MikroTik

Technetium

I have a dual wan configuration WAN1 and WAN2 with a classic dual wan mangle configuration (marking connection and in postrouting/outupu marking routing) The router is an IPSEC client IPSEC can only work if the connection is established through WAN2. I have to enforce that the connection established...

Technetium

I run OpenWRT to have wifiwave2 on 3 devices at home (Cap AC). I get 500 mbit/sec on my MacBook running iperf3. But most importantly I get fast roaming on my phone. It fast roams on the same AP between 2 and 5 ghz or across all 3 Cap ACs when I move. I can run an iperf3 test and move around without...

Technetium

The thing is that the wifiwave2 package contains drivers for multiple wireless chip families, and if always only the one needed for a particular RouterBoard model was installed, less disk space would be required. But Wave 2 also requires a lot of RAM to model the wireless environment, so RAM size b...

Technetium

I have a Chateau CAT 12 LTE updated to the last 7.2.3 ros version and modem updated to the last version EG12EAPAR01A10M4G. Every 60 minutes without traffic, the modem notifies a detach in the log and consequently, the lte1 interface disappears. I have to manually disable and re-enable it to make it ...

Technetium

I think the case is clear without the export.
Site A connected over an IPSec to Site B and Site B connected over an IPSec to Site C.

Technetium

Ipsec is already working.
But how can I setup the site A to reach the site C ?

Technetium

I have 3 sites connected through an IPSec tunnel
Site A to Site B: 192.168.1.0/24 <--> 10.0.1.0/24
Site B to Site C: 10.0.1.0/24 <--> 172.20.10.0/24

How can I route the traffic from Site A to Site C through the IPSec tunnel?

Technetium

In the side B i can request for a change of subnet mask.. What if i ask for a site to site for a 192.168.0.0/20 ?
192.168.1.0/24 is included and i can use other subnet.. even if is not correct because my router will be on 192.168.1.1..
Is not correct but may work..

Technetium

Here the mode config ip ipsec mode-config print Flags: * - default, R - responder 0 * name="request-only" responder=no use-responder-dns=exclusively 1 R name="modeconf vpn.LOCAL" system-dns=no static-dns=192.168.1.1 address-pool=dhcp_LAN_pool address-prefix-length=32 split-includ...

Technetium

The remote side (Site B) is not part of my network. I cannot set two (or more) site-to-site connection. I can only use one IPSec.

Technetium

Roadwarriors had to use resource from the server on 192.168.1.10 (Site A) and server on 192.168.30.10 (remote side, Site B).

Technetium

The road warriors should get addresses in none of the two subnets, otherwise you'll have this kind of problems all the time. In mode-config for the road warriors, set the split-include to both subnets (of the local server and the remote server). The road warriors will create two policies each, one ...

Technetium

Yes. Roadwarrior (IPSec) clients have the same IP pool of the LAN.
I think is the only way to work with remote network (192.168.30.0/24) because the site to site is 192.168.1.0/24 (local LAN) <==> 192.168.30.0/24 (remote).

Technetium

I've tried but if I set that rule before the IPsec roadwarrior template the roadwarrior clients cannot reach the lan anymore. /ip ipsec policy set 0 disabled=yes add dst-address=192.168.30.0/24 peer=Peer-Remote proposal=Remote-proposal \ sa-dst-address=REMOTE_IP sa-src-address=LOCAL_IP src-address=\...

Technetium

The network has an IPSec (IKE 1) site to site 192.168.1.0/24 (local LAN) <==> 192.168.30.0/24 (remote) To work with remote resource i've setup an IPSec (IKE2, responder for roadwarrior client, policy 0.0.0.0/0) in the same IP range of LAN configuring the bridge in local-proxy-arp mode to access both...

Technetium

1. Which LTE Category you are interested in most - CAT6, CAT7, CAT9, CAT11, CAT12, CAT16 or some other? CAT7 and CAT 12 2. Which LTE bands and which Carrier Aggregation combinations should be supported? B1+B3+B7+B20 at least 3 of them. 3. Should it also support Legacy technology like 3G or 2G? Here ...

Technetium

I have mostly Windows 10 clients.

Technetium

I've red the topic you linked. If i generate all certificates with "key-size=secp384r1" when i install all certificates on windows i receive an error when try connecting to the VPN: Error 13806: IKEV2: no machine certificate found. /certificate add name=CA.XXXXX.com country=COUNTRY state=S...

Technetium

Sorry, from your description I had a feeling that you have the client on the LAN. The log shows that I was wrong, hence my theory about split-include is irrelevant. If /tool sniffer shows you the transport packets carrying the DPD ones to be leaving via WAN towards the client's public IP, the issue...

