MikroTik

SomeYoungGuy

I am attempting to automatic the creation of Mikrotik CHR Instances on the AWS platform. I can correctly start up an instance, from the Marketplace... then make the necessary changes steps etc, to get the Instance in the condition I want... however when I create an AMI Image from the instance... sub...

SomeYoungGuy

OH MY WORD... it worked!!! Ok, so it now on "6.45.1" sable. It rebooted... VPN connecting again failed, something about "no auth method found..." ok, so I went to ipsec peers, and removed what seemed like a converted peer from the old config. I noticed that the peer config is now totally different a...

SomeYoungGuy

Clicked "download & Install"... hold thumbs

SomeYoungGuy

<EC2_live_instance_ip> <- this is the IP i used to actually connect to the VPN Server. So it is a public IP? That doesn't make much sense to me but I don't know the AWS environment. Does it assign a public IP to the CHR or what? What do "/ip address print" and "/ip route print" on the CHR show? The...

SomeYoungGuy

https://saputra.org/threads/setup-mikro ... server.31/

This guy seems to have a solution, that he said was tested on AWS.

SomeYoungGuy

Do I now need to DST-NAT my router back to my MAC? No, you don't. The firewalls can see only the IPsec layer, which is a UDP connection initiated by the client (PC) towards server's port 500, followed by another connection initiated in the same direction but to port 4500 once the existence of NAT i...

SomeYoungGuy

This is the output: /ip ipsec policy print where dynamic Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 0 D src-address= <EC2_live_instance_ip> /32 src-port=any dst-address=<my_route_live_ip>/32 dst-port=any protocol=udp action=encrypt level=require ipsec-protocols=esp tun...

SomeYoungGuy

Ok, so... thinking about this... im making an assumption... form the AWS side, im having to open ports with my typical thinking that the new connection is being established out side AWS, so the security group must open ports etc, to let traffic flow in... but now i have not looked at my ISP side... ...

SomeYoungGuy

Ok, whats the fix?

/ip route check <live_pc_ip>
status: ok
interface: ether1
nexthop: 172.31.0.1

SomeYoungGuy

P.S. I created a "allow all" rule on the security group, just to make sure it wasn't the AWS firewall blocking something... same result.

SomeYoungGuy

This is the results: /ip ipsec installed-sa print Flags: A - AH, E - ESP 0 E spi=0x7E507F0 src-address=<live_pc_ip>:4500 dst-address=172.31.1.180:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="491995ca8480d61xxxxxxxxxxxxxx21d18f2a8ee" enc-key="74f34e9b83d8c13ef7xxxxxxxxxxxxxxx...

SomeYoungGuy

[admin@My VPN Server] > export # jul/06/2019 09:56:04 by RouterOS 6.34.1 # software id = # /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ppp profile set *0 only-one=yes set *FFFFFFFE only-one=yes use-compression=yes use-mpls=no /interface l2tp-server s...

SomeYoungGuy

The debug with replacements for the ip ... 08:29:22 l2tp,debug,packet rcvd control message from <my_live_pc_ip>:54385 to <my_router_local_ip>:1701 08:29:22 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0 08:29:22 l2tp,debug,packet (M) Message-Type=SCCRQ 08:29:22 l2tp,debug,packet (M) Protoco...

SomeYoungGuy

Im running a wrireshark trace on my mac... it seems ESP cannot communicate(no response packets), but the ISAKMP was successful (reply packets found). I don't mean to sound obvious here... but AWS is extremely popular and Mikrotik is rather popular too... so too are Mac Computers.... I would have tho...

SomeYoungGuy

The output is now in debug... but i think there is a lot of personally identifying information... The one thing that i see a lot of is: 08:29:41 l2tp,debug,packet sent control message (ack) to <my pc live ip> :54385 from <this router LOCAL address> :1701 08:29:41 l2tp,debug,packet tunnel-id=6, sessi...

SomeYoungGuy

I'm suspicious that its to do with NAT... i have nothing on the router other then a blanket masquerade. But my understanding then is that WAS probably are not altering the packets on the way out, so packets may appears to come from the EC2 instance local IP address.

SomeYoungGuy

I would assume iphone and Mac use IPSEC...

The output log is still the same:
14:47:12 l2tp,info first L2TP UDP packet received from xxx.xxx.xxx.xxx

SomeYoungGuy

Im using a Mac, or an iPhone

SomeYoungGuy

I get it, PPTP VPN's are bad news because of a bunch of reasons, so Apple removed support for it... but gosh it sure was easier to use... Im attempting to get my mac, or iphone to connect to a hosted Mikrotik that I have in AWS, I have created am EC2 instance running "Cloud Hosted Router-6-34-1" at ...

