Community discussions

Search found 98 matches

by eset
Tue Jul 21, 2020 4:00 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

UpCloud claims that this is a RouterOS issue and they recommend to use VyOS or pfSense as those can easily work with policy-based or route-based scenarios.
by eset
Tue Jun 30, 2020 2:08 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

In /tool torch I see that something is coming from 10.5.0.120 when I start to ping 10.6.1.253 But it only 560ps on RX with IP protocol I was so close and losing network connectivity between DCs makes me feel fuckin sad :/ @sindy if you still want to help you can create account in upcloud (they hav...
by eset
Tue Jun 30, 2020 2:03 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

OK, so one last idea before I fall asleep, I've already switched off the PC - once the tunnel gets up, disable and re-enable the action=none dst-address=10.0.0.0/13 policy. I have added it while the tunnel was up, but I also had other action=none policies in place before the tunnel went up, and the...
by eset
Tue Jun 30, 2020 1:20 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

Ah yes, Sex Mission movie. I'm shocked that you saw it ;)
by eset
Tue Jun 30, 2020 1:19 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

[konrad@UP-RT-01] /routing bgp network> /ping 10.5.0.1 SEQ HOST SIZE TTL TIME STATUS 0 10.5.0.1 56 64 0ms 1 10.5.0.1 56 64 0ms sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms [konrad@UP-RT-01] /routing bgp network> /tool traceroute 10.5.0.1 # ADDRESS LOSS SENT LAST AVG BEST WOR...
by eset
Tue Jun 30, 2020 1:07 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

And what is interesting is that the subnet 10.99.6.0/24 also has a connectivity problem. I've created a temporary server instance in the same local SDN network root@debian-1cpu-1gb-fi-hel2:~# traceroute 10.99.6.2 traceroute to 10.99.6.2 (10.99.6.2), 30 hops max, 60 byte packets 1 10.99.6.2 (10.99.6.2) 0....
by eset
Tue Jun 30, 2020 12:34 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

Do you have generate-policy=no in the /ip ipsec identity row? And do you remember the voice password from Sexmission? [konrad@UP-RT-02] > /ip ipsec identity pr Flags: D - dynamic, X - disabled 0 peer=ike-gcp_casino auth-method=pre-shared-key secret="xxxx" generate-policy=no I have no generate-polic...
by eset
Mon Jun 29, 2020 11:52 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

Okay, so there may be some tunnel but the loading and unloading to/from the tunnel is not done by any of the two 'Tiks. Are the routes (10.6.x.y via 100.68.128.129) configured statically or via some dynamic routing protocol? Or is 100.68.128.129 the default gateway (static or DHCP-assigned)? I am l...
by eset
Mon Jun 29, 2020 11:01 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

It's UpCloud Provider. So if you asked me. They are not behind One NAT One mikrotik is in Netherlands and second is Frankfurt. So basically those are two different DCs. Communication between them is possible over Local Area Network but 100% sure it's some kind of tunnel between those two regions. 1 10...
by eset
Mon Jun 29, 2020 10:30 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

I'm trying this with 6.45.9 at one end and 6.46.6 on the other, and it works as expected - there is a 0.0.0.0/0<=>0.0.0.0/0 policy between these two Mikrotiks and exceptions from it (action=none) before, and the exceptions work as expected - what is covered by an exception is not kidnapped by the 0...
by eset
Mon Jun 29, 2020 10:03 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

And I have trouble with this ipsec policies. When enable 0.0.0.0/0 I lose traffic between two mikrotiks. The one which has the tunnel and second in different provider network 10.5.0.0/16. Disable IPsec pings works. 10.5.0.0/16 fits into 10.0.0.0/13, hence the action=none dst-address=10.0.0.0/13 pol...
by eset
Mon Jun 29, 2020 9:03 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

And I have trouble with this ipsec policies. When enable 0.0.0.0/0 I lose traffic between two mikrotiks. The one which has the tunnel and second in different provider network 10.5.0.0/16. Disable IPsec pings works.
by eset
Mon Jun 29, 2020 6:42 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

It seems that ! in src-address and src-address-list doesn't work I need to set accept instead of drop then it works. Strange.

