MikroTik

mankomal

your last post said invert src and dst so reconfirming if I understood correctly It only said so because you've apparently already tried with the correct src and dst and it failed, and you haven't given any details regarding which of the subnets is at which end until the previous post, so I wasn't ...

mankomal

If so, that would be wrong. DST at Mikrotik must be the AWS subnet and SRC at Mikrotik must be the remote subnet.

Yea I thought so but your last post said invert src and dst so reconfirming if I understood correctly

Ok I will try with proper src and dst and post config and logs

mankomal

in template src-address and dst-address should not be changed? Not in the template, but maybe in the static policy after all - I have missed that in the original log, the highlighted part was a response from AWS to our suggestion for 0.0.0.0/0<->0.0.0.0/0, so the meaning of the TS_I and TS_R fields...

mankomal

Strange, so try the following: /ip ipsec policy disable [find peer=AWS] /ip ipsec policy group add name=AWS /ip ipsec policy add template=yes group=AWS proposal=AWS-proposal /ip ipsec identity set [find peer=AWS] policy-template-group=AWS generate-policy=port-strict and see what happens. Because in...

mankomal

The answer is in this part: Feb/14/2022 09:09:46 ipsec processing payload: TS_I Feb/14/2022 09:09:46 ipsec 172.31.0.0/16 Feb/14/2022 09:09:46 ipsec processing payload: TS_R Feb/14/2022 09:09:46 ipsec 10.10.10.0/24 Feb/14/2022 09:09:46 ipsec my vs peer's selectors: Feb/14/2022 09:09:46 ipsec 0.0.0.0...

mankomal

Feb/14/2022 09:09:44 ipsec,debug ===== received 348 bytes from 43.254.32.5[500] to 103.54.222.93[500] Feb/14/2022 09:09:44 ipsec no IKEv1 peer config for 43.254.32.5 Feb/14/2022 09:09:46 ipsec ike2 starting for: 34.204.157.120 Feb/14/2022 09:09:46 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED ...

mankomal

My Bad so that is a parallel setup I have created To me, "parallel" to me may still mean either, i.e. another AWS peer on the same Mikrotik or another Mikrotik. Just over the top can different regions have different VPN endpoints (make) and that could cause the problem? The working setup ...

mankomal

A lot of infomation is missing - that "one more config" is at the same Mikrotik device like the working one? And is it a tunnel to another AWS instance, to some completely other IPsec peer, or a modification of the existing one? My Bad so that is a parallel setup I have created Just over ...

mankomal

Hello, I am trying to setup route reflector in new RouterOS v7 and not able to configure the same In the documentation I read `Affects the outgoing NEXT_HOP attribute selection. Note that next-hops set in filters always takes precedence. Also note that next-hop is not changed on route reflection, ex...

mankomal

Congratulations. I read something about IKEv2 compatibility issue with MikroTik and AWS Any chance you could dig the link? Uncle Google doesn't show anything related to me... Hey Sindy, Sorry for the late reply I have been working on you r suggestions and this is the result 1. I got one of the IPSE...

mankomal

WOOT WOOT! GOT IT!
AWS side VPG needed to be attached to VPC
and Route propagation was needed to be added.
Thanks a lot Sindy and Sob for providing all the inputs.

Will be posting a write up anyone else also doing this don't face this issue with the new version.

mankomal

This does not work But this works: If so, their instruction does not match their actual requirements. Or maybe you should indeed use exchange-mode=ike2 as the instruction refers to that, so the handling of Phase 2 may differ at their side depending on what IKE type is used. I made new tunnel with I...

mankomal

Also, your sceenshot shows that only one policy has succeeded, the other one states "no phase 2" which means it has failed to establish. So That failed policy actually allows the ping to go thru (beats my thought process also) Also, if the "established" policy is not on then the...

mankomal

mankomal

Out of all your policies, you need to enable all the ones in green, and disable all the ones in red. The order is correct (here, it only matters that the last one was last). /ip ipsec policy add action=none disabled=yes dst-address=172.16.96.0/19 src-address=0.0.0.0/0 add action=none disabled=yes d...

mankomal

You missed a bit:

d. Exchange Mode: IKE2
So:
Code: Select all
/ip ipsec peer
add ... exchange-mode=ike2

