Community discussions

Search found 263 matches

by huntah
Thu Jun 13, 2019 9:24 am
Forum: SwOS
Topic: CSS106 (RB260) VLANs between multiples swicthes and Hybrid port [SOLVED]
Replies: 3
Views: 768

Re: CSS106 (RB260) VLANs between multiples swicthes and Hybrid port [SOLVED]

Hi all, support got back to me! And kudos to mr. Edwards for writing the updated easy to understand Wiki for SwOS! https://wiki.mikrotik.com/wiki/SwOS/CSS106-VLAN-Example Please disregard wiki link in previous post because it is outdated! Always use the one provided above this line! For Hybrid port ...
by huntah
Wed Jun 12, 2019 1:58 pm
Forum: General
Topic: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED]
Replies: 5
Views: 877

Re: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED] [SOLVED]

What was the error?
You need PowerShell and not CMD.
It won't work if you have the same CA. I haven't tried to specify which cert to use with the same CA (Certificate Authority).

This is useful if you have multiple IKEv2 VPN clients on different locations. And all the servers have different CA.
by huntah
Mon Jun 03, 2019 10:18 pm
Forum: SwOS
Topic: CSS106 (RB260) VLANs between multiples swicthes and Hybrid port [SOLVED]
Replies: 3
Views: 768

CSS106 (RB260) VLANs between multiples swicthes and Hybrid port [SOLVED]

Hi, I thought I have everything figured out.. But again I am baffled :) So I have multiple switches linked together. - port 1 : Uplink to GW (All Tagged) - Port 2 : All Tagged VLANs to hAPAC2 - Port 3: Hybrid Port - Untagged VLAN and Multiple Tagged Ones - Port 4: Hybrid Port - Untagged VLAN and Mul...
by huntah
Thu Apr 04, 2019 9:19 pm
Forum: General
Topic: OTP or 2FA Auth
Replies: 0
Views: 293

OTP or 2FA Auth

HI, is there any plan to add native support for GoogleAuth or FreeOTP or some other OTP client. It would be great to auth VPN users and/or Router Access (Winbox, WEB etc..) I guess it can be done via external Radius Server.. If someone has done it. Please share it would be helpful to others.. I thin...
by huntah
Sun Nov 25, 2018 4:32 pm
Forum: Beginner Basics
Topic: IPSEC RoadWarrior tunnel between Mikrotik and Shrewsoft client
Replies: 1
Views: 317

Re: IPSEC RoadWarrior tunnel between Mikrotik and Shrewsoft client

Hi

You have different settings on client and server..
For example..dh group=2 is modp1024
Also enable..ipsec logging to see what client Sends to MikroTik and vice versa
by huntah
Thu Nov 22, 2018 1:38 pm
Forum: General
Topic: Can't get 1Gbps on CRS125-24G-1S-2HnD
Replies: 7
Views: 569

Re: Can't get 1Gbps on CRS125-24G-1S-2HnD

set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
I think you are forcing 100mbs on each interface.....
by huntah
Sat Nov 17, 2018 10:48 am
Forum: Beginner Basics
Topic: PCC Load Balancing 2 WAN on Mikrotik HEX
Replies: 16
Views: 2298

Re: PCC Load Balancing 2 WAN on Mikrotik HEX

Does your PCC work with fasttrack enabled ?!
I could not make that work....also in wiki it is mentioned in a note....
by huntah
Fri Nov 16, 2018 2:18 pm
Forum: Beginner Basics
Topic: Best performance on hAP ac lite
Replies: 6
Views: 551

Re: Best performance on hAP ac lite

Hi, use the default settings (ie Quickset). This should give you internet on ether1 and a Bridge with HWoffload and Wlan together. Since you have 32 users I hope you have a Gigabit 24port Switch or two :) So all your clients are directly attached to GigaSwitch (or whatever switch you got) and only o...
by huntah
Sun Nov 11, 2018 10:10 pm
Forum: Beginner Basics
Topic: Bridging TWO network but each interface communicate each other
Replies: 16
Views: 1288

Re: Bridging TWO network but each interface communicate each other

with Lan C do routing like that:

router a: ether1 IP: 10.30.1.1/29
/ip route
add distance=1 dst-address=10.30.13.0/24 gateway=10.30.1.2
router b: ether3 IP: 10.30.1.2/29
/ip route
add distance=1 dst-address=10.30.14.0/24 gateway=10.30.1.1
by huntah
Sat Nov 10, 2018 8:28 pm
Forum: General
Topic: secure winbox port access only by wan ip
Replies: 16
Views: 1388

