Community discussions

Search found 110 matches

by n4p
Wed Oct 02, 2019 9:05 pm
Forum: General
Topic: IPSec Side to Side | One Side behind NAT not working
Replies: 2
Views: 316

Re: IPSec Side to Side | One Side behind NAT not working

Hi,
thanks for your answer, but I think I found the problem. Looks like the IPSec-ESP protocol gets blocked between both devices. On the client side I tried to enforce NAT-T and now it works over udp 4500.
by n4p
Wed Oct 02, 2019 4:03 pm
Forum: General
Topic: IPSec Side to Side | One Side behind NAT not working
Replies: 2
Views: 316

IPSec Side to Side | One Side behind NAT not working

Hi there, I am currently setting up some ipsec tunnels. On the central side I have two wan connections: one connection with a static address without NAT and the second one with LTE (behind NAT). Failover etc. is working. But what I can't get working is the ipsec site-to-site with the static address? If centra...
by n4p
Tue Oct 01, 2019 5:07 pm
Forum: General
Topic: IPSec Side-to-Side with Multiple Routen
Replies: 1
Views: 321

IPSec Side-to-Side with Multiple Routen

Hi, I'm currently configuring multiple ipsec site-to-site connections. To get it working you need to configure the local (src. address) subnet in the ipsec policy. That works pretty fine if I have only one subnet on the central station. But if I have multiple subnets on the central side I need to configure ...
by n4p
Mon Sep 30, 2019 4:14 pm
Forum: General
Topic: IPSec with multiple WAN Adresses
Replies: 3
Views: 395

Re: IPSec with multiple WAN Adresses

Thanks for this nice idea, but this is not supported by the devices on the second side.
Any other solutions?
by n4p
Mon Sep 30, 2019 2:11 pm
Forum: General
Topic: IPSec with multiple WAN Adresses
Replies: 3
Views: 395

IPSec with multiple WAN Adresses

Hi,
I am currently renewing my setup and wanna ask if there is any better method available to use ipsec for multiple wan addresses instead of using netwatch and pinging anything?
I can't create two policies with the same src & dst, but with different sa src. address.

Thanks for help!
by n4p
Thu Sep 26, 2019 10:40 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 149
Views: 18794

Re: Suggestion: Completely virtual router based on two physical routers

Yes, I would use a dark fiber for the sync. But you're right, the problem is the cleartext...

Thanks

Especially I get an idea for monitoring those connections.
by n4p
Thu Sep 26, 2019 9:58 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 149
Views: 18794

Re: Suggestion: Completely virtual router based on two physical routers

Thanks for sharing your script. Yes, I was thinking about a man-in-the-middle attack on this board. As far as I know the file sync goes through smb or FTP? So with man in the middle you can gather information about PSK etc. Or am I completely wrong? I know it depends on my different setup where the r...
by n4p
Thu Sep 26, 2019 9:03 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 149
Views: 18794

Re: Suggestion: Completely virtual router based on two physical routers

OK, yes the layer2 is extended, but I would use a completely different way for sync. So if I install an EOIP tunnel before hainstall, would this work if I select the EOIP interface?

May you share your script?
by n4p
Thu Sep 26, 2019 8:16 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 149
Views: 18794

Re: Suggestion: Completely virtual router based on two physical routers

OK, one last question, would it be possible to secure the sync ports, especially through an EOIP tunnel or something? I need to make a setup where the routers are not placed in the same room. And is it possible to build IPSec tunnels with certificates? With PSK it works great in a failover, but will the...
by n4p
Thu Sep 26, 2019 2:02 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 149
Views: 18794

Re: Suggestion: Completely virtual router based on two physical routers

Thanks! It's working now :) Just another question, if I execute SwitchRole I get the following output: /delay 2; :do { /ip smb shares add comment=HA_AUTO name=mkdir disabled=yes directory=/skins } on-error={} /ip smb shares set [find comment=HA_AUTO] directory="pub" /ip smb shares set [find comment=...
by n4p
Thu Sep 26, 2019 11:44 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 149
Views: 18794

Re: Suggestion: Completely virtual router based on two physical routers

Hi,
but I need to add those scripts on the vrrp (on master and on backup), right?
Or is there any logic included so that all scripts with *_on_backup will be executed?
Thanks
by n4p
Wed Sep 25, 2019 12:55 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 149
Views: 18794

Re: Suggestion: Completely virtual router based on two physical routers

Thanks for this great script, I am trying to get it working on two CCR1009-7G-1C-1S+.
After some trouble it seems to work.

Another question, is there any possibility to use the usr-led for showing which router is active and which one is passive?

Thanks in advance.
by n4p
Thu Apr 04, 2019 12:38 pm
Forum: General
Topic: Ensure GRE is going trough IPsec with Firewall
Replies: 2
Views: 311

Ensure GRE is going trough IPsec with Firewall

Hi there, I am currently struggling a little bit. To get gre working through ipsec I need to add a rule to allow gre from the same source where the ipsec establishes. So if I understand that right, gre would be open as a port from this source? If I disable that rule gre won't work any more. So wha...
by n4p
Thu Dec 20, 2018 8:57 pm
Forum: RouterBOARD hardware
Topic: Connect hap ac lite to poe+ switch
Replies: 9
Views: 834

Re: Connect hap ac lite to poe+ switch

Ah,
that's a nice idea, I will give it a try!
Thanks!

