Community discussions

Search found 76 matches

by msundman
Fri Jun 26, 2009 4:37 pm
Forum: General
Topic: Filtering based on any PPTP interface
Replies: 1
Views: 494

Filtering based on any PPTP interface

I have a typical "drop everything that is not explicitly allowed" kind of firewall setup on a RouterOS system and have just added a PPTP server to allow remote access into the local network. My problem now is, how do I add a filter rule to allow traffic from ANY pptp interface into the local network...
by msundman
Mon Apr 27, 2009 4:32 pm
Forum: General
Topic: ipsec multisubnet or multi policy issue
Replies: 32
Views: 21930

Re: ipsec multisubnet or multi policy issue

I just got a reply from the support about this where they told me that Cisco probably defaults to creating separate SAs per subnet (which I thought was mandatory according to the IPsec standard), while Mikrotik defaults to sharing the same SA for multiple policies. So connecting two MTs works out-of...
by msundman
Tue Apr 21, 2009 2:28 pm
Forum: General
Topic: Can't get over 130Mbits on Two RB1000 using IPSEC
Replies: 12
Views: 1957

Re: Can't get over 130Mbits on Two RB1000 using IPSEC

Who has said there was only one RB?

Both wkstill and I have said that we used two RB1000s connected back-to-back when we did our tests.

Br // Mathias
by msundman
Tue Apr 21, 2009 2:08 pm
Forum: General
Topic: ipsec multisubnet or multi policy issue
Replies: 32
Views: 21930

Re: ipsec multisubnet or multi policy issue

Damn, I just ran into the exact same issue, trying to establish two policies to the same peer (a Cisco), but only the first one that is established works. My config is like: /ip ipsec peer add address=xx.xx.xx.196/32:500 auth-method=pre-shared-key dh-group=modp1024 \ disabled=no dpd-interval=disable...
by msundman
Mon Apr 20, 2009 6:04 pm
Forum: General
Topic: Feature request: Global commands like ping and traceroute
Replies: 11
Views: 3874

Re: Feature request: Global commands like ping and traceroute

maybe default installed aliases. I think this would be the best way, and would give some nice flexibility for people who frequently have to run different commands or scripts /system aliases add alias=/updateip cmd=/system script run ChangeIP /updateip Yeah, that would be really nice. I will still a...
by msundman
Thu Apr 16, 2009 2:33 pm
Forum: General
Topic: RB1000 vs L3 switch routing performance
Replies: 3
Views: 2179

RB1000 vs L3 switch routing performance

I wonder if anyone has any experience or knowledge about how a software based router like a Mikrotik RB1000 performs compared to a L3 switch or a "real router" when it comes to pure routing performance. Benchmarking pps and Mbps through different devices with single or only a few simultaneous connec...
by msundman
Thu Apr 09, 2009 5:47 pm
Forum: General
Topic: trigger scripts on system events?
Replies: 3
Views: 1544

Re: trigger scripts on system events?

I second this as well. Would be great if we could kick a script upon an interface up/down event, or when a route check-gateway changes status between reachable/unreachable.
by msundman
Thu Mar 26, 2009 5:18 pm
Forum: General
Topic: Can't get over 130Mbits on Two RB1000 using IPSEC
Replies: 12
Views: 1957

Re: Can't get over 130Mbits on Two RB1000 using IPSEC

I've also been running a lot of tests on this and got similar results. I was able to push about 160 Mbps using iperf with default settings between two linux boxes over two RB1000 connected back to back with a standard IPSec tunnel-mode tunnel AES-128/SHA1. I emailed the support and asked about this i...
by msundman
Thu Mar 19, 2009 10:42 am
Forum: General
Topic: 3.22 released
Replies: 43
Views: 6784

Re: 3.22 released

RouterOS 3.22 has been released today.
*) added '/interface ethernet print stats' command for RB450G and RB750;
Great! Could we hope to see this on RB1000 as well any time soon?
by msundman
Fri Mar 13, 2009 1:55 pm
Forum: General
Topic: Changing winbox port on router
Replies: 7
Views: 6632

