Community discussions

Search found 1113 matches

by msatter
Mon Jul 15, 2019 7:39 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1173

Re: blackhole/unreachable with IPSec policies [SOLVED]

I have to have a good look at it when I have access to Winbox and my RouterOS in front of me. Seeing what is catching the first and tailing packets. So I have to come back on this. I am using L2TP/IPSEC on the inner box and the outer (GW) is transparent for that. IKEv2 is routed on the inner box an...
by msatter
Sun Jul 14, 2019 11:16 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1173

Re: blackhole/unreachable with IPSec policies [SOLVED]

The next step is when it hits the IKEv2 NAT rule and the connection is not there anymore, what happens then? It will head for the WAN which is transferring anything not specifically caught by other routing rules. Outgoing encrypted traffic will fall dead because the receiving IKEv2 server is not there anym...
by msatter
Sun Jul 14, 2019 10:53 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1173

Re: blackhole/unreachable with IPSec policies [SOLVED]

I do not agree because forwarded traffic is only dropped if it is on its way to the WAN while it is tagged to go through the IKEv2 connection. In the NAT itself the first split is made by only NATting traffic to the WAN that is not connection marked. So if traffic is on its way through Mangle and marked an...
by msatter
Sun Jul 14, 2019 11:32 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1173

Re: blackhole/unreachable with IPSec policies [SOLVED]

I added this rule as a workaround... It catches the packets if the dynamic rule by mode-config is not present. /ip firewall nat add action=src-nat chain=srcnat connection-mark=via-vpn to-addresses=127.0.0.1 However it is kind of blackhole only, there's no way to make the client receive unreachable ...
by msatter
Sat Jul 13, 2019 2:09 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1173

Re: blackhole/unreachable with IPSec policies [SOLVED]

IKEv2 is not having its own interface and encrypted traffic uses WAN. Traffic (not encrypted) marked for IKEv2 has so nothing lost in routing, so when detected it can be indicated as unreachable.
by msatter
Sat Jul 13, 2019 12:55 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1173

Re: blackhole/unreachable with IPSec policies [SOLVED]

You want to stop traffic that is not caught by IPSEC and so it is normal traffic.
by msatter
Sat Jul 13, 2019 12:46 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1173

Re: blackhole/unreachable with IPSec policies [SOLVED]

I am using a rule that drops forwarded traffic that has the connection mark and goes out through the WAN. I am using the specific ports now instead of connection mark. I am using this for L2TP/IPSEC but maybe this can be used for IKEv2 too. Sindy made a blackhole by using an extra bridge. Th...
by msatter
Fri Jul 12, 2019 4:58 pm
Forum: General
Topic: NordVPN-IKEv2 slow NET speed
Replies: 6
Views: 463

Re: NordVPN-IKEv2 slow NET speed

That speed is not too bad. I am using PureVPN and I don't have much more (only IKEv2).

I stopped using it for several weeks now because of the many renewals during sessions.
by msatter
Fri Jul 12, 2019 4:55 pm
Forum: General
Topic: Google Station
Replies: 4
Views: 382

Re: Google Station

Why do you want to be brainwashed by Alphabet (Google)?
by msatter
Fri Jul 12, 2019 3:11 pm
Forum: General
Topic: MikroTik blacklists (IPv4/IPv6)
Replies: 4
Views: 359

Re: MikroTik blacklists (IPv4/IPv6)

If you don't run any services that can be reached from the outside you can drop all NEW traffic coming in on the WAN, not even hitting connection tracking.

Despite that, securing down your router is always needed.
by msatter
Fri Jul 12, 2019 9:53 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 37
Views: 6488

Re: v6.46beta [testing] is released!

Update: problem tackled with help of mkx. In the previous Beta EAP for IKEv2 was made available and I needed to split everything over two routers. It needed changes in Hairpin, which broke the catching of traffic better served locally. I have a problem I can't explain with dstnat to a local address on UD...
by msatter
Thu Jul 11, 2019 3:07 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 37
Views: 6488

Re: v6.46beta [testing] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator (CLI only);

Thanks and I am going to test it later. I was looking where it was hidden in Winbox and could just not find it. It is for now CLI only. :-)

ip - ipsec - mode-config
by msatter
Tue Jul 09, 2019 1:50 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 37
Views: 6488

Re: v6.46beta [testing] is released!

