MikroTik

sas2k

Wireguard will not help.
I tried unsuccessfully.
Xtls reality works fine .

sas2k

Hi everyone, Someone more familiar can you tell is it already available the following: - fetch the latest data from RIPE (most secure place) - https://ftp.ripe.net/pub/stats/ripencc/2024/ - rewrite the file compatible for Mikrotik way - something like "add address=1.0.0.0/24 comment="Unit...

sas2k

Dear Friends !
I've broken down wifi (2.4+5) antenna on hap ac3.
What is spare part exact name\code ?

"MikroTik HGO-ANTENNA-OUT" looks like what I need.
Is it proper antenna ?
https://mikrotik.com/product/hgo_antenna_out

Thank you !

sas2k

Hi mates, honestly I don't understand why I have to loose so much time to create a VPN for Windows, the videaos in youtube shopw it's so easy to do, most of them using the same sequence of instructions, create a new pool, then a secret on PPP, a profile, and finally assign it to the L2TP server, wh...

sas2k

1) Have you ever used Sessions? (default ones are <own> and <none> and you can make more) 2) Describe in a few words, what you think they do 3) How could we supercharge this feature to actually be useful for everyone? 4) Does the name Sessions actually convey what this feature is meant to do? 5) Af...

sas2k

then look at the hapax3

Is there a possibility to manage old CAPSMAN with hapax3?

sas2k

Hello every1! The lightning struck our office building and ate my old RB2011. Unfortunatly this is where i ran my Capsman server. I have 6 wap ac r2’s as AP’s and they did survived the lightning. Im thinking that i perhaps shouldreplace the RB2011 with the newer L009. Without doing any research(to ...

sas2k

Dear did u know I use this ports dst-port=3478,34784,45395,50318,59234,5222,4244,5223,5228 for Whatsapp call with the help of wireguard I did not get the message or question. Please explain. ps - for past 3-4 years I visit one gulf country 1-2 times a year. I tried ipsec\wireguard\ovpn, everything ...

sas2k

Please make configuration for me I will just copy paste in mikrotik terminal please 🥺 Method 1: add action=fasttrack-connection chain=forward comment="fasttrack not tunneled" connection-state=established,related disabled=no hw-offload=yes in-interface=bridge1 out-interface=ether1 add acti...

sas2k

You should only fasttrack "outer" traffic, not marked for wireguard Two ways. 1. Simple one. Create 2 rules for fasttrack, just like default one. But specify in\out interfaces as ether1\bridge1. And vice versa. 2. Mark new connections for wireguard. Fasttrack 'no-mark'. Lots of examples. ...

sas2k

Thanks!!! it seems to be better, I get around 120Mbps...

How to be sure that it uses Hardware encryption?

Do you use mangle or hard routes?
Mine hex s with mangling works at approx 100 mbit.
I had to buy 4011 to get higher speed.

Try to use wireguard. Is a bit faster.

sas2k

Hi everyone! I'm running L2TP VPN Server on Mikrotik CHR over 1Gbps/1Gbps connection. I'm running L2TP VPN Client on Mikrotik HEX S over 400Mbps/50Mbps connection. I get slow VPN Speeds on VPN at about 100Mbps. I know that it should related on IPsec encryption but I d'on't kown what exactly to chan...

sas2k

Hello dear scientists. Is it possible to use 2 remote vpn ipsec at a time to balance access thru vpn to internet ? I use mikrotik as an ipsec client. Remote ipsec is a vpn\vps to access internet. I use mangle: /ip firewall mangle: add action=mark-routing chain=prerouting dst-address=!192.168.0.0/24 ...

sas2k

What I would like to achieve is a domain-based VPN: some domains are resolved, their addresses put into lists, these lists used by mangle rules to route traffic through VRF. I use domain based vpn with mangle (mark routing). Additionally you have to add ip-route rule to route (what you marked with ...

sas2k

VPN slowed to 180 Mbps or 22.5 MB/s.