Re: Changing winbox port on router

Dstnat'ing would be done before filter input list, so traffic redirected from port 5001 to 8219 would be dropped. Maybe I need additional rule in /ip firewall filter: /ip firewall filter add chain=input protocol=tcp src-port=5001 action=accept That won't work. src-port is not the original dst-port b...
by msundman
Fri Mar 13, 2009 12:16 pm
Forum: General
Topic: Changing winbox port on router
Replies: 7
Views: 6632

Re: Changing winbox port on router

Ahh, that makes it harder :) Unfortunately you can't just DSTNAT 5001 to 8291 and then DROP traffic to 8291, as the DSTNATing will be done before going through the input filter list, so it will filter your NATed traffic as well. An ugly workaround is to DSTNAT 8219 to an unused port like: [admin@R1] /...
by msundman
Fri Mar 13, 2009 11:52 am
Forum: General
Topic: Changing winbox port on router
Replies: 7
Views: 6632

Re: Changing winbox port on router

How can I specify port (in this example 5001) in winbox when I want to connect to my router?
Use X.X.X.X:5001 when connecting.
by msundman
Fri Mar 13, 2009 11:51 am
Forum: General
Topic: Changing winbox port on router
Replies: 7
Views: 6632

Re: Changing winbox port on router

/ip service set winbox port=5001
by msundman
Thu Mar 12, 2009 4:21 pm
Forum: General
Topic: IPIP over IPsec: How to block unencrypted traffic?
Replies: 1
Views: 1999

Re: IPIP over IPsec: How to block unencrypted traffic?

After a lot of googling and some discussions with support I came to the conclusion that it's currently not possible to do this on RouterOS. The recommended way on Linux systems with NETKEY IPsec and iptables is to use the "policy" module, which can match traffic only if it has a corresponding IPsec...
by msundman
Wed Mar 11, 2009 5:20 am
Forum: General
Topic: Win XP OpenVPN client against MT - should it be... *SOLVED*
Replies: 16
Views: 28330

Re: Win XP OpenVPN client against MT - should it be that hard?

Hmm, strange... If the bridge is working properly, you shouldn't need WINS. Your NETBIOS name resolution broadcasts should go over the bridge and find the servers. I haven't had time to play with Mikrotik's bridge implementation together with OpenVPN yet, but on Linux there is no problem bridging the ...
by msundman
Tue Mar 10, 2009 4:04 pm
Forum: General
Topic: Feature request: Global commands like ping and traceroute
Replies: 11
Views: 3874

Re: Feature request: Global commands like ping and traceroute

also i believe those commands are placed in the 'advanced tools' package so they are not even there normally. ping, traceroute, ssh and telnet are all available even after disabling advanced-tools and rebooting on a ROS 3.20 at least. And even if they were part of a separate package, what's the probl...
by msundman
Tue Mar 10, 2009 11:45 am
Forum: General
Topic: srcnat affects ipsec traffic - right or wrong?
Replies: 2
Views: 1025

Re: srcnat affects ipsec traffic - right or wrong?

Thanks, Well, I've been reading up on what has happened with IPsec in the Linux world in the last few years, and what I had missed was that many have moved from the KLIPS implementation I was used to working with, which used virtual interfaces like ipsec0, to NETKEY which doesn't use virtual interfaces at all. ...
by msundman
Mon Mar 09, 2009 1:33 pm
Forum: General
Topic: IPIP over IPsec: How to block unencrypted traffic?
Replies: 1
Views: 1999

IPIP over IPsec: How to block unencrypted traffic?

I've set up an IPIP tunnel over transport mode IPsec between two Mikrotik boxes. Works like a charm. Now I wanted to create firewall rules that only allow ESP and UDP500 packets between these two peers, to make sure any non-encrypted packets don't leak on the untrusted side of the routers. This wa...
by msundman
Sun Mar 08, 2009 10:20 pm
Forum: RouterBOARD hardware
Topic: RB450G is here!
Replies: 41
Views: 22830

Re: RB450G is here!

Cool! I can't wait to get my hands on one of those as well. Shipped with ROS v3.21 you say? Is it not a GA version of RB450G you got, or are they distributing it with 3.21 before releasing that version for download from the website? Don't know the meaning of "GA version" but these are production RB4...
by msundman
Sun Mar 08, 2009 1:04 pm
Forum: RouterBOARD hardware
Topic: RB450G is here!
Replies: 41
Views: 22830

Re: RB450G is here!

