I've tested IKE2 on CHR 7.12.1 - it works with certificates generated by Mikrotik but doesn't work with certificates from Windows.

I'll try with CHR in lab, only with ike2 functionality. When it will be work, I'll set chr only as vpn server, not router. I have no time to downtime after upgrade ROS to 7.x

I've updated ROS to 6.49.10. There is nothing readable in log after 2 minutes.

When I upgraded Windows Server to 2022, all of directly connected computers have refreshed their certificates. And these computers can't connect to VPN. All computers which didn't have connect and didn't get new certificate, still work.

I can upload certificate but connection can't establish correct - on pc I have message "IKE authentication credentials cannot be accepted", on ROS I see connection established but with no traffic - it disappears after 2 minutes.

Hello, I'm using RB4011 with ROS 6.48.6 and IPSEC IKEv2. Certificates are issued on Windows Server and uploaded to router. It works correctly since last 2 years but 2 days ago I've upgraded my servers from 2012R2 to 2022 and it stopped to work. Can anybody help me with fix it?

Hello,
I'm using CRS125-24G-1S-2HnD router and I need to install sniffer-host in my network. I was trying with Packet Sniffer but that method is using a lot of cpu.
How can I configure port mirroring on that router to sniffing on another machine?

If the users are on the domain anyway, why not just push out the cert to them?

If there are in domain it's not problem to push out the certs for them. About half of computers are not in domain (shitty Windows Home Premium) and I don't want to configure them.

Can I authenticate wireless clients with AD without installing server certificate on each computer? Only with username/password.

I'm using Mikrotik as router and dhcp server for LAN clients and Unifi APs. There is an AD server so I want to authenticate wifi clients with Windows credentials, not WPA key. I've set up radius on mt (wireless, ppp & login checked), dhcp with option "use radius", and on Windows: Secur...

Radius on routerboard, vpn authentication by radius. Windows 2012 R2 domain, acting as radius client. I need Windows to authenticate by domain credentials. Connection is created by CMAK so it's not possible to change parameters after installing. I've created 2 versions of connection: one with MS-CHA...

Can routerboard authenticate pptp client with eap-mschap v2? I need to use it with Windows 2012 R2 and client need to be authenticated with his windows credentials. It works with mschap v2 (windows login and password is typed manually bu user) but if I create connection with eap-mschap v2 I've got 6...

I've fixed it. Install note in readme text shows how to create ssh user but there's no info that I have to create password for that user

I've got the same problem. It works great but doesn't show hostnames. I'm using DHCP on my MT. I've tested on 2 MT's with the same effect.

I've found what was the reason of problem. On bridge of router 2 was set proxy-arp instead of arp enabled.

I've noticed today that traceroute from 10.1.1.1 to 10.1.1.41 is going by 10.1.1.101, then returns to 10.1.1.1 .
It is very very strange.

Tunnel is still up, I only disable/enable it in bridge. Nothing changes in routing table, default route for PC in LAN1 is 10.1.1.1.

My default route for MT is WAN interface. So why it can routes any traffic by eoip tunnel (in bridge? It seems not possible but it's true.

Yes, exactly. Address and default gateway is provided by own dhcp server. Only routing trace is changing dynamically (I'm testing windows tracert to 8.8.8.8 ). When eoip is disabled in bridge, first hop is router private ip 10.1.1.1 , when I enable eoip in bridge, first hop changes to 10.1.1.101 (re...

"Add default route" on PPtP client (which is on router2) could cause such situation but in LAN2. I'm still talking about issues in LAN1 where is PPtP server located. So that's not it. (however that options is disabled).

Ok, I've been isolated dhcp traffic in eoip tunnel - both LANs get address from own dhcp but issue with routing still exists. Routing from LAN1 is going by 10.1.1.101 until I disable eoip tunnel in bridge.

You'd have to set up some firewall rules to block DHCP and enable IP firewall on your bridge.

But this is not the answer for my question - I would like to know what is wrong that I've got ip assigned by proper dhcp and it's not working good, blocking dhcp traffic will not resolve my problem.

As I wrote, I want broadcast traffic, I want to use LAN Messenger in both (and probably next ones) networks.

I've got such situation: Router 1: LAN1 10.1.1.0/24 with dhcp server public IP PPTP server EOIP with router 2: local ip 10.1.1.1 , remote ip 10.1.1.101 Router 2: LAN2 192.168.2.0/24 with dhcp server behind NAT PPTP client to router 1 EOIP with router 1: local ip 10.1.1.101, remote ip 10.1.1.1 Scenar...

Hello everybody, I would like to configure scenario like that: On MT I've got DHCP server with one pool for trusted macs and one another with untrusted (I mean untrusted are users which know wpa key but aren't my employees). So the trusted mac should get address from one pool and untrusted from seco...

If you want the VLANs isolated at layer 3 you need to use forwarding filters in IP Firewall.

So that means that VLANs are not isolated and are visible to each other with default configuration?