SomeYoungGuy

Well, I was able to set something up just now - something that i realized is that, going to the speedtest site, and clicking the "GO" button cant really test your internet connection... it can only test what your browser session is able to download at right now... if your sister in the other room is...

SomeYoungGuy

Lets assume my ISP is perfect - but at some times during the day, my router is at full capacity of the fiber line - lets say that's 20mb/s Let's for the argument sake say I set up a "voip" queue, and an "all-other-traffic". (I have marked my voip traffic with a mangle rule, so that's sorted.). Now I...

SomeYoungGuy

Hi all, Let's take voip for example - as the moment voice data and say YouTube data are fighting for priority in my router... I just want to say... ok, all traffic to and from this IP (known static) must be prioritized over any other traffic. All I seem to come across is "queues", but they seem unre...

SomeYoungGuy

I need some help to achieve something. I have two Mikrotik routers that i'm in control of, one is the CPE, and the other is the head-end (HE) in the dater-center. I have 2 live IP address assigned to the HE, and am able to make 2 independent VPN connections to the router. My CPE can establish these ...

SomeYoungGuy

I think your snag is in the route-lookup section and specific to traffic originated on the box. Oddly enough we had a similar situation with Cisco iWAN. I could look up the details but it ended up that we routed the traffic 1 hop in and then back out so the router saw it like it would any other tra...

SomeYoungGuy

EDIT: I just tested this, both the connection-mark and policy-routing mangle get hit by the internal service but it doesn't seem to get a match in the routing-table. I suspect internal services do not respect routing-marks during route-lookup. Maybe MikroTik can post to clear it up more officially....

SomeYoungGuy

Yip, that's pretty much what i tried... The SYN packet is sent, and it cant/doesn't get a SYNACK. Anything going in, doesn't go out, unless i have a default route out that doesn't have a Routing mark requirement. Remember the use case here is that direct VPN connections to this actual router will be...

SomeYoungGuy

I'm busy setting something up, that should be quite easy, but something seems to be failing. I want to set up the router as pretty much a VPN server only, so i don't need any other traffic flowing over it other than whats comes in over the VPN, and i want it setup in a multiple WAN senarios, so that...

SomeYoungGuy

We recently installed a new router in our VoIP environment. It's the CCR1009-8G-1S-1S+, and was sold to use as being able to handle "many millions of packets" - our experience was not so. Remember specifically this for almost pure VoIP. We found that firstly Mikrotik have no clue what so ever about ...

SomeYoungGuy

In goggling around i'm not seeing much and what i do see is contradictory. Lets say i have a very busy HTTPS server (note the "s"... yes, with certificate), so now i have 4 or 5 clones, exported the certificate to each server etc. Locally each web server works perfectly on each respective local ip a...

SomeYoungGuy

My final thoughts on this is that bonding EOIP links seems like the right way to do this - but the problem is that on either side there is no "buffer" to re-order the packets or drop the late duplicates - if there is there sure isnt any setting -ie "buffer in milliseconds: XXX". So until this is a f...

SomeYoungGuy

I saw this: http://wiki.mikrotik.com/wiki/Traffic_P ... lemetation

It uses "priority". Is this going to be strong enough to force a HTTP packet out the way of a SIP/RTP packet?

SomeYoungGuy

Yes, correct, thats, my question... how do a say:
Queue 1 = 1MB/s
Queue 2 = "the rest"

SomeYoungGuy

Its just an example, it could be 512kb/s

SomeYoungGuy

Consider this: Our client has say ADSL or 4G or 3G, whatever. The point is that there is "some" speed in it, but it not absolutely predicable like say diginet of fibre. Now lets say I want to reserve 1mb for VoIP, and "the rest" for everything else. How can i configure my Mikrotik to perform the QOS...

SomeYoungGuy

This document: http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation makes reference to an optional sequence number, and if i inspect the GRE packets on the Mikrotik, i notice that outgoing packets have an incrementing sequence number referred to as an "Identifier" (if memory serves). I'm using...

SomeYoungGuy

Hi all, whats the mangle rules for setting up my Mikrotik as a VPN server with multiple WANs. The main difference with all the hundreds of Dual WAN load balancing example is that In NOT load balancing, if you come in on ISP1, you go out over ISP1. Technically i want to be able to disable the general...

