Community discussions

Search found 47 matches

by irico
Mon Jan 21, 2019 7:40 pm
Forum: General
Topic: /ip neighbor discovery-settings
Replies: 2
Views: 512

Re: /ip neighbor discovery-settings

Since 11/20/2018: [Ticket#2018112022004944] ROS 6.43.4 - Export incorrect discovery-settings
Hello,

We are very sorry for any inconvenience caused.

We will fix this problem as soon as possible.

Best regards,
Martins S.
by irico
Wed Nov 14, 2018 8:23 pm
Forum: General
Topic: Export incorrect discovery-settings
Replies: 1
Views: 328

Export incorrect discovery-settings

Export of neighbor discovery-settings is incorrect. Not exporting "not" interface-list
ROS: 6.43.4
/ip neighbor discovery-settings
#export
export terse
#result:
/ip neighbor discovery-settings set discover-interface-list=WAN
print
#result:
discover-interface-list: !WAN
Attachment: export in terminal...
by irico
Wed Oct 31, 2018 1:35 pm
Forum: Beginner Basics
Topic: Firewall filter add to address list - decrease timeout
Replies: 5
Views: 822

Re: Firewall filter add to address list - decrease timeout

I doubt you can choose anything under the TCP timeout window. 10 Seconds is way too short.
I am not talking about TCP timeout. I am talking about Address list timeout.
The rule adds to the list. If address is in the list already, the entry doesn't get changed. If you want to have different behav...
by irico
Tue Oct 30, 2018 8:48 pm
Forum: Beginner Basics
Topic: Firewall filter add to address list - decrease timeout
Replies: 5
Views: 822

Firewall filter add to address list - decrease timeout

I was doing tests with the "add src to address list" option of firewall filter rules and I have seen that the timeout can be increased, but I can not decrease it. Add to list dynamically IP with timeout 1 minute. Upon receiving a package that meets the requirements, in the TEST list I see how it add...
by irico
Tue Oct 23, 2018 2:37 pm
Forum: Beginner Basics
Topic: IPsec tunnel wan failover
Replies: 3
Views: 1184

Re: IPsec tunnel wan failover

Sorry for taking a long time to answer.
ROS version: 6.43.4
The problem is not the peer, it is established correctly. The problem is the duplicate policy with different SA src address, one of them becomes invalid.
[admin@C1] /ip ipsec> remote-peers print detail
Flags: R - responder, N - natt-peer
0 i...
by irico
Fri Oct 19, 2018 7:51 pm
Forum: Beginner Basics
Topic: IPsec tunnel wan failover
Replies: 3
Views: 1184

IPsec tunnel wan failover

I want to know if it is possible to configure IPsec tunnel in the following way: In the office I have 2 WAN (main and backup failover) and I want to connect with Azure and IPsec. I have managed to establish IPsec without problem through the main WAN but I do not know how to failover when the main co...
by irico
Thu Oct 18, 2018 1:59 pm
Forum: General
Topic: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname
Replies: 17
Views: 2011

Re: Can`t access to remote desktop/fileserver through PPTP/L2TP by hostname

On L2TP profile you can specify DNS server. If you specify your domain DNS server (I assume it is a domain network), and use \\machine.domain.local to access shared folders should work.
by irico
Fri Oct 05, 2018 6:59 pm
Forum: Beginner Basics
Topic: Firewall filter/nat best practices [SOLVED]
Replies: 3
Views: 1122

Firewall filter/nat best practices [SOLVED]

What is better? A NAT rule (dstnat) without src-address and a filter rule on forward chain with src-address or a NAT rule with src-address to limit access to a device on the LAN.
by irico
Fri Sep 28, 2018 11:12 am
Forum: Beginner Basics
Topic: Basic Routing
Replies: 2
Views: 392

Re: Basic Routing

The configuration seems correct. Possibly it's a firewall problem: on PC1, on PC2 or on the router.
by irico
Fri Sep 28, 2018 11:00 am
Forum: General
Topic: IPsec transport mode sometimes not established
Replies: 10
Views: 864

Re: IPsec transport mode sometimes not established

@sindy thanks. Now it's established and can't do more tests, but if it happens again, I will sniff into a file to analyze it later.
by irico
Thu Sep 27, 2018 6:42 pm
Forum: General
Topic: IPsec transport mode sometimes not established
Replies: 10
Views: 864

Re: IPsec transport mode sometimes not established

I have a lab with three clean CHR (simulate router A - ISP - router B) with very basic configuration (LAN/WAN masquerade and IPsec on router A/B. Only routing on "ISP router"). If I configure IPsec IKEv2 between router A and B, they connect at port UDP 4500. When change configuration to "main echang...
by irico
Thu Sep 27, 2018 11:57 am
Forum: General
Topic: IPsec transport mode sometimes not established
Replies: 10
Views: 864