Using IKEv1, IKEv2 is not working out don't know why will be testing once this setup works

mankomal

/ip ipsec profile add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h name=aws-profile nat-traversal=no /ip ipsec peer add address=3.226.95.68/32 local-address=164.52.192.253 name=AWS profile=aws-profile /ip ipsec proposal add enc-algorithms=aes-128-cbc l...

mankomal

OK, it starts making sense. The vernacular in the IPsec log when IKE (v1) is used is confusing, as it names the local and remote prefix of the Phase 2 traffic selector IDci and IDcr. The AWS IPsec implementation uses the "Virtual Tunnel Interface" approach, so each IPsec Phase 2 SA is rep...

mankomal

OK, it starts making sense. The vernacular in the IPsec log when IKE (v1) is used is confusing, as it names the local and remote prefix of the Phase 2 traffic selector IDci and IDcr. The AWS IPsec implementation uses the "Virtual Tunnel Interface" approach, so each IPsec Phase 2 SA is rep...

mankomal

OK, it starts making sense. The vernacular in the IPsec log when IKE (v1) is used is confusing, as it names the local and remote prefix of the Phase 2 traffic selector IDci and IDcr. The AWS IPsec implementation uses the "Virtual Tunnel Interface" approach, so each IPsec Phase 2 SA is rep...

mankomal

Well after lot of hit and trials I was finally able to get the VPN to UP status. Seems that there is a chronology of steps to follow and then only it seems to work. i.e. you need to make IPSEC policies before you make the IPSEC peer/Identities. Reboot doesnt seems to help in this case. Now the probl...

mankomal

It looks like different config. I see ESP in old log, but AH in new one. Old has ID type IPv4_address, new one has IPv4_subnet. What is the exact info you got from them, i.e. pameters for tunnel that you're supposed to use? configuration given by AWS ================================================...

mankomal

It looks like different config. I see ESP in old log, but AH in new one. Old has ID type IPv4_address, new one has IPv4_subnet. What is the exact info you got from them, i.e. pameters for tunnel that you're supposed to use? sorry, I think I had been trying different configurations, below is the con...

mankomal

I was able to set up an AWS site to site VPN and get both required ipsec tunnels working following this procedure https://medium.com/@autogun/aws-site-to-site-vpn-with-mikrotik-routeros-5977ca5e50ae A few tips: It only works on very recent firmware (6.48.1 for me). Make sure in your BGP instances t...

mankomal

Log from starting: Jan/08/2022 06:07:04 ipsec,debug === Jan/08/2022 06:07:04 ipsec,info initiate new phase 1 (Identity Protection): 164.52.192.253[500]<=>34.198.222.127[500] Jan/08/2022 06:07:04 ipsec,debug new cookie: Jan/08/2022 06:07:04 ipsec,debug 0a4f2796630f5f1d Jan/08/2022 06:07:04 ipsec,debu...

mankomal

Right, but it seems that IPSec thinks there is some NAT in the way.

rebooted the router

mankomal

One more thing, you have nat-traversal=no, but log says:
Code: Select all
09:05:56 ipsec NAT detected -> UDP encapsulation (ENC_MODE 1->3).

nat-traversal is no

mankomal

I don't know, but maybe it's something with my-id in identity? 09:05:57 ipsec,debug 34.198.222.127 notify: INVALID-ID-INFORMATION 09:05:57 ipsec 34.198.222.127 fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted. 09:05:57 ipsec,debug 34.198.222.127 notification message 18:INVALID...

mankomal

Hello, I have been trying for 2 days now and been unsuccessful in getting AWS VPN done, can someone share their experience or share what could be the issue. I am posting the configuration I am using and the debug logs /ip ipsec profile add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 en...

mankomal

Is it me or extra-package has no container.npk in 7.1rc6

mankomal

You have to use HTTPS, see documentation for more info:
https://help.mikrotik.com/docs/display/ROS/REST+API

I have a tutorial on this on YouTube

mankomal

any help on this ???

