MikroTik

Anumrak

AFAIK management not works in vrf. Only clients traffic.

Anumrak

Open two more colon "To Address", "To Ports" and find to which local IP:port you translating your 76.212.90.etc

Anumrak

In a WISP covering a very extensive area with 30 PPPoE servers, more than 300 PtMP and more than 2000 CPE we had problem with MPLS: sometimes MPLS forwarding table doesn't follow OSPF. We decided to split the very big OSPF domain into several little ones using iBGP. Routing tables have diminished f...

Anumrak

Try add a route 2000::/3 on router. And your clients will be routed with ::/0 from RA. And switch off ND on all interfaces, but exacly you need.

Anumrak

What IP do you receive from ISP?

Anumrak

Do you use bfd protocol between peers?

Anumrak

In a single ospf area must be not more than 100 routers I believe. I hope you using lsa type 3 between areas in order to save processors time to recalculate shortest path. With OSPF help you have to announce only tech nets. For large scale better use BGP.

Anumrak

I'm afraid its a reset and re-configure. There's no way to reset a password.

Be safe, netinstall for a Clean router.

Sent from Tapatalk
If i reset and i re-configure, data they will be lost?

Thank You

Yes, of course.

Anumrak

Anumrak

Great, this works on my test environment, thanks for your help :-) # Add static default 0.0.0.0/0 route, necessary since i will not get this route from my full feed /ip route add distance=1 gateway=x.x.x.x # Add in-going filter to the BGP Peer /routing bgp peer set BGPPeerName in-filter=isp1-in # A...

Anumrak

You can block all frames with ethertype 0x86DD on bridge filter. Or, if you have some switches between routers, on them with L2 access list.

Anumrak

First filter rule allow 0.0.0.0/0
Second deny everything else.

Anumrak

Just reset your router ASAP and upload backup. That's it.

Anumrak

Check your RAM on router. Maybe your peer begin to redistribute to you full view, you memory ends and that's it?

Anumrak

If devices in your network have to work on layer 2 better, then use vpls. If not, better use mp-bgp l3 vpn subnets over mpls. mpls ldp will base on ospf protocol. bgp peers loopbacks will announce over ospf and cctv networks will announce over ibgp. On each router create vrf "cctv" and do ...

Anumrak

Just setup your iBGP peers with same AS number.

Anumrak

just add routes

add 10.0.127.2 to your routers via 192.168.2.254

add 192.168.1.0/24,192.168.2.0/23 and 192.168.4.0/24 via 192.168.2.254 (or l2tp ((ipsec))) to 10.0.127.2
Tha doesnt work because DW of each office is unmanaged router, thnks

Use routes + source nat.

Anumrak

First of all: in which IP address resolves your domain from router or your computer? nslookup or smth Second: Did you open tcp 1723 port to MIkrotik PPTP server? If IP address of your ISP terminates on your router modem, the you should allow forwarding this port to IP address 192.168.2.3 with NAT ad...

Anumrak

Why not? In house A set route 0.0.0.0/0 to 192.168.0.1 and in house B set route 0.0.0.0/0 to 192.168.81.1. Router A will always sent packets to Internet through his ISP and B will always sent packets to Internet through vlan tag. Easy

Anumrak

Yes, it can be done with it.

Anumrak

Through your web server + some mysql base with their usernames and + some ROS scripting. In ISP world people suing billing platform.

Anumrak

Hey. Try MAC Telnet access. If there will be no luck, then only hard reset.

Anumrak

Try to connect with wire only. If OK, then see what is a problem with wireless. Solve the problem consistently.

Anumrak

Two /32 routes to 192.168.1.1 interface WAN1, and 0.0.0.0/0 to WAN2 gateway IP interface WAN2 without any marking. Traffic won't go to 10.10.10.1 and 10.10.10.2 though WAN2, because we always have specific long prefix routes in RIB.

Anumrak

https://wiki.mikrotik.com/wiki/Manual:I ... on_example

Anumrak

Nice presentation by the way

Anumrak

Well what happens is that : If I say I use SLAAC (managed=0) My Windows hosts uses SLAAC just all right, but has no DNS If I say I use SLAAC (managed=0) and want to provide DNS throught DHCPV6 (other=1) My Windows hosts uses SLAAC just all right, but still has no DNS : it performs no DHCPV6 request...

