Community discussions

Search found 183 matches

by shaoranrch
Fri Apr 12, 2019 4:13 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 39487

Re: UKNOF 43 CVE

In IPv6 the usual prefix is /64. So a local attack will not be filtered by the rules proposed, and the number of possible hosts is 2^64 because IPv6 addresses are 128-bit numbers. Sent from my Mi A2 via Tapatalk Hey, I still don't quite get it. I do understand that this vector won't be blocked...
by shaoranrch
Wed Apr 10, 2019 10:51 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 39487

Re: UKNOF 43 CVE

It can be firewalled like you say, I posted rules that give you ideas how (and you can tune it to your needs). But many said that they have legitimate traffic coming from a single source to multiple destinations. Of course it would still be possible to exploit it from the inside, but frankly I alwa...
by shaoranrch
Wed Nov 14, 2018 7:26 pm
Forum: Forwarding Protocols
Topic: BGP Aggregates
Replies: 2
Views: 521

Re: BGP Aggregates

Don't forget to add an output filter to your peer. Actually it's pretty simple to aggregate routes from IGP. Hi, thank you for the reply. Yeah it's quite easy, I've been labbing this, my concern is if anyone has found any weird thing happening with this approach, we all know sometimes (perhaps too many ...
by shaoranrch
Tue Nov 13, 2018 7:13 pm
Forum: Forwarding Protocols
Topic: BGP Aggregates
Replies: 2
Views: 521

BGP Aggregates

Hello, I'll be needing to move (very slowly) a fully bridged network to a fully routed one with multiple entry and exit points towards the internet (multiple carriers, all with a BGP peering session). The first step here is to enable OSPF (after fixing all the mess with the bridges), since this netw...
by shaoranrch
Mon Sep 03, 2018 12:54 am
Forum: RouterBOARD hardware
Topic: Please, which is the equivalent of the Cisco router ASR 9906 at Mikrotik?
Replies: 4
Views: 731

Re: Please, which is the equivalent of the Cisco router ASR 9906 at Mikrotik?

None, if you're looking for a device with the features, resilience and capacity of an ASR like that, you need to go and check other brands.

The closest you can get is a CCR1072, and those are only comparable (and not 100%) to the ASR1001X.
by shaoranrch
Thu Aug 30, 2018 4:38 pm
Forum: RouterBOARD hardware
Topic: CCR1036 SFP1 problem
Replies: 1
Views: 261

CCR1036 SFP1 problem

Hello, Here's the situation: Almost 10 months ago we upgraded a CCR1036-12G-4S that was active and in production for the past 300 days to the latest (by the time) Bug Fix Only image, this device had a 1 GE FO Module plugged to SFP1 (Cisco branded), after the upgrade all was fine, then few days after...
by shaoranrch
Mon Mar 05, 2018 1:26 am
Forum: General
Topic: CRS317-1G-16S+
Replies: 0
Views: 289

CRS317-1G-16S+

Hello, I've got a question related to this device. Has anyone used this in a production environment? If so, how reliable has it been for you? Can the SFP+ ports work at 1 GE with SFP transceivers, or are they fixed at 10GE? Have you used it to mirror traffic? Have you experienced any delay when working like this...
by shaoranrch
Sat Mar 03, 2018 6:42 pm
Forum: General
Topic: Netflow packet analysis software for home network
Replies: 7
Views: 2070

Re: Netflow packet analysis software for home network

Hi, I have had success with Elastiflow, although it requires an Elasticsearch cluster that you'll have to size properly for it to work, check here: https://github.com/robcowart/elastiflow We also use Grafana to plot this data in real time. Nevertheless anything like this is always going to be costly...
by shaoranrch
Tue Feb 20, 2018 7:11 pm
Forum: Forwarding Protocols
Topic: routing filter set-bgp-communities ASN 32bit bug/error
Replies: 3
Views: 719

Re: routing filter set-bgp-communities ASN 32bit bug/error

Hi,

RouterOS doesn't have extended communities support yet (aside from the ROUTE-TARGET type used for MPLS VPN). The set-bgp-community is only for 32-bit communities, hence you can't put a 32-bit ASN in there, only 16-bit ones.
by shaoranrch
Fri Feb 02, 2018 5:49 pm
Forum: Forwarding Protocols
Topic: PPPoE on central router OR on each tower
Replies: 11
Views: 5586

Re: PPPoE on central router OR on each tower

Hello Guys, Resurrecting this old thread....I'm looking to carry my pppoe with ibgp. Anyone who's tried this? How do you summarize the /32s? I suppose redistribute connected routes into bgp and route filter what you don't want bgp to advertise. But then how to supernet the many /32s? Any help very ...
by shaoranrch
Fri Feb 02, 2018 4:09 pm
Forum: Forwarding Protocols
Topic: OSPF drops every 30m
Replies: 6
Views: 857

Re: OSPF drops every 30m

Any idea what can be a problem here? Thanks. IIRC OSPF has a panic update every 30 minutes even if there are no changes to the topology. It's actually not a "panic update". It's part of the standard: the routers that create an LSA need to reflood said LSA every 30 minutes when there are no changes. ...
by shaoranrch
Fri Feb 02, 2018 12:58 am
Forum: Forwarding Protocols
Topic: Possible critical routing bug 6.38.7
Replies: 0
Views: 365

Possible critical routing bug 6.38.7

Hi everyone, Here's the scenario Hardware: CCR1036-12G-4S ROS: 6.38.7 What's the router used for: Edge routing, terminates 2 eBGP peers and 2 iBGP peers Routing protocols in use: OSPF and BGP only Additional info No firewalling done except for rules that block access to SSH, winbox, BGP etc. There's...
by shaoranrch
Tue Jan 30, 2018 10:37 pm
Forum: Forwarding Protocols
Topic: OSPF drops every 30m
Replies: 6
Views: 857

Re: OSPF drops every 30m

You could try debugging OSPF via logs. If you are sure this isn't a congestion issue. You could also try setting up the network type as NBMA (and adding the static NBMA neighbors), UBNT wireless links have (had?) usually issues with multicast traffic (the one OSPF uses), changing to NBMA sets this t...
by shaoranrch
Sun Jan 28, 2018 1:32 am
Forum: Forwarding Protocols
Topic: Multiple ISP's, Remote sites, OSPF,MPLS,IBGP [SOLVED]
Replies: 5
Views: 868

Re: Multiple ISP's, Remote sites, OSPF,MPLS,IBGP [SOLVED]

Certainly I've tried many ways on the go. But no luck at all. What do you think we should do? Load balance is the way, but how to balance different links on a single point when you have remote sites where the lines are? That's the thing. Anyone, please? Hello, The thing is, you need to provide mo...
by shaoranrch
Sat Jan 27, 2018 11:56 pm
Forum: Forwarding Protocols
Topic: BGP route reflectors and cluster-id
Replies: 6
Views: 1601

Re: BGP route reflectors and cluster-id

Same cluster-id filtering only applies for updates between route-reflectors, if you didn't do it like this the reflectors would each have a copy of the others reflector's table, and this wouldn't change the fact that the clients would have 2 copies each (in this particular case) of the routes. Ok R...
by shaoranrch
Sat Jan 27, 2018 12:17 am
Forum: General
Topic: performance impact of simple queues for SNMP monitoring only?
Replies: 3
Views: 334

Re: performance impact of simple queues for SNMP monitoring only?

Thanks for the feedback. In this particular case, the number of queues i need is low...which is why I'm considering this option. For this scenario, I'm not actually interested in tracking per individual IP. I want to monitor a network which serves 3-5 different types of customers....and customers o...
by shaoranrch
Sat Jan 27, 2018 12:10 am
Forum: Forwarding Protocols
Topic: Dual Homing / BGP default route only / Load Sharing Setup
Replies: 1
Views: 856

Re: Dual Homing / BGP default route only / Load Sharing Setup

Hi, Let's go by parts - Given that both ISPs send only a default (0.0.0.0) route, how can we effectively share "Egress" load between these two equal cost links? From the perspective of your edge routers (the ones that terminate the eBGP sessions) there'll always be two 0.0.0.0/0 routes (eBGP and iBG...
by shaoranrch
Fri Jan 26, 2018 10:16 pm
Forum: Forwarding Protocols
Topic: BGP route reflectors and cluster-id
Replies: 6
Views: 1601

Re: BGP route reflectors and cluster-id

Same cluster-id filtering only applies for updates between route-reflectors, if you didn't do it like this the reflectors would each have a copy of the others reflector's table, and this wouldn't change the fact that the clients would have 2 copies each (in this particular case) of the routes. Most ...
by shaoranrch
Fri Jan 26, 2018 10:07 pm
Forum: General
Topic: performance impact of simple queues for SNMP monitoring only?
Replies: 3
Views: 334

Re: performance impact of simple queues for SNMP monitoring only?

