Search found 177 matches

by Ape
Thu Feb 21, 2019 11:41 am
Forum: General
Topic: vlan question
Replies: 6
Views: 503

Re: vlan question

Hi,

yes you can.

Merge the bridges, add the appropriate VLAN interfaces so the CPU has access to the VLANs, and then move your DHCP servers and IP addresses to those VLAN interfaces. What you want to do is doable with one bridge and VLANs.

Regards,
Ape
by Ape
Fri Jan 11, 2019 4:25 pm
Forum: Forwarding Protocols
Topic: OSPF load balancing
Replies: 8
Views: 799

Re: OSPF load balancing

Hi, "It depends entirely on your architectural solution. I would not drive client services through ospf. Use mpls + mp/bgp." I second this. Use MPLS/VPLS and centralize your PPPoE dialins to one server. MPLS should be the transport layer for your customer's traffic. It would be possible to just use the...
by Ape
Fri Jan 11, 2019 3:58 pm
Forum: Forwarding Protocols
Topic: 6.4x OpenVPN + OSPF trouble
Replies: 8
Views: 1819

Re: 6.4x OpenVPN + OSPF trouble

Hi,

if you only need to connect MT devices, you could use another VPN technology like IPSec/L2TP.
I like MT very much, but their OpenVPN implementation is known to be rudimentary.

Nonetheless, this should be fixed.

Regards,
Ape
by Ape
Fri Jan 11, 2019 3:54 pm
Forum: General
Topic: ppp,error,critical Encryption got out of sync - disabling
Replies: 4
Views: 2115

Re: ppp,error,critical Encryption got out of sync - disabling

Hi,

AFAIK this could be due to high packet loss or packet reordering.
Can you dismiss these possible issues?

Regards,
Ape
by Ape
Wed Jan 09, 2019 2:09 pm
Forum: Forwarding Protocols
Topic: OSPF load balancing
Replies: 8
Views: 799

Re: OSPF load balancing

Hi,

it's totally possible with MikroTik and OSPF.

Have a look at this great talk:

Video: https://www.youtube.com/watch?v=dFZz2z6RdQY
Presentation: https://mum.mikrotik.com/presentations/ ... 062656.pdf

Regards,
Ape
by Ape
Wed Jan 09, 2019 1:41 pm
Forum: General
Topic: ethernet - fiber adapter from mikrotik
Replies: 1
Views: 250

Re: ethernet - fiber adapter from mikrotik

Hi, normally you look at this the other way round: Choose your media converter (copper / fibre) and then choose the SFP(+) transceiver accordingly. There is no need to use an SFP transceiver from the same manufacturer on both ends. It's only necessary to match SM/MM, distance and wavelength. In your c...
by Ape
Fri Dec 21, 2018 3:10 pm
Forum: General
Topic: Selective VPN with different routes?
Replies: 2
Views: 319

Re: Selective VPN with different routes?

Hi,

you could use PPP profiles and execute scripts on Up and on Down to set/unset firewall rules or, better, address list entries.
I didn't do it myself, but I think this should be possible.

Regards,
Ape
by Ape
Fri Dec 21, 2018 1:45 pm
Forum: General
Topic: VPN Tunnel Sophos UTM and Mikrotik
Replies: 6
Views: 583

Re: VPN Tunnel Sophos UTM and Mikrotik

Hi, thank you for providing the additional information. Unfortunately, I don't understand what I see, as the IP addresses in your config are other IP addresses than in your diagram. From the UTM's log you provided, I can see a peer ID of "192.168.178.84" is used. This looks like an IP from the LAN of ...
by Ape
Fri Dec 21, 2018 12:36 pm
Forum: General
Topic: Problem with OpenVPN client - TLS failed
Replies: 4
Views: 875

Re: Problem with OpenVPN client - TLS failed

Hi,

what about the remote side?
Any logs from there?

Regards,
Ape
by Ape
Fri Dec 21, 2018 12:33 pm
Forum: General
Topic: Impossibile to downgrade from 6.42.7 ?? [SOLVED]
Replies: 2
Views: 258

Re: Impossibile to downgrade from 6.42.7 ?? [SOLVED]

Hi,

maybe this is related to the bridge functionality change starting with ROS 6.41.
Try netinstalling the devices instead of downgrading.