mankomal

hello,

I want to understand what could be possible issues with assignment of IP address on the interface here PPPoE Server is running

cheers

mankomal

Hey, tried to run pi-hole on CHR getting this (445): Fatal Error Unable to allocate shared memory segment of 134217728 bytes: shmget: Function not implemented (38) I saw the same error the first time I tried to start the container. I checked the amount of memory I gave the CHR (128MB). I changed th...

mankomal

Hey, tried to run pi-hole on CHR getting this (445): Fatal Error Unable to allocate shared memory segment of 134217728 bytes: shmget: Function not implemented (38) [api@RouterOS] > container envs/pri 0 list="pihole" name="TZ" value="Asia/Kolkata" 1 list="pihole&qu...

mankomal

Hey, tried to run pi-hole on CHR getting this (445): Fatal Error Unable to allocate shared memory segment of 134217728 bytes: shmget: Function not implemented (38) [api@RouterOS] > container envs/pri 0 list="pihole" name="TZ" value="Asia/Kolkata" 1 list="pihole&quo...

mankomal

While importing the new 7.1rc4 image on AWS its returning error: "Status": "deleted", "StatusMessage": "ClientError: Unknown OS / Missing OS files.", "Tags": [] I am following the https://wiki.mikrotik.com/wiki/Manual:CHR_AWS_installation guide avail...

mankomal

I am getting this error in 4.20 msingh@MKS-Air ~ % wine64 Downloads/winbox64.exe wine: created the configuration directory '/Users/msingh/.wine' 0009:fixme:esync:do_esync eventfd not supported on this platform. 000b:fixme:esync:do_esync eventfd not supported on this platform. 0009:err:environ:run_wi...

mankomal

Was wondering if you were able to get this done as I am also struck in the same thing.

mankomal

broadcast?

not exactly so what happens is that all clients start to transmit on dst-port 23(telnet) and just freeze the network for 2~5 seconds
although we have firewall rule that they cannot do this but still they generate traffic

mankomal

Hey everyone I have got a peculiar problem where the users on routers like Tp-Link, D-link etc are randomly uploading and causing CCR1036 CPU usage to go upto 100% causing packet loss we have filtered lot of garbage: 1. any unknown traffic generated from the network 2. any spoof traffic coming into ...

mankomal

When I tried via the API it didn't ask for a confirmation. The router reset it's config and rebooted immediately. <<< /system/reset-configuration <<< =no-defaults=yes <<< =skip-backup=yes <<< >>> !done in my case its not doing anything could it be that i am executing a script ?

mankomal

hello, Our clinet usually from not-IT background need help in resetting the router but the issue is that they are not able to put IP address or gateway once they reset as they dont know how to use winbox, webfig etc, so I thought we will give them a URL to reset the router and in that we will implan...

mankomal

@Jarda Its totally possible. You look in the frame of the wireless packet and you will see MAC addresses. Devices are constantly looking for known SSIDs to connect to and send out Probe requests to determine if those SSIDS are nearby. You can capture those and get the required information. You can ...

mankomal

Hello I am running hotspot where I want the same user to have multiple-session but the problem is whenever user tries to create a second session I get an error "no more session allowed for the user" 2 MACs per user enabled in hotspot and Simultaneous-Use:=2 in Radius still this error is co...

mankomal

Hi, I have CCR MT 6.35rc33 users have ip and rate limit from radius I need to change rate limit speed I try: # echo "Framed-IP-Address=192.168.101.5,Mikrotik-Rate-Limit=128k/750k" | radclient -x 10.5.5.xxx:3799 coa xoxoxox Sending CoA-Request of id 177 to 10.5.5.xxx port 3799 Framed-IP-Ad...

mankomal

That's it, that could be a way.

thanks for your help pukkita
But the problem is I dont have a known distinguisher for the users

mankomal

No. On ROS you can define more than one radius, but 2nd, 3d only will get used if previous one doesn't respond. You can however setup proxying on your radius and "route" from there. in that case username or realm or something have to be known. right? So like @abc.com go to one server and ...

mankomal

Hello

Is it possible to create two or more Virtual APs and point each of their respective security profiles(using EAP) to two separate RADIUS??

mankomal

I am trying to do this but have been unable to...

