Community discussions

Search found 98 matches

by oreggin
Tue Jun 25, 2019 7:40 am
Forum: General
Topic: IPsec Hardware acceleration on CHR?
Replies: 9
Views: 1706

Re: IPsec Hardware acceleration on CHR?

Same here, KVM with host CPU which has AES-NI flag.
Is there any solution?
by oreggin
Wed Jun 12, 2019 11:47 am
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 22548

Re: v6 RC and v7 BETA

I configured IPSec on one of my RoS devs, and that said don't configure base mode because it will be removed in RoSv7, so something is cooking in the oven and I hope it won't get burned up :)
by oreggin
Wed May 22, 2019 3:05 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Off topic, what is your native language if I may ask?
Sure, my native lang is Hungarian. I hope my English is not too wrong and you understand what I'd like to say. BTW we are using a worse, strange, mixed language in business that you shouldn't see/hear :-D
by oreggin
Wed May 22, 2019 1:33 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Meanwhile I switched the cable modem to bridge mode for testing so now the spoke has public IP, but I will switch it back as the cable modem in this mode has a reduced feature set. Another thing I tried is a static policy on spoke with UDP:1701:1701 and tunnel mode, under identity "generate-policy=none", ...
by oreggin
Tue May 21, 2019 5:12 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Cisco have their own protocol for that (DMVPN).
Yes, high-end vendors have mGRE+NHRP based DMVPN which is good but not scalable above some thousands of tunnels and it is off topic over here.
by oreggin
Tue May 21, 2019 4:31 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Now it comes to my mind that I tried this HUB setup with a Cisco CPE, and when it connects to the HUB it somehow generates a tunnel mode policy, but I can't figure out how it did that :(
by oreggin
Tue May 21, 2019 11:43 am
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

We have only one spoke behind every branch's ISP modem which are the NAT GWs, but spokes behind NAT with this configuration do not work. There is no need for any trick to support more spokes behind the same NAT GW. We need a trick to build tunnel mode (instead of transport mode) dynamic tunnels to wor...
by oreggin
Mon May 20, 2019 7:14 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Here are my anonymised configs and print outputs: [oreggin@HUB] > ip ipsec export verbose # may/20/2019 17:52:51 by RouterOS 6.44.3 # software id = XXXX-XXXX # # model = XXX # serial number = XXXXXXXXXXXX /ip ipsec mode-config set [ find default=yes ] name=request-only responder=no /ip ipsec policy ...
by oreggin
Mon May 20, 2019 4:40 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Thanks for the deep explanations, good to learn something new every day. BTW your conclusion is not exactly right as our L2TP tunnels are encrypted, I checked it. Dynamic policies are generated on HUB and spokes and SA counters are increasing with the amount of transmitted bytes. I don't say that I 100% understa...
by oreggin
Mon May 20, 2019 3:11 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

I didn't mention IPSec is the outer and L2TP is inside of it. In the reverse situation the resulting performance is terrible. Now I have dynamic policies on both ends and it works if peers are not behind NAT. I'm not an IPSec expert, so do you say I need to set a static policy on spokes? On spokes because ...
by oreggin
Mon May 20, 2019 1:41 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Under "/interface l2tp-client" I set "use-ipsec=no" as if I'm right it supports only PSK based auth. I configured dynamic policies under "/ip ipsec": /ip ipsec peer set 0 exchange-mode=ike2 /ip ipsec identity set 0 auth-method=rsa-signature generate-policy=port-override Unfortunately I didn't find ...
by oreggin
Mon May 20, 2019 12:52 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

How can I request tunnel mode, if both sides have dynamic policies? I can't find this option in RoS :(
I'm using BGP inside L2TP to distribute (IPv4+IPv6) routes between hubs and spoke, so I think I can't drop L2TP, or can I? How?
Oh, and I missed the MPLS part inside the L2TP.
by oreggin
Fri May 17, 2019 9:10 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 10847

