MikroTik

markdutton

Thanks Sindy. That looks great.

I will give it a try soon. In the meantime, I just used a policy VPN gateway in Azure and used the standard IPSEC policy based setup in Mikrotik (with my custom profile and policy settings), which worked perfectly.

Mark

markdutton

I need to create and IPIP tunnel to Azure with their VPN connector in routed mode. However, the default Profile and Proposal are used for my other IPIP tunnels. Is there a way to get an IPIP tunnel to use a different profile and proposal than default? If not is there a way to create an IP tunnel tha...

markdutton

LLDP-MED, yes please else the use of the PoE switches is limited.

Agree 100%. It is a fundamental requirement in any enterprise switch.

markdutton

You should enable DHCP VLAN on your phone: https://www.grandstream.com/sites/default/files/Resources/VLAN_Guide.pdf Or configure the VLAN manually. MikroTik does not currently support LLDP-MED which is necessary for communicating voice VLAN ID to phones. This normally isn't a huge problem since mos...

markdutton

Thanks Murmaider! That did it. I was trying previously to do a discard on 192.168.220.0/30, but I don't think it ever matched properly. Either that, or it was another connected route that was causing the problem. Putting in the explicit allow for the route I wanted to advertise followed by a discard...

markdutton

I know I am doing something really dumb here, but I am stuck and I need a hand. I create a backbone area between two routers using an IP tunnel (over IPSEC). For simplicity, the routers each have their local LAN interfaces, their Internet interfaces and their IP tunnel interface. I number the tunnel...

markdutton

You can access graphs within winbox - no need to use web access to them.

Yes but the graphs in Winbox are rubbish compared to the web ones with their time and throughput scales.

markdutton

This is the second advisory for this same port in as many weeks. Whilst we block it to the world we still feel compelled to update all our customers' routers. I hope this is not a sign of things to come. While I'm on my soapbox I'd like to suggest that graphs are moved off the web management port. T...

markdutton

You can limit the IP addresses for defined users. Just make sure that any user IDs that have anything more than read capability can log in only from the LAN side of the network. Yeah I know I can limit IP on the graphing, but what I would like to see is open to world graphing. From my understanding...

markdutton

Whilst we block most of our client routers from the Internet to all but our own IP address for management, there are some clients who want to have the graphs publicly available. I would like to see a separate port for graphing if possible so that this functionality can be available to anyone without...

markdutton

Hi All I have just started trialing Capsman in a development environment. I have only scratched the surface, but these are on my wishlist now. - Auto tuning of an internal wireless network. Power levels and frequencies to ensure smooth transition between nodes. - A graphical heat map in Capsman (or ...

markdutton

I would like to add to this. I have found the following (using Capsman 2). If you set your frequency to auto on the CAP, BEFORE you enable capsman control, it will be auto frequency if Capsman does not specify a channel. However, the auto channel system does not honour the implicit 3 usable channels...

markdutton

OK. Thanks for that. So in relation to multiple VLANS. I only need to define a vlan to ports and CPU if I want to manipulate the VLAN as in my example? The other vlans can be left unassigned at the switch level? It all works fine this way and I have done a million tests, but I don't want to have it ...

markdutton

Hello. I am trying to wrap my head around where I need to actively configure vlan settings on the switch ports. Most commonly, if I want to create a VLAN trunk to an external switch, I simply create multiple VLAN interfaces and assign them all to the same physical port on the Mikrotik. I end up with...

markdutton

OK. Update.

After a cold restart (power off), it has come up working again. We can run until the new firmware is out GA. It seems that this is a start up issue.

markdutton

OK Thanks Normis

Next problem though will be that I can't upgrade the router without netflash.

If I factory default, will I get access to the flash again? I have rebooted, but this did not help.

Is thre any way to get the flash writing without defaulting unit?

Mark

markdutton

Hi All I have a CCR 9 core on 6.15. It is in operation and working, but I can no longer create a backup. The password for the admin has reverted to blank also and won't save. I can't create a capture file with packet sniffer. It is as if the file system has become read only. The exact error when I t...

markdutton

I have reconfigured the job to run outside of the VPN tunnel and it seems to have sorted it. Not sure why the load is so high with Rsync, but it killed the router over IPSEC.

markdutton

Correct it is an IPSEC tunnel.

Additionally, Rsync is running directly across the connection. It is not tunnelled inside SSH.

markdutton

Hi All I have a weird problem on my home RB493. I will say from the outset, I have set up dozens of Mikrotiks and I have been using them internally for a couple of years and this is a one off to me. I have a RB2011L in the office, which I am evaluating. It is normally an RB450G. I have an IPSEC tunn...

markdutton

BTW Fewi I like your idea of using RFC1918 as the source address list so only outbound packets would fire the routing mark. I just put a new rule in my adhoc-bdsl routing table that duplicated the main table rule so the rule would fire in both directions and the inbound route was catered for. It wou...

markdutton

Thanks Fewi I was on the same tack as you stated in your post. I have been able to get the outbound interface working fine using routing marks and a custom routing table. The issue now for me is I already have a huge mangle table for my packet marking rules. To keep things tidy and to get maximum pe...

