Search found 29 matches

by reetp
Mon Jul 01, 2024 12:57 pm
Forum: General
Topic: Upgrade broke rules?
Replies: 14
Views: 3331

Re: Upgrade broke rules?

Thanks for the response. Very much appreciated and it makes sense. I will have a play. The "root" issue could be that for *whatever reasons* your (allow me) "confused" setup worked on 6.49.14 by "sheer luck" or coincidence and 6.49.15 is a little more "strict"...
by reetp
Fri Jun 28, 2024 10:41 pm
Forum: General
Topic: Upgrade broke rules?
Replies: 14
Views: 3331

Re: Upgrade broke rules?

Thanks for the long and interesting response! I can clarify a few things for you. Starting with the easy bits :-) 4) you have *something wrong* here: /ip neighbor discovery-settings set discover-interface-list=*2000012 I went back to some old configs from last year and it was like that. I have set i...
by reetp
Sat Jun 15, 2024 3:47 pm
Forum: General
Topic: Upgrade broke rules?
Replies: 14
Views: 3331

Re: Upgrade broke rules?

Thanks for the attention and responses. Strange that no one simply put "we need more information" at the start. I was just asked for the firmware versions...... I have a pretty simple setup. The router connects to the ISP with PPPoE through an ISP router that is in bridge mode. 1Gb symmetri...
by reetp
Wed Jun 12, 2024 1:21 pm
Forum: General
Topic: Upgrade broke rules?
Replies: 14
Views: 3331

Re: Upgrade broke rules?

Hmmm. I find this place odd. You ask a sensible question and get almost zero help. Some questions seem to get a lot, and then others don't and it doesn't make sense. I do a lot of open source help in other places and none of it makes sense here. The documentation looks great on the surface but is cl...
by reetp
Tue Jun 11, 2024 1:32 am
Forum: General
Topic: Upgrade broke rules?
Replies: 14
Views: 3331

Re: Upgrade broke rules?

From 6.49.14 to 6.49.15

(I also have a HEXs behind the RB that runs openvpn to a vps and that also now fails with DNS lookup errors I can see in the RB logs which is possibly related)

No rules were touched on the upgrade (it worked, why would I!)
by reetp
Mon Jun 10, 2024 5:08 pm
Forum: General
Topic: Upgrade broke rules?
Replies: 14
Views: 3331

Upgrade broke rules?

2011UiAS Firmware 6.49.15 I upgraded this box a couple of days ago. Straight away it seemed like we hit DNS/connection issues. Looking in the logs I could see that it seemed like we were getting blocked by the default rule: "Drop all from WAN not DSTNATed" If I disable it then everything w...
by reetp
Thu Feb 29, 2024 2:54 am
Forum: General
Topic: Mikrotik as OpenVPN client is almost perfect
Replies: 2
Views: 645

Re: Mikrotik as OpenVPN client is almost perfect

Do you have the SIP helper disabled?
Yup.
Can you sniff closer to the SIP sever, like on the ingress interface to the openvpn server?
Packets are from tcpdump on the (linux) SIP server - for which I have total control.

Tried to see a relevant ACK but must be missing something
by reetp
Wed Feb 28, 2024 8:23 pm
Forum: General
Topic: Mikrotik as OpenVPN client is almost perfect
Replies: 2
Views: 645

Mikrotik as OpenVPN client is almost perfect

Running a Mikrotik Hex S/RB760iGS just upgraded to 7.13.5. This is sat behind a nat'ed ISP (long range wifi) router. I am using the Mikrotik to create an OpenVPN tunnel to a remote server/network as I need a SIP phone to connect to a SIP server. I have the tunnel up using an ovpn file with certifi...
by reetp
Mon Feb 19, 2024 6:18 pm
Forum: General
Topic: IPSEC S2S no traffic flowing [SOLVED]
Replies: 14
Views: 2072

Re: IPSEC S2S no traffic flowing [SOLVED]

This is still baffling to me. If we need to allow proto 50 from peers, how does the Roadwarrior setup work (when the client's public IP will be unknown until it tries to connect)? How safe/unsafe is it to allow proto 50 from any location? I think with a roadwarrior you effectively have to allow %an...
by reetp
Sat Feb 10, 2024 4:12 pm
Forum: General
Topic: openvpn conf client unsupported CRL protocol for URL
Replies: 7
Views: 1277

Re: openvpn conf client unsupported CRL protocol for URL

So the short answer is yes, RouterOS 7 cannot handle older OpenSSL certificates created on v1.x. It should have a 'legacy' switch to handle them as they are still legitimate, but it doesn't. I created some test certificates on a newer openssl (both *buntu 22.04 and Rocky 9) and they work perfectly wi...
by reetp
Fri Jan 26, 2024 1:36 pm
Forum: General
Topic: openvpn conf client unsupported CRL protocol for URL
Replies: 7
Views: 1277

