MikroTik

dot02

in that case, if there is a HD defect, you should check with your reseller to get the modem replaced if still under warranty.

dot02

I couldn't agree more. Apparently a LTS is supposed to be released "soon-ish". But I'm also craving for it...

dot02

good one!

dot02

apparently is is being added back to ROS 7.18. The 7.18beta2 mentions it in the changelog:

https://mikrotik.com/download/changelog ... lease-tree

dot02

Thanks for your kind words, guys! Well, of course, I completely agree that having it working again now does not mean I should't investigate the root cause. This is now definitely on my task list. But in the meantime, at least I have a stable, running system and I can sleep at night. As you pointed o...

dot02

Thx! (I hope this procedure will also help others in the future). Regarding the reasons for the downgrade: 1) I like to have all production devices running the same version, which is, in my case, 7.11.3 for the time being. I am still craving for a ROS7 long-term to be released... 2) I always read th...

dot02

SOLVED, I found a way around: before downgrading from 7.13 to a pre-7.12 version, you have to remove the wireless package using the following command: /system/package/uninstall wireless then, you have to reboot, and only after this step you can upload the ros .npk files and perform the downgrade usi...

dot02

The device I'm trying to downgrade is a LtAP mini RB912R-2nD-LTm revision 3. Nope, I only tried to downgrade it from the GUI/CLI, not with netinstall (yet). As I am not physically at the device's location, I'd like to exhaust the easy options first. Yes, I always have up-to-date (and tested!) config...

dot02

I tried, unfortunately the wireless package is not available for public download for 7.12 and earlier (and I got the "system, error: missing package wireless" log entry). So for the moment I'm stuck with 7.13 and can't go earlier. I will need to contact support and see if they can send me ...

dot02

Thanks for your replies! Factory-installed version is an old 6.44, so this is definitely not a problem. I was only wondering regarding pre/post 7.13 as the structure of the packages was highly modified starting with 7.13. If you UPGRADE from 7.10 to 7.13+ for instance, you have to go through 7.12 as...

dot02

Hi, referring to this official downgrade procedure here... https://help.mikrotik.com/docs/spaces/RKB/pages/328316/Downgrading+RouterOS ...I am wondering if this also applies if I want to downgrade from a ROS >=7.13 to 7.12.x or earlier, as there were significant changes regarding the packages? Cheers

dot02

I am replying to this old threat because I ran into the same issur and indeed the auto-erase command in /tools/sms seems to have disappeared somewhere between ROS 7.11.2 (still present) and 7.16.1 (missing) without any mention of this in the release notes. (Also, the old "keep-max-sms" fea...

dot02

I wouldn't go to the max voltage (57V). It won't bring you any benefit over 48V. Better to get a beefy 48V PSU than a flimsy 57V. The router's internal electronics (DC/DC converter) will step down the voltage anyway. It's never a good idea to operate a device at its absolute maximum ratings if you w...

dot02

also have a look at the used market for old Cisco PSU's used for Access-points (for those you couldn't or didn't want to use PoE). They are rock solid and cheap to get. I'm talking about really old stuff like for the AP1242AG series...

dot02

1) yes, (a) would be very convenient, [(b) nice to have, but not mandatory for me] 2) (c) Self-hosted server as package on a powerful MikroTik router would fit me best, (b) Self-hosted on x86 is a close second choice. Cloud (a) is a no-go for me, but I can imagine that some users would appreciate it...

dot02

thank you all for your inputs: @larsa: I also had your "2.a" solution in mind. For sure, I would get way more gain with my repurposed satellite dishes than with the built-in reflector of the LHC XL 5 ac. IF the PTP link was possible, then chances would be way better that way. 500-600Mbps w...

dot02

Oh sorry indeed it might be a bit confusing without having more details! Let me correct that right away! First off, let's say it is non-commercial installation in the sense that I don't make any money out of it and there's no actuel business running. That being said, the setups, like the whole IT, i...

dot02

That's what is already in place. The only part we have no control over is the public 4G network. That would be the point of setting up a PTP link we would control over. But as said it might be a lot of efforts for a very small benefit in addition to the huge data volume going over the 4G connection ...

dot02

Yeah that's what I think too. It's almost a lost cause and probably not worth the trouble.

dot02

Thanks for the hints, Larsa! I guess I could get a lattice tower for very little money, maybe even for free, but the main issue may be to get the approvals to install it. In the meantime, the current solution we have in place is the (now discontinued) LDF LTE6Kit installed on a professional offset d...

dot02

I absolutely agree, but unfortunately there are some situations where fiber links cannot be installed for various reasons, e.g. too far away from the public infrastructure, running through private or public property and so on. For instance, I have a site that had to be connected via LTE because FTTH...

dot02

Thank you Normis! This is a clear statement, with valid arguments and I think (most) people will understand those and can live with that for a couple more weeks (months?