And is there any way to enable ping on local and gcp side? I mean I can't ping from GCP vpn client the mikrotik seems strange
by eset
Mon Jun 29, 2020 6:11 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

You mean those one? add dst-address=169.254.1.2/32 peer=ike-gcp_casino proposal=GCP_phase2 sa-dst-address=35.204.xx.xx sa-src-address=94.237.10.65 src-address=169.254.1.1/32 tunnel=yes add dst-address=10.101.0.0/16 peer=ike-gcp_casino proposal=GCP_phase2 sa-dst-address=35.204.xx.xx sa-src-address=9...
by eset
Mon Jun 29, 2020 5:21 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

btw do I need to have `default` removed? Because right now I don't see if this is required.
by eset
Mon Jun 29, 2020 4:50 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

OK I've set it like this, as you suggested with static (removing template) [konrad@MikroTik] /ip ipsec identity> ..policy pr Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default # PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT 0 TX* ::/0 ::/0 all ...
by eset
Mon Jun 29, 2020 4:43 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

0 0.0.0.0/0 10.99.6.0/24 all none 1 0.0.0.0/0 10.0.0.0/13 all none 2 A ike-gcp_casino yes 169.254.1.1/32 169.254.1.2/32 all encrypt require 1 3 ike-gcp_casino yes 10.99.6.0/24 10.101.0.0/16 all encrypt require 0 4 T * ::/0 ::/0 all 5 DA ike-gcp_casino yes 0.0.0.0/0 35.204.160.90/32 all encrypt uniq...
by eset
Mon Jun 29, 2020 4:30 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

The whole idea was that the policy associated to the peer has to be a 0.0.0.0/0=>0.0.0.0/0 one because the GCP insists on that. You have used a template instead, plus a single policy for just 169.254.1.1=>169.254.1.2, and the peer has accepted that narrow policy, which is quite surprising. So try t...
by eset
Mon Jun 29, 2020 3:45 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

and how to proceed with BGP ? So are you saying that now you have a running tunnel, i.e. there is an installed-sa generated from the template? Ok to make some clearness what's going on now. /ip ipsec policy add action=none dst-address=10.99.6.0/24 src-address=0.0.0.0/0 add action=none dst-address=1...
by eset
Mon Jun 29, 2020 12:05 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

I must say that logs don't give me much information what's going beside that there is a timeout The "ipsec,info,account peer authorized" message which you've posted before is missing in this log, so the timeout is a different issue than in the previous case. Yeah but as you see can figure it out wh...
by eset
Mon Jun 29, 2020 11:31 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

I must say that logs don't give me much information what's going beside that there is a timeout # jun/29/2020 11:27:13 by RouterOS 6.45.9 # software id = # 11:27:17 ipsec ike2 init retransmit 11:27:17 ipsec,debug ===== sending 424 bytes from 94.237.xx.xx[4500] to 35.204.xx.xx[4500] 11:27:17 ipsec,de...
by eset
Mon Jun 29, 2020 10:22 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

Ok basically what bothers me are two things. 1. I've set it like this (so we exclude two IP classes. 10.x and 172.16-31) /ip ipsec policy set 0 disabled=yes add action=none dst-address=10.99.6.0/24 src-address=0.0.0.0/0 add action=none dst-address=10.0.0.0/13 src-address=0.0.0.0/0 add dst-address=0....
by eset
Sun Jun 28, 2020 2:11 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

what do you mean by first type?

I did literally study your answer but it is hard to understand without a practical example

I would be very grateful if you could show examples
by eset
Sun Jun 21, 2020 2:57 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

@sindy
The only thing I manage to do this using template


Image
by eset
Sat Jun 13, 2020 3:46 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

So let me understand that you are talking about that? /ip ipsec policy add dst-address=$here action=none place-before=0 ? $here is <mikrotik_public_IP> all current networks I have on mikrotik side (leftside) ? IPsec policies override all routes including those to connected subnets. So a 0.0.0.0/0 -...
by eset
Sat Jun 13, 2020 12:56 am
Forum: Forwarding Protocols
Topic: Google Cloud Platform GCP - VPN - BGP [SOLVED]
Replies: 27
Views: 12059

Re: Google Cloud Platform GCP - VPN - BGP [SOLVED]

Why you want to make an IPsec from VM with RouterOS on GCP into GCP Cloud VPN? That sounds stupid.
by eset
Wed Jun 03, 2020 10:01 pm
Forum: Forwarding Protocols
Topic: Google Cloud Platform GCP - VPN - BGP [SOLVED]
Replies: 27
Views: 12059

Re: Google Cloud Platform GCP - VPN - BGP [SOLVED]

Hi eset, djdrastic. I'm using policy based: Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 1 A peer=peer2 tunnel=yes src-address=169.254.0.5/32 src-port=a...
by eset
Wed Jun 03, 2020 2:05 pm
Forum: Virtualization
Topic: IPsec IKEv2 GCP ping timeout [SOLVED]
Replies: 8
Views: 4626

Re: IPsec IKEv2 GCP ping timeout [SOLVED]

After almost a year of digging and looking for information. GCP Support helped. Mikrotik Support analyzed information from GCP Support and gave me also information which didn't satisfy me but there is nothing I can do right now so. More information here: https://forum.mikrotik.com/viewtopic.php?f=...
by eset
Wed Jun 03, 2020 1:53 pm
Forum: Forwarding Protocols
Topic: Google Cloud Platform GCP - VPN - BGP [SOLVED]
Replies: 27
Views: 12059

