I've started a series of class videos that include slides on the Mikrotik Router OS.

This is the main listing, all current and new videos will be listed here:http://gregsowell.com/?page_id=951

Mikrotik Basics- getting a standard network configured/some tools/functions :http://gregsowell.com/?p=957

Mikrotik Security- some security best practices/using the firewall:http://gregsowell.com/?p=1076

Intro to Networking- Basically a CCNA Boot camp video:http://gregsowell.com/?p=954

*Update 01/04/2010*Mikrotik VPN-http://gregsowell.com/?p=1290
This class covers:
# PPTP Client connections
# IPSec – Mikrotik to Mikrotik
# IPSec – Mikrotik to Mikrotik – Multiple Subnets
# IPSec – Mikrotik to Mikrotik – Private IP on WAN Interface
# IPSec – Mikrotik to Cisco Router
# IPSec – Mikrotik to Cisco ASA
# IPSec – Mikrotik to Cisco Router Multiple Subnets
# IPIP Tunnel w/IPSec – Mikrotik to Mikrotik
# IPIP Tunnel w/IPSec – Mikrotik to Cisco Router
# DPD
# Some basic troubleshooting

*Update 03/15/2010*Mikrotik Routing-http://gregsowell.com/?p=1611
This class covers:
# The concept of routing
# Static routing
# Concept of RIP
# OSPF and its implementation
# BGP implementation and some of its options

All I ask in return is a little feedback.

Thanks,

Greg

Wow, this is so great! Thank you for that and I hope everyone enjoys it.

Wow, this is so great! Thank you for that and I hope everyone enjoys it.

Normunds,谢谢taking a look! =)

Nice one! very good work

Nice one! very good work

Ha, thanks Fosben.

Awesome great stuff.

Thanks,

rgs Pilgrim

Awesome great stuff.

Thanks,

rgs Pilgrim

Thanks Pilgrim...I aims to please...heh.

Realy it's great.

Thanks gregsowell.

Realy it's great.

Thanks gregsowell.

Crown...thanks...I'm honored to see this is your first post...hehe

Nice work ...
Thank you so much for the good work you've done

Big thanks, It's great pdf slides. Continue in the same spirit, it's very helpful and very clear. I would like to see more information on QoS (simple queue, queue tree, examples, equal bandwidth sharing with NAT), most standard QoS applications.

good work

Thanks guys!

Right now I'm working on a VPN class. I'm about half way through it. The battle is how much detail to put into them...I want to put enough to cover most situations, but not so much that people get lost. Also, if I put in too much time I risk suffering the wrath of my wife...hehehe

Again, thanks for checking them out and leaving feedback!

Greg

Greg,
Thanks for the great instructional videos. I say this because being visual I tend to get lost in specification and technical reading material. One of the criticisms I have of online documentation is that it often doesn't describe the context of the examples adequately enough for me. In my opinion, you've made a pretty good stab at that. You've indicated that your next project will deal with VPN's. I await it with great anticipation. I might suggest a future project dealing with Proxy's such as the WEB Proxy that is built in, IGMP-Proxy, and deploying something like Squid and how to take advantage of it.

Thanks again o' MTK Guru,

-tp

TP,

Thanks dude! I'm very much a hands on, physical kind of person, so videos work well for me too.

Some proxy stuff does sound interesting, though I think I'm going to do a lite QoS one first. I'm not looking forward to the QoS one because it's going to take me forever to build the slides...sooo many options and scenarios. I'm thinking about doing a two part class. Part one will be the average stuff, then part two will be more advanced...we'll see.

Greg

**Spam post was removed**

Shameless Plug - Dennis

Just so I look as cool as everyone else

what, Greg doesn't have any MikroTik certificates? Janis says you were in his class

Just so I look as cool as everyone else

what, Greg doesn't have any MikroTik certificates? Janis says you were in his class

HA! Normands I have my MCNA, MikrotikCNA...Even if I had some M$ certs I would deny it...hehehehe

Didn't you also attend the advanced training by MikroTik ?

