Search found 93 matches

by LuizMeier
Thu Mar 29, 2018 2:04 pm
Forum: General
Topic: RB 2011 freezes using IPSec
Replies: 0
Views: 265

RB 2011 freezes using IPSec

Hello! I'm having a weird problem with a 2011 rb running 6.40.4 RouterOS. In l2tp-client, if I flag use-ipsec=yes and put the password, the tunnel comes up, but after about 30 seconds, the router freezes. Tried with 6.40.6 and the same issue persists. I can log in via cli or winbox, but cannot ...
by LuizMeier
Sun Dec 03, 2017 3:25 pm
Forum: General
Topic: Firewalling with dynamic IPv6
Replies: 3
Views: 462

Re: Firewalling with dynamic IPv6

Hi, you can do this by scripting. E.g. I change the IPv6 prefix for DNS and IPv6 firewall after every reconnect. Anyway you will run into the next problem, which is caused by Mikrotik's RADV implementation. First ND advertises the DNS server set in "/ip dns", therefore you will not be able to use th...
by LuizMeier
Fri Dec 01, 2017 4:48 pm
Forum: General
Topic: Firewalling with dynamic IPv6
Replies: 3
Views: 462

Firewalling with dynamic IPv6

Hello! I've been wondering and researching if it would be possible to find a way to create some fixed firewall rules to some internal hosts to publish services. My ISP gives a /64 prefix that works right. The problem is that the prefix is dynamic, so I can't have a firewall rule with destination addres...
by LuizMeier
Tue Nov 28, 2017 3:39 pm
Forum: General
Topic: Weird problem to establish L2TP/IPSec in Windows machines [SOLVED]
Replies: 7
Views: 667

Re: Weird problem to establish L2TP/IPSec in Windows machines [SOLVED]

Yes, you should use appropriate firewall rules to avoid that. In fact this touches another issue: when someone connects with L2TP/IPsec and establishes the connection, then loses it without proper close, they still are considered "established" by the firewall and they can connect (from th...
by LuizMeier
Tue Nov 28, 2017 3:10 pm
Forum: General
Topic: Weird problem to establish L2TP/IPSec in Windows machines [SOLVED]
Replies: 7
Views: 667

Re: Weird problem to establish L2TP/IPSec in Windows machines [SOLVED]

Maybe you have the NAT issue described in this topic: https://forum.mikrotik.com/viewtopic.php?f=13&t=128143 You could try the solution found there. I am also still using that solution on my L2TP/IPsec servers. (no time to re-test if it is still required with current RouterOS) And I use only th...
by LuizMeier
Tue Nov 28, 2017 12:45 pm
Forum: General
Topic: Weird problem to establish L2TP/IPSec in Windows machines [SOLVED]
Replies: 7
Views: 667

Re: Weird problem to establish L2TP/IPSec in Windows machines [SOLVED]

pe1chl wrote:
Remove 256 bit encryption from the ipsec peer options. You can keep it in the ipsec proposal.

Hello, pe1chl! Thanks for your response.

I did what you said, but the error is still the same.
by LuizMeier
Mon Nov 27, 2017 7:20 pm
Forum: General
Topic: Weird problem to establish L2TP/IPSec in Windows machines [SOLVED]
Replies: 7
Views: 667

Weird problem to establish L2TP/IPSec in Windows machines [SOLVED]

Good Afternoon! We have set up a VPN on our CCR 1009 (v6.34.4) and we have been seeing some strange problem: when trying to connect via 3G using tethering it does not connect no matter what. It logs an error saying that the key length mismatched, mine: 128, peer: 256. The thing is the Windows client...
by LuizMeier
Thu Nov 16, 2017 7:08 pm
Forum: General
Topic: coexistence between Tunnel Broker and native IPv6
Replies: 3
Views: 518

coexistence between Tunnel Broker and native IPv6

Hello! Am I misunderstanding something or is there no way to have 2 ipv6 gateways to the same gateway, with different weights? My ISP gives me a valid ipv6 address and I also have a Tunnel Broker 6to4 tunnel. I would like, for test purposes, to have He as my secondary default gateway. Strange thing t...
by LuizMeier
Thu Oct 26, 2017 10:09 pm
Forum: General
Topic: IPSec RSA - Failed to get SubjectAltName
Replies: 0
Views: 368

