I have a VRF with a directly connected interface and a few static routes, and a main table with a default route. Looking at the FIB wiki https://wiki.mikrotik.com/wiki/Manual:IP/Route#Forwarding_Information_Base there's an implicit catch-all rule where lookup for routes that don't exist in a VRF is ...
Is it possible to route leak a VRF table and the main table? I have a main table that has OSPF routes and I have a VRF. I want to leak everything from the main table towards the VRF, and from VRF I just need to leak directly connected routes. I know I can do it over mangle, route policy rules, stati...
Still nothing? Same with v6 NAT. transparent proxy and IPS/IDS implementation depend on this.
Iptables has had that feature for a long time; I don't understand why exactly ROS7 is necessary.
Just noticed that one of my CCRs (CCR1036-12G-4S) doesn't display the temperature properly. Basically got two exact same model CCRs on same firmware (3.39) and ROS 6.38.7 and the problematic one shows: > system health pr fan-mode: auto use-fan: main active-fan: main cpu-overtemp-check: yes cpu-over...
I have a very specific issue, I want to make my dumb aircon to be discoverable outside its broadcast domain. Basically the APP that does the discovery performs a directed broadcast (they could obviously just use a plain broadcast) inside its subnet and discovers the air con. After a simple discovery...
Hmmmm
But those are mostly on 2412
Are they really interfering this much on 2437 ?
I must admit I am puzzled how people even use wifi in a crowded apartment building. I can't imagine I have such a bad situation..
Is there anything I can do here, tweak certain parameters, anything except going 5G?
I'm experiencing issues with wifi with packets larger than 500-600 bytes. Basically 15-20% packet loss with 1000-byte ICMP packets. So it isn't an MTU issue, rather something wrong with the radio on the RB itself. Smaller packets are not dropped. Tried both 6.40 and latest bugfix release. Same behaviour...
Actually with aes256ctr I'm getting more like 50-60Mbps (even with multiple tcp connections!). Win some, lose some... it's like a game with ipsec. Here are some UDP stats: aes256cbc: ------------------------------------------------------------ Server listening on UDP port 5001 Receiving 1470 byte datagra...
I can confirm I'm definitely getting better throughput with sha1/aes256ctr (aes128ctr gives similar performance) on windows machines. I'm getting around 70Mbps in either direction both with linux and windows. This is a huge improvement for windows, yet it's about 20-30% worse for linux to linux. Aft...
From my experience l2tp/ipsec works ok between a windows client and mt server although like pe1chl said, it can be tricky when behind NAT.
Can mac do OpenVPN? Personally I'd go with that with a dedicated server/vm for this purpose.
At least until ROS7
Hello, I'm experiencing slow transfer speeds when a Windows machine (7 and 10 tested) is involved. The setup: PC1@LAN1 --- CCR1036 ---(pppoe)---ISP--- (pppoe)---CCR1036 --- PC2@LAN2 | ------------- l2tp/ipsec -------------- | Both sites are connected to the same ISP with pppoe (mtu 1492) 100/100Mbp...
Uh where do you see sector writes? Did the location change? On my CCRs with 6.34.2 and RB2011 on 6.32.3 sector writes info is missing under /system resources. On my old RB2011 on 5.24 sector writes are visible under resources They are also visible on a x86 6.30.4. I didn't even notice this until the...
That was never an issue. Of course I could do it by hand but since both of my locations are on dynamic IP, I have to rely heavily on scripting in order to achieve the same thing. When one of the addresses changes I need to edit GRE interface, ipsec peer and finally ipsec policy on both locations. It...
Phase1 is exactly the issue here.
Namely GRE interface with ipsec secret enabled creates a dynamic ipsec peer.
That dynamic ipsec peer uses sha1-3des/aes128 for phase1 and that cannot be changed.
There should be an option inside GRE interface to define phase1/phase2 (group actually).
It was a single TCP connection per direction with TCP MSS clamping for the GRE tunnel, IPSec in transport mode.
So in the end the actual MTU for the tunnel is 1426B.
All devices were connected with a single 1Gbps link.
So I've finally bought two CCR1036s and am currently trialing them for GRE/IPSec VPN connectivity. Using 6.34rc41 this is the result of running iperf in dualtest TCP mode. PC1 ---- CCR1 --- [gre/ipsec_sha1_aes256cbc] --- CCR2 ---- PC2 http://i.imgur.com/8EEZ7ZK.gif?1 I'm relieved that the CCR is a...