Cool! I can't wait to get my hands on one of those as well. Shipped with ROS v3.21 you say? Is it not a GA version of RB450G you got, or are they distributing it with 3.21 before releasing that version for download from the website? I guess RB450G will be a great box to run MetaRouter on as well with...
by msundman
Sat Mar 07, 2009 9:27 am
Forum: General
Topic: srcnat affects ipsec traffic - right or wrong?
Replies: 2
Views: 1025

srcnat affects ipsec traffic - right or wrong?

I have an RB1000 running ROS 3.20 in a typical office setup: a local network on Ether1 and internet on Ether2, and I am doing basic srcnat of traffic leaving on Ether2 like: /ip firewall nat add action=src-nat chain=srcnat out-interface=ether2 src-address-list=Local to-addresses=X.X.X.X Then we added a...
by msundman
Sat Mar 07, 2009 8:57 am
Forum: RouterBOARD hardware
Topic: RB450 and winbox issue
Replies: 11
Views: 3142

Re: RB450 and winbox issue

I can confirm as well that it is the torch feature that is using a lot of CPU. Just tested on my home router, an RB450 with a minimal config as a typical home router. 8 filter rules, 1 nat rule. Basically no traffic: 0-2% CPU Basically no traffic, winbox opened, no windows: 0-3% CPU Basically no traf...
by msundman
Sat Mar 07, 2009 8:28 am
Forum: General
Topic: web-proxy on v3.20
Replies: 1
Views: 596

Re: web-proxy on v3.20

Configured as a normal proxy it does support https (Just verified with my home router running 3.20). Transparent proxies will never support https as it simply breaks the security of the protocol. https through a normal Mikrotik proxy with a parent proxy defined should work but is broken in 3.20. Wil...
by msundman
Fri Mar 06, 2009 3:33 pm
Forum: General
Topic: Configuration transfer from Routerboard 600A to 1000
Replies: 3
Views: 835

Re: Configuration transfer from Routerboard 600A to 1000

I suggest you "export" instead, as this will produce a text file that you can edit to change interface names etc. Can the global /export file be imported directly on a fresh system? If I've created a new complete config export file that I want to upload and put into production on a remote system...
by msundman
Fri Mar 06, 2009 10:58 am
Forum: RouterBOARD hardware
Topic: Monitor fan and temp of RB1000
Replies: 1
Views: 717

Re: Monitor fan and temp of RB1000

No comments about this from Mikrotik? I did an snmpwalk of a 3.21 system, changed /system fan set use-fan=auxiliary and then did a new snmpwalk and diffed those, but couldn't find any trace of the fan status. I also tried snmpwalking enterprises.14988.1 but found nothing there. /system health print oid doe...
by msundman
Thu Mar 05, 2009 11:59 pm
Forum: General
Topic: DHCP Server gives out old DNS info
Replies: 8
Views: 1538

Re: DHCP Server gives out old DNS info

Just to make sure, do a /export and make sure there are NO references to your old DNS servers.

Try disabling/enabling the dhcp-server.
Try removing the lease entry from /ip dhcp-server lease
by msundman
Thu Mar 05, 2009 11:40 pm
Forum: General
Topic: DHCP Server gives out old DNS info
Replies: 8
Views: 1538

Re: DHCP Server gives out old DNS info

Ah, sorry, missed that you wrote that you had updated that. Well if DNS servers are changed both under "/ip dns" and "/ip dhcp-server network" I don't understand why it would hand out false DNS servers. Verify with another client if that gets the new dns servers or not, to make sure it's not the cli...
by msundman
Thu Mar 05, 2009 11:25 pm
Forum: General
Topic: DHCP Server gives out old DNS info
Replies: 8
Views: 1538

Re: DHCP Server gives out old DNS info

Check the system DNS settings under /ip dns.

If you haven't configured any DNS servers in the DHCP server settings I know it uses the system DNS settings instead. Perhaps that's what's happening for you as well.
by msundman
Thu Mar 05, 2009 11:21 pm
Forum: General
Topic: Win XP OpenVPN client against MT - should it be... *SOLVED*
Replies: 16
Views: 28330

Re: Win XP OpenVPN client against MT - should it be that hard?

