Community discussions

Search found 32 matches

by pakjebakmeel
Fri Jun 06, 2014 2:43 pm
Forum: General
Topic: IPSec retransmissions
Replies: 15
Views: 6139

Re: IPSec retransmissions

PMTUD has no relation to virtual interfaces. What it does is try to send a packet of the maximum size possible with the don't fragment (DF) bit set. Any intermediate router that is not capable of forwarding this packet without fragmenting it first drops the packet and replies to the sender w...
by pakjebakmeel
Fri Jun 06, 2014 12:45 pm
Forum: General
Topic: IPSec retransmissions
Replies: 15
Views: 6139

Re: IPSec retransmissions

Yeah, the other FW platforms I have worked with used to create a virtual interface on which you can set the MTU size so PMTU works. As RoS does not create a virtual interface, how should PMTUD work then? How would it figure out the maximum payload size? Does RoS send the fragment ICMP packet back if f...
by pakjebakmeel
Fri Jun 06, 2014 12:00 pm
Forum: General
Topic: IPSec retransmissions
Replies: 15
Views: 6139

Re: IPSec retransmissions

Looks good. Type 3 code 4 is allowed, so my guess appears to be wrong. Is it? Because when I use the mangle rules to force the MSS values, which should effectively decrease the maximum packet size, the problem goes away. It should work without these rules too if PMTUD would just discover the proper ...
by pakjebakmeel
Fri Jun 06, 2014 9:30 am
Forum: General
Topic: IPSec retransmissions
Replies: 15
Views: 6139

Re: IPSec retransmissions

[rbadmin@MikroTik] /ip firewall filter> print chain=icmp
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; 0:0 and limit for 20p/s
     chain=icmp action=accept protocol=icmp icmp-options=0:0-255 limit=20,1
 1   ;;; 3:3 and limit for 20p/s
     chain=icmp action=accept protocol=icmp icmp-options=3:3 limit=20,...
by pakjebakmeel
Wed Jun 04, 2014 1:03 pm
Forum: General
Topic: IPSec retransmissions
Replies: 15
Views: 6139

Re: IPSec retransmissions

Sigh...

Maybe a bug in RouterOS or in your both brains...
Did you try this on ROS 6.12? My VPN gateway is running 6.12 and works like a charm...

-Chris, out of ideas and now out for lunch :-)

Enjoy :D

Thanks
by pakjebakmeel
Wed Jun 04, 2014 12:52 pm
Forum: General
Topic: IPSec retransmissions
Replies: 15
Views: 6139

Re: IPSec retransmissions

Strange indeed. I just checked my VPN gateway with 20 active IPsec tunnels - for each tunnel it also reports no-phase2, but the tunnels (site2site and roadVPN) are up and running, so we can consider this normal. Could your issue be an MTU problem? I've found this thread, which makes sense to me. Try ...
by pakjebakmeel
Wed Jun 04, 2014 12:10 pm
Forum: General
Topic: IPSec retransmissions
Replies: 15
Views: 6139

Re: IPSec retransmissions

Everything looks fine on first sight. Out of a gut feeling, try generate-policy=port-override instead of port-strict in the peer. Good luck! -Chris

Hi Chris, thanks for the reply. I have tried that too, yes. Same result. I have done a lot of trial and error but nothing seems to make a difference. It...
by pakjebakmeel
Wed Jun 04, 2014 11:38 am
Forum: General
Topic: IPSec retransmissions
Replies: 15
Views: 6139

IPSec retransmissions

Hiya, I'm having an issue with my IPSec tunnel and I cannot figure out what the issue is. I have a fairly simple PSK + Xauth setup:

[rbadmin@MikroTik] /ip pool> print where name="IPSec Clients"
 #   NAME           RANGES
 0   IPSec Clients  10.7.0.100-10.7.0.254
[rbadmin@MikroTik] /ip ipsec> export hide-sensitive ve...
by pakjebakmeel
Thu May 29, 2014 4:11 pm
Forum: General
Topic: IPSec Android client
Replies: 2
Views: 2648

Re: IPSec Android client

Yes, I have found that. If the naming scheme for the auth protocols is followed, I would require rsa-signature-xauth, which isn't supported. Is this something that is on the list of things coming to RouterOS? I believe this would be the safest option; strange that this was not implemented. So if I wou...
by pakjebakmeel
Tue May 27, 2014 11:10 pm
Forum: General
Topic: IPSec Android client
Replies: 2
Views: 2648

IPSec Android client

Hi, I am connecting from an Android 4.4 device into my LAN through a RB493g using IPSec. I have managed to make this work but not quite the way I would like it to. The modes that Android offers are:
1. IPSec Xauth PSK
2. IPSec Xauth RSA
3. IPSec Hybrid RSA
As far as I understand it, nr 1 uses pre-sha...
by pakjebakmeel
Mon Jan 14, 2013 1:05 pm
Forum: General
Topic: v6 rc6 released
Replies: 215
Views: 62701

