MikroTik

hpet

@sindy Yu8NmiOG5VUfETx8sqigP8+XWtRRofi2i7zvdBFfWbf7R07MW2OuyAeWD+oeU5s8 WdhIhYnVg0764VBih4KHaphzGmnw0Wf6tnWZ4LtsnHLbgC/FyDKcqmlshu2JsaEQ 7+ZkutRGKaCHayvYcy/sfQZbYMShqGSuHDubrLT2Ebys4b3O9r42PYieMBM6hpsE lqkaMbSuo5jT9Rpfx5QrQ419DYqPrPV3r6587WdLxWmzm8fZnMJ+7Ai2q3LaCHju VrQSV3+U9jwYzUacmGkbY8rIXAPFBpdSA...

hpet

@sindy, will do openssl and post back. @nichky: I just forced lower mss (payload size) between networks when payload is larger then 1350. This is just a quick solution and as I understand is goes against idea of MLPPP. At the moment I am just happy it works. Due to other pressing work I can't dive d...

hpet

I will try your suggestion in a near future. Currently we are under some work pressure and they are already looking me sideways :) and don't want to touch that at the moment. Sad imaš neki razlog da sljedeči put staneš u Mariboru, samo da ova korona prođe. Neznam kako da ti šaljem email ili možeš da...

hpet

Sindy, I would realy like to thank you tons for sticking out and helping me.
Sorry if I misled you somewhere along the way. Wasn't on purpose, just my lack of knowledge.
Imaš pivo i više ako ikad dođeš u Maribor!

hpet

I was running iperf in default (tcp) mode yes.
Unless when you told me to run as udp.

Oh man, did I just spend two days of our lifes due to my stupidity?

wireshark capture was iperf UDP mode.

hpet

Yes, I can confirm. Everything is working as it should now. Tried file transfers, iperf, all ways, running smoothly. Maaaaaan, no wonder I am getting gray hair :D The mistery will remain why one pc from network was working regardless of this rule. Does this rule makes sense to you in all this situat...

hpet

Sindy, I think I got it. I added this mangle rule on both sides (with reverse addresses on another side) and I think I have full bandwidth now. Let me test some more... If this proves to be a fix I would appreciate if we can make some sense out of it. /ip firewall mangle add chain=forward action=cha...

hpet

left is sender: iperf -u -c 172.31.3.99
right is receiver: iperf -s

I sorted columns and positioned.

hpet

If this capture is a snapshot of what goes into the tunnel and capture what comes on the other side out, then it means that something is lost between mikrotiks?

hpet

Packets on central site (initiating iperf) are in sequence.
Packets captured on remote site (iperf receiver) are kind of not in sequence, has gaps.
Did I capture it right?

hpet

I did try to initiate a file copy from both sites to both sites and it is not going anywhere.
Will start capturing traffic now.

hpet

I am about to start capture, but I noticed something interesting. If I run iperf server on remote site and iperf client on central site, I get slow connection - this is how I was running it. But now I ran iperf client on remote site and iperf server on central site - I get normal result on problemat...

hpet

Updates. 1. ISP reset/flushed/checked their modems. They are in bridged mode, no filtering enabled Problem remains. Not a modem issue. 2. Physicaly replugged working <=> nonworking pc Problem remains. working pc is still working even if plugged elsewhere... nonworking pc still not working even if pl...

hpet

Just for "fun" I asked they to plug some "faulty" pc into port on which the working pc is. Could it mean something that working pc is the first in the ip pool? 50... all later don't work. You took some shortcut here, I did't get what you actually mean. Are you saying that any PC...

hpet

Morning. I am not good with this sniffing, but I made two screen shots: - pinging from central site to remote site computer to which traffic runs well - ping from central site to remote site computer to which traffic runs extremly slow (also couple of other computers on remote network) That seems ok...

hpet

I downgraded both routers to long-term 6.47.9, clear reset all configuration, reset both routers... same problem. Only one PC on remote network seem unaffected... everything else is running unusably slow over l2tp/ipsec. Created new tunnel, nothing. If I turn off ipsec, everything works. That is jus...