Is it possible to have at least winbox/ssh VRF aware so that one could access the router through both primary and backup ISP (e.g. 3G stick) at the same time? Assigning ppp interface and a default gw to backup_mgmt-vr works and ICMP seems to respond properly. But not winbox/ssh... 0 A S dst-address=0...
IPSEC issue still present - [Ticket#2015122766000277] CCR IPSEC in-state-sequence-errors
Left duplex iperf tests for a few hours and was greeted with a downed tunnel and state sequence errors.
Is there any info on issues with IPSEC in CCR? To be precise - [Ticket#2015122766000277] CCR IPSEC in-state-sequence-errors Basically a few hours after the tunnel had been established (actually next morning), it gets terminated; one of the routers had increasing in-state-sequence-errors under ipsec sta...
Is it possible to define default Phase1/Phase2 proposals for dynamic policies, e.g. ipsec enabled within GRE and L2TP config? I want to use sha1/aes256cbc for my GRE tunnels but sha1/aes128 is the default. For Phase2 apparently only the "Default" proposal can be altered to get the desired ...
I'm planning on getting two CCR1036 for connecting two sites via VPN and need to have answers... So in the end, did ANYONE succeed in creating a single IPSec/L2TP(or GRE) tunnel between two say CCR1036 and got 500Mbps+ between two clients from two routed networks behind those two CCRs ? There's a mi...
Ah very nice, was actually worried MT had abandoned the promised bugfix track as 6.31 was released and 6.32rcs started appearing... A very basic question, currently I'm on 6.30.2 release but winbox doesn't show update track choice (bugfix, and current), so I'd have to manually download the npk and d...
I'm still having constant router reboots, whenever my PPPoE connection is reset. A week or so ago (ROS x86 6.28) I had almost daily reboots, ALWAYS exactly when my ISP PPPoE connection gets reset (24hrs mandatory reconnect). I'm suspecting this has to do either with PPPoE or more likely IPsec as the...
Hmm, strongly considering buying a ccr1009 to replace my rb2011 for a 100/100 link. My setup relies on l2tp over ipsec, so I've been reading a lot about ipsec throughput on ccr1009. Turns out many people have issues and there are LOTS of threads regarding ccr and ipsec. Beside you two guys, what thr...
Did you try running DHCPv6 client on the ROS x86 router on the LTE interface? The only correct solution to this is if you get DHCPv6 PD advertised. Then you can split that prefix into smaller subnets if necessary and/or assign it to your LAN-bound interface. If you get no PD, then perhaps you could ...
I'm noticing that sometimes on reconnecting a l2tp session, server bindings aren't respected and a new dynamic l2tp server interface is created, e.g. <l2tp- username > even though I created static bindings for certain usernames. This is an issue for firewall rules. Anyone else noticed this? Using an...
pppoe - fixed crash when big ppp packets with were sent over EOIP; Could this explain the symptoms of this issue? Your router could either have a high memory usage or reboot itself. Hmmm... just upgraded from 5.14 to 6.27 and had two sudden reboots in the last 3 days. I do have a pppoe client session to...
Can anyone say what is the typical throughput with AES128 IPsec configuration for RB2011? Currently I'm getting 100% CPU with NAT masquerade, 20-30 firewall rules, IPSec/L2TP VPN connection with about 20Mbps transfer. I was expecting a bit more than that.... On the other end of the same VPN is a x86...
Still same issues regarding IPsec like in 6.17.
L2TP/IPSec tunnels disconnecting and only SA policy flush helps - no log messages indicating problems visible.
Is it possible to see the OSPF database with all possible routes?
"routing ospf route" shows only the ospf routes that are actually installed in the routing table.
I'd like to see all the alternative paths not installed in the routing table...
Oh, we're making progress!
A few years ago it was almost written in stone that no UDP support is ever planned.
That is good news, at least they are considering it now.
I want to drop all incoming packets with MAC other than aaaa.bbbb.cccc just like port security on e.g. cisco switch works. Switchport functionality only.
RB2011UAS-2HnD with latest OS/fw. Is it possible to set static mac address for a certain switch port so that no other host/mac is allowed - much like port security? It doesn't seem to be possible to define a rule to drop any mac address under /interface ethernet switch host With host entry to drop m...
Did an upgrade from 6.15->6.17 with 3.18 fw. IPSec behavior is again like on 6.14, SAs don't get updated properly and only SA flush helps. L2TP/IPSEC/OSPF VPNs in question. Also SNMP, not getting interface traffic info anymore. MT, it's like children playing with the code... 6.x is terrible from wha...
