Community discussions

Search found 213 matches

by gsloop
Fri Oct 03, 2014 9:53 pm
Forum: General
Topic: Bash Exploit
Replies: 24
Views: 13758

Re: Bash Exploit

You've created such a total straw-man argument, it's farcical. I'd be glad to trust Mikrotik, provided they acted in a trust-worthy manner. As I've said - I'd like something better than the terse explanation that "As RouterOS does NOT use bash, no patching is required from our side." So, does that mea...
by gsloop
Fri Oct 03, 2014 8:35 pm
Forum: General
Topic: Bash Exploit
Replies: 24
Views: 13758

Re: Bash Exploit

I'm not going to get into an argument about this - but having a single developer, vs the entire company seem, to me at least, to not be at all equivalent. Not even remotely. I guess each person will have to make their own call. I just know my calculus is vastly different than what you're implying. [...
by gsloop
Fri Oct 03, 2014 7:48 pm
Forum: General
Topic: Bash Exploit
Replies: 24
Views: 13758

Re: Bash Exploit

As I said, one would hope the integrity of the company would suffice.

All that said - Debian and Vyatta don't appear to be developed primarily in Latvia. [Never mind that UBNT [as I understand it] forked Vyatta and while the base is Vyatta, there are modifications of their own.]

Got some sources?
by gsloop
Thu Oct 02, 2014 10:08 pm
Forum: General
Topic: Bash Exploit
Replies: 24
Views: 13758

Re: Bash Exploit

@avantwireless If you are that worried about security, you shouldn't be putting a piece of software from a foreign country in your network You know, you're right. That's why I'm moving my installed base over to Ubiquiti's Edge Router. [How about that?] And, for the same or better price-point, I do g...
by gsloop
Thu Oct 02, 2014 9:34 pm
Forum: General
Topic: Bash Exploit
Replies: 24
Views: 13758

Re: Bash Exploit

There were questions about different versions, about whether BASH was simply not user-accessible, but still in the underlying system etc. Perhaps you're perfectly fine with inadequate information, simply trusting that the blanket statement given covers all possibilities, but I'm not. You're welcome ...
by gsloop
Thu Oct 02, 2014 6:12 pm
Forum: General
Topic: Bash Exploit
Replies: 24
Views: 13758

Re: Bash Exploit

@andriys Thanks, I think. Let's assume you're right. That's all nice, I suppose. However, should it be this hard to get a definitive answer from Mikrotik? I could probably disassemble the machine code and make sure BASH isn't in there too, but can anyone imagine having to do that with any responsible...
by gsloop
Thu Oct 02, 2014 1:46 am
Forum: General
Topic: Bash Exploit
Replies: 24
Views: 13758

Re: Bash Exploit

@ andriys Sure it could be CShell or anything else. But a "*it could be*" isn't an answer. I need a definitive answer. Is BASH on ROS in any form, even if it's not accessible or visible to the user? There have been lots of answers from lots of people saying... "Oh, our product X, it isn't vulnerable...
by gsloop
Fri Sep 26, 2014 6:45 pm
Forum: General
Topic: Bash Exploit
Replies: 24
Views: 13758

Re: Bash Exploit

@krisjanis So, you're saying that BASH doesn't exist in any form, visible or not, accessible to the user or not on RouterOS? What do you use for a shell for underlying work and control? [ROS is obviously a *nix variant, and underneath it almost certainly has some kind of shell - so it's a little har...
by gsloop
Thu Sep 25, 2014 8:29 am
Forum: General
Topic: Routers for VPN project?
Replies: 6
Views: 1340

Re: Routers for VPN project?

If you want to use OpenVPN [which I think is a good choice] then Mikrotik is, IMO, a bad choice. 'Tik's OpenVPN only supports TCP tunnels, not UDP based. With 'Tik You can't push routes from the OpenVPN server. [That I'm aware of - the docs sucked, last time I looked.] Support is woefully lacking fo...
by gsloop
Thu Sep 25, 2014 8:21 am
Forum: General
Topic: Bash Exploit
Replies: 24
Views: 13758

Re: Bash Exploit

+1 to the question.

It would seem RoS is not vuln, but would like *official* word from 'Tik.
by gsloop
Mon Sep 22, 2014 10:38 pm
Forum: General
Topic: Upgrading from 5.X to 6.X
Replies: 3
Views: 1096

Re: Upgrading from 5.X to 6.X

I did look at the change-log for 6.0 release and there wasn't anything that indicated any real difference between 5.X and 6.X. But has scripting changed? I have a substantial number of scripts I've written in 5.x and having to re-work them could be very time-consuming! Critical pieces. IPSec and Ope...
by gsloop
Mon Sep 22, 2014 7:55 pm
Forum: General
Topic: Upgrading from 5.X to 6.X
Replies: 3
Views: 1096

Upgrading from 5.X to 6.X

I'm not sure if this is wise yet, but I'm hoping to upgrade some of my Mikrotik units to 6.X soon.

Is there a document that describes the differences between 5.X and 6.X and what I need to be worried about? [Other than the usual buggy slag in most all RoS versions? :) ]

TIA
-Greg
by gsloop
Fri Apr 18, 2014 8:37 pm
Forum: General
Topic: Please fix VPN.
Replies: 1
Views: 883

Re: Please fix VPN.

Solution: EdgeRouter Lite. Seriously. This isn't a troll. I feel almost exactly as you do. Mikrotik tells you nothing. VPN's in RoS simply suck. I've reported odd performance issues in OpenVPN - about the only reasonably useful VPN product in RoS, and the response: "Meh, we don't support OpenVPN." "...
by gsloop
Fri Sep 20, 2013 12:12 am
Forum: General
Topic: Route non-local subnet through IPSec tunnel
Replies: 2
Views: 993

Re: Route non-local subnet through IPSec tunnel

Though not explicitly described, it was assumed no NAT is occurring. Let me fill the example out, just to make it clear. --- Site 1: 10.1.0.0/24 Site 2: 10.2.0.0/22 In this example: Host 10.1.0.15 is sending traffic to 10.3.0.20 --- So, to make it explicit: Traffic from say, 10.1.0.15 to 10.3.0.20 T...
by gsloop
Thu Sep 19, 2013 11:38 pm
Forum: General
Topic: Route non-local subnet through IPSec tunnel
Replies: 2
Views: 993

Route non-local subnet through IPSec tunnel

Route non-local remote subnet through IPSec tunnel Setup: IPSec tunnel, RB450G/RoS-5.25---RB-450G/Ros5.25, (site-to-site) Site 1: 10.1.0.0/24 Site 2: 10.2.0.0/22 Traffic routing for all 10.1.0.0/24 and 10.2.0.0/22 works fine. However, I need to route subnet 10.3.0.0/24 from [Site 1] over the IPSec t...
by gsloop
Fri Jul 05, 2013 8:33 pm
Forum: General
Topic: MTU / MSS problem on IPSec tunnel
Replies: 9
Views: 29749

Re: MTU / MSS problem on IPSec tunnel

Hi Greg, Thanks for posting on this subject. I'm wrestling with this MTU stuff currently and found some worthwhile info here. If I may say so, though, I think you are being a bit harsh with your comments about the support responses from Mikrotik. regards, Alan I'm glad the information is helpf...
by gsloop
Thu Mar 21, 2013 12:57 am
Forum: General
Topic: ssh port forwarding
Replies: 2
Views: 589

Re: ssh port forwarding

Sorry, that's really not particularly helpful ... or something. Is there any way to identify the SSH tunnel except by the fact that it's inbound on 22 [which doesn't tell us much if we use 22 for other stuff other than port-forwarding.] or by the source IP which, as stipulated, we can't assume we kn...
by gsloop
Wed Mar 20, 2013 8:30 pm
Forum: General
Topic: ssh port forwarding
Replies: 2
Views: 589

ssh port forwarding

I've done quite a lot of searching, and I can't find much real documentation on ssh port forwarding. I've got most everything setup, but I'd like to limit which ports/traffic can be forwarded through the Mikrotik. Is there any way to identify which traffic is coming from a forwarded port so we can f...
by gsloop
Wed Mar 06, 2013 7:46 am
Forum: General
Topic: Tips for VPN / IP routing issues on Mikrotik ?
Replies: 4
Views: 1740

Re: Tips for VPN / IP routing issues on Mikrotik ?

I'm sorry I've not read your question so this isn't help with the technical part of your question, however: PPTP is based on MSChapv2 which is TOTALLY broken and vulnerable to any attacker that can capture a handshake/connect. [i.e. Anyone on the route from PPTP client to PPTP server.] (Google Cloud...
by gsloop
Mon Dec 10, 2012 8:24 pm
Forum: General
Topic: PPTP classless route vs. class routing
Replies: 20
Views: 8162

Re: PPTP classless route vs. class routing

I've not tinkered with L2TP too much, but I think it handles this much better than PPTP. [It's been a while and I don't recall the exact details. But it's quick to setup and test if you'd like to try it.]

-Greg
by gsloop
Mon Dec 10, 2012 5:48 pm
Forum: General
Topic: PPTP classless route vs. class routing
Replies: 20
Views: 8162

Re: PPTP classless route vs. class routing

@john.... There just isn't any, IMO, reasonable way to solve this in ROS. There's several "hacks" that could be strung together with say, a powershell script that might make it manageable - but it's fragile and really a horrid hack. BUT - several things have happened in the time since I posted this ...
by gsloop
Thu Nov 29, 2012 11:52 pm
Forum: General
Topic: PPTP and VPN
Replies: 1
Views: 477

Re: PPTP and VPN

MTU size problem?
by gsloop
Thu Nov 29, 2012 11:40 pm
Forum: General
Topic: [Solved] L2TP/IPSec with Android
Replies: 61
Views: 62958

Re: L2TP/IPSec with Android

However, doing it the way I described is possible. Read it again, and tell me why it would not work. You have a script [or can fashion one] that will allow an IPSec connect, and then modify the "/ip firewall filter" rules to allow L2TP for ONLY that associated SA IP source address? Is that what you...
by gsloop
Thu Nov 29, 2012 9:56 pm
Forum: General
Topic: [Solved] L2TP/IPSec with Android
Replies: 61
Views: 62958

Re: L2TP/IPSec with Android

L2TP will only be available to IPSec connected clients. That's simply incorrect. I emailed support, and here's the query and response. > I've setup L2TP on my RB450G - I want to tighten security down some... > > 1) Prevent people from logging on via L2TP and their PPP credentials without first > co...
by gsloop
Thu Nov 29, 2012 9:34 pm
Forum: General
Topic: [Solved] L2TP/IPSec with Android
Replies: 61
Views: 62958

Re: L2TP/IPSec with Android

Scenario 2) For IPSec tunnel mode In tunnel mode, you know the IP that is behind the tunnel, since you HAVE TO configure it in IPSec policy. If you use "generate policy", the policy will be generated with proper IPs that are on the other side of the tunnel. Therefore, you can filter in firewall bas...
by gsloop
Thu Nov 29, 2012 8:23 pm
Forum: General
Topic: [Solved] L2TP/IPSec with Android
Replies: 61
Views: 62958

Re: L2TP/IPSec with Android

I don't have time to spend, but you don't understand how IPSec is handled by ROS. Say someone connects from 4.3.2.1 via IPSec or L2TP [essentially the same] to your RB. The IPSec traffic is handled and then a packet just appears on your WAN interface. It's source IP is 4.3.2.1. [But if you don't kno...
by gsloop
Thu Nov 29, 2012 7:52 pm
Forum: General
Topic: [Solved] L2TP/IPSec with Android
Replies: 61
Views: 62958

Re: L2TP/IPSec with Android

On forward chain, even generally in IPSec and in this case too, you should always know the IP address (range) of the other side, so securing it should not be a problem either. So your L2TP clients will always connect from known networks? Never from a hotel or coffee shop? [Good if that works for you. I...
by gsloop
Thu Nov 29, 2012 7:35 pm
Forum: General
Topic: [Solved] L2TP/IPSec with Android
Replies: 61
Views: 62958

Re: L2TP/IPSec with Android

I was describing things related to IPSec more generically - and how that can cause issues when used as a Road-Warrior setup. Since the IPSec traffic isn't flowing to the LAN side as the next step, but to the L2TP server on the RB, then it's the INPUT chain that matters.

Sorry...

-Greg
by gsloop
Thu Nov 29, 2012 7:32 pm
Forum: General
Topic: [Solved] L2TP/IPSec with Android
Replies: 61
Views: 62958

Re: L2TP/IPSec with Android

I was not thinking clearly. Also do the same for the input chain.

You're right, the L2TP traffic will be talking to the RB, so it's going to be on INPUT.
by gsloop
Thu Nov 29, 2012 7:21 pm
Forum: General
Topic: [Solved] L2TP/IPSec with Android
Replies: 61
Views: 62958

Re: L2TP/IPSec with Android

The forward chain. Just try what I said. Either disable all the Forward rules, or put an allow all rule at the very top. The packets ARE hitting the forward chain. Your logs show the L2TP session not getting replied to, and I'm pretty sure that's the problem - it's getting killed. --- Here's what ha...
by gsloop
Thu Nov 29, 2012 6:06 pm
Forum: General
Topic: [Solved] L2TP/IPSec with Android
Replies: 61
Views: 62958

Re: L2TP/IPSec with Android

Not sure, but I suspect you have a firewall rule that's a problem. Those IPSec packets are going to simply "show up" on the WAN interface with a source IP of whatever public IP they have. If you sanitize input on the WAN side, you're going to find you need a rule like this on the WAN. Allow any Sour...
by gsloop
Mon Nov 05, 2012 11:46 pm
Forum: General
Topic: openvpn client connection
Replies: 7
Views: 6153

Re: openvpn client connection

The issue where it immediately resets the connection is usually a mismatch on the PPP-Secret/user credentials.

(i.e. The username/password on the OVPN client don't match that on the server.)

-Greg
by gsloop
Wed Oct 24, 2012 8:13 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45293

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

I don't see anyone denying it. I see these two responses from MikroTik in this topic (after several people confirmed they have such issues): I see comments in the changelog in 5.21 that seem to indicate you "fixed" something in DNS. But since no-one at MikroTik will talk about it, and it sure is be...
by gsloop
Wed Oct 24, 2012 8:09 pm
Forum: General
Topic: 5.21 released
Replies: 78
Views: 19170

Re: 5.21 released

What does it mean?:
*) dns - fix empty response;
I'm asking about it, because I have had problems with MikroTik DNS for a long time. Maybe this fix will repair it, but what do you mean by "empty response"??
Please MikroTik - what does this mean?
by gsloop
Thu Oct 18, 2012 5:29 pm
Forum: General
Topic: Mikrotik DNS server issues with Amazon S3 - low TTL 60sec
Replies: 118
Views: 45293

Re: Mikrotik DNS server issues with Amazon S3 - low TTL 60se

What's so goofy about the "fix" that's supposedly in 5.21 is that MikroTik never even admits there is a problem, from what I can see. They deny, deny, deny. Then, suddenly "Aha! That thing that was never broken, and implied was a user problem - well it's FIXED! Aren't we great!" I'd laugh if it wasn...
by gsloop
Tue Oct 16, 2012 8:09 pm
Forum: General
Topic: Queue size=0 problem
Replies: 6
Views: 1489

Re: Queue size=0 problem

I don't have an answer for your question, but I do wonder why you'd want to *drop* traffic that isn't being used by any other queues, when it could borrow that traffic/bandwidth until it's needed by the higher priority queues. I can't think of any downside to using _unused_ bandwidth from higher pri...
by gsloop
Tue Oct 16, 2012 1:25 am
Forum: General
Topic: Problems VPN L2TP
Replies: 7
Views: 4142

Re: Problems VPN L2TP

Have you removed all NAT/Firewall/Mangle rules that aren't absolutely required? You are getting a full IPSec tunnel, where you were not before. But it appears as though the L2TP tunnel dies for some reason. Again, the logs are hard to read, but at least you're getting to a L2TP tunnel - so try disab...
by gsloop
Sat Oct 13, 2012 2:18 am
Forum: General
Topic: Problems VPN L2TP
Replies: 7
Views: 4142

Re: Problems VPN L2TP

I'm horrible at grok'ing IPSec debugs - but it looks like it keeps retrying/failing IPSec phase 1 negotiation. To confirm this, watch the SA's in IP | IPSec | SA in winbox. If the IPSec connection is successful, you'll see SA's appear and stay, and be encrypted. That's the first half of the connection....
by gsloop
Thu Oct 11, 2012 9:58 am
Forum: General
Topic: a working failover config needed
Replies: 4
Views: 739

Re: a working failover config needed

@newranman No scripting needed True enough, though there are, IMO, very significant differences between the two approaches. The script version is lots more granular. You can set levels at which the pipe will be considered provisionally down, even if some ping replies come back. You can even do some...
by gsloop
Wed Oct 10, 2012 10:40 pm
Forum: General
Topic: L2TP IPSec with Samsung Galaxy S2
Replies: 8
Views: 3384

Re: L2TP IPSec with Samsung Galaxy S2

I've done L2TP on 5.12. During connect, watch the SA's in IPSec. Do they get built and are they encrypted? If so, you probably have a functional IPSec tunnel. Then the L2TP tunnel gets built inside that. --- Some observations: I couldn't get L2TP to use no encryption, so make sure the device isn't t...
by gsloop
Wed Oct 10, 2012 10:02 pm
Forum: General
Topic: a working failover config needed
Replies: 4
Views: 739

Re: a working failover config needed

I wrote a script like this:
http://forum.mikrotik.com/viewtopic.php?f=9&t=60247

Have you tried that?
I'm glad to help you get it working if you have issues.

-Greg
by gsloop
Wed Oct 10, 2012 9:51 pm
Forum: General
Topic: L2TP IPSec with Samsung Galaxy S2
Replies: 8
Views: 3384

Re: L2TP IPSec with Samsung Galaxy S2

This is not an answer specifically to the requests for "exact recipes" - however... The Wiki page on L2TP works fairly well. For testing, try this approach. In firewall rules, as well as NAT and mangle - you can "disable" rules without deleting them. [It's super easy in WinBox.] So, in really short...
by gsloop
Thu Oct 04, 2012 4:39 am
Forum: General
Topic: L2TP link with high latency (300 ms)
Replies: 1
Views: 799

Re: L2TP link with high latency (300 ms)

L2TP uses an IPSec tunnel for the outer tunnel... ...and IPSec is very sensitive to packet loss/latency. How sure are you about the underlying connection in terms of latency/packet loss? We run smokeping against endpoints like this, and usually when the tunnel starts getting flakey, we also notice t...
by gsloop
Mon Oct 01, 2012 7:07 pm
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

I have tested it writing and reading from flash. As the docs/comments say - use something like this. :local vLastIPFileName "micro-sd/dyndns-lastip.txt" and/or :local vDynDNSResponseFile "micro-sd/cc-dyndns-resp.txt" [I assume you would want both on flash, or both not on flash...] I don't have a uni...
by gsloop
Tue Sep 25, 2012 8:23 pm
Forum: General
Topic: VoIP calls dropping. Disable SPI and SIP ALG?
Replies: 14
Views: 10370

Re: VoIP calls dropping. Disable SPI and SIP ALG?

Unless you have some way to guarantee packet delivery and such all the way to an end point, then you have no guarantees about anything. Some observations: 1) Callcentric and voip.ms are exceedingly cheap and somewhat unreliable SIP providers. I'm not saying that to knock them, but it's simply the tru...
by gsloop
Tue Sep 25, 2012 3:14 am
Forum: General
Topic: Is there any chance to set up this OVPN conf in RouterOS?
Replies: 5
Views: 1746

Re: Is there any chance to set up this OVPN conf in RouterOS

Any debug logs, when you turn on logging for OpenVPN?

See: http://wiki.mikrotik.com/wiki/Manual:System/Log
by gsloop
Mon Sep 24, 2012 7:01 pm
Forum: General
Topic: MTU / MSS problem on IPSec tunnel
Replies: 9
Views: 29749

Re: MTU / MSS problem on IPSec tunnel

1) While the cisco numbers might be the worst possible, it would be FAR better to be a few bytes too small than a few too large and incur the overhead of fragmentation and re-assembly. Right? So, why not make that clear and use less optimistic numbers? Or at minimum, explain that the bytes of overh...
by gsloop
Mon Sep 24, 2012 7:00 am
Forum: General
Topic: Mikrotik client OpenVPN
Replies: 8
Views: 4011

Re: Mikrotik client OpenVPN

I'd guess it's possible to make work. [Though I've never done so.] I assume you have done some searches here to see others' experiences, and helpful tips? Some things to keep in mind, if you didn't already know. No LZO compression supported on MTK No UDP OpenVPN tunnel type, only TCP. There are nume...
by gsloop
Sat Sep 22, 2012 12:12 am
Forum: General
Topic: MTU / MSS problem on IPSec tunnel
Replies: 9
Views: 29749

Re: MTU / MSS problem on IPSec tunnel

Oh, and setting the MSS is done like this: /ip firewall mangle add chain=forward \ action=change-mss new-mss=1350 passthrough=yes tcp-flags=syn protocol=tcp src-address=10.1.1.0/24 dst-address=10.1.2.0/24 tcp-mss=!0-1350 Change your source and destination ranges to be the local and remote end of you...
by gsloop
Fri Sep 21, 2012 11:59 pm
Forum: General
Topic: MTU / MSS problem on IPSec tunnel
Replies: 9
Views: 29749

Re: MTU / MSS problem on IPSec tunnel

Sheesh, since it's "not hard" it would be nice if you'd do it. [I *can* probably dig around to find the data, but I assumed someone there would have it at their finger tips and save me a lot of guessing and many minutes digging.] Since that isn't happening, [thanks for nothing MikroTik] here is what...
by gsloop
Thu Sep 20, 2012 11:59 pm
Forum: General
Topic: MTU / MSS problem on IPSec tunnel
Replies: 9
Views: 29749

Re: MTU / MSS problem on IPSec tunnel

Would you mind showing me the calculations themselves?
Assume IPSec tunnel with AH and ESP.
by gsloop
Thu Sep 20, 2012 11:56 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 63
Views: 16356

Re: Feature Request: IPSEC Improvements

IPSec policy match.
by gsloop
Thu Sep 20, 2012 11:54 pm
Forum: General
Topic: L2TP problem
Replies: 16
Views: 4697

Re: L2TP problem

Have you done the usual things? Upgrade bootloader, reset and start from scratch, reinstall with NetInstall and start clean with a slightly different (better) configuration, change x86 hardware platform etc etc. ? Perhaps I'm missing something, but didn't Mikrotik actually confirm that it's a known ...
by gsloop
Thu Sep 20, 2012 3:24 am
Forum: General
Topic: MTU / MSS problem on IPSec tunnel
Replies: 9
Views: 29749

MTU / MSS problem on IPSec tunnel

I have a MT to MT IPSec tunnel and I've found some serious issues on it related to MTU. Without going into a bunch of detail, I found that print jobs from a Windows based PC on one end of the tunnel was having lost print jobs to a printer on the other end of the tunnel. [There was a lot of confoundi...
by gsloop
Thu Sep 20, 2012 3:16 am
Forum: General
Topic: PPTP Server with Windows clients
Replies: 1
Views: 961

Re: PPTP Server with Windows clients

I don't have the patience at the moment to grok your mangle and routing rules. How about making it a lot simpler and just using a single WAN link. Once you've got that working, then add stuff back in. I'm just not sure where the PPTP connection is coming from and how traffic is routing. Since it's s...
by gsloop
Tue Sep 18, 2012 7:00 pm
Forum: General
Topic: Help / Advice required on L2TP from Client and Router OS
Replies: 5
Views: 598

Re: Help / Advice required on L2TP from Client and Router O

Open on the IPSec section in Winbox. Flip to the SA tab. Now connect that L2TP client. Does an encrypted SA show up for that client? If so, you know that the IPSec portion of the tunnel came up. [L2TP is outer-wrapped in IPSec, with L2TP inside an MPPE/ms-chapv2 wrapper.] I'm wanting to make sure th...
by gsloop
Mon Sep 17, 2012 9:42 pm
Forum: General
Topic: L2TP problem
Replies: 16
Views: 4697

Re: L2TP problem - L2TP server error confirmed by support

A few minutes after my last post support sent me an answer to all my mails. Definitively it is a bug in L2TP server. When L2TP server crashes, it does not delete assigned IP addresses so later it is not possible to complete connection because L2TP server is not able to insert internal IP into address l...
by gsloop
Mon Sep 17, 2012 9:31 pm
Forum: General
Topic: Help / Advice required on L2TP from Client and Router OS
Replies: 5
Views: 598

Re: Help / Advice required on L2TP from Client and Router O

It *looks* like the IPSec portion of the tunnel gets built, since you're seeing PPP logs...BUT...would you check and make sure that encrypted SA's are created by IPSec? [I just want to make sure the first part of the L2TP session is in place and working first. Also, I've seen L2TP bork everything up...
by gsloop
Mon Sep 17, 2012 9:14 pm
Forum: General
Topic: RB 1100AH x2 and simple queue problems...
Replies: 9
Views: 2694

Re: RB 1100AH x2 and simple queue problems...

I should perhaps read more carefully. I see you state that it's vastly different with no queues...

However, how are you marking data.packets, and could you list your mangle+queues? I'm not sure I can help even then, but I'd guess anyone that can will want to see that information.

-Greg
by gsloop
Mon Sep 17, 2012 9:11 pm
Forum: General
Topic: RB 1100AH x2 and simple queue problems...
Replies: 9
Views: 2694

Re: RB 1100AH x2 and simple queue problems...

Those limits don't seem so far off, especially depending on where the traffic is going to, and what you're using to measure. Are we talking about a regular internet speed test? If so, there's a host of networks between your test machine and the speed test machine on the other end. [This could quite ...
by gsloop
Mon Sep 17, 2012 9:21 am
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

I only have just a second. See this thread: http://forum.mikrotik.com/viewtopic.php?t=60963 Now, I'm not sure how much to trust that estimate of 100K writes per block, but even if we assume half the writes they claim in spec, we're still talking a LOT of writes before your flash will die. [Even one-...
by gsloop
Sat Sep 15, 2012 3:50 am
Forum: RouterBOARD hardware
Topic: Mikrotik 1100AH X2 vs Ubiquti Edge Router
Replies: 26
Views: 28248

Re: Mikrotik 1100AH X2 vs Ubiquti Edge Router

Sounds like a great option, especially if one gets: OpenVPN that actually supports more than 10% of the spec. An IPSec policy match. A scripting language that isn't so fragile. [Like, gasp, perl or bash] Allows you to drop into IPTables to build FW rules, with something like FWBuilder. Etc... Obviou...
by gsloop
Sat Sep 15, 2012 3:37 am
Forum: General
Topic: Remote IPSEC vpn remote peers still around after disconnect
Replies: 3
Views: 605

Re: Remote IPSEC vpn remote peers still around after disconn

MRZ: This doesn't really answer the question at all. Should we just expect a whole host of IPSec peers to stack up until the router gets restarted? Is this at all related to the problem in this thread? http://forum.mikrotik.com/viewtopic.php?f=2&t=65424 Are these problems known in other, older versi...
by gsloop
Fri Sep 14, 2012 4:31 am
Forum: RouterBOARD hardware
Topic: hardware issues with rb4xx
Replies: 45
Views: 16398

Re: hardware issues with rb4xx

In addition, many RBs that have the Atheros 8316 switch (like RB450G, RB493G etc.) suffer from ethernet interface failures under heavy load that makes these boards more unreliable. And definitely this issue cannot be fixed by software updates. I'm interested in more detail on the issue above, as I ...
by gsloop
Fri Sep 14, 2012 1:09 am
Forum: General
Topic: Happy with your purchase?
Replies: 32
Views: 5044

Re: Happy with your purchase?

Announcement - Yes. [I fully expected it to get nuked, since that's often the response. When I didn't see it in a brief look today, I assumed it was. But evidently I missed it.] --- I'm no network "newbie" - I'm probably not the absolute best guy around, but I'm very good at what I do, I think. RoS ...
by gsloop
Thu Sep 13, 2012 9:27 pm
Forum: General
Topic: QoS, Queues: Specific theory questions
Replies: 3
Views: 681

Re: QoS, Queues: Specific theory questions

I submitted these to MikroTik to answer, and here is the general response. If you don't account for *all* the traffic passing an HTB, then shaping may well be useless or undesired. [ie. If you mark and shape traffic classes 1, 2 and 3, but leave class 4 traffic unshaped, then how any of the traffic ...
by gsloop
Thu Sep 13, 2012 9:06 pm
Forum: General
Topic: Port Forward PPTP Client
Replies: 2
Views: 1459

Re: Port Forward PPTP Client

How about listing your DST-Nat rules?

Also: Disable other DST-NAT rules and FW rules. Once you have it working then re-enable blocks of rules until it quits working. Then you know where to start looking for the problem.

-Greg
by gsloop
Thu Sep 13, 2012 8:52 pm
Forum: General
Topic: Happy with your purchase?
Replies: 32
Views: 5044

Re: Happy with your purchase?

The rock underneath that lake, can be found anywhere, don't you think? Not only on RouterOS. I don't think that RouterOS is prone to more unresolved issues. I don't agree. From my experience the rocks under lake RoS have been much worse than any other comparable product I've ever used in recent tim...
by gsloop
Thu Sep 13, 2012 8:34 pm
Forum: General
Topic: L2TP/IPSec - multiple users, one location
Replies: 3
Views: 2738

Re: L2TP/IPSec - multiple users, one location

Well, if you're at the same hotel etc, then almost certainly all of you are behind a NAT device. I'm not sure how the D-Link devices handle it, but MTK isn't going to cut it in the situation you describe. OpenVPN should do reasonably well in TAP [ethernet] mode though. It's more work to setup, and ...
by gsloop
Wed Sep 12, 2012 10:27 pm
Forum: General
Topic: QT+MANGLE: pre/postrouting, forward, conn..mark,packet mark?
Replies: 1
Views: 718

Re: QT+MANGLE: pre/postrouting, forward, conn..mark,packet m

There's a tik-tube on all this. It's about an hour. [It was in Vegas - both the 2009 and 2011 ones are fairly good.] Here: http://www.tiktube.com/?video=mEeI3iCGhLLqJKFEKHJsmrovllGoILDp= If the traffic is passing through the router, then forward will apply. If it's to the router, then input, and fro...
by gsloop
Wed Sep 12, 2012 9:14 pm
Forum: General
Topic: Happy with your purchase?
Replies: 32
Views: 5044

Re: Happy with your purchase?

@Caci99 Note the *usually*. I'm aware that it's *possible* to make them work and to work pretty well. However there are a host of hidden rocks at the bottom of the lake that is RoS, and it's really easy to hit an undocumented rock and sink your boat. As for alternatives, well, that looks to be chang...
by gsloop
Mon Sep 10, 2012 11:08 pm
Forum: General
Topic: Happy with your purchase?
Replies: 32
Views: 5044

Re: Happy with your purchase?

Posted a little response elsewhere... I'm sure you've seen it. IMO, the "It's the best $hit ever" crowd is usually WISPS. The "WTF?" crowd, is usually people like you and me. --- It works pretty well for baseline routers for WISPS, from what I can tell, especially if you're not willing to spring for...
by gsloop
Mon Sep 10, 2012 10:53 pm
Forum: General
Topic: L2TP/IPSEC connection drops due to "resend phase1 packet"
Replies: 9
Views: 10205

Re: L2TP/IPSEC connection drops due to "resend phase1 packet

I've seen, at minimum, THREE cases where the OpenVPN server simply stops responding when parameters are changed on the server/RoS. Simply rebooting the Routerboard fixed them. I've seen this complaint at least with OpenVPN, and perhaps others [vpn end-points]. IMO, it's a good plan, when making l...
by gsloop
Mon Sep 10, 2012 4:37 am
Forum: General
Topic: L2TP/IPSEC connection drops due to "resend phase1 packet"
Replies: 9
Views: 10205

Re: L2TP/IPSEC connection drops due to "resend phase1 packet

What firewall rules do you have? If you have any, or NAT/Mangle rules, can you "disable" them? [Other than the necessary ones - like NAT from LAN to WAN] It looks like it keeps trying to finish phase 1... [Though again, I'm absolutely horrible trying to decipher IPSec logs...] --- 10:55:28 ipsec,deb...
by gsloop
Thu Sep 06, 2012 2:02 am
Forum: General
Topic: L2TP/IPSEC connection drops due to "resend phase1 packet"
Replies: 9
Views: 10205

Re: L2TP/IPSEC connection drops due to "resend phase1 packet

I'm horrible about parsing IPSec logs - but it doesn't look like you get past Phase one.

Do you ever see any SA's get installed in the IPsec SA's section?

My *guess* with just a brief look is that there's some mismatch in the IPSec config client vs RoS side.
SA Lifetime etc.

Good luck.

-Greg
by gsloop
Thu Sep 06, 2012 12:51 am
Forum: General
Topic: Happy with your purchase?
Replies: 32
Views: 5044

Re: Happy with your purchase?

- It is not possible to distinguish between encrypted and unencrypted traffic in FW rules (which is required to make dynamic policy generation secure) i.e. IPsec policy matching. Add my voice to this. _Loudly_ too! While it's been an endless complaint, UDP on OpenVPN is a big deal. Always will be. ...
by gsloop
Tue Sep 04, 2012 9:54 pm
Forum: General
Topic: Supported users on RB1100AHx2 and RB1100
Replies: 2
Views: 721

Re: Supported users on RB1100AHx2 and RB1100

If all you're doing is packet filtering sure. If you're doing a lot of QoS etc, I'm not sure. Without QoS, I can get around 250Mb/s out of a RB450G. But lots of L7 packet inspection, tagging lots of frames etc can consume a lot of CPU. Same with lots of IPSec or OpenVPN traffic. I'd guess without a ...
by gsloop
Tue Sep 04, 2012 9:45 pm
Forum: General
Topic: SNMP no Response
Replies: 33
Views: 15943

Re: SNMP no Response

SNMP has problems on RoS if the routing isn't symmetrical. I saw a clever "work-around" for it the other day, but can't recall what it was. Do some searches on SNMP and symmetrical routing - I think you'll find it. [Perhaps that isn't your issue, but something to consider.] -Greg [Found it: http://f...
by gsloop
Tue Sep 04, 2012 9:40 pm
Forum: General
Topic: My first openVPN setup, and it just disconnects
Replies: 8
Views: 7878

Re: My first openVPN setup, and it just disconnects

I know it works. [tested on XP-SP3 and Win7P] I can give more feedback if you'd like. I just find tun mode unusable. If I have 20 RW clients, I'll have to drop a block of 40 addresses to support them. Not happening. really small installations, perhaps it could work. However, I can't find any problem...
by gsloop
Tue Sep 04, 2012 9:28 pm
Forum: General
Topic: IPSec/L2TP vpn connection starts but won't complete
Replies: 4
Views: 7226

Re: IPSec/L2TP vpn connection starts but won't complete

Check your IPSec SA's - to be sure they are doing encryption. IIRC setting the PPP policy to not use encryption caused the whole IPSec tunnel to be in the clear. You'll have double encryption, where the outer tunnel will be IPSec and the inner L2TP tunnel will use [whatever it's called, I can't reca...
by gsloop
Tue Sep 04, 2012 9:20 pm
Forum: General
Topic: L2TP/IPSEC connection drops due to "resend phase1 packet"
Replies: 9
Views: 10205

Re: L2TP/IPSEC connection drops due to "resend phase1 packet"

If you're still intent on setting up a RW connect via IPSec after this post, let me know and I'll see if I can offer some help. However, you'll have to use a peer address of 0.0.0.0/0 to allow a connect. Also, you can't write any filter rules to manage IPSec traffic, since you can't know the source ...
by gsloop
Tue Sep 04, 2012 9:09 pm
Forum: General
Topic: QoS, Queues: Specific theory questions
Replies: 3
Views: 681

Re: QoS, Queues: Specific theory questions

Bump. Can MikroTik address these questions? Or someone who *knows* [please, no guessing, unless you explicitly say you're guessing.] --- One other question I have, though this one isn't nearly as important as the ones above. Is there some particular reason to use GlobalIn vs GlobalOut? Certainly if ...
by gsloop
Tue Sep 04, 2012 7:09 pm
Forum: General
Topic: My first openVPN setup, and it just disconnects
Replies: 8
Views: 7878

Re: My first openVPN setup, and it just disconnects

If you use TAP mode [ethernet mode on RoS] you don't have to do that.

I wasn't clear you were using Tunnel mode. [Since it eats so many addresses [two for every client] I decided to use TAP mode which doesn't. [If you're not using Windows, either will work fine.]

-Greg
by gsloop
Tue Sep 04, 2012 12:47 am
Forum: General
Topic: My first openVPN setup, and it just disconnects
Replies: 8
Views: 7878

Re: My first openVPN setup, and it just disconnects

Oh, reading what you wrote more carefully - it doesn't seem that the route is likely your problem.

What does the logging on the ovpn client on Windows say?

-Greg
by gsloop
Tue Sep 04, 2012 12:44 am
Forum: General
Topic: My first openVPN setup, and it just disconnects
Replies: 8
Views: 7878

Re: My first openVPN setup, and it just disconnects

Yes, as soon as I saw the "soft reset" I was pretty sure that was the problem. Sorry I wasn't here earlier to help. Have you looked at the "print routes" results? Generally you'll get a route to the FW via that assigned IP. [It's a /32 route] You need a command like this in your ovpn config file on ...
by gsloop
Mon Sep 03, 2012 9:36 am
Forum: General
Topic: QoS, Queues: Specific theory questions
Replies: 3
Views: 681

QoS, Queues: Specific theory questions

I've read quite a lot about QoS and Queues here in the forum, the wiki and the 2011 Vegas TikTube on QoS - however there are several issues not answered by these sources. I'm sorry if I've missed something, but here's what I have questions on. --- 1) I assume, but don't know that if you don't handle...
by gsloop
Fri Aug 24, 2012 2:47 am
Forum: General
Topic: MikroTik IPsec tunnel problem
Replies: 8
Views: 2301

Re: MikroTik IPsec tunnel problem

How are you monitoring with Nagios? Fping? How often and how many pings. [I use smokeping so I'm not sure how Nagios does it.]

Again, what's the tunnel type?
[You do have logging turned on for that protocol/service on the RB and have looked at the logs, right?]

-Greg
by gsloop
Wed Aug 22, 2012 6:34 pm
Forum: General
Topic: MikroTik IPsec tunnel problem
Replies: 8
Views: 2301

Re: MikroTik IPsec tunnel problem

What is the tunnel? IPSec? Something else?

Any packet loss? Having a tunnel drop isn't unheard of, but having it drop for hours is, unless you've got some serious packet loss or something.
by gsloop
Wed Aug 22, 2012 6:24 pm
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

Without going on too long a rant about how MikroTik does things and why it bothers me, let me just say this: I would absolutely LOVE for MikroTik to do really well as a company. I've spent, literally, well more than a hundred hours on MikroTik - since mid-year last year. That's non-billable time, mo...
by gsloop
Tue Aug 21, 2012 8:54 pm
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

The L2TP docs are fairly good. The OpenVPN docs are horrid. [Really, really horrid.] I'm probably going to do a round-up of all the Road-warrior VPN's practically available on RoS and I may do docs for OpenVPN. I've gone back and forth - you can probably go find my recent threads - but I was incline...
by gsloop
Mon Aug 20, 2012 7:28 pm
Forum: General
Topic: VPN Issue
Replies: 5
Views: 890

Re: VPN Issue

Just a passing thought. Is your load-balancing causing issues?

-Greg
by gsloop
Mon Aug 20, 2012 7:16 pm
Forum: General
Topic: OpenVPN and diffie-hellman key material
Replies: 0
Views: 399

OpenVPN and diffie-hellman key material

Oh, and as long as we're talking about OpenVPN...

Normally you need to import/upload the diffie-hellman keying material to your OpenVPN server.
This doesn't appear to happen on the OVPN server for RoS.

Can someone enlighten me where the DH keying material comes from in ROS?
TIA!

-Greg
by gsloop
Mon Aug 20, 2012 7:10 pm
Forum: General
Topic: OpenVPN CRL [Certificate revocation list]
Replies: 12
Views: 7710

Re: OpenVPN CRL [Certificate revocation list]

I know all about OpenVPN and MikroTik's **HORRIBLE** implementation record.

However, I've not seen any posts saying that Mikrotik has said they will never implement CRL's.

Can you point me to that?

[I'm not saying they will, just that I'd like to see for myself where they say they won't.]

-Greg
by gsloop
Mon Aug 20, 2012 7:06 pm
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

I'm glad to help, but I should warn you that PPTP is **BROKEN** See: https://www.cloudcracker.com/blog/ I can't say that with enough vigor. In the last three weeks a new attack on the protocol was released and it's pretty trivial to break PPTP. [Without any attempt to insult you, IMO, you'd be a foo...
by gsloop
Mon Aug 20, 2012 12:50 am
Forum: General
Topic: OpenVPN CRL [Certificate revocation list]
Replies: 12
Views: 7710

OpenVPN CRL [Certificate revocation list]

I've only seen a single post on CRL's for certificates in OpenVPN. [Or CRL's for any certificates anywhere for that matter] It appears there's no functional way to use CRL's in RoS. Is this still the case? --- If so, the only way to block a OpenVPN user is to change/delete their PPP secrets config, ...
by gsloop
Thu Aug 16, 2012 10:58 pm
Forum: General
Topic: IPSec Policy Generation Issue w/Windows Client
Replies: 13
Views: 5420

Re: IPSec Policy Generation Issue w/Windows Client

Yes, I've tested L2TP to an RB 450G running v5.12 where the client is behind NAT [Windows 7/XP-SP3] and the server [RB450G v5.12] is not. Works nicely. However, only a single client behind the NAT device can connect to L2TP at a time. The second device will hijack the first device's connection. Howeve...
by gsloop
Thu Aug 16, 2012 9:55 pm
Forum: General
Topic: L2TP Security
Replies: 0
Views: 434

L2TP Security

So, two issues: 1) Prevent people from logging on via L2TP and their PPP credentials without first connecting via IPSec. I assume that blocking [or not allowing depending on your POV] port 1701 UDP on the external IF [or any interface you don't want someone making a regular L2TP connect from] should...
by gsloop
Thu Aug 16, 2012 2:54 am
Forum: General
Topic: IPSEC + L2TP works ONLY WITH DOUBLE ENCRYPTION
Replies: 5
Views: 1501

Re: IPSEC + L2TP works ONLY WITH DOUBLE ENCRYPTION

Anyone? Is there no way to disable MPPE on the inner tunnel in L2TP between a Windows client and a RB?
RoS v5.19, BTW.

TIA
-Greg
by gsloop
Tue Aug 14, 2012 4:23 pm
Forum: General
Topic: OpenVPN performance, throughput odd/bad.
Replies: 5
Views: 3544

Re: OpenVPN performance, throughput odd/bad.

What I find odd is that while the throughput was half what I expected, the CPU utilization was also half . So, say, <10Mb/s throughput, but the CPU was also only at 50%. While doing crypto in userland could explain low throughput at high CPU utilization, I'm still just baffled at the results. It's l...
by gsloop
Fri Aug 10, 2012 10:34 pm
Forum: General
Topic: NAT-T & IPSec Issues still exist
Replies: 25
Views: 12139

Re: NAT-T & IPSec Issues still exist

Somewhat uninformed speculation: I think this is because you can't "Generate" unique policies - I could well be wrong - but I think that's the problem. Not confirming, but I may well be testing it myself. I'll try to update if I find out something helpful/definitive. It would be great if you'd updat...
by gsloop
Fri Aug 10, 2012 10:27 pm
Forum: General
Topic: PPTP VPN into network. Missing something.
Replies: 3
Views: 1285

Re: PPTP VPN into network. Missing something.

Just wanting to highlight how broken PPTP is. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ You're welcome to use if you like, but I wouldn't trust PPTP over any insecure medium. [And if you're on a completely secure medium, why use PPTP in the first place.] L2TP/IPSec works pret...
by gsloop
Fri Aug 10, 2012 10:12 pm
Forum: General
Topic: Mikrotik 2 WANs Failover (Simple)
Replies: 4
Views: 4783

Re: Mikrotik 2 WANs Failover (Simple)

This might work. It's my script. Not exactly "simple" but not hard for someone with a little experience.
I think it's pretty well documented too.

http://forum.mikrotik.com/viewtopic.php?f=9&t=60247
by gsloop
Fri Aug 10, 2012 10:05 pm
Forum: General
Topic: WAN Failover with Dynamic IP from ISP and default route
Replies: 10
Views: 7805

Re: WAN Failover with Dynamic IP from ISP and default route

I wrote a script that handles this. I don't know that it's better than the linked stuff - I haven't looked at it. However, it does several things I find useful. Rather than simply up if any pings return, you can set the level of packet-loss that should result in a "practically" down pipe. You can pi...
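Added example (not gsloop's script from the linked thread, and not RouterOS code): the "practically down" decision the post describes, done in Python so the logic can be exercised offline. A link is declared down only when measured packet loss stays above a configurable threshold for several consecutive checks, and declared up again only after several consecutive good checks, so one lost burst does not flip the default route. The ping function is injected (here a constructed reply sequence; a real deployment would wrap fping or the RouterOS API), the monitored target 203.0.113.1 and the route comment "wan1-default" are assumptions, and the RouterOS command emitted on a state change assumes the static default route is managed by hand rather than by the DHCP client, as the post's own approach requires.

```python
from typing import Callable, List, Optional


class LinkMonitor:
    """Decide whether a WAN link is 'practically down' from measured packet loss.

    check() sends `probes` pings to every target through `ping` (a callable
    returning True when a reply came back) and computes the loss percentage
    over all of them. The link is marked down only after `down_after`
    consecutive checks above `max_loss_pct`, and marked up again only after
    `up_after` consecutive checks at or below it. The hysteresis keeps one
    noisy sample from flapping the default route back and forth.
    """

    def __init__(self, ping: Callable[[str], bool], targets: List[str],
                 probes: int = 10, max_loss_pct: float = 50.0,
                 down_after: int = 2, up_after: int = 3,
                 on_change: Optional[Callable[[bool], None]] = None):
        self.ping = ping
        self.targets = targets
        self.probes = probes
        self.max_loss_pct = max_loss_pct
        self.down_after = down_after
        self.up_after = up_after
        self.on_change = on_change
        self.is_up = True
        self.bad_streak = 0
        self.good_streak = 0
        self.history: List[float] = []

    def loss_pct(self) -> float:
        """Loss over one round of probes to every target."""
        sent = replies = 0
        for target in self.targets:
            for _ in range(self.probes):
                sent += 1
                if self.ping(target):
                    replies += 1
        return 100.0 * (sent - replies) / sent

    def check(self) -> bool:
        """Run one round, update the streak counters, return the link state."""
        loss = self.loss_pct()
        self.history.append(loss)
        if loss > self.max_loss_pct:
            self.bad_streak += 1
            self.good_streak = 0
        else:
            self.good_streak += 1
            self.bad_streak = 0
        new_state = self.is_up
        if self.is_up and self.bad_streak >= self.down_after:
            new_state = False
        elif not self.is_up and self.good_streak >= self.up_after:
            new_state = True
        if new_state != self.is_up:
            self.is_up = new_state
            if self.on_change:
                self.on_change(new_state)
        return self.is_up


def failover_commands(link_up: bool, route_comment: str = "wan1-default") -> str:
    """RouterOS command to pull or restore the static default route for the
    monitored link. The route is located by comment (assumed name), which means
    the DHCP client must not add the default route itself."""
    disabled = "no" if link_up else "yes"
    return f'/ip route set [find comment="{route_comment}"] disabled={disabled}'


def run_scenario(lost_per_check: List[int], **kwargs) -> List[bool]:
    """Constructed sample data for offline testing: lost_per_check[i] is how
    many of the 10 probes in check i get no reply. Returns the link state
    after each check."""
    replies: List[bool] = []
    for lost in lost_per_check:
        replies.extend([False] * lost + [True] * (10 - lost))
    queue = iter(replies)
    monitor = LinkMonitor(ping=lambda _target: next(queue),
                          targets=["203.0.113.1"], probes=10, **kwargs)
    return [monitor.check() for _ in lost_per_check]


if __name__ == "__main__":
    # Two clean rounds, three rounds at 80% loss, then recovery.
    print(run_scenario([0, 0, 8, 8, 8, 0, 0, 0, 0]))
    print(failover_commands(False))
```

The threshold is compared with a strict greater-than, so a link sitting exactly at the configured loss level is still treated as usable; raise `down_after` or lower `max_loss_pct` for links that should fail over faster.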
by gsloop
Fri Aug 10, 2012 9:50 pm
Forum: General
Topic: First Post, Big Problem
Replies: 2
Views: 484

Re: First Post, Big Problem

I am really unsure, but thought I'd offer a couple of suggestions: This could be a cabling problem - are you sure the CAT5E/CAT6 cable is good? Have you actually tested it with a Fluke or Microtest unit? How about locking the 10/100/1000 negotiation at some particular speed. If locking at 100Mb/s so...
by gsloop
Fri Aug 10, 2012 9:43 pm
Forum: General
Topic: How do I increase my internet speed on RB 800
Replies: 2
Views: 1265

Re: How do I increase my internet speed on RB 800

Doveman: How about using mrtg on the uplink to the ISP. Then you'd know if you're using all/most of the bandwidth. [And then you could use nTop to find out what/who is using it.] [Even STG would work to gather stats on the amount of traffic, and setup is really quick.] See http://www.wtcs.org/inform...
by gsloop
Fri Aug 10, 2012 9:18 pm
Forum: General
Topic: OpenVPN and importing certs
Replies: 2
Views: 831

Re: OpenVPN and importing certs

Perhaps that will work, but I just copied the text output of the key and crt and then imported those. They imported fine, with no need for a password and all was well. However, IMO, consider OpenVPN completely DEAD on RouterOS. They can't seem to care enough to do even the most basic things - like p...
by gsloop
Fri Aug 10, 2012 1:00 pm
Forum: General
Topic: IPSEC + L2TP works ONLY WITH DOUBLE ENCRYPTION
Replies: 5
Views: 1501

Re: IPSEC + L2TP works ONLY WITH DOUBLE ENCRYPTION

BUMP I'm having the same problem. I'm using IPSec to wrap the L2TP session, so I really don't need MPPE on the L2TP session. How can I disable MPPE on the L2TP internal channel? [When I set the PPP profile assigned to the L2TP server to "Protocols | no encryption" it turns off the *IPSec encryption*...
by gsloop
Thu Aug 09, 2012 10:25 pm
Forum: General
Topic: OpenVPN performance, throughput odd/bad.
Replies: 5
Views: 3544

Re: OpenVPN performance, throughput odd/bad.

For AES-256, 10mbit is expected. But testing using IPSec, also using SHA1/AES-256, I get more than DOUBLE the throughput with all other factors being identical. [~25Mb/s on a RB450G @ 100% CPU utilization.] Using SHA1/AES-256 and OpenVPN I get <10Mb/s @ <50% CPU utilization, AND wild fluctuations i...
by gsloop
Thu Aug 09, 2012 7:13 am
Forum: General
Topic: OpenVPN performance, throughput odd/bad.
Replies: 5
Views: 3544

OpenVPN performance, throughput odd/bad.

Finally hacked my way through setting up OpenVPN in ethernet/TAP mode. However, after doing so, and running JPerf/IPerf on machines at either end, I get really poor throughput. I'm using SHA-1 / AES-256-CBC on a RB450G - and I get at max throughput around 10Mb/s, but then have drops down to 2Mb/s fo...
by gsloop
Wed Aug 08, 2012 7:07 am
Forum: General
Topic: OpenVPN Tun/IP mode
Replies: 2
Views: 1198

Re: OpenVPN Tun/IP mode

Yes, that sure appears to be the case. [And to beat on the dead horse some more... It would sure help if the Wiki page was officially maintained and had reasonably well presented information. It simply doesn't, and certainly doesn't cover the limitations of IP/Tun mode well.] --- So, while I've not ...
by gsloop
Wed Aug 08, 2012 4:04 am
Forum: General
Topic: OpenVPN Tun/IP mode
Replies: 2
Views: 1198

OpenVPN Tun/IP mode

Working to finalize an OpenVPN setup. Again, the WIKI is horrible. Mikrotik claims [via email] that the Wiki isn't theirs - but user maintained. But are totally evasive when prodded to produce something less than HORRIBLE themselves. They say - "You can edit it." I counter - "Pay me, like everyone e...
by gsloop
Fri Aug 03, 2012 9:41 am
Forum: General
Topic: OpenVPN and importing certs
Replies: 2
Views: 831

OpenVPN and importing certs

First - can someone re-work the Wiki page - it's horrible! [For "supported" stuff, you'd think a reasonably well done Wiki page for docs would be a good idea.] I'm having a terrible time "importing" the certs. I've generated the certs twice and can't get them imported. I'm creating my own CA and the...
by gsloop
Fri Aug 03, 2012 2:27 am
Forum: General
Topic: 20 ipsec tunnels
Replies: 6
Views: 765

Re: 20 ipsec tunnels

Around 20Mbps UDP traffic with 1470 byte packets. Forgive me if I'm wrong, but I don't believe that IPSec is UDP. The 450G gets about that [20-25Mb/s] throughput via IPSec/AES-256, so I'd expect the 750 to throughput a lot less. [And that's at 100% utilization, so obviously nothing else would be ha...
by gsloop
Thu Aug 02, 2012 5:25 am
Forum: General
Topic: PPTP MS-CHAPv2 broken/cracked
Replies: 1
Views: 1888

PPTP MS-CHAPv2 broken/cracked

Since PPTP/MS-CHAPv2 is now totally insecure, I'm wondering what choices everyone else is using for Road-warrior VPN's. See: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ PPTP was nice, since it was supported in Windows natively. OpenVPN can work, though UDP support would be nice....
by gsloop
Thu Aug 02, 2012 5:21 am
Forum: General
Topic: PPTP link activity, unknown, need help
Replies: 3
Views: 445

Re: PPTP link activity, unknown, need help

Not sure what you're using PPTP for - but you should know that the encryption is now conclusively broken - really, really, really badly. Anything using MS-CHAPv2 [or any version of MS-CHAP really, though we already knew CHAPv1 was bad.] is horribly broken. Use something else. See: https://www.cloudc...
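Added example (not from gsloop's posts, and not code from the linked cloudcracker write-up) for this post and the "PPTP MS-CHAPv2 broken/cracked" post above it: why the MS-CHAPv2 break is structural rather than a password-quality problem. Following RFC 2759, the 16-byte NT hash (MD4 over the UTF-16LE password) is zero-padded to 21 bytes and cut into three 7-byte DES keys that all encrypt the same 8-byte challenge hash. The third key therefore contains only two secret bytes, and keys one and two can be checked against their ciphertexts in a single sweep of the 56-bit DES key space, which is what lets the whole exchange be cracked in one DES search. The block uses only the standard library (MD4 is written out because hashlib's md4 is often disabled on OpenSSL 3 builds) and deliberately stops at the key material; it does not implement DES or run the search.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + x[k] + const) & MASK32
                a, b, c, d = d, rotl(t, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTPasswordHash(): unsalted, single-iteration MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash(): first 8 bytes of SHA-1(PeerChallenge || AuthChallenge || UserName).
    Both challenges are sent in the clear, so an eavesdropper knows this plaintext."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


def des_keys_from_nt_hash(pw_hash: bytes):
    """ChallengeResponse() zero-pads the 16-byte hash to 21 bytes and slices it
    into three 7-byte DES keys. Key three is hash[14:16] plus five known zero
    bytes, so only 16 of its 56 bits are secret."""
    padded = pw_hash + b"\x00" * 5
    return padded[0:7], padded[7:14], padded[14:21]


def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes with odd parity in each low bit, the
    layout DES expects; the parity bits carry no key material."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


def key_search_sizes():
    """Candidates an attacker must try per key: 2**56, 2**56 and 2**16."""
    return [2 ** (8 * min(7, 16 - 7 * i)) for i in range(3)]


def total_des_work():
    """Keys one and two encrypt the same plaintext, so one pass over the 2**56
    DES keys is compared against both ciphertexts; key three adds 2**16."""
    sizes = key_search_sizes()
    return max(sizes[0], sizes[1]) + sizes[2]


if __name__ == "__main__":
    k1, k2, k3 = des_keys_from_nt_hash(nt_hash("password"))
    print("key3 =", k3.hex(), "(two secret bytes, five zeros)")
    print("DES trials needed: 2**%d + 2**%d" % (55, 16) if False else total_des_work())
```

Because nothing in the exchange is salted or iterated, recovering the NT hash from one captured handshake is equivalent to recovering the password for every future login, which is why the posts above recommend moving road-warrior users off PPTP rather than choosing longer passwords.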
by gsloop
Tue Jul 17, 2012 5:57 pm
Forum: Scripting
Topic: Netwatch style script
Replies: 16
Views: 8730

Re: Netwatch style script

Follow-up for assistance of others using the script. --- So, you're controlling fail-over with the RB, even though the actual device connected to the WAN links is NOT the RB. [I'd think doing the fail-over on the router actually connected to the WAN links would be the place to do it.] That point not...
by gsloop
Sun Jul 15, 2012 11:32 pm
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

Thanks for the feedback. and option to enable force update every 24h with dyndns? I *could* add this, but it's very much against the TOS. I'm not sure what the limits are set at for DynDNS, so I'm not sure if a forced 24h set would get you on the wrong side... I just think it's a bad idea. Also, wri...
by gsloop
Tue Jul 10, 2012 9:37 pm
Forum: Scripting
Topic: Netwatch style script
Replies: 16
Views: 8730

Re: Netwatch style script

Read the script header/docs.
DynDNS is optional.
DHCP is also not required - this will work on static IP's.

I'll try to come back and reply when I have a little more time - but don't know when that will be.

-Greg
by gsloop
Tue Jun 12, 2012 9:41 pm
Forum: General
Topic: Maybe chewing bit too much
Replies: 4
Views: 761

Re: Maybe chewing bit too much

@darthjysky As far as I know you can't add gateway check for dynamically generated default gateway Create a route, and point it at the interface. i.e. Eth2 [I'm not paying attention to your example up there.] Have the DHCP client not add the default route. Now you can do checks on that "static" rout...
by gsloop
Mon May 28, 2012 8:05 am
Forum: Beginner Basics
Topic: IPTables bash script
Replies: 6
Views: 2188

Re: IPTables bash script

In short, no. While it's less than the best solution, I suspect, I've created an Excel spreadsheet that will generate all my rules. [At least filter and dst-nat rules.] Not every option is there, but the most commonly used fields: src-addr, dst-addr etc. Essentially each column allows me to specify thi...
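Added example (not gsloop's spreadsheet, and not a MikroTik tool): the same idea of generating RouterOS filter rules from columns, written in Python over a CSV export so the validation step is visible. Every cell is treated as untrusted before it is pasted into a `key=value` command: chains, actions and protocols must come from fixed sets, addresses must parse as a host or a clean CIDR, ports must be in range, and the comment is limited to a plain character set because it lands inside double quotes in the generated script, where a stray quote or semicolon would let a cell append its own commands. The column names and the sample rows are constructed for this example; the emitted `/ip firewall filter add ...` syntax is standard RouterOS.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List

CHAINS = {"input", "forward", "output"}
ACTIONS = {"accept", "drop", "reject", "log"}
PROTOCOLS = {"tcp", "udp", "icmp"}
# Comments are emitted inside double quotes; a restricted character set stops
# a cell from closing the quote and smuggling extra commands into the script.
COMMENT_OK = re.compile(r"[A-Za-z0-9 _.:/-]{0,60}")

# Constructed sample input, as one would export it from the spreadsheet.
SAMPLE_CSV = """chain,action,src_address,dst_address,protocol,dst_port,comment
forward,accept,192.168.10.0/24,10.0.0.5,tcp,443,web to intranet
forward,accept,192.168.10.0/24,10.0.0.5,udp,"5060,10000-20000",voip
input,drop,,,,,default deny input
"""


def parse_ports(spec: str) -> str:
    """Accept '443' or '5060,10000-20000'; reject anything else."""
    parts = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", item)
        if not m:
            raise ValueError(f"bad port spec {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range {item!r}")
        parts.append(f"{lo}-{hi}" if m.group(2) else str(lo))
    return ",".join(parts)


def parse_address(value: str) -> str:
    """Validate a host or CIDR; strict=True rejects a prefix with host bits set."""
    net = ipaddress.ip_network(value, strict=True)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def row_to_command(row: Dict[str, str]) -> str:
    """Build one RouterOS filter rule from a validated row."""
    row = {k: (v or "").strip() for k, v in row.items()}
    if row["chain"] not in CHAINS:
        raise ValueError(f"bad chain {row['chain']!r}")
    if row["action"] not in ACTIONS:
        raise ValueError(f"bad action {row['action']!r}")
    fields = [f"chain={row['chain']}"]
    if row["src_address"]:
        fields.append(f"src-address={parse_address(row['src_address'])}")
    if row["dst_address"]:
        fields.append(f"dst-address={parse_address(row['dst_address'])}")
    if row["protocol"]:
        if row["protocol"] not in PROTOCOLS:
            raise ValueError(f"bad protocol {row['protocol']!r}")
        fields.append(f"protocol={row['protocol']}")
    if row["dst_port"]:
        if row["protocol"] not in {"tcp", "udp"}:
            raise ValueError("dst_port needs protocol tcp or udp")
        fields.append(f"dst-port={parse_ports(row['dst_port'])}")
    fields.append(f"action={row['action']}")
    comment = row["comment"]
    if comment:
        if not COMMENT_OK.fullmatch(comment):
            raise ValueError(f"comment has disallowed characters: {comment!r}")
        fields.append(f'comment="{comment}"')
    return "/ip firewall filter add " + " ".join(fields)


def generate(csv_text: str) -> List[str]:
    """Turn the CSV into RouterOS commands. One bad row aborts the whole batch,
    so a half-applied ruleset never reaches the router."""
    commands = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            commands.append(row_to_command(row))
        except ValueError as exc:
            raise ValueError(f"row {lineno}: {exc}") from None
    return commands


def is_rejected(csv_text: str) -> bool:
    """True when generate() refuses the input."""
    try:
        generate(csv_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for cmd in generate(SAMPLE_CSV):
        print(cmd)
```

The output is meant to be pasted into a terminal or imported with `/import`; keeping the generator strict is what makes it safe to let a spreadsheet, rather than a person, produce firewall configuration.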
by gsloop
Thu May 24, 2012 8:51 pm
Forum: General
Topic: Mikrotik Router DDoS attack
Replies: 32
Views: 8685

Re: Mikrotik Router DDoS attack

To recap, here's what I and others are asking!: -Answers about the problem and its scope. [Would be nice, but I'm not holding my breath.] -Time-frame on a working fix for this undefined set of security vulnerabilities/DOS attacks. [Must have!] -Position on a security list-serv and when and how you ...
by gsloop
Thu May 24, 2012 7:32 pm
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

So, let me ask, since I simply don't use PPPoE etc - how do you know what WAN interface to check. [If you can, can you give me a code snippet that would help me along.] Part of the reason I've written it the way I have is that for virtually all of my installs, we have regular eth interfaces that get...
by gsloop
Mon May 21, 2012 7:12 pm
Forum: General
Topic: PPTP into a router that uses EoIP to another location
Replies: 4
Views: 1151

Re: PPTP into a router that uses EoIP to another location

I'm not sure if this might be your problem, but it might apply. Windows PPTP clients to a MikroTik/RoS box use class based netmasks and routes. Thus, if you PPTP into RoS from a Windows machine, you'll get a mask/route based on the class of IP assigned to the Windows PC. So, if the Windows PC is on ...
by gsloop
Fri May 18, 2012 11:56 pm
Forum: General
Topic: Mikrotik Router DDoS attack
Replies: 32
Views: 8685

Re: Mikrotik Router DDoS attack

So, the hyper-defense continues unabated. Whatever. I guess you'll believe what you want and we/I will believe what I believe. I just can't figure out 1) why you refuse to go the full-disclosure route, 2) why you won't give an estimated time for release 3) why you won't commit to a list-serv or equi...
by gsloop
Thu May 17, 2012 7:10 pm
Forum: General
Topic: Mikrotik Router DDoS attack
Replies: 32
Views: 8685

Re: Mikrotik Router DDoS attack

So, Normis and Janisk both post elaborate defenses, and simply ignore all the queries about a security list-serv or equivalent? Seriously?! [With all due respect, can I have what you're smoking? It's got to be good stuff!] --- -- First: I can show you scare mongering, and this isn't it. [The first p...
by gsloop
Wed May 16, 2012 7:33 pm
Forum: General
Topic: Mikrotik Router DDoS attack
Replies: 32
Views: 8685

Re: Mikrotik Router DDoS attack

Normis... I'm not sure why you all feel so strongly about this. [Quite clear, since you deleted my last post...] I'm really not trying to be a PITA, but I haven't heard any real answers. So, I'd like an answer MK ... 1) Is discussion of a security vulnerability and the steps to mitigate it off limit...
by gsloop
Wed May 09, 2012 10:03 pm
Forum: General
Topic: Mikrotik Router DDoS attack
Replies: 32
Views: 8685

Re: Mikrotik Router DDoS attack

These are all nice replies, but mostly meaningless unless we know more about the problem and a full discussion of the issues from MT. Since this hasn't happened, these mitigation may well not "mitigate" anything. Further, while mitigating a problem is nice - there are some cases where allowing WinBo...
by gsloop
Mon May 07, 2012 9:55 pm
Forum: General
Topic: Mikrotik Router DDoS attack
Replies: 32
Views: 8685

Re: Mikrotik Router DDoS attack

I went looking to see about the DOS attacks, and all the threads I can find, have been deleted. I find this quite troubling. Is MikroTik simply going to address security vulnerabilities by quashing any discussion of them?!?! I'm not aware of any security list, or the like so one can know about such ...
by gsloop
Fri Apr 27, 2012 8:45 pm
Forum: RouterBOARD hardware
Topic: NAND flash memory life expectancy (write cycles)
Replies: 12
Views: 6446

Re: NAND flash memory life expectancy (write cycles)

I've been told, in this thread [http://forum.mikrotik.com/viewtopic.php?f=2&t=60963], that a "sector" is 2KB (2048 bytes) - so 35,000 sectors would only be ~72MB. If you look at that thread, I believe that 1) if the spec MikroTik gives is actually correct, and NAND should survive ~100,000 writes 2) ...
by gsloop
Fri Apr 20, 2012 8:40 pm
Forum: General
Topic: Failover with two ISPs.
Replies: 3
Views: 1282

Re: Failover with two ISPs.

I'm not sure I see the point? [Perhaps you've thought this over, but it seems like you're asking for a quite complicated setup without good reason.] Why not load-balance both LAN networks evenly [or unevenly if needed] over the two WAN links. When one of the WAN links dies, then change the load-bala...
by gsloop
Tue Apr 17, 2012 9:39 am
Forum: General
Topic: Sector writes, how big is a "sector"
Replies: 19
Views: 6495

Re: Sector writes, how big is a "sector"

So, a sector is 2048 bytes for 256MB "disks" [NAND] (i.e. a RB450G has a 256M disk, and it's sector size is 2048 bytes, correct?) So - we have a lot of re-calculating to do. If the 256MB NAND is 268,435,456 bytes, and a sector is 2048 bytes: Then There are 131072 "sectors" in the 256MB NAND Disk. [2...
by gsloop
Tue Apr 17, 2012 5:48 am
Forum: General
Topic: Sector writes, how big is a "sector"
Replies: 19
Views: 6495

Re: Sector writes, how big is a "sector"

Bump... Normis. Can you please confirm the general calculations made above. Namely. The 256M NAND has either 16384 blocks/sectors or 32768 blocks/sectors So, in worst case, with only 16384 sectors... If you can write each "sector" 100000 times - then: You would expect to get about 1.638 billion "sec...
by gsloop
Mon Apr 16, 2012 2:29 am
Forum: General
Topic: Anything happened to Changeip / Sam Norris?
Replies: 51
Views: 7795

Re: Anything happened to Changeip / Sam Norris?

@shawnsmith Just curious. What do you like about ChangeIP that you don't about DynDNS? [IMO, the biggest + for DynDNS is the huge distributed network and redundancy they have. Their upper tier stuff is so very far beyond what I need for any of my clients/myself - but the result is a system that is f...
by gsloop
Mon Apr 16, 2012 2:24 am
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

Thanks for the Karma --- Log rules. Yes, they will show some details of the packets that match the rule. Input/Output/Forward. Without thinking about it much, I'd guess the rule simply didn't match. Perhaps the dst-nat rule changed the packet so it didn't match as an "input" since it was re-directin...
by gsloop
Sun Apr 15, 2012 8:20 pm
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

<Fred Rogers voice> See, I knew you could. </Fred Rogers voice> Good job. That trick of enabling and disabling rules is invaluable as you're trying to hack your way through a problem. Also very good, is LOG action rules - which do nothing other than log the packet patch to the logs. Glad you found i...
by gsloop
Sat Apr 14, 2012 7:38 pm
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

It's really unlikely that I'd have time anytime soon. Still, I think your best bet is to look and see what's different between the two port configurations. The things I've asked you to do, really shouldn't take more than 30 minutes or so. Yes, they are a pain. But they are invaluable in narrowing do...
by gsloop
Sat Apr 14, 2012 6:04 am
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

Then you need to start looking at other things. Mangle rules. NAT rules I seriously doubt there is a bug, and the RB sees every port, essentially the same. There's no difference between one port and another. So, if it connects on eth2, and not on eth0, then you must have something configured on eth0...
by gsloop
Fri Apr 13, 2012 10:32 pm
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

If you connected via the LAN [another port on the RB] then it's one of two things. 1) Something in the MTK is blocking connections to the WAN port. Firewall rule is a prime example here. 2) Something in the path is blocking PPTP connections. I've given you some hints on #1 - but I'm not sure how you...
by gsloop
Fri Apr 13, 2012 9:32 pm
Forum: General
Topic: Sector writes, how big is a "sector"
Replies: 19
Views: 6495

Re: Sector writes, how big is a "sector"

But do the calculations above look correct?

Since this appears to be the ONLY time I've seen anyone actually try to give some real authoritative and calculated basis, I want to be sure they are good calculations.

Thanks!

-Greg
by gsloop
Fri Apr 13, 2012 9:03 pm
Forum: General
Topic: Sector writes, how big is a "sector"
Replies: 19
Views: 6495

Re: Sector writes, how big is a "sector"

So, completely guessing here... What you call "sector" the data-sheet calls Block, right? Thus, if it's a x8 device, the block size is 16K + 512 bytes spare. For an x16 device, the block size is 8K + 256 spare. But for calculation sake, just use the 8K or 16K Thus, for a 256M of NAND, and a 1) x8 NAN...
by gsloop
Fri Apr 13, 2012 8:24 pm
Forum: General
Topic: Sector writes, how big is a "sector"
Replies: 19
Views: 6495

Re: Sector writes, how big is a "sector"

PDF? I see a web-page...? --- If you're talking about the Hynix data sheet, that's a pretty arcane answer. The word "sector" isn't mentioned in the article anywhere. So, perhaps we are talking about what is referred to as "page size." But heck if I know. And how would I know if it was a x8 device or...
by gsloop
Fri Apr 13, 2012 7:48 pm
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

After further testing from within the same network as the microtik I was able to connect a client just fine. Does this mean that you essentially put the client hanging off one of the WAN ports of the MicroTik - just via an ethernet cable. Gave both appropriate IP addresses and it worked. Correct? I...
by gsloop
Fri Apr 13, 2012 7:35 pm
Forum: General
Topic: Sector writes, how big is a "sector"
Replies: 19
Views: 6495

Re: Sector writes, how big is a "sector"

Hey! You didn't answer the most important and basic question...

HOW BIG IS A SECTOR? 4K 16K 4MB?

HOW BIG IS A SECTOR?
by gsloop
Fri Apr 13, 2012 4:18 am
Forum: General
Topic: Good Firewall Alternative?
Replies: 5
Views: 1550

Re: Good Firewall Alternative?

I've not used one, but the 1100AHx2 should handle that level of traffic. If you want bandwidth and use stats - ntop. To capture that many packets, you'll need to use their high-speed data capture methods, but you'll get a level of stats that is really pretty incredible. Pair this with MRTG and you'l...
by gsloop
Fri Apr 13, 2012 4:03 am
Forum: General
Topic: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!
Replies: 38
Views: 51356

Re: PPTP Server w/Windows 7 PPTP Client PLEASE HELP!!

In Winbox, go into your firewall rules and place three rules right at the top. One to allow all input One to allow all output One to allow all forwards. Then you can "enable" or "disable" them for your test. Enable them and try the PPTP connect. If it works, then you have a firewall problem. If they...
by gsloop
Thu Apr 12, 2012 10:14 pm
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

@mitzone

Thanks!

I'll add that in the code, and this script can be used for either NoIP or DynDNS.

-Greg
by gsloop
Thu Apr 12, 2012 10:12 pm
Forum: General
Topic: Sector writes, how big is a "sector"
Replies: 19
Views: 6495

Re: Sector writes, how big is a "sector"

Bump... Here's what I need to know... So again, how big is a "sector write" on the RB? Does the size of a "sector" vary depending on device or NAND capacity? Finally, is all recent [last 5 years] RB NAND good for one-hundred-thousand writes? [I've done some searching and the best I found was only no...
by gsloop
Wed Apr 11, 2012 9:07 pm
Forum: General
Topic: Load Balancing with Auto Failover
Replies: 5
Views: 2152

Re: Load Balancing with Auto Failover

See: http://forum.mikrotik.com/viewtopic.php?f=9&t=60247 This does exactly what you're looking to do. The regular net-watch stuff will too, but IIRC what you monitor is more limited and it isn't as granular as my script. [I've implemented this at several clients very successfully.] Just read the thr...
by gsloop
Wed Apr 11, 2012 9:02 pm
Forum: General
Topic: Anything happened to Changeip / Sam Norris?
Replies: 51
Views: 7795

Re: Anything happened to Changeip / Sam Norris?

Not to whack Sam - but while it's not SSL wrapped, I have a script for DynDNS that is, IMO, very robust. [Nudge, nudge - MikroTik - how about implementing a SSL wrapped fetch!] Someone also submitted a change that would let it work with noip as well. Thread with the script here: http://forum.mikroti...
by gsloop
Tue Apr 10, 2012 4:04 am
Forum: General
Topic: Sector writes, how big is a "sector"
Replies: 19
Views: 6495

Sector writes, how big is a "sector"

Wanting to calculate NAND exhaustion rates on my RB, and all RB's in general. I see the value "sector writes" in the system | resources section - but without knowing how big a "sector" is, I can't calculate how much impact a single sector write has. Now, rather than telling me - "well how many write...
by gsloop
Mon Apr 09, 2012 7:20 am
Forum: General
Topic: Bug report
Replies: 2
Views: 1519

Bug report

It appears to be a bug in WinBox [not sure if it occurs via other methods, but I know it occurs in Winbox.] If you go into System | Scheduler and add a new scheduled item, it appears to add the next run time based on GMT, and not on the localized time-zone as set in the TZ. [It's easy enough to modi...
by gsloop
Fri Apr 06, 2012 10:10 pm
Forum: General
Topic: PPTP classless route vs. class routing
Replies: 20
Views: 8162

Re: PPTP classless route vs. class routing

@THG I appreciate that information, but then I have to have some way to "automagically" add the proper route to the client PC - which isn't really possible. Again, while this is a work-around, it's as bad as simply adding the remote PPTP tunnel as the default gateway - perhaps worse. So, I'll note a...
by gsloop
Fri Apr 06, 2012 8:53 pm
Forum: General
Topic: PCC + pppoe clients + routing trouble
Replies: 7
Views: 1835

Re: PCC + pppoe clients + routing trouble

Posting your "solution" rather than "it works now" might help someone else...

:)
by gsloop
Fri Apr 06, 2012 8:42 pm
Forum: General
Topic: PCC with Netwatch Style Script?
Replies: 6
Views: 1270

Re: PCC with Netwatch Style Script?

Was just thinking about a 4 leg setup. That has a LOT of permutations. All legs up: ABCD One leg down: BCD, ACD, ABD, ABC Two legs down: AB AC AD BC BD CD Three legs down: A B C D --- So that means you'll have 15 different conditions to handle in your different load-balance rules. [And that's provid...
by gsloop
Fri Apr 06, 2012 8:28 pm
Forum: General
Topic: PCC with Netwatch Style Script?
Replies: 6
Views: 1270

Re: PCC with Netwatch Style Script?

I just stumbled across your post... While I don't have a cookie-cutter approach and full code for you, I think the theory is as follows: You have multiple WAN/INet connections they all get used equally by "splitting" the outbound traffic across each leg. There's a bunch of ways to split, by IP, by d...
by gsloop
Fri Apr 06, 2012 12:32 am
Forum: General
Topic: PPTP classless route vs. class routing
Replies: 20
Views: 8162

Re: PPTP classless route vs. class routing

Bump.
Normis? Someone?
by gsloop
Mon Apr 02, 2012 7:06 pm
Forum: General
Topic: urgent help..client problem with dhcp
Replies: 1
Views: 382

Re: urgent help..client problem with dhcp

Do you have more than one DHCP server? In windows, you should be able to do an "ipconfig /all" and see the IP address of the DHCP server. [You have to do it from a client using DHCP, not a static assigned client. (Obvious, but thought I should explicitly mention it.)] I'd guess you'll find something...
by gsloop
Mon Apr 02, 2012 6:19 am
Forum: Scripting
Topic: Netwatch style script
Replies: 16
Views: 8730

Re: Netwatch style script

2012/04/01
Update to script - updates to comments to make a bug less likely to bite you. Also a modification to a file variable preset.
(All related to the "lastip.txt" file. If the file is stored on RB flash, don't prefix with a '/' [slash])
by gsloop
Mon Apr 02, 2012 6:11 am
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

Update to code, to add to comments, and fix a read from an "un-initialized" file for the last-ip store.

Thanks to @carlosmp for running the issue down and providing a clear explanation of his findings!

-Greg
by gsloop
Fri Mar 30, 2012 8:44 pm
Forum: General
Topic: PPTP classless route vs. class routing
Replies: 20
Views: 8162

Re: PPTP classless route vs. class routing

-Bump-

Normis et al...

Could someone please respond, I would really appreciate it.
This is quite an issue plaguing my clients who I have on RB gear.

-Greg
by gsloop
Thu Mar 29, 2012 6:15 pm
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

The code in lines 87-94 checks to see if the file specified in line 69 [vLastIPFileName] exists, and if it doesn't it creates it. The creation is simply a print of the root directory of your RB. [Which is what you're seeing in that file...] ...Ah, the light turns on for me! I'd guess what is happening...
by gsloop
Tue Mar 27, 2012 7:04 pm
Forum: General
Topic: PPTP classless route vs. class routing
Replies: 20
Views: 8162

Re: PPTP classless route vs. class routing

If you connect to a Windows server via PPTP it doesn't get a /8. If you use Snapgear you don't get a /8. If you use OpenWRT you don't get a /8. So, it's a Mikrotik thing, in that, it's very possible to do something different and Mikrotik hasn't done it. I'm really tired with the "we can't do anythin...
by gsloop
Mon Mar 26, 2012 6:42 pm
Forum: Scripting
Topic: Netwatch style script
Replies: 16
Views: 8730

Re: Netwatch style script

Someone PM'd me this... Could this be used in conjunction with a PCC load balancing script to perform remote checks on a domain and to take any routes offline where the ADSL line has failed but the ADSL router is still up (causes the MT to route traffic to non working lines)? I'm not sure exactly wh...
by gsloop
Mon Mar 26, 2012 6:20 pm
Forum: General
Topic: Responding to ICMP traffic on an intrface with a high metric
Replies: 2
Views: 628

Re: Responding to ICMP traffic on an intrface with a high me

Thanks.

That example handles it just as I did, so that's nice.
Glad for any other pointers if applicable!

-Greg
by gsloop
Mon Mar 26, 2012 12:02 pm
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

Update to the code.

See the first post in the thread for details and for the download link.

-Greg
by gsloop
Mon Mar 26, 2012 12:01 pm
Forum: Scripting
Topic: Netwatch style script
Replies: 16
Views: 8730

Re: Netwatch style script

Sorry for the double-post...

But wanted to update the thread.

New version. See notes at the end of the initial post for details, and for download.

Thanks!
-Greg
by gsloop
Mon Mar 26, 2012 10:09 am
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

a "nochg" means it tried to post an update, but the IP hadn't changed. [At least that's what it means for DynDNS...] If setup as per the documentation in the "header" of the script, it shouldn't generate nochg updates - at least not generally. [Perhaps it could generate one the very first run, if th...
by gsloop
Mon Mar 26, 2012 4:01 am
Forum: Scripting
Topic: Netwatch style script
Replies: 16
Views: 8730

Re: Netwatch style script

I've extensively tested this over the last week and I have a few updates to change. There is a mangle rule you'll need and I'm trying to finalize one that will allow you to use a FQDN instead of an IP address. [But POS that ROS scripting language is...a :resolve that doesn't resolve and has an "erro...
by gsloop
Mon Mar 26, 2012 3:56 am
Forum: General
Topic: PPTP classless route vs. class routing
Replies: 20
Views: 8162

Re: PPTP classless route vs. class routing

@Chupaka Line three of your routing table shows a /8 on the 10.0.0.0 network. Looks just like what I'm describing. Let me re-iterate my situation Local network 10.1.1.0/24 Remote Network 10.1.2.0/24 Once I connect to the remote network at 10.1.2.0/24, I get a route in my windows routing table like I...
by gsloop
Sat Mar 24, 2012 2:38 am
Forum: General
Topic: Responding to ICMP traffic on an intrface with a high metric
Replies: 2
Views: 628

Responding to ICMP traffic on an intrface with a high metric

My brain is fried, so my apologies if this seems easy, but I'm not having any luck I've got two routes to the internet Lets call them 1.1.1.1/24 [wan1] and 2.2.2.2/24 [wan2] The metric on 1.1.1.1 is: 1 The metric on 2.2.2.2 is: 2 When I try to ping the 2.2.2.2 interface from the WAN side (the intern...
by gsloop
Fri Mar 23, 2012 11:06 pm
Forum: Scripting
Topic: :resolve failure
Replies: 0
Views: 665

:resolve failure

WOW... if a [:resolve abc.com] doesn't resolve to something, this appears to fatally crash the script. [There were reports of this back several years ago, but it still seems to be the case on 5.12] Is this still everyone else's experience also? Is there a reasonable work-around? The only work around...
by gsloop
Fri Mar 23, 2012 10:57 pm
Forum: General
Topic: PPTP classless route vs. class routing
Replies: 20
Views: 8162

Re: PPTP classless route vs. class routing

@Chupaka WinXP, WinVista, Win7 all exhibit this behavior. 1) I don't want the VPN to be the default gateway. 2) There are lots of PPTP devices that handle this properly. I believe native Linux will do it fine. I know that Snapgear handled it fine too. Again, if your remote network/station is 10.1.2....
by gsloop
Thu Mar 22, 2012 7:15 am
Forum: General
Topic: PPTP classless route vs. class routing
Replies: 20
Views: 8162

PPTP classless route vs. class routing

@Chupaka 3) PPTP classless routing fix for Windows clients ?? The issue is when you're using PPTP on, say, a 10.x.x.x/24 network, and connecting to a different class C 10.x.x.y/24 network. In crazy MikroTik land, the route the PPTP client gets is a /8 route - which borks all traffic on either the lo...
by gsloop
Wed Mar 21, 2012 7:56 pm
Forum: Scripting
Topic: Netwatch style script
Replies: 16
Views: 8730

Re: Netwatch style script

Ok, updated the script.

Sorry for the oversight.

It should work correctly now.

-Greg
by gsloop
Fri Mar 16, 2012 10:22 pm
Forum: Scripting
Topic: Netwatch style script
Replies: 16
Views: 8730

Re: Netwatch style script

You're right.

[I hadn't thought about when the connection is down, the route changes...and thus we'll have a problem.]

I'll work on it, but it will be a few days before I have the time, I suspect.

-Greg
by gsloop
Thu Mar 15, 2012 6:50 am
Forum: General
Topic: Feature requests
Replies: 1163
Views: 212804

Re: Feature requests

1) HTTPS fetch
2) fping support
3) PPTP classless routing fix for Windows clients
by gsloop
Wed Mar 14, 2012 11:27 pm
Forum: Scripting
Topic: failover connection script
Replies: 3
Views: 1030

Re: failover connection script

I'm not sure my script will help you, but in looking at what you wanted, this seems to apply. You're welcome to see. See this post. http://forum.mikrotik.com/viewtopic.php?f=9&t=60247 [I was getting ready to post this, and saw your post which seemed to cover the same ground - so I thought I'd mentio...
by gsloop
Wed Mar 14, 2012 11:24 pm
Forum: Scripting
Topic: Netwatch style script
Replies: 16
Views: 8730

Netwatch style script

I have created a fairly extensive script, using some of the concepts I've seen in other scripts. This script does several things. 1) It will ping a host x number of times and will change the metric of the specified route from 1 to 3 when y number of pings aren't returned. [i.e. If <8/10 pings return...
by gsloop
Mon Mar 12, 2012 8:58 pm
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

Re: DynDNS update script

Just a follow-up If you use this script, could you please 1) Let me know if it worked or not. 2) What hardware it was on 3) What ROS version 4) Comments or suggestions. Finally, if you adapt the code, would you be so kind as to relate that back to me: What revisions did you make and why? I'd like to...
by gsloop
Mon Mar 12, 2012 8:34 pm
Forum: Scripting
Topic: external editor syntax highlighting
Replies: 39
Views: 43671

Re: external editor syntax highlighting

@dtoffo

Cool! Thanks!

-Greg
by gsloop
Mon Mar 12, 2012 8:25 pm
Forum: Scripting
Topic: dynDNS Update Script
Replies: 158
Views: 109754

Re: dynDNS Update Script

I've rewritten [well, actually mostly written from scratch] a dyndns script. The post is here: http://forum.mikrotik.com/viewtopic.php?f=2&t=60018&p=306491#p306491 I have a few changes I'm working in still, but this should work just fine. It does NOT do double-NAT, but it does stay within the TOS at...
by gsloop
Wed Mar 07, 2012 6:51 pm
Forum: Scripting
Topic: Dyndns update script (another)
Replies: 7
Views: 2547

Re: Dyndns update script (another)

I've just posted a DynDNS update script.

I think it is an improvement over the scripts I've seen. It doesn't handle double-NAT though.

The announcement post is here:
http://forum.mikrotik.com/viewtopic.php?f=2&t=60018

-Greg
by gsloop
Wed Mar 07, 2012 6:48 pm
Forum: General
Topic: DynDNS update script
Replies: 26
Views: 12355

DynDNS update script

I know there were several DynDNS update scripts out there, and they do work, but they don't work as needed to really stay within the TOS at DynDNS. [Like causing a nochg update after a reboot, since they don't keep IP states across reboots, or querying the IP more often than allowed.] They use a "ol...
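The update logic this post describes (remember the last IP across reboots, only contact the provider when the address actually changes, never poll more often than allowed), as an added example that is not the forum script and not RouterOS code. It is Python with the public-IP lookup and the provider call injected so it runs offline; it assumes a DynDNS-v2-style provider that answers `good <ip>`, `nochg <ip>`, `badauth`, `abuse` or `911`, and a JSON state file standing in for the script's lastip.txt. The `FakeProvider`, the clock and the addresses are constructed for the demo.

```python
"""Reboot-safe dynamic-DNS update logic (added example, not the forum script)."""
import json
import os
import tempfile
import time

# Provider answers after which the TOS says stop and let a human fix the account.
FATAL = {"badauth", "nohost", "notfqdn", "abuse", "badagent"}


class DynDnsUpdater:
    def __init__(self, state_path, get_public_ip, send_update,
                 min_check_interval=600, now=time.time):
        self.state_path = state_path
        self.get_public_ip = get_public_ip   # () -> "a.b.c.d" or None
        self.send_update = send_update       # (ip) -> provider response line
        self.min_check_interval = min_check_interval
        self.now = now

    def _load(self):
        # Missing or corrupt state file: behave as a fresh install, not as a crash.
        try:
            with open(self.state_path) as f:
                return json.load(f)
        except (FileNotFoundError, ValueError):
            return {"last_ip": None, "last_check": 0.0, "blocked": None}

    def _save(self, state):
        tmp = self.state_path + ".tmp"        # write-then-rename survives a reboot mid-write
        with open(tmp, "w") as f:
            json.dump(state, f)
        os.replace(tmp, self.state_path)

    def run_once(self):
        state = self._load()
        if state["blocked"]:
            return "blocked:" + state["blocked"]
        t = self.now()
        if t - state["last_check"] < self.min_check_interval:
            return "too-soon"                  # rate limit on the IP check itself
        state["last_check"] = t
        ip = self.get_public_ip()
        if ip is None:
            self._save(state)
            return "no-ip"
        if ip == state["last_ip"]:
            self._save(state)
            return "unchanged"                 # no request at all, so no nochg
        code = self.send_update(ip).split()[0]
        if code in ("good", "nochg"):
            state["last_ip"] = ip              # nochg on first run is fine: remember it
        elif code in FATAL:
            state["blocked"] = code            # stop until an operator clears the state
        self._save(state)                      # 911/dnserr: last_ip stays unset, retry later
        return code


class FakeProvider:
    """Constructed stand-in for the provider's update endpoint."""
    def __init__(self, current_ip=None):
        self.current_ip = current_ip
        self.requests = []
        self.fail_with = None

    def update(self, ip):
        self.requests.append(ip)
        if self.fail_with:
            return self.fail_with
        if ip == self.current_ip:
            return f"nochg {ip}"
        self.current_ip = ip
        return f"good {ip}"


def run_demo(state_path):
    clock = [1_000_000.0]
    public_ip = ["203.0.113.5"]
    provider = FakeProvider(current_ip="203.0.113.5")   # record already right, as after a reboot
    u = DynDnsUpdater(state_path, lambda: public_ip[0], provider.update,
                      now=lambda: clock[0])
    out = [u.run_once()]                    # nochg: remembered, never resent
    clock[0] += 600
    out.append(u.run_once())                # unchanged: no request sent
    out.append(u.run_once())                # too-soon: checked less than 600 s ago
    clock[0] += 600
    public_ip[0] = "198.51.100.7"
    out.append(u.run_once())                # good: a real change
    clock[0] += 600
    provider.fail_with = "badauth"
    public_ip[0] = "198.51.100.8"
    out.append(u.run_once())                # badauth: account now blocked locally
    clock[0] += 600
    out.append(u.run_once())                # blocked: provider is not hammered
    return out, provider.requests


def run_demo_in_tempdir():
    return run_demo(os.path.join(tempfile.mkdtemp(), "dyndns-state.json"))


if __name__ == "__main__":
    print(run_demo_in_tempdir())
```

The state file is written with a rename so a reboot in the middle of a write cannot leave a half-written last-IP, which is the failure the post attributes to scripts that do not keep IP state across reboots.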
by gsloop
Tue Mar 06, 2012 9:26 pm
Forum: General
Topic: SD Card and RB
Replies: 0
Views: 576

SD Card and RB

I thought I'd just post an FYI on SD cards and RB. I've got some RB450G's and I've added a few 8GB sdhc cards. They come up invalid - which is expected. You need to format the cards before you can use them. [/system stores disk from winbox.] However, formatting them takes a LONG time. (In my case, l...
by gsloop
Thu Feb 23, 2012 8:12 am
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

@ditonet Thanks! [And nice name, BTW!] :) --- Obviously NAT and private RFC1918 blocks change this situation some... But as said above, I think relying on these is less than optimal, and a crutch and will likely be a serious problem in IPv6. [Since that should drive a much needed stake through the h...
by gsloop
Wed Feb 22, 2012 8:08 am
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

trust me, if you have an ipsec policy in place that traffic will either need to be successfully decrypted, or dropped. it will be dropped before it even hits the forward chain in the firewall if it didnt come thru the tunnel. We're talking about traffic that arrives at the WAN interface vs traffic ...
by gsloop
Tue Feb 21, 2012 6:23 pm
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

@mrz So, it does pass the input chain before getting decrypted. Would it be possible to: 1) set marks on the ESP payload packets in mangle rules. 2) those marks will be maintained and not lost in decryption 3) that you could act on those marks in the forward chain after decryption? This is the only ...
by gsloop
Tue Feb 21, 2012 8:02 am
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

Just as a follow-up and a demonstration. In your forward rules - right at the top. Place a rule as follows /ip firewall filter chain=forward action=drop src-address=a.a.a.a/m dst-address=b.b.b.b/m Where a.a.a.a/m is the same as /ip ipsec policy dst-address and b.b.b.b/m is the same as /ip ipsec poli...
by gsloop
Tue Feb 21, 2012 7:27 am
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

Even if you send spoofed packet, with proper subnet src and dst addresses to gateway's public interface, it'll be treated by gateway like every other packet on public/WAN interface (according to your firewall rules in 'input' chain), but not part of IPSec traffic. Exactly! You're exactly right, but...
by gsloop
Mon Feb 20, 2012 8:32 pm
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

I'm buried today...but I need to review the posts. I'm most interested in @mrz's post, since that appears to support my initial position - which is: Without ipsec policy match, then spoofed traffic will very potentially flow through the filter-rules. [More complete/expansive explanation: Without bei...
by gsloop
Mon Feb 20, 2012 7:46 am
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

@ditonet: First: I'm not sure how ROS implements IPSec, so perhaps using "required" as part of the policy will sort-of solve this. It's something I'll look at. However, that doesn't resolve the proclamation that "Everything in that article is possible in ROS." It just isn't possible - at least not i...
by gsloop
Sat Feb 18, 2012 2:42 am
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

@ditonet How do you propose preventing the RB from passing traffic from 1.0.1.10 to 1.0.2.10 that *isn't* from the ipsec tunnel? This is the point you seem to keep missing, intentionally or not, I'm not sure. We shouldn't legitimately ever see that traffic except from over the encrypted ipsec tunnel...
by gsloop
Fri Feb 17, 2012 10:20 pm
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

Finally, I'm still waiting for you to back up this claim Everything described in mentioned article IS available in RouterOS, just RTFM. I'll happily go into the sunset with that information. I'd even be glad to send you $20 just for the trouble. Paypal work? Show me how to create this filter rule: i...
by gsloop
Fri Feb 17, 2012 10:14 pm
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

Lets use this example Network on the left -- Network on the right 1.0.1.0/24 -- 1.0.2.0/24 IP Sec tunnels between the two. Assume the RB's are 1.0.1.1 and 1.0.2.1 on their WAN interfaces. [No NAT] Assume two clients. 1.0.1.10 on the left 1.0.2.10 on the right. To allow that traffic, you can't say: /...
by gsloop
Fri Feb 17, 2012 8:57 pm
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

For me, EOT. Fine by me. What's clear to me, is that you have made a claim this IS possible in the filter rules. Everything described in mentioned article IS available in RouterOS, just RTFM. But I don't think this IS possible in MT. If it was, I could find someone talking about it, and showing it'...
by gsloop
Fri Feb 17, 2012 7:12 pm
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

So, since it's all in the *effing* manual, can you tell me how to do the following... [Should be easy, since it's in the effing manual, right?] iptables --append FORWARD \ --match policy \ --dir in \ --pol ipsec \ --mode tunnel \ --tunnel-dst ${PUBLIC_IP} \ --tunnel-src 0.0.0.0/0 \ --in-interface ex...
by gsloop
Fri Feb 17, 2012 4:27 am
Forum: Scripting
Topic: netwatch limitations and alternatives
Replies: 0
Views: 525

netwatch limitations and alternatives

[I posted this in the general forum, but realized it would probably be better over here... sorry for the dupe.] Ok, I've done some looking and haven't found anything, so here's my query. 1) Multiple internet connections. 2) Want to "fail-over" connections when one goes down. 3) "down" may not mean t...
by gsloop
Fri Feb 17, 2012 3:14 am
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

I'm not afraid of anyone breaking IPSec. So, here's where we are: 1) You receive a packet on the WAN interface. 2) It claims to be from somewhere in 10.0.1.0/24 and destined for somewhere in 10.0.2.0/24. 3) You allow it, because those are addresses that are in the remote network and the local one, a...
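The three-step spoofing scenario above, and the `iptables --match policy --dir in --pol ipsec` rule quoted in the Fri Feb 17 7:12 pm post, as an added example that is not part of the thread and not RouterOS code. It is a Python model of a forward chain in which, beyond the IP header, the one attribute a rule can test is whether the packet came out of ESP decapsulation under a matching inbound policy; an address-only rule cannot see that attribute. The networks are the thread's 1.0.1.0/24 and 1.0.2.0/24; the hosts .10 and the interface name `wan` are assumptions for the demo. (Later RouterOS releases expose the same test as the `ipsec-policy=in,ipsec` firewall matcher.)

```python
"""Address-only vs policy-aware forward filtering for an IPsec site-to-site.
Added example: a model of a firewall forward chain, not RouterOS or iptables."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LEFT = "1.0.1.0/24"    # LAN behind this gateway
RIGHT = "1.0.2.0/24"   # LAN behind the peer gateway, reached via the tunnel


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str
    ipsec_in: bool = False  # True only for a packet produced by decapsulating
                            # ESP that matched an inbound IPsec policy


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    in_iface: Optional[str] = None
    ipsec_in: Optional[bool] = None  # None = don't care; True/False = policy match

    def matches(self, p: Packet) -> bool:
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.ipsec_in is not None and p.ipsec_in != self.ipsec_in:
            return False
        return True


def forward_chain(rules, p: Packet, default: str = "drop") -> str:
    """First matching rule wins, as in a firewall chain; default policy otherwise."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# All the thread says the filter can express: the inner addresses.
ADDRESS_ONLY = [
    Rule("accept", src_net=RIGHT, dst_net=LEFT),
]

# Policy-aware: remote-LAN sources arriving on the WAN in cleartext are
# dropped first; the accept applies only to decapsulated tunnel packets.
POLICY_AWARE = [
    Rule("drop", src_net=RIGHT, in_iface="wan", ipsec_in=False),
    Rule("accept", src_net=RIGHT, dst_net=LEFT, ipsec_in=True),
]

# Constructed packets: a real tunnel packet after decapsulation, and a plain
# IP packet from the Internet carrying the same inner addresses (step 2 above).
GENUINE = Packet("1.0.2.10", "1.0.1.10", "wan", ipsec_in=True)
SPOOFED = Packet("1.0.2.10", "1.0.1.10", "wan", ipsec_in=False)


def run_demo() -> dict:
    return {
        "address_only": (forward_chain(ADDRESS_ONLY, GENUINE),
                         forward_chain(ADDRESS_ONLY, SPOOFED)),
        "policy_aware": (forward_chain(POLICY_AWARE, GENUINE),
                         forward_chain(POLICY_AWARE, SPOOFED)),
    }


if __name__ == "__main__":
    for name, (genuine, spoofed) in run_demo().items():
        print(f"{name:13s} genuine={genuine} spoofed={spoofed}")
```

With only addresses to go on, the spoofed packet is accepted exactly like the tunnel packet; the policy match is what makes the two distinguishable, and the drop rule for cleartext remote-LAN sources on the WAN is the anti-spoofing rule the thread is asking for.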
by gsloop
Thu Feb 16, 2012 7:53 pm
Forum: General
Topic: netwatch limitations and alternatives
Replies: 1
Views: 436

netwatch limitations and alternatives

Ok, I've done some looking and haven't found anything, so here's my query. 1) Multiple internet connections. 2) Want to "fail-over" connections when one goes down. 3) "down" may not mean that all pings fail, but that RTT are greater than a certain value, or some%+ of packets are lost. [i.e. RTT >100...
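The failover decision described here (a leg is "down" when RTT or loss crosses a threshold, not only when every ping fails), together with the metric 1 to 3 switch of the Netwatch-style script post (Wed Mar 14) and the 15 up/down combinations counted in the PCC post (Apr 6), as an added example that is not the forum script and not RouterOS code. It is Python over constructed probe results; the thresholds, the streak counts used for hysteresis and the leg names are assumptions, and the per-connection-classifier strings are only the form the split would take, not a generated configuration.

```python
"""Netwatch-style multi-WAN health and PCC leg selection (added example)."""
from itertools import combinations
from statistics import median


def leg_healthy(rtts_ms, max_loss_pct=20.0, max_rtt_ms=100.0):
    """One probe round. rtts_ms lists per-probe RTTs, None = no reply.
    Down means too much loss OR a median RTT above the limit, not all lost."""
    lost = rtts_ms.count(None)
    loss_pct = 100.0 * lost / len(rtts_ms)
    answered = [r for r in rtts_ms if r is not None]
    if loss_pct > max_loss_pct or not answered:
        return False
    return median(answered) <= max_rtt_ms


class LegMonitor:
    """Tracks one WAN leg and the route metric it should carry.
    Hysteresis (fail_after / restore_after rounds) keeps a flapping link from
    toggling the routing table on every probe round."""
    def __init__(self, name, fail_after=2, restore_after=3,
                 good_metric=1, bad_metric=3):
        self.name = name
        self.fail_after = fail_after
        self.restore_after = restore_after
        self.good_metric = good_metric
        self.bad_metric = bad_metric
        self.up = True
        self._bad_streak = 0
        self._good_streak = 0

    @property
    def metric(self):
        return self.good_metric if self.up else self.bad_metric

    def update(self, rtts_ms):
        """Feed one probe round; returns the metric the route should have now."""
        if leg_healthy(rtts_ms):
            self._good_streak += 1
            self._bad_streak = 0
            if not self.up and self._good_streak >= self.restore_after:
                self.up = True
        else:
            self._bad_streak += 1
            self._good_streak = 0
            if self.up and self._bad_streak >= self.fail_after:
                self.up = False
        return self.metric


def active_legs(monitors):
    return tuple(m.name for m in monitors if m.up)


def pcc_plan(active):
    """Split connections over the legs that are up: leg i of n gets
    both-addresses:n/i. Empty when nothing is up (nothing to balance)."""
    n = len(active)
    return [(f"both-addresses:{n}/{i}", leg) for i, leg in enumerate(active)]


def failure_states(legs):
    """Every non-empty set of legs that can be up at once: 15 for four legs."""
    return [c for k in range(1, len(legs) + 1) for c in combinations(legs, k)]


def run_demo():
    a, b = LegMonitor("wan1"), LegMonitor("wan2")
    good = [12, 15, 11, 14, 13, 12, 16, 14, 12, 13]                      # constructed
    degraded = [12, None, None, 140, None, 13, None, None, 15, None]     # 60% loss
    history = []
    for _ in range(3):
        a.update(good)
        b.update(degraded)
        history.append((a.metric, b.metric, active_legs([a, b])))
    return history


if __name__ == "__main__":
    for round_no, (m1, m2, active) in enumerate(run_demo(), 1):
        print(f"round {round_no}: wan1 metric={m1} wan2 metric={m2} pcc={pcc_plan(active)}")
```

The degraded leg is still answering some pings, which is exactly the case plain netwatch treats as up; here it fails on the second bad round, the metric moves to 3, and the PCC split collapses to the one remaining leg.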
by gsloop
Thu Feb 16, 2012 7:31 pm
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

But if I'm selecting traffic based on the source and dest address, how is this better than what I can do in filter? In short, [Assume the remote end of the IPSec tunnel is 10.0.1.0/24 and the local is 10.0.2.0/24] filtering for src-addr=10.0.1.0/24 dest-addr=10.0.2.0/24 only means the packet CLAIMS ...
by gsloop
Thu Feb 16, 2012 2:45 am
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

Did you try to mark IPSec connection/packet in 'mangle', then allow/drop in 'filter'?
...and how would you go about identifying that traffic in the mangle rules?

[Perhaps I'm dense, but identifying them in mangle seems to have the same problems as in the filter rules.]

-Greg
by gsloop
Wed Feb 15, 2012 7:53 pm
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

In case someone else has this question: MikroTik support says that the IPSec traffic is not identifiable in FW rules. In short, all traffic will appear to come from the WAN [or IF the IPSec tunnel is terminated to] and thus, you can't filter specifically on the IPSec traffic. [IMO, this leaves the c...
by gsloop
Fri Feb 10, 2012 11:06 pm
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

Re: firewall filter on ipsec, how to identify the IPSec intr

bump...

Anyone? Please!
by gsloop
Wed Feb 08, 2012 5:23 am
Forum: General
Topic: firewall filter on ipsec, how to identify the IPSec intrfce
Replies: 53
Views: 26899

firewall filter on ipsec, how to identify the IPSec intrfce

Perhaps I'm just dumb, but I'm unclear on how I can identify IPSec traffic [not the tunnel setup traffic, but the actual payload traffic] and filter on it. Is there some way to identify the interface [i.e. ipsec interface] the traffic is coming from. The data from the tunnel simply appears to come f...
by gsloop
Tue Jan 31, 2012 2:23 am
Forum: General
Topic: Using a PPTP interface in "in-interface" or "out-interface"
Replies: 3
Views: 641

Re: Using a PPTP interface in "in-interface" or "out-interfa

this is what the ppp-in and ppp-out chains are for. Jump to them in the forward chain. You can also make the server interfaces static so they can be named explicitly in firewall rules, since they won't disappear when they are disconnected. How do you make the server interfaces static? I've looked b...
by gsloop
Tue Jan 31, 2012 1:33 am
Forum: General
Topic: Using a PPTP interface in "in-interface" or "out-interface"
Replies: 3
Views: 641

Using a PPTP interface in "in-interface" or "out-interface"

I'd like to be able to identify the generic PPTP interface so I can create rules in /ip firewall filters or elsewhere. However, the PPTP interface is something like <pptp-freddy>, where freddy is the user-name of the PPP user. I've tried to do some searches but have come up dry. Is there a way to inc...
by gsloop
Tue Jan 10, 2012 2:39 am
Forum: General
Topic: IPSec interop problem [RB450g to Snapgear SG580]
Replies: 1
Views: 631

Re: IPSec interop problem [RB450g to Snapgear SG580]

Bump - Anyone!? Please!
by gsloop
Sat Jan 07, 2012 4:52 am
Forum: General
Topic: IPSec interop problem [RB450g to Snapgear SG580]
Replies: 1
Views: 631

IPSec interop problem [RB450g to Snapgear SG580]

I'm having real problems getting a RB/450G to talk to a snapgear 580. I've tried several different options, but in general I started with the IPSec document listed here: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec I used the example for the site-to-site, using the details given. However, I can't g...
by gsloop
Thu Jan 05, 2012 6:19 pm
Forum: Beginner Basics
Topic: Service ports/groups can NOT be added to?
Replies: 1
Views: 1322

Re: Service ports/groups can NOT be added to?

Ok, I can see that in the forward rules, at least using WinBox you can put in non-contiguous sets of source/destination ports. So, one doesn't need a separate rule for each port/port-range. [I'd have to go back and see to say for sure, but I thought I'd tried to enter multiple ports via the command ...
by gsloop
Thu Jan 05, 2012 6:07 am
Forum: Beginner Basics
Topic: Service ports/groups can NOT be added to?
Replies: 1
Views: 1322

Service ports/groups can NOT be added to?

It appears that IP/Service groups can't be edited. IP/ Firewall So, if I need to allow in a group of ports, say 1,3,5,7,9, 11-15 ...and I can't create a service group, I'll have to create 6 rules to handle the full range of ports, correct? [One rule each for 1,3,5,7,9 and a range rule for 11-15] Is t...
by gsloop
Thu Jan 05, 2012 6:01 am
Forum: Beginner Basics
Topic: Create interface groups/classes. Is this possible?
Replies: 0
Views: 418

Create interface groups/classes. Is this possible?

I'd like to create rules on interface classes (say WAN-1 and WAN-2) This way, if I setup some FW rules, or QoS rules etc, I can apply them to the Interface-Class/group instead of two individual rules applied to specific interfaces. [Making changes to multiple rules for each individual interface (IF)...
by gsloop
Wed Jan 04, 2012 11:48 pm
Forum: Beginner Basics
Topic: IPTables bash script
Replies: 6
Views: 2188

IPTables bash script

I'm very new to ROS, and I'd probably like to maintain and generate all my iptables rules via something like FWBuilder.

Is there some way to bring in those rules (via bash script) into ROS?

TIA
-Greg