MikroTik

pawlisko

I noticed that softether could benefit from it...
ovpn2.png

Do you realize that you were replying to 2 years old post?

Since then a lot has been done.

pawlisko

Strongly, strongly disagree. Having think tanks...err, "standards bodies" dictate how operators that are actually "in the trenches" so to speak should design and engineer their networks is NOT the right answer to the problem at hand. It is exactly this kind of mentality that has...

pawlisko

Maybe they can make it formally forbidden to issue dynamic IPv6 prefixes to fixed line consumers. That would remove a prominent reason for wanting to do address translation. I am reading this thread and I am seeing impending doom (only to a few). Many raised points are valid: - not designed for tha...

pawlisko

Hi all, So my provider finally moved to dynamic dual stack solution. That made HE.net tunnel obsolete, but also gave me some issues - like I don't have static routable IPv6 addressing. Here is the set-up only for IPv6. Some refinement needed but all bones are here. Some issues/workarounds which exis...

pawlisko

Cisco WLC just pushed my addressing scheme to fdc0: I am using iOS so it comes also with some issues but on Edge, Safari, FireFox I can connect to IPv6 websites and it is working. I am writing script myself - multiple functions - detecting IP change, updating dDNS, verifying DNS updates and changing...

pawlisko

Ok, try to understand what I'm screaming about here, for the last time. The clients will not use fec:: to go out the internet, those are Link-Local addresses (LL), they will only reach services inside your network and that's it. Browsers (for example) will not pick a fec:: address to visit .. googl...

pawlisko

So my scenario is a bit convoluted but also very down-to-earth. There is my network behind MT. There are few services that I have inside of my network which (maybe in my head due to security reasons) are available only inside of the network - NAS, Plex, etc. - just to name few. The only ports open t...

pawlisko

I think that I don't understand your question/point. Could you elaborate? I think that we may have different idea of requirements that solution answers for.

pawlisko

What are the clients using those fec:: addresses for? Wireguard clients. So my ISP uses dynamic IPv6 prefix allocation. When prefix changes then I would need to change each of the client's setup. In this case each client has fec:: address (static-non routable) after connecting with WG server (MT) t...

pawlisko

So first part of the issue was solved by me: /ipv6 address add address=fec0:99:95:: advertise=no interface=wg-interface /ipv6 address add address=::1 advertise=no from-pool=ISP-v6 interface=wg-interface /ipv6 firewall address-list add address=fec0:99:95::/64 comment="wg-interface" list=&qu...

pawlisko

Hi all, I couldn't find any discussion on how to do it, maybe I am wrong, and that should be done another way, but hear me out. I run a WG instance on my MT (RB5009). I have multiple interfaces (mostly VPN), but I do have two for my use - let's call them wg0 (family and me) and wg1 (friends). Each i...

pawlisko

It is working.

Verion FiOS issues with routing.

Thanks

pawlisko

3 x Yes.

It was a routing issue with Verizon. IPv6 flies like a magic

pawlisko

So quick question - preferably Y/N: Were you able to connect RB5009 to Verizon FiOS and have working IPv6? Were you able to connect S+RJ10 to Verizon FiOS and have working IPv6? Were you able to connect RB5009 using S+RJ10 to Verizon FiOS and have working IPv6? Hopefully someone will say 3 times yes...

pawlisko

OK, it seems to be Verizon's issue with routing. Several people also have issues using non-Verizon routers. Some claim that it started working with Intel NIC after turning off hardware off-load. I am using S+RJ10 SFP+ connector on RB5009 router. I am able from time to time to go outside with IPv6, a...

pawlisko

Tools->Torch, check WAN interface and you should see outgoing packets. As for incoming ones, if there are no responses, you can test your address range from internet (you can use some online ping or port tester) and you should see that traffic reaching your router. If not, there could be something ...