Anumrak

Try to add NAT rule which action is accept, chain is srcnat with source ip net 10.10.10.0/24. It's means that you will not nat it, just pass though the tunnel. And lift him above the rest. That's wrong. Just checked with l2tp/ipsec vpn in transport mode, icmp went well in both directions. Looks lik...

Anumrak

Try to add NAT rule which action is accept, chain is srcnat with source ip net 10.10.10.0/24. It's means that you will not nat it, just pass though the tunnel. And lift him above the rest.

Anumrak

What is lan interface? It's a bridge or ethernet port? If it's bridge with added ethernet port in your LAN, then assign in bridge interface arp-proxy mode. If LAN is ethernet port, just assign on it arp-proxy.

Anumrak

Try to find the packet with source IP 10.10.10.255 in torch. We need to know routing decision executes or not.

Anumrak

Then I'm joining question

I believe after the router decapsulates the packet, new IP look up for 10.0.0.211 and router have to choose outbound interface. Don't know why he can't just put packet inside LAN interface.

Sniff the traffic with torch. What can you see there? In LAN interface.

Anumrak

Print here firewall filter rules.

Anumrak

Wow, I meant from 10.0.0.1 to 10.10.10.255

Anumrak

Can you ping from router with source 10.0.0.1 to 10.10.10.2? And show your "ip route print".

Anumrak

Stop all ppp sessions and reconnect.

Anumrak

Show traceroute from 10.10.10.2 to 10.0.0.211. Tracing route to 10.0.0.211 over a maximum of 30 hops 1 29 ms 29 ms 30 ms 10.0.0.1 2 * * * Request timed out. 3 * * * Request timed out. If you have correct new IP 10.10.10.2 from pool 10.10.10.2-10.10.10.255 and local address of ppp profile is 10.10.1...

Anumrak

Show traceroute from 10.10.10.2 to 10.0.0.211.

Anumrak

Post here config of IPv6 - Address. IPv6 - ND. IPv6 - Neighbors.

Anumrak

Your logic is more adapted for L2 VPN. And you have here L3 vpn with ppp base. You already have LAN on Tik with 10.0.0.0/16. Make in ppp profile local address 10.10.10.1 and remote from pool 10.10.10.2-10.10.10.255.

Anumrak

Can LAN device ping vpn PC? 10.0.0.2.

Anumrak

Try below:

VPNConfig.JPG

He done it
0.0.0.0 0.0.0.0 On-link 10.0.0.2 26

Anumrak

Okay, seems you going through the tunnel. Look for firewall settings on 10.0.0.211 or Tik filter for forwarding. Try to ping another device in home LAN. In LAN working and from Tik working too.. https://image.ibb.co/eHjf1T/55.png I mean ping from vpn PC another LAN device. Aka 10.0.0.145 or whateve...

Anumrak

Okay, seems you going through the tunnel. Look for firewall settings on 10.0.0.211 or Tik filter for forwarding. Try to ping another device in home LAN.

Anumrak

Do traceroute from PC to 8.8.8.8.

Anumrak

You won't recieve IP from dhcp server. ROS can't do such thing. What route do you have on pptp client to reach 10.0.0.0/16? And what IP addresses your LAN devices have? I receive IP from DHCP server: 10.0.0.2 and about the route, I post all routes I have. /ip route add check-gateway=ping distance=1...

Anumrak

You better assign input and output interfaces in rules.

Anumrak

You won't recieve IP from dhcp server. ROS can't do such thing. What route do you have on pptp client to reach 10.0.0.0/16? And what IP addresses your LAN devices have?

Anumrak

The fact is that large providers have historically been able to provide services via the PPPoE protocol and vendors that sold them hardware should support it. In fact: vendors got money, providers don't need to change something in their network. Over time, it has not become worse, and cold patches c...

Anumrak

Carefully disable arp on users interfaces(I hope you connecting to router not on this interface) and see arp requests ends or not. If yes, manage dhcp arp inspection with arp reply-only property and create dhcp server with "Add arp for leases" option. After it dynamic arp records will appe...

Anumrak

Just create dhcp server on bridge interface and put in this bridge eth2 and wlan2 interfaces. Should work.

Anumrak

What your firewall filter rules on hex? Can you ping PC's from Tik itself? If yes, check your firewall rules.

