MikroTik

Unic

Hi, I am playing around with this too and so far its working, but iam using it not for balancing, but for PBR and Fallback. I have posted my configuration here to see if someone has tips to make my configuration better/faster. So far there is a missing connection mark for outgoing traffic to get bet...

Unic

Hello, Summery of what i want: - All connection from addresses in addresslist wan1 are going to wan1 - Everything else should go trough wan2 - if wan1 or wan2 goes down, everything including marked packets should go to the other wan interface So my first Question is: If a packets with routing mark h...

Unic

Hello Community, I've created a Client Ovpn from a Mikrotik HAP AC to a Securepoint firewall. Everything is working fine and Clients can access / ping other clients/servers on both remote sites, BUT the Mikrotik can't reach the remote site. i've tried ping on terminal an ping tool with every interfa...

Unic

Hello Community, we have performanceproblems with pcq queues on a RB3011. We need to reach 500MBit, but we only get around 200-300MBit. We just use one Nat Rule and no other rules. The queue should split the 500MBit equally between 3 interfaces. I tried simple quees and queutree. CPU load is minimal...

Unic

Hello. I'am looking for a cheap managed Switch with 8x POE/POE+ gigabit ports to use it with mikrotik and Voipphones. Anyone has a hint which one i can use ? I does not need to be from mikrotik, as i have not found any product that fits that specifications. The problem is, that many switches are so ...

Unic

Hello, I've made a small configuration script to get a default configuration for new devices. I have tried to make it as compatible as possible to all devices. Maybe someone would like to test it or give some more ideas to make it better or add more secure firewall rules. the original (most recent v...

Unic

I have the same problem. After installing the demolicencse i need to reboot, and after that the device will autoswitchoff after some seconds, i even cant look whats wrong, because of this autoshutdown. I barely can see that "license expires" for a half second, before the device is shutting down. Ev...

Unic

I have the same problem. After installing the demolicencse i need to reboot, and after that the device will autoswitchoff after some seconds, i even cant look whats wrong, because of this autoshutdown. I barely can see that "license expires" for a half second, before the device is shutting down. Eve...

Unic

Hello,

and thank you very much for the detailed information. Now i understand the difference.

Unic

Hi there, I'am new to mikrotik scripting and i am not sure that i understand the ":" correct. Example: This works: :local wan1 "ether4"; /interface ethernet; set [ find default-name="$wan1" ] comment="$wan1" name="wan1"; and this not: :local wan1 "ether4"; /interface ethernet; :set [ find default-na...

Unic

What's new in 6.37.2 (2016-Nov-08 13:15): *) firewall - fixed "connection-state" value disappearance in rules that were created before v6.22; Are 6.38rc builds affected by this as well? If so, will there be an update that includes this fix? Does this fix rules that were already broken by upgrade, o...

Unic

hi, i would like to add: -no more than ONE connection from the same IP with L2TP/IPSec -IKEV2 (its mention here that its in the new RC. That would be awesome) EDIT: looks like 6.38rc24 is my new RouterOS 7. Just found this: http://forum.mikrotik.com/viewtopic.php?f=21&t=112844&start=100#p566439. If ...

Unic

RB850x2 with HW encryption can encrypt/decrypt up to 500Mbps with 1400byte packets new hex RB750Gr3 can encrypt/decrypt up to 470Mbps with 1400byte packets Where on the mikrotik webpage i can get the informations which device has hardware encryption and which encryptionmethods are supported ? I hav...

Unic

Hi there,

Is the Hardwarenecryption working for aes256 too ?

thx. for help

Unic

Maybe you can try the new hex with RB750Gr3. It has Hardwarenecryption and should encrypt aes256 faster than your connection speed. But i have not tested it.

But keep in mind that you cant have more than one vpn user behind the same wanIP if you are using L2TP/IPSec.

Unic

Yes its realy needed, as you cant change the security or vpn policy from the other end IT Admins and if they are allowed to, I realy dont want to tell them that they have to use IKEv1. +10 IkeV2 is the new standard in almost all communications between organisations. We NEEEEEEEEEEEEEEEEED it. I work...

Unic

One thing here caught my attention: "ROS 7 will remove the restriction for having more than one L2TP/IPSEC user behind the same NATed network". My understanding is that the router on the client side (road warrior) side of the equation is the one that cannot distinguish the traffic, not the server s...

Unic

Hi, I am not sure that the fortigate will "passtrough" the IPSEC-traffiic, maybe there is a special option for this. By the way. the Error in your log says that you device tries sha256, but you use sha1 in your config. But the real problem could be that both devices are behind NAT. I dont know any w...

Unic

Hi, as more as i use mikrotik, vpn is often the problem. - No Ipsec behind two nated devices. - L2TP/IPSEC no multiple Connection behind one external IP. - no ikev2 Support. - openvpn: no udp support (that not a problem for me, but openvpn is not implemented very well and you need some fallback swit...