hpet

Are there any kind of ipsec caching tables I could flush/reset?
It is obviously something with IPsec.
Asked remote user to connect to a different port (doesn't hurt to try :) but still the same.
Also changed cable, just in case. No joy.

hpet

Just started sniffing packets etc. when I received a call from one person on remote location and she said everything is working well for her. I immediately ran iperf against her computer and on my surprise everything is running as expected. Now I am lost. iperf yielding 65Mbps against her and 300kbp...

hpet

Silly question, how do I downgrade?
...but will try to sniff packets before doing that.

hpet

removed that, but still the same.
it works only when I remove ipsec on l2tp.

hpet

Ok. I can point finger to IPSec now. I disabled IPSec on L2TP client and iperf jump to 70Mbps+ as would be expected. I remeber couple of days ago we discussed L2TP to happily continue if IPSec session terminates. We discussed some firewall rules... and then you pitched in with additional ipsec polic...

hpet

I excluded wireless to cut down on config. I did notice some "left overs" on remote site, like under ppp profile *default-encryption had some "unknown" interface... removed that. Or under /ip dns static had some invalid dns... removed that. Or under BR1 had ether1 (wan) member, w...

hpet

HE - indicator is shown. I just rebooted both routers and problem remains. No QoS rules, no policy routing. Preaty much vanila setup. I used iperf before and it was showing expected figures. I am not throttling anything, at least not on purpose :) I will post config, maybe something shows up in ther...

hpet

iperf tcp mode.
udp mode is just a bit higher, varies around 1Mbps, no major difference.
round trip time varies between 11-15ms

hpet

I am testing throughput usng iperf. I run iperf server on client side of l2tp and iperf -c <host> on server side of l2tp. Before running iperf traffic is from 0-100kbps, when running iperf it varies arround 400kbps. I don't recall of any "major" changes on routers (both RB4011). Just added...

hpet

For some reason my L2TP/IPsec client/server connection runs very very slow... in kbs instead of Mbs. I tested internet performance on both ends and is 600/100 Mbps. This was working fine till today and nothing realy changed. Before I was getting around 80Mbps over tunnel. Today couple hundred kbs. I...

hpet

I am on 6.48.
Attached my ipsec policy printscreen - if I am following you correctly.

hpet

However, several RouterOS releases ago, the policies created dynamically if L2TP is configured with use-ipsec set to yes or required started to be placed to the very end of the policy list, so this method cannot be used any more. You mean top? My dynamic policy is placed at the top, above template....

hpet

Thank you tdw for such important detail.
Will apply!

hpet

Thanks :) Will have to do it later as tunnel is active at the moment. But I have good enough pointers to make this work. Which option do you prefer considering long term and variation in number of remote sites? The first one sounds good to me - "set and forget". If I remove remote site I d...

hpet

Hi Sindy, I just added interface list as BASE on l2tp client and server profiles. Do I need to reconnect tunnel for new settings to apply? Because currently I am still not getting through.

hpet

Hello, I have two locations setup and working as desired. Setup is almost identical on both sites. Site B connects site A using L2TP/IPsec client. Routes are setup so that both networks are fully reachable (I can ping and access devices on both networks from both networks). But for some reason I can...

hpet

Thank you all for help.
Works perfectly as suggested.

hpet

Ah, yes. Correct.Thank you Sindy. Still need to wrap my head around all this a bit, but otherwise I think I have everything I need to make it work. Thanks for pointing out that I can use the same tunnel for other L3 routed traffic too. I had idea to have 2 tunnels: 1. l2tp bcp for stretching voip: I...

hpet

Was a bit late with my "edit" to post :) where I added my current config.
vlan 20 is already member of main bridge, how do I add it as member of another bridge?

hpet

Hi Sindy, thanks. Will do that on Monday. I only need to "stretch" this one vlan, voip.I don't control this vlan, and there is no IP configuration attached to it. It is in its own static setup. I just put PBX and phones on it and it is already part of the main bridge - hybrid setup for pho...

hpet

I have couple of vlans managed under bridge vlan filtering. I have hybrid ports configured. So traffic on my bridge is tagged... as I understand it. I think I understand classic l2tp tunnel so I will focus only on l2tp bcp for voip, vlan 20: l2tp bcp configured client dials in and dynamic interface ...

