MikroTik

sindy

1) if a single IP address is sufficient for the device to do all what you want it to do, the davice acts as a bridge (switch). You may want to access it for management purposes using multiple IP addresses, but another own IP address must not be required to facilitate forwarding of packets/frames fro...

sindy

My question can be reformulted or restated as: How to I ensure that a CRS ROS configuration is such that the CRS is used as a cloud router SWITCH ? The answer to that question has already come from @mkx - if everything works as required while there is only a single IP address up on the CRS326, it o...

sindy

The distinction between bridging and routing indeed lays solely in what information is used to determine where to forward the frame/packet. DHCP is not routing, any kind of VPN handling is not routing; even traffic filtering is, strictly speaking, not routing (you may filter bridged traffic and you ...

sindy

A networking device can take various header fields of an Ethernet frame and of the packet it carries into account when making a decision where to forward that frame. If it only chooses the output interface based on the destination MAC address and, possibly, VLAN ID of the incoming frame, it handles ...

sindy

Making the assumption the OP has 5G in their area, or is likely to have in the future. There are still many areas where 5G isn't available and isn't likely to eventuate anytime soon, mainly in rural or small towns. For the telecom operators and network providers, it is way cheaper to upgrade the eq...

sindy

You have to move the action=none policy before (above) the template from which the actual policy is generated dynamically. The dynamically generated policies are placed right next to the templates they are created from, so if you place the action=none policy between the template and the dynamically ...

sindy

if they're exposed to high temp, sunlight, vapors (anything greasy and especially apolar solvents) ... but they were kept in relatively sane places. Regarding age, the affected one is from the initial series that still had the 256 MB RAM. As for the environment, it has always been in a living room,...

sindy

And the ax2 doesn't have the touchy-feely (polyurethane?) coating. (nor does the hAP ac lite-TC). Which is actually great, because in a few years, the moleskin layer turns out into the same sticky mess the thickier rubberish soft coats normally do. I liked the moleskin feel very much too until I've...

sindy

What I'm trying to achieve here is to not need to send all clients a new OVPN file everytime I have to change my VPS IP. To put @patrikg's suggestion into context: the purpose of using a certificate at server side is to allow the clients to verify that they are connecting (and revealing their crede...

sindy

My post intentionally refers to @Amm0's one in particular, just for the case that someone comes searching and gets mislead by it. But unless @Amm0 edits his, few people will probably notice mine.

sindy

Logically, RoMON is not a tagged packet, so bridge is dropping it. I've made some tests, and although it sounds perfectly logical, the behavior is actually totally different. Most ROMON frames have destination MAC address 01:80:C2:00:88:BF, which fits into the "link local" MAC address ran...

sindy

The protocol specification mandates that it would have to create a lot of SAs and associated traffic selectors based on the address lists, which wouldn't be manageable for the protocol. It would be much better to implement VTI like all major vendors did over time. But Mikrotik stays strictly complia...

sindy

Since the Mikrotik side has rejected the connection, the log on Mikrotik side should be more helpful. On Mikrotik, disable the peer or identity, and enable IPsec logging using /system logging add topics=ipsec,!packet Next, start writing ipsec log into a file: /log print follow-only file=ipsec-start ...

sindy

Is the central router a physical one or is it a virtual one running on some virtualisation platform? A common behavior of virtualisation platforms is that they block traffic to/from MAC addresses other than the one of the virtual NIC, so the virtual machine cannot act as a bridge. This is considered...

sindy

What I suspect and suggest is that the PMTUD (Path MTU Discovery) for the affected TCP traffic fails. You cannot discover this by trying with ICMP (ping). If tcpdump on ESXi doesn't show ICMP, run the sniffer on the Mikrotik as I have suggested initially. But if the tcpdump on ESXi shows 1500-byte o...

sindy

Sorry, the trigger of my reaction was that use of such term leads to misunderstanding of the actual topology. I would be more than happy if someone created a better set of terms to describe the virtual objects in the software than those somehow bulky ones I came up with, but putting an equation betw...

sindy

There is no effing CPU port of a software bridge. There indeed is a CPU port of a hardware switch, but it is not the same thing.

There is the router-facing port of the bridge, which is a virtual object within a software running on the CPU. The router software is not the same thing as the CPU.

sindy

Yup sounds familiar and as CGX pointed out we only need to use one LO address/interface to accomplish same.......... no need for bridge!! /ip address add address=10.20.30.40 interface=lo network=10.20.30.40 Does this even belong here? The src-nat rule in input is the key part of @lurker888's soluti...

sindy

only correctly authenticated connections show up at all - ever - as endpoint addresses. Failed handshake attempts never do. (Even if no multiwan/nat is present.) In Wireguard data, this is correct. In the connection tracking, it's different - any connection attempt to the Wireguard port that comes ...

sindy

Do you have any idea what else should I check or what else could be wrong? You can sniff at both end devices of the tunnel, and you should see packets to arrive to one of them that are larger than the IPIP tunnel MTU so the device cannot forward them, so it sends ICMP "fragmentation needed, MT...

sindy

Only authenticated users show up in the peers as "Current endpoint address". If I understand your solution correctly, thanks to the src-nat rule in input, the current enpoint address is always 172.16.10.2 (as per https://forum.mikrotik.com/viewtopic.php?p=1136875#p1136875) . So to find a ...

sindy

The only real solution working is from @lurker888 with srcnat. But in this case mikrotik does not see the real IP of connected client.

