MikroTik

ocgltd

This blackhole trick seemed to work:
https://aacable.wordpress.com/2015/09/1 ... -approach/

ocgltd

I'm experimenting with detecting my primary internet connection being down. And it's not working. I've seen lots of good HOW TO posts...but this is simply for me to learn and experiment. (So please don't point me to the recursive routes solution). I have defined a static route to 1.1.1.1/32 with gat...

ocgltd

I want my mAP to take an action when I plug another host into a particular port. However, that host runs a firewall so it will not respond to pings /etc. Basically I want to use the link state (running) for a particular port and tell netwatch to use the result of that script to cause the action to h...

ocgltd

Wow lots of ways to do this.

I used a script from the wiki thinking that was "the right way".

I think I will tinker a bit to explore the ideas...

ocgltd

That was it. I asked MS Copilot and it said I could split them, but obviously not

ocgltd

I know, but I kept having to renew/drop the interface to test the script. So I just copied into the generic /system/scripts area so I could easily launch it. I realize some variables may not be populated when it runs from the new location, but I should at least see some log output. I cut and past th...

ocgltd

I'm writing my first script (from examples found online). The first line SHOULD show a message in the system log, but it does not (when I manually start the script from the /SYSTEM/SCRIPTS window. What is wrong? { :log info "DHCP client being executed for backup internet link" # Find route...

ocgltd

Thank god I fixed it....for anyone else doing something stupid like this:

Go the the Mikrotik HARDWARE page for the mAP. Then go to support, then click download for RouterOS.

There you will see a SECOND package called wireless. That has the driver you need. Now it's running again!

ocgltd

I finally had my mAP running properly, and one of the last things to do was add the NTP client package, which is supposed to be part of the "MAIN" package. And that's when things went to sh!t ! The mAP was running version 6.x (don't recall exact version), and the built in package updater s...

ocgltd

I thought that adding the static IP to eth1 was a good idea, so that some bad actor on the WAN side couldn't access. But I don't understand if that is valid for a bridge, or in that case why the mikrotik let me do it :? I got rid of the DHCP server, and moved the static IP to the bridge, and changed...

ocgltd

Ok here's my config. Note that it's built on the default config, so some garbage left over but I think it is harmless. But after being locked out of the mAP so many times, I did not want to reset the config (since the is no serial interface to this device). Any clues in the below as to why I can't p...

ocgltd

I meant conceptually (since I'm not sure IP firewall rules are even processed between ports that are bridged). But just in case, I added accept rules for in/out/fwd at the top of the list, and no difference. There must be a reason for this I don't understand. BUT!!!! It is working, in that traffic i...

ocgltd

Ok then I have it setup as specified. But something seems strange: 1. I can ping the mAP 's wireless address (received via DHCP), from other hosts on the same subnet. Good! 2. When I tried to connect to the mAP using winbox via the wireless address, it will not connect. Strange ? 3. I can NOT ping t...

ocgltd

First of all I didn't realize I could connect by MAC address...wow what a time saver. Thank you. Next, I'm looking at the script above and I've tried to do each step manually from the WinBOX gui. But I clearly am missing an important concept here...i can't get my head around this: 1. I see you set s...

ocgltd

I've spent around 7 hours messing with my new mAP in total. I just can't get it to do what I want! What's I'm trying to do is: 1. Device acts as a bridge (briding eth1 + wlan1) 2. WLAN1 Acts as station, connecting to my phone's hotspot 3. ETH1 passes the IP config received from the wifi along to the...

ocgltd

It is a text cut & paste!

ocgltd

I'm afraid to post that as : 1. It's embarassingly ugly (I learned how to setup a firewall on this box) 2. I'm afraid I will accidentally let something private slip into the output that now the whole internet can get into my firewall. 3. I've put lots of comment that mention my customer names etc......

ocgltd

I watched a bunch of these. I think I knew MOST of this...but for sure some holes in my basic knowledge. I actually have a routerboard that I setup as my main firewal! So I would say that I've got a handle on the basics. I've setup static routes too. But never recursive routes, never set distance / ...

ocgltd

I have a RB4011iGS+ and have setup one of the ethernet interfaces as 192.168.88.253 and connected to that interface is a device with IP 192.168.88.1 I have setup a forwarding rule to pass all packets going in and out that interface (ether10). But this rule never matches, and I log the failure as sho...

ocgltd

I didn't mean to piss you off, I didn't realize port forwarding impacts the routing solution....still learning...

