MikroTik

abubin

There are no other NAT rules and firewall rules (besides the fasttrack dummy rules that I can't remove) in there. Did packet sniffing from the mikrotik. I do see the dst-nat doing it's work changing the dst IP&port. However, I do not see src-nat matching packets. Sorry I didn't get a chance to s...

abubin

To better understand what @tdw wrote, have a look at packet flow description . And: all properties of SRC-NAT and DST-NAT conmmands, except to-addresses and to-ports, are "matching" properties. Which means that they are used to selectively pick packets which will get changed. The two ment...

abubin

I did a torch on the public interface of the mikrotik router and is seeing lots of DNS requests incoming from the internet. I already tried adding the firewall rules to block port 53 (tcp and udp) to no avail. Also disabled the "allow remote requests" in DNS settings. Even removed DNS serv...

abubin

To sum it up;

user 1.2.3.4 5678 ---> our network (src 10.1.1.2 5678) ---> leasedline ---> customer 172.1.1.1 8888

Apologize if my posting is not clear enough. Please do not hesitate to ask any questions. Appreciate any input no matter helpful or not.

abubin

I have a connection coming from outside (WAN) that I need to route it into another network that is connected internally. user (30.1.1.1) ----> mikrotik master (WAN 1.2.3.4 LAN 192.168.1.1) --> mikrotik second (LAN 192.168.1.2 LAN2 10.1.1.2) --> 3com router (10.1.1.1) --> leasedline --> customer (172...

abubin

Can I know why use Mikrotik CHR instead of AWS VPN service? Some feature that AWS VPN does not support? Cause I am trying to connect Mkrotik in my DC to AWS VPN and is facing issues getting it setup properly. My lack of skill with mikrotik is getting the better of me. And the project is due yesterda...

abubin

aws-mikrotikvpn05.jpg I am wondering if line number 4 is needed with firmware 6.48.4. Anyway, I tried with and without that line and still doesn't work. update: something to do with the BGP setting? And the internal IP used? (169.254.30.76/30). I am not sure what these IPs are called. They seems to...

abubin

What you show does indeed indicate phase 1 success. And yes, 6.36.whatever is very old and a device running that version must not be exposed to internet - if it was connected to internet without tight enough firewall rules, netinstall it again (not just upgrade) to a current long-term version (6.47...

abubin

So I upgraded to latest firmware 6.48.4. Did a change on the IPsec policy. PH2 State: established. aws-mikrotikvpn04.jpg However, still unable to communicate between the 2 sides. Probably routing and firewall issue...again, do I have to do anything at the Mikrotik firewall side? Maybe AWS is trying ...

abubin

Manage to get something showing...but AWS there still showings connection down.

Any idea what to check?

aws-mikrotikvpn03.jpg

abubin

Does this means phase1 is success?

How to check phase2 successful or not? I still can't ping any IPs in AWS side. Can't even ping the localhost ip 169.254.30.77 of AWS.

BTW, I have downgraded the firmware to 6.36.3 using netinstall. I am thinking maybe should upgrade to latest firmware version.

abubin

Please bear with me, I am very noob at this. I am trying to connect mikrotik to AWS on VPN. The guide I found are a bit old for firmware 6.36. Trying to connect from behind NAT. There is one guide found which have newer guide but it is slightly different from what I am doing. So far, I am unable to ...

abubin

We have deploy a mikrotik CHR in a cloud environment and manage to establish connection to our client backend that is using Fortigate. However, since the deployment 2 months ago we have been getting random "disconnection" issue. The so called disconnection is not really a disconnection bec...

abubin

The bug happened again yesterday. It is causing problems on our side as we have data transactions by the seconds. Anyone can help shed some light into how to resolve this issue? I have already emailed Mikrotik support but they responded with some setting for us to try which does not work. No respons...

abubin

I am using Mikrotik CHR RouterOS 6.45.9.

abubin

Thank you for the reply. Appreciate your sharing of knowledge. I have encountered another issue on this VPN. Just this morning connection to the other side suddenly failed. Upon checking, I can see the IPsec connection still showing "established". So I tried a quick telnet (from the mikrot...

