Community discussions

Search found 1050 matches

by msatter
Fri May 24, 2019 2:12 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Android client for MikroTik VPN
Replies: 5
Views: 137

Re: Android client for MikroTik VPN

As client I use OpenVPN and for IKEv2 StrongSwan. A good solution is if you own the router that is able to provide VPN connections to use that. This to have VPN for all devices connected to that router. OpenVPN is a bit of a Unicorn with Mikrotik however IKEv2 is in Beta supported. Works well and I ...
by msatter
Thu May 23, 2019 11:52 pm
Forum: General
Topic: Fastrack encypted connections the Piggyback way (test)
Replies: 5
Views: 192

Re: Fastrack encypted connections the Piggyback way (test)

If your IKEv2 client is running on the PC, the UDP transport of the encrypted data becomes a plaintext transit traffic for the router connecting that PC to the rest of the world, so fasttracking that traffic makes sense if the router doesn't have enough CPU to handle the forwarding and firewalling....
by msatter
Wed May 22, 2019 11:14 pm
Forum: RouterBOARD hardware
Topic: BiDi SFP on CRS326-24G-2S+: light but no link
Replies: 3
Views: 158

Re: BiDi SFP on CRS326-24G-2S+: light but no link

I solved my problem by turning auto negotiation off, and setting the link capacity to 1G fixed. As always. Maybe Mikrotik will implement an extra button in ROS in that screen with the text "Does not work" and pressing it will disable auto negotiation for you. Or make the default negotiation state be...
by msatter
Wed May 22, 2019 8:24 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 26
Views: 7821

Re: Help with IKEv2/IPsec client configuration

You can route and filter all you want before redirecting it to the entry point of the tunnel. For this you use NAT and in Mangle route marking. I have still to manually create a split horizon and I am now setting two routers in series (cascade) to see if I can then use the option mentioned underneath....
by msatter
Mon May 20, 2019 10:31 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44035

Re: v6.45beta [testing] is released!

I have tried now with addresslist and I can make a split horizon. The TS_I is given by PureVPN (10.4.48.178) for that fixed IP server. The only address in the addresslist (Marker) is not to be seen in the log. The ST_R is 0.0.0.0/0. The NAT is generated and then I have changed my original source address...
by msatter
Mon May 20, 2019 10:22 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44035

Re: v6.45beta [testing] is released!

Update: I have it now working and writing this with an IKEv2 connection through PureVPN. I have still to adapt the manually generated IPsec Policy and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src...
by msatter
Sun May 19, 2019 10:41 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 26
Views: 7821

Re: Help with IKEv2/IPsec client configuration

Hello emils Please provide the configuration command for use of IKEv2 with EAP authentication. I will test the new firmware version, I will configure NordVPN with IKEv2 with EAP authentication. This is the Linux config for NordVPN for example: https://nordvpn.com/tutorials/linux/ikev2ipsec/ You can h...
by msatter
Sun May 19, 2019 9:22 pm
Forum: General
Topic: Fastrack encypted connections the Piggyback way (test)
Replies: 5
Views: 192

Re: Fastrack encypted connections the Piggyback way (test)

Thanks Sindy and I was this afternoon offline to test it so I did not see your reply earlier. I had the PPPoE running and changed my settings but I could not get any traffic to the "PPPoE" router so I still know nothing. I had to discover that you have to use a bridge to even have an IP on ether2 vis...
by msatter
Sun May 19, 2019 3:53 pm
Forum: General
Topic: Fastrack encypted connections the Piggyback way (test)
Replies: 5
Views: 192

Fastrack encypted connections the Piggyback way (test)

I have been busy with IKEv2 connections the last few days and now all is working I was disappointed that my RB760iGS only managed to do 70-90 Mbit/s due to networking and firewalling tasks taking all the CPU of Core 0 while the others are almost idling. I am thinking and going to setup in a mome...
by msatter
Sat May 18, 2019 10:03 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 26
Views: 7821

Re: Help with IKEv2/IPsec client configuration

Many thanks and I have it working with PureVPN and their support could not help me much. I am using now an IP address of one of their XX-ikev.ptoservers so that the internal and network IP (range) is constant. This has a src-nat with a constant gateway. Thanks to Mikrotik make it possible and also Nord...
by msatter
Fri May 17, 2019 11:11 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44035

Re: v6.45beta [testing] is released!