I can split that into a separate question. I don't understand the connection...could you explain how that affects the solution you already provided?

ocgltd

Ok some cool ideas! I didn't realize there was a "CHECK GATEWAY" option on each route, and didn't really understand how the distance was used. I found and read the wiki "failover wan backup" https://help.mikrotik.com/docs/spaces/ROS/pages/26476608/Failover+WAN+Backup and I think ...

ocgltd

Ok I will try to provide more clear information. The firewall port 1 is connected to my cablemodem. The cablemodem is in bridge mode, meaning that my firewall gets a public IP assigned from the cable company. (No PPoe). I want to connect port 3 to a different WAN service (let's say its public wifi, ...

ocgltd

I have a mtik routerboard which is my firewall. Port 1 goes out my cable modem. And port 2 is my internal network. I want to add a backup route, which will allow traffic to flow out port 3 (instead of port 1). I'm wondering if there is a BEST way to do this. I can write a simple script to monitor th...

ocgltd

I have a new mAP which I want to use in the reverse of the configuration that it's normally used in. In other words, the ethernet cable will connect my LAN to the mAP port 1. And the WiFi will connect to my phone "hotspot" as a client. I am trying to create a backup route in case my cablem...

ocgltd

Ok I've followed the guide and my site to site seems to be working! The last step is to monitor the connection, and I like the NetWatch solution (#2) so I have copied that script into place on site B in the on Down handler: # WG peer 0 is tunnel to site A :delay 25 /interface wireguard peer disable ...

ocgltd

Ok I'm running 7.10 Perhaps I'm misunderstanding, but it sounds like the WireGuard service starts automatically, but how do I make only one peer connect to the other? (So both peers don't try to connect to the other at the same time) I think you are saying I need to create a script which makes one s...

ocgltd

I am trying to setup a site to site network between 2 Mikrotiks, using wireguard.

How to I make one site initiate the wireguard connection immediately upon startup? (And retry on disconnect)

Do I need to script this? It feels like a predefined setting that I just can't find

ocgltd

I didn't set this MT up initially, but I suspect it went through at least one major RoS upgrade, that may explain naming. I don't have a LAN or WAN lists, but it looks like those are used in your firewall rules. I could create a LAN interface list, but I don't think that will help...because my firew...

ocgltd

If I turn hotspot off all traffic routes perfectly, so I *assume* the problem is not firewall rule related. Your experience (with no traffic through the MT) sounds very similar to mine. I have to admit I dont understand what the /interface>list command really controls. I read the wiki (https://wiki....

ocgltd

Can I export only certain sections of interest you need to see? (I have lots of firewall rules collected over time that may not be relevant, PPP tunnels, etc)

ocgltd

@Buckeye - I've been studying the info you sent, but I'll start with answers to your questions: Cisco default VLAN is set to 1. I *thought* that is different from 'untagged vlan'...which I thought mean no tag, but as I learn more I'm seeing some documentation that seems to treat vlan 1 as untagged. ...

ocgltd

I need to establish a PPTP connection from Linux based client to my Mikrotik PPTP server. (I know PPTP is bad etc...but I need to work with it for now). upon connection the client log shows the error below. According to online docs http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_bmanp t...

ocgltd

404Network : I'm trying to break my problem into smaller pieces, and will return to other thread (about Hotspot) in the future. At this point I've narrowed the problem down to my understanding of how to handle the tagged + untagged on a single port. I appreciate the full config you posted, but I'm ...

