MikroTik

dot02

you mean, so that non-windows users can stop WINE-ing?

dot02

Indeed! Thanks for the link, I wasn't aware of this feature!

dot02

I did not read any of the replies in order not to get biased. So: 1) Yes, if by "session" you mean what I will describe in point 2. Otherwise, no. 2) I know the "session" concept from Arista. You create a session, configure all the changes without committing them, and at a later ...

dot02

OK in that case, it means that I could use any port for any purpose, because no ports will have the same vlans assigned, and all the traffic will go through the CPU anyway. Therefore, it might be best indeed (and also to keep it visually coherent) to use ports 1-5 for LAN, 6-10 for DMZ and 11-13 for...

dot02

But the second you cross a VLAN boundary, it goes through the CPU, full stop Ok, so that means that even inter-VLAN routing is ALWAYS done on the CPU, no exceptions (e.g if vlan 10 and 20 both belong to the "LAN" Port-group, and both are exclusively tagged on switch1 (for instance port 1 ...

dot02

ok, so in this case you would setup LAGs with 1 port on the 1st switch and 1 port on the other switch?
Do we know how the RB1100 will select which port it uses to send out traffic (like built-in priority for ports able to communicate without running over the CPU)?

dot02

Oh, I see! Well that will never happen. Backups will stay in the internal network, and the whole traffic is running over the internal Firewall. The mikrotik will never see such backup traffic, unless it is for inter-site backups (and it that case, it will use encrypted tunnels over the WAN port). Bu...

dot02

And, while likely LAN-to-LAN might be infrequent... but always possible you'd have HUGE backup/restore over LAN and that's when HW offload ports be handy SO that doesn't overwhelm the CPU if it did happen.

hum...I don't catch your thought, could you re-explain to me what you mean?

dot02

Will LAN hosts communicate between each other? very few. it's anecdotic. The Mikrotik routers are edge routers, and what I've defined as "LAN" segments are actually a transit to the inner firewall, which handles the inter-VLAN LAN traffic. There are a few exceptions but we're talking abou...

dot02

They're dated sure. RB1100AHx4-Dude has 2 x M.2 slots to use as a disks... Plus more ports than RB5009 & redundant power supplies. And at least ARM, so runs ZeroTier. Everything has a use. Indeed. Dated doesn't mean outdated. I completely agree: if it works and fits the needs, why changing it? ...

dot02

the RB1100AHx4 does not have HW offloading from the CPU, but still had HW acceleration to offload some tasks from the CPU (sorry, I wasn't clear): https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration This will be perfectly fine for my needs, as the RB3011 are already "almost&quo...

dot02

Hi fellahs, I just bought a pair of RB1100AHx4 to replace RB3011 routers, especially to be able to do some HW acceleration for AES-GCM/AES-512 as the 3011 CPU’s were redlining most of the time. Before assigning the ports on the new RB1100AHx4, I had a look at the block diagram here: https://i.mt.lv/...

dot02

These missing transistors look like a simple voltage supply regulation with no negative feedback so that the fan does not cause any interference with nearby circuitry. But it could also be for a LM7805 voltage regulator IC (also 3 pins)...That would require some advanced reverse engineering. Therefo...

dot02

OK I found a fan in my garbage. Sunon MF30060V21000UA99 (30x30x6mm)

connection.jpeg

fan.jpeg

Works like a charm. For the moment the fan is blowing the hot air out of the case but it might be better the other way around. I will monitor it to see which way is better.