pawlisko

Tools->Torch, check WAN interface and you should see outgoing packets. As for incoming ones, if there are no responses, you can test your address range from internet (you can use some online ping or port tester) and you should see that traffic reaching your router. If not, there could be something ...

pawlisko

Tools->Torch, check WAN interface and you should see outgoing packets. As for incoming ones, if there are no responses, you can test your address range from internet (you can use some online ping or port tester) and you should see that traffic reaching your router. If not, there could be something ...

pawlisko

You definitely need default route, it can't work without it. The add-default-route=yes in DHCPv6 client is a hack that adds DHCPv6 server as default gateway, which sometimes works and sometimes doesn't, because it isn't always the same machine. Correct way is to get it from RA, but there's a catch,...

pawlisko

You're missing default route. This should do the trick: /ipv6 settings set accept-router-advertisements=yes Didn't change anything, rebooted multiple times. Even with your settings on I tried two options This is when there is no default route added /ipv6 dhcp-client add add-default-route=no disable...

pawlisko

Hi all, So Verizon Fios just turned on IPv6 in my location, and is not working. Before that, I used HE.net 6-in-4 tunnel, and it worked without any issues. Verizon Fios config: /ipv6 settings set max-neighbor-entries=8192 /ipv6 dhcp-client add add-default-route=no disabled=no interface=WAN pool-name...

pawlisko

Given that it behaves oddly, I'd first try to swap the routing marks in the rules to find out whether the issue is related to use of the ProtonVPN-P2P tunnel itself or to the connection marking and routing marking. So P2P connection was showing as working but just in case I created another connecti...

pawlisko

dst-address-type=!local matches on any destination address except the own ones of the router. So adding this match condition to the action=mark-routing rules prevents packets from LAN hosts towards the router itself from being sent to some WG tunnel. If this helped, it means to me that the LAN host...

pawlisko

I would assume it is related to this recent change in RouterOS behaviour . Try to add dst-address-type=!local to all your action=mark-routing rules , it should fix the issue of inability to access the router itself. I think you may be right. So as you know I want to change setup for WG for failover...

pawlisko

Hi, I was about to make some changes to my setup (using 2 providers with failover) but I saw that my setup was not working. I have 4 tunnels (4 different countries), I do routing 2 ways: a) I sent traffic to 3 tunnels using IP rages (based on country IP allocation) - it created about 23k address ent...

pawlisko

So all in all you ask for a link where someone describes a solution exactly for your situation which is fairly unique in multiple aspects. Such a link is not likely to exist, so you have to answer yourself the basic question - do I want to spend time learning that (answer yes inevitably leads to an...

pawlisko

But leaving that aside, the task of failover/load distribution between two Wireguard (or other VPN except bare IPsec) tunnels is exactly the same like the task of failover/load distribution between two WANs with NAT, and for that there are multiple recipes here on the forum, like this one . I went ...

pawlisko

All, Quick question, probably complicated answer. I have 4 wg tunnels I am using at one time. It send traffic to 4 destinations based on either on computer IP or destination IP address - config was forged here: https://forum.mikrotik.com/viewtopic.php?t=184487 Now I need to expand on this. Let say t...

pawlisko

I had my issues with restore from .rsc - mainly with interfaces - problems with bridge, bonding, wireguard. Hence WinBox backup/restore works for me better. After 4000+ installations, .rsc is better than any type of backup, but these three conditions must be true: A) Restore on the same device and ...

pawlisko

Ok, but instead: 1), 2), 3), netinstall, 5b) restore from .rsc, 6)

I had my issues with restore from .rsc - mainly with interfaces - problems with bridge, bonding, wireguard. Hence WinBox backup/restore works for me better.

pawlisko

It sounds like a workaround - instead of reboot everytime do a Restore "just saved" configuration and do this step everytime before upgrade? The proper procedure for config to stick: 1. Create backup via export /export file=Backup.rsc terse show-sensitive 2. Review backup that it is good....

