MikroTik

Krusty

Got it working here it is :) # days - Keep the d for days at the end, or can be used w for week # mailto - Email where to send info # subject1 - Email subject for soon to be expired # subject2 - Email subject for expired certificates { :local days 30d; :local mailto "admin@domain.com"; :lo...

Krusty

Thank you, i have made some changes, but Im not succesful with this

{
edited, fixed in next post
}

Krusty

Hello, first of all, Im bad at scripting :/ can I have someone more skilled to do this scenario script? I think Im not the only one who would appreciated this when using certificates in mikrotik (for example for OVPN) - check all certificates in store for days valid - if any certificate is lower tha...

Krusty

LifeSaver, thank you guys you are awesome

Krusty

Id like se relese note for this too. This was hella long nightmare to search for it !

Krusty

Yup, i would like to connect the mikrotik as a router before the unify ap wifi Is there a specific need?

no, check your DHCP pool and if you need some static address just use some from outside this pool

Krusty

Well i want to setup my Mikrotik and set a static ip adddress and send out through the rest of the ports dhcp ...

so basically you want to have DHCP pool for example for 100 adresses and the rest have out of this pool so you can assign them manualy ?

Krusty

I cannot understand what your setup is and what your needs are?

Krusty

Hello, can anybody help me with this think. I have Mikrotik as DHCP server with UserMan as Radius server. I have enabled logging for evets like if somebody without authorized MAC is connected, MT will write event to log with "dhcp,error DHCP: radius authentication failed for xx:25:xx:98:21:xx: ...

Krusty

As I see Im not the only one who had problem with 6.1 and RB1100x2AH. Today I tryed to update all of them to new version. But after update all IPSec tunels stopped working (there is realy many IPSec tunels in our company), and this realy make me sad and it was realy hard 3 hours of debuging and down...

Krusty

nobody ?

Krusty

New think, when I try to ping with ARP ping, than it seems to be ok, I got reply

Krusty

Hello, Im using IPSec for few locations. Today I want to add new location and Im not able to find what is wrong, if somebody can help me with this. SITUATION: IPSec betwen two locations IPSec seems to be established, i see installed sas on both sites Im able to connect to internal network from site ...

Krusty

Wrong interface, in your case use eth02.LAN

oh, thank you, this is it

Krusty

Add a static route on each router, you don't need to a specific gateway, just the desired interface. I have routes on each router first side 0 A S 0.0.0.0/0 109.107.208.41 1 1 ADC 109.107.208.40/29 109.107.208.42 eth01.WAN 0 2 ADC 192.168.1.0/24 192.168.1.1 eth02.LAN 0 5 A S 192.168.2.0/24 eth01.WA...

Krusty

Hello everybody,

I have working IPsec tunel. I can reach remote network, everything works. But im not able to reach first router from second router and vice versa. Is there any trick for this ? I cant ping router from router, even cant ping remote network form router...

Krusty

Hello,

Subject say it all

is it possible to block any connection which IP is not on DHCP Leases list ? Any PC which dont have IP from DHCP server will be blocked? Of course with manualy option to set exceptions ..

thank you

Krusty

Hello everybody, Im trying to configure Radius server for DHCP (User Manager). I have found this http://wiki.mikrotik.com/wiki/User_Manager/DHCP_Example . So I have working DHCP, with pool. I turn on radius for this DHCP, I have configured radius and paired with user manager. I create user, with MA...

Krusty

Hello everybody, Im trying to configure Radius server for DHCP (User Manager). I have found this http://wiki.mikrotik.com/wiki/User_Manager/DHCP_Example . So I have working DHCP, with pool. I turn on radius for this DHCP, I have configured radius and paired with user manager. I create user, with MAC...

Krusty

If you want to allow some sitest in hotspot you have to put them to /ip hotspot walled-garden

Krusty

thank you, this was clear enough, now I have realy good tuned APs

Krusty

http://wiki.mikrotik.com/wiki/Connection_Rate thank you very much for help, your parents will be proud Please, spare my parents, they already are convinced that I spend too much time on PC for nothing. oh your God, litlle bit of tunning and it work like Holywood marriage. Thank you one more thing y...

Krusty

Hello dear geeks and nerds, I have looked for some config, that will do this, if you (someone) could be so kind and help me with this What I have 1. 2x RB411AH as an AP on local network, wlan and LAN port is in bridge mode Situation If some CUF (Common User Frank) want to upload his highly needed pa...

Krusty

Ok, but this is not problem of the mikrotik! This is a property of ipsec. a solution: use openvpn so there is no solution to solve this behavior ? I didnt find any clean OpenVPN client with easy use, I have gourmet users :) Ok thanks but Open VPN isn't an option to me as there is no iPad / iPhone c...

Krusty

I am the same, I can't have two connections from the same public IP address even if I create an L2TP server for each user. This is a problem for me as you can't always guarantee where remote workers will be, there are times they may both be in the same place needing to connect back to the office. I...