Hi Folks, it has been a long time since I have posted here, but I need some help now! Does Mikrotik already support OpenVPN with TLS? This is because we need to use NordVPN here in Brazil and it's a hard time doing it, so, please could you guys solve this problem to enable us to start to sell thousand of de...
by msatter
Fri Jul 05, 2019 4:55 pm
Forum: General
Topic: SFP RB4011
Replies: 19
Views: 1046

Re: SFP RB4011

On Mikrotik page about the 4011: We have two versions available. RB4011iGS+5HacQ2HnD-IN-US (USA) is factory locked for 2412-2462MHz, 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed. RB4011iGS+5HacQ2HnD-IN (International) supports 2412-2484MHz and 5150MHz-5875MHz range (Specif...
by msatter
Wed Jul 03, 2019 11:05 am
Forum: General
Topic: NordVpn and mikrotik?
Replies: 22
Views: 3435

Re: NordVpn and mikrotik?

I have it working but need two routers in series (cascade).
If I were you I would wait till Mikrotik implements the promised way to be able to do this in one router.
by msatter
Sun Jun 30, 2019 10:58 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

I am not Emils however I can answer your question.

You need the comodo-root.crt and import it in system-certificate. State that you ignore the check on it in the ipsec screen.

viewtopic.php?f=21&t=146087&p=731038&hi ... er#p731253
by msatter
Sat Jun 29, 2019 5:22 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

Have a look at this page for NordVPN, if your provider has no specific certificate then you need the root cert from/for that provider

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
by msatter
Wed Jun 26, 2019 11:12 pm
Forum: RouterBOARD hardware
Topic: hEX S & SFP S-RJ01
Replies: 4
Views: 370

Re: hEX S & SFP S-RJ01

by msatter
Wed Jun 26, 2019 11:53 am
Forum: General
Topic: Unable to write on External USB EXT3 HDD
Replies: 3
Views: 220

Re: Unable to write on External USB EXT3 HDD

I had a similar problem with an SD card in a hEX-S. Could not copy files from it or write to it.

Formatting in ROS made no difference, Windows could not format the card. I put it in a camera and formatting was successful and the card was working again in the hEX-S.
by msatter
Tue Jun 25, 2019 5:56 pm
Forum: RouterBOARD hardware
Topic: hEX S & SFP S-RJ01
Replies: 4
Views: 370

Re: hEX S & SFP S-RJ01

SFP port can be purposed however you need it to be. Can you put the SFP into your LAN and connect a PC to it and access the router? It sounds like a hardware issue or negotiation problem between modem and SFP. Indeed switch off auto negotiation and set speed to 1Gbit. Those SFP can generate much heat ...
by msatter
Mon Jun 24, 2019 12:57 pm
Forum: General
Topic: Im having issues with UDP conns for VOIP being unreliable.
Replies: 4
Views: 316

Re: Im having issues with UDP conns for VOIP being unreliable.

It could be due to firewall connection tracking settings. Default has these two settings: udp-timeout: 10s udp-stream-timeout: 3m I'm not familiar with how VoIP works, but settings above might be too short for some idle VoIP clients. Solution would be either to enable sending keep alive packets (if...
by msatter
Sun Jun 23, 2019 2:43 pm
Forum: Beginner Basics
Topic: Firewall list performace hit
Replies: 3
Views: 266

Re: Firewall list performace hit

The performance hit is present but not huge. Address lists are very effective and use RAW filtering so it won't reach connection tracking. I only use VPN to browse so that means any services by you are unreachable for me. VPN is also a way for us to be on the internet and not be watched all the time...
by msatter
Thu Jun 20, 2019 11:44 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 2512

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Just dropping seems better to me. The fixes are on the way and my DECT phone blinked red today to indicate that it needed attention. That was the RSS notification of this and the security log was containing new information.
by msatter
Wed Jun 19, 2019 1:06 pm
Forum: Scripting
Topic: Select rule exact match by fields
Replies: 4
Views: 302

Re: Select rule exact match by fields

“!” logical NOT :put (!true);
“&&” , “and” logical AND :put (true&&true)
“||” , “or” logical OR :put (true||false);