Enjoy!

dot02

Here are the pictures: Full board: board.jpeg Power section detail: detail.jpeg now, after several tests, I would suggest not to tap one of the DC input PSU's connectors (the white ones). Even though it supplies 24VDC with more than enough current to power bith the board and the fan, these 2 inputs ...

dot02

You have a good point here: Product lineup strategy has a big impact on the dev of LTE vs. stable releases. As Mikrotik is one of the only companies that has both professional and power-consumer devices in their lineup, the users in both cases may have diverging opinions on what's most important. Mo...

dot02

well, development of ROS 6 seems to have stopped by end of 2021, which explains why there is no need for new bugfixes for the long-term: because no new features have been added, most bugs were already fixed in the latest 6.48.6. But it is still fully supported, from the public info available. As you...

dot02

alright, these are internal, strategic decisions which have to be taken, and you guys certainly have good reasons to do so. At long as these strategic choices are communicated to the customers, there's nothing to argue about. Now, my 2 cts (but this is only my personal opinion): I would be very sad ...

dot02

Firstly, "doing so because everyone else does" is not an argument! It does not become the truth just because it is the most popular option. Secondly, it is (sadly) true that because the Time-To-Market was significantly reduced over the past 2 decades, testing is done more and more on the c...

dot02

Hi Normis, It's only a name. If you think 7.8 is stable enough to be called that, just use it, no matter what it's called :shock: C'mon man! I can't believe you just wrote that! Please tell me you had a gun pointed at you and you were forced to write that! :shock: It's not "only a name"! I...

dot02

Honestly, I can understand that testing takes time, especially for a completely new release like the 7.x. If they published a long-term version that was not stable enough, we would be among the first to complain. But it's the lack of communication/roadmap in this regard that I really don't understand.

dot02

by mkx » Wed Jul 20, 2022 5:26 pm I'm sure some slightly more recent version (e.g. 7.2.3) will appear as long-term soon enough. ...Well.... :lol: More seriously, it there any plan to release a long-term 7.x any time soon-ish (let's say, in 2023) or at least a roadmap? We're getting more and more pr...

dot02

okay, in that case, that may not be worth the trouble just to add a fan. If the router is sold fanless and there are no feedbacks or complaints about hardware failures, I think I'll leave it as it is and forget about it.
If the designer of the board reads this, however, feel free to drop in

dot02

Well there's a big difference between both approaches. A fan controller has some logic to drive and control the fan (temp control, fan RPM monitoring, etc.). And it has been made clear that the PCB doesn't have that, and that's perfectly fine. This doesn't mean that the board couldn't have a simple ...

dot02

Hi, just a quick question as I was also planning to add a fan to the enclosure of my RB1100AHx4's: on the PCB tabs labeled "FAN", there is no voltage whatsoever (I was expecting +5V as labeled). I read above that the PCB doesn't have a fan controller, which is not a problem, but why is the...

dot02

Thanks for the feedback! Indeed, the SIP service port function should be disabled. That's actually an issue I had myself when setting up my networks (setup quite similar to yours). If you were using the same ROS version on the Hex S, then yeah, you should have a close look at the FW rules, chances a...

dot02

could you post the parts of your config regarding ike, ipsec and firewall?

dot02

I would try to start with an explicit inbound rule on site B router, which allows Winbox connections. Try that and see if you have matches on that rule.

Are the IP's you get public IP's or CG-NATed?

dot02

As promised, here are some pics of the installation of another LTE6kit (RBLDFR&R11e-LTE6) on a remote site (hangar) near Ham-Sous-Varsberg, France. Same dish (Kathrein CAS06 with special die-cast LNB adapter). It is a 60mm mount, with the anchor bolts chemically sealed into the concrete wall for...

dot02

This LDF LTE6kit (RBLDFR&R11e-LTE6) is used for 4G backup as well as for testing&staging (simulating remote sites to be deployed). It is installed on a professional Kathrein CAS06 dish with an LNB adapter, as the Kathrein attachment is a propriertary clamp. Besides the Mikrotik LTE6kit, the ...

dot02

Did you get a feedback from them yet?

dot02

Yes I would be interested too!

dot02

We are running on 7.5 only to have a standardised deployment across all devices, but waiting desperately for a 7.x long-term version to be released. I'd really like to know that is holding back... I agree with r00t, as long as: There are no security issues the release is still officially supported W...

dot02

Hi,
even though this post is nearly 10 years old (and some other posts on this topic are even older), could you confirm that ad-hoc Wifi mode is still unsupported on MT devices. especially on the mAP lite?