abubin

I have setup mikrotik with 2 ipsec vpn connection to primary and secondary site. Can I know how I can load balance traffic between them? It can be active-active or active-passive. Preferably active-active. server ----> mikrotik ------> vpn1 ------> primary (192.168.1.1) ------> vpn2 ------> secondar...

abubin

Is that something to worry about? Cause telnet works but right now I am facing some issues communicating with the other side. Maybe it is not related to this error but it is concerning to have this showing in the logs.

abubin

I am facing another problem now. Even though I manage to have 2 of that VPN connection established, I cannot get the routing to work. It is the problem with the routing. /ip route print lags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - bla...

abubin

Hah...got it working. Here is what I changed, [abubin@uatmtik] > /ip ipsec policy print Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default # P TUN SRC-ADDRESS 0 T * ::/0 1 A o yes 192.168.11.34/32 2 A o yes 192.168.11.33/32

abubin

I am trying to setup 2 ipsec vpn connection to a destination that accept both the connection. I think they are using fortigate at their end. I am using Mikrotik CHR running on a cloud instance. Anyway, we have 2 ipsec connection to setup, DR and testing. I have done the configuration as below: [abub...

abubin

To minimize the outage I'd recommed to change all interfaces in a single step; to do that, you need to add [find] to the end of the command instead of interface name. Can I know what is the exact command I should use with [find] command? Sorry, I can't find any reference for this on changing MAC ad...

abubin

So does that means I have to run that command locally? I was thinking of changing the MAC remotely because the router is located in DC. Also, please let me know if any of the mikrotik settings will be reset when I change the MAC addresses. Another question is, should I change the MAC addresses one b...

abubin

I just found out that there are 2 mikrotik sharing same MAC address. Probably from some cloning process that was done previously. My question is, both the devices are running live right now. Does running "reset-mac-address" command cause configurations rules to be reset as well? Will the w...

abubin

Did some tests on VRRP. Here is what I am at: Site B1 (192.168.10.3) ----||---> [ (192.168.10.1) Mikrotik A1 (172.16.10.1) ---->] ---- backend switch [ ] VRRP (dual M/S)(192.168.10.254)<--[ ]---> VRRP (dual M/S)(172.16.10.254) [ ] Site B2 (192.168.10.4) ----||---> [ (192.168.10.2) Mikrotik A2 (172.1...

abubin

Looks like VRRP is the way to go with above. Any comments?

abubin

After some tests and learning experience, I think I got it. I just need to bridge the 2 connections and route the traffic accordingly. The above picture works and I do not need to implement any complicated load balancing setup.....yet. So with the basics out of the way, I would like to take this one...

abubin

Assuming Site B will handle the load balancing (using ECMP). If I setup each line in Site B with different IP then I do not really need to configure load balancing in Site A, right? Site B1 (192.168.10.1) --------------| |----------> Mikrotik (SFP1 192.168.10.2), (SFP2 192.168.20.2) -----> Backend s...

abubin

I am trying to connect between 2 networks using mikrotik. Let's call it Site A and Site B. Connection between the 2 sites will be using SFP. Site A belongs to us and we got a mikrotik CCR1036-12G-4S. There will be 2 lines coming from Site B. So we can setup the two line as either Active-Passive or A...

abubin

anyone have any other ideas? I really need to get this working...

abubin

thanks for the quick reply. i tried removing the script and re-adding but still does not run from run-script or from scheduler. Directly running it or using "/system script run script-b" works

abubin

I have a 2 scripts which have almost same line. Both run fine if I execute them manually. But when I run them from script or scheduler, it won't work. This is really strange and frustrating. The script is as below: script-a /interface ethernet switch ingress-port-policer disable number=0 script-b /i...

abubin

That method works, did you tick in Bridge > Settings button "use ip firewall"??

Yes I did but still doeesn't work...

abubin

tried and it doesn't work. few questions: - why do you use tree queue instead of simple queue? - there is packet-mark being used. It this needed? Did you mark the packet in firewall mangle? - queue being used is "pcq-download-default". But for all ports, default is "only-hardware-queu...

abubin

after doing a little bit more googling, I think I have the idea on how to do this. So basically I will need to group the ports up. Probably create another group called group-lan which is port 17-24. This group will be used for internal IP and VPN. Then I assign locate IP address into this group? Is ...

abubin

wow..good to know it can be done with mikrotik.