).

dot02

1) non licensed band => yes 2) no visibility => yes 3) 802.11 (WiFi) => could be, but might be other options as well 4) Compromise with somewhat OK speed and somewhat bad visibility. => yes Indeed that would be a good starting point for discussions I guess! Larsa made a good point since the technolo...

dot02

Ur not listening. ????? On the contrary! The title says "Long Term release or new functions" => my personal answer is "Long Term release". If they apply resources doing LTS effort, then those resources are not available on other work. . Exactly. Acknowledged and I would personal...

dot02

as mentioned: The usecase would be to connect 2 sites together (PTP) in non-ideal setups (no direct line-of-sight) without having to use public networks such as 4G/5G nor licenced RF bands. It's (almost) never a good idea to impose technical specs (e.g. Wifi or 60Ghz) when discussing user requiremen...

dot02

Indeed. But on the other hand, the higher le frequency, the hither the throughput (Nyquist Law). This is where compromising in the hardware engineering comes in... I'm not looking in the details of such solutions (yet), I was more thinking about an open discussion about if someone would need such pr...

dot02

OP, clarify what you mean specifically. I think LTE, 5G, LoRA, CAT-M are all non-los technologies

=> good point. I updated the topic description.

dot02

Well, you have 3 types of RF-setups: 1) ideal case, both endpoint can see each other directly, and the Fresnel zone is not obstructed): This is LoS (Line-Of-Sight). 2) both endpoints can see each other, but there is some objects in the Fresnel zone, which impacts RF transmission (even though both en...

dot02

Maybe you could use one of the indoor 5G routers from MT and add an external, outdoor 5G antenna?

dot02

Are any of you looking for Point-to-Point Near- or Non-Line-Of-Sight products from Mikrotik? Or maybe you already managed to tweak the existing products to do so? The usecase would be to connect 2 sites together (PTP) in non-ideal setups (no direct line-of-sight) without having to use public network...

dot02

Hi all, Are there any plans to replace the now discontinued RBLDFR&R11e-LTE6 or is the whole LDF product range being phased out? I guess this was really a niche-product, but we use several of them and these are wonderful little devices, and I'd love to see a beefier version (more processing powe...

dot02

We've had this discussion already a couple months ago: https://forum.mikrotik.com/viewtopic.php?p=998999 And yes, at least IMHO it doesn't need to be perfect, so according to the official doc, officially renaming the most stable, less buggy version as LTS would be a great starting point. Screenshot ...

dot02

Have a look here:
https://mikrotik.com/mfm

dot02

We'd really appreciate the release of a 7.x LTS asap (I mean, REALLY!). It doesn't mean releasing new feature is not important, but at a certain point, it would be wise to slow down (I didn't say "stop"!) the dev of new features in favour of bugfixes and stability from time to time. Then, ...

dot02

yes that's absolutely true.

dot02

Besides the 13 ports, one very neat feature of the RB1100AHx4 is the relay-operated hard bypass port. Most people will never use this, but for a few, it is of utmost importance. They are also very stable (which is not always true for some routers with other architectures) The built-in redundant 230V...

dot02

you mean, so that non-windows users can stop WINE-ing?

dot02

Indeed! Thanks for the link, I wasn't aware of this feature!

dot02

I did not read any of the replies in order not to get biased. So: 1) Yes, if by "session" you mean what I will describe in point 2. Otherwise, no. 2) I know the "session" concept from Arista. You create a session, configure all the changes without committing them, and at a later ...

dot02

OK in that case, it means that I could use any port for any purpose, because no ports will have the same vlans assigned, and all the traffic will go through the CPU anyway. Therefore, it might be best indeed (and also to keep it visually coherent) to use ports 1-5 for LAN, 6-10 for DMZ and 11-13 for...

dot02

But the second you cross a VLAN boundary, it goes through the CPU, full stop Ok, so that means that even inter-VLAN routing is ALWAYS done on the CPU, no exceptions (e.g if vlan 10 and 20 both belong to the "LAN" Port-group, and both are exclusively tagged on switch1 (for instance port 1 ...

