Search found 19 matches

by nickb333
Mon Dec 07, 2020 1:36 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 184
Views: 115534

Re: v6.48beta [testing] is released!

Thanks for the IKEv2 and other IPSEC updates. *) ipsec - added SHA384 hash algorithm support for phase 1 (CLI only); Strange effects when attempting to edit ip ipsec profile created with sha384 hash in Winbox 3.27 - the hash is shown as MD5. Presume this will be fixed at release/next Winbox update? ...
by nickb333
Thu Dec 03, 2020 2:58 pm
Forum: General
Topic: Support for IKEv2 Fragmentation (RFC 7383)
Replies: 6
Views: 3319

Re: Support for IKEv2 Fragmentation (RFC 7383)

I just hit the IKEv2 fragmentation issue running 6.47.8 on my vpn server. Using StrongSwan client on Android, but only with one particular mobile operator (3 UK).

Happy to say that switching to 6.48beta58 (with RFC7383 support) solved the problem for me.
by nickb333
Mon Oct 26, 2020 5:07 pm
Forum: Announcements
Topic: v6.47.6 [stable] is released!
Replies: 39
Views: 24695

Re: v6.47.6 [stable] is released!

I just updated two of my 3011 and only one had this issue and that is the one that has wireless package disabled. So it might be related to that? Yes, it is the cause. The problem is that the configuration script contains commands that refer to features not available (wireless) and bombs out. It ha...
by nickb333
Mon Apr 27, 2020 1:40 am
Forum: General
Topic: making sure the main router manage all connection?
Replies: 25
Views: 6122

Re: making sure the main router manage all connection?

If @Spirch original requirement was a way to force all connection to go through the hAP. Main reason is my firewall rule / address list are only in the hAP and if possible I don't want to duplicate all of it in the cAP. I want the cAP to be dumb as possible. Would the best solution be to use CAPsMAN...
by nickb333
Mon Jan 06, 2020 10:17 pm
Forum: General
Topic: SSH problem on RBM33G
Replies: 2
Views: 1318

Re: SSH problem on RBM33G

I have a couple of these I use for LTE remote access, configured as L2TP/IPSEC clients. Here is the resource print from one that is running 6.46 stable and has been up for almost three weeks. I normally use Winbox for remote access but I've confirmed ssh is working normally. /system resource print u...
by nickb333
Fri Jan 03, 2020 1:39 am
Forum: General
Topic: creating l2tp server
Replies: 17
Views: 11107

Re: creating l2tp server

I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \
    in-interface=PPPoE ipsec-policy=in,none protocol=udp...
by nickb333
Thu Jan 02, 2020 8:32 pm
Forum: General
Topic: creating l2tp server
Replies: 17
Views: 11107

Re: creating l2tp server

I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \
    in-interface=PPPoE ipsec-policy=in,none protocol=udp ...
by nickb333
Tue Jul 23, 2019 8:35 pm
Forum: General
Topic: VPN (L2TP/IPsec) to VLAN
Replies: 11
Views: 11746

Re: VPN (L2TP/IPsec) to VLAN

Just following this really helpful thread as I have a similar configuration project for multiple L2tp users, however - /ppp secret set [find name=a1] remote-address=pg_A set [find name=a2] remote-address=pg_A set [find name=b1] remote-address=pg_B does not work on mine (version 6.44.5). It appears y...
by nickb333
Sat Dec 01, 2018 11:52 pm
Forum: General
Topic: L2TP server interface in VRF?
Replies: 2
Views: 2438

Re: L2TP server interface in VRF?

Thanks for your helpful reply. I see you posted a solution using scripts which makes things clearer to me. I've implemented VRFs on Cisco equipment but Mikrotik just doesn't work the way I was expecting it to!
by nickb333
Wed Oct 10, 2018 6:26 pm
Forum: General
Topic: L2TP server interface in VRF?
Replies: 2
Views: 2438

L2TP server interface in VRF?