IPSec RSA - Failed to get SubjectAltName

I'm trying to use a L2TP IPsec with certificates, but when I try to connect I get the "Failed to get SubjetaltName" log. The thing is that the certificate was issued with Subject Alternative Name with OpenSSL. I don't know what more to do to get this working. Requested Extensions: X509v3 Subject Alternat...
by LuizMeier
Fri Oct 20, 2017 2:14 pm
Forum: General
Topic: Dynamic L2TP IPsec + NPS + Certificates
Replies: 0
Views: 482

Dynamic L2TP IPsec + NPS + Certificates

Hello, We're moving our VPNs from our Fortigate to our CCR1009. For now we are using the "Use IPSec" flag in L2TP Server and configuring the clients as PSK. The users are authenticating over a Windows Server 2008 with NPS as a RADIUS server. I would like to authenticate the IPSec tunnel with certif...
by LuizMeier
Thu Dec 29, 2016 3:58 pm
Forum: General
Topic: TCP Clamp or clamp-to-pmtu
Replies: 1
Views: 5399

Re: TCP Clamp or clamp-to-pmtu

I'm starting with EoIP. Mikrotik's documentation says I should set the L3 MTU in EoIp interface to 1500. I did it and added the rule to clamp to pmtu via mangle. I'm seeing, in the beginning of the conversation, the hosts saying they will use a MSS of 1460, which seems pretty well counting on 40 byt...
by LuizMeier
Mon Dec 26, 2016 7:37 pm
Forum: General
Topic: TCP Clamp or clamp-to-pmtu
Replies: 1
Views: 5399

TCP Clamp or clamp-to-pmtu

Hello! We have a structure of about 50 sites connected to our HQ. Every branch office has 2 tunnels: one EoIP running over ISP's MPLS and a L2TP tunnel for redundancy in case of problems with MPLS. We have also an OSPF environment running in this layout with no problems. All sites have a RB 2011. The...
by LuizMeier
Thu Jan 28, 2016 8:37 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

All signs point to your router. Can you haxx0r into it and set it to bridged mode? This modem has the wan parts of configuration disabled for end users. I've been looking at it and it may be possible editing the code with the browser. I'm a little afraid of losing the equipment, but I think in the...
by LuizMeier
Thu Jan 28, 2016 7:32 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

For giggles, you could test on "other ISP / NAT router modem" mode - and that would remove all doubt if this also works, and the other ISP's router is the same make/model as yours. Damn! When I tested with my ISP, but bridged modem, I made a mistake. I forgot to create a rule to force the traf...
by LuizMeier
Thu Jan 28, 2016 6:43 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

I think I may now be sure about my ISP blocking the protocol. Some people use IPv6 to get around administrative blocks for things. (I used to get several teredo peers on Bittorrent, for instance). Maybe that's why they're blocking it - or else they have a curmudgeonly old chief engineer who wants...
by LuizMeier
Thu Jan 28, 2016 4:33 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

That is really strange. I can't see why the outbound packets would be ignored by the srcnat. You can confirm by doing a packet capture upstream from the router - but I'm guessing it's a DSL router, so no dice there... I think this is the end of the line as far as my ability to assist goes anyway. F...
by LuizMeier
Wed Jan 27, 2016 9:58 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

That is really strange. I can't see why the outbound packets would be ignored by the srcnat. You can confirm by doing a packet capture upstream from the router - but I'm guessing it's a DSL router, so no dice there... I think this is the end of the line as far as my ability to assist goes anyway. F...
by LuizMeier
Wed Jan 27, 2016 9:42 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

After looking in the router itself and doing some packet capture on the ether1-gateway interface, I see the protocol 41 packets being sent to the Internet and they look correct (both for ping replies and for keepalive packets) I'm not seeing these packets arrive at my router, so obviously they're b...
by LuizMeier
Wed Jan 27, 2016 8:43 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

I've left it running non-stop. Do you see the replies leaving your router? I'm not getting replies from you. I don't see the packets being replied, only the requests. That must be some firewall problem. sit2 is your tunnel. /ipv6 firewall filter add chain=input comment=ZeroByte in-interface=sit2 ad...
by LuizMeier
Wed Jan 27, 2016 8:13 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

I have the 2001:db8:1:1::1/64 now set on my tunnel interface. Okay - I disabled keepalives on my end, and I now have a ping running to 2001:db8:1:1::1 from 2001:db8:1:1::10 The packets look like this: Untitledxxx.png Make this the first rule in the IPv4 filter chain: /ip firewall filter add chain=i...
by LuizMeier
Wed Jan 27, 2016 7:47 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

Is there any setting that you want to see and I didn't post? Go ahead and configure IPv6 address 2001:db8:1:1::1/64 on the tunnel interface. I notice that when my router sends the keepalives, it's from and to :: and the protocol version is set to 0 like you see in the wireshark analysis. I'm also r...
by LuizMeier
Wed Jan 27, 2016 6:20 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