The Mikrotik does. The Wireguard stack running on that Mikrotik doesn't. Why is it important for you that the Wireguard stack knew the actual address of the peer?

sindy

Each SIM card is linked to a subscriber account, and each subscriber account has a "service plan" or whatever is the correct term in English, which determines a lot of parameters of your connection; in addition to limits of both bandwidth and total amount of data transported per some unit ...

sindy

That means that if you want to handle bridging between untagged ports, you have to assign a VLAN to them internally (possibly with only access ports attached). It is customary to reserve vlan 1 for this purpose. How is it "reserved"? Or, how is "bridging between access ports to VLAN ...

sindy

In another words (now it is my turn not to be sarcastic), your description is so vague that the only feedback you can get is consolation - yes, you are not alone, other people also have various sorts of issues with Wireguard, some of then even looking similar to your ones from the outside. If you ne...

sindy

For me, it doesn't make sense, that Phase 1 and 2 can be established, but anyway... For Phase 1, it is enough if one of the peers accepts incoming connections and the other one has a stateful firewall that automatically accepts responses to outgoing requests sent by the router itself or by devices ...

sindy

As both peers are on public addresses and therefore bare ESP is used for Phase 2, you have to make sure that ESP packets coming from the internet are allowed in. The firewall has no way to do that automatically based on information in the IKE (or IKEv2) exhange. So add a rule protocol=ipsec-esp src-...

sindy

Sorry for blurring the picture for you, my response was mainly triggered by @erlinden as I am kind of tired of everyone treating VLAN 1 as black magic that has to be avoided by all means, hence that approach spreads as a meme (in the meaning of a "human software" virus, not the funny pictu...

sindy

You said you had no problem with CPU consumption on the router, so maybe you can try with the action=fasttrack-connection rule disabled. If it starts working that way, you'll know for sure that fasttracking is the cause of the issue. And assuming that the documentation is accurate regarding the L7 m...

sindy

Do you indeed need to "bridge" the networks or would "routing" be sufficient? On one hand, you mention "machine" network, which hints on use of some proprietary L2-only protocols so bridging might indeed be required, on the other hand, you mention a distinct subnet on e...

sindy

am I still missing something? You have to distinguish between packets and connections. A connection consists of multiple packets; the connection tracking module inspects each packet that passes through it and if it concludes that it belongs to an existing connection, it treats it according to the c...

sindy

The "fastrack" mangle rules are default rules created by the OS... These dynamically added mangle rules whose comment mentions fasttrack are indeed used only to approximate the amount of fasttracked traffic, but their mere presence is an indicator that somewhere in filter, there is an act...

sindy

3. the mangle rules you have posted indicate that fasttracking is enabled in filter; one of the key elements of fasttracking is that most packets that belong to fasttracked connections skip mangle rules completely. A TCP connection gets fasttracked as soon as the "three-way handshake" is c...

sindy

In a VLAN world your bridge shouldn't have an IP Address. Since there are /interface/bridge/port rows with the default value of pvid (1) and bridge-the-port also has pvid set to the default value 1, there is nothing wrong about having an IP address attached to bridge-the-router-interface directly. ...

sindy

It is indeed, does it make the description misleading in any way?

sindy

With 7.16+, an /interface/bridge/vlan row is dynamically created for a particular VLAN ID and bridge: whenever an interface is made a member port of that bridge and its pvid is set to that VLAN ID (in this case, the interface name is put to the untagged list on that row) whenever an /interface/vlan ...

sindy

when is chain=detect-ddos processed? First, there is a mistake on the manual page you refer to. In the Configuration Lines section, the rule that invocates the detect-ddos chain is missing, it is only mentioned in the Configuration Explained session: /ip/firewall/filter/add chain=forward connection...

sindy

I want to activate VPN (tunnel to a remote VPN server, not provide VPN endpoint on my router). I then want to configure that specific devices (IP address) and a dedicated WLAN connects via VPN, all other devices without VPN. How can i reach this? Thanks. Depending on the type of your VPN (IPsec vs....

sindy

all should start working the intended way.

(that is, if the actual intention was to make ether1 an access port to VLAN 999, despite having no IP configuration attached to VLAN 999).

sindy

Why is this not the answer to your needs? In my opinion, the only part missing is the possibility to specify the roles of the interfaces via variables, but that only makes sense if you want to use a single template to configure lots of devices, which would make perfect sense for simple cases (where ...

sindy

As soon as you make any interface (in your case, ether1 ) a member port of a bridge, you must not use that interface directly for any other purpose - you must not attach /interface/vlan or an IP address/DHCP client to it, you must not make it a member port of any other bridge, you must not make it a...

sindy

Probably ISP do not asign static IPv6 etc. etc. etc. Paste this on terminal and reboot, see if solve on long term. /ipv6 nd set [ find default=yes ] hop-limit=64 /ipv6 nd prefix default set preferred-lifetime=45m valid-lifetime=1h30m OP has clearly stated that "nothing changes", which (if...

sindy

Is this correct? Either yes or no, why? Does the answer to this lie with the question of whether vlan2 frames need to be processed by the CPU, which is accomplished by tagging bridge? But, because the AP is not acting as a router, the CPU is not necessary? Each VLAN only needs to pass through the b...

sindy

The policy installed by mode-config is src.address 0.0.0.0/0 and dst.address 0.0.0.0/0 OK. So whereas a "normal" responder waits for the initiator to use the data it got in the mode-config message to construct their own policy and propose it, this one apparently uses some inverse logic - ...

sindy

Despite all my efforts the result is still the same: I can see the traffic going out back nothing received from the tunnel. That does not answer what the policy looks like when the tunnel is "up". You don't know what the responder is actually doing, so if it assigns the initiator an addre...

sindy

I have admin-mac defined on all devices, and auto-mac=no. OK, but for some reason, it is the MAC of ether1 on the cAP whereas it is the address of some other interface, or unrelated to any interface, on the NetMetal. It is a "locally administered one" (because the least significant digit ...

sindy

how and/or why ether1 and bridge share the same mac address on the cAP whereas they have different MAC addresses on the NetMetal? That has nothing to do with discovery protocols but with how the bridge is implemented. Unless you specify a MAC address for a bridge manually, it inherits the MAC addre...

sindy

I'd like to understand why there are 2 instances displayed in IP NEIGHBORS on the hEX. Because the neigbor advertisement protocols (any combination of MNDP, LLDP, and CDP depending on the settings) are being sent from all interfaces that are members of the interface list configured in the discover-...

sindy

There were multiple topics in the past that discussed this and the outcome was that even Mikrotik admitted that for LtAP mini, the external antenna for GPS was mandatory, not optional. The current wording in https://mikrotik.com/product/ltap_mini carefully avoids mentioning the existence of the inte...

sindy

Ok, quick update: after changing the PFS group to "none"...