GSW-1600HP is the switch I prepared with this setup.
by n4p
Thu Dec 20, 2018 8:50 pm
Forum: RouterBOARD hardware
Topic: Connect hap ac lite to poe+ switch
Replies: 9
Views: 834

Re: Connect hap ac lite to poe+ switch

Yes, the switch uses the 802.3af/at standard. But it's not working correctly if I connect the hap ac lite to the switch. The switch tries to power the hap ac lite, which is shown by the poe led on the switch. The hap ac lite did not power on. As far as we know 802.3xxx is not compatible with passive poe. And if...
by n4p
Thu Dec 20, 2018 8:31 pm
Forum: General
Topic: Ipsec Site to Site with certificate
Replies: 5
Views: 746

Re: Ipsec Site to Site with certificate

Nobody with an idea?
by n4p
Thu Dec 20, 2018 8:22 pm
Forum: RouterBOARD hardware
Topic: Connect hap ac lite to poe+ switch
Replies: 9
Views: 834

Connect hap ac lite to poe+ switch

Hi there,
I need to connect a hap ac lite to a poe+ switch. As far as I know this would not work, because the hap ac only uses passive poe and not poe+.
Is there any way to disable the poe in on the hap ac lite so that I can still connect them?

Thanks
by n4p
Tue Dec 18, 2018 9:55 pm
Forum: General
Topic: Ipsec Site to Site with certificate
Replies: 5
Views: 746

Re: Ipsec Site to Site with certificate

Any news about that? Still trying around but no chance to get it working. The only log entry shown is: Can't get private key. So what is wrong there? I created a certificate for the server (tls-server) and another one for the client (tls-client), installed the certificate on the client and configured the pee...
by n4p
Mon Dec 10, 2018 9:59 pm
Forum: General
Topic: Ipsec Site to Site with certificate
Replies: 5
Views: 746

Ipsec Site to Site with certificate

Hi
I am trying to configure a connection between two ccr1009 and encrypt this with ipsec.
If I try to use psk everything works fine. But I wanna use certificates instead. I searched for some time but I didn't find any tutorial on how to do this.

So I wanna ask, would this be possible?
Thanks
by n4p
Tue Aug 28, 2018 2:23 pm
Forum: The Dude
Topic: Show the way RSTP uses
Replies: 1
Views: 682

Re: Show the way RSTP uses

Any news about that?
Still need to know which way is currently in use.

I found some snmp mibs about bridge, but those are not working with mikrotik. So what can I do?
by n4p
Mon Jul 23, 2018 4:05 pm
Forum: General
Topic: IPSec PH-1 did not working with sha256
Replies: 8
Views: 665

Re: IPSec PH-1 did not working with sha256

That's a great idea, security vulnerabilities are also fixed in the stable branch, right?
Could I simply downgrade as upgrade?

Thanks
by n4p
Mon Jul 23, 2018 3:44 pm
Forum: General
Topic: IPSec PH-1 did not working with sha256
Replies: 8
Views: 665

Re: IPSec PH-1 did not working with sha256

Thanks for your really really quick help!
That fixed my issue, any idea how I can fix that to continue working with winbox?

Thanks!
Kind regards
by n4p
Mon Jul 23, 2018 3:25 pm
Forum: General
Topic: IPSec PH-1 did not working with sha256
Replies: 8
Views: 665

Re: IPSec PH-1 did not working with sha256

Hi,
I am currently running 6.43rc4 on the ccr.
Instead I try it with another vendor's router as decentral device and the same thing happens. So there must be something wrong with my ccr.

I added a screenshot from the ipsec logs
by n4p
Mon Jul 23, 2018 2:57 pm
Forum: General
Topic: IPSec PH-1 did not working with sha256
Replies: 8
Views: 665

Re: IPSec PH-1 did not working with sha256

Yes,
that's what I have done, but it's still not working.
I am currently trying it again but it won't work. If I change the settings for phase1 on both devices to sha1/aes128/dh1024 everything works great and then I can use sha256/aes256/dh4096 for phase2.

But phase1 did not work.
by n4p
Mon Jul 23, 2018 2:41 pm
Forum: General
Topic: IPSec PH-1 did not working with sha256
Replies: 8
Views: 665

IPSec PH-1 did not working with sha256

Hi there, I am trying to establish a site to site tunnel with a mikrotik ccr1009 as central unit and a component from another reseller as decentral unit. If I configure the phase 1 to sha1 everything works fine! But if I change the settings to sha256 for phase1 I get in the mikrotik log the following...
by n4p
Wed Jul 04, 2018 7:25 pm
Forum: General
Topic: EoIP with higher IPSec Security
Replies: 6
Views: 2018

Re: EoIP with higher IPSec Security

Hi there,
any news about eoip automatically generating the ipsec tunnel with more than sha1 and aes128? Or do I still need to do this by hand?

kind regards
by n4p
Wed May 02, 2018 8:37 pm
Forum: The Dude
Topic: Show the way RSTP uses
Replies: 1
Views: 682

Show the way RSTP uses

Hi there,
I wanna use dude to monitor my ring topology. So my question is, is it possible to display the way which rstp is currently using?