Your keepalive setting shouldn't break the tunnel even if it doesn't match the value (if any) set on HE's end, because it's like a ping. Your side pings their side, and if you get replies then it stays up, as far as your router is concerned. PPP is this way - one side can do "no keepalive" and the ...
by LuizMeier
Wed Jan 27, 2016 3:34 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

Well, the only thing left to do is sniff the packets from Tunnelbroker, capture them to a file on the Mikrotik, and open the capture file in Wireshark. Perhaps you can poke around in that. As far as I can tell, you should put 192.168.100.2 as the local IP of your tunnel, and it should work. If you ...
by LuizMeier
Wed Jan 27, 2016 12:16 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

Well, the only thing left to do is sniff the packets from Tunnelbroker, capture them to a file on the Mikrotik, and open the capture file in Wireshark. Perhaps you can poke around in that. As far as I can tell, you should put 192.168.100.2 as the local IP of your tunnel, and it should work. If you ...
by LuizMeier
Tue Jan 26, 2016 10:09 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

Well, I went reading a little more on the subject and found this blog entry: Behind NAT If you're behind a NAT, the configuration needs to be tweaked a bit. First, you'll want to setup a static IP address behind your router. If your router supports configuration of forwarding more than just TCP/U...
by LuizMeier
Tue Jan 26, 2016 9:30 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

Well, I went reading a little more on the subject and found this blog entry: Behind NAT If you're behind a NAT, the configuration needs to be tweaked a bit. First, you'll want to setup a static IP address behind your router. If your router supports configuration of forwarding more than just TCP/U...
by LuizMeier
Tue Jan 26, 2016 8:50 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

Does anybody know if the tunneling protocol validates the local and remote address in both endpoints?

If so, this is the problem, because for HE, my address is the valid IPv4 address, but for my mikrotik it is the LAN address, because my modem is in router mode.
by LuizMeier
Tue Jan 26, 2016 1:14 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

I have 2 rules on my firewall allowing the 41 protocol as below. /ip firewall filter add chain=input comment=HE protocol=ipv6 src-address=A.B.C.D add chain=output protocol=ipv6 It just dawned on me that I forgot to address this in your earlier reply. First of all, the notes on HE's page specify that...
by LuizMeier
Tue Jan 26, 2016 12:32 am
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

I have 2 rules on my firewall allowing the 41 protocol as below. /ip firewall filter add chain=input comment=HE protocol=ipv6 src-address=A.B.C.D add chain=output protocol=ipv6 It just dawned on me that I forgot to address this in your earlier reply. First of all, the notes on HE's page specify that...
by LuizMeier
Mon Jan 25, 2016 9:46 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

I have 2 rules on my firewall allowing the 41 protocol as below. The problem with my ISP is that they've changed the modus operandi in the last year, providing the new clients access to the internet through CGNAT (but with native IPv6). So I'm afraid of requesting IPv6 and end with CGNAT. Well, that...
by LuizMeier
Mon Jan 25, 2016 9:08 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Re: Tunnel Broker IPv6

Per the Hurricane Electric FAQ page: *Two important notes: Your IPv4 endpoint address must be reachable via ICMP ECHO_REQUEST (Internet Control Message Protocol). If you are using a NAT (Network Address Translation) appliance, please make sure it allows and forwards IP protocol 41. What is IP Proto...
by LuizMeier
Mon Jan 25, 2016 8:20 pm
Forum: General
Topic: Tunnel Broker IPv6
Replies: 33
Views: 2892

Tunnel Broker IPv6

Hello! I always used the HE tunnel to get IPv6 working at home. But now, since I've changed my ISP for one that only gives me an option to connect with my modem in routed mode, I am having problems to connect. Below are my configs: /ipv6 address add address=2001:470:1f07:a84::1 interface=bridge-local...
by LuizMeier
Thu Jun 25, 2015 9:04 pm
Forum: Announcements
Topic: FastTrack - New feature in 6.29
Replies: 237
Views: 144074

Re: FastTrack - New feature in 6.29

Just made a test with queue. Mikrotik just ignores the queues altogether if FastTrack is active. :)
by LuizMeier
Tue Jun 23, 2015 11:00 pm
Forum: General
Topic: IPSec
Replies: 11
Views: 1794