I guess you have updated a wrong topic?

sindy

Wireguard does not respond an incoming request from the same IP address to which that request has arrived because it is actually not a server in the narrow sense. So it treats any packet it sends as a standalone one rather than a part of some connection. So even though the initial hanshake packet fr...

sindy

Well... up... I would rather expect an upgrade of the problem description. What means "if Sophos is a gateway" - for what traffic it is a gateway? What means "if we connect both Sophos and Mikrotik on the network"? Which "connection" is down? After reading it several ti...

sindy

It could work without mode-config if the responder ("server") was a device that allows you to configure all the aspects of the IPsec connection. Since it is a blackbox, you have to adjust the configuration of the Mikrotik acting as initiator to its expectations. An IPsec "policy"...

sindy

Despite of many users claiming, that this problem has been resolved in the most recent versions, I am afraid I can't agree. At least for me it is not the case. In order to resolve this issue completely, RouterOS would have to modify the Wireguard behavior to fix 3rd party issues, causing headache t...

sindy

Remove the DHCP relay and try again. The essence of station-pseudobridge operation is an internal mapping table between IP addresses and MAC addresses on the wired side because it can only use a single MAC address towards the AP. Whatever the source address on the wired side of the bridge, when the ...

sindy

logs are filled with the same errors every 10 seconds ... ipsec,error failed to get proposal from first template Is this expected behaviour? ... should it be trying to establish phase2 (is it establishing phase2?) for peer2 every 10 seconds? The Mikrotik approach is based on an assumption that the ...

sindy

I have a similat situation Actually, the whole similarity is just "I also have some issue with IPsec". So please re-post the above in a new dedicated topic instead of piggybacking a loosely related one that is still unresolved. And once at it, post also the complete exports of the two IPs...

sindy

By design, bare IPsec does not permit two distinct policies with identical traffic selectors to be bound to two distinct peers. But the solution here should be to use just a single policy and bind it to both peers: peer=peer1,peer2 . With this setup, the router establishes Phase 1 to both remote pee...

sindy

What normally happens is that the initiator asks for Mode Config information (which is a name used in the IKE (v1) vernacular, so strictly speaking not correct for IKEv2, but let's ignore that), gets an address, and asks the responder to create a policy with only that single address on its side. So ...

sindy

If so, have you set generate-policy on the identity row to something else than no?

sindy

The advantage of ECMP as compared to PCC is simplicity of configuration; the advantage of PCC as compared to ECMP is the possibility to control the distribution more precisely. As for your updated requirements - you can think about the WG tunels as about yet another set of WANs. So one group of LAN ...

sindy

If so, go the other way round, enable (recreate) the mode-config and disable the manually configured policy.

sindy

When you wrote you wanted to pass all the LAN traffic to the CHR, it seemed that you didn't want to use the local WANs for anything else but for the Wireguard tunnels. Hence @anav suggested how you can create a WG tunnel via each WAN and use those WG tunnels instead of the actual WANs for all the LA...

sindy

Complete exports from both routers would have been much better because configuration issues are typically in those parts of the configuration you do not deem related, which is why you don't post them. In your case, you have set up a "cat-dog", in terms that you use a mode-config row on the...

sindy

Because it is the best thing to do from one perspective and the worst one from another. And there is no ideal solution for all cases due to the number of clueless network administrators out there. TCP is designed to automatically adjust the packet size to the lowest MTU on the path between the clien...

sindy

Have you considerd (or performed) a netinstall I have netinstalled a hAP ac² for other reasons and recreated the configuration from the text exports (i.e. no "invisible" data), nevertheless: the Intel 201ax gets thrown out from an AP no matter what (20 MHz channels, 40 MHz channels, 80 MH...

sindy

I was thinking about a script that will make the src-nat rules - the DHCP client will get an IP address... Well, there is a script item in the DHCP client configuration, so you can modify the rules, but you can also use the second routing table (with 7.18.x, you can specify the routing table to whi...

sindy

I just had to hope that my ISP will not change "its own 10.x…" addresses. Well, the possibility that this might happen is exactly the reason why I prefer the solution with two DHCP clients attached to the physical interface and to the macvlan one, although @panisk0's suggestion is fine if...

sindy

Sniffing on WAN would tell you more about what actually happens, but now as I look at your screenshots again, it seems to me that something is rotten in routing - in RouterOS, not in your configuration. While the default route with distance=5 is marked as active and the default route with distance=1...

sindy

There is no point in obfuscating private addresses (anything that begins with 10. is a private address).

Other than that - since the gateway IP is the same, try the change of srcnat rules I've suggested.

sindy

Hope everything redacted correctly :) If you enable the second DHCP client temporarily, do both the default routes added dynamically via DHCP have the same IP address as the gateway ? Anyway, as you haven't added a dedicated routing table, neither by creating a VRF (which needs a name of a routing ...

sindy

wan is on eth2, eth1 is unplugged Well, more importantly, both /interface/wireguard/peer rows say responder=yes so once the connection gets lost, the router itself should not keep updating the pinhole (the tracked connection). So when the Wireguard connection gets interrupted, what are the exact st...

sindy

If you have masquerade on WAN, there must be something else. Can you post the export of your configuration (anonymized as per the usual instructions, no public addresses, serial numbers, usernames for external services, ...)?

sindy

I hope I got your requirements properly. First, you can just functionally replicate your previous setup (Mikrotik and the other router) by engaging the VRF functionality of the Mikrotik and using a macvlan interface also on the LAN side. So like before, each device in the LAN subnet would get a dist...

