Community discussions

Search found 104 matches

by angriukas
Tue Jan 25, 2022 12:15 pm
Forum: General
Topic: CCR1009 CPU load 100%
Replies: 11
Views: 3341

Re: CCR1009 CPU load 100%

Situation update: It appeared that the router was affected by an attack on UDP port 53. Attack rate: 200-800 packets per second. The two firewall rules mentioned below were initially in the filter table. After moving those rules to the raw table, the problem was gone. Output of "/ip firewall raw print": 1 chain=prero...
by angriukas
Fri Jan 21, 2022 10:41 am
Forum: General
Topic: CCR1009 CPU load 100%
Replies: 11
Views: 3341

Re: CCR1009 CPU load 100%

Information: CCR1036 - same behavior, seems to be problems in config.
by angriukas
Thu Jan 20, 2022 11:20 am
Forum: General
Topic: CCR1009 CPU load 100%
Replies: 11
Views: 3341

Re: CCR1009 CPU load 100%

Try upgrading to 6.49 stable firmware......... see if same issue persists.

We have installed latest LTS, same behavior.
by angriukas
Thu Jan 20, 2022 11:06 am
Forum: General
Topic: CCR1009 CPU load 100%
Replies: 11
Views: 3341

Re: CCR1009 CPU load 100%

I agree with the other posts insofar as that is very difficult to remotely troubleshoot this type of problem in a forum absent the config. You can look in "/tool profile" to see what process category is causing the CPU spike. RouterOS does not list out the individual processes but only th...
by angriukas
Wed Jan 19, 2022 10:28 am
Forum: General
Topic: CCR1009 CPU load 100%
Replies: 11
Views: 3341

Re: CCR1009 CPU load 100%

Config wasn't changed for months. One day the problem just suddenly arose.
by angriukas
Tue Jan 18, 2022 5:51 pm
Forum: General
Topic: CCR1009 CPU load 100%
Replies: 11
Views: 3341

Re: CCR1009 CPU load 100%

It could be useful if you provide an export of your configuration:
/export hide-sensitive file=configexport

Unfortunately cannot provide cfg because of corporate router, sorry.
by angriukas
Tue Jan 18, 2022 5:21 pm
Forum: General
Topic: CCR1009 CPU load 100%
Replies: 11
Views: 3341

CCR1009 CPU load 100%

Hi, In approximately two hours after reboot of router CPU load rises to 100%. Note, that CPU load rises quite a slowly: just after reboot 3-4% in a first hour after reboot from 4 to 20%, in the next hour, from 20 to 100%. Situation ends up with “kernel failure in previous boot“. Tools -> profile poi...
by angriukas
Wed Dec 08, 2021 11:47 am
Forum: Announcements
Topic: v7.1 is released!
Replies: 785
Views: 226732

Re: v7.1 is released!

After upgrade from long-term (probably was 6.47.10) to 7.1 - PIM config was cleared. Seems to be no conversion occurred, PIM is empty after upgrade.
Update: downgraded to 6.48.6 - PIM config in place.
by angriukas
Thu Oct 14, 2021 11:49 am
Forum: General
Topic: RB4011 Mounting Brackets
Replies: 3
Views: 762

Re: RB4011 Mounting Brackets

Have installed a few of RB4011, yes - only one screw. Looks like this is by design.
by angriukas
Wed Oct 13, 2021 3:19 pm
Forum: General
Topic: PIM, no multicast on OpenVPN interface
Replies: 0
Views: 740

PIM, no multicast on OpenVPN interface

Hi, created OpenVPN tunnel (mode ip) between two Mikrotiks. On both routers PIM contains bridge interface as well as ovpn interface, then on both routers configured RP with needed multicast group. Both routers contains correct routes, IP's of needed devices are reachable via ovpn tunnel. The problem...
by angriukas
Fri Oct 09, 2020 6:42 pm
Forum: RouterBOARD hardware
Topic: The big CCR2004 reboot thread (was 2004 hardware issues?)
Replies: 458
Views: 148666

Re: 2004 hardware issues?

We also have issues with CCR2004, there is no BGP/OSPF in our case. Reboots are fully random, sometimes a few times per day, sometimes once in two weeks.
CPU load does not exceed 6%, average load 20-25Mbps with rare spikes to 50Mbps. ROS: 6.47.4.
We love MT devices, ...but those reboots are horrible.
by angriukas
Mon Aug 31, 2020 4:06 pm
Forum: General
Topic: Help need: CCR1072 is randomly rebooting!
Replies: 6
Views: 1891

Re: Help need: CCR1072 is randomly rebooting!