OK, now I have a working setup between a Mikrotik v3.20 and a Windows client running OpenVPN + GUI. I used easy-rsa on my windows client to do the following (follow the readme in the easy-rsa dir): Run init-config.bat and then edit vars.bat. Then open a DOS prompt and run: cd \program\openvpn\easy-rs...
by msundman
Thu Mar 05, 2009 4:40 pm
Forum: General
Topic: Win XP OpenVPN client against MT - should it be... *SOLVED*
Replies: 16
Views: 28330

Re: Win XP OpenVPN client against MT - should it be that hard?

Looks like there is a problem with your CA certificate that you are trying to use on the client. I've successfully used OpenVPN + GUI from openvpn.se to connect to a Mikrotik router, but I used easy-rsa from the OpenVPN package to create the ca cert. Could you try with an easy-rsa cert just to check...
by msundman
Thu Mar 05, 2009 1:32 pm
Forum: General
Topic: Feature request: more parameters with static IP on interface
Replies: 6
Views: 1483

Re: Feature request: more parameters with static IP on interface

I do NOT think you should be able to set def gw and DNS when defining the interface IP address. Those are three completely different things that belong in three different sections, just as it is now. Having a def route set on the interface, and then when you work with the routing table and want to ...
by msundman
Wed Mar 04, 2009 10:28 am
Forum: General
Topic: OVPN Client with preshared key
Replies: 2
Views: 1072

Re: OVPN Client with preshared key

Nope, the Mikrotik implementation of OpenVPN only supports TLS mode, not static-key. I've requested support for static-key setups, but it didn't sound like it will be implemented in the near future.
by msundman
Tue Mar 03, 2009 4:41 pm
Forum: General
Topic: Feature request: Global commands like ping and traceroute
Replies: 11
Views: 3874

Re: Feature request: Global commands like ping and traceroute

that won't be changed. The order that is active currently, allows you to run all the commands with "/" as prefix from anywhere. like: /ip address> /ip route print or /ip address> .. route print that won't be changed. I'm not asking you to allow every single command to be allowed to be executed from e...
by msundman
Thu Feb 26, 2009 6:06 pm
Forum: RouterBOARD hardware
Topic: Monitor fan and temp of RB1000
Replies: 1
Views: 717

Monitor fan and temp of RB1000

How do I monitor the status of the fans on a RB1000?

I found out there is a spare one that should take over if the main fan fails, so I assume I should be able to monitor if that happens. Is it available to poll via SNMP?

Also, is it possible to monitor the CPU temp on RB1000?
by msundman
Thu Feb 26, 2009 12:19 pm
Forum: General
Topic: Feature request: Global commands like ping and traceroute
Replies: 11
Views: 3874

Feature request: Global commands like ping and traceroute

I think it would be convenient to have some commands/utilities available as globally available commands. Currently commonly used tools are spread in three different places: /ping /tool traceroute /system telnet /system ssh I think these 4 tools should be available everywhere without explicitly havin...
by msundman
Wed Feb 25, 2009 2:04 pm
Forum: General
Topic: VRRP with BGP and IPsec
Replies: 2
Views: 1196

VRRP with BGP and IPsec

I'm looking into the possibility to use two Mikrotik routers for redundancy using VRRP, similar to using two Netscreen firewalls with NSRP in Active/Passive mode. This router-cluster will be used as an IPsec concentrator and run BGP on the local interface. Is it possible to achieve this with VRRP? I ...
by msundman
Wed Feb 25, 2009 1:52 pm
Forum: General
Topic: Most stable BGP version?
Replies: 37
Views: 3873

Re: Most stable BGP version?

3.21 is not released yet. It's only in beta. Search for "3.21" and "https" here in the forum and you will find links to the beta. But keep in mind that it is a beta and not for production use.

It would still be nice to know if it fixes any BGP bugs though.
by msundman
Wed Feb 25, 2009 1:49 pm
Forum: General
Topic: next version when release??
Replies: 2
Views: 596

Re: next version when release??

Are you sure 3.21 will allow HTTPS in transparent mode? I didn't think it was possible to transparently proxy HTTPS.