I think 180 mbps pretty decent performance for mt7621a.
Its official test performance for aes-128-cbc +sha256 at 1400 mtu is 472 mbps.
I use 750gr3 for ipsec with mangling , I ve never seen speed more than 120 mbps with it.

sas2k

hap ac2 has got 6.49.10, bios update is done. Unable to upgrade to 7 via winbox. Tried system-packages - check for updates, upgrade channel, download + reboot: Useless, Router reboots as 6.49.10. Tried uploading arm file to root folder and reboot: Useless, Router reboots as 6.49.10. router is remote...

sas2k

both chr . i use l2tp v3 Licenced? Mikrotik over chr without licence limited to 1 mbit! On the vpn side I use 1 cpu, 512 ram, 5 gb hdd ubuntu + libreswan Setup simple like this: https://github.com/hwdsl2/setup-ipsec-vpn On the client side I connect mikrotik devices as l2tp v2 ipsec client I use cip...

sas2k

are going through mangle and tunnel and this reduces the surfing speed . I use same approach with mangle, ipsec tunnel, country ip list , but I managed to get speed of tunnel approx 190mbit\150mbit download and upload . So it is almost as fast as isp. What is the bottleneck in your case? What kind ...

sas2k

What is the temperature of cpu (system health) and temperature of sfp (inside sfp interface, ddm data)? How hex-s is powered? Poe or standard ac-dc? My experience with several years of using it, tells that it overhits (cpu 55 C) because of sfp (60 C) and because of poe (poe adds 5 C to mentioned). ...

sas2k

New problem with DoH. "Verify DoH certificate" was always on. " /certificate/settings/set crl-use=no" was set after update to 7.12. rb4011, after reboot some sites are resolved, some not! For sure before each test I make DNS cache flush. My Config : /ip dns static add address=192...

sas2k

I need an help or more ides!!!
Thanks!!!!!!

Post your config , mask sensitive info .
There will be rain of ideas ...

sas2k

I failed to get working lots of variants of fasttrack that I tried to study. The default action=fasttrack-connection rule doesn't care about packet direction. Packets belonging to a given connection can either be mangled or fasttracked, not both. So no packet of a connection whose traffic needs to ...

sas2k

Btw why wouldn't it work for the tunnel? If it's already connmarked? I dunno, Im the beginner. There are many things that I unable to understand. I failed to get working lots of variants of fasttrack that I tried to study. You may create your own perfect config and share. I share what I could get w...

sas2k

... @sas2k – I've tried this before, I'd really like to have it with connection marks, so I can enable fasttrack later. As for def masquerade rule disabled, I disable it for testing but yes it should be on for Exclude list to work. No problem to make fasttrack. I made it like this, works excellent....

sas2k

disable this: /ip firewall mangle add action=jump chain=prerouting comment="WireGuard: jump to marking" \ connection-state=new jump-target=mark-connections add action=accept chain=prerouting comment=\ "WireGuard: accept return connections" in-interface=wireguard1 add action=mark...

sas2k

@normis, Do you plan to make BTH available for MT7621A?
Thanks

sas2k

Updated 3 devices with similar config from 7.11.2 to 7.12 stable:

fixed my problems.

sas2k

still have message " dns,error DoH server connection error: SSL: ssl: host name validation failed (6) [ignoring repeated messages]" Let's try temporarily switch off cert validation: verify-doh-cert =no /ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=no The ...

sas2k

Post config (clean up sensitive info)

sas2k

Hi, after setup DoH: /tool fetch url=https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem /certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=”” /ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes /ip dns static add address=1.1.1.1 name=cloudflare...

sas2k

1. Please show your ip routing rules. I think you should add there something like: /ip route add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=wireguard1 \ pref-src="" routing-table=wireguard scope=30 suppress-hw-offload=no \ target-scope=10 2. Your last 2 rules should be mark routi...

sas2k

send your supout.rif file to support@mikrotik.com from 7.12

No problem, but will it help?
I already set "certificate/settings/set crl-use=no", it resolved DoH problem.

sas2k

sas2k, there are no other checboxes. What RouterOS version are you running? Yesterday posted all the fetails: Updated 3 devices with similar config from 7.11.2 to 7.12 stable: 1. Hex s - works fine, including DoH. 2. Hap ac3- DoH doesnot work. 3. Rb4011 - DoH doesnot work, BtH - unable to connect.

sas2k

There is. Go to Certificates menu I checked it before I wrote: 1. It has another name. 2. It was unchecked! 3. When I did thru cli "certificate/settings/set crl-use=no" it helped. Before that this gui item did not work. Why? 4. Behaviour different on rb750gr3 vs hap ac3. Both uchecked in ...

sas2k

For those who experience issues with the DoH service? Is "/certificate/settings/set crl-use=" set to "yes" on your routers? If it is "yes", then do DoH work if you change value to "no"? There is no such item in the winbox gui. Would you be so kind to provide ...

