MikroTik

i4jordan

As a quick fix add the following static FWD lines to your router: /ip dns static add forward-to=159.148.147.201 regexp=".*\\.sn\\.mynetname\\.net\$" type=FWD add forward-to=159.148.172.251 regexp=".*\\.sn\\.mynetname\\.net\$" type=FWD And flush the DNS cache ! This forwards any q...

i4jordan

I am using 3 ways to block unwanted content (ads are a part of the unwanted content) 1) uBlock on any browser on our computers I use Vivaldi (Chromium based) and push uBlock with an GPO on Windows 2) Pi-Hole running on a virtual linux computer 3) IP blocking in Mikrotik With uBlock you are also bloc...

i4jordan

I also would pay for such a service, no problem.
Maybe you can make something with a pay per device/year option?

In any way thank you for the intrusBL service!

i4jordan

Where are you located? I am experienced in large ‘MikroTik’ networks. And might help you with this.

Which brand of switches are you going to use?

i4jordan

Beutifull work. Very nice made. Thank you very much.

i4jordan

The Rb750Gr3 is using a MMPIS cpu, not a MIPSBE!

For the MMIPS cpu there is no user manager package.
The same is for the ARM (RB3011 series).

I have no clue if there wil be a user manager package for the ARM or the MMIPS cpu.

i4jordan

I also need conditional forwarding of DNS request.
We are using a lot of Mikrotik products for VPN tunnels for branche office usage. And need DNS forwarding to AD DNS domains to authenticate users on terminals/ client computers.

i4jordan

Yes this is possible. I have made such a system, works perfect.

i4jordan

Active DAC 10Gbit is +/- € 120,- excl. VAT.
2x SFP+ incl. 10m LC-LC ONM3 cable is +/- € 150,-

So pricing is comparable.

SFP+ modules plus LC-LC cable gives you more flexibility. Just change the LC-LC cable if you need more or less lenght (up to around 300m).

i4jordan

The mentioned SFP+ modules are 310nm versions special for short distance (up to 300 meters). Other modules are for longer distance, like 10km etc.
I am not sure SFP+ modules are compatible with 1Gbit SFP ports.

i4jordan

Hello Jeroen, I am also from the Netherlands and can help you with this. Please send me a PM if needed. We are very experienced working with Mikrotik and DAC/SFP+ in combination with a lot of switching brands. For your info DAC is possible up to 10m, but that would require active DAC cables. In esse...

i4jordan

It will werk if you add those 'non excisting' IP adresses to a new bridge.
Call this bridge something like nat-bridge or nything you like.
Then add those 2 addresses 192.168.10.80/24 and .90/24 to this bridge.

That will do the job.

i4jordan

Strange behaviour of a RB3011 with v6.35.RC28 It sometimes reports very high and strange interface usage: [img] RB3011-high-interface-usage.jpg [/img] eth6 is connected to a LTE router (max.150/150Mbps) eth7 is connected to a ADSL2 router (max. 10/1 Mbps) eth8 is connected to a ADSL2 router (max. 10...

i4jordan

I think because there is also a CCR1009-8G-1S-1S+ model with 2GB RAM, LCD Screen and 10Gbit for just around $ 50,- more. For me that is the best priced model they offer.

i4jordan

I have written a script which makes a backup and a configuration export on a attached USB stick. :global getDateTime do={ :local thisdate [/system clock get date]; :local thistime [/system clock get time]; :local year [:pick $thisdate 7 11]; :local month [:pick $thisdate 0 3]; :if ($month="jan&...

i4jordan

@Janisk

For now the 6.34rc39 version is not available. The latest is 6.34rc36.

i4jordan

@MRZ Can you give us some good examples with ipSec tunnel and ipSec over GRE/IPIP (transport) to get the optimal best performance? I am dealing with this a lot and I see a lot of articles saying that MSS/packet size should be good to get optimal results, but I do not see any examples with the right ...

i4jordan

It has arrived!
http://routerboard.com/CCR1072-1G-8Splus

Pricing is fair US$ 3050

i4jordan

It has arrived!
http://routerboard.com/CCR1072-1G-8Splus

Pricing is fair US$ 3050

i4jordan

Also the complete line of CCR routers do have hardware encryption.

i4jordan

Hyper-V does not work with the current ROS 6.xx software.