Can you share a conf of this working?

ok, I dont have a running configuration anywhere but I can guide you, follow the process:
1. Set up BCP, to bridge the tunnel,
2. Run hotspot on this bridge interface

Let me know if you run into any problem

mankomal

Why not use pppoe server ppp > profile > Queue tab for that?

but when doing from FreeRadius, how is that possible?

mankomal

This is relevant to my interest. Seems jst like introducing a new radius attribute into the MikroTik dictionary and sending that back in an access-accept's would work. new Radius attribute should be understandable to Mikrotik also, not only to FR, right? so how to achieve the same if MT will not un...

mankomal

Did you find a solution I am also looking for something similar

mankomal

Sorry to rake up an old post This is possible tested and working Currently only tested on MT AP, but we are increasing AP and following APs will be tested in next 2 days: 1. BelAir Ericsson 2. Aruba 3. Cambium 4. UniFi UAPs in case you need some radio to test we can setup a test environment for your...

mankomal

Then it definitely looks like a bug. Make supout and send it to support.

Done doing it now

mankomal

add the vlan to your in interface - and bridge them. This is correct for this. From what I understand this is what we did in interface is SFP and out interface is ether4 VLAN on both and bridged them THIS causes whole traffic on the interfaces to STOP i.e. all layer-2 connectivity is lost (to other...

mankomal

Well put the two vlans under the same bridge, and ip/dhcp server on that bridge? I tried that but all the other VLANs on the interface stop working, No DHCP on the bridge No IP also as want to create a seamless Layer-2 for customer Customer end point 1 <--(VLAN10)--> Mikrotik CCR ether 4 Mikrotik C...

mankomal

Having little to no luck on BGP communities from Upstream so I started with Prepending the lesser preferred path now what happens is that this path still receives inbound traffic to my network for specified pools but no traffic of the pools is going thru it though. Its downloading around 100M and u...

mankomal

Hello I have a VLAN on ether4 and another VLAN on SFP, I need to bridge these 2 to make a Layer-2 network for the customer, problem is as soon as I bridge these two all other VLANs on these interfaces go down i.e. traffic stops to flow and these 2 VLANs still don't come on the same Layer-2 How can I...

mankomal

Hello
Over last 2-3 weeks I am seeing several random Cisco IP addresses attacking Mikrotik routers via port 1025,1028 and 1030 UDP packets all packets of 10030 length
Anyone else also facing this issue??
Does any one know what is this and how to stop this

mankomal

You should also find out whether your ISPs have their own looking glasses as well. (or public route servers you can access) Obviously this is the best way to see what your advertisements look like to your ISPs themselves, because looking at LGs further away from you is useful too, but many networks...

mankomal

Alright - one thing I noticed upon re-reading my post - the looking glass you're showing is obviously not in your ISPs network, so take my actual local_pref recommended values as only examples - not sure what Vodafone is using, but certainly they can give you their published BGP policy. Zerobyte T...

mankomal

In your posted output from the looking glass - the second path has local_pref of 90. Local pref is more important than as-path length, so the first path having local_pref 100 will win every single time. You need to ask the ISP what communities you may send to them to modify local_pref on their sid...

mankomal

so basically we discussed with registrar and found that it could be done with AS-SET route set which they created for our customer and now its working

Also in India the restriction of 2 ASNs is there we just have to give undertaking to them for paperwork not actually be linked to them,

mankomal

Hello Trying to do BGP multihoming facing a few challenges, We have 2 ISPs we have total of 3x /22 pools , we want to broadcast 2x /22 pools out of ISP1 and 1x/22 out of ISP2 In simple scenario i.e. we broadcast only the pools that need to broadcast everything works good but when we try to cross...

mankomal

There are lot of wiki pages available please go thru
wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
wiki.mikrotik.com/wiki/DoS_attack_protection
wiki.mikrotik.com/wiki/Basic_universal_firewall_script
wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router

mankomal

Any reason why you are marking route when there is only one single line on your router as per your configuration. Also the NAT rule states everything is going out via eoip tunnel ?

mankomal

Hello , One of our customers wants to advertise their own IPv4 and ASN we are the only upstream provider that they have, want to know how can we advertise their subnet and ASN, our upstream provider asked us to register our ASN as AS-SET in the whois database and the same is done, what do we need t...