sindy

At least in the case we had a chance to analyse in detail, the behavior that annoys you was not a bug of RouterOS or Wireguard but a direct consequence of how the connection tracking in the firewall handles UDP connections and how temporary connectivity outages interact with that. So there is nothin...

sindy

It's most likely the same issue that is discussed here . It seems that the backups do contain some data that are not actually necessary, but even exporting the configuration as text and certificates as .crt ; .key or as .pkcs12 files and reimporting all that to a netinstalled device does not make th...

sindy

the default settings you mentioned for the firewall are maintained in a post [1] within this forum @rextended is indeed doing a good job there. Does anyone happen to know any guides about using the algorithm of WireGuard with IPsec? Would it be recommended? Would it change its behaviour and require...

sindy

Please post complete configs of both devices the way they actually are, because "similar" is not good enough - in your "common" firewall export, there is just one of the LAN subnets in the allowed_to_router address list ( add address=192.168.1.1-192.168.1.254 list=allowed_to_rout...

sindy

That would have been my expectation. Not so much mine, at least not to that extent, given the effort made at Mikrotik side to make the 960 work back then. what I'd check is if fireware upgrade is supported on the Quectel you're using At least for now it is not. So RM520N:FN990 0:0 here. if you ask ...

sindy

a Telit FN990-A28 is waiting in the box to be tested once an adaptor arrives - it is based on the same Qualcomm chipset, just the AT commands differ. It does work, however, it was not such a smooth ride like with the Quectel. At first, RouterOS saw it as a USB device but ignored it as a modem. The ...

sindy

Why is this happening and what is the fix? As part of the "we will make your devices secure no matter whether you like it or not" campaign, certain features now have to be explicitly allowed using exactly the "device mode" setting you haven't touched. So read the manual, check w...

sindy

@Larsa, the scripts and search phrases you've suggested do not address the topic of updating the IPsec identity rows whenever the LE certificate gets renewed; the renewal of the LE certificate happens fully automatically in recent versions of RouterOS so scripts are not necessary for that any more. ...

sindy

Mikrotik traffic flow always starts with the ''Input'' chain. This chain defines everything related to incoming traffic. Then follows the ''forward'' chain, which means the traffic flow that goes through the router. This wording is a bit misleading. In reality, it is an exclusive or: a received pac...

sindy

You can use both (in|out)-interface(-list) and (src|dst)-address(-list) in firewall filter rules, but until recently you could not use in-interface or in-interface-list in the srcnat chain of firewall nat for unclear reason, and you cannot use out-interface(-list) in dstnat and prerouting for obviou...

sindy

Have you set the level parameter of the policies to unique? Is the remote peer a Mikrotik or a device from another vendor?

sindy

BCP indeed does work but it does not interwork with bridges on which vlan-filtering is enabled (unless something has changed recently). But alone it doesn't help with MTU size - you need to use it in conjunction with another "forgotten protocol", MLPPP. The beauty of MLPPP is that it slice...

sindy

I simply don't understand the points along the way -- e.g., "interface/vlan," "bridge.the.interface," "bridge.the.port" a VLAN (sub)interface (abbreviated to interface/vlan on that scheme) is a functional entity that acts as a tagging/untagging pipe. Its "untagged...

sindy

I have got my 520(GL), not 502(EU), for about $180 from Ali. I've never tried a 502.

sindy

This is what I saw in the office the other day: primary-band: B1@20Mhz earfcn: 100 phy-cellid: abc ca-band: n78@80Mhz earfcn: 644640 phy-cellid: def B3@15Mhz earfcn: 1404 phy-cellid: ghi So 3 bands aggregated, one of them n78. In a more rural area where the device has been deployed permanently, stil...

sindy

Not sure whether it is "the best" one but I do successfully use Quectel RM520NGLAA (be careful to obtain the AA version as the USB interface is disabled on the ..AP one). And a Telit FN990-A28 is waiting in the box to be tested once an adaptor arrives - it is based on the same Qualcomm chi...

sindy

Have you resolved the subject of this topic or it's just that the loss of admin access has temporarily prevented you from moving further with this one?

sindy

Unfortunately, I don't really understand what is being demonstrated. I think it shows that the hEX router that has this VLAN config knows that each IP network has a different VLAN (10.11.11.x on VLAN1; 10.22.22.x on VLAN2; 10.33.33.x on VLAN3). Perhaps more specifically, that the broadcast traffic ...

sindy

You have renamed ether3 to OffBridge3, but “a rose by any other name would smell as sweet” - in RouterOS, the configuration items are linked to each other using internal IDs rather than the human-friendly names. So the important point is to disable the /interface bridge port row that makes OffBridge...

sindy

If you decide to specify the list of untagged ports for a VLAN manually (under /interface bridge vlan ), it still must be consistent with the pvid settings on the /interface bridge port rows, which is not the case e.g. for vlan 4 and ether5 (but other port/VLAN combinations are affected too). If fra...

sindy

@sokalsondha, do I understand properly that you want Wireguard user A to use an internal address 10.0.0.2, and if he sends a packet through the Wireguard tunnel towards a public destination address, that request gets its source address translated to the public one x.x.x.154, whereas user B will use ...

sindy

Many vendors allow you to configure a list of VLANs for a given port. So you say "ether5 is a member of VLANs 10,20,27,39" and specify whether it is an "access" or "trunk" member of that VLAN. For just a few VLANs, many users prefer this even if the other way round (spe...

sindy

Can someone please explain, in super clear and complete sentences and throughts (don't be afraid to be overly verbose), the following phrases: Without the surrounding context, those chunks of words alone cannot be translated properly. And some of them may have even been used incorrectly where you h...

sindy

There are multiple issues. First, the IPsec setup. Neither on the responder (home router) nor on the initiator (the roaming hAP) you have configured any particular IPsec policy, you only have templates. So the hAP gets a single address specified by the mode-config row, 10.10.20.41, and since the tem...

