Hi, I have a building with 3 floors, on each of these floors a CAP AC is installed for WiFi coverage. A Mikrotik router is located centrally and manages the access points using CAPSMAN. My question would be, what is the recommendation for the 5GHz frequencies for this building? Currently it seems th...
Hi there, I would like to ask if there is any possibility to get a VPN server based on SSTP running behind a NAT. As you can see in the picture below, the LTE router on the server side forwards every packet to the MikroTik behind it. But I was not able to establish the SSTP tunnel. I've already made some a ...
Hi nathan,
could you be so kind and give me some short information on what I need to know if I upgrade RouterOS from 6.44.5 to 6.44.6?
As far as I know there are some significant changes in the VRRP section, or?
Hi,
thanks for your answer, but I think I found the problem. Looks like the IPsec ESP protocol gets blocked between both devices. On the client side I tried to enforce NAT-T and now it works over UDP 4500.
Hi there, I am currently setting up some IPsec tunnels. On the central side I have two WAN connections. One connection with a static address without NAT and the second one with LTE (behind NAT). Failover etc. is working. But what I can't get working is the IPsec site-to-site with the static address? If centra...
Hi, I'm currently configuring multiple IPsec site-to-site connections. To get it working you need to configure the local (src-address) subnet in the IPsec policy. That works pretty fine if I have only one subnet on the central station. But if I have multiple subnets on the central side I need to configure ...
Hi,
I'm currently renewing my setup and want to ask if there is any better method available to use IPsec for multiple WAN addresses instead of using netwatch and pinging anything?
I can't create two policies with the same src & dst, but with different SA src. address.
Thanks for sharing your script. Yes, I was thinking about a man-in-the-middle attack on this board. As far as I know the file sync goes through SMB or FTP? So with man-in-the-middle you can gather information about the PSK etc. Or am I completely wrong? I know it depends on my different setup where the r...
OK, yes the layer 2 is extended but I would use a completely different way for sync. So if I install an EoIP tunnel before hainstall, would this work if I select the EoIP interface?
OK, one last question, would it be possible to secure the sync ports, especially through an EoIP tunnel or something? I need to make a setup where the routers are not placed in the same room. And is it possible to build IPsec tunnels with certificates? With PSK it works great in a failover, but will the...
Thanks! It's working now :) Just another question, if I execute SwitchRole I get the following output: /delay 2; :do { /ip smb shares add comment=HA_AUTO name=mkdir disabled=yes directory=/skins } on-error={} /ip smb shares set [find comment=HA_AUTO] directory="pub" /ip smb shares set [fin...
Hi,
but I need to add those scripts on the VRRP (on master and on backup), or?
Or is there any logic included so that all scripts with *_on_backup will be executed?
Thanks
Hi there, I am currently struggling a little bit. To get GRE working through IPsec I need to add a rule to allow GRE from the same source where the IPsec establishes. So if I understand that right, GRE would be open as a port from this source? If I disable this rule GRE won't work any more. So wha...
Yes, the switch uses the 802.3af/at standard. But it's not working correctly if I connect the hAP ac lite to the switch. The switch tries to power the hAP ac lite, which is shown by the PoE LED on the switch. The hAP ac lite did not power on. As far as we know 802.3xxx is not compatible with passive PoE. And if...
Hi there,
I need to connect a hAP ac lite to a PoE+ switch. As far as I know this would not work, because the hAP ac only uses passive PoE and not PoE+.
Is there any way to disable the PoE-in on the hAP ac lite so that I can still connect them?
Any news about that? Still trying around but no chance to get it working. The only log entry shown is: Can't get private key. So what is wrong there? I created a certificate for the server (tls-server) and another one for the client (tls-client), installed the certificate on the client and configured the pee...
Hi
I'm trying to configure a connection between two CCR1009 and encrypt this with IPsec.
If I try to use PSK everything works fine. But I want to use certificates instead. I searched for some time but I didn't find any tutorial on how to do this.
Hi,
I am currently running 6.43rc4 on the CCR.
Instead I tried it with another vendor's router as the decentral device and the same thing happens. So there must be something wrong with my CCR.
Yes,
that's what I have done, but it is still not working.
I currently tried it again but it won't work. If I change the settings for phase 1 on both devices to sha1/aes128/dh1024 everything works great and then I can use sha256/aes256/dh4096 for phase 2.