Re: secure winbox port access only by wan ip

You need to allow also in firewall filter
Place it before drop rule
by huntah
Mon Nov 05, 2018 10:29 am
Forum: General
Topic: PCC (Dual WAN) not working on hAPAC2 [SOLVED]
Replies: 8
Views: 849

Re: PCC (Dual WAN) not working on hAPAC2 [SOLVED]

I have found the problem it was in RP Filter which was enabled on the Live Router! Wiki has a note about that :) I should RTFM more carefully! Note: PCC setups is not designed to work if RP Filter is enabled On another note..If I set it to Loose it works.. Will the default FW rules in forward chain ...
by huntah
Sun Nov 04, 2018 7:08 pm
Forum: General
Topic: PCC (Dual WAN) not working on hAPAC2 [SOLVED]
Replies: 8
Views: 849

Re: PCC (Dual WAN) not working on hAPAC2 [SOLVED]

I was searching the forum and came across this:
viewtopic.php?t=110560

I have disabled the fasttrack and now it is much better.

Must fasttrack be disabled with PCC? Can someone confirm this..
by huntah
Sun Nov 04, 2018 6:35 pm
Forum: General
Topic: PCC (Dual WAN) not working on hAPAC2 [SOLVED]
Replies: 8
Views: 849

Re: PCC (Dual WAN) not working on hAPAC2 [SOLVED]

OK now I am totally confused :) It kinda works on both devices in my lab. On both there are problems with some sites loading all the images ...or not loaded entirely. Subjective guess it happens more often on hAP-AC2.. Steps to reproduce: 1. Reset config to default 2. remove ether4 from bridge 3. re...
by huntah
Sun Nov 04, 2018 1:51 pm
Forum: General
Topic: PCC (Dual WAN) not working on hAPAC2 [SOLVED]
Replies: 8
Views: 849

Re: PCC (Dual WAN) not working on hAPAC2 [SOLVED]

Ah OK.. did not know that in the wiki.. But tried several scripts but none work on live system with hAP-AC2 so passthrough is definitely an oversight on my side... I just don't get it why it does work on hAP-lite even though it was set incorrectly.. I have just got one spare hAP-AC2 and will try the s...
by huntah
Sun Nov 04, 2018 11:09 am
Forum: General
Topic: PCC (Dual WAN) not working on hAPAC2 [SOLVED]
Replies: 8
Views: 849

Re: PCC (Dual WAN) not working on hAPAC2 [SOLVED]

It does not matter if I set it to passthrough :/
Also in Wiki there are not passthrough enabled..
https://wiki.mikrotik.com/wiki/Manual:PCC
As I said it works on hAP-lite just not hAP-AC2.
Have you tried it on hAP-AC2.. has anyone?
by huntah
Sat Nov 03, 2018 3:41 pm
Forum: General
Topic: PCC (Dual WAN) not working on hAPAC2 [SOLVED]
Replies: 8
Views: 849

PCC (Dual WAN) not working on hAPAC2 [SOLVED]

Hi, can anyone confirm if PCC (Dual WAN) has problems on hAP-AC2? I have tried ROS6.42.9 and latest current 6.43.4. Then I used the same Mangle Rules on Hap-Lite and it worked. Using ROS6.44beta28.. WAN1: DHCP-Client no default route (Cable with static IP assigned) WAN2: DHCP-Client no default route...
by huntah
Tue Oct 30, 2018 7:19 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 80461

Re: v6.44beta [testing] is released!

HI,
ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
just got word back from support. They have found the problem with split-include and it will be fixed in next beta..
Will test then again and post back the results!
by huntah
Tue Oct 30, 2018 11:24 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 80461

Re: v6.44beta [testing] is released!

I check exactly like that.. but there aren't any routes from split-include.. IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.3.1 192.168.3.122 55 127.0.0.0 255.0.0....
by huntah
Tue Oct 30, 2018 9:46 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 80461

Re: v6.44beta [testing] is released!

I have default configuration (eth1 -> DHCLient to my private network)
All drop rules disabled
DHCPServer on Bridge (Default with IP pool 192.168.88.0)
VPN Pool is 192.168.222.0/24
I have attached the full config export compact
by huntah
Tue Oct 30, 2018 12:45 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 80461

Re: v6.44beta [testing] is released!

