Search found 256 matches

by leonset
Thu Aug 11, 2016 1:16 pm
Forum: General
Topic: What's faster&easier on the CPU: "conntrack off" or "conntrack on + fasttrack"?
Replies: 9
Views: 1489

Re: What's faster&easier on the CPU: "conntrack off" or "conntrack on + fasttrack"?

That's what I was trying to say. I have huge lists of firewall filter rules and some 40.000 address list entries. I was wondering if conntrack on + fasttrack would be easier on the CPU than conntrack off and having each packet in the connection be processed by all the rules. You should've clarified...
by leonset
Fri Jun 24, 2016 2:58 pm
Forum: Scripting
Topic: Munin Plugins to monitor MikroTik Wireless via SNMP
Replies: 6
Views: 2004

Re: Munin Plugins to monitor MikroTik Wireless via SNMP

I can confirm that the OID .1.3.6.1.4.1.14988.1.1.1.3.1.10 for CCQ only works if the wireless protocol is plain 802.11. It returns 0 otherwise.
Many thanks for the detailed information!
by leonset
Tue Jun 21, 2016 10:50 am
Forum: Scripting
Topic: Munin Plugins to monitor MikroTik Wireless via SNMP
Replies: 6
Views: 2004

Re: Munin Plugins to monitor MikroTik Wireless via SNMP

I am querying OID .1.3.6.1.4.1.14988.1.1.1.3.1.10 on AP to get Overall Tx CCQ for a certain wlan interface.
I always get 0 on that OID. RouterOS versions range from 6.27 to the latest betas using wireless-fp/wireless-cm2 packages and nv2. Which ones do work for you?
by leonset
Fri Jun 17, 2016 12:59 pm
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6663

Re: Connection Tracking, off or on ?

How many rules are in your firewall filter/mangle/nat? Queues? I remember an issue I had some time ago: on a 1036 acting just as FW and OSPF gateway, I created a fw rule to check for L7 content. I just restricted by dst-port 80 and enabled it. CPU load was around 25-30% (normal usage is around 7%) b...
by leonset
Fri Jun 17, 2016 12:12 pm
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6663

Re: Connection Tracking, off or on ?

Already had a long discussion with support email to MT team, and they were unable to find anything.  Well, then you need bigger hardware. Get another 1036 and set them side by side, they will share the PPPoE load automatically (I would set 3 in total, to make sure the system will still give service...
by leonset
Fri Jun 17, 2016 11:47 am
Forum: Scripting
Topic: Munin Plugins to monitor MikroTik Wireless via SNMP
Replies: 6
Views: 2004

Re: Munin Plugins to monitor MikroTik Wireless via SNMP

Hello, I'm interested in the CCQ OIDs you used. Would you be so kind as to let me know which OID you use for the RX/TX CCQ? Do you look for them in the client or in the AP?  When I snmpget the values supposed to have CCQ information I always get "0".  In fact, Mikrotik support has told me that there's...
by leonset
Fri Jun 17, 2016 11:31 am
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6663

Re: Connection Tracking, off or on ?

In that case I suggest you re-enable ConnTrack, generate some supout.rif files when the problem is happening and contact support@mikrotik.com with as much information as possible. How many PPS and how much bandwidth are we talking about? How many rules do you have in your firewall filter/nat/mangle?
by leonset
Fri Jun 17, 2016 11:05 am
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6663

Re: Connection Tracking, off or on ?

But, is it overloaded? What is the CPU usage? Have you used "Tools, Profiler" to find out which processes are the most time consuming ones?  Why did you think about disabling ConnTrack? Don't remove the seats of your car supposing it will run any faster! (and you will not be able to bring anyone wit...
by leonset
Fri Jun 17, 2016 10:21 am
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6663

Re: Connection Tracking, off or on ?

Ouch. 
But everything is working fine. 
So, do you mean, Connection tracking should be on for PPPoE router ?
Yes, it should. Set it as "auto" and get bigger hardware if load is an issue.
by leonset
Fri Jun 17, 2016 10:12 am
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6663

Re: Connection Tracking, off or on ?

Leave it as "auto" and Mikrotik will wisely choose to enable it or not. If hardware resources are an issue, set it as "auto" and if RouterOS enables it, try to find out why and then if you can move/disable the service which switches tracking on. Many features require ConnTrack to work (nat, firewall...
by leonset
Fri Jun 17, 2016 10:03 am
Forum: Wireless Networking
Topic: Wireless performance very bad - what am I doing wrong?
Replies: 3
Views: 913

Re: Wireless performance very bad - what am I doing wrong?

Some suggestions:
- You can't have a port both as a slave and in a bridge.
- Check to make sure you are not generating a loop with some other devices.
- Try with Data Rates set as "configured".
- When you are connected to the AP, generate traffic for a minute, what is shown on Registration tab? CCQ,...
by leonset
Fri Jun 17, 2016 9:41 am
Forum: Forwarding Protocols
Topic: OSPF and Routing Filters to manage PPPoE Server side failover for routed subnet
Replies: 21
Views: 2840

Re: OSPF and Routing Filters to manage PPPoE Server side failover for routed subnet

Leonset's suggestion has much merit. If you have servers with a service name BACKUP and put them in the same locations as the primary servers, then any backup pppoe session can be configured to use the service name BACKUP and they will only connect with the BACKUP servers. Yes, this is best choice....
by leonset
Thu Jun 16, 2016 10:31 am
Forum: Forwarding Protocols
Topic: OSPF and Routing Filters to manage PPPoE Server side failover for routed subnet
Replies: 21
Views: 2840

Re: OSPF and Routing Filters to manage PPPoE Server side failover for routed subnet

What about using "service-name" on your PPPoE Clients? You could setup a new PPPoE Server instance (or add another routerboard) with different service names and then reconfigure your clients with two service names for primary/backup PPPoE link, then change OSPF instance redistribute options on backu...
by leonset
Thu Jun 16, 2016 10:15 am
Forum: Forwarding Protocols
Topic: PPPoE Server to OSFP Uplinks
Replies: 1
Views: 836

Re: PPPoE Server to OSFP Uplinks

Not sure if I understood your scenario properly, but my suggestion would be to use something like 10.0.0.1 as "Local Address". Your PPPoE clients will get a PtP route to your PPPoE Server which they will reach through the tunnel (which can be encrypted, etc). That 10.0.0.1 address will be the defeul...
by leonset
Thu Jun 16, 2016 9:28 am
Forum: General
Topic: PPPoE Service name ?!
Replies: 4
Views: 2873

Re: PPPoE Service name ?!

You have to fill in the "service name" on the PPPoE client if you want it to connect only to your PPPoE server with a specific "service name". Also, on the latest versions there's an option "pppoe-server - added pado-delay option;" which can be used to give less preference to some PPPoE Server.
by leonset
Thu May 12, 2016 9:51 am
Forum: General
Topic: RouterOS Virtual Labs
Replies: 84
Views: 115773

Re: RouterOS Virtual Labs

In gns3 you can connect to a router with winbox just by double clicking without loopback without putty-telnet? Not AFAIK, at least on Mac you have to setup a cloud device connected to a Tap interface in your MAC, then using Winbox neighbours (those 3 dots) virtual RouterOS will eventually show up. A...
by leonset
Wed May 04, 2016 9:47 am
Forum: Announcements
Topic: SwOS version 1.15 released
Replies: 28
Views: 9137

Re: SwOS version 1.15 released

Same thing here. Upgraded 3 units, two of them are ok, but the third one keeps downloading a file every time I try to get into the unit. Tried power cycle, different browsers, clear cache, reset the switch with the front panel button and the jumper... The reset did change the device IP to default 19...
by leonset
Thu Apr 28, 2016 2:33 pm
Forum: Announcements
Topic: SwOS version 1.15 released
Replies: 28
Views: 9137

Re: SwOS version 1.15 released

Very needed update!! Thanks!!
by leonset
Tue Apr 26, 2016 5:39 pm
Forum: Announcements
Topic: v6.36rc [release candidate] is released, wireless-fp package is discontinued!
Replies: 295
Views: 68290

Re: v6.36rc [release candidate] is released, wireless-fp package is discontinued!

Note: wireless-fp package is discontinued in this version. It needs to be uninstalled/disabled before upgrade. Use wireless-rep or wireless-cm2 instead. The upgrade process of the latest RC and the final version must upgrade automatically wireless-fp to the most reliable alternative wireless packa...
by leonset
Mon Apr 18, 2016 11:41 am
Forum: Wireless Networking
Topic: Multicast-helper=full
Replies: 7
Views: 7674

Re: Multicast-helper=full

If you don't use multicast-helper=full, the DST-MAC of a multicast packet should be a multicast type MAC (i.e. 01:00:5E:00:00:00 for OSPF) and the wireless interface will only send ONE copy of the packet regardless of how many connected clients it has, albeit at the slowest basic rate set on the AP. To ove...
by leonset
Fri Apr 15, 2016 2:19 pm
Forum: Beginner Basics
Topic: RouterOS installed in vmware to Routerboard hardware.
Replies: 2
Views: 757

Re: RouterOS installed in vmware to Routerboard hardware.

Make an export to file instead of a backup in the VM. Backups are intended to be restored on exactly the same unit/kind of hardware.

Take care when restoring the export if you have renamed the interfaces, as the name is what's used to associate interfaces with values (ip, fw rules, etc).
by leonset
Fri Apr 15, 2016 2:11 pm
Forum: Wireless Networking
Topic: Multicast-helper=full
Replies: 7
Views: 7674

Multicast-helper=full

Hello, The Wiki says that using multicast-helper=full will make the DST-MAC be changed to the one of the receiver's wlan interface, allowing it to be sent at max modulation. I have an AP with 27 CPE connected to it, and say 5 of them use multicast OSPF packets. If the DST-MAC gets replaced from a m...
by leonset
Wed Mar 16, 2016 4:24 pm
Forum: Scripting
Topic: Remove file using API
Replies: 0
Views: 728

Remove file using API

Hello, I'm using python API and I would like to remove a file. The name of the file will follow a pattern, so I will have to find it before deleting. The equivalent console command would be: /file remove [find name~"stats"]; I'm trying things like this, but don't really know how to make this work: a...
by leonset
Thu Mar 03, 2016 10:06 am
Forum: Announcements
Topic: v6.32.4 [bugfix] is released!
Replies: 24
Views: 13706

Re: v6.32.4 [bugfix] is released!

If anyone has ethernet issues with 922/912/911 boards with firmware v6.32.4, check my post here to get access back:

http://forum.mikrotik.com/viewtopic.php?f=2&t=105324
by leonset
Thu Mar 03, 2016 9:52 am
Forum: General
Topic: Ethernet negotiation problem on NetMetal5
Replies: 1
Views: 878

Re: Ethernet negotiation problem on NetMetal5

Just tested with a RB-911-G-5HPacD and firmware 6.32.4 and it loses ethernet connectivity if the switch is 10/100. To regain access from the local network, force the eth port to 100/FD and/or connect it using a Gigabit switch/PoE/computer and/or upgrade to v6.34.2 from wireless. I hate this kind of bugs which t...
by leonset
Mon Feb 29, 2016 10:59 am
Forum: General
Topic: Ethernet negotiation problem on NetMetal5
Replies: 1
Views: 878

Ethernet negotiation problem on NetMetal5

Hello, I have upgraded two NetMetal5 devices to the latest bug fix version (6.32.4) and I lost ethernet link on both of them. Luckily they are on my desk and not in the tower and this happened during my normal version test routine. Checking the changelog for the "Current" version I can read: What's ne...
by leonset
Tue Sep 08, 2015 9:56 am
Forum: General
Topic: RouterOS Virtual Labs
Replies: 84
Views: 115773

Re: RouterOS Virtual Labs

Is there any chance of emulating wireless interfaces with this setup?
For example, if you want to test WDS with some other settings and check how the network will behave.

I have used GNS before but I worked with ethernet like interfaces and did not try wireless ones.

Thank you
by leonset
Tue Aug 25, 2015 2:57 pm
Forum: General
Topic: Firewall matcher for a given gateway
Replies: 2
Views: 494

Re: Firewall matcher for a given gateway

C1 (pppoe client1) |------ R1 (pppoe server1)
C2 (pppoe client2) |                          |--- [OSPF routes] ----- R3 (main router) ------- Internet
C3 (pppoe client3) |                          |------ R2 (pppoe server2)
C4 (pppoe client4)

This is the simplified network, where each component is: - C1 to C4: PPPoE client which get a real IP from ...
by leonset
Mon Aug 24, 2015 1:03 pm
Forum: General
Topic: Muliple PPPoE, only one should be default
Replies: 3
Views: 678

Re: Muliple PPPoE, only one should be default

In the pppoe client, in the Dial out tab, uncheck "add default route" for PPPoE-out2 to 5, and leave it ticked only for PPPoE-out1. Then add routes/nat manually to route things on your PPPoE2 to 5 connections, otherwise they won't be used for anything.
by leonset
Mon Aug 24, 2015 12:58 pm
Forum: General
Topic: Firewall matcher for a given gateway
Replies: 2
Views: 494

Firewall matcher for a given gateway

Hello, In the firewall of a main router, I would like to be able to match packets for the IPs which are connected to a given gateway/router. Routes are distributed to the main router by OSPF from different routers which act as PPPoE servers and IPs are assigned by a Radius server from a common ip pool....
by leonset
Wed Mar 04, 2015 4:19 pm
Forum: General
Topic: Queue Tree SNMP Problem
Replies: 3
Views: 1166

Re: Queue Tree SNMP Problem

Hello,

I'm having this problem with v6.13. Do you know if this problem still happens with the latest versions of RouterOS?

It's a remote system and I can't update it just now to test it myself.

Thank you!

EDIT:
This workaround works for me!

http://159.148.147.201/viewtopic.php?t=46659#p236253
by leonset
Thu Jan 15, 2015 11:35 am
Forum: General
Topic: Qemu RouterOS image in GNS3
Replies: 12
Views: 5720

Re: Qemu RouterOS image in GNS3

Hello!

Yes, I can use only one license too... I should have updated this thread before!

Thank you!
by leonset
Fri Jan 09, 2015 10:28 am
Forum: General
Topic: When is it required to reboot a mikrotik to apply changes??
Replies: 5
Views: 4046

Re: When is it required to reboot a mikrotik to apply change

The short answer would be "never", all changes are applied immediately. But for example, if you were dealing with NAT rules, those rules are only checked on the first packet: if a connection is already established those rules won't be checked until the connection times out (/ip firewall connections). ...
by leonset
Wed Nov 12, 2014 5:56 pm
Forum: General
Topic: v6.21.1 released
Replies: 112
Views: 28451

Re: v6.21.1 released

please, has at least one of you contacted support about this? we can't fix it, if we can't see the problem With due respect, Mikrotik must implement the appropriate test suites to see the problem before clients face it. Full stop. Especially if the bug breaks any current feature or makes the router u...
by leonset
Fri Oct 17, 2014 2:23 pm
Forum: General
Topic: OVPN server on VRRP IP
Replies: 4
Views: 1002

Re: OVPN server on VRRP IP

I have used VRRP + IPSec in the past. Unfortunately I don't have access to those devices anymore to test with OVPN and I have almost no experience with OVPN. Use IP filter log+accept rules to check if and how packets are reaching your routers. Also, take care with your switch ARP cache (if using any).
by leonset
Thu Oct 16, 2014 12:41 pm
Forum: General
Topic: Firewall is broken in v6.20
Replies: 17
Views: 2716

Re: Firewall is broken in v6.20

Care to elaborate on this?
Already did so!
Just take some time to read some or all of the firewall related pages in the Wiki (I gave you the link in my previous post). I'm sure you will find there most answers to your doubts.

Good luck
by leonset
Thu Oct 16, 2014 9:26 am
Forum: General
Topic: Firewall is broken in v6.20
Replies: 17
Views: 2716

Re: Firewall is broken in v6.20

So I suppose you still have a lot to learn about how firewalls work... no offense intended :)

http://wiki.mikrotik.com/wiki/Firewall
by leonset
Wed Oct 15, 2014 12:56 pm
Forum: General
Topic: sstp vs pptp performance
Replies: 27
Views: 10169

Re: sstp vs pptp performance

That seems way too low... I remember getting more than 4Mbps using pure IPSEC/AES-192 and the old RB450 (not g). Sorry, I don't have values for SSTP nor PPTP...
by leonset
Wed Oct 15, 2014 12:52 pm
Forum: General
Topic: OVPN server on VRRP IP
Replies: 4
Views: 1002

Re: OVPN server on VRRP IP

If VRRP ip is not ping-available, OVPN is completely unrelated and you should find out why that VRRP IP goes down. I mean, if the IP is not working OVPN won't work. While having the problem, check the status/logs of the VRRP interface and if you can ping VRRP IP from R1 and R2. Also try no NAT out u...
by leonset
Wed Oct 15, 2014 12:45 pm
Forum: General
Topic: Firewall is broken in v6.20
Replies: 17
Views: 2716

Re: Firewall is broken in v6.20

Ok, your statement applies for the IP filter No. 3 (the RDP connection). But for the IP filter No. 2 (the SSH one) this doesn't apply. In fact, being a connection to the router, it seems I don't need any NAT rule, as the router seems to listen on port 22 on all its IP addresses (be it internal or e...
by leonset
Tue Oct 14, 2014 6:00 pm
Forum: General
Topic: Firewall is broken in v6.20
Replies: 17
Views: 2716

Re: Firewall is broken in v6.20

If I understand what you are trying to do, your rules are wrong. Check the packet flow in the Wiki, especially the first and third drawings: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow Basically, dstnat rules are processed before ip filter. That makes your "input" rules useless, because packets wi...
by leonset
Wed Sep 24, 2014 1:35 pm
Forum: General
Topic: OSX GNS3 and tuntap
Replies: 2
Views: 1517

Re: OSX GNS3 and tuntap

Have you managed to solve this?

Thank you
by leonset
Tue Sep 23, 2014 9:48 am
Forum: General
Topic: Qemu RouterOS image in GNS3
Replies: 12
Views: 5720

Re: Qemu RouterOS image in GNS3

I already knew that HD/license relation, but thanks for the clarification regarding QEMU. I haven't actually tried doing that though (as I don't have a spare license to potentially sacrifice). That's why it would be very nice if OP could update us with his experience :) The problem is that I need to...
by leonset
Mon Sep 22, 2014 3:10 pm
Forum: General
Topic: Qemu RouterOS image in GNS3
Replies: 12
Views: 5720

Re: Qemu RouterOS image in GNS3

Hello! I'm planning on using GNS3 too but I'm not sure if I understood this statement: Every time I create a new topology I have to enter the license... Does that mean that every time you power up a qemu VM you have to put the license? Or every time you add a qemu VM to a project and start it for t...
by leonset
Thu Aug 14, 2014 1:44 pm
Forum: General
Topic: Question About HW-frames
Replies: 3
Views: 853

Re: Question About HW-frames

Those values are valid only for 802.11 links, they are not used in either Nstreme or NV2.

http://wiki.mikrotik.com/wiki/Wireless_Matrix
by leonset
Tue Aug 12, 2014 12:34 pm
Forum: General
Topic: RB450G - Doesnt boot
Replies: 3
Views: 881

Re: RB450G - Doesnt boot

Probably the input capacitors have leaked. You may try to replace them if you know how to use solder tools.
by leonset
Tue Aug 12, 2014 12:30 pm
Forum: General
Topic: RB2011 not acting right
Replies: 1
Views: 504

Re: RB2011 not acting right

Be careful when doing masquerade/NAT: connections will be cached until they timeout. That is, if they are shown in "IP, firewall, connections" any packet related to them won't be checked again against the masquerade/NAT rule... not even if you modify the rules. In my experience, it's easier to setu...
by leonset
Tue Aug 12, 2014 12:19 pm
Forum: General
Topic: SOLVED! Winbox on Windows-7 using MAC Address doesn't work
Replies: 21
Views: 22525

Re: SOLVED! Winbox on Windows-7 using MAC Address doesn't w

If interface is setup to get an IP by dhcp, Windows won't pass any traffic until it gets the lease from a DHCP server... which is fast if there's a server available, but takes more than a minute if no DHCP server replies to the ip request. Set a fixed ip and problem gone. Personally, I haven't had a...
by leonset
Wed Aug 06, 2014 12:28 pm
Forum: General
Topic: IPSec Flushing SA
Replies: 9
Views: 4411

Re: IPSec Flushing SA

Thanks for the info, but this is an ancient post!

At that moment, I wasn't aware of those tricks... nowadays I use them and sometimes also use some scripts and the scheduler (i.e. when the VPN has to be up for some hours a day).
by leonset
Tue Jul 29, 2014 11:16 am
Forum: Wireless Networking
Topic: New wireless-fp and packetloss [Solved]
Replies: 11
Views: 3885

Re: New wireless-fp and packetloss

uldis, I have upgraded to 6.17 and re-activated wireless-fp. So far I've had a couple very minor drop-outs but I think I can chalk them up to multi-path interference due to the locations at the times. I'll keep an eye out for it and send in a supout if I can catch it happening again. Glad to know, ...
by leonset
Mon Jul 14, 2014 2:31 pm
Forum: Wireless Networking
Topic: New wireless-fp and packetloss [Solved]
Replies: 11
Views: 3885

Re: New wireless-fp and packetloss

The trick to catch it is sending pings fast enough to somewhat emulate the flow of other kinds of packets. I started investigating this when our users complained about strange behavior of some apps (games, voip, sometimes DNS queries) which mostly use UDP (TCP usually will recover from those losses), s...
by leonset
Mon Jul 14, 2014 1:45 pm
Forum: Wireless Networking
Topic: New wireless-fp and packetloss [Solved]
Replies: 11
Views: 3885

New wireless-fp and packetloss [Solved]

Hello, After using the new wireless-fp package I can confirm that it does generate a small packetloss in PtP links which do not have any losses using the "classic" wireless package. The problem does not happen in all links, it is just more prone to be seen on links which are in areas with mor...
by leonset
Mon Jul 07, 2014 9:26 am
Forum: General
Topic: MikroTik to MikroTik IPSEC VPN can ping but not browse
Replies: 11
Views: 3036

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

I just don't agree with you, unless OP is using an ancient OS. Since Windows 2000 windows shares use SMB protocol over TCP and are completely IP routable. Older Windows used SMB over NetBIOS/NetBEUI, which is a non-routable protocol. You can read all the details here: http://en.wikipedia.org/wiki/Serv...
by leonset
Fri Jul 04, 2014 1:46 pm
Forum: General
Topic: Can not connect remotely via SSH or Winbox
Replies: 7
Views: 2346

Re: Can not connect remotely via SSH or Winbox

Maybe your UDP/53 port is open and you're getting queries from outside your network. Put some firewall rules or disable the service completely if you're using an external DNS server for that network.
by leonset
Fri Jul 04, 2014 1:43 pm
Forum: General
Topic: IPTV IGMP - YouView Box (UK)
Replies: 6
Views: 2193

Re: IPTV IGMP - YouView Box (UK)

I have no experience with that IPTV provider, but also IGMP Proxy should work ok and would be more dynamic than static switch rules, i.e. if you move your STB to different ports. Oh, well, you might never move it!
by leonset
Thu Jul 03, 2014 9:26 am
Forum: General
Topic: MikroTik to MikroTik IPSEC VPN can ping but not browse
Replies: 11
Views: 3036

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Sorry but, what you mean with "try to browse to a computer on the other side"?

\\localip.in.remotevpn.network\c$ ??
by leonset
Wed Jul 02, 2014 3:14 pm
Forum: General
Topic: MikroTik to MikroTik IPSEC VPN can ping but not browse
Replies: 11
Views: 3036

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

And where's the gateway to Internet? Is one of the mikrotik devices or a different router?
by leonset
Wed Jul 02, 2014 2:41 pm
Forum: General
Topic: MikroTik to MikroTik IPSEC VPN can ping but not browse
Replies: 11
Views: 3036

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

I would need a drawing of your network to try to help you and also the config of the routers.
by leonset
Wed Jul 02, 2014 1:56 pm
Forum: General
Topic: MikroTik to MikroTik IPSEC VPN can ping but not browse
Replies: 11
Views: 3036

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Write all in the same line...
/ip firewall mangle add chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp src-address=10.1.1.0/24 dst-address=!10.1.1.0/24 tcp-mss=!0-1360
by leonset
Wed Jul 02, 2014 1:14 pm
Forum: General
Topic: MikroTik to MikroTik IPSEC VPN can ping but not browse
Replies: 11
Views: 3036

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Try putting this in both ends to limit the data size of every packet, so it won't exceed MTU after adding all IPSec headers, checksums, etc. /ip firewall mangle add chain=forward \ action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp src-address=10.1.1.0/24 dst-address=!10.1.1....
by leonset
Tue Jul 01, 2014 9:29 am
Forum: General
Topic: IGMP Snooping
Replies: 137
Views: 61253

Re: IGMP Snooping

Still makes me wonder, why it is so hard to implement? Even sub 30$ Home "soapbox" routers have it now in conjunction with IGMP Proxy. http://en.wikipedia.org/wiki/IGMP_snooping#Standard_status Despite its broad usage and usefulness, IGMP snooping is not an industry standard. That alone might not ...
by leonset
Thu Jun 26, 2014 9:37 am
Forum: Beginner Basics
Topic: CRS 226 Bridge penalty
Replies: 7
Views: 2419

Re: CRS 226 Bridge penalty

Now I am left wondering, typically why would someone want to use bridging on a CRS? Well, you may need to do some filtering that can't be done directly within the switch chip, i.e. filter pppoe discovery packets or apply some MAC based Nat rules... very specific scenarios that few "ordinary" switch...
by leonset
Tue Jun 24, 2014 6:01 pm
Forum: Beginner Basics
Topic: CRS 226 Bridge penalty
Replies: 7
Views: 2419

Re: CRS 226 Bridge penalty

The documentation seems to say that bridge mode or router mode applies to how data flows between switch groups, am I correct? As I see it, you need to start thinking that CRS is a switch plus a single port (switch1-cpu) routerboard all in a single box. The way to set this up is different from any o...
by leonset
Tue Jun 24, 2014 2:31 pm
Forum: Beginner Basics
Topic: Copy multicast between two bridges
Replies: 5
Views: 1204

Re: Copy multicast between two bridges

Is it possible to add MFC static entries from Winbox? I haven't found it yet...
by leonset
Tue Jun 24, 2014 11:15 am
Forum: Beginner Basics
Topic: ethernet port with tagged AND untagged traffic - SOLVED
Replies: 9
Views: 3439

Re: ethernet port with tagged AND untagged traffic

I would suggest you to try an updated ROS version... sometimes they solve issues and do not mention it in the changelog.
by leonset
Tue Jun 24, 2014 11:10 am
Forum: Beginner Basics
Topic: Mikrotik RB450G rebooted on old system Version
Replies: 3
Views: 1133

Re: Mikrotik RB450G rebooted on old system Version

This probably won't help you, but I've worked for years with more than one hundred 450G and never had such problem...
by leonset
Tue Jun 24, 2014 11:00 am
Forum: Beginner Basics
Topic: How to configure a CRS125-24G-15-RM as a flat L2 switch
Replies: 8
Views: 4014

Re: How to configure a CRS125-24G-15-RM as a flat L2 switch

In CRS125 just make SFP1 slave of whichever master-port you had defined and all switching will be done in the switch-chip without using the CPU. Don't use bridge. We all need to learn that CRS must be setup in a different way than the previous routerboards: it has a powerful switch chip which can d...
by leonset
Fri Jun 20, 2014 3:12 pm
Forum: General
Topic: v6.15 released
Replies: 302
Views: 105213

Re: v6.15 released

Tested this too and this workaround worked for me with 433AH and 7115Hd: set wireless to enable and wireless-fp to disable, then reboot. In fact, this sounds logical to me, because it's a user choice to enable/disable wireless package, whichever flavour it is. Mikrotik has no way to know if you want...
by leonset
Fri Jun 20, 2014 2:51 pm
Forum: General
Topic: v6.15 released
Replies: 302
Views: 105213

Re: v6.15 released

The nv2-tdma-period-size is recalculated at some time interval or by any kind of trigger? Where can I check which period is currently being calculated by the "auto" function? I noticed that with wireless-fp package enabled for NV2 the field TDMA Period size can be empty. But if it is empty what does...
by leonset
Fri Jun 20, 2014 12:30 pm
Forum: Beginner Basics
Topic: CRS 226 Bridge penalty
Replies: 7
Views: 2419

Re: CRS 226 Bridge penalty

Forget bridge and read this carefully:

http://wiki.mikrotik.com/wiki/Manual:CR ... _Switching

Also, I've read in some other post that 802.3ad is still not implemented in CRS, so you can't use it and benefit of wirespeed switching... yet
by leonset
Thu Jun 19, 2014 10:20 am
Forum: Beginner Basics
Topic: Do I really have to lose a port?
Replies: 9
Views: 3034

Re: Do I really have to lose a port?

That sentence essentially means that the port for which a master-port has been defined will show no traffic from a RouterOS perspective, as all packets will remain within the switch chip. Indeed, the port that will show all traffic is the master-port (with Winbox, torch, etc). I.E. if you set ether3...
by leonset
Thu Jun 19, 2014 10:07 am
Forum: Beginner Basics
Topic: Copy multicast between two bridges
Replies: 5
Views: 1204

Re: Copy multicast between two bridges

Give IGMP proxy a try...
by leonset
Tue Jun 17, 2014 5:15 pm
Forum: Beginner Basics
Topic: CRS125 Configuration Help
Replies: 33
Views: 15166

Re: CRS125 Configuration Help

Don't have access to my CRS right now, but try to put something like 224.0.0.0/8 in Multicast FDB and assign to a port you control (say, main router, a server...). That would filter out, but I don't know if it's possible to put ranges in FDB. Anyway, IGMP snooping would solve your problem a lot more ...
by leonset
Tue Jun 17, 2014 3:46 pm
Forum: Beginner Basics
Topic: CRS125 and simple VLAN setup problem
Replies: 3
Views: 1327

Re: CRS125 and simple VLAN setup problem

1.- Choose a master port and enslave the ports you need to be in the same switch group. Switch groups are completely isolated among them, as if they were 2 separate switches. No port can be in more than one switch group. /interface ethernet set ether2 master-port=ether1 set ether3 master-port=ether...
by leonset
Mon Jun 16, 2014 5:20 pm
Forum: Beginner Basics
Topic: CRS125 Configuration Help
Replies: 33
Views: 15166

Re: CRS125 Configuration Help

Multicast FBD is working correctly for me, it does filter which ports are allowed to receive multicast. Not dynamic and not as useful as IGMP Snooping, but could be enough for some usage scenarios: /interface ethernet switch multicast-fdb add address=239.0.1.1 ports=ether5 vlan-id=1 add address=239....
by leonset
Mon Jun 16, 2014 2:49 pm
Forum: Beginner Basics
Topic: CRS125 and simple VLAN setup problem
Replies: 3
Views: 1327

Re: CRS125 and simple VLAN setup problem

That's the easy way: ruling out VLANs and using just port isolation... But even if I don't need a trunk port ATM, I may need to use different VLAN tags in the same ether port and tag packets in the servers. And of course I want them to be isolated among them, even if they come to the same ether port. I'm ...
by leonset
Mon Jun 16, 2014 1:27 pm
Forum: General
Topic: IGMP Snooping
Replies: 137
Views: 61253

Re: IGMP Snooping

Now that I need it...

+1 for IGMP snooping!
by leonset
Fri Jun 13, 2014 12:58 pm
Forum: Beginner Basics
Topic: CRS125 and simple VLAN setup problem
Replies: 3
Views: 1327

CRS125 and simple VLAN setup problem

Hello, I need to set up a CRS125 switch with half the ports in VLAN1 and the other half in VLAN2. Ports in the same VLAN must be able to communicate among them with untagged packets but must be isolated from ports in the other VLAN. VLAN2 will have a lot of multicast traffic that could easily satura...
by leonset
Fri Jun 13, 2014 12:01 pm
Forum: General
Topic: CRS125 acting like hub with VLANs: port isolation defaults?
Replies: 5
Views: 1897

Re: CRS125 acting like hub with VLANs: port isolation defaul

Following your post there I just found yet another bug, settings in: drop-if-no-vlan-assignment-on-ports drop-if-invalid-or-src-port-not-member-of-vlan-on-ports made from command line do not show in Winbox. Also, if you change those settings in Winbox they overwrite the ones set from the command lin...
by leonset
Fri Jun 13, 2014 11:21 am
Forum: Beginner Basics
Topic: How to measure jitter?
Replies: 1
Views: 1847

Re: How to measure jitter?

I don't think that you can get jitter figures within RouterOS. Try using a server with smokeping or use a script like the one mentioned here:

http://blog.metricfire.com/2012/04/repl ... ll-script/
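Since RouterOS only reports min/avg/max RTT, the jitter figure has to be computed off-box from the individual replies. The following is an added example (not from the post or from the linked script) that derives three common jitter figures from a constructed list of ping RTTs: the mean absolute delta between consecutive probes, the RFC 3550 smoothed estimator, and the sample standard deviation that smokeping-style graphs show as spread. The RTT values are made up for the demonstration.

```python
"""Jitter from a series of ping round-trip times.

Added example: RouterOS itself reports only min/avg/max RTT, so the
jitter has to be derived from the individual replies. Input is a list
of RTTs in milliseconds, one per probe, in the order they arrived.
"""
import statistics

# Constructed sample: 10 ping replies in ms, with two spikes.
SAMPLE_RTT_MS = [20.1, 20.3, 19.9, 45.2, 20.0, 20.2, 61.7, 20.1, 19.8, 20.4]


def mean_abs_delta_jitter(rtts):
    """Average absolute difference between consecutive RTTs, the figure
    most 'ping jitter' tools report."""
    if len(rtts) < 2:
        return 0.0
    deltas = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return sum(deltas) / len(deltas)


def rfc3550_jitter(rtts):
    """RFC 3550 (RTP) smoothed interarrival jitter estimator applied to
    consecutive RTT deltas: J = J + (|D| - J) / 16 per sample.
    Smoothing means isolated spikes move the figure less than the
    plain mean of deltas does."""
    j = 0.0
    for a, b in zip(rtts, rtts[1:]):
        d = abs(b - a)
        j += (d - j) / 16.0
    return j


def stddev_jitter(rtts):
    """Sample standard deviation of RTT (the spread smokeping graphs)."""
    if len(rtts) < 2:
        return 0.0
    return statistics.stdev(rtts)


def summarize(rtts):
    """All figures for one probe series, as a dict."""
    return {
        "min_ms": min(rtts),
        "avg_ms": sum(rtts) / len(rtts),
        "max_ms": max(rtts),
        "jitter_mean_abs_delta_ms": mean_abs_delta_jitter(rtts),
        "jitter_rfc3550_ms": rfc3550_jitter(rtts),
        "jitter_stddev_ms": stddev_jitter(rtts),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_RTT_MS).items():
        print(f"{name:28s} {value:8.2f}")
```

Feed it the RTT column parsed from `/ping` output or from a host-side ping log; which of the three figures matters depends on what consumes it (VoIP buffers are usually sized against the smoothed RFC 3550 value).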
by leonset
Thu Jun 12, 2014 1:02 pm
Forum: General
Topic: CRS125 acting like hub with VLANs: port isolation defaults?
Replies: 5
Views: 1897

Re: CRS125 acting like hub with VLANs: port isolation defaul

Hi!

Did you get this issue solved? I'm trying to address it, but I've had no luck yet...

Thanks!
by leonset
Tue May 27, 2014 6:08 pm
Forum: General
Topic: Two Radius Servers
Replies: 4
Views: 1110

Re: Two Radius Servers

Good to know, thanks! @xcracker If using Freeradius, check the file ippool.conf in /etc/freeradius/sql/mysql (or equivalent for your distro). You'll find an "on-clear" query which states something like this: ## This series of queries frees the IP numbers allocated to a ## NAS when an accounting ON r...
by leonset
Tue May 27, 2014 5:16 pm
Forum: General
Topic: IPSec mikrotik-mikrotik and DNAT
Replies: 2
Views: 728

Re: IPSec mikrotik-mikrotik and DNAT

Try to use the internal IP address in the NAT'ed router ipsec policy. You will also need to put accept rules for ipsec traffic before your masquerade rule (if there's any in the ipsec router).

Something similar is explained here:
http://wiki.mikrotik.com/wiki/Manual:IP ... behind_NAT
by leonset
Tue May 27, 2014 5:06 pm
Forum: General
Topic: Two Radius Servers
Replies: 4
Views: 1110

Re: Two Radius Servers

How does the router know which is the "main" and which one is the "backup" radius server?
by leonset
Tue May 27, 2014 5:03 pm
Forum: General
Topic: Hotspot hack
Replies: 2
Views: 1256

Re: Hotspot hack

Change the admin credentials to something only you know and wait to see if it happens again.
by leonset
Fri May 16, 2014 12:16 pm
Forum: General
Topic: RB493 switch chip
Replies: 0
Views: 454

RB493 switch chip

Hello, I've had to use an RB493 as a switch to replace a dead switch. I used eth2 as master-port and set eth3 to eth9 as slaves. It works as a switch correctly with v6.12. BUT, I need to know which MAC is connected to which eth port of the RB493. The ARP table shows all MACs in the eth2 interface (as...
by leonset
Tue May 06, 2014 10:01 am
Forum: General
Topic: v6.12 released
Replies: 237
Views: 58818

Re: v6.12 released

Question I need to put on windows 8.1 ROS. Unfortunately can not see network interfaces with Hyper-V. Is ROS in general 6.x adapters work with Hyper-V? AFAIK, ROS is not and will not be supported under Hyper-V. You may have better luck with Virtualbox or VMWare, but I have no personal experience wi...
by leonset
Thu Dec 19, 2013 11:22 pm
Forum: General
Topic: Mangle Problem
Replies: 1
Views: 714

Re: Mangle Problem

If I understand correctly, you mean that traffic generated in the router doesn't match your prerouting rule?
That is expected, check packet flow: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

You must put a rule in postrouting to match in-router generated traffic...
by leonset
Mon Dec 09, 2013 10:35 am
Forum: General
Topic: bad radius signature, dropping
Replies: 5
Views: 2260

Re: bad radius signature, dropping

Triple check shared secret in both mikrotik and the radius server. Packets are signed with that secret so they must be the same. Also, increase radius timeout in Mikrotik... maybe that radius takes more than the default 300ms to reply, Mikrotik resends the packet and then receives the reply from the...
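The "signed with that secret" part of the answer is the RADIUS Response Authenticator (RFC 2865, section 3): the server seals every reply with MD5 over the reply header, the authenticator of the request it answers, the reply attributes and the shared secret, and the NAS recomputes that with its own copy of the secret. The following added example (not from the post, all packet bytes constructed) builds an Access-Request/Access-Accept exchange and shows that a secret mismatch, or a reply that arrives after the NAS has already retransmitted with a fresh authenticator, both fail the check.

```python
"""RADIUS Response Authenticator check (RFC 2865 section 3).

Added example, not from the forum post. ResponseAuth =
MD5(Code | Identifier | Length | RequestAuthenticator | Attributes | Secret).
All packet contents below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def avp(attr_type, value):
    """One attribute-value pair: type, length (including header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, ident, authenticator, attributes):
    """RADIUS packet: code, identifier, 2-byte length, 16-byte
    authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, ident, attributes, request_auth, secret):
    """MD5 over the reply header, the *request's* authenticator, the
    reply attributes and the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def server_reply(code, request, secret, attributes=b""):
    """Server side: seal the reply against the request it answers."""
    ident = request[1]
    request_auth = request[4:20]
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return build_packet(code, ident, auth, attributes)


def nas_verify(reply, request_auth, secret):
    """NAS side: recompute the authenticator and compare in constant
    time. A mismatch is what the router logs as 'bad radius signature'."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo(nas_secret, server_secret, stale=False):
    """One exchange; returns whether the NAS accepts the reply.
    stale=True models a reply that arrives after the NAS has
    retransmitted with a new Request Authenticator."""
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    request = build_packet(ACCESS_REQUEST, 7, request_auth, avp(1, b"alice"))  # User-Name
    reply = server_reply(ACCESS_ACCEPT, request, server_secret, avp(18, b"Welcome"))  # Reply-Message
    check_auth = bytes(range(16, 32)) if stale else request_auth
    return nas_verify(reply, check_auth, nas_secret)


if __name__ == "__main__":
    print("same secret      :", demo(b"s3cret", b"s3cret"))
    print("secret mismatch  :", demo(b"s3cret", b"S3cret"))
    print("late reply       :", demo(b"s3cret", b"s3cret", stale=True))
```

Because the hash covers the request authenticator, a correct secret is not enough on its own: the reply must also match the request the NAS is still waiting on, which is why a timeout shorter than the server's response time can look exactly like a wrong secret.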
by leonset
Tue Dec 03, 2013 10:48 am
Forum: General
Topic: Multi WAN IP Sec
Replies: 9
Views: 2970

Re: Multi WAN IP Sec

I've tried this in my spare time but I couldn't make it work correctly.

One option would be to split your IPSec policies so half clients go through first wan and the other half use the second wan.

Edit: with version v5.x
by leonset
Tue Dec 03, 2013 9:14 am
Forum: General
Topic: HDD space keep decreasing, 5 min decrease 1MB?
Replies: 3
Views: 636

Re: HDD space keep decreasing, 5 min decrease 1MB?

Which was the problem?
by leonset
Fri Nov 15, 2013 9:15 am
Forum: General
Topic: certificates? 365 days only
Replies: 3
Views: 974

Re: certificates? 365 days only

What's the time in the router?

Looks as if it isn't set correctly (revoked in Jan/01/1970) and maybe that confuses Winbox into showing the wrong valid period.
by leonset
Wed Nov 13, 2013 10:04 am
Forum: General
Topic: Mark packets by interface IP
Replies: 7
Views: 979

Re: Mark packets by interface IP

One thing that comes to my mind is to create a VRRP interface, put the second IP there, and route-mark traffic depending on the incoming interface... I'm not sure that it would work, but you may give it a try and let us know. Another option (if your hardware supports it) could be to create a Metarout...
by leonset
Wed Nov 13, 2013 9:50 am
Forum: General
Topic: distribute config to multiple devices
Replies: 5
Views: 1216

Re: distribute config to multiple devices

Manually using "export" or "export compact", my IPSec peer passwords do get exported correctly. What VPU are you using?

If you are using a script or a schedule make sure the "sensitive" policy is checked or you'll get just "*" as the password.
by leonset
Wed Nov 13, 2013 9:41 am
Forum: General
Topic: HDD space keep decreasing, 5 min decrease 1MB?
Replies: 3
Views: 636

Re: HDD space keep decreasing, 5 min decrease 1MB?

Check if you have some kind of logging to disk. I just don't know what else could be producing that...
by leonset
Wed Nov 13, 2013 9:37 am
Forum: General
Topic: Port Bonding Limitation RB450G doesn't make sense
Replies: 2
Views: 1405

Re: Port Bonding Limitation RB450G doesn't make sense

Test through the routers and you'll get much more, but probably not a full Gbps.

BTest server/client does use Routerboard's CPU and if you check, it would be all the way up during the tests.
by leonset
Wed Nov 13, 2013 9:27 am
Forum: General
Topic: RB2011 Default Port Configuration (Master/Bridge)
Replies: 18
Views: 10646

Re: RB2011 Default Port Configuration (Master/Bridge)

I've read it again and it has to refer to the fact that no traffic is shown in / passes by *slave* interfaces, all goes by the *master* one. Say you have master port eth2 (internet gateway) and slave port eth5 (computer): if you put a firewall rule or use torch to match traffic going through eth5 yo...
by leonset
Tue Nov 12, 2013 10:03 am
Forum: General
Topic: Multi-site IPSec VPN - Confusion
Replies: 10
Views: 4664

Re: Multi-site IPSec VPN - Confusion

As I see it, you'll need to set up IPSec policies in each site to reach the other sites' IP ranges through an IPSec tunnel that goes via your HQ. Setting routes is not enough, as IPSec won't encrypt/tunnel traffic if it doesn't match its policies. Do you really need to access any site from any other...
by leonset
Tue Nov 12, 2013 9:48 am
Forum: General
Topic: RB2011 Default Port Configuration (Master/Bridge)
Replies: 18
Views: 10646

Re: RB2011 Default Port Configuration (Master/Bridge)

Sort of related question... can you connect anything to the Master switch port? The Mikrotik wiki says "Interfaces for which the 'master' port is specified become inactive - no traffic is received on them and no traffic can be sent out." So, is the port not usable if it's set as a master port? Has ...
by leonset
Tue Nov 12, 2013 9:44 am
Forum: General
Topic: VRRP switch-over not work
Replies: 1
Views: 644

Re: VRRP switch-over not work

You have the same priority on both routers. It has to be higher on the master router and lower on the backup one... If you check the status of the VRRP interface you should see that one has an "M" (master) and the other a "B" (backup). If both have the same status then something else is wrong. BTW I've seen ...
by leonset
Mon Nov 04, 2013 2:24 pm
Forum: General
Topic: routing marks Issues
Replies: 2
Views: 593

Re: routing marks Issues

Maybe it's a license level limit?
by leonset
Mon Nov 04, 2013 2:20 pm
Forum: General
Topic: About ipsec site to site vpn,need help
Replies: 5
Views: 1533

Re: About ipsec site to site vpn,need help

Why are you using such an old version? (v2.9.26)
by leonset
Mon Nov 04, 2013 9:25 am
Forum: General
Topic: RB 1100 AHx2 be used as Wan load balancing
Replies: 4
Views: 1400

Re: RB 1100 AHx2 be used as Wan load balancing

That's a completely different question and should be posted in the main forum, not in this thread.

By the way, I can't tell you if it would work as I haven't used PCC myself yet.
by leonset
Wed Oct 30, 2013 3:29 pm
Forum: General
Topic: Cloud Core spi Process
Replies: 5
Views: 2773

Re: Cloud Core spi Process

SPI doesn't make me think of disk I/O, especially in a firewall router like a CCR... but besides the counter-intuitive name, it's nice to know what it was :)
by leonset
Wed Oct 30, 2013 12:34 pm
Forum: General
Topic: Cloud Core spi Process
Replies: 5
Views: 2773

Re: Cloud Core spi Process

I believe this one will be better asked directly to support@mikrotik.com
And please post back the reply here :wink:
by leonset
Wed Oct 30, 2013 12:33 pm
Forum: General
Topic: RB 1100 AHx2 be used as Wan load balancing
Replies: 4
Views: 1400

Re: RB 1100 AHx2 be used as Wan load balancing

Of course, with the proper settings. For example:

http://wiki.mikrotik.com/wiki/Manual:PCC
by leonset
Wed Oct 30, 2013 11:49 am
Forum: General
Topic: IPsec configuration
Replies: 6
Views: 5638

Re: IPsec configuration

In Mikrotik world nearly everything has a meaning. Glad to help.
by leonset
Tue Oct 29, 2013 4:59 pm
Forum: General
Topic: About RB1100AHx2 performance and ports usage...
Replies: 10
Views: 4260

Re: About RB1100AHx2 performance and ports usage...

I believe that you are asking the wrong question. You should be asking yourself what performance you really need, based on the intended usage of your router. If you really need to deal with sustained traffic of 3Gbps maybe no mikrotik router would fit... OTOH, basically yes, performance is lim...
by leonset
Tue Oct 29, 2013 10:48 am
Forum: General
Topic: Long address lists
Replies: 5
Views: 1036

Re: Long address lists

As I see it, it should be much faster to have the list in memory than in a file. The file would need to be loaded into memory for the router to process it and that would be as if it was in memory in the first place.
by leonset
Tue Oct 29, 2013 10:27 am
Forum: General
Topic: Keep bandwidth usage at interface and queue after restarting
Replies: 4
Views: 979

Re: Keep bandwidth usage at interface and queue after restar

The only thing I can tell you is that in the v6.4 change log it says:

"graphing - make sure that interface graphs gets preserved across reboots;"

You may try...
by leonset
Tue Oct 29, 2013 9:29 am
Forum: General
Topic: About RB1100AHx2 performance and ports usage...
Replies: 10
Views: 4260

Re: About RB1100AHx2 performance and ports usage...

Be careful! CRS125-24G-1S-RM is a "Cloud Router Switch", which is a "Perfect SOHO gateway router, switch, all in one box" as Mikrotik describes it and has nothing to do with the CCR "Cloud Core Router" series that I suggested before. In CCR all ports are connected directly to a Tilera network CPU, so...
by leonset
Mon Oct 28, 2013 5:11 pm
Forum: General
Topic: IPsec configuration
Replies: 6
Views: 5638

Re: IPsec configuration

Add rules in NAT, like this: add chain=srcnat dst-address=199.10.0.0/16 src-address=192.168.63.0/24 action=accept add action=masquerade chain=srcnat comment=OUT The order of the rules is very important, so that packets for your IPSec neighbour(s) are accepted and passed over to the IPSec process befo...
by leonset
Mon Oct 28, 2013 9:29 am
Forum: General
Topic: About RB1100AHx2 performance and ports usage...
Replies: 10
Views: 4260

Re: About RB1100AHx2 performance and ports usage...

And if you want to do anything with the traffic in any switched port, packets will need to be passed to the CPU for processing and performance will be lower. That doesn't mean that it should be "slow". Do you really need 13GBit simultaneous performance with firewall, nat, queues? Then maybe you need...
by leonset
Mon Oct 28, 2013 9:18 am
Forum: General
Topic: IPSEC very SLOW on router boards? High CPU
Replies: 7
Views: 2918

Re: IPSEC very SLOW on router boards? High CPU

Does that table refer to the performance of some routerboard model?
by leonset
Fri Oct 25, 2013 1:36 pm
Forum: General
Topic: IPsec configuration
Replies: 6
Views: 5638

Re: IPsec configuration

As explained here: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Internet_Key_Exchange_Protocol Phase 1 is equivalent to peer config in Mikrotik and Phase 2 is Proposal settings. Policy tells router which traffic to encrypt. Set source address 172.27.63.0/24, remote 199.10.10.0/24 and use the rest v...
by leonset
Fri Oct 25, 2013 1:01 pm
Forum: General
Topic: Site to Site IPsec Tunnel between 2 RouterBoards
Replies: 2
Views: 815

Re: Site to Site IPsec Tunnel between 2 RouterBoards

1.- Check Windows firewall config to open the new C ranges of the other offices. If you enable ping from the firewall UI it will allow only from the C class that the computer belongs to. Try disabling firewall and test. 2.- Could be similar: maybe the NAS only allows access to the /24 it belongs to....
by leonset
Fri Oct 25, 2013 12:49 pm
Forum: General
Topic: About RB1100AHx2 performance and ports usage...
Replies: 10
Views: 4260

Re: About RB1100AHx2 performance and ports usage...

Hi,

I don't really know, but if you check the block diagram you'll be able to get some conclusions:

http://i.mt.lv/routerboard/files/Block-RB1100AHx2.pdf

Also this should give you more info on how they benched that router http://www.ietf.org/rfc/rfc2544.txt
by leonset
Fri Oct 25, 2013 12:33 pm
Forum: General
Topic: ISP FIber
Replies: 5
Views: 1259

Re: ISP FIber

Hi,

Check CPU load, it could be an issue if the MK board is weak. I don't think it's an MTU issue, those values are typical.
Also try different speedtest servers and compare results.
by leonset
Thu Oct 24, 2013 12:25 pm
Forum: General
Topic: IPSEC very SLOW on router boards? High CPU
Replies: 7
Views: 2918

Re: IPSEC very SLOW on router boards? High CPU

Hi, You'll only get that level of performance with routerboards with a hardware encryption engine, like the old RB1000 or the new 1100AHx2. I don't know if other models are equipped with it too. As a reference, with RB450G I get no more than 23Mbps (with a few firewall/nat rules and routing enabled). Re...
by leonset
Wed Aug 07, 2013 3:36 pm
Forum: Scripting
Topic: Script to disable IPSec peers
Replies: 14
Views: 5057

Re: Script to disable IPSec peers

I have sent an email to support about this issue, I'll post the answer here... I can't use 6.1 because it has bugs with IPSec, can't use v6.0 because it has a bug with VRRP, can't use v5.x because it has problems with Mangle rules and performance with RB1000... I hope that I get a "good" version for me soo...
by leonset
Wed Aug 07, 2013 3:14 pm
Forum: Scripting
Topic: Script to disable IPSec peers
Replies: 14
Views: 5057

Re: Script to disable IPSec peers

Yes, I use this to en/disable IPSec Policies since almost ever:

/ip ipsec policy enable [find sa-src-address=1.2.3.4]

Your script block doesn't work, exactly the same behavior: only the first peer got enabled and then the prompt halts until I press Ctrl+C

Thanks!
by leonset
Wed Aug 07, 2013 2:42 pm
Forum: Scripting
Topic: Script to disable IPSec peers
Replies: 14
Views: 5057

Script to disable IPSec peers

Hello I'm trying to find a way to disable all or a set of IPSec peers within a script in v6.2. In theory something like this should do the trick: /ip ipsec peer enable [/ip ipsec peer find port=500] But it doesn't... it just enables the first peer (number 0) and then the terminal prompt just hangs. ...
by leonset
Wed Aug 07, 2013 11:02 am
Forum: General
Topic: Create VPN between RB450 and Linksys RV042
Replies: 6
Views: 4092

Re: Create VPN between RB450 and Linksys RV042

EDITED!!

IIRC, you have to set IPSec Policy, Action, Level to "unique" to make it work

Anything in the logs?
Go to System, Logging and add a rule for "ipsec, !packet" to get some info and add "debug" if you need extremely verbose logs
by leonset
Wed Aug 07, 2013 10:35 am
Forum: General
Topic: v6.2 released
Replies: 247
Views: 91215

Re: v6.2 released

Hi,

VRRP AH auth seems to be broken in v6.2 as it was in v6.0. It worked ok with v6.1, but I can't use that release due to IPSec problems solved in v6.2. I've had to switch to "simple" authentication and/or vrrp v3 protocol.

Please, check vrrp again for next release.
Thanks!
by leonset
Thu Aug 01, 2013 1:08 pm
Forum: General
Topic: CPU loads 100%
Replies: 15
Views: 10599

Re: CPU loads 100%

Don't use such a rule, you are blocking all traffic to port 53 and thus blocking DNS. Just limit queries to your local LAN address range:
chain=input action=drop protocol=udp dst-port=53 src-address=!10.10.10.0/24
Replace "10.10.10.0/24" with your local LAN range
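Both this post and the earlier "IPsec configuration" answer (accept for the IPsec-bound subnet before masquerade in srcnat) come down to the same mechanic: RouterOS chains are evaluated top to bottom and the first matching rule decides. The following added example (not from either post, addresses constructed) is a small first-match evaluator that reproduces that mechanic well enough to show two things: with masquerade first, the packet's source is rewritten before the IPsec policy sees it and the policy no longer matches; and an input-chain drop with src-address=!LAN keeps the router's DNS open to the LAN while refusing everyone else. Masquerade is modelled as a rewrite to a fixed WAN address, a simplification of what the real action does.

```python
"""First-match firewall/NAT rule evaluation, RouterOS style.

Added example, not code from the forum posts. A tiny evaluator that
walks a chain and applies the first matching rule. Used to show:
(1) srcnat: 'accept' for IPsec-bound traffic must come before
    'masquerade', or the IPsec policy selector stops matching;
(2) input: dropping UDP/53 from src-address=!LAN instead of from
    everyone. All addresses are constructed (documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "udp"
    dst_port: Optional[int] = None


@dataclass
class Rule:
    chain: str
    action: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None   # "!10.0.0.0/24" negates, as in RouterOS
    dst_address: Optional[str] = None
    to_address: Optional[str] = None    # simplification: masquerade rewrites to this


def _net_match(spec, addr):
    """Prefix matcher with RouterOS-style '!' negation; None matches all."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negate else hit


def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and _net_match(rule.src_address, pkt.src)
            and _net_match(rule.dst_address, pkt.dst))


def run_chain(rules, chain, pkt):
    """Return (action, packet) from the first matching rule in `chain`;
    no match is the chain's implicit accept, packet unchanged."""
    for r in rules:
        if r.chain != chain or not matches(r, pkt):
            continue
        if r.action == "masquerade":
            return "masquerade", Packet(r.to_address, pkt.dst, pkt.proto, pkt.dst_port)
        return r.action, pkt
    return "accept", pkt


LAN, REMOTE, WAN_IP = "192.168.63.0/24", "199.10.0.0/16", "203.0.113.10"


def srcnat_correct():
    """Accept for the IPsec peer's range first, masquerade everything else."""
    return [Rule("srcnat", "accept", src_address=LAN, dst_address=REMOTE),
            Rule("srcnat", "masquerade", to_address=WAN_IP)]


def srcnat_wrong():
    """Same two rules, masquerade on top: the accept never fires."""
    return list(reversed(srcnat_correct()))


def ipsec_policy_matches(pkt):
    """The IPsec policy selector: LAN -> remote office, checked after NAT."""
    return _net_match(LAN, pkt.src) and _net_match(REMOTE, pkt.dst)


def dns_input_rules(lan):
    """Drop DNS queries to the router itself unless they come from the LAN."""
    return [Rule("input", "drop", proto="udp", dst_port=53, src_address="!" + lan)]


def dns_allowed(lan, src):
    action, _ = run_chain(dns_input_rules(lan), "input", Packet(src, WAN_IP, "udp", 53))
    return action == "accept"


if __name__ == "__main__":
    pkt = Packet("192.168.63.5", "199.10.10.20", "tcp", 445)
    for name, rules in (("correct", srcnat_correct()), ("wrong", srcnat_wrong())):
        _, out = run_chain(rules, "srcnat", pkt)
        print(f"srcnat {name:7s}: src after NAT {out.src:15s} policy match {ipsec_policy_matches(out)}")
    print("DNS from LAN :", dns_allowed("10.10.10.0/24", "10.10.10.20"))
    print("DNS from WAN :", dns_allowed("10.10.10.0/24", "198.51.100.7"))
```

The same first-match reasoning applies when checking an exported RouterOS config by eye: read each chain top to bottom and stop at the first rule a packet satisfies, rather than looking for the most specific one.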
by leonset
Thu Aug 01, 2013 10:41 am
Forum: General
Topic: Fast VPN?
Replies: 9
Views: 2591

Re: Fast VPN?

Nice, I was expecting lower performance from RB2011 as it has a 600MHz CPU versus RB450G's 680MHz.

You may try to fine tune the tunnel playing with MTU/Clear DF so it won't generate unneeded fragmentation and thus less packets to enc/decrypt. Anyway, you probably won't see much more than that.
by leonset
Sat Jul 27, 2013 11:38 am
Forum: General
Topic: Fast VPN?
Replies: 9
Views: 2591

Re: Fast VPN?

Is it RB1100AH or RB1100AHx2? The latter supports HW encryption and the manual says you should get ~700Mbps. Anyway, the other end doesn't have a HW engine, and based on my experience with RB450G you may expect something around 20Mbps from RB2011
by leonset
Fri Jul 26, 2013 4:10 pm
Forum: General
Topic: Mangle rules hurts performance by 50% (Clear DF, change MSS)
Replies: 6
Views: 1890

Re: Mangle rules hurts performance by 50% (Clear DF, change

Update: - It works ok with RouterOS 6.0 in RB1000. - Downgraded to v5.25 with the same config and I got a performance drop of ~50% - Under v5.25, changed encryption algorithm from AES-128 to Camellia-128. There was NO performance drop at all (but CPU usage rose to ~20% as only AES is hardware accel...
by leonset
Fri Jul 26, 2013 12:59 pm
Forum: General
Topic: Mangle rules hurts performance by 50% (Clear DF, change MSS)
Replies: 6
Views: 1890

Re: Mangle rules hurts performance by 50% (Clear DF, change

Hi,

No, I have no logging rules, just the bare minimum for this test. As this is a test environment I can upgrade or downgrade freely so I'm going to do it now and test it again.

thanks
by leonset
Thu Jul 25, 2013 4:07 pm
Forum: General
Topic: Mangle rules hurts performance by 50% (Clear DF, change MSS)
Replies: 6
Views: 1890

Re: Mangle rules hurts performance by 50% (Clear DF, change

RB1000 v5.25
RB450g v6.0

I'll upgrade RB1000 to v6 in a while and test again.
by leonset
Thu Jul 25, 2013 3:41 pm
Forum: General
Topic: Mangle rules hurts performance by 50% (Clear DF, change MSS)
Replies: 6
Views: 1890

Re: Mangle rules hurts performance by 50% (Clear DF, change

Just to clarify some points: - Traffic is uploaded from RB1000 to RB450G: RB1000 encrypts IPSec and RB450G decrypts it. - The Mangle rule decreases performance even if the traffic is not matched by the rule. Just having the rule there drops performance. - This problem ONLY affects IPSec flows. Using...
by leonset
Thu Jul 25, 2013 2:03 pm
Forum: General
Topic: Download start good to slow very slow, upload perfect
Replies: 2
Views: 757

Re: Download start good to slow very slow, upload perfect

It could be a setting on the webserver you are downloading from. It may allow an initial high burst and then reduce the speed... Does it happen with more than one web server?
by leonset
Thu Jul 25, 2013 1:52 pm
Forum: General
Topic: Fast VPN?
Replies: 9
Views: 2591

Re: Fast VPN?

IPSec if you are using any hardware accelerated routerboard (RB1000, RB1100AHx2). Anyway, how much bandwidth do you need? A simple RB450G should give you 15Mbits of AES-128 bandwidth
by leonset
Thu Jul 25, 2013 1:44 pm
Forum: General
Topic: Mangle rules hurts performance by 50% (Clear DF, change MSS)
Replies: 6
Views: 1890

Mangle rules hurts performance by 50% (Clear DF, change MSS)

Hello, I've been doing some testing with a new IPSec deployment using RB1000 with 20MBits WAN in one end and RB450G with 100/10 FTTH in the other. Enabling "Clear DF" in RB1000 cuts performance in half, in my case from nearly 15MBits/s to somewhere around 8MBits/s. CPU at RB1000 sits below 5% and ...
by leonset
Tue Jul 03, 2012 1:58 pm
Forum: General
Topic: Two IPSec tunnels from the same network
Replies: 6
Views: 1167

Re: Two IPSec tunnels from the same network

Glad to hear that, slech :) I've managed to get it done by: - Defining two IPSec policies, one for each needed tunnel: Tunnel1: 10.0.0.0/24 -> 10.20.0.0/24 Tunnel2: 10.0.0.0/24 -> 10.20.0.32/28 - Setting them as "unique" instead of "required". - Setting the priority for Tunnel2: 10.0.0.0/24 -> 10....
by leonset
Mon Jul 02, 2012 10:25 pm
Forum: General
Topic: Two IPSec tunnels from the same network
Replies: 6
Views: 1167

Re: Two IPSec tunnels from the same network

Hello!

I've tried using higher priority (for example 100, 1000, 9999...) for 10.20.0.32/28 but it still doesn't work.

Thanks for the tip!
by leonset
Mon Jul 02, 2012 3:12 pm
Forum: General
Topic: Two IPSec tunnels from the same network
Replies: 6
Views: 1167

Re: Two IPSec tunnels from the same network

Forgot to mention, I'm using Mikrotik on both ends, RB1000 and 450G.
For Cisco I've read that the policy has to be set as "unique" instead of "require".
by leonset
Mon Jul 02, 2012 2:35 pm
Forum: General
Topic: Two IPSec tunnels from the same network
Replies: 6
Views: 1167

Two IPSec tunnels from the same network

Hello,

I'm trying to configure this tunnels:

Tunnel1: 10.0.0.0/24 -> 10.20.0.0/24
Tunnel2: 10.0.0.0/24 -> 10.20.0.32/28

Tunnel1 always works, but I get no traffic through Tunnel2. The SA for Tunnel2 does get established, but the byte counters stay at 0.

How should I set this up on Mikrotik?
Thanks!
by leonset
Thu Mar 29, 2012 11:24 am
Forum: Beginner Basics
Topic: Borked 450g?
Replies: 5
Views: 1105

Re: Borked 450g?

by leonset
Thu Mar 29, 2012 11:20 am
Forum: Beginner Basics
Topic: restore backup 450G->1100AH
Replies: 5
Views: 1241

Re: restore backup 450G->1100AH

In the past I have moved .backup full configs between different models. It has usually worked correctly, but the eth and wireless interfaces do get messed up: I had to check one by one and rename them, check IP address assignments, check DHCP server settings, etc. I have to check that /export compac...
by leonset
Thu Mar 29, 2012 11:05 am
Forum: General
Topic: IPSec tunnels do not pass data and multiple SA's
Replies: 1
Views: 733

Re: IPSec tunnels do not pass data and multiple SA's

I still have this problem, but I have narrowed it down to my DSL routers at the branch offices no longer sending ESP packets to the Mikrotik router behind them. The test I did was to disable DPD on that tunnel and reboot the DSL router when the tunnel stopped sending packets. After the reboot, the tu...
by leonset
Thu Mar 29, 2012 10:35 am
Forum: General
Topic: ONE Ipsec VPN restart
Replies: 4
Views: 2772

Re: ONE Ipsec VPN restart

Hi, I'm having a similar problem and I have narrowed down the problem to my DSL routers no longer passing ESP packets to the mikrotik router behind them. As I have no control over them, I use this script to check connectivity and flush SAs if necessary: :if ([/ping REMOTE_IP_REACHABLE_BY_THE_VPN_TUNN...
by leonset
Thu Mar 29, 2012 10:21 am
Forum: Scripting
Topic: scripting based on data rates.
Replies: 1
Views: 725

Re: scripting based on data rates.

I think that using PCC would make better use of both links:

http://wiki.mikrotik.com/wiki/Manual:PC ... _Balancing
by leonset
Thu Mar 29, 2012 10:15 am
Forum: Scripting
Topic: change VRRP priority if default gateway is down
Replies: 2
Views: 801

Re: change VRRP priority if default gateway is down

Hello!

Just curious, why would you need to do that?

Thanks!
by leonset
Wed Mar 28, 2012 7:20 pm
Forum: The Dude
Topic: Graphing Queues
Replies: 0
Views: 801

Graphing Queues

Hello! I'm quite new to The Dude but not to Mikrotik. I've been searching for a while and I haven't found how and if it's possible to generate graphs of the bandwidth usage of some simple queues or from a queue tree. Now I'm using mikrotik native graphs, marking packets and assigning them to simple ...
by leonset
Thu Mar 22, 2012 6:35 pm
Forum: General
Topic: Force ARP packet on VRRP Master state change
Replies: 5
Views: 1508

Force ARP packet on VRRP Master state change

Hello! Is there any way to force RouterOS to send ARP broadcast packets to the net when a VRRP interface becomes master? The manual says that it sends one unsolicited packet announcing the change when the VRRP becomes master, but some switches ignore it quite often and I have to wait some minutes for ...
by leonset
Thu Mar 22, 2012 1:10 pm
Forum: General
Topic: Effectiveness of a script policy? Scheduler policy?
Replies: 4
Views: 1383

Re: Effectiveness of a script policy? Scheduler policy?

Maybe it's because it needs to "write" a value into the smtp variable.

The only policies that I really use are "reboot" and "sensitive", the latter to hide them from exports if they contain any kind of sensitive data like passwords, local IPs or whatever.
by leonset
Wed Mar 21, 2012 3:30 pm
Forum: General
Topic: IPSEC behind nat
Replies: 5
Views: 13300

Re: IPSEC behind nat

Glad to help! Thanks for Karma upgrade! :) :)
by leonset
Wed Mar 21, 2012 12:34 pm
Forum: General
Topic: IPSEC logs gone after upgrade from v4 to v5
Replies: 4
Views: 584

Re: IPSEC logs gone after upgrade from v4 to v5

Sooo gooood!!! Thanks a lot for that tip!
by leonset
Wed Mar 21, 2012 12:00 pm
Forum: General
Topic: need more power than rb1100
Replies: 3
Views: 659

Re: need more power than rb1100

Here:

http://forum.mikrotik.com/viewtopic.php?f=2&t=60380

A member suggests "Try to disable change-tcp-mss (encryption, compression) in ppp profile."
by leonset
Wed Mar 21, 2012 11:58 am
Forum: General
Topic: Routerboard not fragmenting packets... or so I think
Replies: 2
Views: 689

Re: Routerboard not fragmenting packets... or so I think

Try using a Mangle rule on the forward chain to reset the don't fragment flag for each packet and check if you are getting the same error from the client.
by leonset
Wed Mar 21, 2012 11:49 am
Forum: General
Topic: IPSEC behind nat
Replies: 5
Views: 13300

Re: IPSEC behind nat

I'm using that setup, but the VPNHub is Mikrotik too, not Cisco, so I can't help you with that side. You should map both UDP500 and IPSec-ESP (IP protocol 50) from the external IP to the internal one. If using 1to1 nat, make sure that ESP is forwarded too, not just TCP/UDP. In the Policy, use the Mi...
by leonset
Wed Mar 21, 2012 11:29 am
Forum: General
Topic: IPSEC logs gone after upgrade from v4 to v5
Replies: 4
Views: 584

Re: IPSEC logs gone after upgrade from v4 to v5

I have the same problem: enabling IPSec or Debug logging shows a lot of detail, too much for a quick review. There should be an intermediate level of logging for IPSec.
by leonset
Mon Mar 19, 2012 11:41 am
Forum: General
Topic: IPSec tunnels do not pass data and multiple SA's
Replies: 1
Views: 733

IPSec tunnels do not pass data and multiple SA's

Hello, I've been using Mikrotik's IPSec for VPNs for a long time with almost no problems. VPNHub is a RB1000 and peers use 450G. For some time now my tunnels stop passing traffic, with no data flowing in one of the SAs of the tunnel. As you may know, each tunnel creates two SAs: one from VPNHub to...
by leonset
Thu Mar 15, 2012 12:18 pm
Forum: General
Topic: IPSec Redundant gateway
Replies: 3
Views: 1772

Re: IPSec Redundant gateway

Hello, I use scripts to keep configs in sync among two routers which share VRRP IP's for IPSec tunnels. I make changes only on primary router and use something like: /ip firewall address-list export file="EXPORT.$[/system identity get name].FW_Lists" to export some settings to a file. Then, on secon...
by leonset
Tue Jan 10, 2012 3:47 pm
Forum: General
Topic: True WAN bonding through my data center location?
Replies: 19
Views: 6022

Re: True WAN bonding through my data center location?

Nice! Try to use that for jitter sensitive traffic like VoIP or Citrix/Remote Desktop. Also, try to emulate problems with the DSL lines. My main concerns about that setup are packet reordering and retransmissions and resiliency to DSL problems. In my tests taking down one of the DSLs didn't take it ...
by leonset
Wed Dec 07, 2011 12:26 pm
Forum: General
Topic: Winbox doesn't show routerboards list on the network
Replies: 2
Views: 2151

Re: Winbox doesn't show routerboards list on the network

Oopss!! :shock:
It was disabled for the connected interface :(

Now it's working perfectly, thanks!
by leonset
Wed Dec 07, 2011 11:57 am
Forum: General
Topic: Winbox doesn't show routerboards list on the network
Replies: 2
Views: 2151

Winbox doesn't show routerboards list on the network

Hello!

In one of my sites, when I click the "three dot button" on Winbox to get a list of the available RouterOS devices on the net, I'm getting an empty list. But there's two devices and I can connect to them using their IP or MAC address.

Why I get nothing on the winbox list?

Thanks!
by leonset
Mon Dec 05, 2011 10:55 am
Forum: Forwarding Protocols
Topic: Force Traffic to Uplink ( RESOLVED ... by myself 1y later )
Replies: 2
Views: 1668

Re: Force Traffic to Uplink ( RESOLVED ... by myself 1y late

I've never done that kind of wifi deployment before, but your solution could be useful to address that "interclient" traffic :)

Thanks!!
by leonset
Thu Nov 24, 2011 1:09 pm
Forum: General
Topic: True WAN bonding through my data center location?
Replies: 19
Views: 6022

Re: True WAN bonding through my data center location?

Hi,

Which are the expected results you want to accomplish with that setup?
by leonset
Thu Nov 24, 2011 11:46 am
Forum: General
Topic: True WAN bonding through my data center location?
Replies: 19
Views: 6022

Re: True WAN bonding through my data center location?

That would make sense in a Remote Desktop/Citrix environment: you have the Citrix farm at the datacenter and connect to it from the DSL's lines. If you download someting in the remote session it will use the datacenter's bandwidth and traffic flowing by the dsl's would be only Citrix/Remote Desktop....
by leonset
Mon Oct 03, 2011 11:42 am
Forum: General
Topic: Oversized Ping
Replies: 1
Views: 417

Re: Oversized Ping

Can no one enlighten me on this issue? Please!
by leonset
Mon Oct 03, 2011 11:34 am
Forum: General
Topic: rb450g dual wan failover without load balancing
Replies: 2
Views: 10236

Re: rb450g dual wan failover without load balancing

Hello,

You should try this way of doing such failover:

http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

I've used it sometimes and does a nice job ;)
by leonset
Fri Sep 30, 2011 4:22 pm
Forum: General
Topic: Oversized Ping
Replies: 1
Views: 417

Oversized Ping

Hi, I have an IPSec VPN between a central site and a bunch of branch offices. Now I'm taking some Windows PCs to a Windows domain and some features of it (User GPO) aren't working. Some Microsoft forums suggest that I should enable 2K ping packet size between the PCs and the domain controllers. It shou...
by leonset
Mon Sep 19, 2011 4:17 pm
Forum: General
Topic: Load Balancing?
Replies: 7
Views: 946

Re: Load Balancing?

Right! I had two gateways with different IP addresses :)

Thanks!
by leonset
Mon Sep 19, 2011 1:50 pm
Forum: General
Topic: Load Balancing?
Replies: 7
Views: 946

Re: Load Balancing?

Fewi, are you sure you can't balance with PCC with just one interface? I tried some setups and I ended up with a working configuration using just one eth iface on the Mikrotik to the switch where the DSL routers were connected. Maybe I'm wrong, it's been some time since I tested it. And I can't fi...
by leonset
Mon Sep 19, 2011 12:08 pm
Forum: General
Topic: True WAN bonding through my data center location?
Replies: 19
Views: 6022

Re: True WAN bonding through my data center location?

Hi, You won't get more bandwidth using Location B's WAN, because you will be limited by your current DSL's bandwidth. The only reason I can think of doing this is if you need some latency sensitive traffic and "DSL to Location B latency" + "Location B to destination server latency" is lower (or bett...
by leonset
Wed Sep 14, 2011 10:58 am
Forum: General
Topic: EoIP + IPSec transport mode problem at reboot
Replies: 2
Views: 1112

Re: EoIP + IPSec transport mode problem at reboot

Ok!

This drove me nuts for a while. I hadn't used bridges over Internet before.

Thanks!
by leonset
Tue Sep 13, 2011 10:20 pm
Forum: General
Topic: EoIP + IPSec transport mode problem at reboot
Replies: 2
Views: 1112

EoIP + IPSec transport mode problem at reboot

Hello, I am having a problem bridging a net over the Internet using 2 ADSL connections. Here's my setup:
- Mikrotik RB450g, RouterOS 5.6
- Static IP on both ends. DSL router does the NAT to the Internet. UDP500 is DNATed to each Mikrotik LAN IP for IPSec. No NAT or firewall on the mk routers.
- IPSe...
by leonset
Tue Sep 13, 2011 9:29 pm
Forum: General
Topic: VRRP Working?
Replies: 3
Views: 741

Re: VRRP Working?

Hi,

Make sure the IPs assigned to the VRRP interface have a /32 mask and that the IPs assigned to the physical iface (eth1 and the bridge) have the correct mask (say /24).

Regards
by leonset
Tue Sep 13, 2011 9:12 pm
Forum: General
Topic: Eoip over 2x adsl bonding speed
Replies: 6
Views: 2841

Re: Eoip over 2x adsl bonding speed

Hi,

I believe you could check if it's an MTU issue by lowering the MSS at /ip firewall mangle:

add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1400
by leonset
Wed Mar 23, 2011 6:17 pm
Forum: General
Topic: Using two EoIP tunnels to load balance IPSec VPN among 2 WAN
Replies: 3
Views: 1368

Re: Using two EoIP tunnels to load balance IPSec VPN among 2

Hi!

Does anyone else have any suggestion? Would be greatly appreciated!

Thanks in advance.
by leonset
Mon Mar 21, 2011 9:26 am
Forum: General
Topic: IPSEC Tunnel between Mikrotik routers
Replies: 5
Views: 977

Re: IPSEC Tunnel between Mikrotik routers

Sorry, just a question: why should those packets be "rejected"?
by leonset
Fri Mar 18, 2011 12:05 pm
Forum: General
Topic: Efficient connection marking and packet marking for QoS
Replies: 2
Views: 848

Re: Efficient connection marking and packet marking for QoS

I use what I call a "selector" for the firewall set up, with a classifier at the top which sends the packet to the correct chain given its source/destination IP. That way packets will have to be checked only against the rules that may be applicable to them and not against all 300 rules. I suppose y...
by leonset
Thu Mar 17, 2011 2:35 pm
Forum: General
Topic: Using two EoIP tunnels to load balance IPSec VPN among 2 WAN
Replies: 3
Views: 1368

Re: Using two EoIP tunnels to load balance IPSec VPN among 2

Yeah, but you can't have the same policy for both WANs... You have to split the traffic among 2 tunnels somehow: source/dest TCP ports, source/dest IP addresses... So you don't get "real" load balancing in realtime, but a "manual" load balancing at configuration time.

Thanks!
by leonset
Thu Mar 17, 2011 11:07 am
Forum: General
Topic: Using two EoIP tunnels to load balance IPSec VPN among 2 WAN
Replies: 3
Views: 1368

Using two EoIP tunnels to load balance IPSec VPN among 2 WAN

Hello, I'm trying to figure out a way to load balance and failover an IPSec VPN between my remote office (2 ISPs) and my central office (one ISP). I'm thinking of setting up two EoIP tunnels at the remote office, each one using one ISP, and then create a bonding with both. Then, I would add an IP to the...
by leonset
Tue Jan 18, 2011 3:19 pm
Forum: Forwarding Protocols
Topic: IPSEC Over PCC or Nth
Replies: 2
Views: 1007

Re: IPSEC Over PCC or Nth

Hello!

Will that allow load balancing an IPSec VPN among 2 or more internet connections?
by leonset
Mon Oct 25, 2010 8:19 pm
Forum: General
Topic: General questions on RouterOS
Replies: 14
Views: 2243

Re: General questions on RouterOS

Nice to know!! I wish I had tested my setup before using "selectors" in my forward chain to be able to compare.

Which tools do you use to do those performance measurements?
by leonset
Mon Oct 25, 2010 6:52 pm
Forum: General
Topic: General questions on RouterOS
Replies: 14
Views: 2243

Re: General questions on RouterOS

You're welcome!

Just take care, it isn't as simple to implement as it may seem... especially on a live system. At least for me!
by leonset
Mon Oct 25, 2010 6:23 pm
Forum: General
Topic: General questions on RouterOS
Replies: 14
Views: 2243

Re: General questions on RouterOS

Hi, Try to optimize the mangle chain. Each packet shouldn't be checked against each rule. Segment your network in order to be able to place a "selector" and then jump to a given subchain where those will be mangled accordingly. For example, if you have 2 internal networks with different mangle rules,...
by leonset
Mon Oct 25, 2010 10:11 am
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

Hi, If WinBox "remembers" something that is NOT in a given RouterOS instance it isn't a "feature" but a bug, because you can't get consistency between what you see and what's currently running in RouterOS. On the other hand, if Winbox has "memory" to "remember" such things there has to be a way to del...
by leonset
Thu Oct 07, 2010 3:40 pm
Forum: General
Topic: Ideas to load balance an IPSec VPN
Replies: 1
Views: 1839

Ideas to load balance an IPSec VPN

Hello, I have set up an IPSec VPN using a DSL line at the branch office to my central CPD. Now I'm going to have two DSLs at each branch office and I would like to load balance the VPN traffic among both lines, but I don't know if it's possible to do it straight away. Also, I need it to be able to ...
by leonset
Mon Aug 09, 2010 3:42 pm
Forum: General
Topic: General questions on RouterOS
Replies: 14
Views: 2243

Re: General questions on RouterOS

If you really want to reach gigabit performance you should opt for x86 hardware. I'm using RB1000 and I can't get more than 700Mbits at full duplex (700Mbps in at eth0 and 700Mbps out at eth1), just with static (but complex) routing, a heavy (but optimized) 250 rules firewall and some Nat/mangle rul...
by leonset
Mon Aug 09, 2010 3:34 pm
Forum: General
Topic: Thousands of Connections established with mikrotik
Replies: 5
Views: 769

Re: Thousands of Connections established with mikrotik

What really stresses a router like the RB1000 is packets per second and not bandwidth, because every packet has to be analyzed and checked against firewall, mangle, routing, etc, etc. Having the right order in your firewall rules does help to withstand DoS attacks/traffic peaks.
by leonset
Tue Aug 03, 2010 2:14 pm
Forum: General
Topic: [Solved] VRRP: Bug in ROS 4.11
Replies: 18
Views: 4263

Re: VRRP: change settings in ROS 4.11

Great! Thanks for the update.

I hope it gets solved soon!
by leonset
Tue Aug 03, 2010 9:56 am
Forum: General
Topic: [Solved] VRRP: Bug in ROS 4.11
Replies: 18
Views: 4263

Re: VRRP: change settings in ROS 4.11

Hello!

Have you sent a bug report to Mikrotik? Do you have any answer?

I do heavy use of VRRP and I was planning on upgrading to 4.11 this week...

Thanks,
by leonset
Fri Jul 23, 2010 3:55 pm
Forum: General
Topic: Web server on mikrotik
Replies: 40
Views: 41266

Re: Web server on mikrotik

I don't think you can serve much more than just static files and it won't support too many concurrent users, probably RouterOS isn't optimized to be used in that way. Also, I don't know if RouterOS license will allow you to do that.

Regards,
by leonset
Thu Jul 22, 2010 12:02 pm
Forum: General
Topic: Windows Port Knock Application
Replies: 24
Views: 8028

Re: Windows Port Knock Application

Nice!!

Seems useful, even if I'm not using port knocking right now...

Thanks!
by leonset
Thu Jul 22, 2010 11:58 am
Forum: General
Topic: IPSec Flushing SA
Replies: 9
Views: 4411

Re: IPSec Flushing SA

Enabling DPD and rebooting the remote router is the only way I know to flush a specific SA in RouterOS... Is there any other way to do it?

Thanks!
by leonset
Mon Jul 19, 2010 2:23 pm
Forum: General
Topic: IPSec Flushing SA
Replies: 9
Views: 4411

Re: IPSec Flushing SA

Enabling Dead Peer Detection (DPD) really helped me when testing IPSec with Mikrotik. Restarting the remote router will flush just the SA of that peer.

Regards,
by leonset
Mon Jul 19, 2010 2:19 pm
Forum: General
Topic: RB1000 Performance and optimizations
Replies: 4
Views: 813

Re: RB1000 Performance and optimizations

Ok, so if I want to use it as a firewall the limit is somewhere at 750Mbps. If I just need a router I could disable conntrack and get nearly 1Gbps performance (tested). Not too bad for this little board :)

Thanks!
by leonset
Wed Jul 14, 2010 1:28 pm
Forum: General
Topic: Read Backup Configuration
Replies: 4
Views: 1757

Re: Read Backup Configuration

If I understand correctly, the problem is that the export file is on the AP and you can't get the file to a computer to read it... I don't know if you can "cat [filename]" from within RouterOS telnet... Probably the best solution would be to just import the old export if you haven't done many changes to it'...
by leonset
Wed Jul 14, 2010 1:22 pm
Forum: General
Topic: RB1000 Performance and optimizations
Replies: 4
Views: 813

Re: RB1000 Performance and optimizations

Hello!

Yes, it seems logical that I get those values. I'll try to find out the average size of packets.

I know that disabling conntrack will increase performance but, which firewall features won't I be able to use?

Thanks again!
by leonset
Wed Jul 14, 2010 11:39 am
Forum: General
Topic: RB1000 Performance and optimizations
Replies: 4
Views: 813

RB1000 Performance and optimizations

Hello, I have added a new VLAN to a couple of RB1000 to act as intranet routers/firewalls. I have done many tests and the best I could get is 600Mbps full duplex (600Mbps in at eth3, 600Mbps out at eth1). At those rates, CPU usage rises to 85%-95% and I can perceive increased latency, but nothing to...
by leonset
Tue Jul 13, 2010 3:46 pm
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

If an export-import solves the problem, RouterOS or Winbox is storing those address list values somewhere else than just the usual places available for user edit.

I don't like the idea, but I will do an export/import in my main firewall and check the results.

Thanks,
by leonset
Tue Jul 13, 2010 10:21 am
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

run an '/export file=config' and then search it with notepad for names.
The problem is that the address list doesn't show up in export but still shows up in Winbox. In fact, yesterday I did an export of ip-firewall, restored it to another, brand new unit, and the address list didn't show in winbox!...
by leonset
Mon Jul 12, 2010 2:36 pm
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

Hi again,

Beside IP/Firewall, where may I be using address lists? I'm having this issue with some lists and not with others (I'm doing a lot of changes).

Thank you!
by leonset
Fri Jul 09, 2010 9:25 am
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

I can't reset those systems and re-work them from scratch... that would be a lot of time, not to mention the downtime because my RB1000 units are in production. I may try to move all services to the second router and redo everything by hand in router1... but I don't like the idea :(

Thanks!
by leonset
Thu Jul 08, 2010 1:31 pm
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

Even if I create another rule, add the old list, remove it... the old address list remains there!!
wrong. you must remove ALL rules which saved list name. if you create new rule and then remove it - some old rule still keeps the list name
I do... I have NO rule with that address list in them. I had...
by leonset
Thu Jul 08, 2010 11:38 am
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

And... What if I have deleted the rule which had the address list name in use? Even if I create another rule, add the old list, remove it... the old address list remains there!! I've also tried to delete Winbox's cache and also accessing the router from other computers which had never used winbox be...
by leonset
Wed Jun 30, 2010 1:54 pm
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

And to find it it's probably easiest to save a "/export" and search for the address list name in a text editor. Something is referring to it somewhere.
I have done an export and there is no trace of those "ghost" address lists... so I don't know why WinBox is showing them up.
by leonset
Tue Jun 29, 2010 3:36 pm
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

And... What should I do if that address-list doesn't show up with /ip firewall address-list print?

That's the problem I'm having ;)
by leonset
Tue Jun 29, 2010 3:15 pm
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

How should I remove the address list manually? The only way I know is to remove all IPs from it, and if it isn't in use anymore it disappears automatically...
by leonset
Tue Jun 29, 2010 2:46 pm
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Re: Winbox shows an address list that doesn't exists

Hi!

No, it's an old address list that I was using in some firewall rules... but now I have changed them and created another address list.

Thanks!
by leonset
Tue Jun 29, 2010 2:22 pm
Forum: General
Topic: Winbox shows an address list that doesn't exists
Replies: 41
Views: 8785

Winbox shows an address list that doesn't exists

Hi! I have a problem in Winbox: the Address List drop-down box is showing an address list which doesn't exist. I have triple checked every rule in the firewall/nat/mangle tabs and that address list isn't used anywhere. I have even done a full export of the router configuration and there is no tr...
by leonset
Tue Jun 29, 2010 2:06 pm
Forum: General
Topic: MilliScript: freeware to manage export configuration files
Replies: 41
Views: 36898

Re: MilliScript: freeware to manage export configuration fil

Hello!

I'm trying to use this program to check my configuration but when I load the file I only get garbage on screen. Am I doing something wrong?

Thanks!
by leonset
Wed Apr 28, 2010 12:57 pm
Forum: Scripting
Topic: Script to fight spam
Replies: 6
Views: 2110

Re: Script to fight spam

Hi!

I did use search, but obviously I used the wrong search terms...

That script isn't exactly what I'm looking for, but it's a nice approach. I may take some ideas from it.

Thank you!
by leonset
Tue Apr 27, 2010 3:26 pm
Forum: Scripting
Topic: Script to fight spam
Replies: 6
Views: 2110

Re: Script to fight spam

I know it's not a mail server... it's a router and a firewall (among other things). I can do a lot of things in my mail server, but I can't check the reverse resolution of each incoming TCP/25 connection and drop it if it comes from a dialup or dynamic IP address. That's why I'm looking for a way to...
by leonset
Tue Apr 27, 2010 1:19 pm
Forum: Scripting
Topic: Script to fight spam
Replies: 6
Views: 2110

Script to fight spam

Hello, I don't know if this is possible. I'm thinking of a way to check the reverse name of each IP which connects to my TCP/25 port. If that name has "dialup" or "dynamic" in it, I would directly drop that connection and add that IP to a list of rejected IPs, so it will never reach my mail server ...
by leonset
Wed Mar 17, 2010 6:48 pm
Forum: General
Topic: Getting New WINBOX to Remember Collumn Settings
Replies: 26
Views: 5575

Re: Getting New WINBOX to Remember Collumn Settings

Hi, Try to save a session following pedja's last post, then exit. Then log in again and you'll get your saved session. Now go to System, Reboot. Then I can never get my saved session back and I have to re-do all the work distributing windows inside Winbox, etc. Anyway, the proposed "solutions" just seem "...
by leonset
Tue Mar 09, 2010 2:36 pm
Forum: General
Topic: Getting New WINBOX to Remember Collumn Settings
Replies: 26
Views: 5575

Re: Getting New WINBOX to Remember Collumn Settings

try to use 'Exit' button instead of 'X'
I use mk from 2 years.... every day i want this feature.... and now i know how to do it!!!! :D Thank youuuuuuuuuuuuuuuuuuuuuuuuu :D
Yeah... click on Exit and it will work most of the times... but go to system -> reboot and you'll lose all your settings :(
by leonset
Tue Mar 09, 2010 9:30 am
Forum: General
Topic: Dropped traffic identification
Replies: 2
Views: 465

Re: Dropped traffic identification

Glups... I should have thought about that! :?

It will show a lot of information, but I believe that I may be able to enable the rule for a while, analyze some traffic and disable it afterwards. Doing it a few times I should get a view of what's being blocked and why :)

Thanks!
by leonset
Fri Mar 05, 2010 12:40 pm
Forum: General
Topic: Dropped traffic identification
Replies: 2
Views: 465

Dropped traffic identification

Hello,

I have nearly 200 rules in my firewall and I see traffic being dropped in my final drop rule. I would like to know which kind of traffic is being dropped there in an easy way. How do you identify your dropped packets? Suggestions accepted :)

Thanks in advance!
by leonset
Thu Mar 04, 2010 9:25 am
Forum: General
Topic: window7 and winbox
Replies: 8
Views: 1944

Re: window7 and winbox

Try to set it to "Run as Administrator". Also if you have multiple NICs make sure only the one you are connecting to the router with is enabled, and it has an IP address assigned. That's important: if your NIC gets its IP from DHCP it won't start moving packets until it gets an IP or reaches the timeou...
by leonset
Mon Mar 01, 2010 6:47 pm
Forum: General
Topic: Traffic-Flow on ROS v4.5
Replies: 7
Views: 1483

Re: Traffic-Flow on ROS v4.5

I'm not using that feature right now, but maybe there's a rule blocking netflow traffic from Mikrotik to your collector...
by leonset
Mon Mar 01, 2010 6:46 pm
Forum: General
Topic: Getting New WINBOX to Remember Collumn Settings
Replies: 26
Views: 5575

Re: Getting New WINBOX to Remember Collumn Settings

A button to explicitly save Winbox columns and layout for each Mikrotik would be nice. And a button to save those settings once and apply them as a template to every other RouterOS managed from that computer would be excellent!
by leonset
Mon Mar 01, 2010 6:34 pm
Forum: General
Topic: New command syntaxes in new versions
Replies: 1
Views: 478

Re: New command syntaxes in new versions

+1 :)

I would add a 4th option: point us to somewhere with updated information about the syntax for each version :)

Thanks!
by leonset
Fri Feb 26, 2010 11:54 am
Forum: General
Topic: IPSec VPN problem [SOLVED]
Replies: 5
Views: 11853

Re: IPSec VPN problem

Hi, In case anyone needs this: The problem is that there was a route to the IPSec protected remote LAN through a disabled OpenVPN interface that I had created when testing with OpenVPN... so my router couldn't reach the remote IPSec peer. Checked all settings again and now I have a working IPSec VPN...
by leonset
Thu Feb 18, 2010 10:36 am
Forum: General
Topic: RB450G problem
Replies: 3
Views: 705

Re: RB450G problem

I haven't used a nanostation, so I can't help on that... I thought that the nanostation was taking care of the wifi access/hotspot and the 450G was dealing with nat/firewall/routing.
by leonset
Thu Feb 18, 2010 10:17 am
Forum: RouterBOARD hardware
Topic: Overclocking RB450G
Replies: 11
Views: 4283

Re: Overclocking RB450G

Hello,

Are there real world benefits to overclocking those units? I have some around and maybe I could try... if I knew how to do it!

Thanks
by leonset
Thu Feb 18, 2010 9:57 am
Forum: General
Topic: RB450G problem
Replies: 3
Views: 705

Re: RB450G problem

Maybe you have a NAT for everything that goes out from the 450G, but you shouldn't be doing NAT if you want to reach your internal LAN, and that includes the nanostation and laptops.

Disable the NAT rule, reboot the 450G (to flush the NAT table) and try again.
by leonset
Thu Feb 18, 2010 9:35 am
Forum: General
Topic: VRRP backup interface not standing down v4.3 on RB1000
Replies: 7
Views: 1455

Re: VRRP backup interface not standing down v4.3 on RB1000

Nice!

I'll keep it in mind if I ever use hotspot! :)

Now that support told you about the solution it seems logical, because hotspot blocks every packet until that user has authenticated, and that may include VRRP.

Bye
by leonset
Thu Feb 18, 2010 9:29 am
Forum: General
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 95181

Re: Feature Request: OpenVPN [ovpn] udp tunnels

Hi, @roadracer96 Have you been able to measure the bandwidth that you are losing by using TCP instead of the native bandwidth of your link? In my tests I lose at least 50% of the link's native bandwidth (and there aren't any lost packets nor high latency). @everyone Has someone played with MTUs to...
by leonset
Mon Feb 08, 2010 2:30 pm
Forum: General
Topic: [Solved] How to unbrick a RouterBoard 750(G)
Replies: 7
Views: 6802

Re: How to unbrick a RouterBoard 750(G)

I don't have any 750, but you could use WinBox to gain access to the one with a working RouterOS. You'll need to use its MAC address, because there's no IP address to connect to.

Regards
by leonset
Mon Feb 08, 2010 10:47 am
Forum: General
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 95181

Re: Feature Request: OpenVPN [ovpn] udp tunnels

I think it would be nice to add your vote here:

http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

Probably someone should add all the votes from the v3 feature requests page which are not done yet:

http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

Regards
by leonset
Wed Feb 03, 2010 6:56 pm
Forum: General
Topic: IPSec VPN problem [SOLVED]
Replies: 5
Views: 11853

Re: IPSec VPN problem

Hi! Here's the IPSec config for the local router:
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key comment="" \
    dh-group=modp1024 disabled...
by leonset
Wed Feb 03, 2010 4:00 pm
Forum: General
Topic: IPSec VPN problem [SOLVED]
Replies: 5
Views: 11853

Re: IPSec VPN problem

Hi,

No one has faced this problem before? Should I send a report to support?

Thanks,
by leonset
Mon Feb 01, 2010 9:19 pm
Forum: General
Topic: IPSec VPN problem [SOLVED]
Replies: 5
Views: 11853

IPSec VPN problem [SOLVED]

Hello, I'm trying to test IPSec without L2TP, just tunneling two LANs in tunnel mode. Both ends have a fixed & real IP address and are reachable from the Internet, so afaik I shouldn't need L2TP. Currently I'm using a preshared key. When I generate traffic from the local LAN destined to the remote la...
by leonset
Mon Feb 01, 2010 7:10 pm
Forum: General
Topic: VRRP backup interface not standing down v4.3 on RB1000
Replies: 7
Views: 1455

Re: VRRP backup interface not standing down v4.3 on RB1000

I'm sorry, but I can't help you with that... I haven't used hotspot yet!

Good luck!
by leonset
Mon Feb 01, 2010 6:26 pm
Forum: General
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 95181

Re: Feature Request: OpenVPN [ovpn] udp tunnels

+1!!! I really need this feature. Using TCP to encapsulate TCP gives me a very low throughput... and it's a shame, because it's really easy to set up an OpenVPN tunnel (well, at least when you've done it ten times and you discover how RouterOS likes its certs and some other tricky details). Mikrot...
by leonset
Mon Jan 11, 2010 7:20 pm
Forum: General
Topic: VRRP backup interface not standing down v4.3 on RB1000
Replies: 7
Views: 1455

Re: VRRP backup interface not standing down v4.3 on RB1000

Hello! If you have firewall and/or NAT rules ensure that you exclude VRRP and IGMP traffic from them... In my case the problem was a rogue source NAT rule which was driving vrrp packets nowhere. Right now the problem seems solved, but I'm doing some final tests. Also, my problem was undetected for a...
by leonset
Fri Jan 08, 2010 10:59 am
Forum: General
Topic: VRRP backup interface not standing down v4.3 on RB1000
Replies: 7
Views: 1455

Re: VRRP backup interface not standing down v4.3 on RB1000

Hello,

I'm having exactly the same problem here: the secondary comes up as Master and Running. Just upgraded to 4.4. This same setup was working flawlessly in 3.30!!

I've followed the wiki and every other document out there without success...

Should we send a report to support?
Thank you
by leonset
Tue Sep 22, 2009 2:33 pm
Forum: General
Topic: How control several Mikrotik`s not one by one
Replies: 26
Views: 3018

Re: How control several Mikrotik`s not one by one

Hi!

Alternatively... Is there any easy way to export just some settings and import them into a different routerboard? For example a given ruleset, the IP addresses, etc.

Thanks!
by leonset
Tue Sep 22, 2009 2:07 pm
Forum: General
Topic: 5 ADSL lines PCC Load Balancing problem
Replies: 15
Views: 1743

Re: 5 ADSL lines PCC Load Balancing problem

I would suggest simplifying your environment and starting to test. Keep just 1 DSL and disable the rules and packet marks for the rest. Test that everything is ok. Then add a second DSL, enable its rules, etc. Test again. Add a third one, test... and so on. It's very important to have a good set of te...
by leonset
Mon Sep 07, 2009 1:13 pm
Forum: General
Topic: OpenVPN on 3.28
Replies: 9
Views: 1205

Re: OpenVPN on 3.28

+1 I would also like to see a complete and standard implementation of OpenVPN in RouterOS, at least for the most powerful routerboard models if there are limitations in memory or processing power. That would make this the all-round all-terrain device that I'm looking for. Thanks in advance! :-) but ...
by leonset
Tue Jun 02, 2009 10:07 am
Forum: General
Topic: RouterOS V3.24 release
Replies: 26
Views: 2818

Re: RouterOS V3.24 release

Hello!
What's new in 3.24: *) fixed vlan on bonding;
Normis, could you please give some more information on that point?
we tried bonding of gigabit links on v~3.20 (in bonding-rr mode), it worked for some hours and then huge packet loss begins. and yes, there were many VLANs on that bonding interfac...
by leonset
Wed May 27, 2009 3:35 pm
Forum: General
Topic: [SOLVED] Kernel Oops when adding a comment to an interface
Replies: 10
Views: 2587

Re: Kernel Oops when adding a comment to an interface

I've just checked it and the problem has been solved in v3.24 :)

Thanks Mikrotik!
by leonset
Tue May 12, 2009 11:55 am
Forum: General
Topic: IP SEC
Replies: 2
Views: 505

Re: IP SEC

Hi!

As far as I know you can't have an IPSec server behind NAT, because that would force a change in packet headers and IPSec checksums won't work.

BTW, I suggest you to read an updated documentation:

http://www.mikrotik.com/testdocs/ros/3.0

Bye!
by leonset
Tue May 12, 2009 11:35 am
Forum: General
Topic: Please Help ... my system always Crash
Replies: 14
Views: 1326

Re: Please Help ... my system always Crash

Take a look at the wiki:

http://wiki.mikrotik.com/wiki/PCC#Notes

Keep in mind that PCC is not available yet, but the other methods described there are.
by leonset
Fri May 08, 2009 4:08 pm
Forum: General
Topic: [SOLVED] Kernel Oops when adding a comment to an interface
Replies: 10
Views: 2587

Re: Kernel Oops when adding a comment to an interface

Hello!

Mikrotik's support team has been able to reproduce the problem easily, so they will look deeper into it and try to solve it for next release :) :)

Thanks everyone.
by leonset
Fri May 08, 2009 11:03 am
Forum: General
Topic: [SOLVED] Kernel Oops when adding a comment to an interface
Replies: 10
Views: 2587

Re: Kernel Oops when adding a comment to an interface

Thanks for the hint... but that command doesn't exist in my current RouterOS version. Just in case someone needs it, to upgrade the RouterBOOT firmware:
- I downloaded the firmware from http://www.routerboard.com/comparison.html
- Using a serial cable entered the "bios" and uploaded the file using XMODEM...
by leonset
Thu May 07, 2009 4:04 pm
Forum: General
Topic: [SOLVED] Kernel Oops when adding a comment to an interface
Replies: 10
Views: 2587

Re: Kernel Oops when adding a comment to an interface

Hello!
1st - at start you did not provide what arch and hardware you are using
I'm sorry for that... as I explained in a previous post, I'm using 4 different units of RouterBoard RB450
2nd - you do not state - what version you are using
Yes, I did... RouterOS v3.22 and v3.23
3rd - what RouterBOOT ve...
by leonset
Thu May 07, 2009 3:03 pm
Forum: General
Topic: [SOLVED] Kernel Oops when adding a comment to an interface
Replies: 10
Views: 2587

Re: Kernel Oops when adding a comment to an interface

I'm using RB450 and I have tried four different units... all show the same problem.

I should have specified that before... sorry!
by leonset
Thu May 07, 2009 1:30 pm
Forum: General
Topic: [SOLVED] Kernel Oops when adding a comment to an interface
Replies: 10
Views: 2587

Re: Kernel Oops when adding a comment to an interface

After playing a little bit more with this, I get another dump if I just disable the trunk iface: [admin@ZIPI] > Oops[#1]: Cpu 0 $ 0 : 00000000 00000000 00010000 00010000 $ 4 : 00000000 c0b01eb0 c0c34380 c17c9090 $ 8 : 00002485 d184d710 00002485 d184d710 $12 : 00000000 c0379b80 c1c908f0 00000001 $16 ...
by leonset
Wed May 06, 2009 12:20 pm
Forum: General
Topic: [SOLVED] Kernel Oops when adding a comment to an interface
Replies: 10
Views: 2587

[SOLVED] Kernel Oops when adding a comment to an interface

Hello, I've seen a curious problem... When I change the comment of a Trunk interface, or to any of the VLAN or VRRP interfaces which depend on it, the whole trunk stops responding (no ping, no traffic, I can't even get the MAC address of the iface). The serial console gives some more information: [a...