Search found 36 matches

by bluecrow76
Sat Dec 02, 2023 3:38 am
Forum: General
Topic: openvpn and AES-256-GCM
Replies: 17
Views: 11177

Re: openvpn and AES-256-GCM

No. Support for AES-256-GCM, AES-128-GCM and CHACHA20-POLY1305 compatible with standard OpenVPN implementation should be added. It is big problem for me. AES-GCM (128/192/256) was added to RouterOS 7.8 in February of 2023 (only after they had added it to just about everything else that uses encrypt...
by bluecrow76
Tue Jun 20, 2023 2:43 pm
Forum: Announcements
Topic: v7.10, 7.10.1 and more [stable] are released!
Replies: 366
Views: 130789

Re: v7.10 [stable] is released!

Mikrotik support provided me with the same ROS routeros-7.11alpha126 firmware to try about an hour ago. While I didn't have any physical hardware I could easily test the alpha firmware on, I spun up a test CHR instance with 7.10 and verified that the OpenVPN Server bug was present on a CHR instance....
by bluecrow76
Fri Jan 20, 2023 7:19 pm
Forum: General
Topic: DNS forwarding - multiple DNS servers?
Replies: 3
Views: 5670

Re: DNS forwarding - multiple DNS servers?

I've used this same setup ever since the FWD option was added to RouterOS. I swear I've tested this in the past and failover worked just fine between multiple FWD / forward-to static entries, but this morning a customer's primary DNS server went offline and remote sites that were configured to use t...
by bluecrow76
Mon Dec 05, 2022 9:42 am
Forum: General
Topic: AWS CHR Upgrade to 7.3.1 Fails to boot LoaE01
Replies: 12
Views: 3469

Re: AWS CHR Upgrade to 7.3.1 Fails to boot LoaE01

I've been dealing with this same issue and working with Mikrotik support since March. Previously I was unable to figure out how to create my own AMI. This weekend I finally realized what I was previously doing wrong. I have documented in relative detail the issues I've experienced with T3/T3a instan...
by bluecrow76
Mon Dec 05, 2022 9:41 am
Forum: General
Topic: CHR on Amazon Cloud ROS 7 upgrade server crash
Replies: 8
Views: 1685

Re: CHR on Amazon Cloud ROS 7 upgrade server crash

I've been dealing with this same issue and working with Mikrotik support since March. Previously I was unable to figure out how to create my own AMI. This weekend I finally realized what I was previously doing wrong. I have documented in relative detail the issues I've experienced with T3/T3a instan...
by bluecrow76
Sat Jul 23, 2022 8:11 pm
Forum: Announcements
Topic: v7.4 [stable] is released!
Replies: 224
Views: 55983

Re: v7.4 [stable] is released!

The following bug report was just sent to support@mikrotik.com:

[SUP-87865] After upgrading a CCR1009 from 6.49.6 to 7.4, I found that the new-routing-mark entries in all mangle rules were reset to "main" instead of the previously configured route marks.
by bluecrow76
Wed Apr 20, 2022 11:29 pm
Forum: General
Topic: openvpn and AES-256-GCM
Replies: 17
Views: 11177

Re: openvpn and AES-256-GCM

For anyone wanting some actual technical information on the issue, this article does a good job of explaining the issue with AES-CBC. "If you really have no choice and need to use CBC, you can still secure it by computing a message authentication code (MAC) from the ciphertext and IV, this can ...
by bluecrow76
Sun Apr 10, 2022 11:13 pm
Forum: Announcements
Topic: v7.2 is released!
Replies: 359
Views: 62051

Re: v7.2 is released!

