Search found 89 matches

by OriiOn
Wed Jun 12, 2024 10:19 pm
Forum: General
Topic: All links down
Replies: 0
Views: 942

All links down

On our CCR1036-12G-4S router with ROS 7.14.1 it happened already twice (last time like 3 months back) that all links went down, and up again after a second. 11:30:31 interface,info eth4-KASSEN-NEW link down 11:30:31 interface,info eth6 link down 11:30:31 interface,info eth7-SCHLOFFER link down 11:30...
by OriiOn
Sat Nov 18, 2023 1:40 pm
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 3633

Re: Problems with mangle-rules on RouterOS 7.12

Thanks for your reply Guscht! Here's the correct and complete setup that works - up until ROS 7.2.1 /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=eth11-WAN-2 new-connection-mark=MARK-WAN-2 passthrough=yes /ip firewall mangle add action=mark-rout...
by OriiOn
Sat Nov 18, 2023 11:32 am
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 3633

Re: Problems with mangle-rules on RouterOS 7.12

I am pretty certain this is not a hardware issue, but a software issue. What ROS version are you on?
by OriiOn
Sat Nov 18, 2023 3:39 am
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 3633

Re: Problems with mangle-rules on RouterOS 7.12

Reboot does not work for me. In fact the issue is 100% reproducible (eth11-WAN-2 becomes unpingable). The configuration works fine up until 7.2.1 and stops working after 7.2.2. This can be reproduced with a very simple configuration. Tried and tested on RB1100, CCR1036 and RB750r2.
by OriiOn
Fri Nov 17, 2023 3:08 am
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 3633

Re: Problems with mangle-rules on RouterOS 7.12

Thanks anav, I know you pointed me to chain=output right at the start of this thread. I tried that of course, however (at least on ROS6) it does NOT route the traffic out on WAN-2, as one would expect. Instead only chain=prerouting does that. However for chain=prerouting to work properly, an additio...
by OriiOn
Thu Nov 16, 2023 10:36 pm
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 3633

Re: Problems with mangle-rules on RouterOS 7.12

I have set up a very simple configuration on a RB750Gr2, and tested with all releases of ROS7. The following configuration works fine up until 7.2.1. I can ping WAN-2 IP successfully from a remote Windows machine. When upgrading from 7.2.1 to 7.2.2 WAN-2 IP is no longer pingable. I receive "TTL...
by OriiOn
Thu Nov 16, 2023 1:28 pm
Forum: General
Topic: Fundamental problems at MikroTik
Replies: 32
Views: 5060

Re: Fundamental problems at MikroTik

@rtlx: if you make suggestions like "fire 90% of the staff" you are completely disqualifying yourself, or any valid points you might be making. Are you a member of the team, knowing all the intrinsic workings of this company? Or do you come to this conclusion perhaps 1000s of km away from ...
by OriiOn
Thu Nov 16, 2023 1:06 pm
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 3633

Re: Problems with mangle-rules on RouterOS 7.12

Due to the mangle-rule troubles I have not upgraded my router yet to 7.12, but am still on 6.47.1 When doing what you suggest (disable rule #2, and remove the pass-through on rule #3), it appears as if the traffic is NOT routed out through the eth11-WAN-A1 ISP (which has a lower bandwidth), but inst...
by OriiOn
Thu Nov 16, 2023 1:34 am
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 3633

Problems with mangle-rules on RouterOS 7.12

I am using two WAN connections on my router on interfaces eth11-WAN-A1 (backup WAN) and eth12-WAN-WE (primary WAN). I used the following 3 mangle rules to make sure that if someone accessed the services via eth11-WAN-A1, the outgoing packets would travel out through eth11-WAN-A1 as well: /ip firewal...
by OriiOn
Sun Nov 12, 2023 12:29 pm
Forum: General
Topic: Migrate configuration to different hardware [SOLVED]
Replies: 8
Views: 4197

Re: Migrate configuration to different hardware [SOLVED]

The new device is not within the same network as the old device. In fact they are physically at different locations. The idea was to setup the new machine with the SAME MAC addresses (and configuration) as the old device, and then replace it (remove the old, add the new device). So I actually wanted...
by OriiOn
Sun Nov 12, 2023 1:40 am
Forum: General
Topic: Migrate configuration to different hardware [SOLVED]
Replies: 8
Views: 4197

