MikroTik

msatter

Thank dmitris and I had in the past read this thread and the conclusion several time. I looked at the log and noticed that the packet have a small size of 40 and I just filter now on that size of between zero and 40, directed at port 80 and being a sync packet. This is a workaround and rather have t...

msatter

The attack is still going and it I am now at 62K requests in several hours.

Now I can sit and checking the log several times a day to enter a few /24 ranges to block also the next one.

Does anyone knows how I can block this kind of attacks by means given in RouterOS?

msatter

I have since a few months a problem start address ranges are DDOS at a rate between 10K and 15K a hour. The current version Destination Limiting does not work because ranges of source addresses are use. Luckily the are all in the same 24 range or blocks of 24 ranges. It would be great if Dst. Limit ...

msatter

Wow.. the seller told you that the SFP module has a web interface? Really?
Also i ve never seen a MAC address on a SFP module...

Then this tread must be an eye opener for you:
viewtopic.php?f=3&t=116364&sid=05dd0e7d ... ad#p751951

msatter

Hmmmm it is becoming even stranger. I tried a different setting and only look at packets that have as TCP flag SYNC and not ACK and the upload started with a delay and was at 40% of the expected speed. This was with clamp to pmtu as action which did not work before. To test I revered the !ack TCP fl...

msatter

My line: add action=change-mss chain=forward connection-mark=!no-mark dst-port=!993,8291 log-prefix=MSS new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1382 I apply a change-mss in the forward chain. My connections are marked so I use !no-mark (not marked connections and the the "...

msatter

Not in the IPSEC section. With IKEv2 you use connection marking or source addresses and those are used in the Mangle line to target traffic in the tunnel. I can't copy from the terminal in the Android APP so I have seach a computer to able to give you the lineI use for that. It should not be needed ...

msatter

I am afraid that you have to lower than 1400. I can send 1500 over PPPoE and I can use 1398 and 1382 through the IKEv2 tunnel. I have to set this value hard because clamp to pmtu is not working for me.

msatter

I can see the ICMP packets in RAW, Mangle and Filter but not in NAT. I tried with taking away in Mangle the connection mark, needed for being directed into the IKEv2 connection, but that did not make those packets visible in NAT nor did solve the problem. I still need in a Mangle line to set a hard ...

msatter

Wondering myself... This topic became really quiet lately.

It is on the slow burner since RouterOS 7 beta so not much test.

msatter

Spending many hours if not days on this I am seeing the ICMP type 3, code 4 packet but it is not shown in connection tracking nor is going to the local network where the client is. I am running a speedtest.net and downloading is fine but uploading does not start. I am not blocking the ICMP traffic b...

msatter

Do you have a subscription with NordVPN and which version of RouterOS are you using?

On the linked page you see a link to the original page by Mikrotik and that one is completer.

msatter

This thread goes about using a SFP in a Mikrotik, which should not be posible because the ISP/provider does not allow that to happen using their service.

Now it is posible if not easy.

msatter

If you block UDP 443 then traffic is forced through TCP.

msatter

Youtube is able to use UDP port 443 instead TCP port 443.

msatter

I have sometimes a slow kind of attack (plus minus 15.000 a day) on port 80 and I block those with an address-list. I filter on the sync and that works good. Today a saw an address from china (140.143.1x.xx) that could made a connection (SAC) on port 80 which don't reach the webserver and I think it...

msatter

If your connection marking based on source addresses then stay with using just source addresses. In my situation I can use two different MTU and if on the same router using connection marking I can use 1380. When it is routed to an other router and that is using source addresses then I can use 1396....

msatter

I have some times a EAP failed in the log without any information which IKEv2 connection failed: EAPfailed.jpg I changed the log settings to add more information all the time, this one were two connection taking in sequence almost 40 minutes to connect: EAPfailed1.jpg It would be nice if the EAP fai...

msatter

Connection marking is the easiest and then you replace PPPoE-out by your connection-mark and don't use out-interface but connection mark.

msatter

The only finite item are adresslists. If you can hook a rule to an adress ot domainn then it would.

An other way to put a comment code word or number on a rule and use scheduler to switch that rule on or off by finding that code word or number and switch the rule.

msatter

Set only the traffic through the tunnel to 1280 for testing and leave the WAN MTU alone or set it to 1492 if you have a PPPoE connection. Fasttracking over VPN is not going to work. On the other stuff I can't give you any advise. Have you used the WiKi of Mikrotik to find examples and tips? https://...

msatter

Everyone is testing RouterOS v7.0beta1 (ARM)!!!