OpenVPN client broken with AES-256-CBC since upgraded to RouterOS 7.2 (from 7.1.5), switching to Blowfish 128 works. Echoing the experience. Upgraded from 7.1.5 to 7.2 and some OpenVPN clients using AES on some routers are broken. It does not matter which AES cipher is chosen... none of them work w...
by bluecrow76
Tue Nov 30, 2021 12:56 am
Forum: General
Topic: IPSec VTI
Replies: 55
Views: 23124

Re: IPSec VTI

Earlier this year I sent an email to Mikrotik support asking if VTI was going to be included in ROS v7 as I had some customer projects coming up that needed VTI support. On Aug 30th, 2021, I received a reply stating "Unfortunately, currently there are no short term plans to implement this featu...
by bluecrow76
Mon Apr 19, 2021 10:43 pm
Forum: General
Topic: Azure VPN [SOLVED]
Replies: 12
Views: 63252

Re: Azure VPN [SOLVED]

I just ran into some problems setting up a customer connection to their Azure environment and thought I would share the resolution. The errors we were receiving were "payload missing: ID_" and "TS_UNACCEPTABLE" depending which side was the initiator. The trick is enabling the "...
by bluecrow76
Wed Apr 14, 2021 9:29 pm
Forum: General
Topic: IPSec error payload missing: ID_R
Replies: 3
Views: 3747

Re: IPSec error payload missing: ID_R

Remote-id=ignore simply skips the ID checking against remote peer's certificate. Responder should always send the ID_r payload as per rfc7296.

https://tools.ietf.org/html/rfc7296#appendix-C.2
The remote-id=ignore is only used for certificate based authentication... not PSK.
by bluecrow76
Thu Apr 01, 2021 3:09 am
Forum: General
Topic: IPSec VTI
Replies: 55
Views: 23124

Re: IPSec VTI

Not to mention that this would allow interop with many other router vendors' IPSEC VTI based tunneling solutions.
by bluecrow76
Thu Sep 24, 2020 4:13 am
Forum: Scripting
Topic: send script output to a file
Replies: 13
Views: 12048

Re: send script output to a file

@bluecrow76 May I know what is your RouterOS version, It seems " execute script=$a file=$filename" only works in early version such as 6.45.9, it doesn't work on 6.47.3. I don't recall the exact version I was running when I posted this back in April, but I would have been running whatever...
by bluecrow76
Sun Jun 28, 2020 11:22 am
Forum: General
Topic: Feature request: NS in static DNS
Replies: 37
Views: 15700

Re: Feature request: NS in static DNS

We finally got our wish! I'm not sure when this was added, but in v6.47 you can now specify the record type!!!

Thank you Mikrotik! It only took 12 years. :-)
by bluecrow76
Sun Jun 28, 2020 11:09 am
Forum: RouterOS beta
Topic: v7.0beta8 [development] is released!
Replies: 178
Views: 92861

Re: v7.0beta8 [development] is released!

Did some testing with BGP this evening. BGP does not work when a TCP MD5 key is specified. Removing the TCP MD5 key requirement from the remote peer allows BGP to connect. When the TCP MD5 key is specified, there are no error messages on either end regarding an invalid key as would be expected. This...
by bluecrow76
Sun Apr 12, 2020 10:51 am
Forum: Scripting
Topic: send script output to a file
Replies: 13
Views: 12048

Re: send script output to a file

has been solved with this command {:local a [/system script get script1 source]; execute script=$a file=$fname1} Fantastic solution!!! This came to my rescue this evening. I wrote a script to print out the netwatch statuses in CSV format, but I wanted to save the output to a file for easy downlo...
by bluecrow76
Fri Dec 06, 2019 9:02 pm
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 69411

Re: v6.46 [stable] is released!

Background Images in the Dude won't load. And what happened to the font, the "1" at the end isn't readable. https://i.imgur.com/YRRrup3.png :arrow: CONFIRM Images in the Dude won't load. /dude/files/default Permission denied Don't update DUDE !!! :arrow: confirm bug on ARM and CHR devices...
by bluecrow76
Fri Jan 25, 2019 7:03 pm
Forum: General
Topic: Enable TCP ECN for bandwidth efficiency
Replies: 14
Views: 8423

Re: Enable TCP ECN for bandwidth efficiency

It would be more interesting to know (as these are routers) which queue types, if any, support ECN in MikroTik products. https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter Being able to set the ECN flag is a much different thing than knowing whether or not a queuing mechanism supports setting...
by bluecrow76
Fri Feb 02, 2018 8:01 am
Forum: Announcements
Topic: v6.41.1 [current]
Replies: 104
Views: 32727

Re: v6.41.1 [current]