Anumrak

Do you have proxy arp enabled on some of interfaces in users direction? If users connected to your network with IP network without PPP, they must put IP address of gateway, not interface.

Anumrak

I'm sorry. Lower than 6.41. You have master port default config. Eth 3, 4, 5 are slaves for Eth2. You can see it in interface config.

Anumrak

What version of RouterOS do you have on hAPac2? If lower that 6.40, then you have master port config in each interface. Check it.

Anumrak

You can get IP from dhcp server through pptp tunnel, but not from ROS. Install Ubuntu server behind the MikroTik router, manage strongSwan server dhcpd and pptpd and here you go. What I achieved is I connected with IKEv2 client and one more time connected with pptp client inside IKEv2 tunnel. And go...

Anumrak

Maybe you sould try set static admin mac on a bridge in order he will not send request from multiple macs. But better way, i think, is to switch off ports till this crap is over. And think what can do host behind that port. I have set static admin MAC on the bridge long before this is happening. Al...

Anumrak

Maybe you sould try set static admin mac on a bridge in order he will not send request from multiple macs. But better way, i think, is to switch off ports till this crap is over. And think what can do host behind that port.

Anumrak

OR you can do double nat through second router :) 3074 -> 1301 -> 3074 3074 -> 1302 -> 3074 3074 -> 1303 -> 3074. But it's true that your console needs global addresses :) That's best option. /28 network. OR you can get ipv6 /48 block from hurricane electric and assign public ipv6 addresses fo free :)

Anumrak

I believe problem in switching. Because of TCP MSS negotiation. After this frames with vlan tag of 1512 bytes, for example, can't get through switch ports with MTU 1500. But with PPPoE MTU 1480 it can.

Anumrak

Try in lab with Cisco 7606 with WS-X6724-SFP or WS-X6704-10GE modules. It support simple configuration of layer 2 virtual circuits to downlinks and to uplinks without awful bridge domains.

Anumrak

try action dst-nat instead of netmap and specify in-interface.
No, didn't help.
I have several perfectly working forwards like rdp, vnc and ssh, but problem with samba.

Do you have counters moving in this rule? If yes, then problem in PCs.

Anumrak

I'm not sure action=netmap accepts a single IP address as to-addresses value, you should use action=dst-nat instead. And put back the src-address=your.current.ip.address , as it was not the reason why it did not work. Plus you don't need to use to-ports if you don't need to change the original dst-...

Anumrak

try action dst-nat instead of netmap and specify in-interface.

Anumrak

Before you run your script try to type it in terminal with tab. You could miss some input keys. If you'll try to run it in terminal, in case of mistake, in windows you'll see: incorrect line or reply from code.

Anumrak

I played around with some filter rules. One issue i had with redistributing connected was that some of the connected routes was already in the routing table because of ospf. So what is did is create a bgp-out filter. for example. /routing filter add chain=bgp-out prefix=10.10.0.0/24 prefix-length=2...

Anumrak

If they are in same l2 domain, you can try to ping host in different VPLS. Dump it and see what you got.
not working. I cant ping from different VPLS interface.

Means horizon rule works

It's just ldp signaling traffic you see.

Anumrak

Thanks for the tip. It would work for this contrived example with static routes, but what about with BGP or other protocols which use next hop addresses? My use case is using BGP over PPPoE. As client terminating service, PPPoE not using much in BGP design. BGP using in full mesh IP network or over...

Anumrak

Hi Thank you all for the reply. I have decided to reset the Mikrotik to factory default and started my configuration over again ( Was not much config 3 Ports and 1 additional route + DHCP etc..) Now it works.. ( Must have just been some wrong setting somewhere that I could not see) Both Routing Bet...

Anumrak

You cannot route between subnets by default. That's the point of having different subnets, so the hosts can communicate with those on their subnet but not others. Those dynamic routes that are being made are for Internet access so those subnets can route out to the Internet. If you want 10.0.16.0/2...

Anumrak

Yeah, now it's common behavior for ppp routes. You just need select interface instead of IP address on other side.

Anumrak

If they are in same l2 domain, you can try to ping host in different VPLS. Dump it and see what you got.

Anumrak

You cannot route between subnets by default. That's the point of having different subnets, so the hosts can communicate with those on their subnet but not others. Those dynamic routes that are being made are for Internet access so those subnets can route out to the Internet. If you want 10.0.16.0/2...