sas2k

Updated 3 devices with similar config from 7.11.2 to 7.12 stable: 1. rb750 gr3 - works fine, including DoH. But no BTH feature. 2. Hap ac3- DoH doesnot work. Update: fixed with cli command "/certificate/settings/set crl-use=no"; 3. Rb4011 - DoH doesnot work, BtH - unable to connect. Update...

sas2k

Post your config

sas2k

... few IPSEC VPN to 4 remote locations with 1 Mikrotik routers and 3 FritzBox routers. ....I tried setting with a "change MSS mangle rule" with a very low random MSS value (1350) and this seems to solve the issue ... How do you make ipsec connection? L2tpclient + ipsec ? There is built-i...

sas2k

I’m currently using HexS and only achieving 100MB Thanks I used hex s for the same with mangle. Ipsec around 90/90, wireguard 130 download and.40-50 upload. Now I use 4009, it heats 200/200 mbit of my isp connection with ipsec/wireguard. My guess you may reach higher speeds with routes. Mangle work...

sas2k

Please, help.

Try netinstall.

sas2k

I’ve turned fast track off, makes no difference. There is a way to keep part of fasttrack with 2 simple rules: If you have wan ip on ether1 ( without pppoe): /ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related in-interface=bridge1 out-interface=eth...

sas2k

Mine does work but at times it can be stuck loading a page for a while when the CPU is barely being used.

You should make 2 rules for mtu clamp.
That is a cure for stuck.

Copy rules here (change the wireguard interface name):
viewtopic.php?t=200017

sas2k

/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=no tcp-flags=syn protocol=tcp in-interface=wg-iface Most of third-party manuals contain only one clamp, with "out-onterface" when mikrotik acts as wireguard client. Now I think I should make 2 rules ...

sas2k

I need either shadow socks or some kind of obfuscated vpn protocol (v2ray, vless, xtls reality, etc...). Shadow socks seems to me more preferable, as it operates separately tcp-tcp , udp-udp, plus socks5 already in ROS. UNFORTUNATELY nowdays most if restictions cannot be resolved with wireguard/ipse...

sas2k

How can I use the full tunnel speed? Thanks Ipsec requires strong cpu. https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Hardwareacceleration You should use hardware acceleration. E.g. top speed for ipsec for 4011 according to perf specs: https://mikrotik.com/product/rb4011igs_rm#fndtn-testres...

sas2k

....my solution was to create a VPN against a mikrotik with a local public IP.....

... Some bank's app gives you an error that your IP is not a local IP. ......

Kind regards

Please post config here, dont forget to clean up sensitive info

sas2k

(CHR 7.11.2)

https://wiki.mikrotik.com/wiki/Manual:CHR#CHR_Licensing

1 mbit if no licence

sas2k

2) Disabled just for the moment, I do not always need the VPN, only if I want to have access to country-level restricted websites/videos I use mikrotik with wireguard\l2tp for the same. I import country ip list: E.g. lets assume your country is Hungary. /tool fetch url=http://www.iwik.org/ipcountry...

sas2k

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related hw-offload=yes 1. you should disable this fasttrack for tests. if it helps, later replace this with 2 rules for better speed: /ip firewall filter add action=fasttrack-connecti...

sas2k

But the speed is only about 3Mbps, not more The hardware is a RB1100 and an RB4011. 4011 is extremely powerful, 1100 is not. I mean old 1100. Ax4 is powerful as well. https://mikrotik.com/product/rb1100ahx4#fndtn-testresults Ipsec requires strong cpu. You should select ciphers appropriate for your ...

sas2k

Another thing I did not understand from Anavs last answer is how the nat rules are affected by adding wireguard_internet to the WAN list, maybe that is related to the problem. If you add wireguard to WAN, it is filtered with your firewall. To prevent this I add wireguard to LAN or I change rule add...

sas2k

Capsman should be avoided for new users or where there is no reason to do so.

In general, mikrotik should be avoided for new users

Today there are many friendly wifi systems that provide new users with capability of setting up mesh with couple of mouse clicks.

sas2k

Hi all. I'm fresh new in here so will ask to understand me and apologies if I'm asking in the wrong place. I have a Mikrotik RB4011iGS+ (call it the first router) and another hAP ac^2 (call it the second router) since the first router does not have wireless, I want to connect the ether10 port of th...

sas2k

Any ideas why fasttrack was an issue here?