OSPF failing for me is just the result of L2TP tunnel terminating again as a result of IPSec failing. Anyhow, as I described above, similar issues - IPSec indeed seems very unstable in the whole 6.x release. In fact it's getting worse with every new version. Fully support you on that one mate, MT st...
Hi, Don't know if there should be a separate topic, but here goes. I'm running a L2TP/IPSec/OSPF VPN between multiple MikroTik 2011UAS routers. I'm having issues on 6.13 where I have to frequently flush SAs to reconnect dropping L2TP connections. On 6.10 this happened from time to time, but on 6.13 ...
I'm experiencing issues similar to what is described in the following topic: http://forum.mikrotik.com/viewtopic.php?f=2&t=83293 system: rb2011uas-2hnd ros: 6.12, 6.10 The router simply isn't accessible over ethernet/wifi after a while. I still didn't have the time to connect over the console on...
I'm performing throughput testing with iperf on a PC and when testing upstream UDP the router crashes instantly. When testing downstream UDP, there are no issues. PC->RB(nat)->Internet The packet rate I try doesn't matter, even few KB/s cause the same issue. RB has NAT masquerade configured. Running...
Hi, I have L2TP/IPsec tunnels between multiple sites (all of them are on dynamic ip ...) like this, all of those have site2site VPN setup. siteA-----siteB----siteC |__________________| Currently I have a completely static setup but am thinking of using OSPF. Is it possible to have an alternative rou...
Can someone please clarify this for me. I'm trialing ROS 6.x and got confused regarding QoS. I was running double QoS on 5.x - mangle prerouting + global-in to prioritise traffic - mangle forwarding + global-out for PCQ to give each client equal bw Just like found on many MT presentations and docume...
I am currently trialing ROS 6.x and noticed that when trying to import a certificate CPU ends up at 100%.
It's a clean netinstall using the latest 6.5 version.
Has anyone had success combining these two? I'm on 5.25 but there's nothing in /system/ports. Only serial0 for the console.. The Huawei is recognized in /system/resources/usb though. The wiki mentions E1762 as supported, but then again I've seen posts of people claiming they got 1752 working (different...
Just to report on my progress regarding this issue. I also contacted support and got the same answer as @macsrwe. The tricky part was to actually get the RB2011 to netboot/etherboot. After spending at least an hour I managed to reinstall using netboot. Reapplied the configuration using the exported ...
Hmmm.... Recently (actually I'm running the unit for a few months) I've started experiencing loss of connection between the left (gigabit switch) port group 1-5 and the CPU. The ports on the 100Mb switch work fine tho. Phy on machines seems working but no way to access the RB from those ports. I got...
Hi all, I've found some rather old posts concerning this issue but that was back on 3.x sw version and we're now at 5.x (6.x even). While saving the backup (configuration) using the '/system backup save' command I end up getting: > system backup save Saving system configuration Configuration backup ...
So far as I know, using channels other than 1, 6 and 11 (actually 1, 5, 9, 13 for 11g) @2.4G is a big no-no as it brings more interference due to the fact a single connection uses ~20MHz width and each channel is only 5MHz. But.. I'm at rather loose terms with my knowledge on wireless networks so hopefull...
Hi all, This is the situation I'm having right now at my place: http://www.deviantpics.com/images/2013/04/29/ssid_scan_20130429.th.png 'gbit6wlan' is my SSID. My RB is RB2011UAS-2HnD. Currently using CH1+5 in 802.11n mode @2.4Ghz. What channel would you suggest I choose? CH13 is out of the question ...
Ok so I may have found the reason and a workaround... The forwarding chain isn't supposed to see the IPsec traffic as encryption happens after postrouting chain. Since I marked traffic in forwarding chain before it was encrypted, that mark must have been copied to the ipsec packet itself and the glo...
Maybe the best way to describe my problem is this: http://www.deviantpics.com/images/2013/04/07/mikrotik_ipsec2.png As you can see in mangle rules 'all-us' is upload traffic marked in forward chain. It should also catch traffic from l2tp interface. The red/blue marked line in mangle is the only plac...
Hi, I'm trying to mark the actual traffic encrypted with IPsec (tunneled) so i can perform QoS. I'm using queue-tree, forwarding chain and global-out. Interface ether10-gateway is for WAN and includes NATting. Interface l2tp-site1site2_cli is L2TP towards site2. Traffic between local subnets on site...
