Search found 81 matches

by angriukas
Wed Apr 08, 2020 1:33 pm
Forum: Beginner Basics
Topic: Unidentified traffic
Replies: 7
Views: 1604

Re: Unidentified traffic

Correct me if I am wrong, but Torch tool shows the same information as on the Connections tab. (IP - Firewall - Connections). I see the source IP there, but the destination IP is not a private IP from my network, it is the IP of Mikrotik, so I can't understand who initiated this traffic. From your pos...
by angriukas
Wed Apr 08, 2020 1:00 pm
Forum: General
Topic: Number of OpenVPN server instances?
Replies: 3
Views: 1068

Re: Number of OpenVPN server instances?

I do not know what do you mean "two different systems", but single instance of OpenVPN server is able to handle various situations. Possible solution: in .ovpn config file at the end you can add directive "route 192.168.0.0 255.255.255" to allow only needed subnet for that particular client. In this...
by angriukas
Tue Apr 07, 2020 1:57 pm
Forum: Beginner Basics
Topic: Unidentified traffic
Replies: 7
Views: 1604

Re: Unidentified traffic

Try to use Tools -> Torch to identify the source of the traffic. It can be anything, from torrent client inside of LAN to ...
by angriukas
Tue Apr 07, 2020 1:54 pm
Forum: General
Topic: Number of OpenVPN server instances?
Replies: 3
Views: 1068

Re: Number of OpenVPN server instances?

What's the reason to have two OpenVPN servers on same hardware?
by angriukas
Mon Apr 06, 2020 1:43 pm
Forum: General
Topic: VPN ( IPSec ) packet loss
Replies: 6
Views: 2581

Re: VPN ( IPSec ) packet loss

Set same value from field "MAC Address".
by angriukas
Fri Mar 13, 2020 2:28 pm
Forum: Wireless Networking
Topic: CAP AC with VLANs on wifi and on ethernet interfaces
Replies: 12
Views: 3478

Re: CAP AC with VLANs on wifi and on ethernet interfaces

In general - yes. CAPsMAN by config in 'data path' will add cap interfaces to the appropriate bridges. eth2-5 -> bridge-lan, also DHCP server on this bridge for lan IP's like: 192.168.0.0/24 Then seconds DHCP on bridge-guest like: 192.168.40.0/24 In firewall: allow DNS requests for guests: /ip firew...
by angriukas
Fri Mar 13, 2020 12:57 pm
Forum: Wireless Networking
Topic: CAP AC with VLANs on wifi and on ethernet interfaces
Replies: 12
Views: 3478

Re: CAP AC with VLANs on wifi and on ethernet interfaces

This is sample only, for lan and for guest. You cannot use this file as script because I have replaced sensitive info (include MAC addresses).
by angriukas
Fri Mar 13, 2020 11:19 am
Forum: Wireless Networking
Topic: CAP AC with VLANs on wifi and on ethernet interfaces
Replies: 12
Views: 3478

Re: CAP AC with VLANs on wifi and on ethernet interfaces

Maybe I am wrong, but I do not see the needs of VLAN if communication between CAP and CAPsMAN are on L2. It's enough to have two bridges in CAPsMAN, first one for LAN, second one for guests, with own dhcp server for each bridge. You can control traffic between bridges in CAPsMAN with firewall. Same ...
by angriukas
Mon Mar 09, 2020 3:06 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 4502

Re: Firewall disabling my wireless interface in CAPsMAN

Simple solution would allow L3 communications.
Create firewall rule in the INPUT chain to allow new connections from needed IP. Place this rule before drop rule.
ip firewall filter add chain=input src-address=A.B.C.D action=accept
by angriukas
Thu Mar 05, 2020 4:28 pm
Forum: General
Topic: ip-sec between MikroTik and Cisco ASA not passing traffic
Replies: 23
Views: 3828