Had similar issue with CCR1009-7G-1C-1S+, problem was in IPSec VPN when using AES encryption. After changing to 3DES kernel failure stopped. Support stated they have found the root of the problem, but I do not know about the fix, because I left our VPN on 3DES encryption algorithm. Cannot experiment...
by angriukas
Wed Aug 19, 2020 7:10 pm
Forum: Wireless Networking
Topic: CAP interface MAC
Replies: 10
Views: 2987

Re: CAP interface MAC

It seems CAPsMAN correctly generates MAC, my prev. post is faulty, sorry for that.
But head pain still exists - still do not understand why loggers refuse to work in case of dynamic interfaces...
by angriukas
Wed Aug 19, 2020 3:57 pm
Forum: Wireless Networking
Topic: CAP interface MAC
Replies: 10
Views: 2987

Re: CAP interface MAC

Update: made CAPsMAN in warehouse. Customer are using temperature loggers (portable devices with WiFi interface). Loggers are connected to SSID3. And...if I use provisioning rules which creates dynamic interfaces in CAPsMAN - first virtual AP always getting same MAC like master interface, example: 2...
by angriukas
Tue Aug 18, 2020 4:12 pm
Forum: Wireless Networking
Topic: CAP interface MAC
Replies: 10
Views: 2987

Re: CAP interface MAC

What information is it showing on /capsman radio?

Nothing special, virtual interfaces are bound to the same radio.
Note: I have deleted/created interface several times, that's why here is cap16 in this screen-shot.
by angriukas
Tue Aug 18, 2020 3:51 pm
Forum: Wireless Networking
Topic: CAP interface MAC
Replies: 10
Views: 2987

Re: CAP interface MAC

Virtual interfaces for slaves are created dynamically during provisioning. I think it's best practice not changing any virtual wireless interfaces other then through the caps manager. Have made the test with dynamic interfaces. First virtual interface contains same MAC from master interface, subseq...
by angriukas
Tue Aug 18, 2020 12:47 pm
Forum: Wireless Networking
Topic: CAP interface MAC
Replies: 10
Views: 2987

Re: CAP interface MAC

Virtual interfaces for slaves are created dynamically during provisioning. I think it's best practice not changing any virtual wireless interfaces other then through the caps manager. In my case interfaces are created manually, because I need assign channel to AP individually. Are you using provisi...
by angriukas
Tue Aug 18, 2020 11:38 am
Forum: Wireless Networking
Topic: CAP interface MAC
Replies: 10
Views: 2987

CAP interface MAC

Hi, does anybody could explain how to be with CAP interface MAC address in case of multiple SSID's (virtual AP's)? In CAPsMAN I have master interface for SSID-Lan and two slave interfaces for SSID-Guest and SSID-Mng. So, SSID-Guest and SSID-Mng are virtual AP's, both interfaces has no Radio MAC. Wik...
by angriukas
Tue Jun 30, 2020 6:45 pm
Forum: General
Topic: Mikrotik as OpenVPN Server
Replies: 5
Views: 1711

Re: Mikrotik as OpenVPN Server

Here is similar case to your situation: https://mum.mikrotik.com/presentations/VN17/presentation_4102_1493726768.pdf Check does ip->routes contains needed routes. Try to add firewall rules in forward chain to allow packets between 192.168.81.0/24 and 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24...
by angriukas
Mon Jun 29, 2020 4:32 pm
Forum: General
Topic: Mikrotik as OpenVPN Server
Replies: 5
Views: 1711

Re: Mikrotik as OpenVPN Server

I can only guess:
Notebook "do not knows" about networks of Office 1,2,3, all of packets from notebook for example to 192.168.40.0/24 are forwarded to internet.
Add to the .ovpn file needed subnets:

route 192.168.20.0 255.255.255.0
route 192.168.30.0 255.255.255.0
route 192.168.40.0 255.255.255.0
by angriukas
Thu Jun 25, 2020 5:19 pm
Forum: Wireless Networking
Topic: HAP AC Lite WIFI issue with CAPSMAN [SOLVED]
Replies: 16
Views: 6373

Re: HAP AC Lite WIFI issue with CAPSMAN [SOLVED]

Did you add to the logging "caps" topic, still nothing in the log?
by angriukas
Thu Jun 25, 2020 10:43 am
Forum: RouterOS beta
Topic: v7.0beta8 [development] is released!
Replies: 178
Views: 92750

Re: v7.0beta8 [development] is released!

ROS 7.0beta8 contains problems with CAPsMAN (or with DHCP)! Local WiFi interface (on same router) connected via CAPsMAN (in CAPsMAN forwarding mode) cannot deliver DHCP lease, error occurred: 03:01:08 dhcp,warning dhcp1-lan offering lease 192.168.101.253 for MAC-ADDRESS without success There is no pro...
by angriukas
Sun Jun 14, 2020 3:57 pm
Forum: RouterBOARD hardware
Topic: SXT LTE v2 looses sim card
Replies: 16
Views: 7324

Re: SXT LTE v2 looses sim card

Two times encountered loss of SIM card for "SXT 4G kit" device. It's interesting - reboot didn't help, still no SIM card. After Netinstall SIM card was recognized, later lost again. Removed SIM, added again. Firmly press and hold, boot device - nothing helped. Already want to RMA device, b...
by angriukas
Wed Apr 08, 2020 1:33 pm
Forum: Beginner Basics
Topic: Unidentified traffic
Replies: 7
Views: 3166

Re: Unidentified traffic

Correct me if I'm wrong, but Torch tool shows the same information as on the Connections tab. (IP - Firewall - Connections). I see the source IP there, but the destination IP is not a private IP from my network, it is the IP of Mikrotik, so I can't understand who initiated this traffic. From your pos...
by angriukas
Wed Apr 08, 2020 1:00 pm
Forum: General
Topic: Number of OpenVPN server instances?
Replies: 3
Views: 1863

Re: Number of OpenVPN server instances?

