MikroTik

ilium007

Is this script supposed to work with dhcp static leases? I have a couple of static leases that when acquired don’t add the DNS record.

ilium007

I will run this every 6months then. Is there any way to only import the certs that expired or will this import all and overwrite existing certs? { :do { /tool fetch url=https://mkcert.org/generate/ check-certificate=yes dst-path=cacert.pem; /certificate remove [ find where authority expired ]; /cert...

ilium007

That makes perfect sense! Thanks.

ilium007

Completely unnecessary to update them that often! Once every 3 months should be more than enough, maybe even once per year. So if I run 3 monthly and a cert expires the day after the last script run then potentially I wait 3 months for this remote site to update root certs so the dynamic DNS IP upd...

ilium007

No need to remove all certificates... You could just remove the expired ones to clean up. /certificate remove [ find where authority expired ]; Thanks - will the certificate import command then only import the new ones or will it write them all again? /certificate import file-name=cacert.pem passph...

ilium007

Looking through the moderator logs, I see that the only removed posts were self removed. Including the post deleted on the 26th of November, and after that, the ones you removed in September. Perhaps there was a misclick, but I don't see a moderator willfully deleting your posts. Ok, thanks for loo...

ilium007

I have a cAP AC that I’m trying to get configured. After spending hours yesterday configuring and setting up scripts and WireGuard etc I took a backup and performed a reboot. The router did not come back, no DHCP, no wifi. I set a static address in same subnet and still no ssh or web access. I perfo...

ilium007

Good luck with contacting an administrator. Messaging is switched off again. It could be that your posting got reported and they are deleted...manually or "automatic". ps. you posted this in scripting and that is not right place post this. I posted in scripting because that’s the forum th...

ilium007

I have posted two different threads in the scripting forum this week and both seem to have been deleted. Not sure if I am doing something against rules but no mod has been in contact to advise.

ilium007

Completely unnecessary to update them that often! Once every 3 months should be more than enough, maybe even once per year.

ok, thanks

ilium007

What is the best way to update CA root certs? I am running the script below every 7 days but I wondered if there is a better way to work out if they actually *need* updating before downloading, deleting and replacing certs every week. Also - can running this every week damage flash RAM (or whatever ...

ilium007

I have no idea what you are talking about (too much kangaroo boxing??). Not sure whats so hard to understand. I'll try and make it simpler for you. VLAN 10 - INTERNAL VLAN VLAN 99 - MGT VLAN I have a 5 port Mikrotik Chateau LTE router with 4 SSIDs. - 4 ethernet ports should be on INTERNAL VLAN 10 a...

ilium007

If you want to have all devices being controlled by the management VLAN then each device gets its IP from the managment vlan

The MGT VLAN should only be used to access HTTP/S and SSH ports on the devices, each VLAN has an interface on the main router that serves DHCP, DNS etc.

ilium007

Your trunk port (the one between the Audience and the cAP ac) should be a trunk port. I’ve taken the cAP out of the picture initially, I was trying to get the VLANs working before trying the trunk port and cAP. I have initially followed this config from the pages mentioned up top of this thread - h...

ilium007

So I've spent another night on this and I've got closer after reading through the posts in this thread but I can't get it working as it should I have two VLANs, 10 (INTERNAL_VLAN) and 99 (MGT_VLAN) I can get a DHCP address via VLAN 10 and VLAN 99 (after a very large delay) I have intermittent intern...

ilium007

Thanks for the configs. I’ll try and piece it all together.

ilium007

Thanks. Do you have similar config for the other Mikrotik router with DHCP server?

ilium007

I followed this config without success:

viewtopic.php?t=143620#p706999

ilium007

This topic taught me a lot about VLAN's on MikroTik devices:
viewtopic.php?t=143620

I spent an hour reading this and still got nowhere. I know how VLANs work, I just dont know how to implement in routerOS.

ilium007

I have spent hours today trying to get some virtual wireless networks on a cAP-AC to work with a Mikrotik Chateau LTE. I am following old guides I have found, none of which are working. I don't know if I should have multiple bridges or one bridge. I don't know if VLAN interfaces are assigned to a br...

ilium007

Hi - I am trying to DSTNAT from internet to local RouterOS web interface, I simply want to change to external port for the Web UI but leave the internal port. ie. DSTNAT 80443 to 443 on device. Is there any way of doing this?

ilium007

It works 100% with other hardware. It only fails for me on MikroTik RouterOS.

ilium007

I thought chateau was only ros v7?