I need that to detect if there is a link down or something.

Thanks!
by n4p
Wed May 02, 2018 8:35 pm
Forum: Forwarding Protocols
Topic: Block traffic between eoip tunnels
Replies: 2
Views: 507

Block traffic between eoip tunnels

Hi,
I wanna ask if it would be possible to block traffic between multiple eoip tunnels connected to the same bridge interface.
They should only be able to talk to one physical port connected to the bridge.

Thanks!
by n4p
Thu Apr 26, 2018 4:44 pm
Forum: General
Topic: Discovery Protocol only on specified interfaces
Replies: 7
Views: 869

Re: Discovery Protocol only on specified interfaces

@pe!chl & 2frogs
Thanks, I already found it and configured it.
by n4p
Tue Apr 24, 2018 8:27 pm
Forum: General
Topic: Discovery Protocol only on specified interfaces
Replies: 7
Views: 869

Re: Discovery Protocol only on specified interfaces

Yes, meaning it's already implemented, or yes, you like my idea?

Sent from my HUAWEI GRA-L09 using Tapatalk

by n4p
Mon Apr 23, 2018 11:03 pm
Forum: General
Topic: Discovery Protocol only on specified interfaces
Replies: 7
Views: 869

Discovery Protocol only on specified interfaces

Hi there, I really like the discovery Protocol, but I also think that it increases my system security if every device broadcasts. So would it be possible to define on which interface the discovery Protocol should work? I've got a management ring and only there it should be enabled. Thanks for your h...
by n4p
Tue Apr 17, 2018 7:19 am
Forum: Forwarding Protocols
Topic: What L2-VPN should be used?
Replies: 11
Views: 1117

Re: What L2-VPN should be used?

@czfan

Yes I know, that's what I need. I'm running very special components behind the tiks and those need L2 transparency.
Otherwise they need to be reconfigured and that's a really really hard job now and can cause instability.

Sent from my HUAWEI GRA-L09 using Tapatalk

by n4p
Sun Apr 15, 2018 7:33 pm
Forum: General
Topic: EoIP with higher IPSec Security
Replies: 6
Views: 2018

Re: EoIP with higher IPSec Security

Yeah it would be really nice if this feature would be added, because I had to configure a lot of tunnels by hand. If it would be implemented that I can choose the profile, I wouldn't need to configure a separate ipsec tunnel for each peer and can use eoip with secret. Or is there any other way that the ...
by n4p
Sat Apr 14, 2018 6:21 pm
Forum: General
Topic: EoIP with higher IPSec Security
Replies: 6
Views: 2018

EoIP with higher IPSec Security

Hi there, I wanna ask if there is an idea in the future to make it possible that I can select which sha or aes I will use? Currently there is only sha1 and aes128 available, but sha1 is already known as vulnerable. So currently there is only one way to fix this, you have to set up an ipsec tunnel and ...
by n4p
Fri Apr 13, 2018 4:06 pm
Forum: Forwarding Protocols
Topic: What L2-VPN should be used?
Replies: 11
Views: 1117

Re: What L2-VPN should be used?

So you mean at first ipsec site to site and then over that eoip? Correct?
Thanks!
by n4p
Thu Apr 12, 2018 6:14 pm
Forum: Forwarding Protocols
Topic: What L2-VPN should be used?
Replies: 11
Views: 1117

Re: What L2-VPN should be used?

Is there any possibility to increase the encryption if I use eoip + ipsec secret?

Sha1 is already known as vulnerable. And as far as I know routeros supports sha256 and more.

Thanks

Sent from my HUAWEI GRA-L09 using Tapatalk

by n4p
Wed Apr 11, 2018 8:55 pm
Forum: Forwarding Protocols
Topic: What L2-VPN should be used?
Replies: 11
Views: 1117

Re: What L2-VPN should be used?

Yes I have optical links. But I won't use mpls or vpls. Today I tried eoip + ipsec secret with rstp and multiple links. It works fine. I also tried openvpn with tap tunnel and rstp it also works very well. (aes256) So if I understand you correctly you would prefer eoip over ipsec instead of eoip wit...
by n4p
Tue Apr 10, 2018 10:48 pm
Forum: Forwarding Protocols
Topic: What L2-VPN should be used?
Replies: 11
Views: 1117

Re: What L2-VPN should be used?

I wouldn't think so. Because for L2 VPN the options are limited as far as I know.

What I need is L2 transparency between head and substation. And that secure.
The bandwidth I have to get through this tunnel is very small.
Max. 1mbit. (limited by the wan connections)

So what more do you need?

by n4p
Tue Apr 10, 2018 7:44 pm
Forum: Forwarding Protocols
Topic: What L2-VPN should be used?
Replies: 11
Views: 1117

What L2-VPN should be used?