Technetium

Yes. I have a log of the whole session. From authentication to the removal of the peer. https://i.ibb.co/Sd4Pfbk/image.png https://i.ibb.co/0Mt9yxg/image.png 16:29:48 ipsec,debug ===== received 528 bytes from MY_IP_XXXXX[500] to 10.0.2.10[500] 16:29:48 ipsec -> ike2 request, exchange: SA_INIT:0 MY_I...

Technetium

The problem is not that i can't reach the database service. I know that is not included in the split-include list. I can't reach 192.168.1.1 that is the router itself! And that's the fist step.. There is no packet flow from LAN to my IPSec client and vice-versa after the first connection negotiation...

Technetium

I have a router with 2 WAN: WAN1 and WAN2. Usually, all is using WAN2 because it's faster. On this router i've set a VPN IPSec to a database service. Now I want add an IPSec Ikev2 to use the database service remotely but it not work. Something is braking the IPSec. I have to connect to the router in...

Technetium

If you can reach service on server, but you can't ping the same server, it can be caused by server's firewall. For example all Windows don't accept pings from non-local subnets by default. Access from tunnel to internet should work. In filter it's allowed by rule #7 and also #8. Srcnat looks ok too...

Technetium

No one use an IPSec IKEv2 tunnel for it's external client ?

Technetium

Actually I have 5 "road warrior" clients (notebook with Win 10) that use OpenVPN. All works fine, the external clients can connect using 4G smartphone tethering, using guest WIFI of the hotel where they are.. the only problem is that OpenVPN is slow. I want switch my road-warrior clients t...

Technetium

I can't figure out why with split include 0.0.0.0/0 remote clients cannot route all traffic through th IPSec tunnel.
All remote clients are windows 10.
Does anyone know how to configure the router?

Technetium

I've setup an IPSec IKEv2 tunnel for remote clients. The IKE2 tunnel is established. I can reach the LAN server, i can reach other machine, but i can't ping any machine on LAN and i can't reach internet from the tunnel. All VPN remote clients are Win 10. The network topology is this one: https://i.i...

Technetium

I need the forward rules because i have some nat from the isp router to servers in the internal network.
But i think you see right.. the first two rules had to be limited only to LAN interface.

Technetium

The OVPN connection works from WAN2 but not works when i use WAN1 to connect to the router.

Technetium

Does anyone have an idea of why OpenVPN isn't working with both wan?

Technetium

I have set-up the OpenVPN server inside ROS for management purposes. I have two WAN: WAN1 (10.0.1.1/24) and WAN2 (10.0.2.1/24). The connection to OVPN works only from WAN2. I've noticed that the OVPN connection isn't marked from mangle.. can be because the interface is created dynamically? In the at...

Technetium

So how can i receive untagged traffic in the bridge (to use local LAN) and tagged traffic (vlan-20) out of the bridge ?

Technetium

I have a router hAP and a cAP as separate access point who has to manage the wifi network "local lan" and "guest". Local lan wifi is sent on untagged eth1 of cAP Guest Wifi is on a virtual interfaces with vlan=20 of physical radio interfaces. http://i66.tinypic.com/1430105.png Th...

Technetium

I have connected the WiFi access point to one ethernet port (ether5) that is in the lan bridge "Bridge". I want mark all connections from the AP (on ether5) to route all to a specified WAN. /ip firewall mangle add action=accept chain=prerouting comment="Accept da WAN1" dst-addres...

Technetium

I've setup an OpenVPN server on my router. My lan pool is 192.168.1.0/24, 192.168.1.1 is the bridge for the lan. The OpenVPN pool is 10.255.255.0/24 The connection to the server works fine but i can't see and ping the lan I've inserted the rule in the firewall to reach the lan from a open-vpn addres...

Technetium

I've added the interface list LAN in the profile. It worked only if i set a local ip in the dhcp range (es. 192.168.1.2) al local address and "dhcp" pool as remote address. It not work if a use a separate pool (10.255.255.2-10.255.255.254) for the ovpn profile. I can't figure out why using...

Technetium

But why ping to the devices is working ?

Technetium

I've setup a OpenVPN server on the router to be able to change it's config (using winbox) but when i'm connected from an external connection in a OpenVPN tunnel i can't connect t the router. The connection is correctly initated. Assigned ip 10.255.255.3 Ip pool for OVPN sever is 10.255.255.2/24. I c...

Technetium

How can i set on my router DNS that a request for ".sitea.com" had to b resolved in the SITE A (192.168.27.48/29) network ?

Technetium

So i have to insert a nat that match the destination and the local source. Thanks.

Can i setup on the same router a LT2P/IPsec server ? This service use the same port (500 and 4500) of the IPSec tunnel.