markdutton

OK. Sorry guys. I have led you astray. The router is very busy, so sometimes it can lead me to make a false assumption. I just did a packet trace on the interfaces. It turns out that the router is NOT using the wrong queues. It is using the wrong interface. However, it is outbounding traffic on the ...

markdutton

Following are all logs except firewall export, which is huge and I would rather not disclose it anyway. The issue is the queues should be attached to the egress interface and they are not. I know this because when I connect externally to my 4-Amcom-BDSL interface via https (443), and drag a file dow...

markdutton

Seems it is caused by various things. It is not really a flapping port as such. Flapping ports don't usually just disable then re-enable with a corresponding log entry. Flapping ports are usually the result of a problem with the Ethernet connection to the remote device. I know I can make the problem...

markdutton

Hi All I have found a bug in the queue tree decision logic which is making it impossible for me to use the router as I need to. The scenario is I have 2 WAN interfaces and I have 2 queue trees attached to these interfaces. I have various mangle rules to create connection and packet marks to fee the ...

markdutton

I think I have almost homed in on this problem for my situation. I swapped out my RB750G for my RB450G today. No problems initially, but then I set about making the changes I had made on the RB750G just before it started to play up (coincidentally the same day I upgraded the firmware). My config is ...

markdutton

I too am having port flapping on my RB750G since upgrading from 5.0beta to 5.5. I am using 4 ports. Three of the ports are dropping then resuming. It is not false logging as I went to the log to work out why I was getting VOIP silence periods of around 10 - 20 seconds. Looking at the log it appears ...

markdutton

Guys this would be good if there was not a bug in the export. I have just done an export from a 750G on v5.5. When I go to import I get "expected end of line at line x, column y" The problem is the exported line is creating the script with the wrong syntax. E.G. /queue interface set 1-Loca...

markdutton

I too was trying to figure this out. However, in defence of Mikrotik, when you do a copy run tftp, then copy tftp run you ARE working with text files.

markdutton

Hi All Just want to do a sanity check. I have setup a queue tree and use mangle rules to create the appropriate packet marks. I read an interesting wiki article showing a rule that would filter TCP traffic, by port, etc and give it a connection mark, with passthrough enabled. Immediately following i...

markdutton

OK. I believe it is definately preserving the markings on encryption. here is what I do. in prerouting mangle table, I mark the packets based on DSCP, address:port, whatever as VOIP. I then create a queue tree with a queue dedicated to VOIP. The queue tree is attached to my external interface. My SI...

markdutton

That's right. On a standard Linux router using the Freeswan IPSEC stack we would set a flag in the ipsec.conf file being hidetos=no. This would cause the encrypter to put the DSCP flag into the outer packet. We would then create a mangle rule as follows. iptables -t mangle -I TS -p 50 -j RETURN ipta...

markdutton

Excellent diagrams! I actually saw these previously, but I did not scroll down to the end, which shows clearly the double handling of packets through the output routing phase if encrypted. This leads me to two more questions. 1. Will packet marks survive the encryption process? 2. Related to above, ...

markdutton

OK, that makes sense. Could you please in basic ascii art, show the path the packets take including encryption. I am used to Linux IP using freeswan, which encrypts data before it enters the routing stack. I can see the advantages of encypting after routing, particularly when doing QoS, but I am a b...

markdutton

Hi All I have a set up where I have two sites linked via RB750G routers over IPSEC tunnel. I want site B to get its DHCP from a DHCP server in site A. I have set up the relay, etc, but there is an issue getting the routers to traverse the tunnel correctly. Devices behind the router are fine as they ...

Search found 36 matches

Re: IPIP over IPSEC using different profile and policy templates

IPIP over IPSEC using different profile and policy templates

Re: LLDP

Re: Voice vlan and mikrotik

Re: OSPF advertising connected networks

OSPF advertising connected networks

Re: Advisory: Vulnerability exploiting the Winbox port

Re: Advisory: Vulnerability exploiting the Winbox port

Re: Statement on Vault 7 document release

Re: Statement on Vault 7 document release

CapsMan wishlist

Re: CAPsMAN and AP frequencies

Re: VLANS and switch ports

VLANS and switch ports

Re: Backup failing on CCR v6.15

Re: Backup failing on CCR v6.15

Backup failing on CCR v6.15

Re: My RB493 crashes when I run rsync across my VPN

Re: My RB493 crashes when I run rsync across my VPN

My RB493 crashes when I run rsync across my VPN

Re: Bug in queue tree decision logic

Re: Bug in queue tree decision logic

Re: Bug in queue tree decision logic

Re: Bug in queue tree decision logic

Re: Eth. port flapping, when is this going to be solved?

Bug in queue tree decision logic

Re: Eth. port flapping, when is this going to be solved?

Re: Eth. port flapping, when is this going to be solved?

Re: How do I stop interfaces from changing names after resto

Re: How do I stop interfaces from changing names after resto

Efficient connection marking and packet marking for QoS

Re: Accessing remote IPSEC site from within Router

Re: Accessing remote IPSEC site from within Router

Re: Accessing remote IPSEC site from within Router

Re: Accessing remote IPSEC site from within Router

Accessing remote IPSEC site from within Router