MikroTik

Fesiitis

1. Yes, regularly. I use them to save window and column layouts for different routers. 2. I've always thought of sessions as an opportunity to personalize windows and columns to your liking. 3. If sessions could be managed from the Winbox GUI. If I want to use one session for another router, I copy ...

Fesiitis

Here is a good video from Mikrotik on this topic - https://www.youtube.com/watch?v=1I5FywY6opQ

Fesiitis

I'm also seeing a bunch of errors like these for the last few days on all routers that have IPsec configured. payloadmissing.PNG I think these are new entries on top of the existing ones ( identity not found for peer: FQDN: *something* and identity not found for peer: RFC822: research-scan@sysnet.uc...

Fesiitis

Maybe the method I use for iOS will be useful for someone. Create certificates: /certificate add common-name=XX.XX.XX.XX name=XX.XX.XX.XX sign "XX.XX.XX.XX" ca-crl-host=<router local IP> add common-name=XX.XX.XX.XX subject-alt-name=IP:XX.XX.XX.XX key-usage=tls-server name="IKE2 RSA se...

Fesiitis

So disabling this, to get full speed upload, even without reboot. ??? Yes, I watched one video about the "FastTrack" rule that also explained the cases when it is better to disable it. So, out of interest, I disabled it and ran a speed test without restarting router. And it looks like thi...

Fesiitis

Just to let you know, if anyone else has had a similar situation, I discovered the cause of the problem quite by accident, it's the "fasttrack-connection" firewall rule. After I disabled this rule, the 5GHz upload speed "skyrocketed". Even if I disable the "fasttrack-connect...

Fesiitis

Hi, After upgrading hEX S (RB760iGS) to ROSv7, I can no longer access resources behind IPsec tunnels from IKEv2 RSA road warrior VPN. It was possible on ROSv6. I have tried reseting the hEX S router to default settings on ROSv7 and configuring it for my needs from sratch but no change. If I downgrad...

Fesiitis

Ca6ko, unfortunately does not help, the same results as in the first post.

bpwl, thanks for the detailed explanation. Here is a picture showing the HW Frames and Frames columns, looks like Tx HW Frames and Tx Frames are quite different after three speedtest attempts.

frames.PNG

Fesiitis

I'm not really sure if it's related, but yesterday I upgraded hEX S from v6.49.6 to v7.2.3 and I was no longer able to connect to IPsec resources from the Road-Warrior VPN. Using IKEv2 with RSA authentication, I can connect to resources on the local network, but not to resources behind other IPsec t...

Fesiitis

Sorry for the late reply. Here are three results: When downloading whendownloading.PNG When uploading whenuploading.PNG When idle whenidle.PNG At the moment, I don't have a long enough RJ45 cable in my home to connect my router to my desktop so that I can test the speed with a cable. However, the la...

Fesiitis

Hi, I have been using cAP ac for several years now. And since day one I have noticed that the 5 GHz upload speed is much slower than the download speed. I don't use 2.4 GHz at all so I haven't tested the difference between upload and download speeds with 2.4 GHz. And I use cAP ac only as 5 GHz wirel...

Fesiitis

Thanks, sindy! I did a couple of tests on my home router last weekend. I'm not entirely sure if it's really necessary to set crl-download to yes in my case, but after I set crl-use to yes and performed the following configuration, I was able to make the router to recognize if the certificate has rev...

Fesiitis

By revoked certificates I meant client certificates, because they can't be simply deleted. When the employee leaves the company, they no longer need the VPN. And yes, for all the identities I use match-by=certificate , so I always remove the identities that were associated with revoked certificates....

Fesiitis

Hi, For a pretty long time our office router has a working IKE2 RSA VPN. No problems so far, but there are currently a few revoked certificates in the router. The identities for these certificates have already been removed. For a couple of days now I see the following entries in the router logs. Is ...

Fesiitis

Since v7.1rc5 on RB5009, I experience weird issue where router at some point is unable to access to internet anymore. No error logs, no nothing. I can access to router, but there's nothing I can do there. I have to restart the router to get access to internet again. I thought problem is related to I...