Re: ip-sec between MikroTik and Cisco ASA not passing traffic

In the past we had IPSec tunnel between MT and ASA, no problems at all. Not sure is it relevant for you, but I will share my case: few days ago had issue with IPSec when client connects from NAT'ed ISP network (4G). Tunnel initiated, but no traffic could pass the tunnel. The solution was - turn on N...
by angriukas
Thu Mar 05, 2020 10:20 am
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 4502

Re: Firewall disabling my wireless interface in CAPsMAN

The link to youtube I have posted contains info how to attach local wireless to CAPsMAN. Learn from that video.
by angriukas
Tue Mar 03, 2020 11:52 am
Forum: Beginner Basics
Topic: IPSEC problems over 4G
Replies: 5
Views: 2276

Re: IPSEC problems over 4G

So, situation is as follows: created 4 rules in firewall to log packets. I can see in the input chain incoming VPN packets with proto 50 then I can see in forward chain ICMP request then I can see in forward chain ICMP response and finally I can see packets leaving my router with proto 50 in output ...
by angriukas
Mon Mar 02, 2020 6:42 pm
Forum: Beginner Basics
Topic: IPSEC problems over 4G
Replies: 5
Views: 2276

Re: IPSEC problems over 4G

ISP can give you IPv6, other IPv4. ISP can block protocols but you should check the Firewall\Connections You should check this yourself - you know. IPSec configure means know what and how works should be checked by you too. ISP assign for me IPv4, as I noted - VPN is established, I am sure for 99% ...
by angriukas
Mon Mar 02, 2020 5:30 pm
Forum: Beginner Basics
Topic: IPSEC problems over 4G
Replies: 5
Views: 2276

IPSEC problems over 4G

Hi, I have encountered following situation: IPSEC configured on CCR. Client side – Windows ShrewSoft VPN client. There is no issues with VPN tunnel from wired/WiFi networks. But I have problems with VPN if I try connect from 4G mobile network, I share internet connection from Android phone via tethe...
by angriukas
Mon Mar 02, 2020 4:18 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 4502

Re: Firewall disabling my wireless interface in CAPsMAN

You can use any prefixes you want.
If CAP's contains no CAPsMAN IP address in config - assume it is L2 ;)
If you are not sure about L2, as proof you can try to remove IP address from CAP - that device still should provide WiFi.
Regarding 2.4 interfaces - hard to comment.
by angriukas
Mon Mar 02, 2020 2:38 pm
Forum: General
Topic: VPN ( IPSec ) packet loss
Replies: 6
Views: 2581

Re: VPN ( IPSec ) packet loss

Here it is.
by angriukas
Mon Mar 02, 2020 2:33 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 4502

Re: Firewall disabling my wireless interface in CAPsMAN

Switch in between should have no influence for CAPsMAN via L2.
by angriukas
Fri Feb 28, 2020 8:33 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 4502

Re: Firewall disabling my wireless interface in CAPsMAN

Nobody will say what exactly you should do :) If I understood correctly from last post - you have two CAPsMAN's. For L2 - you cannot lock to CAPsMAN by IP. Lock should be like that: in CAPsMAN manager set option "Require Peer Certificate" in AP lock to the needed CAPsMAN with cert. Before that you h...
by angriukas
Fri Feb 28, 2020 2:23 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 4502

Re: Firewall disabling my wireless interface in CAPsMAN

Loaded your cfg to CHR. I see nothing wrong there. I usually use single provisioning for multiple SSID's and 2.4/5GHz bands. But it's up to you. I guess you have entered CAPsMAN IP address during AP configuration. Attached my CAP config screen. In my case AP is locked to CAPsMAN via certificates, an...
by angriukas
Fri Feb 28, 2020 1:47 pm
Forum: Beginner Basics
Topic: RS to master port
Replies: 4
Views: 1516