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Hi! I built a hub and spokes IKEv2/rsa signature auth with L2TP over IPSec setup with Tik devices. There is one central HUB with a static public address, and there are some spokes, one of them has a dynamic public address, and the other is behind NAT where the NAT public address is dynamic as well. Publi...
by oreggin
Tue Apr 09, 2019 4:56 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 22548

Re: v6 RC and v7 BETA

MikroTik's plan is to release RouterOS v7 :)

"Probably this year" ™
Are you sure?! :lol:
by oreggin
Tue Apr 09, 2019 3:11 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 22548

Re: v6 RC and v7 BETA

Nah, please publish a roadmap with public information in a correct way. By correct I mean correct for MTik and correct for customers too.
If I'm working on something my boss insists on plans :) Please tell us MTik's plans about RouterOS development.
by oreggin
Sat Apr 06, 2019 4:04 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 22548

Re: v6 RC and v7 BETA

All I can say is that development of v7 has picked up in the last few months, more than ever. While I can't promise anything stable, it is pretty safe to say, that some kind of public test release (like beta for specific platforms) could be expected this year. The chances of that happening are now ...
by oreggin
Wed Jan 23, 2019 5:24 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 22548

Re: v6 RC and v7 BETA

What is the timeline? if there is no cut-off date then it's just proof of concept for developers. Alpha is exactly that - proof of concept (in a lot of ways) They continue to work on 6.x, but 7 being a new kernel and everything means they have to make sure all existing functionality from 6.x is imp...
by oreggin
Wed Jan 23, 2019 5:18 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 22548

Re: v6 RC and v7 BETA

And hopefully some new ARM64-based hardware as CCR replacement. Indeed. The CCR-line is a key product for many customers. It would be very welcomed with an refreshed version with similar number/type of interfaces. There is no need to replace the hardware if MT upgrade to the latest Linux kernel whi...
by oreggin
Mon Nov 26, 2018 2:31 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 22548

Re: v6 RC and v7 BETA

I think the first and most important step is to finish the kernel transplantation to at least RC state, and this should have more and more priority over the RoS v6.x train. After this they can slowly drop v6 and fix v7 bugs and implement the new features as a transition. I hope MT switch to the most recent LTS k...
by oreggin
Fri Nov 16, 2018 7:16 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 22548

Re: v6 RC and v7 BETA

Too big silence...Santa brings some wanted surprise? :-)
by oreggin
Mon Nov 05, 2018 5:10 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 22548

Re: v6 RC and v7 BETA

V7 beta seems to be already in development. You can see mrz's post:

http://forum.mikrotik.com/viewtopic.php?t=130551

Seems to be v7beta running on Virtualbox.
Then mrz has a unicorn :)
When exactly will we have one too? A bugpile is better than nothing... :)
by oreggin
Fri Jul 13, 2018 11:49 am
Forum: Wireless Networking
Topic: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]
Replies: 11
Views: 1803

Re: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]

Thanks to all! So, the solution is disabling vlan-filtering on the CAP's bridge and then voilà! CAP drops the selected SSID to its vlan that I set in CAPsMAN, so now CAPsMAN is controlling the CAP's Vlan selection based on SSID. If I enable vlan-filtering, this method does not work! As this is not a proble...
by oreggin
Thu Jul 12, 2018 12:54 pm
Forum: Wireless Networking
Topic: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]
Replies: 11
Views: 1803

Re: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]

Yes, this can be done in datapath. I jumped on the "do it manually per interface" train b/c you said that vlans differ from site to site for the same ssid... And this can only be done by hand ;-) I can configure as many datapath/configuration as I need and then assign it to provision and I can sepa...
by oreggin
Thu Jul 12, 2018 12:40 pm
Forum: Wireless Networking
Topic: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]
Replies: 11
Views: 1803

Re: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]

Thanks, but the topic started at somewhere "can capsman assign vlan to SSID on CAP instead of configuring it on every CAP by hand?" At the moment I assign vlans on CAP to SSID by hand.

