Community discussions

Search found 34 matches

by total13
Thu Aug 22, 2019 9:19 am
Forum: General
Topic: VPN with Cisco ASA VTI
Replies: 2
Views: 415

Re: VPN with Cisco ASA VTI

Hmm, wanted to avoid policy based IPsec to make it routable. This way I have BGP running over this link to make it scalable, however it requires some subnet summarization.

Thanks for update!
by total13
Wed Aug 21, 2019 8:04 pm
Forum: General
Topic: VPN with Cisco ASA VTI
Replies: 2
Views: 415

VPN with Cisco ASA VTI

Hello everyone, I have looked for some guides to connect Mikrotik and Cisco ASA VTI (http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.html), but was unable to find any. I followed guides that explain connectivity to AWS and I have managed to get bas...
by total13
Wed Apr 24, 2019 11:23 am
Forum: General
Topic: SSTP connection Idle timeout
Replies: 0
Views: 199

SSTP connection Idle timeout

Hello everyone, I have weird issue with SSTP server, under profile I have configured "Idle timeout" under profiles. However it seems even though user is active "over connection" this idle timeout terminates connection after time expires. Meaning idle timeout = uptime and when "uptime" expires set va...
by total13
Tue Jan 29, 2019 4:59 pm
Forum: Forwarding Protocols
Topic: BGP next hop unreachable
Replies: 0
Views: 422

BGP next hop unreachable

I have unusual situation where 1 mikrotik (R0) peering with 2 mikrotik routers (all in same subnet). And let's say that 1st mikrotik has IP 10.10.3.21/25 and two peers are R1 10.10.3.1/25 and R2 10.10.3.2/25. There are many routes exchanged between them and what is issue that for some routes on R0, ne...
by total13
Thu Dec 27, 2018 6:18 pm
Forum: General
Topic: L2TP use-ipsec function with RSA certificate
Replies: 13
Views: 3853

Re: L2TP use-ipsec function with RSA certificate

Hello,

any update on this issue? On SSTP server we can verify client certificate. Is it possible to implement same for L2TP server? Seems like relatively simple thing to do, but maybe I am mistaken.
by total13
Wed Oct 17, 2018 9:36 am
Forum: Virtualization
Topic: CHR kernel crash when heavy traffic
Replies: 7
Views: 2035

Re: CHR kernel crash when heavy traffic

Hello I have also noticed that disabling connection tracking improves stability of CHR. However I need this feature since it runs WebProxy.

What is the root cause for this issue and can it be fixed?
by total13
Thu Oct 04, 2018 9:03 am
Forum: General
Topic: CHR stability
Replies: 3
Views: 549

CHR stability

Hello everyone, I keep experiencing CHR instability as in they keep rebooting once per day. 6 months ago they had uptime of 100+ days, however with recent flood of upgrades we started having issues. Specially after that one release that had issues with HyperV virtualization. The issue was presented ...
by total13
Wed Aug 08, 2018 4:06 pm
Forum: General
Topic: Vulnerability CVE-2018-5390 [SOLVED]
Replies: 13
Views: 2301

Re: Vulnerability CVE-2018-5390 [SOLVED]

We use Mikrotik for SSTP connectivity from home so for example port 443 is open for connections...
by total13
Wed Aug 08, 2018 1:58 pm
Forum: General
Topic: Vulnerability CVE-2018-5390 [SOLVED]
Replies: 13
Views: 2301

Vulnerability CVE-2018-5390 [SOLVED]

Hello everyone, I am interested if Mikrotik RouterOS is affected by CVE-2018-5390, which affects CentOS or RedHat (versions 5,6,7), or on other Linux Kernel version 4.9+. I see here: https://wiki.mikrotik.com/wiki/Manual:RouterOS_features that RouterOS is based on linux v3.3.5 kernel, so on first gl...
by total13
Wed May 23, 2018 12:13 pm
Forum: General
Topic: Warning before installing CHR 6.42.1 on Hyper-V
Replies: 22
Views: 3514

Re: Warning before installing CHR 6.42.1 on Hyper-V

Hello, I can confirm 6.40.8 is stable on all but one device I plan to replace today. I will remove it from production and upgrade it to 6.42.1 to try to get more spout files. I have watchdog enabled and it reboots device whenever it loses connection but for some reason it never sends spout via mail...
by total13
Mon May 14, 2018 3:15 pm
Forum: General
Topic: Warning before installing CHR 6.42.1 on Hyper-V
Replies: 22
Views: 3514

Re: Warning before installing CHR 6.42.1 on Hyper-V

Any update planned for this issue?
by total13
Wed May 09, 2018 6:28 pm
Forum: General
Topic: Warning before installing CHR 6.42.1 on Hyper-V
Replies: 22
Views: 3514