Fesiitis

Upgraded from v7.1rc4 to rc5 on RB5009, rebooted and I can't connect to VPN based on IKEv2 with RSA authentication anymore. Windows 10 gives an error "The error code returned on failure is 13816". Haven't tried with macOS. If that fails too, looks like I will have to visit a client in offi...

Fesiitis

I have similar situation between two networks. I have site-to-site VPN between 10.0.0.0/24 and 10.95.0.150. In my case I only need different source address when connecting to destinations 80 and 443 port, so I have created NAT rule that changes source IP to 10.0.25.x when connecting to 10.95.0.150:8...

Fesiitis

I think Windows 10 built-in VPN client still doesn't understand sha256 when doing phase 2 and modp2048 when doing phase 1. Change or add profiles dh-group to modp1024 and proposals auth-algorithms to sha1. I haven't tested it for myself, but you should try this.

Fesiitis

I figured out by myself. After configuring second Audience as repeater, I had to manually change some settings for wlan3. Then repeater successfully connected to main Audience. Firstly I configured both Audiences almost identically, only frequency differed - /interface bridge add name=bridge1 /inter...

Fesiitis

Hi! I bought two Audiences to replace my old wi-fi setup. The main idea is to configure both Audiences as AP bridges. One of them will be connected to router. Also I want configure both Audiences for mesh networking. It should look like this - https://i.imgur.com/42l4JQJ.png As I have never configur...

Fesiitis

I just bought one and decided to share default config for everyone interested in it. # jan/02/1970 00:01:55 by RouterOS 6.45.4 # software id = XXXX-XXXX # # model = RBD25G-5HPacQD2HPnD # serial number = XXXXXXXXXXXX /caps-man configuration add channel.band=2ghz-b/g/n channel.control-channel-width=20...

Fesiitis

@Paternot, I got your idea, but I don't have any plans for using second ethernet port, maybe in future. Currently I'm using only wi-fi.

The point is U-POE-AF from Ubiquiti would fit perfectly in my current situation. So I would be happy to see similar PoE devices from Mikrotik as well.

Fesiitis

This is my situation. There is no way RBGPOE can help without any switch or something between incoming LAN cable from ISP and my router. https://i.imgur.com/3DItBBC.jpg I'm planning to replace my current wAP with new cAP ac, and I have to figure out how to power it. Why don’t you add a female-to-f...

Fesiitis

Hi, Does Mikrotik has any plans in future for PoE Injectors similar like Ubiquiti has? For example this one - https://store.ui.com/collections/operator-accessories/products/u-poe-af RBGPOE does not fit my needs, because in my apartment the ISP has only provided incoming LAN cable without any switche...

Fesiitis

You can follow this guide how to create a Site-to-Site connection in the Azure portal - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal And there is my Mikrotik configuration, including full firewall configuration. Just replace your public IP...

Fesiitis

You have to add additional input rule on both sides -

add action=accept chain=input comment="IPsec allow access to router" \
    dst-address=<site1-router-ip> in-interface-list=WAN ipsec-policy=in,ipsec \
    src-address=<site2-subnet>

Fesiitis

These are steps I did - 1. Create CA /certificate add common-name=XX.XX.XX.XX name=XX.XX.XX.XX sign "XX.XX.XX.XX" ca-crl-host=XX.XX.XX.XX 2. Create server certificate add common-name=XX.XX.XX.XX subject-alt-name=IP:XX.XX.XX.XX key-usage=tls-server name="IKE2 RSA server" sign &quo...

Fesiitis

Thank you for the detailed explanation! ;) I just changed IP pool to different addresses and it works now. :D Previously I had PPTP enabled with 10.0.0.71-10.0.0.80 in IP pool and proxy-arp was already enabled on bridge interface, so I thought something is wrong with firewall rules. But your post ga...

Fesiitis

Hi! This is first time I have ever configured IKE2 RSA Road Warrior, I followed this tutorial - https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication Current DHCP for LAN - 10.0.0.10-10.0.0.70 I have two site-to-site IPsec tunnels configured as well - ...