Re: RS to master port

Router should have static IP on LAN interface. DHCP is needed for client PC's or other network devices in LAN (which are connected to that bridge). And only one DHCP server is allowed in the same broad-cast domain. Configure your mikrotik like this: Disable DHCP client in mikrotik on LAN bridge inte...
by angriukas
Fri Feb 28, 2020 1:31 pm
Forum: General
Topic: RB4011 and RB1100 AHx4 "bricks" randomly
Replies: 93
Views: 18045

Re: RB4011 and RB1100 AHx4 "bricks" randomly

10 days ago installed two RB4011iGS+ devices.
Firewall, 3 bridges, CAPsMAN with two SSID's, EoIP between both devices, few queues.
No bricks, no reboots, no issues at all.
RoS and firmware: 6.45.8
by angriukas
Fri Feb 28, 2020 1:14 pm
Forum: General
Topic: VPN ( IPSec ) packet loss
Replies: 6
Views: 2581

Re: VPN ( IPSec ) packet loss

What I would do in your case is: include ipsec and debug in to logging rules, analyze log to reveal what's going on. Also: I see the bridge in your config, add Admin MAC to the bridge, because sometimes bridge could change his MAC address, it depends from running/inactive ports. That could have infl...
by angriukas
Fri Feb 28, 2020 12:59 pm
Forum: Beginner Basics
Topic: RS to master port
Replies: 4
Views: 1516

Re: RS to master port

If port is in the bridge (port is slave in your case), then DHCP should be configured on the "bridge_local" interface (not on slave port). Bridge acts as an interface.
The same is for firewall and other services. Everywhere in config should be used bridge interface (instead of slave port).
by angriukas
Fri Feb 28, 2020 10:12 am
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 4502

Re: Firewall disabling my wireless interface in CAPsMAN

This line points that your AP's communicating with CAPsMAN via L3, that's why FW rules comes in action. 16:45:43 caps,info [::ffff: 192.168.88.1:55981 ,Join,[C4:AD:34:60:88:12]] joined, provides radio(s): C4:AD:34:60:88:1D,C4:AD:34:21:20:69 The log line should look like: 16:45:43 caps,info [ MAC ADD...
by angriukas
Thu Feb 27, 2020 4:27 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 4502

Re: Firewall disabling my wireless interface in CAPsMAN

If CAP is on the same L2 segment with CAPsMAN - FW should have no influence.
Provisioning should be without IP on the same L2 segment.
by angriukas
Mon Feb 17, 2020 3:10 pm
Forum: Beginner Basics
Topic: Stupid Questions
Replies: 12
Views: 2778

Re: Stupid Questions

I have few notes about RB4011:
mounting ears are terrible if you plan to install this router to rack.
Switch chip is not the best inside of RB4011.
Despite all of that RB4011 has good HW characteristics.
Also you can use CCR1009 if budget allows that and no switch chip is needed.
by angriukas
Thu Jan 23, 2020 10:09 am
Forum: Beginner Basics
Topic: Replacing current router
Replies: 2
Views: 827

Re: Replacing current router

Each situation is different. Nobody will say exact steps, like do A, B, C, ...
If you have not enough experience - better to hire certified MT specialist near you, which can do the job and explains-teach you for the same :)
by angriukas
Mon Jan 13, 2020 2:38 pm
Forum: RouterBOARD hardware
Topic: USB POWER Problems on RB952Ui-5ac2nD-TC with sn: xxxxxxxxxxxx/936 and /937
Replies: 5
Views: 2787

Re: USB POWER Problems on RB952Ui-5ac2nD-TC with sn: xxxxxxxxxxxx/936 and /937

Metering device could have delay, but: at 0.448A it is visible only 4.04V. Possibly that 4.04V can occur because of USB power cut-off. But also possible this case: USB voltage dropped due to high load, and as result modem resets itself due to low voltage... Without oscilloscope it's not possible to ...
by angriukas
Mon Jan 13, 2020 11:45 am
Forum: General
Topic: Locked myself out of WinBox - Help Requested
Replies: 7
Views: 1365

