MikroTik

akschu

I finally found the issue, I had generated two certificates on an external CA. The certs both had the same email address, and even though they were different certs and the certs loaded into the vpn server, and uniquely identified in the ipsec identity section, the fact that they had the same email a...

akschu

I have an issue where when a second ike2 client connects, it boots the first one. I'm using mode-config to define static addresses for the clients and I've tried creating two policy groups, but I can't seem to get it to work. This is what I have: /ip ipsec mode-config add address=10.10.10.1 address-...

akschu

Mine isn't stable enough. Frequently my 5hgz network goes away and I have to reboot the thing. I don't think this has to do with the number of users. Your ROS/firmware versions ? No, I don't. Currently, I have 4 wireless clients attached to it. I'm running 6.46beta59 as it contains: *) wireless - i...

akschu

Mine isn't stable enough. Frequently my 5hgz network goes away and I have to reboot the thing.

akschu

Telling the router to do destination nat is one thing, allowing that packet through the firewall is different. So if you have: chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=9090 protocol=tcp dst-address-type="" src-port=9090 dst-port=9090 log=no log-prefix="" then in /ip firewall fi...

akschu

I suspect you have a split routing or MTU issue as there are a lot of people using ipsec over pppoe without issue. I have one box plugged into 1000/100 pppoe internet connection and it's doing a lot of VPN work for an office of engineers.

schu

akschu

If I use /fetch into a directory, the system does't create that directory, instead it creates it as a file: [admin@hotspot104] /file> /tool fetch user=hotspot password="xxxxxxxxxx" url="https://domain.net/Hotspot/Files/hotspot104/login.html" dst-path=hotspot/ status: finished downloaded: 0KiBC-z pau...

akschu

I need this feature

akschu

I would like to track sessions and use normal /ip firewall filter rules for src addresses in list1, list2, and list3, but for everything else I don't have any need to track connections. Can I accomplish this with? /ip firewall raw add action=return chain=prerouting src-address-list=list1 add action=...

akschu

No, you can not do this. Authentication without whole PKI chain including root CA is not possible. Perhaps what we could do is add possibility to match an Identity based on a specific common field in client's certificate, for example, Unit. You could generate multiple client certificates with the s...

akschu

Right now we have three ways to authenticate certs in ike2: match-by=remote-id remote-id=user-fqdn:user@domain.com or equivalent or match-by=remote=id remote-certificate=<cert> or match-by=certificate The first two require us to identify every certificate that can be used to authenticate. The last o...

akschu

If we had: name="rw-config" system-dns=yes address-pool=roadwarriorips address-prefix-length=32 responder=yes dst-address-list=roadwarriors Then in the firewall we could reference the roadwarriors list and create dynamic firewalls for anyone connecting with the above mode-config. This would be vastl...

akschu

There is nothing to be "fixed", it works as expected. The trust chain is from the endpoint certificate up to the root CA and it cannot be shortened arbitrarily. Plus to work, the entity checking the validity of an endpoint certificate must have access to the complete chain of CAs, while the one of ...

akschu

Config looks like this: /ip ipsec mode-config add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf /ip ipsec policy group add name=ike2-policies /ip ipsec profile set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 lifetime=1h add name=ike2 /ip ipsec peer add exchange-mode...

akschu

I have a certificate authority and a sub CA then my server and road warrior cert. Like this: ROOT CA | VPN CA | | Client cert Server cert The idea is that I only want client certs signed by the VPN CA to authenticate, not every user cert signed by ROOT CA. I thought I could do this by simply putting...

akschu

This is what I need, a way to make a firewall list based on ipsec identity. All that's needed to make this work is the ability to define src-address-list when responder=yes: /ip ipsec mode-config add address-pool=ike2-pool address-prefix-length=32 name=ike2-firewallrulesA src-address-list=firewallru...

akschu

I would like to build a chain of firewall rules, then assign that chain to road-warrior VPN clients that authenticate with ike2 and thus are identified by the ipsec identity, and thus the ipsec mode-config. What would be great is if the src-address-list attribute on ipsec mode-config worked in respo...

akschu

So if I /system reset-configuration with run-after-reset with a config containing: /system scheduler add interval=24h name=getconfig on-event=update start-time=02:30:00 Then it imports it as: [admin@mikrotik] /system scheduler> print detail Flags: X - disabled 0 name="getconfig" start-date=jan/02/19...

akschu

RouterOS Devs: The default user creation doesn't require a password, and defaults to blank, which means if someone simply does a: /user add name=fred group=full Then you can immediately login as fred with no password. This creates a significant security issue that isn't immediately obvious. Furtherm...

akschu

There are plenty of limitations for service providers as well. 1. BGP is single core. 2. VRF's pretty much don't work because local connected routes are always available to all tables. 3. SNMP monitoring support is terrible. 4. openvpn only works in TCP mode. 5. Limited -48v DC options (though this ...

akschu

The routeros platform is pretty limited in regards to monitoring with snmp. If I want something like cpu resource monitoring or ipsec SA monitoring, then I have to find other ways to monitor than snmp. However, there is a super simple way that mikrotik could fix this: Assign an OID to each /system s...

akschu

Is this the same issue?

viewtopic.php?t=70274

akschu

Hello, I'm having an issue with the main routing table being used when I've set the traffic to use an alternate routing table. Here is my setup [remote router with static ip in aws] <-----vpn----- [local router with dynamic IP] I want all of my web/mail/ssh traffic to go to the host with a static, a...

akschu

Thanks for the response. You are right, they are invalid packets, because the tcp timeout on connection tracking is super aggressive. I relaxed that a bit and that helped, now I'm dropping invalid traffic before it hits my logs so that I'm not filling up my firewall logs with tcp timeout nonsense. A...