sindy

L2TP/IPsec does work on 7.16.2 so the issue must be something in the configuration or the Windows may have another glitch. Please post the export of the configuration, of course after obfuscating any sensitive information.

sindy

I have the same problem You don't. The OP's problem was that the two connections were killing each other due to the INITIAL_CONTACT notification. According to your description, the INITIAL_CONTACT option is disabled by default. ... The tables are there and the marking rules are there too. However, ...

sindy

The whole OP was aimed to explain that in fact, there is no single "bridge itself", because the "bridge" term actually represents three distinct functional entities that are tightly linked to each other, and that a clear distinction between these entities in the respective contex...

sindy

How do i get the intermediate CA (R11) on the mikrotik and how do i make it so that this stays correct when the domaincertificate is renewed? Sorry for late reaction, life is intense these days. The ACME agent in RouterOS requests a new certificate every 60 days, so in any case you need a script th...

sindy

OK, so you use mangle rules to choose a specific routing table for packets depending on their origin ( source-address(-list) and/or in-interface(-list) ). So you have to make these rules match also on dst-address-list so that they would not act on packets whose destination address is in another loca...

sindy

With bonding, a single connection (TCP session, UDP stream) always uses only one of the bonded paths - unless you use the round robin (balance-rr) mode but that causes other issues. But the aggregate throughput may reach the sum of the bandwidths under favourable conditions (a sufficient number of i...

sindy

Since a router normally allows routing among all networks connected to it unless you explicitly ask it not to do so (using firewall rules and/or routing rules and/or VRF settings), it is clear that something in your configuration is set differently from what you actually want to happen. Until you po...

sindy

Running scripts loads the device several orders of magnitude less than routing packets, so you can literally run the check every second without a noticeable impact. The phone will send the SYN packet to establish a connection to a new server multiple times before giving up so running the script once...

sindy

The phone must send its SRV query first, or use dig as you did before. The TTL was an hour when I tried a while ago.

sindy

The only workaround currently available requires scripting. RouterOS is unable to generate a SRV query at all, not just as a way to populate an address list, but it does cache the responses to SRV queries issued by clients. So you can schedule a script that will keep reading the cached responses and...

sindy

In general yes, in detail not so much. I mean, I could not find any important bit to miss in the configuration, but the actual behavior may not fulfil your expectations. The overhead of Wireguard takes 80 bytes (hence MTU 1420 if the path between the peers has MTU 1500) and the overhead of VXLAN tak...

sindy

If there are no VLANs, everything should sit in a single common subnet, so there should be one DHCP server with a single range and a single "network". So assuming it is a /20 network (192.168.0.0-192.168.15.255.255), there would be a gateway on 192.168.0.1/20 and the dynamic pool could spa...

sindy

Who is "MSP"? VLANs are an L2 thing. If you want devices in different VLANs, they normally have to be also in different subnets, and each subnet needs an interface of a router with an address within that subnet, to be used as a gateway from that subnet to the rest of the world. So typicall...

sindy

Many devices are unable to handle a gateway outside their subnet, so giving all of them 192.168.1.1 is most likely wrong. By giving all a netmask /20 you put all of them to the same subnet, but then having them in distinct VLANs is weird to me - they will be unable to talk to each other that way eve...

sindy

When a Mikrotik DHCP server serves an incoming request, it first chooses the pool based on the interface and, if configured, the matcher rules (the pool attached to the DHCP server is used if matcher does not choose another one). Once the address is chosen, it is compared with the address items of t...

sindy

Mikrotik should handle only the DHCP part. DNS is dandled by windows domain controller server and Internet by Fortigate. That's OK, but the DHCP server must tell the clients which DNS servers to use. If you are going to give each new device an address from 192.168.12.0/24 and then make that lease s...

sindy

When someone says they want "separate VLANs", it normally means they actually want separate subnets. And if so, you need an IP interface in each subnet (typically, a VLAN interface) to which a dedicated DHCP server or a DHCP relay for that subnet is attached, and a router with an IP interf...

sindy

I guess it took that too litterally. I installed the LE certificate on the windows VPN-client via import. There is no reason to import the LE certificate issued for the FQDN of the Mikrotik server to the Windows. But as you said you wouldn't take the Let's Encrypt path, I probably did not give enou...

sindy

It may be OK if you have some matching rules in place (under ip dhcp-server/matcher) that allow to identify the various classes of hosts as specified in the comments, based on vendor-class-id or some other DHCP options in the clients' requests, and choose the corresponding pool for each class.

sindy

For me, it was the simplest possible setup on Windows - no powershell needed. The Windows must have the certificate of the signing CA of the Mikrotik's certificate among its trusted root CAs. No own certificate of the Windows client is required if you choose username/password authentication. The cer...

sindy

ID of the peer is not really relevant as in the current configuration, it should be ignored when matching the /ip/ipsec/identity row. As the Windows throw the error upon receiving the certificate from the Mikrotik, you are most likely right that they do not like the contents of the certificate. And,...

sindy

Run Wireshark simultaneously with logging on Mikrotik and compare whether the packets shown in firewall log of Mikrotik indeed made it to Windows. It is strange that it behaves different in the individual attempts.

sindy

I guess something is wrong there.

If you use the trick with public address on the Mikrotik itself, it must be set as a local-address on the peer. The dst-nat rules are OK.

sindy

To me it seems that the initiator (Windows) auth requests (fragment 1 of 3 etc.) do not reach the Mikrotik, as I can see retransmissions in both the Mikrotik log and the Wireshark from Windows. Do you forward also UDP port 4500 from the public IP to Mikrotik's WAN?

sindy

Windows are not famous for useful error messages, they report unnacceptable for almost everything :( What I can see in the logs that Windows either do not get the auth response from us or they do not bother to send NOTIFY with rejection payload in response. Can you verify which case it is using Wire...

sindy

So what is in the EKU of the my.dnsname.com certificate - is the tls-server bit set? And does the certificate use an ECP key, as you use one in DH-group in Phase 1 and Phase 2 proposals?

sindy

Does the log show that IPsec sends a query to RADIUS?

sindy

please let me know when you have free time that i provide you anydesk access and you can check the config.