Anumrak

I might be wrong, but I think redistribute /32 routes from each pppoe address each time it's connected, it's not really good idea.

Anumrak

Maybe it's VPLS management signaling packets? You should dump this and watch in a wireshark. Also, check all interfaces have the same horizon value. And make sure you have latest ROS version.

Anumrak

Why you think Tik can't route? If you see dynamic routes of LANs in routing table, then it routes. Try to traceroute between hosts in different subnets. If you can see first hop as his gateway IP and after trace is snaps, then host in destination just blocks ICMP.

Anumrak

You cannot, but it was not easy to understand that you wanted an IP<->MAC address maping from your original post given that the title of the topics doesn't mention IP address at all. In the arp table there are translations for active IP addresses; if the address has been inactive for some time, the...

Anumrak

I heard about Secure ND(SeND). Does ROS support it/will support it?

Anumrak

Maybe you have a loop in switched network or duplicate IP address. Check these two cases.

Anumrak

Hey. You can look it in switch tab in active hosts. Try to implement it in your script with "get" function.

Anumrak

Cool that you done with it

Anumrak

That dns flood from your LAN, so these requests just flooding your RAM on router, what is not cool. You should block dns queries for this host and figure out how to fix him, then release the host.

P.S.: I bet that's a virus.

Anumrak

I am sure he will be very happy :D Yesterday just called him about 50 times to take a ipconfig/renew on the PCs... :D Shutting down the physical Ethernet port and switching it on again should be enough to make the DHCP client on Windows start from Discovery, no need to call Mr. Kovács for each try....

Anumrak

Try to use in script "else" after "if". In "else" you can add new bridge, when "if" will detect absent of master-port. Experiment!

Anumrak

In 6.41+ there is no master port anymore, that's why your sript can't find it in config. What's new in 6.41 (2017-Dec-22 11:55): Important note!!! Backup before upgrade! RouterOS (v6.40rc36-rc40 and) v6.41rc1+ contains new bridge implementation that supports hardware offloading (hw-offload). This up...

Anumrak

At the moment both local DHCP server has been disabled on the Mikrotiks. I have checked the ARP table on both Mikrotik and I can see some communication from 192.168.10.1. Once I've seen there was an IP offer from the DHCP server but the client refuse it :O BTW yep that a good idea to put directly a...

Anumrak

And if you want more flexible BGP routing, you should switch off synchronizaion with IGP routing table.

https://wiki.mikrotik.com/wiki/Manual%3 ... GP#Network

Anumrak

You should disable DHCP servers on both Tiks and try to recieve IP from WIN server. If Tiks recieving addresses from him, then the problem in switch or in OS of the client. Try to recieve address from WIn server without switch. Connect directly to a Tik with your PC.

Anumrak

Yes, I have a bridge called "EoIP bridge" and an EoIP interface called "EoIP-to-D" (left side) and "EoIP-to-M" (right side). I've created a local DHCP server to "EoIP bridge". And as I mentioned it works properly, but when I enabled the "EoIP" it cr...

Anumrak

On which interface do you create dhcp server on Tik? Maybe you create the server on EoIP interface which bridged with your lan?

Anumrak

What OS is on "DHCP from server"? Can you test it on another OS?

Anumrak

Can interface bridge(new one maybe) on left Tik get IP from Win DHCP Server?
Can anyone get IP from it?

Anumrak

Do you have the only one dhcp server enabled? When you trying to recieve the address from 192.168.10.1.

Anumrak

You should bridge ether interfaces and eoip tunnels on both Tiks for all the way to dhcp client. If this is correct, you should print here your config.

Anumrak

which ports use NDP?

It's ICMPv6 protocol. Number 58 on IPv6 layer. Like OSPF protocol is number 89 on IP layer.

Anumrak

IPv6 using neighbor discovery protocol, so just disable it on EoIP interface or on hardware interface into lan.

Anumrak

You can choose of: 1) Full mesh topology between BGP peers with using of loopback IP's of OSPF process; 2) Route Reflector(s) which can recieve routes from "BGP Clients" and redistribute them to others with no need of full mesh; 3) Use MPLS for BGP peers connectivity over OSPF network. Las...