Hi there, I am searching for the best vpn standard to realise a layer 2 vpn tunnel between 1 headstation and 2-3 substations. Those substations are connected redundantly to the headstation and are using ospf. It should be as secure as possible and make no problems if the routing from ospf changes. Layer3 V...
by n4p
Tue Jan 09, 2018 5:27 pm
Forum: General
Topic: vrrp & ipsec
Replies: 5
Views: 500

Re: vrrp & ipsec

Ok, but I am using passive listening for ipsec on the mikrotik router, so they won't establish any connection by themselves.
Should this be the fix?
Yes the script would be the second way. As far as I know I can start a script if the master changes?
by n4p
Tue Jan 09, 2018 4:22 pm
Forum: General
Topic: vrrp & ipsec
Replies: 5
Views: 500

Re: vrrp & ipsec

I thought I only need to establish the connection to the vRouter in the vrrp-Cluster?
by n4p
Tue Jan 09, 2018 3:00 pm
Forum: General
Topic: vrrp & ipsec
Replies: 5
Views: 500

Re: vrrp & ipsec

Nobody got an idea how to do this?
by n4p
Tue Dec 19, 2017 6:56 pm
Forum: General
Topic: vrrp & ipsec
Replies: 5
Views: 500

vrrp & ipsec

Hi there, I wanna ask if there is any common way to configure a vrrp setup (2 routers) with ipsec site to site? Vrrp is currently running as it should. But now I wanna add ipsec to the virtual master. So what is the right way to do that? Just for information, I will have 2 routers with vrrp in office...
by n4p
Mon Nov 20, 2017 6:59 pm
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

I have been testing a 180-T but it seems to resync every 10-12 hours. It does sync at a high speed on my line, and latency is low when it is working, but drops twice a day. Has anyone else seen this sort of instability ? Nick Hey Nick, Can't confirm that. For me here in Austria the module works abso...
by n4p
Fri Nov 17, 2017 7:22 pm
Forum: Beginner Basics
Topic: tcp/554 and tcp/555 open, why?
Replies: 10
Views: 1196

Re: tcp/554 and tcp/555 open, why?

Hi k6ccc, yes up there you can see my default firewall setup. As described in the first post I made a scan with just only these rules and see port 554 & 555 as open. After that I tried to add an input rule which matches these ports and drops them, but nothing happens and the ports are still open. Between ...
by n4p
Fri Nov 17, 2017 10:35 am
Forum: Beginner Basics
Topic: tcp/554 and tcp/555 open, why?
Replies: 10
Views: 1196

Re: tcp/554 and tcp/555 open, why?

Yes,
there are only two dst-nat rules. But those have nothing to do with port 554 & port 555.
It's currently not possible to make an export from the nat rules, but there is only port 443 and a special port 55372.

So that can't be the fault.
by n4p
Thu Nov 16, 2017 4:11 pm
Forum: Beginner Basics
Topic: tcp/554 and tcp/555 open, why?
Replies: 10
Views: 1196

Re: tcp/554 and tcp/555 open, why?

Hm,
nobody got an idea why those ports are open? It looks really confusing because with the drop-rules in the firewall set, everything else except ipsec and icmp should be locked out. So why open?
by n4p
Wed Nov 15, 2017 5:34 pm
Forum: Beginner Basics
Topic: tcp/554 and tcp/555 open, why?
Replies: 10
Views: 1196

Re: tcp/554 and tcp/555 open, why?

Hi Steve, here is the preferred output from the firewall rule-set. /ip firewall filter add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn add action=add-src-to-addres...
by n4p
Mon Nov 13, 2017 2:10 pm
Forum: Beginner Basics
Topic: tcp/554 and tcp/555 open, why?
Replies: 10
Views: 1196

tcp/554 and tcp/555 open, why?

Hi there, I successfully configured my firewall settings on the rb2011. After that I wanted to make a check with an external connection pointed to my ip address and used nmap. The confusing thing is that nmap every time shows port 554/tcp and port 555/tcp as open. So I add a new rule to the firewall and ...
by n4p
Fri Nov 10, 2017 9:29 am
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

I currently have RC6.41 on my RB2011, will take a look as soon as I am at home if there are any stats available. Through winbox I didn't find anything.

Edit: DSL Not available here until now.
by n4p
Fri Nov 10, 2017 9:21 am
Forum: Beginner Basics
Topic: Portforwarding with pppoe won't work
Replies: 5
Views: 2103

Re: Portforwarding with pppoe won't work

Yes, adding the in-interface fixed the problem of reaching https websites from the local subnet. But now I am stuck, I can't reach my local website through the external ip-address. Any idea how to fix that?
by n4p
Fri Nov 10, 2017 7:33 am
Forum: Beginner Basics
Topic: Portforwarding with pppoe won't work
Replies: 5
Views: 2103

Re: Portforwarding with pppoe won't work

Here is the current export from nat: # nov/10/2017 06:29:34 by RouterOS 6.41rc52 # software id = R3IZ-BBCZ # # model = 2011UiAS # serial number = 763107FDC325 /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\ pppoe-out1 add action=dst-nat chain=dstnat...
by n4p
Thu Nov 09, 2017 7:41 am
Forum: Beginner Basics
Topic: Portforwarding with pppoe won't work
Replies: 5
Views: 2103

Portforwarding with pppoe won't work

Hi there, I am currently a little bit confused, because the portforwarding with the pppoe connection won't work. It's not my first Routerboard where I do this but the first with pppoe. So what I already have done is to set up the default masquerade rule for the out-interface and place it as first. I...
by n4p
Thu Nov 09, 2017 7:33 am
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

After a long time waiting my sfp arrived yesterday. And what should I say, it works as described with my VDSL connection (40/10).

