MikroTik

arnaldo

There is no reason for PCC not to be working. The full 3Mbits/sec less overhead and some losses should be available for connections. Suspect a config setup issue??? That's were it gets odd. I will have another 600Mbps around (connected to another Mikrotik. If I use that link, along with the 1Gbps a...

arnaldo

AFAIK, ECMP should round-robin connections in V7 – e.g. the per-src-dst-address was because of the V6 route cache (e.g. older docs here: https://wiki.mikrotik.com/wiki/Manual:IP/Route#Multipath_(ECMP)_routes). The new docs don't really say much about ECMP, so hard to now for sure. Oh!!! That's inte...

arnaldo

Wow!!! And we are still using HTTP that dates back to 1991!! And more, do you use email? It's based on SMTP and dates back to 1971. Don't take me wrong, but the fact that a protocol or system is old is not any measure of its quality. As for PPTP it is really crap, full of problems, but you must take...

arnaldo

Is the traffic VPNs/tunnels/etc – e.g. are connections going to small set of destinations on WANs? Or, is the there a lot of general internet traffic flowing (e.g. lots of connections with many different destination IPs). Basically be good to know if the issue is hashing not creating a suitably ran...

arnaldo

I posted, I've tried with a x86 router (a R86S mini system) and the results were the same. Try limiting the 2Gbit ISP to 1Gbit and see how it works. It seems to me that there is a bottle neck for 2Gbit in your network design after all I do not think there is any such bottleneck, as I can test the 2...

arnaldo

I see where you are coming from, although we are using different routers. The RB5009 has all the Ethernet ports attached to the Marvell switch-chip. So there is no difference on using any of the Ethernet ports on the RB5009. And as I posted, I've tried with a x86 router (a R86S mini system) and the ...

arnaldo

I've tried two routers that (iIMHO) fully capable of handling in excess of 3GB: - A RB009, with a 10G port connected to my internal network, the 2.5G port connected to 2G ISP modem and the 1G ISP modem is connected to a 1G port. - A x86 based router (R86S box) with 2 SFP+ cages and 3 2.5G ethernet p...

arnaldo

I've been using PCC for load balancing for a few years, and as the IPS for each connection speeds changed over time, I've used several different PCC ratios. Recently I've upgraded to a 1Gbps + 2Gbps and for the first time I'm using a 1:2 ratio. Before (with ratios like 3:10, 3:5 and others), I was a...

arnaldo

Is there a way to check if the drivers used on the X86 build for the Intel I226 contains the fix that disable the "Energy Efficient Ethernet". I'm having a hell of a time to get a X86 ROS system to run ports with I226 at 2.5Gbps. For the time being I'm using a SFP+ cage with a transceiver ...

arnaldo

I'm looking for a definite answer for what happens when in a mangle subchain called from Prerouting:

- Mangle -> Prerouting -> ChainA

If a rule in ChainA matches and it has Passthrough = no, will it return to the main Prerouting chain or will break the Magle-Prerouting completely?

arnaldo

Interesting to see someone else with a similar problem! As far as I know, Forti SSL VPN is proprietary (not the "standard" one, if there is such a thing). The term SSL VPN mean "encapsulating the data in a TLS session", but the details are often very different (authentication, et...

arnaldo

I noticed that when running on x86 with AES-NI, OpenVPN will not use hardware encryption.

AES-NI is being used on x86 for IPSEC since ROS 6.39. Is there any reason for not supporting it for OpenVPN? To my best knowledge, AES-NI can do AES-256-CBC.

arnaldo

Being another macOS user, I've rarely resorted to WinBox and have managed all my Mikrotiks with WebFig, even when on the early ROS 7 routing was totally broken (used WinBox just to fix routes - running on a Windows VM under UTM on an Apple Silicon Mac). But back to the new theme, similar to the new ...

arnaldo

Are you sure your 2.5Gbps adapter is working properly? I've seen horror stories with some adapters (Realtek), with poor download or upload speeds.