pawlisko

So I did lost config also just via edit and reboot (without upgrade), so maybe the reason for lost config issue could be the WinBox 3.35 x64 itself ?? I had very similar experiences but it does not matter if it is WinBox or WinFig or Terminal. Basically for me to make it stick is to create a backup...

pawlisko

Try to notice if the configuration indeed was lost or simply was returned back to the configuration which was present on the router in the past. Please keep this topic strictly related to this problem and provide information only if you are 100% sure that the configuration indeed was lost. For exam...

pawlisko

in my experience, bridges and wireguard interfaces seem to be most commonly affected by the corruption, along with some firewall rules Absolutely. 100% right. So I never experienced this behavior on RB1100x4AHDude. I just upgraded to RB5009 and I lost my config more than once. And I was perplexed. ...

pawlisko

AFAIK, there's no such thing in RouterOS. Based on this thread I created Reddit post: https://www.reddit.com/r/mikrotik/comments/tvdv25/guide_how_to_set_up_wireguard_clients_with_vpn Hopefully, it will be a good guide for people like me looking for how to create and use wg VPN service using MT. @So...

pawlisko

Unfortunately, there's no list of lists so far. The sad part is that Linux (which RouterOS is based on) supports it, together with other useful list types, but they are not exposed in RouterOS. Hopefully one day... So let me ask you even crazier question - do you know how to create list with MAC ad...

pawlisko

. Hello, There is no obligation for PD to be aware of all other power sources and not require PoE handshake negotiation on PoE-In ports if the device is powered by other power sources. In your case, if you want to use PoE-In ports as backup power you should use Passive-PoE with a forced-on feature....

pawlisko

It's those rules with action=mark-routing, they currently work for both directions, but you want them only for outgoing traffic from LAN, so add in-interface=LAN to them. And they can also have passthrough=no (which will speed up processing by 0.000something%, so nothing to really care about, but p...

pawlisko

I am reffering to the device that gives power to the RB5009 through POE...

In this case I don't have another one. I used to have 2 but when I changed jobs I had to send back all their toys

pawlisko

@pawlisko: If 206 is in local-us, then it will be the same as 202, i.e. third rule will match and it will get connection mark from it. It's simple whatever matches first will be used. /interface wireguard add listen-port=51821 mtu=1420 name=KeepSolidVPN-Germany /interface wireguard add listen-port=...

pawlisko

Did you try to POE power the RB5009 using another POE switch capable of af/at ? No, I am running on this PoE switch 6 WAPs (Cisco AP3700 series), 2 IP Cameras, 1 Raspberry Pi. I was playing with WAPs (as they have an independent power supply) as well as with RaspberryPi. Only MT behaved weirdly. It...

pawlisko

It's another condition. When you have rules with passthrough=yes (and you need that), it means that processing won't stop there, but will continue with following rules. Let's say that with the six rules in my last post the first one matches (because source is in local-pl list), but the last one mat...

pawlisko

This way you can do anything. Priority depends on the order of rules. If you need other exceptions, just add them before these. Don't forget connection-mark=no-mark, to avoid re-marking already marked connection. Sorry for stupid question but what do you mean by "Don't forget connection-mark=n...

pawlisko

Same config as for others (routing table, route, masquerade), only routing rule instead of mangle rule: is it a way to do it via lists? OK, let me ask a big picture. What I have now are IPSec tunnels 3 mangeled to countries, 1 dedicated for an one IP Sometimes I have to send entire traffic of anoth...

pawlisko

i think the passive PoE dilemma is a matter of context, In corporate market like cisco aruba hpe etc Standard 802.3 PoE is mostly used But in WISP market passive PoE is the most frequently used MikroTik equipment is very popular in WISP market, not to say that this is its most important market In t...

pawlisko

It shouldn't be difficult. Add new WG interfaces (e.g. wgPL, wgDE, wgUK), configure them according to provider's instructions, and then you should need something like: Awesome what about code for dedicated connection? So lets say WG interface wg-ded-US (another from my provider). This will send ent...