OK my bad :)

Here is the Wireshark capture from Mikrotik..
There are DHCP Inform messages but I am not able to interpret them :/
by huntah
Mon Oct 29, 2018 11:51 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 80461

Re: v6.44beta [testing] is released!

I don't get any DHCPInform..
Attached is the wireshark and then connect to VPN..
I can't put DHCP Server on WAN port ...

guess we will wait for Mktik guys to wake up :)
Night all and thnx for tips and help sindy!
by huntah
Mon Oct 29, 2018 11:03 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 80461

Re: v6.44beta [testing] is released!

I tried with ether1 (my wan on test router) but nothing is catching in the sniffer when I connect or disconnect. I don't really understand what DNS (udp/53) has to do with DHCP (udp/67-68) If I change it to correct ports I get: 0 14.46 ether1 192.168.222.146:68 (bootpc) 255.255.255.255:67 (bootps) udp...
by huntah
Mon Oct 29, 2018 8:25 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 80461

Re: v6.44beta [testing] is released!

I just installed beta28 on brand new HapLite (default Settings). added Certificates and ipsec ike2 RSA setup: /certificate add common-name=TESTCA name=TESTCA days-valid=3650 sign TESTCA ca-crl-host=192.168.3.124 add common-name=192.168.3.124 subject-alt-name=DNS:192.168.3.124 key-usage=tls-server na...
by huntah
Mon Oct 29, 2018 4:33 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 80461

Re: v6.44beta [testing] is released!

ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
Any Examples?

If I am not mistaken this means that split tunneling will now work!
by huntah
Sat Aug 25, 2018 12:11 pm
Forum: General
Topic: Sofware VLAN/Bridge on RuterOS explained.
Replies: 53
Views: 13355

Re: Sofware VLAN/Bridge on RuterOS explained.

Very nice post but one thing is missing,
Final configuration export with your last picture..
by huntah
Sat Aug 25, 2018 12:07 pm
Forum: General
Topic: how open port 1194 in mikrotik?
Replies: 10
Views: 2421

Re: how open port 1194 in mikrotik?

you have not specified where is your VPN server? On the router (mikrotik) or do you have to port forward it to internal OpenVPN server.. If you just need the client it should work out of the box because there are no limitation for outbound limits. So if you have openVPN server on your Mikrotik you n...
by huntah
Sat Jul 14, 2018 3:12 pm
Forum: General
Topic: How to prevent communication between two bridges? [SOLVED]
Replies: 7
Views: 780

Re: How to prevent communication between two bridges? [SOLVED]

use ip firewall filter and chain forward.

Drop subnet a to subnet b and vice versa.

Or use search on forum. It has been asked and answered multiple times :)
by huntah
Sun Jun 24, 2018 9:55 am
Forum: Announcements
Topic: v6.42.4 [current]
Replies: 93
Views: 15807

Re: v6.42.4 [current]

Why it just started to suck... different configurations for different rb models in vlans,... are You kidding? can't rewrite config in common syntax? The VLAN configuration is the same for all models. MikroTik completely changed (improved) the VLAN configuration in 6.41 for all devices. It is not M...
by huntah
Fri Jun 22, 2018 6:16 pm
Forum: General
Topic: hAP-AC2 6.42.4 - HWOffload [solved]
Replies: 13
Views: 2193

Re: hAP-AC2 6.42.4 - HWOffload

The hAP ac² does have a switch chip (Atheros 8327) with vlan switching support and is supported in routeros. The RB750Gr3 have also a switch chip (MT7621) with vlan switching support but is not yet implemented in routeros. So on the RB750Gr3 you only can use software switch if you need vlans. See th...
by huntah
Fri Jun 22, 2018 11:40 am
Forum: General
Topic: hAP-AC2 6.42.4 - HWOffload [solved]
Replies: 13
Views: 2193

Re: hAP-AC2 6.42.4 - HWOffload

There is no switch menu Winbox in 6.42.4 :) In CLI i can see it.. # NAME TYPE MIRROR-SOURCE MIRROR-TARGET SWITCH-ALL-PORTS 0 switch1 Atheros-8327 none none Will try later to set it via CLI and test. And yes the speed is terrible 5MB/s the gateway is HEXGr3 and gets 33% CPU load... but in anyway this...
by huntah
Thu Jun 21, 2018 11:31 am
Forum: General
Topic: hAP-AC2 6.42.4 - HWOffload [solved]
Replies: 13
Views: 2193

hAP-AC2 6.42.4 - HWOffload [solved]