Also, not everyone has an ARM device.

msatter

I get with IKEv2 connections to a VPN provider sometimes huge lists of EAP failed in the log but I can't see which account is causing this EAP failed: errors. A bit more of information in the error message would be welcome. EAP-failed.JPG The log is one of many and in that time period of 10 minutes ...

msatter

Having a lifetime of 30 minutes in ipsec proposal should be not problem. If you set Lifetime in ipsec profile to 30 minutes then you can get this error. NordVPN is offering 24 hours. Obey would enforce the 24 hours (NordVPN) but maybe RouterOS is still trying to renew. You could try strict as propos...

msatter

I had a similar problem a week ago. It was caused by a loop I created in VOIP traffic. When registering with VOIP provider the counter starts for 3 minutes. To receive call I have a catcher that accept calls in the timeout period. To test shorten the re-registering time on your VOIP device or length...

msatter

I have the same error when I use a lifetime that is short. I connect to a VPN provider.

msatter

Change MSS It is a well known fact that VPN links have smaller packet size due to encapsulation overhead. A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has DF flag set, it cannot be fragmented...

msatter

"Hex s" is not good to be found with search in this forum so I had to search with DuckDuckGo.

viewtopic.php?p=695939

viewtopic.php?f=2&t=137139&hilit=rb760igs

Have tried to move PPPoE to port two?

msatter

Which RouterOS are you using. I remember that there were more hEX S that had problems with Ethernet port 1. That is a while ago now.

msatter

Yesterday a new article on this was published: https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/ Mikrotik securityblog on this: https://blog.mikrotik.com/security/new-exploit-for-mikrotik-rou...

msatter

add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN The used login name/password is an example and are not real/working. You need an account with NordVPN. There is an repeating offer of 75% with off for three years and you have a 30-day money-back guarantee, so time to tes...

msatter

I have to correct myself. I wrote using source adress was not possible on a single router/device and that was not correct. I am using more than one tunnel at the same time so I never was able to use source address. In your case you have to choose one of them, and as you use a range of your local net...

msatter

You was mixing routing and connection marking. I would start again with the info page of Mikrotik self and only use connection marking.

msatter

Change to:

/ip ipsec mode-config
add connection-mark=nord name=NordVPN responder=no
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=nord passthrough=yes src-address=192.168.88.10-192.168.88.254

Offered a router setup to put yours in.

msatter

If you search in the forum you will find that routing is not going to work on a single device. You have to use connection marking. Remove that ALL from your config and post your config again after that. Then the requesters for config files, can have a easier look at your config. I am not a config re...

msatter

This is not the solution, but you should not use mark-routing when using a single router. Only Connection marking (mark-connection) is to be used.

The IKEv2 joins the WAN and has so no separate interface and only uses the dynamic NAT to get the traffic to the WAN.

msatter

UDP 443 block.

msatter

Better is a cable than a adapter

https://www.fs.com/de-en/products/42284.html

msatter

I am using Regex for domain names very often and you have anchor it at the beginning of the domain (^) or at the end ($ (in ROS \$)). If you don't anchor them then it can match any part of the domain name. The group is used for more complex Regex matching and not needed here. Better, grouping is cor...

msatter

Did you already contacted Mikrotik support on this?

The e-mail address is: support@mikrotik.com

msatter

How do I use the function concatenate to move a value to the next line?

This not the right thread to ask this. "\r" \n" is a newline, or even "\v" in scripting.

https://wiki.mikrotik.com/wiki/Manual:Scripting

msatter

Would this be not more efficient?

"\.gmail\..*\$"

You already hooked it up to the end with \$ sign.

It confuses me that Regex is seen as scripting in ROS......

msatter

The package TR-069 could be using that port.

msatter

I have a simple system of two+1 Addres lists.

- not VPN
- VPN
- fixed VPN

Fixed VPN are destination that don't like traffic arriving from different source addresses. This if you are using more than one VPN connection at the same time.

In Mangle you can use marking to separate traffic.

msatter

Pi-hole can do whitelisting and in the next release the domains will be in a database which gives more control over what is filtered. It will then be also able to use wildcard whitelisting and regex based whitelisting.

Pi-hole sits between the clients and used DNS server.

msatter

Is there an autosupout.rif file on the router by any chance? Will send it to support and I already pushed the button to generate one. . . And it is send to support. Update: after the restart all IKEv2 connections came back/ The ones I was missing where the ones from Pure. Update 2: It appeared that...

msatter

This morning the old dynamically generated NAT lines for IKEv2 are not removed from NAT on reconnect and so I have multiple dynamic NAT lines in NAT for each connection. I installed Beta 34 yesterday and I have two routers doing IKEv2 and the one who is using Source Address as filter did not remove ...

msatter

Nescafe2002 gave the solving answer and I expanded on that.

msatter

Here you cwn find the brochure and see if you are at the max. and normally you should be lower than the max.

https://i.mt.lv/cdn/rb_files/SFP2-131002143606.pdf

msatter

You can also enter a range between two ip addresses. If those can be written short by CIDR then the they will converted by ROS.

Example: 83.240.61.5-83.240.61.201

msatter

There is a page in the Wiki, which is empty, that could be used for feature request to be implement and implemented in v6 or v7:

http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

msatter

Hotter air rises so a opening at the bottom and top could ventilate your closet. You can put ventilation hole(s) at bottom of the door if the slit between the door and floor is small. Look if at the top of the closset is an escape for the hot air. Active ventilation needed when passive is not enough...

msatter

Hello, I have a mikrotik ccr 1036 and most of my ddos attacks are on TCP/UDP and currently my connection tracking is disabled and i block destination hosts on RAW filtering for reduce cpu loads. so i want to know this way save better CPU usages for me or enable connection tracking and use fast trac...

msatter

Please add IEEE 802.1AE AKA MACSEC to Router & SwitchOS.
This is already done in v7
There is no v7

There is as you can see at the top of this page:

BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)

msatter

That router is perfectly fine.