Hopefully a newer ROS can read out the connection state from the module.

Sent from my HUAWEI GRA-L09 using Tapatalk
by n4p
Wed Nov 01, 2017 8:53 pm
Forum: RouterBOARD hardware
Topic: Switch/Router 24G-1S Request
Replies: 4
Views: 731

Re: Switch/Router 24G-1S Request

Thanks for the link!
That would be great! Hopefully they would add a pretty nice cpu to this Switch/Router then it would be really awesome.

Any ideas when this Switch/Router will be released?
by n4p
Tue Oct 31, 2017 11:18 pm
Forum: RouterBOARD hardware
Topic: Switch/Router 24G-1S Request
Replies: 4
Views: 731

Switch/Router 24G-1S Request

Hi, I wanna ask if there are any plans for the future for 24-port switches that include 2-5 POE out ports, run RouterOS and have at least 1 SFP port? Would really like such a device for small business or home use combined with WAP AC. Thanks for the answer. Sent from my HUAWEI GRA-L09 ...
by n4p
Fri Oct 20, 2017 12:54 pm
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

Can't wait for it!!! Still waiting for my preorder from Allnet, but they can't ship before Q1/2018.



Sent from my HUAWEI GRA-L09 using Tapatalk
by n4p
Wed Oct 11, 2017 10:50 pm
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

Got the Procend 180-T ..[cut].. I will post some results.. Interesting, I'll wait for news. Have anyone links of EU/shops where these modules are available? thanks.. Yeah, that would be very interesting. I am already in contact with Allnet but they mean that they can't ship before Q1/2018. So i hop...
by n4p
Thu Oct 05, 2017 4:10 pm
Forum: General
Topic: 2 Internet Connections, one for Inbound and one for Outbound
Replies: 4
Views: 555

Re: 2 Internet Connections, one for Inbound and one for Outbound

Hi, I think I found the solution, there was a description in the forum, so I followed that and configured that on my RB2011. Currently it looks like it works correctly, all connections from the local LAN go through WAN1, where the router without the ability to set up any portforwarding is. And if I connect a s...
by n4p
Thu Oct 05, 2017 2:20 pm
Forum: General
Topic: 2 Internet Connections, one for Inbound and one for Outbound
Replies: 4
Views: 555

Re: 2 Internet Connections, one for Inbound and one for Outbound

Thanks for the answer,
but do I really need to use mangle there?
Can't I do this with route distance?
by n4p
Thu Oct 05, 2017 7:37 am
Forum: General
Topic: 2 Internet Connections, one for Inbound and one for Outbound
Replies: 4
Views: 555

2 Internet Connections, one for Inbound and one for Outbound

Hi, I wanna ask if it would be possible to set up two internet connections where one is for inbound traffic and one for outbound traffic. Or a little bit clearer, I have to set up a mikrotik router (router B) behind another router (router A). And I can't configure any portforwardings or something on r...
by n4p
Mon Sep 25, 2017 9:07 pm
Forum: RouterBOARD hardware
Topic: CRS switch (CRS125) and wired RADIUS authentication
Replies: 2
Views: 794

Re: CRS switch (CRS125) and wired RADIUS authentication

I am also interested in this setup,
can you give some feedback if you get that working?
by n4p
Wed Sep 20, 2017 8:21 pm
Forum: Wireless Networking
Topic: wap AC for home usage indoor?
Replies: 7
Views: 1137

Re: wap AC for home usage indoor?

Yes you are right, sorry for the wrong description. I mean switches with RouterOS :) So what I wanna have is
VDSL through SFP (SFP should arrive soon)
IPSEC/L2TP for Smartphones/Laptop
Capsman for 2 wap AC
simple Firewall for Home-use
little bit Routing
That's it, I think the bottle neck would be the...
by n4p
Mon Sep 18, 2017 10:12 pm
Forum: Wireless Networking
Topic: wap AC for home usage indoor?
Replies: 7
Views: 1137

Re: wap AC for home usage indoor?

Sorry for pushing this thread, but I am currently thinking about buying one of these routers. At work I only had to do with the CCR series. But for home usage I wanna get one device that can do everything for me, so what would be better? CRS125-24G-1S-RM vs CRS326-24G-2S+RM? I only need one SFP, so thats ...
by n4p
Sun Aug 06, 2017 8:16 pm
Forum: Scripting
Topic: Improvments for WAN-Backup Script
Replies: 4
Views: 897

Re: Improvments for WAN-Backup Script

Push,
no one got an idea for improvement?
by n4p
Sun Aug 06, 2017 8:14 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

Thanks!
Now it's working as mentioned!
I will try it out with nmap if it is working correctly :)

But until then,
Thanks Chris!
by n4p
Tue Aug 01, 2017 4:36 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

The problem now looks the same as described in post 3 with ip-firewall in use.
So what can be the problem here?