Try setting the remote-id to ignore. I tried that and it still complains that it can't get local certificate from configuration and it not a dealbreaker and it goes on till it processes payloads: NOTIFY and then I get the error that the notify is TS_UNACCEPTABLE and the next line it is a got error:...
by msatter
Wed May 15, 2019 11:26 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44035

Re: v6.45beta [testing] is released!

I am a bit further and I needed two certificates to be in the certificates box. https://blogger.davidmanouchehri.com/2017/09/ Now I get twice the error that the peer's ID does not match certificate and the line above that reads in the log: unable to get certificate CRL(3) at depth:0 Subject...
by msatter
Wed May 15, 2019 11:20 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44035

Re: v6.45beta [testing] is released!

Thanks Emils. It is PureVPN and using PositiveSSL (pointoserver.com / ptoserver.com) and that is the root certificate of Comodo which I tried. I contacted support and they don't provide a certificate to connect as NordVPN is doing. I will have a look at the current certificates in the windows store to s...
by msatter
Tue May 14, 2019 9:37 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44035

Re: v6.45beta [testing] is released! IKEv2

Now mschapv2 is supported I tried to connect with IKEv2 to a VPN provider. This provider does not supply a certificate so I match on FQDN which is *.pointtoserver.com (the "*." needs to be there) ip ipsec identity add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 peer=PureIKEv...
by msatter
Mon May 13, 2019 12:29 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 76
Views: 15317

Re: [Feature request] Wireguard

Wireguard was tested by INRIA Source: https://www.security.nl/posting/608796/Onderzoekers+testen+cryptografische+werking+WireGuard-vpn Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol deri...
by msatter
Fri May 03, 2019 12:27 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44035

Re: v6.45beta [testing] is released!

can you add EAP-MSCHAPv2 to the authentication method list?
Yes, it is coming as well.
Does this mean that Mikrotik can be removed from the not supported router list at NordVPN and is going to use IKEv2 to connect?
by msatter
Sun Apr 28, 2019 11:30 pm
Forum: General
Topic: GoogleFiber
Replies: 14
Views: 712

Re: GoogleFiber

Also check if your ethernet interface negotiates to the correct speed and duplex.
Status shows as Unknown.
Then set it manually.
by msatter
Sat Apr 27, 2019 2:03 pm
Forum: General
Topic: GoogleFiber
Replies: 14
Views: 712

Re: GoogleFiber

That is correct, you got an IP without that line active so you could also omit that line.

Can't test because I am not even on the same continent. ;-)
by msatter
Sat Apr 27, 2019 1:39 pm
Forum: General
Topic: GoogleFiber
Replies: 14
Views: 712

Re: GoogleFiber

by msatter
Sun Apr 21, 2019 12:22 pm
Forum: General
Topic: DHCP client on bridge does not work?
Replies: 12
Views: 3973

Re: DHCP client on bridge does not work?

Fast Forward depends on many other setting to be active. See the manual.

https://wiki.mikrotik.com/wiki/Manual:I ... st_Forward
by msatter
Sat Apr 20, 2019 12:42 pm
Forum: General
Topic: Android Mobile App Feature Request
Replies: 2
Views: 211

Re: Android Mobile App Feature Request

There does not appear to be a dedicated forum for the mobile app, so I did not know where else to post this.
There is only one official thread on that and it can be found here:

viewtopic.php?f=21&t=98407
by msatter
Wed Apr 17, 2019 11:22 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 885

Re: Preventing IPSec-less L2TP [SOLVED]

That is not a problem and I made it work that way. Some sites, like this forum do not like that approach, I have to use a single IP address ( fixed-vpn ) during a session when I am logged in. Other sites I visit block VPN so I have also an addresslist no-vpn . Each list is about 20 entries long so no...
by msatter
Wed Apr 17, 2019 10:45 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 885

Re: Preventing IPSec-less L2TP [SOLVED]

I was afraid that I need NAT when using a VPN provider. I have multiple connections which have different public IP addresses on the side of the VPN provider. By example, a webpage is collected by different IP addresses from the VPN provider and on my side I split (initiate) it those request based on...
by msatter
Wed Apr 17, 2019 2:39 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 885

Re: Preventing IPSec-less L2TP [SOLVED]

