MikroTik

eworm

/ tool fetch http-header-field="User-Agent: Mozilla/4.0" ...

eworm

:if ([ /tool e-mail get last-status ] = "succeeded") do={ ...

But I am not sure if you need a delay between sending and checking for status...

eworm

But there is not even an attempt to fix the VPN issues everyone is still having, there was never a clear way to fix that in the v6.45.1 thread, and MT needs to have those settings in the Quick Set "VPN Access" checkbox setup, because the default still has broken VPN. I reported issues with IPSec an...

eworm

*) ipsec - added "connection-mark" parameter for mode-config initiator; *) ipsec - improved stability for peer initialization (introduced in v6.45); Please, can you write something concrete about this? I look on the manual and there is nothing about it. I have problem with bad policies generated fr...

eworm

Sadly the mac-telnet client can not authenticate with new authentication mechanism.

Mikrotik does not give details what is required for encryption.
Compatibility with RouterOS 6.43

eworm

Thanks for the explanation emils!
So after all it's not possible to configure IKEv2 without PFS. That's good news.

eworm

Is there any ETA for...
Wrong question! At MikroTik, there never is an ETA!
"it is ready when it's ready".

This is just spam to advertise Bitcoin/Cryptocurrency Trading Exchange Platform. (See signature.)

eworm

emils, I do not agreen.
I've set pfs-group=none for my personal site-to-site IKEv2 connections on an initiator. These connections start to have rekeying issues now.

Or do I have to set pfs-group=none on the responder as well? Explicit and implicit pfs setting is not the same?

eworm

With " group from phase 1 " you refer to dh-group ? Got it... However this could cause a lot of confusion... Selecting " none " looks like disabling the feature. Does it make sense to have values "inherit" or "dh-group" here? Probably confuses even more... :lol: Still wondering why rekeying does not...

eworm

Just enabled ipsec logs to see what's going to. A lot of debug messages, including:

13:33:33 ipsec got error: NO_PROPOSAL_CHOSEN

Possibly it does not find its proposal when rekeying...

eworm

can confirm rekeying is broken in 6.45.1stable, the only solution to don't drop connection is to set PFS Group to: none, in IPsec proposal

Did anybody report the PFS rekeying issue to Mikrotik? Any news on this topic?

eworm

Is the IPv6 package installed and enabled? I guess no.

eworm

*) ipsec - added "connection-mark" parameter for mode-config initiator;
Great, thanks a lot for this! Much appreciated.

This works perfectly fine! Would like to see it in a stable release as soon as possible... But I guess I have to wait for 6.46 final?

eworm

A CRS will not. See the test results on product page for what the CCRs can do. Looks like none of them can handle 4Gbit/s in a single tunnel, possibly a bond of four tunnels may work.
https://mikrotik.com/product/CCR1016-12 ... estresults

eworm

@msatter, did my detailed post #17 explain what I had in mind when saying that your rule suggested in post #10 will drop the packets regardless whether they would be finally intercepted by an IPsec policy? I still have a feeling that the mutual misunderstanding may come from the fact that you use a...

eworm

Ah, got it! :D :lol: My false assumption was that I thought... Routing with type=blackhole is the same as routing to an interface with no addresses. Of course it is not. And even more important that I thought... Routing decision is done earlier in flow for unencrypted packet. It is not, or better: L...

eworm

@eworm, Oder did I misunderstood 1.? Either you did, or I've misunderstood your goal. My understanding of your goal is that you want to be sure that those pakets, which should be sent via the VPN, will under no circumstances get to the destination via any other path if the VPN connection fails. The...

eworm

The order of actions is use routing to find the outgoing interface execute the postrouting chain of the firewall (including srcnat) check a match to IPsec policy and send the packet via the policy's SA if it matches send the packet out the interface chosen in step 1 if it didn't match any IPsec pol...

eworm

Really nice this works! No idea why PIA does not support this officially. I am/was about to switch to NordVPN, possibly I should hold on... (Though this would be a delay only, I think.) Your profile and proposal settings are weak, though. I tested with these to work: /ip ipsec profile add dh-group=e...

eworm

I added this rule as a workaround... It catches the packets if the dynamic rule by mode-config is not present. /ip firewall nat add action=src-nat chain=srcnat connection-mark=via-vpn to-addresses=127.0.0.1 However it is kind of blackhole only, there's no way to make the client receive unreachable m...

eworm

Yes. But I can not decide by out interface as that does not differ with policies.

eworm

With l2tp this is quite easy as routing goes to different interfaces. With IPSec policies things work different.

eworm

Hello everybody, with my current VPN provider I use l2tp/IPSec, which works with an interface. I add routing marks, then add a route for these marks to my interface. A second route makes sure no traffic is routed when the interface is down: / ip route add distance=1 gateway=l2tp-pia routing-mark=via...

eworm

*) ipsec - added "connection-mark" parameter for mode-config initiator;

Great, thanks a lot for this! Much appreciated.