What I know it fixes is to use it as a normal proxy but redirecting to a PARENT proxy with HTTPS.
by msundman
Tue Feb 24, 2009 4:43 pm
Forum: General
Topic: Most stable BGP version?
Replies: 37
Views: 3873

Re: Most stable BGP version?

ROS 3.20 has some problems with routes that disappear when a new peer is established ROS 3.20+ Routing Test looks good, i'm using it and works fine.. but sometimes it hangs for a while when acquiring the full internet routing table. And looks like it doesn't use all the multi-cpu of a quad-core x86...
by msundman
Tue Feb 24, 2009 11:25 am
Forum: General
Topic: Most stable BGP version?
Replies: 37
Views: 3873

Most stable BGP version?

I'm about to put an RB1000 into production shortly. I'll probably be running ROS v3.21 (beta) on it, as it will be used as an HTTP proxy forwarder to a parent proxy, and I need to be able to forward HTTPS, which is fixed in v3.21. This router will also be eBGP peering with two peers and receive a few hundr...
by msundman
Mon Feb 23, 2009 2:17 pm
Forum: General
Topic: Bonding RB1000 to two switches
Replies: 0
Views: 564

Bonding RB1000 to two switches

I'm about to design a new redundant network. We're thinking about using like two HP Procurve 2824 switches and connect them with a 2 interface trunk. Then each server will be connected with teamed network adapters with one port to each switch in TLB mode. Then as a gateway we're thinking of using a ...
by msundman
Mon Feb 23, 2009 9:40 am
Forum: General
Topic: Mikrotik causes worldwide net instability!?
Replies: 11
Views: 1813

Re: Mikrotik causes worldwide net instability!?

When you are editing prepend from console, you are allowed to set it 1...16 When you are editing prepend from winbox, you are allowed to set it 1...2^32 1st mistake, we are allowed to set it up to 2^32 2nd mistake, 255 seems to be the default value, should be 0 or null (=> not set => not used) Ouch...
by msundman
Sat Feb 21, 2009 12:57 am
Forum: General
Topic: full squid feature with GUI in mikrotik will be great
Replies: 32
Views: 7236

Re: full squid feature with GUI in mikrotik will be great

Hello Normis, Just sent through another supout.rif regarding the proxy issue (which is now affecting v3.18) Ticket number is 2009011466000074 Has this problem been resolved yet or are you still experiencing these problems with v3.20? When you guys have problems with the proxy, is it enough to disab...
by msundman
Sat Feb 21, 2009 12:24 am
Forum: General
Topic: IPSec with several networks
Replies: 5
Views: 1142

Re: IPSec with several networks

The problem is that you are using overlapping IP subnets. Between two Mikrotiks you can solve it with an IPIP tunnel over transport mode IPsec. See this post: http://forum.mikrotik.com/viewtopic.php?f=2&t=29635&start=0&hilit=route+outside However if you want to do this between a Mikrotik and a Netscr...
by msundman
Thu Feb 19, 2009 12:54 am
Forum: General
Topic: Route outside a 0.0.0.0/0 ipsec tunnel
Replies: 12
Views: 19785

Re: Route outside a 0.0.0.0/0 ipsec tunnel

Thank you for good idea ! :) I will try to recheck all settings and find why I have problems with fragmentation on IPIP tunnel over IPSec and PPPoE Thank you for your help ! Have you decreased the MTU of the IPIP interface? Its default value of 1480 assumes an MTU of 1500 for the physical interface...
by msundman
Wed Feb 18, 2009 6:00 pm
Forum: General
Topic: Serial V.35 WAN router
Replies: 2
Views: 1036

Re: Serial V.35 WAN router

Oh, sometimes you think this forum has answers for everything so you forget to actually check the documentation before posting questions! *shame* I found in the docs there are a number of supported V35 boards. Nice! So, let's rephrase the question. Is there any Mikrotik or other appliances equipped with ...
by msundman
Wed Feb 18, 2009 5:43 pm
Forum: General
Topic: Serial V.35 WAN router
Replies: 2
Views: 1036