While I haven't tested this myself, I think it'd impact (badly) on many things: Router's CPU 1.- Processing per-packet into the queues should grow with the number of queues you add 2.- Could mean a router's lockup in certain stressed scenarios depending on your overall network and hardware Configura...
by shaoranrch
Thu Jan 18, 2018 9:34 pm
Forum: Forwarding Protocols
Topic: Forwarding DDoS
Replies: 3
Views: 864

Re: Forwarding DDoS

Probably what happened was that the DDoS attack used randomized ports and IP addresses, which overloaded the connection state tracking table on the router. If you're not using any kind of stateful features, you can disable state tracking, which will reduce the load on the router in such situations in...
by shaoranrch
Wed Jan 17, 2018 4:16 pm
Forum: Forwarding Protocols
Topic: Full BGP table in VRF
Replies: 1
Views: 567

Re: Full BGP table in VRF

Hi, Any particular reason for doing it like this and not just using the global (main) table? Nevertheless, I've tried in labs things like this, although not using CCR but CHR (using 2 xeon processors, 8 GB of ram) and even though they take the full table the first time with no issue, when I tested t...
by shaoranrch
Tue Jan 16, 2018 2:10 am
Forum: Forwarding Protocols
Topic: BGP Multipath Load Balancing
Replies: 14
Views: 2844

Re: BGP Multipath Load Balancing

You could try AS path prepending to ISP1. That should make more of your prefixes prefer to reach you over ISP2 as you will appear closer in terms of AS hops. Unless you connect to the same ISP on both links, setting communities is only of limited value, unless you can get both ISPs to agree to usin...
by shaoranrch
Mon Jan 15, 2018 11:12 pm
Forum: General
Topic: FastNetMon Integration with MikroTik (DDoS detection software)
Replies: 38
Views: 12631

Re: FastNetMon Integration with MikroTik (DDoS detection software)

Hi! I can't download your .json files for Grafana (I'm using https://github.com/openbsod/grafana_dashboards but Grafana shows "no data points"). Your post shows that I don't have permissions. Can you make it public or send it to me by email? FastNetMon works fine with 6.38.3 with your configuration, some time...
by shaoranrch
Tue Jan 09, 2018 4:16 am
Forum: General
Topic: SImple queues not working with upload
Replies: 0
Views: 656

SImple queues not working with upload

Hi, Recently I had a task to build a parent/child relationship using simple queues to limit a pool of IPs, those IPs belong to different segments and are not sequential, basically this: I have a bunch of IPs in different ranges say: [*]192.168.0.0-192.168.0.10 [*]192.168.0.16-192.168.0.33 [*]172.16....
by shaoranrch
Thu Dec 14, 2017 10:17 pm
Forum: General
Topic: PPPoE and automatic queues issue
Replies: 0
Views: 236

PPPoE and automatic queues issue

Hello, I currently have an issue where automatic queues created upon login to the PPPoE service don't work as intended. Here's the setup: CCR1036-12G-4S Image: 6.39.3 (latest BFO) We've a bonded interface between Ether8-9 that connects to a switch, this interface has VLAN 100 on it. Over this VLAN is ...
by shaoranrch
Fri Dec 08, 2017 3:42 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 152268

Re: RouterOS v7.0 beta1 - when?

+1 On this request, please tell us when, the faster you release the faster we can test and give feedback for you to perfect it. I mainly work on the carrier side, we use MikroTik a lot but some things we do miss, especially related to the BGP and MPLS side... Your brand has been quickly evolving from...
by shaoranrch
Mon Oct 02, 2017 6:46 pm
Forum: Forwarding Protocols
Topic: CCR1072-1G-8S+ BGP Locking Up
Replies: 11
Views: 1925

Re: CCR1072-1G-8S+ BGP Locking Up

It is actually locking up both BGP and OSPF. Almost like it is dropping all forwarding. Hi, Do you see in the logs the message about the peering being dropped due to "hold timer expiration" (or something like that) by any chance? As far as I know, the routing process is the same for BGP and OSPF, so i...
by shaoranrch
Sat Sep 02, 2017 6:31 pm
Forum: General
Topic: Time for VLAN confessions!
Replies: 6
Views: 848

Re: Time for VLAN confessions!

I knew this day would come -- I'm hoping people can soften the blow for I have sinned.... Years ago, when I started with Mikrotik, I bought the RB1100 (how I remember that fan), and as needs came, I started adding CRS switches. We didn't do VLANs at the time, so I never bothered. I just kept adding sw...
by shaoranrch
Sat Aug 26, 2017 11:46 pm
Forum: General
Topic: FastNetMon Integration with MikroTik (DDoS detection software)
Replies: 38
Views: 12631

Re: FastNetMon Integration with MikroTik (DDoS detection software)

Hi all, we're providing BGP DDoS protection, fully automated mitigation service for Mikrotik networks. Detection and mitigation in less than 5 seconds. More info: https://ginernet.com/en/services/antiddos/bgp/ Hi, I see you're using FastNetMon as the detection mechanism in your service (saw the vid...
by shaoranrch
Sat Aug 26, 2017 3:41 pm
Forum: General
Topic: Link Downs monitoring
Replies: 2
Views: 1017

Re: Link Downs monitoring

Hello, We need to monitor via SNMP the "Interface \ Status \ Link Downs" value, and the "Rate" and "Full Duplex" values. Is it possible? Hello, I don't recall whether you can check the duplexity of the link using SNMP, however for the Link up/down (operational and admin status) you can, as well as for the counters f...
by shaoranrch
Sat Aug 26, 2017 3:44 am
Forum: General
Topic: FastNetMon Integration with MikroTik (DDoS detection software)
Replies: 38
Views: 12631

Re: FastNetMon Integration with MikroTik (DDoS detection software)

######### Updates (Jan. 2018) ######### InfluxDB Since we started using this (August 2017) the space usage for the influx logs increased by just 30 GB, this means we have records for the past 5 months in just 30 GB of space, our traffic patterns now show an increase in BW usage, we're usually at arou...
by shaoranrch
Sat Aug 26, 2017 3:44 am
Forum: General
Topic: FastNetMon Integration with MikroTik (DDoS detection software)
Replies: 38
Views: 12631

FastNetMon Integration with MikroTik (DDoS detection software)

Disclaimer: this is going to be a rather long post Hello, This guide will show you how to install and configure FastNetMon to be used with MikroTik and also as a bonus how to integrate it with Slack and Grafana , the first one is used to get reports about DDoS and the second one to have a really gr...
by shaoranrch
Fri Aug 25, 2017 3:07 am
Forum: Forwarding Protocols
Topic: OSPF - filter out dynamic network ?
Replies: 14
Views: 2120

Re: OSPF - filter out dynamic network ?

If I understand correctly what you want to do, you can just set the interfaces as passive by default in OSPF, so this way the server will advertise the connected customers IPs but the links by themselves won't participate in the OSPF process thus not learning IPs from there.
by shaoranrch
Sat Aug 12, 2017 4:34 am
Forum: General
Topic: Zone based firewalling for Mikrotik
Replies: 11
Views: 2409

Re: RE: Re: Zone based firewalling for Mikrotik

Hello shaoranrch,

I was wondering if you had any time to post the updated Zone Based Firewall script? I would greatly appreciate it and your help.

Thank you,

Eric
I just updated the repo, you can check it out now.

Regards,
by shaoranrch
Fri Aug 11, 2017 5:04 am
Forum: General
Topic: Zone based firewalling for Mikrotik
Replies: 11
Views: 2409

Re: Zone based firewalling for Mikrotik

Hey, sorry I haven't had the time to check this. I'll do it this weekend, my head has been somewhere else these days.

Sent from my SAMSUNG-SM-G920A via Tapatalk
by shaoranrch
Thu Aug 03, 2017 3:06 pm
Forum: General
Topic: Zone based firewalling for Mikrotik
Replies: 11
Views: 2409

Re: RE: Re: Zone based firewalling for Mikrotik

So, I'm releasing this for people to use and contribute to it. It's my approach to zone based firewalling (or ZBF) I've got this on a few routers in production (RB1100, hAP-Lite and CCR1009). For anyone that doesn't know, ZBF is a methodology to filter traffic based on the trustworthiness of an int...
by shaoranrch
Thu Aug 03, 2017 3:00 pm
Forum: General
Topic: Zone based firewalling for Mikrotik
Replies: 11
Views: 2409

Re: RE: Re: Zone based firewalling for Mikrotik

So, I'm releasing this for people to use and contribute to it. It's my approach to zone based firewalling (or ZBF) I've got this on a few routers in production (RB1100, hAP-Lite and CCR1009). For anyone that doesn't know, ZBF is a methodology to filter traffic based on the trustworthiness of an int...
by shaoranrch
Tue Aug 01, 2017 2:13 pm
Forum: Forwarding Protocols
Topic: Impossible ip route print with condition.
Replies: 1
Views: 370

Re: Impossible ip route print with condition.

This is something I've been struggling with too... Had to install quagga in another machine and use it as a route server to check the routes being used due to what you stated, if you filter in some specific and useful ways it never shows anything.

Sent from my SAMSUNG-SM-G920A via Tapatalk
by shaoranrch
Sun Jul 30, 2017 9:37 pm
Forum: Forwarding Protocols
Topic: DDOS BGP protection [automate communitys?]
Replies: 13
Views: 4822

Re: DDOS BGP protection [automate communitys?]

Try FastNetMon with ExaBGP. https://github.com/pavel-odintsov/fastnetmon I've set it up on a VM, and I configured my edge routers to send to FastNetMon netflow data. (IP > Traffic Flow in RouterOS). FastNetMon will constantly evaluate the packet rate and transfer rate and if your configured thresho...
by shaoranrch
Wed Jul 12, 2017 12:05 am
Forum: Forwarding Protocols
Topic: ECMP Load Balancing
Replies: 2
Views: 803

Re: ECMP Load Balancing

You need to use policy based routing, either by using policy rules: /ip route rule add src-address=172.16.1.11 action=lookup table=ISP01_OUT or via the mangle facility in the firewall: /ip firewall address-list add list=ISP1_CLIENTS address=172.16.1.11 /ip firewall mangle add chain=prerouting action...
by shaoranrch
Tue Jul 11, 2017 5:17 am
Forum: Forwarding Protocols
Topic: OSPF-DR,backup
Replies: 6
Views: 888

Re: OSPF-DR,backup

When I reboot R1 and it comes back into the network, the DR will be R2, the backup will be R3, and at this moment R1 is (DR other). Why didn't it switch back to R1 being DR? Hi, there's no preemption on the DR election in OSPF, as in, even if the device with the higher priority comes back onli...
by shaoranrch
Wed Jul 05, 2017 10:05 pm
Forum: Forwarding Protocols
Topic: Very strange issue with mangle
Replies: 3
Views: 849

Re: Very strange issue with mangle

I figured out what happened, just in case anyone else needs to know: it's all about how MikroTik processes locally originated outgoing packets. If you check the packet-flow it happens after the routing decision, so basically the router checks the current table (in this case the main one) and since it ...
by shaoranrch
Mon Jul 03, 2017 3:19 am
Forum: Forwarding Protocols
Topic: Very strange issue with mangle
Replies: 3
Views: 849

Re: RE: Re: Very strange issue with mangle

There's nothing else in this router.
No changes in /ip settings, for example rp-filter?
Hi, none at all, I've even restarted the router to factory settings.

