Thanks for the response. Very much appreciated and it makes sense. I will have a play. The "root" issue could be that for *whatever reasons* your (allow me) "confused" setup worked on 6.49.14 by "sheer luck" or coincidence and 6.49.15 is a little more "strict"...
Thanks for the long and interesting response! I can clarify a few things for you. Starting with the easy bits :-) 4) you have *something wrong* here: /ip neighbor discovery-settings set discover-interface-list=*2000012 I went back to some old configs from last year and it was like that. I have set i...
Thanks for the attention and responses. Strange that no one simply put "we need more information" at the start. I was just asked for the firmware versions...... I have a pretty simple setup. The router connects to the ISP with PPPoE through an ISP router that is in bridge mode. 1Gb symmetri...
Hmmm. I find this place odd. You ask a sensible question and get almost zero help. Some questions seem to get a lot, and then others don't and it doesn't make sense. I do a lot of open source help in other places and none of it makes sense here. The documentation looks great on the surface but is cl...
(I also have a HEXs behind the RB that runs openvpn to a vps and that also now fails with DNS lookup errors I can see in the RB logs which is possibly related)
No rules were touched on the upgrade (it worked, why would I!)
2011UiAS Firmware 6.49.15 I upgraded this box a couple of days ago. Straight away it seemed like we hit DNS/connection issues. Looking in the logs I could see that it seemed like we were getting blocked by the default rule: "Drop all from WAN not DSTNATed" If I disable it then everything w...
Running a Mikrotik Hex S/RB760iGS just upgraded to 7.13.5. This is sat behind a nat'ed ISP (long range wifi) router. I am using the Mikrotik to create an OpenVPN tunnel to a remote server/network as I need a SIP phone to connect to a SIP server. I have the tunnel up with using an ovpn file with certifi...
This is still baffling to me. If we need to allow proto 50 from peers, how does the Roadwarrior setup work (when the client's public IP will be unknown until it tries to connect)? How safe/unsafe is it to allow proto 50 from any location? I think with a roadwarrior you effectively have to allow %an...
So the short answer is yes, RouterOS 7 cannot handle older OpenSSL certificates created on v1.x. It should have a 'legacy' switch to handle them as they are still legitimate, but it doesn't. I created some test certificates on a newer openssl (both *buntu 22.04 and Rocky 9) and they work perfectly wi...
You can't import p12 files. RouterOS is linux based. Really? First, I know it is linux based, and I only use linux. I don't have a Window to my name. Second, p12 files are just a secure container holding CA, key and cert. They are cross platform. Third..... https://help.mikrotik.com/docs/display/RO...
Here are application examples with detailed instructions on how to apply certs, please check https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Generatingclientcertificates Thanks. In the first instance kindly note that I am not generating certs on the Mikrotik. I am trying to import certs gener...
unsupported CRL protocol for URL: ldap? Just have to ask. Thanks for responding. Indeed. I am in full on stupid mode here. There are no stupid questions :-) No LDAP involved, I know my CRL is generated dynamically by calling a php file that generates the CRL on the fly. So the CRL will be a link li...
So I have a little Hex with RouterOS updated to OS 7.13.2 that I wanted to use as a very simple low traffic OpenVPN client to a linux server I control. I already have a separate certificate server. I have several clients, both ipsec for routers, and Openvpn for mainly phones but some laptops too. I ...
There's no rpm or deb as far as I can see. Just instructions to build with docker or use a local manual install https://github.com/h-haghpanah/mikrotik_traffic_counter_en/tree/main/installation sudo yum install git -y sudo mkdir /etc/mikrotik_traffic_counter_en sudo git clone https://github.com/h-ha...
Well, it looks like some Qos rules involving DSCP seemed to be the source of the issue. If I disable these we work. add action=change-dscp chain=prerouting comment="Voip" disabled=yes dst-address=192.168.98.0/24 new-dscp=6 passthrough=yes add action=change-dscp chain=prerouting comment=&qu...
Well, Got the original router plumbed in. Test ipsec is up, but i have the same issue with it failing to ping one way when it comes up. As soon as the Mikrotik passes traffic to the remote end then the remote can pass back to the Mikrotik. Same as earlier here. https://forum.mikrotik.com/posting.php...
I'll continue talking to myself :-) Interesting. Disabled ipsec connection on the remote end. Fired up old Endian box on old copper ADSL - predecessor to the Mikrotik+fibre Connected immediately to asterisk after changing just the Asterisk incoming IP address Connected immediately to Mikrotik here a...
Well, it isn't my ISP - at least on old copper ADSL. So I: Disabled Ipsec for this connection on the Mikrotik router - both Policy and Peer Set a route for the local network to the remote subnet : 10.0.0.0/24 <-> 192.168.98.0/24 via 10.0.0.251 Flipped the ipsec incoming IP on the Libre server - the ...
Something I just noticed. The Libreswan box 192.168.98.1 can ping the remote router 10.0.0.250 but not the IPs behind it eg 10.0.0.1 The remote router 10.0.0.250 cannot ping 192.168.98.1 The local boxes cannot ping 192.168.10.* - 10.0.0.* I guess it must be firewalling but I have no idea why it just...
Hi, Sudden Tuesday morning strangeness :shock: I have two offices with two RB2011UiAS routers with FW 6.49.8. I have them setup pretty well identically. KISS :-) Both sit behind a bridged PPPoE router. No fancy networking - just a few port forwards to a local linux server each end, and a Hurricane I...
Hmmm. Seems that it may be something to do with the BT Business Smart Hub 2 in bridge mode on the cloud connection at least. Fired up the remote old Endian box, set it to a different local IP, fired up the Endian ipsec connections via the old ADSL connections, set a route in the remote Mikrotik, and...
I have two RB2011UiAS units with a pretty basic setup. Both on 6.49.7 One has been running for over a year quite happily. It has an Ipsec connection to a Libreswan server and an Ipsec connection to an Endian router in a remote office (both VPNs used for Voip connections). The remote 'Endian' office ...
Thanks for the response (I struggle to find my own posts here!!) The Mac f4:69:42:0f:e8:10 seems to be for the Movistar Fibre router which is connected to Mikrotik ethernet 1. I presume it is the Movistar router questioning the Mikrotik? The Mikrotik gets its initial IP (192.168.1.33) from the Movi...
Seasons greetings! I have seen a continual stream of ICMP packets from my WAN router to the Mikrotik pppoe-client that are blocked. Where 192.168.1.1 is the WAN router and 192.168.1.33 is the initial router IP address. Invalid Input input: in:ether1 out:(unknown 0), src-mac f4:69:42:0f:e8:10, proto ...
So I fixed this: srcnat: in:(unknown 0) out:pppoe-client, src-mac b6:5c:ce:8e:ca:fb, proto ICMP (type 8, code 0), 192.168.10.1->192.168.98.1, len 84 I had forgotten to add these - I had done for the other VPN. Doh. ip firewall raw add chain=prerouting action=notrack src-address=192.168.10.0/24 dst-a...
Thinking aloud I have a suspicion this may be to do with MTU. This is the biggest packet we can send: ping -M do -s 1452 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 1452(1480) bytes of data. 76 bytes from 8.8.8.8: icmp_seq=1 ttl=116 (truncated) This breaks ping -M do -s 1454 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 1454(1...
Hi, Struggling with basic stuff here. I suspect personal stupidity is to blame, but for the life of me I can't see where :-) Migrating from an Endian distro on my own hardware. Seeming to get dropout with video across a standard network connection, and voip across the VPNs (without much other traffi...