Does ROMON bypass firewall rules?

Posted: Mon Feb 21, 2022 11:22 pm
by ocgltd
I have a number of filtering rules on my various Mikrotiks, and am just now experimenting with RoMON. I can't seem to make a RoMON connection between routers. (Since I can enable/disable it by physical interface, this seems like a reasonable guess.)

Do the RoMON packets bypass all firewall rules? If not, which ports/protocols do I need to open?

Re: Does ROMON bypass firewall rules?

Posted: Tue Feb 22, 2022 12:14 am
by Amm0
Yes, it operates at the Ethernet/Layer 2 level, so /ip/firewall wouldn't see anything. Perhaps the /interface/bridge/firewall MIGHT. But if you enable it, it should work:
/tool/romon/set secrets="" enabled=yes
The "secrets" has to match on ALL devices. And all routers need to have it enabled to be found by RoMON. Leave all the other settings alone unless you know what you're doing, and it should work.

You generally use it from the winbox login screen by choosing "Connect to RoMON" to a Mikrotik router that works (with RoMON) FIRST. Then, it will show a "RoMON Neighbors" tab at the bottom of the winbox login screen listing what the router you connected to (via "Connect to RoMON") can see. From that "RoMON Neighbors" list, you can then connect to any RoMON-enabled router that the FIRST router can find via RoMON.

AFAIK, RoMON does NOT let winbox discover directly on RoMON. Basically SOME Mikrotik has to be the "RoMON Agent" before you can use RoMON to find more routers. Thus the "Connect to RoMON" step.
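Because RoMON rides in its own Ethernet frame type rather than in IP, the controls that actually limit it are the RoMON secret, the per-interface forbid list, the user group policy and (possibly) the bridge filter, not /ip firewall. The following RouterOS configuration is an added example written for this page, not a config posted in the thread: the interface names (ether1 as WAN, ether5 as an untrusted bridge port, ether2 as the LAN port to torch) and the secret value are assumptions, and whether the bridge filter sees RoMON frames is something the thread only speculates about, so the rule's packet counter is the test.

```routeros
# Added example (not from the thread). Interface names and the secret are
# assumptions; adapt them to the device.

# 1. Enable RoMON with a real shared secret. An empty secret (used in the
#    thread for testing) lets any RoMON-enabled neighbour join the RoMON network.
/tool romon set enabled=yes secrets="replace-with-a-long-random-secret"

# 2. Forbid RoMON on interfaces that face untrusted networks. The default
#    entry "all" applies to every interface; a per-interface entry overrides it.
/tool romon port add interface=ether1 forbid=yes comment="WAN: no RoMON"
/tool romon port print

# 3. Reaching a router over RoMON still requires a RouterOS login, and the
#    group policy "romon" decides whether a user may use RoMON at all.
#    Only the listed policies are granted; everything else is off.
/user group add name=romon-admins policy=read,write,winbox,romon
/user add name=romon-op group=romon-admins password="replace-me"

# 4. /ip firewall never sees RoMON (it is not IP). To stop the bridge from
#    forwarding RoMON frames from an untrusted bridge port, match its EtherType
#    0x88BF (35007 decimal) in the bridge filter. Whether these frames pass the
#    bridge filter at all is unverified in the thread: watch the counter.
/interface bridge filter add chain=forward mac-protocol=0x88BF in-interface=ether5 action=drop comment="drop RoMON arriving on ether5"
/interface bridge filter print stats

# 5. Checks: what is visible over RoMON, and is the EtherType really on the wire?
/tool romon discover
/tool torch interface=ether2 mac-protocol=0x88BF
```

Run the checks last: /tool romon discover should list only the neighbours you expect, torch on a forbidden interface should show no 0x88BF frames, and a bridge filter rule whose counter stays at zero while RoMON keeps working across those ports means the frames are not passing through the bridge filter (for instance because the switch chip forwards them in hardware), so do not rely on that rule as a control.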

Re: Does ROMON bypass firewall rules?

Posted: Tue Feb 22, 2022 2:59 am
by ocgltd
OK - I cleared secrets and now 2 of my routers are visible across RoMON. I must have made a typo in the secret.

My 3rd Mikrotik is on the far side of a site-to-site PPTP link. Will the RoMON packets traverse a PPTP link? (If not, will they if I switch to L2TP instead?)

Re: Does ROMON bypass firewall rules?

Posted: Tue Feb 22, 2022 5:15 am
by Amm0
OK - I cleared secrets and now 2 of my routers are visible across RoMON. I must have made a typo in the secret.

My 3rd Mikrotik is on the far side of a site-to-site PPTP link. Will the RoMON packets traverse a PPTP link? (If not, will they if I switch to L2TP instead?)
I dunno, I'd like to think either PPTP or L2TP should work.

Be curious what you find out PPTP vs L2TP.

Re: Does ROMON bypass firewall rules?

Posted: Tue Feb 22, 2022 3:41 pm
by bpwl
Just did my tests... PPTP, SSTP, OVPN all work for RoMON.
I have no L2TP set up, but was comparing SSTP, PPTP and OVPN performance for remote management. Just had to enable RoMON for the test.
MTU size is set to 1450 bytes to avoid fragmentation.

Re: Does ROMON bypass firewall rules?

Posted: Tue Feb 22, 2022 9:33 pm
by ocgltd
Very strange. I started TORCH on my wired link and I can see MAC protocol 88bf packets moving between my Mikrotiks (the RoMON packets).

Running torch on my PPTP link I don't see any 88bf packets. Which explains why there is no RoMON connection.

Can anyone explain why? I don't think it's possible to filter out MAC packets... so I'm concluding that PPTP can't transport those packets.

Re: Does ROMON bypass firewall rules?

Posted: Tue Feb 22, 2022 11:10 pm
by Amm0
I'm glad you tried that, because after my research I had concluded that PPTP would only pass layer 3 packets. But if it works for you then those sites must be wrong.

UPDATE: I cannot get the RoMON packets to traverse my PPTP link. Can a 3rd person test to confirm?
Not an expert on the specifics. I think @bpwl used PPTP to connect to the first RoMON agent, but didn't need PPTP for the 2nd link (e.g. your remote router with RoMON but only connected via PPTP). When you do the first "Connect to RoMON" that uses winbox protocols, and it "proxies winbox protocol" via RoMON is my best guess. So since winbox works, "Connect to RoMON" would work for @bpwl's case, but I'm guessing the next router he connected to was using an "ethernet-like connection".

Maybe the rule is: if an "interface type" can be a bridge port (e.g. "ethernet-like"), RoMON will run. Otherwise, no RoMON. Both PPTP and GRE can't be a bridge port. And now that I think about it, PPTP uses GRE - while GRE can transport other protocols, it isn't strictly "ethernet-like".

If that's true, hope for L2TP working – that can be a bridge port. You'd also prevent/solve the new RouterOS message in winbox/CLI:
;;; PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead

Re: Does ROMON bypass firewall rules?

Posted: Tue Feb 22, 2022 11:17 pm
by ocgltd
I'm in the process of switching from PPTP to L2TP/IPsec... once I get Win10 clients working as IKE VPN clients I will cut over. But at the moment I can't get Win10 clients to authenticate with machine certs... another story :)

Re: Does ROMON bypass firewall rules?

Posted: Wed Feb 23, 2022 12:12 am
by bpwl
Not an expert on the specifics. I think @bpwl used PPTP to connect to the first RoMON agent, but didn't need PPTP for the 2nd link (e.g. your remote router with RoMON but only connected via PPTP). When you do the first "Connect to RoMON" that uses winbox protocols, and it "proxies winbox protocol" via RoMON is my best guess. So since winbox works, "Connect to RoMON" would work for @bpwl's case, but I'm guessing the next router he connected to was using an "ethernet-like connection".

The details of my test (192.168.x.y) .... starting from a laptop (2.41) connected by wifi to a hAP ac2 (2.23), which is on the same L2 network as the wAP ac (2.25) with RoMON enabled.
Connect with Winbox using "Connect to RoMON" on the wAP ac (green markings on screenshot). So far only wifi and ethernet are used, all is bridged, and on the same L2 network.

On the same network is also a hEX (2.12) with RoMON enabled (same secret) (orange marking on screenshot). That hEX makes a tunnel to my hAP Lite (tunnel concentrator). The tunnel uses IP subnet 221.0/24 for the 2 endpoints. The tunnel can be changed for testing PPTP, SSTP or OVPN.
The hAP Lite is NOT on the same subnet. It is separated and is on the WAN side of my Draytek router/firewall. The hEX on the LAN side (2.0/24) can reach a device on the WAN side (111.0/24).
If connected to the hAP Lite wifi, nothing on the Draytek LAN side can be reached. There is no L2 connection either besides the tunnel. There is no routing defined over that tunnel.

On the laptop the hAP Lite MAC address is chosen in RoMON Neighbors as given by the RoMON Agent wAP ac (blue marking).
RoMON discover knows about multiple hops by itself. wAP ac -> hEX -> hAP Lite. RoMON passes over ethernet from wAP ac to hEX, and over PPTP from hEX to hAP Lite.
The hEX is not selected at any time. It's the intermediate RoMON device, the 3 RoMON devices have the same secret. No other MT has RoMON enabled.

The PPTP tunnel, just as the SSTP and OVPN did, clearly carries the RoMON interdevice and MAC based traffic. EDIT: NOT! See edit below
The tunnel endpoints are NOT connected to the local bridge in hEX and hAP Lite. The only IP routes are the automatic 'distance=0' route for the connected network 221.0/24.

Sorry to blur some things a bit in the screenshot.
[screenshot: Klembord-2.jpg]

EDIT: this test is not as expected. There is a "forgotten" other path between the hEX and the hAP Lite, not passing over the Draytek router but also using ether1 on the hAP Lite (so same MAC address.) That path is used for RoMON !

Re: Does ROMON bypass firewall rules?

Posted: Wed Feb 23, 2022 12:59 am
by Amm0
Not an expert on the specifics. I think @bpwl used PPTP to connect to the first RoMON agent, but didn't need PPTP for the 2nd link (e.g. your remote router with RoMON but only connected via PPTP). When you do the first "Connect to RoMON" that uses winbox protocols, and it "proxies winbox protocol" via RoMON is my best guess. So since winbox work, "Connect to RoMON" would work for @bpwl's case, but I'm guess the next router he connected to was using an "ethernet-like connection"
The PPTP tunnel, just as the SSTP and OVPN did, clearly carries the RoMON interdevice and MAC based traffic.
The tunnel endpoints are NOT connected to the local bridge in hEX and hAP Lite. The only IP routes are the automatic 'distance=0' route for the connected network 221.0/24.
@bpwl consider myself corrected. All I remember is the PPTP could carry even stuff like NetBIOS and IPX eons ago, so I kinda figured RoMON could/should be too. But yeah it's not like there is some protocol doc on this RoMON, so sometimes hard to know without trying...

RoMON has its own ethertype is about all I know, and it has worked when I tried it, but I never tried it over PPTP/L2TP/any-VPN – since if I have a VPN, in my cases, I also have IP/Layer 3 and can adjust any firewalls for winbox/mgmt stuff (and thus don't need RoMON if that's the case).

Re: Does ROMON bypass firewall rules?

Posted: Wed Feb 23, 2022 1:14 am
by bpwl
But yeah it's not like there is some protocol doc on this RoMON, so sometimes hard to know without trying...
Don't worry, I tried before reading, that was my luck. After reading the googled information on PPTP (wiki, experts, on-line books, RFCs, etc etc ....) I would never have tried it.
There is no mention whatsoever of other protocols, besides these very old protocols IP, IPX, NetBIOS (1970's).

Now I even get the idea to be able to RoMON from the hAP Lite VPN concentrator to my remote hEX/Dude network controllers as emergency entry. (I once locked myself out of one with firewall fiddling, and "Safe mode" didn't help, as it did not drop the existing connection. hEX at 1200km from here). One can always get new ideas on this forum. :-)

EDIT: this test is not as expected. There is a "forgotten" other path between the hEX and the hAP Lite, not passing over the Draytek router but also using ether1 on the hAP Lite (so same MAC address.) That path is used for RoMON !

Re: Does ROMON bypass firewall rules?

Posted: Wed Feb 23, 2022 2:34 am
by Amm0
But yeah it's not like there is some protocol doc on this RoMON, so sometimes hard to know without trying...
Now I even get the idea to be able to RoMON from the hAP Lite VPN concentrator to my remote hEX/Dude network controllers as emergency entry. (I once locked myself out of one with firewall fiddling, and "Safe mode" didn't help, as it did not drop the existing connection. hEX at 1200km from here). One can always get new ideas on this forum. :-)
All the Mikrotik stuff I manage is remote too (and I generally have only LTE or satellite as backhaul). I've been using ZeroTier on the few boxes I can (V7 & ARM = wAPacR in my case), and ZT has been handy as a "backup winbox path". But now I'm used to winbox's neighbors showing all my remote routers, since neighbor discovery works over a ZT network. Since RoMON is on all platforms (and V6), I realized it gives me the same "global neighbors" view in winbox as ZeroTier has given me so far – at least for sites with an L2 tunnel someplace else with RoMON.

But now why your PPTP+RoMON works, and OP's doesn't, is still a bit of a mystery. Although at least with L2TP the red warning in winbox goes away.

Re: Does ROMON bypass firewall rules?

Posted: Wed Feb 23, 2022 3:27 am
by ocgltd
I brought up a L2TP/IPsec tunnel between my sites (in addition to PPTP) - no difference.

What's interesting is that I ran torch on each interface individually, and I see the 88bf packets on every interface EXCEPT the PPTP interface. (L2TP does not create an interface, so I could not test that.)

I don't have any interfaces marked forbidden in RoMON. So I can't figure out why the RoMON packets are not even showing up on the PPTP interface of the sending MT.

Re: Does ROMON bypass firewall rules?

Posted: Wed Feb 23, 2022 12:18 pm
by bpwl
My bad. My bad test. In the long-running transition of replacing the Draytek with the hEX, the hEX also got its own WAN connection, so Draytek, hEX and hAP Lite are in the same LAN of the ISP modem.

Forgot about that "ether5" connection on the hEX, sorry for that, as it is not actually in use yet for all user traffic (only some VLAN).
It answers the question "Does ROMON bypass firewall rules?". Yes it does, as hAP Lite and hEX are connected via their mutual WAN ports and cannot communicate except over the allowed tunnel.

Disabled "ether5" and did the test again ..... Aaaargh .... PPTP does not carry RoMON; the traffic counters I saw were those for SNMP and Syslog from and to the hEX/Dude.
Ditto for SSTP and for OVPN. (OVPN is connectable to the bridge, but not done here.) None of the 3 protocols worked for RoMON discover.

Tried to make an L2TP link over the Draytek between hEX and hAP Lite. Did not succeed, neither with nor without IPsec. There is NAT involved and I see attempts on port 500, not 4500.

OK, next step then. Just added EoIP over the PPTP link. Yep, that worked, and "ether5" IS down this time. Multihop works as well as discovery.
The EoIP tunnel is not a port on the bridge.
[screenshot: Klembord-2.jpg]

Re: Does ROMON bypass firewall rules?

Posted: Wed Feb 23, 2022 2:38 pm
by ocgltd
I'm still early on the learning curve... so please forgive stupid questions... but...

Are you saying that L2TP failed to carry the RoMON traffic? Or that you were unable to test it? I thought L2TP is like EoIP and would pass everything.

Though I don't understand why the EoIP tunnel doesn't create an interface (like PPTP does), so maybe that is what Amm0 means by needing an ethernet-like link for RoMON to traverse. I suppose I could create an EoIP/IPIP tunnel on top of my L2TP tunnel to create an interface... but my gut is telling me that's making things too complicated.

Re: Does ROMON bypass firewall rules?

Posted: Wed Feb 23, 2022 3:37 pm
by bpwl
Didn't succeed in setting up an L2TP (never done this before, maybe just forgetting something small, like a proper L2TP secret with IP address?)
It is initializing, connecting but then terminating.

EoIP is creating a bridge-portable interface: "eoip-tunnel1". Just used the IP address of the far end of the PPTP tunnel for creating EoIP, and tunnel ID = 1.
OVPN also has a bridge-port selectable interface, but is not carrying RoMON multi/broadcast. SSTP and PPTP are not selectable as bridge port.
[screenshot: Klembord-2.jpg]

Not at the end of the options yet. There is also BCP bridging: https://wiki.mikrotik.com/wiki/Manual:B ... _bridging)
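Putting the two findings above together (RoMON frames appear only on Ethernet-like interfaces, and an EoIP tunnel over the PPTP link carried them once ether5 was down), here is how that setup looks as RouterOS configuration. This is an added example for this page, not bpwl's posted config: the tunnel endpoint addresses 192.168.221.1 (hEX side) and 192.168.221.2 (hAP Lite side) are assumed within the 221.0/24 tunnel subnet mentioned earlier, bridge-lan is an assumed bridge name, and mtu=1400 is a choice that keeps the 42-byte EoIP overhead (20 IP + 8 GRE + 14 Ethernet) under the 1450-byte tunnel MTU bpwl mentioned; tunnel-id=1 is from the thread.

```routeros
# Added example (not bpwl's actual config). Endpoint addresses, bridge name
# and MTU are assumptions; tunnel-id=1 and the EoIP-over-PPTP idea come from
# the thread.

# --- hEX (PPTP client side, LAN bridge "bridge-lan") ---
# Both ends must use the same tunnel-id; the inner Ethernet frames (and so
# RoMON's 0x88BF frames) are carried inside GRE over the PPTP link.
/interface eoip add name=eoip-romon tunnel-id=1 \
    local-address=192.168.221.1 remote-address=192.168.221.2 \
    mtu=1400 comment="RoMON carrier over the PPTP link"

# Forbid RoMON by default and allow it only where it is wanted: the LAN bridge
# and the EoIP interface. The PPTP interface cannot carry it anyway, and a
# WAN-side Ethernet path (the ether5 surprise) can then never become a RoMON hop.
/tool romon port set [find interface=all] forbid=yes
/tool romon port add interface=bridge-lan forbid=no
/tool romon port add interface=eoip-romon forbid=no

# --- hAP Lite (PPTP server side) ---
/interface eoip add name=eoip-romon tunnel-id=1 \
    local-address=192.168.221.2 remote-address=192.168.221.1 \
    mtu=1400 comment="RoMON carrier over the PPTP link"
/tool romon port set [find interface=all] forbid=yes
/tool romon port add interface=eoip-romon forbid=no

# --- Checks (either end) ---
# RoMON secrets must match on both routers; the EoIP interface should show
# status R (running) once the PPTP link is up.
/tool romon set enabled=yes secrets="replace-with-the-shared-secret"
/interface eoip print
/tool romon discover
# 0x88BF frames should be visible on eoip-romon but not on the pptp interface.
/tool torch interface=eoip-romon mac-protocol=0x88BF
```

EoIP itself adds no authentication or confidentiality, so RoMON over this path is only as protected as the PPTP tunnel it rides in, and RouterOS itself flags PPTP as unsafe. Moving the outer tunnel to L2TP/IPsec (as discussed in the thread), or enabling EoIP's own ipsec-secret option, is therefore part of the setup rather than an optional extra; with the forbid-by-default port list in place, the only way into the RoMON network from outside is through that protected tunnel.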

Re: Does ROMON bypass firewall rules?

Posted: Thu Feb 24, 2022 4:29 am
by nichky
Just did my tests... PPTP, SSTP, OVPN all work for RoMON.
I have no L2TP set up, but was comparing SSTP, PPTP and OVPN performance for remote management. Just had to enable RoMON for the test.
MTU size is set to 1450 bytes to avoid fragmentation.
Hi bpwl,
I got an OVPN tunnel, and in my case RoMON doesn't work for some reason.
I have to say the ping across the tunnel is around 400ms (because of the distance)
and the MTU across it is 1400 without fragmentation.
any tips?