Re: Migrate configuration to different hardware [SOLVED]

Thank you for your reply! I am sorry, I wasn't clear what "type of migration" I used... I used backup/restore via files. That is probably not the right way to migrate to a different type of hardware? Instead I should use export terse show-sensitive file=config correct? Yes, when using the ...
by OriiOn
Sat Nov 11, 2023 10:22 pm
Forum: General
Topic: Migrate configuration to different hardware [SOLVED]
Replies: 8
Views: 4197

Migrate configuration to different hardware [SOLVED]

I want to migrate my configuration from an RB1100Hx2 (13 ether ports) to a CCR1036-12G-4S (12 ether ports). The old router has the ether ports renamed, instead of "ether1" (default) I use "eth1-SWITCH1", and so forth. Before migration, I make sure I use the same RouterOS Version ...
by OriiOn
Mon Mar 06, 2023 4:03 pm
Forum: General
Topic: Mikrotik CRS326-24S+2Q+RM
Replies: 11
Views: 2390

Re: Mikrotik CRS326-24S+2Q+RM

Thanks for your replies! @roadracer96: so which MLAG/LACP compliant switch would you recommend? The ones I am seeing from Cisco or HP cost €5000 and up - per piece. Compared to what we spent on the 3 ESXi's that seems disproportionate. Ok, the NetApp filer did cost more (€20.000). But it seems unreaso...
by OriiOn
Tue Feb 28, 2023 12:21 pm
Forum: General
Topic: Mikrotik CRS326-24S+2Q+RM
Replies: 11
Views: 2390

Re: Mikrotik CRS326-24S+2Q+RM

Thanks @roadracer96 Is it true that MLAG is unusable in Mikrotik Switches in its current state? Can other users confirm that? So are you running the switches without MLAG instead? I wonder if @sirbryan is using MLAG, because I have the impression (from his post) that he is happy with the switches? ...
by OriiOn
Wed Feb 22, 2023 3:28 pm
Forum: General
Topic: Mikrotik CRS326-24S+2Q+RM
Replies: 11
Views: 2390

Re: Mikrotik CRS326-24S+2Q+RM

Thank you for pointing out the MLAG situation! Two questions regarding MLAG: 1) What exactly does using MLAG mean, respectively what's the downside of not using MLAG, and treating the 2 switches as independent individuals? If I understand it correctly, MLAG means that a connected client sees the swi...
by OriiOn
Thu Feb 16, 2023 1:55 pm
Forum: General
Topic: Mikrotik CRS326-24S+2Q+RM
Replies: 11
Views: 2390

Mikrotik CRS326-24S+2Q+RM

I am planning to buy this switch, to use it to connect 3x ESX hosts and a NetApp Filer via 10Gbit. Is this switch potent enough to operate all of its 24x 10Gbit ports "non-blocking" at full speed? I won't need all of its ports, but just to make sure. Also I plan to use RouterOS instead of S...
by OriiOn
Sun Nov 20, 2022 8:58 pm
Forum: General
Topic: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]
Replies: 8
Views: 2061

Re: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]

Thank you @sindy, will do that!
Thanks again @sob!
by OriiOn
Sun Nov 20, 2022 12:01 pm
Forum: General
Topic: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]
Replies: 8
Views: 2061

Re: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]

Great, that works!
I have always left local-address in peer empty, but I guess it should be always set for cases where a fixed local-address is used in a site-to-site VPN config?

Thank you @sob and @sindy for your help!
by OriiOn
Sun Nov 20, 2022 1:38 am
Forum: General
Topic: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]
Replies: 8
Views: 2061

Re: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]

The VPN is a site-to-site IPsec VPN. However, instead of the VPN tunnel being routed through the default route (main ISP), I want the traffic for this particular VPN to go through the secondary ISP (secondary default route). What options (other than the above mentioned /ip route) do I have? You ment...
by OriiOn
Fri Nov 18, 2022 11:12 pm
Forum: General
Topic: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]
Replies: 8
Views: 2061

Re: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]

Okay, let me formulate this differently. I have two ISPs connected to the router. The main ISP is the default route. Now I want to setup an IPsec VPN, and I want its traffic to be routed through the secondary ISP route. This could be easily achieved by adding the following rule (since the remote's ...
by OriiOn
Thu Nov 17, 2022 1:53 pm
Forum: General
Topic: 2 VPN's force traffic of one VPN through different ISP GW [SOLVED]
Replies: 8
Views: 2061