Re: Google Cloud Platform GCP - VPN - BGP [SOLVED]

@eset yes, sometimes and randomly the ipsec tunnel is connected but no traffic passing through, so the bgp goes down. I have to reset everything manually and it comes back, I got almost fixed it setting the timers a google request them on their manual, but still having some random issues. The easie...
by eset
Wed Jun 03, 2020 11:18 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

I received an answer from Emil, from MikroTik Support, and he says Hello, RouterOS has policy based IPsec only. You can configure 0.0.0.0/0<->0.0.0.0/0 traffic selector, but you will not be able to route specific traffic over the tunnel, so that really is not an option at this time. Emīls Z. So right n...
by eset
Wed Jun 03, 2020 12:15 am
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

The log from GCP side suggests that you use mode-config=request-only in the /ip ipsec identity at Mikrotik side, thus asking the GCP end to assign an IP address to the Mikrotik, but it doesn't have one on stock. Is requesting an address via mode-config required by their documentation? No it doesn't...
by eset
Tue Jun 02, 2020 10:47 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

Still I can't manage to create a ipsec policy to connect with GCP /ip ipsec policy add action=none dst-address=172.16.1.0/24 src-address=0.0.0.0/0 add action=none dst-address=172.16.3.0/24 src-address=0.0.0.0/0 add action=none dst-address=172.16.18.0/24 src-address=0.0.0.0/0 add action=none dst-addr...
by eset
Tue Jun 02, 2020 9:56 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

Re: VPN with GCP

So I changed it to `use` but also it is required to set 0.0.0.0 src and dst in IPsec policy. When I do that I lose connectivity Could someone advise me how to proceed ? I'd prefer require to use for level , but that's minor. To prevent losing connectivity by setting policy's src and dst to 0.0.0.0...
by eset
Tue Jun 02, 2020 8:47 pm
Forum: General
Topic: VPN with GCP
Replies: 49
Views: 6378

VPN with GCP

I gathered much information in huge GCP documentation about setting IPsec using IKEv2 with BGP. What I found is that, and this is important Important: When using IKEv2, your peer VPN gateway must accept all of the CIDRs in each traffic selector using a single Child SA. Not all VPN gateways support ...
by eset
Fri Feb 14, 2020 9:11 pm
Forum: Forwarding Protocols
Topic: Google Cloud Platform GCP - VPN - BGP [SOLVED]
Replies: 27
Views: 12059

Re: Google Cloud Platform GCP - VPN - BGP [SOLVED]

@eset yes, sometimes and randomly the ipsec tunnel is connected but no traffic passing through, so the bgp goes down. I have to reset everything manually and it comes back, I got almost fixed it setting the timers a google request them on their manual, but still having some random issues. The easie...
by eset
Mon Dec 02, 2019 12:10 pm
Forum: Virtualization
Topic: IPsec IKEv2 GCP ping timeout [SOLVED]
Replies: 8
Views: 4626

Re: IPsec IKEv2 GCP ping timeout [SOLVED]

Oh it's in stable now version. Hm So I need to wait for long-term to receive that update. But I'm not sure if that will resolve the problem
No, problem isn't resolved. Still the same issue occurs
by eset
Mon Dec 02, 2019 12:07 pm
Forum: Forwarding Protocols
Topic: Google Cloud Platform GCP - VPN - BGP [SOLVED]
Replies: 27
Views: 12059

Re: Google Cloud Platform GCP - VPN - BGP [SOLVED]

@gargola I have a few questions. Do you have any connectivity problems? I wrote to MikroTik support because my tunnel sometimes disconnects and when reconnecting which seems all fine some part of networks defined in policy don't work (Ping doesn't go through). After disable/enable that policy it star...
by eset
Tue Nov 12, 2019 5:21 pm
Forum: Virtualization
Topic: IPsec IKEv2 GCP ping timeout [SOLVED]
Replies: 8
Views: 4626

Re: IPsec IKEv2 GCP ping timeout [SOLVED]

No one from mikrotik support will refer to this?
by eset
Fri Nov 08, 2019 1:10 pm
Forum: General
Topic: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine
Replies: 178
Views: 64271

Re: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine

I have automator running with the following:
Screen Shot 2019-10-17 at 8.57.56 AM.png
I've done it differently, not using staging but just wine64 from 4.0.2 and works.
But Automator doesn't run the winbox
export PATH="/usr/local/Cellar/wine/4.0.2/bin:$PATH"
wine64 $HOME/.winbox/winbox64.exe
by eset
Fri Nov 08, 2019 12:35 pm
Forum: General
Topic: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine
Replies: 178
Views: 64271