Anumrak

Routing Filters works more with BGP. You can separate areas of your OSPF domain by several, for ex. 0.0.0.1, 0.0.0.2, 0.0.0.3 and all these will connects to area 0.0.0.0 and then you can create totally stubby area in order to this area can recieve only default route to 0.0.0.0 area. /routing ospf ar...

Anumrak

Try to find some firewall activity on end point machine. Rules are pretty simple.

Anumrak

Paste here firewall filter rules and NAT rules.

Anumrak

Change this "add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
new in-interface=ether1" on pppoe-out1 in in-interface, please.

Anumrak

Just bridge eth3 and EoIP tunnel interface on Tik A and EoIP Tunnel and eth2 on Tik B.

Anumrak

Anumrak

Didn't find topic with answers, so do a ROS have such feature? How to prevent IPv6 spoofing on layer 2 from specific multicast mac? Attacker will refresh ND cach with IP - MAC, don't really understand what mechanic from ROS can handle it.

Anumrak

Bridge other Tik interfaces, assign 2.2.2.0/29 network on vlan interface and choose other Tik ports as untagged in bridge ports, I suppose. https://wiki.mikrotik.com/wiki/Manual%3 ... p_examples

Anumrak

Try mschapv2 on both side, encryption must be MPPE 128 bits on both sides(better be) and check mtu on both sides, must match.

Anumrak

is anybody resolved this ?

Maybe a static route into vpn interface?

Anumrak

1) Input chain is using for router itself. Forward is using for hosts between router;
2) In that case you should add filter rule for LAN interface for output chain in order to manipulate local addresses. And dst-address must be local address.

Anumrak

In windows you should set them manually. no, I will kill myself doing this Maybe you can post console commands how to set static ipv6 to my windows server, because I'm not sure that I understand you previous explanation. I understand that I should get /48 prefix in HE. But what should I do next, be...

Anumrak

You can assign IPv6 DNS too in IP - DNS. Just write them next to IPv4. In windows you should set them manually.
You can assign static IPv6 address to server. Static address is not recommended only for laptops, xbox/ps and PC's.

Anumrak

You already have ipv6 address of server and yours. It's /64 network. In order to assign to your clients ipv6 addresses in auto mode, your sould assign to yourself in HE account /48 network, it's about 65536 /64 networks for your devices in LAN. After you get /48 prefix, you can delegate from it /64 ...

Anumrak

And I'm sorry for incorrect sequence: chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of your Hex" chain=input action=drop src-address-list=Port_Scanner chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout...

Anumrak

Try something like this: chain=input action=drop src-address-list=Port_Scanner chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of HEx" chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w or with a whi...

Anumrak

Extract Hex IP from list or deactivate the rule? I would like it if possible to make a white list with the addresses known to be excluded from the rule. sorry but I'm trying to learn! Try something like this: chain=input action=drop src-address-list=Port_Scanner chain=input action=accept protocol=t...

Anumrak

Already found it , tnx to YT.... tnx for the many helpfull answers ;) still have a question that i can't seem to find on www.... how to set mac filtering on the router for wireless ( and maybe also for wired connections) kind regards yoeri You should filter mac address in /interface wireless access...

Anumrak

Extract Hex IP from list or deactivate the rule?

Anumrak

It's nice that ipv6 has priority over ipv4

It is so unusual that ipv4 now more in support role.

Anumrak

What new IP is and on what interface do you change it? Don't use quick set, use just winbox, in which you can see every settings.

Anumrak

So, then it's security issue

Check IP - Services and System - Users. Check IP's from which your Tik can be available.

Anumrak

I think I'll prefer to use just slaac, without statless dhcpv6. Will wait for statefull dhcpv6. But thanks for your answers and help!

Anumrak

Hello. I'm need to implement a double stack IPv4-IPv6 for my LAN. ether2 - DHCP server for (IPv4 with 100.64.0.0/24 pool and IPv6 with the pools that deppends on Hurricane Electric) ether6 - DHCP client, it's the port connected to modem ADSL2+ which implements an dhcp server with a nat to a dinamic...

Anumrak

Maybe that will help
https://support.skype.com/en/faq/FA148/ ... ws-desktop

Anumrak

Why you choose in-interface as ether1 instead of pppoe-out1?

Anumrak

These addresses must be in same broadcast domain. Is that true? If can't do this on running system, then use "Safe mode" or configure IP from mac-telnet connection, without IP connectivity.