ocgltd

I am struggling to setup a port (ether3) to allow untagged and VLAN40 tagged packets. I am working on an RB850Gx2. And I have a ubiquiti AP connected to ether3 sending tagged (40) and untagged traffic for my two SSID's. I have two bridges configured, one for internal traffic (with ether2, ether3). T...

ocgltd

Although I have 4 VLAN's working properly across my MT, somehow all of the reading has left me a bit confused. So let me break my problem into 2 steps. First, here's my high level diagram: https://ibb.co/0VZsBbg ( https://ibb.co/0VZsBbg ) You can see bridge-internal has ports ether2 and ether3, whil...

ocgltd

I actually followed that guide and it's not working (as described here https://forum.mikrotik.com/viewtopic.php?p=914127#p914127 ). That guide did work on 2 other MT's but not this one. Same RoS version, but this is an older model MT and slightly different setup. I have not had any luck getting help...

ocgltd

I'm trying to get a hotspot working on an interface with both tagged and untagged traffic. Based on a guide I found online, it said I needed to associate the hotspot with a bridge that is associated with the VLAN. However, while searching through the interface on WinBox there seem to be do different...

ocgltd

Is this in the WiKi ?? If so is it in the right place? (Or are there multiple right places?)

Somehow I didn't find that

ocgltd

For anyone else trying to solve this... Under win10 you setup your whole VPN connection using the Network & Internet Settings > VPN page. However, once you are done, go back to Network & Internet Settings and right click the IKE interface created by your VPN connection. In there you must cha...

ocgltd

I'm still early on the learning curve...so please forgive stupid questions...but... Are you saying that L2TP failed to carry the RoMon traffic? Or that you were unable to test it? I thought L2TP is like EoIP and would pass everything. Though I don't understand why EoIP tunnel doesn't create an inter...

ocgltd

I brought up a L2TP/IPsec tunnel between my sites (in addition to PPTP) - no difference. What's interesting is that I ran torch on each interface individually, and I see the 88bf packets on every interface EXCEPT the PPTP interface. (L2TP does not create an interface so could not test that) I don't ...

ocgltd

I'm in progress of switch from PPTP to L2TP/IPsec...once I get Win10 clients working as IKE VPN clients i will cutover. But at the moment Can't get Win10 clients to authenticate with machine certs....another story

ocgltd

Very strange. I started TORCH on my wired link and I can see MAC protocol 88bf packets moving between my mikrotiks (the RoMon packets) Running torch on my PPTP link I don't see any 88bf packets. Which explains why no RoMon connection. Can anyone explain why? I don't think it's possible to filter out...

ocgltd

OK - I cleared secrets now 2 of my routers are visible across RoMon. I must have made type in secret.

My 3rd mikrotik is one the far side of a site-to-site PPTP link. Will the Romon packets traverse a PPTP link? (if not, if I switch to L2TP instead will they)

ocgltd

I just spent hours diagnosing why my Groove AHn2 died after upgrading from 6.49 to 7.2 Post-upgrade it ends up in a reboot loop. After breaking the loop with a factory reset, I could gain access to Groove. I discovered that simply enabling the WLan radio causes the reboot loop to start again. (No ot...

ocgltd

I have a number of filtering rules on my various Mikrotiks, and am just now experimenting with RoMON. I can't seem to make a romon connection betwee routers. (Since I can enabled/disable by physical interface seems like a reasonable guess) Do the romon packets bypass all firewall rules ? If not, whi...

ocgltd

I have setup a hotspot on 2 MicroTiks, one works great. The other (which I thought I set up the same), does not. To create the most simple of tests, I have a single client (172.31.236.247) connect to the hotspot and open a browser and enter the IP of the mikrotik (HTTP://172.31.236.1). The attempt t...

ocgltd

I was expecting cert errors, but the problem I didn't expect was the MT not redirecting to the login page.