SomeYoungGuy

Hi ytuxedo002, yes, i know ViBE well, we do in fact use it. This solution is intended for clients that are not prepared to pay the license fees changed by Voipex, but want some kind of dual voice link to us. I'm at exactly the same point as you - but my findings showed that the underlying RTP stream...

SomeYoungGuy

There is a concept called RAIN: Redundant Array of Internet Nodes Redundant Array of Independent Nodes Redundant Array of inexpensive Networks Redundant Array of Internet Networks How ever you want to phrase it, the point is that the concept refers in some way creating a Network along multiple paths...

SomeYoungGuy

After days of fiddling with this, im still no further to solving the packet loss. Right now, there is a phone, an RB750, 4G Router, the Internet an RB 2011 and then Asterisk If the phone uses the RB750 as a router and the traffic is directly routed to the Asterisk box... audio is perfect. If the RB7...

SomeYoungGuy

FYI: I have completed this task to some level of success, but still the packet loss over SIP is noticeable, see findings here:
http://forum.mikrotik.com/viewtopic.php?f=2&t=86215

SomeYoungGuy

And to answer your questions: I need the PPTP, to establish the connection because it will connect through an existing client firewall without modification or port forwards. EOIP on it own would probably require the return tunnel to have ports opened on the client end. Also EOIP needs to know the cl...

SomeYoungGuy

Well this has been rather interesting... Firstly voice quality over VPN and EOIP, isn't great, im getting quite a lot of packet loss, even tho i have plenty of bandwidth, and low latency. here us what i manged to do and what my findings where... maybe there is something more i can do. 1. create pptp...

SomeYoungGuy

If not, use pure un-encrypted EoIP. Absolutly no requirement for security, this is a replacement for straight SIP of general internet, but right now SIP over general internet is winning the race - quality is far better with-out any VPN or anything. Will you ONLY be running SIP over the EoIP tunnel,...

SomeYoungGuy

Ah right... and you technically cannot loses any packets when you send them (and since there is no ACK)... the only way to test the other direction would be to setup another receive from the server side. So now this begs the question - in order to transmit SIP traffic - what "special" conditioning s...

SomeYoungGuy

You have probably answered this question in your head before reading this... "packet loss over the VPN = MTU is wrong"... right? but where!?!? Do this with me, but remember my two sites are across the internet, and im connected to the internet via 4G... MT SERVER Enable PPTP server... settings defau...

SomeYoungGuy

I followed your configuration, and got Dual WAN working great, now im looking for a way to adapt this to act only on a VPN, so i can specifically route traffic over a VPN, and the VPN has the benefit of the dual WAN configuration. So far what I have is two VPNs VPN1 and VPN2, they are connected and ...

SomeYoungGuy

i have examined this post an the video, but im confused about something... in their examples, and of course in all the other examples i have seen, people use example 111.222.333 blahblah ips, what are they saying about this?? at the same time the guy in the video said, this this does not work over t...

SomeYoungGuy

Hi all, im hoping to be pointed in the right direction here. What im looking for is a way to establish a VPN that will simply never go down.... ever! here is the scenario: i have 2 sites, and i control both ends, lets say two offices; head office and office 1. Head office has two internet options, b...

SomeYoungGuy

I hope like crazy this gets to you guys at MikroTik . When a VPN connection established please could you refresh (or something) the connections list (even "assured" connections), because if you are using SIP, the already established connections DO NOT update to using the newly established VPN connec...

SomeYoungGuy

Here is the situation: [Microtik] <-> [server] server has 2 live IPs in it in a /27 and /29. The networks extent to the MKT, and one of both the /27 and /29 is the gateway ip assigned to the MKT. ie [server]-----------[Mikrotik] 41.XX.XX.2/29------41.XX.XX.1/29 51.XX.XX.3/27------51.XX.XX.1/27 GW: 4...

SomeYoungGuy

Hi, I would like to work with multiple gateways, but no default gateway. We are ending up with traffic coming on one way and leaving another (via the default gateway). Consider this, we have a router with two live IP's, we want traffic that comes in on IP 1 (provided by ISP 1) to leave out via the w...

SomeYoungGuy

Hi guys, this is the scenario: We have two IPS, and may have more ISP1 is general internet and ISP's 2 - x are voip providers. so naturally we make a default gateway as 0.0.0.0/0 in the route section to point to ISP1. Now... we have just been giving ISP2's ip block from them, a X.224/29, so i assign...