Ros version?
I had an issue with fasttrack when using 7.11, but 7.11.2 resolved it.

viewtopic.php?t=198945

sas2k

Boa tarde meus amigos, minha RB estava em perfeito funcionamento, quando resolvi dar um reset nela e voltar a configurar tudo do começo, a placa de rede não está reconhecendo a RB, não aparece no winbox e diz que está como "Rede não identificada", em nenhuma outra máquina está reconhecend...

sas2k

something changed with 7.11.1 Now initial fasttrack rules work fine : add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related disabled=yes hw-offload=yes \ in-interface=bridge out-interface=pppoe-out1 add action=fasttrack-connection...

sas2k

added extra condition (routing-mark=!ipsec), seems works fine: add action=fasttrack-connection chain=forward comment="fasttrack not ipsec" \ connection-state=established,related hw-offload=yes in-interface=bridge \ out-interface=pppoe-out1 routing-mark=!ipsec add action=fasttrack-connectio...

sas2k

, the router was bricked during the upgrade

Could you please specify exact model?

sas2k

Hello Dear Friends! Again my voice is at the door... So I have pretty simple setup. RB4011 (ros 7.11) is connected via sfp via pppoe to internet. RB4011 has got l2tp ipsec client + mangle rule that marks routing for some connections not included in ip addresses list. /interface l2tp-client add allow...

sas2k

It's interesting that the local CAPsMAN can be discovered without that setting if no WireGuard is present but is needed with WireGuard active. Is this something we need to inform Mikrotik about?

There is no old-school capsman starting with hap ax2, ax3....
Get ready for new pain )

sas2k

Hi, I was setting up my three routers (all RB4011iGS+5HacQ2HnD) up with ROS7 from scratch. I started with the IP settings (IP address and DHCP server) and then configured CAPsMAN which worked as expected for my access points (all set up in CAPS mode) and the local wifi of the router. After that I s...

sas2k

Dear holvoetn ! Dear anav ! Thank you for your help! I sold new ax3, bought used 4011, moved ipsec vps to another cluster (ping now 21 ms, was 35 ms) and now I'm almost happy. Speed test 185 mbit (measure at pppoe interface >200) download, 160-175 mbit upload. 4011 still has got capsman interface f...

sas2k

No worries, the requirement is very well explained thanky ou and interesting. Challenges are fun!. How do you know if a dest IP is local or foreign? Do you simply use whitelists etc........... how often do you update them?? Seems like a daunting task for an individual to take on. Dear Anav, I use t...

sas2k

You know what you need best, my point is that for a single subnet, there is no need to decrease throughput due to mangling or at least negate the faster processing due to enabling fastrack. Good plan to equalize the speed of internet connection to the same capacity as your VPS. I still dont get why...

sas2k

I use mangle as I need to compare with ip address list. That tells me nothing concrete. There is nothing in your config that does any comparing!!! What are the traffic flow requirements for wireguard. a. do you have external users coming in? OR b. do you have only some users that need to go to the ...

sas2k

Check test results page for AX3 and see which combination they use there for IPSEC testing. Not all combo's are possible (yet ?) for HW offload on IPQ-6010. At least you will then have the same base to compare. PS and wireguard is faster then IPSEC :lol: Dear Holvoetn, Wireguard faster indeed, but ...

sas2k

Did you try wireguard vice ipsec? Why are you mangling? Why are you using fastrack since you are mangling? Hello Dear Anav, Thank you for helping. Tried wireguard on all devices: 760igs, 750gr3, ac3, ax3. All produce low upload. Ax3 wireguard produces 180 download, 60 upload. Ac3 wireguard produces...

sas2k

Seems I should consider of buying hap ax3 !

bought AX3 and tested.
New Unexpected Problems
viewtopic.php?t=197688

sas2k

Hello Dear Friends. I use 760igs as internet (200\200 mbit, pppoe , mtu 1492) fiber router (7.10.1), and its speed as ipsec client (mtu,mru 1400) using mangle - mark routing was approx 90\80 mbit download and upload. Seems this mode (using mangle - mark routing) requires strong cpu, so I tested HAP ...

sas2k

Use a decent CPU and your bottleneck will almost always become your internet connection at which point the whole HW offloading discussion becomes useless. borrowed hap ac3 for tests and connected it as a dhcp client after 760igs, which is fiber channel wan device. 1) l2tp ipsec client to same vps -...

sas2k

7.10beta5: ipsec - added hardware acceleration support for IPQ-5010 (hAP ax lite)

@holvoetn
If you are bored and don't know what to do... can you do a performance test?