Krusty

Hi, thank you for your exhausive explanation :) however, I have problem you described above and how could you test it? from same public IP? because ipsec can not generate policy rule if you come same public IP. (I tested it) eg. if your users behind same firewall and it has a public IP and it is NAT...

Krusty

Ok, I will try your config, but I have openvpn config too in our routers and it is same. There are in the secret IPs of user: local and remote. If you have secrets separately for users then you need to add local and remote IP pair and you have to use /30 (255.255.255.252) mask!! (eg. ...0 is net, ....

Krusty

Come on guys

Krusty

nobody ?

Krusty

I think you have one l2tp server (?) and one secret config (?) if you have a lot of user you need separetly secret and l2tp server for each user. (but this is a idea I haven't done l2tp only openvpn and ipsec tunnel) yes, there is posibility to turn on only one server and users are dynamic no, ever...

Krusty

still nobody ?

Krusty

U need to explane a bit more. Maybe with your config. thank you for reaction. I will try to explain my problem more... Im trying to use L2TP/IPSec VPN. For now I have router with public IP and working VPN server, configured by several manuals to work with windows.... but the problem is this. When a...

Krusty

somebody must know something about this

Krusty

nobody ? :/

Krusty

Hello,

i need little help with L2TP/IPSec VNP. ere is what is going...

I got working VPN on ROS, which is on Public IP and two clients on same LAN on remote location.
One client is able to connect and the second isnt, is it possible to resolve this in some way ?

thank you for reply

Krusty

Yes web proxy can block IP adresses and domain names

Krusty

hello again :) I think last question about this kind of VPN. For now I have working L2TP/IPSec VPN. Last think I want do do is to set diferent IP range to VPN clients and diferent range to LAN. Here is what I think about.... My LAN is 192.168.1.0/24 I want VPN client to take address from ROS pool (1...

Krusty

Hello, I have same problem, Im trying to configure L2TP/IPSec client (Win7) to server (ROS). Client is behind NAT (in almost all scenarios), server is with public IP. I have tryied this guide http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP but it didnt work When I try to c...

Krusty

Hello, I have same problem, Im trying to configure L2TP/IPSec client (Win7) to server (ROS). Client is behind NAT (in almost all scenarios), server is with public IP. I have tryied this guide http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP but it didnt work When I try to co...

Krusty

do we know any solution ? have same problem here (MT 5,14). Tryied to import PEM, crt, cer, key, nothing works... :/

Krusty

I don't understand why you are using WDS. If they are connected to the same wired network, just set the same SSID and, of course, the same authentication parameters. The clients will connect to the strongest signal.

you want to say me it is that easy? Shame on me, if yes

)

Krusty

Hello everybody, can somebody be please so kind and help me with WDS setup? Here is scenario. I have two wireless APs on my company, both are connected to same LAN and for now they are configured as stand alone AP. All I want is create WDS Wireless APs with same SSID, so that users coming from one A...

Krusty

That's a FAQ.

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Thank you, thats exactly what I need !!! works

Krusty

Hello everybody, I need a little help.... My situation is.... I have server on network 192.168.1.0/24 (192.168.1.6 is exact internal IP) and have one IP on routers WAN port for example 45.12.14.5. So I need to be able from inside of network connect to this external IP and be redirected to internal 1...

Krusty

same issue here, cannot drag & drop, cannot use alt + up or down Im running Win7 Pro x64, UAC disabled, administrator account, I have tryied older mikrotik OS and also the newest OS, older winbox and also newest winbox only one way I can run and work with winbox is using WinXP mode, whitch is an...

Krusty

ok, in that case, contact the seller, sorry

no need to apologize, I am glad that you try to help me

thanks for help

Krusty

OK, do the following: 1. connect a simple ethernet cable from this pc to the first port of the RB750 2. turn off ALL firewall and antivirus programs on this PC, try to do this on a non-Vista machine :) you can even right-click and run Netinstall as administrator 3. Run netinstall and enable PXE in ...

Krusty

As I said, you need to change the PC first
and dont like my ethernet card
Like I said, it's a windows driver issue

I tried to connect to MAC from one PC, where It works, same error "index missing"....

Krusty

you must use Winbox on the first startup, it will ask you about config, and you will have the ability to push the "remove config" button. NO configuration needs to be added in your laptop. Use Winbox over MAC address if you wish I think you dont read what I wrote up there :) and dont like...

Krusty

1. RB450 also has default configuration, exactly the same as RB750. Strange that you didn't notice 2. at first startup, RouterOS asks you if you want to remove it, this is an option 3. Index Missing is not a RouterOS issue, but a Windows issue. Try to connect from another PC and make sure you use p...

Krusty

why do you need to netinstall anyway? did you try to reset it first? as I say, my installation of MT is corrupted, Im not able co connect via winbox, because it says "index missing" if I try to connect via telnet and run "check-install" than I got plenty of errors, that some fil...

Krusty

There is no need to run one more tunnel, as IpSec is already configured for tunnel mode.

If you have masquerade on those routes, then make sure that you have accept rule for ipsec traffic.