SomeYoungGuy

For those who stumble across this post - here is the solution: We had no joy from the ISP - they where not interested in making any modifications. fair enough. So we got another RB750 to "terminate" the fibre. This way the new RB750 (let's call this the Fibre Terminator router) was always available ...

SomeYoungGuy

I think i see what the problem is, but im not sure how to fix it. In the IP > Routes section, the Routes are correctly defined, however if i tab over to Nexthops, i notice that the HQ link (PPPoE link) does not appear. I cant ping it, but it sure is established, and DOES work. See i think at the tim...

SomeYoungGuy

Right, i have done what you said, still the same problem this morning.

I have the prerouting mark and the Pref Source, still the same thing!

Does it make any difference to mention that the HQ link is established with a PPPOE while the GQ link is a Ethernet (Diginet) connection.

SomeYoungGuy

Thanks for the help joshaven, ill give that a go, and let you know. Last night i came across the "Pref. Source" setting in the Routes section. In reading about it - it seems that this is exactly the setting it getting "confused" about. It says: Which of the local IP addresses to use for locally orig...

SomeYoungGuy

Nope, its just happened again, about 10 of the 20 or so phones are not online because the Reply Dst. Address is "wrong". The connections have a timeout of about an hour, so it seems like it could happen as often as every hour. Please explain the "correct" way to do this reliably? You mentioned "tagg...

SomeYoungGuy

Ah... that's the thing i was looking for. I take it, this is like "SIP ALG".

I have disabled it, will see how it goes over the next few days.

SomeYoungGuy

No marking, no nothing, the router is pretty much "out-the-box", with just that one additional route in the IP > Routes section.

SomeYoungGuy

Hi all, we have a very strange issue that has suddenly come up. We have two internet connections connected directly to our MTK router, and with it two "live" IPs. One is High-Quality, but costs per gig, and the other is Good-Quality, uncapped. So we obviously route our calls via the HQ link and the ...

SomeYoungGuy

Hi guys, I would like to set up a high-speed VPN... the connection speed should be exactly the same speed as a native connection speed. Here is the situation: I have a private network containing arbitrary information and communication. Nothing is "sensitive", but I want clients to "authenticate" bef...

SomeYoungGuy

Thanks for the reply, There are two cisco switched connected to the two Ethernet ports. The entire networks is setup for redundancy. Its a complete A/B network. Every devices is replicated, and sends each packet on both the A and B network. The A and B networks are connected at the switch(s). I supp...

SomeYoungGuy

Hi all I have bond0 from (Ether1 and Ether2) in broadcast mode. Ether1 has a mac address of: D4:CA:6D:97:B7:58 Ether2 has a mac address of: D4:CA:6D:97:B7:59 Bond0 has a mac address of: D4:CA:6D:97:B7:58 (same as Ether1, I suppose this is right?) I have assigned a static IP 192.168.1.105 to bond0. I...

SomeYoungGuy

Hi guys, we have a router connected to the internet, and our internal network is say 192.168.1.0/24 so connections are NATed and thats how we get internet... pretty simple. If i Google "whats my ip" (from my PC), we get the ISP provided live IP, as you would expect.... again nothing tricky here. But...

SomeYoungGuy

Ok, so i have a VPN client (MikroTik) connected to a VPN Server (whatever), and the VPN client with an IP of say 192.168.1.1 is our PC's gateway... right bog standard! For what ever reason i want to route all my "internet" traffic via the VPN. Now i cannot add another default route something like: d...

SomeYoungGuy

Ok... ill answer my own question!

Go to IP > Neighbours... Tab to "Discovery Interface", and enable "Bond0" (or whatever you called it).

Now was that so difficult? I have been clicking on every possible navigation item!

SomeYoungGuy

Hi, I recently bonded two of the Ethernet ports (1 and 2). Immediately after doing this, the router disconnected, (totally understandable) but Winbox could not see it after that. I blindly entered mac addresses until I found it, and was able to log into it, gave the bond an IP, and have been able to...

SomeYoungGuy

IP address - public ip. I'm not in the office, will this be a problem?

SomeYoungGuy

Hi All, I'm using the WinBox 5.20 RB2011UAS. I have logged in and can see the interface, menus etc etc, since most of the the help etc is in command line, i opened the "Terminal", but am faced with a blank screen for about a minute then it displays the lext-logo, etc ,etc and the last line is: ... M...

Search found 69 matches