Cheers
Denis

dot02

Hey Guys, I was thinking, what about a really small, pocket-sized mobile router? Let's say with following parameters to start with: very small enclosure, about the size of the mAP lite if possible 1 SIM slot Wifi 1 usb port (for PWR) 1 ethernet port (for PWR/data). Not even sure if the ethernet port...

dot02

Same here. We'll try to set it up and will report here as we progress.

dot02

Hi all, I was doing some performance tests on a pair of RB3011UiAS-RM running ROS 7.5. I have a GRE/IPSEC tunnel between both devices over a 1GB WAN link. The /ip ipsec profile looks like this on both devices: dh-group=ecp521 dpd-interval=5s dpd-maximum-failures=3 enc-algorithm=aes-256 hash-algorith...

dot02

I've solved it last night. It is working like a charm now. Even if it is a bit off-topic as it deals more with the PFsense config than the MT, I'd like to share my findings in case someone else is running into a similar issue. The issue in my setup (2 gateway IP's on the same transit subnet) is, as ...

dot02

@Znevna: well it's quite easy. VLAN100 is a transit VLAN. On the Pfsense, I have 2 gateways set. GW1 to the Cisco router and GW2 to the MT. Each rule has automatically GW1 set as the default route (that is default Pfsense behaviour), unless you specify it otherwise (on a rule-by-rule basis, or via p...

dot02

Here's a quick drawing of the setup: Screenshot 2023-01-03 at 12.54.44.png while looking into the captures again, I think I found the cause of the issue. This one is with sdst-nat and src-nat on the MT. From the dst field of this frame (this is the SYN,ACK frame) we can see that the frame is sent to...

dot02

Hi Znevna, thanks for your input, I might need to add some more details to give you more insights here indeed: you didn't replace anything. You just added extra stuff to the existing setup (which was already double nat): Not exactly. The MT will eventually replace the Cisco router. The MT is the new...

dot02

I made some additional investigations, and found something interresting... the setup is as follows: Client is somewhere on the internet (another public IP) Test server behind the PFsense Captures are made on the PFsense, transit VLAN to the Mikrotik 1) Capture with DST-NAT + SRC-NAT on the Mikrotik:...

dot02

I managed to find a couple of minutes to create a test VM on the transit vlan between the MT and pfsense. And indeed, it is perfectly reachable from the outside world using only dst-nat, and no src-nat. When I move the VM on a vlan behing the pfsense, I need dst-nat to be able to reach it from the o...

dot02

I agree. This is why I tried 2 different ways (but with same results). As a starting point, I had the Cisco as the def GW from the PFsense's perspective. Then I did: 1) specifying MT as the gateway for packets coming FROM a specific source (mailserver). The traceroute + packet captures did show that...

dot02

That was my first clue, too, but the fact that the traffic over the old WAN/Cisco (also DST-NATed) works flawlessly. this is what I don't understand. I think I will put a test web server in on the transit VLAN, so that I can test reaching it from outside over both WAN links (MT and Cisco), without t...

dot02

all vlans behind the pfsense have their default route pointing to the Pfsense The Pfsense has 2 WAN links, the old one over the cisco router (waiting to be decommissioned), and the other one over the Mikrotik. The PFsense has no dynamic routing, only a few static toutes for sites connected over VPN....

dot02

Hi all, I have a RB3011 with ROS7.5 running as an edge router. Behind it is a pfsense FW via a transit vlan (172.16.100.0/24), and behind that FW, a mail server on one of the PFsense's legs (mailserver=172.16.15.11). The Mikrotik does the NAT-ing between the internal 172.16.0.0/12 networks and the p...

dot02

The error messages vanished after I checked and adapted the MTU on all GRE interfaces (no errors for over 2 weeks). I don't really understand why MTU settings would trigger a DPD error, but it works now, that's the most important thing.

dot02

+1 for ospf mtu-ignore from my side too...

dot02

Hi folks, I am running into a issue and your input would be much appreciated. To make it simple, I have 3 MT routers with GRE/IPsec (IKev2) tunnels in a triangle. router A: RB3011, ROS 7.5, static public IP address router B: RB3011, ROS 7.5, static public IP address router C: LDF LTE6kit, ROS 7.5, d...