Re: IPSec

Hello,

I've followed this tutorial and I believe that phase 1 is ok. How could I test phase 2?
ip ipsec remote-peers print
0 local-address=X.X.X.X remote-address=Y.Y.Y.Y state=established side=initiator established=48m56
by LuizMeier
Tue Jun 16, 2015 4:49 pm
Forum: Announcements
Topic: FastTrack - New feature in 6.29
Replies: 237
Views: 144074

Re: FastTrack - New feature in 6.29

The feature is great, however its user interface is confusing. I think the fast-track rule shouldn't just mark connections, but should automatically work as "Accept", so that the packets don't fall through to the next rule which is in 100% Accept. That's really weird. I'd expect that only those pac...
by LuizMeier
Mon Jun 15, 2015 9:51 pm
Forum: General
Topic: IPSec
Replies: 11
Views: 1794

Re: IPSec

I assume the other side is using Cisco gear due to the syntax. If that's the case, SHA is 128 and AES too, and this is what is preventing you from getting the tunnel up. I think something has changed. There is a "succeeded" log entry. I suppose that is for phase 1. How can I test (if phase 1 is ok)...
by LuizMeier
Mon Jun 15, 2015 3:22 pm
Forum: General
Topic: IPSec
Replies: 11
Views: 1794

Re: IPSec

I assume the other side is using Cisco gear due to the syntax. If that's the case, SHA is 128 and AES too, and this is what is preventing you from getting the tunnel up. I think something has changed. There is a "succeeded" log entry. I suppose that is for phase 1. How can I test (if phase 1 is ok)...
by LuizMeier
Fri Jun 12, 2015 4:17 pm
Forum: General
Topic: IPSec
Replies: 11
Views: 1794

Re: IPSec

Please look at the site to site section here: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec [admin@MikroTik] /ip ipsec proposal> print Flags: X - disabled 0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024 Hi!, I've tried that, but still get the same thing. I ...
by LuizMeier
Thu Jun 11, 2015 9:14 pm
Forum: General
Topic: IPSec
Replies: 11
Views: 1794

Re: IPSec

Looks like you're having problems completing IPsec phase 1 so it can't go on to phase 2. I take it you're doing a site to site.
That is what I think, but I don't see what I need to change.
by LuizMeier
Thu Jun 11, 2015 4:28 pm
Forum: General
Topic: IPSec
Replies: 11
Views: 1794

IPSec

Good morning! I faced a problem today while configuring an IPSec VPN for one of our providers. They have sent me a document with the configurations I would need to set up to have an encrypted communication with them, since they are a finance company. I will put here the configuration that they sent ...
by LuizMeier
Thu May 07, 2015 2:51 pm
Forum: General
Topic: PPTP + Bridge
Replies: 0
Views: 838

PPTP + Bridge

Hello! I have 2 offices connected through a PPTP tunnel. I followed this and this article and so far it is working, except for broadcast. I have a SonicWall in one of the branches that I would like to give IP address through DHCP to devices on vlan3 in another office. If I set an IP address on a dev...
by LuizMeier
Mon Jan 26, 2015 9:15 pm
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2723

Re: BGP Implementation

Still the same thing here. Tried using bridges instead of interface's addresses, but I still get the same problem. When I need to go through the multihop BGP path, the package doesn't get to the destination because the ISP doesn't know how to reach it. I thought that BGP would send the package to the peer, ...
by LuizMeier
Tue Jan 20, 2015 7:17 pm
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2723

Re: BGP Implementation

Yeah, I thought about that, but will need to test anyway.

Actually I'm already doing it. My first problems were those on my first post. :(
by LuizMeier
Mon Jan 19, 2015 10:25 pm
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2723

Re: BGP Implementation

The only traffic that is sent directly to MPLS is the one to accomplish the EoIP tunnel.

There are static routes at the branch and the HQ to make this tunnel work.

The core router decides the path between EoIP or PPTP by OSPF costs.
by LuizMeier
Mon Jan 19, 2015 7:30 pm
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2723

Re: BGP Implementation

How we work today: 1) Traffic comes from WAN, passes through my firewall and then reaches QEMU1 Mikrotik, which is the PPTP manager. Each PPTP tunnel has 172.20.1.X/32 network. 2) QEMU1 is on the same subnet as QEMU2 (EoIP manager with 10.1.X.0/30 network for tunnel) and Cisco's ISP router. 3) The ad...
by LuizMeier
Mon Jan 19, 2015 6:32 pm
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2723

Re: BGP Implementation

They don't give this option to clients. Besides that, I don't trust them 100% to depend in case of problems.