Anumrak

Sorry for misunderstanding about "now". It was "not". If I set "other options" with dhcpv6 server active on advertising interface, I will not get dnsv6 servers to my PC. DNSv6 are set in IP - DNS. There are v4 and v6 servers. I know about dhcp options, but did not try y...

Anumrak

Very interested in answer

For smallest model.

Anumrak

I have a ring of 7 routers, running MPLS and VPLS with OSPF routing.
I am picking up high latency issues between two points, so I suspect looping somewhere along the line.
I am thinking about cancelling OSPF routing and just creating static routes, what are your thoughts?

Simple OSPF is better.

Anumrak

Try it "pw-type=tagged-ethernet" with raw type. And bridge ether ports with vpls interface to client side.

Anumrak

Maybe you should make static dhcp leases with arp records? With arp reply only function on physical port. Your situation reminds me dhcp starvation attack, if you have a lot of macs with zeros.

Anumrak

Unfortunately, there is now way to forward traffic to you from ISP router, except you working in this ISP

Anumrak

Stateless DHCPv6 now working. Works only ND and RA and static DNSv6.

Can anyone confirm this?

Anumrak

Stateless DHCPv6 not working. Works only ND and RA and static DNSv6.

Anumrak

admin - /29, office - /27, guests - /22. Don't know why everybody are silent

Anumrak

You already have advertising, so you just need to enable other config in options, add DHCPv6 server to same interface without specifying pool and it will work in stateless mode and provide info to clients that ask (as instructed by other config flag in RA). That's what I meant. Will try, thanks! :)

Anumrak

Microsoft only added support for DNS from RA not so long ago. And as far as I know, only to Windows 10, no backports. But you can use DHCPv6, RouterOS supports stateless server.

You mean I need to manage dhcpv6 server + IPv6 advertising?

Anumrak

Hi everyone. I've managed IPv6 to my LAN, in IPv6 network discovery I've enabled DNS advertising and advertising IPv6 address itself from prefix. My laptop got addresses and DNSv6 too. PC's with win 8.1 also got addresses, but didn't get dnsv6 servers addresses. Is it true that windows OS can't inst...

Anumrak

А прокси через socks5 не пробовал? Вроде работает хорошо и логина, пароля не требует.

Anumrak

OSPF must work just fine if all of your interfaces in area 0, because ldp will work only in one area as a vpls. If you did the same in higher version, then it might be a bug.

Anumrak

So you mean at first ipsec side to side and then over that eoip? Correct?
Thanks!

Correct

Anumrak

Route to 192.168.0.0/22 from each client. Or specific /24 route, doesn't matter.

Anumrak

You can imagine several private addresses and use ospf over EoIP over IPsec. If network belongs to his company, he can use nets without encryption.

Anumrak

You only need to see these rules in config. I think it's "and".

Anumrak

No. Then use custom IPsec profile.

Anumrak

Use access list in wireless + static dhcp leases with "add arp for dhcp lease" option.

Anumrak

Yahoo!

Anumrak

What network exactly you want to connect? Layer 2 or 3? If 2, use EoIP + IPsec. If 3 use L2TP + IPsec. Hi Anumrak, Layer 2 mean bridged network and Layer 3 for routed network.. why you prefer to use pppoe over L2TP ( if mean carrying pppoe_client customer to pppoe_server over l2tp )connection on La...

Anumrak

Maybe you should assign this address in ppp secret user profile as remote address? Hi Anumrak, Thank you for your reply, it was late last night when I wrote this post so I left out the stuff that I did try to solve this. I added the static IP to the ppp secret as remote address and in gives the sta...

Anumrak

Post here routes on router, nat and firewall rules.

Anumrak

Have one project, but it can't use multiple wan address. I've a trouble with it, because I use PCC and two ISPs. At somethimes this project define second rout and reserve second ISPs' WAN address. Can somebody tell how I can block second ISP route on my client in bride interface? Thanks. Simple. Ju...

Anumrak

If you want connect to ssh server in LAN you need to add nat dst rule for 22 port. If you want to connect to router, you need accepting rule for 22 port in input chain. But be careful, I recommend you to use source address list.

I meant that packets counter increase - rule works.