Re: Locked myself out of WinBox - Help Requested

Try connect via serial port and enable eth if your router has management port.
by angriukas
Thu Jan 09, 2020 5:25 pm
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 89
Views: 19155

Re: CSS326-24G-2S+RM hangs until power cycle

Sharing info about my story: Had issues (port flapping) on CRS326 with powered from APC UPS. Standard CRS PSU for 24V 1200mA replaced to PSU from CCR with DIY elements 8) Post #169 https://forum.mikrotik.com/viewtopic.php?f=2&t=141633 With new PSU port flapping disappeared, SFP+ ports started to work....
by angriukas
Thu Jan 09, 2020 4:20 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 1
Views: 402

Re: IPSEC dynamic peer ip

Firewall should allow traffic to/from tunnel:

;;; accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

;;; accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
by angriukas
Tue Jan 07, 2020 5:27 pm
Forum: General
Topic: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+
Replies: 189
Views: 33694

Re: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+

I have soldered fan wires directly to PSU 24V outlet. Fan could also produce noise. Unfortunately both CRS are far enough from me, can't do testing with lab PSU. linkdowns.txt - events for few last days, 10/100M speed - should be PC NIC in low power mode, I think. During transition between power mod...
by angriukas
Tue Jan 07, 2020 11:27 am
Forum: General
Topic: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+
Replies: 189
Views: 33694

Re: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+

Hi, want to share small story :) I have two CRS326, both devices powered from APC UPS, both CRS's are out of warranty. My problem was: - port flapping on both devices - Both CRS's with DAC cable on SFP+ interfaces won't work at all. - High CPU temperature, 76-78 degrees in celsius. I bought two 24V ...
by angriukas
Thu Jan 02, 2020 11:18 am
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 1828

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Hello. Could you get any new information from colleagues from Mikrotik? Few days ago had small conversation, MT support suggested 6.46.1 version. This is not so easy to do for me because I am admin only of local router. Currently we are on 3DES, both routers have to be reconfigured, quite a difficu...
by angriukas
Tue Dec 17, 2019 4:58 pm
Forum: Beginner Basics
Topic: Resetting mikrotik [SOLVED]
Replies: 2
Views: 702

Re: Resetting mikrotik [SOLVED]

Reinstall RouterOS according this manual:
https://wiki.mikrotik.com/wiki/Manual:Netinstall
Note: you will lose all config you had before.
by angriukas
Mon Dec 16, 2019 1:43 pm
Forum: General
Topic: CCR1072-1G-8S+ crashing?
Replies: 3
Views: 672

Re: CCR1072-1G-8S+ crashing?

We faced issues on CCR1009 with ipsec AES-256. We had no freeze, was loop: boot - kernel failure - reboot.
Try 3DES if you have such case.
by angriukas
Fri Dec 13, 2019 9:42 am
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 34024

Re: v6.46 [stable] is released!

Hi, I've just upgraded to 6.46 stable on various mikrotik routers. I've noticed that if I change some parameters in interface wireless configuration (mode, freq, sc-list etc) it freezes for no reason (show initializing in bottom interface status menu) then I have to manually access the router, reset and ...
by angriukas
Thu Dec 12, 2019 9:48 am
Forum: General
Topic: IGMP proxy, EPG/menu issues on STB
Replies: 4
Views: 935

Re: IGMP proxy, EPG/menu issues on STB

I didn't succeed with IGMP proxy, STB still won't work, even in case when whole traffic is routed to vlan6.
Thanks for spent time.
by angriukas
Thu Dec 12, 2019 9:44 am
Forum: General
Topic: S2S VPN PH2 status
Replies: 5
Views: 1005