I would like to leave the minimum of work on their hands.
by LuizMeier
Mon Jan 19, 2015 3:57 pm
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2723

Re: BGP Implementation

Celtic, I presented it that way to make the topology easier to understand, but actually I have over 4 ISP's routers between my HQ and branch. And yes, I understood (correct me if I'm wrong) that I cannot make adjacencies on OSPF through that way, since OSPF only talks with neighbors that can receive ...
by LuizMeier
Mon Jan 19, 2015 3:27 pm
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2723

Re: BGP Implementation

Celtic, Sorry for the missing information. 1) HQ is the area from SW1 to SW2, including QEMU2 and QEMU1; 2) Branch is the area with QEMU3; 3) The network 172.20.0.0/30 is to illustrate PPTP; 4) EoIP runs over R1 and R2, which illustrate the MPLS circuit provided by my ISP. Yes, I still have MPLS and P...
by LuizMeier
Mon Jan 19, 2015 2:48 pm
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2723

Re: BGP Implementation

BGP will indeed typically be slower to respond than OSPF using default settings. I lost track of your original thread but it seemed at that time that your application was very well suited to OSPF - given that it is a link-state protocol and your application essentially came down to link states. Wha...
by LuizMeier
Fri Jan 16, 2015 8:57 pm
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2723

BGP Implementation

Hello Guys! After dealing with this problem, now BGP has come back to me. My manager now wants to end with the EoIP tunnels, so we can make the things a little easier, and wants me to implement BGP. I am new at BGP and just have made some tests when I've started with the OSPF implementation. Now ...
by LuizMeier
Tue Jan 06, 2015 2:12 pm
Forum: Forwarding Protocols
Topic: PPTP and OSPF issue
Replies: 7
Views: 2374

Re: PPTP and OSPF issue

I did the same thing with the "2 gw per route" issue. Used 2 tunnels with 2 different peers, so I have also redundancy. My problem was, actually, the size of routing table. I thought OSPF would summarize the routes that pass over HQ, so it would not need to learn all routes. For example, to reach t...
by LuizMeier
Tue Jan 06, 2015 12:42 pm
Forum: Forwarding Protocols
Topic: PPTP and OSPF issue
Replies: 7
Views: 2374

Re: PPTP and OSPF issue

Hello! Nope, didn't find any answer for what I was intending to do. For now, we're working with OSPF on just one area. In the first time, I "solved" the problem using routing filters, but it became a problem when I needed to publish other routes. So, I'm now living with a big routing table on all my...
by LuizMeier
Mon Sep 29, 2014 6:53 pm
Forum: RouterBOARD hardware
Topic: System rebooted because of kernel failure
Replies: 29
Views: 23265

Re: System rebooted because of kernel failure

I just did the upgrade from 6.11 to 6.19 and after that it rebooted twice by kernel failure. After the third reboot, it stopped. Maybe because I changed some VRRP scripts? This RB is being used on a test environment (thank God!) for VRRP. I will use it and other RB1200 (that has been upgraded as well...
by LuizMeier
Mon Sep 29, 2014 6:24 pm
Forum: RouterBOARD hardware
Topic: System rebooted because of kernel failure
Replies: 29
Views: 23265

Re: System rebooted because of kernel failure

I'm having this same issue on a 1100AHx2 /system resource print uptime: 1h3m21s version: 6.19 build-time: Aug/26/2014 14:05:51 free-memory: 1485.8MiB total-memory: 1518.7MiB cpu: e500v2 cpu-count: 2 cpu-frequency: 1066MHz cpu-load: 0% free-hdd-space: 88.2MiB total-hdd-space: 128.0MiB architecture-na...
by LuizMeier
Fri Sep 26, 2014 10:04 pm
Forum: Beginner Basics
Topic: log: excessive or late collision, link duplex mismatch ????
Replies: 24
Views: 49424

Re: log: excessive or late collision, link duplex mismatch

I solved this issue opening a ticket with my ISP.

In my case, the problem was the ISP router's port, which was not in Auto mode. And no, the ISP didn't tell me which was the value configured before.
by LuizMeier
Wed Sep 24, 2014 4:58 pm
Forum: General
Topic: Routing IP/Cloud
Replies: 0
Views: 457

Routing IP/Cloud

Good Morning,

Can anybody tell (or know) which is the address of the resolver for Cloud service? I have multiple gateways and want it to use a specific link to generate my sn.mynetname.net.