Is this only cosmetic bug in Winbox? in terminal I can see HW offload active but Winbox shows off. If I disable VLAN filtering I can see HW offload in Winbox. Here is the Bridge config. It is working.. But I haven't tested performance yet... /interface bridge add ageing-time=5m arp=enabled arp-timeout=a...
by huntah
Thu Jun 21, 2018 10:37 am
Forum: RouterOS v6 RC and v7 BETA
Topic: New IP cloud is coming.
Replies: 83
Views: 25026

Re: New IP cloud is coming.

The hostnames will be the same for the same router. Do not worry about that. The domain name will always be tied to the serial number of the router. If you are going to change routers - then you better create on your own DNS server CNAME entry that points to the <SN>.sn.mynetname.net FQDN. It ...
by huntah
Wed Jun 20, 2018 11:26 am
Forum: RouterOS v6 RC and v7 BETA
Topic: New IP cloud is coming.
Replies: 83
Views: 25026

Re: New IP cloud is coming.

@janisk: I have multiple Clients with IKEv2 Server with RSA (Certificates). Those Certificates are made with ddns hostname (7dgfdghgssaa1.sn.mynetname.net) from IP Cloud. Will the hostname remain the same? If not I have a big problem since I have to reissue all certificates to users on multiple site...
by huntah
Wed Jun 20, 2018 9:39 am
Forum: RouterOS v6 RC and v7 BETA
Topic: New IP cloud is coming.
Replies: 83
Views: 25026

Re: New IP cloud is coming.

@janisk: I have multiple Clients with IKEv2 Server with RSA (Certificates). Those Certificates are made with ddns hostname (7dgfdghgssaa1.sn.mynetname.net) from IP Cloud. Will the hostname remain the same? If not I have a big problem since I have to reissue all certificates to users on multiple sites.
by huntah
Mon Jun 18, 2018 3:34 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)
Replies: 12
Views: 2415

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Actually yes and no :) Windows Server VPN (RRAS) uses DHCP to assign IP addresses to VPN Clients. Mikrotik uses only a IP Pool. But that is OK it works. I am trying to put into motion (if you can) a "Feature" in addition to classic routes being sent to the client Another push of DHCP option 121 with ...
by huntah
Mon Jun 18, 2018 2:56 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)
Replies: 12
Views: 2415

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

@mrz IKEv2 client gets an IP from IP-Pool (IKE-Pool). I have one or more DHCP Servers on the LAN side (Depending on VLANs..). But for example sake lets just say I have one on Bridge-Local. Bridge-local: 192.168.1.0/24 IKE-Pool: 192.168.200.0/24 Where do I set DHCP option 121 (on bridge-local DHCP se...
by huntah
Mon Jun 18, 2018 11:57 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)
Replies: 12
Views: 2415

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Hi is there any solution for this problem on Windows10. other than: Add-VpnConnectionRoute -ConnectionName "My VPN" -DestinationPrefix 192.168.0.0/16 -PassThru @Mikrotik or someone else: Is there any way to send DHCP option 121 (Static Routes) when Win10 connect for split tunneling. I think if Mikro...
by huntah
Fri Jun 15, 2018 9:00 pm
Forum: General
Topic: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED]
Replies: 5
Views: 877

Re: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED] [SOLVED]

Hi, I have found the solution if someone should come across the same problem. So the solution is to use PowerShell and specify the CA to use: here is the example. Set-VpnConnection -Name "My VPN Connection" -MachineCertificateIssuerFilter 'C:\mycerts\cert_export_MikrotikIKEv2-CA.crt' Now I can have ...
by huntah
Wed Jun 13, 2018 4:18 pm
Forum: General
Topic: IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED]
Replies: 5
Views: 877

IKEv2 - Win10 Select Certificate Multiple VPN tunels [SOLVED]

Hi, I have IKEv2 with cert up and running. Everything is working as it should but I have a problem on Win10 1803 machines (maybe also other Win versions). The config is based on: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication I manage multiple cl...
by huntah
Mon May 21, 2018 4:52 pm
Forum: Beginner Basics
Topic: CHR - Access Internet via external Proxy
Replies: 3
Views: 551