Fesiitis

Does Mikrotik has any plans for this feature? Support for EAP authentication methods as initiator was added back in 6.45.1 update. I would like to know whether this feature will be added sooner or later or not at all.

Fesiitis

No, BGP should be configured only if you only really needs it. Also there's no need for additional Routes from Azure side. With default NSG rules, Azure should allow IPsec traffic for both sides.

Fesiitis

First srcnat rule is not meant to allow Azure to On-Premise traffic, it is for On-Premise to Azure. Basically with that srcnat, mangle rule and these default fw rules you should be able to access Azure from On-Premise and vice versa. I have many IPsec tunnels created from Mikrotik to Azure that way ...

Fesiitis

You have to add additional NAT rule to access Azure from On-Premise - /ip firewall nat add action=accept chain=srcnat comment="Azure" dst-address=\ azure-subnet/24 src-address=onprem-subnet/24 Also Azure suggests to clamp TCP MSS at 1350, so you should set this value by adding additional M...

Fesiitis

I'm pretty new on VLAN's, never had any needs to configure it before, so basically this is first time I'm doing it. Here you can see how I would like to see network for wifi for employees and guests - https://i.imgur.com/1MukyEr.png On cAP ac has no any specific configuration yet, it's basically fre...

Fesiitis

This router has only 16 MB of storage size. I have RBwAP2nD and RB760iGS as well. On RBwAP2nD I had upgrade problems just because of storage size. And I solved this by getting rid of unwanted packages. Go to System > Packages and uninstall packages you don't use. Now on both routers I have only thes...

Fesiitis

Thanks for reply. This works. Next time I will post configuration as a text, thanks for suggestion.

Fesiitis

I found this topic, because I have a same issue the OP had. Except I don't have L2TP/IPsec VPN, but IKE2 IPsec configured. And changing from !LAN to WAN does not fix issue, I can't access to router from any device on 10.12.14.0/24 network at all. If I disable that default "not from LAN" ru...

Fesiitis

I'm waiting for ike2 support for eap as responder. Hope this feature will be added soon, since support for this as initiator was added in v6.45.1 update.

Fesiitis

Does it stuck on "Connecting to **IP address**"? If yes then it's not Mikrotik problem. I have same issue with L2TP. On 1803 I had this issue if I had GeForce Experience installed on Windows 10. After upgrade to 1809 L2TP does not work even without GeForce Experience. Haven't tried with 19...

Fesiitis

Hi! I have two different routers. One of them is just a personal computer running OPNsense as OS. Second one is RB850Gx2 (v6.45.1). I want to create VPN server using IKEv2 with EAP-MSCHAPv2 on both of them. I have already created it on OPNsense following this tutorial . Now I want to create somethin...

Fesiitis

Hi! I have DHCP setup with address pool 10.2.0.0/24. What I want to achieve is that when I connect to 10.50.50.4 with 80 and 443 ports (just example) then outgoing address pool is 10.3.0.0/24. It's should be like - my PC has IP 10.2.0.15 assigned. I'm connecting to 10.50.50.4:80 via web browser. My ...

Fesiitis

Problem solved. Stupid Graylog2 can't reach neither Mikrotik router nor any other server if it's binded to direct IP address. After I set bind address to 0.0.0.0, everything started as it should be.

Fesiitis

I'm trying to configure Mikrotik router to send logs to Graylog2 server, but it looks that I have something missing or wrong because nothing happens..

mikrotik.PNG

graylog.PNG

Is there someone who can help me?

Fesiitis

When both chains are in use, my laptop (with Intel Centrino Wireless-N 2230) maximum download/upload speed shows ~25Mbps, but with one chain ~55Mbps. However another laptop (with Intel Centrino Advanced-N 6230), when both chains are in use, maximum speed is ~90Mbps, but with one chain ~45Mbps. That'...

Fesiitis

Hi! One of our clients is using this product . That wireless router is configured as access-point (no DHCP, Ethernet and both Wi-Fi interfaces bridged). Currently settings for both interfaces: https://s12.postimg.io/bsv9tzpx9/image.png https://s12.postimg.io/6vhp8vny5/image.png Problem is that I can...

Search found 45 matches