It is, my issues are all on RouterOS7, verified in RouterOS7 Beta 3

ilium007

I think I have solved my wireless issues with the help of a few other threads in these forums. Key configuration changes were: channel-width wmm-support keepalive-frames multicast-buffering multicast-helper group-key-update and increasing DHCP lease time from 10mins to 10hrs [admin@router01] > /inte...

ilium007

we have possible fix for this issue, that will be included in upcoming version.

I tested the bug on beta3 and it’s still there

ilium007

I'm having these issues on routerOS7 with all Apple devices. Try to enable WMM support in the wireless section https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless Thanks for that,but in CAPsMAN WMM Support is absent Just do it from CLI, change wlan1 for the appropriate interface: /interface/wi...

ilium007

Is this a known fix or a stab in the dark?

ilium007

I'm having these issues on routerOS7 with all Apple devices.

ilium007

I have turned on DHCP logging to try and catch something the next time it happens.

ilium007

There's something else going on here. I am getting the problem whereby I can't reconnect my Apple MacBook Pro. It seems like the wireless is connecting but I'm not getting an IP address. Could there be an issue with the DHCP side of things? I hadn't experienced the problem in weeks but all of a sudd...

ilium007

As I said, I perform a backup daily via script and email to myself from the router. The backups I attempted to restore were from the pas few days as I know I had made recent changes. These keep failing to restore. I went back to the backup from the 16/09 and was able to restore that unencrypted back...

ilium007

So I'm having a heap of problems here. Power outage last night, router was unresponsive when I came home. Because I do daily backups, emailed to myself, I thought I would grab one and load back to the router. The backups that I am doing now are unencrypted due to the bug I have previously reported i...

ilium007

I have a strange issue where Apple devices are sometimes not reconnecting to the Mikrotik Chateau LTE 12 wireless networks after previously being connected. Not sure where to start, I have read of issues plaguing routerOS for years regarding Apple devices and wireless but cant find solutions. I have...

ilium007

I agree, but it pretty clear from all the testing that I have done that there is an issue. The dstnat works fine from another cheap router via its LTE interface, dstnat on ethernet on Device A works fin, the WireGuard instance on Device B works fine. The problem is dstnat when using the LTE WAN inte...

ilium007

Yes, on device B and on your client. I think the mtu should match on both sides. No idea what happens if it does not. Tried lowering on both with no success. I have checked MTU on the lte1 interface and it is set at 1500. There is no packet fragmentation when doing ping tests to an internet host at...

ilium007

I'm out of ideas. - TP-Link with LTE works => LTE is ok - Chateau with ethernet works => Chateau is ok - Chateau with LTE does not work => ???, but why, when both should be ok? It would be interesting if someone else could test it with their Chateau and LTE, but so far there isn't anyone else. I as...

ilium007

Does it make a difference if you lower the mtu size on wireguard interfaces?

On Device B?

ilium007

You should agree that this is much better than using a line number when it is done in a script.

I suppose it is. Thanks.

ilium007

It is not possible to use ordering sequence numbers in a script!

Wow ok! So I guess I'm confused by the point of "place-before" if rules can't be referenced by an array index number.

ilium007

As I had my scripted rebuild working I decided to try the backup and restore again on an un-encrypted backup and can confirm that it successfully restores. The process below worked: [admin@router01] > /system/backup/save password=xxxx dont-encrypt=yes name=backup01 [admin@router01] > /system/reset-c...

ilium007

[admin@router01] > /system/routerboard/print routerboard: yes model: RBD53G-5HacD2HnD serial-number: C8CA0CB0B626 firmware-type: ipq4000L factory-firmware: 7.0beta6 current-firmware: 7.0beta6 upgrade-firmware: 7.1beta2 [admin@router01] > Due to the backup recovery issue I'm facing I decided to put ...