Try checking the adapter first, without getting the RB5009 involved. Then move back to the router.

arnaldo

The concept is great! But there is an error in the post (probably resulting from cut-paste) is that the second example still has PCC lines 2 to 4. so the correct rules would be (assumes that all packets start as not conn-marked): PCC 4/0 ===> connection mark gateway-25 if not marked ==> connection m...

arnaldo

WinBox is 3.39 and WebFig 7.11.1 (latest as of this post). Yes, it is correct when using the CLI. Your WinBox image show exactly what I'm talking about: Address: 0.0.0.0/0. It's not a question of being able to check the IP address using WinBox/WebFig, but rather to make changes (need apply/ok). Look...

arnaldo

I may be missing something, but whenever I display (or try to change) the IP address associated with a veth (for a container) it shows as 0.0.0.0/0 in WinBox and as a "blank" in WebFig.

Is this a bug or I'm really missing something here?

Thanks in advance.

arnaldo

I was also having problems importing certificates+key in PKCS#12 format, using a file generated by OpenSSL from PEM files with key and certificate (Lets Encrypt - using a script that is a few years old). I can confirm that the by default OpenSSL will use pbeWithSHA1And40BitRC2 unless RC2 is disabled...

arnaldo

Usually this indicates the certificate is in the store already... Thanks for the pointer! I've checked that already. But reminding of it gives me a hint. I will remove all certificates (if I can export the CA key, used to sign several OpenVPN certificates) and give it a try. The RB5009 is a fantast...

arnaldo

I'm trying to import a PKCS#12 certificate and key under 7.2.2 and it's not finding anything inside the P12 file. /certificate/import file-name=test.p12 passphrase=fd6eef05 certificates-imported: 0 private-keys-imported: 0 files-imported: 0 decryption-failures: 0 keys-with-no-certificate: 0 I've dou...

arnaldo

I finally managed to get it working this weekend. :D :D :D The problem was that I was using a single wireguard interface for both the site-to-site tunnel and to allow inbound road warriors! The "allowed-ip" were overlapping, even though the road-warriors were "not connected" (but...

arnaldo

My understanding is that they (Amazon, HBO Max, Netflix, Paramount+, etc) perform IP blacklisting. To counteract, the VPN providers keep changing their IP ranges. It's a never ending cat-and-mouse game. A few years ago most VPN providers would advertise that their service were "great" to b...

arnaldo

Finally you should be able to troubleshoot connections by pinging 10.10.10.254 from RouterB and 10.10.192.1 from Router A (who needs IP addresses for wg interface ;-P ) Ha ha ha!!! This is the part that works!!! Pinging either router from the other side! And yes, I have realized that with "all...

arnaldo

it is indeed a "consequence of anonymisation that went wrong" they are the same and they are correct in the real config. The assignment of routing marks to own outgoing traffic of the router is complicated - all the packets are first routed using routing table main, and only then they go t...

arnaldo

[Not exactly. The gateway=<peer-address> is fine, but it's just for routing process, WG doesn't care about that. WG determines to which peer it should send it from their allowed-address. That's why you can't have more than one peer with same allowed addresses on one WG interface. Good to know, as I...

arnaldo

Thanks for all the comments. Let me start to address some of the points: ALSO I NOTE YOUR DIAGRAM IS WRONG---> the local network A should be 10.10.10.0/20 Ah... nope: 10.10.10.0/20 = IP address 10.10.10.0 on the 10.10.0.0/20 network. The /20 applied to x.x.0.0 will go from x.x.0.0 to x.x.15.255, thu...

arnaldo

I'm having a rough time with WireGuard and routing tables. I have a WireGuard VPN between 2 Mikrotik routers (both at 7.1.2, as shown in the diagram bellow: https://i.ibb.co/HdPpHM9/Screen-Shot-2022-02-20-at-5-07-41-PM.png Each side has proper routes to the other side's network, through WireGuard, a...

arnaldo

Ok. Here it is (just the relevant parts) # feb/17/2022 17:56:51 by RouterOS 7.1.2 # software id = MMRW-IEXQ # model = RB5009UG+S+ /interface ethernet set [ find default-name=ether1 ] comment="Ethernet Port #1" set [ find default-name=ether5 ] comment="Ethernet Port #5 - LAN Interface ...

arnaldo

With dual WAN you need to ensure that inbound packages to the routers will have their responses sent out through the same interface. - Inbound connections on the WANs that are not connection marked need to be tagged (in magle/preroute). One rule per WAN. - On the output flow (mangle/output), if a co...

arnaldo

Packages addressed to the IP address of ISP_B are being returned thru ISP_A, as if connection tracking was not working. But only with UDP packages. TCP works fine.