2 VPN's force traffic of one VPN through different ISP GW [SOLVED]

I want to setup 2 VPNs that use 2 different ISP GWs on my side, but only one ISP GW on the remote side. Like so:

   OUR GW           YOUR GW          OUR LOCAL    YOUR LOCAL
#1 XXX.YYY.ZZZ.130  XXX.YYY.ZZZ.161  10.3.6.0/24  192.168.16.0/24
#2 XXX.YYY.ZZZ.106  XXX.YYY.ZZZ.161  10.3.7.0/24  192.168.16.0/24

Where XXX.YYY.ZZZ.130 (...
by OriiOn
Thu Mar 31, 2022 9:13 pm
Forum: General
Topic: Use different src-address (subnet) for IPsec policy [SOLVED]
Replies: 2
Views: 1874

Use different src-address (subnet) for IPsec policy [SOLVED]

I need to set up a new VPN with a partner (using a Cisco ASA), and they say the network endpoint I want to use 192.168.2.0/24 is already in use. They ask me to use a different network like 192.168.22.0/24, or maybe even only a single address 192.168.22.20/32. How would I do that?
by OriiOn
Wed Mar 02, 2022 2:44 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Well it's the configuration that I posted in this thread, for both RouterOS and Cisco. It's a very ordinary setup - one that I have used a dozen times (including to other Cisco routers without any issue whatsoever). Why in this case we ran into the 0.0.0.0/0<=>0.0.0.0/0 selector issue we still do ...
by OriiOn
Tue Mar 01, 2022 1:11 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

We finally got the VPN to work (IKEv1), by making sure the Cisco router only acts as responder (passive). That way we avoid the 0.0.0.0/0<=>0.0.0.0/0 selector issue.
Thanks again to everyone for the help and the insights, which certainly improved my general understanding of VPNs.
by OriiOn
Mon Feb 28, 2022 12:19 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

I asked for their current full (IKE v1) config. This is what I got: crypto keyring keyring-vpn-livesports local-address GigabitEthernet1 pre-shared-key address 88.XXX.XXX.106 key *********************** crypto isakmp profile isakmp-vpn-livesports keyring keyring-vpn-livesports match identity address...
by OriiOn
Sun Feb 27, 2022 12:32 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

The log stems indeed from an IKE v1 (main) connection attempt.
So I figure the log does not reveal the cause for selector 0.0.0.0/0 <=> 0.0.0.0/0, neither does it reveal which side (RouterOS or Cisco) is causing this?
by OriiOn
Sun Feb 27, 2022 12:17 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Here's the full log
23:05:34 is when phase 1 is initiated
23:05:48 is when a suitable policy can't be found, and the SA's are purged
23:06:02 don't know what happens here
23:06:05 apparently receiving some more data from the cisco
by OriiOn
Sat Feb 26, 2022 12:55 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

I can get the VPN to establish successfully, by adding a 0.0.0.0/0 <=> 0.0.0.0/0 policy. However, I don't know exactly how I have to setup the "action=none" policies, to avoid ordinary traffic ending up in the tunnel. While the config on this test-router I am using here is quite simple, th...
by OriiOn
Fri Feb 25, 2022 8:35 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Have you tried adding this specific, non-template, policy? I haven't. However, to me this seems an odd work around to fix some other underlying issue. Unfortunately I am not a router or VPN expert, and only understand the basics. Neither seems to be the team on the other side, that is supposed to c...
by OriiOn
Fri Feb 25, 2022 2:26 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

We're still trying to get the VPN to work... this time trying IKE v1 (main). Phase 1 establishes, but phase 2 seems to fail: 12:38:13 ipsec,debug proposal #1: 1 transform 12:38:13 ipsec,debug got the local address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=255 12:38:13 ipsec,debug got the peer ...
by OriiOn
Tue Feb 22, 2022 11:11 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

When I add a new profile and a new proposal using command line on my favourite 6.47.10, specifying nothing but the name , the lifetime is set to 1d for a profile and to 30m for a proposal . I can actually confirm that for 6.47.1 I mean the default profile and proposal /ip ipsec profile set [ find d...
by OriiOn
Tue Feb 22, 2022 6:45 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