hpet

Well, just read that bridged l2tp doesn't support bridge vlan filtering, which is in place. It doesn't pass tagged frames, only untagged.

hpet

Thanks for "brainstorming" this with me. I am preaty new to all this any maybe I am overcomplicating things, but this is only due to so many different ways things can be done with mikrotiks and things can easily go bad by mixing things that don't mix well :) As I understand there is no dif...

hpet

Hi, exploring various options connecting two sites considering vlans and subnets: EoIP, L2TP etc. I came to a little puzzle on how to connect sites in most "optimal and the right way". In my case I have on the primary site couple of vlans, including pbx on vlan 20. Same vlans are replicate...

hpet

I think I need to "reset" myself and start fresh :) if you are still willing to explain/help I would appreciate. Attached is my current running setup. HO (172.31.1.0/24) - running: 1. bridge vlan filtering (V10 PCs, V20 VoIP) 2. voip pbx is from my ISP provider and I don't have control ove...

hpet

Need to process all this on my own a bit. I lost my self somwhere. Will get back to it 😊

hpet

Yes, although the IP could be encapsulated in VID 11 + 12 at one end, and VID 21 + 22 at the other. I assumed that 192.168.1.0/24 + 192.168.12.0/24 etc are IP addresses assigned to a VLAN interfaces (under /ip addresses). Now I think I don't get it again :) What are: 192.168.11.0/24 + 192.168.12.0/...

hpet

If you had Head: 192.168.11.0/24 + 192.168.12.0/24 and Remote: 192.168.21.0/24 + 192.168.22.0/24 By this you mean V10 and V20 (example) IP addresses on Head and Remote? So this is something along L3 VLAN (simple VLAN routing) I am just reading about here: https://wiki.mikrotik.com/wiki/Manual:Inter...

hpet

Ok. I think it is a bit clearer now :) I had it a bit wrong there how L2/L3 relate to eachother. If I go back to my original goal and want to connect head office with remote office and want to bridge L2 between sites then I need to use some kind of EoIP or BCP protocol. This way I can extend VLANs o...

hpet

I am trying to wrap my head around all this. I think I am still missing some peices to understand correctly. - Ethernet is L2 - VLAN is ethernet construct and therefore also L2. - bridge is also operating on L2 as it is kind of a "virtual" switch between interfaces - as long as I have inte...

hpet

Hopefully L2TP/IPsec, plain L2TP is either not or weakly encrypted and the MSCHAPv2 password can have the NT hash and an equivalent password recovered. Definately with IPsec. Similar yes, in fact you can have both L2 & L3 if desired. One thing to watch out for is that BCP doesn't play nicely wi...

hpet

Hello, I am exploring options to connect my "home office" with "work office". Initial quick eoip setup (also currently running) looked preaty much what I wanted, but looking at it more closely I noticed couple of particularities, like internet gateway. Because EoIP is L2, DHCP is...

hpet

I have been back and forth with comments to make them make sense :) I am a sw developer otherwise and writing comments is my weak spot, they make perfect sense now but year later a head scratch :D Your advise taken. Now to the next adventure - l2tp/ipsec tunnel to my "home office" :) Thank...

hpet

Hello, Over the weekend I had an opportunity to play with my mikrotik setup and finally managed VLANs to behave as expected. I think I understand all parts (mostly), maybe some vague spots here and there :) Below is my currently running setup (left out wlans and sfp for clarity). I would appreciate ...

hpet

Hello guys, thank you both for your valuable input. I have a limited access to play with this MT setup so please excuse my slow reponse. I think mkx knows what I am after, so the following explanation is maybe more for anav. My "wanna be" setup is as follows: I have two small dislocated of...

hpet

Pozdravljen Metod! Thank you for your extensive explanation. I gave it a go today, unfortunately with a left foot start. For some reason router bricked (failed to boot after a configuration reset). After "whyme" minute I at least had an opportunity to learn how to netinstall it. In my orig...

hpet

Hello, I have some basic network knowledge, but never did anything more complex (like VLANs, tunnels etc.) and it is also my first Mikrotik experience. Studying documentation and various sources, forums, I came up with some basic setup and would appreciate if you can check it and comment on where I ...

Search found 53 matches