Do I need different ip-addresses on one side to get it working?

Or doesn't the router support what I wanna do?
by n4p
Mon Jul 31, 2017 2:59 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

Yes that's right, I don't need dns or something like that. Do you mean I need to specify the source and the destination address? Please remember, those are the same subnet. The ping rule and the drop rule work as expected. The problems are only with the tcp :( Looks like the ack,syn packets are ge...
by n4p
Mon Jul 31, 2017 2:34 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

So, here we are. I already tried something, but the same happens as with the ip-firewall. If I select port/protocol it stops working. Current bridge filter looks like this: add action=accept chain=forward comment="HTTP allow" \ dst-address=172.19.102.0/24 dst-port=80 in-interface=ether8 ip-protoco...
by n4p
Fri Jul 28, 2017 12:27 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

Yes, you are right, I wanna filter inside the VLAN. Or especially on the untagged out port. Don't know what's better. I already tried the way with the bridge firewall, but there I didn't find the config for dest. port or something anywhere. Just for understanding, in the esx system there are window...
by n4p
Fri Jul 28, 2017 12:07 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

Just to help you understand what I wanna do. Outside this ESX cluster is an unsecure network. I mean both subnets. The traffic amount from the esx cluster out to those subnets is minimal. I speak in kb size. So I thought the right way would be ip-firewall. But if you have another solution i...
by n4p
Fri Jul 28, 2017 11:11 am
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

I am cooperative, but it seems you didn't understand that the second router has nothing to do with the setup which I need on this router. But if it is easier for you let's start anew. I take another RB2011 and wanna make this setup only on this standalone router. Is that ok for you? I would think...
by n4p
Thu Jul 27, 2017 10:54 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

I think you didn't understand what I wanna do? I already posted the configuration where I had to start. The second RB2011 has nothing to do with this scenario.

I simply wanna add firewall rules for those bridges vlan 700 and 800.
by n4p
Thu Jul 27, 2017 8:41 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

Hello, no this router just has to add a vlan tag to different subnets. Port 1-5 terminates on a second rb2011 also on port 1-5 and those are connected through sfp. The important thing for me starts now on port 6 until 8. I connect 2 subnets, one on port 7 and one on port 8. The router should add the...
by n4p
Thu Jul 27, 2017 5:18 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

Here you are [admin@MikroTik] > /export compact # jan/12/1970 03:05:01 by RouterOS 6.39.2 # software id = DIJI-TXA7 # /interface bridge add name=bridge-vlan200 add name=bridge-vlan300 add name=bridge-vlan400 add name=bridge-vlan500 add name=bridge-vlan600 add name=bridge-vlan700 add name=bridge-vlan...
by n4p
Thu Jul 27, 2017 1:36 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

Bump

Sent from my HUAWEI GRA-L09 using Tapatalk
by n4p
Wed Jul 26, 2017 11:06 am
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

Re: VLAN Firewall

Thanks for your answer, now I see the connection on the connection list. The firewall rules work, but I got troubles with limiting the ports. Especially if I try to limit the port so that only port 80 is allowed, it fails. Here are the logs with only tcp allowed, any port: 20:51:12 firewall,info forward: in:b...
by n4p
Mon Jul 24, 2017 5:58 pm
Forum: General
Topic: VLAN Firewall
Replies: 22
Views: 3943

VLAN Firewall

Hi, I've a RB2011 running, there I have connected 3 subnets without vlan. So I use the RB2011 to bridge the 3 subnets (connected on port 7 till 9) to port 6 with a VLAN tag. On port 6 my esxi server is connected. Till now everything works fine. But what I wanna do now is, to install a firewall betwee...
by n4p
Sat Jul 22, 2017 12:20 pm
Forum: Scripting
Topic: Improvments for WAN-Backup Script
Replies: 4
Views: 897

Re: Improvments for WAN-Backup Script

Nobody got an improvement?
by n4p
Wed Jul 19, 2017 3:03 pm
Forum: Scripting
Topic: Improvments for WAN-Backup Script
Replies: 4
Views: 897

Improvments for WAN-Backup Script

Hi, we got a cloud core router with 2 wan connections. Connection type is LTE. As known there are sometimes troubles with the LTE connection so I made a backup for that connection (also LTE, but at a different location). The script is currently working as expected, but it would be great if anybody ...
by n4p
Fri Jul 07, 2017 2:17 pm
Forum: RouterBOARD hardware
Topic: cAP with ac WLAN?
Replies: 8
Views: 1959

Re: cAP with ac WLAN?

Yep,
already found this device, but I love the look of the cap.
I mean it fits better on the wall.
by n4p
Fri Jul 07, 2017 12:57 pm
Forum: RouterBOARD hardware
Topic: cAP with ac WLAN?
Replies: 8
Views: 1959

cAP with ac WLAN?

Hi,
are there any plans for the future with cAP supporting ac WLAN?
I wanna use capsman, so I can't/won't use ubiquiti.