Re: Warning before installing CHR 6.42.1 on Hyper-V

I came here to find if there is some bug, we have had 3 devices already cut off from network. Devices seem to be "pingable" from local network, but reboot solves issue. Also do not know if it is related, but we had 2 devices lose interface data - interface name reverted to default perhaps. (IP addr...
by total13
Wed Jan 03, 2018 9:35 am
Forum: General
Topic: SSTP server encryption offer [SOLVED]
Replies: 2
Views: 529

Re: SSTP server encryption offer [SOLVED]

I had SSTP uptimes of over 30days before I upgraded my router to ver6.41 some five days ago. And now? :) Is it Mikrotik - Mikrotik SSTP or you are connecting from Windows client? I have noticed weird behaviour: seems SSTP resets after "Idle-Timeout" counter no matter if connection is active or not....
by total13
Tue Jan 02, 2018 6:39 pm
Forum: General
Topic: SSTP server encryption offer [SOLVED]
Replies: 2
Views: 529

SSTP server encryption offer [SOLVED]

Hello,

is it possible to configure / change priority of SSTP server encryptions? So we can enforce AES128 encoding over AES256.

Also does someone have advice on SSTP connection stability, since it seems to break every hour or so...

Thanks in forward!
by total13
Wed Dec 27, 2017 5:03 pm
Forum: General
Topic: WinBox security?
Replies: 13
Views: 9253

Re: WinBox security?

Is it possible to "disable" clear text mode on MT itself so when connecting over winbox, it is always in secure mode?
by total13
Thu Oct 26, 2017 12:52 pm
Forum: General
Topic: Radius timeout limit
Replies: 4
Views: 883

Re: Radius timeout limit

Nope, it fails to us because OTP request / response is created after first auth is passed (and timer starts)...
by total13
Wed Oct 25, 2017 9:37 am
Forum: General
Topic: Radius timeout limit
Replies: 4
Views: 883

Re: Radius timeout limit

Yes in single authentication, but when you have dual authentication (like one time password - OTP) then we want to give users more time to enter it....

Kind regards,
by total13
Tue Oct 24, 2017 3:23 pm
Forum: General
Topic: Radius timeout limit
Replies: 4
Views: 883

Radius timeout limit

Hello everyone, I have checked older posts concerning radius setup time limit and errors from it but I have not found any reason why is there such "small" range of radius timeout valid values: [admin@MT1] /radius> set 2 timeout=20s value of timeout is out of range (00:00:00.010 .. 00:00:10) [admin@M...
by total13
Fri Aug 04, 2017 3:59 pm
Forum: General
Topic: freeradius login users. cleartext passwords
Replies: 7
Views: 5919

Re: freeradius login users. cleartext passwords

Same problem here, any solution?
by total13
Tue Mar 28, 2017 11:52 am
Forum: General
Topic: SNMP issue when responding from different interface
Replies: 1
Views: 420

Re: SNMP issue when responding from different interface

Just wanted to post update: I have "solved" this issue with some NATting so I modify SNMP requests so they "always" come from same interface (or at least Mikrotik thinks that his neighbour is asking and responding to him) So bottom problem remains, is this as intended or ? UPDATED: received reply fr...
by total13
Mon Mar 27, 2017 9:40 pm
Forum: General
Topic: SNMP issue when responding from different interface
Replies: 1
Views: 420

SNMP issue when responding from different interface

Hello everyone, I have issue with CCR1036-12G-4S v6.37.5 and v6.38.5 (although I have tried different versions too). When sending SNMP request (get) to Mikrotik, it does not send SNMP response when it should respond from different interface. For example I have usually SFP for uplink and when request...
by total13
Thu Jan 26, 2017 11:02 am
Forum: General
Topic: Wireless radius server auth problem
Replies: 5
Views: 855

Re: Wireless radius server auth problem

Definitely recommend Notepad ++, using it myself, also has nice feature it can add mikrotik syntax to itself so it nicely "color codes" mikrotik commands...
by total13
Tue Jan 24, 2017 7:40 pm
Forum: General
Topic: IPsec VPN with multiple subnets in "cryptomap"
Replies: 9
Views: 3414

Re: IPsec VPN with multiple subnets in "cryptomap"

set level=unique otherwise only one policy will work with cisco.
No, you should not.