ilium007

[admin@MikroTik] > /system/routerboard/print routerboard: yes model: RBD53G-5HacD2HnD serial-number: C8CA0CB0B626 firmware-type: ipq4000L factory-firmware: 7.0beta6 current-firmware: 7.0beta6 upgrade-firmware: 7.1beta2 I had generated a routerOS backup using: /system backup save name=router01 passw...

ilium007

Ok, so putting the TPLink LTE router (Device 0) in front of Device A and placing a port forward (UDP 13232) on Device 0 to Device A, and then Device A with a port forward to Device B WORKED . So its not the dstnat that the problem it is something in the LTE side of things. Device 0 - TPlink LTE rout...

ilium007

Exactly.

So how do I troubleshoot my failed installation then? It works if I put a cheap router in front and port forward, it fails when I put a $365 Mikrotik Chateau LTE12 in front and dstnat the WireGuard traffic.

ilium007

The 'broken port forwarding' theory. So no change for device B, but I also used 7.1beta2 on device A.

Sorry, but I'm a little confused. Are you saying that you have put a 7.1beta2 WireGuard instance (Device B) behind a 7.1beta2 router (Device A) and its all working?

ilium007

I didn't expect that it would change anything, but I tested device A with 7.1beta2 and no problem at all, everything works.

What exactly did you test??

ilium007

DNS query from Internet to Device B via Device A DSTNAT worked.

Packet capture:
http://ge.tt/4O1Xh773

IMG_3207.jpg

ilium007

Not that it would be completely impossible, but dstnat is simple thing, it's there for years, everyone uses it, ... it's not likely that it would get broken and not noticed by many other people. On the other hand, it is beta version, so maybe the chance is slightly higher. You can test another serv...

ilium007

That was easy. :-)

Sometimes it’s the little things 🤷‍♂️

ilium007

Enabling starttls has resolved the problem, email is now sending. [admin@chateau] /tool/e-mail> print address: smtp.gmail.com port: 587 tls: starttls from: xxxxxxx@gmail.com user: xxxxxxx@gmail.com password: xxxxxxx last-status: succeeded last-address: 74.125.24.108 [admin@chateau] /tool/e-mail>

ilium007

I have a feeling this is due to 2fa or an incomplete user name. In the user name field it should be your email address. I had been using email address for user name with no success. The generated app password with 2FA is the documented method of authentication. The error in getting is a TLS handsha...

ilium007

ehmmmm I did not see that earlier. You are a gmail user (port 587, normal 25) so you should use inbound

The only secure documented method of sending mail via Googles SMTP servers for non-GSuite users is via smtp.gmail.con:587 with TLS

ilium007

Else go the SMTP/25 way.

Plain text / no encryption?

ilium007

CRL seems only be possible for certificates you generate on your Router.

Looks like thats the end of sending emails via Google SMTP relays? It really shouldn't be this difficult!

ilium007

I think that you also need this file:

http://crl.globalsign.net/root-r2.crl

That CRL was already in the CRL list but shows up as invalid. I tried re-importing from the URL but it was invalid as well.

Screen Shot 2020-09-12 at 10.25.31 pm.png

ilium007

All of the Google Trust Services root CA's were already in the list of 138 certs that are already present on the device.

ilium007

Delivering a e-mail to them is a PITA and the best chance is using the relay. In the middle of the linked page is a PEM file and have a look at that. I can't test anything being on my tablet. I thought the relay was for G-Suite users only (I use it for SMTP access for printers / scanners at work).

ilium007

Have you tried: smtp-relay.gmail.com Same issue: 20:38:51 e-mail,error Error sending e-mail <email test>: TLS handshake failed Where should I be downloading CA root certs from? I have put the config back, this is the command line I am executing to test: [admin@chateau] /tool/e-mail> print address: ...

ilium007

There are no certificates present by default in Mikrotik routers so you have to install them to use TLS. https://support.google.com/a/answer/6180220?hl=en I had already imported CA root certs from here: https://mkcert.org/generate/ [admin@chateau] /certificate> print Flags: L - CRL; T - TRUSTED Col...