Technetium

I've setup a plain IKE-IPSEC connection. The VPN connection is working (estabilshed) and from the SITE A they can ping the machine in my internal network but i can't ping machines on the other site -> Ping is not working from SITE B to SITE A. Using tracert i see that the request to a SITE A IP is s...

Technetium

I will try. I'm not the administrator of the server side.
The server side is managed by the company who sell the web application.
The VPN connect my router to them datacenter.

Technetium

Just an IPSec (IKE -IPSec).

Technetium

The VPN is a tunnel to reach a server that exposes a webserver, port 80,8080,443.
The client on my network had to digit on browser https://192.180.1.10 to use it.
Is an /ip ipsec policy setup sufficient ?

Technetium

I have a network (192.168.1.XXX), connected to internet. To access to an application i have to setup a VPN and route through the VPN tunnel the requests from local devices that are requiring for the VPN network IP (192.180.1.XXX) How can i route only the requests to 192.180.1.1 through the VPN conne...

Technetium

The WAN interface of the mikrotik router are behind the ISP router because its doesen't support full bridge mode so on the WAN interface i have the private IP. The RTP stream received to the mikrotik router have the PBX ip because the PBX is a router that manage the phone network. So the PBX transla...

Technetium

Which doesn't answer my question. Do you know whether the RTP from the internal phone towards the VoIP provider reaches Mikrotik from the IP of the phone or from the IP of the PBX? RTP streams are directed and originate (outgoing stream) to the PBX IP. The PBX has it's own router (and switch) insid...

Technetium

On the other side, external there is the server of the VoIP provider. The PBX is internal and manages all the phones network. Generally receiving a call, on the other side there may be any device (a PSTN phone, a mobile phone.. a Voip device..) The problem is that sometimes a call result in a mute c...

Technetium

Here the export: /interface bridge add admin-mac=XXXXX auto-mac=no comment=defconf name=bridge /interface ethernet set [ find default-name=ether1 ] name=WAN1 set [ find default-name=ether2 ] name=WAN2 /interface ethernet switch port set 0 default-vlan-id=0 set 1 default-vlan-id=0 set 2 default-vlan-...

Technetium

The VoIP PBX isn't working very well. It is working but sometimes an incoming call is mute. No audio is received. Maybe because the PBX port are dst-natted? Port 5060, 5061 and a range from 8000-10000 are dst- natted to the IP of the PBX. The packet involved in a dst-nat are processed in input or ou...

Technetium

Documentation is not clear on that point: https://wiki.mikrotik.com/wiki/Manual:HTB. One example has such situation, but the effect/goal is not elaborated. Then again is that a valid situation for you? I would think not: voip should have higher prio, and it's volume will be much smaller than rest i...

Technetium

I've checked the queue tree in a test setup. https://i.imgur.com/HNDcad2.jpg The Voip queue takes all bandwidth up to its maximum limit even if in the other queue there is upload activity. I thought queue would split in half the bandwidth, after satisfying the minimum bandwidth imposed by limit-at. ...

Technetium

I have only 1 line. I measured the traffic during a call, it's a maximum of 100Kb. Phones are not in the lan of the mikrotik router. Are on another lan managed directly from PBX (pbx has it's own poe router/switch inside). VoIP connections is excluded from PCC using the rules that force traffic thro...

Technetium

I've added the dst-nat on port 5060, 5061 to the pbx an the range of port used for udp 10000-12000. It seems start working when i added this mangle rule that are matching some traffic. /ip firewall mangle add chain=forward in-interface=WAN1 action=mark-connection new-connection-mark=WAN1 add chain=f...

Technetium

With your suggestion i have to add this on mangle. Marking connection of Voip: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=bridge src-address=192.168.1.246 new-connection-mark=Voip_WAN2 passthrough=yes comme...

Technetium

Can I use simple queue without marking packets?

To use queue tree I have to mark all packet to and from my PBX IP.
Next, set a queue tree global on wan 2. Which type of queue?
Next a queue with "limit at" for marked packets.
Did I understand right ?

Technetium

I haven't rule to mark packet in mangle.
Can i use queue tree on WAN 2 without marking the packet ?

Technetium

Yes, you are right. I've added another connection mark but there is no need to do it. Thanks

WAN2 is 10M down/1M up.
Now, how can i reserve some bandwidth for VoIP upload ?

Technetium

Interesting...I did not think about using other marks. But which is the default route ? Wan 1 has a gateway (ISP1) and Wan 2 has another gateway (ISP2) I thought to force the routing adding this rules in mangle: /ip firewall mangle #Mark Voip connection, force use WAN2 add action=mark-connection cha...