Thanks in advance.
by LuizMeier
Mon Aug 25, 2014 2:38 pm
Forum: Forwarding Protocols
Topic: PPTP and OSPF issue
Replies: 7
Views: 2374

Re: PPTP and OSPF issue

Hello CelticComms, Sorry, I forgot to put them here when I cleaned the results for security. :) Branch /routing ospf network add area=backbone network=10.25.44.0/23 add area=backbone network=172.20.1.1/32 add area=backbone network=172.20.2.1/32 HQ add area=backbone comment="VLAN 25" network=10.254.2...
by LuizMeier
Thu Aug 21, 2014 9:25 pm
Forum: Forwarding Protocols
Topic: PPTP and OSPF issue
Replies: 7
Views: 2374

PPTP and OSPF issue

Hello! I'm having some troubles with branches with 2 PPTP tunnels running with OSPF: I have 2 tunnels on these branches for redundancy. Each PPTP tunnel connects to a different link on my HQ and goes out by a different link on branch. It's something like PPTP-1 connecting from branch's ISP1 to HQ's I...
by LuizMeier
Thu Aug 07, 2014 2:40 pm
Forum: Forwarding Protocols
Topic: VRRP - Multiple Addresses
Replies: 13
Views: 2903

Re: VRRP - Multiple Addresses

mrz,

Thanks for your help. I'll try the setup and will return for feedback.
by LuizMeier
Thu Aug 07, 2014 2:31 pm
Forum: Forwarding Protocols
Topic: VRRP - Multiple Addresses
Replies: 13
Views: 2903

Re: VRRP - Multiple Addresses

Let's assume that I'll need VRRP on all addresses, considering high availability. 1) Create one VRRP interface for each interface I want to be redundant. That VRRP needs to be bound to each redundant interface. 2) One ip address of each network on each interface, plus the floating IP on that interf...
by LuizMeier
Wed Aug 06, 2014 9:37 pm
Forum: Forwarding Protocols
Topic: VRRP - Multiple Addresses
Replies: 13
Views: 2903

Re: VRRP - Multiple Addresses

Let's illustrate it a little bit: /interface eoip add local-address=10.254.254.5 mac-address=FE:CB:B4:0B:B3:D2 name=teste remote-address=10.254.54.253 tunnel-id=54 add local-address=10.254.254.5 mac-address=FE:9E:1C:A3:A6:1B name=teste1 remote-address=10.254.18.253 tunnel-id=18 /interface vlan add in...
by LuizMeier
Wed Aug 06, 2014 3:10 pm
Forum: Forwarding Protocols
Topic: VRRP - Multiple Addresses
Replies: 13
Views: 2903

Re: VRRP - Multiple Addresses

For example: three networks 10.1.1.0/24, 10.2.2.0/24, 10.3.3.0/24. First one is used by vrrp. vrrp runs on ether1 then config /interface vrrp add interface=ether1 /ip address add address=10.1.1.1/32 interface=vrrp1 add address=10.1.1.2/24 interface=ether1 add address=10.2.2.1/24 interface=vrrp1 ad...
by LuizMeier
Wed Aug 06, 2014 2:50 pm
Forum: General
Topic: SNMP information
Replies: 13
Views: 2596

Re: SNMP information

49er,

If you are using the Zabbix tool for monitoring, I recommend you do some study to understand the tool you are using.

To create items and templates, you can take a look at the documentation. :)
by LuizMeier
Wed Aug 06, 2014 2:48 pm
Forum: Forwarding Protocols
Topic: VRRP - Multiple Addresses
Replies: 13
Views: 2903

Re: VRRP - Multiple Addresses

Thank you for the replies, but I think I am not getting this clearly on my mind. If I have various IP addresses on various interfaces, how could I manage this to work with VRRP? Maybe I am thinking wrongly, but I would need to configure all my interface addresses on VRRP interface right? To do so, h...
by LuizMeier
Tue Aug 05, 2014 5:02 pm
Forum: General
Topic: SNMP information
Replies: 13
Views: 2596

Re: SNMP information

You can use auto discovery and enter the oid one level higher, it will discover all interfaces and available snmp info
Plus, you can also use a regular expression to filter the interfaces you want. :)
by LuizMeier
Tue Aug 05, 2014 4:57 pm
Forum: General
Topic: SNMP information
Replies: 13
Views: 2596

Re: SNMP information

49er, You can use the dynamic index of Zabbix's SNMP. It reads the index and then captures the data of the respective interface. For example (assuming you're using an SNMP type key), configure the OID like I'm putting below: IF-MIB::ifInOctets["index","ifDescr","{$INTERFACE1}"] It will read the index of ...
by LuizMeier
Tue Aug 05, 2014 4:47 pm
Forum: Forwarding Protocols
Topic: VRRP - Multiple Addresses
Replies: 13
Views: 2903

