Search found 33 matches

by kevintitus81
Fri Jun 14, 2019 7:13 pm
Forum: General
Topic: Mikrotik mangle for VoIP
Replies: 3
Views: 468

Re: Mikrotik mangle for VoIP

I mark the connection in pre-routing, then I mark the packets as well in forward chains. Works fine for me.
by kevintitus81
Mon Apr 29, 2019 11:42 pm
Forum: General
Topic: VPN can't access SMB shares
Replies: 10
Views: 918

Re: VPN can't access SMB shares

You need to add a route back to your VPN subnet on the SMB server or its gateway. So add a static route on the MikroTik over to your 10.8.0.0/8 net and set gw address to reach that net to 192.168.1.238. (your openvpn server) Please excuse my lack of knowledge, I tried to set up a static route today ...
by kevintitus81
Mon Apr 29, 2019 5:51 am
Forum: General
Topic: VPN can't access SMB shares
Replies: 10
Views: 918

Re: VPN can't access SMB shares

You need to add a route back to your VPN subnet on the SMB server or its gateway. So add a static route on the MikroTik over to your 10.8.0.0/8 net and set gw address to reach that net to 192.168.1.238. (your openvpn server)
by kevintitus81
Fri Mar 09, 2018 4:38 pm
Forum: General
Topic: New Mikrotik CAPs APs are nice
Replies: 0
Views: 327

New Mikrotik CAPs APs are nice

Installed a few of these last night and they are a nice upgrade from the previous model. They don't have the cheap feel the old ones did, these feel pretty solid. The ceiling hardware included worked great for the drop ceiling tiles. I had a few that seemed to reboot back to factory unsecured open M...
by kevintitus81
Mon Nov 20, 2017 8:45 pm
Forum: General
Topic: Mikrotik Switches Vs Cisco Switches
Replies: 20
Views: 5010

Re: Mikrotik Switches Vs Cisco Switches

Basically I run the switches on APC UPS units for battery backup...those have SNMP (along with the MikroTiks). We use Zabbix to monitor via SNMP. I monitor via "The Dude" as well. As far as switch loops and whatnot, the gear is in locked closets, and the ports are set up as needed (so you can't just ...
by kevintitus81
Sat Nov 18, 2017 8:02 pm
Forum: General
Topic: Mikrotik Switches Vs Cisco Switches
Replies: 20
Views: 5010

Re: Mikrotik Switches Vs Cisco Switches

I'm running the CCR series in a large campus. I have one switch acting as my fiber distribution switch, then the CCR226s as the local access switches. (The property spans an entire block) I have about 200+ active VLANs (vlaning out a gigabit ISP feed to individual tenants) and it works really well. ...
by kevintitus81
Fri Nov 17, 2017 6:26 pm
Forum: General
Topic: Mikrotik Switches Vs Cisco Switches
Replies: 20
Views: 5010

Re: Mikrotik Switches Vs Cisco Switches

Also, if you need 10G, you will probably need to go with the CRS326, I don't think the CRS125 does 10G on the SFP...(hence the 2S "+" on the CRS326) Hello Guys !!! I've been using a Cisco Switch 2960-TTL (10/100Mbps) for a long time (approx 3 years), now I'm trying to change vendor from Cisco to Mikrotik an...
by kevintitus81
Fri Nov 17, 2017 6:22 pm
Forum: General
Topic: Mikrotik Switches Vs Cisco Switches
Replies: 20
Views: 5010

Re: Mikrotik Switches Vs Cisco Switches

I think the CRS326 would be better since you'll have an extra SFP port should you need it later. I recently replaced an entire campus of Dell PowerConnect series (which are pretty close to Cisco switches in terms of features and cmd interface) with the CRS226 series. Configuration of the vlans was a ...
by kevintitus81
Wed Oct 25, 2017 4:49 pm
Forum: General
Topic: VPN Issue (Split Tunneling)
Replies: 1
Views: 510

Re: VPN Issue (Split Tunneling)

You can try a mangle to mark the udp traffic going to Blizzard. Then just create a specific route, to the destination and set to route the marked packets thru that.
by kevintitus81
Tue Aug 29, 2017 8:20 am
Forum: General
Topic: IPSEC tunnel established, but no traffic flowing
Replies: 2
Views: 1595

Re: IPSEC tunnel established, but no traffic flowing

Hi there,

Try adding a src nat allow rule to allow your local lan subnet to the dst network address.

/ip > firewall > nat > src addr */local subnet/* dst */remote network allow


Hope that helps.
by kevintitus81
Wed Aug 02, 2017 3:18 pm
Forum: General
Topic: Setup Mikrotik as VPN Service to hide Public IP
Replies: 3
Views: 1284

Re: Setup Mikrotik as VPN Service to hide Public IP

The way I do it on MikroTik is set up a PPP OpenVPN Client, where the MikroTik "dials out" to the OpenVPN service (currently using SlickVPN) then what you do is mark the traffic going out to the world and then route it out the dynamic VPN tun. The mangle rule can be your on/off switch. To make the dyn...
by kevintitus81
Thu Jul 20, 2017 7:43 pm
Forum: Beginner Basics
Topic: All traffic over VPN
Replies: 9
Views: 5093

Re: All traffic over VPN

It sounds like you need to srcnat allow your local lan subnet to the remote lan subnet.

