Community discussions

Search found 170 matches

by JohnTRIVOLTA
Sun May 19, 2019 6:41 pm
Forum: Forwarding Protocols
Topic: L2TP+ipsec speeds
Replies: 5
Views: 309

Re: L2TP+ipsec speeds

Can you test L2TP/IPsec with Multilink Protocol activated (MRRU=1600) on both sides? Don't use TCP MSS clamping; in the PPP profile set it to no on both sides too! Unsure how to use that setting properly; however, with MTU=1420 and MRRU=1600, no clamp in the firewall or PPP, I got about 5% less than with MTU=1460. Ser...
by JohnTRIVOLTA
Sun May 19, 2019 5:15 pm
Forum: Forwarding Protocols
Topic: L2TP+ipsec speeds
Replies: 5
Views: 309

Re: L2TP+ipsec speeds

After lowering the MTU/MRU to 1420 for L2TP+IPsec to avoid fragmentation, I have some expected results: L2TP+IPSec 280 280 120/120 208 200 80/80 Can you test L2TP/IPsec with Multilink Protocol activated (MRRU=1600) on both sides? Don't use TCP MSS clamping; in the PPP profile set it to no on both sides too!
by JohnTRIVOLTA
Sat May 18, 2019 11:26 pm
Forum: General
Topic: Block public proxy servers - HOW [SOLVED]
Replies: 12
Views: 340

Re: Block public proxy servers - HOW [SOLVED]

Blocking access to proxies doesn't sound like something that would help much. Unless you have some very strict filtering of all outgoing traffic, any worm will just use either custom ports, or if you block those, then regular https. And you pretty much have to allow that, if those 150 clients shoul...
by JohnTRIVOLTA
Sat May 18, 2019 11:09 pm
Forum: General
Topic: Block public proxy servers - HOW [SOLVED]
Replies: 12
Views: 340

Re: Block public proxy servers - HOW [SOLVED]

It really depends on what exactly you need it for and how persistent your users are. Maybe if you block the most obvious servers, they will give up. The major thing against you is that all they need is just one working server. Behind a CCR I have a very sensitive network with about 150 clients. The...
by JohnTRIVOLTA
Sat May 18, 2019 8:24 pm
Forum: General
Topic: Block public proxy servers - HOW [SOLVED]
Replies: 12
Views: 340

Re: Block public proxy servers - HOW [SOLVED]

I don't follow what happens in the public proxy world, but what I got from Google was all without HTTPS, just HTTP. But if you have different sources with HTTPS, then it's bad for you, because you can't see what's inside an HTTPS connection; that's the whole point of HTTPS. And collecting addresses, good luck...
by JohnTRIVOLTA
Sat May 18, 2019 7:24 pm
Forum: General
Topic: Block public proxy servers - HOW [SOLVED]
Replies: 12
Views: 340

Re: Block public proxy servers - HOW [SOLVED]

For now, this stops traffic to proxies that do not use HTTPS/SSL. Unfortunately, most of the public ones are over HTTPS! The only solution for now is that I have to collect their IP addresses in lists.
by JohnTRIVOLTA
Sat May 18, 2019 4:32 pm
Forum: General
Topic: Block public proxy servers - HOW [SOLVED]
Replies: 12
Views: 340

Re: Block public proxy servers - HOW [SOLVED]

I don't think you can. You can block some with L7 like this:
/ip firewall layer7-protocol
add name=proxy regexp="^(CONNECT\\ .*|GET\\ https\?:\\/\\/.*)\\ HTTP\\/1\\."
But it's far from perfect.
Thank you very much, Sob!
I will try it... I hope I will not block other traffic with it? :D
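An added example, not part of this thread or of Sob's post: the pattern quoted above, once RouterOS CLI string escaping is removed (\\ becomes \, \? becomes ?, \\/ becomes /), is assumed to read ^(CONNECT .*|GET https?://.*) HTTP/1\. , which is also a valid Python regexp with the same meaning. The script runs that pattern over a few constructed opening segments of TCP streams to show what a layer7 matcher can and cannot see: a CONNECT or absolute-URI GET sent in cleartext to a plain-HTTP proxy matches, an ordinary origin-form request does not, and a client that speaks TLS to an HTTPS proxy shows the matcher only a ClientHello, so nothing matches. The 2048-byte inspection window and all sample requests are assumptions made for this example.

```python
import re

# Added example, not code from the forum thread. Assumed regexp: the RouterOS
# layer7 pattern quoted in the thread with the CLI escaping removed.
PROXY_L7_REGEXP = r"^(CONNECT .*|GET https?://.*) HTTP/1\."

# Compiled as a bytes pattern because the matcher looks at raw stream data.
_PROXY_RE = re.compile(PROXY_L7_REGEXP.encode("ascii"))

# A layer7 matcher only inspects the first part of a connection; the exact
# window RouterOS uses is not asserted here. 2048 bytes is an assumed value.
L7_WINDOW = 2048


def looks_like_proxy_request(client_stream: bytes) -> bool:
    """True if the opening bytes of a TCP stream match the proxy L7 pattern."""
    return _PROXY_RE.search(client_stream[:L7_WINDOW]) is not None


# Constructed samples (not captured traffic), one per situation of interest.
SAMPLES = {
    # HTTPS site reached through a plain-HTTP forward proxy: the CONNECT line
    # travels in cleartext to the proxy, so the matcher sees it.
    "connect_via_plain_proxy": (
        b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
    ),
    # Plain-HTTP site via a forward proxy: request target is an absolute URI.
    "get_absolute_uri_via_proxy": (
        b"GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    ),
    # Ordinary direct request: origin-form target, must not match.
    "direct_get": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # Client speaks TLS to an HTTPS proxy: the CONNECT is inside the TLS
    # session; the matcher only ever sees a ClientHello (truncated, made-up bytes).
    "tls_to_https_proxy": bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32,
    # Keyword present later in the stream but not at the start: '^' keeps it out.
    "connect_in_post_body": (
        b"POST /api HTTP/1.1\r\nHost: example.com\r\n\r\nCONNECT x HTTP/1."
    ),
}


def classify(samples=SAMPLES):
    """Map each sample name to whether the L7 pattern would flag it."""
    return {name: looks_like_proxy_request(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, flagged in classify().items():
        print(f"{name:28s} {'DROP' if flagged else 'pass'}")
```

Only the two cleartext cases are flagged. Any CONNECT is matched, including one to a legitimate corporate proxy, so the rule needs an exception for that. For a proxy reached over TLS the only signal left at the router is the destination address, which is what the address-list approach in the other posts relies on.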
by JohnTRIVOLTA
Fri May 17, 2019 9:34 pm
Forum: General
Topic: Block public proxy servers - HOW [SOLVED]
Replies: 12
Views: 340

Block public proxy servers - HOW [SOLVED]

Hi guys, I have not found a way to effectively block traffic to public proxies so that the rules in the firewall cannot be bypassed! If anyone has such a solution, please share your experience! P.S. I want to ask if I can add a firewall rule in the filter section on the forward chain with content=https and one ...
by JohnTRIVOLTA
Thu May 16, 2019 12:10 pm
Forum: Wireless Networking
Topic: 40MHz channel on hAP Mini
Replies: 4
Views: 231

Re: 40MHz channel on hAP Mini

Your client's wireless card may not be configured correctly to use a 40MHz channel?! Sometimes signal noise is the cause of the inability to use a wider channel width!
by JohnTRIVOLTA
Mon May 06, 2019 9:06 pm
Forum: General
Topic: Port forwarding not working or something interfering possibly? 12 hrs later.. still don't know.
Replies: 7
Views: 294

Re: Port forwarding not working or something interfering possibly? 12 hrs later.. still don't know.

Have you forgotten to put a gateway address on the computer to which you forward (dst-nat) the port?
by JohnTRIVOLTA
Mon Apr 22, 2019 11:37 am
Forum: General
Topic: How dynamic tunnels can be created?
Replies: 3
Views: 173

Re: How dynamic tunnels can be created?

Thanks JohnTrivolta for replying. I tried that, but I'm running a DHCP server and clients under the bridged interface can't obtain an IP from the server. Played around with MTUs but can't get it working. If you have properly configured your BCP, you must successfully expand transparently (L2) the hots...
by JohnTRIVOLTA
Sun Apr 21, 2019 3:16 pm
Forum: General
Topic: Trying to Understand MSS Clamping - Not Working? [SOLVED]
Replies: 9
Views: 398

Re: Trying to Understand MSS Clamping - Not Working? [SOLVED]

When I need some PPP-based VPN I use the multilink feature instead of MSS clamping! You must set MRRU=1600, for example, on both sides. Try it!
by JohnTRIVOLTA
Sun Apr 21, 2019 8:42 am
Forum: General
Topic: How dynamic tunnels can be created?
Replies: 3
Views: 173

Re: How dynamic tunnels can be created?

Just use an L2TP client with BCP on every client's router!
by JohnTRIVOLTA
Thu Apr 18, 2019 9:18 pm
Forum: Wireless Networking
Topic: CAP AC Vs HAP AC2
Replies: 3
Views: 353

Re: CAP AC Vs HAP AC2

An important difference: the cAP AC has separate antennas for each chain (4) and better wireless performance because of that! The hAP AC2 has 2 combined antennas for both frequencies!
by JohnTRIVOLTA
Mon Apr 15, 2019 12:50 pm
Forum: Beginner Basics
Topic: HAP mini IPSEC+EoIP performance?
Replies: 4
Views: 292

Re: HAP mini IPSEC+EoIP performance?

I think the hAP ac2 (RBD52G-5HacD2HnD-TC) is the right choice!
by JohnTRIVOLTA
Sun Apr 14, 2019 6:34 pm
Forum: Beginner Basics
Topic: HAP mini IPSEC+EoIP performance?
Replies: 4
Views: 292

Re: HAP mini IPSEC+EoIP performance?

Don't expect more than 10 Mbps with AES-128-CBC; the EoIP tunnel uses a lot of CPU resources too!
by JohnTRIVOLTA
Sun Mar 24, 2019 10:17 pm
Forum: General
Topic: ROS 6.44 - VPN L2TP not working
Replies: 23
Views: 2622

Re: ROS 6.44 - VPN L2TP not working

Since I upgraded to 6.44.*, I currently have patch 6.44.1 and device CCR1036-12G-4S, I cannot connect Windows 10 clients with IPsec; I get an error when trying to connect and I have not changed the configuration in the clients or router at all. I have the same problem. I reverted it with version 6.43.13 L...
by JohnTRIVOLTA
Sat Mar 23, 2019 6:02 am
Forum: General
Topic: PPPOE over PPTP or PPPOE over L2TP ?
Replies: 8
Views: 3038

Re: PPPOE over PPTP or PPPOE over L2TP ?

Does nobody have any idea? ;(
Just set MRRU=1610 on the PPP connection on both sides! In the PPP profile don't use Change TCP MSS; put NO.
by JohnTRIVOLTA
Thu Mar 14, 2019 7:09 am
Forum: Beginner Basics
Topic: Simplest Route Rule Possible.
Replies: 13
Views: 484

Re: Simplest Route Rule Possible.

Sorry this discussion is NOT to include mangling LOL.
Ooo, sorry... by the way, all is clear and there is nothing to discuss, but I will follow the topic.
by JohnTRIVOLTA
Wed Mar 13, 2019 10:49 pm
Forum: Beginner Basics
Topic: Simplest Route Rule Possible.
Replies: 13
Views: 484

Re: Simplest Route Rule Possible.

Requirement: There is only one IP used in vlan55, I want to direct this ip 129.168.55.25 to go out my ether1 cable WANIP. Right now the cable WANIP is my secondary fail over wanip, the primary is fibre bell. For my email on cable I simply create a route rule with the mail server IP as the destinati...
by JohnTRIVOLTA
Wed Mar 13, 2019 10:32 pm
Forum: General
Topic: Restrict vpn user access
Replies: 1
Views: 114

Re: Restrict vpn user access

Hello, I managed to configure an OVPN connection to my router. I set the remote address of some user to 192.168.88.195. He is able to connect to every device in the 192.168.88.0 network. How can I restrict his access and allow him to connect only with one specific IP? For instance, the user should be ...
by JohnTRIVOLTA
Mon Mar 04, 2019 5:01 pm
Forum: Beginner Basics
Topic: VPN server on sxt lte setup
Replies: 7
Views: 327

Re: VPN server on sxt lte setup

So if I put a VPN server on a PC or RouterBOARD with a public IP, I could connect the SXT RouterBOARD to that server and, for example, an Android phone to the same server, and then with this "kind of bridge" see the SXT contents with the Android phone and vice versa?
Exactly!
by JohnTRIVOLTA
Mon Mar 04, 2019 4:14 pm
Forum: Beginner Basics
Topic: VPN server on sxt lte setup
Replies: 7
Views: 327

Re: VPN server on sxt lte setup

The ISP says that it is possible by VPN. If it were not possible to connect from outside, then why can I access my NAS or hub with some proprietary app such as Synology or Xiaomi? I think these apps create a tunnel similar or equal to a VPN. A VPN tunnel would be as the VPN server goes outside of the LAN (internet) a...
by JohnTRIVOLTA
Wed Feb 27, 2019 7:11 am
Forum: RouterBOARD hardware
Topic: Wireless USB dongle support?
Replies: 2
Views: 529

Re: Wireless USB dongle support?

ROS version 6.x no longer supports WiFi USB adapters! You can only use the Woobm for management purposes, or an older version of ROS!
by JohnTRIVOLTA
Sat Feb 23, 2019 8:38 pm
Forum: General
Topic: Hotspot - do not bypass dns router role how ?
Replies: 5
Views: 294

Re: Hotspot - do not bypass dns router role how ?

Wow, okay that is good to know. I wonder why hotspot functionality bypasses NAT rules??
This is my question too!
by JohnTRIVOLTA
Sat Feb 23, 2019 5:54 pm
Forum: General
Topic: Hotspot - do not bypass dns router role how ?
Replies: 5
Views: 294

Re: Hotspot - do not bypass dns router role how ?

Hello Anav, thanks for the quick answer! I already use these rules and they work well, but unfortunately they do not work on the hotspot network. There are clients who set a static DNS address and thus bypass my router and resolve with their own DNS. I think there must be some rule(s) between the dynamic one...
by JohnTRIVOLTA
Sat Feb 23, 2019 3:14 pm
Forum: General
Topic: Hotspot - do not bypass dns router role how ?
Replies: 5
Views: 294

Hotspot - do not bypass dns router role how ?

Hello friends. I have a router that has multiple networks and the router has the role of DNS server. I have a problem with the hotspot: I cannot intercept and redirect the different DNS server addresses manually set by clients. The standard rule cannot intercept addresses from the hotspot network only....
by JohnTRIVOLTA
Tue Jan 29, 2019 10:23 pm
Forum: Beginner Basics
Topic: block inter VLAN traffic
Replies: 17
Views: 792

Re: block inter VLAN traffic

Where is this export of the configuration, or at least that of the firewall? I did not see it anywhere, so I am confined to what is specifically asked! Everything else borders on divination skills, and I do not have those!
by JohnTRIVOLTA
Mon Jan 28, 2019 10:54 pm
Forum: Beginner Basics
Topic: block inter VLAN traffic
Replies: 17
Views: 792

Re: block inter VLAN traffic

That sounds silly JT. What are you trying to accomplish?? VLAN to VLAN traffic is blocked by default at layer 2. VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule. The only thing the OP requires is an allow VLAN to WAN rule! This is my answer for pegasus123; it's fir...
by JohnTRIVOLTA
Mon Jan 28, 2019 8:57 pm
Forum: Beginner Basics
Topic: block inter VLAN traffic
Replies: 17
Views: 792

Re: block inter VLAN traffic

I use only one filter rule. First I add all VLANs to an interface list, VLANs, and then put the one filter rule:
/ip firewall filter add action=drop chain=forward in-interface-list=VLANs out-interface-list=VLANs
by JohnTRIVOLTA
Sat Jan 26, 2019 8:32 pm
Forum: Wireless Networking
Topic: Reduce Wi-Fi transmitter power on schedule
Replies: 6
Views: 450

Re: Reduce Wi-Fi transmitter power on schedule

Oh man, thank you! I did it wrong the first time. Then I tried as you said but I cannot succeed. I made this to show how I did it, but it doesn't change anything... I think https://ibb.co/RzVRqpW You forgot RUN in the schedule: /system script run number=1 But this is not the main setup error. You must chan...
by JohnTRIVOLTA
Sat Jan 26, 2019 3:18 pm
Forum: Wireless Networking
Topic: Reduce Wi-Fi transmitter power on schedule
Replies: 6
Views: 450

Re: Reduce Wi-Fi transmitter power on schedule

Did you do this?
Add the script in the System section - Scripts, with the values changed as desired. Then add a schedule in System - Scheduler to run the script at a certain interval, for example 15 minutes. That is all!
by JohnTRIVOLTA
Sat Jan 26, 2019 12:54 pm
Forum: Wireless Networking
Topic: Reduce Wi-Fi transmitter power on schedule
Replies: 6
Views: 450

Re: Reduce Wi-Fi transmitter power on schedule

Simply set a minimum value (10 dBm) for the transmit power of the wireless interface in the TX Power section, mode all rates fixed, and the script will work! Change the desired values in the script too!
by JohnTRIVOLTA
Fri Jan 25, 2019 7:10 am
Forum: General
Topic: IKEv2 Site-To-Site VPN
Replies: 4
Views: 503

Re: IKEv2 Site-To-Site VPN

Hello, the things you want can be configured, but you also need to set some settings in location A if you want L2 level, or to extend the LAN transparently, if I understood right!
by JohnTRIVOLTA
Tue Jan 22, 2019 7:20 pm
Forum: General
Topic: IKEv2 site to site between 2 Mikrotik
Replies: 10
Views: 810

Re: IKEv2 site to site between 2 Mikrotik

I think your problem is in the balancing mode used (PCC). In the second router you do not use balancing, and there is no problem initiating the connection. For the test, you can stop the WAN ports and leave only the WAN for IPsec and try it again.
by JohnTRIVOLTA
Tue Jan 22, 2019 6:57 am
Forum: General
Topic: IKEv2 site to site between 2 Mikrotik
Replies: 10
Views: 810

Re: IKEv2 site to site between 2 Mikrotik

I'm really sorry. I have only seen the beginning of both configurations without scrolling them!
Now, when I look at the config, I think that the traffic between the two networks should be marked so it is clear exactly where (which WAN port) it will come out for balancing!
by JohnTRIVOLTA
Mon Jan 21, 2019 6:30 pm
Forum: General
Topic: IKEv2 site to site between 2 Mikrotik
Replies: 10
Views: 810

Re: IKEv2 site to site between 2 Mikrotik

really hoping someone can point out what I'm doing wrong :(
I can't see any IPsec IKEv2 site-to-site configuration! You may have set up some L2TP with IPsec PPP connection and be routing the networks over it. Do you have any routes for them in both places?
by JohnTRIVOLTA
Sun Jan 20, 2019 4:26 pm
Forum: Beginner Basics
Topic: how to do Dynamic nat 100 private ip with /24 public ip
Replies: 10
Views: 587

Re: how to do Dynamic nat 100 private ip with /24 public ip

I think these rules will work:
/ip firewall address-list
add address=192.168.0.1-192.168.0.100 list=100private_addresses
# just add your private IP addresses to the address list
/ip firewall nat
add action=accept chain=srcnat src-address-list=!100private_addresses
add action=netmap chain=srcnat src-addr...
by JohnTRIVOLTA
Sun Jan 20, 2019 12:52 pm
Forum: Beginner Basics
Topic: how to do Dynamic nat 100 private ip with /24 public ip
Replies: 10
Views: 587

Re: how to do Dynamic nat 100 private ip with /24 public ip

Hi
Can you please help me with how to do dynamic NAT of approx. 100 private IPs with a /24 public IP pool. Thanks
Use NETMAP for source NAT!?
by JohnTRIVOLTA
Sun Jan 20, 2019 10:23 am
Forum: General
Topic: No country [SOLVED]
Replies: 4
Views: 455

Re: No country [SOLVED]

Try Debug and then russia2 for other frequencies.
by JohnTRIVOLTA
Mon Jan 07, 2019 3:51 pm
Forum: Beginner Basics
Topic: SSTP VPN speed is too slow between MT router and client
Replies: 3
Views: 473

Re: SSTP VPN speed is too slow between MT router and client

30/5 Mbps respectively; so you have a maximum of 5 Mbps on the client downstream!
by JohnTRIVOLTA
Thu Dec 20, 2018 10:19 pm
Forum: General
Topic: Ipsec Site to Site with certificate
Replies: 5
Views: 499

Re: Ipsec Site to Site with certificate

Hi, I try to configure a connection between two CCR1009s and encrypt this with IPsec. If I try to use PSK everything works fine. But I want to use certificates instead. I searched for some time but I didn't find any tutorial on how to do this. So I want to ask, would this be possible? Thanks. Just try, use IK...
by JohnTRIVOLTA
Mon Dec 17, 2018 12:25 am
Forum: Wireless Networking
Topic: wAP ac is slow with manager forwarding and high CPU
Replies: 9
Views: 762

Re: wAP ac is slow with manager forwarding and high CPU

I have the same issue! With a NetBox 5, 1 client (my laptop) achieved a max of only 46 Mbit/s when I transfer some file(s) via FTP from my local NAS. The laptop wireless adapter is an AR5BWB222 with 300/300 connectivity.
by JohnTRIVOLTA
Sun Dec 16, 2018 10:59 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 589

Re: Connect three locations

I am not sure what I have to do, but if I understand I have to create two firewall -> NAT rules: In one of the remote routers: 0 chain=srcnat action=src-nat to-addresses=172.31.32.3 src-address=192.168.10.0/24 dst-address=192.168.11.0/24 log=no log-prefix="" In the other remote router: 0 chain=srcnat actio...
by JohnTRIVOLTA
Sun Dec 16, 2018 9:30 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 589

Re: Connect three locations

My guess is that on routers 2 and 3 your masquerade rules masquerade too much. Whatever is sent from e.g. site 2 towards site 1 and site 3 should probably not be masqueraded... You could try to rewrite the masquerade rules to match outgoing interfaces or something... + you must select the outgoing interface in ...
by JohnTRIVOLTA
Sun Dec 16, 2018 8:35 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 589

Re: Connect three locations

I do not have any limitations in filter
You don't have any rules in the routers at all?
by JohnTRIVOLTA
Sun Dec 16, 2018 8:02 pm
Forum: Beginner Basics
Topic: Connect three locations
Replies: 9
Views: 589

Re: Connect three locations

It may be necessary to add accept rules for the three networks in the forward chain of the filter section on the three routers.
by JohnTRIVOLTA
Sun Dec 16, 2018 9:20 am
Forum: Beginner Basics
Topic: Blocking traffic on the same NAT doesn't work
Replies: 10
Views: 609

Re: Blocking traffic on the same NAT doesn't work

But I have a virtually created bridge, and bridge filters work for it. But not for the default bridge. So if it's a software bridge I can use the bridge filters feature and provide some L2 filtering. Remove the hardware offload of the desired bridge ports (ether2 and ether4)! https://i.postimg.cc/5...
by JohnTRIVOLTA
Tue Dec 11, 2018 11:22 pm
Forum: General
Topic: 6.43.7 bootloop on hAP AC
Replies: 2
Views: 266

Re: 6.43.7 bootloop on hAP AC

ixirion has the same issue! After downgrading to 6.43.4 the RouterBOARD works normally again! The reboots were at varying intervals, from 1 minute to 5.
by JohnTRIVOLTA
Mon Dec 10, 2018 12:07 am
Forum: General
Topic: ikev2 ports [SOLVED]
Replies: 6
Views: 769

Re: ikev2 ports [SOLVED]

Okay.... never easy with MT. There are two ways of letting IPsec connections through: allow protocol 50, or connections within an IPsec policy. When I try the first option, the VPN connects but connections somehow do not get through. If I do it with the second type of rule, then everything is fine... a...