So Phase 2 SAs are rekeyed more frequently as they are suspected to transport much more data per unit of time than the Phase 1 SA. What is interesting is that RouterOS generates a default Proposal (phase 2) with a lifetime of 1d, and a default Profile (phase 1) with a lifetime of 1h. Shouldn't the ...
by OriiOn
Tue Feb 22, 2022 5:46 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Thank you again for your sophisticated and detailed answer!
by OriiOn
Tue Feb 22, 2022 2:44 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Not sure if I should start this in a new thread? @Admins: feel free to split this. Okay, IPsec basics: I am not 100% certain, but so far I was under the assumption that RouterOS's "Proposal" settings == Phase1 and "Profile" settings == Phase 2? I think I might be wrong on this ...
by OriiOn
Sun Feb 13, 2022 12:26 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Thanks again for your reply! I am learning a lot......
by OriiOn
Sun Feb 13, 2022 10:51 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Is this Cisco config using crypto map or tunnel interface for phase 1? I am wondering since it has the setting " mode tunnel " in it... crypto ikev2 proposal ikev2-prop-partner encryption aes-gcm-256 prf sha512 group 14 crypto ikev2 policy ikev2-policy-partner match fvrf any proposal ikev...
by OriiOn
Sat Feb 12, 2022 2:36 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Thank you again for all your explanations! With that information I will approach the Cisco team. Point is, the Cisco should have stopped sending anything by now. If anything it should send SA_INIT packets by now. Either they manually deactivate all IPsec related settings (as I did on my side) and/or...
by OriiOn
Sat Feb 12, 2022 11:52 am
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

I followed @Kentzo's advice and exported the Wireshark sniff result as a text file. Please see attached file. I am still receiving NAT-keepalive packets from the Cisco... How to interpret that? Also, oddly, it seems the Mikrotik sends out ICMP packets to the Cisco, which I am not aware of, that I ...
by OriiOn
Fri Feb 11, 2022 10:56 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Thank you! Well I will leave the IPsec peer disabled over night, and see what happens tomorrow.
Thank you so much Sir for your help!! You did help me a great deal already :-)
by OriiOn
Fri Feb 11, 2022 10:47 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Please forgive me Sir, I only understand 50% of what you are saying ;-)
I hope this screenshot reveals the information you wanted me to check?
wireshark2.png
by OriiOn
Fri Feb 11, 2022 10:31 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Well, we did experiment with this partner over the last couple of days with various VPN configurations. One of them was an IKEv1 config that actually did manage to establish a connection, but dropped the SA-keys immediately after establishing it. So you want me to disable the entire VPN config (peer,...
by OriiOn
Fri Feb 11, 2022 10:22 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Correct. You can even remove the rule accepting anything from 34.XXX.XXX.251.
Sure, it's only an easy way (for me) to see if there is even any traffic coming from that address. Will remove after the VPN actually works :-)
by OriiOn
Fri Feb 11, 2022 10:19 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Got the following response: [admin@MikroTik Main-Router] > /ip firewall connection print detail where src-address~"34.XXX.XXX.251" or dst-address~"34.XXX.XXX.251" Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 0 S...
by OriiOn
Fri Feb 11, 2022 10:07 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

in other cases, if your router sends a packet first, the response is accepted by the action=accept connection-state=established rule, so they also do not reach that rule matching on src-address-list=VPN. Ah I see, so the "VPN IPsec filter rule for UDP 500,4500" only ever hits if the other...
by OriiOn
Fri Feb 11, 2022 9:59 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Let's hope I have done that right...
wireshark.png
I guess we can see here both incoming and outgoing traffic?
The Cisco seems to send NAT-keepalive and ESP (SPI=xxxxxxxxxxxx) packets.
Whereas the Mikrotik sends IKE_SA_INIT packets.
by OriiOn
Fri Feb 11, 2022 9:35 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

