MikroTik

mdd

Hi Sindy, From my tests that what i was thinking about these policies - they are like "traffic selectors or markers" Also if i use /32 mask on both ends it will be pretty tight p2p between hosts as i guess (no outside access to other IP address). As for the last part of question as far i u...

mdd

Hi just wondering as i see it works, but need to be clear on this: I have P2P Ipsec connection and added with 3 x policy from one subnet to different subsets (in pic) and PH2 is all establish with the same p2p ipsec tunnel and it works. I did not found any information if i can use like that. Tried t...

mdd

Ok thank you all for the good discussion. TA least now i have good understanding about this problem and solutions about this kind "twice nat".

mdd

twice_nat.PNG

Not go too as i have server in a same subnet as a client has in the same subnet ;( Any suggestion welcome again.
I cannot do anything on other side router "BiurasB".

192.168.111.x is server network

is on BiuraA with the same subnet 192.168.1.0/24

mdd

Thank you dadaniel. I will try your setup on lab if this what i was looking for.
For all yes i know about IP subnet planing, but sometimes you have clients with less knowledge about anything like it. More - they do not want do any change on there network for reason.

mdd

Hi all, I am trying NAT rules on MK to mimic this Solution #2 – Policy Twice NAT on One side on this article https://www.practicalnetworking.net/stand-alone/vpn-overlapping-networks/ but cant get it working ;( So asking for you all maybe someone has this kind of knowledge how to implement this ? So ...

mdd

Thanks Sob for correcting. How the rules be written ?

mdd

Not sure if i done right, but seems it works. Here if someone needs help about this too. I have added these rules before main outgoing masquerade rule. /ip firewall nat add action=accept chain=srcnat comment="Client" dst-address=10.168.10.0/24 src-address=10.14.0.0/16 to-addresses=10.168.1...

mdd

Hi all have one question need some advise, as i have very unhelpful client (strong security requirements and no support staff) with ipsec overlapping local sub nets. I have read lots of info and tried few setups, some king of them works half way but not fully (netmap). Does client needs to do any ch...

mdd

Thank you Sindy help me to get some advance knowleague.

mdd

Tried to adapt to see what i will be removing with this command line: So use /ip firewall connection print detail where srcnat and protocol=ipsec-esp . But as it is working now, chances are high that this command will also show nothing because the NATed connection has expired in the meantime due to...

mdd

Where exactly to add this as i am bit now confused. If one of the IPSEC tunnel works, and other dont - how this will affect working one? At worst it would cause a loss of several packets of the working one, until the Mikrotik would send a packet towards the client. Thats not problem :) Tried to /ip...

mdd

Ok. Some how got working both tunnels now. I have added protocol=!ipsec-esp to my main GW .163
/ip firewall nat
add action=masquerade chain=srcnat comment=GW out-interface=ether1 \
src-address=!10.240.240.250 protocol=!ipsec-esp

For the moment seems working. Not 100% sure why ...

mdd

This /ip firewall connection print ... shows that the IPsec stack has bound the connection properly to .163 but the firewall has src-nated it to .162. So do prevent the masquerade rule from acting on ESP by adding a protocol=!ipsec-esp match condition to it as I've suggested in my previous post (it...

mdd

Hi Sindy,

Still not luck.. one of IPSEC tunnel works at the moment, but other one still not Working one use the right gw ip .163.
Other non working /ip firewall print still show ip with .162 for some reason. Same thing i can see in captured packets.

cap_not_right_ip.PNG

mdd

cap_ipsec.PNG One more strange behave ether1 GW has few public IP on it. 162. 163 . 16X. For multiple IPSEC tunnel ends i am trying to use just one .163. For some reason one of IPSEC client .177 using .163 MY GW has established connection and tunnel traffic goes now on both sides // not sure why it...

mdd

I am confused. The packet dissection (bottommost picture) shows a packet from the client to your Mikrotik (src-mac-address Cisco, dst-mac-address Mikrotik). That would mean that the ESP traffic is only coming from the client to your Mikrotik as no ESP sent from your address. In such case, it would ...

mdd

I have tried to capture, but none packets captured even from IP romete or local IP, or fithout filter :( What this could be. Tried to to flush, to disable and enable IPSEC peers but no packets were captured. Connections still showing establised. ???? What was the exact command line you used for sni...

mdd

If the pinging causes the corresponding raw rules to count, it means the traffic does reach your Mikrotik. Ping echo packets are send from my Router, but never gets back. Just to clear. If the the corresponding installed-sa (from your public address to client's one) also counts as you ping, the IPse...

mdd

When we do ping on tunnel's end point we are getting only counters increased from our side to remote side on RAW rules. I have added some of configuration here ips/subnets randomly created here for public view. /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroT...

mdd

Hi Sindy, From that behave and all forums i have read about king of this isues maybe NAT rules affecting the traffic (just presuming). But i have made RAW rules that NAT not be involved in translation. But counters of these rules never grow when no traffic go in/out. Tunnel allways eshablished. /ip ...

mdd

Have two ipsec tunels setups with clients: (clients side can not check, but they say that all other existing tunnels works fine for them only with mine are problems) Can find what is the issue on my side :( On my side > /ip ipsec statistics print in-errors: 0 in-buffer-errors: 0 in-header-errors: 0 ...