I do not know what do you mean "two different systems", but single instance of OpenVPN server is able to handle various situations. Possible solution: in .ovpn config file at the end you can add directive "route 192.168.0.0 255.255.255" to allow only needed subnet for that partic...
by angriukas
Tue Apr 07, 2020 1:57 pm
Forum: Beginner Basics
Topic: Unidentified traffic
Replies: 7
Views: 3166

Re: Unidentified traffic

Try to use Tools -> Torch to identify the source of the traffic. It can be anything, from torrent client inside of LAN to ...
by angriukas
Tue Apr 07, 2020 1:54 pm
Forum: General
Topic: Number of OpenVPN server instances?
Replies: 3
Views: 1863

Re: Number of OpenVPN server instances?

What's the reason to have two OpenVPN servers on same hardware?
by angriukas
Mon Apr 06, 2020 1:43 pm
Forum: General
Topic: VPN ( IPSec ) packet loss
Replies: 8
Views: 4770

Re: VPN ( IPSec ) packet loss

Set same value from field "MAC Address".
by angriukas
Fri Mar 13, 2020 2:28 pm
Forum: Wireless Networking
Topic: CAP AC with VLANs on wifi and on ethernet interfaces
Replies: 12
Views: 9130

Re: CAP AC with VLANs on wifi and on ethernet interfaces

In general - yes. CAPsMAN by config in 'data path' will add cap interfaces to the appropriate bridges. eth2-5 -> bridge-lan, also DHCP server on this bridge for lan IP's like: 192.168.0.0/24 Then seconds DHCP on bridge-guest like: 192.168.40.0/24 In firewall: allow DNS requests for guests: /ip firew...
by angriukas
Fri Mar 13, 2020 12:57 pm
Forum: Wireless Networking
Topic: CAP AC with VLANs on wifi and on ethernet interfaces
Replies: 12
Views: 9130

Re: CAP AC with VLANs on wifi and on ethernet interfaces

This is sample only, for lan and for guest. You cannot use this file as script because I have replaced sensitive info (include MAC addresses).
by angriukas
Fri Mar 13, 2020 11:19 am
Forum: Wireless Networking
Topic: CAP AC with VLANs on wifi and on ethernet interfaces
Replies: 12
Views: 9130

Re: CAP AC with VLANs on wifi and on ethernet interfaces

Maybe I am wrong, but I do not see the needs of VLAN if communication between CAP and CAPsMAN are on L2. It's enough to have two bridges in CAPsMAN, first one for LAN, second one for guests, with own dhcp server for each bridge. You can control traffic between bridges in CAPsMAN with firewall. Same ...
by angriukas
Mon Mar 09, 2020 3:06 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 14219

Re: Firewall disabling my wireless interface in CAPsMAN

Simple solution would allow L3 communications.
Create firewall rule in the INPUT chain to allow new connections from needed IP. Place this rule before drop rule.
ip firewall filter add chain=input src-address=A.B.C.D action=accept
by angriukas
Thu Mar 05, 2020 4:28 pm
Forum: General
Topic: ip-sec between MikroTik and Cisco ASA not passing traffic
Replies: 23
Views: 7381

Re: ip-sec between MikroTik and Cisco ASA not passing traffic

In the past we had IPSec tunnel between MT and ASA, no problems at all. Not sure is it relevant for you, but I will share my case: few days ago had issue with IPSec when client connects from NAT'ed ISP network (4G). Tunnel initiated, but no traffic could pass the tunnel. The solution was - turn on N...
by angriukas
Thu Mar 05, 2020 10:20 am
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 14219

Re: Firewall disabling my wireless interface in CAPsMAN

The link to youtube I have posted contains info how to attach local wireless to CAPsMAN. Learn from that video.
by angriukas
Tue Mar 03, 2020 11:52 am
Forum: Beginner Basics
Topic: IPSEC problems over 4G
Replies: 7
Views: 5055

Re: IPSEC problems over 4G

So, situation is as follows: created 4 rules in firewall to log packets. I can see in the input chain incoming VPN packets with proto 50 then I can see in forward chain ICMP request then I can see in forward chain ICMP response and finally I can see packets leaving my router with proto 50 in output ...
by angriukas
Mon Mar 02, 2020 6:42 pm
Forum: Beginner Basics
Topic: IPSEC problems over 4G
Replies: 7
Views: 5055

Re: IPSEC problems over 4G

ISP can give you IPv6, other IPv4. ISP can block protocols but you should check the Firewall\Connections You should check this yourself - you know. IPSec configure means know what and how works should be checked by you too. ISP assign for me IPv4, as I noted - VPN is established, I am sure for 99% ...
by angriukas
Mon Mar 02, 2020 5:30 pm
Forum: Beginner Basics
Topic: IPSEC problems over 4G
Replies: 7
Views: 5055

IPSEC problems over 4G

Hi, I have encountered following situation: IPSEC configured on CCR. Client side – Windows ShrewSoft VPN client. There is no issues with VPN tunnel from wired/WiFi networks. But I have problems with VPN if I try connect from 4G mobile network, I share internet connection from Android phone via tethe...
by angriukas
Mon Mar 02, 2020 4:18 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 14219