Re: v6 rc6 released

I have a small issue with RC6 that just worked in v5.x. Not sure if this is by design or whether it's a bug. I have an OpenVPN tunnel running on a separate Gentoo box for UDP support (hint hint) connecting 3 sites: 192.168.0.0/24, 192.168.1.0/24, 192.168.10.0/24. The Gentoo box is 192.168.10.10 running...
by pakjebakmeel
Fri Dec 21, 2012 6:02 pm
Forum: General
Topic: v6 rc6 released
Replies: 215
Views: 62701

Re: v6 rc6 released

Guys, a couple of releases ago access point mode was slow and dodgy. It seems that with the latest releases all works fine. Attached is a screenie of the throughput on a RB493G with 2 pigtail antennas connected to a r52hn card. Client is a Dell laptop with an Intel WiFi Link 5100 copying some files a...
by pakjebakmeel
Mon Sep 10, 2012 9:46 am
Forum: Wireless Networking
Topic: Wireless Security Against Wifi Hacking
Replies: 2
Views: 1551

Re: Wireless Security Against Wifi Hacking

Really, paranoia? If you use WPA2 only, enable AES, disable TKIP and use a randomly generated 63-character key using strings from random.org, I think you will be fine until WPA2 gets properly compromised. No need to hide the SSID; it seems it has to transmit more data when hidden, which 'in the...
by pakjebakmeel
Thu Aug 30, 2012 4:57 pm
Forum: Wireless Networking
Topic: Mikrotik wireless doesn't work with apple devices
Replies: 4
Views: 3680

Re: Mikrotik wireless doesn't work with apple devices

Have you set preamble mode to short? Set it to both; I figured out that most Broadcoms in Apple devices don't like short preamble mode.
/interface wireless set 0 preamble-mode=both
Confirm the current mode:
/interface wireless print advanced
by pakjebakmeel
Wed Jan 18, 2012 11:53 am
Forum: General
Topic: TCP/IP over DNS/ICMP/HTTP - deceive proxy / firewall
Replies: 6
Views: 4389

Re: TCP/IP over DNS/ICMP/HTTP - deceive proxy / firewall

Can you use any protocol over those ports, or do they do content filtering as well? Check the guide for the OpenVPN roadwarrior setup; you could run a Linux server or the MikroTik OpenVPN server (which has somewhat reduced functionality; check the topics on OpenVPN) on any port and redirect the gateway. The ...
by pakjebakmeel
Thu Nov 10, 2011 9:13 am
Forum: Wireless Networking
Topic: what is the best frequency for 5ghz wireless network
Replies: 7
Views: 8569

Re: what is the best frequency for 5ghz wireless network

http://upload.wikimedia.org/wikipedia/commons/thumb/8/8c/2.4_GHz_Wi-Fi_channels_%28802.11b%2Cg_WLAN%29.svg/799px-2.4_GHz_Wi-Fi_channels_%28802.11b%2Cg_WLAN%29.svg.png

As you can see in the image, only channels 1, 6 and 11 do not overlap. If you have an AP on channel 1 and someone else sets up an AP ...
by pakjebakmeel
Mon Nov 07, 2011 9:29 am
Forum: General
Topic: RouterOS v5.8 released
Replies: 182
Views: 87556

Re: RouterOS v5.8 released

50C is normal; at more than 70C you should probably start to worry. If you see CPU load, check the "/tool profile" menu to see what is consuming it. Yes, there was a bug with the 100MHz CPU in the previous version of firmware; the new one fixes it, you should not see it anymore.

Had this too after the firmware upgrade. I wa...
by pakjebakmeel
Thu Oct 20, 2011 9:10 pm
Forum: Wireless Networking
Topic: Wireless bridge into LAN
Replies: 2
Views: 1586

Re: Wireless bridge into LAN

tested and working :D
by pakjebakmeel
Thu Oct 20, 2011 4:10 pm
Forum: RouterBOARD hardware
Topic: Jumbo frames 493g
Replies: 3
Views: 1142

Jumbo frames 493g

Hi,

I understand that the 493g cannot do jumbo frames. What I can't find is whether this is because of the switch chip or the logic in the rest of the board. Would it be able to use jumbo frames between 2 ports that are in switch mode?
by pakjebakmeel
Wed Oct 19, 2011 11:21 pm
Forum: Wireless Networking
Topic: Wireless bridge into LAN
Replies: 2
Views: 1586

Re: Wireless bridge into LAN

I *think* I have figured this out myself. Haven't had the time to test it but I think I have to: Create a bridge, let's say bridge1.
1. Create some firewall rules, starting with one that allows incoming management like SSH and WinBox, but on in-interface bridge1.
2. Create 2 ports under the bridge...
by pakjebakmeel
Wed Oct 19, 2011 11:05 am
Forum: Wireless Networking
Topic: Wireless bridge into LAN
Replies: 2
Views: 1586

Wireless bridge into LAN

Ok, sorry to bother you with a question like this but I seem to be stuck atm. My current setup is this:
RB 493G
ether1 WAN (x.x.x.x)
ether2 LAN (192.168.10.1/24)
ether3 Switch port with ether2 as master
ether4 Switch port with ether2 as master
ether5 Switch port with ether2 as master
wlan1 WIFI (192...
by pakjebakmeel
Wed Oct 12, 2011 10:33 am
Forum: Wireless Networking
Topic: Poor Wireless N Performance
Replies: 5
Views: 1446