dot02

ok, so in this case you would setup LAGs with 1 port on the 1st switch and 1 port on the other switch?
Do we know how the RB1100 will select which port it uses to send out traffic (like built-in priority for ports able to communicate without running over the CPU)?

dot02

Oh, I see! Well that will never happen. Backups will stay in the internal network, and the whole traffic is running over the internal Firewall. The mikrotik will never see such backup traffic, unless it is for inter-site backups (and it that case, it will use encrypted tunnels over the WAN port). Bu...

dot02

And, while likely LAN-to-LAN might be infrequent... but always possible you'd have HUGE backup/restore over LAN and that's when HW offload ports be handy SO that doesn't overwhelm the CPU if it did happen.

hum...I don't catch your thought, could you re-explain to me what you mean?

dot02

Will LAN hosts communicate between each other? very few. it's anecdotic. The Mikrotik routers are edge routers, and what I've defined as "LAN" segments are actually a transit to the inner firewall, which handles the inter-VLAN LAN traffic. There are a few exceptions but we're talking abou...

dot02

They're dated sure. RB1100AHx4-Dude has 2 x M.2 slots to use as a disks... Plus more ports than RB5009 & redundant power supplies. And at least ARM, so runs ZeroTier. Everything has a use. Indeed. Dated doesn't mean outdated. I completely agree: if it works and fits the needs, why changing it? ...

dot02

the RB1100AHx4 does not have HW offloading from the CPU, but still had HW acceleration to offload some tasks from the CPU (sorry, I wasn't clear): https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration This will be perfectly fine for my needs, as the RB3011 are already "almost&quo...

dot02

Hi fellahs, I just bought a pair of RB1100AHx4 to replace RB3011 routers, especially to be able to do some HW acceleration for AES-GCM/AES-512 as the 3011 CPU’s were redlining most of the time. Before assigning the ports on the new RB1100AHx4, I had a look at the block diagram here: https://i.mt.lv/...

dot02

These missing transistors look like a simple voltage supply regulation with no negative feedback so that the fan does not cause any interference with nearby circuitry. But it could also be for a LM7805 voltage regulator IC (also 3 pins)...That would require some advanced reverse engineering. Therefo...

dot02

OK I found a fan in my garbage. Sunon MF30060V21000UA99 (30x30x6mm)

connection.jpeg

fan.jpeg

Works like a charm. For the moment the fan is blowing the hot air out of the case but it might be better the other way around. I will monitor it to see which way is better.

Enjoy!

dot02

Here are the pictures: Full board: board.jpeg Power section detail: detail.jpeg now, after several tests, I would suggest not to tap one of the DC input PSU's connectors (the white ones). Even though it supplies 24VDC with more than enough current to power bith the board and the fan, these 2 inputs ...

dot02

You have a good point here: Product lineup strategy has a big impact on the dev of LTE vs. stable releases. As Mikrotik is one of the only companies that has both professional and power-consumer devices in their lineup, the users in both cases may have diverging opinions on what's most important. Mo...

dot02

well, development of ROS 6 seems to have stopped by end of 2021, which explains why there is no need for new bugfixes for the long-term: because no new features have been added, most bugs were already fixed in the latest 6.48.6. But it is still fully supported, from the public info available. As you...

dot02

alright, these are internal, strategic decisions which have to be taken, and you guys certainly have good reasons to do so. At long as these strategic choices are communicated to the customers, there's nothing to argue about. Now, my 2 cts (but this is only my personal opinion): I would be very sad ...

dot02

Firstly, "doing so because everyone else does" is not an argument! It does not become the truth just because it is the most popular option. Secondly, it is (sadly) true that because the Time-To-Market was significantly reduced over the past 2 decades, testing is done more and more on the c...

dot02

Hi Normis, It's only a name. If you think 7.8 is stable enough to be called that, just use it, no matter what it's called :shock: C'mon man! I can't believe you just wrote that! Please tell me you had a gun pointed at you and you were forced to write that! :shock: It's not "only a name"! I...

dot02

Honestly, I can understand that testing takes time, especially for a completely new release like the 7.x. If they published a long-term version that was not stable enough, we would be among the first to complain. But it's the lack of communication/roadmap in this regard that I really don't understand.

dot02

by mkx » Wed Jul 20, 2022 5:26 pm I'm sure some slightly more recent version (e.g. 7.2.3) will appear as long-term soon enough. ...Well.... :lol: More seriously, it there any plan to release a long-term 7.x any time soon-ish (let's say, in 2023) or at least a roadmap? We're getting more and more pr...