ilium007

I can't send email via smtp.gmail.com. 18:15:18 e-mail,error Error sending e-mail <email Test Email>: TLS handshake failed Config: [admin@MikroTik] > /tool/e-mail/print address: smtp.gmail.com port: 587 tls: yes from: xxxxxxx@gmail.com user: xxxxxxx@gmail.com password: xxxxxxx last-status: failed la...

ilium007

So this happened..... I set up a dirt cheap TP-Link LTE 4G router with the same SIM card and gave it the same LAN IP address and set up a port forward to the Mikrotik Device B. I connected from the same iOS WireGuard client and it successfully connected and performed handshake. The issue has to be w...

ilium007

I'm running out of ideas. Last one for now, although there's no reason why it should be the problem, did you try to connect only to device B and no other server at the same time?

The last two sets of packet captures where whilst connecting to Device B only. One WireGuard connection only.

ilium007

Captures from the DSTNAT connection attempt to a Raspberry Pi WireGuard server running behind the Mikrotik Device A.

http://ge.tt/2jsaQ573

Client WAN IP: 49.195.16.14
Client LAN IP: 192.168.8.101

Device A WAN IP: 123.209.194.128
Device B LAN IP: 192.168.10.20

ilium007

The obvious problem is that it contains only initial requests, there's not a single response. It was the same in previous combined capture as well. All non-TZSP packets are from client to server. But if you look at TZSP packets, you can see that device B is sending responses. So one more thing you ...

ilium007

I realised that I could have just produced a .pcap file on Device B itself using the packet sniffer tool. To avoid confusion I have produced two seperate packet captures, one from my laptop in the hotel, the other from Device B. Laptop: SRC IP: 172.20.1.195 Hotel WAN IP: 124.19.6.93 https://transfer...

ilium007

And how exactly did you capture this? It looks like strange mix. Some packets are wrapped in TZSP, from 192.168.10.5 to 192.168.200.11 (what's that?), while others look like direct capture from interface. But if it's captured using packet sniffer on 192.168.10.5, as TZSP suggests, then it shouldn't...

ilium007

After a lot of messing around I have captured the USP packet stream for both the client and Device B. https://transfer.sh/Poqim/client_connect.pcapng 172.20.1.195 - hotel room IP address 124.19.6.93 - hotel WAN IP address 123.209.117.65 - Device A WAN IP address (LTE modem interface where DSTNAT to ...

ilium007

But there's one thing I noticed now, you have 192.168.201.0/24 as address on wireguard1 interface. But it's not correct address, with .0 at the end it's subnet address. Change it to something else, e.g. .1. That was a configuration typo during testing! I have fixed now and it behaves the same. I am...

ilium007

Is there are firewall rule that does source NAT just after destination NAT for the incoming packet? Possibly that confuses wireguard... What interfaces are in interface list "WAN"? SRCNAT / masquerade rule is above the DSTNAT rule for Device B WireGuard instance: /ip firewall nat add acti...

ilium007

Have you tried to access Wireguard on device A via port 8080 and set up DSTNAT to device B to the Wireguard port. Some ISPs block various ports. If port 8080 (TCP) works, it should also work on WG. As expected it behaves exactly the same. Packets were always getting through the DSTNAT to the WireGu...

ilium007

I've done some more testing and can't make sense of this. I can successfully DSTNAT TCP 8080 traffic from the internet to Device B on TCP port 80 (just a test to the Device B webfig app) - DSTNAT works from Device A to Device B: http://mikrotik2020.duckdns.org [admin@MikroTik] /ip/firewall> nat/ pr ...

ilium007

I tried quick test with RouterOS as WG server behind NAT with forwarded port, same as OP has, and it works fine. Exactly as expected, since WG shouldn't care about NAT at all.

