Community discussions

Search found 339 matches

by eworm
Sat Jul 20, 2019 12:21 am
Forum: Scripting
Topic: User agent with fetch tool
Replies: 3
Views: 504

Re: User agent with fetch tool

/ tool fetch http-header-field="User-Agent: Mozilla/4.0" ...
by eworm
Sat Jul 20, 2019 12:19 am
Forum: Scripting
Topic: status of the sent email? [SOLVED]
Replies: 2
Views: 192

Re: status of the sent email? [SOLVED]

:if ([ /tool e-mail get last-status ] = "succeeded") do={ ...
But I am not sure if you need a delay between sending and checking for status...
by eworm
Fri Jul 19, 2019 9:35 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 37
Views: 3407

Re: v6.45.2 [stable] is released!

But there is not even an attempt to fix the VPN issues everyone is still having, there was never a clear way to fix that in the v6.45.1 thread, and MT needs to have those settings in the Quick Set "VPN Access" checkbox setup, because the default still has broken VPN. I reported issues with IPSec an...
by eworm
Fri Jul 19, 2019 9:32 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 37
Views: 3407

Re: v6.45.2 [stable] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator; *) ipsec - improved stability for peer initialization (introduced in v6.45); Please, can you write something concrete about this? I look on the manual and there is nothing about it. I have problem with bad policies generated fr...
by eworm
Fri Jul 19, 2019 5:33 pm
Forum: General
Topic: Winbox 64bit Version
Replies: 3
Views: 319

Re: Winbox 64bit Version

Sadly the mac-telnet client can not authenticate with new authentication mechanism. :(
Mikrotik does not give details what is required for encryption.
Compatibility with RouterOS 6.43
by eworm
Thu Jul 18, 2019 6:00 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 1535

Re: NordVPN

Thanks for the explanation emils!
So after all it's not possible to configure IKEv2 without PFS. That's good news. :mrgreen:
by eworm
Thu Jul 18, 2019 5:56 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 55425

Re: v6.45.1 [stable] is released!

Is there any ETA for...
Wrong question! At MikroTik, there never is an ETA!
"it is ready when it's ready".
This is just spam to advertise Bitcoin/Cryptocurrency Trading Exchange Platform. (See signature.)
by eworm
Wed Jul 17, 2019 6:21 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 1535

Re: NordVPN

emils, I do not agree.
I've set pfs-group=none for my personal site-to-site IKEv2 connections on an initiator. These connections start to have rekeying issues now.

Or do I have to set pfs-group=none on the responder as well? Explicit and implicit pfs setting is not the same?
by eworm
Wed Jul 17, 2019 3:26 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 1535

Re: NordVPN

With "group from phase 1" you refer to dh-group? Got it... However this could cause a lot of confusion... Selecting "none" looks like disabling the feature. Does it make sense to have values "inherit" or "dh-group" here? Probably confuses even more... :lol: Still wondering why rekeying does not...
by eworm
Wed Jul 17, 2019 2:37 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 1535

Re: NordVPN

Just enabled ipsec logs to see what's going on. A lot of debug messages, including:
13:33:33 ipsec got error: NO_PROPOSAL_CHOSEN
Possibly it does not find its proposal when rekeying...
by eworm
Wed Jul 17, 2019 2:16 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 1535

Re: NordVPN

Can confirm rekeying is broken in 6.45.1 stable; the only solution to not drop the connection is to set PFS Group to: none, in the IPsec proposal
Did anybody report the PFS rekeying issue to Mikrotik? Any news on this topic?
by eworm
Tue Jul 16, 2019 11:12 pm
Forum: General
Topic: IPv6 in address list
Replies: 5
Views: 1099

Re: IPv6 in address list

Is the IPv6 package installed and enabled? I guess no.
by eworm
Tue Jul 16, 2019 12:53 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 45
Views: 7641

Re: v6.46beta [testing] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator;
Great, thanks a lot for this! Much appreciated.
This works perfectly fine! Would like to see it in a stable release as soon as possible... But I guess I have to wait for 6.46 final?
by eworm
Mon Jul 15, 2019 5:42 pm
Forum: General
Topic: EoIP over IPSec performance
Replies: 2
Views: 195

