MikroTik

servaris

Hi, With IKEv2 connection the IP address one has from their router or ISP is NOT masqueraded like it is with L2TP/IPsec. Even though I am given an IP address from the attribute | ip-pool name, entering 'my ip' into search engine produces the IP address given by the local ISP which to me is absolutel...

servaris

Hi, Have working RoadWarrior IKEv2 configuration. Only one issue, how to get IP Pool IP addresses used like the clients received for L2TP/IPSec VPN? There are 3 groups, each group has their own IP Pool. What has to be changed/added so when a client connects to the Mikrotik router with IKEv2 they get...

servaris

We have one CCR1009-8G-1S-1S+ and one RB760iGS (hEXS) in two data centers in the same city. There are no queues on both routers. There is 1GB ethernet connection on each router. A new 1GB connection was added today to the CCR1009. It did not help at all. The tests were made very early in the AM when...

servaris

You will need to tell windows to NOT run updates or that bug laden update will be reinstalled and you'll have the same problem. On windows10 settings => windows update settings => pause it for as long as possible.

servaris

Have a CCR1009 in our DC in Canada . It is configured for L2TP/IPsec VPN connections for some users. Some users are in North America and some are in Israel. The problem is when a user is connected to the CCR1009 VPN from Canada or the USA and opens chrome or firefox and goes to google.com, the resul...

servaris

Tried your suggestion of settings => privacy => Permissions => Location to block new requests for location. Cleared cache, closed and then reopened firefox. Open google.com and it shows the location of the computer. Location permissions is not the issue. google-from-ccr1009.png Disconnected from CCR...

servaris

I'm using firefox not chrome.
This computer location is set to Canada. So are the clients that need to connect to the CCR1009 as I have asked them.

Thanks.

servaris

Connected now to hEX S L2TP/IPsec vpn, IP address is right but same issue it seems with browser geolocation. The google ad at the bottom though is not in foreign language. hexs_ip_address.png hexs_browser_geolocation.png google-from-hexs.png But when going to google.com it sees me in Canada with hEX...

servaris

The browser geolocation is actually correct, but that's not the desired result. It should show the country where the IP address is. In this case the IP address is located in Canada. The map image above is not Canada.

Thanks.

servaris

The connection to the CCR1009 is direct. Have client configured for each separate VPN.
Thanks.

servaris

Using https://mylocation.org/ Shows the correct IP address but the browser geolocation shows the country where the computer is located. browser_geolocation.png The google ads all display based on the country the computer is located in rather than the location of IP address. This really screws up cli...

servaris

vpntesting.com Ran the test while connected to CCR1009 L2TP/IPsec vpn IPv4 xx.193.49.109 (this is correct IP address handed out by dhcp server in CCR1009) The IP address you use for IPv4 connections. IPv6 N/A The IP you use for IPv6 connections. Connection IPv4 The connection protocol you use now (I...

servaris

The only thing I've checked is simple search in search engine. 'My IP' and 'My Location'. My IP results are always correct regardless of which Router I am connected to. When opening browser and connected to say google.com the result (no search yet just opened google.com) page is in foreign language ...

servaris

IP routes for the hEX S: Canyon] > /ip route print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 A S 0.0.0.0/0 l2tp-out1 1 1 ADS 0.0.0.0/0 pppoe-bell 1...

servaris

Perhaps you can tell me exactly which config you want to see?
Thanks.

servaris

The CCR1009 dhcp server hands out routable (non rfc1918) ip addresses. The hEX S only has 1 public IP address as its just a home office. The CCR1009 has /24 and some of the IP addresses are in pools. The VPN clients get the right IP addresses. There is no problem there.

servaris

The search results for anything when connected to the CCR1009 show the results based on one remote country where there are only 3 or 4 client computers. Other VPN clients that are in the same country as the CCR1009 also show search results for the one remote country . These other VPN clients are act...

servaris

Have changed the CCR1009 PPP settings to be exactly same as the hEX S. No change. 'my location' search still shows the remote country I am currently in. hEX S shows the location country where the hEX S is. Search 'my ip', the result is the same using either router. Shows the public IP of the hEX S a...

servaris

Both VPN client (hEX S and CCR1009) connection settings have 'Use default gateway on remote network' checked.
Thanks.

servaris

Used a windows 7 notebook to connect to both routers. I connected to the hEX S, location shows up as physical location of the hEX S whereas when I connect to the CCR1009 and location search displays the location of the notebook. I figure it might be a misconfiguration somewhere. The other problem is...

servaris

Hi, have 2 Mikrotik routers, hEX S and CCR1009 both running L2TP server with IPsec. The issue is when connected to the CCR1009 L2TP/IPsec vpn, the remotely connected computer doing a search for 'my location' will display the country the computer is physically in (not desired). When connected to the ...

servaris

Thanks to mducharme for pointing out the fix to the failed updates.