Regards,
Ape
by Ape
Fri Dec 21, 2018 12:31 pm
Forum: General
Topic: Migrating self signed CA
Replies: 4
Views: 427

Re: Migrating self signed CA

Hi, I've no idea what's wrong - as you described the situation, everything is good IMO. Nevertheless, the error message clearly says that the server cannot verify the client certificate. Did you try to restart the OpenVPN server (disabling and re-enabling it) and/or restarting the CCR? Regards, Ape E...
by Ape
Fri Dec 21, 2018 12:24 pm
Forum: General
Topic: VPN Tunnel Sophos UTM and Mikrotik
Replies: 6
Views: 583

Re: VPN Tunnel Sophos UTM and Mikrotik

Hi, I'm sorry, but you didn't provide any useful information about your config to help you. Please post your config and exclude any sensitive data. What's in the logs of your MikroTik? Add a log rule in "System" -> "Logging" with "debug" and "ipsec" to see what is happening. Next thing, depending on y...
by Ape
Thu Dec 20, 2018 12:01 pm
Forum: Forwarding Protocols
Topic: VPLS link
Replies: 6
Views: 578

Re: VPLS link

Hi, thank you for reporting back. I'll just drop some thoughts: You can try "mtr -n --mpls" to determine the hop causing the packet loss. Check if there are devices in the path with high CPU load, respectively high single-core load. Is there a rate limit for ICMP packets? Is this limited to ICMP or is th...
by Ape
Wed Dec 19, 2018 4:26 pm
Forum: Forwarding Protocols
Topic: VPLS link
Replies: 6
Views: 578

Re: VPLS link

Hi, just ping with the "don't fragment" option set. Start with a payload of 1472 bytes (ICMP & IP header is 28 bytes in total, so you have a size of 1500 bytes). Then, decrease the payload size till the ping goes through unfragmented. Take the value of your payload and add 28. That's your actual MTU. Edit: Make sur...
by Ape
Wed Dec 19, 2018 3:09 pm
Forum: General
Topic: slow masquerade ?
Replies: 7
Views: 594

Re: slow masquerade ?

Hi, thank you for providing the diagram!

chain=prerouting action=passthrough
chain=prerouting action=accept src-address=192.168.5.0/24 dst-address=10.10.0.0/24
chain=prerouting action=notrack src-address=192.168.5.0/24 dst-address=10.10.3.0/24
chain=prerouting action=notrack src-address=10.0.0.0/8 d...
by Ape
Wed Dec 19, 2018 2:29 pm
Forum: General
Topic: public interface
Replies: 1
Views: 155

Re: public interface

Hi, as you are using a very old release of RouterOS, you are probably affected by some of the security issues discovered in RouterOS. There are several official announcements from MikroTik about these issues: https://blog.mikrotik.com/security/new-exploit-for-mikrotik-router-winbox-vulnerability.htm...
by Ape
Wed Dec 19, 2018 2:13 pm
Forum: General
Topic: problem with firewall
Replies: 2
Views: 215

Re: problem with firewall

Hi,

I don't understand what you are trying to achieve.
If you have correct firewall rules before your last deny rule, you should be fine.

If you're using Winbox, make sure you display the rules in the order they will be applied.
To ensure this, you need to click on the "#" column in Winbox.

Regards,
Ape
by Ape
Tue Dec 18, 2018 12:38 pm
Forum: General
Topic: Best VPN
Replies: 22
Views: 10937

Re: Best VPN

Hi, coming back to the initial issue, I would like to contribute some technical facts. You need to choose the VPN technology according to your limiting factors. These could be: - NAT/CGNAT (https://en.wikipedia.org/wiki/Carrier-grade_NAT) - dual-stack lite (https://en.wikipedia.org/wiki/IPv6_transition...
by Ape
Tue Dec 18, 2018 11:51 am
Forum: General
Topic: slow masquerade ?
Replies: 7
Views: 594

Re: slow masquerade ?