Re: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine

XQuartz no longer required by Wine. Simple installer with Next->Next. Homebrew install doesn't add wine64 to environment, you must guess where the binary is. Can't install latest Wine. Nothing against homebrew. I agree. @mandrade your solution isn't accurate but I disagree that homebrew doesn't add w...
by eset
Thu Nov 07, 2019 3:26 pm
Forum: General
Topic: Mikrotik IPIP/IPSec stops working randomly [SOLVED]
Replies: 1
Views: 606

Re: Mikrotik IPIP/IPSec stops working randomly [SOLVED]

`conntrack` was the issue. Holding old connections.
by eset
Wed Nov 06, 2019 9:36 pm
Forum: General
Topic: Mikrotik IPIP/IPSec stops working randomly [SOLVED]
Replies: 1
Views: 606

Mikrotik IPIP/IPSec stops working randomly [SOLVED]

Router A (RB4011) Router B (MikroTik CHR on VPS) Router C (RB3011) Graph: https://www.lucidchart.com/publicSegments/view/cdefd8fe-a25a-484f-8c79-d85669254c84/image.png Some time ago, after adding a "clean" IPsec tunnel to Router A, some strange things started to happen on that Router with different...
by eset
Tue Oct 29, 2019 12:03 pm
Forum: General
Topic: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine
Replies: 178
Views: 64271

Re: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine

homebrew is a must have tool for any mac user. that being said, you can just not use homebrew - install this and nothing else https://dl.winehq.org/wine-builds/macosx/pool/winehq-staging-4.18.pkg It would be great if that could work without fuckin up my CPU in Iterm2. Also previous wine was working...
by eset
Fri Oct 04, 2019 4:35 pm
Forum: Virtualization
Topic: IPsec IKEv2 GCP ping timeout [SOLVED]
Replies: 8
Views: 4626

Re: IPsec IKEv2 GCP ping timeout [SOLVED]

Emil from MikroTik support is investigating this issue with me. But said also that, although, test release has this fix
*) ike2 - fixed phase 1 rekeying (introduced in v6.45);

So it looks that Mikrotik has issues with rekeying.
by eset
Thu Jul 25, 2019 11:41 am
Forum: Virtualization
Topic: IPsec IKEv2 GCP ping timeout [SOLVED]
Replies: 8
Views: 4626

Re: IPsec IKEv2 GCP ping timeout [SOLVED]

I found in logs from GCP VPN service that there is a
N(TEMP_FAIL)

When he establishes connection again after rekeying. I see someone has the same problem with Mikrotik connected to strongSwan on Linux
https://wiki.strongswan.org/issues/2646
by eset
Thu Jul 25, 2019 11:14 am
Forum: Forwarding Protocols
Topic: OSPF Linux MikroTik
Replies: 4
Views: 2755

Re: OSPF Linux MikroTik

They have some sort of filtering. They said that I need to modify TTL on both sides. Between mikrotik and Linux.
by eset
Thu Jul 11, 2019 12:51 am
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 3215

Re: VLAN VRRP

Ok I analyzed your answer very carefully. There are some misunderstanding which I wanted to clear so we both be on the same page here. So my concern regarding what you had in mind when saying that the switch should be a gateway for some devices in the VLAN remains - a gateway is an L3 term, meaning ...
by eset
Wed Jul 10, 2019 6:58 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 3215

Re: VLAN VRRP

You're freely mixing switching (bridging) and routing together, saying in one sentence that the external switch is a gateway (router) for a host connected to some VLAN and in another sentence implying that the gateway (router) should be the Mikrotik instead. That's an indication that you have some ...
by eset
Wed Jul 10, 2019 3:36 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 3215

Re: VLAN VRRP

I set it differently. I mean there is Interlink vlan which I created between switch (bond interface) and mikrotik bond. Added that bond to the bridge and assigned vlans to bridge. After that I created a VRRP in the network where Interlink is and added that specific interlink vlan from trunk to the v...
by eset
Tue Jul 09, 2019 12:58 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 3215

Re: VLAN VRRP

VRRP is an L3 matter, so you'll need one VRRP setup in each VLAN on the trunk (which means one /interface vlan per each trunk on each of the two machines) and one on the native/tagless/default VLAN. If you want L2 redundancy, you have to use other means than VRRP. Could you explain that more or hav...
by eset
Tue Jul 09, 2019 12:31 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 3215

Re: VLAN VRRP

So this is different approach that was provided by cdiedrich ? Because I'm confused right now.