Hi there, I'm trying to establish a site-to-site tunnel with a MikroTik CCR1009 as the central unit and a component from another reseller as the decentral unit. If I configure phase 1 to sha1 everything works fine! But if I change the settings to sha256 for phase 1 I get the following in the MikroTik log...
Hi,
I want to ask if it would be possible to block traffic between multiple EoIP tunnels connected to the same bridge interface.
They should only be able to talk to one physical port connected to the bridge.
Hi there, I really like the discovery protocol, but I also think that it increases my system security if every device broadcasts. So would it be possible to define on which interface the discovery protocol should work? I've got a management ring and only there should it be enabled. Thanks for your h...
Yes I know, that's what I need. I'm running very special components behind the Tiks and those need L2 transparency.
Otherwise they need to be reconfigured and that's a really, really hard job now and can cause instability.
Yeah, it would be really nice if this feature would be added, because I had to configure a lot of tunnels by hand. If it were implemented that I can choose the profile, I wouldn't need to configure a separate IPsec tunnel for each peer and could use EoIP with secret. Or is there any other way that the ...
Hi there, I want to ask if there is an idea in the future to make it possible that I can select which SHA or AES I will use? Currently there is only sha1 and aes128 available, but sha1 is already known as vulnerable. So currently there is only one way to fix this, you have to set up an IPsec tunnel and ...
Yes I have optical links. But I won't use MPLS or VPLS. Today I tried EoIP + IPsec secret with RSTP and multiple links. It works fine. I also tried OpenVPN with a tap tunnel and RSTP, it also works very well. (aes256) So if I understand you correctly you would prefer EoIP over IPsec instead of EoIP wit...
I wouldn't think so. Because for L2 VPN the options are limited as far as I know.
What I need is L2 transparency between head and substation. And that secure.
The bandwidth I have to put through this tunnel is very small.
Max. 1 Mbit. (limited by the WAN connections)
Hi there, I am searching for the best VPN standard to realise a layer 2 VPN tunnel between 1 head station and 2-3 substations. Those substations are connected redundantly to the head station and use OSPF. It should be as secure as possible and cause no problems if the routing from OSPF changes. Layer 3 V...
Ok, but I'm using passive listening for IPsec on the MikroTik router, so they won't establish any connection by themselves.
Should this be the fix?
Yes, the script would be the second way. As far as I know I can start a script if the master changes?
Hi there, I want to ask if there is any common way to configure a VRRP setup (2 routers) with IPsec site-to-site? VRRP is currently running as it should. But now I want to add IPsec to the virtual master. So what is the right way to do that? Just for information, I will have 2 routers with VRRP in office...
I have been testing a 180-T but it seems to resync every 10-12 hours. It does sync at a high speed on my line, and latency is low when it is working, but drops twice a day. Has anyone else seen this sort of instability? Nick Hey Nick, Can't confirm that. For me here in Austria the module works abso...
Hi k6ccc, yes up there you can see my default firewall setup. As described in the first post I made a scan with just only these rules and saw ports 554 & 555 as open. After that I tried to add an input rule which matches these ports and drops them, but nothing happens and the ports are still open. Betw...
Yes,
there are only two dst-nat rules. But those have nothing to do with port 554 & port 555.
It's currently not possible to make an export of the NAT rules, but there is only port 443 & a special port 55372.
Hm,
nobody got an idea why those ports are open? It looks really confusing because with the drop rules in the firewall set, everything else except IPsec and ICMP should be locked out. So why open?
Hi Steve, here is the preferred output from the firewall rule set. /ip firewall filter add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn add action=add-src...
Hi there, I successfully configured my firewall settings on the RB2011. After that I wanted to make a check with an external connection pointed to my IP address and used nmap. The confusing thing is that nmap every time shows port 554/tcp and port 555/tcp as open. So I added a new rule to the firewall and ...
Yes, adding the in-interface fixed the problem of reaching HTTPS websites from the local subnet. But now I'm stuck, I can't reach my local website through the external IP address. Any idea how to fix that?
Here is the current export from NAT: # nov/10/2017 06:29:34 by RouterOS 6.41rc52 # software id = R3IZ-BBCZ # # model = 2011UiAS # serial number = 763107FDC325 /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\ pppoe-out1 add action=dst-nat ch...
Hi there, I am currently a little bit confused, because the port forwarding with the PPPoE connection won't work. It's not my first RouterBoard where I do this but the first with PPPoE. So what I have already done is to set up the default masquerade rule for the out-interface and place it as first. I...