不。我没有任何钱培训…呵呵。I did ask him a lot of questions, though...questions are free

Great Work.

Thanks. These will help heaps.

Laurence,

Great! I'm glad you found them useful.

顺便说一句,我完成了VPN类!我会再发布when I have it scheduled, but I think I will put it up next Monday.

Alright, as per the update at the top, I've completed the VPN class(link is in the top of the thread). I poured quite a few hours into this one, so I hope you enjoy it.

Thanks, Greg, really great stuff again.

rgs Pilgrim

Thanks for checking out the new one Pilgrim, glad you liked it.

good work do you have anything on mikrotik and squid as i see that there is lots of info on your webpage

good work do you have anything on mikrotik and squid as i see that there is lots of info on your webpage

Xezen,

I wish I could say that I do, but I've never had the need to run a cache server. Sorry, sir.

thats a good reason why not

Thank you very much

Thank you very much

NP Titius. Just by me lunch next time I'm in your neck of the woods

Hey Gregsowell.

Many, many thanks for all the work you have put in to produce these.
For someone like me, struggling and starting with Mikrotik they are a great help.
I'm hoping I can find a solution to my VPN routing issue in your latest one

Long may you continue and thanks again - your help is greatly appreciated.

Jack.

Hey Gregsowell.

Many, many thanks for all the work you have put in to produce these.
For someone like me, struggling and starting with Mikrotik they are a great help.
I'm hoping I can find a solution to my VPN routing issue in your latest one

Long may you continue and thanks again - your help is greatly appreciated.

Jack.

Ha, thanks Jack! I hope the solution to your VPN issue is in there also...If not, drop me a line and let me know.

hi gregg

i follow your ipsec video tutorial this afternoon and i try my 2 mik router with public static ip each, but it doesnt handshake the log shows nothing, router a ROS 3.30 <<<>>> ROS 4.2 or incompatible in deffrent version of ROS?

hi gregg

i follow your ipsec video tutorial this afternoon and i try my 2 mik router with public static ip each, but it doesnt handshake the log shows nothing, router a ROS 3.30 <<<>>> ROS 4.2 or incompatible in deffrent version of ROS?

Myron,

If you went to system->logging-> and added IPSec to go to memeory, then saw nothing in the logs while testing, you most likely don't have a policy configured correctly. When you try and ping via winbox, specify source interface and test...does it say packet rejected? Did you add the src-nat accept?

Greg

hi gregg

i follow your ipsec video tutorial this afternoon and i try my 2 mik router with public static ip each, but it doesnt handshake the log shows nothing, router a ROS 3.30 <<<>>> ROS 4.2 or incompatible in deffrent version of ROS?

Myron,

If you went to system->logging-> and added IPSec to go to memeory, then saw nothing in the logs while testing, you most likely don't have a policy configured correctly. When you try and ping via winbox, specify source interface and test...does it say packet rejected? Did you add the src-nat accept?

Greg

im gonna reconfig tonight gregg i update you soon whats resultanyway thanks for reply

regards

hi gregg

i follow your ipsec video tutorial this afternoon and i try my 2 mik router with public static ip each, but it doesnt handshake the log shows nothing, router a ROS 3.30 <<<>>> ROS 4.2 or incompatible in deffrent version of ROS?

Myron,

If you went to system->logging-> and added IPSec to go to memeory, then saw nothing in the logs while testing, you most likely don't have a policy configured correctly. When you try and ping via winbox, specify source interface and test...does it say packet rejected? Did you add the src-nat accept?