Go to system -> scripts
Click on Environment

Negatively increment your blSerial by 1. To be clear, the blSerial WAS 1516197642 and now its 1516197641 as shown below.

script-environment.png

servaris

The script seems to not be working. Ran blacklistUpdate script in terminal. Log displays: 10:46:56 script,warning Checking server for current blacklist serial number. 10:46:56 script,warning Blacklist is already up to date. Nothing to do. 10:46:56 system,info log rule changed by admin 10:46:57 scrip...

servaris

Hi, running bandwidth tests with and without connecting to remote AHx2 from local RB2011-UiAS-2Hnd No VPN : speedtest-no-vpn.png /tools => bandwidth test running from the Local RB2011UiAS-2Hnd : bandwidth-test-from-rb2011.png PPTP VPN : speedtest-via-vpn.png /tools => bandwidth test running from the...

servaris

If you have subnet overlap you need to enable Proxy ARP on the overlapping non VPN subnet, ether2 in your case. Originally, the VPN windows 'connect to' was set for the 104.19x.x.1 which is on Eth2 . Looking at what you said above makes sense because I believe connecting to the .1 IP on Eth2 is ove...

servaris

The IPs you're using are public IPs you know that right? Yes the IP's subnets are public with exception of 192.168.1.0/24 obviously. There are no overlapping subnets. But when and in this case there is, 192.158.x.x on eth1 (wan) and there is 104.19x.x.x on eth2 AND there is a src nat rule, anything ...

servaris

Hi, trying to get an L2TP/IPsec VPN working so it can be used to go out on the net and to devices behind the CCR1009 as one of the IP's in the 104.19x.x.x subnet . When remotely connected to the VPN and search 'my ip' with a search engine, it does report the IP as 104.19x.x.x. The problem is trying ...

servaris

Hi, Office A and Office B both have MT routers and are remote to each other. Would like to have ipip tunnel with security between them. Both Routers use /ip cloud for dynamic dns. Both routers are behind cable modem. Modem is set to bridge mode in both offices. Both Routers have dhcp enabled routeab...

servaris

tx-stats.png

traffic.png

rx-stats.png

servaris

This site only allows 3 images!

ethernet.png

loop-protect.png

general.png

servaris

Hi Pukkita,

Below are images af all

status.png

rx-stats.png

overall-stats.png

servaris

Fastrack and Fastpath
Search for this in wiki

Thanks for the suggestion Mistry7

New firewall rules added for Fasttrack

firewall.png

servaris

Hi Pukkita, Bandwidth test TCP > 10 minutes bandwith-tcp-both-10min.png Eth1 Overall stats > 10 minutes ether1-stats.png Received email from support suggesting to run bandwidth test using UDP, Bandwidth test UDP > 10 minutes . UDP bandwidth looks great but aren't most things TCP? bandwith-udp-both-1...

servaris

Hi, Getting loss of more than 50% DL speed when behind the RB2011UiAS. There is an issue with upload speed ISP said will be fixed. Tests below were performed from wired Desktop Behind RB2011UiAS bandwidth-test-rb2011.png Directly connected to Cable Modem bandwidth-test-cablemodem.png Running the Ban...

servaris

Hi, Have an RB1100AHx2 with 3 Groove devices attached to provide wireless for staff and guest hot-spot. Both types are being kicked off for the past few weeks and there has not been any changes made to grooves or RB100AHx2. Log shows entries like: hotspot,info,debug guest (192.168.120.214): logged o...

servaris

Hi, Since upgrading to 6.36 yesterday, when using Winbox to connect to the RB2011UiAS-2HnD it is constantly disconnecting Winbox for some strange reason. Popup dialogue box displays: Could not connect to 192.168.1.1 (port 8291) - other end is not responding. A second dialogue box pops up displaying:...

servaris

Hi,
Trying to upgrade an RB2011 currently at 6.28 and it fails with

 missing wireless-6.36-mipsbe.npk

How to upgrade when the Router is remote?