I do think we have to wait for 7.x because this version maybe is based on Linux kernel 3.4 or higher.
Starting with 3.4 Linux kernel there are native Hyper-V virtual device drivers included. Specially for networking you need those.

i4jordan

Bridging works fine. You can even filter the bridge L2 traffic or apply IP Firewall rules if IP Firewall is enabled on bridging. I have used this in a situation where production servers needed public WAN IP's without any natting. We applied IP filters and IP Firewall rules for security. Used a CCR10...

i4jordan

+1
Would be perfect!
Would make MKT the best branch office router/firewall/VPN device there is.

i4jordan

We tested RB2011 also and do not get more than 270Mbps with routing/nat.

RN850Gx2 http://routerboard.com/RB850Gx2
If you do not need more than 5 Ethernet ports.
or
RB1100Ahx2 http://routerboard.com/RB1100AHx2
or
CCR1009 http://routerboard.com/CCR1009-8G-1S

i4jordan

I work with SonicWall, Mikrotik and some other brands and I do like both brands for different reasons. SonicWall is performing very good (I worked with NSA3500 series) and for sure is the ipsec tunneling very stable and very fast. SonicWall has VTI interfaces with good routing possibilities on ipsec...

i4jordan

It looks like Mikrotik has finally improved VPN performance in CCR models. :D Here is the changelog for 6.24rc2 ---- What's new in 6.24rc2 (2014-Dec-10 11:04): *) fixed problem where some of ethernet cards do not work on x86; *) improved CCR ethernet driver (less dropped packets); *) improved queue ...

i4jordan

@mrz I am very surprised with you explanation. We bought several CCR models to be able to handle ipsec VPN tunnels at high speed. Also because of the hardware AES support. We build VPN networks for our customers. That's our job. Now you are telling us that the ipsec speed problems (which are mention...

i4jordan

I think there is a huge problem with working with GRE tunnels with ipsec on teh CCR series. Also with IPIP + ipsec. We have a RB1100AHx2 connected via a GRE tunnel to a CCR1036. The RB1100AHx2 is connected with cable 120/10Mbit and the CCR with fiber 500/500 Mbit. If we disable ipsec on that tunnel ...

i4jordan

@sob

Thank you, I am going to try this.

i4jordan

@docmarius

I tried this. But no result?
First add route 66.159.5.254/32 -> ether1
Then add route 0.0.0.0/0 -> 66.159.5.254 (not reachable)

Also no result

Thank you for your suggestion.

i4jordan

We have a subnet from our provider stated 66.159.4.104/29 (addresses 66.159.4.104-110) The default gateway is 66.159.5.254 ?? If I enter this in a SonicWall it works. But when I want to program this ISP in a mikrotik it failes. I add address 66.159.4.110/29 to ether1. An add the route to 0.0.0.0/0 t...

i4jordan

Janisk,

Please reread the post from calvarez. The question is about dst-nat, not src-nat.

i4jordan

+1 for me. We need this for small satellite offices connected via VPN to large main office. You need this kind of DNS lookup in case of Active Directory login. Now we 'solve' this with adding the main office DNS servers in de DHCP options as primary DNS. But this also give a lot of DNS traffic for s...

i4jordan

Normis, and what if we use multiple WAN connecties?

Does this also work with the new version of The Mikrotik cloudservices?

i4jordan

Normis,

Thank you for the numbers. It helps a lot in designing VPN networks.

Do you also have some numbers on the 'older' RB1100AHx2 models?

I'd like to know speed of the ipsec tunnels and also the GRE+ipsec speed.

Other question, which is fatser: GRE+ipsec or IPIP+ipsec.

Thank you!

i4jordan

I am building a large 10Gbit network with Dell PowerConnect equipement. Core switches are 2x Dell PowerConnect 8132F in stack (same as the new N4000 series), field switches are 5548(P) models also stacked. All connections between core switches and field switches are teamed 10Gbit connections. For al...

i4jordan

@Etz

I do not say your solution is not working.
It is more that I have not worked with IGMP Proxy. I will take some time to learn more about these features.

Thank you for your explanations.

i4jordan

@Etz Yes flat would be perfect but is not working in his situation. The STB's are not using a 'standard' internet connection. They have a separate network on the provider network and should have direct IP's from the provider. So also no NAT. The LAN devices require a 'normal' internet connection and...

i4jordan

Sharing multiple networks one cable can be done with VLAN's. But you need a VLAN capable device on both sides of the network. There are simple 8 of 16 port switches which support Layer2 VLAN. Like TPLInk TL-SG1016DE ( http://nl.tp-link.com/products/details/?categoryid=&model=TL-SG1016DE#spec ) P...

i4jordan

http://www.flexoptix.net/en/sfp-zx-1-gi ... m-dom.html

You can choose a compatibility type in this shop.
Maybe Mikrotik support can help with choosing the right one.