In the NAT rule to wich ports do you translate. You need port 80 and 443 and I leave that empty and filter on the incoming side.

msatter

Hmmm I was moving files using FTP inside my network and saw that in beginning that I still got a high load and after a short time that dropped. So I could abandon the untrack thought and use the following filter (ip firewall filter) / ip firewall filter add action=reject chain=forward dst-address-li...

msatter

Security is not an issue. > you can use connection marking by default to split traffic to go into the tunnel and traffic that that not has to be in the tunnel. How is this feature called? I what like to read more about this Also I have a problem that netflix and amazon is not working through that t...

msatter

ip - firewall - address-list

I wrote processor and to bemore clear it is Connection tracking in R-OS that slows things down.

msatter

The problem with the Mediatek MT7621A design is that you have to keep traffic out that is local->local to enter the processor. This is not possible so I mark it as "notrack" traffic and so it will be not going in/through the connection table. Enabling the switch option does not work because it is au...

msatter

I think that independent stands for not in a bridge. Bridge is more or less standard with Mikrotik.

Be aware that using the SFP will reduce overall speed again.

Connect uneven with even for each subnet so you will have the best usage of resources of the 760iGS.

msatter

When you buy an different router with hardware support you can use IKEv2 which is safe, L2TP is not, you can use connection marking by default to split traffic to go into the tunnel and traffic that that not has to be in the tunnel.

You can then use your local DNS if you want.

msatter

I tried PPTP, LT2P and LT2P with IPSec All of them are extremly slow. (Around 1Mbit) Only LT2P with IPSec gives me SOMETIMES 10MBit. I followed this instruction: https://support.safervpn.com/hc/en-us/articles/115004457365-Manual-PPTP-setup-on-Mikrotik-Router I have the feeling that there is a probl...

msatter

NordVPN is fast and I get with two RB760iGS in cascade 250/250Mbit/s. Single RB760iGS shuffles around 170Mbit/s over the IKEv2 tunnel.

With a RB4011 you will get between 250 an 300Mbit/s through NordVPN.

msatter

Have a look at these posting(s):

viewtopic.php?f=13&t=150682&p=743671&hi ... ns#p742837

msatter

Thanks pe1chl. I had yesterday some kind of only sync requests on ports 80 and 443 from serveral different AS numbers fom Dutch, Lituania, Ukrain and China sourced server/service providers.

I blocked in 12 hours almost 50 000 connections in RAW, now it is quiet again.

msatter

When adding devices to the access list "Signal Strength Range" is limited to -1;120, where it should be -120;120.

Already mentioned in the 6.46.Beta thread:

viewtopic.php?f=21&t=149910&start=50#p744204

msatter

Using Address Lists not only with IP address and Domain Name but also with the ASN number.

Never found a way to block in routing incoming traffic using ASN and I had to fallback on generating my own Address List to filter those IP ranges out.

msatter

When I make a static DNS entry and I look in Cache then I see it counting the TTL down for a few seconds and then it starts counting from the top again.

I have to move the static entries to an external DNS server to have a normal TTL countdown of the given TTL value.

msatter

Using Pi-hole and Chrome?

https://discourse.pi-hole.net/t/strange ... -log/21814

msatter

Also the TCP MTU could be off. In Mangle add this line and move it up as high as possible. You need still to mark the traffic and the DNS could be working with your or against you. So try both ways. /ip firewall mangle add action=change-mss chain=forward connection-mark=!no-mark src-address-list=SHI...

msatter

/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=SHIELDTV new-connection-mark=NordVPN passthrough=yes protocol=udp port=!53 add action=mark-connection chain=prerouting src-address-list=SHIELDTV new-connection-mark=NordVPN passthrough=yes protocol=tcp port=!53 /ip ipse...

msatter

You could have a look at DNSmasq that is also used in Pi-hole. Add to --synth-domain the ability to create names using sequential numbers, as well as encodings of IP addresses. For instance, --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-* creates 21 domain names of the form int...

msatter

Lets take a step back. You had it working but it was slow. My suggrstion is to not put DNS traffic into the VPN and use the Pihole instead. To get traffic to the pihole you put the IP of pihole into, the DNS given to clients, in your DHCP. So your rule is the mangle rule and from one rule you hsve t...

msatter

Hmmmm there is someting going on with using pmtu as that did not worked for me. If you replace pmtu with value 1280 it should be running as expected. Hope that Mikrotik gets the calculation correct soon.

msatter

Yes yes no. You are still using source address for all traffic and in NAT the NordVPN Nat is always on top. So you have to add in your proposed rule UDP!/!53 and duplicate that line and change to TCP/!53 !53 stands for everything except 53. So DNS traffic should then go to your Pi-hole as that was t...

msatter

Remember if you use the source address, that your DNS requests will also go to the VPN.

You can now also mark connection, see link to Mikrotik on the NordVPN page top, and then you can mark specific which traffic you want to goto the VPN.

msatter

Keep on living.