Dear friends,
Is there any information regarding ipsec hw acceleration for this device?
Thanks.

sas2k

Hi @sas2k (Alexander), I have the same issue with wireguard upload speed but in my case the difference between download and upload far higher because my ISP provides me more speed. My setup is quite simple, in one city I have HAP AX3 (500/500 link) and in another RB4011 (1G/1G), overall 10ms latenc...

sas2k

The "drop all at the end what is not already allowed" rule makes the list completely useless My only goal of using lists: to access local addresses directly + to access foreign addresses thru vpn. (Local isp block my access to foreign sites + Local sites block foreign access , perhaps due...

sas2k

When the lists are updated...

Will you please make an advise, how can I find updated lists?
Thank you in advance.

sas2k

The user already have one reply...

viewtopic.php?p=1004654#p1004689
Sorry, but now (from 8 May...) Youtube use TLS 1.3..... and not only TCP....

Indeed, just checked up - tls search for *youtube* works unstable now.
But region ip list still works fine

sas2k

*occasional dub post*

sas2k

1. Ip-firewall - Filter rules tab, fastrack rule should be disabled! 2. Your mangle rule with adding to address list better works since v7 as RAW rule. Simply do same at the Raw tab. 3. Why do you use address list ? If you want to access some blocked sites by ISP in your region, redirecting foreign ...

sas2k

I have an L2TP setup road warrior that has been working for months and suddenly stopped working It's a pretty basic setup created in the PPP menu, in L2TP Server with a preshared key. We haven't done any OS update nor any modifications to the configuration on the router side when this happened. We ...

sas2k

Samsung...
viewtopic.php?t=138356

sas2k

... - netinstall device, default config - re-import earlier exported config block by block ONLY taking over Wireguard config (default again to 1420 MTU) and needed things for router services (DHCP, DNS, firewall, ...). Leave out LT2P for now. - don't change anything else. What happens then ? OK, I ...

sas2k

How was your device brought to ROS7-level coming from ROS6 ? Upgrade, upgrade, upgrade, ... ? Never did netinstall in between ? upgrade, never netinstall Just did a test with Hex lying around here (not the same but exactly the same CPU/RAM/Storage as Hex-s). Tests where done from Hex -> AX3 -> RB50...

sas2k

And once again. If I use android smartphone connected with Wap AC wired to this rb760igs: 1) Wireguard Mobile app using exactly same wireguard client config (same remote wireguard vps), speedtest to exactly same server = 95\95 mbit ! 2) rb760igs as a client to remote wireguard vps, speedtest to exac...

sas2k

Please remove your serial number from export. Not that it makes that much difference but better to stay on the safe side. done. - Default MTU for wireguard should be 1420, why did you change it ? My guess 1420 is calculated as 1500-80. Since my pppoe mtu = 1492, I did 1492-80=1412. Anyway , I tried...

sas2k

*here was unrelevant info*

sas2k

Hello Dear Friends, So I have got RB760iGS (hex-s) , 7.8 stable (fresh NET Installed). And I've got remote vps (tried centos 7, ubuntu 22) with Wireguard server installed (no mtu in config) and Libreswan server ipsec+l2tp (hardcoded configs mtu 1280). RB760iGS set as: - wireguard client. - ipsec l2t...

sas2k

No, this is not the end.
Just took NEW hap ac2.
Initially region = etsi, antenna gain = 3.
Factory firmware 6.47, so no possibility to set antenna-gain thru GUI.

sas2k

Did you set the "antenna gain" as relative parameter before the upgrade? It will be invisible now. Correct it with CLI. https://forum.mikrotik.com/viewtopic.php?t=170014#p832501 For 2 WAP ACs: I ve made hardware reset by button. I did firmware update and then firmware upgrade. These simpl...

sas2k

ok, antenna-gain was removed from GUI since 6.46.8 (great !). Command line only. Found some information: Even for CAPSMAN managed caps "...only 2 values are taken from the local interface configuration: antenna-gain and antenna-mode" Printing out params when capsman enabled does not print ...

sas2k

Hello. I ve got 2 identical wap ac. Both wap ac has got same configuration: - wlan2 (5ghz) : managed by CAPSMAN, - wlan1 (2.4ghz) : disabled. CAPSMAN configured with: -2 different channels 5 ghz with different frequences, tx power 13dbm; -2 different configurations with channels mentioned above; -p...

Search found 89 matches