Serial V.35 WAN router

Does RouterOS support any V.35 serial (HDLC) PCI boards so it can be used as a WAN router? Are there any appliance boxes running RouterOS with a V.35 interface? Any tips of a cheap but reliable Serial-Ethernet bridge or router to put outside of the Mikrotik to run the link otherwise? This will be used...
by msundman
Wed Feb 18, 2009 2:04 pm
Forum: General
Topic: Log firewall only remotely
Replies: 2
Views: 698

Re: Log firewall only remotely

Cool, that did the trick! Thanks a lot!
by msundman
Wed Feb 18, 2009 10:31 am
Forum: General
Topic: v4.0 Feature Request(s)
Replies: 139
Views: 40004

Re: v4.0 Feature Request(s)

Here's my list: * Route/interface based IPsec (0/0 - 0/0) (nz_monkey) * vrouters (Metarouter on RB1000 might do the trick) * Ethernet interface error statistics via CLI/Winbox * Improved sniffer that allows one to easily filter and print sniffed packets in realtime from the cmdline. Just like running tcpdum...
by msundman
Tue Feb 17, 2009 2:18 pm
Forum: General
Topic: Route outside a 0.0.0.0/0 ipsec tunnel
Replies: 12
Views: 19785

Re: Route outside a 0.0.0.0/0 ipsec tunnel

I see, now you run into the exact type of problem that I do, that MR1 thinks that everything destined for 10/8 should be handled by ipsec, even the local 10.9.10.0/27 subnet which you of course want to be able to communicate with directly. I don't see any solution with the current ipsec implementati...
by msundman
Tue Feb 17, 2009 2:02 pm
Forum: General
Topic: Firewall chains - default policy action?
Replies: 12
Views: 15371

Re: Firewall chains - default policy action?

default action of default firewall chains (forward, input, output) is to accept the packet. dynamic rules should be inserted into the top position (0) of the list, therefore, last rule will always be last one, so adding /ip firewall filter chain=<input|forward|output> action drop will change the be...
by msundman
Mon Feb 16, 2009 5:56 pm
Forum: General
Topic: Firewall chains - default policy action?
Replies: 12
Views: 15371

Re: Firewall chains - default policy action?

I've been searching for this as well. I'd like to be able to change the default policy. On Linux you can change the default policy for each chain like: # Set Default Policy DROP iptables -P FORWARD DROP iptables -P INPUT DROP iptables -P OUTPUT DROP When using the Mikrotiks like routers I usually wa...
by msundman
Mon Feb 16, 2009 4:36 pm
Forum: General
Topic: How are the firewall chains traversed?
Replies: 2
Views: 904

Re: How are the firewall chains traversed?

Thanks for confirming what I thought.

Do you also know whether ROS is actually using the Linux kernel's built-in netfilter code to do the packet filtering/NATing or if they have implemented their own engine?
by msundman
Mon Feb 16, 2009 2:19 pm
Forum: General
Topic: web proxy debug???
Replies: 17
Views: 4684

Re: web proxy debug???

As this got very off-topic, I started a new thread about how NAT chains are traversed on ROS:

http://forum.mikrotik.com/viewtopic.php?f=2&t=29723
by msundman
Mon Feb 16, 2009 2:13 pm
Forum: General
Topic: How are the firewall chains traversed?
Replies: 2
Views: 904

How are the firewall chains traversed?

This started as a discussion in another thread that got very off-topic so I start a new topic about it instead. Each chain is traversed independently from top to bottom. DNAT is done in the prerouting chain which is processed before any routing decision is made, while SNAT is done in the postrou...
by msundman
Mon Feb 16, 2009 1:05 pm
Forum: General
Topic: Log firewall only remotely
Replies: 2
Views: 698

Log firewall only remotely

How do I configure ROS to only log dropped packets from the firewall to a remote syslog server? I've set up logging like: /system logging print Flags: X - disabled, I - invalid # TOPICS ACTION PREFIX 0 info memory 1 error memory 2 warning memory 3 critical echo 4 ipsec memory 5 info remote 6 error ...
by msundman
Mon Feb 16, 2009 11:39 am
Forum: General
Topic: Ethernet error statistics
Replies: 2
Views: 620