Thanks.

servaris

Hi, Since writing the first post, took a shot at configuring the mangle rules and queue tree from the wiki page but using parent=GLOBAL . Made some calls from both desktop phone and smart phone and both showup in queue: Current Settings: /ip firewall mangle add action=mark-packet chain=prerouting co...

servaris

Hi, My RB2011UiAS version=6.35.2 Found a page that shows a setup for QoS And VoIP at http://wiki.mikrotik.com/wiki/Voip The code on that page shows things like parent=global-in and parent=global-out but there is only global in the Parent drop down list. The code on that wiki page is: /queue tree add...

servaris

Hi,
Webfig is failing login using 'admin' without password. Tried my username/passwd for ppp and webfig does same..

webfig.png

Tried removing any IP address in /ip service www-ssl and it did not change anything. The user 'admin' doesn't have a password.

Thanks for your help.

servaris

Hi thebracket, Thanks for replying. Trying to monitor and control inbound packets to this office. Especially so to make sure there is always enough bandwidth available for SIP/RTP (VoIP). Tried changing both mangle rules to use forward but it did not show any usage in the queue tree. After removing ...

servaris

Hi, Have a strange issue. The mangle list shown below clearly shows packets and there are two rules, mark connection and mark packets. The RB2011 queue is not controlling inbound HTTP packets. Other items in the queue list seem to be working. #IP FIREWALL MANGLE 7 ;;; HTTP Down chain=prerouting acti...

servaris

Hi, Have a strange issue. The mangle list shown below clearly shows packets and there are two rules, mark connection and mark packets #IP FIREWALL MANGLE 7 ;;; HTTP Down chain=prerouting action=mark-connection new-connection-mark=HTTP passthrough=no protocol=tcp in-interface=ether1-gateway src-port=...

servaris

Actually was looking for a way to limit P2P (torrents et al) via queue but thought a good test would be to see if it can be blocked period. Chupaka wrote add to firewall rules: 36 chain=forward action=drop p2p=all-p2p log=no log-prefix="" Then added http://releases.ubuntu.com/14.04.1/ubunt...

servaris

Hi Feklar, Thank you for replying with your comment. I did not put in an FQDN because there is no local dns server. Like I said in the original post, the organization was unwilling to spend money to get a small DNS Server. Since they did not have a dns server, I simply put hotspot1 as the DNS Name. ...

servaris

Hi, Although I posted this earlier, not one person made any reply which I am really surprised at. The issue was guests running microsoft windows on a notebook could not get to the login.html page. What ever web page they were trying to get to would just show as 'page cannot be displayed'. To be clea...

servaris

Hi,
For some reason which is unknown to me, PCs running Windows cannot get to the HotSpot login.html page. PCs running linux and Apple/Mac as well as smart phones can access the login.html and then get internet access.

Any ideas?

Thanks!

servaris

Hi, Using AHx2 with several Groove's in building. People using notebooks with MS Windows cannot get IP address or access the HotSpot login.html page. People with Smart Phones and Apple/Mac notebooks are able to access HotSpot and get IP address without any issues. Wondering if anyone might know what...

servaris

You need to change protocol to tcp. OpenVPN can be either TCP or UDP, in RouterOS only TCP is supported. Hi, I think you are wrong. I write this because of the following from the /log oct/14 23:34:56 firewall,info vpn prerouting: in:ether2 out:(none), src-mac 00:15:65:33:ba:d0, proto UDP, 192 .168....

servaris

Hi,
Where is the connection tracking?

servaris

Hi, What I did now to retest was the following. On one SIP phone here, changed it to stop using VPN and just use normal insecure communications. Even using the VoIP mangle rule doesn't catch it. The reason seems to be RTP (the actual voice) because 5060 is NOT where voice goes, 5060 is for registrat...

servaris

Hi, I am reasonbly sure the problem is with me. Setup a Firewall Mangle rule to mark connection and mark packet for 'any port' 1194. Make a call, no traffic shows. Tried adding src address and then dest address, still no traffic shows. Tried again and used Packet Sniffer and there of course the traf...

servaris

Hi, On a new RB1100AHx2 what would be suggested to accomplish the following: 1) One group (group1) of users to be able to see/access any device on the LAN (Wired and Wireless) 2) One group (group2) of users to only have internet access and not be able to see/access other devices on the LAN. (Wired a...

servaris

Hi,
Can a /export compact from a 6.15 rb2011uias be transfered into a brand new rb1100ahx2? If it can, should the ahx2 have configuration reset first using the following command?