You are seeking hardware vlan and Mikrotik does support vlan in software.

So no need to jump of the cliff.

msatter

.
.
Which is totally what I'm looking actually since now I can apply "incoming" connection mark to all incoming connections and basically apply IPSec to connection-mark=!incoming.

It's still useful to limit source of IPSec policy a bit in order to make hairpin work properly

!incoming = nomark

msatter

I am on a Beta and that one also does not allow to remove the dynamic servers.

msatter

Have you enabled use peer DNS in the PPPoE setting in the Mikrotik? Check with pinging from a client (computer).

msatter

Version of the routerOS running on that device?

msatter

Start in RouterOS by be able to disable Dynamic DNS. athis undermines the first step so that has to be done before anything else.

msatter

I can't also not shed those and made a feature request for that.

viewtopic.php?f=1&t=45934&p=741888#p741888

msatter

Using now NordVPN for a while on the beta and I get after 24 hours problem with the reconnects. I installed 46.6beta16 which stated a more conclusive error log but it has not changed. I get ipsec,error EAP failed and sometimes even ipsec,error INVALID_SYNTAX EAP failed can be due to using all the si...

msatter

I can only set the vlan and I do it in /interface vlan

Then PPPoE uses the VLAN interface as exit and the VLAN uses WAN as exit (eth1 in your case)

You have to state which router you use because some like mine can do only software VLAN.

msatter

https://en.m.wikipedia.org/wiki/Passive_optical_network

Ehich PON is used depends on the ISP implementation.

msatter

Look at it as a media converter. It only put out what came in and the other way and amplify the voltage to make the next leg of the cable.

Is a delay a big criteria? Before then it even never arrived.

msatter

Good to read that it has been resolved and in searching for strange problems check whole chain is the second step.

msatter

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add name=NordVPN pfs-group=none

Atleast aes128

msatter

Have a look here on this:
viewtopic.php?f=13&t=150377&hilit=1280

msatter

I just concluded my short test and did not find noticeable difference between tracking and notracking. I am notracking the outside of the IPSEC connection/tunnel and traffic inside the tunnel is not Fasttrack-ed nor Notrack-ed. Using two routers in series increases the speed to between 200 and 300MB...

msatter

Able to disable dynamic DNS servers when using an IKEv2 connection to a VPN provider as NordVPN. This to have only the manual entered DNS server receiving requests and no fallback to the dynamic provided DNS servers of the VPN provider.

msatter

Thanks Sindy. I had not the chance to test it. I read it in the Wiki: It is very important that bypass rule is placed at the top of all other NAT rules. Another issue is if you have IP/Fasttrack enabled, packet bypasses IPsec policies. So we need to add accept rule before FastTrack. /ip firewall fil...

msatter

It seems to give a 30% reduction to use NOTRACK in a IPSEC connection. The current client config in ROS has an option to set Prerouting or Output but the IP addresses used do not catch anything in RAW. It uses the internal addresses and not the addresses communicated to. So I made an addresslist wit...

msatter

Did you already found Fasttracking?

https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

msatter

i modiface from msatter . i found it makes traffic ONLY when Speedtest.net is running, but what eals i found special dummy rules dont make traffic,even on connect-list fasttrack is 0. Do im getting fastrack for Speedtest? Filter add action=fasttrack-connection chain=forward comment="Speedtest fastt...

msatter

msatter , good idea by port. i'm running torch on same time with speed test. There is millions of ports Speedtest.net is using destination port 8080 and my line in Mangle is then: /ip firewall mangle add action=fasttrack-connection chain=prerouting comment="Speedtest fasttracking" connection-mark=n...

msatter

How disassemble and use the reset:

https://m.youtube.com/watch?v=k9Yna2f5Hao

Hope yours is the same.

msatter

Thanks and when I ping from my PC then normal (not VPN) has a 1472 MTU and both VPN connection a 1410 MTU. So I set the rule to do 1410 and then I have problems. Only When I am going down for NordVPN to MTU 1398 I can connect. I think that noting is left to use Wireshark again to see what is differe...

msatter

Run speedtest and look in connections wich port is used and fasttrak that port.

You know that fasttracking is making router is making is working better and not to used as limiter to your customers.

msatter

Where could lie the problem. I noticed it with NordVPN and PureVPN did not show that problem. A thing I remember doing the speedtest (xs4all) with PureVPN that not always the upload started and even gave a timeout. I have now only for NordVPN the MTU limited and not for PureVPN and the run side-by-s...

msatter

I am testing on the moment NordVPN and used before other VPN providers. MTU was sometimes a problem and I could always go without any changes to the MTU. Using NordVPN in the same configuration as with PureVPN IKEv2 I could not reach some sites and it stayed on getting the certificates for TLS and t...

msatter

Not make releases at the end of the week as most people do like their weekend too.

msatter

Have a read in this topic about GPON in Spain:

viewtopic.php?f=3&t=116364

msatter

I tried something else. Currently using an SFP for the WAN and that has in the RB760iGS (same processor as the RB750GR3). I connect it up differently replacing the SFP up-link with a ethernet port connected to a media converter. Now the usage of the processor is bit better and the firewall/network l...