Re: EoIP over IPSec performance

A CRS will not. See the test results on product page for what the CCRs can do. Looks like none of them can handle 4Gbit/s in a single tunnel, possibly a bond of four tunnels may work.
https://mikrotik.com/product/CCR1016-12 ... estresults
by eworm
Mon Jul 15, 2019 5:35 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1225

Re: blackhole/unreachable with IPSec policies [SOLVED]

@msatter, did my detailed post #17 explain what I had in mind when saying that your rule suggested in post #10 will drop the packets regardless whether they would be finally intercepted by an IPsec policy? I still have a feeling that the mutual misunderstanding may come from the fact that you use a...
by eworm
Mon Jul 15, 2019 3:38 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1225

Re: blackhole/unreachable with IPSec policies [SOLVED]

Ah, got it! :D :lol: My false assumption was that I thought... Routing with type=blackhole is the same as routing to an interface with no addresses. Of course it is not. And even more important that I thought... Routing decision is done earlier in flow for unencrypted packet. It is not, or better: L...
by eworm
Mon Jul 15, 2019 10:55 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1225

Re: blackhole/unreachable with IPSec policies [SOLVED]

@eworm, Or did I misunderstand 1.? Either you did, or I've misunderstood your goal. My understanding of your goal is that you want to be sure that those packets, which should be sent via the VPN, will under no circumstances get to the destination via any other path if the VPN connection fails. The...
by eworm
Mon Jul 15, 2019 12:46 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1225

Re: blackhole/unreachable with IPSec policies [SOLVED]

The order of actions is
1. use routing to find the outgoing interface
2. execute the postrouting chain of the firewall (including srcnat)
3. check a match to IPsec policy and send the packet via the policy's SA if it matches
4. send the packet out the interface chosen in step 1 if it didn't match any IPsec pol...
by eworm
Sun Jul 14, 2019 11:33 pm
Forum: General
Topic: privateinternetaccess.com IPsec IKE2 config with port forwarding
Replies: 3
Views: 372

Re: privateinternetaccess.com IPsec IKE2 config with port forwarding

Really nice this works! No idea why PIA does not support this officially. I am/was about to switch to NordVPN, possibly I should hold on... (Though this would be a delay only, I think.) Your profile and proposal settings are weak, though. I tested with these to work: /ip ipsec profile add dh-group=e...
by eworm
Sun Jul 14, 2019 12:00 am
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1225

Re: blackhole/unreachable with IPSec policies [SOLVED]

I added this rule as a workaround... It catches the packets if the dynamic rule by mode-config is not present. /ip firewall nat add action=src-nat chain=srcnat connection-mark=via-vpn to-addresses=127.0.0.1 However it is kind of blackhole only, there's no way to make the client receive unreachable m...
by eworm
Sat Jul 13, 2019 1:51 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1225

Re: blackhole/unreachable with IPSec policies [SOLVED]

Yes. But I can not decide by out interface as that does not differ with policies.
by eworm
Sat Jul 13, 2019 12:50 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1225

Re: blackhole/unreachable with IPSec policies [SOLVED]

With l2tp this is quite easy as routing goes to different interfaces. With IPSec policies things work differently.
by eworm
Sat Jul 13, 2019 12:13 pm
Forum: General
Topic: blackhole/unreachable with IPSec policies [SOLVED]
Replies: 22
Views: 1225

blackhole/unreachable with IPSec policies [SOLVED]

Hello everybody, with my current VPN provider I use l2tp/IPSec, which works with an interface. I add routing marks, then add a route for these marks to my interface. A second route makes sure no traffic is routed when the interface is down: / ip route add distance=1 gateway=l2tp-pia routing-mark=via...
by eworm
Thu Jul 11, 2019 2:17 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 45
Views: 7641

Re: v6.46beta [testing] is released!

*) ipsec - added "connection-mark" parameter for mode-config initiator;
Great, thanks a lot for this! Much appreciated.

Are any of the other ipsec changes supposed to fix my issue from Ticket#2019070222004609?
by eworm
Wed Jul 10, 2019 6:44 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 64
Views: 9503

Re: v6.44.5 [long-term] is released!