Unic

HI, i use the ZyXel VMG1312-B30A. If you keep the default Zyxelconfig you dont need to use vlans on your mirkotik for internet. Just keep default pppoe settings with 1492 MTU. If you need to connect to 1und1 add a capital "H" in front of your Username if you have a Telekomanschluss. Iam pretty sure ...

Unic

thanks for reply.

i have made a typo in my post. i need to use port-override not port-strict for windows 10!

so what means port policy ? what port is defined by policy ? And why it does not work with windows ?

best regards

Unic

thanks for reply.

i have made a typo in my post. i need to use port-override not port-strict for windows 10!

so what means port policy ? what port is defined by policy ? And why it does not work with windows ?

best regards

Unic

Hi, in the wiki i can read the following: port-override -- generate policies and force policy to use any port (old behavior) port-strict -- use ports from peer's proposal, which should match peer's policy Can someone explain me the difference ? What means ports from peers proposal ? can i pin the co...

Unic

Would like to see this feature to.

Instead of Users, maybe the use of profiles or usergroups would be an easy implantation.

Unic

16MB is so small. Hope they will make a bigger one or make it possible to replace or upgrade it.

Unic

Yes, ive replaced our nightlight to find the way to the bathroom with a RB2011

Unic

Hi,

Change your action from "drop" to "reject", as otherwise the browser will wait for the timeout.

Unic

nat is for "hiding" your ip behind the device. So i think you should not NAT anything. Just make an acceptrule in the nat-table. But you need to make sure that all devices know where they find the networks, so it may be nessesary to add the routes in the routingtable.

Unic

remove the ether1 gatway from bridge. remove this static routesettings for ether1 add an ip 192.168.0.254 to ether1-gateway make sure that ether1-gateway has NO master interface set. and change /ip firewall nat add action=masquerade chain=srcnat comment="masq. vpn traffic" out-interface=\ bridge-loc...

Unic

Hello Community, i have made some rules to secure my router and i would like to ask if some of the people here can take a look into it and give any hints to make it even more secure or to fix some mistakes i have made. /ip firewall filter #Fasttrack - Be aware that these rules need to be placed afte...

Unic

http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global , ip traffic-flow(restriction removed in 6.33), ip accounting, ipsec, hotspot universal client, vrf assignment What means parent=global here ? I...

Unic

Hello, iam looking for a productmatrix like fortigate has on its pages where i can compare the devices, or at least get all informations for a single device. i miss this type of informations: how much VPN passtrough is possible (IPSEC/SSL) ? what kind of hardwareaccereration (SHA1/sha256 - DES/AES12...

Unic

This stick works including sms. Dial Command: ATDT Data and Info Channel 1 But you need to enable serialmode and disable CD-Rom. You can do this from a Windowspc : Insert the stick and install it. Backup the files from the virtual CDRom. Visit: "http://192.168.0.1/goform/goform_process?goformId=MODE...

Unic

Hello, i have created a L2TP connection with IPSEC enabled. But i need Sha256 and the dynamic created IPSEC rule only supports Sha1. I can create a new rule and delete the dynamic rule. All works find, but on reboot the dynamicrule is created again. Is there a way to change the default rule or prev...

Unic

Hi,

i will answer myself:

/interface sstp-server
add name=sstp-username user=username

Unic

Bump

same question here about Of Traf, and Of Freq .

Unic

Hello, I have a forwardrule: ;;; Allow forward traffic sstp-username chain=forward action=accept in-interface=<sstp-username> out-interface=bridge-lan log=no log-prefix="" The problem: After the User disconnects the Rule never reenabled again, even if the user reconnects. So my Question is: how d...

Unic

Thank you very much for the fast support, that solved my problem. I think i have copied this rule by accident from a Router which was reseted with "default configuration".

Do i need this rule for a working fasttrack ?

Unic

Thx for reply.
When i try to move/remove the rules i get the errormessage: Cannot move/remove builtin.

Unic

Hi, i have the strange problem, that the ipsec tunnel looks fine and i can ping all device behind the routers, but i cant get any tcp packet trough it (f.e. RDP, SMB, http). But, as soon as i enable the packetsniffer all works find and i can connect RDP f.e. I have tested it with a ASA5505 and a For...

Unic

Hello,

i just want to know if its still not possible to have both sides behind a nat when you use L2TP/IPSEC with mikrotik, or is there now a possibility to create such a VPN-Connection.

I have seen that there are some changes on it lately (f.e. IPSEC Checkbox on L2TP Server)

Best Regards.

Unic

Thx for your post, i think i figured out your components. In germany it seems a little bit tricky to get all components at a single provider. As it looks nearly the same: would it be possible to use a netmetal 5 with the same minipcie card for indoor usage? Havnt found i inside look for the netmetal...

Unic

Hello, iam looking for a indoor Wifi Solution. I want to use up to 5 Wireless APs from Mikrotik, but i'am unsure which devices i can use. What i want: - I want to connect all APs with CAPsMAN. - I want to use 2,4Ghz AND 5Ghz ac as far as i see there aren't any devices which have both 2,4 and 5 Ghz a...

Search found 43 matches