Re: Ethernet error statistics

Hopefully we'll see this feature in RouterOS really soon. It's just one of the basic must-haves on any router/firewall. Interface statistics should at least show up in CLI under /interface ethernet print detail Also, how do I see what speed and duplex the interface is currently running in from CLI? ...
by msundman
Fri Feb 13, 2009 11:26 am
Forum: General
Topic: Traceroute through ROS drops packets
Replies: 0
Views: 484

Traceroute through ROS drops packets

I've been playing with a little lab network of Mikrotik routers and frequently ran traceroutes through this network. Every now and then I saw drops in my traceroutes like: traceroute to dn.se (62.119.189.4), 64 hops max, 40 byte packets 1 10.0.0.1 0 ms * 0 ms 2 10.1.0.2 0 ms 0 ms 0 ms 3 10.3.0.1 1 m...
by msundman
Thu Feb 12, 2009 2:06 am
Forum: General
Topic: web proxy debug???
Replies: 17
Views: 4684

Re: web proxy debug???

Hi, Firewall rules are read from top to bottom, same in linux, it does not matter to which chain it belongs. If the rule at top matches the query it will not go to any other rule to check. So its very important to make your DST-NAT Rule above all. Wrong! (On Linux with iptables at least) Each chain ...
by msundman
Wed Feb 11, 2009 9:55 pm
Forum: General
Topic: BGP over IPIP: Detect broken connectivity
Replies: 1
Views: 924

BGP over IPIP: Detect broken connectivity

I have a setup where I run BGP with a peer over an IPIP tunnel (encrypted with a transport mode ipsec). It works perfectly except for one little detail: When BGP peering over a normal physical interface, BGP detects loss of link on the interface instantly and reroutes, however in the case of running ...
by msundman
Wed Feb 11, 2009 2:55 pm
Forum: General
Topic: web proxy debug???
Replies: 17
Views: 4684

Re: web proxy debug???

Try to put dstnat before srcnat. Just put dstnat in the first row. Hmm, does that really matter? Isn't RouterOS using normal iptables/netfilter from the linux kernel to do packet filtering and NATing? If so, it shouldn't matter as srcnat and dstnat rules go into two different iptables chains, so I...
by msundman
Wed Feb 11, 2009 9:28 am
Forum: General
Topic: web proxy debug???
Replies: 17
Views: 4684

Re: web proxy debug???

Hi, Dear i have been using this feature for sometime now, but this is the first time i am facing issues. Dear? So you think that statement answers any of my questions above? How do you expect anyone to be able to help finding the problem if you can't provide any details and answer the questions we ...
by msundman
Tue Feb 10, 2009 5:45 pm
Forum: General
Topic: Route outside a 0.0.0.0/0 ipsec tunnel
Replies: 12
Views: 19785

Re: Route outside a 0.0.0.0/0 ipsec tunnel

Yes, I understand that's the reason, I'm just wondering if there are any workarounds. Can't ipsec be bound to a specific interface to begin with? When using openswan on Linux I have a vague memory that you explicitly defined what interface ipsec should operate on, or simplified by pointing to %defaul...
by msundman
Tue Feb 10, 2009 4:58 pm
Forum: General
Topic: Route outside a 0.0.0.0/0 ipsec tunnel
Replies: 12
Views: 19785

Route outside a 0.0.0.0/0 ipsec tunnel

I have a test setup like this: PC(172.16.0.2/30) - (172.16.0.1/30)R1(10.0.0.2/24) - (10.0.0.1/24)R2(x.x.x.x) - corporate network And have created a ipsec tunnel between R1 and R2, defined on R1 as: src-address=172.16.0.0/30:any dst-address=0.0.0.0/0:any protocol=all action=encrypt level=require ipse...
by msundman
Mon Feb 09, 2009 1:56 pm
Forum: General
Topic: web proxy debug???
Replies: 17
Views: 4684

Re: web proxy debug???

So what happens? "It's not working" is not much of a problem description. Do you get any entries in the log? Is it completely "dead" or does it work sometimes? If you sniff the outside interface, can you see the proxy trying to connect to the destination http server? Are you both running in transpar...
by msundman
Fri Feb 06, 2009 2:03 pm
Forum: General
Topic: Web proxy https bug?
Replies: 49
Views: 96686

Re: Web proxy https bug?