Can you provide some guide on how to do this? Perhaps some available tutorial or some sort simple instructions?

Thanks.

abubin

i am new to mikrotik. I would like to know is it possible to have the mikrotik cloud switches set as bridge mode and at the same time configure VPN on it? What I would like to do is have some servers behind the mikrotik using LAN IP. In order to connect to these server, I would need to use VPN. Mayb...

abubin

would it be possible to separate the documentation into v5 and v6? There are a lot of command differences between them and mixing them into same docs is confusing. On top of that all the examples given are for v5 which make it harder for v6 users to get familiar with CRS. I have been trying to weeks...

abubin

hmm..no one can help?

abubin

ok, the method found is simple and nice. But it controls the whole port speed.

Can someone help with getting the queue method working? This method is preferred as it is more granular for controlling traffic rate limit.

Thanks.

abubin

found the easier solution: http://wiki.mikrotik.com/wiki/Manual:CRS_features Bandwidth Limiting Both Ingress Port policer and Shaper provide bandwidth limiting features for CRS switches. Ingress Port Policer sets RX limit on port: /interface ethernet switch ingress-port-policer add port=ether5 meter...

abubin

I just got a CRS125-24G-1S-RM.

We wanted to run it in bridge mode (transparent) and with rate limit.

I have tried following this guide http://wiki.mikrotik.com/wiki/TransparentTrafficShaper

but it is not working. Anyone can provide some help please?

abubin

is this a joke? the problem was reported on Nov 2011 and now it's already 1 year and still not fixed? How can we (system integrator) rely on this product with such bad support? This is a major issue that is a deal breaker for this router. If support is unable to fix it, the company should have reca...

abubin

if you want to fix the cpu-load-high-when-turn-on-wifi-reboot-issue then don't waste your time. Look at the other thread where they discuss about this issue. ros6 does not fix this problem. We tested latest 5.22 firmware and it is even worst. No one is connected to the wifi and it still reboots. I a...

abubin

is this a joke? the problem was reported on Nov 2011 and now it's already 1 year and still not fixed? How can we (system integrator) rely on this product with such bad support? This is a major issue that is a deal breaker for this router. If support is unable to fix it, the company should have recal...

abubin

I also discovered this problem and apparently there are no REAL solution to it. From my research in this forum, found out that because mikrotik hotspot is unable to redirect https connection to hotspot login page. This is problem with https protocol and proxy. Cause hotspot login redirection is some...

abubin

Hai...I Think your DHCP network netmasik is /32, netmask 32 not work with gingerbird...so back to netmask /24 but dangerous with netcut. or change your android with ice cream sandwich :-). soryy my english Awesome!! This solved the problem!! Apparently Android 2.3.x have problem using other than /2...

abubin

wow..is surprised that this is a known problem but no solution yet. I am currently met with this problem as well. MT750. Problem only happen when using android 2.3.x. Android honeycomb 3.x and ICS 4.x does not have this problem. Can login fine. Anyone have any solution? This is important because the...

abubin

I found the solution myself.

Change

:local entry [:pick $line 0 ($lineEnd -1) ]

to

:local entry [:pick $line 0 $lineEnd ]

abubin

I have some script that I need to implement that read certain text file for the content line by line and output accordingly. This script to read line by line were copied from an example in wiki. Excerpt is as below: if ( [/file get [/file find name=text.txt] size] > 0 ) do={ :global content [/file g...

abubin

ok, i found the problem. This is due to the wall.txt file. All the entries in the text file have an empty space at the end of each line. Therefore, mikrotik.com becomes "mikrotik.com ". Note the space after "m". So the mikrotik was unable to resolve the domain names correctly due...

abubin

I have a script that download a text file from remote website. Then it will go through the file line by line to all entry into walled-garden ip list. However, the relevant dynamic entries are not added into walled-garden and firewall filters. I follow example as depicted in this http://wiki.mikrotik...

Search found 52 matches