If I made IPsec only, than it dont work. Its from MT v 3, before this version IPsec works by it self

Krusty

please look at the quick guide: http://www.routerboard.com/pricelist/download_file.php?file_id=106 it says there: Hold this button during boot time longer, until LED turns off, then release it to make RB750 look for Netinstall servers. I try this before, 1st and 5th port, netinstall dont see that RB

Krusty

you have to create IPIP or EoIP tunel and make IPsec go through it

Krusty

same here, I got RB750 (bought for tests) and need to reinstall, no serial connector, netinstall dont see it and dont work, Im trying port 1 and port 5, no beep while booting, cause it dont have any speaker... I tried to power off, push reset, and while holding reset turn power on, it seems to boot ...

Krusty

You can use the sys-note feature. Create a text file named sys-note.txt and ftp it into the router or just drag and drop it into the files folder in winbox. The content of that file is displayed whenever someone log-in via terminal, telnet or ssh. hmmm, thanks this is solution if we connect through...

Krusty

True. In that case you'd manually go into the router via the second interface and change the default route. I'm glad you found a solution that works for you. Use it if it's right for you. But your solution means that all users behind the router are down for a while every x minutes when your script ...

Krusty

Don't monitor some random server out on the net, monitor the first hop on the route. Make sure (possibly with firewall drop rules) that you can't reach that hop via the backup gateway. I think abou this option, we can setup this, but than we will have another problem.... If I monitor some hop/serve...

Krusty

yes I got it :) for those who are interested with this, there is no need of complicated scripting, here is one of many solutions :) you will need two internet connections, one wich gateway xxx.xxx.xxx.1 distance 1 and second xxx.xxx.xxx.2 distance 2. If first GW is disabled than comes second and you...

Krusty

Don't monitor some random server out on the net, monitor the first hop on the route. Make sure (possibly with firewall drop rules) that you can't reach that hop via the backup gateway. I think abou this option, we can setup this, but than we will have another problem.... If I monitor some hop/serve...

Krusty

Hello MK people,

can you please add somethink like admin comment ? I think kind of comment, that can be used to store information for other administrators. Somewhere in the menu can be button "admin comment" and this will open box, in witch can be stored various notes... ?

thanks

Krusty

Hello good people :) If somebody be so kind and make me script, Im not so good in this :) here is situation we have We got RouterBoard as router, I got configured two default gateways in route list, one to xxx.xxx.xxx.1, this one in main and second with IP xxx.xxx.xxx.2 - this is backup gateway. I g...

Krusty

hmm, because nobody can help, than I will tell what I found....

I had to update from version 3,24 to version 3,28
Had to set priority to 1 (2, 3 , 4 etc.)
Had to set ipsec protocol to 255 instead of 254, like it was in older version

now it works, thanks for great support !!!

Krusty

here I got config picture

Krusty

Hello again :) I got one question.... I got configured IPIP tunel and IPsec tunel throught this IPIP. It seems to work, one network can reach second network. But If I look to /ip ipsec installed-sa and to /ip ipsec remote-peers there is nothing to see, does this mean that the tunel is not encrypted ?

Krusty

nobody ?

Krusty

Hello everybody, we use RB333 with MK v3,27 as a AP in bridge mode with Wireless (Atheros AR5413). If I use it only for internet, than there is no problem, it goes fast as hell :) but if I try to download something from server or another station through wifi, it goes realy slow and CPU load is 100% ...

Krusty

[quote="NAB"][/quote]

flawless, seems to work perfectly
thanks lot

Krusty

you have to setup IPIP or EoIP tunel and then setup IPsec to go through this tunel.

Krusty

but MT may internally implement something like the script mentioned above: periodically check for IP address changes for selected DNS names and correct firewall rules accordingly

this is great idea

may be someone so nice and write me this script?
I would be very grateful

Krusty

Yes, but not directly. You'll have to write a script which resolves the hostname and updates the firewall rule accordingly. You'll then have to schedule the script to run regularly. Thanks, but this is unnecessarily complicated :( In the future, will be any chance to make setup simpler ? like some ...

Krusty

Hello everybody, I got simple question. is there any chance to add firewall rule to DST host not to DST IP example I need to add this rule add action=accept chain=forward comment="" disabled=no dst-address=217.31.55.217 dst-port=40000-50000 in-interface=eth2-LAN out-interface=eth1-WAN prot...

Krusty

What about this?; /ip firewall filter add chain=input protocol=tcp tcp-flags=!,syn etc still dont work :( I have tried this: tcp-flags=!,syn tcp-flags=syn tcp-flags=!,ack tcp-flags=ack tcp-flags=!,urg tcp-flags=urg tcp-flags=!,cwr tcp-flags=cwr dont know about other but I think there wont be differ...

Krusty

somebody help please ...
24 reads and no reply ???

Krusty

Hello everybody I got this problem: I use firewall to block access to the router from the Internet and my proxy does not work. so I have found a solution Make sure you allow established TCP connections with tcp option 'non-syn-only' to the router before blocking everything else. In v2.5, the rule is...

Search found 75 matches