Well... even using the binary backup, certificates are messed up... I've tried to migrate from RB2011UiAS-RM to RB3011UiAS-RM using binary and encrypted backup. Everything worked fine, except... all the private keys are missing! Manually import of the keys is of course not working... Hence I only ne...

as I said earlier the problem is, that your hap also has the rb4011 defined as the primary gateway: 0 ADS 0.0.0.0/0 10.10.0.1 1 so if isp1 is down, rb4011 uses the hap as gateway, but the hap is using rb4011 as gateway -> loop and nothing works. thank you mooks, so basically there is nothing can be...

as I said earlier the problem is, that your hap also has the rb4011 defined as the primary gateway:
0 ADS 0.0.0.0/0 10.10.0.1 1

so if isp1 is down, rb4011 uses the hap as gateway, but the hap is using rb4011 as gateway -> loop and nothing works.

do you use the hap_ac only for LTE uplink? If not: no need to configure the vlans on hap_ac2 just configure the hap as a normal router and configure a differen subnet for e.g. 192.168.42.1/24 then connect the rb4011 to the hap as a client with static ip (for e.g. 192.168.42.2). sourcenat rule to 192...

So if the Uplink of MikroTik_RB4011 fails it should use the LTE uplink of MikroTik_hap_ac2 instead? The easyest way would be the add a static route with 0.0.0.0/0 "local IP of hap_ac2" distance 10 or higher on RB4011. However your hap_ac is using the uplink of your rb4011 and LTE only as a...

I hardly use L2TP any more. IPSec + IKEv2 is much saver and more stable.
Also it's allways a good idea to use a different subnet for VPN.

Maybe there's something blocking your packets in your firewall forward rules, could you please post your configuration?

ROS also supports automatic certificate enrolment protocol (check SCEP) so for large amount of clients it can be used. Yes SCEP would be an option. However we have a lot of different customers, usually with 5-10 VPN-Clients. For that small amount of clients a PKI+SCEP is overkill. On the other hand...

AFAIK there's no official way how to do this. I guess that restoring binary backup should work. That's also not officially supported between different device types, but aside from messing up some things (like interfaces' MAC addresses, but you can reset those) it worked when I tried it. If you're s...

Hi Mikrotik-fellows. Usually we use the following script for creating CA and server certificate for OpenVPN: ## generate a CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU&q...

Thank you so much for your detailed response! Well all the extra features of the RB4011 aren't needed or can't be used :D However, the RB4011 is about 100€ cheaper than the RB1100AHx4, so I'll go with two RB4011 :) The most important thing for me is that the Router shouldn't limit the 300MBit Uplink...

Thanks for the Table :) I've also checked those and wasn't sure which of those values I should use for sizing. I've found this analysis about the package size over Internet: https://www.caida.org/research/traffic-analysis/pkt_size_distribution/graphs.xml The last chart is the interesting one: Using ...

Would the RB1100AHx4 be also sufficient for a 300mbps Uplink?

Hello Mikrotik-Fellows, I need your help for sizing of a two networks in the same house. Network 1: Uplink1: 300MBit/s download 30MBit/s upload. + LTE for backup, connected over ethernet 3 VLANs One VLAN is used for VoIP, QoS needed, guess a Limiter of the other VLANs should be enough Probably one I...