Re: S2S VPN PH2 status

I have created tunnels with Cisco ASA, as well as with SonicWall - always got PH2 Established. No problems with that.
For PROD routers I am using latest long-term version.
If tunnel itself is OK - could be incorrectly displayed PH2 status, but I didn't see such case.
Try 6.44.6 ROS version.
by angriukas
Wed Dec 11, 2019 6:01 pm
Forum: General
Topic: S2S VPN PH2 status
Replies: 5
Views: 1005

Re: S2S VPN PH2 status

Hard to say why you get "ipsec IPsec-SA expired", could be any reason. Cannot comment much without knowing exact info like: hardware you are using on both sides, ROS version, exact config (/export compact hide-sensitive). You have to: properly configure ipsec on both sides on both sides open in the ...
by angriukas
Wed Dec 11, 2019 4:14 pm
Forum: General
Topic: S2S VPN PH2 status
Replies: 5
Views: 1005

Re: S2S VPN PH2 status

No phase 2 = no VPN :)
PH2 State = Established -> means VPN OK
Add ipsec topic in the /system logging - will help to find VPN issues.
by angriukas
Wed Dec 11, 2019 11:31 am
Forum: General
Topic: IGMP proxy, EPG/menu issues on STB
Replies: 4
Views: 935

Re: IGMP proxy, EPG/menu issues on STB

Depends on STB model ... STB I received from my ISP uses normal internet connection to download EPG ... so I have to provide both untagged internet service (part of my LAN subnet) and tagged multicasts. According MAC - my STB is by Motorola. Well, I have situation when STB is in the local network, ...
by angriukas
Tue Dec 10, 2019 12:39 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 2159

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

I sniffed packets on the router's wan interface and I can see the DHCP Inform coming from the Windows 10's VPN IP, so somehow that doesn't reach ipsec? Cannot comment much about that, sounds to IPSEC policy issues. Try increase log verbosity (ipsec and debug), in hope that log will reveal the reason.
by angriukas
Tue Dec 10, 2019 11:35 am
Forum: General
Topic: IGMP proxy, EPG/menu issues on STB
Replies: 4
Views: 935

IGMP proxy, EPG/menu issues on STB

Hello, There are lot of topic about IPTV, I read lot of them, unfortunately cannot find answer to issues occurred in my case. So, I am trying to setup IPTV via IGMP proxy, my setup is following: hardware: CRS109-8G-1S-2HnD ROS: 6.44.6 from ISP i get: internet traffic - no vlan, DHCP IPTV traffic - v...
by angriukas
Fri Dec 06, 2019 9:13 am
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 1195

Re: Proper VLAN switching on router?

Solution we have developed in this thread requires two Mikrotiks, second Mikrotik (CRS in schema) needed for removing vlan6 tag. I am curious how ISP solved that with single router, because if I order internet service from ISP with their router (Technicolor TG789vacV2) it is allowed to plug STB to a...
by angriukas
Fri Dec 06, 2019 12:58 am
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 1195

Re: Proper VLAN switching on router?

Can confirm, script from post #3 working on Atheros-8327. Didn't apply "/interface bridge vlan ...", because I am not going to use vlan-filtering in the bridge on this router. I paste all config at once via terminal, no disconnection occurred, Winbox connection to router was from LAN. After changes ...
by angriukas
Thu Dec 05, 2019 7:26 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 1195

Re: Proper VLAN switching on router?

Thanks for explanation,
seems to be attempts in test lab with Atheros-8227 failed. Going to configure directly on PROD with Atheros-8327. Keep in touch.
by angriukas
Thu Dec 05, 2019 6:08 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 1195

Re: Proper VLAN switching on router?

Something is not OK. I take hAP mini (Atheros-8227), reset to blank, load following config: /interface bridge add name=bridge /interface vlan add interface=bridge name=bridge.wan.2222 vlan-id=2222 /interface ethernet switch port set 0 default-vlan-id=2222 vlan-mode=secure set 1 default-vlan-id=1 vla...
by angriukas
Thu Dec 05, 2019 4:50 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 1195

Re: Proper VLAN switching on router?