Sent from my SAMSUNG-SM-G920A via Tapatalk
by shaoranrch
Mon Jul 03, 2017 1:50 am
Forum: Forwarding Protocols
Topic: Very strange issue with mangle
Replies: 3
Views: 849

Very strange issue with mangle

Hello everyone, Currently I've got a weird situation with some mangle rules, the rules in question are these: /ip firewall mangle add action=mark-connection chain=prerouting comment="##Start of MGMT Access Rules##" connection-mark=no-mark in-interface=ether10 \ new-connection-mark=mgmt_connection pa...
by shaoranrch
Tue Jun 13, 2017 5:12 am
Forum: Forwarding Protocols
Topic: BGP Announce Problem
Replies: 10
Views: 1730

Re: BGP Announce Problem

That is certainly the behavior of some routing platforms like Cisco, but MikroTik can advertise a prefix without it existing in the routing table. But it must surely exist in the BGP table in order for it to be advertised, and if it's in the BGP table, isn't it going to be in the routing table (may...
by shaoranrch
Tue Jun 13, 2017 5:02 am
Forum: Forwarding Protocols
Topic: Load Balance with OSPF
Replies: 3
Views: 977

Re: Load Balance with OSPF

This is the kind of thing BGP was designed for, you can't establish preferences on a per-prefix basis using OSPF but you can do this using BGP. The guys of IParchitechs have a presentation about a way to achieve this kind of thing here: http://www.stubarea51.net/2017/05/27/wisp-design-using-ebgp-and-os...
by shaoranrch
Sun Jun 04, 2017 1:48 am
Forum: Forwarding Protocols
Topic: Multiple BGP sessions to one provider
Replies: 10
Views: 2642

Re: Multiple BGP sessions to one provider

I actually had an issue like this with IPv4. Multiple peers within a router, one of them went down then up. Got a message about hold timer expired and the next thing I know is that even the OSPF adjacencies went down on this particular router, as if the routing process went down. Happened 3 times, w...
by shaoranrch
Fri May 19, 2017 9:00 pm
Forum: Forwarding Protocols
Topic: BGP Announce Problem
Replies: 10
Views: 1730

Re: BGP Announce Problem

Is this the chain you're using? add action=accept chain=Britis_out comment="ANUNCIO DE BLOCOS-BRITIS" prefix=192.140.36.0/22 prefix-length=22-24 add action=accept chain=Britis_out prefix=192.140.36.0/23 prefix-length=23 add action=accept chain=Britis_out disabled=yes prefix=192.140.37.0/24 prefix-le...
by shaoranrch
Fri May 19, 2017 7:35 pm
Forum: Forwarding Protocols
Topic: BGP Announce Problem
Replies: 10
Views: 1730

Re: BGP Announce Problem

Did you check with your upstream? Perhaps he is blocking your announces if they are higher than /23

Sent from my SAMSUNG-SM-G920A via Tapatalk
by shaoranrch
Wed Apr 12, 2017 5:01 pm
Forum: Virtualization
Topic: CHR or CCR1036 12G 4S
Replies: 4
Views: 1161

Re: CHR or CCR1036 12G 4S

May I ask why you'd want to replace pfSense? It's a firewall, not a router, and as such it's a really, really good one. For your routing needs it's actually a lot about the services and traffic you'll move, information that you're not providing. Anyway, the CCR1036 is, after the 1072, the biggest router MikroTi...
by shaoranrch
Mon Apr 10, 2017 1:48 pm
Forum: Forwarding Protocols
Topic: BGP advertisements
Replies: 3
Views: 614

Re: RE: BGP advertisements

Hi all, I have only a simple question: why does Mikrotik BGP advertise a network even though it is not in its routing table? Did they make it on purpose? As per Cisco "The minimum requirement for a prefix configured under the network command to be installed in a BGP table is to have a component rout...
by shaoranrch
Mon Apr 10, 2017 3:23 am
Forum: General
Topic: how to block vpn
Replies: 7
Views: 6001

Re: how to block vpn

There is a free extension in Google Chrome, Betternet free VPN, which made bypassing any kind of content filtering unbelievably easy. I tried all kinds of port blocking, GRE blocking to block this kind of VPN, but no success. Any idea..? TIA Unfortunately there's no easy solution for this nor a ...
by shaoranrch
Sun Apr 09, 2017 8:33 pm
Forum: Forwarding Protocols
Topic: OSPF, MLPS/VPLS, PPPoE
Replies: 2
Views: 663

Re: RE: Re: OSPF, MLPS/VPLS, PPPoE

I would argue completely the opposite for a few reasons: 1) IPv4 address efficiency. PPPoE is the best at this as it hands out a /32 by default 2) PPPoE over VPLS is a validated design that works well and has its origins in the telco DSL world, which is why it's used by ISPs all over the globe - it...
by shaoranrch
Thu Apr 06, 2017 8:59 pm
Forum: General
Topic: Hotspot Mikrotik Page after connected to wifi
Replies: 4
Views: 2465

Re: RE: Re: Hotspot Mikrotik Page after connected to wifi

Thanks for your reply, however, I didn't change anything in the hotspot page, I use this one: https://forum.mikrotik.com/viewtopic.php?t=105985 I think it is the best and looks great! But, on the PC or notebook or cell phones, if you don't click manually after WIFI is connected nothing happens.... ...
by shaoranrch
Thu Apr 06, 2017 8:07 pm
Forum: Forwarding Protocols
Topic: What does /ip route vrf really do?
Replies: 22
Views: 9028

Re: What does /ip route vrf really do?

The discussion remains too much focussed on what a VRF is and how it is supposed to work on a functional level. In the document you quote it says: Technically VRFs are based on policy routing. There is exactly one policy route table for each active VRF. The existing policy routing support in MT Rou...
by shaoranrch
Thu Apr 06, 2017 6:20 pm
Forum: Forwarding Protocols
Topic: [Solved] OSPFv2 neighbor x.x.x.x: state change from Full to Down
Replies: 9
Views: 5760

Re: OSPFv2 neighbor x.x.x.x: state change from Full to Down

Hello! I have 2 routers with OSPF neighboring over a radio link (Ubiquiti). It happens that the link state goes randomly down even if the radio link is always up and running. Both routers have been upgraded to 6.38.5. One is a CCR1009, other is a RB2011. CPU resources are within good margins. OSPF ...
by shaoranrch
Thu Apr 06, 2017 6:11 pm
Forum: Forwarding Protocols
Topic: What does /ip route vrf really do?
Replies: 22
Views: 9028

Re: What does /ip route vrf really do?

Thanks for the further description. But when doing experiments, and also when looking at stated limitations in the documentation, it really looks like the MikroTik VRF function (probably unlike other router software) is really doing "hidden" setup for packet markings and ip route rules to do its wo...
by shaoranrch
Thu Apr 06, 2017 5:18 am
Forum: General
Topic: Hotspot Mikrotik Page after connected to wifi
Replies: 4
Views: 2465

Re: RE: Hotspot Mikrotik Page after connected to wifi

Hello to all, is there any script or some configuration so that after you connect to wifi, the browser on the pc/laptop/cell opens automatically asking for the username and password for surfing the web? I can't find the way. Everything works well, but I must open the web page manually, and it would look great if ...
by shaoranrch
Wed Apr 05, 2017 9:52 pm
Forum: Forwarding Protocols
Topic: What does /ip route vrf really do?
Replies: 22
Views: 9028

Re: What does /ip route vrf really do?

Maybe my question was not very clear... What I mean is not to ask what a VRF is for, or what its principles are. I know that. What I want to ask is what the /ip route vrf command really does in RouterOS. When I enter it, what will the router do? I know how to operate /ip route rule and /ip route wi...
by shaoranrch
Wed Apr 05, 2017 6:50 pm
Forum: Forwarding Protocols
Topic: VRF on VPN
Replies: 4
Views: 854

Re: VRF on VPN

Hello, Like this /ip route vrf add routing-mark=L2TP interfaces=ether1,l2tp-r3 /ip route print where routing-mark=L2TP Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATE...
by shaoranrch
Wed Apr 05, 2017 6:36 pm
Forum: Wireless Networking
Topic: google maps gives me wrong country when using wifi.
Replies: 8
Views: 1058

Re: google maps gives me wrong country when using wifi.

Yes, there are multiple ways to give Google Maps info on location. The funny thing was when I disconnected the AP the phone found the right place. So somehow something was transmitted from the network to make it think Poland instead of Sweden. So I wonder how could this be. The IP for my ISP is sho...
by shaoranrch
Sat Apr 01, 2017 8:21 pm
Forum: Wireless Networking
Topic: google maps gives me wrong country when using wifi.
Replies: 8
Views: 1058

Re: google maps gives me wrong country when using wifi.

Hello, Your "issue" has nothing to do with the RB3011 nor the AP: 1.- The AP setting is for establishing the AP limits in terms of frequency and EIRP as per the country selected 2.- The clock setting is for setting the RB3011 local timezone so it has a proper time configured None of these settings a...
by shaoranrch
Tue Mar 28, 2017 6:09 pm
Forum: Forwarding Protocols
Topic: External BGP with Mikrotik (private ASN) to Juniper (public ASN) - Holdtimer expired
Replies: 1
Views: 647

Re: External BGP with Mikrotik (private ASN) to Juniper (public ASN) - Holdtimer expired

Hello,

Did you check firewall rules (on both devices) ?
Frame errors within the link?
Is router idling when this happens or has a CPU spike?


Sent from my SAMSUNG-SM-G920A via Tapatalk
by shaoranrch
Tue Mar 28, 2017 6:42 am
Forum: General
Topic: SNMP Over Internet
Replies: 14
Views: 2651

Re: SNMP Over Internet

Taking into account you said it works from the LAN side, are you 100% sure the router is receiving the request? Did you do a packet capture? I've worked with ISPs that are really odd and block everything going to well known ports towards their clients, maybe this is your case. Sent from my SAMSU...
by shaoranrch
Mon Mar 27, 2017 10:13 pm
Forum: General
Topic: SNMP Over Internet
Replies: 14
Views: 2651

Re: RE: Re: SNMP Over Internet

Not dual homed.
Do you have multiple IPs on the wan interface?

Are you querying to the main IP of the wan interface if the answer to the previous question is yes?

Sent from my SAMSUNG-SM-G920A via Tapatalk
by shaoranrch
Mon Mar 27, 2017 10:04 pm
Forum: General
Topic: SNMP Over Internet
Replies: 14
Views: 2651

Re: SNMP Over Internet

Are you dual homed? With asymmetric traffic paths?