msatter

I get every 120 seconds a new IP and rebuild of the IKEv2 connection. This is interupting traffic and makes browsing a waiting game for pages..if it even arrive. I understand that they are using TTL this way to spread users over the servers. However it spoils it for me and I have now fixed the IP ad...

msatter

When using multiple IPSEC connections side by side the traffic tends hurdles still together on one core.

msatter

Thanks for the feedback. We will try to add it in the 6.45.2 as well. It will also be possible to specify both the src-address-list and connection-mark parameters to form a single NAT rule. If anyone is wondering, currently an example is published here . New question about IKEv2 and re-keying. Usin...

msatter

I have to have a good look at it when I have access to Winbox and my RouterOS in front of me. Seeing what is catching the first and tailing packets. So I have to come back on this. I am using L2TP/IPSEC on the inner box and the outer (GW) is transparant for that. IKEv2 is routed on the inner bock an...

msatter

The next step is when it hit the IKEv2 Nat rule and the connection is not there anymore what happens then? It will head for the WAN which is transfering anything not specific caught by other routing rules. Outgoing encrypted traffic will fall dead because the receiving IKEv2 server is not there anym...

msatter

I do not agree because forwarded traffic is only dropped if it on his way to the WAN while it is tagged to go through the IKEv2 connection. In the NAT itself the first split is made by only NAT traffic to the WAN the is not connection marked. So if traffic is on it's way through Mangle and marked an...

msatter

I added this rule as a workaround... It catches the packets if the dynamic rule by mode-config is not present. /ip firewall nat add action=src-nat chain=srcnat connection-mark=via-vpn to-addresses=127.0.0.1 However it is kind of blackhole only, there's no way to make the client receive unreachable ...

msatter

IKEv2 is not having it's own interface and encrypted traffic uses WAN. Traffic (not encrypted) marked for IKEv2 has so nothing lost in routing so when detected be indicated as unreachable.

msatter

You want to stop traffic what is not caught by IPSEC and so it is normal traffic.

msatter

I am using a in rules that drops forwarded traffic that has the connection mark and goes out through the WAN. I am using the specific ports now instead of connection mark. I am using this this for L2TP/IPSEC but maybe this can be used for IKEv2 to. Sindy made a blackhole by using an extra bridge. Th...

msatter

That speed is not to bad. I am using PureVPN and I don't have muvh more (only IKEv2).

I stopped using it for serveral weeks now now because of the many renewalls during sessions.

msatter

Why do you want to be brainwashed by Alphabet (Google)?

msatter

If you don't run any services that can reached from the outside you can drop all NEW traffic coming in on the WAN not even hitting connection tracking.

Dispite that, securing down you router is alway needed.

msatter

Update: problem tackled with help of mkx. In the previous Beta EAP for ikev2 was made available and I needed to split all over two routers. It needed changes in Hairpin, which broke the catching traffic better be served locally. I have an problem I can't explain with dstnat to an local address on UD...

msatter

*) ipsec - added "connection-mark" parameter for mode-config initiator (CLI only);

Thanks and I am going to test is later. I was looking where is was hidden in Winbox and could just not find it. It is for now CLI only.

ip - ipsec - mode-config

msatter

Hi Folks, Has been a long time since I have post here, but I need a help now! Does mikrotik already support Openvpn with tls? This is because we need to use NORDVPN here in brazil and its a hard time doing it, so, please could you guys solve this problem to enable us to start to sell thousand of de...

msatter

On Mikrotik page about the 4011: We have two versions available. RB4011iGS+5HacQ2HnD-IN-US (USA) is factory locked for 2412-2462MHz, 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed. RB4011iGS+5HacQ2HnD-IN (International) supports 2412-2484MHz and 5150MHz-5875MHz range (Specif...

msatter

I have it working but need two routers in serie (cascade).
If I was you I eould wait till Mirotik implement the promised way to be able to do this in one one router.

msatter

I am not Emils however I can answer your question.

You need the comodo-root.crt and import it in system-certificate. Stae that you ignore the check on it in the ipsec screen.

viewtopic.php?f=21&t=146087&p=731038&hi ... er#p731253

msatter

Have a look at this page for NordVPN, if your provider has no specific certificate then you need the root cert from/for that provider

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

msatter

Unknown, send e-mail to support@mikrotik.com

The wiki page for SFP:

https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

msatter

I had similar problem with a SD card in a hEX-S. Could not copy files from and write to.

Formatting in ROS made no difference, Windows could not format the card. I put in a camera and formating was succesful and the card working again in the hEX-S.

msatter

SFP port can be purposed however you need it to be. Can you put the SFP into your :AN and connect a PC to it and access the router? It sounds like hardware issue or negotiation problem between modem and SFP. Indeed switch of auto negotiation and set speed to 1Gbit. Those SFP can generate much heat ...

msatter

It could be due to firewall connection tracking settings. Default has these two settings: udp-timeout: 10s udp-stream-timeout: 3m I'm not familiar with how VoIP works, but settings above might be too short for some idle VoIP clients. Solution would be either to enable sending keep alive packets (if...

msatter

The performance hit is present but not huge. Address lists are vety effrctive and use RAW filtering so it won't reach connection tracking. I only use VPN to browse so thst means any services by you are unreachable for me. VPN is also a eay for us to be on the internet and not be watched all the time...