You would add this in /ip > firewall > NAT:
src local lan subnet
dst remote lan subnet
action: allow

And you should masq internal subnet out to your ppp or vpn interface.
by kevintitus81
Mon May 01, 2017 5:28 pm
Forum: Forwarding Protocols
Topic: IPSec tunel not passing traffic
Replies: 4
Views: 2346

Re: IPSec tunel not passing traffic

You might try checking that "NAT Traversal" is enabled. nat-traversal (yes | no; Default: no) Use Linux NAT-T mechanism to solve IPsec incompatibility with NAT routers in between IPsec peers. This can only be used with ESP protocol (AH is not supported by design, as it signs the complete packet, incl...
by kevintitus81
Thu Apr 27, 2017 4:47 pm
Forum: Beginner Basics
Topic: VLAN, Management and multiple switches
Replies: 4
Views: 1461

Re: VLAN, Management and multiple switches

I spent many hours on this working on a system for a multi-tenant bldg using cloud core switches and switch-chip. Best advice I can give is to slave your access ports to a master port, then make sure all of your ingress-translations are set up, then egress translations, and finally giving those ports...
by kevintitus81
Sat Apr 15, 2017 8:31 pm
Forum: Wireless Networking
Topic: Not seeing traffic in CAPsMAN, but APs are up and running
Replies: 3
Views: 715

Re: Not seeing traffic in CAPsMAN, but APs are up and running

Ok I figured out my problem. The reason I wasn't seeing the traffic on the CAPS interface in CAPsMAN was the configuration Datapath setting for "local forwarding" was checked to be enabled. Reading more of the documentation, it appears if set to local forwarding the CAP radio itself would handle all...
by kevintitus81
Sat Apr 15, 2017 12:57 am
Forum: Wireless Networking
Topic: Not seeing traffic in CAPsMAN, but APs are up and running
Replies: 3
Views: 715

Re: Not seeing traffic in CAPsMAN, but APs are up and running

I was able to confirm this to be an issue (possibly with the latest 6.38.5 firmware) I checked another site that has an identical capsman config and router config, and I can see the interface traffic on the caps interface (the one that gets dynamically created when a cap comes online) yet for some r...
by kevintitus81
Thu Apr 13, 2017 5:02 pm
Forum: General
Topic: 50% bandwidth loss RB2011UiAS
Replies: 18
Views: 2273

Re: 50% bandwidth loss RB2011UiAS

What is your wan link negotiating at? I have seen some issues in the past where the ISP side (link partner) was advertising half duplex, and so my WAN link was linking at half capacity. I would check that out, make sure the link partner is advertising and linking to the proper speed/duplex. Once the...
by kevintitus81
Thu Apr 13, 2017 4:52 pm
Forum: General
Topic: L2TP IPSEC stronger crypto
Replies: 4
Views: 1164

Re: L2TP IPSEC stronger crypto

You should be able to specify dynamic source in the ipsec policy (src addr 0.0.0.0/0) and then modify the proposal to the crypto strength you prefer. I'm using l2tp/ipsec for road warrior configs, you can try it out with site-to-site.
by kevintitus81
Wed Apr 12, 2017 6:03 pm
Forum: Wireless Networking
Topic: Not seeing traffic in CAPsMAN, but APs are up and running
Replies: 3
Views: 715

Re: Not seeing traffic in CAPsMAN, but APs are up and running

I guess if I moved the cap over to a port on the rb2011 I would see the interface traffic, but since the pinging host and cap are on the same L2 bridge it's just forwarding direct. Strange thing is I don't see the icmp on the port feeding the cap, does capsman add some encapsulation?
by kevintitus81
Wed Apr 12, 2017 5:49 pm
Forum: Wireless Networking
Topic: Not seeing traffic in CAPsMAN, but APs are up and running
Replies: 3
Views: 715

Not seeing traffic in CAPsMAN, but APs are up and running

Seeing some weird stuff here... I have an RB2011, with eth2 uplinking to a CRS24 port switch. The switch is set up with all ports slaved to eth1 (default config). I have my cap fed from the switch. I have an office-net bridge and a guestnet bridge, and have all of that up and running. Clients are conne...
by kevintitus81
Fri Apr 07, 2017 1:12 am
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 3132

Re: Connect MK - Linux laptop Serial

I would advise using "screen" if you are running linux, I have had issues with putty on serial connections in the past.

screen /dev/ttyUSB0 19200

then hit enter once and see if you get anything.