Re: Firewall disabling my wireless interface in CAPsMAN

You can use any prefixes you want.
If CAP's contains no CAPsMAN IP address in config - assume it is L2 ;)
If you are not sure about L2, as proof you can try to remove IP address from CAP - that device still should provide WiFi.
Regarding 2.4 interfaces - hard to comment.
by angriukas
Mon Mar 02, 2020 2:38 pm
Forum: General
Topic: VPN ( IPSec ) packet loss
Replies: 8
Views: 4770

Re: VPN ( IPSec ) packet loss

Here it is.
by angriukas
Mon Mar 02, 2020 2:33 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 14219

Re: Firewall disabling my wireless interface in CAPsMAN

Switch in between should have no influence for CAPsMAN via L2.
by angriukas
Fri Feb 28, 2020 8:33 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 14219

Re: Firewall disabling my wireless interface in CAPsMAN

Nobody will say what exactly you should do :) If I understood correctly from last post - you have two CAPsMAN's. For L2 - you cannot lock to CAPsMAN by IP. Lock should be like that: in CAPsMAN manager set option "Require Peer Certificate" in AP lock to the needed CAPsMAN with cert. Before ...
by angriukas
Fri Feb 28, 2020 2:23 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 14219

Re: Firewall disabling my wireless interface in CAPsMAN

Loaded your cfg to CHR. I see nothing wrong there. I usually use single provisioning for multiple SSID's and 2.4/5GHz bands. But it's up to you. I guess you have entered CAPsMAN IP address during AP configuration. Attached my CAP config screen. In my case AP is locked to CAPsMAN via certificates, an...
by angriukas
Fri Feb 28, 2020 1:47 pm
Forum: Beginner Basics
Topic: RS to master port
Replies: 4
Views: 4364

Re: RS to master port

Router should have static IP on LAN interface. DHCP is needed for client PC's or other network devices in LAN (which are connected to that bridge). And only one DHCP server is allowed in the same broad-cast domain. Configure your mikrotik like this: Disable DHCP client in mikrotik on LAN bridge inte...
by angriukas
Fri Feb 28, 2020 1:31 pm
Forum: General
Topic: RB4011 and RB1100 AHx4 "bricks" randomly
Replies: 222
Views: 78809

Re: RB4011 and RB1100 AHx4 "bricks" randomly

10 days ago installed two RB4011iGS+ devices.
Firewall, 3 bridges, CAPsMAN with two SSID's, EoIP between both devices, few queues.
No bricks, no reboots, no issues at all.
RoS and firmware: 6.45.8
by angriukas
Fri Feb 28, 2020 1:14 pm
Forum: General
Topic: VPN ( IPSec ) packet loss
Replies: 8
Views: 4770

Re: VPN ( IPSec ) packet loss

What I would do in your case is: include ipsec and debug in to logging rules, analyze log to reveal what's going on. Also: I see the bridge in your config, add Admin MAC to the bridge, because sometimes bridge could change his MAC address, it depends from running/inactive ports. That could have infl...
by angriukas
Fri Feb 28, 2020 12:59 pm
Forum: Beginner Basics
Topic: RS to master port
Replies: 4
Views: 4364

Re: RS to master port

If port is in the bridge (port is slave in your case), then DHCP should be configured on the "bridge_local" interface (not on slave port). Bridge acts as an interface.
The same is for firewall and other services. Everywhere in config should be used bridge interface (instead of slave port).
by angriukas
Fri Feb 28, 2020 10:12 am
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 14219

Re: Firewall disabling my wireless interface in CAPsMAN

This line points that your AP's communicating with CAPsMAN via L3, that's why FW rules comes in action. 16:45:43 caps,info [::ffff: 192.168.88.1:55981 ,Join,[C4:AD:34:60:88:12]] joined, provides radio(s): C4:AD:34:60:88:1D,C4:AD:34:21:20:69 The log line should look like: 16:45:43 caps,info [ MAC ADD...
by angriukas
Thu Feb 27, 2020 4:27 pm
Forum: Wireless Networking
Topic: Firewall disabling my wireless interface in CAPsMAN
Replies: 22
Views: 14219

Re: Firewall disabling my wireless interface in CAPsMAN

If CAP is on the same L2 segment with CAPsMAN - FW should have no influence.
Provisioning should be without IP on the same L2 segment.
by angriukas
Mon Feb 17, 2020 3:10 pm
Forum: Beginner Basics
Topic: Stupid Questions
Replies: 12
Views: 4109

Re: Stupid Questions

I have few notes about RB4011:
mounting ears are terrible if you plan to install this router to rack.
Switch chip is not the best inside of RB4011.
Despite all of that RB4011 has good HW characteristics.
Also you can use CCR1009 if budget allows that and no switch chip is needed.
by angriukas
Thu Jan 23, 2020 10:09 am
Forum: Beginner Basics
Topic: Replacing current router
Replies: 2
Views: 1333