I suspect the issue was related to the fact I'm using masquerade/nat so the connection tracking didn't like the combination of the rules. I'm successfully using these rules now: (...) add action=mark-connection chain=prerouting connection-bytes=0-500000 \ new-connection-mark=http_req-conn port=80,44...
Hi, I'm having issues with packet counters on the mangle rules. Packet counters for mangle marking rules in the prerouting chain don't get incremented when forwarding chain overwrites those markings i.e. when I start a 10Mbps http download the global-out (forward) is seeing the whole traffic. But at...
Wow... I'm getting only 30Mbps at MOST (11n) on a 2011UAS in a crowded apartment building with ~40-50 APs around...
After (and if ever) I get to sort things out with QoS, I'm definitely going to investigate the WiFi.
Then you could possibly help with the issue I have. Like I said I'm following the Megis approach. I tried to set up QoS in 2 steps: 1. prioritisation (prerouting packet mangling - global-in HTB), 2. PCQ (forward packet mangling - global-out HTB) I'm experiencing the issue where prerouting rules don't...
Can you explain those "no packet quantifiers" comments? I'm also following the Megis approach but apparently traffic/packet counters for prerouting mangle rules don't work when forwarding rules for same traffic are applied. Can the prerouting marked packets in global-in HTB still get prior...
Hi, As most of the people that went to investigate QoS, I started with the presentation from Megis. The PCQ is mostly clear, even though I had to investigate further to configure this properly for a NATting router. The config for the PCQ part was inspired by this thread: http://forum.mikrotik.com/vi...
I wouldn't mind that DNS suffix can't be supplied from MT to the client, but the problem is that my W7 l2tp client with manually configured dns suffix loses that config once the client connects. The DNS suffix can't be applied, not even manually, on a windows client. Is there a way around that at lea...
A rather disappointing turn of events for OpenVPN. UDP support seems essential to me. Why even implement it in such a limited way, it's not like this helps much. I would suggest pumping up the "votes" on the wiki request page: http://wiki.mikrotik.com/wiki/MikroTik_RouterOS/Feature_Request...
I was able to successfully configure and connect with L2TP/IPSEC/NAT-T/PSK from a windows7 client. Using ROS5.14 Next I tried to set up a rsa signature mode for ipsec peer. I created a CA, server and client rsa cert/key pairs (pem format for mikrotik), imported the CA.crt, server and client cert/key ...
I can also confirm that L2TP+IPSEC+PSK+NAT-T+ ROS 5.14 works with windows registry modification and main-l2tp peer setting.
What about certificates instead of PSK?
Did anyone actually manage to connect mikrotik with public IP and client behind NAT using L2TP/IPSec/NAT-T on 5.x? When the client isn't behind NAT it works without problems on 5.14, but when it's behind NAT I simply cannot get it to work... A confirmation that it really is working and a complete c...
Right now on ROS 5.14 and apparently l2tp+ipsec (preshared key) + client behind NAT doesn't work.
When the client isn't behind NAT everything goes smoothly...
Did anyone ever manage to get the above setup (client behind NAT) working??
I have a DSL connection to my ISP that forces reconnect every 24hrs and the ipv4 WAN address changes. I'm updating my DNS and tunnel IPs with a script that is triggered by netwatch. Sadly I simply can't get it to always work like that. I have netwatch configured to ping a known outside IP every 2 se...
Actually my question is...
Can MikroTik's DHCP, upon host IP negotiation, send hostname + IP to a bind server?
I know that /tool dns-update exists... but is there a possibility to run it automatically when a host registers itself on DHCP?
Does such a setup have any point: http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/ ? Currently I got some important hosts assigned a static IP via DHCP and also got them a static DNS entry with a suffix ".home". In both scenarios you'd have to manually edit DHCP and assign ip->m...
Anyhow... would be nice if mikrotik finally added DHCPv6 with an option to only update DNS if address already autoconfigured. Something like an AdvOtherConfigFlag flag where all parameters except IP would be given. That way autoconfig would work per default and DHCPv6 would help windows hosts to get ...
So basically (not talking about DHCPv6), IPv6 stateless autoconfig doesn't currently offer extensions for DNS config? I mean I realise mikrotik passes DNS in RADVD but since it's still not an IETF standard there's no official support eg. Windows. I see there's an IETF draft from 2001 (!) about DNS sta...
Is it possible to make some mangle/filter rule that would mark wireless traffic that is on the same subnet as wired? Currently there's an unmanaged switch that connects mikrotik router with the rest of the wired clients as well as an AP. So far as I know the AP (WL-5460AP) isn't able to mark traffic. S...
