As a quick fix, add the following static FWD lines to your router: /ip dns static add forward-to=159.148.147.201 regexp=".*\\.sn\\.mynetname\\.net\$" type=FWD add forward-to=159.148.172.251 regexp=".*\\.sn\\.mynetname\\.net\$" type=FWD And flush the DNS cache! This forwards any q...
I am using 3 ways to block unwanted content (ads are a part of the unwanted content): 1) uBlock on any browser on our computers. I use Vivaldi (Chromium based) and push uBlock with a GPO on Windows. 2) Pi-Hole running on a virtual Linux computer. 3) IP blocking in Mikrotik. With uBlock you are also bloc...
I also need conditional forwarding of DNS requests.
We are using a lot of Mikrotik products for VPN tunnels for branch office usage, and need DNS forwarding to AD DNS domains to authenticate users on terminals/client computers.
The mentioned SFP+ modules are 310nm versions, specially for short distances (up to 300 meters). Other modules are for longer distances, like 10km etc.
I am not sure SFP+ modules are compatible with 1Gbit SFP ports.
Hello Jeroen, I am also from the Netherlands and can help you with this. Please send me a PM if needed. We are very experienced working with Mikrotik and DAC/SFP+ in combination with a lot of switching brands. For your info, DAC is possible up to 10m, but that would require active DAC cables. In esse...
It will work if you add those 'non-existing' IP addresses to a new bridge.
Call this bridge something like nat-bridge or anything you like.
Then add those 2 addresses 192.168.10.80/24 and .90/24 to this bridge.
Strange behaviour of a RB3011 with v6.35.RC28. It sometimes reports very high and strange interface usage: [image: RB3011-high-interface-usage.jpg] eth6 is connected to an LTE router (max. 150/150 Mbps), eth7 is connected to an ADSL2 router (max. 10/1 Mbps), eth8 is connected to an ADSL2 router (max. 10...
I think because there is also a CCR1009-8G-1S-1S+ model with 2GB RAM, LCD Screen and 10Gbit for just around $ 50,- more. For me that is the best priced model they offer.
I have written a script which makes a backup and a configuration export on an attached USB stick. :global getDateTime do={ :local thisdate [/system clock get date]; :local thistime [/system clock get time]; :local year [:pick $thisdate 7 11]; :local month [:pick $thisdate 0 3]; :if ($month="jan&...
@MRZ Can you give us some good examples with ipSec tunnel and ipSec over GRE/IPIP (transport) to get the optimal best performance? I am dealing with this a lot and I see a lot of articles saying that MSS/packet size should be good to get optimal results, but I do not see any examples with the right ...
Hyper-V does not work with the current ROS 6.xx software.
I do think we have to wait for 7.x because this version maybe is based on Linux kernel 3.4 or higher.
Starting with the 3.4 Linux kernel there are native Hyper-V virtual device drivers included. Especially for networking you need those.
Bridging works fine. You can even filter the bridge L2 traffic or apply IP Firewall rules if IP Firewall is enabled on bridging. I have used this in a situation where production servers needed public WAN IP's without any natting. We applied IP filters and IP Firewall rules for security. Used a CCR10...
I work with SonicWall, Mikrotik and some other brands and I do like both brands for different reasons. SonicWall is performing very well (I worked with the NSA3500 series) and the ipsec tunneling is for sure very stable and very fast. SonicWall has VTI interfaces with good routing possibilities on ipsec...
It looks like Mikrotik has finally improved VPN performance in CCR models. :D Here is the changelog for 6.24rc2 ---- What's new in 6.24rc2 (2014-Dec-10 11:04): *) fixed problem where some of ethernet cards do not work on x86; *) improved CCR ethernet driver (less dropped packets); *) improved queue ...
@mrz I am very surprised with your explanation. We bought several CCR models to be able to handle ipsec VPN tunnels at high speed. Also because of the hardware AES support. We build VPN networks for our customers. That's our job. Now you are telling us that the ipsec speed problems (which are mention...
I think there is a huge problem with working with GRE tunnels with ipsec on the CCR series. Also with IPIP + ipsec. We have a RB1100AHx2 connected via a GRE tunnel to a CCR1036. The RB1100AHx2 is connected with cable 120/10 Mbit and the CCR with fiber 500/500 Mbit. If we disable ipsec on that tunnel ...
We have a subnet from our provider stated as 66.159.4.104/29 (addresses 66.159.4.104-110). The default gateway is 66.159.5.254 ?? If I enter this in a SonicWall it works. But when I want to program this ISP in a Mikrotik it fails. I add address 66.159.4.110/29 to ether1. And add the route to 0.0.0.0/0 t...
+1 for me. We need this for small satellite offices connected via VPN to a large main office. You need this kind of DNS lookup in case of Active Directory login. Now we 'solve' this by adding the main office DNS servers in the DHCP options as primary DNS. But this also gives a lot of DNS traffic for s...
I am building a large 10Gbit network with Dell PowerConnect equipment. Core switches are 2x Dell PowerConnect 8132F in stack (same as the new N4000 series), field switches are 5548(P) models also stacked. All connections between core switches and field switches are teamed 10Gbit connections. For al...
I do not say your solution is not working.
It is more that I have not worked with IGMP Proxy. I will take some time to learn more about these features.
@Etz Yes flat would be perfect but is not working in his situation. The STB's are not using a 'standard' internet connection. They have a separate network on the provider network and should have direct IP's from the provider. So also no NAT. The LAN devices require a 'normal' internet connection and...
Sharing multiple networks over one cable can be done with VLANs. But you need a VLAN capable device on both sides of the network. There are simple 8 or 16 port switches which support Layer2 VLAN, like the TP-Link TL-SG1016DE ( http://nl.tp-link.com/products/details/?categoryid=&model=TL-SG1016DE#spec ) P...
@nz_monkey Thank you for making this VTI feature more clear for everyone. I was not aware that VTI implementation in the SonicWall is a standard supported by other brands. I hope Mikrotik takes some time to improve IPsec performance and features because the main thing we do is making VPN networks fo...
@MRZ On a SonicWall you only provide ipsec settings in the VTI settings dialogs. And yes those are in fact peer/proposal/policy info. But you do not need to make a separate GRE tunnel with the same end-point peer IP addresses. Also in the SW implementation you do not need IP addresses (subnet) for th...
@andriys Yes I agree with you that the engineers should fix/improve the speed on the IPIP+ipsec and/or GRE+ipsec implementations. But besides the throughput speed, an IPsec tunnel is less complicated to configure than IPsec (peer/profile/policy) + IPIP/GRE tunnel (tunnel+subnet). At least in the Soni...
With IPsec Virtual Interface most people mean a virtual interface like the IPIP or GRE interface, but then with standard IPsec security. SonicWall has a very nice implementation of this kind of interface. Keep in mind SonicWall has a proprietary implementation. I do understand we can make this with I...
Today a few CCR and RB1100AHx2 models arrived. I am going to use those to test all kinds of VPN tunnels and will report the measured speeds. I will test: - IPIP + ipsec (transport) - GRE + ipsec (transport) - EOIP + ipsec (transport) - ipsec tunnel Mainly with AES encryption because this should be h...
No, I do not have a case open for this. But in the next coming weeks I will spend some time testing all variants of ipsec connections. Strange thing indeed is that ipsec tunnels seem much faster than ipsec over IPIP or GRE tunnels. We have one ipsec tunnel from a SonicWall NSA3500 series to our CCR1036, th...
I can second this. GRE (or IPIP) + ipsec seems very slow between CCR and 1100AHx2.
I also tried almost all AES variants, but the performance seems to be limited to around 50Mbps.
@mrz What is the maximum speed the RB1100AHx2 can do with ipsec? And also at what Encr. Algorithms do we get the best speed? Is it AES-cbc 128 or maybe AES-gcm 256 or ...? We are using a lot of ipsec tunnels connected from CCR1036 to RB1100AHx2 and we'd like to optimize the ipsec speed. Thank you in a...
A good working and simple to setup ipsec VTI would stop us from selling (expensive) SonicWall SRA solutions. The ipsec VTI should be working like an IPIP/GRE tunnel but then with ipsec security. We now use IPIP or GRE tunnels with ipsec transport security. This works but is not easy to setup and spe...
StrongSwan looks OK. They implemented IKEv2 and a load of other usable features. http://www.strongswan.org Mikrotik R&D please take a look at this. No response on this subject from Mikrotik development? In short, it would be nice to have IKEv2 implementation in RouterOS. Is this planned for Rou...
I do understand, from reading this forum and also Microsoft/Linux documentation, that Microsoft Hyper-V drivers are included in Linux kernel 3.4 and higher. Mikrotik is using kernel version 3.3.5. So I hope that as soon as Mikrotik is implementing kernel 3.4 or higher, Hyper-V integration is supported. T...
Bug in ipsec phase 2 AES-256 on CCR?? I have updated our CCR1036-12G-4EM from 6.7 to 6.9. All was working fine except for a lot of our VPN tunnels. The standard ipsec tunnels with AES-256 in phase 2 (proposal) all sent packets but did not receive. After changing from AES-256 to AES-128 they went fin...
+1 for Virtual IPsec Tunnel interfaces. I implement IPsec tunnel interface in SonicWall SRA solutions and those tunnels work superb with a load of (OSPF) routing options. It would be perfect if RouterOS would support a kind of ipsec virtual interface just like IPIP and GRE tunnels but then standard ...
I assume that the graphing data also is included in the backups.
So if your router is running a long time with graphing enabled the backups also will grow.
You can 'adjust' the MSS (MTU -/- protocol overhead) size with MSS Mangle rules. http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle Look for Basic Examples 'Change MSS'. With those you can set the outgoing MSS (and resulting MTU) size for packets passing the ipsec + IPIP tunnel. I always use mtupat...
IPsec + GRE is very nice to make advanced routed private networks through VPN. But I have noticed there is a big performance penalty with this combination. If you use IPIP tunnels instead of GRE it is faster, but this gives some MTU challenges. In short: IPsec + GRE, nice for VPN 'tunnels' but slow,...
There are a lot of examples on how to use multi-wan configs. It is not easy to do on Mikrotik routers, but if you understand routing/firewall rules and mangle in Mikrotik you will manage to do this. Please follow these instructions; http://aacable.wordpress.com/2011/06/04/mikrotik-4-wan-load-balance-...
We successfully use Draytek A120 for these situations.
Put the A120 in bridge mode and the Mikrotik will get the WAN IP, on either DHCP Client/fixed IP/PPPoE.
I do not know if any of the Mikrotik routers has Hardware NAT, but a few models are fast enough for 1000Mbps.
I would advise the RB1100AHx2 because this one is for sure fast enough and at this moment very affordable.
Or else the Tilera CPU routers (CCR series) are for sure fast enough.
Yes indeed with an EoIP tunnel you would actually get a Layer2 connected tunnel.
And then also DHCP requests would broadcast through this L2 tunnel and get a reply from the DHCP server.
You need to add the not routed subnets on the ipsec proposals. For example in a 2 site and 1 HQ setup HQ has 192.168.100.0/24 Site 1 has 192.168.101.0/24 Site 2 has 192.168.101.0/24 On HQ you define 2x peers for the sites + 2x ipsec proposals per peer to connect HQ-site1, HQ-site2, HQ-site3 Peer Sit...
'Seeing' computers on side A from side B has nothing to do with your split subnet. But everything with DNS setup and of course if the subnets are defined well on the VPN tunnel. In DHCP Relay option you put the interface which needs to be monitored for DHCP requests, mostly this is the interface whi...
Connect the ISP connection to (example) eth1 and call this interface 'eth1-ISP'. Then make a VLAN virtual interface with VLAN ID 835 based on interface 'eth1-ISP', and call this one 'eth1-ISP-VLAN835'. Then make a PPPoE client interface based on interface 'eth1-ISP-VLAN835' and call this 'WAN-PPPoE'. W...
If you have a DHCP server on the 'other' side, you can simply use DHCP relay for relaying DHCP requests from your side of the VPN to the IP of the DHCP server. Please note that you need to have 2 IP pools on that DHCP server! One pool for the 'other' side and one for your side of the VPN. This because yo...
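The steps in the post above as RouterOS CLI commands, added here as an example and not taken from the original post; the interface names follow the post, while the PPPoE username/password are placeholders and the interface-list and firewall rules are my assumed additions (interface lists need RouterOS 6.41 or newer):

```routeros
# Rename the physical ISP port (ether1 is the RouterOS default name for the first port)
/interface ethernet set [ find default-name=ether1 ] name=eth1-ISP

# VLAN 835 carried on top of the ISP port
/interface vlan add name=eth1-ISP-VLAN835 vlan-id=835 interface=eth1-ISP

# PPPoE client on top of the VLAN interface; credentials are placeholders
/interface pppoe-client add name=WAN-PPPoE interface=eth1-ISP-VLAN835 \
    user=ISP_USERNAME password=ISP_PASSWORD add-default-route=yes \
    use-peer-dns=yes disabled=no

# Assumed: group the PPPoE interface in a WAN list so firewall rules follow it
/interface list add name=WAN
/interface list member add list=WAN interface=WAN-PPPoE

# Masquerade LAN traffic leaving via the PPPoE session
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade

# Assumed: allow only reply traffic to the router itself from the ISP side,
# drop everything else so no management service is exposed on the WAN
/ip firewall filter add chain=input in-interface-list=WAN \
    connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface-list=WAN action=drop \
    comment="no router access from ISP side"

# PPPoE lowers the MTU to 1492; clamp TCP MSS so large packets do not stall
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    out-interface-list=WAN action=change-mss new-mss=clamp-to-pmtu
```

Check the session with `/interface pppoe-client monitor WAN-PPPoE once` and confirm the default route in `/ip route print`.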
Thank you. Yes, I am aware of dhcp-relay, I am actually using it in my network but it still isn't an option as this customer requires L2 not just for DHCP. So in theory I could be doing: 1. L3 with GRE 2. Routing (OSPF/...) over GRE 3. MPLS/VPLS L2 Tunnel over GRE Indeed if both sides support MPLS ...
GRE is a routing protocol. On Layer 3, Not Layer 2. It is compatible with Cisco GRE. Actually Mikrotik GRE is compatible with Cisco GRE, because Cisco developed this protocol. For Layer2 tunnels you need 2x Mikrotik because they have EoIP tunnel interface as option. So if you have any other brand th...