Thanks for feedback.
by n4p
Fri Jul 07, 2017 11:25 am
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

Any news out there?
Is the VDSL SFP now working with Mikrotik correctly?
by n4p
Fri Jul 07, 2017 11:21 am
Forum: Scripting
Topic: Script to disable IPSec peers
Replies: 14
Views: 4765

Re: Script to disable IPSec peers

Thanks for the answer, my idea is not only to disconnect them, I wanna disable their profile. For our setup it's not possible that this happens anytime, only if anybody tries to attack the server. The outstanding peers normally should connect every time and stay up. So what I had done until now is: I added Fi...
by n4p
Wed Jul 05, 2017 9:40 pm
Forum: Scripting
Topic: Script to disable IPSec peers
Replies: 14
Views: 4765

Re: Script to disable IPSec peers

That's not really a help for me, because I use side to side tunnel. And if there is a security issue I wanna block this tunnel.
But if there is nothing the tunnel should be up every time.
by n4p
Sun Jul 02, 2017 8:51 pm
Forum: Scripting
Topic: Script to disable IPSec peers
Replies: 14
Views: 4765

Re: Script to disable IPSec peers

The idea behind that was to make the system more secure. I have only one engine behind every IPsec tunnel.

And if there was a security issue or somebody tries to attack the server I wanna block them completely until an employee takes a look at those engines.
by n4p
Sat Jul 01, 2017 9:44 pm
Forum: Scripting
Topic: Script to disable IPSec peers
Replies: 14
Views: 4765

Re: Script to disable IPSec peers

Yeah, it would be great if you can give me some advice. My idea was to check the address list every second or something like that and look if there is a peer with name blacklist. There I need to look about the IP range if it is 172.8.10.xxx or 172.8.11.xxx and search with this for the matching ipsec ...
by n4p
Fri Jun 30, 2017 1:38 pm
Forum: Scripting
Topic: Script to disable IPSec peers
Replies: 14
Views: 4765

Re: Script to disable IPSec peers

Hi, I need to push this thread, because I am currently searching for the same solution. Is there any way to disable IPsec peers with a script which looks on the firewall address list? Background for that is, I detect bad peers on the firewall and blacklist them. To prevent them from doing more bad stuff I w...
by n4p
Thu Jun 29, 2017 9:31 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 1935

Re: IPSec Site to Site Firewall

I got it working! The way how it was done is: I set up 3 forwarding rules with Destination the local subnet where the IPsec traffic terminates. And there I drop all except ICMP and the specified TCP port. To make that more sensitive I set up a whitelist which includes the allowed clients. On the Client ...
by n4p
Thu Jun 29, 2017 5:58 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 1935

Re: IPSec Site to Site Firewall

Hi, I tried your idea with the two policies but it didn't work, if I disable one, the other one starts working. So I would say my UMTS-Router didn't support that. The second way with blocking the bridge (where the local ports are connected) also won't work :( I tried to add a rule with drop any but it does...
by n4p
Mon Jun 26, 2017 11:47 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 1935

Re: IPSec Site to Site Firewall

Just one information, as far as I know in the policy I can only specify one protocol or one port. Or I am wrong with my information. I will see tomorrow and try that out. Just for information, the CPU load and the bandwidth are just idling around, because we got traffic in 1-5kb ranges and about 1000...
by n4p
Sun Jun 25, 2017 5:52 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 1935

Re: IPSec Site to Site Firewall

Thanks for your instruction, so if I am right, I can handle that with the policies? Just read the wiki as described. So if I change the policy that only TCP traffic from port 3002 is allowed that should do the trick? Any other traffic will be blocked because not encrypted? Or I'm still wrong? But ju...
by n4p
Sun Jun 25, 2017 4:00 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 1935

Re: IPSec Site to Site Firewall

Hello! Thanks for answer. The Problem is I can't do a Ipsec/L2TP setup. The only way I can go is site-to-site. To understand what I got: computer(172.10.20.2)--------3G/UMTS-Modem(172.10.20.1)-------- IPSEC-------Mikrotik(172.10.0.1)------server(172.10.0.2) The problem is, that the modem outside onl...
by n4p
Sun Jun 25, 2017 2:25 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 1935

Re: IPSec Site to Site Firewall

No Comment?
Also not to my last idea with routing the encrypted IPsec traffic through 2 ports?
by n4p
Thu Jun 22, 2017 5:59 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 1935

Re: IPSec Site to Site Firewall

Nobody got an idea for help?
GRE Tunnel or L2TP is no option.
Because my Road Warriors didn't support that.
Would it be possible with a Loop from outgoing Port 6 to Port 7 and Firewall unencrypted between Port 7 and 8?

Or is this a stupid idea?
by n4p
Fri Jun 09, 2017 7:07 am
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

@milotop
Where did you get your sfp of type 180-T?
I also wanna order one and wanna try if it works with our specs.

Sent from my HUAWEI GRA-L09 using Tapatalk
by n4p
Mon Jun 05, 2017 7:49 pm
Forum: RouterBOARD hardware
Topic: Upgrade for CRS125 ?
Replies: 2
Views: 376

Re: Upgrade for CRS125 ?

Thanks for your answer! Sounds really interesting!
Hopefully they also increased the cpu power. Doesn't need to be a big jump, but just a little bit more.