i4jordan

@nz_monkey Thank you for making this VTI feature more clear for everyone. I was not aware that VTI implementation in the SonicWall is a standard supported by other brands. I hope Mikrotik takes some time to improve IPsec performance and features because the main thing we do is making VPN networks fo...

i4jordan

@MRZ On a SonicWall you only provide ipsec settings in the VTI settings dialogs. And yes those are in fact peer/proposal/policy info. But you do not need to make a separate GRE tunnel with the same end-point peer IP addresses. Also in the SW implementation you do not need IP adresses (subnet) for th...

i4jordan

@andriys Yes I agree with you that the engineers should fix/improve the speed on the IPIP+ipsec and/or GRE+ipsec implementations. But besides the throughput speed, a IPsec tunnel is less complicated to configure than IPsec (peer/profile/policy) + IPIP/GRE tunnel (tunnel+subnet). At least in the Soni...

i4jordan

With IPsec Virtual Interface most people mean an virtual interface like the IPIP or GRE interface. But then with standard IPsec security. SonicWall has a very nice implementation of this kind of interface. Keep in mind SonicWall has a propriety implementation. I do understand we can make this with I...

i4jordan

Today a few CCR and RB1100AHx2 models arrived. I am going to use those to test all kinds of VPN tunnels and will report the measured speeds. I will test: - IPIP + ipsec (transport) - GRE + ipsec (transport) - EOIP + ipsec (transport) - ipsec tunnel Mainly with AES encryption because this should be h...

i4jordan

Did you try 2x CCR for the GRE+ipsec setup?

I am planning to buy a second CCR just to test this.
I do not have 2x RB1100AHx2 to test such a setup.

But I indeed do suspect a not optimized piece of code in the CCR firmware.

i4jordan

No, I do not have a case open for this. But next coming weeks I will spend some time testing all variant of ipsec connections. Strange thing indeed is that ipsec tunnels seems much faster than ipsec over IPIP or GRE tunnels. We have one ipsec tunnel from a SonicWall NSA3500 series to our CCR1036, th...

i4jordan

i can second this. GRE (or IPIP) + ipsec seems very slow between CCR and 1100AHx2.
I also tried almost all AES variants. but the performance seems to be limited to around 50Mbps.

i4jordan

@mrz Wat is the maximum speed the RB1100AHx2 can do with ipsec? And also at what Encr. Algorithms do we get the best speed? Is it AES-cbc 128 or maybe AES-gcm 256 or ...? We are using a lot of ipsec tunnels connected from CCR1036 to RB100AHx2 and we'd like to optimize the ipsec speed. Thank you in a...

i4jordan

@jollis

No,
I also have seen that ipsec uses 1 CPU on my CCR1036

So 1 CPU very busy, 35 doing almost nothing.

i4jordan

A good working and simple to setup ipsec VTI would stop us from selling (expensive) SonicWall SRA solutions. The ipsec VTI should be working like an IPIP/GRE tunnel but then with ipsec security. We now use IPIP or GRE tunnels with ipsec transport security. This works but is not easy to setup and spe...

i4jordan

@mrz, thank you for your quick answer.

I will be patiently waiting for v7.

i4jordan

StrongSwan looks OK. They implemented IKEv2 and a load of other usable features. http://www.strongswan.org Mikrotik R&D please take a look at this. No response on this subject from Mikrotik development? In short, it would be nice to have IKEv2 implementation in RouterOS. Is this planned for Rou...

i4jordan

I do understand, from reading this forum and also Microsoft/Linux documentation, that Microsoft Hyper-V drivers are included in Linux kernel 3.4 and higher. Mikrotik is using kernel version 3.3.5 So I hope that as soon Mikrotik is implementing kernel 3.4 or higher Hyper-V integration is supported. T...

i4jordan

Bug in ipsec phase 2 AES-256 on CCR?? I have updated our CCR1036-12G-4EM from 6.7 to 6.9. Al was working fine except for a lot of our VPN tunnels. The standard ipsec tunnels with AES-256 in phase 2 (proposal) all send packages but did not receive. After changing from AES-256 to AES-128 they went fin...

i4jordan

StrongSwan looks OK. They implemented IKEv2 and a load of other usable features.

http://www.strongswan.org

Mikrotik R&D please take a look at this.

i4jordan

Normis,

Why is everybody talking about 6.9 on this forum.
And not 6.9 beta of 6.9rcx.

i4jordan

Is the 6.9 version publicly available?
I can not find it and also if I use update package it only finds 6.7 which is current version.

I have a CCS running with a lot of ipsec tunnels and are very interested in hardware accelerated aes ipsec.

