MikroTik

JosipTopic

Hello, i just have a question. This link on the beginig of this thread, for download splunk app for mikrotik, is that the first one(oldest)? Where can be found updated one? Thanks?

JosipTopic

do not fit together well. Your screenshots show that both policies exist, so the linking of the identities to the same peer must have worked too? What is the current setup then? Regarding the ping succeeding in one direction but not in the other one, it's due to your lack of systematic approach: at ...

JosipTopic

when i do traceroute...goes on internet

JosipTopic

Now I finally understand. You cannot have multiple peers accepting incoming connections from the same range of addresses and with the same exchange-mode . If you do that, exactly this happens, because the peer is chosen when processing the initial packet, and the initial packet doesn't carry enough...

JosipTopic

So this is now when everything is connected, R1_IVO 99.0 network can ping 79.0 network and 97.0 network. RB4011 can not ping 99.0 network and can ping 97.0 network on RB4011 there is RED error on Peer for 97.0 network. That error comes when i create 2nd indentity on RB4011. If i kill connections, Th...

JosipTopic

site 79.0/24 gets disconected from site 97.0/24 wiith error "peer unreachable" Is this "peer unreachable" a message in the log, or it is a red warning printed next to the peer in the configuration, like this? Yes, it is red text, printed. Flags: X - disabled; D - dynamic; R - re...

JosipTopic

Update:
when i killed connections, now same story like on the begining.

Site 97.0 and 99.0 are conected, and site 79.0 is disconnected from both sites.
If i delete last site, then 97.0 can ping 99.0, and 97.0 can ping 79.0.
good night.

JosipTopic

I made it to connect to each other.Don't ask me how.

But now site 99.0/24 can ping site 79.0/24 and vice versa is not possible at the moment.
i'm sending new configs.

JosipTopic

And the only change was at the site with the 4011, where the public IP has migrated from the WAN of the old ISP modem (which was a NATing router with port forwarding) directly to the 4011 with PPPoE via new ISP modem in bridge mode? Or the 4011 was not there before and you've copied its configurati...

JosipTopic

Okay, what actually boders me, it worked with 3 sites for 6 months, but now when i create 3rd site the first one get disconected.

JosipTopic

And one more question, now i'm starting to add 3rd location, how should do it?
Same as first client, or should i change something in complete design.
Thanks.

JosipTopic

How to set DF bit? That's the -f option to the ping command on Windows, or the do-not-fragment modifier to the ping command in RouterOS. TCP sets it automatically. Now i pluged, old LTE router just to see his MTU, and is 1500, so that's why I didn't had problems before with Ipsec and with MTU. and ...

JosipTopic

@JosipTopic, your feedback assumes we all know the topology of your network. From the screenshot of the MacOS terminal, it is not clear on which site the Macbook is connected. My Mac is on 79.0/24 segment, and i use windows 10 as guest operating szstem in parallels. There are two distinct situation...

JosipTopic

When you get 1492 or 1480 byte MTU on your Internet PPPoE connection you should try to set MTU and MRU to 1500 and see if it sticks after the reconnect is done. I.e. MTU 1500 is still indicated. If so, that will solve a lot of trouble you have in different situations. If not, ask your ISP to suppor...

JosipTopic

Well there is another thing that I forgot about when sending that response: in some ping programs (e.g. on the MikroTik) you specify the size of the entire packet and it is the same as the MTU. In other programs (e.g. Linux and probably Mac too) you specify the number of data bytes in the ping pack...

JosipTopic

I found this on the web.
http://www.dslreports.com/faq/578

I did downloaded and set it like in the picture and it does increased my download speed on paralles desktop vm.
On Mac, speed was always good.

So, today i learned a lot.

Thank you.

JosipTopic

It means that somewhere you have already set a strange MTU. Either in your PC or in your router. LAN MTU is normally 1500 with no reason to change that. Link to the ISP may already have a smaller MTU e.g. in case you have PPPoE without RFC4638 support. MTU will be 1492 or 1480. That is also often a...

JosipTopic

Here it is.
Is it normal that first ping on LAN is not 1500 bytes allowed?

JosipTopic

How you actually-mtu looks like on br-blackhole interface? @Nichky, the MTU of br-blackhole s irrelevant, what matters is the actual network path. The TCP packet gets encapsulated into the IPsec transport one, the DF flag is inherited into the transport packet, so if the transport packet has to be ...

JosipTopic

Tadaaaaaaa!!!!

Everything works like a charm.

Thank youuuuuuuuu!!!!

JosipTopic

it seems like you have mtu issues. How you actually-mtu looks like on br-blackhole interface?

Here it is.
But if I may ask, isn't this br-blackhole used only to redirect traffic to 79.0 gateway?
i only need to downsize MTU towards 192.168.97.0/24 network, correct me if i'm wrong.

JosipTopic

This is what i figured now.
I suppose i should do it with Mangle, right?

JosipTopic

Just a remark... There is no advantage of a GRE tunnel as compared to an IPIP one, given that Mikrotik doesn't use the optional ID field allowing to set up multiple tunnels between same endpoints, so what remains different as compared to IPIP is some weird handling by the firewall and some extra ov...

JosipTopic

In the meantime, where could i try to modificate MTU for IPSEC?
The method I described automatically fixes that problem as well.
When it does not, set the MTU on the GRE tunnels to a lower value, e.g. 1400, instead of leaving it blank and using the automatic setting.