I was upgrading some routers from previous versions to 6.41, when all of a sudden I notice the most recent version is now 6.41.1. :-) I noticed that on 6.41.1 I am unable to change the neighbor discover-setting. Shown below are console output from a 6.41 router and a 6.41.1 router. They are the same...
by bluecrow76
Thu Oct 05, 2017 11:59 pm
Forum: General
Topic: Feature request: NS in static DNS
Replies: 37
Views: 15700

Re: Feature request: NS in static DNS

Just so everyone knows, this was a feature request long before this thread. We asked for this back when we were using RoS v2. They were able to add RegEx capabilities to the DNS proxy, but nothing yet in over 10 years about being able to specify the record type... I'm working on an issue for a custo...
by bluecrow76
Wed Aug 16, 2017 7:52 pm
Forum: General
Topic: [feature request] |Normal working RSTP/MSTP support
Replies: 2
Views: 1849

Re: [feature request] |Normal working RSTP/MSTP support

In case people haven't noticed yet, changes are afoot as of 6.40rc29 to bring MSTP to RouterOS. I noticed it in the release candidate channel firmware at 6.41rc11 (cli-only mode currently). See the link below for the only reference to it on the Wiki: https://wiki.mikrotik.com/wiki/Manual:Interface/B...
by bluecrow76
Wed Aug 16, 2017 7:51 pm
Forum: General
Topic: Multiple Spanning Tree Protocol MSTP/PVST+
Replies: 2
Views: 2105

Re: Multiple Spanning Tree Protocol MSTP/PVST+

In case people haven't noticed yet, changes are afoot as of 6.40rc29 to bring MSTP to RouterOS. I noticed it in the release candidate channel firmware at 6.41rc11 (cli-only mode currently). See the link below for the only reference to it on the Wiki: https://wiki.mikrotik.com/wiki/Manual:Interface/B...
by bluecrow76
Wed Aug 16, 2017 7:50 pm
Forum: General
Topic: Feature Request: MSTP
Replies: 3
Views: 2633

Re: Feature Request: MSTP

In case people haven't noticed yet, changes are afoot as of 6.40rc29 to bring MSTP to RouterOS. I noticed it in the release candidate channel firmware at 6.41rc11 (cli-only mode currently). See the link below for the only reference to it on the Wiki: https://wiki.mikrotik.com/wiki/Manual:Interface/B...
by bluecrow76
Wed Aug 16, 2017 7:49 pm
Forum: General
Topic: Feature Request: PVST+/MSTP
Replies: 8
Views: 8179

Re: Feature Request: PVST+/MSTP

In case people haven't noticed yet, changes are afoot as of 6.40rc29 to bring MSTP to RouterOS. I noticed it in the release candidate channel firmware at 6.41rc11 (cli-only mode currently). See the link below for the only reference to it on the Wiki: https://wiki.mikrotik.com/wiki/Manual:Interface/B...
by bluecrow76
Sat Aug 05, 2017 3:53 am
Forum: General
Topic: What is Tools->Profile->SPI usage??
Replies: 21
Views: 22938

Re: What is Tools->Profile->SPI usage??

What about the stateful packet inspection? I would think that would fall under the category of firewall as conntrack is a component of iptables. Unfortunately I can't find any instance of where anyone from Mikrotik has officially documented what spi in the profile tool actually means. My comments ar...
by bluecrow76
Fri Aug 04, 2017 10:22 pm
Forum: General
Topic: What is Tools->Profile->SPI usage??
Replies: 21
Views: 22938

Re: What is Tools->Profile->SPI usage??

SPI stands for Serial Peripheral Interface. It is one of the buses on the router that is used to talk to certain components, like the LCD panel as previously stated. Anyone that has ever messed with an Arduino should be familiar with this type of bus. https://en.wikipedia.org/wiki/Serial_Peripheral...
by bluecrow76
Fri Jul 19, 2013 1:00 am
Forum: General
Topic: Feature request: Sonicwall/Fortinet style high availability
Replies: 2
Views: 2305

Feature request: Sonicwall/Fortinet style high availability

This is a revenue generating opportunity for Mikrotik. We have numerous customers that would pay an additional licensing fee to have this product added to the Mikrotik router. I could easily sell this for $1000 a site. We are having to go to other router vendors (Sonicwall, Fortinet, Watchguard) to ...
by bluecrow76
Mon Feb 06, 2012 9:29 pm
Forum: General
Topic: Clear user command history
Replies: 13
Views: 20010

Re: Clear user command history

I'm gonna give this a big bump!