Standard seems AND
by msatter
Wed Jun 19, 2019 12:55 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible...
by msatter
Wed Jun 19, 2019 10:56 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity; Where can I set that identity? I also noticed that the counters are all the same and these are L2tp/IPSEC connections: wrong-counters.JPG The local addresses, in PPP screen, are in the 172.20.12.xxx range (multip...
by msatter
Tue Jun 18, 2019 11:29 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

Great, much appreciated! Can't wait for it... Will we see this before version 6.45 final release? Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemen...
by msatter
Tue Jun 18, 2019 11:25 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

Hello! I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN). IP address received via DHCP. ALL WORK GREAT! ---> firmware 6.44.3 If I update firmware to 6.45beta62, SFP module has status "link ok", but DHCP address not received, DHCP client all the time in status "sear...
by msatter
Tue Jun 18, 2019 6:07 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 2512

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Chain input is a good step if you look at Mikrotik's own kernel. Also there are forwards and not all Linux systems are already updated for this. Having also a main filter in RAW looking at traffic coming in through the WAN is wise.
by msatter
Tue Jun 18, 2019 12:49 pm
Forum: General
Topic: Upload file and change it into a script
Replies: 2
Views: 155

Re: Upload file and change it into a script

If your script is longer than 4KB then you can run the rsc file by using import file=xyz.rsc
by msatter
Tue Jun 18, 2019 12:43 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 2512

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Till we have a confirmation about this from Mikrotik, put that rule in RAW. Which is the best place for it.
by msatter
Fri Jun 14, 2019 11:43 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

Does anyone know where to find this setting? I have been looking for it for years now. *) winbox - do not allow setting "dns-lookup-interval" to "0"; Many support mails about address lists and DNS timings but this was never mentioned to me. I have now a limiter only for DNS so that when there is no upstrea...
by msatter
Thu Jun 13, 2019 11:05 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 22115

Re: Blacklist Filter (Development Topic)

The ADD in the rules is there to add the line to the RAW section in the firewall. After that it is not used anymore.

Dropping unwanted traffic is most efficient in RAW and so it won't reach connection tracking.
by msatter
Thu Jun 13, 2019 1:41 am
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 518

Re: Annoyed with Mikrotik 'Support'

Duh. 60 Degrees is the angle and if you look at hardware section you see also a X3 (new) version that has an angle of 180 degrees. The width is limited by the distance. I won't reach the planet Mars despite it could be well in the 60 degrees angle. From the Mikrotik wiki and if you look at the LHG v...
by msatter
Wed Jun 12, 2019 11:42 pm
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 518

Re: Annoyed with Mikrotik 'Support'

Mikrotik creates a number for each support question and it seems that only one question is accepted. Try next time first the suggestion mentioned earlier and search a bit. If nothing is found, put the questions in separate e-mails if they differ much.

The forum is often faster than support.
by msatter
Wed Jun 12, 2019 2:53 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

It is now quiet around the beta and, having used the new IKEv2 EAP possibilities for a time, I want to make a suggestion how to direct traffic using policy routing. I am now using a second router to take care of PPPoE and IKEv2 as those two are bound together more or less. I set in the 'inside' router ...
by msatter
Sat Jun 08, 2019 1:41 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 22115

Re: Blacklist Filter (Development Topic)

I helped with an earlier version and it should be incremental and you get the changes you missed since the last successful update you had. The sheer number of routers connecting can still give heavy bandwidth usage. Dave is doing a great job despite his personal setbacks. https://forum.mikrotik...
by msatter
Tue Jun 04, 2019 1:48 pm
Forum: RouterBOARD hardware
Topic: Cheapest router for home use with 1Gb
Replies: 5
Views: 552

Re: Cheapest router for home use with 1Gb

I would also go for the 4011. The hAP ac^2 is good but you need to go to fasttracking to reach really high speeds. The encrypting power is 4 times higher with the 4011.
by msatter
Tue Jun 04, 2019 12:52 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)
Replies: 9
Views: 758

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Hey mada3k, I totally agree with you, but Mikrotik states only that there is IPSec encryption acceleration (compared to the datasheet of hEX S), so I assume that there is no OpenSSL hardware encryption engine support :-( Look at this page and you see that ECB is worse than CBC: https://datalocker....
by msatter
Tue Jun 04, 2019 12:40 am
Forum: Scripting
Topic: Script doesn't continue after a statement [SOLVED]
Replies: 6
Views: 333