Thank you...

JosipTopic

Anyway, i'm so gratefull for you guys, that you helped me and that you are willing to help others and share your knowledge with others. This is huge....😁 Two days been going in the circle, couldnt find the exit...and posted here, in two minutes everything was solved. Would like to buy you a beer.🍻 o...

JosipTopic

Is there a way to configure network other (better way) but stil using IPsec. ( you wrote, "when the network configured this way") Well, my preferred way of configuring it does not use such a direct IPsec tunnel but rather a GRE/IPsec tunnel between the routers. When you add a GRE interfac...

JosipTopic

Is there some resolution for this, or just to leave like this. There are several possibilities, e.g.: /interface bridge add name=br-blackhole /ip route add dst-address=192.168.97.0/24 gateway=br-blackhole pref-src=192.168.79.254 Why are you so smart....:) IT WORKS....unbeleiveable... and...this web...

JosipTopic

Regarding the problem to open the web page at PC2, the first suspicion in these cases is always an MTU-related problem and PMTU discovery failing for some reason. The export from the client contains almost nothing, so hard to say whether it is breaking PMTUD or not. [/quote] Sending complete export ...

JosipTopic

More detail on what @pe1chl wrote: On R2, the only /ip ipsec policy row says dst-address=192.168.97.0/24 ... src-address=192.168.79.0/24 tunnel=yes so only packets with source addresses from 192.168.79.0/24 are matched by that policy. When the router itself sends a packet, it finds the route to des...

JosipTopic

You are right!
It works.
But what is with that web page on .97.0 network, that doesn't want to open.( i can't open even the ISP router page).

Is there a way to configure network other (better way) but stil using IPsec. ( you wrote, "when the network configured this way")
Thanks.

JosipTopic

Please, help. I have thhose 2 Mikrotiks, and IPsec running. everything worked fine, unitl i changed ISP. They brought their own router, which they have put it to the bridge, and then i've connected my Mikrotik RB 4011 to PPOE and i have internet. Then i 've configured Ipsec. Only thing that is not w...

JosipTopic

Thank you Sindy, I wish that i have a knowledge to understand this what you just wrote...:-) Nevermind, i'll keep tryin... The whole conception of what you're trying to tell me is to much for my head, if you could put it little simplier it would be great, or maybe even better, you could point me wha...

JosipTopic

[/quote] . You can use e.g. the br-loopback as the gateway of such route. [/quote] I would like to try to make this second approach, because we have windows server 2019 that is DNS , and DHCP, i could try though to make him to deliver to PCs IP configuration with 192.168.97.78 as deault gateway and ...

JosipTopic

One more thing, like you said Sindy, ping works only for PC that has 192.168.97.78 Gateway, all other PC's aren't reachable. So what could i do? How to make other PCs know to reach other side. Should i put Site A Mikrotik router to be default gateway on windows DHCP, and in Mikrotik router put defau...

JosipTopic

Hello, Thanks for help, what was wrong, is that i had wrong networks in Policies on both routers. On router on SIte A 1. I had networks for tunnel which are 10.0.01 --> 10.0.0.2 and 192.168.97.0/24 --> public ip of Router on Site B , which i changed in to 192.168.79.0/24. On router on Site B 2. I ha...

JosipTopic

Hello Sindy! You are close. Ip addresses are being delivered by DHCP on windows server 2019. So yes, default gateway is Huaweis address 192.168.97.254. But i've changed default gateway on PC-192.168.97.99 to be 192.168.97.78. What do you think i could do? By the way, from Site B PC192.168.79.109 I c...

JosipTopic

Hello CZFan!

I did check windows firewall, it's turned off.
But i can't even ping from Site A routers src adress 10.0.0.1 to 192.168.97.99.

Anyone else, or any other tip?

Josip.

JosipTopic

Hello! Been trying to figure out how to accomplish this task of mine, but it's not going. I have two sites, Site A and Site B let's say. This is common case here in Croatia, because a lot of times internet operator is not capable/can't put his router in bridge, so this is one of the answers i'm look...

JosipTopic

Hello, just to tell you, i put wrong username.
😡☺️

JosipTopic

Hello guys, i was wondering if anyone here could give me a hand, with configuration of Mikrotik RB951-2n v6.47 I'm trying to connect to vpnptp.com using ovpn.( would like to avoid geo restrictions) In all of that i'm receiving error that states "vpn pptp: terminating... - could not negotiate TL...

JosipTopic

Hello, Everything is up and working. So, to tell you the problem, third router(2nd client) didn't had routes to my client router. so this is it. i just wrote manually routes in third router and instantly i could ping all six subnets. Because where i live situation is like this. everybody has interne...

JosipTopic

I’m sorry for being late. Ok i configured PPTP just for training myself. Want to learn networking. I’m working in IT company, so for purposes of the company I want to master one by one. And idea behind setting interface-list=all in ppp profile is “don’t know”. For days I’m wandering around and canno...

JosipTopic

Hi everyone! I want ask for help. This is what i have: 3 mikrotik routers on three locations. i've configured one Mikrotik as PPTP Server, and other two as clients. Both of these two client are connecting successfully to Mikrotik server. the problem is that those clients can't ping each other. Can a...

Search found 43 matches