Kind regards,
oreggin
by oreggin
Wed Jul 11, 2018 5:20 pm
Forum: Wireless Networking
Topic: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]
Replies: 11
Views: 1803

Re: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]

For using local forwarding, your CAP devices must have a bridge configured with ethernet and wlan interfaces in them. Then you set in cap settings bridge=<yourbridge> -Chris I did it: [oreggin@ap11] > interface bridge print Flags: X - disabled, R - running 0 R name="LAN" mtu=auto actual-mtu=1500 l2...
by oreggin
Wed Jul 11, 2018 4:04 pm
Forum: Wireless Networking
Topic: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]
Replies: 11
Views: 1803

Re: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]

You can edit this in the corresponding CAP interface under datapath. select vlan-mode = tag and then set the corresponding vlan id. A bit cumbersome, but it works. -Chris I tried it but it didn't work for me in local-forwarding mode. How to configure the CAP in this case? Now it has a bridge in MST...
by oreggin
Wed Jul 11, 2018 11:31 am
Forum: Wireless Networking
Topic: CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]
Replies: 11
Views: 1803

CAPsMAN + local forwarding CAP + SSID/Vlan? [SOLVED]

Hi! I found some topics on this issue but it is not clear to me if it would be possible for capsman to assign vlan to ssid in local-forwarding mode where vlans are specified on the CAP device and not on capsman. I have a capsman device and caps devices in hub&spoke topology. CAPs are on some sites, and each...
by oreggin
Tue Jul 03, 2018 3:02 pm
Forum: General
Topic: RB1100AHx2 bridge HW-offload issue [SOLVED]
Replies: 4
Views: 556

Re: RB1100AHx2 bridge HW-offload issue [SOLVED]

Dear Samot, Thanks for your answer but I think you totally misunderstand me. I didn't write that there would need to be another page. Instead it would be clearer if it was more sectioned and not mixing switching/bridging/L3Interface configs around pre-v6.41 and post-v6.41. In the past I used pre-v6.41 with...
by oreggin
Tue Jul 03, 2018 2:00 pm
Forum: General
Topic: RB1100AHx2 bridge HW-offload issue [SOLVED]
Replies: 4
Views: 556

Re: RB1100AHx2 bridge HW-offload issue [SOLVED]

Hi CZFan! Thanks for pointing to that page. I read that wiki many times but every time the many inline "pre-v6.41" and "post-v6.41" totally confused me, but I think I harvested the essence and now it works. As it depends on architecture, on RB1100AHx2 between ether1-5 and ether6-10 in the same v...
by oreggin
Fri Jun 29, 2018 3:26 pm
Forum: General
Topic: RB1100AHx2 bridge HW-offload issue [SOLVED]
Replies: 4
Views: 556

RB1100AHx2 bridge HW-offload issue [SOLVED]

Hi! I have an RB1100AHX2 and I would like to use it as a desktop switch with hw-offload to save CPU. It works fine with vlan filtering but it disables hw-offload on all bridge ports. If I disable vlan filtering (RSTP or none) then hw-offloading is automatically enabled on all ports but forwarding not work...
by oreggin
Tue Dec 20, 2016 11:36 am
Forum: RouterBOARD hardware
Topic: RB450G upgrade failed with ROS 4.1 from 3.30
Replies: 38
Views: 8560

Re: RB450G upgrade failed with ROS 4.1 from 3.30

Hehe, I have written many times "netinstall doesn't work without 'Clients for Microsoft Networks' option" and the answers come: "disable your firewall" LOL :D
by oreggin
Tue Dec 20, 2016 11:26 am
Forum: General
Topic: IPv6 stateless autoconfiguration, can ROS get autoconfed?
Replies: 9
Views: 5082

Re: IPv6 stateless autoconfiguration, can ROS get autoconfed?