Re: IPsec transport mode sometimes not established

Yes, sniffer screenshots are simultaneous on both routers. Yes, on router B, I can see Rx and Tx packets, but on router A I only see UDP 4500 Tx packets (IPsec). If I ping, in both routers sniffer I see Tx and Rx, and as I said, if I disable IPsec, the tunnel works correctly. I do not understand whe...
by irico
Thu Sep 27, 2018 11:08 am
Forum: General
Topic: IPsec transport mode sometimes not established
Replies: 10
Views: 864

Re: IPsec transport mode sometimes not established

The IPIP tunnel is always established. The problem is IPsec in transport mode. Sometimes it does not establish the SA. As seen in the previous sniffer (and torch), the packets do not reach Router A. If I disable the policies and the peers, the tunnel works correctly, but without IPsec. With IPsec en...
by irico
Wed Sep 26, 2018 6:10 pm
Forum: General
Topic: IPsec transport mode sometimes not established
Replies: 10
Views: 864

IPsec transport mode sometimes not established

Hello. I have two CCRs and I have configured an IPIP tunnel with IPsec in transport mode. It usually works, but there are times when IPsec stops being established. When not set correctly, router A only transmits packets to router B. Router B receives and transmits packets to router A. ping between r...
by irico
Mon Mar 19, 2018 9:14 pm
Forum: Announcements
Topic: v6.40.6 [bugfix] is released!
Replies: 58
Views: 16065

Re: v6.40.6 [bugfix] is released!

EDITED! irico - Are you 100% sure that simply another admin or you by mistake or on purpose did not re-configure MAC address. Also - why in your printout "Ethernet" is with capital letter? It is not an export. These commands are edited by hand. Possibly the autocorrector has changed some upperca...
by irico
Thu Mar 15, 2018 4:38 pm
Forum: Announcements
Topic: v6.40.6 [bugfix] is released!
Replies: 58
Views: 16065

Re: v6.40.6 [bugfix] is released!

Update CCR1009 from 6.39.3. Why it's setting MAC address to eth6? That MAC is the same as eth5
### v6.39.3 Export script:
[...]
/interface Ethernet
set [ find default-name=ether5 ] comment="SW (LACP)" name=e5-SW
set [ find default-name=ether6 ] comment="SW (LACP)" name=e6-SW
[...]
/interface bonding...
by irico
Fri Dec 22, 2017 6:35 pm
Forum: Announcements
Topic: v6.39.3 [bugfix] is released!
Replies: 47
Views: 19122

Re: v6.39.3 [bugfix] is released!

I think there is a problem when exporting IPSec policies: SA src/dst address is not exported when tunnel = no

Is that normal?

Thanks.
by irico
Tue Dec 05, 2017 6:10 pm
Forum: Beginner Basics
Topic: Rename existent address list
Replies: 0
Views: 356

Rename existent address list

Hello! I need to rename an existing and in use address list. Is there a quick way to do it in all the places where it is used like an interface list?

With interface list, when you rename list, all references are renamed too.

Thanks!
by irico
Fri Oct 27, 2017 7:52 pm
Forum: The Dude
Topic: "Add Networks" check not working as expected
Replies: 0
Views: 396

"Add Networks" check not working as expected

I'm new using The Dude.
I'm using v6.39.3 CHR. I think this is a bug. When I discover a Network, I disable "Add Networks" check in Advanced tab, but discover always creates a Network Object in the map.
Same when add discover to "Auto scan".

Thanks in advance.
by irico
Wed Mar 22, 2017 11:35 pm
Forum: Beginner Basics
Topic: Merge routing tables?
Replies: 0
Views: 256

Merge routing tables?

I have a problem with failover when I try to force a host over a specific ISP. I currently have two ISPs and two LANs. The failover is configured and working properly. Dynamic routes to the LANs (directly connected networks), default static routes through the ISPs, and default routes for each ISP wi...
by irico
Tue Feb 28, 2017 1:04 pm
Forum: General
Topic: ipsec site-to-site azure
Replies: 3
Views: 1119

Re: ipsec site-to-site azure

Last week I'm having the same problem with Azure, with a tunnel that has been stable for a long time. For my part I have not made any changes to the configuration or ROS update (6.37.4), so I think it may be an Azure problem.
by irico
Mon Jan 30, 2017 5:49 pm
Forum: General
Topic: totally disable check-gateway for a static route
Replies: 2
Views: 660

Re: totally disable check-gateway for a static route

/ip route print
/ip route unset X check-gateway --> where X is the number of the route
by irico
Fri Jan 20, 2017 8:06 pm
Forum: Beginner Basics
Topic: DHCP Hates Me
Replies: 19
Views: 1721

Re: DHCP Hates Me

Change IP Address, DHCP Gateway, or both?