msatter

To me just dropping seems better to me. The fixes are on the way and my DECT phone blinked red today to indicate that needed attention. That was the RSS notification of this and the security log was containing new information.

msatter

“!” logical NOT :put (!true);
“&&” , “and” logical AND :put (true&&true)
“||” , “or” logical OR :put (true||false);

Standard seems AND

msatter

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible...

msatter

*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity; Where can I set that identity? I also noticed that the counters are all the same and these are L2tp/IPSEC connections: wrong-counters.JPG The local addresses, in PPP screen, are in the 172.20.12.xxx range (multip...

msatter

Great, much appreciated! Can't wait for it... Will we see this before version 6.45 final release? Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemen...

msatter

Hello! I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN). IP address receive via DHCP. ALL WORK GREAT! ---> firmware 6.44.3 If im update firmware to 6.45beta62, SFP module have status "link ok", but DHCP address not received, DHCP client all time in status "sear...

msatter

Chain input is a good step if you look at Mikrotik awn kernel. Also there are forwards and not all linux systems are already updated for this. Having also a main filter in the RAW looking at traffic coming in through the WAN is wise.

msatter

If your script is longer tha 4KB then you can run tha rsc file by using import file=xyz.rsc

msatter

Till we have a conformation about this, from Mikrotik put that rule in RAW. Which is the best place for it.

msatter

Does anyone knows where to find this setting? I am looking for it for years now. *) winbox - do not allow setting "dns-lookup-interval" to "0"; Many support mails about addresslists and DNS timings but this was never mentioned to me. I have now a limiter only for DNS so that when there is no upstrea...

msatter

The ADD in the rules is there to add the line to the RAW section in the firewall. After thst it not used anymore.

Dropping unwanted traffic is most efficient in RAW and so it won't reach connection tracking.

msatter

Duh. 60 Degrees is the angle and if you look at hardware section you see also a X3 (new) version that has an angle of 180 degrees. The width is limited by the distance. I won't reach the planet Mars despite it could be well in the 60 degrees angle. From the Mikrotik wiki and if you look at the LHG v...

msatter

Mikrotik creates a number for each support question and it seems that only one question is accepted. Try next time first the suggestion mentioned earlier and search a bit. If no find put the questions in separate e-mails if the differ much.

The forum is often faster than support.

msatter

It is now quiet around the beta and using now the new IKEv2 EAP possibilities for a time, I want to made a suggestion how to direct traffic using policy routing. I am now using a second router to take care of PPPoE and IKEv2 as those two are bound together more or less. I set in the 'inside' router ...

msatter

I helped with an earlier version and it is should be incremental and your get the changes you missed since the last sucessful update you had. The sheer number of routers connecting still can give a heavy bandwith usage. Dave is doing a great job despite his personal set backs. https://forum.mikrotik...

msatter

I would also go for the 4011. The hAP ac^2 is good but you need to go to fasttracking to reach real high speeds. The encypting power is 4 times higher with the 4011.

msatter

Hey mada3k, I totally agree with you, but Mikrotik states only that there is IPSec encryption accelleration (compared to the datasheet of hEX S), so I assume that there is no OpenSSL hardware encryption engine support :-( Look at this page and you see that ECB in worse than CBC: https://datalocker....

msatter

Maybe, use :log info " " instead of /log info " " You confused the actual logging and the log menu itself at this line: /log info "test this" Good that you managed to solve it yourself. I tested /log info "test" and it worked. I never use that and use :log because you can call it wherever you are i...

msatter

Maybe, use :log info " " instead of /log info " "

You confused the actual logging and the log menu itself at this line:

/log info "test this"

msatter

I am now using IKEv2 peer to connect to a VPN provider. I have the problem that the connection is rebuild and that old connection stays in the connection table. I am using a ping to test it and I get a timeout till I remove that connection out of the connection table. I thought that dead-peer-detect...

msatter

If a rule/line is matching and the Passthrough is NOT marked for that line then the rest of the lines are skipped in Mangle. If a rule/line is matching and the Passthrough is marked then the next line is processed. If that line or an later line is also matching then the value is overwritten if that ...

msatter

So after giving up on running it on router I returned to using two routers to be able to use Mangle + PCC to distribute traffic over several IKEv2 and L2TP/IPSEC connections. Also activated fastracking for the first NAT on the 'inner' router which was a bit of hustle. I had made a jump to two chains...

msatter

I give it a rest for now. I can spend days trying to get it work. Who know Mikrotik will give IKEv2 it's own interface and client settings so can do this without double NAT or IPIP tunnels.

Spend too much time on this running in circles.