Can I migrate my router from 6.44 Stable to Long term without worrying about configuration?
Yes, it's just a small bugfix release then.
by eworm
Wed Jul 10, 2019 6:11 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 64
Views: 9503

Re: v6.44.5 [long-term] is released!

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.
You have set strong-crypto=yes? I think it depends on that setting.
by eworm
Wed Jul 10, 2019 5:10 pm
Forum: General
Topic: Can't update Installed SAs
Replies: 7
Views: 437

Re: Can't update Installed SAs

Looks like there is still a bug with dynamic policies and addresses. I am suffering a similar issue where I have duplicate policies, one with old dynamic address, one with new dynamic address. I am already in contact with Mikrotik support.
by eworm
Wed Jul 10, 2019 2:06 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 64
Views: 9503

Re: v6.44.5 [long-term] is released!

Let's cool down on the changelog topic. IMHO this is just another matter of communication. Just add a note to the changelog: A new stable release moved to long-term. For full changelog see changes up to version 6.44.3. At least this is a first step and clarifies what changes can be expected in chang...
by eworm
Tue Jul 09, 2019 2:57 pm
Forum: General
Topic: OpenVPN woring on all but ubuntu systems
Replies: 1
Views: 182

Re: OpenVPN woring on all but ubuntu systems

/interface ovpn-server server
set certificate=ovpn-ca cipher=blowfish128,aes128,aes192,aes256 default-profile=vpn-impact enabled=yes netmask=19
Looks like you set the ca certificate for the openvpn server. Use the server certificate instead.
by eworm
Mon Jul 08, 2019 3:35 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: [Feature request] conditional dhcp options
Replies: 16
Views: 4701

Re: [Feature request] conditional dhcp options

That's a step forward, but not a solution. We need the matcher for the architecture.
by eworm
Sat Jul 06, 2019 1:00 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 55425

Re: v6.45.1 [stable] is released!

I have severe issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config. Not sure about the details. Anybody else seen this? One after another the IPSec links came up without any configuration change. Finally today (after...
by eworm
Thu Jul 04, 2019 5:06 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 45
Views: 7641

Re: v6.46beta [testing] is released!

My IPSec issues persist. (Though there are no more crashes.) Sent a reply with support output file to Ticket#2019070222004609.
by eworm
Mon Jul 01, 2019 4:17 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 55425

Re: v6.45.1 [stable] is released!

GRE tunnels won't start anymore between 6.45.1 versions. But 6.44.3 <--> 6.45.1 are working fine.
Is this just GRE or GRE over IPSec? Possibly an IPSec issue?
by eworm
Mon Jul 01, 2019 12:36 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 55425

Re: v6.45.1 [stable] is released!

I have severe issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config. Not sure about the details. Anybody else seen this? Edit 1: Initiator devices log: ipsec,error MikroTik: bad state: 7 Edit 2: Looking in /ip ipsec ac...
by eworm
Thu Jun 27, 2019 12:36 am
Forum: Scripting
Topic: Function: IP to Decimal
Replies: 4
Views: 527

Re: Function: IP to Decimal

Actually calculating with ip addresses is easy:
Manual:Scripting / Bitwise Operators

Do you need anything more?

(Sadly this does not work with ipv6 addresses. :( Mikrotik, please implement!)
by eworm
Wed Jun 19, 2019 7:07 pm
Forum: General
Topic: Local advertised IPv6 DNS cache server
Replies: 7
Views: 369

Re: Local advertised IPv6 DNS cache server

What does the network configuration look like?
by eworm
Wed Jun 19, 2019 5:24 pm
Forum: General
Topic: Local advertised IPv6 DNS cache server
Replies: 7
Views: 369

Re: Local advertised IPv6 DNS cache server

Android does not support DHCPv6 unless you root the device and install third party software. Search Google for the details.

