Community discussions

Search found 50 matches

by howdey57
Fri Apr 12, 2019 8:36 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sindy, Sorry for the delay in responding. This now works. Thanks for your help and spending so much time on this. You are very generous with your time and knowledge. The things I had to do were: In the UK, put ipsec-policy=in,ipsec in all rules that might stop the French traffic. Stop traffic from t...
by howdey57
Mon Apr 08, 2019 11:30 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

I did a tracert with the NAT rule turned on. Looks like you are correct: The tracert seems REALLY slow - not just the 51ms below. Tracing route to 8.8.8.8 over a maximum of 30 hops 1 3 ms 1 ms 1 ms 192.168.65.1 2 51 ms 49 ms 56 ms 192.168.64.1 3 * * * Request timed out. 4 * * * Request timed out. 5 ...
by howdey57
Mon Apr 08, 2019 8:46 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

I added ipsec-policy=in,none to the UK rule. I then enabled the chain=srcnat action=accept src-address=192.168.65.79 rule in France but the laptop still can't get to the internet (via the UK?) Do I need to disable the Raw rules as well? My firewall rules have built up over a number of years and may ...
by howdey57
Sun Apr 07, 2019 11:05 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Complicated! I've exported both sides, /ip only. Hopefully that is enough. And hopefully, nothing sensitive! And thanks for your help! Charles France # apr/07/2019 19:36:45 by RouterOS 6.44.2 # software id = 65FW-3KRA # # model = 2011UiAS-2HnD /ip ipsec profile add dh-group=modp4096 enc-algorithm=ae...
by howdey57
Sun Apr 07, 2019 9:18 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

The suggested NAT Rule seems to kill the connection from the laptop. I do already have exceptions for the existing 64.0 to 65.0 VPN so perhaps that's ok. However that doesn't explain my French external IP address. Any other ideas? DNS perhaps? I added the exception to the fast-track firewall rule - ...
by howdey57
Sun Apr 07, 2019 7:14 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sindy, Sorry, I should have put the print in my response. Here it is: [admin@Red MikroTik] > /ip ipsec installed-sa print Flags: H - hw-aead, A - AH, E - ESP 0 E spi=0x6F3F16 src-address=x.x.x.x:4500 dst-address=192.168.1.38:4500 state=mature auth-algorithm=sha512 enc-algorithm=aes-cbc enc-key-size=...
by howdey57
Sun Apr 07, 2019 5:58 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sindy, Thanks for the prompt reply. There are two pairs. The first has a large number of packets (current-packets=148443) whilst the other has much less (current-packets=796). I know I'm not going through the VPN because bbc.co.uk gets redirected to bbc.com (the BBC only serves .co.uk if you are in ...
by howdey57
Sun Apr 07, 2019 5:29 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sindy, I'm having a go with this. I thought I'd try with just one IP address (192.168.65.79). I have put in the following Policies. The second Policy is the existing VPN. Branch Office /ip ipsec policy add comment="FranceLondon-Laptop " dst-address=0.0.0.0/0 sa-dst-address=\ x.x.x.x sa-src-address=0...
by howdey57
Thu Mar 28, 2019 8:50 pm
Forum: General
Topic: L2TP Dynamic Peer not appearing
Replies: 2
Views: 371

Re: L2TP Dynamic Peer not appearing

OK. Tried that and it worked.

Thanks.
by howdey57
Sun Mar 24, 2019 8:58 pm
Forum: General
Topic: L2TP Dynamic Peer not appearing
Replies: 2
Views: 371

L2TP Dynamic Peer not appearing

Is this one for Sindy? I have just swapped the config from a HAP AC2 to a HAP AC. I exported from one and ran the script on the second. On the AC2, I've been using L2TP successfully for a year but am having difficulty getting the AC to work. The thing I've noticed is that the Dynamic Peer, created w...
by howdey57
Sun Dec 09, 2018 11:52 am
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sindy, I was about to do this but then had a further thought. Is there a way to use address lists to say which specific machines should go via the head office VPN, rather than them all? If that is possible, then all I need to do is add or take off IP addresses from that address list. The use case is...
by howdey57
Sun Nov 04, 2018 10:54 pm
Forum: General
Topic: L2TP IPSec PSK VPN and Pixel 3 dropping after a minute
Replies: 0
Views: 277

L2TP IPSec PSK VPN and Pixel 3 dropping after a minute

I've just got a new Pixel 3 and am having difficulty keeping a VPN connected to my MK router. The VPN dies after about a minute. Very frustrating. I don't have the same problem with a Pixel 2 which has been working well for ages.