After upgrading from RoS 6.x to 7.x the problem is gone. WOw, wasted lot of time on that one

ocgltd

After much experimenting it seems this issue maybe Chrome specific, and may be related to Chrome trying to detect if it's behnd a captive portal. There are several posts with conflicting advice (eg: create DNS entries for gstatic.com that lead to private IP not in use), or (add gstatic.com to walled...

ocgltd

I have a simple hotspot running, but not quite properly. If I disable HTTPS Redirect, and set SSL cert to none, in the profile then the MT intercepts browsing and shows the login page after connection - for HTTP sites only. I created a (self signed) cert for hotspot.mydomain.com and put in on the MT...

ocgltd

I have a Mikrotik setup as IKE VPN server as described below. Testing with an android phone as client (using StrongSwan) succeeds and works great, but using the exact same config & certs on a Win10 machine yields "Credentials are unacceptable" error on the client. With limited access t...

ocgltd

You're right - that doc was from a party with a particular interest in steering its users towards a particular solution. After hours of more reading it seems like IPsec+L2TP (as suggested by Sindy) is both current and the most effective. I found little on pure IKEv2 site-to-site usage, but based on ...

ocgltd

I have setup an L2TP+IPsec tunnel between sites. In PPP > Profiles I have created a profile for the tunnel which has "Use Encryption" set to yes. in the PPP > Interface > L2TP settings I have Use IPsec = required. Since IPsec does encryption, does the above settings mean that L2TP is also ...

ocgltd

OK - I've pulled out a lot of hair on this IKEv2 tunnel experience. ENough to realize when to pull the plug. I'm going to switch to an L2TP tunnel at this point, and then see if I can add IPsec to it after it's working. (Which seems to be just a checkbox and a PSK). I appreciate all of the help! Goo...

ocgltd

Now the identity for Site B (on site A) says Wrong mod-config. I tried editting the mode config but can't find what options need to be turned on/off to make the mode acceptable. What is it looking for? A few things are still unclear... 1. What is the point of having a responder check box in the Mode...

ocgltd

Ok, peer is now reachable, and new policy is associated with that peer is valid! I'm trying understand what I just did by disabling passive at the peer level. (Since I want site A to be responder, which I thought was like passive) According to doc: When passive mode is enabled will wait for remote p...

ocgltd

Ok - yes I had disabled that peer because WinBox showed it as " This entry is unreachable ". I suspect it is because peer #1 has address "::/0", the same as my Site B peer #2 below. Peer #1 is meant for road warriors connecting from anywhere. But since the address is the same as ...

ocgltd

Interesting, when I add a new policy via WinBox is creates a template by default that is switched to static policy and it refuses to apply. But using command line the policy was accepted. Maybe relates to the next sentence... I already had a proposal and peer created, so I started by adding just a t...

ocgltd

I'm learning about creating a site-to-site GRE tunnel (to replace a PPTP tunnel). Both sites have dynamic IP addresses, and the mikrotik is the edge router at both sites I have some simple questions when defining the tunnel: 1. Can I leave "LOCAL ADDRESS" empty and it will figure out which...

ocgltd

The mikrotiks A and B are both edge routers/firewalls, and both have public IP's which are dynamic. I've been reading about the various options you suggest (balancing my need to minimize an already steep learning curve). I want to avoid learning a technology on the way out, and according to this doc...

ocgltd

Numerous print command create a list of items, each with a # as the leftmost column. If I want to print only the details of number 3, how do I do that? For example

/ip ipsec policy print detail where number=3

THe above obviously doesn't work, but I can't figure out the syntax

ocgltd

I have a site to site tunnel between A and B, running over a PPTP tunnel. Assume A has 3 networks: 1.0.1.0/24 1.0.2.0/24 1.0.4.0/24 and B has 3 networks 1.0.4.0/24 1.0.5.0/24 1.0.3.0/24 I see routes on A and B sending traffic for the other over the 'AB Tunnel' gateway. On A the routes to B are flagg...

ocgltd

I see your point...sharing a cert is risky.