mankomal

Well I found the problem it was related to a third party firewall in the network which was causing some issues and its now resolved. Apparently it was blocking all traffic to Port 89, as soon as I had put an exception everything started working normally

mankomal

Hello We are trying to set OSPF in our network for backbone, on the edge router we had enabled option REDISTRIBUTE DEFAULT as always(type 1) in all remote routers we can see this route coming in ospf routing route print , but when we do ip route print the route is not reflecting there. What could be...

mankomal

ok it works once the interface is bridged and VLAN is created on the bridge . Dnt know why it cant work directly but only on a bridged interface thou

mankomal

thanks for your reply zerobyte,

currently not doing NATting or Route to PCs just checking from router to router

mankomal

so the setup is :
PC <---> CCR1009(Vlan 3521) <--->ERLite (Vlan 3521) <---> PC
IP on CCR is 192.168.48.1/30
IP or ER Lite is 192.168.48.2/30
both routers are not able to ping each other.

there is no switch in between

mankomal

no that's the problem the basic of the basic even ping doesn't works, I tried configuring IP directly on the interfaces it works. But once put on VLAN they don't work

mankomal

yes tried that also
infact just made a setup in office with following setup with UBNT EdgeRouter- Lite
its not working here also
please see pics:
VLAN of main Router:

VLAN.PNG

IP Address of Main Router:

ipadd_main.PNG

Vlan and IP Address of ER-LITE:

vlan_er.PNG

mankomal

I am assigning IPs to VLAN interfaces
192.168.48.0/30

mankomal

So we are trying to configure a VLAN connection for one of the clients thru our distribution port the devce on client side is a cyberoam router/firewall, but VLAN doesnt seems to work can any one suggest some tips on this ? USING CCR1009-8G-1S-1S+ on service provider side VLAN.PNG on other end we ar...

mankomal

In a server with IP address 103.43.xx.x , I am assigning Public IPs to customers and also giving out Public dynamic IPs defined in IP pool all are in the subnet of 103.43.xx.0/24 The curious case is that the customers who are assigned IPs in RM-ACP are able to ping RM-server but all other customers ...

mankomal

Hello

I dont know if this is a bug or a normal practice but PPPoE users always get the same IP address from IP->pool no matter how many times they logoff and logon for the same calender date

In any case can this be undone i.e. user always get a fresh available IP from pool.

Cheers

mankomal

In webfig

There is End USER License, the Webfig logo, the MANUAL link, the System->Routerboard, system-> resources link good enough to identify the product is there any way to block these

mankomal

Syed
With hotspot we can even create custom page but custom PPPoE dialer if possible will be awesome.

mankomal

Hi
I am using Windows 7 and facing problem with Netsinstall for last 2 months now, I am getting following error :
bind bootp failed: An attempt was made to access a socket in a way
forbidden by its access permissions.
(10013)
(See pic)

Please help me resolve this

mankomal

Is there any way to advertise a webpage on PPPoE, such as everytime a customer logs in (a fresh PPP connection is established) a pop-up advertisement comes ?

mankomal

yea thats easy but everytime router restarts the Static rule(transparent proxy) goes above the hotspot dynamic rules so people are not able to see the login page After we drag the rule below the dynamic rules then everything works fine, It would be great if there is no human intervention required af...

mankomal

really want this .. can somebody not help
or is it not possible in MT

mankomal

Hello I have a HotSpot running for my clients and have transparent web-proxy running to log URLs, Problem is everytime I restart my router the NAT settings for transparent proxy become rule 0 in Firewall Nat and all dynamic hotspot rules come below it so user is not able to see the hotspot login pag...

mankomal

hello I have been trying to search for this and was not able to find any topic so far. Is it possible to log URL traffic hotspot username based instead of their IP addresses 14:07:16 web-proxy,account 192.168.200.102 GET http://bg2.v4.a.dl.ws.microsoft.com/dl/content/a/6/updt/2013/03/00443bbd-67d2-4...

mankomal

Hello everyone, Is there a way to set up some kind of a reminder so that I remind users their account will expire in 3 days, 2 days and finally 1 day? I use user manager and RB750 V. 5.20 Maybe redirect them to a page that will tell them: YOUR ACCOUNT WILL EXPIRE IN 3 DAYS. PLEASE RENEW TO STAY CON...