What about this? I can't use SLAAC even though I disabled IPv6 forwarding. I tried on RoS ver 6.37.3. So my box is a router(board) only in its name but not in its functionality, as ipv6 forwarding is disabled, so it is a host device. So please make it possible to get an IPv6 address with SLAAC. This would be g...
by oreggin
Wed Jul 29, 2015 10:46 pm
Forum: General
Topic: Slow VPN tunnels (SSL, PPTP, L2TP)
Replies: 40
Views: 42994

Re: Slow VPN tunnels (SSL, PPTP, L2TP)

I found this topic and I would like to correct myself. L2TP client MTU/MRU is 1460 if uplink MTU is 1500 bytes. This is because L2TP uses UDP encapsulation (UDP port 1701). IPv4 + UDP header = 20+20 = 40 bytes. 1500-40=1460. With these options I can reach almost the maximum speed of the router capability @ 10...
by oreggin
Sat Jul 11, 2015 12:59 pm
Forum: RouterOS v7
Topic: Feature Request: PEAP-MSCHAPv2 in station mode
Replies: 6
Views: 1933

Feature Request: PEAP-MSCHAPv2 in station mode

Hi! I hope I am writing this in the right place. If not please excuse me. UPC Wi-Free service is getting more widespread so it would be nice if we could use our routerboards running RoS on it as a wireless client to connect to UPC Wi-Free and share it among our PCs and Laptops. It works with EAP-PEAP...
by oreggin
Sat Jul 11, 2015 12:50 pm
Forum: Wireless Networking
Topic: PEAP mschapv2 auth in station mode?
Replies: 18
Views: 6361

Re: PEAP mschapv2 auth in station mode?

Hi!

I faced the same problem. I can't use my RB433AH to connect UPC Wi-Free as a station, to share it for my PC and Laptop. UPC Wi-Free is getting more widespread, so it will be appreciated to implement PEAP-MSCHAPv2 in RoS.

Cheers,
oreggin
by oreggin
Thu Apr 30, 2015 1:20 am
Forum: RouterBOARD hardware
Topic: RB1100AHx2 FAN question
Replies: 0
Views: 568

RB1100AHx2 FAN question

Hi folks, I have an RB1100AHx2 and it has two fans, main + aux. At any time only one FAN is operating and I can choose between them. It has a really annoying noise :-) Can I choose an option to spin up both fans at half RPM but the same airflow and when one of them fault then the other doubling the ...
by oreggin
Mon Apr 20, 2015 9:25 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: Hardware NAT
Replies: 18
Views: 6915

Re: Feature Request: Hardware NAT

http://www.taifatech.com/files/TF470_Product_Brief_02.pdf http://www.taifatech.com/files/TF480-Product-Brief-04-08.pdf Something like these? It is enough for 100M uplink. But if we need 1G or 10GE wire-speed NAT then we need something like this + TCAM + design + garnish: http://www.marvell.com/netw...
by oreggin
Wed Jan 28, 2015 11:55 pm
Forum: RouterBOARD hardware
Topic: CRS226
Replies: 33
Views: 10234

Re: CRS226

If I'm right, CRS is a Layer2 ASIC with CPU Layer3 support. So it can't do NAT or routing in ASIC but in CPU?
Do you plan to make real Layer3 switches? I mean ones that can do simple routing or NAT functions with TCAM or similar.
by oreggin
Wed Oct 01, 2014 12:01 pm
Forum: General
Topic: DNSSEC
Replies: 33
Views: 9701

Re: DNSSEC

+1 for feature request
by oreggin
Sat Oct 19, 2013 2:17 pm
Forum: General
Topic: IPv6 ping - "no route to host"
Replies: 7
Views: 4218

Re: IPv6 ping - "no route to host"

Did you all mention it to MT support?
by oreggin
Sun Oct 13, 2013 2:15 pm
Forum: General
Topic: IPv6 ping - "no route to host"
Replies: 7
Views: 4218