Re: Replacing current router

Each situation is different. Nobody will say exact steps, like do A, B, C, ...
If you have not enough experience - better to hire certified MT specialist near you, which can do the job and explains-teach you for the same :)
by angriukas
Mon Jan 13, 2020 2:38 pm
Forum: RouterBOARD hardware
Topic: USB POWER Problems on RB952Ui-5ac2nD-TC with sn: xxxxxxxxxxxx/936 and /937
Replies: 6
Views: 5865

Re: USB POWER Problems on RB952Ui-5ac2nD-TC with sn: xxxxxxxxxxxx/936 and /937

Metering device could have delay, but: at 0.448A it is visible only 4.04V. Possibly that 4.04V can occur because of USB power cut-off. But also possible this case: USB voltage dropped due to high load, and as result modem resets itself due to low voltage... Without oscilloscope it's not possible to ...
by angriukas
Mon Jan 13, 2020 11:45 am
Forum: General
Topic: Locked myself out of WinBox - Help Requested
Replies: 7
Views: 3455

Re: Locked myself out of WinBox - Help Requested

Try connect via serial port and enable eth if your router has management port.
by angriukas
Thu Jan 09, 2020 5:25 pm
Forum: SwOS
Topic: CSS326-24G-2S+RM hangs until power cycle
Replies: 124
Views: 69677

Re: CSS326-24G-2S+RM hangs until power cycle

Sharing info about my story: Had issues (port flapping) on CRS326 powered from APC UPS. Standard CRS PSU for 24V 1200mA replaced with PSU from CCR with DIY elements 8) Post #169 https://forum.mikrotik.com/viewtopic.php?f=2&t=141633 With new PSU port flapping disappeared, SFP+ ports started to w...
by angriukas
Thu Jan 09, 2020 4:20 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 1
Views: 854

Re: IPSEC dynamic peer ip

Firewall should allow traffic to/from tunnel:

;;; accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

;;; accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
by angriukas
Tue Jan 07, 2020 5:27 pm
Forum: General
Topic: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+
Replies: 214
Views: 70261

Re: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+

I have soldered fan wires directly to PSU 24V outlet. Fan could also produce noise. Unfortunately both CRS are far enough from me, can't do testing with lab PSU. linkdowns.txt - events for few last days, 10/100M speed - should be PC NIC in low power mode, I think. During transition between power mod...
by angriukas
Tue Jan 07, 2020 11:27 am
Forum: General
Topic: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+
Replies: 214
Views: 70261

Re: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+

Hi, want to share small story :) I have two CRS326, both devices powered from APC UPS, both CRS's are out of warranty. My problem was: - port flapping on both devices - Both CRS's with DAC cable on SFP+ interfaces won't work at all. - High CPU temperature, 76-78 degrees in celsius. I bought two 24V ...
by angriukas
Thu Jan 02, 2020 11:18 am
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 3959

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Hello. Could you get any new information from colleagues from Mikrotik? Few days ago had small conversation, MT support suggested 6.46.1 version. This is not so easy to do for me because I am admin only of local router. Currently we are on 3DES, both routers have to be reconfigured, quite a difficu...
by angriukas
Tue Dec 17, 2019 4:58 pm
Forum: Beginner Basics
Topic: Resetting mikrotik [SOLVED]
Replies: 2
Views: 1358

Re: Resetting mikrotik [SOLVED]

Reinstall RouterOS according this manual:
https://wiki.mikrotik.com/wiki/Manual:Netinstall
Note: you will lose all config you had before.
by angriukas
Mon Dec 16, 2019 1:43 pm
Forum: General
Topic: CCR1072-1G-8S+ crashing?
Replies: 3
Views: 1721

Re: CCR1072-1G-8S+ crashing?

We faced issues on CCR1009 with ipsec AES-256. We had no freeze, it was a loop: boot - kernel failure - reboot.
Try 3DES if you have such case.
by angriukas
Fri Dec 13, 2019 9:42 am
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 69174

Re: v6.46 [stable] is released!

Hi, I've just upgraded to 6.46 stable on various mikrotik routers. I've noticed that if I change some parameters in interface wireless configuration (mode, freq, sc-list etc.) it freezes for no reason (shows initializing in bottom interface status menu) then I have to manually access the router, reset and ...
by angriukas
Thu Dec 12, 2019 9:48 am
Forum: General
Topic: IGMP proxy, EPG/menu issues on STB
Replies: 4
Views: 1679

Re: IGMP proxy, EPG/menu issues on STB

I didn't succeed with IGMP proxy, STB still won't work, even in case when whole traffic is routed to vlan6.
Thanks for spent time.
by angriukas
Thu Dec 12, 2019 9:44 am
Forum: General
Topic: S2S VPN PH2 status
Replies: 5
Views: 2281

Re: S2S VPN PH2 status

I have created tunnels with Cisco ASA, as well as with SonicWall - always got PH2 Established. No problems with that.
For PROD routers I am using latest long-term version.
If tunnel itself is OK - PH2 status could be incorrectly displayed, but I didn't see such a case.
Try 6.44.6 ROS version.
by angriukas
Wed Dec 11, 2019 6:01 pm
Forum: General
Topic: S2S VPN PH2 status
Replies: 5
Views: 2281