In case somebody uses the HE.net DNS service that recently added DDNS support here's the script I use. Just check your ROS supports fetch url parameter. # Update Hurricane Electric DDNS IPv4 address :local ddnshost "dyndnshost" :local key "key" :local updatehost "dyn.dns.he....
Got ROS 3.30.
I'm trying to use WOL but have been unable to make it work.
I'm using the syntax /tool wol <mac> interface=<if>
Nothing happens... anyone been successful on using WOL on this version?
I'm using mikrotik as dns caching server for my local network (all DNS requests are redirected to mikrotik). I added a few static entries for my hosts such as host1.local, host2.local etc. The problem is, when resolving such a domain name from a W7 PC (tried two different PCs) there's a delay of around...
Are you using NAT masquerading? If so, isn't the problem here with queue type Internet_Upload? "InternetIface" only sees one srcNATed IP address so it can't group traffic by its real local IP address... You would have to use global-out as it's the only one aware of real IP addresses I think...
Sadly I cannot delete topics I created so bear with me... Mods are free to delete my last QoS topic. Got ADSL link and am behind NAT masquerading. Firstly, can somebody point me to a working and tested ADSL QoS setup on mikrotik? I was trying to follow the Megis QoS Best practice ( link ) but encoun...
The rules for FTP work when using unencrypted FTP because I'm marking a whole connection that gets started when accessing remote port 21. I'm getting upload traffic on the Queue tree rule 4 (ftp_ul).
Hmmm... MIGHT have discovered the problem. Since I'm connected to pppoe there's an option to change MSS. Indeed there are 2 rules for mangle (only shown with print all in console): [vobelic@core] > ip firewall mangle print all Flags: X - disabled, I - invalid, D - dynamic 0 D chain=forward action=ch...
I'm experiencing weird problems when using mangle rules with forwarding chain. I tried to setup a simple PCQ rule. ROS 3.30, ADSL connection with NAT (masquerade)... 10.1.0.0/24 is the LAN network behind the NAT pppoe-out1 is the ADSL connection When mangle rules 10 and 11 are active as it's the cas...
I presume ipv6 DNS servers don't handle A records? Had a strange situation just a while ago. I have some static DNS cache entries (to ipv4 addresses) on mikrotik and the client (W7) had manually configured DNSv6 server pointing to mikrotik. Yesterday I was able to resolve those ipv4 addresses from ...
There are a few things I don't understand. Using XP/7 on my network that is ipv6 enabled (stateless autoconfig). The router is connected to ipv6 through HE 6to4 tunnel. Clients get EUI64 address and the network prefix from the router. Routing and all works. The thing I noticed, the ipv6 DNS server isn'...
If input manages packets whose destination is one of the router's IPs...
Then WHY did it matter when I, e.g., disabled rule no. 5 in the setup I showed at the beginning?
With rule 5 disabled ping didn't pass, with rule 5 enabled I was able to ping the IP cam from outside.
How come?
I want to set up a 6to4 tunnel using SixXS IPv6 tunnel broker service. My IPv4 connection to my ISP is a forced dynamic IP configuration (forced 24h reset). I came upon this wiki page for setting a tunnel: https://www.sixxs.net/wiki/RouterOS Is it possible to set this up using a dynamic IP endpoint? H...
Just noticed that I can't be pinged from the outside.
Checked my firewall and UDP and ICMP are allowed.
Using PPPoE client with ADSL modem for outside connection.
Yes you can. One user can see his own IP address's graph. tools --> graphing --> Queue rules --> queue (name) -- allow address (one address other than all) Note: you need to add ip/name on simple queue thanks! also is it possible to present graphs in B/s, not in b/s ? thanks in advance
Hi all, I tried adding some static IPs and if I defined a custom client-id (instead of the mac address) the clients didn't want to catch that IP I defined but were acting as if the dhcp static lease wasn't defined. What's up with that? I thought client-id was something optional and any custom string ...
Wanted to know if there's a way to invoke the script that reports the IP on every boot/reboot or dsl line reconnect?
Also, what's that policy setting while creating new scripts?
Same here! Though I'm using 2.9.27. Does anyone know if there's a solution to that? I tried 4 ethernet cards so far!!!! d-link 550TX (I think) drops packets like mad, 2 weren't recognized, one 10Mbps realtek can't be enabled (reports failure (6), and the newest (linksys but actually it's got realtek 81...