What routerOS version is running on the Mikrotik router doing your port forward?

ilium007

Ah, I misread and misunderstood some details. So both peers are behind NAT, one is supposed to be reachable via destination NAT. Never tried that with wireguard, no idea if this should work. Device A has a public IP address (no CGNAT) via its LTE modem. I port forward (DSTNAT) UDP 31232 to Device B...

ilium007

There’s no “LTE stick”. Internet facing router is a Mikrotik Chateau LTE12. As I said, other port forwards work through to the cAP ac so I know DSTNAT from Device A and all routing is working. I know WireGuard works on Device B because I can connect to it locally and handshake is successful. I also ...

ilium007

Why do you configure wireguard on device B, not device A? Because as I said, I am setting this device up to send to my parents to use as a wireless access point but also to give me a WireGuard VPN for remote access. They have an ISP issued VoIP router that can't be swapped out so I need to place th...

ilium007

Problem described in detail here: https://www.reddit.com/r/mikrotik/comments/inkuqp/trying_to_port_forward_wireguard_connection_to/ I have two MIkrotik devices. I am testing Wireguard on the internal (behind internet router) Mikrotik device before I send it off to my parents to use behind their ISP ...

ilium007

:local resolvedIP [:resolve "{{ domain }}.duckdns.org"]; :local currentIP [/ip address get [find interface="{{ interface }}"] address]; :local currentIP [:pick $currentIP 0 [:find $currentIP "/"]]; :if ($resolvedIP != $currentIP) do={ :log info ("Trying to update ...

ilium007

Getting my Chateau LTE 12 tonight and doing some research. I believe WireGuard is available in the routerOS 7 beta but I can’t find a lot of info on it. I remember a few years back when using routerOS with OpenVPN I couldn’t run the OpenVPN server on a WAN interface that had a dynamic public IP. The...

ilium007

Can anyone please confirm the MikroTik SXT LTE Cat 6 only has 10/100 Mbit Ethernet interfaces? If so I am confused.... why bundle an LTE 6 modem capable of 300Mbit download speed if the Ethernet interface can only handle 100Mbit?

ilium007

Thanks - I'll look in to it some more. Need to find an Australian reseller for the SXTR.

ilium007

Can the internal modem in the SXT LTE 6 be replaced. I would like to run a EP06-E.

ilium007

Thanks for the reply. I'm interested to know how the ppp serial interface affects upload speeds. The application I am looking at is remote video surveillance access so the 4G upload speed is of interest to me.

ilium007

Sorry to drag this post up but I am looking at a RB912UAG-2HPnD and I am being told that the Sierra MC7304 is unsuitable because it only does ppp and that it needs DirectIP to work with LTE speeds. From what I am reading below the MC7710 can work with DIP ? Can I expect LTE speeds with an MC7710 and...

ilium007

Almost two years on... glad I didnt wait before going back to dd-wrt where simple things work..

ilium007

Because you showed me a single command to set up a default route. When I change the PPP to include the 'Local Address' that you pointed out earlier the RouterOS does not auto create the routes - we have established this. So you said to run a single command that I assume only creates a single default...

ilium007

The IP address here is auto configured via PPP - it is not the static one they assigned me.

ilium007

These are the two route entries that are auto created: http://f.cl.ly/items/3C2G3J1v013m241m3O0I/admin@192.168.10.1%20(RB750G)%20-%20WinBox%20v5.5%20on%20RB750G%20(mipsbe)-1.jpg http://cl.ly/0J203k1y2b0j391U1l1w/Screen_Shot_2011-09-06_at_6.18.59_PM.png http://cl.ly/3W3J3c0T320I0e2a1U1b/Screen_Shot_2...

ilium007

OK - i'll give it a go. There seemed to be two auto created entries when it is set to do it itself.

ilium007

I havent worked out how to do that yet..

ilium007

No - it's not working !

When I add the ppp profile and then add the local IP ( my static ip ) I can not get Internet access because there is no default route being added. However, in this configuration I can connect in to this static ip via ssh.

ilium007

Hi - I created the new profile with the static IP as 'Local Address' and it worked fine for incoming SSH traffic (tested via phone) but I can't get any traffic out of the network with it enabled this way. I have worked out that no default route is being added when I use the profile set up with the l...

ilium007

OK - will do that. I thought that I had configured this static IP address somewhere last time I was with this ISP. Maybe not ! Out of interest - I have had cheaper Linksys routers that also do pppoe but also allow me to specify a static IP address. How does this work if it is PPP that is handing out...

ilium007

Not sure how to explain this any better ! That address (220.244.77.236/32) is being given via DHCP. The ISP has sent a welcome email stating a different static address that I should be using. Each time I configure this (different) static IP address again pppoe-out1 the RB750G changes this static add...