Re: CHR - Access Internet via external Proxy

Hi CZFan, first sorry for late reply. I think you have just pasted the same answer which I already tried and found on forum. And It is missing a chain. But it does not work (it does not count the packets). So here is the complete ip firewall export: /ip firewall address-list add address=download.mik...
by huntah
Fri May 18, 2018 4:34 pm
Forum: Beginner Basics
Topic: CHR - Access Internet via external Proxy
Replies: 3
Views: 551

CHR - Access Internet via external Proxy

Hi, I have a Dude Server installed on a CHR (Hyper-V) which is working. ROS 6.42.2. There is only one ether interface name=ether1. IP and Default GW, DNS is configured and I can ping and traceroute everything as I should. But the Main Firewall is blocking internet access directly and I have to use Pro...
by huntah
Wed May 16, 2018 7:55 pm
Forum: General
Topic: VPN IKEv2 RW withRSA - Check Logons
Replies: 0
Views: 245

VPN IKEv2 RW withRSA - Check Logons

Hi,

I have IKEv2 with certificates up and running. My only question is there a way to see which users have connected and when. (Without Radius and EAP).
Something similar as L2TP - Secrets - Last logon.

Thanks for answers or advice.
by huntah
Sat May 05, 2018 10:31 am
Forum: General
Topic: Linux<->Mikrotik Site-to-Site OpenVPN issue [UPD]
Replies: 24
Views: 2823

Re: Linux<->Mikrotik Site-to-Site OpenVPN issue [UPD]

How about NAT (Masquerade). Did you disable it on both sides for the tunnel IPs?
by huntah
Wed Apr 25, 2018 12:11 am
Forum: The Dude
Topic: How to add Device on map (Device added in Winbox)
Replies: 0
Views: 352

How to add Device on map (Device added in Winbox)

Hi,

I have added some devices (Switches) in Dude / Device.
Now they are not shown on default (only) map.

I cannot find the field or setting to specify to show them on the map.
Any help would be appreciated.

Using ROS 6.42

Regards,
Huntah
by huntah
Wed Mar 21, 2018 12:56 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 94171

Re: v6.42rc [release candidate] is released!

Seems like my hap ac2 has 233 MB RAM . at least on ROS 6.40.5 Using it as Cap for testing. So did not jump to 6.42rc yet.. uptime: 1d7h32m31s version: 6.40.5 (stable) build-time: Oct/31/2017 13:05:15 factory-software: 6.40.5 free-memory: 208.7MiB total-memory: 233.4MiB cpu: ARMv7 cpu-count: 4 cpu-fr...
by huntah
Fri Jan 26, 2018 6:36 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 94171

Re: v6.42rc [release candidate] is released!

*) sfp - improved SFP module compatibility;
That this means that the following SFP modules are working:
viewtopic.php?f=17&t=120190&p=591082&hi ... 02#p591082

If yes will there be an update for SwOS also?
by huntah
Thu Jan 25, 2018 12:26 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 94171

Re: v6.42rc [release candidate] is released!

I am very glad Mikrotik is working on Certificates. I don't use SCEP but rather more and more popular LetsEncrypt (hotspot, SSTP and IKEv2 VPN !). It would be great if Mikrotik could implement something like acme.sh . I have used this guide https://www.ollegustafsson.com/en/letsencrypt-routeros/ to aut...
by huntah
Fri Dec 01, 2017 4:42 pm
Forum: General
Topic: VLANs not working on 6.40.5
Replies: 4
Views: 727

Re: VLANs not working on 6.40.5

If you are not using SFP module then you do not need a bridge. So you can remove it as you described All other Interfaces are in the same switch group and thus you can use hw switching. I would do it like this: /interface ethernet set [ find default-name=ether2 ] name=ether2-master set [ find defaul...
by huntah
Fri Dec 01, 2017 1:13 am
Forum: General
Topic: WAN IP's in DHCP
Replies: 1
Views: 326

Re: WAN IP's in DHCP

I suspect you have a DHCP assigned IP address and then the ISP is Routing a block of IPs to your DHCP assigned IP. You can make a local PPPoE Server and distribute the addresses or simply make a Pool With Public IPs and a DHCP Server on the internal bridge(or interface) on which your clients conn...