Sent from my SAMSUNG-SM-G920A via Tapatalk
by shaoranrch
Thu Mar 23, 2017 8:24 pm
Forum: Forwarding Protocols
Topic: OSPF cost on dynamic interfaces
Replies: 6
Views: 2246

Re: OSPF cost on dynamic interfaces

Hi all! Is it possible to assign a different OSPF cost to different types of dynamic tunnels without creating bindings? For example, L2TP cost 10, OpenVPN cost 20, PPTP cost 30. This is actually quite simple to do, it works with PPPoE, PPTP, SSTP, L2TP and OVPN. The key here is to use certain varia...
by shaoranrch
Thu Mar 23, 2017 4:49 pm
Forum: Forwarding Protocols
Topic: Any plans to implement segment routing
Replies: 5
Views: 1505

Re: Any plans to implement segment routing

I'd like to have this feature as well, been reading about it lately. Seems to bring a serious and efficient way to program a network behavior with full interaction of the application layer.

Sent from my SAMSUNG-SM-G920A via Tapatalk
by shaoranrch
Mon Mar 20, 2017 6:33 pm
Forum: Forwarding Protocols
Topic: Complex OSPF deploy with Partitioned backbone (solved)
Replies: 3
Views: 575

Re: OSPF with Partitioned backbone issue (updated)

Hello, post your OSPF export please. For each of the routers.

Sent from my SAMSUNG-SM-G920A via Tapatalk
by shaoranrch
Tue Mar 07, 2017 5:37 am
Forum: Forwarding Protocols
Topic: 2 ISP's 1 Lan BGP and bandwidth bonding.
Replies: 1
Views: 732

Re: 2 ISP's 1 Lan BGP and bandwidth bonding.

I have 2 ISPs; both have enabled full BGP at their end. I have a CCR and my own IP addresses. All I want to do is to bond the bandwidth from both ISPs into my own IP addresses. ISP1 - 183.87.XX.XX/25 - 100Mbps ISP2 - 45.115.xx.xx/28 - 100Mbps My IP pool: 103.73.xx.xx/24 BGP is enabled and my ...
by shaoranrch
Tue Mar 07, 2017 5:26 am
Forum: Forwarding Protocols
Topic: Access Multiple Devices with Same IP Address
Replies: 12
Views: 3660

Re: Access Multiple Devices with Same IP Address

Thanks for the fast answers. It works perfectly, but I need one more thing. When I try to update software or download a report from the device, the connection cannot be established. Is it possible to do this without setting the device gateway? Hello, If you mean initiating the connection from the device itself, you'll n...
by shaoranrch
Sun Mar 05, 2017 7:09 pm
Forum: Forwarding Protocols
Topic: Access Multiple Devices with Same IP Address
Replies: 12
Views: 3660

Re: Access Multiple Devices with Same IP Address

Hi, I want to access several devices connected to Mikrotik at the same time. The problem is device IP address cannot be changed and gateway cannot be set. I think this can be done only with routing. I don't know how to configure it. Please help me. Plan is attached. To connect to these devices is u...
by shaoranrch
Thu Mar 02, 2017 12:37 am
Forum: Forwarding Protocols
Topic: MikroTik Routing Process Clarification
Replies: 1
Views: 405

MikroTik Routing Process Clarification

Hello, A while ago I made a post related to an issue with OSPF and BGP where we saw some peers flapping and then all the OSPF adjacency going down as well (basically, as soon the flapping ended, the OSPF was stable again), you can check it here: https://forum.mikrotik.com/viewtopic.php?f=14&t=118512...
by shaoranrch
Wed Mar 01, 2017 3:33 pm
Forum: Forwarding Protocols
Topic: Full BGP tables with two upstream ISPs using CHR - Performance question
Replies: 11
Views: 4878

Re: Full BGP tables with two upstream ISPs using CHR - Performance question

I just did a test inducing a flap 5 times on a CHR; it basically takes eons to load back the full table, as I commented, but the last time I left the peering disabled. What I'm seeing is the device keeping a number of routes in the FIB as ACTIVE even though there's no BGP session at all, the routes ...
by shaoranrch
Wed Mar 01, 2017 2:49 pm
Forum: Forwarding Protocols
Topic: Full BGP tables with two upstream ISPs using CHR - Performance question
Replies: 11
Views: 4878

Re: Full BGP tables with two upstream ISPs using CHR - Performance question

Yup. Not only is the initial load slow, but convergence is very slow too (full tables IPv4/IPv6 - 600k+ and peering IPv4/IPv6 - 150k+)... If MT doesn't make improvements to BGP soon, I'll be looking to replace my large BGP tables with other devices. From where the BGP process receives the route, unti...
by shaoranrch
Wed Mar 01, 2017 1:12 am
Forum: Forwarding Protocols
Topic: Full BGP tables with two upstream ISPs using CHR - Performance question
Replies: 11
Views: 4878

Re: Full BGP tables with two upstream ISPs using CHR - Performance question

I haven't implemented it in production yet. I've got one however taking feeds from one CCR as a dummy test. Seems to be reliable so far, takes around 1 minute to load a full table (over 600k routes). However I've noticed rather weird things (it's BFO 6.37.4). For instance sometimes after it loads th...
by shaoranrch
Sat Feb 25, 2017 2:17 pm
Forum: Forwarding Protocols
Topic: CISCO route-map equivalent
Replies: 9
Views: 2841

Re: CISCO route-map equivalent

You could do something like this:

/ip route add gateway=172.16.4.2 routing-mark=list1
/ip route add gateway=172.16.4.3 routing-mark=list2
/ip firewall mangle add chain=prerouting src-address=172.16.6.0/24 in-interface=serial0 action=mark-routing new-routing-mark=list1
/ip firewall mangle add chain=p...
by shaoranrch
Wed Feb 22, 2017 3:59 am
Forum: Forwarding Protocols
Topic: CISCO route-map equivalent
Replies: 9
Views: 2841

Re: RE: CISCO route-map equivalent

Hi, In Cisco routers there is a command that is called route-map. A command where you provide an access-list of allowed subnets that is pointed to the next-hop router. Anything that doesn't match the access-list will be discarded. This setup is targeted at a huge number of VLANs. Each VLAN interface...
by shaoranrch
Wed Feb 22, 2017 12:39 am
Forum: Forwarding Protocols
Topic: OSPF dropping default route
Replies: 3
Views: 693

Re: OSPF dropping default route

Hello, I haven't seen such behavior ever. As asked above, what are the settings on your default route via OSPF? What version of RouterOS? Could you share your configuration? What devices are you using? This is a serious issue since it'd mean we can't trust 100% on OSPF default routes redistribution ...
by shaoranrch
Sun Feb 19, 2017 7:14 pm
Forum: Forwarding Protocols
Topic: Serious issue with BGP and OSPF
Replies: 4
Views: 854

Re: RE: Re: Serious issue with BGP and OSPF

It's possible, though not likely. But in general, the more you can distribute workloads, the more stable your network will be. Don't rule out the possibility of an attack on your customers either - there are many odd behaviors that can happen when a customer experiences a DDoS or other kind of mali...
by shaoranrch
Sun Feb 19, 2017 5:27 pm
Forum: Forwarding Protocols
Topic: Serious issue with BGP and OSPF
Replies: 4
Views: 854

Re: Serious issue with BGP and OSPF

Hi, thanks for the reply. Actually this is not the device connecting with our carriers, it just receives the routes from our edge devices and also replicates them to customers. There is a point though. I understand how BGP cripples a single CCR core. But I don't understand why having other available c...
by shaoranrch
Sun Feb 19, 2017 3:39 pm
Forum: Forwarding Protocols
Topic: Serious issue with BGP and OSPF
Replies: 4
Views: 854

Serious issue with BGP and OSPF

Hello, Lately we had a major problem with one of our core routers. This device is basically receiving a full feed and sending it to 2 other customers, plus a default and partial internal routes (around 12 prefixes only) to 4 others. These customers are only sending us 3-6 prefixes each. Each customer...
by shaoranrch
Sat Feb 11, 2017 5:39 pm
Forum: Forwarding Protocols
Topic: BGP Route sending order
Replies: 0
Views: 352

BGP Route sending order

Hello, I have a very specific question about the order in which BGP sends routes. Say, for example, I have full feeds and also a default route from my carriers. It takes time to load the full tables, and in the meanwhile I need the network to be operational; my routers are having iBGP sessions with other routers...
by shaoranrch
Wed Feb 01, 2017 4:21 pm
Forum: General
Topic: Address Lists limits
Replies: 0
Views: 524

Address Lists limits

Hello, I'm facing the following challenge. Currently we have a router installed in a place where the internet connection is basically sold with 2 "quotas": there's basically a Local Traffic Quota (within the same country) and an International Traffic Quota (everything else). The restrictions are quit...
by shaoranrch
Wed Sep 07, 2016 10:55 pm
Forum: General
Topic: Timed Firewall rules issues
Replies: 0
Views: 246

Timed Firewall rules issues

Hi, I've got the following set of rules:

/ip firewall filter
add action=drop chain=forward dst-port=53 layer7-protocol=facebook protocol=udp \
    src-address-list=!non_restricted time=8h-11h59m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward dst-port=53 layer7-protocol=facebook protocol=udp \...
by shaoranrch
Sun Aug 28, 2016 7:39 pm
Forum: Forwarding Protocols
Topic: Problem with MPLS TE VPLS
Replies: 13
Views: 2207

Re: RE: Re: Problem with MPLS TE VPLS

Your problems might be caused by the way you are advertising your networks via OSPF? /routing ospf network add area=area10 network=10.64.5.32/27 It looks like you are trying to advertise multiple subnets with a summary. What if you advertise things separately instead? Just to clarify, this statemen...
by shaoranrch
Mon Aug 22, 2016 7:48 pm
Forum: Forwarding Protocols
Topic: RSTP loops
Replies: 5
Views: 1605

Re: RE: Re: RSTP loops

Hi, thank you for your answer! I have already modified the path costs. I tried to change the root bridge to B or C but I always got a loop when I put more than 1 backup link. regards, Gabor Double check RSTP is active in the bridge. This shouldn't be happening if it is Sent from my MotoE2(4G-LTE)...
by shaoranrch
Sun Aug 21, 2016 11:02 pm
Forum: Forwarding Protocols
Topic: MPLS/VPLS and HTB / EXP bits
Replies: 7
Views: 1702