And it will be amazing to use the poe-out with wap ac etc. :)
Much less installation required
by n4p
Mon Jun 05, 2017 4:09 pm
Forum: RouterBOARD hardware
Topic: Upgrade for CRS125 ?
Replies: 2
Views: 376

Upgrade for CRS125 ?

Hi, I wanna know if there is a plan for upgrading the CRS125 in future days? Because I really like those devices, 24 Port Switch with a small Router included. But with higher bandwidth the router gets on his limit. So my question is there any CPU increase in plan? Or another idea is to offer some mo...
by n4p
Tue May 30, 2017 5:34 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 1935

Re: IPSec Site to Site Firewall

Thanks for answer,
can you give me a little input how to configure this?
Or there are any templates how to do that?

Thanks
by n4p
Mon May 29, 2017 4:10 pm
Forum: General
Topic: IPSec Site to Site Firewall
Replies: 16
Views: 1935

IPSec Site to Site Firewall

Hi there! I try to find out how it would be possible to attach Firewall rules between the IPsec site to site tunnel. My goal is to close this tunnel and only allow 1 TCP protocol on port 3002 and ICMP. So my question is, what is the right way for that? Do I need to set up the rules on the outgoing po...
by n4p
Mon May 15, 2017 10:47 am
Forum: Beginner Basics
Topic: VLAN between 2x RB2011 over SFP
Replies: 4
Views: 576

Re: VLAN between 2x RB2011 over SFP

Here it is: Router A, here I wanna join the switch from router B.
/interface bridge
add admin-mac=E4:8D:8C:27:3D:15 auto-mac=no comment=defconf name=bridge
add name=bridge-vlan200
add name=bridge-vlan300
add name=bridge-vlan400
add name=bridge-vlan500
add name=bridge-vlan600
/interface ethernet
set ...
by n4p
Fri Apr 21, 2017 10:03 am
Forum: Wireless Networking
Topic: wap AC for home usage indoor?
Replies: 7
Views: 1137

Re: wap AC for home usage indoor?

Ok, it only would be great if those would be available in another Design :-) specially like Cap.

Sent from my HUAWEI GRA-L09 using Tapatalk
by n4p
Fri Apr 21, 2017 8:32 am
Forum: Wireless Networking
Topic: wap AC for home usage indoor?
Replies: 7
Views: 1137

Re: wap AC for home usage indoor?

Thanks for your quick answer! Did the traffic through the capsman also work fine?

I think switching traffic wouldn't be necessary?

I wanna use this with a 100/50mbit VDSL Connection.

Thanks in advance!
Manuel


Sent from my HUAWEI GRA-L09 using Tapatalk
by n4p
Fri Apr 21, 2017 8:27 am
Forum: Beginner Basics
Topic: VLAN between 2x RB2011 over SFP
Replies: 4
Views: 576

Re: VLAN between 2x RB2011 over SFP

Sounds good, can you give me any idea how I can do this?



Sent from my HUAWEI GRA-L09 using Tapatalk
by n4p
Thu Apr 20, 2017 8:05 pm
Forum: Wireless Networking
Topic: wap AC for home usage indoor?
Replies: 7
Views: 1137

wap AC for home usage indoor?

Hi, I'm currently planning the network setup from our new building. And because I work in my company with MikroTik I thought it can't be bad for home use? So my idea is to use the CRS125-24G-1S-RM as Switch/Router and two wapAC together as access points with capsman. Will this work pretty good? Or th...
by n4p
Thu Apr 20, 2017 7:51 pm
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

Any news out there? Would be happy if this is working at the end of the next year :) I got an outstanding project there.
by n4p
Thu Apr 20, 2017 7:50 pm
Forum: Beginner Basics
Topic: VLAN between 2x RB2011 over SFP
Replies: 4
Views: 576

VLAN between 2x RB2011 over SFP

Hi, I got a setup with two RB2011. Those are connected via SFP and I already configured VLANs for the 5 Gigabit Ports. So Port1 on Router A terminates on Port1 on Router B. And all over the SFP port. That works fine. But now I will ask if it would be possible to make a VLAN that connects port 6-9 ...
by n4p
Fri Dec 02, 2016 7:15 pm
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

I speak about the SFP what would be already available and not a VDSL modem included in the MikroTik hardware. Possible that this will be sooner available?

Or is there any other way I can do this? I already searched for mini-PCI cards but didn't find one.
by n4p
Fri Dec 02, 2016 2:56 pm
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 314
Views: 89485

Re: Mikrotik VDSL / DSL Modem?

I really hope that this would be available in few days.
Currently that's the only issue that I didn't use MikroTik routers/switch in home area.
Because I need few more devices, switch, router, modem. And so it would be able to do all with one.
by n4p
Wed Nov 25, 2015 10:12 pm
Forum: General
Topic: RB2011UiAS and multiple Network
Replies: 1
Views: 369

RB2011UiAS and multiple Network

Hello everybody. It's my first MikroTik router and I got little problems at start up. So I hope you can help me. I currently try to create multiple subnets on the router by following this guide: http://networkingforintegrators.com/2013/01/how-to-run-multiple-networks-from-a-mikrotik/ Everything is fin...