arnaldo

I put my WireGuard interface on the list of internal interfaces (LAN on the default configuration). This will solve most problems, like masquerading (if needed), firewall rules, forwarding internal to WireGuard road warriors, etc. The only firewall rule I add is to accept UDP port 13231 in the input...

arnaldo

I'm having a problem with connection tracking and UDP, specifically with OpenVPN (ROSv7). While the actual configuration is way more complex (PCC load balancing and recursive routing), I have simplyfied the scenario for testing and for posting here. - There are 2 ISPs: ISP_A and ISP_B - Configuratio...

arnaldo

Just found out that OpenVPN server is not working in 7.1.2.

arnaldo

WebFig still preent the IP->Routes bug. Will not properly display current routes and will become irresponsive after showing either the "Rules" tab or "Add New" or show route (basically leave and return to the route list tab). Also, there is a really wierd problem with Firefox: it...

arnaldo

Same here. And it's not only IP->Routes that is "broken" (I did some digging and there are tons of Javascript errors). Another point with IP->Routes is that if you add one route (or simply press "Add New" and "Cancel"). Due to a javascript error you can't add another ro...

arnaldo

Congratulations for figuring it out. But it looks like you missed this page , it could save you some effort, everything is described there, even with images. But it doesn't hurt when something makes you think and discover stuff by yourself. :) Thanks for the pointer. it's indeed the same explanatio...

arnaldo

I've been trying to make heads and tail about this, specially since all "basic" routers seem to do it without requiring any special configuration. As there are some "solutions" but no explanation of the flow, I was looking at the solutions that claim to be working, so I dare to s...

arnaldo

Maybe your ISP is filtering port 5060?
I'm running 6.42.1 and SIP is working for me (my ISP filters and I switch to port 5080).

If you are using Mikrotik SIP ALG (service port), try disabling NAT support on your client (SIP device or PBX).

arnaldo

This one allows for multiple interfaces, dynamic interfaces, and even more than one DNS entry per interface. I've been using it for a few years now. :local ifs {"ppp1";"wan1";"wan1"}; :local hostnames {"a.homeip.net";"b.homeip.net";"c.homeip.net...

arnaldo

My view of why you don't want to fasttrack "new" connections is that you want the new connection to first go through your firewall to see if safe/trusted, once the new connection is seens as safe/trusted, the established/related part of that connection can be accepted/fasttracked That's h...

arnaldo

Took some time to rewrite all the rules (changing route-marks to connection-marks) adjust passthrough and setting the new route-marks. So far seems to be working fine. The idea to add extra connection-mark->route-mark at the top saves most packages from having to traverse the whole chain. Combine th...

arnaldo

Thanks for all the insights. Using connection-marks was my original approach, but I went the other way around: route-mark -> connection-mark (not a bright idea) :mrgreen: I think the following code will work: /ip firewall mangle add connection-state=new dst-address=10.10.0.0/16 chain=prerouting acti...

arnaldo

Interesting, my understanding of "route-mark" with a value of "main" is that it means "no routing mark" (if that's true, why not use "no-mark"). This is very confusing. Also, I've tried using routing-table, without success. Anyone knows when "routing-tabl...

arnaldo

I know that PBR does not play well with Fasttrack. So, I'm trying to exclude "route-marked" packets from being Fasttracked. To my understanding, the following filter rule should pick all packets that were not mangled with route-mark during prerouting: /ip firewall chain=forward action=fast...

arnaldo

Let me joint the party and share my toughts here. With Apple dropping PPTP, this issue has become a more sensitive problem. Setting up an L2TP/IPSEC server for road warriors was not a major problem once I moved to 6.37.1. It works fine for Win7-10, Android, macOS (10.11 and 10.12) and iOS 10. But as...

arnaldo

I'm trying to use ROS 6.37.1 (RB750GL) as a L2TP/IPSEC client (user/password + shared key), using the auto-generated IPSEC policies (I do not create the IPSEC policies, ROS does) The setup is quite straight forward and I can get it to work from mobile phones, macOS and Windows. But under ROS I can o...

arnaldo

(at least) On 6.36.3 we can defer the creation of the IPSec peer and policy to ROS, for setting up either a L2TP/IPSec server or client. I need to set up both. Setting up the server works fine and I can connect from our target road warrior devices, iOS and Mac OS X. But I also need to make our Mikro...

Search found 47 matches