Above config looks like that
Image
by eset
Mon Jul 08, 2019 10:03 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 3215

Re: VLAN VRRP

/interface bridge add name=BR_TRUNK protocol-mode=none vlan-filtering=yes add name=bridge1 add fast-forward=no name=loopback /interface bridge port add bridge=bridge1 comment=defconf interface=ether7 add bridge=BR_TRUNK hw=no interface=bond_core /interface bridge vlan add bridge=BR_TRUNK tagged=vrr...
by eset
Mon Jul 08, 2019 8:00 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 3215

Re: VLAN VRRP

Ok but which IP should I choose when they all are tagged (trunk) ? And is it possible with that vlan config https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_without_a_built-in_switch_chip RB4011 has no built-in switch chip so I Wanted to have bonding in VRRP. On that configur...
by eset
Mon Jul 08, 2019 4:16 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 3215

Re: VLAN VRRP

Ok but which IP should I choose when they all are tagged (trunk) ?
by eset
Thu Jun 27, 2019 1:13 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 3215

VLAN VRRP

I will like to add bond0 device with untagged vlan but pushing trunk inside it. All that needs to be served in VRRP. Is it even possible? https://www.lucidchart.com/publicSegments/view/0924a05e-a457-45d4-bf9b-12bbc72f0c28/image.png?fbclid=IwAR3FeCBXpuZDzpw2HpCR0VoBXpv64gb17tZmEnPKP-Woxr-2qXWwZeGIa8c
by eset
Thu Jun 27, 2019 12:50 pm
Forum: Virtualization
Topic: IPsec IKEv2 GCP ping timeout [SOLVED]
Replies: 8
Views: 4626

Re: IPsec IKEv2 GCP ping timeout [SOLVED]

Which Server? Google Cloud provide IaaS this a VPN service and it works normally. But it freezes sometimes and pings stop working at all. Now I have the same problem. I don't know what is happening.
by eset
Thu Jun 27, 2019 12:45 pm
Forum: Forwarding Protocols
Topic: OSPF Linux MikroTik
Replies: 4
Views: 2755

Re: OSPF Linux MikroTik

I don't believe you'll be able to run OSPF inside AWS. They block Multicast / Broadcasts. I also believe (not sure if it's fixed yet) that there is/was issues with OSPF over ipip. Not 100% on this, but I recall something like this. It's not AWS though but yeah.. this provider is blocking multicast....
by eset
Sat Jun 22, 2019 4:09 pm
Forum: Forwarding Protocols
Topic: OSPF Linux MikroTik
Replies: 4
Views: 2755

OSPF Linux MikroTik

I'm struggling 2 weeks with Quagga on Debian and MikroTik CHR which is already running with other regions and connected with IP-IP/IPsec tunnels and OSPF is working fine. When I wanted to connect a Linux Node with also IP-IP tunnel but without IPsec, using internal VPC provider network (Linux and Mi...
by eset
Tue Jun 04, 2019 11:11 am
Forum: General
Topic: IP spoofing
Replies: 1
Views: 1151

IP spoofing

Allow IP spoofing in internal network  In our MikroTik network we installed a security appliance called Darktrace. It observes the network using promiscuous mode. One of the features of it is that it is able to break TCP connections that it classifies as malicious by sending RST packets with spoofed ...
by eset
Sat Apr 27, 2019 12:10 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 4547

Re: IPSec IKEv2 rekeying problem

I have the same problem with IPsec tunnel on Google Cloud Platform with Mikrotik CHR { insertId: "19i68qjg37lbjw8" labels: {…} logName: "projects/project1/logs/cloud.googleapis.com%2Fipsec_events" receiveTimestamp: "2019-04-27T07:10:57.800611868Z" resource: {…} severity: "DEBUG" textPayload: "parsed...
by eset
Wed Apr 24, 2019 3:14 pm
Forum: Wireless Networking
Topic: cAP-ac Throughput & High Ping Problems
Replies: 33
Views: 6721

Re: cAP-ac Throughput & High Ping Problems

You know that is useless chat about basic stuff I should do which I've already done. If it were so simple I wouldn't be writing. I'm writing because I reached all my ideas and knowledge for that. Reading documentation is a "must". True And that's why I used https://wiki.mikrotik.com/wiki/Manual:CAPs...
by eset
Tue Apr 23, 2019 8:52 pm
Forum: Wireless Networking
Topic: cAP-ac Throughput & High Ping Problems
Replies: 33
Views: 6721

Re: cAP-ac Throughput & High Ping Problems

The temporary solution is disabling STP on both Mikrotik (capsman) and CAPs on bridge interfaces. Those interfaces have automatically enabled RSTP when bridge interfaces were added for Local Forward configuration. Strange is that when I wanted to force using STP and setting correct priority for caps...
by eset
Tue Apr 23, 2019 7:35 pm
Forum: Wireless Networking
Topic: cAP-ac Throughput & High Ping Problems
Replies: 33
Views: 6721

Re: cAP-ac Throughput & High Ping Problems

our current configuration in git does not define channels for AP. Line 7 & 10 provides what frequency they are using. Also I've provided forced channel later on. In my first answer I asked if other AP also accepted configuration supplied. But did not received answer. Like I said it's not the major ...
by eset
Tue Apr 23, 2019 5:15 pm
Forum: Wireless Networking
Topic: cAP-ac Throughput & High Ping Problems
Replies: 33
Views: 6721