dot02

okay, in that case, that may not be worth the trouble just to add a fan. If the router is sold fanless and there are no feedbacks or complaints about hardware failures, I think I'll leave it as it is and forget about it.
If the designer of the board reads this, however, feel free to drop in

dot02

Well there's a big difference between both approaches. A fan controller has some logic to drive and control the fan (temp control, fan RPM monitoring, etc.). And it has been made clear that the PCB doesn't have that, and that's perfectly fine. This doesn't mean that the board couldn't have a simple ...

dot02

Hi, just a quick question as I was also planning to add a fan to the enclosure of my RB1100AHx4's: on the PCB tabs labeled "FAN", there is no voltage whatsoever (I was expecting +5V as labeled). I read above that the PCB doesn't have a fan controller, which is not a problem, but why is the...

dot02

Thanks for the feedback! Indeed, the SIP service port function should be disabled. That's actually an issue I had myself when setting up my networks (setup quite similar to yours). If you were using the same ROS version on the Hex S, then yeah, you should have a close look at the FW rules, chances a...

dot02

could you post the parts of your config regarding ike, ipsec and firewall?

dot02

I would try to start with an explicit inbound rule on site B router, which allows Winbox connections. Try that and see if you have matches on that rule.

Are the IP's you get public IP's or CG-NATed?

dot02

As promised, here are some pics of the installation of another LTE6kit (RBLDFR&R11e-LTE6) on a remote site (hangar) near Ham-Sous-Varsberg, France. Same dish (Kathrein CAS06 with special die-cast LNB adapter). It is a 60mm mount, with the anchor bolts chemically sealed into the concrete wall for...

dot02

This LDF LTE6kit (RBLDFR&R11e-LTE6) is used for 4G backup as well as for testing&staging (simulating remote sites to be deployed). It is installed on a professional Kathrein CAS06 dish with an LNB adapter, as the Kathrein attachment is a propriertary clamp. Besides the Mikrotik LTE6kit, the ...

dot02

Did you get a feedback from them yet?

dot02

Yes I would be interested too!

dot02

We are running on 7.5 only to have a standardised deployment across all devices, but waiting desperately for a 7.x long-term version to be released. I'd really like to know that is holding back... I agree with r00t, as long as: There are no security issues the release is still officially supported W...

dot02

Hi,
even though this post is nearly 10 years old (and some other posts on this topic are even older), could you confirm that ad-hoc Wifi mode is still unsupported on MT devices. especially on the mAP lite?

Cheers
Denis

dot02

Hey Guys, I was thinking, what about a really small, pocket-sized mobile router? Let's say with following parameters to start with: very small enclosure, about the size of the mAP lite if possible 1 SIM slot Wifi 1 usb port (for PWR) 1 ethernet port (for PWR/data). Not even sure if the ethernet port...

dot02

Same here. We'll try to set it up and will report here as we progress.

dot02

Hi all, I was doing some performance tests on a pair of RB3011UiAS-RM running ROS 7.5. I have a GRE/IPSEC tunnel between both devices over a 1GB WAN link. The /ip ipsec profile looks like this on both devices: dh-group=ecp521 dpd-interval=5s dpd-maximum-failures=3 enc-algorithm=aes-256 hash-algorith...

dot02

I've solved it last night. It is working like a charm now. Even if it is a bit off-topic as it deals more with the PFsense config than the MT, I'd like to share my findings in case someone else is running into a similar issue. The issue in my setup (2 gateway IP's on the same transit subnet) is, as ...

dot02

@Znevna: well it's quite easy. VLAN100 is a transit VLAN. On the Pfsense, I have 2 gateways set. GW1 to the Cisco router and GW2 to the MT. Each rule has automatically GW1 set as the default route (that is default Pfsense behaviour), unless you specify it otherwise (on a rule-by-rule basis, or via p...

dot02

Here's a quick drawing of the setup: Screenshot 2023-01-03 at 12.54.44.png while looking into the captures again, I think I found the cause of the issue. This one is with sdst-nat and src-nat on the MT. From the dst field of this frame (this is the SYN,ACK frame) we can see that the frame is sent to...

dot02

Hi Znevna, thanks for your input, I might need to add some more details to give you more insights here indeed: you didn't replace anything. You just added extra stuff to the existing setup (which was already double nat): Not exactly. The MT will eventually replace the Cisco router. The MT is the new...

dot02

I made some additional investigations, and found something interresting... the setup is as follows: Client is somewhere on the internet (another public IP) Test server behind the PFsense Captures are made on the PFsense, transit VLAN to the Mikrotik 1) Capture with DST-NAT + SRC-NAT on the Mikrotik:...