Re: Script doesn't continue after a statement

Maybe, use :log info " " instead of /log info " " You confused the actual logging and the log menu itself at this line: /log info "test this" Good that you managed to solve it yourself. I tested /log info "test" and it worked. I never use that and use :log because you can call it wherever you are i...
by msatter
Mon Jun 03, 2019 10:17 pm
Forum: Scripting
Topic: Script doesn't continue after a statement [SOLVED]
Replies: 6
Views: 333

Re: Script doesn't continue after a statement

Maybe, use :log info " " instead of /log info " "

You confused the actual logging and the log menu itself at this line:
/log info "test this"
by msatter
Sun Jun 02, 2019 6:42 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66023

Re: v6.45beta [testing] is released!

I am now using an IKEv2 peer to connect to a VPN provider. I have the problem that the connection is rebuilt and that the old connection stays in the connection table. I am using a ping to test it and I get a timeout till I remove that connection from the connection table. I thought that dead-peer-detect...
by msatter
Sat Jun 01, 2019 3:39 am
Forum: Beginner Basics
Topic: Confused with PASSTHROUGH YES/NO in Mangle
Replies: 7
Views: 483

Re: Confused with PASSTHROUGH YES/NO in Mangle

If a rule/line is matching and Passthrough is NOT marked for that line then the rest of the lines are skipped in Mangle. If a rule/line is matching and Passthrough is marked then the next line is processed. If that line or a later line is also matching then the value is overwritten if that ...
by msatter
Fri May 31, 2019 10:37 pm
Forum: General
Topic: Fasttrack encypted connections the Piggyback way (test)
Replies: 17
Views: 826

Re: Fasttrack encypted connections the Piggyback way (test)

So after giving up on running it on one router I returned to using two routers to be able to use Mangle + PCC to distribute traffic over several IKEv2 and L2TP/IPSEC connections. Also activated fasttracking for the first NAT on the 'inner' router which was a bit of a hassle. I had made a jump to two chains...
by msatter
Thu May 30, 2019 11:11 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 585

Re: Routing to interface with IPIP-dummy

I give it a rest for now. I could spend days trying to get it to work. Who knows, maybe Mikrotik will give IKEv2 its own interface and client settings so I can do this without double NAT or IPIP tunnels.

Spent too much time on this running in circles.

Thanks to Sindy again for all the help.
by msatter
Wed May 29, 2019 6:50 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 585

Re: Routing to interface with IPIP-dummy

So I have two address-list, one for those sites only liking you coming from one IP and those that do not like VPN connections. Again, mangling cannot coexist with fasttracking. So I'd suggest to use your address lists of source-sensitive sites to choose the proper action=src-nat rule with the prope...
by msatter
Wed May 29, 2019 6:14 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 585

Re: Routing to interface with IPIP-dummy

And it's gone.....
by msatter
Wed May 29, 2019 5:57 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 585

Re: Routing to interface with IPIP-dummy

Thanks, I am now adapting my config. A factor is that I don't have one IKEv2 connection but multiple, and I want to separate traffic to those IKEv2 connections with help of mangle. I had it working with multiple connections but I could not go far enough back to restore that. Update: Basically I want to d...
by msatter
Wed May 29, 2019 4:33 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 585

Re: Routing to interface with IPIP-dummy

This is what I have added. /ip address add address=127.0.1.1 interface=aux-lo network=127.0.1.1 add address=10.0.1.1 interface=ipip-outer network=10.0.1.1 /interface ipip add mtu=1500 name=ipip-inner remote-address=127.0.1.1 add local-address=127.0.1.1 mtu=1500 name=ipip-outer remote-address=127.0.0...
by msatter
Wed May 29, 2019 2:52 pm
Forum: General
Topic: Routing to interface with IPIP-dummy
Replies: 15
Views: 585

Re: Routing to interface with IPIP-dummy

I tried mangle route to an IP in 10.0.1.0 which is in the outer but no luck. Then I went back to route marking and ping on the router itself works but from a client it doesn't. There are really strange things: the NAT is not hit. Using route marking I see in connections the client IP - target - target - ...