Re: cAP-ac Throughput & High Ping Problems

It is a little bit confusing "No interference" and "which seems to interfere themself each other". Don't you think so ? By no interference I mean there are no other radio from other offices around. 1. AP nearby should have different channel to reduce interference. I've set that from mikrotik because...
by eset
Tue Apr 23, 2019 3:07 pm
Forum: Wireless Networking
Topic: cAP-ac Throughput & High Ping Problems
Replies: 33
Views: 6721

Re: cAP-ac Throughput & High Ping Problems

Have you tried to see what is in the AIR ? There is a lot of tools that can show what is happening in the AIR Yes. No interference. I'm struggling with my own caps which seems to interfere themself each other Another question, why in configuration you configure every single AP manually ? CapsMAN ca...
by eset
Fri Apr 19, 2019 11:54 pm
Forum: Wireless Networking
Topic: cAP-ac Throughput & High Ping Problems
Replies: 33
Views: 6721

Re: cAP-ac Throughput & High Ping Problems

I will join this post also because I see friend here has the same problem that I have. Here is my whole config: https://gist.github.com/electropolis/6db9a8d556bc20f9d63881cf3197d670 Just want to mention that although 2.4Ghz are working on different channels , selecting by themself though 5Ghz isn't...
by eset
Fri Apr 19, 2019 8:04 pm
Forum: Virtualization
Topic: IPsec IKEv2 GCP ping timeout [SOLVED]
Replies: 8
Views: 4626

IPsec IKEv2 GCP ping timeout [SOLVED]

I have a strange case which I thought I managed to resolve but I was wrong when again a working ipsec tunnel stopped working properly without any log information , anything. Here is my config: https://gist.github.com/electropolis/d8f59508bb0ccf6c72048a461117eb7f The problem is that clients behind Mi...
by eset
Fri Apr 19, 2019 7:50 pm
Forum: Beginner Basics
Topic: firewall prerouting [SOLVED]
Replies: 6
Views: 1613

Re: firewall prerouting [SOLVED]

It was already explained like I said.
by eset
Fri Mar 01, 2019 12:24 pm
Forum: Beginner Basics
Topic: firewall prerouting [SOLVED]
Replies: 6
Views: 1613

Re: firewall prerouting [SOLVED]

A better way to approach this is not to show us any configuration but put in words what functionality you would like to have without discussing solution.
I already did.
by eset
Fri Mar 01, 2019 12:23 pm
Forum: Beginner Basics
Topic: firewall prerouting [SOLVED]
Replies: 6
Views: 1613

Re: firewall prerouting [SOLVED]

Your SSH rule does not work because you are trying to use connection tracking features for non tracked connection (hint connection-state=new ). I know that but that's not what I'm asking. I was asking about Winbox. Why Winbox doesn't work if it also included in that no track rule the same as for SS...
by eset
Sun Feb 24, 2019 2:12 pm
Forum: General
Topic: GCP VPN On Mikrotik
Replies: 3
Views: 1729

Re: GCP VPN On Mikrotik

I finally set that cloud VPN but once a time I've got BGP sessions timeout and before it gets established again I have some zabbix timeouts and false alarms on hosts which are connected to zabbix server through zabbix proxy to the other site of the tunnel. Sent from my ONEPLUS A5000 using ...
by eset
Thu Feb 21, 2019 2:52 pm
Forum: Beginner Basics
Topic: firewall prerouting [SOLVED]
Replies: 6
Views: 1613

firewall prerouting [SOLVED]

I have strange behavior. MikroTik: 10.254.254.253 VPN users: 172.16.0.0/16 in ip firewall filters I have this rule for ssh & winbox add action=reject chain=services comment="Reject fule for 'services' ports" dst-port=8291 log=yes log-prefix=Winbox protocol=tcp reject-with=tcp-reset src-address-list=...
by eset
Thu Jan 31, 2019 11:39 am
Forum: Forwarding Protocols
Topic: Routing filter order
Replies: 11
Views: 4884

Re: Routing filter order

You wrote casinio-out instead of casino-out
Damn I didn't catch that... :/ Thanks. Sorry to bother. So I guess I understand it good :)
by eset
Thu Jan 31, 2019 10:50 am
Forum: Forwarding Protocols
Topic: Routing filter order
Replies: 11
Views: 4884

Re: Routing filter order

I have following error I don't understand that routing filtering Two IPsec tunnel with different peers. Set BGP on each session /routing bgp peer add address-families=ip,vpnv4 in-filter=casino-in name=up-gcp_casino out-filter=casinio-out remote-address=169.254.0.2 remote-as=65502 ttl=default add add...
by eset
Tue Jan 29, 2019 3:58 pm
Forum: Forwarding Protocols
Topic: OSPF over GRE tunnel and IPSEC VPN
Replies: 5
Views: 9657