Anumrak

I have one Mikrotik Routerboard with 6.41.3 firmware. VLAN for multiple areas are configured in Cisco 3560 Gigabit switches and TRUNK is connected with CCR. PPPoE Server with proper settings is configured for each vlan. RB resources are OK, no heating , CPU usage 3 to 4 % max , PING from users PC (...

Anumrak

I was always wondering why the default value is 1480. Isn't best practise 1492? Yeah! Exactly my point! How would there be fragments when the PPPoE Client packs everything into a 1492 large paket? Exactly. Where the additional 12 bytes (1492 - 1480) come from? Please MK guys, enlight us! :) Headers...

Anumrak

I meant EoIP + IPsec secret. Default is sha1/aes128cbc.

Anumrak

WTF TS??

Anumrak

1) Why you using 22 port? Ypu allowed only 80;
2) Does counters of your NAT rule ticking?

Anumrak

Maybe you should assign this address in ppp secret user profile as remote address?

Anumrak

Well, I believe there is some transit node, maybe switch, that drops all frames with mtu higher than 1506 bytes. In bad case, you have 1518(1492+8(pppoe)+18(ethernet + vlan). With 1492 MTU in PPPoE interface (for web surfing, f.e.) PC generating TCP MSS segments with web site with 1452 bytes. Means ...

Anumrak

EoIP over IPsec. If optical links between cities would be yours, then VPLS.

Anumrak

so I take it 1492 is good for general PPPoE on it's own? why would fragmentation cause issue for some CPE to drop PPPoE session?

So, maybe it's not fragmentation? Maybe it's enabled compression it pppoe profile? It is drop PPPoE connection with tense traffic.

Anumrak

What network exactly you want to connect? Layer 2 or 3? If 2, use EoIP + IPsec. If 3 use L2TP + IPsec.

Anumrak

Anyway it's firewall job. Search for rules in PC or in router.

Anumrak

1480 bytes in PPPoE tunnel came from extra overheads in frames, if want to use pppoe over vpls or over eoip or all these over l2tp/ipsec

Anumrak

Create new address family and vrf with new router distinguisher and route target for export and import through mp-bgp, attache interfaces to this vrf and redistribute these neworks into iBGP

At all the route though all bgp neighbores your new RD must be in routing filters as accepted.

Anumrak

The counters ticking on this rule? If yes, check firewall filters rules with source addresses, static arp records and mangle rules. Put config here. Or maybe you'll find a mistake by yourself

Anumrak

Why your ttl is changing? If network would be at 1 hop, ttl would be 64 and won't be routable. Make traceroute to gateway, check every interface on every hop, check crc errors on interfaces. If you have fiber cables, check Tx/Rx optical attenuation, if it's lower or higher interface threshold, chang...

Anumrak

Or you may use DHCP server in ROS in option "Add arp for dhcp lease" and set terminating interface with ARP reply-only. You'll got static dhcp leases and unknown mac addresses won't connect to you gateway.

Anumrak

I think you can't, because it working not on config level, but on ROS level. So you can use IP updating from other dns hoster based on script.

Anumrak

Hi Anumrak, I don't quite follow... Du you suggest that i narrow down my firewall rules by selecting an interface? I have other routers conneted to all interfaces of this device, and will want LDP to work for all of them. I have the allow TCP 646 output firewall rule on top of my list, and the coun...

Anumrak

I think cause of this is using NAT Masq rule instead of src-nat. Masq rule need to flush all relative connections when link fails. And you have it 2k.

Anumrak

Try to select the output and input interfaces in rules.

Anumrak

Imagine that the useful data is you. And VPN is an underground tunnel. In a normal situation, you can not cross the road, because it will forbid you to traffic rules and an impassable number of different cars. But if you use an underground tunnel, you'll end up on the other side of the street and no...

Anumrak

Before.

Anumrak

Use HSRP/VRRP. It will create virtual mac-address of the virtual gateway over real net.

Anumrak

Uhhh.... Guys. Rule is correct. If you google the range of 100.100.100.101 you'll find network 100.64.0.0/10. Means 100.64.0.0 - 100.127.255.255. It is Carrier Grade NAT. User is behind NAT of his ISP. Means that global IP in Internet is not 100.100.100.101. It's defferent. So, he can't do port forw...

Anumrak

You should create static routes to both these networks via ipsec tunnel interfaces or create masq nat rule on one side. Print here your main routing table and firewall nat.