dot02

In your case I'd definitely go for an outdoor device. I personally use the LDF LTE6 kit (ref. RBLDFR&R11e-LTE6), it does support PoE (both passive and "real" 802.3af/at). You can try to point it directly to the BS with no additional hardware, but as you are not quite close to it, you'd...

dot02

Another cool feature would be to add a timer (In a separate script to give the admin some flexibility) that would disable Wifi after a hard-timeout. After 6 hours for instance. The button could still be used to switch wifi on/off manually with the current script, but if the user leaves the site and ...

dot02

Much appreciated, thanks (I'm serious, this is not sarcasm!). I'm really bad at scripting, and even if I was good at it, I would still appreciate comments and improvements!

dot02

Your script works very well, too, so I switched to this version too. thanks!

dot02

comments are welcome to improve the script! However, the script does work as it is.

dot02

For those interrested in using the button on the mAP lite for turning Wifi on/off on the mAP lite, I modified kelner's script slightly (the button to use is the reset button in this case). Also, you only need a short push (less than 1s) for turning wifi on/off. The LED already reflects the Wifi stat...

dot02

I can confirm, it works! thanks a lot for your hints, I would never have found the solution myself. so, to sum up for others who might have a similar issue: the key is to configure an IP address directly on the interphace (physical ethX or LAG, if any) for the native VLAN, but NOT creating a VLAN 1 ...

dot02

thanks for your reply and hints. You are right regarding the bridge ports in my config. They aren't used...yet! But I need those to setup a Loopback interface which in turn will be used for OSPF and GRE/IPsec tunnels, which will happen in the next couple of days. So I will be needing these bridge po...

dot02

Thanks for your help, guys. Yes, the show-sensitive parameter was already set to hide sensitive data a while ago. I don't remember if the switch was made between 6.x and 7.x release, but it quite likely. I think it was around that time. I stripped the really unrelated lines of config (LCD screen, NT...

dot02

Hi team, I ran into an issue that I am apparently not the only one to have. On one site, I am currently migrating from a Cisco edge router to a MT RB3011, v7.5 stable. eth4+5 bundled as a LAG to a switch, with a trunk on top of it (several tagged vlans, e.g. vl100 (transit VLAN to the “inside” firew...

dot02

Why complicate things if the function already exist... 1) to protect our jobs by adding an extra layer of obscure complexity 2) to make us feel important by configuring stuff that looks impressive when your boss is looking over your shoulder 3) just for the fun of it because we're engineers 4) beca...

dot02

I also confirm the script above works well. I wanted to enhance it and to only reboot it when the SMS message was a specific string, e.g "reboot". #Replace with the authorised phone number :local phone "00000000000" :local rebootSmsMessages [/tool sms inbox find where phone=$phon...

dot02

Here's one of my builds: 3011 (1).jpg 3011 (1).jpg On the mainboard side, be sure to use a soldering iron with at least 50W, especially on the "ground" side, the heat is dissipated across a large area, so you want to be able to heat the soldering point in a few seconds. For those who wonde...

dot02

Hi c2h5oh, with which MT device are you using the Quectel EM12-G modem? Is the integration seamless? Is it stable over time or to you need to reset the modem regularly? cheers, Denis

dot02

Hi, this post seems outdated, but just for the record, in case anyone wants to ask the same question... The LDF LTE6 kit is designed for offset dishes, however we are currently doing some labs with PFA antennas (Prime Focus Antennas, i.e. central-fed, real parabolic dishes with modified feedholders)...

dot02

But of course! Multicast! How could I have overlooked that?! As mentioned in the beginning of this topic, I made a boo-boo... I just corrected the FW rule and the adjacency came up almost immediately (actually, I still had to do a small correction on the MTU size of the GRE interface for the state t...

dot02

Indeed, as you say it's not that straightforward. I think it might be better I try to replicate the config in a lab.
Gimme a few days to put that together.
Cheers

