Community discussions

Search found 32 matches

by ucs75
Tue Apr 14, 2020 9:09 pm
Forum: General
Topic: LLDP
Replies: 136
Views: 73145

Re: LLDP

+100000 I would love to deploy MT switches all day long if they supported LLDP-MED. But without it, they're useless in offices with VoIP phones (all offices we support and upgrade). That's about 300 switches not sold in the last two years just with the deployments I managed. Can we get a bug-free LL...
by ucs75
Wed Feb 07, 2018 9:07 pm
Forum: General
Topic: DHCP options not working since 6.7 (MIPS)
Replies: 4
Views: 1752

Re: DHCP options not working since 6.7 (MIPS)

Thank you for adding with the s'xxx' option. I tried to amend my answer last night, but the page kept timing out whenever I attempted. Looking at the logging, it is sending the IP address as four hexadecimal numbers. Prefixing the opening single quote with an s forces it to send the ip address as a ...
by ucs75
Wed Feb 07, 2018 4:27 am
Forum: General
Topic: DHCP options not working since 6.7 (MIPS)
Replies: 4
Views: 1752

Re: DHCP options not working since 6.7 (MIPS)

Does AllWorx have a firmware upgrade to fix this? The problem is that it cannot understand an IP address sent in hex form. It must receive the dotted decimal notation (hex encoded).

--See below answers for workaround
by ucs75
Fri Dec 15, 2017 8:53 pm
Forum: General
Topic: Insecure VPN
Replies: 3
Views: 993

Insecure VPN

If I create, for example, a GRE tunnel and add a passphrase to each side of it, RouterOS will dynamically create an IPSec tunnel between my two endpoints. It will use the default proposal, which allows me to set the PFS DH Group, but not the Phase 1 DH Group. It always uses Group 2 -- which has been...
by ucs75
Sun Oct 02, 2016 11:50 pm
Forum: General
Topic: IPSec dual links
Replies: 6
Views: 2047

Re: IPSec dual links

Jaytscd, Think of IP-->IPSEC-->Policy-->General as a matching filter. Only packets that match the Source Address, Destination Address, and Protocol will be matched and acted upon. Everything else will be processed as normal. If you leave this too broad, you can shoot yourself in the foot by blocking...
by ucs75
Sun Oct 02, 2016 4:44 am
Forum: General
Topic: IPSec dual links
Replies: 6
Views: 2047

Re: IPSec dual links

One inconvenience exists. I cannot ping (access) WAN IP of branch Cisco892 and vice versa (From remote side I cannot ping WAN IP of Mikrotik). Is it fixable? In your IPSec Policy, General Tab -- look for the Protocol Field. Set this to 4. This will restrict the encryption policy to only match on th...
by ucs75
Sat Oct 01, 2016 8:05 pm
Forum: Beginner Basics
Topic: Mikrotik RB2011UiAS + UniFi AP configuration problem
Replies: 2
Views: 1183

Re: Mikrotik RB2011UiAS + UniFi AP configuration problem

Without having reviewed everything, I did notice that you have three ISPs and three Masquerade rules all on the same Routerboard. This has never worked for me. Masquerade often NATs using the wrong public IP in this setup. I've resolved this by adding a routerboard for each ISP/Required-Masquerade. ...
by ucs75
Sat Oct 01, 2016 7:47 pm
Forum: General
Topic: Route all traffic through ipsec
Replies: 1
Views: 1623

Re: Route all traffic through ipsec

Create a specific route for Center's External IP that utilizes the ISP. This is necessary to create the tunnel. Now create a default route (0.0.0.0/0) that utilizes the tunnel. Any route more specific than the default will take precedence. Otherwise, your traffic will all be routed over the tunnel.
by ucs75
Sat Oct 01, 2016 5:26 pm
Forum: General
Topic: IPSec dual links
Replies: 6
Views: 2047

Re: IPSec dual links

Is your IPSec setup at transport or tunnel mode? I would venture to guess that it's set up in tunnel mode. If so, try changing the config to use gre/ipsec with transport mode (restricted to protocol 47). This will change your policy to only match the packets with source of MT Router and Destination o...
by ucs75
Sat Oct 01, 2016 7:21 am
Forum: Forwarding Protocols
Topic: GRE Tunnel on Dynamic IP address
Replies: 9
Views: 23834

Re: GRE Tunnel on Dynamic IP address

I realize this is an old thread at the time of my reply, but thought it a good place to post a simple scripting solution to update the GRE tunnel remote-address when that remote-address is dynamic. This does assume the GRE tunnel is already functional and that the remote-address WAN ip is registere...
by ucs75
Thu Sep 29, 2016 1:55 am
Forum: General
Topic: MikroTik why not turn to new Cisco/Juniper?
Replies: 33
Views: 15169

Re: MikroTik why not turn to new Cisco/Juniper?