Is anyone else having the same problem?

Charles
by howdey57
Sat Oct 20, 2018 2:45 pm
Forum: Scripting
Topic: Log Monitoring Script
Replies: 2
Views: 2892

Log Monitoring Script

I wanted a way to monitor log files for certain entries. I have created a script based on the various log monitoring scripts I have found. I thought I might share this in case others wanted an alternative. The only challenge is that, due to an issue with how ROS displays time in log files around mid...
by howdey57
Mon Oct 08, 2018 5:46 pm
Forum: Scripting
Topic: Built in function library
Replies: 55
Views: 14830

Re: Built in function library

Chupaka

You are correct about log entries not directly being about functions but the flip side is that you need lots of other functions to be built to manipulate the inconsistent log date formats.

I'll try support@.

Thanks

Charles
by howdey57
Mon Oct 08, 2018 5:06 pm
Forum: Scripting
Topic: Built in function library
Replies: 55
Views: 14830

Re: Built in function library

Thanks. Commas it will be! The date challenge is twofold: 1. Dates in the log file are not consistent. The date is excluded from entries for today and the year is missed out for entries this year. Ideally there would be a switch to set all log date/times to YYYYMMDDHHMMSS format. Machine readable an...
by howdey57
Mon Oct 08, 2018 11:48 am
Forum: Scripting
Topic: Built in function library
Replies: 55
Views: 14830

Re: Built in function library

Thanks. I'll try those. Are they mentioned in the wiki?

Any thoughts on the dates?
by howdey57
Mon Oct 08, 2018 11:23 am
Forum: Scripting
Topic: Built in function library
Replies: 55
Views: 14830

Re: Built in function library

I'd like to have a debug function that helped with basic syntax. When writing code I spend most of my time getting the basics in place. I write my logic then comment most of it out then uncomment line by line to make sure each line is working. With ros code, if it doesn't work, you get nothing to sa...
by howdey57
Tue Sep 25, 2018 12:36 am
Forum: General
Topic: Log File Dates & Times seem to be incorrect
Replies: 6
Views: 486

Re: Log File Dates & Times seem to be incorrect

Does anyone from MikroTik have anything to say about this? It looks to me like a software error.

Charles
by howdey57
Sun Sep 23, 2018 11:01 pm
Forum: General
Topic: Log File Dates & Times seem to be incorrect
Replies: 6
Views: 486

Re: Log File Dates & Times seem to be incorrect

Any views on why the log is so weird around midnight?

It looks like the internal date processor doesn't work. Could it be to do with the time zone?

The log file produced at 02:05:00 behaves properly.

Charles
by howdey57
Sun Sep 23, 2018 6:59 pm
Forum: General
Topic: Log File Dates & Times seem to be incorrect
Replies: 6
Views: 486

Re: Log File Dates & Times seem to be incorrect

Mkx

I've never seen your first point. When you access the log programmatically, the datetimes come in the 3 flavours.

+1 for your second point.

Charles
by howdey57
Sun Sep 23, 2018 6:10 pm
Forum: General
Topic: Log File Dates & Times seem to be incorrect
Replies: 6
Views: 486

Log File Dates & Times seem to be incorrect

I am trying to track new log entries. I have a script that works except around midnight. Overarching Issue: Ideally log entries would have Date Time written consistently as YYYY-MM-DD HH:MM:SS. I cannot understand why it is done in a way that is not machine readable (and in US format too). Is there a...
by howdey57
Sat Sep 01, 2018 9:45 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sindy Thanks for this and sorry for the delay in letting you know how I am getting on. 1. Worked. Thanks. 2. Still plucking up the courage to do this. Just don't want to cut myself off from the remote office. I'll let you know. I'm currently battling with chatty Chinese security cameras that want to...
by howdey57
Mon Aug 27, 2018 1:39 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sindy, and I thought this would be easy!! Thanks for looking. There are two problems: 1. How to ping from one router to another - The ping says "Host Unreachable" and names the WAN address 2. How to default the Sub Office so all internet traffic goes through the main office. The two router configs ha...
by howdey57
Sun Aug 19, 2018 1:49 pm
Forum: General
Topic: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?
Replies: 22
Views: 1767

Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Newbie Question (perhaps I will always be a newbie with Mikrotik!!). I have two mikrotik routers connected via IPSec. I want to force all traffic from the remote site to go through the VPN and out of the Head Office WAN connection. There are lots of long posts that offer lots of ways, all of which s...
by howdey57
Mon Aug 13, 2018 1:11 am
Forum: General
Topic: How do I: Route with ipsec and L2TP?
Replies: 2
Views: 325

Re: How do I: Route with ipsec and L2TP?

Thank you sindy. That worked. I changed the pool to the same subnet and changed the profile to proxy-arp on the bridge only and things seem to work now.

Charles
by howdey57
Sun Aug 12, 2018 9:13 pm
Forum: General
Topic: How do I: Route with ipsec and L2TP?
Replies: 2
Views: 325

How do I: Route with ipsec and L2TP?

Noobie question: I don't yet have a config problem. I just don't know where to start. I have 2 networks with different subnets joined by a new IPsec VPN. When away from the network, I connect using my laptop using an L2TP VPN. My question is: what do I need to use to be able to get to the "far" netwo...
by howdey57
Tue Apr 10, 2018 11:28 am
Forum: RouterBOARD hardware
Topic: SFP dsl modem compatibility list
Replies: 0
Views: 1044

SFP dsl modem compatibility list

There is an active discussion https://forum.mikrotik.com/viewtopic.php?f=3&t=104109&e=1 here but no summary list of compatible SFP modules that allow MT kit to connect to ADSL/VDSL. It should be here https://wiki.mikrotik.com/wiki/MikroTik_SFP_module_compatibility_table but has yet to be done. Pleas...
by howdey57
Mon Apr 09, 2018 11:51 pm
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89618

Re: Mikrotik VDSL / DSL Modem?

This is a very long thread now. Is there a summary in the Mikrotik documentation that describes the SFP dsl hardware that works with Mikrotik routers (with settings)?

Charles
by howdey57
Tue Sep 26, 2017 2:21 pm
Forum: Announcements
Topic: v6.40.3 [current]
Replies: 95
Views: 26496

Re: v6.40.3 [current]

I know. I originally put it as a question that I could find the answer to myself, then thought better of it but couldn't delete it. I then changed it to the anodyne response above!

My bad.

-end-
by howdey57
Tue Sep 26, 2017 8:40 am
Forum: Announcements
Topic: v6.40.3 [current]
Replies: 95
Views: 26496

Re: v6.40.3 [current]

Thanks for the response.

Maybe I have. I will investigate.
by howdey57
Mon Sep 25, 2017 11:56 pm
Forum: Announcements
Topic: v6.40.3 [current]
Replies: 95
Views: 26496

Re: v6.40.3 [current]

Hi All, I installed 6.40.3 over the weekend and seem to have a problem. I use passthrough firewall rules to track Bytes used by IP addresses in an Address List. Before the update I was using about 2 GB per day, but since the upgrade that has fallen to approx 10MB. I know I am using more! Has anyone ...
by howdey57
Sat Aug 26, 2017 8:15 pm
Forum: Beginner Basics
Topic: Firewall rule for L2TP/IPSec access to router
Replies: 3
Views: 7533

Re: Firewall rule for L2TP/IPSec access to router

pukkita, Thanks for the response. Your guesses were correct. I added the /interface L2TP server binding and the static interface to the Interface List and, after a delay, saw the L2TP connections using those rather than dynamic ones. The only issue is that I need to add a L2TP Server binding and a n...
by howdey57
Thu Aug 24, 2017 11:15 am
Forum: Beginner Basics
Topic: Firewall rule for L2TP/IPSec access to router
Replies: 3
Views: 7533