Very smart solution :shock:
Today I will test this approach on PROD. Will post reply about results later.
I think this sample is worth to mention in the wiki, for example here: https://wiki.mikrotik.com/wiki/Manual:L ... figuration
Thanks again.
by angriukas
Thu Dec 05, 2019 4:29 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 1195

Re: Proper VLAN switching on router?

Thanks for quick reply. The key factor is that single VLAN6 (IPTV) is used in my case, WAN uses no VLAN. @sindy: Would you like to say, that bridge.wan.2222 is like a "fake" interface for routing, where in fact tag 2222 is removed by switch on port ether1 and on bridge? Finally, ISP and LAN sees no ...
by angriukas
Thu Dec 05, 2019 1:25 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 1195

Proper VLAN switching on router?

Hi, Advice is needed, how to configure router in the following case: ISP provide IPTV on vlan6. But STB located after switch, there is no possibility connect STB directly to the router. Attached image contains current configuration. I think this config is wrong because vlan6 is bridged, no hardware ...
by angriukas
Tue Dec 03, 2019 10:32 am
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 1966

Re: Site to Site L2TP VPN

Yes, both ends. One final question, what do I do with my existing masquerade policy? Do I put your before mine, after mine or simply delete mine? Thanks... Answer: replace yours masq with new one or add "ipsec-policy=out,none" to the existing masq rule. l2tp+ipsec are creating dynamic policies and ...
by angriukas
Mon Dec 02, 2019 3:50 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 2159

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

What are you talking about ? There is no need to add any manual routes on your L2TP client...! The client will get his IP through the server. Thats all needeed... The client will then create a Dynamic route for that network... I am talking about standard Windows client, lot of routes are needed in ...
by angriukas
Mon Dec 02, 2019 3:33 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 2159

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

It takes less than 2 seconds to change that...

And what's then - manual or scripted "route add..."
Users like that ;)
by angriukas
Mon Dec 02, 2019 3:28 pm
Forum: General
Topic: Mikrotik routers interconnection between sites for failover
Replies: 1
Views: 319

Re: Mikrotik routers interconnection between sites for failover

If I understood correctly - you need site-to-site VPN. For example - IPsec tunnel.
Better to use CCR, because of hardware acceleration.
by angriukas
Mon Dec 02, 2019 3:14 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 2159

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

I would choose IPSec tunnels. Head office router - definitely CCR (because of hardware acceleration), depending from IPSec traffic and how many ports do you need. Cheapest is 1009 series models. RW - notebooks with IPSec client like Shrew-soft-vpn. Branch offices - hAP ac² because of this device als...
by angriukas
Mon Dec 02, 2019 2:40 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 1966

Re: Site to Site L2TP VPN

Did you configure routes?

IPSec is interface less. Policy plays the game.
by angriukas
Mon Dec 02, 2019 2:37 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 1966

Re: Site to Site L2TP VPN


Thanks angriukas, I'll have to test this out tomorrow. It's late here in Australia. Do I do this at both ends?

Thanks again...

Duke

Yes, both ends.
by angriukas
Mon Dec 02, 2019 1:32 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 1966

Re: Site to Site L2TP VPN

1. IPSec traffic should not be masqueraded, replace your masquerade rule with this one (change eth according your needs): /ip firewall nat add action=masquerade chain=srcnat comment="default configuration" ipsec-policy=out,none out-interface=ether1 2. Allow IPSec traffic in forward chain (rule posit...
by angriukas
Wed Nov 20, 2019 3:08 pm
Forum: General
Topic: Log Server Help need
Replies: 1
Views: 358

Re: Log Server Help need

by angriukas
Wed Nov 20, 2019 3:00 pm
Forum: Beginner Basics
Topic: IPSec Tunnel Established But unable to Ping/Connect Remote Devices
Replies: 2
Views: 934