I guess it comes back to the age-old question? Would you rather do a bit of extra work and save a large amount of cash. Or do you spend big bucks and make it a no-brainer? In the business we're in we go for the first one and we love Mikrotik for giving us that chance. After all that's actually their...
by ucs75
Mon Sep 26, 2016 5:19 am
Forum: General
Topic: CCR EOIP over IPSEC performance
Replies: 6
Views: 4874

Re: CCR EOIP over IPSEC performance

Thanks again. I think I'll try loading a VM with RouterOS strictly for the eoip tunnels and run the rest of the connectivity and security on the main gateway.
by ucs75
Sat Sep 24, 2016 9:14 am
Forum: General
Topic: CCR EOIP over IPSEC performance
Replies: 6
Views: 4874

Re: CCR EOIP over IPSEC performance

I noticed that your config disables connection tracking. Did you happen to take note of the performance difference with and without conn-tracking enabled? If it's significant, I may need to look into adding a dedicated router for eoip tunnels -- because I'm not sure that disabling connection-trackin...
by ucs75
Fri Sep 23, 2016 8:37 am
Forum: General
Topic: CCR EOIP over IPSEC performance
Replies: 6
Views: 4874

Re: CCR EOIP over IPSEC performance

Thank you for your post, CKJ. Although I am disappointed to not see any further activity on this thread, I wanted to at least thank you. Your post caused me to do a little looking into the different flavors of AES-128. Previously I had just been clicking the first one (CBC). CBC's performance was ab...
by ucs75
Thu Sep 22, 2016 2:40 am
Forum: General
Topic: EoIP on CCR without fastpath = HORRIBLE performance
Replies: 1
Views: 1018

Re: EoIP on CCR without fastpath = HORRIBLE performance

Sorry, forgot to include RouterOS 6.34.6
by ucs75
Thu Sep 22, 2016 1:41 am
Forum: General
Topic: EoIP on CCR without fastpath = HORRIBLE performance
Replies: 1
Views: 1018

EoIP on CCR without fastpath = HORRIBLE performance

Am I missing something?

The background / setup.
========================
Router A
CCR1009-8G-1S-1S+
Bridge-LAN [ether-2, eoip-tunnel]
ether-8 Static IP on /30 (directly connected to Router B)

Router B
CCR1009-8G-1S-1S+
Bridge-LAN [ether-2, eoip-tunnel]
ether-8 Static IP on /30 (directly connected to...
by ucs75
Sun Sep 11, 2016 4:55 am
Forum: General
Topic: GRE over IPSEC, CCR, VERY SLOW
Replies: 39
Views: 24704

Re: GRE over IPSEC, CCR, VERY SLOW

Could you please post a sample config with GCM? There's clearly more to it than just changing the encryption algorithm in the proposal. I wasn't able to achieve a tunnel after updating the proposal. What else needs to be set?!
by ucs75
Thu Feb 12, 2015 3:11 am
Forum: General
Topic: SSTP certificate problem
Replies: 3
Views: 9226

Re: SSTP certificate problem

I'd just like my COMMERCIAL certificate to work. I ([+] Create)-ed a certificate from Winbox, and selected "crl sign", and "key cert. sign" as the only Key Usages. Filled in the various fields, including Days Valid: 1825 and Key Size 2048. I then [Create Cert. Request], using this...
by ucs75
Fri Nov 28, 2014 8:49 pm
Forum: Scripting
Topic: SSTP Client marking IP Addresses as DI (Dynamic Invalid)
Replies: 8
Views: 2980

Re: SSTP Client marking IP Addresses as DI (Dynamic Invalid)

Unfortunately that link didn't really help. I don't have the option of swapping around who is the hub and who is the spoke whenever the problem rears its head. This has now happened to 6 or 8 of my production units. I've tried 6.18 through 6.22 hoping that a newer version has fixed the problem. But...
by ucs75
Mon Nov 03, 2014 9:34 pm
Forum: General
Topic: SSTP VPN with AES on Windows
Replies: 2
Views: 3046

Re: SSTP VPN with AES on Windows

Bump!!!!!
by ucs75
Wed Oct 29, 2014 7:01 pm
Forum: MikroTik hardware questions
Topic: Traffic generator killed ccr1009 ?
Replies: 16
Views: 4395

Re: Traffic generator killed ccr1009 ?

Two Dead CCR1009-8G-1S-1S+ units within 30 days here...

One was up for about 30 days, the other less than 24 hours.
by ucs75
Fri Oct 17, 2014 6:09 pm
Forum: Scripting
Topic: SSTP Client marking IP Addresses as DI (Dynamic Invalid)
Replies: 8
Views: 2980

Re: SSTP Client marking IP Addresses as DI (Dynamic Invalid)

Update:

I just had this happen on a CCR1009 --> CCR1009.

So the problem is not isolated by platform. Both RouterOS 6.18.