Re: RE: Re: MPLS/VPLS and HTB / EXP bits

Yes, I have confirmed that it works. This provides a method for QoS with MPLS/VPLS, and allows marking of MPLS frames for use in queue trees. The last post was slightly incorrect. It is actually quite simple: - Both VPLS tunnel endpoints should be connected to bridges - A bridge filter should be se...
by shaoranrch
Sun Aug 21, 2016 8:23 pm
Forum: Forwarding Protocols
Topic: RSTP loops
Replies: 5
Views: 1605

Re: RSTP loops

Hello, this should work (assuming all interfaces have the same cost): 1.- Make C the root bridge (reduce its bridge priority). 2.- Increase the cost of the D interface going to C and the D interface going to B to something higher than the sum of the D to A, A to B and B to C interfaces. Sent from my MotoE2(4...
by shaoranrch
Fri Aug 19, 2016 4:57 am
Forum: General
Topic: Weird IPSec behavior
Replies: 0
Views: 254

Weird IPSec behavior

Hello! Currently I've got a weird issue with IPSec, here's the scenario: IPSec tunnel between 3 sites, ESP. Everything works as intended except that the tunnel with one of the sites looks "repeated" and I get flooded with the following messages in the log: phase1 negotiation failed due to time up sit...
by shaoranrch
Fri Aug 05, 2016 5:38 am
Forum: Forwarding Protocols
Topic: BGP Looking glass help
Replies: 4
Views: 840

Re: BGP Looking glass help

Thank you very much for your time. Really nice answer :)

Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Fri Aug 05, 2016 12:04 am
Forum: Forwarding Protocols
Topic: BGP Looking glass help
Replies: 4
Views: 840

Re: RE: Re: BGP Looking glass help

I suspect that Telia is using a new feature in some BGP implementations where more than just the best route is sent to a neighbor, hence the multiple next-hop addresses per peer... but that's just a wild guess on my part. Hi, Thanks for the answer. What about my second question, any insights about ...
by shaoranrch
Thu Aug 04, 2016 2:50 am
Forum: Forwarding Protocols
Topic: BGP Looking glass help
Replies: 4
Views: 840

BGP Looking glass help

Hello, I'm trying to fix some issues with a BGP session on our MK routers; well, rather than issues, it's behaviour tweaking. Nevertheless my issue is the following, please see the attached picture: https://s32.postimg.org/6h9feeb6d/2016_08_03_1.png This is from a Looking Glass server (Telia Sonera Ca...
by shaoranrch
Thu Jul 21, 2016 5:45 pm
Forum: Forwarding Protocols
Topic: MPLS BGP VPNv4 with OSPF as PE-CPE
Replies: 18
Views: 3246

Re: MPLS BGP VPNv4 with OSPF as PE-CPE

[admin@CPE1-1] > tool trace 192.168.20.1
 # ADDRESS     LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
 1 10.12.0.2   0%   2    3ms  2.1 1.2  3     0.9
 2 ...
by shaoranrch
Thu Jul 21, 2016 5:28 pm
Forum: Forwarding Protocols
Topic: Mikrotik CCR 1036 802.3ad Bond with Cisco3750G over etherchannel LACP
Replies: 8
Views: 2802

Re: Mikrotik CCR 1036 802.3ad Bond with Cisco3750G over etherchannel LACP

Dear All, With reference to the subject, I want assistance in understanding the cause of improper aggregation over an L3 etherchannel between a CCR-1036 and a Cisco 3750G. I have configured a standard port channel on the Cisco switch and followed steps from the internet to create a bond on the CCR. Unfo...
by shaoranrch
Mon Jun 27, 2016 1:19 am
Forum: Forwarding Protocols
Topic: DDOS BGP protection [automate communitys?]
Replies: 13
Views: 4822

Re: DDOS BGP protection [automate communitys?]

There's also this presentation on the subject http://mum.mikrotik.com/presentations/E ... 752556.pdf
Excellent information, thanks for sharing.
by shaoranrch
Sun Jun 26, 2016 1:41 am
Forum: General
Topic: Layer 7 packet marking between multiple devices
Replies: 3
Views: 702

Re: Layer 7 packet marking between multiple devices

You could also set the DSCP marking on a per packet basis from the APs then the main router would be able to interpret this since these markings are part of the IP header and so they can travel the whole network with routers being aware of them.

Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Sat Jun 25, 2016 3:29 am
Forum: Forwarding Protocols
Topic: DDOS BGP protection [automate communitys?]
Replies: 13
Views: 4822

Re: DDOS BGP protection [automate communitys?]

Hi all, We have been getting a few DDOS attacks of late. Luckily both our upstream providers support 'black hole' BGP groups, so we can advertise a BGP community for a /32 IP address and it goes down the black hole. Unfortunately this is a manual process, so we first need to detect an attack, locat...
by shaoranrch
Sat Jun 25, 2016 12:40 am
Forum: Forwarding Protocols
Topic: Blocking HTTPS and hosts/subdomains.
Replies: 18
Views: 2671

Re: Blocking HTTPS and hosts/subdomains.

As mentioned before, if you control the computers your users use to access the Internet you can pretty much use self-signed certificates; it would be basically a man-in-the-middle attack, be aware of this. I am quite sure that in some places this is illegal as you're pretty much intercepting and dec...
by shaoranrch
Fri Jun 24, 2016 10:18 pm
Forum: Forwarding Protocols
Topic: Blocking HTTPS and hosts/subdomains.
Replies: 18
Views: 2671

Re: Blocking HTTPS and hosts/subdomains.

As mentioned before, if you control the computers your users use to access the Internet you can pretty much use self-signed certificates; it would be basically a man-in-the-middle attack, be aware of this. I am quite sure that in some places this is illegal as you're pretty much intercepting and decr...
by shaoranrch
Thu Jun 23, 2016 11:49 pm
Forum: Forwarding Protocols
Topic: Updated Database description packet has different master status flag OSPF issue
Replies: 20
Views: 4899

Re: Updated Database description packet has different master status flag OSPF issue

First off, thanks everyone for sharing your insights. I'll answer some of your questions, but the issue seems to have been solved (the adjacency's been up the past 3 days). It was, as I suspected, an issue with the transit network; the provider didn't exactly tell me what they did, but they called me tell...
by shaoranrch
Sun Jun 19, 2016 3:25 pm
Forum: Forwarding Protocols
Topic: Updated Database description packet has different master status flag OSPF issue
Replies: 20
Views: 4899

Re: Updated Database description packet has different master status flag OSPF issue

Check the MTU on both ends of the link - all the parameters must match exactly or an adjacency won't form. You could try debug logging for OSPF to see why it's getting mad. It would keep the adjacency on ex-start but on this case it forms (goes to full) and flaps randomly after x amount of time. Ma...
by shaoranrch
Sun Jun 19, 2016 1:38 am
Forum: Forwarding Protocols
Topic: Updated Database description packet has different master status flag OSPF issue
Replies: 20
Views: 4899

Re: Updated Database description packet has different master status flag OSPF issue

One of the routers is an RB951, the other one is a CRS, can't remember the model atm. No firewall rules whatsoever are being used, OSPF configuration is fine, this is a small network with less than 8 routers, all of them working fine. Just this pair link isn't working. Both devices are using the latest ...
by shaoranrch
Thu Jun 02, 2016 11:06 pm
Forum: Forwarding Protocols
Topic: Updated Database description packet has different master status flag OSPF issue
Replies: 20
Views: 4899

Re: Updated Database description packet has different master status flag OSPF issue

Having the exact same issue here. Tried 6.34.2 and 6.35.2 using both NBMA and Broadcast network types; still the issue prevails. In this particular case the issue is between 2 routers connected using an L2VPN via a transport provider. Going to try adding authentication to the link as well to see if...
by shaoranrch
Fri Apr 29, 2016 9:59 pm
Forum: General
Topic: Social Login on Hotspot Mikrotik
Replies: 6
Views: 3528

Re: Social Login on Hotspot Mikrotik

The Like option is not required, but I use the "Like" only as advertising.

Thanks for your reply
Hi,

My company has a product like this that also works with Twitter. Send me a PM if you want more information.

Regards

Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Sun Apr 24, 2016 11:54 pm
Forum: General
Topic: Poor (ridiculously) performance on two CCR1072
Replies: 54
Views: 6794

Re: Poor (ridiculously) performance on two CCR1072

No errors in any interface. The issue is related with a single TCP connection.

Regards
What about the other questions I asked?

Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Sun Apr 24, 2016 11:12 pm
Forum: General
Topic: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)
Replies: 21
Views: 15460

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Hello, You can't really filter requests based on L7 due to most of them being HTTPS. You can't use OpenDNS either because you need to register your public IP to your account in order for it to work, and since 3G/4G providers use CGNAT this won't really work at all as it should. You either use regexp...
by shaoranrch
Sat Apr 23, 2016 6:09 pm
Forum: General
Topic: RB2011 VLAN Tagged and Untagged, 2 Access Ports and 1 Trunk on the Same Router.
Replies: 8
Views: 9782

Re: RB2011 VLAN Tagged and Untagged, 2 Access Ports and 1 Trunk on the Same Router.