Re: IPSec Tunnel Established But unable to Ping/Connect Remote Devices

I guess also: probably your firewall masquerades and/or drops packets to/from tunnel. Depending from router model - default configuration usually contains properly configured firewall rules for ipsec traffic. Following rules was taken from default config: two accepts should happen before last drops ...
by angriukas
Wed Nov 20, 2019 10:14 am
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 1828

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

This is related to packet fragmentation. In my case workaround was: use 3DES encryption in phase 2 (in IPSec profiles) instead of AES256. Because reboot occurs only in case of AES256 encryption. or change MSS to 1350: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle#Change_MSS Sample rule is...
by angriukas
Mon Nov 11, 2019 10:18 am
Forum: Wireless Networking
Topic: SXT 4G kit setup
Replies: 2
Views: 1325

Re: SXT 4G kit setup

Agree, the only explanation I see - SXT antenna (or modem) working not so well for exactly this frequency.
Signal level was OK in both cases. Direction also was taken into account.
Kind of lottery - never know about device compatibility with operator even chosen correct bands.
by angriukas
Thu Nov 07, 2019 6:52 pm
Forum: Wireless Networking
Topic: SXT 4G kit setup
Replies: 2
Views: 1325

SXT 4G kit setup

Hello, few days ago had the pleasure to setup 'SXT 4G kit' device, ROS 6.44.6. Installed two SIM cards (from different operators). After speed testing: Operator Tele2, band 7, 2850 - download/upload speed pretty normal, in range of 80/40Mbps Operator Telia, band 7, 3050 - download speed is bad, about...
by angriukas
Wed Nov 06, 2019 3:17 pm
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 1828

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Dears, situation is as follows: Site1, ISP with 1Gbps line (CCR1009-7G-1C-1S+) <- - -> Site2, ISP with 30Mbps line (SonicWall) IPSEC AES256-cbc – no kernel panic . Site2 migrated to new ISP with about 10 times faster line. Right after that CCR started to panic in kernel even in RDP session via tunnn...
by angriukas
Tue Nov 05, 2019 7:41 pm
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 1828

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Upgraded to 6.44.6, still same behavior - kernel failure.
by angriukas
Tue Nov 05, 2019 3:38 pm
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 1828

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Today our router rebooted due to kernel failure lot of times. I guess this is due to IPSec. I can force kernel failure by sending big packet via VPN from PC in LAN : ping 10.50.1.200 -l 10000 After this line I got kernel failure with router reboot. Our hardware CCR1009-7G-1C-1S+ ROS 6.44.5 IPSec VPN...
by angriukas
Tue Nov 05, 2019 2:45 pm
Forum: SwOS
Topic: System rebooted because of kernel failure
Replies: 2
Views: 2089

Re: System rebooted because of kernel failure

Today got three kernel failures on CCR1009-7G-C-1S+, ROS 6.44.5
This is first time I see kernel failure.
Router started to reboot every few minutes.
No idea what is going on :(

Update: totally five reboots every 2-3 minutes. Then suddenly reboots stopped.
by angriukas
Sat Oct 05, 2019 3:53 pm
Forum: Announcements
Topic: Wireless link calculator updated
Replies: 71
Views: 42998

Re: Wireless link calculator updated

Hi,
cannot get working elevation graph.
Specs and results - all values entered properly.
"Link status" = Reliable, but elevation graph always shows 1m x 1km.
Used FireFox, Chrome, other browsers - no matter.
Could you please advise - how to get elevation?
by angriukas
Fri Jul 26, 2019 2:42 pm
Forum: RouterBOARD hardware
Topic: CRS326-24G-2S+RM fans
Replies: 18
Views: 6878

Re: CRS326-24G-2S+RM fans

Three problems with CRS326-24G-2S+
  • CPU temperature: 76°C - 78°C in room environment, 71°C in cooled env.
  • Port flapping
  • SFP+ issues when connecting between Mikrotik devices
by angriukas
Fri Jul 26, 2019 1:49 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 63
Views: 19394