Greg

im gonna reconfig tonight gregg i update you soon whats resultanyway thanks for reply

regards

hi gregg heres my setup

router a

/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
add action=memory disabled=no prefix="" topics=ipsec

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=x.x.x.202/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=\
disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 \
lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=12345 send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.2.1.0/24:any ipsec-protocols=esp level=require priority=0 proposal=\
default protocol=all sa-dst-address=x.x.x.202 sa-src-address=x.x.x.201 src-address=10.2.2.0/24:any \
tunnel=yes

/ip firewall nat
add action=masquerade chain=srcnat comment=WAN disabled=no out-interface=WAN
add action=masquerade chain=srcnat comment="Hotel src nat" disabled=no src-address=10.12.0.0/24

router b

/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
add action=memory disabled=no prefix="" topics=ipsec

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default \
pfs-group=modp1024
/ip ipsec peer
add address=x.x.x.202/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=yes hash-algorithm=sha1 lifebytes=0 lifetime=1d nat-traversal=no \
proposal-check=obey secret=12345 send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.2.2.0/24:any ipsec-protocols=esp level=require \
priority=0 proposal=default protocol=all sa-dst-address=x.x.x.201 sa-src-address=\
x.x.x.202 src-address=10.2.1.0/24:any tunnel=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="to outbound" disabled=no out-interface=ether1
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.2.1.0/24

in log it shows nothing to handsakeor maybe need to reboot the mikrotik?

hi gregg atlast the log shows invalid hehehe >>>>>>> invalid exchange type 243 from 98.237.177.6(500) is this someone/other IP's?

Add this asnat rule # 0on both of your routers.
You need to make sure traffic that needs to traverse your tunnel isn't being NAT'd. This, when placed first in your nat rules, will perform no action on traffic headed to 10.0.0.0/8.

Hi Greg

Great work here, thanks very much. I just have one question if I may?

My set-up is site A connecting to sites B and C and both VPNs are IPSec. All have dynamic IP addresses and I managed to get these to work with the use of a script to resolve the dynamic host names of the respective sites.

When the connection drops to one of the remote sites, these are re-established by manually flushing the installed SAs. How could I flush the installed SA for only one of the VPNs? I don't want to drop the one that is still up?

Thanks again.

Hi Greg

Great work here, thanks very much. I just have one question if I may?

My set-up is site A connecting to sites B and C and both VPNs are IPSec. All have dynamic IP addresses and I managed to get these to work with the use of a script to resolve the dynamic host names of the respective sites.

When the connection drops to one of the remote sites, these are re-established by manually flushing the installed SAs. How could I flush the installed SA for only one of the VPNs? I don't want to drop the one that is still up?

Thanks again.

Hilton, hello.

You should be able to use DPD (Dead Peer Detection). DPD will check to see if the peer is responding and if it becomes unresponsive, it should flush the old SAs. See if that doesn't do the trick for you.

On a side note, I wouldn't mind having a peek at that script you wrotehehe.

Hi Greg

Thanks for the quick response.

Firstly here is the script. It's VERY basic which makes me wonder what I forgot?
I run this on both sides.

I have set the DPD to 10 seconds with a max failure of 2. Let's see what happens.

Hi Greg

Thanks for the quick response.

Firstly here is the script. It's VERY basic which makes me wonder what I forgot?

Code:Select all

/ ip ipsec策略et numbers=0 sa-dst-address=[:resolve remote.host.tld] /ip ipsec peer set numbers=0 address=[:resolve remote.host.tld]

I run this on both sides.

I have set the DPD to 10 seconds with a max failure of 2. Let's see what happens.

Cool

Alright, I know it took me forever, but I've got the routing video complete and up. I recorded this one at the end of a long day so I get tongue tied a couple of times, but other than that it should be intelligible...heh.

Have a look:http://gregsowell.com/?p=1611

Thanks Greg!

Thanks Greg!

Say that after you have seen the video...heheheI'm hoping this one is as useful as the others!

Can't wait to the cat nail you :-)

Can't wait to the cat nail you

Hilton, I'm glad to see you are so concerned with my personal well being...hehehe

hii greg thnx for ur effort .. i have a ques , i provide internet to clients of about 100 , my prob is that whenever a problem occurs in a single client all others are affected , high latency ping times are shown , even wireless links are affected with latency , but when i block this client everything works fine .. my ques is how to isolate each client on network so that no one is affected ?

hii greg thnx for ur effort .. i have a ques , i provide internet to clients of about 100 , my prob is that whenever a problem occurs in a single client all others are affected , high latency ping times are shown , even wireless links are affected with latency , but when i block this client everything works fine .. my ques is how to isolate each client on network so that no one is affected ?