Both, and see my edit in prev post! Sorry, my mistake
by irico
Fri Jan 20, 2017 7:56 pm
Forum: Beginner Basics
Topic: DHCP Hates Me
Replies: 19
Views: 1721

Re: DHCP Hates Me

/ip address add address=192.168.2.0/24 interface=ether1-LAN network=192.168.2.0
/ip dhcp-server network add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.0
"ip address" and "dhcp gateway" (192.168.2.0) are network address. Please change it for 192.168.2.1 and try again (renew...
by irico
Tue Jan 17, 2017 4:12 pm
Forum: Announcements
Topic: v6.37.4 [bugfix] is released!
Replies: 38
Views: 15944

Re: v6.37.4 [bugfix] is released!

Installed on CCR1009. Everything looks correct. Thanks!
by irico
Thu Jan 12, 2017 6:23 pm
Forum: Beginner Basics
Topic: Configure Internet Only LAN / DMZ
Replies: 5
Views: 1118

Re: Configure Internet Only LAN / DMZ

Use secure mode and test one of them first...
firewall filter:
drop input in-interface: ether2 dst-address=!192.168.22.1 (clients on ether2 only can access (ping, winbox, telnet....) router by IP: 192.168.22.1)
drop input in-interface: ether5 dst-address=!192.168.99.1 (clients on ether2 only can acc...
by irico
Thu Jan 12, 2017 1:39 pm
Forum: Beginner Basics
Topic: Configure Internet Only LAN / DMZ
Replies: 5
Views: 1118

Re: Configure Internet Only LAN / DMZ

ether3 without master
dhcp server on ether3 (ex 192.168.99.0/24)
ip address on ether3 (ex 192.168.99.1)
firewall filter:
drop forward in-interface: ether2 out-interface:ether3 (clients from ether2 cannot see client from ether3)
drop forward in-interface: ether3 out-interface:ether2 (clients from eth...
by irico
Mon Jan 09, 2017 8:56 pm
Forum: Beginner Basics
Topic: Connect 2 networks with separate internet connections
Replies: 16
Views: 2861

Re: Connect 2 networks with separate internet connections

I added the subnetmask, but still I can not connect to the other network.
Can you ping from RB to Fritzbox and Zyxel IPs?
Can you ping from RB to client connected to Fritzbox?
Can you ping from RB to client connected to Zyxel?
Can you ping from PC connected to Fritzbox to RB(192.168.1.2)?
Can you p...
by irico
Mon Jan 09, 2017 8:08 pm
Forum: Beginner Basics
Topic: Connect 2 networks with separate internet connections
Replies: 16
Views: 2861

Re: Connect 2 networks with separate internet connections

Please post result of:
/ip address print
/ip route print
/ip firewall filter print
by irico
Mon Jan 09, 2017 7:10 pm
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 84819

Re: v6.39rc [release candidate] is released

On a new CHR machine (v6.39rc7 vhdx image), I have an error creating new IPSec Peer from Winbox (v3.7):
- Could not add new IPsec peer - Property not supported (6)

The problem is in the NAT-T property. If winbox is set to "false" the error occurs. It would be good to hide this property for IKE2.
by irico
Mon Jan 09, 2017 6:13 pm
Forum: General
Topic: X86_64 ROS - 64bit Mikrotik
Replies: 79
Views: 30862

Re: X86_64 ROS - 64bit Mikrotik

On Hyper-V you can configure auto start, too.
by irico
Mon Jan 09, 2017 4:48 pm
Forum: Beginner Basics
Topic: Connect 2 networks with separate internet connections
Replies: 16
Views: 2861

Re: Connect 2 networks with separate internet connections

Adding the routes to both modems (Zyxel and Fritzbox) should be enough.
No need to do NAT'ting
Thanks for the clarification. I edit my previous post. Thanks
by irico
Mon Jan 09, 2017 4:45 pm
Forum: General
Topic: Vlan trunk configuration between Mikrotik CCR and Edgepoint
Replies: 9
Views: 2666

Re: Vlan trunk configuration between Mikrotik CCR and Edgepoint

When you say you can ping through VLAN, I guess you can ping from PC on VLAN 100 to PC on VLAN 200, is that correct?
The rule I have indicated is just an example. You have to create the rest of the rules for the rest of VLANs
by irico
Mon Jan 09, 2017 4:40 pm
Forum: Beginner Basics
Topic: Connect 2 networks with separate internet connections
Replies: 16
Views: 2861

Re: Connect 2 networks with separate internet connections

If you configure it as in the image, you need to create static routes in Fritzbox and Zyxel.
RB750 should have similar IP:
- 192.168.1.X (ideal static IP, excluded from DHCP) on the interface connected to Fritzbox, eg 192.168.1.2
- 192.168.100.X (ideal static IP, excluded from DHCP) on the interface...
by irico
Mon Jan 09, 2017 3:03 pm
Forum: General
Topic: Vlan trunk configuration between Mikrotik CCR and Edgepoint
Replies: 9
Views: 2666

Re: Vlan trunk configuration between Mikrotik CCR and Edgepoint

This is because CCR is routing your VLAN traffic.