mankomal

Spike,

I am trying to replicate your problem at my end ... you can add me on skype my id is singh.mankomal
I got this working 3 days back only on one of my servers with similar problems

mankomal

No no spike15mk I wrote install on USB not from USB Sorry my mistake. Well I will wrote an email to support, and tomorrow I will remove one hdd and install MikroTik on desktop PC, then I will put it back in server(hopefully it will work). But I will not have raid this way...I am out of options Spik...

mankomal

hello, I was trying UM to make my clients authenticate thru it. But some how its not working MY network is like this: ADSL Router connected to RB433GL(r52H 5GHz link) RB433GL(r52H 5Ghz link) TRANSPARENT BRIDGE (2nd R52H distributing thru 2.4GHz link) my UM is on 1st router IP address 192.168.1.200 c...

mankomal

hello, I was trying UM to make my clients authenticate thru it. But some how its not working MY network is like this: ADSL Router connected to RB433GL(r52H 5GHz link) RB433GL(r52H 5Ghz link) TRANSPARENT BRIDGE (2nd R52H distributing thru 2.4GHz link) my UM is on 1st router IP address 192.168.1.200 c...

mankomal

so your devices are damaged by high voltage? use grounding and you will not have such problems No Normis our boards were not damaged by high voltage, we use 12v adapters on a line conditioner specifically for the reason that in case there is a high voltage the line conditioner trips and power is cu...

mankomal

Normis, Please dont close this thread for sometime as I need others o report on this problem also... http://forum.mikrotik.com/viewtopic.php?f=3&t=59203&p=302904&hilit=711#p302904 http://forum.mikrotik.com/viewtopic.php?t=56747 1. The Connector falling off is a real problem and needs to ...

mankomal

HI, can anyone help me with setting up of hotspot wherein the username and password comes via SMS. I guess you must have all been to airport and all and if you have to use the wireless service you just give money via credit card or any other online banking service and the username and password comes...

mankomal

normis,
there are many cards which are not even detected by RBs any specific reason ???

rgds/MS

mankomal

any one knows of any mini-pci cards or are there only express cards
if some one has tried can they share their experience and results
also if someone could please let me know any reseller from where I can buy these cards

rgds/MS

mankomal

Hi,

I used 8GB sandisk extreme II. I think 16 GB will be ok too.

I read from Normis that sandisk it's fully compatible, kingston have some problems.

regards,

can we put 16gb X 2 cards
any suggestion on what card to use ?

mankomal

can anyone tell me what is the maximum CF card we can put in 1000U and if anyone had tried it with some particular make of CF card please share...

regards
Mankomal Singh

mankomal

it would be awesome something like rb 2000 or 10000 with some asics do hardware routing and other hardware based features like allot cisco and others, coz its incredible the allot netenforcer (slackware) can do 1gbit of traffic shaping ( layer7 ) with a 300mhz cpu. it would be great if we could hav...

mankomal

approximately what thru put you get machine to machine at both ends as we have a similar requirement where in we have to transport 50mbps full-duplex to a Sub-ISP from the main Hub .

regards

Mankomal Singh

mankomal

Hi,

I just did a similar link in India, let me know the exact distance and all other relvant details I might be able to help you in this. Where are you located?

regards

Mankomal Singh
mankomal [at] gmail [dot] com

mankomal

you check the cards and ask your sales team to quote me the price i will buy 4-5 units

thanks

mankomal

dude i will be placing an order in next week let me know what will be the price of TESTED cf cards because this time you'll be sending me the cards. I have tested A-data Speedy also it is not working

thanks

mankomal

ok i just posted this on one more thread that the ether3 light starts to blink and the board doesnt boots when we insert the 8gb CF card ( transcend x133)...

anything we are doing wrong or do we have to do something in the hyperterminal at boot-up

thanks

mankomal

hi,
I just tried Transcend x133 speed Cf card 8gb on RB600 but, there seem to be some problem the board doesnot detects it... That is the Ether 3 light starts to blink and there is no booting action on the board... ANY SUGGESTIONS ANYOONE??

Thanks

Search found 106 matches