Hi, what do you mean by "within the 10 network, 10.10.3 has default route of the mikrotik (10.10.0.1), the 10.10.0 machines do not, so has to be masqueraded"? Can you please provide a simple network diagram. I can just guess that you have some sort of asymmetric routing on one site with ICMP redirect i...
by Ape
Mon Nov 26, 2018 11:47 am
Forum: Forwarding Protocols
Topic: OSFP Keeps Losing Routes!!! [SOLVED]
Replies: 11
Views: 1738

Re: OSFP Keeps Losing Routes!!! [SOLVED]

Hi, thank you for the description of your solution. As we have the same tunnel IP setup just with L2TP/IPsec tunnels, I was very interested reading that you changed the tunnel IP addresses. I didn't do that but I set all "non OSPF" interfaces to "passive". Since I did that, the issue with dropped ro...
by Ape
Wed Nov 07, 2018 9:54 pm
Forum: General
Topic: Disable port - "Couldn't change interface"
Replies: 1
Views: 548

Re: Disable port - "Couldn't change interface"

Hi, I can confirm the exact same behavior on a hEX. Did you upgrade from a pre-6.42 RouterOS version? My guess is that this is a remainder of the auto-conversion of the old master-port configuration method to the new HW accelerated bridge feature. I'll try to reset this device and re-apply an expor...
by Ape
Sun Oct 21, 2018 11:58 am
Forum: Forwarding Protocols
Topic: OSFP Keeps Losing Routes!!! [SOLVED]
Replies: 11
Views: 1738

Re: OSFP Keeps Losing Routes!!! [SOLVED]

Hi there, that's quite interesting, as we've contacted MikroTik regarding a very similar issue with OSPF. It's the same behavior someone mentioned earlier in this thread: OSPF works fine for hours, days, weeks and suddenly the "core" router (hub and spoke VPN setup) stops propagating the route of it'...
by Ape
Sun Jan 21, 2018 12:31 am
Forum: General
Topic: Can someone please check this CRS configuration
Replies: 0
Views: 299

Can someone please check this CRS configuration

Hi, I just bought two CRS210-8G-2S+IN. They are configured exactly the same: Ports ether1 to ether4 are access ports for VLAN 100. Ports ether5 to ether8 are access ports for VLAN 200. Port sfp-sfplus1 is the trunk port. I followed https://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port_Based_VLAN to do...
by Ape
Tue Oct 24, 2017 3:52 pm
Forum: General
Topic: L2TP/IPsec - Perfect Forward Secrecy / use of the default IPSec proposal
Replies: 4
Views: 752

Re: L2TP/IPsec - Perfect Forward Secrecy / use of the default IPSec proposal

Hi,

thank you for your response!
Good to know.

Any chance to get the ability to see the PFS status in future ROS versions?
I'm okay with your answer but I know for sure some people (customers for example) want to see if PFS is "really" working.

Regards,
Ape
by Ape
Mon Oct 23, 2017 3:55 pm
Forum: General
Topic: L2TP/IPsec - Perfect Forward Secrecy / use of the default IPSec proposal
Replies: 4
Views: 752

Re: L2TP/IPsec - Perfect Forward Secrecy / use of the default IPSec proposal

Hi emils,

thank you very much for your answer. In fact I was looking for the flag in the SA table.
Is there a possibility to check if PFS is used for the established SAs?
I used /ip ipsec installed-sa print detail which gives quite a lot of details but no indication if PFS is used or not.

Regards,
Ape
by Ape
Mon Oct 23, 2017 2:24 pm
Forum: General
Topic: RB2011iL-RM - How many OVPN tunnels ?
Replies: 1
Views: 353

Re: RB2011iL-RM - How many OVPN tunnels ?

Hi,

the RB2011 has a 600MHz CPU.
It won't be able to handle the traffic of 15 branch offices.

Have a look at the hEX, RB1100AHx4 or CCR1009. Those seem to fit your needs.

Regards,
Ape
by Ape
Mon Oct 23, 2017 2:21 pm
Forum: General
Topic: L2TP/IPsec - Perfect Forward Secrecy / use of the default IPSec proposal
Replies: 4
Views: 752

L2TP/IPsec - Perfect Forward Secrecy / use of the default IPSec proposal

Hi, I've a lab setup, where several RouterBoards should connect to a central VPN server (also Routerboard). I successfully configured a L2TP server and the client RouterBoards establish the L2TP tunnel ("Use IPSec" is checked). According to the IPSec SA table the L2TP sessions are encrypted, but not...
by Ape
Wed Oct 18, 2017 6:01 pm
Forum: General
Topic: Weird public IP to private IP problem
Replies: 3
Views: 387

Re: Weird public IP to private IP problem

Hi,

just defining DST-NAT rules isn't the whole thing, because it only handles incoming traffic.
You need to define corresponding SRC-NAT rules as well.