Anumrak

Ping with "don't fragment" bit.

Anumrak

In theory, there must be NAT rule on border and correct firewall rules on second router-server. With default rules on second router(establish, related connections), there must be no problems, because initiator of first packets is client.

Anumrak

I have no need for schemes like yours, so there are no scripts themselves. Try searching for the answer here: viewforum.php?f=9

Anumrak

Make a masquerade rule with defined out-interface.

If it won'thelp, post here your config from terminal.

Anumrak

What MTU do you have on tunnel interfaces?

Anumrak

Dear Shavnary Better & Long Lasting solution is to provide Real Ip / Public IP to those users whom are getting issue.. Use "Proxy-Arp" on your WAN Interface.. then release static Real IP to your these users. Smile Kashif Khan ARP table will be filled with entries for subscribers as lo...

Anumrak

Firewall forward drop rule with source and destination. But you better google about these connections, maybe it needs these cameras.

Anumrak

Dear Shavnary Better & Long Lasting solution is to provide Real Ip / Public IP to those users whom are getting issue.. Use "Proxy-Arp" on your WAN Interface.. then release static Real IP to your these users. Smile Kashif Khan ARP table will be filled with entries for subscribers as lo...

Anumrak

Try to use ldp signaling, not bgp.

Anumrak

Just set pppoe server up, assign local address as public IP on your side, remote ip is ip you want to give to user. Other BRAS stuff is more complex, you should google it.

Anumrak

This is the problem I could use some help on. Both routes below are provided by dhcp servers. Route zero (0) is the only route to the ( 10.0.0.0/24 ) network. Route one (1) is the only path to non ten (10) net addresses. How do I setup the routes so all ten (10) net addresses %99.99999 with the exc...

Anumrak

Better solution is to sell static IP's forwarded to requested users by phone call from them or from your web site script. Biggest providers living just like that.

Anumrak

Your PPPoE MTU is 1500
Then you maximum ICMP payload is 1472(1500-20(IP header)-8(ICMP Header).
By default PPPoE 1480 bytes and maximum ICMP payload is 1452 bytes.

Anumrak

Issue of your clients in NAT technology. All these applications need opened ports right in themselves. They don't care on your provider's NAT. They think they have global IP in order outside servers can interact with them. You have to do static NAT 1:1 to these users, or give them public routable IP.

Anumrak

You need the correct NAT rule. Please post a simple scheme to be more clear.

Anumrak

vpls is established, i can ping with 1500, and there is one vlan interface on this vpls tunnel, i have increased advertise mtu to 1526, and also MTU to 1526 to see if it allows bigger packets, but it would fragment. and i have put IP address on both ends to test. Can you ping with 1500 payload with...

Anumrak

Any soho router.

Anumrak

You can set up different ports on WAN side being forwarded to different internal IP addresses (regardless of port) in the following manner: /ip firewall nat add action=dst-nat chain=dstnat comment="inbound port 80 goes to LAN host 1 port 80" dst-port=80 \ in-interface="your WAN inter...

Anumrak

Just make static routing to exact destinations?

Anumrak

Thank you for the response, but how can i test 1508 on VPLS, i tried pinging from a Mikrotik connected to one end of VPLS circuit to an ip on other end, but it cannot ping. Does vpls tunnel is tagged with some vlan? Or it's just bridged with interface bridge with IP address? Does vpls tunnel is est...

Anumrak

Post here your firewall config. You should block them just on layer 3.

Anumrak

Additionally i'm a bit confused about the MPLS MTU size needing to be changed at all? We currently have 1500 byte VPLS interfaces working just fine with the MPLS MTU size set to the default of 1508 (L2MTU at 1600) MPLS MTU have to include vpls header(one more mpls header), that's why mpls mtu bigge...

Anumrak

As you can see, 0.0.0.0/0 go through L2TP, because of a distance. 0 is better than 1. You need put in pptp client "add default gateway" or make static routing to resourses in net which you want to be reachable via pptp client. That's it.

Anumrak

Of course. Through destination nat.

Anumrak

I'm of the understanding that MPLS needs 2 labels if not directly connected? so 8 byte overhead for MPLS not 4 is that correct? And in that case, does VPLS replace one of the labels (8 byte overhead), or add to it (12 bytes)? The reason I need to know exact MTU is we have multiple vendors for radio...

Search found 1174 matches