Hi, I want to ask if there are any plans for the future with 24-port switches that have 2-5 PoE-out ports included, running RouterOS and having at least 1 SFP port? Would really like such a device for small business or home use combined with wAP ac. Thanks for your answer. Sent from my HUAWEI GRA-L09 ...
Got the Procend 180-T ..[cut].. I will post some results.. Interesting, I'll wait for news. Does anyone have links to EU shops where these modules are available? thanks.. Yeah, that would be very interesting. I am already in contact with Allnet but they say that they can't ship before Q1/2018. So I hop...
Hi, I think I found the solution, there was a description in the forum, so I followed that and configured it on my RB2011. Currently it looks like it works correctly, all connections from the local LAN go through WAN1 where the router is without the ability to set up any port forwarding. And if I connect a s...
Hi, I want to ask if it would be possible to set up two internet connections where one is for inbound traffic and one for outbound traffic. Or a little bit clearer, I have to set up a MikroTik router (router B) behind another router (router A). And I can't configure any port forwardings or something on r...
Yes you are right, sorry for the wrong description. I mean switches with RouterOS :) So what I want to have is VDSL through SFP (SFP should arrive soon), IPsec/L2TP for smartphones/laptops, CAPsMAN for 2 wAP ac, a simple firewall for home use, a little bit of routing. That's it, I think the bottleneck would be the...
Sorry for pushing this thread, but I'm currently thinking about buying one of these routers. At work I only have to do with the CCR series. But for home usage I want to get one device that can do everything for me, so which would be better? CRS125-24G-1S-RM vs CRS326-24G-2S+RM? I only need one SFP, so that's ...
Yes that's right, I don't need DNS or something like that. Do you mean I need to specify the source and the destination address? Please remember, those are in the same subnet. The ping rule and the drop rule work as expected. The problems are only with TCP :( Looks like the ack,syn packets are ge...
So, here we are. I already tried something, but the same happens as with the IP firewall. If I select port/protocol it stops working. The current bridge filter looks like this: add action=accept chain=forward comment="HTTP allow" \ dst-address=172.19.102.0/24 dst-port=80 in-interface=ether8 ...
Yes, you are right, I want to filter inside the VLAN. Or especially on the untagged out port. Don't know what's better. I already tried the way with the bridge firewall, but there I didn't find anywhere the config for dest. port or something. Just for understanding, in the ESX system there are window...
Just to help you understand what I want to do. Outside this ESX cluster is an unsecure network. I mean both subnets. The traffic amount from the ESX cluster out to those subnets is minimal. I speak in KB sizes. So I thought the right way would be the IP firewall. But if you have another solution I...
I am cooperative, but it seems you don't understand that the second router has nothing to do with the setup which I need on this router. But if it's easier for you, let's start from new. I take another RB2011 and want to make this setup only on this standalone router. Is that ok for you? I would think...
I think you didn't understand what I want to do? I already posted the configuration where I had to start. The second RB2011 has nothing to do with this scenario.
I simply want to add firewall rules to those bridges VLAN 700 and 800.
Hello, no, this router just has to add a VLAN tag to two different subnets. Ports 1-5 terminate on a second RB2011, also on ports 1-5, and those are connected through SFP. The important thing for me starts now on port 6 until 8. I connect 2 subnets, one on port 7 and one on port 8. The router should add the...
Thanks for your answer, now I see the connection on the connection list. The firewall rules work, but I have trouble limiting the ports. Especially when I try to limit the port so that only port 80 is allowed, it fails. Here are the logs with only TCP allowed on any port: 20:51:12 firewall,info forward: in:b...
Hi, I've got an RB2011 running, there I have connected 3 subnets without VLAN. So I use the RB2011 to bridge the 3 subnets (connected on ports 7 till 9) to port 6 with a VLAN tag. On port 6 my ESXi server is connected. Till now everything works fine. But what I want to do now is to install a firewall betwee...
Hi, we have a Cloud Core Router with 2 WAN connections. Connection type is LTE. As known, there are sometimes troubles with the LTE connection so I made a backup for this connection (also LTE, but at a different location). The script is currently working as expected, but it would be great if anybody ...
Thanks for the answer, my idea is not only to disconnect them, I want to disable their profile. For our setup it's not possible that this happens at any time, only if anybody tries to attack the server. The outstanding peers normally should connect every time and stay up. So what I have done until now is: I added Fi...
That's not really a help for me, because I use site-to-site tunnels. And if there is a security issue I want to block this tunnel.