Technetium

I have set my routerboard to use 2 wan on load balance with PCC technique. /ip firewall mangle add action=accept chain=prerouting disabled=no dst-address=10.0.1.0/24 comment="Accept da WAN1" add action=accept chain=prerouting disabled=no dst-address=10.0.2.0/24 comment="Accept da WAN2...

Technetium

If i add a simple queue for each WAN interface: /queue simple add max-limit=3M/30M name="WAN1" target=192.168.1.0/24 add limit-at=1M/1M max-limit=0/0 name="SERVER Traffic" parent="WAN1" target=192.168.1.200 add max-limit=3M/30M name="Other client" parent="...

Technetium

I have 2 Wan in load balancing using PCC. A classic setup using mangle marking rule. In the lan i have a server that can be reached from internet through a dsn-nat that is working. During high bandwidth usage from other clients of the LAN, requests to the server from internet can do a timeout error....

Technetium

I think that the reason why there isn't any advice about fasttrack is that no one required it or at the author of the article on PCC didn't occur to him.
I think that user on forum can help to improve it.

P.s. https://wiki.mikrotik.com/wiki/Manual:TOC is the official manual of RouterOS.

Technetium

I saw after that i have to disable fasttrack. In the book and guide i read there is no advice to disable fasttrack and also on the Mikrotik PCC wiki (https://wiki.mikrotik.com/wiki/Manual:PCC). @normis Can you update the wiki about PCC and insert an advice like: "disable fasttrack to use PCC&qu...

Technetium

I have 2 Wan in load balance configuration after the ISP modem. Wan 1 : 192.168.10.2 Wan 2 : 192.168.20.2 The load balance work but a NAT rule i have set for a webserver seems not working well. If 2 Wan are connected the NAT sometimes work, sometimes no. If it work, the connection is slow. If i disa...

Technetium

Problem resolved by itself.
The AP doesn't support Vlan when in AP mode, only when in router mode. So i can't use vlan to differentiate home wireless network from guest. It's limited by the netgear firmware.

Technetium

I have checked the AP configuration. It can assign more than one Vlan. Can assign 3 Vlan to respective "services": Home Wifi, Guest wifi, IPTV. It was set for only one Vlan 20 for guest wifi. Now i have a "vlan 10" for the home wifi. eth9 is a trunk port. How i can isolate Vlan 2...

Technetium

I'm using a routerboard without wireless. I've associted the vlan20 to the eth9 because the AP is connected to the eth9. Is an error ? Or simply isn't necessary ? Vlan10 doesn't exist. The AP has only the vlan20 for the WIFI Guest net. The home WIFI isn't associated to a VLAN but is received on the ...

Technetium

Great resource on VLAN. Thanks for the link.

In attachment there is my config of the routerboard.

Technetium

I have a Netgear AP that has 2 net home and guest. The Guest wifi is on VLAN 20. I think that that home wifi is untagged on the same port. My rb2011 setup is: 2 wan on eth1 and eth2 a bridge from eth3 to eth10 Netgear AP is conected to eth10 I've created a VLAN "vlan20" on eth10 and is in ...

Technetium

i can't help with checking send email (i didn't have to setup this). in my cases i usually setup logging to remote servers and for critical systems have telegram alerts This setup work if the device is supposed to be constantly connected. If the connection stops, the message to syslog server are lo...

Technetium

Thanks very clear and it works ;) I'm a beginner of RouterOs and after many research i found that from script i have to save any messages about topics we select (es. warning or info or..) and after (download, email..) filter it to select the messages that interest us. In my mind, working on linux sy...

Technetium

In log i want write a string like "PC1 is down". I don't understand how to use "action" and "rule" of logging system to obtain a file only dedicated to netwatch message. I don't understand how to log only netwatch log because script can write only on 4 topics.. "de...

Technetium

I'm a beginner of RouterOS ;) I would like to set up a lan monitoring tool that send me the log daily. Email is already configured. Using netwatch i want log only if a host is down. But how can i write a specific log only dedicated to netwatch and send it only daily by email ? How can i "reset&...

Technetium

If it is completly passive and give no remote signal, from my point of view, isn't very useful.
If the radio are running on battery i want to know it..

Technetium

The mUPS device it's very interesting. I couldn't attend at MUM in Milano due to some work commitments. Can we have more info about it? Will the mUPS monitor the battery voltage and send alert message over ethernet (like low voltage, running on batt, no dc power..) ? Or will have a continuous monito...

Technetium

Hi, we had a request to mount some antenna but the client require a camouflage of the antenna with the color of the roof (dark grey, dark red). Anybody have some experience in painting anntenas like QRT, SXT or mAnt30 ? Which paint is recommended to use ? Can painting the antenna in dark colour, cau...

Search found 77 matches