ilium007

I am pretty sure I need to run pppoe (TPG ADSL in Australia) - they have supplied me a pppoe username and password and static IP.

ilium007

Cool - but I am a little confused. How do I now implement my static IP address that my ISP has given me to use ?

ilium007

Hi - something strange is happening here ! I have moved house and went from a static IP on my ADSL connection to a new service also with a static IP. The funny thing is that I can't seem to get the static IP that the ISP gave me to work - whenever I configure it under 'IP/Addresses' in the GUI again...

ilium007

So really all I need is a point to point link over about 200m to avoid digging a massive trench and laying copper. At either end I will have a normal Layer 2 switched network (in re-reading my first post I probably should have been clearer here. The 2-3 cameras will be wired and connect to a PoE swi...

ilium007

So there is no one who can advise me on the merits of the SXT devices as opposed to two 411's /711's with antennas ? This was my first real project using Mikrotik after having used a RB750G here at home. I am also looking into Ubuiquiti gear now given the lack of response here. I am a bit worried as...

ilium007

Hi guys - I am going to get to set up my first Mikrotik wifi link for a friend. Basically we need to set up a number of IP cameras for a small property security project. 2 - 3 of the cameras will be situated away from the main farm house and I will need to get a wifi link to haul the traffic back. T...

ilium007

OK, so going through the logs I found the error was because the NTP server was trying to send SYN packets to the external (public IP) interface of the router but these SYN packets were being dropped. I added the following rule: http://dl.dropbox.com/u/973862/Screen%20shot%202011-02-27%20at%2012.55.3...

ilium007

Hi - I have followed the wiki article: http://wiki.mikrotik.com/wiki/Manual:System/Time and I have also installed the standalone NTP package. System is running routerOS 4.16. I have verified the NTP servers I an trying to query by running from my OSX machine inside the network: MacBookPro:~ user$ /u...

ilium007

I hope this helps anyone else trying to do this ! So I set up a log and noticed the traffic was not being NAT'd: http://dl.dropbox.com/u/973862/Screen%20shot%202011-02-25%20at%2011.32.54%20AM.png The source IP was still 192.168.10.10 So I set up a simple NAT rule in the ether-1 interface to NAT outg...

ilium007

I have also just done another test; I got a laptop and assigned the ethernet interface 1.1.1.2/24 with no default gateway etc. unplugged the ADSL modem from the RB750G and plugged the laptop direct to the ADSL modem. I could then use a web browser on the laptop to get to 1.1.1.1 Now when I plug it a...

ilium007

OK - no. I am not that much of a noob !! Maybe I should draw the diagram better: ADSL Modem [1.1.1.1/24] --> [1.1.1.2/24] ** RB750G ** [192.168.10.1/24 ]-->Internal Network 192.168.10.0/24 So I have 1.1.1.2/24 assigned to ether1-gateway on the RB750G and 1.1.1.1/24 assigned to the ethernet port on t...

ilium007

Hi - not sure why this won't work. I have a RB750G as a pppoe client behind an ADSL modem in layer 2 bridge mode. Even in this mode I can still assign an ip to the Ethernet interface to view ADSL stats. Internet-----[ADSL MODEM 1.1.1.1/24]----------(RB750G Gateway pppoe 192.168.10.0/24) I have a rou...

ilium007

And besides...the RT-N16 is rubbish compared to the Mikrotik gear.

ilium007

will that work given one of my networks must be 802.11n and the other 802.11g ?

ilium007

Does anyone know if there is a more suitable enclosure to allow hanging off 6 aerials !

ilium007

I don't have the hardware as yet. As soon as I have it I can send you my configs. Happy to do so.

ilium007

@ jtroybailey I just noticed you are in Brisbane as well !! I am at Gordon Park.

ilium007

hmmm - its going to look like Routenstein with 6 aerials hanging off of it !

ilium007

Hi - I have already posted about my intention to run an RB493G with 3 x R52Hn wifi cards at home in order to build 3 networks. One 802.11n (trusted), one 802.11g (trusted) and one 802.11g (untrusted) for friends etc to access but should not be able to get to my internal network etc etc. Anyway, I wa...