Is any of the other ipsec changes suppose to fix my issue from Ticket#2019070222004609?

eworm

Can I migrate my router from 6.44 Stable to Long term without worrying about configuration?

Yes, it's just a small bugfix release then.

eworm

I noticed that after upgrade from 6.43.16 to 6.44.5, allow-none-crypto=yes was set in /ip ssh. This seems to be a new setting and is documented as defaulting to no.

You have set strong-crypto=yes? I think it depends on that setting.

eworm

Looks like there is still a bug with dynamic policies and addresses. I am suffering a similar issue where I have duplicate policies, one with old dynamic address, one with new dynamic address. I am already in contact with Mikrotik support.

eworm

Let's cool down on the changelog topic. IMHO this is just another matter of communication. Just add a note to the changelog: A new stable release moved to long-term. For full changelog see changes up to version 6.44.3. At least this is a first step and clarifies what changes can be expected in chang...

eworm

/interface ovpn-server server
set certificate=ovpn-ca cipher=blowfish128,aes128,aes192,aes256 default-profile=vpn-impact enabled=yes netmask=19

Looks like you set the ca certificate for the openvpn server. Use the server certificate instead.

eworm

That's a step forward, but not a solution. We need the matcher for the architecture.

eworm

I have serve issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config. Not sure about the details. Anybody else seen this? One after another the IPSec links came up without any configuration change. Finally today (after...

eworm

My IPSec issues persist. (Though there are no more crashes.) Sent a reply with support output file to Ticket#2019070222004609.

eworm

GRE tunnels won't start anymore between 6.45.1 versions. But 6.44.3 <--> 6.45.1 are working fine.

Is this just GRE or GRE over IPSec? Possibly an IPSec issue?

eworm

I have serve issues with all my IPSec responders. As far as I can tell about half of my IPSec initiator devices do not get addresses from mode-config. Not sure about the details. Anybody else seen this? Edit 1: Initiator devices log: ipsec,error MikroTik: bad state: 7 Edit 2: Looking in /ip ipsec ac...

eworm

Actually calculating with ip addresses is easy:
Manual:Scripting / Bitwise Operators

Do you need anything more?

(Sadly this does not work with ipv6 addresses.

Mikrotik, please implement!)

eworm

What does the network configuration look like?

eworm

Android does not support DHCPv6 unless you root the device and install third party software. Search Google for the details.

For me it works just fine with Linux, though you may have to make sure the firewall does not block the essential packets.

eworm

Now that we have a replace mechanism since version 6.45beta42 one culprit remains: If the cloud server is not accessible for any reason the commands in "/ system backup cloud" give fatal errors. You can not catch these as runtime errors from a script: :do { / system backup cloud ... } on-error={ ......

eworm

I don't think you need to do /system routerboard mode-button set on-event=/system script run your-script In my case it worked just giving the script name directly to the on-event= like so /system routerboard mode-button set on-event=your-script Yes, that's enough for things to work. The above was m...

eworm

You can use something like this:

/ system script add name=mail source=[ / file get mail.rsc contents ];

But keep in mind this is limited to a maximum length of 4kB.

eworm

Script shows up in red, is that correct? The content of this field is displayed with syntax highlighting. Things become colored if you use something like: /system routerboard mode-button set on-event="/system script run test-script;" enabled=yes As a fallback RouterOS tries to run a script with giv...

eworm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters. That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch... Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and ...

eworm

I had similar issues with GRE over IPSec, where connection became stuck after packets were send outside IPSec context. For me rejecting unencrypted GRE did the trick. Try something like this on all your routers:

/ ip firewall filter add action=reject chain=output ipsec-policy=out,none protocol=ipip

eworm

No rc versions this time?

eworm

That would be even more welcome.

However I thing Mikrotik has its reasons to do it one way, not the other. I am happy either way.

eworm

msatter we have already plans for such feature. But connection marks will be used instead of routing marks.

Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?

eworm

Thanks a lot! Will have look at availability from local distributors then.

eworm

Hello everybody, There's new device MikroTik wAP ac LTE . Very interesting, it does provide a lot of features I am interested in. Did not find any information about hardware IPSec acceleration. It is powered by ARM CPU IPQ-4018, so it should support hardware acceleration. Does anybody have specific ...

eworm

Is Backup-cloud stil working? I use to since it comes up,but so fare i got some error. on log says: "Problem connecting with server" Every now and then cloud backup fails with server errors... Just try again later. Sadly using cloud backup in scripts is kind of problematic. Errors are not handled a...

eworm

You could use converters like these from Ubiquiti:
https://www.ui.com/accessories/instant-8023af-adapters/

Search found 339 matches