Re: IPv6 ping - "no route to host"

Reboot can resolve it temporarily but after a random time the router again loses its routes to its own connected neighbours. It can only reach itself. Really a very strange thing. It would be appreciated if someone from MT could tell us whether they know this issue and are working on it or not.
by oreggin
Sun Oct 13, 2013 2:06 pm
Forum: General
Topic: IPv6 ping - "no route to host"
Replies: 7
Views: 4218

Re: IPv6 ping - "no route to host"

Same problem here. I wrote it to support months ago, I asked them multiple times if this is a known bug or not but no answer comes back.
by oreggin
Sat Oct 12, 2013 4:42 pm
Forum: General
Topic: Slow VPN tunnels (SSL, PPTP, L2TP)
Replies: 40
Views: 42994

Re: Slow VPN tunnels (SSL, PPTP, L2TP)

Same problem here. I have a 120/10 connection, and I can only use 12-13Mbps over it with NAT on L2TP /wo compression and encryption on my RB450G: [oreggin@RB450G] > /interface monitor ether1 name: ether1 rx-packets-per-second: 2 020 rx-drops-per-second: 0 rx-errors-per-second: 0 rx-bits-per-second...
by oreggin
Wed Jul 04, 2012 2:50 pm
Forum: General
Topic: DHCPv6 client doesn't create pool at startup
Replies: 2
Views: 712

Re: DHCPv6 client doesn't create pool at startup

I think this happens because the Pool gets created and then the time gets set using ntp

I have reported this as a bug
Nick.
Me too :)
Thanks.

oreggin
by oreggin
Mon Jul 02, 2012 2:17 pm
Forum: General
Topic: DHCPv6 client doesn't create pool at startup
Replies: 2
Views: 712

DHCPv6 client doesn't create pool at startup

Hi, I'm testing an RB450G with RoS 5.18 on DSL and IPv6. I configured dhcpv6 client on the router and it works, but as soon as I reboot the router or turn it on, the dhcpv6 client doesn't make the ipv6 pool: [admin@rtr.test] > /interface ethernet print Flags: X - disabled, R - running, S - slave # NAME ...
by oreggin
Mon Jul 02, 2012 10:42 am
Forum: General
Topic: /31 point to point Ethernet links not working
Replies: 4
Views: 1028

Re: /31 point to point Ethernet links not working

This is a duplicated topic:
http://forum.mikrotik.com/viewtopic.php?f=2&t=63255

@mrz: do you have any information on when RFC3021 will be supported in Linux/RoS on ethernet?
by oreggin
Sun Jul 01, 2012 2:44 pm
Forum: General
Topic: /31 not useable on Mikrotik
Replies: 8
Views: 1478

Re: /31 not useable on Mikrotik

Thus the smallest functional subnetting on an interface would be /30. And nothing is broken, just working as expected.
/31 doesn't break either. Please see RFC3021.
by oreggin
Sun Jul 01, 2012 12:43 pm
Forum: General
Topic: /31 not useable on Mikrotik
Replies: 8
Views: 1478

Re: /31 not useable on Mikrotik

Ok, but what if I need to work with non-MT/RoS devices like Cisco?
by oreggin
Sat Jun 30, 2012 11:20 pm
Forum: General
Topic: /31 not useable on Mikrotik
Replies: 8
Views: 1478

Re: /31 not useable on Mikrotik

You can do /31 on Mikrotik.

Set interface to 10.99.99.1/32 and set broadcast to the remote end e.g. 10.99.99.2 do the opposite on the remote end.
It is not clear to me. Can you please give us a config example?

Thanks,
oreggin
by oreggin
Sat Jun 30, 2012 11:05 pm
Forum: General
Topic: /31 not useable on Mikrotik
Replies: 8
Views: 1478

Re: /31 not useable on Mikrotik

Same thing here, but I'm not forcing this because I can live with /30s and IPv6 is coming and knocking on the window :-)