I find it easier to create new users from the command line, but I don't do it anymore because the password that is set is in plain text in the history. Not good when there's no way to clear it!

Shouldn't be that difficult to add /system history clear...
by bluecrow76
Thu Aug 25, 2011 5:24 pm
Forum: The Dude
Topic: Command line parameters
Replies: 3
Views: 3652

Re: Command line parameters

BUMP

I can't believe this hasn't been addressed yet.

I've added --secure and :2211 to the address and it still connected using remote.

This seems like it would be a pretty obvious and easy problem to solve.
by bluecrow76
Sat Feb 05, 2011 1:52 am
Forum: Forwarding Protocols
Topic: [BUG REPORT] BGP GUI: Instance routing-table
Replies: 1
Views: 1366

[BUG REPORT] BGP GUI: Instance routing-table

I can't find where this has been reported before, so here it is. This exists in RouterOS 4.16 and 5.0rc7. If you add a BGP instance from the console, you have the option to set the routing-table option. This option is not available in the GUI. It would be handy to have in the GUI... please! :D route...
by bluecrow76
Sat Feb 05, 2011 1:35 am
Forum: Forwarding Protocols
Topic: [BUG REPORT] Wrong Destination in MPLS GUI
Replies: 0
Views: 908

[BUG REPORT] Wrong Destination in MPLS GUI

The bug appears to be merely cosmetic. Came across it doing an interop test between Mikrotik and Cisco. In RouterOS 4.16 the GUI displays the wrong Destination for the MPLS Forwarding Table as shown in the below image. Looks like an index is off by one. The console version (/mpls forwarding-table pr...
by bluecrow76
Thu Nov 18, 2010 12:57 am
Forum: General
Topic: iPhone iOS v4 problem with Hotspot Logon Page
Replies: 20
Views: 23856

Re: iPhone iOS v4 problem with Hotspot Logon Page

The trick is to do the following: /ip hotspot profile set hsprof1 dns-name="" /ip hotspot walled-garden add action=allow comment="" disabled=no dst-host=www.apple.com path=/library/test/success.html For some reason the iPhone and iPad won't resolve the dns-name of the hot spot pr...
by bluecrow76
Thu Jul 01, 2010 8:42 pm
Forum: General
Topic: dns problem for incomming vpn users
Replies: 27
Views: 32775

Re: dns problem for incomming vpn users

Just adding my two cents. Not being able to set the dns-suffix for a vpn is a big problem, and has been a big problem ever since we started using Mikrotik routers years ago in V2. I'm pretty sure this has been a feature request for a LONG TIME. Every new customer that comes our way gets a Mikrotik r...
by bluecrow76
Sat Jun 12, 2010 1:26 am
Forum: General
Topic: OpenVPN doesnt support RADIUS?
Replies: 5
Views: 5690

Re: OpenVPN doesnt support RADIUS?

Okay, so as usual with a little persistence and proper debugging, the solution has presented itself. The NAS-Port-Type presented by the OpenVPN server is 0 (Async), whereas when using PPTP it's 5 (Virtual). Make sure your radius policies allow NAS-Port-Type to also be equal to 0. The other issue was...
by bluecrow76
Sat Jun 12, 2010 1:02 am
Forum: General
Topic: OpenVPN doesnt support RADIUS?
Replies: 5
Views: 5690

Re: OpenVPN doesnt support RADIUS?

I'm experiencing the same behavior on 4.10 with OpenVPN. PPTP and L2TP will authenticate using radius, but not OpenVPN. The log shows the packets being sent and received but authentication consistently fails. I have only had success using the local user database.
by bluecrow76
Mon Dec 22, 2008 7:55 pm
Forum: General
Topic: PPTP connection drops when user has Linksys wireless router
Replies: 26
Views: 13890

Re: PPTP connection drops when user has Linksys wireless router

I have had similar issues with PPTP passthrough since the introduction of V3, regardless of minor revision. I haven't been able to nail down the cause, but I will have 20 people in an organization and 18 of them will all work fine but two will not. We will perform firmware updates on their current r...