Re: S2S VPN PH2 status

Hard to say why you get "ipsec IPsec-SA expired", could be any reason. Cannot comment much without knowing exact info like: hardware you are using on both sides, ROS version, exact config (/export compact hide-sensitive). You have to: properly configure ipsec on both sides on both sides op...
by angriukas
Wed Dec 11, 2019 4:14 pm
Forum: General
Topic: S2S VPN PH2 status
Replies: 5
Views: 2281

Re: S2S VPN PH2 status

No phase 2 = no VPN :)
PH2 State = Established -> means VPN OK
Add ipsec topic in the /system logging - will help to find VPN issues.
by angriukas
Wed Dec 11, 2019 11:31 am
Forum: General
Topic: IGMP proxy, EPG/menu issues on STB
Replies: 4
Views: 1679

Re: IGMP proxy, EPG/menu issues on STB

Depends on STB model ... STB I received from my ISP uses normal internet connection to download EPG ... so I have to provide both untagged internet service (part of my LAN subnet) and tagged multicasts. According MAC - my STB is by Motorola. Well, I have situation when STB is in the local network, ...
by angriukas
Tue Dec 10, 2019 12:39 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 5779

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

I sniffed packets on the router's wan interface and I can see the DHCP Inform coming from the Windows 10's VPN IP, so somehow that doesn't reach ipsec?

Cannot comment much about that, sounds like IPSEC policy issues. Try increasing log verbosity (ipsec and debug), in hope that log will reveal the reason.
by angriukas
Tue Dec 10, 2019 11:35 am
Forum: General
Topic: IGMP proxy, EPG/menu issues on STB
Replies: 4
Views: 1679

IGMP proxy, EPG/menu issues on STB

Hello, There are lot of topic about IPTV, I read lot of them, unfortunately cannot find answer to issues occurred in my case. So, I am trying to setup IPTV via IGMP proxy, my setup is following: hardware: CRS109-8G-1S-2HnD ROS: 6.44.6 from ISP i get: internet traffic - no vlan, DHCP IPTV traffic - v...
by angriukas
Fri Dec 06, 2019 9:13 am
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 2687

Re: Proper VLAN switching on router?

Solution we have developed in this thread requires two Mikrotiks, second Mikrotik (CRS in schema) needed for removing vlan6 tag. I am curious how ISP solved that with single router, because if I order internet service from ISP with their router (Technicolor TG789vacV2) it is allowed to plug STB to a...
by angriukas
Fri Dec 06, 2019 12:58 am
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 2687

Re: Proper VLAN switching on router?

Can confirm, script from post #3 working on Atheros-8327. Didn't apply "/interface bridge vlan ...", because I am not going to use vlan-filtering in the bridge on this router. I paste all config at once via terminal, no disconnection occurred, Winbox connection to router was from LAN. Afte...
by angriukas
Thu Dec 05, 2019 7:26 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 2687

Re: Proper VLAN switching on router?

Thanks for explanation,
seems to be attempts in test lab with Atheros-8227 failed. Going to configure directly on PROD with Atheros-8327. Keep in touch.
by angriukas
Thu Dec 05, 2019 6:08 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 2687

Re: Proper VLAN switching on router?

Something is not OK. I take hAP mini (Atheros-8227), reset to blank, load following config: /interface bridge add name=bridge /interface vlan add interface=bridge name=bridge.wan.2222 vlan-id=2222 /interface ethernet switch port set 0 default-vlan-id=2222 vlan-mode=secure set 1 default-vlan-id=1 vla...
by angriukas
Thu Dec 05, 2019 4:50 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 2687

Re: Proper VLAN switching on router?

Very smart solution :shock:
Today I will test this approach on PROD. Will post reply about results later.
I think this sample is worth to mention in the wiki, for example here: https://wiki.mikrotik.com/wiki/Manual:L ... figuration
Thanks again.
by angriukas
Thu Dec 05, 2019 4:29 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 2687

Re: Proper VLAN switching on router?

Thanks for quick reply. The key factor is that single VLAN6 (IPTV) is used in my case, WAN uses no VLAN. @sindy: Would you like to say, that bridge.wan.2222 is like a "fake" interface for routing, where in fact tag 2222 is removed by switch on port ether1 and on bridge? Finally, ISP and LA...
by angriukas
Thu Dec 05, 2019 1:25 pm
Forum: General
Topic: Proper VLAN switching on router?
Replies: 11
Views: 2687

Proper VLAN switching on router?

Hi, Advice is needed, how to configure router in the following case: ISP provide IPTV on vlan6. But STB located after switch, there is no possibility connect STB directly to the router. Attached image contains current configuration. I think this config is wrong because vlan6 is bridged, no hardware ...
by angriukas
Tue Dec 03, 2019 10:32 am
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5168

Re: Site to Site L2TP VPN

Yes, both ends. One final question, what do I do with my existing masquerade policy? Do I put your before mine, after mine or simply delete mine? Thanks... Answer: replace yours masq with new one or add "ipsec-policy=out,none" to the existing masq rule. l2tp+ipsec are creating dynamic pol...
by angriukas
Mon Dec 02, 2019 3:50 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 5779

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

What are you talking about ? There is no need to add any manual routes on your L2TP client...! The client will get his IP through the server. Thats all needeed... The client will then create a Dynamic route for that network... I am talking about standard Windows client, lot of routes are needed in ...
by angriukas
Mon Dec 02, 2019 3:33 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 5779

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

It takes less than 2 seconds to change that...