akschu

More oddness: If I trace a flow using logging in the prerouting or post routing chain I see something like this: Where 1.1.1.1 is the public client, 2.2.2.2 is the public facing address on the routeros host, and 3.3.3.3 is the private address I'm doing port address translation to: Mar 30 12:26:32 pr...

akschu

I'm trying to understand why I'm seeing this: 08:49:07 firewall,info input: in:public-gateway out:(none), src-mac 44:f4:77:10:ba:20, proto TCP (ACK,FIN), 6.1.1.2:62092->6.16.9.6:443, len 52 When I have this: /ip firewall nat add action=dst-nat chain=dstnat dst-address=6.16.9.6 dst-port=443 protocol=...

akschu

As someone that runs 4000+ pppoe sessions on x86 routeros I doubt that the CCR1036-12G-4S could do it. The pppoe server code doesn't thread well (at least on x86) and other posts on the forum seem to indicate you will have one CPU absolutely at 100% while the remaining 35 cpus idle. As far as mikro...

akschu

I'm seeing this too. And it's hard to figure out where the traffic is coming from because the routeros sniffer either doesn't work right or it's lying to me because it shows the traffic on bond1 when interface is any: 1 0.035 bond1 129.0.0.71:49320 ...

akschu

The biggest issue now is pppoe/cpu performance. It's not quite multi-threaded: Thanks for doing this Mikrotik! Still waiting for your discovery of the problem Ticket#2014122166000217 - when in system many interfaces, and you delete one of them - mikroik hangs on some time and loses packets. "Interf...

akschu

*) ppp - added new option under "ppp aaa" - "use-circuit-id-in-nas-port-id"; Any details? Please update documentation or post some explanation. It allows some port information to be passed from pppoe through to radius. See my request here: http://forum.mikrotik.com/viewtopic.php?t=95696 I can confi...

akschu

I think the code that Efaden put on github is probably the best bet since it fixes the length issue, as well as gives us a place to track change, but it didn't have port or ssl support. I forked his code and added those featuers: https://github.com/akschu/MikroTikPerl Efaden, please consider merging...

akschu

I have an intel core 2 cpu in an axiomtek NA-820, it's pretty basic stuff, and works perfectly in linux: Driver `coretemp': * Chip `Intel digital thermal sensor' (confidence: 9) coretemp-isa-0000 Core 0: +39.0°C (high = +80.0°C, crit = +98.0°C) Core 1: +40.0°C (high = +80.0°C, crit = +98.0°C) But no...

akschu

Yay!!! This bug is fixed since 6.29rc10:

http://www.mikrotik.com/download/share/ ... 29rc10.npk

Thanks Mikrotik!

akschu

It doesn't look like the builds are being updated. I just downloaded the latest and it says the build time was Apr/13/2015 14:10:30.

I really hope the ssl bug gets fixed, it's making pulling config from https impossible.

akschu

I was told by support that the fetch/ssl bug (http://forum.mikrotik.com/viewtopic.php?f=1&t=95576) would be fixed in the next release, but the latest version (version: 6.28, build-time: Apr/13/2015 14:10:30) still doesn't download more than 4096 bytes. I really hope this is fixed before the next rel...

akschu

Fixing the fetch ssl bug would be fantastic since it makes /tool fetch unusable for me: http://forum.mikrotik.com/viewtopic.php?f=1&t=95576 Got this back from support: Re: [Ticket#2015040666000483] Bug with /tool fetch and https. Hello, Its due to bug in ssl library. Next release will have the fix....

akschu

This feature would make the pppoe server much more viable as a cisco/junpier/redback replacement with minimal programming effort. Simply take the vendor specific pppoe tag "circuit id" and pass it through as the radius NAS-Port-ID attribute the in the radius request packet. Here are docs on how this...

akschu

Fixing the fetch ssl bug would be fantastic since it makes /tool fetch unusable for me:

http://forum.mikrotik.com/viewtopic.php?f=1&t=95576

akschu

See below. The exact same file from the same server gets truncated when downloaded through https: [admin@MikroTik] /file> /tool fetch url="https://webserver/test" status: finished [admin@MikroTik] /file> print where name=test # NAME TYPE SIZE CREATION-TIME 0 test file 4096 jan/01/1970 16:32:33 [admi...

akschu

Mine is acting very strange. I can't get a solid link light half the time, I was able to get in if I reboot it enough times, but after a downgrade to 6.25 after seeing kernel panic messages I was never able to get it to work again.

I guess I'll mail it back.

akschu

I'm not sure if I found a bug in my thinking or RouterOS, but I can't seem to get OSPF to work the way I think it should. I have a PPPOE server that uses static ip addresses from radius, static networks from radius, and a local dynamic pool. I would like to originate the static ip addresses, the sta...

akschu

This is a bit of a hack, but I needed something in perl so I extended this code to use ssl. Attached is the module.

akschu

I really need this feature, and it would be trivial to add. The MIB is already in place since Mikrotik uses the existing DHCP mib, and that mib already has a spot for this: dhcpv4ServerClientHostName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "T...

akschu

So I'm working on setting up ipsec/l2tp with an ipad. I've done it a number of times on a number of different platforms so I have a pretty good idea on what I'm doing. The problem with the mikrotik is that you can't add an ipsec policy that has a dynamic endpoint: [admin@MikroTik] /ip ipsec policy> ...

akschu

I have a requirement to get the host-name of the dhcpclient in snmp so I can monitor who is on the network. The information is available in the router: [admin@MikroTik] /ip dhcp-server lease> print Flags: X - disabled, R - radius, D - dynamic, B - blocked # ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-...

Search found 45 matches