What's interesting is that this rule does not show any traffic: /ip firewall filter add action=accept chain=input comment=VPN protocol=udp src-address-list=VPN src-port=500,4500 34.XXX.XXX.251 is of course part of the VPN address-list. Interestingly, this is something that puzzled me in the past, wh...
by OriiOn
Fri Feb 11, 2022 9:25 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Not sure if this is helpful: 20:20:36 firewall,info CISCO input: in:ether1-WAN out:(unknown 0), src-mac 20:83:f8:57:c4:98, proto UDP, 34.XXX.XXX.251:4500->88.XXX.XXX.106:4500, len 64 20:20:38 firewall,info CISCO input: in:ether1-WAN out:(unknown 0), src-mac 20:83:f8:57:c4:98, proto UDP, 34.XXX.XXX.2...
by OriiOn
Fri Feb 11, 2022 8:06 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Please see attached config file. Thanks for your help!!
by OriiOn
Fri Feb 11, 2022 4:54 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Thank you for your response! Traceroute shows this, however, I know the other side won't respond to ping. I know it's there though. 1 88.XXX.XXX.105 0% 10 0.7ms 0.6 0.5 0.7 0.1 2 100% 10 timeout 3 195.3.65.5 30% 10 5ms 5.2 5 5.6 0.2 4 195.3.68.62 90% 10 timeout 5.3 5.3 5.3 0 5 99.82.177.116 0% 10 9.7...
by OriiOn
Fri Feb 11, 2022 1:47 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11409

Mikrotik <-> Cisco IPsec IKEv2 VPN

Hello! Having trouble setting up my Mikrotik (RB750GL with 6.47.1) to establish an IPsec IKEv2 VPN with a Cisco router. Here's the config of the Cisco Router that was sent to me: crypto ikev2 proposal ikev2-prop-partner encryption aes-gcm-256 prf sha512 group 14 crypto ikev2 policy ikev2-policy-partne...
by OriiOn
Sat Aug 08, 2020 9:10 pm
Forum: General
Topic: VPN IPSec Mikrotik Site-To-Site [SOLVED]
Replies: 2
Views: 2784

Re: VPN IPSec Mikrotik Site-To-Site [SOLVED]

This solved my problem! Wish I had asked you 5 hours ago...
Thanks so much!
by OriiOn
Sat Aug 08, 2020 8:38 pm
Forum: General
Topic: VPN IPSec Mikrotik Site-To-Site [SOLVED]
Replies: 2
Views: 2784

VPN IPSec Mikrotik Site-To-Site [SOLVED]

I fail to set up a simple IPSec VPN between two Mikrotiks. "Active Peer" shows "message 3 sent", I also see "Installed SAs", but only in "one direction", not the return key. I am on v6.47.1 Here's the setup for Mikrotik-1 /ip ipsec mode-config add name=responde...
by OriiOn
Sat May 18, 2019 12:38 pm
Forum: General
Topic: IPSec VPN limiting access inside LAN
Replies: 2
Views: 2051

Re: IPSec VPN limiting access inside LAN

Yes, the NAT rule solved the problem nicely. I forward traffic from the imaginary VPN address 192.168.33.1 to the actual PC inside the LAN (192.168.2.20). /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.33.1 dst-port=80 protocol=tcp to-addresses=192.168.2.20 comment=VPN In addit...
by OriiOn
Fri May 17, 2019 8:58 pm
Forum: General
Topic: IPSec VPN limiting access inside LAN
Replies: 2
Views: 2051

IPSec VPN limiting access inside LAN

I have successfully established an IPSec tunnel via a software VPN Client (running on a PC with local IP 10.42.1.43) to a Mikrotik router. If I specify the correct IP-range of the LAN behind the router (192.168.2.0/24) the remote PC has access to the entire LAN. /ip ipsec policy add src-address=192....
by OriiOn
Sun Jun 24, 2018 12:39 pm
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

No. Mangle rules in this thread mark connections to both router and forwarded ports. But routing is marked only in prerouting, which covers only forwarded ports, not router's own output. If you'd get rid of your routing rule, you'd have to add another mangle rule, to mark routing for output (as in ...
by OriiOn
Sat Jun 23, 2018 1:44 pm
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

And if I correctly understand what you mean with SSTP (router as VPN server, you connect to it as client, and access internet through tunnel), then what you see is correct. Even if you connect to address on WAN2, it's only the tunnel. Traffic inside the tunnel going to internet uses default route, ...
by OriiOn
Sat Jun 23, 2018 1:38 pm
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

Thank you Sob :) Mangle rules still work. But they are in prerouting, literally before the routing decision happens. Result of your mangle rules is (for some packets) a new routing mark. If there isn't anything else, it means that routing decision will use given routing table. But then there's optio...
by OriiOn
Sat Jun 23, 2018 1:42 am
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