Firewall rule for L2TP/IPSec access to router

I had success connecting "L2TP/IPSec VPN Remote Worker Access" https://forum.mikrotik.com/viewtopic.php?f=13&t=124618 but had a problem connecting Windows 10 machines through the Virgin Media router so I've put that router in modem mode and put the 2011 as router behind it. I've configured the VPN e...
by howdey57
Fri Aug 18, 2017 12:22 am
Forum: Beginner Basics
Topic: L2TP/IPSec VPN Remote Worker Access
Replies: 11
Views: 10466

Re: L2TP/IPSec VPN Remote Worker Access

doneware, Brilliant, thanks. Both suggestions worked. Adding dns-server=8.8.8.8 to the /ppp profile meant I could access the internet. So the vpn client doesn't know where to go without the DNS address and changing to local-address=192.168.1.203 meant I could see all local addresses. I presume this ...
by howdey57
Thu Aug 17, 2017 10:41 am
Forum: Beginner Basics
Topic: L2TP/IPSec VPN Remote Worker Access
Replies: 11
Views: 10466

Re: L2TP/IPSec VPN Remote Worker Access

doneware, Thanks for the suggestion. The rule sounds complicated! I thought that if I changed the vpn-pool to 192.168.1.100-110 then I'd be in the same range as the Virgin router (I put proxy-arp on the bridge). That didn't give me access to the internet but when I put in 192.168.1.1 I get to the 20...
by howdey57
Wed Aug 16, 2017 5:28 pm
Forum: Beginner Basics
Topic: L2TP/IPSec VPN Remote Worker Access
Replies: 11
Views: 10466

Re: L2TP/IPSec VPN Remote Worker Access

Thanks for the responses. I agree with pe1chl. Proxy-Arp is not required if on a different subnet. The Virgin Media Router is set up correctly as connections are being made. One other thing I've noticed is that the Windows machine I connect with does not have a "Gateway" for the VPN connection (when...
by howdey57
Wed Aug 16, 2017 9:36 am
Forum: Beginner Basics
Topic: L2TP/IPSec VPN Remote Worker Access
Replies: 11
Views: 10466

L2TP/IPSec VPN Remote Worker Access

I've used this set of instructions https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#L2TP.2FIpSec_setup to create a L2TP/IPSec VPN, I can connect successfully to the VPN and can get to the Webfig of the 2011. The network looks like this. The 2011 is in bridge mode behind a cable router. The cable...
by howdey57
Sun Mar 15, 2015 12:29 pm
Forum: General
Topic: Routing through an IPSec VPN
Replies: 7
Views: 1980

Re: Routing through an IPSec VPN

Thanks very much troffasky and ZeroByte for the response. #4 sounds complicated, so I will have a think and a try. #5. The NAT rules in my Office 1 Mikrotik are: add chain=srcnat comment="Office 2 to Office 1" dst-address=192.168.0.0/24 out-interface=ether1-gateway src-address=192.168.1.0/24 add act...
by howdey57
Sat Mar 07, 2015 10:59 am
Forum: General
Topic: Routing through an IPSec VPN
Replies: 7
Views: 1980

Routing through an IPSec VPN

I am having difficulty accessing a RaspberryPi on a remote network. I don't know what I need to do next; is it a route, an address, a mangle?? I have the following network. I have 3 successful things and 2 unsuccessful things and any help to fix these would be gratefully received. Network Diagram v...
by howdey57
Sun Jan 18, 2015 5:57 pm
Forum: Beginner Basics
Topic: Newbie routing question.
Replies: 1
Views: 568

Newbie routing question.

I am new to the sophisticated world of Mikrotik Routers. Previously, I used a standard Draytek that didn't allow me to do too much. I don't know if I am going to ask this question using the right words, but it would be great if someone could point me in the right direction. I have created an IPSec V...
by howdey57
Sun Jan 18, 2015 5:47 pm
Forum: Beginner Basics
Topic: Why is it so hard to set up internet access to Webfig?
Replies: 10
Views: 2759

Re: Why is it so hard to set up internet access to Webfig?