Regards,
Ape
by Ape
Wed Oct 18, 2017 5:49 pm
Forum: General
Topic: Blocking interVLAN traffic
Replies: 4
Views: 542

Re: Blocking interVLAN traffic

Hi, in case you have configured the VLANs as VLAN interfaces on a RouterBoard, just add the VLAN interfaces to an interface list and create a block rule in the forward chain with this interface list as source and destination. Edit: I just saw the answer posted before mine. This is the simplest solution, ...
by Ape
Tue Oct 17, 2017 4:50 pm
Forum: General
Topic: Forwarding to second External IP
Replies: 5
Views: 749

Re: Forwarding to second External IP

Hi, it depends on how you realise the forwarding. If you forward traffic on a specific port on 1.1.1.1 to 2.2.2.2 and you use SRC-NAT, the traffic will go through 1.1.1.1. If you don't use SRC-NAT you could end up having an asymmetric path from client to 1.1.1.1 to 2.2.2.2 and from there directly ba...
by Ape
Wed Oct 11, 2017 8:37 am
Forum: General
Topic: NAT helper strange issue
Replies: 3
Views: 488

Re: NAT helper strange issue

Hi,

you can try to disable the ftp service port in the router's firewall settings.

Is the configuration on both CCR identical regarding NAT and firewall?

Regards,
Ape
by Ape
Mon Oct 09, 2017 3:29 pm
Forum: General
Topic: Odd VOIP Behavior on Mikrotik 3011
Replies: 12
Views: 898

Re: Odd VOIP Behavior on Mikrotik 3011

Hi, yes, these two values are especially relevant for SIP/RTP. I can't give general advice on which values to set in your case, but it's worth trying to slightly increase these values. Furthermore, have a read of this thread: https://forum.mikrotik.com/viewtopic.php?t=85039 Usually, the problem is th...
by Ape
Mon Oct 09, 2017 1:36 pm
Forum: General
Topic: RB750Gr3 6.40.4 CBWFQ QoS?
Replies: 3
Views: 629

Re: RB750Gr3 6.40.4 CBWFQ QoS?

Hi,

indeed, without further configuration (mangling your traffic), you cannot use both queues and fasttrack.

Please read viewtopic.php?t=98133 as reference.

Regards,
Ape
by Ape
Mon Oct 09, 2017 11:46 am
Forum: General
Topic: Odd VOIP Behavior on Mikrotik 3011
Replies: 12
Views: 898

Re: Odd VOIP Behavior on Mikrotik 3011

Hi, as troffasky already stated, most of the time these issues occur in conjunction with ALG settings. Another thing to look at: As the firewall is stateful and UDP (which is used for SIP) is stateless, the firewall emulates stateful UDP connections by maintaining timers for those UDP connections. A...
by Ape
Wed Jul 05, 2017 11:56 am
Forum: Forwarding Protocols
Topic: OSPF stuck at Init State
Replies: 3
Views: 981

Re: OSPF stuck at Init State

Hi,

your OSPF config export seems incomplete.
Please post a complete OSPF config, so we can try to help you.
Use a code block to format it a little.

Thank you.

Regards,
Ape
by Ape
Wed May 31, 2017 4:26 pm
Forum: General
Topic: CCR1072 950 pppoe connection cpu overload when pppoe disconnected
Replies: 11
Views: 1657

Re: CCR1072 950 pppoe connection cpu overload when pppoe disconnected

Thanks Louis.

I had this talk in mind while writing my post.
by Ape
Wed May 31, 2017 4:10 pm
Forum: General
Topic: CCR1072 950 pppoe connection cpu overload when pppoe disconnected
Replies: 11
Views: 1657

Re: CCR1072 950 pppoe connection cpu overload when pppoe disconnected

Hi,

are you using NAT masquerade on the CCR?
If you do and you have a static public address, use a static srcnat instead.

Regards,
Ape
by Ape
Thu Apr 06, 2017 3:58 pm
Forum: General
Topic: High TX on WAN1 Interface.
Replies: 9
Views: 794

Re: High TX on WAN1 Interface.

Hi, simply spoken, these "bad guys" use your DNS resolver to amplify their attack. They send "small" DNS requests (just a few bytes) with a spoofed source IP address. Your DNS resolver answers to the spoofed source IP address with a much larger response, resulting in an amplification of the original...
by Ape
Wed Apr 05, 2017 11:02 pm
Forum: General
Topic: High TX on WAN1 Interface.
Replies: 9
Views: 794

Re: High TX on WAN1 Interface.