But if there is nothing, the tunnel should be up all the time.
Yeah, it would be great if you can give me some advice. My idea was to check the address list every second or something like that and look if there is a peer with the name blacklist. There I need to look at the IP range, if it is 172.8.10.xxx or 172.8.11.xxx, and search with this for the matching IPsec ...
Hi, I need to push this thread, because I'm currently searching for the same solution. Is there any way to disable IPsec peers with a script which looks at the firewall address list? Background for that is, I detect bad peers on the firewall and blacklist them. To prevent them from doing more bad stuff I w...
I got it working! The way it was done is: I set up 3 forwarding rules with destination the local subnet where the IPsec traffic terminates. And there I drop all except ICMP and the specified TCP port. To make that more sensitive I set up a whitelist which includes the allowed clients. On the client ...
Hi, I tried your idea with the two policies but it didn't work, if I disable each one the other one starts working. So I would say my UMTS router doesn't support that. The second way with blocking the bridge (where the local ports are connected) also won't work :( I tried to add a rule with drop any but it does...
Just one piece of information, as far as I know in the policy I can only specify one protocol or one port. Or am I wrong with my information? I will see tomorrow and try that out. Just for information, the CPU load and the bandwidth are just idling around, because we have traffic in 1-5 KB ranges and about 1000...
Thanks for your instruction, so if I am right, I can handle that with the policies? Just read the wiki as described. So if I change the policy so that only TCP traffic from port 3002 is allowed, that should do the trick? Any other traffic will be blocked because it's not encrypted? Or am I still wrong? But ju...
Hello! Thanks for the answer. The problem is I can't do an IPsec/L2TP setup. The only way I can go is site-to-site. To understand what I have: computer(172.10.20.2)--------3G/UMTS-Modem(172.10.20.1)-------- IPSEC-------Mikrotik(172.10.0.1)------server(172.10.0.2) The problem is that the modem outside onl...
Nobody got an idea to help?
GRE tunnel or L2TP is no option.
Because my road warriors don't support that.
Would it be possible with a loop from outgoing port 6 to port 7 and firewall unencrypted between port 7 and 8?
Thanks for your answer! Sounds really interesting!
Hopefully they also increased the CPU power. Doesn't need to be a big jump, but just a little bit more.
And it will be amazing to use the PoE-out with wAP ac etc.
Much less installation required.
Hi, I want to know if there is a plan for upgrading the CRS125 in future days? Because I really like this device, 24-port switch with a small router included. But with higher bandwidth the router gets to its limit. So my question is, is there any CPU increase planned? Or another idea is to offer some mo...
Hi there! I'm trying to find out how it would be possible to attach firewall rules between the IPsec site-to-site tunnel. My goal is to close this tunnel and only allow 1 TCP protocol on port 3002 and ICMP. So my question is, what is the right way for that? Do I need to set up the rules on the outgoing po...
Here it is: Router A, here I want to join the switch from router B. /interface bridge add admin-mac=E4:8D:8C:27:3D:15 auto-mac=no comment=defconf name=bridge add name=bridge-vlan200 add name=bridge-vlan300 add name=bridge-vlan400 add name=bridge-vlan500 add name=bridge-vlan600 /interface ethernet set ...
Hi, I'm currently planning the network setup for our new building. And because I work in my company with MikroTik I thought it can't be bad for home use? So my idea is to use the CRS125-24G-1S-RM as switch/router and two wAP ac together as access points with CAPsMAN. Will this work pretty well? Or th...
Hi, I have a setup with two RB2011. Those are connected via SFP and I already configured VLANs for the 5 gigabit ports. So port 1 on router A terminates on port 1 on router B. And all over the SFP port. That works fine. But now I will ask if it would be possible to make a VLAN that connects ports 6-9 ...
I'm speaking about the SFP which would already be available and not a VDSL modem included in the MikroTik hardware. Possible that this will be available sooner?
Or is there any other way I can do this? I already searched for mini-PCI cards but didn't find one.
I really hope that this would be available in a few days.
Currently that's the only issue why I don't use MikroTik routers/switches in the home area.
Because I need a few more devices, switch, router, modem. And so it would be possible to do all with one.
Hello everybody. It's my first MikroTik router and I have little problems at start up. So I hope you can help me. I'm currently trying to create multiple subnets on the router by following this guide: http://networkingforintegrators.com/2013/01/how-to-run-multiple-networks-from-a-mikrotik/ Everything is fin...