I'm investigating using a UN/PW (in Win10 VPN client ) to identify users but apparently Mikrotik firmware pre 7.2 can't do this in a way compatible with Win10. (Discussed in another thread)

ocgltd

I'm not sure I understand:

except the interface, there is none.

Are you saying I should just apply a second IP address to the existing VPN bridge interface I created?

ocgltd

Yes I modified my question as I started figuring things out :) I didn't realize I could get more detailed logging on IPsec. With that advice I managed to figure out what was missing! THanks - solved Regarding UN/PW for connection, I'm running routerOS 6.49, I think upgrading the OS is more than I ca...

ocgltd

I will have multiple users at a remote site connecting into my local site using IKEv2. I have created my first IKEv2 server on my Mikrotik and it seems to work well. So now I want to somehow treat some remote users (managers) differently in terms of filter rules, and possibly also set upload/downloa...

ocgltd

I'm new to IKE/IPSEC, finally giving up on PPTP (which made my life very simple). I have setup a Mikrotik router per some online posts. Upon connection by my client (testing with Android) Mikrotik shows: no policy found/generated can't get private key got fatal error: AUTHENTICATION_FAILED I have al...

ocgltd

I have a Groover A-2Hn with a 2.4Ghz YAGI antenna pointing the signal in the right direction (from the house). So I'm hoping for some routerOS device with 2.4 + 5 GHz radios (one to the home link, the other as the local AP). I imagine external antenna's we be preferable as that should have higher ga...

ocgltd

Can I use the 2.4Ghz link to my house, and 5GHz out the other side? (So I don't need the $250 audience model)?

Is there a model with higher output radios? I see the HAP AC3 claims high power.

Also, is there a guide to setting up this kind of dual extended + AP mode?

ocgltd

I live in the country and want to extend my wifi to a building some distance away. I've used Mikrotik routerOS boxes for my firewall, so I thought I would try building a wifi extender using Mikrotik. I have wifi 'n' at the main house. I need to connect to the n network on one side, and want to offer...

ocgltd

I did a speed test (to internet) from each port, and all run 36Mbps download with a slope upwards. Port 5 is 2 Mbps download with a flat graph (i.e. capped)

ocgltd

I have a RB850Gx2 and one of my ports is limiting TX to 2Mbps. I can't figure out why. This model does NOT allow bandwidth limits tx/rx per port (that I can see) There are no queues setup What is causing the speed cap? Is there somewhere else that speed can be capped? I've spent an hour and can't fi...

ocgltd

I'm using the DSCP setup script that creates the queue tree. I notice that the script sets the max upload speed for the queue.

Why would the queue need to know the max upload speed? Should packets just be handled based on tagged priority?

ocgltd

This has been asked before, but no one seems to answer...too bad, I'd like to know too!

ocgltd

We've installed SecAst on call center and healthcare Asterisk servers (large scale installations). If you're targetting home/small office then FREE is certainly the way to go...

ocgltd

Take a look at SecAst ( http://www.telium.ca?secast ). It watches for a variety of SIP attacks, can block based on geographic source of IP, watch for unusual calling patterns, etc. And best of all, it can talk to a MikroTik router to manage a list of blocked IP's. It's Asterisk specific (but based o...

ocgltd

I would love to hear an answer from MikroTik on this one. When (if at all) will the RB support IKEv2 ?

ocgltd

Sadly no one answered your question...did you ever make progress on this?

We can make use of the C++ api as is, but we too we prefer to use the native Qt calls network IO, events, etc. Did you modify the sample code or create your own wrapper?

ocgltd

I am building a Linux app that needs to talk to my RB450G router. I simple want to add an IP onto a list.

I'm looking for the simplest way to have my happ talk to the RB to accomplish this. Does the routerboard offer a REST API which would permit this?