I mentioned before that I already used a routing rule before (that I found somewhere in the forums, many moons ago) /ip route rule add action=lookup src-address=[IP-WAN2]/32 table=WAN-2 This rule is supposed to make sure that all communication with the router itself (ping, winbox and sstp) will send...
by OriiOn
Sat Jun 23, 2018 1:33 am
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

Sob, thank you so much for your help and explanation! It works! This rule (in conjunction with the two mangle rules) fixes the problem: /ip route rule add action=lookup-only-in-table dst-address=10.42.0.0/16 table=main However, I still don't understand what this rule actually does? I can totally fol...
by OriiOn
Fri Jun 22, 2018 9:27 pm
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

Btw, I do have another rule in my setup: /ip route rule add action=lookup src-address=[IP-WAN2]/32 table=WAN-2 This rule is supposed to make sure that all communication with the router (ping, winbox and sstp) will send their packets back out on WAN-2, if being accessed from WAN-2. If it works, I am ...
by OriiOn
Fri Jun 22, 2018 9:22 pm
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

Thank you Sob for your explanations and help! So I will keep these two mangle rules /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=eth11-WAN-2 \ new-connection-mark=MARK-WAN-2 passthrough=yes add action=mark-routing chain=prerouting connection-ma...
by OriiOn
Fri Jun 22, 2018 1:58 pm
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

Sob's original post (where I got this solution from) also used "jump" rules, which I understood even less, and therefore ignored entirely. I understood they were further (speed) optimizations...?
by OriiOn
Fri Jun 22, 2018 1:54 pm
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

Well, I am totally not an expert, but I understood that the "return" rule being run BEFORE the "mark-routing" rule acts as a sort of "if-then clause", with the effect that any traffic that is "local" and won't go out through the WAN-interface(s) will not even ...
by OriiOn
Fri Jun 22, 2018 1:33 pm
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Re: Dual WAN mangle rules

I like simple solutions, because that is all my little brain can handle ;) So you say that this rule will make sure that incoming traffic from WAN1 will go out at WAN1, and incoming traffic from WAN2 will go out at WAN2? /ip route rule add action=lookup-only-in-table dst-address=10.42.0.0/16 table=m...
by OriiOn
Fri Jun 22, 2018 3:56 am
Forum: Beginner Basics
Topic: Dual WAN mangle rules
Replies: 38
Views: 20711

Dual WAN mangle rules

I've got two WANs (main-fast = WAN-1, backup-slow=WAN-2). I want that all incoming traffic from WAN-2 (eth11-WAN-2) also goes out through the same gateway (WAN-2). /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=eth11-WAN-2 \ new-connection-mark=...
by OriiOn
Fri Oct 13, 2017 4:09 pm
Forum: General
Topic: Netwatch watch multiple hosts
Replies: 1
Views: 1743

Netwatch watch multiple hosts

How can I make netwatch watch 2 or more hosts, and only execute a script if all specified hosts (IPs) fail? I am pretty sure it's not possible out of the box. But I guess if I have several Netwatch entries (one per host/IP), and each of them sets a "flag", I could test that flag inside th...
by OriiOn
Fri Jun 24, 2016 11:50 am
Forum: Beginner Basics
Topic: VLAN and WAN/internet
Replies: 12
Views: 8804

Re: VLAN and WAN/internet

Just like IP address-list functionality, you can define a list of interfaces and make firewall rules match the groups.
Oh, that is interesting! I might need that in the future :-)
by OriiOn
Thu Jun 23, 2016 1:25 pm
Forum: Beginner Basics
Topic: VLAN and WAN/internet
Replies: 12
Views: 8804

Re: VLAN and WAN/internet

/ip firewall filter
add chain=forward in-interface=br-lan10 out-interface=br-lan-local action=reject
That way I make sure that traffic from "br-lan10" stays within "lan10" and still has access to any WAN ports there may be.