Can you follow the instructions in viewtopic.php?p=902082#p902082 ?

sindy

What is far more important is that the string that follows the ~ operator is not a text constant - it is a regular expression, so you can e.g. set that string to "e....1" when matching on the interface name and ether1 will still match (but so would e. g. ester1 or eeeee1 ). Why the name~et...

sindy

OK. This is in fact very similar to having two uplinks connected directly to CCR2 and using each of them for access to internet from another set of local subnets. In another words, you can think of CCR1 as of another ISP router providing internet access for CCR2. The key here is that the routing mus...

sindy

I don't understand what the addition of "->0" does. A list is implicitly also an array indexed by integers starting from 0. So ($thisList->0) is a reference to the first ("zeroth") element of thisList . To make it even crazier, you can mix different types of indice in the same a...

sindy

I would add ... Well, this is actually a bit more complicated. If you issue a command that refers to the user-friendly ID before you use the first print for that configuration branch, RouterOS silently assigns the user-friendly IDs the same way it would if you issued a print for that branch without...

sindy

Almost correct, except that there are two kinds of IDs - the internal one that stays the same as long as the object exists and is shown as *1fe or something alike (a 32-bit number in hexadecimal representation prefixed with an asterisk). These are the IDs that [find ...] returns. As @mkx has already...

sindy

I am not a cryptographic expert so I cannot suggest which of the encryption algorithms is more secure. When it comes to throughput and CPU load, the available information is quite inconsistent. The Mikrotik product page does not mention support of encryption in hardware for the L009, but its block d...

sindy

What does "my Mikrotik" mean in terms of model number? How many client devices are connected to the Mikrotik? What tools do you use to test the speed? Is the Mikrotik itself the WiFi AP or you use some external one?

sindy

OK, so most likely the 7.17.2 IPsec doesn't like something about the ESP packets it receives from 7.15.x and doesn't decrypt them. Since you use an individual proposal for each peer even though their contents is the same, it will not affect the other connections if you change the relevant proposals ...

sindy

OK. So run /ip/ipsec/statistics/print interval=1s on Router 1, then start pinging the private address in Router 1 LAN from Router 2, then stop again. Does any value in the statistics grow while the ping is running and stays the same while it is not?

sindy

You forgot to obfuscate the addresses in the /tool sniffer command.

Do the ESP packets come synchronously with the ping ones, i.e. when you stop the pings, do the ESP ones stop coming?

sindy

I wasn't precise enough. Do ping from one LAN (private) address to another, but sniff for the public address of the remote router. It is enough to show Router 1 and the opposite router (2 or 3). And make the windows where you run the /tool sniffer as wide as your screen allows - Mikrotik dynamically...

sindy

return a single blank line I just wanted to check that VLAN "filtering" was indeed disabled on bridgeWAN as the configuration export suggested, so a blank line is a correct result. but now works.... is possibly that connecting Fritz to ONT for the test and re-connecting on Eth8...? Maybe ...

sindy

Looks fine to me, so what does /interface bridge vlan print where bridge=bridgeWAN show?

sindy

If so, moving the VLAN 200 subinterface from ether1 to br-wan1 should be all you need to do.

sindy

So in my words: the ISP will see two MAC addresses trying to establish a PPPoE connection in VLAN 200; one will be the PPPoE client on RB4011 (using one set of credentials) and the other one will be the PPPoE client behind the Fritzbox in bridge mode (using another set of credentials)? is it OK if V...

sindy

I don't think it is a matter of English. First you have mentioned that the Fritzbox uses VLAN 300, now you mention VLAN 200; from the first post I've got an impression that the Frizbox is in bridge mode and provides a second WAN to the 4011, now it seems that you want to provide a second WAN to the ...

sindy

To check that, start pinging the LAN address of Router1 from Router2 and the LAN address of Router2 from Router1, specifying the correct source address so that the ping request packets would match the respective IPsec policies. While the two pings are running, run the following command on both route...

sindy

Why you cannot copy the existing setup, where the subinterface for VLAN 200 is directly attached to ether1, also for the other uplink, i.e. attach the subinterface for VLAN 300 directly to ether8? What am I missing?

sindy

Since Router1 uses DHCP to obtain its WAN address, it is not clear whether said address is a public one. The way you describe it, it seems most likely to me that it is a public one and that the ISP serving Router1 is blocking ESP, but that's just a feeling based on some experience from the past. So ...

sindy

I have my 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, and other prefixes in the Router B routing table with /16 subnet and I want to send prefixes shared in the image with /24 subnet. So after all it is not that simple as you've outlined in your first post, thus my suspicion that I was missing som...

sindy

/interface ethernet print where name=ether2 (no find required/allowed here)

but

/interface ethernet set [find where name=ether2] comment="this is ether2, yay!"

sindy

My gut says the same, I have even experienced it practically while still in ROS 6 - I haven't noticed those complaints but after a reboot, everything was running fine except that I have lost a few ppp secrets I have added over last several weeks. Since I am using the command line almost exclusively,...

sindy

"While passing, they may either retain the tag (trunk mode) or lose it on egress and obtain it on ingress (access mode)" What does that mean? Sorry, the bold words went missing as I was editing the sentence multiple times to make it clearer 🤦 A single port may be a member of multiple VLAN...

sindy

I would like to know, for my clarity, if multiple PVIDs can be placed on a single frame? A P VID is not a property of a frame. It is a property of a bridge port that says "if a frame without any VLAN tag arrives through the cable, attach a tag with this VID (Virtual LAN IDentifier) to it while...

sindy

I personally don't have a problem comprehending the adding or stripping of a tag to a frame, the presence or absense of which guides devices to make routing (or availability) decisions. My understanding of VLANS fails after that. But VLANs are nothing more than that... Each VLAN is a collection of ...

