MikroTik

msatter

I have to have a good look at it when I have access to Winbox and my RouterOS in front of me. Seeing what is catching the first and tailing packets. So I have to come back on this. I am using L2TP/IPSEC on the inner box and the outer (GW) is transparant for that. IKEv2 is routed on the inner bock an...

msatter

The next step is when it hit the IKEv2 Nat rule and the connection is not there anymore what happens then? It will head for the WAN which is transfering anything not specific caught by other routing rules. Outgoing encrypted traffic will fall dead because the receiving IKEv2 server is not there anym...

msatter

I do not agree because forwarded traffic is only dropped if it on his way to the WAN while it is tagged to go through the IKEv2 connection. In the NAT itself the first split is made by only NAT traffic to the WAN the is not connection marked. So if traffic is on it's way through Mangle and marked an...

msatter

I added this rule as a workaround... It catches the packets if the dynamic rule by mode-config is not present. /ip firewall nat add action=src-nat chain=srcnat connection-mark=via-vpn to-addresses=127.0.0.1 However it is kind of blackhole only, there's no way to make the client receive unreachable ...

msatter

IKEv2 is not having it's own interface and encrypted traffic uses WAN. Traffic (not encrypted) marked for IKEv2 has so nothing lost in routing so when detected be indicated as unreachable.

msatter

You want to stop traffic what is not caught by IPSEC and so it is normal traffic.

msatter

I am using a in rules that drops forwarded traffic that has the connection mark and goes out through the WAN. I am using the specific ports now instead of connection mark. I am using this this for L2TP/IPSEC but maybe this can be used for IKEv2 to. Sindy made a blackhole by using an extra bridge. Th...

msatter

That speed is not to bad. I am using PureVPN and I don't have muvh more (only IKEv2).

I stopped using it for serveral weeks now now because of the many renewalls during sessions.

msatter

Why do you want to be brainwashed by Alphabet (Google)?

msatter

If you don't run any services that can reached from the outside you can drop all NEW traffic coming in on the WAN not even hitting connection tracking.

Dispite that, securing down you router is alway needed.

msatter

Update: problem tackled with help of mkx. In the previous Beta EAP for ikev2 was made available and I needed to split all over two routers. It needed changes in Hairpin, which broke the catching traffic better be served locally. I have an problem I can't explain with dstnat to an local address on UD...

msatter

*) ipsec - added "connection-mark" parameter for mode-config initiator (CLI only);

Thanks and I am going to test is later. I was looking where is was hidden in Winbox and could just not find it. It is for now CLI only.

ip - ipsec - mode-config

msatter

Hi Folks, Has been a long time since I have post here, but I need a help now! Does mikrotik already support Openvpn with tls? This is because we need to use NORDVPN here in brazil and its a hard time doing it, so, please could you guys solve this problem to enable us to start to sell thousand of de...

msatter

On Mikrotik page about the 4011: We have two versions available. RB4011iGS+5HacQ2HnD-IN-US (USA) is factory locked for 2412-2462MHz, 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed. RB4011iGS+5HacQ2HnD-IN (International) supports 2412-2484MHz and 5150MHz-5875MHz range (Specif...

msatter

I have it working but need two routers in serie (cascade).
If I was you I eould wait till Mirotik implement the promised way to be able to do this in one one router.

msatter

I am not Emils however I can answer your question.

You need the comodo-root.crt and import it in system-certificate. Stae that you ignore the check on it in the ipsec screen.

viewtopic.php?f=21&t=146087&p=731038&hi ... er#p731253

msatter

Have a look at this page for NordVPN, if your provider has no specific certificate then you need the root cert from/for that provider

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

msatter

Unknown, send e-mail to support@mikrotik.com

The wiki page for SFP:

https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

msatter

I had similar problem with a SD card in a hEX-S. Could not copy files from and write to.

Formatting in ROS made no difference, Windows could not format the card. I put in a camera and formating was succesful and the card working again in the hEX-S.

msatter

SFP port can be purposed however you need it to be. Can you put the SFP into your :AN and connect a PC to it and access the router? It sounds like hardware issue or negotiation problem between modem and SFP. Indeed switch of auto negotiation and set speed to 1Gbit. Those SFP can generate much heat ...

msatter

It could be due to firewall connection tracking settings. Default has these two settings: udp-timeout: 10s udp-stream-timeout: 3m I'm not familiar with how VoIP works, but settings above might be too short for some idle VoIP clients. Solution would be either to enable sending keep alive packets (if...

msatter

The performance hit is present but not huge. Address lists are vety effrctive and use RAW filtering so it won't reach connection tracking. I only use VPN to browse so thst means any services by you are unreachable for me. VPN is also a eay for us to be on the internet and not be watched all the time...

msatter

To me just dropping seems better to me. The fixes are on the way and my DECT phone blinked red today to indicate that needed attention. That was the RSS notification of this and the security log was containing new information.

msatter

“!” logical NOT :put (!true);
“&&” , “and” logical AND :put (true&&true)
“||” , “or” logical OR :put (true||false);

Standard seems AND

msatter

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible...

msatter

*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity; Where can I set that identity? I also noticed that the counters are all the same and these are L2tp/IPSEC connections: wrong-counters.JPG The local addresses, in PPP screen, are in the 172.20.12.xxx range (multip...