For me it works just fine with Linux, though you may have to make sure the firewall does not block the essential packets.
by eworm
Wed Jun 19, 2019 5:15 pm
Forum: General
Topic: Cloud Backup
Replies: 20
Views: 3204

Re: Cloud Backup

Now that we have a replace mechanism since version 6.45beta42 one culprit remains: If the cloud server is not accessible for any reason the commands in "/ system backup cloud" give fatal errors. You can not catch these as runtime errors from a script: :do { / system backup cloud ... } on-error={ ......
by eworm
Tue Jun 18, 2019 4:51 pm
Forum: General
Topic: hap lite classic "mode" button?
Replies: 18
Views: 4982

Re: hap lite classic "mode" button?

I don't think you need to do /system routerboard mode-button set on-event=/system script run your-script In my case it worked just giving the script name directly to the on-event= like so /system routerboard mode-button set on-event=your-script Yes, that's enough for things to work. The above was m...
by eworm
Tue Jun 18, 2019 12:40 pm
Forum: General
Topic: Upload file and change it into a script
Replies: 2
Views: 159

Re: Upload file and change it into a script

You can use something like this:
/ system script add name=mail source=[ / file get mail.rsc contents ];
But keep in mind this is limited to a maximum length of 4kB.
by eworm
Tue Jun 18, 2019 11:55 am
Forum: General
Topic: hap lite classic "mode" button?
Replies: 18
Views: 4982

Re: hap lite classic "mode" button?

Script shows up in red, is that correct? The content of this field is displayed with syntax highlighting. Things become colored if you use something like: /system routerboard mode-button set on-event="/system script run test-script;" enabled=yes As a fallback RouterOS tries to run a script with giv...
by eworm
Sun Jun 16, 2019 11:25 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66280

Re: v6.45beta [testing] is released!

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters. That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch... Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and ...
by eworm
Fri Jun 14, 2019 8:58 am
Forum: General
Topic: Wierd Problem with Mikrotik
Replies: 5
Views: 427

Re: Wierd Problem with Mikrotik

I had similar issues with GRE over IPSec, where the connection became stuck after packets were sent outside the IPSec context. For me rejecting unencrypted GRE did the trick. Try something like this on all your routers:
/ ip firewall filter add action=reject chain=output ipsec-policy=out,none protocol=ipip
by eworm
Thu Jun 13, 2019 11:47 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66280

Re: v6.45beta [testing] is released!

No rc versions this time?
by eworm
Wed Jun 12, 2019 9:14 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66280

Re: v6.45beta [testing] is released!

That would be even more welcome. :D
However I think Mikrotik has its reasons to do it one way, not the other. I am happy either way.
by eworm
Wed Jun 12, 2019 4:33 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 66280

Re: v6.45beta [testing] is released!

msatter we have already plans for such feature. But connection marks will be used instead of routing marks.
Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
by eworm
Wed Jun 12, 2019 4:15 pm
Forum: RouterBOARD hardware
Topic: IPSec with MikroTik wAP ac LTE
Replies: 3
Views: 309

Re: IPSec with MikroTik wAP ac LTE

Thanks a lot! Will have a look at availability from local distributors then.
by eworm
Wed Jun 12, 2019 4:08 pm
Forum: RouterBOARD hardware
Topic: IPSec with MikroTik wAP ac LTE
Replies: 3
Views: 309

IPSec with MikroTik wAP ac LTE

Hello everybody, There's a new device, MikroTik wAP ac LTE. Very interesting, it does provide a lot of features I am interested in. Did not find any information about hardware IPSec acceleration. It is powered by ARM CPU IPQ-4018, so it should support hardware acceleration. Does anybody have specific ...
by eworm
Thu Jun 06, 2019 11:21 am
Forum: General
Topic: Backup-cloud,works?
Replies: 2
Views: 174

Re: Backup-cloud,works?

Is Backup-cloud still working? I use to since it comes up, but so far I got some error. On log says: "Problem connecting with server" Every now and then cloud backup fails with server errors... Just try again later. Sadly using cloud backup in scripts is kind of problematic. Errors are not handled a...
by eworm
Wed Jun 05, 2019 5:26 pm
Forum: RouterBOARD hardware
Topic: hAP powered from 802.3af port - possible?
Replies: 4
Views: 438

Re: hAP powered from 802.3af port - possible?

You could use converters like these from Ubiquiti:
https://www.ui.com/accessories/instant-8023af-adapters/