You need to add firewall filter rules in forward chain to isolate VLANs

Something like this:
/ip firewall filter add chain=forward in-interface=VLAN100 out-interface=VLAN200 action=drop
Traffic from VLAN 100 cannot go to VLAN 200
by irico
Fri Dec 30, 2016 3:05 pm
Forum: General
Topic: Site2Site VPN with Azure crap
Replies: 4
Views: 1876

Re: Site2Site VPN with Azure crap

Try this config with latest RC:
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address={AZURE_IP/32} dpd-interval=disable-dpd enc-algorithm=\
    aes-256,3des exchange-mode=ike2 local-address={LOCAL_IP} \
    secret={SECRET}
/ip ...
by irico
Tue Dec 27, 2016 7:27 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 82431

Re: Feature Req: IKEv2 server and client

All known problems with azure were solved, please send access to the routers to that ticket so that we can look at.
It has finally worked. I had setup port 500. When I disabled it in Winbox, it has started to work.
by irico
Tue Dec 27, 2016 5:46 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 82431

Re: Feature Req: IKEv2 server and client

Any supout with debug logs from non working version?
Support ticket #2016120722000706 with supout and "ipsec" logs from 2 routers. If you need I can post it here.

I have a test lab with 2 CHR on Hyper-V. 6.38rc31 working good. Then it has not worked anymore.
by irico
Tue Dec 27, 2016 5:36 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 82431

Re: Feature Req: IKEv2 server and client

Any update on this problem? After upgrading to v6.38rc35 I cannot connect to Azure anymore. Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2 [...] Same problem here. Latest RC version can't connect with Azure. In other test lab, Ikev2 between...
by irico
Thu Dec 15, 2016 1:40 pm
Forum: Beginner Basics
Topic: Finding rc build download locations - Testing IKEv2
Replies: 5
Views: 804

Re: Finding rc build download locations - Testing IKEv2

It seems that in the latest RC versions there are problems with IKEv2. I have these problems too and with previous versions I had worked with Azure and in a test environment. I am in contact with support to solve the problem. http://forum.mikrotik.com/viewtopic.php?f=1&t=90266&start=50#p569710 http:...
by irico
Fri Nov 25, 2016 4:26 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 77000

Re: v6.38rc [release candidate] is released

IPSEC IKEv2 not working in latest RCs. In version 6.38rc31 was working fine. Updated to 6.38rc35 IPsec cannot establish tunnel. Update to 6.38rc37 same problem. This is a test environment.
R1:
Logs:
Nov/25/2016 14:08:39 ipsec,debug ==========
Nov/25/2016 14:08:39 ipsec,debug 268 bytes message receiv...
by irico
Thu Nov 24, 2016 10:48 am
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 82431

Re: Feature Req: IKEv2 server and client

After upgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

[...]
Same problem here. Latest RC version can't connect with Azure.
In other test lab, Ikev2 between two mikrotik also fails.
by irico
Thu Nov 17, 2016 2:57 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 82431

Re: Feature Req: IKEv2 server and client

Any IKEv2 examples Yet for connecting to Azure?
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address={AZURE_IP/32} dpd-interval=disable-dpd enc-algorithm=\
    aes-256,3des exchange-mode=ike2 local-address={LOCAL_IP} \
    nat...
by irico
Fri Nov 11, 2016 7:32 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 77000

Re: v6.38rc [release candidate] is released

When update from 6.38rc25 to 6.38rc29, ipsec peer exchange mode changes from ike2 to unknown

With 6.38rc29, IKEv2 only works with sha1 or md5 proposal auth algorithm. I have not been able to use "sha256" or "sha512"
by irico
Fri Nov 11, 2016 4:48 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 82431

Re: Feature Req: IKEv2 server and client

Please try rc29. If it doesn't work send supout files and logs to support.
Yes! Now it works!!! :D

But... only with sha1 or md5 proposal auth-algo.


UPDATE: I have also been able to establish a VPN connection with Azure using IKEv2. The following week I will do more test with Azure.

Thanks,
by irico
Thu Nov 10, 2016 7:09 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 82431

Re: Feature Req: IKEv2 server and client

I'm trying to establish in a test lab, site 2 site IPSec tunnel with pre-shared key and IKEv2 without success. The network scheme is like that: LAN1 - (192.168.160.1/24) CHR1 (10.0.0.1/24) - "routing" - (10.1.0.1/24) CHR2 (192.168.170.1/24) – LAN2 WAN masquerade on CHR1 and CHR2 but no masquerade be...