Try creating/restoring a setup with policies instead of policy templates, set level=unique. If it does not work, post /ip ipsec export here.
Thank you that worked!
by total13
Tue Jan 24, 2017 6:43 pm
Forum: General
Topic: IPsec VPN with multiple subnets in "cryptomap"
Replies: 9
Views: 3414

Re: IPsec VPN with multiple subnets in "cryptomap"

On a general note, one of the biggest problems with Cisco is terminology. What Cisco calls "cryptomap" is called "IPsec policy" everywhere else outside of the Cisco world. :) thanks for noting, would change topic but don't think I can. Also should I give different "priority" to policies? I have trie...
by total13
Tue Jan 24, 2017 6:37 pm
Forum: General
Topic: IPsec VPN with multiple subnets in "cryptomap"
Replies: 9
Views: 3414

Re: IPsec VPN with multiple subnets in "cryptomap"

I am trying to create MT as "peer device" so it can establish VPN to ASA or from ASA. Bidirectional VPN. Like 2 offices with multiple subnets. You created template for dynamic policies, but policy generation is disabled. See example here how to make static policies http://wiki.mikrotik.com/wiki/Manu...
by total13
Tue Jan 24, 2017 6:34 pm
Forum: General
Topic: Wireless radius server auth problem
Replies: 5
Views: 855

Re: Wireless radius server auth problem

I mean, it works, but as I said, problem is that "window configuration" adds extra "\\\\" characters to radius PSK. When I paste configuration (PSK) to terminal, it paste-s fine.... Ok, it is maybe redundant to answer to myself but if someone else has similar problem "\" character is used to note "...
by total13
Tue Jan 24, 2017 6:32 pm
Forum: Wireless Networking
Topic: Wireless clients keep getting disconnected/reconnected
Replies: 23
Views: 13260

Re: Wireless clients keep getting disconnected/reconnected

I've got same problem for long time, I'm going to show you something, if you fix it up, let me know http://wiki.mikrotik.com/wiki/Manual:Wireless_Debug_Logs Sorry for delayed answer but, tried factory defaulting device and there were still problems so in the end we bought new device and it solved pro...
by total13
Tue Jan 24, 2017 6:28 pm
Forum: Beginner Basics
Topic: Disable Filter rules at one shot from Terminal
Replies: 8
Views: 17194

Re: Disable Filter rules at one shot from Terminal

Hmm, sometimes it worked fine and sometimes not, although I admit it was bit "crude" tool, so I found better:
/ip firewall filter remove [/ip firewall filter find]
by total13
Tue Jan 24, 2017 6:21 pm
Forum: General
Topic: IPsec VPN with multiple subnets in "cryptomap"
Replies: 9
Views: 3414

IPsec VPN with multiple subnets in "cryptomap"

Hello, I am trying to configure IPsec VPN with CISCO ASA with multiple subnets in "cryptomap". I am fairly familiar with configuring VPNs on ASA side and it is fairly easy to populate cryptomap/NAT exempt objects for specific VPN tunnel but on Mikrotik it seems you need to create specific configurat...
by total13
Tue Dec 20, 2016 6:38 pm
Forum: Beginner Basics
Topic: Disable Filter rules at one shot from Terminal
Replies: 8
Views: 17194

Re: Disable Filter rules at one shot from Terminal

Hello!
I am having issues with this command:
:for x from 1 to 100 do={/ip firewall filter remove $x}
I sometimes get response:
no such item (4)

And sometimes it just deletes rules as it should. Any ideas why is this happening?
by total13
Thu Jul 21, 2016 11:45 am
Forum: Wireless Networking
Topic: Wireless clients keep getting disconnected/reconnected
Replies: 23
Views: 13260

Re: Wireless clients keep getting disconnected/reconnected

I have noticed that problem might be in authentication mode, I have created/tested several security profiles with WPA2 PSK, different keys but when it is on, clients get disconnected. It is not wrong setup since it is tested several times and sometimes clients get connected for like 5 minutes but wh...
by total13
Thu Jul 21, 2016 11:13 am
Forum: General
Topic: Wireless radius server auth problem
Replies: 5
Views: 855

Re: Wireless radius server auth problem

I mean, it works, but as I said, problem is that "window configuration" adds extra "\\\\" characters to radius PSK. When I paste configuration (PSK) to terminal, it paste-s fine....
by total13
Thu Jul 21, 2016 11:11 am
Forum: Wireless Networking
Topic: Wireless clients keep getting disconnected/reconnected
Replies: 23
Views: 13260

Wireless clients keep getting disconnected/reconnected

Hello! I have problem with RB2011UiAS-2HnD v6.34.5 (was downgraded from v6.64.6 that has similar problem). Is it plain hardware fault (wireless module)? Wireless clients keep getting disconnected, few seconds after getting connection. I have tested with completely open wireless (no auth) and there i...
by total13
Fri Jul 08, 2016 2:36 pm
Forum: General
Topic: Wireless radius server auth problem
Replies: 5
Views: 855

Wireless radius server auth problem

Hello, new to these boards. I have problem that couldn't find answer for. I was configuring wireless network with security profile that used RADIUS for authentication. Everything was setup perfectly but when I configured RADIUS server over "New Radius Server" window and I have copy/pasted previously ...