Thank to Sindy again for all the help.

msatter

So I have two address-list, one for those sites only liking you coming from one IP and those that do not like VPN connections. Again, mangling cannot coexist with fasttracking. So I'd suggest to use your address lists of source-sensitive sites to choose the proper action=src-nat rule with the prope...

msatter

And it's gone.....

msatter

Thanks I am now adapting my config. I factor is that I don't have one IKEv2 connection but multiple and I want separate traffic to those IKEv2 connections with help of mangle. I had it working with multiple connections but I could not go far enough back to restore that. Update: Basically I want to d...

msatter

This is what I have added. /ip address add address=127.0.1.1 interface=aux-lo network=127.0.1.1 add address=10.0.1.1 interface=ipip-outer network=10.0.1.1 /interface ipip add mtu=1500 name=ipip-inner remote-address=127.0.1.1 add local-address=127.0.1.1 mtu=1500 name=ipip-outer remote-address=127.0.0...

msatter

I tried mangle route to an IP in 10.0.1.0 which is in the outer but no luck. Then I went back to route marking and ping on the router itself works but from a client it doesn't. There really strange things the NAT is not hit. Using route marking I see in connections the client IP - target - target - ...

msatter

What I want to archive is that 'basic' client behavior using a IKEv2 connection. It is not that simple now the NAT line is created triggered by the source address and the source address is the one of the clients. I tried double NAT on one box and did not get that working. When I use IPIP I saw the c...

msatter

Solved it by marking routing....I did this hundreds of times but not try it here. I will make a short manual so using the new IKEv2 possibilities easier without an client available in ROS/Winbox. Thanks to Sindy for the IPIP idea. It was working and then it stopped and I have figure out why it does ...

msatter

I am bussy with using the latest implementation of IKv2 with EAP authentication. I have it working but I have to manually change each time the entry address of the IKEv2 connection in Mangle. Using the IPIP is partly working when I test it using the ping tool in Winbox. /ip address add address=172.2...

msatter

Look in the wiki.mikrotik.com for PCC and there you have the choice on what information you can split up traffic.

The simplest one is uding destination address.

msatter

Thanks Sindy and it a pity that it did not work as expected. Did you try using different ports as you control the client and the server? When I use IKEv2 I don't activate notracking for now. Tested it with one active IKEv2 connection active and still one core was loaded up...general observation is t...

msatter

Thanks looking forward to it. With IKEv2 I need to know the which IP entry point is given and ROS knows it but having no script on start / change I can't automate it. When using mode config + address list I get a NAT line at the top src-natting the new address of the entry point for encrypting. If n...

msatter

Sindy suggested to use IPIP to see if can run it on one router but I have see how that is going to be setup. Well, that suggestion was relevant in the context of one CPU thread being loaded at 100 % and the others idling as you've stated here, not the whole machine running at 100 % as you've stated...

msatter

The usrrs are free to use a different DNS and Android and APP want to use the DNS of Google itself. You can stop that by blocking that traffic to what I call Rouge DNS servers by putting them in a addresslist and drop that traffic. You can choose to put a NAT enforcer to lesd that trafgic to your ow...

msatter

I had not yet used Fasttracking and the next two are 'profiles'fastracked using outer (GW) and inner (filter/nat/mangle/raw). Inner fasttracked: no picture present And for comparison non encrypting: no picture present] And as second comparison non encrypting on a standalone router with PPPoE: no pic...

msatter

I have made 'profile' screenshots when the router(s) are loaded and doing encrypting: no picture present IKEv2 in cascade setup of a box doing the PPPoE and IKEv2. There i NAT running on the box for the IKEv2. no picture present At the same time the other router doing filtering/nat/mangle/raw no pic...

msatter

hmmm reading it I going to put it in a third blank. RB750Gr2 to see how it works and my live boxes are to complicated now to fit in in one time. During testing IPIP I noticed that in connections only one line appeared of the four expected that stated the searched dynamic IP of the IKEv2 connection w...

msatter

I tried to build IPIP on the single router but I did not manage to get it working. The example in the wiki seems to not do what I see on my router.Thanks for the link and I will see if that is working. I already overheated my brain serveral time in the past week. If I can get it to work then Mikroti...

msatter

Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src...

msatter

As client I use OpenVPN and for IKEv2 StrongSwan. A good solution is if you own the router that is able to provide VPN connections to isu that. This to have VPN for all devices connected to that router. OpenVPN is a bit of a Unicorn with Mikrotik however IKEv2 is in Beta supported. Works well and I ...

msatter

If your IKEv2 client is running on the PC, the UDP transport of the encrypted data becomes a plaintext transit traffic for the router connecting that PC to the rest of the world, so fasttracking that traffic makes sense if the router doesn't have enough CPU to handle the forwarding and firewalling....

msatter

I solved my problem by turning auto negotiation off, and setting the link capacity to 1G fixed. As always. Maybe Mikrotik will implement a extra button in ROS in that screen with the text "Does not work" and pressing it will disable auto negotiation for you. Or make the default negotiation state be...

msatter

You can route and filter all you want before redirecting it to the entry point of the tunnel. For this you use NAT and in Mangle route marking. If have still to manually create a split horizon and I am now setting two routers in serie (cascade) to see if can then use the option mentioned underneath....

msatter

I have tried now with addresslist and I can make a split horizon. The TS_I is given by PureVPN (10.4.48.178) for that fixed IP server. The only address in the addresslist (Marker) is not to be seen the log. The ST_R is 0.0.0.0/0. The NAT is generated and then I have change my original source address...

msatter

Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src...