dot02

I managed to find a couple of minutes to create a test VM on the transit vlan between the MT and pfsense. And indeed, it is perfectly reachable from the outside world using only dst-nat, and no src-nat. When I move the VM on a vlan behing the pfsense, I need dst-nat to be able to reach it from the o...

dot02

I agree. This is why I tried 2 different ways (but with same results). As a starting point, I had the Cisco as the def GW from the PFsense's perspective. Then I did: 1) specifying MT as the gateway for packets coming FROM a specific source (mailserver). The traceroute + packet captures did show that...

dot02

That was my first clue, too, but the fact that the traffic over the old WAN/Cisco (also DST-NATed) works flawlessly. this is what I don't understand. I think I will put a test web server in on the transit VLAN, so that I can test reaching it from outside over both WAN links (MT and Cisco), without t...

dot02

all vlans behind the pfsense have their default route pointing to the Pfsense The Pfsense has 2 WAN links, the old one over the cisco router (waiting to be decommissioned), and the other one over the Mikrotik. The PFsense has no dynamic routing, only a few static toutes for sites connected over VPN....

dot02

Hi all, I have a RB3011 with ROS7.5 running as an edge router. Behind it is a pfsense FW via a transit vlan (172.16.100.0/24), and behind that FW, a mail server on one of the PFsense's legs (mailserver=172.16.15.11). The Mikrotik does the NAT-ing between the internal 172.16.0.0/12 networks and the p...

dot02

The error messages vanished after I checked and adapted the MTU on all GRE interfaces (no errors for over 2 weeks). I don't really understand why MTU settings would trigger a DPD error, but it works now, that's the most important thing.

dot02

+1 for ospf mtu-ignore from my side too...

dot02

Hi folks, I am running into a issue and your input would be much appreciated. To make it simple, I have 3 MT routers with GRE/IPsec (IKev2) tunnels in a triangle. router A: RB3011, ROS 7.5, static public IP address router B: RB3011, ROS 7.5, static public IP address router C: LDF LTE6kit, ROS 7.5, d...

dot02

In your case I'd definitely go for an outdoor device. I personally use the LDF LTE6 kit (ref. RBLDFR&R11e-LTE6), it does support PoE (both passive and "real" 802.3af/at). You can try to point it directly to the BS with no additional hardware, but as you are not quite close to it, you'd...

dot02

Another cool feature would be to add a timer (In a separate script to give the admin some flexibility) that would disable Wifi after a hard-timeout. After 6 hours for instance. The button could still be used to switch wifi on/off manually with the current script, but if the user leaves the site and ...

dot02

Much appreciated, thanks (I'm serious, this is not sarcasm!). I'm really bad at scripting, and even if I was good at it, I would still appreciate comments and improvements!

dot02

Your script works very well, too, so I switched to this version too. thanks!

dot02

comments are welcome to improve the script! However, the script does work as it is.

dot02

For those interrested in using the button on the mAP lite for turning Wifi on/off on the mAP lite, I modified kelner's script slightly (the button to use is the reset button in this case). Also, you only need a short push (less than 1s) for turning wifi on/off. The LED already reflects the Wifi stat...

dot02

I can confirm, it works! thanks a lot for your hints, I would never have found the solution myself. so, to sum up for others who might have a similar issue: the key is to configure an IP address directly on the interphace (physical ethX or LAG, if any) for the native VLAN, but NOT creating a VLAN 1 ...

dot02

thanks for your reply and hints. You are right regarding the bridge ports in my config. They aren't used...yet! But I need those to setup a Loopback interface which in turn will be used for OSPF and GRE/IPsec tunnels, which will happen in the next couple of days. So I will be needing these bridge po...

dot02

Thanks for your help, guys. Yes, the show-sensitive parameter was already set to hide sensitive data a while ago. I don't remember if the switch was made between 6.x and 7.x release, but it quite likely. I think it was around that time. I stripped the really unrelated lines of config (LCD screen, NT...

dot02

Hi team, I ran into an issue that I am apparently not the only one to have. On one site, I am currently migrating from a Cisco edge router to a MT RB3011, v7.5 stable. eth4+5 bundled as a LAG to a switch, with a trunk on top of it (several tagged vlans, e.g. vl100 (transit VLAN to the “inside” firew...

dot02

Why complicate things if the function already exist... 1) to protect our jobs by adding an extra layer of obscure complexity 2) to make us feel important by configuring stuff that looks impressive when your boss is looking over your shoulder 3) just for the fun of it because we're engineers 4) beca...