Re: VRRP - Multiple Addresses

One VRRP for multiple addresses.
And with that, one additional IP on each router for each floating IP, right?
by LuizMeier
Tue Aug 05, 2014 4:13 pm
Forum: Forwarding Protocols
Topic: VRRP - Multiple Addresses
Replies: 13
Views: 2903

VRRP - Multiple Addresses

Hello! We have an environment with 2 sites (one core and other as a backup site) and 1 RB 1100 on each. Today, we have different functions for them, like types of tunneling and we have redundancy with OSPF protocol. We bought 2 CCR's 1009 and we're thinking of putting VRRP in production. The transport...
by LuizMeier
Tue Aug 05, 2014 4:04 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

Did you resolve the OSPF branch office stub config? Celtic, Sorry for the delay in my response. I was on vacation, so no Mikrotiks for me on that period. :) We "solved" the problem by filtering the routes on border's routers. I accepted only the routes I wanted there making sure that it would not bra...
by LuizMeier
Fri May 30, 2014 8:42 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

Can you upload the print output from /router ospf lsa on the branch router so that we can see its view. That should let us see the LSAs it is receiving at the moment. [admin@RB2011-BARI-JOINVILLE] > routing ospf lsa print detail instance=default area=bari-joinville type=router id=10.255.35.255 orig...
by LuizMeier
Thu May 29, 2014 9:36 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

Thanks for your reply! Both hub routers should end up knowing both routes within OSPF but only the currently active route (as determined by OSPF) is inserted in the main routing table. You can see which routes are being advertised to either of the hub routers by looking at LSAs. I suggest that you u...
by LuizMeier
Wed May 28, 2014 8:47 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

What costs do you have on the two links to the branch and on the link between the 1100 routers? The total cost of the path to the branch from either router must be lower on the EoIP path. e.g. if the cost of the path between the routers is 10 and the EoIP branch path is 20 then you would make the b...
by LuizMeier
Wed May 28, 2014 6:15 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

Check that both links are configured for OSPF and have their networks included in the branch area. On the branch router you should show 2 neighbor entries - one at end of each link. You can also check the body of the LSA and see if it shows both paths. Make sure that interface costs are assigned co...
by LuizMeier
Tue May 27, 2014 11:52 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

R2 seems to have inject-summary-lsas=yes on the stub area. Check that the branch routers and their links from head office only have stub area settings on them now. The head office router should be carrying out the ABR function. If above doesn't show a difference after correcting perhaps more config...
by LuizMeier
Tue May 27, 2014 2:36 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

I must be doing something wrong. Even making another area for the branch, like NetNotGross said, I am still receiving the routes from the backbone area. It is about 50 routes. All the routes related to that branch were declared on new area. /routing ospf network add area=bari-joinville network=10.25...
by LuizMeier
Mon May 26, 2014 6:43 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

You can advertise networks simply by declaring them in OSPF networks. The system creates dynamic interfaces for any interfaces included within the network definitions. If you want more control over things like cost, network-type, authentication etc. then it is normal to create interfaces manually. T...
by LuizMeier
Mon May 26, 2014 4:56 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

You absolutely can choose which path you would like to select. Weight or Local Preference can be used to control outbound traffic and Prepending or MED can be used to control inbound traffic - there are many ways to get things done in BGP but those are the basic mechanisms. Can you post the output o...
by LuizMeier
Thu May 22, 2014 7:02 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

You see there is 2 routes for 10.25.35.0, one with 200 and other with 20 distance. Even with 20/200 on both he chooses PPTP. He turned 200 when I removed multihope on PPTP. Can't I put by myself the weight for the preferred path? [admin@RB2011-BARI-JOINVILLE] > ip route print Flags: X - disabled, A ...
by LuizMeier
Thu May 22, 2014 3:51 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

As to your other questions, if you already have a /32 route to the far end peer, then you don't need to add one. I was just letting you know that you don't need a default route just for the BGP peering. You're saying that I wouldn't need at least one static route to 10.254.35.253/32 to get BGP esta...
by LuizMeier
Thu May 22, 2014 2:56 pm
Forum: General
Topic: Zabbix Template
Replies: 17
Views: 24553

Re: Zabbix Template

There are many Zabbix applets for Android. I can't believe that at least one is not good for you.

About the script directory, if you don't know where it is, you always have the choice of using your script as UserParameter.