Re: openvpn conf client unsupported CRL protocol for URL

You can't import p12 files. RouterOS is linux based. Really? First, I know it is linux based, and I only use linux. I don't have a Window to my name. Second, p12 files are just a secure container holding CA, key and cert. They are cross platform. Third..... https://help.mikrotik.com/docs/display/RO...
by reetp
Fri Jan 26, 2024 3:05 am
Forum: General
Topic: openvpn conf client unsupported CRL protocol for URL
Replies: 7
Views: 1277

Re: openvpn conf client unsupported CRL protocol for URL

Here are application examples with detailed instructions on how to apply certs, please check https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Generatingclientcertificates Thanks. In the first instance kindly note that I am not generating certs on the Mikrotik. I am trying to import certs gener...
by reetp
Fri Jan 26, 2024 2:11 am
Forum: General
Topic: openvpn conf client unsupported CRL protocol for URL
Replies: 7
Views: 1277

Re: openvpn conf client unsupported CRL protocol for URL

unsupported CRL protocol for URL: ldap? Just have to ask. Thanks for responding. Indeed. I am in full on stupid mode here. There are no stupid questions :-) No LDAP involved, I know my CRL is generated dynamically by calling a php file that generates the CRL on the fly. So the CRL will be a link li...
by reetp
Thu Jan 25, 2024 2:39 am
Forum: General
Topic: openvpn conf client unsupported CRL protocol for URL
Replies: 7
Views: 1277

openvpn conf client unsupported CRL protocol for URL

So I have a little Hex with RouterOS updated to OS 7.13.2 that I wanted to use as a very simple low traffic OpenVPN client to a linux server I control. I already have a separate certificate server. I have several clients, both ipsec for routers, and Openvpn for mainly phones but some laptops too. I ...
by reetp
Wed Aug 30, 2023 6:18 pm
Forum: Useful user articles
Topic: Anyone able to convert RPM to DEB for mikrotik internet usage data-traffic viewer?
Replies: 1
Views: 7402

Re: Anyone able to convert RPM to DEB for mikrotik internet usage data-traffic viewer?

There's no rpm or deb as far as I can see. Just instructions to build with docker or use a local manual install https://github.com/h-haghpanah/mikrotik_traffic_counter_en/tree/main/installation sudo yum install git -y sudo mkdir /etc/mikrotik_traffic_counter_en sudo git clone https://github.com/h-ha...
by reetp
Tue Aug 29, 2023 6:00 pm
Forum: General
Topic: VPN stops passing traffic overnight
Replies: 5
Views: 1752

Re: VPN stops passing traffic overnight

Well, it looks like some Qos rules involving DSCP seemed to be the source of the issue. If I disable these we work. add action=change-dscp chain=prerouting comment="Voip" disabled=yes dst-address=192.168.98.0/24 new-dscp=6 passthrough=yes add action=change-dscp chain=prerouting comment="...
by reetp
Sat Aug 26, 2023 1:37 pm
Forum: General
Topic: VPN stops passing traffic overnight
Replies: 5
Views: 1752

Re: VPN stops passing traffic overnight

Well, Got the original router plumbed in. Test ipsec is up, but i have the same issue with it failing to ping one way when it comes up. As soon as the Mikrotik passes traffic to the remote end then the remote can pass back to the Mikrotik. Same as earlier here. https://forum.mikrotik.com/posting.php...
by reetp
Wed Aug 16, 2023 3:19 pm
Forum: General
Topic: VPN stops passing traffic overnight
Replies: 5
Views: 1752

Re: VPN stops passing traffic overnight

I'll continue talking to myself :-) Interesting. Disabled ipsec connection on the remote end. Fired up old Endian box on old copper ADSL - predecessor to the Mikrotik+fibre Connected immediately to asterisk after changing just the Asterisk incoming IP address Connected immediately to Mikrotik here a...
by reetp
Tue Aug 15, 2023 7:12 pm
Forum: General
Topic: VPN stops passing traffic overnight
Replies: 5
Views: 1752

Re: VPN stops passing traffic overnight

Well, it isn't my ISP - at least on old copper ADSL. So I: Disabled Ipsec for this connection on the Mikrotik router - both Policy and Peer Set a route for the local network to the remote subnet : 10.0.0.0/24 <-> 192.168.98.0/24 via 10.0.0.251 Flipped the ipsec incoming IP on the Libre server - the ...
by reetp
Tue Aug 15, 2023 2:53 pm
Forum: General
Topic: VPN stops passing traffic overnight
Replies: 5
Views: 1752