dot02

I also confirm the script above works well. I wanted to enhance it and to only reboot it when the SMS message was a specific string, e.g "reboot". #Replace with the authorised phone number :local phone "00000000000" :local rebootSmsMessages [/tool sms inbox find where phone=$phon...

dot02

Here's one of my builds: 3011 (1).jpg 3011 (1).jpg On the mainboard side, be sure to use a soldering iron with at least 50W, especially on the "ground" side, the heat is dissipated across a large area, so you want to be able to heat the soldering point in a few seconds. For those who wonde...

dot02

Hi c2h5oh, with which MT device are you using the Quectel EM12-G modem? Is the integration seamless? Is it stable over time or to you need to reset the modem regularly? cheers, Denis

dot02

Hi, this post seems outdated, but just for the record, in case anyone wants to ask the same question... The LDF LTE6 kit is designed for offset dishes, however we are currently doing some labs with PFA antennas (Prime Focus Antennas, i.e. central-fed, real parabolic dishes with modified feedholders)...

dot02

But of course! Multicast! How could I have overlooked that?! As mentioned in the beginning of this topic, I made a boo-boo... I just corrected the FW rule and the adjacency came up almost immediately (actually, I still had to do a small correction on the MTU size of the GRE interface for the state t...

dot02

Indeed, as you say it's not that straightforward. I think it might be better I try to replicate the config in a lab.
Gimme a few days to put that together.
Cheers

Denis

dot02

I implemented the OSPF setup while running 7.3, and it didnt work either. After an upgrade to 7.4 (current situation) as we could see it, it still doesn't work. When I was running 6.x (which was long ago), I didn't have any OSPF config yet, so I have no experience to share on this release. I will tr...

dot02

On both sides, the FW counters for the input as well as for the output chains for OSPF are 0 packets. That means that the OSPF packets not only don't reach the other router, but they don't even leave the local router. (At least, as a tiny consolation, it seems logical that the packets never reach th...

dot02

Oh sorry my bad, I was too quick. Thx for the editing!

dot02

sure, no problem. here's the HQ config: # jul/22/2022 17:19:03 by RouterOS 7.4 # software id = GTSP-YUM6 # # model = RB3011UiAS # serial number = <HIDDEN> /interface bridge add name=loopback0 /interface ethernet set [ find default-name=ether1 ] name=eth1-WAN set [ find default-name=ether4 ] name=&qu...

dot02

Hi Alex, thanks for your hints. I already had such rules on both ends for debugging, and I have no incoming OSPF packets originating from the other side. I even have an output rule for OSPF, and the funny thing is that I don't see any outgoing packets as well. From that perspective, it is logical th...

dot02

Hi fellahs,
any idea on this matter?
cheers
Denis

dot02

I don't know if this topic is still relevant as it's been open for quite a while, but anyhow, as a RBLDFR&R11e-LTE6 owner and user here's my feedback on the subject: 1. Which LTE Category you are interested in most - CAT6, CAT7, CAT9, CAT11, CAT12, CAT16 or some other? CAT7 or 12 would be great ...

dot02

Hi, have you figured it out yet or shall we look into it?

dot02

Hi Guys (and Girls), I think I have a boo-boo in my config. I am trying to get OSPFv2 working over a GRE tunnel. The tunnel works just fine between 2 locations and static routes: 172.20.0.0/16 ---R1--- GRE=172.30.2.1/30=========172.30.2.2/30---R2---172.18.0.0/16 OSPF is configured correctly (I think...

dot02

Thanks for your reply. To answer your questions 1. all the other VLANs have static IP’s, DHCP is not needed. And even the existing DHCP config is temporary, another DHCP server is being staged and will be ready in a couple of weeks. 2. Bridge filter: This was part of an old config as far as I can re...

dot02

My thought was to have the management port completely separated from the data traffic. I might change the design in the future, though...

dot02

Here we go. the OSPF config is in progress, please ignore that part completely. My issue regarding the reachability of the eth10/vlan2 IP is unrelated to the OSPF config in progress (which I only started 2 or 3 days ago). The FW rules are also being staged (a lot of try&guess) as I was tshooting...

dot02

Hi all, I have another question, I am overlooking something very simple I guess. I’ve set up my RB3011 with several VLANs. They are all connected to the network via trunk, which is linked to a port-aggregation (eth 4+5) In parallel, I have eth10 acting as a management port (VLAN 2 - 172.20.2.0/24) h...