Thanks for your patience and I am looking for a way to skip NAT. I have marked the route in Mangle and it puzzles me why I still need NAT. In the default client setup for L2TP(-IPSEC) the local address is set in the 172.20.12.x range and I changed that to an address that is my local network thinking ...
by msatter
Tue Apr 16, 2019 11:50 am
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 885

Re: Preventing IPSec-less L2TP [SOLVED]

Thanks Sindy, I am using mangle to mark connection and route . I hoped to be able to skip NAT but I was not able to. I run several VPN side to side and I get overlapping 172.20.12.x as local address. Mangle 33 chain=route-vpn action=mark-routing new-routing-mark=VPN11 passthrough=no connection-mark=VPN...
by msatter
Tue Apr 16, 2019 11:07 am
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 885

Re: Preventing IPSec-less L2TP [SOLVED]

I had a look at my VPN and up goes no traffic over port 1701 up but down I traffic on port 1701 coming from the VPN connection and the packet count are almost the same as on ipsec-esp in the line above in RAW. If I disable the accept for 1701 incoming, in RAW, my VPN is dead. Is my traffic down enc...
by msatter
Tue Apr 16, 2019 10:52 am
Forum: The Dude
Topic: Where is db cleanup and maintenance info
Replies: 16
Views: 5908

Re: Where is db cleanup and maintenance info

The Wiki on this:

https://wiki.mikrotik.com/wiki/Manual:T ... /db_vacuum

Also have a look at this script to backup and vacuum:

https://github.com/sayajin101/Dude-Backup-Script
by msatter
Mon Apr 08, 2019 2:43 pm
Forum: General
Topic: [Feature request] Address List extension
Replies: 11
Views: 637

Re: [Feature request] Address List extension

That's awesome. It is a good start to making a script that could for example let Google or Facebook in a Walled Garden list or perhaps QoS rule or blocking. I wish I knew how to deduplicate it. It would be great as an online script generator. I tested it and it seemed an effective way to block Face...
by msatter
Tue Apr 02, 2019 11:18 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 174
Views: 18281

Re: Blacklist Filter (Development Topic)

Humans can be truly awful but using you undergoing your treatment to steal from you then there are no words to describe my feelings about that.

I am sorry to read that you are ill and that the outcome is uncertain. I wish all the strength to overcome this horrible time in your life.
by msatter
Mon Apr 01, 2019 11:15 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 222
Views: 35331

Re: UKNOF 43 CVE

The beta released today, addresses IPv6 route cache using more memory than available. MAJOR CHANGES IN v6.45: ---------------------- !) ipv6 - fixed soft lockup when forwarding IPv6 packets; !) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table; ---------------------- Changes in this...
by msatter
Mon Apr 01, 2019 12:52 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 222
Views: 35331

Re: UKNOF 43 CVE

@bmann has made some very good points which I can relate to. I come from the Cisco camp and I was amazed when I bought my RB1100AHx4 what I was getting for the money... and it's made in Latvia, not China! Personally, I think Mikrotik products are possibly a bit too cheap and I would be happy to pay...
by msatter
Fri Mar 29, 2019 3:35 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 222
Views: 35331

Re: UKNOF 43 CVE

Thanks Maznu for finding this and reporting it to Mikrotik. Good to see that the communications is up-to-speed now so that Mikrotik can handle this correctly and in time for us Mikrotik device owners.
by msatter
Fri Mar 29, 2019 1:53 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44035

Re: v6.45beta [testing] is released!

@markim the creator of the CVE states in the post above yours, that the first CVE 19299 was not fixed by this beta.

When Mikrotik is giving more info about this we will know if it is fixed in their eyes.
by msatter
Thu Mar 28, 2019 12:43 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Mikrotik: Change the default Powerbox config!
Replies: 15
Views: 902

Re: Mikrotik: Change the default Powerbox config!

Does MAC telnet travel over the internet?
by msatter
Thu Mar 28, 2019 12:36 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Mikrotik: Change the default Powerbox config!
Replies: 15
Views: 902

Re: Mikrotik: Change the default Powerbox config!

Maybe Mikrotik can use internet detecting to switch the rules off when no internet is reachable on that interface. If you make on your side the Internet unreachable it will become a LAN port instead of WAN. This could give a security risk in the time between switching. https://wiki.mikrotik.com/wik...
by msatter
Wed Mar 27, 2019 2:14 pm
Forum: Beginner Basics
Topic: How do you turn on hEX's DMZ?
Replies: 16
Views: 1498

Re: How do you turn on hEX's DMZ?