Good to know it's working now, regarding this: ============================================================================== Cisco switch Configuration // Not really familiar with IOS so if anyone can assist translating the below to IOS code be my guest. Add a cable from the Mikrotik RB1 Ether5 to ...
by shaoranrch
Sat Apr 23, 2016 5:54 am
Forum: Forwarding Protocols
Topic: BGP + VRRP?
Replies: 6
Views: 3114

Is each CCR connected to a different upstream? One way to do this is to establish dual sessions to your upstreams, as in: CCR A peers with ISP 1 and 2, CCR B peers with ISP 1 and 2 as well. This would avoid prefixes being withdrawn from an upstream in case of failure of one of the routers. You coul...
by shaoranrch
Fri Apr 22, 2016 9:26 pm
Forum: General
Topic: RB2011 VLAN Tagged and Untagged, 2 Access Ports and 1 Trunk on the Same Router.
Replies: 8
Views: 9782

Check the logs on the switch to see what's happening. There shouldn't be any problem with this configuration since it's straightforward. By looking at the logs it'll be easier to check what's happening to it. VTP is only for sending VLAN-related information between Cisco switches so it shouldn't inte...
by shaoranrch
Fri Apr 22, 2016 9:10 pm
Forum: General
Topic: Poor (ridiculously) performance on two CCR1072
Replies: 54
Views: 6794

Re: Poor (ridiculously) performance on two CCR1072

Up please! This is a nightmare. Regards Did you check RX and TX stats on both links? Inside the interface, where errors are counted, look for errors and CRC problems; these would point to a faulty line or a faulty SFP. Did you try a test with the router having no configuration whatsoever? Did you try with ...
by shaoranrch
Thu Apr 14, 2016 4:54 pm
Forum: Forwarding Protocols
Topic: Extended Communities questions
Replies: 2
Views: 776

Re: Extended Communities questions

Currently in ROSv6 you cannot match, add, set or edit extended communities with routing filters. This feature will be added in ROS v7. You mean you can't do that on extended communities other than the route-target type ones, right? Because route targets are extended communities (one of the types) a...
by shaoranrch
Thu Apr 14, 2016 2:41 am
Forum: Forwarding Protocols
Topic: Extended Communities questions
Replies: 2
Views: 776

Extended Communities questions

Hello again! I've got some questions related to tagging routes with ext-communities. Is there any way to: 1.- Edit the Type High and Type Low (Type and Sub-type) of the community? I don't really need it right now, just asking, since it seems to be possible on Cisco, Juniper, etc. 2.- Is there a way to...
by shaoranrch
Thu Mar 24, 2016 3:29 pm
Forum: General
Topic: Bridge filter and CHR
Replies: 7
Views: 926

Re: Bridge filter and CHR

To anyone interested, as per response of mikrotik support. This is a known bug that's being investigated to get fixed.
by shaoranrch
Tue Mar 22, 2016 1:21 pm
Forum: General
Topic: Two exchange servers
Replies: 6
Views: 969

You could use Netwatch to ping either server and enable/disable rules as needed. Although it's automatic, the fact that you can ping doesn't mean that the service is up, but it could work for you if your failures are usually from server shutdowns or hardware issues that take it out of the network. Enviad...
by shaoranrch
Mon Mar 21, 2016 3:28 pm
Forum: General
Topic: site to multisite with redundant
Replies: 4
Views: 942

Hi

Well, as far as I know there's nothing on Mikrotik that's like Cisco DMVPN. You'll need to use hub and spoke or partial mesh topologies to avoid having hundreds of VPN tunnels. As for the protocol I'd go with GRE over IPsec.

Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Mon Mar 21, 2016 6:38 am
Forum: Forwarding Protocols
Topic: OSPFv3 stuck EXSTART between cisco and ccr
Replies: 14
Views: 2533

Cisco devices usually get stuck on ExStart when there's an MTU mismatch between the neighbors (as in, their interface MTU is not the same). I know you said you checked it, but it could help to make sure that the MTU is the same on the 3560 interface going to the CCR and vice versa. Sent from m...
by shaoranrch
Sun Mar 20, 2016 7:06 pm
Forum: General
Topic: Bridge filter and CHR
Replies: 7
Views: 926

Thought so. I was trying to validate some designs but this issue came in. Would be nice to have answers from Mikrotik staff since this feature, which is a major one, seems to be broken on CHR.

Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Sun Mar 20, 2016 3:47 pm
Forum: General
Topic: Bridge filter and CHR
Replies: 7
Views: 926

Re: Bridge filter and CHR

Check the Bridge [Settings] button, is "Use IP firewall" ticked? Hi, it's not. It isn't on real equipment either. This option, as far as I know, is only to force bridged traffic to also be processed by IP rules on /ip firewall; regular bridge rules don't need this option turned on, unless you've got ...
by shaoranrch
Sat Mar 19, 2016 3:38 pm
Forum: General
Topic: Bridge filter and CHR
Replies: 7
Views: 926

Just to clarify, the traffic is coming into the CHR properly tagged as seen via packet captures. Anyone got information related to this matter?

Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Sat Mar 19, 2016 2:50 am
Forum: General
Topic: Bridge filter and CHR
Replies: 7
Views: 926

Bridge filter and CHR

Hello, One question, does bridge filter work on CHR? If so, how do I activate it? I tried setting simple rules, yet they never get matched; I tried the same simple rules on real equipment and they work as intended. For instance this rule: /interface bridge filter add in-interface=ether10 mac-protocol=...
by shaoranrch
Tue Mar 15, 2016 12:09 am
Forum: General
Topic: hAP Lite issues
Replies: 2
Views: 561

hAP Lite issues

Hello, I wanted to ask everyone here what their experience is with this particular model, the "vertical" one. So far I've encountered some issues with it: 1.- Some web pages are randomly blocked, we really don't know why, even on devices factory reset with no default-configuration. 2.- On some othe...
by shaoranrch
Tue Mar 08, 2016 5:45 pm
Forum: General
Topic: VRRP over VLAN over BRIDGE
Replies: 2
Views: 1570

Re: VRRP over VLAN over BRIDGE

Just curious why you're using a bridge at the routers. It's very CPU intensive since you're actively forcing traffic to use the bridges to get from one switch to the other. You could run a link between the two switches so that anything in the same layer 2 domain wouldn't have to cross a software br...
by shaoranrch
Tue Mar 08, 2016 1:46 am
Forum: General
Topic: VRRP over VLAN over BRIDGE
Replies: 2
Views: 1570

VRRP over VLAN over BRIDGE

Hello, Currently I'm trying to implement the following topology: http://s17.postimg.org/sejr7yubz/resumido.jpg Currently I'm creating VLANs over a bridge on each router, and on top of each VLAN I'm creating VRRP interfaces. So far so good, except for some erratic behavior: 1.- Sometimes (not always,...
by shaoranrch
Fri Feb 26, 2016 7:26 pm
Forum: Forwarding Protocols
Topic: Total BGP Community noob
Replies: 18
Views: 4392

Re: Total BGP Community noob

Hi, A question about this, when you set the "default-chain" attribute, is this chain used even if you set a different chain (a custom one) per peer? It's my understanding that this chain is only used whenever there's no other chain explicitly set for the peer. It uses both - at least according to m...
by shaoranrch
Fri Feb 26, 2016 7:01 pm
Forum: Forwarding Protocols
Topic: Total BGP Community noob
Replies: 18
Views: 4392

Re: Total BGP Community noob

Don't ever redistribute connected routes with BGP... Use synchronize: /ip route add dst-address=192.0.2.0/24 bgp-communities=123:456 type=blackhole /routing bgp network add network=192.0.2.0/24 synchronize=yes Definitely don't use redistribute. However, if the actual interface has the same address/ma...
by shaoranrch
Tue Feb 23, 2016 4:12 am
Forum: Forwarding Protocols
Topic: OSPF route filtering
Replies: 4
Views: 1783

Re: OSPF route filtering

Unfortunately, your design doesn't work because OSPF behaves a lot differently than BGP - it doesn't make a list of routes and then send them to its neighbors. OSPF builds a map of your network and a list of which networks are connected to which routers, and then plots the lowest-cost route to each...
by shaoranrch
Sat Feb 20, 2016 4:02 am
Forum: Beginner Basics
Topic: 3 WAN - 3 same DHCP on routerboard 1100AH
Replies: 4
Views: 567

Well, if I get correctly what you're trying to do, the easiest, cleanest way is to use VRF. Map one VRF for each LAN/WAN pair. This way none can communicate with each other and you'll get the behavior you want (as in, blue uses the blue Internet connection). Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Wed Feb 17, 2016 1:58 am
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 186782

Re: Cloud Hosted Router

Also, still got issues with BGP and CHR, routes being advertised by other routers don't appear in the:

/routing bgp advertisements print

But the routes are installed inside the routing table.

V6.34.1
by shaoranrch
Tue Feb 16, 2016 2:31 am
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 186782

Re: Cloud Hosted Router

So I did try the rule on real equipment and it works as intended. I think this is a bug of some sort or a non-supported feature on CHR (which would be nice to have).
by shaoranrch
Mon Feb 15, 2016 6:29 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 186782

It shouldn't do that. That option is for using the /ip firewall. Anyway I tried, still no success. I did upgrade to 6.34.1, same issue. The interface is inside the bridge; I'm talking about the physical interface, not a VLAN interface. The frames are being received tagged. The rule is a simple in-inter...
by shaoranrch
Mon Feb 15, 2016 4:35 am
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 186782

Re: Cloud Hosted Router

What virt environment? Some don't support vlans... This is running on GNS3 I can see the tags by using Wireshark, so the issue is not a lack of support. As a matter of fact I've tested the VLANS a lot with virtual switches connected to the mk boxes and mikrotik connected to another mikrotik. The is...
by shaoranrch
Mon Feb 15, 2016 2:31 am
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 186782

Re: Cloud Hosted Router

Hi, Could anyone tell me if Bridge Filter works on CHR? I've been working on some simulations and need to filter traffic coming from a specific port with a specific VLAN tag, but the problem is, the rules never "trigger". It's a simple rule matching: 1.- In-Interface (the interface belongs to a bridge)...
by shaoranrch
Sat Feb 13, 2016 1:40 am
Forum: General
Topic: Zone based firewalling for Mikrotik
Replies: 11
Views: 2409

Zone based firewalling for Mikrotik

So, I'm releasing this for people to use and contribute to. It's my approach to zone based firewalling (or ZBF). I've got this on a few routers in production (RB1100, hAP-Lite and CCR1009). For anyone that doesn't know, ZBF is a methodology to filter traffic based on the trustworthiness of an inte...
by shaoranrch
Mon Feb 08, 2016 4:37 pm
Forum: General
Topic: Hotspot Feature: Social Networks
Replies: 20
Views: 12426

There are several solutions for that already... And Mikrotik does offer the tools to craft these (as do the social media providers). I do support 3 companies which offer solutions like that; my own company has something that allows social integration at different levels too, and works with ...
by shaoranrch
Sun Jan 17, 2016 10:22 pm
Forum: General
Topic: VLAN as Trunk .. Possible??
Replies: 3
Views: 547

As zerobyte stated, your concern here is the L2MTU your provider allows. There are several ways to do this: 1.- zerobyte's solution of double tagging; to a certain extent this really depends on the service provider network, on how they manage their traffic internally. I would try this first. 2. EoIP a...
by shaoranrch
Wed Jan 06, 2016 4:34 am
Forum: General
Topic: DHCP and bridge issues Mikrotik and Ubiquiti AP
Replies: 3
Views: 4263

DHCP and bridge issues Mikrotik and Ubiquiti AP

Hello, Recently I've been getting problems with a setup that, due to it being a pretty common setup and the nature of the failure, I'd like to share to see if anyone else has had this issue and solved it. Here's the scenario: Router: Mikrotik hAP Lite, firmware first tested with 6.31 then 6.33.3 AP: Ubiquit...
by shaoranrch
Sun Dec 06, 2015 6:02 pm
Forum: Beginner Basics
Topic: How to setup VLANS for STP...?
Replies: 3
Views: 618

Re: How to setup VLANS for STP...?