Denis

dot02

I implemented the OSPF setup while running 7.3, and it didnt work either. After an upgrade to 7.4 (current situation) as we could see it, it still doesn't work. When I was running 6.x (which was long ago), I didn't have any OSPF config yet, so I have no experience to share on this release. I will tr...

dot02

On both sides, the FW counters for the input as well as for the output chains for OSPF are 0 packets. That means that the OSPF packets not only don't reach the other router, but they don't even leave the local router. (At least, as a tiny consolation, it seems logical that the packets never reach th...

dot02

Oh sorry my bad, I was too quick. Thx for the editing!

dot02

sure, no problem. here's the HQ config: # jul/22/2022 17:19:03 by RouterOS 7.4 # software id = GTSP-YUM6 # # model = RB3011UiAS # serial number = <HIDDEN> /interface bridge add name=loopback0 /interface ethernet set [ find default-name=ether1 ] name=eth1-WAN set [ find default-name=ether4 ] name=&qu...

dot02

Hi Alex, thanks for your hints. I already had such rules on both ends for debugging, and I have no incoming OSPF packets originating from the other side. I even have an output rule for OSPF, and the funny thing is that I don't see any outgoing packets as well. From that perspective, it is logical th...

dot02

Hi fellahs,
any idea on this matter?
cheers
Denis

dot02

I don't know if this topic is still relevant as it's been open for quite a while, but anyhow, as a RBLDFR&R11e-LTE6 owner and user here's my feedback on the subject: 1. Which LTE Category you are interested in most - CAT6, CAT7, CAT9, CAT11, CAT12, CAT16 or some other? CAT7 or 12 would be great ...

dot02

Hi, have you figured it out yet or shall we look into it?

dot02

Hi Guys (and Girls), I think I have a boo-boo in my config. I am trying to get OSPFv2 working over a GRE tunnel. The tunnel works just fine between 2 locations and static routes: 172.20.0.0/16 ---R1--- GRE=172.30.2.1/30=========172.30.2.2/30---R2---172.18.0.0/16 OSPF is configured correctly (I think...

dot02

Thanks for your reply. To answer your questions 1. all the other VLANs have static IP’s, DHCP is not needed. And even the existing DHCP config is temporary, another DHCP server is being staged and will be ready in a couple of weeks. 2. Bridge filter: This was part of an old config as far as I can re...

dot02

My thought was to have the management port completely separated from the data traffic. I might change the design in the future, though...

dot02

Here we go. the OSPF config is in progress, please ignore that part completely. My issue regarding the reachability of the eth10/vlan2 IP is unrelated to the OSPF config in progress (which I only started 2 or 3 days ago). The FW rules are also being staged (a lot of try&guess) as I was tshooting...

dot02

Hi all, I have another question, I am overlooking something very simple I guess. I’ve set up my RB3011 with several VLANs. They are all connected to the network via trunk, which is linked to a port-aggregation (eth 4+5) In parallel, I have eth10 acting as a management port (VLAN 2 - 172.20.2.0/24) h...

dot02

niiiice, it was the mode config indeed! now my IPSec SA's are up! The GRE is up&running as well, I used the following parameters: GRE interface config HQ router: local address: Loopback address HQ (172.20.0.1) remote-address: Loopback address 4G (172.18.0.1) GRE interface config 4G router: local...

dot02

I played a bit with the configs and it looks promising. policy: peer=anyone src-address=172.20.x.y/16 dst-address=172.18.z.t/16 If I use lookback interfaces (bridge with no physical interface linked to it, and 172.20.0.1/32 on HQ side ; 172.18.0.1/32 on the 4G side), The IPsec policy should look lik...

dot02

Alright, now I think I get it! Thanks very much for the detailed explanation! At first I didn't realise that my current setup has to be considered as an exception due to the fact that BOTH gateways had public&static IP's. And frankly, after having configured dozens of IPsec tunnels over the year...