dot02

niiiice, it was the mode config indeed! now my IPSec SA's are up! The GRE is up&running as well, I used the following parameters: GRE interface config HQ router: local address: Loopback address HQ (172.20.0.1) remote-address: Loopback address 4G (172.18.0.1) GRE interface config 4G router: local...

dot02

I played a bit with the configs and it looks promising. policy: peer=anyone src-address=172.20.x.y/16 dst-address=172.18.z.t/16 If I use lookback interfaces (bridge with no physical interface linked to it, and 172.20.0.1/32 on HQ side ; 172.18.0.1/32 on the 4G side), The IPsec policy should look lik...

dot02

Alright, now I think I get it! Thanks very much for the detailed explanation! At first I didn't realise that my current setup has to be considered as an exception due to the fact that BOTH gateways had public&static IP's. And frankly, after having configured dozens of IPsec tunnels over the year...

dot02

I'm lost... I tries that config yesterday but the ipsec tunnel still doesn't establish. I compared your config with another (ikev1) config I have on the HQ router (which is running rock-stable for weeks) and it is the other ways around: /interface gre add allow-fast-path=no mtu=1300 name=gre-tunnel1...

dot02

are you sure about the src-address/dst-address vs. sa-src-address/sa-dst-address? I'm pretty sure it is the other way around: the SA (as the name tells) deals with the security associations, so the addresses in the PRIVATE range. The src/dst-addresses however are used in the IPsec policies to CREATE...

dot02

Thanks for the feedback! the identity settings must match each other, i.e. the remote-id of one peer must match my-id of the other peer Sure. But can I put a different ID for each side, for instance: Site A: my ID=fqdn ; remote ID=key_ID Site B: my ID: key_ID ; remote ID=fqdn I have valid fqdn's for...

dot02

Hi guys, I'm struggeling setting up a VPN (MT to MT) between a main site (public DNS record and static IP) and a remote site (4G) which is behing CGN, and of course it has a dynamic IP in the 10.64.0.0/10 range. The should not be a problen since I have a script that updates the DNS record according ...

dot02

good to know! The script does update 100.64.0.0/10, though.

dot02

Thanks! Your version looks much cooler indeed! I'll update my router this evening! One question though. If we look at these lines: :local ovhresult [/file get "OVHDynDNS.$ovhddnshost" contents] /file remove [find where name="OVHDynDNS.$ovhddnshost"] is this file only stored in th...

dot02

nope, no hidden chars. You only need to adapt the 1st few lines according to your OVH subscription. You onky need to be careful on the OVH format (which you get from your OVH dashboard). Let's say your dynamic sub-domain is plop.mydomain.com, then it should look like this (be very careful with the l...

dot02

sorry guys, I didnt see there were replies. Here is an updated version of the script that updates the real Public IP, even if your router is behind CGNAT , I tested it and it works. Comments are more than welcome if anyone sees anything that could be improved. :local ovhddnsuser "<OVH_USERNAME>...

dot02

Hi, the script works great as long as the IP address on the WAN really is a public IP. In my case for instance, I have a remote site router behind CG-NAT (LTE connection thanks to a MT LDF LTE6 kit), so the IP I grab is a NAT-ed 100.64.0.0/10, which is to be expected since this is the IP that the IS...

dot02

Here's a working example of a Mikrotik - Cisco IOS site-to-site VPN. I hope it will help some of you who, like me, struggled to make it work. You have to use GRE tunnel mode, I was unable to make transport mode work! MIKROTIK SIDE: /interface gre add allow-fast-path=no mtu=1300 name=gre-tunnel1 remo...

dot02

GRE is in tunnel mode for the moment. I will check tonight is I can put it in transport mode or if it fails. I don't yet know which one I end up using in production. IPsec is taking care of the encryption between the public IP's of both endpoints and I don't NAT anything on these interfaces, so it s...

dot02

SOLVED! Alright, I found the problem: It was indeed an issue between the generic GRE implementation used by MT and the based-on-GRE-ish VTI implementation by Cisco. this works: interface Tunnel1 description TUNNEL TO MIKROTIK ip address 172.30.1.1 255.255.255.0 ip mtu 1300 qos pre-classify tunnel so...

dot02

@Sob: well, that depends of where you come from! Im my case it's the opposite, I am quite comfortable with cisco IOS as I've been working with it for 15+ years, and it's the MT RouterOS that I find less intuitive. The good thing is that the more you work with different vendors, the more comfortable ...