If the exposed host is compromised then there is access to the internal network. Not with a DMZ if it is separated well.
by msatter
Sun Mar 24, 2019 11:33 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44035

Re: v6.45beta [testing] is released!

Thanks for adding ECDSA certificates!
by msatter
Wed Mar 20, 2019 1:07 pm
Forum: Announcements
Topic: Tik App, MikroTik android utility ALPHA test
Replies: 401
Views: 132126

Re: Tik App, MikroTik android utility ALPHA test

Neither of the two apps are in Beta anymore. Delete them, and install them again from the regular stores, if you still see the beta. I uninstalled the APP and installed it again but is still stating beta on the APP page and shows up in my beta list in the Play Store. Got it. I have first to leave t...
by msatter
Wed Mar 20, 2019 12:17 pm
Forum: Announcements
Topic: Tik App, MikroTik android utility ALPHA test
Replies: 401
Views: 132126

Re: Tik App, MikroTik android utility ALPHA test

My post has nothing to do with getting the APP. It has everything to do with making sure the APP is up to date and informing MT users which is the latest app version. For example my APP was on version 0.24. I was fat dumb and happy. NO INDICATIONS were provided UNLIKE other apps, that my app was ou...
by msatter
Tue Mar 19, 2019 7:08 pm
Forum: Announcements
Topic: Tik App, MikroTik android utility ALPHA test
Replies: 401
Views: 132126

Re: Tik App, MikroTik android utility ALPHA test

I AM NOT DEAF I ONLY CAN'T READ.
by msatter
Mon Mar 18, 2019 9:01 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 546

Re: Putty updated to 0.71

RB760iGS (hEX S) with the SFP being cooled. @msatter pray tell how do you cool the SFP on your hEXs ... got a pic? Yes, and I have now only the one between the power cable and the SFP and used a round file to make slight indentation so that not to much force is put on the power connector. When it i...
by msatter
Mon Mar 18, 2019 3:07 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 546

Re: Putty updated to 0.71

Or a coffee LOL.
Remember: sleeping is poor substitute for caffeine.
Sleep helps me to solve problems and caffeine makes me run in circles around it and not solving the problem. Some problems can't be solved and then you have to learn with them.
by msatter
Mon Mar 18, 2019 3:04 pm
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 546

Re: Putty updated to 0.71

Which is my point. Post it in the phucking putty forum. Do you want me to start effing posting everytime there is a windows update, a linux update, a macos update, an avast update, etc etc etc............ I might as well post everytime I pop a zit, and pluck a nose hair. ;-) And yes, I have been he...
by msatter
Mon Mar 18, 2019 2:15 am
Forum: General
Topic: Putty updated to 0.71
Replies: 12
Views: 546

Putty updated to 0.71

Our trusty Putty has been updated to version 0.71. A time ago a vulnerability was discovered and through the EU-funded bounty program a few more were shared. The latest version can be downloaded from: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html Change log: https://www.chiark.green...
by msatter
Sun Mar 17, 2019 1:47 pm
Forum: Beginner Basics
Topic: Recommend way to block Ads with Mikrotik
Replies: 9
Views: 610

Re: Recommend way to block Ads with Mikrotik

No, I am using Pi-hole.
by msatter
Sun Mar 17, 2019 12:58 pm
Forum: Scripting
Topic: Bypass mobile phones to different dhcp pool
Replies: 4
Views: 250

Re: Bypass mobile phones to different dhcp pool

Beta 6.45

*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
by msatter
Thu Mar 14, 2019 2:35 pm
Forum: Scripting
Topic: How to really make backups (by script) ?
Replies: 15
Views: 659

Re: How to really make backups (by script) ?

It seems that the MAC address is programmed in the hardware which appears when you erase the restored MAC.

It is config backup and the settings you mention are for the same device or if you want to duplicate a device.
by msatter
Wed Mar 13, 2019 2:52 pm
Forum: Scripting
Topic: How to really make backups (by script) ?
Replies: 15
Views: 659

Re: How to really make backups (by script) ?

Copy and paste your MAC reset script in the export.rsc file.