Thank you.

i4jordan

Also support for IPsec IKEV2 should be very nice.

i4jordan

+1 for Virtual IPsec Tunnel interfaces. I implement IPsec tunnel interface in SonicWall SRA solutions and those tunnels work superb with a load of (OSPF) routing options. It would be perfect if RouterOS would support a kind of ipsec virtual interface just like IPIP and GRE tunnels but then standard ...

i4jordan

I assume that the graphing data also is included in the backups.
So if your router is running a long time with graphing enabled the backups also will grow.

i4jordan

You can 'adjust' mss (MTU -/- protocol overhead) size with MSS Mangle rules. http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle Look for Basic Examples 'Change MSS' With those you can set the outgoing MSS (and resulting MTU) size for packages passing the ipsec + IPIP tunnel. I always use mtupat...

i4jordan

IPsec + GRE is very nice to make advanced routed private netwerks through VPN. But I have noticed there is a big performance penalty with this combination. If you use IPIP tunnels instead of GRE it is faster, but this gives some MTU challenges. In short: IPsec + GRE, nice for VPN 'tunnels' but slow,...

i4jordan

There are a lot of examples on how to use multi-wan configs. It is not easy to do on Mikrotik routers, but if you understand routing/firewall rules and mangle in Mikrotik you will manage to do this. Please follow this instructions; http://aacable.wordpress.com/2011/06/04/mikrotik-4-wan-load-balance-...

i4jordan

I am using 4x ISP (adsl, vdsl, cable and fiber) on a ccr1036, runs very smooth.

Theoretically you can use an almost unlimited amount of ISP's. But practically it is limited by ethernetports and/or VLAN's.

i4jordan

Or the new A130. This one is also VDSL compatible.

https://www.draytek.com/index.php?optio ... 10&lang=en

i4jordan

We succesfully use Draytek A120 for these situations.
Put the A120 in bridge mode and the Mikrotik will get the WAN IP, on either DHCP Client/fixed IP/PPPoE.

For info: https://www.draytek.com/index.php?optio ... 51&lang=en

i4jordan

I do not know if any of the Mikrotik routers has Hardware NAT, but a few models are fast enough for 1000Mbps.

I would advice the RB1100AHx2 because this one is for sure fast enough and at this moment very afordable.
Or else the Tilera CPU routers (CCR series) are for sure fast enough.

i4jordan

@feklar

Yes indeed with an EoIP tunnel you would actually get a Layer2 connected tunnel.
And then also DHCP request would broadcast through this L@ tunnel and get a reply from the DHCP server.

i4jordan

You need to add the not routed subnets on the ipsec proposals. For example in a 2 site and 1 HQ setup HQ has 192.168.100.0/24 Site 1 has 192.168.101.0/24 Site 2 has 192.168.101.0/24 On HQ you define 2x peers for the sites + 2x ipsec proposals per peer to connect HQ-site1, HQ-site2, HQ-site3 Peer Sit...

i4jordan

'Seeing' computers on side A from side B has nothing to do with your split subnet. But everything with DNS setup and of course if the subnets are defined well on the VPN tunnel. In DHCP Relay option you put the interface which needs to be monitored for DHCP requests, mostly this is the interface whi...

i4jordan

connect the ISP connection to (example) eth1 and call this interface 'eth1-ISP' Then make a VLAN virtual interface with VLAN ID 835 based on interface 'eth1-ISP', and call this one 'eth1-ISP-VLAN835' Then make a PPPoE client interface based on interface 'eth1-ISP-VLAN835' and call this 'WAN-PPPoE' W...

i4jordan

If you have a DHCP server on the 'other' side. You can simple use DHCP relay for relaying DHCP request from your side of the to the IP of the DHCP server. Please note that you need to have 2 IP pools on that DHCP server! one pool for the 'other' side and one for your side of the VPN. This because yo...

i4jordan

Normis,

Does the tile series (CCR1036) also have hardware accelerated ipsec?

i4jordan

Thank you. Yes, I am aware of dhcp-relay, I am actually using it in my network but it still isn't an option as this customer requires L2 not just for DHCP. So in theory I could be doing: 1. L3 with GRE 2. Routing (OSPF/...) over GRE 3. MPLS/VPLS L2 Tunnel over GRE Indeed if both sides support MPLS ...

i4jordan

GRE is a routing protocol. On Layer 3, Not Layer 2. It is compatible with Cisco GRE. Actually Mikrotik GRE is compatible with Cisco GRE, because Cisco developed this protocol. For Layer2 tunnels you need 2x Mikrotik because they have EoIP tunnel interface as option. So if you have any other brand th...

i4jordan

Disabling Quickset in Designer mode also resolved my problem with 'magically' changed settings.

Search found 77 matches