Re: OSPF over GRE tunnel and IPSEC VPN

When setting GRE you don't need IPsec Policy with so many networks.
by eset
Thu Jan 17, 2019 5:12 am
Forum: General
Topic: GCP VPN On Mikrotik
Replies: 3
Views: 1729

Re: GCP VPN On Mikrotik

No still nothing
by eset
Wed Jan 16, 2019 11:46 am
Forum: Forwarding Protocols
Topic: Google Cloud Platform GCP - VPN - BGP [SOLVED]
Replies: 27
Views: 12059

Re: Google Cloud Platform GCP - VPN - BGP [SOLVED]

Are you using dedicated instance from GCP side to connect with mikrotik or do you use dedicated VPN service from Google?
Two could you share the config ?
by eset
Wed Nov 07, 2018 9:35 pm
Forum: Beginner Basics
Topic: SSTP server verify user cert
Replies: 2
Views: 1351

Re: SSTP server verify user cert

OK I see that question was already explained in here viewtopic.php?f=2&t=60769&sid=836968099 ... 2a916d26e8
And MikroTik doesn't support EAP on SSTP. So what is this option for ? Any other vpn clients ?
by eset
Wed Nov 07, 2018 3:57 pm
Forum: Beginner Basics
Topic: SSTP server verify user cert
Replies: 2
Views: 1351

SSTP server verify user cert

I run on famous problem. On windows side there is a problem with connection when Verify Client Certificate: checked Error 0x80070320 The oplock that was associated with this handle is now associated with a different handle. Looking for solution found this: https://wiki.mikrotik.com/wiki/Manual:Inter...
by eset
Wed Sep 19, 2018 10:19 am
Forum: Beginner Basics
Topic: CAPsMAN
Replies: 1
Views: 564

CAPsMAN

Hi I'm trying to set two AP to RB3011 with normal IP address and push to them two VLANs for Office network and Guest network. Here is the full config: https://gist.github.com/electropolis/17a19e409ad6490a841c3b08b13c2cc8 It's getting to be a Pain in The Ass because that doesn't work although it was ...
by eset
Wed Sep 19, 2018 10:15 am
Forum: General
Topic: Advanced Failover
Replies: 5
Views: 1015

Re: Advanced Failover

Sindy https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

It looks like this tutorial is missing some previous configuration. I tried that approach and it didn't work.
by eset
Tue Sep 18, 2018 1:16 pm
Forum: Beginner Basics
Topic: HA Radius
Replies: 0
Views: 411

HA Radius

I'm preparing to set Radius server using MariaDB database. I was wondering is it possible to set a Radius server with HA. In Mikrotik there is option to set only one address so is it possible set a Read only Radius server which own slave database. Each country side will be connected to master radius...
by eset
Thu Aug 30, 2018 5:52 pm
Forum: General
Topic: Advanced Failover
Replies: 5
Views: 1015

Re: Advanced Failover

When I removed the static router to 0.0.0.0/0 from one ISP and dynamic one from DHCP-CLIENT (add-default-route) I lost connection to mikrotik. You said that it shouldn't be added.
by eset
Wed Aug 29, 2018 11:35 pm
Forum: General
Topic: Advanced Failover
Replies: 5
Views: 1015

Advanced Failover

Hi, I want to discuss this article https://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting 1. There is no information about if this requires to have already default routing added before proceed with this setup because in this article at the bottom we can see that they prov...
by eset
Tue Aug 07, 2018 7:37 pm
Forum: Announcements
Topic: Winbox v3.17 released!
Replies: 17
Views: 14990

Re: Winbox v3.17 released!

When will Winbox be released for macOS?
by eset
Thu May 17, 2018 1:05 am
Forum: General
Topic: Mikrotik act as SLAVE DNS
Replies: 13
Views: 2770

Re: Mikrotik act as SLAVE DNS

Basically you described what I was asking. When primary dns (for external and internal zones) goes down, second will provide queries for the new names which are not cached and rest will go from mikrotik cache.
by eset
Wed May 16, 2018 10:58 am
Forum: General
Topic: Mikrotik act as SLAVE DNS
Replies: 13
Views: 2770

Re: Mikrotik act as SLAVE DNS

Seriously? So why we put second, third server in /ip dns? If we set two servers in router in location B - One from location A and second can be any server I would like for example 1.1.1.1 so if server in Location A goes down, users in location B should still be able to surf Internet using name res...
by eset
Wed May 16, 2018 4:18 am
Forum: General
Topic: Mikrotik as Local Slave DNS
Replies: 2
Views: 651