I hate to have to downgrade to 6.7 because of the performance losses, but so far, that's all I know to do!
by ucs75
Fri Oct 17, 2014 6:08 pm
Forum: Scripting
Topic: SSTP Client marking IP Addresses as DI (Dynamic Invalid)
Replies: 8
Views: 2980

Re: SSTP Client marking IP Addresses as DI (Dynamic Invalid)

I've searched repeatedly for weeks, and not found anything. Hence my asking.

Perhaps a link to the thread you referenced? Just saying "yep" really doesn't help much!
by ucs75
Mon Oct 13, 2014 3:16 am
Forum: Scripting
Topic: SSTP Client marking IP Addresses as DI (Dynamic Invalid)
Replies: 8
Views: 2980

SSTP Client marking IP Addresses as DI (Dynamic Invalid)

I have been running into this problem repeatedly lately.

Client -- RB951G-2HnD RouterOS 6.18 Firmware 3.18
Server -- CCR1009-8G-1S-1S+ RouterOS 6.18 Firmware 3.10 and 3.18

Client establishes SSTP connection, and server assigns IP address as defined in the username/password (Secret Section). Sometime...
by ucs75
Sat May 03, 2014 5:03 am
Forum: Forwarding Protocols
Topic: Mikrotik -> Linux xl2tp fails to negotiate mppe
Replies: 3
Views: 6657

Re: Mikrotik -> Linux xl2tp fails to negotiate mppe

Well, I'm glad I could have this conversation with myself! Hope this helps someone in the future.... RouterOS Version was the problem. The trouble occurred on v5.24. So RouterOS v5.24 has a serious bug in the l2tp client, which prevents it from negotiating mppe encryption if a perfect match is not ha...
by ucs75
Sat May 03, 2014 4:24 am
Forum: Forwarding Protocols
Topic: Mikrotik -> Linux xl2tp fails to negotiate mppe
Replies: 3
Views: 6657

Re: Mikrotik -> Linux xl2tp fails to negotiate mppe

Update: I found one problem in my config. I had noccp set in the pppd config, blocking mppe from being supported. So now it's coming up but telling me that the Mikrotik is failing to negotiate.

May 2 20:18:06 ubuntu pppd[1791]: rcvd [CCP ConfReq id=0x84 <mppe +H -M +S +L -D -C>]
May 2 20:18:06 ubunt...
by ucs75
Sat May 03, 2014 3:51 am
Forum: General
Topic: Error connecting Mikrotik PPTP VPN Client to a Linux VPN Svr
Replies: 4
Views: 6834

Re: Error connecting Mikrotik PPTP VPN Client to a Linux VPN

What's up with the:
Warning: can't open options file /root/.ppprc: Permission denied

It looks like the process has no permissions to read its own config file.
by ucs75
Sat May 03, 2014 1:40 am
Forum: Forwarding Protocols
Topic: Mikrotik -> Linux xl2tp fails to negotiate mppe
Replies: 3
Views: 6657

Mikrotik -> Linux xl2tp fails to negotiate mppe

I've spent hours on this now and made very little headway. If I 'require' Encryption on the MT Client, the resulting pppd log shows:

...
May 2 17:29:01 ubuntu pppd[1367]: rcvd [LCP TermReq id=0x18 "Encryption negotiation rejected\000"]
May 2 17:29:01 ubuntu pppd[1367]: LCP terminated by pe...
by ucs75
Wed Nov 06, 2013 4:36 pm
Forum: General
Topic: l2tp 20% Packet Loss
Replies: 4
Views: 4722

Re: l2tp 20% Packet Loss

Taking time to encapsulate would result in higher latency, not packet loss. I have previously been able to run six concurrent tests at 5ms with 0% packet loss. Good thought though...and thanks for responding! That being said, the problem is not resolved - although I don't have a full root-cause anal...
by ucs75
Tue Nov 05, 2013 8:58 pm
Forum: General
Topic: l2tp 20% Packet Loss
Replies: 4
Views: 4722

l2tp 20% Packet Loss

Local Office: RB751 v5.24
Remote Office: CCR1016-12G 6.4

With, or without Encryption, I am consistently getting 20% packet loss through an l2tp tunnel between these devices. To test, I am using a linux box, and sending 10000 packets at 5ms intervals. Pinging the external interface of the CCR (no tun...
by ucs75
Sun Sep 29, 2013 6:35 am
Forum: Beginner Basics
Topic: Winbox use and readout
Replies: 6
Views: 3047

Re: Winbox use and readout

BUMP!!
by ucs75
Mon Sep 23, 2013 9:46 pm
Forum: MikroTik hardware questions
Topic: RB751 CPU usage get too high
Replies: 15
Views: 12779

Re: RB751 CPU usage get too high

I didn't see anyone ask what his logging settings were. If 'flash' means writing to disk, is it possible that he has some logging rules set to write to disk that are active during usage -- and therefore crippling the unit?