dot02

I'm lost... I tries that config yesterday but the ipsec tunnel still doesn't establish. I compared your config with another (ikev1) config I have on the HQ router (which is running rock-stable for weeks) and it is the other ways around: /interface gre add allow-fast-path=no mtu=1300 name=gre-tunnel1...

dot02

are you sure about the src-address/dst-address vs. sa-src-address/sa-dst-address? I'm pretty sure it is the other way around: the SA (as the name tells) deals with the security associations, so the addresses in the PRIVATE range. The src/dst-addresses however are used in the IPsec policies to CREATE...

dot02

Thanks for the feedback! the identity settings must match each other, i.e. the remote-id of one peer must match my-id of the other peer Sure. But can I put a different ID for each side, for instance: Site A: my ID=fqdn ; remote ID=key_ID Site B: my ID: key_ID ; remote ID=fqdn I have valid fqdn's for...

dot02

Hi guys, I'm struggeling setting up a VPN (MT to MT) between a main site (public DNS record and static IP) and a remote site (4G) which is behing CGN, and of course it has a dynamic IP in the 10.64.0.0/10 range. The should not be a problen since I have a script that updates the DNS record according ...

dot02

good to know! The script does update 100.64.0.0/10, though.

dot02

Thanks! Your version looks much cooler indeed! I'll update my router this evening! One question though. If we look at these lines: :local ovhresult [/file get "OVHDynDNS.$ovhddnshost" contents] /file remove [find where name="OVHDynDNS.$ovhddnshost"] is this file only stored in th...

dot02

nope, no hidden chars. You only need to adapt the 1st few lines according to your OVH subscription. You onky need to be careful on the OVH format (which you get from your OVH dashboard). Let's say your dynamic sub-domain is plop.mydomain.com, then it should look like this (be very careful with the l...

dot02

sorry guys, I didnt see there were replies. Here is an updated version of the script that updates the real Public IP, even if your router is behind CGNAT , I tested it and it works. Comments are more than welcome if anyone sees anything that could be improved. :local ovhddnsuser "<OVH_USERNAME>...

dot02

Hi, the script works great as long as the IP address on the WAN really is a public IP. In my case for instance, I have a remote site router behind CG-NAT (LTE connection thanks to a MT LDF LTE6 kit), so the IP I grab is a NAT-ed 100.64.0.0/10, which is to be expected since this is the IP that the IS...

dot02

Here's a working example of a Mikrotik - Cisco IOS site-to-site VPN. I hope it will help some of you who, like me, struggled to make it work. You have to use GRE tunnel mode, I was unable to make transport mode work! MIKROTIK SIDE: /interface gre add allow-fast-path=no mtu=1300 name=gre-tunnel1 remo...

dot02

GRE is in tunnel mode for the moment. I will check tonight is I can put it in transport mode or if it fails. I don't yet know which one I end up using in production. IPsec is taking care of the encryption between the public IP's of both endpoints and I don't NAT anything on these interfaces, so it s...

dot02

SOLVED! Alright, I found the problem: It was indeed an issue between the generic GRE implementation used by MT and the based-on-GRE-ish VTI implementation by Cisco. this works: interface Tunnel1 description TUNNEL TO MIKROTIK ip address 172.30.1.1 255.255.255.0 ip mtu 1300 qos pre-classify tunnel so...

dot02

@Sob: well, that depends of where you come from! Im my case it's the opposite, I am quite comfortable with cisco IOS as I've been working with it for 15+ years, and it's the MT RouterOS that I find less intuitive. The good thing is that the more you work with different vendors, the more comfortable ...

dot02

@Sob: yeah, good idea, indeed as the original config was 100% fine, it might be a good idea to keep it as it is and to check on the MT side. Is there a way to display the logs on CLI? I looked into the config again, and maybe I have a hint: Here's the config of the Cisco that is the other endpoint: ...

dot02

On the cisco side(ipsec debug), I see packets from MT => Cisco coming in:

#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
no errors listed....

dot02

No luck so far, The only way to get the GRE tunnel UP/UP is to put it in tunnel mode, not transport. Regarding the ACL's on the WAN interface, I don't get any matches on the GRE-specific ones. On the Cisco side, I see the GRE tunnel flapping regularly, and also on the MT side I see the IPsec SA's be...

