I have 2 CHRs (running VRRP), and a CCR2004. MPLS, VPLS and OSPF run between the 3 (full mesh) across 2 different connections: 1 is a wireless connection, the other a fiber connection. Wireless interface cost is 20, fiber is 10 on all 3 devices. They all have a bridge (no ports on it) acting as the loopback for OSPF. I have smokeping running on a third server in the same location as the 2 CHRs, with a ping probe doing 5 pings every 20 sec. It shows random packet loss with no obvious pattern to the loopback of the 2004, but not to either of the physical interfaces on the device (one connected to fiber, one connected to wireless). Unfortunately this presents a problem as there is VPLS between the loopbacks of all of the devices, and there is corresponding loss over the VPLS tunnel. Does anyone have any suggestions on steps to troubleshoot this or have an idea of what it could be? My best guess is it's related to OSPF or MPLS.

We have IPSec configured between a Mikrotik CPE and our HQ location using a non-Mikrotik firewall, on the 6.47.x code train specifically for the new feature 'ipsec - allow specifying two peers for a single policy for failover'. We are able to successfully establish PH1/PH2, and can pass traffic between both sides whether traffic is initiated from our HQ or from the remote Mikrotik CPE. We have an IPv4 loopback interface built on the Mikrotik for management, and would like HQ to be able to access this loopback interface via the IPSec tunnel at all times, even if the Mikrotik's LAN interface is down. However, currently HQ is only able to access the loopback interface if the Mikrotik LAN interface is up at the time the IPSec tunnel was established. If the Mikrotik LAN interface goes down AFTER the IPsec tunnel is established, HQ can still ping/connect to the Mikrotik loopback interface. However, if the Mikrotik LAN interface is down when the IPSec tunnel is being established, then HQ is unable to access the loopback interface (even after PH1/PH2 successfully establishes) until the Mikrotik LAN interface is brought up.

# /ip ipsec profile
add dh-group=XXXX enc-algorithm=XXXX hash-algorithm=XXXX name=PHASE1_XXXX nat-traversal=no proposal-check=exact
# /ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 name=PEER_XXXX-XXXX profile=PHASE1_XXXX
add address=1.1.1.1/32 exchange-mode=ike2 name=PEER_XXXX-XX profile=PHASE1_XXXX
# /ip ipsec proposal
add auth-algorithms=XXXX enc-algorithms=XXXX lifetime=XXXX name=PHASE2_XXXX pfs-group=XXXX
# /ip address
add address=192.168.0.1/24 interface=loopback network=192.168.0.0
# /ip ipsec identity
add auth-method=digital-signature certificate=XXXX.cer_0 peer=PEER_XXXX-XX
add auth-method=digital-signature certificate=XXXX.cer_0 peer=PEER_XXXX-XXXX
# /ip ipsec policy
add action=none dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add dst-address=0.0.0.0/0 peer=PEER_XXXX-XX,PEER_XXXX-XXXX proposal=PHASE2_XXXX sa-dst-address=1.1.1.1 sa-src-address=0.0.0.0 src-address=192.168.0.0/24 tunnel=yes

Any idea what we are missing on the config to enable hitting the loopback bridge interface from the IPSec tunnel when its member ports are down during IPSec establishment?

# /ip address
add address=192.168.255.1/32 interface=MGMT network=192.168.255.1
# /ip ipsec policy
add dst-address=0.0.0.0/0 peer=PEER_XXXX-XX,PEER_XXXX-XXXX proposal=PHASE2_XXXX sa-dst-address=1.1.1.1 sa-src-address=0.0.0.0 src-address=

Introduction: A loopback interface is a virtual interface that is always up and reachable as long as at least one of the IP interfaces on the switch is. While you can use any interface address to determine if the device is online, the loopback address is the preferred method.

A dummy interface is entirely virtual like, for example, the loopback interface. The purpose of a dummy interface is to provide a device to route packets through without actually transmitting them. Use a dummy interface to make an inactive SLIP (Serial Line Internet Protocol) address look like a real address for local programs.

In most cases, it is enough to specify the address, the netmask, and the interface arguments. The network prefix and the broadcast address are calculated automatically.

Add Loopback Interface (TAP Interface on Linux/Mac): Go to Control Panel > Network and Internet > Network Connections, then rename the loopback adapter, to make it.

Manual: BGP Load Balancing with two interfaces. In these examples we show how to do load balancing when there are multiple equal cost links between two BGP routers. The 'multiple recursive next-hop resolution' feature is used to achieve that. NB: RouterOS version 3.13 or later with the routing-test package is required for this to work.

To list the MikroTik firewall filter rules through the WinBox/WebFig interface, open the IP or IPv6 menu and click on Firewall. To get more detailed information about all the MikroTik firewall settings and to see the commands that have been used to configure the firewall, execute: [admin@MikroTik] > /ip firewall