HTTPS problem now fixed in this beta package of 3.21:

http://mikrotik.com/download/temp/netin ... 21-ppc.zip
http://mikrotik.com/download/temp/route ... c-3.21.npk

Thanks a lot Mikrotik!
by msundman
Thu Feb 05, 2009 3:37 pm
Forum: General
Topic: Web proxy https bug?
Replies: 49
Views: 96686

Re: Web proxy https bug?

Much better answers from the support today :)

The FTP problem is at least accepted as a feature request, and the HTTPS problem will most likely be fixed in next release (3.21).

Thanks support!
by msundman
Thu Feb 05, 2009 1:46 pm
Forum: General
Topic: Web proxy https bug?
Replies: 49
Views: 96686

Re: Web proxy https bug?

Not having much luck with the support yet :( The FTP problem is simply acknowledged as works-as-designed and not a bug. They claim that the parent-proxy feature is only supposed to forward HTTP to the parent, not other protocols, but obviously it IS trying to forward HTTPS as well, so I can't unders...
by msundman
Mon Feb 02, 2009 5:21 pm
Forum: General
Topic: Web proxy https bug?
Replies: 49
Views: 96686

Re: Web proxy https bug?

I've mailed a bug report regarding this to support and am hoping for a quick response. In the meantime I found that proxying FTP actually didn't work with a parent proxy! The Mikrotik proxy happily accepts FTP requests but they are sent out directly, ignoring the defined parent proxy. As a workaroun...
by msundman
Mon Feb 02, 2009 2:18 pm
Forum: General
Topic: Web proxy https bug?
Replies: 49
Views: 96686

Re: Web proxy https bug?

Just wanted to let you know that I've verified that the problem IS what I described above. I just tried telnetting directly to our parent proxy and tried to send CONNECT cmds with both syntaxes, and using http:// in front of the URL the way the Mikrotik does does fail. Working: mathias@mathias-laptop:~$...
by msundman
Mon Feb 02, 2009 12:08 pm
Forum: General
Topic: Web proxy https bug?
Replies: 49
Views: 96686

Re: Web proxy https bug?

I just ran into same problem with proxying HTTPS to a parent proxy. I'm on an enterprise network where all direct outgoing traffic is blocked and BlueCoat proxies are used for all HTTP, HTTPS and FTP traffic. I'm now trying to solve a capacity problem by using Mikrotik RB1000 proxies to offload a WA...
by msundman
Fri Jan 23, 2009 11:27 am
Forum: General
Topic: MetaRouter on RB1000
Replies: 9
Views: 2633

MetaRouter on RB1000

Will we see MetaRouter/XEN support on the RB1000 soon? We are replacing some of our NetScreen NS-5GT and SSG-5 firewalls with RB1000s and are looking at getting similar functionality as NetScreen's vrouter or Cisco VRF features to have completely separate routing tables for different zones. I think th...
by msundman
Fri Jan 23, 2009 10:57 am
Forum: General
Topic: 3.18 and BGP w/ full routing tables
Replies: 10
Views: 1680

Re: 3.18 and BGP w/ full routing tables

so the dropping of fragments has been fixed since the early 3.x betas? Previously without conn-track it was dropping them. Anyone who can confirm this? I have a customer who is just about to implement a new HA network and do BGP peering with two ISP and are considering buying two Juniper M7i router...
by msundman
Tue Jan 20, 2009 1:47 pm
Forum: General
Topic: OpenVPN server ignoring cipher settings
Replies: 3
Views: 3226

Re: OpenVPN server ignoring cipher settings

* Use StaticKey mode for simple PtP tunnels without having to create certificates, similar to a PSK IPSec tunnel. If require-client-certificate=no then clients do not require certificates. Users can connect simply with username and password. Yes, but you're still not running OpenVPN in static-key m...
by msundman
Tue Jan 20, 2009 11:59 am
Forum: General
Topic: OpenVPN server ignoring cipher settings
Replies: 3
Views: 3226

OpenVPN server ignoring cipher settings

Hi! I've just got my hands on a couple of RB1000 boxes. First time running RouterOS and I must say I'm VERY impressed! Great work! I've been running my own custom-made linux based firewalls for 10 years now and have been waiting for an appliance like this that is feature-rich enough to replace my own syst...