mdd

Unfortunately the issue still exis :( Traffics goes one way (seems to me by counters on rules incress) RAW.PNG when pingin remote. Again were working for few days after disabled/enable peers tunnel is up but no traffic passing. Pinging from 10.254.0.0/24. Any suggestion how to trace this traffic by ...

mdd

ok guys found what the issue was - hw could not coupe with high encryption levels. Now when we change encryption to lover settings it works.

mdd

2Sindy - yes they are both on pub IPs. Input chaings are added to accept ESP. 2memelchenkov - select "none" in profiles PFS. I will wait until other side will change this too to see if this helps. No i am using 6.45.9 version, but other side use newer version - this what worries me more as...

mdd

Any advise at least how to troubleshoot or look for the issues ?

mdd

Hi All, Have strange issue with IPSEC P2P setup. All works for a while and after random time tunnel traffic just not forwarding any more. The ipsec says connection established but no traffic getting in/out. And if i try disable peers and policy and after re-enable them - traffic starts forwarding, b...

mdd

Yep thats WIN10 issues with Metro GUI. Sorted out now. Thanks all.

mdd

Ok good people. One thing i have found out already is that WIN10 issues. For some reason service was disabled "IKE and AuthIP IPsec Keying Modules" and when i enabled and started VPN trys connecting now and hits the Router... As always but... event if i change on adapter configuration and ...

mdd

Hello all good people. Just this day realized that i cannot connect to my office using setup, which was working fine before. I have Mikrotik Router setup with IKEv2 vpn. All my clients use win10 build-in client with cert login without password. And now when i trying connect - get this message "...

mdd

Its seems this did helped. Thank you! All the best!

mdd

Hi i was thinkign about similar setuo but with different configuration anntenas:

1 x Ubiquiti Air Max 13dBi 5GHz DualOmni Antenna (AMO-5G13) connect to two RSPMA
1 x Normal Antenna Omnit connect to last ont RSPMA but pointig down.

Interesting what whould be ?

mdd

Hello all, Not sure what this is but i need some help. I have 1 mANTBox 2 12s setup in AP mode and 2 basebox 2 as repeaters setup in 300 m. AP1-------RP2--------RP1 What i am trying to do is to connect those 2 repeaters to AP. Few time i have successfully connected but most of the time 1 reapeter co...

mdd

Hi guys we have similar issues. But in our case we think it is condensation. So weather this year was mixing between cold and warm and this gave us few device dead because of this. Not sure if this a case of condensation, or leaky leds. We needs to be checked.

mdd

Hi all, We have CAMsMAN install for our wifi network. Few weeks ago we notice some strange behavior of our guest SSID. The previously used mobile phones connects to guest wifi without any issue, but the phones never used on the network cannot get to internet. I have checked IP on the phone it looks ...

mdd

Hello i have general question about why i see in CAPSMAN-> RemoteCAP |Address| bar two types of it: MAC address and IP address.
Remote CAPs working fine, but i still want to know if there arent an issue and not suppose to be like that? Could someone explain for me ?

mdd

Hi i just have one small suggestion about logs in mikrotik window. It would be nice to have filter feature on log in real time on winbox (similar watchguard fw windows tools). It would save a lot of time to digging ports access or specific ips acces on logs when you need most. At the moment you can ...

mdd

Thank you all. After disabled SIP Helper all works now fine.

mdd

Hi,

It will hold those 10 users. Just make sure it has good bandwidth. later you just keep an i eye on resource.

mdd

It happens just for some calls not for all (70 cisco phones). Just randomly from different network places where the phones are. I have added on switches qos for voice vlan prority 7. But the issue still exists. Trying to sniff out as phone service provider suggested to turn of ALG too. Bandwidth i h...

mdd

Hi flyno,

After i disabled it lost all device registration. What next step could be ?

mdd

Hello, Network: Voip provided by external provider and all hard phones are provisioned from service providers server. Mikrotik egde routers CCRXX. VLAN for voip are created. On all swithes (HP 23xx). The voip issue we have are: when calls comes in to hard phone and the person picks up the phone - yo...

mdd

Ok this would not fit my purpose (2in1). But as i got some information it will be good for rural area to get connected to 4g/lte. Thanks again gotprings for nice conversation. Now i have all answers.

mdd

What about this SXT LTE kit ? Could this be used too for the same purpose ?

mdd

Thanks for update gotsprings!!!

I was looking something modem/router 4g/lte based on mikrotik (2in1) for remote client to get connected to internet without dedicated 4g/lte modem + extra tik router.
So i am guessing i will need to try same setup like you have and see how it goes. Hope it will work.

mdd

Can we use RBwAPR-2nD&R11e-LTE as modem/router for 4G/LTE connection ?

mdd

Hi Petri, RB are attched next to annthena (dual eggs) on pole (30cm cables). From RB lan cable goes to coms cabinet the lenght is just 20m. All coms cabinets are connected to distribution switch with fibre cables. So cables not giving any issues. I was trying to play with TX power and channels selec...

mdd

Hi all this is my first post to this forums. So i am sorry if i will be incorrect on some things or words. The situation i am having is that i have poor wireless performance (sometimes loosing to much packets) in in ship yard between container storage areas: AP (912UAG-2HPnD) with antennas are locat...

Search found 48 matches