Other simple ways?

ocgltd

I have two routers on my network: the Mikrotik (firewall) and a Cisco (routes between offices). Although my DHCP server serves up static routes (option 121), some dumb devices ignore option 121 and send all traffic to the default gateway (the Mikrotik firewall). I would like the Mikrotik firewall to...

ocgltd

I didn't believe the 25db gain claim, but I assumed 10db gain was reasonable. (I didn't expect an antenna which attenuates the output)... I can't understand how they build and ship an antenna from China for US$8. At least with some repair it appears to work ok. The upside: even if I just keep the N-...

ocgltd

I finally put a 3 inch wire into the groove as an omnidirection and my signal increased dramatically. So, I opened up the antenna and found the shield was not properly soldered to a ring (drive element) on the yagi. So, I resoldered it and now power is way up!! woohoo... (and instead of a variable c...

ocgltd

I'm using a laptop for testing, not sure how relevant the card/etc is since this same laptop is comparing the signal from 2 different transmitters (both transmitting on 2.4Ghz N)...

ocgltd

I'm trying to setup a wireless link from my house to a house 200 feet away. I'm trying to avoid flooding my own home with excessive wifi, so the yagi which is a 20+db gain should focus most of the signal out the front.

ocgltd

I just purchased my first Groove A2Hn and have it connected to a 2.4Ghz Yagi (which claims 20db gain, but hey it's $8 from ebay so who knows). As well, 10 feet away, I have a generic Linksys wrt router with built in MIMO antenna's. When I check my laptop, it shows the Linksys at 99% power, the Groov...

ocgltd

I'm a bit confused about the use of 'disk' for storing stuff on a mikrotik router. First, under store I see my micro-sd card as 'ready' (I formated). Next, under system logging I have name 'disk' set to 'disk' (there is no micro-sd option for type). And third, under graphing I have 'save on disk' ch...

ocgltd

I am trying to setup a pptp tunnel between to RB's, and am setting up an interface called "tunnel" on the client. The interface is a pptp-client. (not dial on demand) I *THOUGHT* that I would have to start the tunnel manually (somehow), and use netwatch to restart it if the tunnel goes dow...

ocgltd

I have my L2TP/IPSEC vpn working now (with RB450g as concentrator/endpoint). I noticed that even after my remote client disconnects the VPN, the IPSEC tab in winbox still shows REMOTE PEERS as alive. I have DPD set to 120s (which I thought meant that if there is nothing on the ipsec channel for 120s...

ocgltd

Greg

Thanks for your posting! Your idea about disabling NAT rules had escaped me, so I tried it and it started to work!

I then re-enabled my NAT rules, and it STILL works. AAAHHHH.....what is going one with this RB!

At least I have something to chase now.

Thanks,

ocgltd

5 days and no answers...and no response from MT tech support....frustrating. I'm just about ready to rip this RB out and go back to Linux firewalls. I contacted a couple of MT certified consultants, but at $100+/hr and 2 hours minimums, and open ended estimates to diagnose and fix, I may as well hav...

ocgltd

*** Please don't hijack with specific issues (perhaps link to another top where your details are) *** I'm still waiting for a response to: http://forum.mikrotik.com/viewtopic.php?f=2&t=65316 This is a showstopper for me...(keeping old router on standby to switch back in case this is not resolvab...

ocgltd

OK - so the address list is associated with the profile, and the profile is associated with one or more users/secrets.

OK - thanks.

ocgltd

There's no easy to add each user to the address list (road warrior scenario)...or perhaps you could be more specific (maybe Im missing something).

ocgltd

but that means I would have to create one new interface for EACH user. Then, I would have to replicate the firewall rules for EACH interface. Is there a way to reference all interfaces by prefix like pptp-* otherwise I would have to now create one (or more) firewall rules to EACH interface (for EACH...

ocgltd

Under linux I could setup iptables rules which affected all pptp users, by referencing the interface like pptp-*

Under RBOS I can no longer do so - I think. Does that mean I can only create filters for PPTP control based on their source address? That seems very risky!