Thanks again ZeroByte!
by OriiOn
Wed Jun 22, 2016 10:26 am
Forum: Beginner Basics
Topic: VLAN and WAN/internet
Replies: 12
Views: 8804

Re: VLAN and WAN/internet

Got it, thank you very much! Now, using this firewall rule to keep its traffic separate from others, is clear. /ip firewall filter add chain=forward in-interface=vlan10 out-interface=!ether1-gateway action=reject However, what do I do if I had 2 WAN gateway interfaces (one backup/fallback in case th...
by OriiOn
Wed Jun 22, 2016 1:10 am
Forum: Beginner Basics
Topic: VLAN and WAN/internet
Replies: 12
Views: 8804

Re: VLAN and WAN/internet

I want to thank you for sharing your time and insight, and helping me understand things better! I know I still have a LOT left to learn about these matters though... So in my "special case" I don't really need the VLAN functionality, but I just go with grouping a bunch of physical int...
by OriiOn
Tue Jun 21, 2016 6:33 pm
Forum: Beginner Basics
Topic: VLAN and WAN/internet
Replies: 12
Views: 8804

Re: VLAN and WAN/internet

I highly appreciate that you take the extra effort to explain what is going on under the hood! It's really helpful, and I guess I did understand what you said for the most part. But I am not quite there yet... /ip firewall filter add chain=forward in-interface=vlan10 out-interface=!ether1-gateway ac...
by OriiOn
Tue Jun 21, 2016 4:16 pm
Forum: Beginner Basics
Topic: VLAN and WAN/internet
Replies: 12
Views: 8804

Re: VLAN and WAN/internet

Yes, sorry, I did mean for the two VLANs to gain access to the internet. Adding the masquerade rule indeed did do the job, so THANK YOU for your help! A follow up question to extend my (little) understanding about VLANs: I did set up the VLAN according to the instructions in the Vlans on Mikrot...
by OriiOn
Tue Jun 21, 2016 2:25 am
Forum: Beginner Basics
Topic: VLAN and WAN/internet
Replies: 12
Views: 8804

VLAN and WAN/internet

I've got VLAN10 (192.168.10.0/24) on eth2 and eth3, and VLAN20 (192.168.20.0/24) on eth4 and eth5.
How can I "connect" these two VLANs with the WAN port eth1 that has the IP 192.168.1.20 (in my test setup)?
by OriiOn
Sun Aug 31, 2014 2:40 am
Forum: Beginner Basics
Topic: Determine traffic going over individual switch ports
Replies: 1
Views: 837

Determine traffic going over individual switch ports

I am using an RB750GL as a switch, where one port is the master port and ports 2-5 are configured as slaves. As a result I can only see the traffic going in and out of the master port (Interfaces List in WinBox), but I can't see how much traffic is transmitted on the individual switch ports. Basica...
by OriiOn
Mon Jul 25, 2011 6:02 pm
Forum: General
Topic: RB750 hardware reliability
Replies: 10
Views: 3961

Re: RB750 hardware reliability

Thank you very much! I will try that.
by OriiOn
Mon Jul 25, 2011 12:40 pm
Forum: General
Topic: RB750 hardware reliability
Replies: 10
Views: 3961

Re: RB750 hardware reliability

We had a few 750's die too (3 out of 10). If you take them apart, you will see 2 large capacitors in the middle. Most likely they are deformed and the top is blown or split. Replace them with solid state capacitors. They are in the $1 range each, so your total fixing cost is $2. Thanks for the valu...
by OriiOn
Sat Jul 23, 2011 2:53 pm
Forum: General
Topic: RB750 hardware reliability
Replies: 10
Views: 3961

Re: RB750 hardware reliability

I think you are right about the "heat" problem: the failing devices did operate in a warmer environment. But really nothing unusual, there's lots of other equipment that performs without any problems. So that is not really satisfactory. My question would be, which other RB models are known...
by OriiOn
Fri Jul 22, 2011 8:09 pm
Forum: General
Topic: RB750 hardware reliability
Replies: 10
Views: 3961

RB750 hardware reliability

I am now having my third RB750 out of 10 which has died with all LEDs on/green, within an 18-month time period. Usually the hardware dealer replaces it without any problem, but I wonder how reliable the routers really are. A 30% hardware failure rate within 18 months is quite unusual. Was it just bad...
by OriiOn
Wed Jul 07, 2010 1:06 am
Forum: General
Topic: Possible IP conflict caused by DHCP?
Replies: 6
Views: 7906

Re: Possible IP conflict caused by DHCP?