sindy

I'm just still trying to understand.... So what about the colored cars - are they helpful or not? Instead of cars, you can be given a flower at an entry, you can only carry a single flower at a time, etc., but it is still a matter of obtaining some attribute when entering the maze and being strippe...

sindy

All analogies suck. What if I go along the lines "a bridge is a system of roads where no pedestrians are allowed; the only way for a person can travel across the bridge is to board a car at an entry point and let the car bring it to the destination exit point. The cars are of different colors, ...

sindy

While vlan-filtering is set to no on a bridge, no stripping or adding a VLAN tag happens on the bridge ports. So when a tagless frame gets in, through a physical interface, it stays tagless until it hits the IP stack listening at the internal port of the bridge (the "switch-facing interface of ...

sindy

I then attempted to connect the hAP ax Lite to a RB951G (because that is what the customer has at their location). ... Is this a known issue? Is it related to ROS versions or is it related to chipset or driver issues? If I read the manual correctly, it is a matter of wireless/wifi drivers incompati...

sindy

It seems so easy that I am afraid I have missed some important point. And if there is indeed none, it may be the reason why you cannot find anything online - this is a very basic routing scenario so no one bothers to boast "I have made it". assign addresses from the subnets you want to liv...

sindy

What you describe (attaching the openvpn server to some non-conflicting TCP port and using a dst-nat rule that matches on a particular local dst-address and dst-port=443 to redirect traffic to that non-conflicting port) should work normally. I am afraid that the unavailability after some time is cau...

sindy

Except RouterOS and Strongswan, I haven't seen any IKEv2 implementation yet that would support PSK. Just as a little factoid ...and this, kids, is what happens when you lose concentration when posting :D What I actually wanted to say was that I haven't seen any other kind of VPN client on a PC or p...

sindy

with IPv4, only CGNAT

(unless you pay a beefy surcharge to get a public one).

sindy

Interested in what u mean by the behind-NAT-trick. I'm using 500/4500 nat-traversal now. The ability to use ESP encapsulation into UDP and related stuff to traverse NAT is a capability of IPsec as a protocol; not accepting a responder behind NAT is a default behavior of the Windows embedded VPN cli...

sindy

It's not a PGP key, it is an RSA one. I referred to an instruction for open ssl on GitHub, so I reiterate it here: create file key.pub and copy my public key from that forum post into it echo --your-phone-number-and/or-e-mail-address-- > zezeme.txt openssl rsa utl -in zezeme.txt -out zezeme.enc -pub...

sindy

Certificate: the IPsec responder has to present the complete certificate chain that starts with its own certificate and contains any intermediate certificates all the way to the root CA - the certificate item on the /ip/ipsec/identity row is actually a list. The Windows machine acting as an IKEv2 in...

sindy

I'm still watching some videos but so far I have this

Learning by doing is the most efficient way, but when it comes to internet security, it has its drawbacks, so I repeat my offer for remote assistance: viewtopic.php?p=1123221#p1123221

sindy

Maybe it is time to post the export of the configuration?

sindy

It may, because my assumption was that the NFS client and the NFS server "take a shortcut" in terms that the communictaion between them doesn't get to the router's CPU. If your device supports IP routing in hardware (L3HW), this variant is still possible although they are in different subn...

sindy

I'm not sure what other information to provide, but I would appreciate help/guidance anyone is willing to share. The first thing you have to post to get any useful response is the export of the current configuration: from the command line (use the [Terminal] button in Winbox to open a command line ...

sindy

Could it be that the NFS client and server are in the same LAN, connected to different ports of the Mikrotik, that are bridged together?

sindy

Ah, yes, I totally forgot about the existence of the M flag - so under /ipv6/nd, set managed-address-configuration to yes for the interface (unless it gets set automatically if the DHCPv6 server is attached to that interface) to let the clients know a DHCPv6 server is available.

sindy

Can somebody read from log where is problem and why mikrotik kill SA on the end of rekey? These are the important bits: Feb/04/2025 16:55:44 ipsec,debug ===== received 80 bytes from Y.Y.Y.Y[45760] to X.X.X.X[4500] ... Feb/04/2025 16:55:44 ipsec payload seen: ENC (52 bytes) Feb/04/2025 16:55:44 ipse...

sindy

Is this something specific to starlink router that always use this ip or is general in ipv6. It's indeed from the category "$1 for turning the screw, $99 for knowing which one". It did take me some minutes to figure out. Maybe there are better ways I haven't found, though. Now i m struggl...

sindy

The only stupid questions are those not asked. you have only got a single /56 pool, the one you have requested and received from the Starlink DHCPv6 server. to let hosts connected to bridge have their IPv6 addresses, you do not need to use DHCPv6, nor you actually could use it until ROS 7.17+ (the f...

sindy

Higher gain dishes will give you gain on 'both' sides of a link. So if you saw -80dbm with a pair of 24dbi dishes (not counting radio transmit power itself) then a pair of 31dbi dishes (with another assumption that it doesn't lie and is tuned at that same frequency) will see a 14dbi increase in sig...

sindy

Bare IPsec with traffic selectors is a voucher for migraines for any setup that is not predictable, and potentially overlapping remote subnets are another one. So I'd definitely prefer GRE encrypted using IPsec in transport mode for such a scenario.

sindy

I do have some small houses all connected via twisted pair that I would consider changing to fiber. This is overhead (exposed to UV, cold, rain, etc.), so it's not exactly trench/pipe/blow. For this purpose, self-supporting and UV-resistant outdoor jumpers (reinforced by metallic or load-bearing fi...

sindy

Hm, so it apparently depends on the particular modem type: [me@myTik] > /interface/lte/monitor lte1 status: radio off pin-status: SIM not inserted functionality: tx and rx rf circuit disabled manufacturer: "MikroTik" model: "R11e-LTE" revision: "MikroTik_CP_2.160.000_v021&qu...

sindy

Where do I check for this info?