And what's then - manual or scripted "route add..."
Users like that ;)
by angriukas
Mon Dec 02, 2019 3:28 pm
Forum: General
Topic: Mikrotik routers interconnection between sites for failover
Replies: 1
Views: 714

Re: Mikrotik routers interconnection between sites for failover

If I understood correctly - you need site-to-site VPN. For example - IPsec tunnel.
Better to use CCR, because of hardware acceleration.
by angriukas
Mon Dec 02, 2019 3:14 pm
Forum: General
Topic: Site to Site VPN (13 Sites & 2 remote Laptops)
Replies: 18
Views: 5779

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

I would choose IPSec tunnels. Head office router - definitely CCR (because of hardware acceleration), depending from IPSec traffic and how many ports do you need. Cheapest is 1009 series models. RW - notebooks with IPSec client like Shrew-soft-vpn. Branch offices - hAP ac² because of this device als...
by angriukas
Mon Dec 02, 2019 2:40 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5168

Re: Site to Site L2TP VPN

Did you configure routes?

IPSec is interface less. Policy plays the game.
by angriukas
Mon Dec 02, 2019 2:37 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5168

Re: Site to Site L2TP VPN


Thanks angriukas, I'll have to test this out tomorrow. It's late here in Australia. Do I do this at both ends?

Thanks again...

Duke

Yes, both ends.
by angriukas
Mon Dec 02, 2019 1:32 pm
Forum: General
Topic: Site to Site L2TP VPN
Replies: 13
Views: 5168

Re: Site to Site L2TP VPN

1. IPSec traffic should not be masqueraded, replace your masquerade rule with this one (change eth according your needs):
/ip firewall nat add action=masquerade chain=srcnat comment="default configuration" ipsec-policy=out,none out-interface=ether1
2. Allow IPSec traffic in forward chain (...
by angriukas
Wed Nov 20, 2019 3:08 pm
Forum: General
Topic: Log Server Help need
Replies: 1
Views: 763

Re: Log Server Help need

by angriukas
Wed Nov 20, 2019 3:00 pm
Forum: Beginner Basics
Topic: IPSec Tunnel Established But unable to Ping/Connect Remote Devices
Replies: 3
Views: 9446

Re: IPSec Tunnel Established But unable to Ping/Connect Remote Devices

I guess also: probably your firewall masquerades and/or drops packets to/from tunnel. Depending on router model - default configuration usually contains properly configured firewall rules for ipsec traffic. Following rules were taken from default config: two accepts should happen before last drops ...
by angriukas
Wed Nov 20, 2019 10:14 am
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 3959

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

This is related to packet fragmentation. In my case workaround was:
use 3DES encryption in phase 2 (in IPSec profiles) instead of AES256, because reboot occurs only in case of AES256 encryption,
or change MSS to 1350: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle#Change_MSS
Sample rule is...
by angriukas
Mon Nov 11, 2019 10:18 am
Forum: Wireless Networking
Topic: SXT 4G kit setup
Replies: 2
Views: 1916

Re: SXT 4G kit setup

Agree, the only explanation I see - SXT antenna (or modem) working not so well for exactly this frequency.
Signal level was OK in both cases. Direction also was taken into account.
Kind of lottery - never know about device compatibility with operator even chosen correct bands.
by angriukas
Thu Nov 07, 2019 6:52 pm
Forum: Wireless Networking
Topic: SXT 4G kit setup
Replies: 2
Views: 1916

SXT 4G kit setup

Hello, few days ago had the pleasure to setup 'SXT 4G kit' device, ROS 6.44.6. Installed two SIM cards (from different operators). After speed testing:
  • Operator Tele2, band 7, 2850 - download/upload speed pretty normal, in range of 80/40Mbps
  • Operator Telia, band 7, 3050 - download speed is bad, about...
by angriukas
Wed Nov 06, 2019 3:17 pm
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 3959

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Dears, situation is as follows:
Site1, ISP with 1Gbps line (CCR1009-7G-1C-1S+) <- - -> Site2, ISP with 30Mbps line (SonicWall)
IPSEC AES256-cbc – no kernel panic.
Site2 migrated to new ISP with about 10 times faster line. Right after that CCR started to panic in kernel even in RDP session via tunnn...
by angriukas
Tue Nov 05, 2019 7:41 pm
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 3959

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Upgraded to 6.44.6, still same behavior - kernel failure.
by angriukas
Tue Nov 05, 2019 3:38 pm
Forum: General
Topic: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?
Replies: 12
Views: 3959

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Today our router rebooted due to kernel failure lot of times. I guess this is due to IPSec. I can force kernel failure by sending big packet via VPN from PC in LAN:
ping 10.50.1.200 -l 10000
After this line I got kernel failure with router reboot.
Our hardware CCR1009-7G-1C-1S+ ROS 6.44.5 IPSec VPN...
by angriukas
Tue Nov 05, 2019 2:45 pm
Forum: SwOS
Topic: System rebooted because of kernel failure
Replies: 2
Views: 4042