msatter

Great, much appreciated! Can't wait for it... Will we see this before version 6.45 final release? Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemen...

msatter

Hello! I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN). IP address receive via DHCP. ALL WORK GREAT! ---> firmware 6.44.3 If im update firmware to 6.45beta62, SFP module have status "link ok", but DHCP address not received, DHCP client all time in status "sear...

msatter

Chain input is a good step if you look at Mikrotik awn kernel. Also there are forwards and not all linux systems are already updated for this. Having also a main filter in the RAW looking at traffic coming in through the WAN is wise.

msatter

If your script is longer tha 4KB then you can run tha rsc file by using import file=xyz.rsc

msatter

Till we have a conformation about this, from Mikrotik put that rule in RAW. Which is the best place for it.

msatter

Does anyone knows where to find this setting? I am looking for it for years now. *) winbox - do not allow setting "dns-lookup-interval" to "0"; Many support mails about addresslists and DNS timings but this was never mentioned to me. I have now a limiter only for DNS so that when there is no upstrea...

msatter

The ADD in the rules is there to add the line to the RAW section in the firewall. After thst it not used anymore.

Dropping unwanted traffic is most efficient in RAW and so it won't reach connection tracking.

msatter

Duh. 60 Degrees is the angle and if you look at hardware section you see also a X3 (new) version that has an angle of 180 degrees. The width is limited by the distance. I won't reach the planet Mars despite it could be well in the 60 degrees angle. From the Mikrotik wiki and if you look at the LHG v...

msatter

Mikrotik creates a number for each support question and it seems that only one question is accepted. Try next time first the suggestion mentioned earlier and search a bit. If no find put the questions in separate e-mails if the differ much.

The forum is often faster than support.

msatter

It is now quiet around the beta and using now the new IKEv2 EAP possibilities for a time, I want to made a suggestion how to direct traffic using policy routing. I am now using a second router to take care of PPPoE and IKEv2 as those two are bound together more or less. I set in the 'inside' router ...

msatter

I helped with an earlier version and it is should be incremental and your get the changes you missed since the last sucessful update you had. The sheer number of routers connecting still can give a heavy bandwith usage. Dave is doing a great job despite his personal set backs. https://forum.mikrotik...

msatter

I would also go for the 4011. The hAP ac^2 is good but you need to go to fasttracking to reach real high speeds. The encypting power is 4 times higher with the 4011.

msatter

Hey mada3k, I totally agree with you, but Mikrotik states only that there is IPSec encryption accelleration (compared to the datasheet of hEX S), so I assume that there is no OpenSSL hardware encryption engine support :-( Look at this page and you see that ECB in worse than CBC: https://datalocker....

msatter

Maybe, use :log info " " instead of /log info " " You confused the actual logging and the log menu itself at this line: /log info "test this" Good that you managed to solve it yourself. I tested /log info "test" and it worked. I never use that and use :log because you can call it wherever you are i...

msatter

Maybe, use :log info " " instead of /log info " "

You confused the actual logging and the log menu itself at this line:

/log info "test this"

msatter

I am now using IKEv2 peer to connect to a VPN provider. I have the problem that the connection is rebuild and that old connection stays in the connection table. I am using a ping to test it and I get a timeout till I remove that connection out of the connection table. I thought that dead-peer-detect...

msatter

If a rule/line is matching and the Passthrough is NOT marked for that line then the rest of the lines are skipped in Mangle. If a rule/line is matching and the Passthrough is marked then the next line is processed. If that line or an later line is also matching then the value is overwritten if that ...

msatter

So after giving up on running it on router I returned to using two routers to be able to use Mangle + PCC to distribute traffic over several IKEv2 and L2TP/IPSEC connections. Also activated fastracking for the first NAT on the 'inner' router which was a bit of hustle. I had made a jump to two chains...

msatter

I give it a rest for now. I can spend days trying to get it work. Who know Mikrotik will give IKEv2 it's own interface and client settings so can do this without double NAT or IPIP tunnels.

Spend too much time on this running in circles.

Thank to Sindy again for all the help.

msatter

So I have two address-list, one for those sites only liking you coming from one IP and those that do not like VPN connections. Again, mangling cannot coexist with fasttracking. So I'd suggest to use your address lists of source-sensitive sites to choose the proper action=src-nat rule with the prope...

msatter

And it's gone.....

msatter

Thanks I am now adapting my config. I factor is that I don't have one IKEv2 connection but multiple and I want separate traffic to those IKEv2 connections with help of mangle. I had it working with multiple connections but I could not go far enough back to restore that. Update: Basically I want to d...

msatter

This is what I have added. /ip address add address=127.0.1.1 interface=aux-lo network=127.0.1.1 add address=10.0.1.1 interface=ipip-outer network=10.0.1.1 /interface ipip add mtu=1500 name=ipip-inner remote-address=127.0.1.1 add local-address=127.0.1.1 mtu=1500 name=ipip-outer remote-address=127.0.0...

msatter

I tried mangle route to an IP in 10.0.1.0 which is in the outer but no luck. Then I went back to route marking and ping on the router itself works but from a client it doesn't. There really strange things the NAT is not hit. Using route marking I see in connections the client IP - target - target - ...

Search found 1113 matches