Thanks

ocgltd

Although my PPTP tunnels seem to be working properly from the users perspective, I'm seeing strange traffic on the RB. Hoping someone can explain what is going on / why... My internal network is 172.31.254.0/24 and my PPTP server (the RB) draws from the pool 172.31.248.0/24 for clients. Clients can ...

ocgltd

Yes - I see to SA's (one for in, one for out) appear.

Interestingly, the INBOUND shows 1700 bytes, the OUTBOUNG shows 0 bytes. Makes me thinking outbound traffic is going outside the IPSEC secure channel.

ocgltd

I'm new to Mikrotik, just bought a couple of RB to play with thinking I could start to deploy these at clients. My first week with the RB has been rough...including: - Discover OpenVPN is over TCP only (not practical) - Discover PPTP/IPSec rules/design is a mess (i set this up easily on Linux...). A...

ocgltd

That was the problem...I downloaded the community edition and now its making sense.

Thanks

ocgltd

I'm experiencing the same loop of "resend phase1 packet". But my clients are dynamic (road warrior) so I don't think a static policy will work.

Could you post your policy?

ocgltd

Perhaps its a Vista issue...but it the message onscreen showed only TUN support...

ocgltd

I have devices (eg: Playbook) which will only do L2TP/IPSEC so I don't have a choice on vpn protocols unfortunately.

I have a peer setup with 0.0.0.0/0 and the connection starts, it just dies and I have no understanding of why. I appreciate any help!

Thanks

ocgltd

I've read some postings about creating a NAT rule to prevent IPSEC traffic one way from going outside of tunnel...but I'm not sure if that applies. Seems like a possibility since the SA list shows bytes have gone one way but not the other. However, this L2TP/IPSEC vpn is for road warriors (different...

ocgltd

I tried using TAP mode, but one end didn't support it (I think Windows OpenVPN complained)...

ocgltd

I finally have an LT2P/IPSEC connection up and running, with the RB450g as the server. However, within 5 seconds of being up the VPN connection goes down. I see the error "resend phase1 packet" in the log below (in RED) - and I believe that is related (but I can't figure out how to fix thi...

ocgltd

The problem was my PPP profile was requiring encryption (set to YES). Once I switched it back to DEFAULT then the connection succeeded.

I *think* this is because L2TP does not support encryption (it relies on IPSEC), so it failed.

ocgltd

For anyone else facing this problem, cause was: 1. OpenVPN client for Windows demands /32 for local and remote addresses (on same subnet). So setup lots of pairs in the pool and chain one to the next. 2. Need to force client to use connection as default gateway (in openvpn config on client) Now work...

ocgltd

I am trying to get a L2TP/IPSEC vpn tunnel up and running between a Windows 7 laptop (client, dynamic public IP) and a RB450g (server, static public IP). I have followed the wiki and the VPN tunnel starts but then fails. In particular, once the laptop initiates the tunnel, I see it appear as a remot...

ocgltd

Ok, I figured out that I needed auth-user-pass since MT doesn't support client based certificates to authenticate. Now, the connection stays up and the interface <ovpn-username> appears and stays up! YAY The next problem is that traffic will not go to from my client! The problem relates to client an...

ocgltd

I am setting up my first MikroTik router, with ovpn. (Also setup a CA on linux, generated certificates for windows client, generated CA cert and client cert, extract client private key)....wow! I when I initiate the connection on windows client, it just diconnects and retries like this: Mon Sep 03 1...

ocgltd

I wish someone had posted an answer...I have the same issue

ocgltd

I have a head office with address range 172.31.254.0/24, and an pool of remote IP addresses 172.31.248.0/24 In my PPP profiles, I have setup a LOCAL address of 172.31.254.5 Is this ok to do? Should the local address be on a different subnet? or is it OK for all remote users (who pptp into the head o...

Search found 112 matches