Hi, I am trying to isolate L2TP connections on my router so the traffic goes into separate VRFs. I have created two static l2tp server instances /ip route vrf add interfaces=l2tp-in1,ether4 routing-mark=SYSTEM1 add interfaces=l2tp-in2,ether3 routing-mark=SYSTEM2 Created two VRFs /ip route vrf add in...
by nickb333
Wed Sep 27, 2017 11:51 pm
Forum: General
Topic: Why I am not using WinBox!
Replies: 29
Views: 7014

Re: Why I am not using WinBox!

Whilst I think it would be a nice feature to be able to vary the font size in Winbox, there is the option on Windows OS to use the magnifier feature.
by nickb333
Sun Jan 22, 2017 12:53 pm
Forum: General
Topic: L2TP/IPSEC not encrypted
Replies: 8
Views: 7022

Re: L2TP/IPSEC not encrypted

So now I've re-ordered a few rules based on your suggestions, traffic flow etc. Most of my understanding is based on experience with Cisco ACLs, ip inspect rules and some BSD pf. Cisco ACL has an implied deny-all at the bottom of the list, so need to double check I've done that on Mikrotik! [admin@O...
by nickb333
Sat Jan 21, 2017 5:22 pm
Forum: General
Topic: L2TP/IPSEC not encrypted
Replies: 8
Views: 7022

Re: L2TP/IPSEC not encrypted

It is most efficient to move the established/related rule up as much as possible. Even the ICMP rule can be below that. The rules are evaluated top to bottom and you want the established/related rule to hit as quick as possible, all rules below that will be evaluated only once for each new connecti...
by nickb333
Sat Jan 21, 2017 2:27 pm
Forum: General
Topic: CCR 1016 can not pass netbios between interfaces
Replies: 11
Views: 2712

Re: CCR 1016 can not pass netbios between interfaces

Why do you use netbios??? That is so 1985...
Is the bridge blocking broadcast traffic at layer 2 or layer 3?
by nickb333
Sat Jan 21, 2017 2:01 pm
Forum: General
Topic: L2TP/IPSEC not encrypted
Replies: 8
Views: 7022

Re: L2TP/IPSEC not encrypted

Thanks for the suggestion! I've modified the firewall rules to implement this. I'd just adapted the default firewall adding two rules to permit ESP and permit UDP 500,4500,1701 from the spoke routers (O2 UK broadband address range). Firstly I removed port 1701, which was interesting to see the IPSEC ...
by nickb333
Sat Jan 21, 2017 11:30 am
Forum: General
Topic: L2TP/IPSEC not encrypted
Replies: 8
Views: 7022

Re: L2TP/IPSEC not encrypted

Some of my output didn't paste correctly in the first attempt. Showing the ppp connections on the hub, 1 is now encrypted (expected behavior) 0 is not. [admin@O2vpn-hub] > /ppp active print detail Flags: R - radius 0 name="o2vpn2" service=l2tp caller-id="82.132.161.25" address=17...
by nickb333
Sat Jan 21, 2017 11:22 am
Forum: General
Topic: L2TP/IPSEC not encrypted
Replies: 8
Views: 7022

L2TP/IPSEC not encrypted

6.37.4(bugfix) I have a hub/spoke VPN setup using three routers with the above version. Most of the time it works OK but on occasions when the link comes up it seems to bypass the IPSEC encryption: Server [admin@O2vpn-hub] > /ppp active print detail Flags: R - radius 0 name="o2vpn2" servi...
by nickb333
Wed Aug 05, 2015 8:35 pm
Forum: RouterBOARD hardware
Topic: RB750 Enclosures?
Replies: 3
Views: 994

Re: RB750 Enclosures?

These were pre-owned RB750s that I purchased via Ebay that came without cases. If the white cases aren't available separately I will just go ahead and find an alternative as these RBs are only going to be used for training purposes.

Thanks for your help guys.
by nickb333
Sat Jul 25, 2015 2:00 pm
Forum: RouterBOARD hardware
Topic: RB750 Enclosures?
Replies: 3
Views: 994

RB750 Enclosures?

I have just acquired two RB750 boards (my first Mikrotik hardware!). Whilst I'm currently experimenting with them, I would eventually like to put them in tidy boxes. Are there any suitable enclosures available or can I obtain the plastic cases from a Mikrotik dealer? If so what part number should I be...