Maybe, I think it supports STP, is that right? Reply to me. STP and RSTP (in the form of CST, so 1 topology for all the VLANs) are supported on ROS; you need to change the priority of the bridge in order for you to achieve what you're looking for. STP Primary and STP secondary are just macros that ba...
by shaoranrch
Sun Dec 06, 2015 5:32 pm
Forum: Beginner Basics
Topic: How to setup VLANS for STP...?
Replies: 3
Views: 618

Re: How to setup VLANS for STP...?

Short answer: you can't. What you're asking for is a Cisco proprietary function called Per VLAN Spanning Tree plus (PV-STP+); the open standard version is called MST, none of which are supported by Mikrotik RouterOS currently. Even more, if you try to use it on Mikrotik devices you'll notice it will not ...
by shaoranrch
Fri Oct 23, 2015 4:56 pm
Forum: Forwarding Protocols
Topic: RIP route consolidation
Replies: 7
Views: 1690

Re: Re:

Router 1 Routes 10.1.1.0/24 10.1.2.0/24 10.1.3.0/24 Can be summarized to 10.1.0.0/16 (...) This statement is wrong. You need to take into account all routes: e.g. 10.1.1.0/24 via a, 10.1.2.0/24 via a, 10.1.3.0/24 via a, 0.0.0.0/0 via b. Now if you summarize as you said: 10.1.0.0/16 via a, then 10.1.4.0/24...
by shaoranrch
Tue Oct 20, 2015 1:48 pm
Forum: General
Topic: Queueing for QOS
Replies: 4
Views: 1318

Use the priority field on queue trees. Create a queue that will be the parent for the tree; this queue will have the bandwidth limitation, in your case say 100 Mbps. This queue must have its parent set either to the outgoing interface or to global HTB. Then create your 3 additional queues, setting thei...
by shaoranrch
Sun Oct 11, 2015 6:25 pm
Forum: General
Topic: Use external DNS server with hotspot
Replies: 3
Views: 825

Try this

(assuming 8.8.8.8 is your DNS server and hs_server is the name of your hotspot server)

/ip hotspot walled-garden ip add server=hs_server dst-ip=8.8.8.8 protocol=17

Do this for every DNS server.

Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Sun Oct 11, 2015 4:06 pm
Forum: Forwarding Protocols
Topic: RIP route consolidation
Replies: 7
Views: 1690

I think you can achieve this using prefix lists and placing said lists on the interface facing the WAN of each router. I haven't tried this, but I would try the following: Router 1 Routes 10.1.1.0/24 10.1.2.0/24 10.1.3.0/24 Can be summarized to 10.1.0.0/16 I'd create the following prefix list: /routi...
by shaoranrch
Fri Oct 09, 2015 3:16 pm
Forum: General
Topic: [Solved] OpenVPN Client (Mikrotik RouterOS) connecting to OpenVPN server (Debian/Linux)
Replies: 2
Views: 5913

You're trying to do full tunneling to access the Internet. The issue is with your routing table on MK. The default gateway points to your modem, and you can't change that because then it won't be able to reach the Internet. Put a new default route pointing to your OVPN server address (the internal on...
by shaoranrch
Fri Oct 09, 2015 3:36 am
Forum: Forwarding Protocols
Topic: RSTP question with 3 paths
Replies: 2
Views: 905

This is exactly the behavior of spanning tree. On a redundant network it will disable paths in order to avoid loops, so you'll see that sometimes traffic flows in a way that's counter-intuitive. What you're trying to achieve involves making A the root bridge. Lower the bridge priority on A and it sh...
by shaoranrch
Thu Oct 08, 2015 8:18 pm
Forum: General
Topic: Bonding 2 microwave links
Replies: 4
Views: 729

Hello, I don't know how you've configured this, but you need to create the bonding first and then create the VLANs on the newly created bonding interface.

Sent from my MotoE2(4G-LTE) via Tapatalk
by shaoranrch
Thu Oct 08, 2015 2:22 am
Forum: Forwarding Protocols
Topic: BGIP Routing in CCR1009, ISP given WAN, my /24 needs to work
Replies: 11
Views: 1142

Re: BGIP Routing in CCR1009, ISP given WAN, my /24 needs to work

Hello,

You're not giving enough information about this in order to help you.

You say you're sending prefixes to your ISP. Is your ISP sending prefixes to you or a default route?

Try to give more details.
by shaoranrch
Thu Oct 01, 2015 10:39 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 583
Views: 186782

Re: Cloud Hosted Router

Hello, I've encountered the following issues with CHR: 1.- On BGP advertisements print, it won't show iBGP advertised prefixes, even though the route is installed in the routing table. 2.- BGP also sometimes mixes the names of peers in the advertisements section; for instance, a router with 2 eBGP ses...
by shaoranrch
Wed Sep 30, 2015 11:56 pm
Forum: Forwarding Protocols
Topic: BGP advertisements print
Replies: 3
Views: 796

BGP advertisements print

Hello, I've got a situation where I established an iBGP session between my internal routers, and eBGP sessions with some providers. It is working as intended; the thing is, when I issue the command /routing bgp advertisements print the following happens: On routers with eBGP sessions I can see the ...
by shaoranrch
Mon Sep 28, 2015 2:18 am
Forum: Forwarding Protocols
Topic: BGP + OSPF (RR instead of "full mesh").
Replies: 3
Views: 1398

Re: BGP + OSPF (RR instead of "full mesh").

Hello, one question: why are you establishing iBGP peering sessions with each one of your routers? Unless you use a Route Reflector, which I don't see you're using, you'll need a full mesh, and that's a pain to configure even for just a few routers. What I'd do is: 1.- Establish an iBGP session bet...
by shaoranrch
Mon Sep 21, 2015 2:06 am
Forum: Beginner Basics
Topic: Packet Of Disconnect
Replies: 2
Views: 513

Re: Packet Of Disconnect

Is a tunnel to/from the RADIUS server/network not possible...?

+1 to this, it is the easiest solution and will save you a lot of headaches.

I've been working on deployments like this lately: with the RADIUS server hosted at an IaaS provider, we create tunnels between the VM and the hotspot server.
by shaoranrch
Sun Sep 20, 2015 10:53 pm
Forum: Forwarding Protocols
Topic: OSPF Filter
Replies: 3
Views: 1016

Re: OSPF Filter

Hi,

What you're trying to achieve can be done within the OSPF "area range" section:
/routing ospf area range
not from filters.
by shaoranrch
Tue Aug 25, 2015 6:56 pm
Forum: Forwarding Protocols
Topic: How do I forward BGP routes to another mikrotik?
Replies: 6
Views: 1011

Re: How do I forward BGP routes to another mikrotik?

shaoranrch, thanks for your solution, but I did it another way :) I've set Route Targets with filters on routes received from PEER 3 and matched these targets with filters for the hosts B & C. The diagram was a really simple example. I've got an extensive BGP configuration with 3 instances and 12 BGP peers...
by shaoranrch
Mon Aug 24, 2015 10:56 pm
Forum: Forwarding Protocols
Topic: How do I forward BGP routes to another mikrotik?
Replies: 6
Views: 1011

Re: How do I forward BGP routes to another mikrotik?

Why don't you use regular expressions, something like: ^AS_ where AS is the AS number of the peer you're receiving the routes from (and want to advertise). Something like this should work: Only send routes to HOST A/B that are learnt from PEER 1 (assuming PEER 1's AS is 65001): /routing filter add action=...
by shaoranrch
Fri Aug 21, 2015 5:42 pm
Forum: Forwarding Protocols
Topic: Symmetric BGP Routing
Replies: 4
Views: 1103

Re: Symmetric BGP Routing

If I get it correctly, what you want to do can be achieved by changing the LOCAL_PREF of the routes received, but since you're just accepting default routes, all you can do is failover (how can you discern which routes you want to prioritize on a certain provider when all are 0.0.0.0/0?). Set BGP filte...
by shaoranrch
Thu Aug 13, 2015 8:58 pm
Forum: General
Topic: Time to Learn IPv6
Replies: 1
Views: 416

Re: Time to Learn IPv6

You should take a class. The problem with IPv6 isn't subnetting, configuring interfaces, nor providing addresses to end hosts (as a matter of fact it's easier here than on IPv4), but rather how you are going to interact with legacy IPv4 networks. Just some insights: 1.- All IPv6 subnetworks, as per RFC...
by shaoranrch
Thu Aug 13, 2015 2:58 am
Forum: General
Topic: dst-limit help
Replies: 1
Views: 564

Re: dst-limit help

Anyone?
by shaoranrch
Tue Aug 11, 2015 5:15 am
Forum: General
Topic: dst-limit help
Replies: 1
Views: 564

dst-limit help

Hello, currently I'm facing an issue with the following rule: /ip firewall filter add action=return dst-limit=10,5,src-and-dst-address chain=forward protocol=icmp icmp-options=8:0 It's my understanding that dst-limit works like this: the first parameter is the number of packets; since I've not specified the ...
by shaoranrch
Tue Aug 04, 2015 4:55 pm
Forum: General
Topic: RSTP, multiple Vlans with cisco switches
Replies: 6
Views: 2541

Re: RSTP, multiple Vlans with cisco switches

As far as I know, Mikrotik devices are only compatible with CST, which is the IEEE standard for spanning tree over VLANs; this means 1 single instance of spanning tree for all the VLANs available when trunks are in use. The STP (RSTP) information when CST is being used is sent over the native VLAN, whi...
by shaoranrch
Mon Aug 03, 2015 5:30 pm
Forum: General
Topic: Static route and gateway on different subnet not working
Replies: 6
Views: 2511

Re: Static route and gateway on different subnet not working

I think the way you're trying to do it doesn't work for the following reasons: you're configuring a route that points to an interface instead of a next-hop IP address. On PtP based networks (for instance PPP or PPPoE) this doesn't matter, since the connection will always have 1 single possible L2 des...
by shaoranrch
Mon Aug 03, 2015 4:46 pm
Forum: General
Topic: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x
Replies: 15
Views: 3222

Re: Mikrotik to ASA IPSEC VPN Working until 6.29.1, not working on 6.30.x

Hello, I've got exactly the same issue, although I specify all the proper addresses (not 0.0.0.0) and the tunnel is between a Cisco UC520 and a CRS1036-12G-4S. The tunnel comes UP but no data whatsoever is being sent; if I kill both the ISAKMP and IPSEC associations a few times it starts working for the...
by shaoranrch
Sat Jul 25, 2015 3:38 am
Forum: Wireless Networking
Topic: RB922 2.4 GHz dual chain problem.
Replies: 0
Views: 518

RB922 2.4 GHz dual chain problem.