Isn't that mtapi.php required in the same directory?
by LuizMeier
Wed May 21, 2014 11:48 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

As to your other questions, if you already have a /32 route to the far end peer, then you don't need to add one. I was just letting you know that you don't need a default route just for the BGP peering. You're saying that I wouldn't need at least one static route to 10.254.35.253/32 to get BGP esta...
by LuizMeier
Wed May 21, 2014 10:46 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

Looks like you are making progress! 1) Use the same AS for both of your centralized 1100 routers and peer them to each other. 2) Use a different AS number for each remote site - this will simplify traffic management and routing. 3) As long as the BGP peer has a route to the other peer, they don't h...
by LuizMeier
Wed May 21, 2014 3:59 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

Hello! I have some doubts about BGP. I was reading this article and I would appreciate some tips: 1) Will I use the same AS number for all routers, right? 2) Can I use a remote address of peer, even if it isn't directly connected(physical or through any tunnel)? 3) Should I use, in my case, the dist...
by LuizMeier
Tue May 20, 2014 9:43 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

The branch offices access the internet through HQ, so they will pass over our firewall to get the traffic filtered. Are you securing the path via the ISP's MPLS? If so how? No, I'm not. I assumed that it would not be necessary, once the traffic in this link is only ours (at least we pay ISP for that...
by LuizMeier
Tue May 20, 2014 2:57 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

We have in each branch office one MPLS(EoIP) and one Internet(PPTP) link. In the past we used to use scripts to check the gateways and change the priority of routes. But with the enlargement of our network, it began to seem a little bit dumb to suffer with 50 scripts on HQ than make a dynamic topol...
by LuizMeier
Tue May 20, 2014 2:30 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

My revised recommendations are: 1) Take a test site and connect it via BGP instead of OSPF (you shouldn't need an EOIP tunnel for BGP 1) It is very common in larger private networks now to use an autonomous system number per site so pick an AS for the 1100s and then use a new AS for each remote sit...
by LuizMeier
Mon May 19, 2014 6:34 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

Thanks for all replies! The primary concern is the workload and organization. As you guys said, the 2011 is strong, and I don't need to have preoccupations about that. What I understood from IPArchitect is if I do that setup, I will receive in the 2011's just the summarized route to areas 1 and 2. It...
by LuizMeier
Fri May 16, 2014 8:39 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

Is the primary concern that there are too many routes on the branch RB2011s? I would have thought that the RB1100s can easily cope with the number of routes they would be seeing. My primary concern is the best way to maintain an available infrastructure without the need of a manual intervention. Tha...
by LuizMeier
Thu May 15, 2014 8:55 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

It sounds like you have an MPLS L3VPN from the carrier What routing protocol is the carrier using to hand off the MPLS connection? If it is BGP, you might consider using BGP end to end for 50 sites and simplify your routing. What I know, by peeking some configs during one maintenance, is that they a...
by LuizMeier
Thu May 15, 2014 3:10 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

Re: OSPF Redundancy and Summarization

Thanks for your reply! So is this just a typical setup? As in are other branch offices just like the one mentioned here? Yes, there is another 4 branch offices running like that. And besides that, we are changing our topology to be this way on other ~50 branch offices. The only way you can summarize...
by LuizMeier
Wed May 14, 2014 5:06 pm
Forum: Forwarding Protocols
Topic: OSPF Redundancy and Summarization
Replies: 58
Views: 10234

OSPF Redundancy and Summarization

Good Morning, My problem: Too many routes on the routing tables in all routers. They are adding one route for each tunnel for each branch office that I have OSPF in. I saw some articles about summarization of routes here and that by adding more areas. My doubt is if I would have problems in summariz...
by LuizMeier
Fri Apr 04, 2014 12:28 am
Forum: Forwarding Protocols
Topic: OSPF Behaviour
Replies: 1
Views: 994

OSPF Behaviour

Good Night! I searched on the documentation and didn't find any quote about a behaviour on my RB1100. I will try to show you my topology. I have a lot of branch offices connecting with my HQ through MPLS from the same ISP. As redundancy, I have one RB2011 connected with HQ through a PPTP tunnel. Once...
by LuizMeier
Wed Sep 26, 2012 12:16 am
Forum: Wireless Networking
Topic: Disconnect client issue
Replies: 0
Views: 883

Disconnect client issue

Hi, I'm using a RB751G router and I'm having such problems to connect a printer to it. The printer is a HP 1102w. I already enabled the debug logs and here they are: /log print 17:39:04 wireless,info 68:B5:99:8A:02:A2@wireless-main: connected 17:39:41 wireless,debug wireless-main: 68:B5:99:8A:02:A2 ...