A quick overview of my network. I have a main location at my home where I have a Watchguard XTM525 firewall. From here, I have three Site to Site VPNs. One goes to a Watchguard 26w, another goes to a virtual pfSense firewall, and the third goes to a Mikrotik RB951G-2HnD (6.38.5). The VPNs to the 26w ...
Well, I haven't been able to get any useful logging out of the Mikrotik, despite adding a few parameters (debug, firewall, ipsec, route) and changing most of the defaults to action 'echo', but on the Watchguard, I can see in the realtime log where ICMP packets from the remote network come into the W...
I just got a RB951G-2HnD to set up for a home environment, and I'm having trouble with the site to site VPN. I used a config from a bunch of 951-2n units that I had configured to sit at end users' home offices that have dynamic addresses and were meant only to initiate a VPN tunnel back to the main of...
Not sure how you are claiming that Mikrotik wins over Cisco with regards to heartbleed - yes, Cisco has affected products - just about everyone does, but if you want to compare apples to apples (or firewall or firewall to firewall), then it's a tie - the Cisco ASAs are unaffected. Switches are unaff...
RB951-2n - VPNs are still broken. Wireless remains to be seen. With Wireless in B/G/N mode, forget it. Couldn't hold a connection. In B/G, it SEEMS reasonably stable. With regards to the VPNS - if ROS considers a 'sa-src-address' of 0.0.0.0 to be invalid, how do you propose to use a MikroTik router ...
What are you trying to do? A site to site VPN over the internet or something else? If you're trying to do a site to site over the internet, unless you've changed the IPs to something other than your actual addresses for security, the sa-src-address and sa-dst-address addresses are wrong. The sa-src-...
Well, in doing MORE reading and searching, there are people seeing the same exact issues I'm seeing going back at least two years - I spent some time reading several pages about the same issues on the RB751's, which uses a similar wireless card. It would seem that while the devices perform quite wel...
i checked my post, i did not talk about 802.3af/at - so there is programmable PSU plugged directly into passive poe injector or jack. Ahh. I assumed you were referring to 802.3af POE since you referenced 48v. There's a BIG difference between a passive injector that pretty much amounts to hooking pa...
The reason nothing happens when you plug a RB into a 48v 802.3af POE switch is that in order for the switch to start sending power, there needs to be special circuitry in the receiving device that tells the switch that it's capable of receiving POE. Without this circuitry, it would try to send power...
I had posted about this before, when I first started playing with the 951 back in September or so and at the time, I was using the 'default' config. I thought I had it working, but really didn't use it much. I was just about to package up five of the six 951's that I have set up for home users, and ...
Well, after a few more hours of searching and digging through posts, I got this sorted out to where I have the MikroTik handing out MCIPADD, MCPort and TFTPSRVR to the IP Phones. They use option code 176 for these settings. It WOULD still be nice if someone could tell me why the MikroTik was handing...
Well, IDEALLY, it would be THE router. In my testing, I've found there to be about a 50/50 shot it'll actually work through a NAT router (Did work through a linksys, did not work through the uVerse HG NAT), so my preference will be for the users to replace whatever router they have with the Mikrotik...
I have a rather simple setup that I will be deploying out to several end users to function as a VPN endpoint for our phone system. I have not configured any DHCP options in the Mikrotik router (other than a basic pool), but it is handing out its address to the IP Phones as a TFTP server address. I w...
I just set my client as dynamic. It got a new ip and connected to the server again and is working fine. Where are you trying to enter this 0.0.0.0? I see no src-address setting here. edit: but I think ipsec has a src-address setting. Is that what you mean? Yes, 'sa-src-address=' in '/ip ipsec polic...
I think I see your challenge. Which end device is dynamic? The server or client? The client. At the server end I have a Cisco ASA 5510 with a /27 block of static IPs set up with a Dynamic L2L VPN in addition to the static ones. The plan for the Mikrotiks is to have them at the users Home Offices to...
It's a bit scary that 6.9 was released in such a broken state... I have tried this supposed "fail" and I can't find where it is broken. My site-to-site vpn works with v6.9. I agree with karina in this post. http://forum.mikrotik.com/viewtopic.php?f=2&t=81514#p407972 That may be true.....
After working with my RB951-2n for the last two days getting the Site to Site VPN set up on it and experimenting with getting some kind of VoIP prioritization set up, I upgraded it from 6.7 to 6.9. Now, every time I reboot it, the policy for my VPN says 'Invalid' until I open it and click apply - th...
The Background: I originally got the RB951 to play with and most likely replace my current infrastructure (pfSense) with, but in trying to learn ROS, I found that my needs are far too complex for me to figure out how to replace my firewalls with Routerboards - The chains have me totally lost in the ...
Yes, more or less. But there was something different about the default setup that didn't work, and the way I have it set now has been working after I set it up manually.
Can someone please give me a rundown on how the chains work and apply? I kinda understand how they flow in a real simple config (such as the 951-2n I set up that will probably end up at my grandparents), but the next thing I need to set up, if I'm going to continue down the MikroTik path, is my home...
Is there any way that I may have missed to enable email alerts when a thread is replied to? This one sat with no answers for enough time that I didn't think to check it.... Anyway, it would appear I got it working, since it seems to have been stable for a bit now. Apparently, the default config is b...
nawshad, yes, I've looked through the wiki and so far it hasn't helped, and tiktube doesn't appear to have much relevant info. pcunite, Thanks for the info. I'll have to check out Greg's videos. I put in your default config in my Routerboard and oddly, I lost my connection to the web interface, but w...
As the title says, I'm new to RouterOS. I've been in IT for almost 15 years, and have a lot of time with Cisco PIX and ASA firewalls, Watchguard, some Sonicwall, all of the consumer routers, pfSense, IPCop and probably a few I can't think of... But RouterOS is unlike anything else I've worked with. ...
I purchased a RB951-2n about a week and a half ago, and haven't had much time to play with it. I started playing with it a bit today, and with the 'default' config, which near as I can tell, should work for a very simple setup where the only need is a DHCP Server and access to the internet, the wire...