Doctor,

You would be better served asking this question as a new topic in the beginner forum as you will have many users offering advice. I would say that you first need to find out what they are doing that is affecting you so you know how to properly combat the issue. Are they using too much bandwidth, are they attacking other users, are they attacking your infrastructure, etc?

well , actually sometimes it's just a virus affecting and attacking the whole network , sometimes a client network card that is causing the high ping delays and other stupid reasons that break down the network ... i tried firewall filters rules for blocking virus but no effect cuz they may pass through network pcs be4 passing through mikrotik .. what do u think we can do greg ?

If you are routing at every tower, you can put RLs on clients out there. You can also do mangles for people opening high numbers of connections and block them if need be.

is there any place were i can download the video as i have low bandwith and cant stream so good


avi or mp4? or something like that your videos are a grate help helps with small detailed problems

Xezen,

I don't have a direct download, as I'm trying to force you poor soles to keep returning to my site

But if you were to get any number of "flash downloaders", I'm betting you could find them. You could also do a wireshark to see what the mp4 file is named...I can't make it too easy, now can I?

hi gregg thanks for your videos and guidelines and i learn a lot your the man gregg , my IPSEC works fine without any issue, now my question is what is the defrence between ipsec and ipsec+ipip tunnel? which more secure and more stable?

thanks

I don't see how IPIP over IPSec makes any sense to use.

One of IPSec's drawbacks is that it can only encapsulate unicast packets, which means that you cannot send broadcasts or multicasts over IPSec tunnels. Many routing protocols require multicast packets, and many other applications require broadcasts to function right. One of IPSec's advantages is that it provides excellent security.
A common solution to this conflict of interests is to first encapsulate the traffic in a tunneling protocol that can tunnel broadcasts, multicasts and unicasts (such as GRE, for example, or EoIP on RouterOS). Those the original packets are now encapsulated in the packets of the tunnel, and those tunnel packets are unicast, so you can send them across an IPSec tunnel - effectively sending broadcasts and multicasts over IPSec by adding another layer of abstraction.

IPIP is limited to unicast IPv4 only, so I don't see what you gain by wrapping your packets in IPIP before sending them across IPSec. IPIP provides absolutely no security whatsoever, so IPSec+IPIP is exactly as secure as IPSec by itself since the only security provided is coming from the IPSec portion.

You cannot ever gain stability from adding more tunnel layers as communication is going to be as stable as the least stable tunneling protocol used. If IPIP were more stable than IPSec then the combination would still be as stable as IPSec is by itself. If IPIP were less stable than IPSec the combination would be as stable IPIP is by itself.

Hope that helps explain the concepts adequately.

I don't see how IPIP over IPSec makes any sense to use.

One of IPSec's drawbacks is that it can only encapsulate unicast packets, which means that you cannot send broadcasts or multicasts over IPSec tunnels. Many routing protocols require multicast packets, and many other applications require broadcasts to function right. One of IPSec's advantages is that it provides excellent security.
A common solution to this conflict of interests is to first encapsulate the traffic in a tunneling protocol that can tunnel broadcasts, multicasts and unicasts (such as GRE, for example, or EoIP on RouterOS). Those the original packets are now encapsulated in the packets of the tunnel, and those tunnel packets are unicast, so you can send them across an IPSec tunnel - effectively sending broadcasts and multicasts over IPSec by adding another layer of abstraction.

IPIP is limited to unicast IPv4 only, so I don't see what you gain by wrapping your packets in IPIP before sending them across IPSec. IPIP provides absolutely no security whatsoever, so IPSec+IPIP is exactly as secure as IPSec by itself since the only security provided is coming from the IPSec portion.

You cannot ever gain stability from adding more tunnel layers as communication is going to be as stable as the least stable tunneling protocol used. If IPIP were more stable than IPSec then the combination would still be as stable as IPSec is by itself. If IPIP were less stable than IPSec the combination would be as stable IPIP is by itself.

I don't see how IPIP over IPSec makes any sense to use.