Re: Poor Wireless N Performance

Yes, although I think Mikrotik Router OS is a very good product I am quite disappointed in the AP mode throughput. I have seen nothing but similar stories. Perhaps some more attention should be put into improving 802.11n AP mode.
by pakjebakmeel
Wed Sep 28, 2011 9:43 am
Forum: Scripting
Topic: [FAIL2BAN] add banned IPs to addr list on remote RouterOS
Replies: 13
Views: 9547

Re: [FAIL2BAN] add banned IPs to addr list on remote Router

This is still working like a charm and I haven't had any issues with it yet. All the records are properly purged over a reboot or daemon restart.

Just FYI.
by pakjebakmeel
Wed Aug 31, 2011 4:43 pm
Forum: Scripting
Topic: [FAIL2BAN] add banned IPs to addr list on remote RouterOS
Replies: 13
Views: 9547

Re: [FAIL2BAN] add banned IPs to addr list on remote Router

WHOOHOO! Success! A quick guide:
1. Get DSA authentication on the MikroTik box: http://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_%28DSA_key_login%29
2. Install Fail2Ban on an internal or DMZ server and configure some jails in jail.conf. Mine looks like this for SSH and FTPS (relevant portio...
by pakjebakmeel
Tue Aug 30, 2011 2:55 pm
Forum: Scripting
Topic: [FAIL2BAN] add banned IPs to addr list on remote RouterOS
Replies: 13
Views: 9547

Re: [FAIL2BAN] add banned IPs to addr list on remote Router

That all sounds hopeful. Thanks for the help so far. I hope I can find the time to do some testing with the provided options this weekend. :)
by pakjebakmeel
Wed Aug 24, 2011 12:22 pm
Forum: Scripting
Topic: [FAIL2BAN] add banned IPs to addr list on remote RouterOS
Replies: 13
Views: 9547

Re: Remote SSH commands

But then I can only add the source/destination IP based on a firewall rule? I need to add offending IPs from my Gentoo server's fail2ban, but would prefer them to be dynamic. Would there be a solution around this? Would it not make sense to have the ability to add IPs to address-lists with a timeo...
by pakjebakmeel
Wed Aug 24, 2011 12:02 pm
Forum: Scripting
Topic: [FAIL2BAN] add banned IPs to addr list on remote RouterOS
Replies: 13
Views: 9547

[FAIL2BAN] add banned IPs to addr list on remote RouterOS

Hi all, I've found how to run remote commands on the MikroTik board using SSH and a keyfile. I'm running fail2ban on my server in the DMZ; if someone tries to log on several times he/she is added to the server's iptables and all connections are blocked from the offending IP. Rather than blocking the h...
by pakjebakmeel
Sun Aug 21, 2011 9:49 pm
Forum: General
Topic: NAT Forwarding mini-challenge
Replies: 3
Views: 641

Re: NAT Forwarding mini-challenge

specify in-interface=wan on that nat rule.

Right, ok. Yes, I think I get it now. Because I didn't specify the interface, it was not actually the returning packets being NATed but the initial connection from CLIENT --> HTTPS WEB PAGE. I have added the interface WAN (stupid I forgot) and it seems to b...
by pakjebakmeel
Sun Aug 21, 2011 9:27 pm
Forum: General
Topic: NAT Forwarding mini-challenge
Replies: 3
Views: 641

Re: NAT Forwarding mini-challenge

That won't help, I guess (I think I have already done that). Both returning HTTPS traffic from the internet that belongs to a client's browser session and incoming VPN connections on port 443:TCP on the WAN interface will match that rule. Hence, all traffic destined for users trying to log on to a secur...
by pakjebakmeel
Sun Aug 21, 2011 5:27 pm
Forum: General
Topic: NAT Forwarding mini-challenge
Replies: 3
Views: 641

NAT Forwarding mini-challenge

Hi all, quick question; there might be a very easy way around this but I haven't found it yet :) I run an OpenVPN server on a server on an internal subnet on port 443:TCP (so I can access it from firewalled locations). How can I create a dst-nat mapping that forwards incoming VPN connections on the WA...
by pakjebakmeel
Mon Jul 18, 2011 11:42 am
Forum: Wireless Networking
Topic: 802.11n Slow
Replies: 126
Views: 48235

Re: 802.11n Slow

Got the 5.6 pre-release version, which seems to have some improvements in rate selection. The clients connect at 150Mbit/s now but still with fluctuating link speeds. A lot better but not ideal yet. I manage to get 60Mbit/s through the line on a good day. Sometimes the link speed goes up to 240Mbit/s but ...
by pakjebakmeel
Thu Jul 14, 2011 1:55 pm
Forum: Wireless Networking
Topic: 802.11n Slow
Replies: 126
Views: 48235

Re: 802.11n Slow

EXACTLY the same problems here, RB493g and r52hn.

I am liaising with MikroTik support now; if something magical happens I will let you know. Did anyone manage to get some decent throughput in the meanwhile?