to 6.27 and had two sudden reboots in the last 3 days. I do have a pppoe client session to...
by _saik0
Fri Mar 20, 2015 7:29 pm
Forum: General
Topic: RB2011 IPSec throughput
Replies: 6
Views: 4234

Re: RB2011 IPSec throughput

Hm,

Was expecting a bit more :/
by _saik0
Thu Mar 19, 2015 9:56 pm
Forum: General
Topic: RB2011 IPSec throughput
Replies: 6
Views: 4234

Re: RB2011 IPSec throughput

Anyone?
by _saik0
Mon Mar 16, 2015 11:48 pm
Forum: General
Topic: RB2011 IPSec throughput
Replies: 6
Views: 4234

Re: RB2011 IPSec throughput

hm, ipsec statistics doesn't seem to show any rapidly increasing counters. I do have some static values tho: > /ip ipsec statistics print in-errors: 0 in-buffer-errors: 0 in-header-errors: 0 in-no-states: 21399 in-state-protocol-errors: 27 in-state-mode-errors: 0 in-state-sequence-errors: 73 in-stat...
by _saik0
Sun Mar 15, 2015 12:43 am
Forum: General
Topic: RB2011 IPSec throughput
Replies: 6
Views: 4234

RB2011 IPSec throughput

Can anyone say what is the typical throughput with AES128 IPsec configuration for RB2011? Currently i'm getting 100% CPU with NAT masquerade, 20-30 firewall rules, IPSec/L2TP VPN connection with about 20Mbps transfer. I was expecting a bit more than that.... On the other end of the same VPN is a x86...
by _saik0
Thu Aug 07, 2014 8:11 pm
Forum: General
Topic: v6.18
Replies: 109
Views: 29373

Re: v6.18

Still same issues regarding IPsec like in 6.17.
L2TP/IPSec tunnels disconnecting and only SA policy flush helps - no log messages indicating problems visible.
by _saik0
Tue Jul 29, 2014 10:33 pm
Forum: Forwarding Protocols
Topic: OSPF database table
Replies: 1
Views: 840

OSPF database table

Is it possible to see the OSPF database with all possible routes?

"routing ospf route" shows only the ospf routes that are actually installed in the routing table.
I'd like to see all the alternative paths not installed in the routing table...
by _saik0
Tue Jul 29, 2014 5:58 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 87761

Re: Feature Request: OpenVPN [ovpn] udp tunnels

Oh, we're making progress!
Few years ago it was almost written in stone that no UDP support is ever planned.
That is good news, at least they are considering it now.
by _saik0
Wed Jul 23, 2014 1:49 am
Forum: General
Topic: Switch chip - port security
Replies: 11
Views: 6419

Re: Switch chip - port security

I edited the first post for more clarification...

I want to drop all incoming packets with MAC other than aaaa.bbbb.cccc just like port security on e.g. cisco switch works. Switchport functionality only.
by _saik0
Wed Jul 23, 2014 1:44 am
Forum: General
Topic: Switch chip - port security
Replies: 11
Views: 6419

Re: Switch chip - port security

Thanks for the fast response!

Uh this should be a switchport functionality so no CPU involved...
by _saik0
Wed Jul 23, 2014 1:34 am
Forum: General
Topic: Switch chip - port security
Replies: 11
Views: 6419

Switch chip - port security

RB2011UAS-2HnD with latest OS/fw. Is it possible to set static mac address for a certain switch port so that no other host/mac is allowed - much like port security? It doesn't seem to be possible to define a rule to drop any mac address under /interface ethernet switch host With host entry to drop m...
by _saik0
Tue Jul 22, 2014 1:31 am
Forum: General
Topic: v6.16/v6.17
Replies: 187
Views: 46176

Re: v6.16/v6.17

Did an upgrade from 6.15->6.17 with 3.18 fw. IPSec behavior is again like on 6.14, SAs don't get updated properly and only SA flush helps. L2TP/IPSEC/OSPF VPNs in question. Also SNMP, not getting interface traffic info anymore. MT, it's like children playing with the code... 6.x is terrible from wha...
by _saik0
Wed Jun 11, 2014 10:16 pm
Forum: General
Topic: v6.14 released
Replies: 115
Views: 24157

Re: v6.14 released

I seriously hope that torrent comment "yes why not" was sarcastic...

Any improvements on IPSec in 6.14?
Since 6.13 SAs keep dying and only flush every few hours helps.
by _saik0
Mon May 19, 2014 7:38 pm
Forum: General
Topic: v6.13 released!
Replies: 177
Views: 48352

Re: v6.13 released!

OSPF failing for me is just the result of L2TP tunnel terminating again as a result of IPSec failing. Anyhow, as i described above, similar issues - IPSec indeed seems very unstable in the whole 6.x release. In fact it's getting worse with every new version. Fully support you on that one mate, MT st...
by _saik0
Mon May 19, 2014 3:37 pm
Forum: General
Topic: v6.13 released!
Replies: 177
Views: 48352

Re: v6.13 released!

Hi, Don't know if there should be a separate topic, but here goes. I'm running a L2TP/IPSec/OSPF VPN between multiple MikroTik 2011UAS routers. I'm having issues on 6.13 where I have to frequently flush SAs to reconnect dropping L2TP connections. On 6.10 this happened from time to time, but on 6.13 ...
by _saik0
Thu Apr 17, 2014 2:46 am
Forum: General
Topic: RB2011 unaccessible - possibly related to ipsec/l2tp/ospf
Replies: 1
Views: 547

RB2011 unaccessible - possibly related to ipsec/l2tp/ospf

I'm experiencing issues similar to what is described in the following topic: http://forum.mikrotik.com/viewtopic.php?f=2&t=83293 system: rb2011uas-2hnd ros: 6.12, 6.10 The router simply isn't accessible over ethernet/wifi after a while. I still didn't have the time to connect over the console once t...