Hello, currently I'm facing a problem with an RB922. Here's the situation: this device's got a PCI card for 2.4 GHz connectivity; the card is connected to a 10 dBi dual-polarization omni antenna (Ubiquiti AMO-2G10). This card is configured as STATION; as of right now, its job is to allow a computer ...
by shaoranrch
Tue Jul 14, 2015 7:13 pm
Forum: General
Topic: ipsec cisco-mikrotik - SPI's fail after inactivity
Replies: 4
Views: 1663

Re: ipsec cisco-mikrotik - SPI's fail after inactivity

Did you verify that the ISAKMP timers and IPSEC timers on the Cisco and MK routers are the same? Did you disable the lifetimes in bytes on both devices? On MK: ISAKMP values are changed in the "peer" section, IPSEC values are changed in the "profile" section. On Cisco: ISAKMP values are changed direct...
by shaoranrch
Mon Jun 15, 2015 7:42 pm
Forum: General
Topic: IPSec
Replies: 11
Views: 1678

Re: IPSec

I assume the other side is using Cisco gear due to the syntax. If that's the case, SHA is 128 and AES too, and this is what is preventing you from getting the tunnel up. I think something has changed. There is a "succeeded" log entry. I suppose that is for phase 1. How can I test (if phase 1 is ok)...
by shaoranrch
Sun Jun 14, 2015 3:19 pm
Forum: General
Topic: IPSec
Replies: 11
Views: 1678

Re: IPSec

I assume the other side is using Cisco gear due to the syntax.

If that's the case, SHA is 128 and AES too, and this is what is preventing you from getting the tunnel up.
by shaoranrch
Sun Jun 14, 2015 3:09 pm
Forum: General
Topic: Need help: IPSec configuration with multiple subnets
Replies: 3
Views: 1045

Re: Need help: IPSec configuration with multiple subnets

Hello,

As far as I know, you can't push static routes over PPP (this is the inner payload of L2TP, PPTP, PPPoE, etc.). I've tried this with no luck whatsoever. OpenVPN, I think, does support this, but I haven't tried it out yet.
by shaoranrch
Thu Oct 23, 2014 6:08 pm
Forum: General
Topic: Cisco - Mikrotik VLAN TRUNK and STP
Replies: 4
Views: 3489

Re: Cisco - Mikrotik VLAN TRUNK and STP

It is not working because RSTP allows only one Spanning Tree topology. Rapid PVST is not supported in RouterOS. Any idea about how to fix it other than disabling Spanning-tree? Well, I fixed it by enabling bpdufilter on the bonded interface and disabling CDP on it as well; if anybody has/had the same p...
by shaoranrch
Thu Oct 23, 2014 3:46 pm
Forum: General
Topic: Cisco - Mikrotik VLAN TRUNK and STP
Replies: 4
Views: 3489

Re: Cisco - Mikrotik VLAN TRUNK and STP

It is not working because RSTP allows only one Spanning Tree topology.
Rapid PVST is not supported in RouterOS.
Any idea about how to fix it other than disabling Spanning-tree?
by shaoranrch
Thu Oct 23, 2014 12:30 am
Forum: General
Topic: Cisco - Mikrotik VLAN TRUNK and STP
Replies: 4
Views: 3489

Cisco - Mikrotik VLAN TRUNK and STP

Hello, currently I need to set up a trunk between a Cisco 2960S and a MK CCR1036-12G-4S. The topology is: http://i62.tinypic.com/2qm3scg.jpg The numbered lines represent access ports; the number is the VLAN that is associated with that port. The trunk port is a bonded link using LACP. The problem is, ...
by shaoranrch
Wed Oct 01, 2014 4:25 pm
Forum: General
Topic: Sequential Arp requests
Replies: 6
Views: 1115

Re: Sequential Arp requests

Probably an ARP poisoning attempt to spoof/dump traffic by hijacking it. The switch isn't almighty, and using VLANs as a port isolation tool is well known but not flawless (there have been several ways to bypass/thwart VLAN port isolation, especially on the default configuration of the majority of devices). That problem really...
by shaoranrch
Wed Oct 01, 2014 3:28 pm
Forum: General
Topic: Sequential Arp requests
Replies: 6
Views: 1115

Re: Sequential Arp requests

BUMP

Anyone?
by shaoranrch
Tue Sep 30, 2014 11:13 pm
Forum: General
Topic: Sequential Arp requests
Replies: 6
Views: 1115

Re: Sequential Arp requests

Also I am noticing traffic leaking from one port to the other...

Traffic for subnet 1 is being seen on VLAN 2 and vice versa...

The switch is isolating the traffic and each VLAN has its own dedicated port on the CCR; I really don't know why it's happening.
by shaoranrch
Tue Sep 30, 2014 10:22 pm
Forum: General
Topic: Sequential Arp requests
Replies: 6
Views: 1115

Re: Sequential Arp requests

Someone might be doing an ARP/IP scan on your network, manually, or someone can be infected by a virus. I am monitoring the port that's directly connected to the CCR; I am running a monitor session directly from the switch and checked the MAC address tables; everything points to the CCR doing the requests. ...
by shaoranrch
Tue Sep 30, 2014 8:36 pm
Forum: General
Topic: Sequential Arp requests
Replies: 6
Views: 1115

Sequential Arp requests

Hello there, lately I've been noticing that our main MK router (CCR1036-12G-4S) is making a lot of ARP requests. The interesting part is that those requests are sequential (as in, requests for IP 10.10.10.1 to 10.10.10.100); it's even making requests to IPs that are not currently online. The router ha...
by shaoranrch
Fri Sep 26, 2014 10:03 pm
Forum: General
Topic: Mikrotik Cisco GRE IPsec tunnel not coming up
Replies: 7
Views: 2116

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

I've got almost the very same problem; I also have the same MK device (CCR1036-12G-4S), and I posted this issue in the forums as well. I did the NAT rule to "accept" traffic going to the other side of the tunnel, and I still have the same issue you describe; as a matter of fact the logs are basically the sa...
by shaoranrch
Thu Sep 18, 2014 4:49 pm
Forum: Beginner Basics
Topic: Questing regarding packet marking
Replies: 4
Views: 964

Re: Questing regarding packet marking

It is my understanding that packet and connection marks never leave the router which added them. I am not certain from your question if you are referring to the marks in the same device which added them, then encapsulated them. Or are you wanting to refer to the marks added on one device, call it r...
by shaoranrch
Fri Sep 12, 2014 6:40 pm
Forum: Beginner Basics
Topic: Questing regarding packet marking
Replies: 4
Views: 964

Re: Questing regarding packet marking

BUMP
by shaoranrch
Sat Sep 06, 2014 12:08 am
Forum: Beginner Basics
Topic: Questing regarding packet marking
Replies: 4
Views: 964

Questing regarding packet marking

Hello there, I've got a question that I know has probably already been answered, but I couldn't find the answer. I do not have MK gear to mess with right now, so I can't test this to find the answer. My question is: are the marks applied on packets/connections lost after said packets/connections are e...
by shaoranrch
Fri Aug 22, 2014 9:39 pm
Forum: General
Topic: Need support with GRE over IPSec VPN
Replies: 3
Views: 1131

Re: Need support with GRE over IPSec VPN

Mikrotik opens the tunnel when it is needed. Maybe it is your problem... no traffic, so the tunnel is closed. In Tool/Netwatch set a ping to any address in the main office and up and down scripts. It prevents the VPN from being closed. I used to set the ping interval to a value which is odd (e.g. 61 sec.) and the timeout for ...
by shaoranrch
Fri Aug 22, 2014 9:14 pm
Forum: General
Topic: Need support with GRE over IPSec VPN
Replies: 3
Views: 1131

Re: Need support with GRE over IPSec VPN

BUMP, anyone?
by shaoranrch
Fri Aug 22, 2014 6:53 pm
Forum: General
Topic: Need support with GRE over IPSec VPN
Replies: 3
Views: 1131

Need support with GRE over IPSec VPN

Hello there, currently I am in need of support regarding a VPN link I've established between our main office and a branch office. This is a really important link, since the financial data is located in our main office and the branch always needs to pull it from our servers. As of right now th...
by shaoranrch
Fri Feb 14, 2014 8:54 pm
Forum: Beginner Basics
Topic: RouterOS and multilayer switching
Replies: 1
Views: 841

Re: RouterOS and multilayer switching

Managed to fix it. I don't know if it's the most efficient way to do it, but here it goes. I tried it with only 2 VLANs (10 and 20), and the subnets 192.168.0.0/24 (VLAN 10) and 192.168.1.0/24 (VLAN 20). A.- Configuring Trunk Ports IOS: switchport mode trunk To do this in RouterOS, what I had to do was: * ...
by shaoranrch
Thu Feb 13, 2014 8:19 pm
Forum: Beginner Basics
Topic: RouterOS and multilayer switching
Replies: 1
Views: 841

RouterOS and multilayer switching

Hello over there, I am really new to RouterOS, and got really used to Cisco IOS, but now I want to try out this system. Currently I have a setup that consists of 2 Cisco 2960S and 1 CCR1036-12G-4S. I need the CCR to do inter-VLAN routing between both switches; also the CCR would be our DHCP server for each...