For access to the Router itself from the Internet, I use this firewall rule. For my simple mind, this works because it opens up port 80 on the first thing the internet hits. chain=input action=accept protocol=tcp dst-port=80 log=no log-prefix="" For access to my fileserver from the Internet, I use t...
by howdey57
Sat Jan 10, 2015 7:18 pm
Forum: Beginner Basics
Topic: IPSec VPN behind 3G private network (Draytek to Mikrotik)
Replies: 3
Views: 1802

Re: IPSec VPN behind 3G private network (Draytek to Mikrotik

After a VERY long time trying to make this work, I have found the solution. In the end, to connect from a Draytek (2830) to a Mikrotik (RB2011) when the Draytek is NATed behind an IP address provided by a 3G mobile operator I had to do the following: 1. On the Draytek, in the IPSec settings, make su...
by howdey57
Thu Jan 08, 2015 11:57 pm
Forum: Beginner Basics
Topic: Why is it so hard to set up internet access to Webfig?
Replies: 10
Views: 2759

Re: Why is it so hard to set up internet access to Webfig?

So I managed to figure this out. To access a server within the internal network from outside, you need to set up a NAT rule. To access the router itself from outside, you need to set up a Firewall rule to open up the port you want to use. Perhaps that is obvious to some, but it confused me a lot whe...
by howdey57
Thu Jan 08, 2015 11:50 pm
Forum: Beginner Basics
Topic: IPSec VPN behind 3G private network (Draytek to Mikrotik)
Replies: 3
Views: 1802

Re: IPSec VPN behind 3G private network (Draytek to Mikrotik

I have managed to get a request from the Draytek to the Mikrotik by finding the IP address the Draytek is using (by seeing the UDP traffic on Port 500 on the Mikrotik firewall). The problem is that the connection is not made even though I have an identical set up between another Draytek to the Mikro...
by howdey57
Mon Jan 05, 2015 10:25 pm
Forum: Beginner Basics
Topic: Why is it so hard to set up internet access to Webfig?
Replies: 10
Views: 2759

Re: Why is it so hard to set up internet access to Webfig?

OK. I found the "Firewall Router" tick box. It was on the "Home AP" Quick set, not the default "WISP AP". As indicated by some posts, I have added a NAT rule on port 443 to get through to my Fileserver and that works whether I have the "Firewall Router" ticked or not. However, if I create a NAT rule...
by howdey57
Mon Jan 05, 2015 3:11 pm
Forum: Beginner Basics
Topic: Why is it so hard to set up internet access to Webfig?
Replies: 10
Views: 2759

Re: Why is it so hard to set up internet access to Webfig?

Will do.

Please could you also point me at the wiki page that describes how to do it.

Thanks
by howdey57
Mon Jan 05, 2015 9:21 am
Forum: Beginner Basics
Topic: Why is it so hard to set up internet access to Webfig?
Replies: 10
Views: 2759

Re: Why is it so hard to set up internet access to Webfig?

Thanks for the response. I don't have that setting on Quick Set. I have a new RB2011 with V6.24.

Where next?

Charles
by howdey57
Sun Jan 04, 2015 10:49 pm
Forum: Beginner Basics
Topic: Why is it so hard to set up internet access to Webfig?
Replies: 10
Views: 2759

Why is it so hard to set up internet access to Webfig?

There does not seem to be a definitive method to access Webfig on my RB2011 router from the internet. Is it actually possible? I have tried lots of different ways from many sites but none work (NAT, Firewall etc).

Can someone provide a working example?

Thanks

Charles
by howdey57
Sun Jan 04, 2015 7:52 pm
Forum: Beginner Basics
Topic: IPSec VPN behind 3G private network (Draytek to Mikrotik)
Replies: 3
Views: 1802

IPSec VPN behind 3G private network (Draytek to Mikrotik)

I am trying to create a VPN from a Draytek router (2830) to a Mikrotik router (RB2011), but cannot. I have previously done this between two Drayteks (one connecting using 3G), so I know it is possible. I also know my VPN settings should work because I have created an identical VPN between another ...
by howdey57
Wed Dec 31, 2014 2:38 pm
Forum: General
Topic: VPN site-to-site IPSec tunnel
Replies: 11
Views: 2365

Re: VPN site-to-site IPSec tunnel

Can you tell me how I put in the dynamic address (eg xxx.dyndns.org) into the VPN setup rather than the IP address?

Thanks