dot02

I made rthe following modifications on the Cisco side: crypto ipsec transform-set TSET_MIKROTIK esp-aes 256 esp-sha-hmac mode transport # ACL's on the WAN interface: ip access-list extended INBOUND permit gre host 2.2.2.2 host 1.1.1.1 [...] ip access-list extended OUTBOUND permit gre host 1.1.1.1 ho...

dot02

I've added the transport mode, the GRE tunnel comes up, and I have a route in the routing table, seen as "directly connected" as it should: 172.30.0.0/24 is subnetted, 1 subnets C 172.30.1.0 is directly connected, Tunnel1 However I can still only ping my local interface (.1), not the remot...

dot02

Thanks for the hint about Winbox. Indeed I was using the webGUI instead. I will check with Firefox tonight and see if I can type in a different protocol.

I have access to the Cisco router from here, so let me try to change the transform-set to transport mode right away...

dot02

this is what I mean: crypto ipsec transform-set TSET_MIKROTIK esp-aes 256 esp-sha-hmac crypto ipsec df-bit clear ! crypto ipsec profile MIKROTIK set transform-set TSET_MIKROTIK set pfs group5 ! versus: crypto ipsec transform-set aes-sha-transp esp-aes esp-sha-hmac mode transport ! crypto ipsec profi...

dot02

You can type in the drop-down list in the GUI Definitely not! I cannot enter anything else then what is already in the list. Neither the name of the protocol, not the corresponding protocol number. It could be linked to the browser I was using, I tried with Safari yesterday, but I'll check with Chr...

dot02

Here's the config of the Cisco that is the other endpoint: ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 5 lifetime 3600 crypto isakmp key <same key as on the Mikrotik> address 2.2.2.2 crypto isakmp keepalive 10 periodic // I also removed this for the test yesterday ! crypto ...

dot02

Hi Guys, yes I saw that once entered via CLI, the GUI shows the protocol you entered, I just find it very weird that you have a limited choice from the GUI and that you can't even enter a protocol or protocol number from there as it is a drop-down list to choose from. That feels like a bug to me. bt...

dot02

Interestingly, it turns out that the protocol=gre option is only available through CLI. From the WebGui, you can only choose among all, egp, ggp, icmp, igmp, ip-encap, ipsec, tcp, udp. I modified the entry according to your suggestion (via CLI - and the config is properly reflected on the GUI too), ...

dot02

This is my config, at least the relevant part. 1.1.1.1 and 2.2.2.2 are the public IP addresses on each site (MT=2.2.2.2, HQ=1.1.1.1) ===== STARTS HERE ===== # apr/12/2022 19:52:55 by RouterOS 7.1.1 # software id = GTSP-YUM6 # # model = RB3011UiAS # serial number = xx /interface gre add allow-fast-pa...

dot02

Hi, what I wrote was probably misleading. Of course what I have configured is like your 2nd drawing: MT IPSEC (------GRE tunnel------) IPSEC CISCO I agree with you, the first drawing makes no sense and is not secure as data sent over the GRE wouldn't be encrypted in that case (Good thing to point it...

dot02

Hi all, I've come a long way since my last question in this forum. While I'm still on the beginning of the learning curve, I start linking MT more and more. However, I am stuck in what I believe is a configuration or even misconception of how some things are done in the MT world. I read several othe...

dot02

Hi tdw, and thanks for your reply. Well, what I meant by “Out-Of-Band” is a independent Network port which is hard-wired for management only can cannot be used for something else (e.g. routing or traffic processing). I admit that for most scenarios this means “wasting” a port for management only, bu...

dot02

Hi folks, I am completely new to the Mikrotik world, but not quite new to the Networking world (10+ years as a Network & Security Engineer, Cisco and Radware Certified, etc.) While playing with my new RB3011 (FW 6.46.8 - I can’t upgrade to a newer release as they don’t support/recognise the SFP ...

Search found 112 matches