Re: Mikrotik as Local Slave DNS

Yes and No. Yes because I can push DNS to VPN users or for LAN users. And also to prevent them from using another DNS I can redirect 53 in firewall / NAT. Ok it seems ok but.. I have the following scenario DNS server: 10.4.0.120 CHR Mikrotik : 10.5.0.120 CHR and DNS can see each other. On CHR I'm doin...
by eset
Mon Apr 23, 2018 12:50 pm
Forum: General
Topic: Mikrotik as Local Slave DNS
Replies: 2
Views: 651

Mikrotik as Local Slave DNS

Hi, Is it possible to set mikrotik to be a DNS provider for VPN user but acting as primary DNS server for VPN user and forwarding queries to another DNS server in network but this DNS server isn't available for VPN user (different network address / no routing between them). VPN User 172.16.xx.xx -> ...
by eset
Mon Mar 19, 2018 10:12 pm
Forum: General
Topic: Troubleshooting L2TP/IPSec, can't connect with some clients
Replies: 7
Views: 7580

Re: Troubleshooting L2TP/IPSec, can't connect with some clients

I'm quite sure I have made a good network plan. I wouldn't be asking for help if I wouldn't do anything yet. I was using tutorials, reading and it still doesn't work. My routing is Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackho...
by eset
Mon Mar 19, 2018 11:23 am
Forum: General
Topic: Troubleshooting L2TP/IPSec, can't connect with some clients
Replies: 7
Views: 7580

Re: Troubleshooting L2TP/IPSec, can't connect with some clients

You can set 0.0.0.0/0 in public ip But I've tested and also can't ping anything beside my mikrotik LAN interface when connected over L2TP/IPsec konrad@MacBook-Pro [~/]:$ ping 10.5.0.120 PING 10.5.0.120 (10.5.0.120): 56 data bytes 64 bytes from 10.5.0.120: icmp_seq=0 ttl=64 time=23.296 ms --- 10.5.0....
by eset
Mon Mar 19, 2018 2:39 am
Forum: General
Topic: GCP VPN On Mikrotik
Replies: 3
Views: 1729

GCP VPN On Mikrotik

I have CHR mikrotik set on virtual server and want to connect it with GCP infrastructure. I have done it but.. I'm wondering how can achieve routing ? Tried using BGP https://cloud.google.com/vpn/docs/how-to/creating-vpn-dynamic-routes But I had on mikrotik 169.254.1.1 network unreachable. So I deci...
by eset
Sun Jan 28, 2018 11:21 pm
Forum: General
Topic: routing between two cloud providers though vpn
Replies: 3
Views: 1025

Re: routing between two cloud providers though vpn

Like I thought it could be problem with DigitalOcean infrastructure cuz IPsec is for sure configured correctly. That said, looking at your threads and this ticket, I see something very troubling. I might be wrong, but it looks like you're trying to bridge our internal network in AMS2 to your network...
by eset
Sun Jan 28, 2018 10:39 pm
Forum: General
Topic: routing between two cloud providers though vpn
Replies: 3
Views: 1025

Re: routing between two cloud providers though vpn

You may need to specify the source address for your ping. It has to be forced to the 10.x address. However, I recommend you to not use direct IPsec policies but instead configure a GRE/IPsec tunnel with routes on each side. That way you can avoid such painful debugging sessions: it always works the...
by eset
Sun Jan 28, 2018 7:05 pm
Forum: General
Topic: routing between two cloud providers though vpn
Replies: 3
Views: 1025

routing between two cloud providers though vpn

OK I have a very good subject to discuss. I will start from beginning. We have two providers DigitalOcean and UpCloud . The idea was to connect networks of those two providers. UpCloud is much easier to manage if it comes to routing because all regions (Frankfurt, Amsterdam, London... and so on) can...
by eset
Sun Dec 24, 2017 1:23 am
Forum: General
Topic: Mikrotik act as SLAVE DNS
Replies: 13
Views: 2770

Re: Mikrotik act as SLAVE DNS

Is your A dns a Mikrotik too? Then you could just sync (scripted) the static entries from A to B, and still have A as remote of B.
It's linux machine with bind
by eset
Sat Dec 23, 2017 11:52 pm
Forum: General
Topic: Mikrotik act as SLAVE DNS
Replies: 13
Views: 2770

Mikrotik act as SLAVE DNS

There is a network structure like this: Location A Has internal DNS server (virtual server acting as cache and serving internal zones of local names) All clients in that Location have DNS pointed to that internal DNS server so all can resolve local names without knowing IP addresses which is obvious. ...
by eset
Mon Jan 11, 2016 3:55 pm
Forum: General
Topic: Net problem ISP or MikroTik
Replies: 1
Views: 602

Net problem ISP or MikroTik

Hey, I had once a problem with my MT RB750Gr2. I had strange thing going on with something which had to do with ether1 interface. Network was working properly TX and RX packets flow ok and sometimes network stopped working. TX was sending packets on ether1 but I did not receive any packets on RX. I was...