Re: System rebooted because of kernel failure

Today got three kernel failures on CCR1009-7G-C-1S+, ROS 6.44.5
This is first time I see kernel failure.
Router started to reboot every few minutes.
No idea what is going on :(

Update: totally five reboots every 2-3 minutes. Then suddenly reboots stopped.
by angriukas
Sat Oct 05, 2019 3:53 pm
Forum: Announcements
Topic: Wireless link calculator updated
Replies: 71
Views: 83743

Re: Wireless link calculator updated

Hi,
cannot get working elevation graph.
Specs and results - all values entered properly.
"Link status" = Reliable, but elevation graph always shows 1m x 1km.
Used FireFox, Chrome, other browsers - no matter.
Could you please advise - how to get elevation?
by angriukas
Fri Jul 26, 2019 2:42 pm
Forum: RouterBOARD hardware
Topic: CRS326-24G-2S+RM fans
Replies: 20
Views: 16561

Re: CRS326-24G-2S+RM fans

Three problems with CRS326-24G-2S+
  • CPU temperature: 76°C - 78°C in room environment, 71°C in cooled env.
  • Port flapping
  • SFP+ issues when connecting between Mikrotik devices
by angriukas
Fri Jul 26, 2019 1:49 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 131
Views: 62441

Re: RB3011 port flopping - bad design

Have same problem on CRS326-24G-2S+ and CRS125-24G-1S
by angriukas
Tue Jul 16, 2019 2:23 pm
Forum: General
Topic: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+
Replies: 214
Views: 70261

Re: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+

I think CRS326-24G-2S+RM and CRS125-24G-1S contains same problem. SFP+ port in 1G mode - no problems. SFP+ port in 10G mode - problematic case even with Mikrotik DAC's. Update: problems raised when connecting two identical CRS326-24G-2S+RM devices with 10G DAC cable on SFP+ port. Not all of devices ...
by angriukas
Thu Jul 11, 2019 5:06 pm
Forum: General
Topic: CCR1036-12G-4S dual PSU or not?
Replies: 3
Views: 1379

Re: CCR1036-12G-4S dual PSU or not?

Is it really CCR1036? Maybe label is wrong. Check that by executing:
/system routerboard print
by angriukas
Wed Jul 10, 2019 2:23 pm
Forum: Virtualization
Topic: CHR PROXMOX Performance
Replies: 4
Views: 9471

Re: CHR PROXMOX Performance

Hard to say is it normal. There are lot of factors, like host NIC drivers, cpu version and etc... Performance tweaks are here. General recommendations:
  • try use 'PCI passthrough' for NIC (ROs probably will not detect NIC's due to missing drivers)
  • use 'host' CPU instead of kvm64
  • disable PVE 'firewall'...
by angriukas
Wed Jul 03, 2019 3:11 pm
Forum: Virtualization
Topic: CHR Hardware
Replies: 20
Views: 20745

Re: CHR Hardware

Try to use Proxmox Virtualization Platform (PVE). Just successfully tested CHR on PVE with KVM hypervisor. CHR VM (virtual machine) supports following interfaces:
  • disk - SATA or Virtio (to boot CHR).
  • network - all types, but only Virtio and vmxnet (VMWare) supports 10G. Better to use everywhere Virti...
by angriukas
Mon Oct 15, 2018 11:37 am
Forum: RouterBOARD hardware
Topic: 10G link problem on CRS326-24G-2S+
Replies: 1
Views: 1583

10G link problem on CRS326-24G-2S+

Hi, I have following setup: installed two devices CRS326-24G-2S+ in the same rack. Both devices booting into Router OS. Both devices connected over sfp+ with DAC:
copper pigtail, 1m
Vendor: MIKROTIK
Vendor serial: MCS17H10458
I expect to have 10Gb link between both devices. Port speed detected prope...
by angriukas
Fri Nov 29, 2013 3:34 pm
Forum: General
Topic: IPSec Road Warrior
Replies: 9
Views: 11860

Re: IPSec Road Warrior

Hello, From Wiki: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf
IpSec Server Config
At first we need a pool from which RoadWarrior will get an address. Typically in office you set up DHCP server for local workstations, the same DHCP pool can be used. That phra...
by angriukas
Sun Nov 24, 2013 3:37 pm
Forum: General
Topic: IPSec Road Warrior
Replies: 9
Views: 11860

Re: IPSec Road Warrior

Hello, thank you for quick responses. Now tunnel is enabled but I can't ping remote LAN. When I remove following lines from shrew:
s:ident-client-data:
s:ident-server-data:
and add
s:client-iface:virtual
s:client-ip-addr:192.168.7.50 -> free IP from remote LAN, not from DHCP pool
s:client-ip-mask:25...
by angriukas
Fri Nov 22, 2013 9:41 am
Forum: General
Topic: IPSec Road Warrior
Replies: 9
Views: 11860

IPSec Road Warrior

Hello, I have configured IPSec on RB751G-2hnd (ROS 6.6) according following document from Mikrotik wiki: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf but Shrew client can not bring-up ipsec tunnel, time-out occur. There is nothing mentioned in the wiki about firewa...