Hi,
"Yes it was DNS issue. After disabling DNS, it is working normally."
Running the DNS cache is not your problem. It's not having appropriate firewall rules.
Please do yourself and the rest of the internet the favor of securing your device!

Regards,
Ape
by Ape
Wed Apr 05, 2017 2:04 pm
Forum: General
Topic: routed segments traffic pass through backbone router
Replies: 10
Views: 871

Re: routed segments traffic pass through backbone router

Hi, relying on ICMP redirect is a bad practice in my opinion. You need to configure your devices to accept ICMP redirects. For the mikrotik routers:

/ip settings set accept-redirects=yes
/ip settings set send-redirects=yes

I suggest you create some sort of transfer network segment and use OSPF in th...
by Ape
Wed Apr 05, 2017 1:57 pm
Forum: General
Topic: High TX on WAN1 Interface.
Replies: 9
Views: 794

Re: High TX on WAN1 Interface.

Hi,

please provide the following information:
/ip firewall filter export compact
/ip dns export compact
Additionally, do another torch, this time, check "Protocol" and "Port".

I suppose you're accidentally running an open DNS resolver.

Regards,
Ape
by Ape
Thu Mar 16, 2017 11:55 pm
Forum: General
Topic: Strange behavior - Secure connection failed
Replies: 3
Views: 624

Re: Strange behavior - Secure connection failed

Hi,

thank you for letting us know!

Just one objection: Wouldn't it be nicer to use a mangle rule to change outgoing MSS for these connections?

Regards,
Ape
by Ape
Thu Mar 16, 2017 11:51 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 11749

Re: Yet another "dhcp,warning offering lease without success" issue

Hi,

I observed DHCP problems in conjunction with

- wrong MTU setting (especially along with VLAN),
- no Admin MAC on bridge interface
- STP configured on bridge running DHCP

Apart from layer 1 problems, these points are most of the time the cause of all trouble.

Regards,
Ape
by Ape
Wed Mar 08, 2017 6:01 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 42752

Re: Statement on Vault 7 document release

Hi,

thank you very much normis!
This is a real professional handling of the situation.

Regards,
Ape
by Ape
Tue Mar 07, 2017 10:24 am
Forum: Wireless Networking
Topic: Remove RBwAP2nD from CAPsMAN
Replies: 1
Views: 880

Re: Remove RBwAP2nD from CAPsMAN

Hi Roland,

simply disable CAP for the WLAN interface:
[screenshots attached: CAP01.png, CAP02.png]
Regards,
Ape
by Ape
Mon Mar 06, 2017 10:53 pm
Forum: General
Topic: VOIP failure
Replies: 1
Views: 264

Re: VOIP failure

Hi,

if you can dismiss your router's firewalling / NATing, you'll need a SIP trace from your customers.

Regards,
Ape
by Ape
Mon Mar 06, 2017 10:14 pm
Forum: General
Topic: L2TP Client Default IPsec Settings
Replies: 3
Views: 435

Re: L2TP Client Default IPsec Settings

Hi, thank you for your answer mrz. It would be really nice if the IPSec parameters could be specified in the L2TP-client interface settings. Regarding the default hashing algorithm, which is currently SHA1, one could say it is absolutely necessary to make the L2TP-clients' IPSec parameters configurab...
by Ape
Fri Mar 03, 2017 5:28 pm
Forum: Wireless Networking
Topic: Cannot get wireless virtual interfaces to work, simultaneously in AP and station modes
Replies: 2
Views: 878

Re: Cannot get wireless virtual interfaces to work, simultaneously in AP and station modes

Hi, maybe I can help. I did this kind of setup myself and I came across the following behavior: Assume, "wlan1" is the physical wifi interface and it is configured as "station". Now, you create a second wifi interface, the virtual AP interface "wlan2", which is the slave interface of "wlan1". At thi...
by Ape
Fri Mar 03, 2017 5:20 pm
Forum: General
Topic: Routerboard
Replies: 2
Views: 292

Re: Routerboard

Hi,

did you try to netinstall it?
Did you connect to the console? What's the output during startup?

Regards,
Ape
by Ape
Fri Mar 03, 2017 5:15 pm
Forum: General
Topic: ipsec site-to-site azure
Replies: 3
Views: 981

Re: ipsec site-to-site azure

Hi,

configure verbose logging on your MikroTik and have a look what's going on. Without details nobody is able to assist you.

Regards,
Ape