ilium007

Ok - this is what I have: [admin@MikroTik] > /ip firewall export # jan/18/2011 12:19:54 by RouterOS 4.11 # software id = M26S-4LTJ # /ip firewall connection tracking set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \ tcp-close-wait-timeout=10s tcp-established-timeout=1d \ t...

ilium007

Or IP addressing But this is my dilema - if I were to use just IP addressing, a savvy operator could manually change their IP address to one on my other network (ie. change his 192.168.11.0/24 address to a 192.168.10.0/24 address) and then bypass the firewall rules. I work for a financial instituti...

ilium007

Ahh ok - that makes sense. So set up firewall rules based on source interface?

ilium007

I don't want to rely on Layer 3 to separate the networks. If someone were to change their IP address to one on the LAN network then they would gain full access. I would rather separate the networks at Layer2 which is why I thought you use VLANs on the same physical switch. Also - was my post not det...

ilium007

Hi guys - I am looking to build an elaborate 493G setup at home. I am starting off with a RB750G however just to get a feel for the platform and capabilities etc. Once I am happy with this as opposed to the pfSense install I have been running I will purchase the 493G with 3 x R52Hn wifi cards. I wan...

ilium007

That will be awesome !!

ilium007

Thanks for taking the time to reply. Can you point me to any doco with a full guide to setting up the dynamic ip VPN ?

Cheers

ilium007

Does anyone know if road warrior IPSec VPM support has gotten better in the latest RouterOS releases. The lad time I looked at this was early this year and have continued using low end WRT54GL routers instead.

ilium007

We are looking at Nagios and also Zenoss

ilium007

Great - thanks for that.

Now to work out how to use dynamic IP addresses for IPSec VPN's (or just get a solid OpenVPN install happening) and I will be a happy man.

ilium007

OK cool - thanks.

ilium007

awesome - I can use other monitoring tools such as Nagios I assume. I haven;t looked at the RouterOS SNMP support as yet.

If I can configure ALL options via CLI I will be happy enough.

ilium007

Didn't mean to offend man... just saying...it's a strange name to call a product. Anyway - its not the Windows computers we don't want, it's any form of O/S licensing associated with Microsoft.

Can RouterOS be configured via CLI or web interface ?

ilium007

Also - can someone tell me how to get PM'ing turned on. I read the FAQ's and it says that I can;t PM because of up to 3 issues, not logged on etc etc or a mod has disabled. Not sure why I would be disabled.

Cheers.

ilium007

Hi - Does anyone know if there is a Java based GUI instead of the 'Dude'. We are a 100% Microsoft free organisation and this is one of 2 things holding us back from RouterOS. The other is the inability to find a way to get an IPSec VPN running with dynamic DNS / IP's. Any help appreciated. **EDIT - ...

ilium007

Another vote for Brisbane - i'd be there

ilium007

I have been doing IPSec VPNs to low end devices (Draytek, Billion, Linksys and Netgear) for years with dynamic ips. Why is it so hard for Mikrotik to implement?

ilium007

I have read that page, the examples are much better than I have found anywhere to date. I couple of questions though. Some people have reported issues around SA flushing, is there any fix to this with the later versions of RouterOS ? Also, I think I can see now why people are having issues with dyna...

ilium007

Ha cool - reading that now. Didn't think to look in the old user manual. Just to confirm, does the VPN dial on traffic 'from' or 'to' a specific subnet ?? I definitely have only ever seen a VPN dial on traffic 'to' a specific subnet - at least thats what I need t do here. Thanks again.

ilium007

So - I have read all of those pages, still no MikroTik to MikroTik IPsec example from the CLI. Also, my plan is to have configs for up to 50 VPN's but only dial on demand. Most other routers I have dealt with will only connect the VPN when they receive traffic for a particular subnet on an interface...

ilium007

Hi all - first post here. I am looking to set up a number of VPN's (around 50) to my clients for the purposes of remote support. I am looking at a number of router O/S's and hardware platforms, obviously MikroTik is a strong contender at this point. I am looking at using RB750G's at client sites but...

Search found 133 matches