Re: RB3011 port flopping - bad design

Have same problem on CRS326-24G-2S+ and CRS125-24G-1S
by angriukas
Tue Jul 16, 2019 2:23 pm
Forum: General
Topic: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+
Replies: 189
Views: 33694

Re: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+

I think CRS326-24G-2S+RM and CRS125-24G-1S contains same problem. SFP+ port in 1G mode - no problems. SFP+ port in 10G mode - problematic case even with Mikrotik DAC's. Update: problems raised when connecting two identical CRS326-24G-2S+RM devices with 10G DAC cable on SFP+ port. Not all of devices ...
by angriukas
Thu Jul 11, 2019 5:06 pm
Forum: General
Topic: CCR1036-12G-4S dual PSU or not?
Replies: 3
Views: 549

Re: CCR1036-12G-4S dual PSU or not?

Is it really CCR1036. Maybe label is wrong. Check that by executing:
/system routerboard print
by angriukas
Wed Jul 10, 2019 2:23 pm
Forum: Virtualization
Topic: CHR PROXMOX Performance
Replies: 4
Views: 3582

Re: CHR PROXMOX Performance

Hard to say is it normal. There are lot of factors, like host NIC drivers, cpu version and etc... Performance tweaks are here. General recommendations: try use 'PCI passthrough' for NIC (ROs probably will not detect NIC's due to missing drivers) use 'host' CPU instead of kvm64 disable PVE 'firewall'...
by angriukas
Wed Jul 03, 2019 3:11 pm
Forum: Virtualization
Topic: CHR Hardware
Replies: 14
Views: 5264

Re: CHR Hardware

Try to use Proxmox Virtualization Platform (PVE). Just successfully tested CHR on PVE with KVM hypervisor. CHR VM (virtual machine) supports following intefaces: disk - SATA or Virtio (to boot CHR). network - all types, but only Virtio and vmxnet (VMWare) supports 10G. Better to use everywhere Virti...
by angriukas
Mon Oct 15, 2018 11:37 am
Forum: RouterBOARD hardware
Topic: 10G link problem on CRS326-24G-2S+
Replies: 1
Views: 893

10G link problem on CRS326-24G-2S+

Hi, I have following setup: installed two devices CRS326-24G-2S+ in the same rack. Both devices booting into Router OS. Both devices connected over sfp+ with DAC: copper pigtail, 1m Vendor: MIKROTIK Vendor serial: MCS17H10458 I expect to have 10Gb link between both devices. Port speed detected prope...
by angriukas
Fri Nov 29, 2013 3:34 pm
Forum: General
Topic: IPSec Road Warrior
Replies: 9
Views: 10547

Re: IPSec Road Warrior

Hello, From Wiki: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf IpSec Server Config At first we need a pool from which RoadWarrior will get an address. Typically in office you set up DHCP server for local workstations, the same DHCP pool can be used. That phra...
by angriukas
Sun Nov 24, 2013 3:37 pm
Forum: General
Topic: IPSec Road Warrior
Replies: 9
Views: 10547

Re: IPSec Road Warrior

Hello, thank you for quick responses. Now tunnel is enabled but I can't ping remote LAN. When I remove following lines from shrew: s:ident-client-data: s:ident-server-data: and add s:client-iface:virtual s:client-ip-addr:192.168.7.50 -> free IP from remote LAN, not from DHCP pool s:client-ip-mask:25...
by angriukas
Fri Nov 22, 2013 9:41 am
Forum: General
Topic: IPSec Road Warrior
Replies: 9
Views: 10547

IPSec Road Warrior

Hello, I have configured IPSec on RB751G-2hnd (ROS 6.6) according following document from Mikrotik wiki: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf but Shrew client can not bring-up ipsec tunnel, time-out occur. There is nothing mentioned in the wiki about firewa...