/interface/lte/monitor lte1

sindy

Not sure what you mean. If you need to access just the router itself, RA doesn't bother you - give the DHCPv6 client a name of a pool to use, and attach an IPv6 address to any interface on the router, indicating the name of the pool to get the prefix from and specifying the lower 64 bits if you want...

sindy

the ATL magically started working again That indeed reinforces trust :( I hate this kind of mysteries. Condensation or an insect? I've heard of a spider squatting in a satellite receiver LNA but he did not interrupt electrical contacts, just changed the capacity/inductance of something there, chang...

sindy

I assume some type of rigid snake would be use to feed a pull wire through? Professional companies push the cables themselves through the tubes using air compressors; I usually use a vacuum cleaner on the destination side to pull the air in which works surprisingly nice for pushing a lightweight pu...

sindy

The mobile ISPs use different approaches, but typically either the SIM is banned from logging into the network or just the data service is suspended. I hazily remember some old SIMs were treated as "invalid" in a phone but I have never seen the phone to see a SIM as absent. So if you give ...

sindy

I don't understand what you mean by Rural LTE/5G would be easily address by connecting a 5G stick approved by Verizon to a router of my choice. Well, that's two separate things - the cell congestion issue is one thing, and the fact that Verizon seems to have changed approach is another one. All the...

sindy

guy wires will definetly fail the wife approval test (I could get an override if I won the lottery and explained the observation deck tower idea). Well, a tower that can safely hold an observation deck normally does not need any guy wires (and costs accordingly more); on the other hand, I've seen s...

sindy

DHCP as such has been designed with and embedded active-active redundancy - the client broadcasts a discover message when it has no address yet, but once it receives an offer, it unicasts the request for assignment of the offered address and subsequent renewal requests to the server that has sent th...

sindy

What do /interface wireless monitor wlan1 and /interface wireless scan wlan1 background=yes show?

sindy

Dear Support, This forum is not a vendor support in the traditional sense. Some more (or even less) experienced users volunteer to help others by giving their advice. I tried to isolate gateways from each other but not able to do, configuration in the below, please follow and provide the solution. ...

sindy

Am I understanding correctly that ... there's no way ...? Indeed. Non-line of sight (NLOS) radio systems do exist but they rely on strong enough reflection of the signal from buildings and other solid structures. Vegetation rather absorbs the signal than reflects it (the 2.4 GHz band in particular ...

sindy

You get what you get (in common 192.168.x.x range) That is a surprise for me - my experience so far was that in bypass mode, you get a single address from 100.64.0.0/10 with gateway 100.64.0.1, and it is up to you how you organize your LAN. And also when not in bypass mode, the bundled router was g...

sindy

In short, you need to implement the following default rules: ... And additionally the following four: Leaving aside that this set of forward rules would prevent the VPN clients from reaching the devices in LAN, if the OP did exactly this, they would lose the IPsec and/or L2TP connection to the rout...

sindy

I have no idea how to properly configure the firewall rules honestly. I'm very new to this

If you feel like that, you can follow the instruction in this post.

sindy

From the remote PCs I can ping every device in the headoffice but I cannot ping any devices on the store1, I do can ping them from any devices in the headoffice. So something must be wrong with the routes or the firewall rules, is there a way to solve that? To allow to analyse this, the obfuscation...

sindy

The situation would be very bad if I add that or the situation is already bad? The firewall already is a joke, no matter what you do regarding the IPsec and L2TP. So you should concentrate on fixing that first. While the devices on the LAN side are partially protected by the fcat that they are runn...

sindy

Does ROS maybe uses swap file for VM on flash and it's changing depending on RAM usage? :) By chance, one of the affected hAP ac² has 256 MB RAM too, so that is not a remedy. And no containers run on any of them, so it's not them swapping to the flash - plus, if the RouterOS itself needed to swap t...

sindy

If you create the properly set and linked peer, identity, policy template group, and policy template items manually, you do not need to set use-ipsec=yes in the L2TP server settings, the behavior of the manually created items will be the same like the one of the dynamically created ones, i.e. the L2...

sindy

Regarding the posting - it is considered useful to place the code between [ code] and [ /code] tags that can be obtained by pressing the [</>] button above the editing form. The obfuscation did not hide any internal relationship as the configuration is quite simple. As I suspected, your IKEv2 peer n...

sindy

Probably this disk space growths depends which configuration is changed and how often. Nope. On mine, the free disk space shrinks by 4096 bytes every 5 to 10 minutes currently, and every 128 kBytes it gets freed in bulk and the cycle repeats, and neither me nor any script touch the configuration du...

sindy

that gave me healthy 2.8MB of free space before filling up the address lists ok, and that amount of free space does not "autonomously" change, i.e. remains the same unless you cnahge something in the configuration? If so, let me call you "mkx the lucky" :) I'm pulling my hair ov...

sindy

what can I do? You can post the text export of your actual configuration. There are numerous descriptions here on the forum that explain how to create it and how to properly obfuscate it before posting it so that the internal consistency of the information is preserved. But you may not need to do t...

sindy

@mkx, since you are already watching this topic anyway, I react to your statement from the 7.17.(1) topic here. My use case for my hAP ac2 doesn't require any wireless driver and it's not available for experimenting. https://forum.mikrotik.com/viewtopic.php?p=1122624#p1122624 explains why I have quo...

sindy

The big problem of hAP ac2 and wifi-qcom-driver is lack of flash storage. ... wifi-qcom-ac drivers offer greatly improved throughputs and stability of wireless service ... until it (quite quickly) ran out of flash space @mkx, would you mind creating a dedicated topic to discuss the points above out...

sindy

If you do it that way, there is even no need to add the /interface/bridge/port row as it is added dynamically instead. You can think of the datapath row as of a template for that. It means you have to remove the statically added /interface/bridge/port row before re-provisioning the radios with the d...

Search found 11511 matches