pawlisko

Passive PoE is used in millions of devices serving hundreds of millions of end users around the world I dont think is idiotic the productive contribution will be the need to specify the possible need of passive PoE to achieve HA in power You are absolutely right - but if the specification says you ...

pawlisko

Hi all, So I am in the process of changing my setup. I've already changed RB1100AHx4Dude for RB5009, I am working on creating a proper guest network (I have Cisco Wireless - WLC + WAPs) with proper VLANs, etc. But now I want to move out from IPSec to Wireguard. Presently I have 4 always on tunnels -...

pawlisko

So I made some testing and... Power sources: I. 2-pin terminal (power brick with output - 24V - 1.5A = 36W, exactly the same as a delivered power supply for DC jack with the router) II. ZyXEL GS1920-24HP PoE (802.3at compliant [power modes: legacy, 802.3af, pre-802.3at, 802.3at]) switch (50.0–57.0V ...

pawlisko

So I purchased 5009 and I don't want to experiment as it is in prod but there is an important question Unit has 3 possible way of powering - normal jack, dc green jack, poe on eth1 - what is the priority? so I would like to have it run on PoE and if PoE fails it would do go green jack, but when I di...

pawlisko

Did I miss anything? I was under impression that TLS and LZO will be implemented alongside UDP.

If not - any timeline on this?

Thanks,
Pawlisko

pawlisko

@holvoetn My config is a bit large - 1.5MB, I have about 27k lines of code of different IP lists as I use this for routing through different IKEv2 tunnels (it is country-specific), I am using HE.net for IPv6 traffic as my ISP is not providing IPv6 addresses, also HE.net provides me with Dynamic A-ad...

pawlisko

Hi avav, Thanks for the info - today I've spent an entire day experimenting. What was weird was all the beforementioned issues disappeared after reboot. Which is strange but who I am to judge. There is a bug thou - WG instance becomes useless after the change of port. The only remedy is to delete th...

pawlisko

Hi all, Current working config. MT with multiple IKEv2 tunnels to different VPN providers, splits are working based on IP ranges. On RaspberryPI working WG server in roadwarrior mode. Just upgraded to 7.1 I was able to move the WG server from RPI to MT, it works (interface name wg0 on MT). So I can ...

pawlisko

Hi All, I run multiple VPN tunnels and also use DoH option. Here are some issues that I have. 1st issue: If DoH option is enabled all resolving including VPNs (even with Exclusive use of responder's DNS) is done by DoH server. Is this by design? Should it be just like with "normal" DNS set...

pawlisko

Okay, so there are a few that support AES-256-GCM, they are the most expensive ones. Interestingly, SHA384 is not listed anywhere, I guess it means that SHA384 is not supported on any of them. SHA384 is supported by them - I know I use it. Please reread my original post. SHA384 was added few weeks ...

pawlisko

Well it is worse than that. AES-256-GCM is supported by RouterOS, but it has no hw acceleration on any MikroTik devices that I know of. It means that even though it is usable, you will most probably get poor performance. But it might be a hardware limitation that cannot be solved from software. As ...

pawlisko

First of all let me say thank you for changes in rOS 6.48 but just created even more confusion and I needed to downgrade my setups as it messed-up Phase 2 for me. Awesome changes to Phase 1 (Profile) but: Encryption Algorithm section should be in compliance with https://wiki.strongswan.org/projects/...

pawlisko

I have a VPN which offers IPSec/IKEv2 connection. I set it up on Mikrotik and it is working but...

I would prefer to use AES-256-GCM-SHA384 connection over what I have now AES256-CBC-SHA512.

AES-256-GCM is much much faster than AES-256-CBC.

Any chance of implementing this? Or workarounds?

Thanks,

pawlisko

I followed https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS and it is working.

Now I would like to add second peer for certain local addresses.

How to do it

Search found 60 matches