Coming back to my original problem with "possible IP conflicts", or whatever other reason is causing the Linux machines to lose their connection to the internet - I discovered the following behavior: after rebooting these machines (and obtaining a fresh DHCP lease), they work for a couple o...
by OriiOn
Tue Jul 06, 2010 12:23 am
Forum: General
Topic: Possible IP conflict caused by DHCP?
Replies: 6
Views: 7906

Possible IP conflict caused by DHCP?

I am using an RB750 (RouterOS 4.5) in one of our offices, which has some Linux-based machines provided by a 3rd party company attached to the router, using DHCP. Now after 2 or 3 weeks since this office is up and running, I am hearing of reports that the Linux machines "lose their access to the ...
by OriiOn
Fri Feb 26, 2010 5:12 pm
Forum: Scripting
Topic: Move a firewall rule to the end (V4.5)
Replies: 11
Views: 8473

Re: Move a firewall rule to the end (V4.5)

Thank you for your very detailed answer! Both your suggestions work.

Then I gave this a try:
move [find action="drop"]
And it worked also...
by OriiOn
Thu Feb 25, 2010 5:53 pm
Forum: Beginner Basics
Topic: Max number of VPN IPSec tunnels
Replies: 3
Views: 5019

Re: Max number of VPN IPSec tunnels

That is good news! So that means the limit is basically how much the CPU can handle. Since we are pushing through very little data, chances are that we can handle dozens of IPSec VPN tunnels? That certainly sounds good :)
by OriiOn
Thu Feb 25, 2010 5:50 pm
Forum: Scripting
Topic: Move a firewall rule to the end (V4.5)
Replies: 11
Views: 8473

Re: Move a firewall rule to the end (V4.5)

In 4.5 move uses the "numbers" and "destination" parameters. But anyway, that does not work either. However, it gets even more weird. For the "destination" parameter passing a variable seems to work! It's just that for the "numbers" parameter passing a variabl...
by OriiOn
Thu Feb 25, 2010 5:17 pm
Forum: Beginner Basics
Topic: question on VPN
Replies: 9
Views: 2438

Re: question on VPN

It should be src-port. Since you use TCP port 1723 I presume you are using a PPTP tunnel. If you do that, you also need to create a firewall rule to let through all traffic via the GRE protocol. But I am not sure on this, first use TCP 1723 only, if that does not work add the GRE rule. And please re...
by OriiOn
Thu Feb 25, 2010 4:16 pm
Forum: Beginner Basics
Topic: question on VPN
Replies: 9
Views: 2438

Re: question on VPN

Myron, I'm a noob with VPN too, but I figured it is necessary to set rules that allow a VPN tunnel to be opened up. For IPSec this would be UDP port 500, and ipsec-esp protocol. /ip firewall filter add action=accept chain=input comment=VPN disabled=no protocol=ipsec-esp add action=accept chain=input...
by OriiOn
Thu Feb 25, 2010 3:57 pm
Forum: Scripting
Topic: Move a firewall rule to the end (V4.5)
Replies: 11
Views: 8473

Re: Move a firewall rule to the end (V4.5)

Thanks for the replies. I know the "trick" with setting a comment for the rules, and reference them by their comment name. That works just fine. However, my goal is to come up with a script that adds those rules right after the first time (self) configuration of the router. At this point a...
by OriiOn
Thu Feb 25, 2010 1:53 pm
Forum: Scripting
Topic: Move a firewall rule to the end (V4.5)
Replies: 11
Views: 8473

Re: Move a firewall rule to the end (V4.5)

Thanks for the reply! That depends on how you do it; maybe that holds a hint for me on how it could be done in a different way than the approach I am currently using.

So yes please, post a sample of your script :)
by OriiOn
Thu Feb 25, 2010 12:15 pm
Forum: Scripting
Topic: Move a firewall rule to the end (V4.5)
Replies: 11
Views: 8473

Move a firewall rule to the end (V4.5)

I am trying to come up with a script that adds 2 new filter rules, and after that makes sure the "drop" rule is moved to the end. In this script I assume that whatever is at the end of the filter list BEFORE I add my rules must be the drop rule. So I determine the index of that rule fir...
by OriiOn
Thu Feb 25, 2010 12:00 pm
Forum: Beginner Basics
Topic: Max number of VPN IPSec tunnels
Replies: 3
Views: 5019

Max number of VPN IPSec tunnels

How many concurrent VPN IPsec tunnels can be open on an RB750? What is the technical limit, and/or is there a license limit?