msatter

Hello emils Please, provided the configuration command for use Ikev2 with EAP authentication. I will test the new firmware version, I will configue NordVPN with IKEV2 with EAP authentication. This is the Linux config for NordVPN for exemple: https://nordvpn.com/tutorials/linux/ikev2ipsec/ You can h...

msatter

Thanks Sindy and I was this afternoon ofline to test it so I did not see your reply earlier. I had the PPPoE running and changed my settings but I could not get any traffic to the "PPPoE" router so I still know nothing. I had to discover that you have to use a bridge to even have an IP on ether2 vis...

msatter

I have been bussy with IKEv2 connections the last few days and now all is working I was disappointed the my RB760iGS only managed to do 70-90 Mbit/s due to networking an firewalling task being taking all the CPU of Core 0 while the others are almost idling. I am thinking and going to setup in a mome...

msatter

Many thanks and I have working with PureVPN and their support could not help me much. I sm uding now a IP address of one of their XX-ikev.ptoservers so that the internal and network IP (range) is constant. This have a src-nst with a condtant gateway. Thanks to Mikrotik make it possible and also Nord...

msatter

Try setting the remote-id to ignore. I tried that and it still complains that it can't get local certificate from configuration and it not a dealbreaker and it goes on till it processes payloads: NOTIFY and then I get the error that the notify is TS_UNACCEPTABLE and the next line it is a got error:...

msatter

I am a bit further and I needed two certificates to be in the certificates box. https://blogger.davidmanouchehri.com/2017/09/ Now I get twice the error that the [b ]peer's ID does not match certificate [/b] and the line above that reads in the log: unable to get certificate CRL(3) at depth:0 Subject...

msatter

Thanks Emils. It is PureVPN and using PossitiveSSL (pointoserver.com / ptoserver.com) and that is the root certificate of Comodo which I tried. I contacted support and they don't provide a certificate to connect as NordVPN is doing. I will a look at the current certificates in the windows store to s...

msatter

Now mschapv2 is supported I tried to connect with IKEv2 to a VPN provider. This provider does not supply a certificate so I match on FQDN which is *.pointtoserver.com (the "*." needs to be there) ip ipsec identity add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 peer=PureIKEv...

msatter

Wireguard was tested by INRIA Source: https://www.security.nl/posting/608796/Onderzoekers+testen+cryptografische+werking+WireGuard-vpn Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol deri...

msatter

can you add EAP-MSCHAPv2 to the authentication method list?
Yes, it is coming as well.

Does this means that Mikrotik can be removed from the not supported router list at NordVPN and is going to use ike2 to connect?

msatter

Also check if your ethernet interface negotiates to the correct speed and duplex.
Status shows as Unknown.

Then set it manually.

msatter

viewtopic.php?f=9&t=127093&p=625349&hil ... 96#p625349

msatter

That is correct, you got an IP without that line active so you could also omit that line.

Can't test because I am not even on the same continent.

msatter

Duck-duck-go this.

https://www.reddit.com/r/mikrotik/comme ... ex_750gr3/

msatter

Fast Forward depends on many other setting to be active. See the manual.

https://wiki.mikrotik.com/wiki/Manual:I ... st_Forward

msatter

There does not appear to be a dedicated forum for the mobile app, so I did not know where else to post this.

There is only one official thread on that and it can be found here:

viewtopic.php?f=21&t=98407

msatter

That is not a problem and I made it work that way. Some sites, like this forum do not like that approach, I have to use a single IP address ( fixed-vpn ) during a session when I am logged in. Others site I visit block VPN so I have also a addresslist no-vpn . Each list is about 20 entries long so no...

msatter

I was afraid that I need NAT when using a VPN provider. I have multiple connections which have different public IP addresses on the side of the VPN provider. By example, a webpage is collected by different IP addresses from the VPN provider and on my side I split (initiate) it those request based on...

msatter

Thanks for your patience and I am looking for a way to skip NAT. I have marked the route in Mangle and it puzzles me why I still need NAT. In the default client setup for L2TP(-IPSEC) the local address is set in the 172.20.12.x range and I changed that to a address that is my local network thinking ...

msatter

Thanks Sindy, I am using mangle to mark connection and route . I hoped to be able skip NAT but I was not able to. I run several VPN side to side and I get overlapping 172.20.12.x as local address. Mangle 33 chain=route-vpn action=mark-routing new-routing-mark=VPN11 passthrough=no connection-mark=VPN...

msatter

I had a look at my VPN and up goes no traffic over port 1701 up but down I traffic on port 1701 coming from the VPN connection and the packey count are almost the same as on ipsec-esp in the line above in RAW. If I disable the accept for 1701 incoming, in RAW, my VPN is death. Is my traffic down enc...

msatter

The Wiki on this:

https://wiki.mikrotik.com/wiki/Manual:T ... /db_vacuum

Also have a look at this script to backup and vacuum:

https://github.com/sayajin101/Dude-Backup-Script

msatter

That's awesome. It is a good start to making a script that could for example let Google or Facebook in a Walled Garden list or perhaps QoS rule or blocking. I wish I knew how to deduplicate it. It would be great as an online script generator. I tested it and it seemed an effective way to block Face...

Search found 1221 matches