Re: VPN stops passing traffic overnight

Something I just noticed. The Libreswan box 192.168.98.1 can ping the remote router 10.0.0.250 but not the IPs behind it eg 10.0.0.1 The remote router 10.0.0.250 cannot ping 192.168.98.1 The local boxes cannot ping 192.168.10.* - 10.0.0.* I guess it must be firewalling but I have no idea why it just...
by reetp
Tue Aug 15, 2023 2:00 pm
Forum: General
Topic: VPN stops passing traffic overnight
Replies: 5
Views: 1752

VPN stops passing traffic overnight

Hi, Sudden Tuesday morning strangeness :shock: I have two offices with two RB2011UiAS routers with FW 6.49.8. I have them setup pretty well identically. KISS :-) Both sit behind a bridged PPPoE router. No fancy networking - just a few port forwards to a local linux server each end, and a Hurricane I...
by reetp
Sat Apr 29, 2023 1:47 am
Forum: General
Topic: VPN firewall (?) blockages
Replies: 1
Views: 294

Re: VPN firewall (?) blockages

Hmmm. Seems that it may be something to do with the BT Business Smart Hub 2 in bridge mode on the cloud connection at least. Fired up the remote old Endian box, set it to a different local IP, fired up the Endian ipsec connections via the old ADSL connections, set a route in the remote Mikrotik, and...
by reetp
Wed Apr 26, 2023 8:52 pm
Forum: General
Topic: VPN firewall (?) blockages
Replies: 1
Views: 294

VPN firewall (?) blockages

I have two RB2011UiAS units with a pretty basic setup. Both on 6.49.7 One has been running for over a year quite happily. It has an Ipsec connection to a Libreswan server and an Ipsec connection to an Endian router in a remote office (both VPNs used for Voip connections). The remote 'Endian' office ...
by reetp
Mon Jan 17, 2022 2:17 pm
Forum: General
Topic: ICMP from WAN router to Mikrotik in PPPoE mode
Replies: 2
Views: 1327

Re: ICMP from WAN router to Mikrotik in PPPoE mode

Thanks for the response (I struggle to find my own posts here!!) The Mac f4:69:42:0f:e8:10 seems to be for the Movistar Fibre router which is connected to Mikrotik ethernet 1. I presume it is the Movistar router questioning the Mikrotik? The Mikrotik gets its initial IP (192.168.1.33) from the Movi...
by reetp
Thu Jan 06, 2022 12:09 am
Forum: General
Topic: ICMP from WAN router to Mikrotik in PPPoE mode
Replies: 2
Views: 1327

ICMP from WAN router to Mikrotik in PPPoE mode

Seasons greetings! I have seen a continual stream of ICMP packets from my WAN router to the Mikrotik pppoe-client that are blocked. Where 192.168.1.1 is the WAN router and 192.168.1.33 is the initial router IP address. Invalid Input input: in:ether1 out:(unknown 0), src-mac f4:69:42:0f:e8:10, proto ...
by reetp
Wed Dec 08, 2021 3:05 pm
Forum: Beginner Basics
Topic: Basic setup advice + Video & Sip dropout issues
Replies: 2
Views: 966

Re: Basic setup advice + Video & Sip dropout issues

So I fixed this: srcnat: in:(unknown 0) out:pppoe-client, src-mac b6:5c:ce:8e:ca:fb, proto ICMP (type 8, code 0), 192.168.10.1->192.168.98.1, len 84 I had forgotten to add these - I had done for the other VPN. Doh. ip firewall raw add chain=prerouting action=notrack src-address=192.168.10.0/24 dst-a...
by reetp
Mon Dec 06, 2021 8:52 pm
Forum: Beginner Basics
Topic: Basic setup advice + Video & Sip dropout issues
Replies: 2
Views: 966

Re: Basic setup advice + Video & Sip dropout issues

Thinking aloud I have a suspicion this may be to do with MTU. This is the biggest packet we can send: ping -M do -s 1452 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 1452(1480) bytes of data. 76 bytes from 8.8.8.8: icmp_seq=1 ttl=116 (truncated) This breaks ping -M do -s 1454 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 1454(1...
by reetp
Mon Dec 06, 2021 7:54 pm
Forum: Beginner Basics
Topic: Basic setup advice + Video & Sip dropout issues
Replies: 2
Views: 966

Basic setup advice + Video & Sip dropout issues

Hi, Struggling with basic stuff here. I suspect personal stupidity is to blame, but for the life of me I can't see where :-) Migrating from an Endian distro on my own hardware. Seeming to get dropout with video across a standard network connection, and voip across the VPNs (without much other traffi...
by reetp
Tue Jan 24, 2017 1:02 am
Forum: Beginner Basics
Topic: My first VPN
Replies: 3
Views: 1393

Re: My first VPN

Do yourself a favour and dump PPTP.

It's been insecure for years.

Use IPsec or openvpn. A bit more of a learning curve but more future proof as support for PPTP gets dropped (best thing Apple have done)

B. Rgds
John