dot02

@Sob: yeah, good idea, indeed as the original config was 100% fine, it might be a good idea to keep it as it is and to check on the MT side. Is there a way to display the logs on CLI? I looked into the config again, and maybe I have a hint: Here's the config of the Cisco that is the other endpoint: ...

dot02

On the cisco side(ipsec debug), I see packets from MT => Cisco coming in:

#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
no errors listed....

dot02

No luck so far, The only way to get the GRE tunnel UP/UP is to put it in tunnel mode, not transport. Regarding the ACL's on the WAN interface, I don't get any matches on the GRE-specific ones. On the Cisco side, I see the GRE tunnel flapping regularly, and also on the MT side I see the IPsec SA's be...

dot02

I made rthe following modifications on the Cisco side: crypto ipsec transform-set TSET_MIKROTIK esp-aes 256 esp-sha-hmac mode transport # ACL's on the WAN interface: ip access-list extended INBOUND permit gre host 2.2.2.2 host 1.1.1.1 [...] ip access-list extended OUTBOUND permit gre host 1.1.1.1 ho...

dot02

I've added the transport mode, the GRE tunnel comes up, and I have a route in the routing table, seen as "directly connected" as it should: 172.30.0.0/24 is subnetted, 1 subnets C 172.30.1.0 is directly connected, Tunnel1 However I can still only ping my local interface (.1), not the remot...

dot02

Thanks for the hint about Winbox. Indeed I was using the webGUI instead. I will check with Firefox tonight and see if I can type in a different protocol.

I have access to the Cisco router from here, so let me try to change the transform-set to transport mode right away...

dot02

this is what I mean: crypto ipsec transform-set TSET_MIKROTIK esp-aes 256 esp-sha-hmac crypto ipsec df-bit clear ! crypto ipsec profile MIKROTIK set transform-set TSET_MIKROTIK set pfs group5 ! versus: crypto ipsec transform-set aes-sha-transp esp-aes esp-sha-hmac mode transport ! crypto ipsec profi...

dot02

You can type in the drop-down list in the GUI Definitely not! I cannot enter anything else then what is already in the list. Neither the name of the protocol, not the corresponding protocol number. It could be linked to the browser I was using, I tried with Safari yesterday, but I'll check with Chr...

dot02

Here's the config of the Cisco that is the other endpoint: ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 5 lifetime 3600 crypto isakmp key <same key as on the Mikrotik> address 2.2.2.2 crypto isakmp keepalive 10 periodic // I also removed this for the test yesterday ! crypto ...

dot02

Hi Guys, yes I saw that once entered via CLI, the GUI shows the protocol you entered, I just find it very weird that you have a limited choice from the GUI and that you can't even enter a protocol or protocol number from there as it is a drop-down list to choose from. That feels like a bug to me. bt...

dot02

Interestingly, it turns out that the protocol=gre option is only available through CLI. From the WebGui, you can only choose among all, egp, ggp, icmp, igmp, ip-encap, ipsec, tcp, udp. I modified the entry according to your suggestion (via CLI - and the config is properly reflected on the GUI too), ...

dot02

This is my config, at least the relevant part. 1.1.1.1 and 2.2.2.2 are the public IP addresses on each site (MT=2.2.2.2, HQ=1.1.1.1) ===== STARTS HERE ===== # apr/12/2022 19:52:55 by RouterOS 7.1.1 # software id = GTSP-YUM6 # # model = RB3011UiAS # serial number = xx /interface gre add allow-fast-pa...

dot02

Hi, what I wrote was probably misleading. Of course what I have configured is like your 2nd drawing: MT IPSEC (------GRE tunnel------) IPSEC CISCO I agree with you, the first drawing makes no sense and is not secure as data sent over the GRE wouldn't be encrypted in that case (Good thing to point it...

dot02

Hi all, I've come a long way since my last question in this forum. While I'm still on the beginning of the learning curve, I start linking MT more and more. However, I am stuck in what I believe is a configuration or even misconception of how some things are done in the MT world. I read several othe...

dot02

Hi tdw, and thanks for your reply. Well, what I meant by “Out-Of-Band” is a independent Network port which is hard-wired for management only can cannot be used for something else (e.g. routing or traffic processing). I admit that for most scenarios this means “wasting” a port for management only, bu...

dot02

Hi folks, I am completely new to the Mikrotik world, but not quite new to the Networking world (10+ years as a Network & Security Engineer, Cisco and Radware Certified, etc.) While playing with my new RB3011 (FW 6.46.8 - I can’t upgrade to a newer release as they don’t support/recognise the SFP ...

Search found 148 matches