One of IPSec's drawbacks is that it can only encapsulate unicast packets, which means that you cannot send broadcasts or multicasts over

Hope that helps explain the concepts adequately.


Hope that helps explain the concepts adequately.

wow!! fully detailed information and excellent explanation fewi, damn now i know the flow, function and combination in tunneling method.

thanks fewi

I don't see how IPIP over IPSec makes any sense to use.

One of IPSec's drawbacks is that it can only encapsulate unicast packets, which means that you cannot send broadcasts or multicasts over IPSec tunnels. Many routing protocols require multicast packets, and many other applications require broadcasts to function right. One of IPSec's advantages is that it provides excellent security.
A common solution to this conflict of interests is to first encapsulate the traffic in a tunneling protocol that can tunnel broadcasts, multicasts and unicasts (such as GRE, for example, or EoIP on RouterOS). Those the original packets are now encapsulated in the packets of the tunnel, and those tunnel packets are unicast, so you can send them across an IPSec tunnel - effectively sending broadcasts and multicasts over IPSec by adding another layer of abstraction.

IPIP is limited to unicast IPv4 only, so I don't see what you gain by wrapping your packets in IPIP before sending them across IPSec. IPIP provides absolutely no security whatsoever, so IPSec+IPIP is exactly as secure as IPSec by itself since the only security provided is coming from the IPSec portion.

You cannot ever gain stability from adding more tunnel layers as communication is going to be as stable as the least stable tunneling protocol used. If IPIP were more stable than IPSec then the combination would still be as stable as IPSec is by itself. If IPIP were less stable than IPSec the combination would be as stable IPIP is by itself.

Hope that helps explain the concepts adequately.

Pretty great assessment fewi! IPIP actuallycantransmit multicast, so it it suitable for dynamic routing. I've done ipip tunnels with ipsec encryption and running pim inside!

I was unaware that IPIP can do multicast.

The Linux Foundation IPIP documentation claims they can only do unicast IPv4:
http://www.linuxfoundation.org/collabor ... /tunneling

IPIP kind of tunnels is the simplest one. It has the lowest overhead, but can incapsulate only IPv4 unicast traffic, so you will not be able to setup OSPF, RIP or any other multicast-based protocol.

The Mikrotik wiki does refer to RFC2003 - I read that and while it does mention that multicast tunneling for the purposes of getting routing protocols across tunnels can be a motivation, that is the only mention I can find.

Do you have any insight on why the Linux Foundation says it can't be done?

I'm genuinely curious. I usually use EoIP or GRE

I was unaware that IPIP can do multicast.

The Linux Foundation IPIP documentation claims they can only do unicast IPv4:
http://www.linuxfoundation.org/collabor ... /tunneling

IPIP kind of tunnels is the simplest one. It has the lowest overhead, but can incapsulate only IPv4 unicast traffic, so you will not be able to setup OSPF, RIP or any other multicast-based protocol.

The Mikrotik wiki does refer to RFC2003 - I read that and while it does mention that multicast tunneling for the purposes of getting routing protocols across tunnels can be a motivation, that is the only mention I can find.

Do you have any insight on why the Linux Foundation says it can't be done?

I'm genuinely curious. I usually use EoIP or GRE

I wish I knew...MTK does some modification and they seem to occasionally leave out features...

You have some crazy karma, BTW and not without reason...thanks for your insight!

我有太多的业力。但是工作让我空闲here all day...you have too little, given the rather awesome videos in this thread, and your other posts. I'm looking forward to your MUM troubleshooting presentation.

I'll play with IPIP in a lab some tomorrow.

我有太多的业力。但是工作让我空闲here all day...you have too little, given the rather awesome videos in this thread, and your other posts. I'm looking forward to your MUM troubleshooting presentation.

I'll play with IPIP in a lab some tomorrow.

hehehe...I look forward to making a fool of myself in front of youLets hope that if you don't learn anything that you will at least get a couple of good laughs

Hi, gregsowell
People like me behind the great firewall would appreciate if you can upload your videos to somewhere else for us to download.
Thank you.