You may need to winbox to the device and check serial settings too.
by kevintitus81
Thu Apr 06, 2017 3:34 am
Forum: Beginner Basics
Topic: DNS zone transfer behind NAT
Replies: 9
Views: 1650

Re: DNS zone transfer behind NAT

thx. @Kevin 39 ;;; Block all exc. related chain=forward action=drop connection-state=!established,related connection-nat-stat src-address-list=!OK log=yes log-prefix="ALL-39" would that do ? @Skuykend i have 1 src-nat rule and that is masquerade ps below is capture from log, 194.146. ip is secondar...
by kevintitus81
Wed Apr 05, 2017 8:23 pm
Forum: General
Topic: Mangle, Queue and more
Replies: 4
Views: 668

Re: Mangle, Queue and more

I haven't done too much with PCQ yet, but I remember I had to mark my src traffic as "upload" and then traffic coming in my wan interface (eth1) as "download" Then I set the parent queue to my bandwidth (5/5M in your case). I'll see if I can replicate this tonight on a device and then post the confi...
by kevintitus81
Wed Apr 05, 2017 5:53 am
Forum: General
Topic: routed segments traffic pass through backbone router
Replies: 10
Views: 1082

Re: routed segments traffic pass through backbone router

On the router that you want the switching to happen on, do you have the ports in the switch group slaved to a master port? You may also want to try adding these ports to a bridge if you want those ports to be in the same L2 group (broadcast domain). Hope this helps...
by kevintitus81
Wed Apr 05, 2017 4:54 am
Forum: General
Topic: Mangle, Queue and more
Replies: 4
Views: 668

Re: Mangle, Queue and more

For a base firewall config I usually go with something like:

/ip firewall filter
add action=drop chain=input comment="Drop invalid input" connection-state=invalid
add action=accept chain=input comment="allow established and related input" \
    connection-state=established,related
add action=drop chain=...
by kevintitus81
Mon Apr 03, 2017 7:57 am
Forum: Beginner Basics
Topic: L2TP/IPsec Lan-to-Lan
Replies: 9
Views: 1709

Re: L2TP/IPsec Lan-to-Lan

Now that I think about it, it is probably because I have two separate lans I am tunneling to from behind the remote peer? I noticed it would flap around to one or the other.
by kevintitus81
Sat Apr 01, 2017 3:45 am
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 3132

Re: Connect MK - Linux laptop Serial

In ubuntu I usually use "screen" to console in via serial. Usually it goes something like this...

user# sudo screen /dev/ttyUSB0 19200 <--(my particular usb to serial dongle) and then see if you get console.
by kevintitus81
Sat Apr 01, 2017 3:20 am
Forum: Beginner Basics
Topic: Vlan help
Replies: 7
Views: 989

Re: Vlan help

I just finished a multi-tenant vlan config consisting of a distribution switch and multiple access switches. I found switch chip configuration to work much better. It seemed like running the vlans on bridges was very CPU intensive. Using switch-chip CPU is about 5-10% on average during peak business...
by kevintitus81
Sat Apr 01, 2017 3:12 am
Forum: Beginner Basics
Topic: DNS zone transfer behind NAT
Replies: 9
Views: 1650

Re: DNS zone transfer behind NAT

Do you have a firewall rule to allow established and related connections forward?
by kevintitus81
Sat Apr 01, 2017 3:03 am
Forum: Beginner Basics
Topic: L2TP/IPsec Lan-to-Lan
Replies: 9
Views: 1709

Re: L2TP/IPsec Lan-to-Lan

Quick note too... if you do multi site ipsec on the routerboard, be sure you set the ipsec policy action level to "unique" otherwise only one of the vpns will maintain its connection. I had this issue and it took me a while to figure it out.

Regards,
Kevin Titus
MTCNA / Sophos
by kevintitus81
Fri Mar 31, 2017 5:22 pm
Forum: Announcements
Topic: v6.38.5 [current]
Replies: 66
Views: 26392

Re: v6.38.5 [current]

^^^ I saw that last night and figured I would come and share...just to help raise some awareness to the issue. https://www.exploit-db.com/exploits/41752/ Latest DOS exploit for 6.38.5, looks like it only effects the winbox port 8291. So if you can drop outside input traffic to that port maybe will p...
by kevintitus81
Fri Apr 15, 2016 5:37 pm
Forum: Wireless Networking
Topic: Excessive link-downs on interface feeding CAP station
Replies: 1
Views: 718

Re: Excessive link-downs on interface feeding CAP station

The solution was replacing the CAP with the bad link downs. So far so good!
by kevintitus81
Tue Mar 22, 2016 11:45 pm
Forum: Wireless Networking
Topic: Excessive link-downs on interface feeding CAP station
Replies: 1
Views: 718

Excessive link-downs on interface feeding CAP station

Hello, I am hoping somebody can give me some advice. I have an issue with one of my new installs where the interface feeding my CAP station shows tons of link-downs. Over 400+ link downs over the course of a few weeks. The site consists of an RB2011 acting as the CAPsMAN controller, and two CAP statio...