/system> reset-configuration no-defaults=yes

Thanks.

servaris

I suggest to take a look at the new syntax for the dhcp options in the wiki.

http://wiki.mikrotik.com/wiki/Manual:IP ... CP_Options

Hi Patrikg,
My syntax is:

/ip dhcp-server option
add code=150 name=tftp-server value=0x63EE56AE

It works. However, if code=66 it will NOT work.

servaris

I think it is worth noting that code cannot be 66

Been playing with this all day and have found when using code 66 the phone does not connect to remote tftp server.

servaris

I tried adding it via Mikrotik GUI and do not see the phone able to connect to the tftp server. Turned off the dhcp server on Mikrotik for the wired network and used some windows based dhcp server, used option 66 with the IP and it connected immeditately. /ip dhcp-server network add address=192.168....

servaris

But at some point there is a choke point on the Mikrotik where you could sniff traffic correct? I tried the sniff app. I did not see the address. Actually, the phone is setup to use OpenVPN, and it uses a 10.8.0.x IP. The phone says though 192.168.10.11 In the sniff app, for 10.11 IP it did show a ...

servaris

On the Yealink 22P it shows: http://www.servaris.com/images/voip/yl22p-qos.jpg The T22P manual states: Voice QoS In order to make VoIP transmissions intelligible to receivers, voice packets should not be dropped, excessively delayed, or made to suffer varying delay. DiffServ model can guarantee high...

servaris

By the way, I don't have a problem with wireshark. The problem is running wireshark on what? The phones here are not connected to computers. They run to switch and its not a Mikrotik switch either. Its an unmanaged 3com.

servaris

Hi,
We have Yealink T22P and HT502 ATA for analogue phone and Polycom VVX310

I am extremely new to Mikrotik and no network guru either. I want to setup our RB2011AiUS and have another RB2011AiUS and a CRS125 for client. Basically the same setup.

Thanks JKarras

servaris

Do your phones tag the packets with DSCP or COS values? It may be easy to pickup on those values for your QOS.

Hi jkarras,

How can I tell? Since the phones here go through the RB2011 I cannot run a tcpdump. Can this be done on the RB2011?

servaris

Hi, I have searched around for simple firewall rules for small offices which include QoS for SIP. What I have found are very complicated sets and unsure if those are really needed. Below is the network topology: Wireless Internet Access <-> RB2011iUAS <--> CRS125-24G-1S-2H <--> LAN RB2011UiAS Wirele...

servaris

I am no Mikrotik guru but I would say it is easier to use a different port for SSH. We use a 5 digit port number (same one of course) on every one of our servers. Never got broken into. We used PF on the Servers (running FreeBSD). IThen you can use the firewall rule the person above said to use for ...

servaris

Hi, In a previous firewall system we blocked many subnets using a simple text file which has each x.x.x.x/x or /xx per line. We are using the RB2011UiAS now. Example: x.x.x.x/16 x.x.x.x/24 x.x.x.x/12 Is there a way to just import a file like that? If not, how do we add all subnets in order to block ...

servaris

Hi, Just received a new RB2011UiAS. Current configuration is the default the RB2011 came with + wireless (using access list), port 2 = 192.168.0.1/24, 192.168.1/24, 192.168.2.0/24 (make it 192.168.0.1/22 ?). Although I tried, perhaps incorrectly, to get dhcp server on the RB2011 working for Wireless...

servaris

Hi, Just received an RB2011UiAS and have it somewhat setup. That is, all LAN clients can access other computers on the LAN and access Internet. We have a few IP phones which use VPN ( OpenVPN setup on REMOTE FreePBX Server ). Local SIP phones show up on remote FreePBX as coming from 10.8.0.6 (FreePB...

Search found 67 matches