Enter your search keyword
By clicking Confirm bid, you commit to buy this item from the seller if you are the winning bidder.
By clicking Confirm bid, you are committing to buy this item from the seller if you are the winning bidder and have read and agree to the Global Shipping Program . Import charges previously quoted are subject to change if you increase you maximum bid amount.
Loading...
, if the page does not update immediately.
Review and confirm your bid
Bid confirmation
FREE shipping
See item description
(Approximately ##1##)
(Enter ##1## or more)
(Enter more than ##1##)
Your max bid:
Increase max bid
Confirm bid
Increase max bid
Change bid
, you've been outbid. Don't let it get away - bid again!
, you're the highest bidder on this item. Hope you win it!
, you're the first bidder. Hope you win!
, you're currently the high bidder, but you're close to getting outbid.
, this auction is almost over and you're currently the high bidder.
, you're the high bidder, but the reserve price hasn't been met.
Please enter your bid again.
Please enter a valid number as the bid price.
Enter an amount that is equal or greater than the minimum bid required. This can be found under the bid entry box.
Maximum bids can't be lowered once they're submitted.
This seller requires the buyer to have a PayPal account to purchase this item. .
Your bid is greater than or equal to the Buy It Now price. We recommend you purchase this item via Buy It Now. If you still wish to bid, you may do so below.
Current bid:
(approximately ##1##)
Your maximum bid:
(approximately ##1##)
Increase your maximum bid:
By clicking 1 Click Bid, you commit to buy this item from the seller if you're the winning bidder.
(approximately ##1##)
Winning bid:
Starting bid:
Congrats! The auction has ended and you're the winner.
The auction has ended, but the reserve price was not met.
Sorry, the auction has ended and you were outbid.
Good news, you're the high bidder.
Sorry, you've been outbid.
You're the high bidder, but the reserve price is not met.
Please enter a higher amount than the current bid.
Maximum bids cannot be lowered once submitted.
Please enter a valid number.You'll Need a Newer Browser to See This Page
You'll Need a Newer Browser to See This Page
To get the full SmugMug experience we recommend using the latest version of , , or .At first glance, one would think this is impossible.
It is NOT impossible, thanks to some scripting and a couple of free services.
This will work for straight IPSec tunnels, PPTP tunnels, IPIP tunnels or even IPIP tunnels encrypted with IPSec
Step 1 is to figure out what our public IP is and a method to share it with the remote site.
We are going to be using .
This is a free service from
that allows you to update multiple different dynamic DNS services via a single interface.
I’m using
for this example.
In a nutshell dyndns.org allows you to update a publicly available DNS entry that is a subdomain of dyndns.org.
In our example we will use gregsowell-siteA.dyndns.org and gregsowell-siteB.dyndns.org.
So, we need a method to update our DNS entry…a SCRIPT!
# DNSoMatic automatic DNS updates
# User account info of DNSoMatic
:global maticuser &user&
:global maticpass &password&
:global matichost &Yourhost&
# No more changes need
:global previousIP
# Print values for debug
:log info &DNSoMatic: Updating dynamic IP on DNS for host $matichost&
:log info &DNSoMatic: User $maticuser y Pass $maticpass&
:log info &DNSoMatic: Last IP $previousIP&
# get the current IP address from the internet (in case of double-nat)
/tool fetch mode=http address=&checkip.dyndns.org& src-path=&/& dst-path=&/dyndns.checkip.html&
:local result [/file get dyndns.checkip.html contents]
# parse the current IP result
:local resultLen [:len $result]
:local startLoc [:find $result &: & -1]
:set startLoc ($startLoc + 2)
:local endLoc [:find $result &&/body&& -1]
:global currentIP [:pick $result $startLoc $endLoc]
:log info &DNSoMatic: IP actual $currentIP&
# Touching the string passed to fetch command on &src-path& option
:local str &/nic/update?hostname=$matichost&myip=$currentIP&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG&
:if ($currentIP != $previousIP) do={
:log info &DNSoMatic: Update need&
:set previousIP $currentIP
:log info &DNSoMatic: Sending update $currentIP&
:log info [ :put [/tool fetch host=MT user=$maticuser password=$maticpass mode=http address=&& src-path=$str dst-path=$matichost]]
:log info &DNSoMatic: Host $matichost updated on DNSoMatic with IP $currentIP&
:log info &DNSoMatic: Previous IP $previousIP and current $currentIP equal, no update need&
In order for this script to work correctly, you need to update the dns-o-matic infomation at the top.
You will also need to configure DNS servers on your Mikrotik…how else will it resolve the URLs
set primary-dns=8.8.8.8 secondary-dns=4.2.2.2
Once you get your script in, you will need to schedule it to run at whatever interval you prefer.
I use a 10 minute interval.
/system scheduler
add comment=&& disabled=no interval=10m name=dynamic-dns-schedule on-event=dynamic-dns-script \
start-date=jan/01/1970 start-time=00:00:01
Dynamic IPs on both sides with IPSec
Dynamic IPSec
Setup Dynamic Script
/system script
add name=dynamic-dns-script policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source=&\
# User account info of DNSoMatic\r\
\n:global maticuser \&user\&\r\
\n:global maticpass \&password\&\r\
\n:global matichost \&gregsowell-sitea.dyndns.org\&\r\
\n# No more changes need\r\
\n:global previousIP\r\
\n# Print values for debug\r\
\n:log info \&DNSoMatic: Updating dynamic IP on DNS for host \$matichost\&\
\n:log info \&DNSoMatic: User \$maticuser y Pass \$maticpass\&\r\
\n:log info \&DNSoMatic: Last IP \$previousIP\&\r\
\n# get the current IP address from the internet (in case of double-nat)\r\
\n/tool fetch mode=http address=\&checkip.dyndns.org\& src-path=\&/\& dst-\
path=\&/dyndns.checkip.html\&\r\
\n:local result [/file get dyndns.checkip.html contents]\r\
\n# parse the current IP result\r\
\n:local resultLen [:len \$result]\r\
\n:local startLoc [:find \$result \&: \& -1]\r\
\n:set startLoc (\$startLoc + 2)\r\
\n:local endLoc [:find \$result \&&/body&\& -1]\r\
\n:global currentIP [:pick \$result \$startLoc \$endLoc]\r\
\n:log info \&DNSoMatic: IP actual \$currentIP\&\r\
\n# Touching the string passed to fetch command on \&src-path\& option\r\
\n:local str \&/nic/update\?hostname=\$matichost&myip=\$currentIP&wildcard\
=NOCHG&mx=NOCHG&backmx=NOCHG\&\r\
\n:if (\$currentIP != \$previousIP) do={\r\
\n:log info \&DNSoMatic: Update need\&\r\
\n:set previousIP \$currentIP\r\
\n:log info \&DNSoMatic: Sending update \$currentIP\&\r\
\n:log info [ :put [/tool fetch host=MT user=\$maticuser password=\$maticp\
ass mode=http address=\&\& src-path=\$str dst-path=\$\
matichost]]\r\
\n:log info \&DNSoMatic: Host \$matichost updated on DNSoMatic with IP \$c\
urrentIP\&\r\
\n:log info \&DNSoMatic: Previous IP \$previousIP and current \$currentIP \
equal, no update need\&\r\
/system scheduler
add comment=&& disabled=no interval=10m name=dynamic-dns-schedule on-event=dynamic-dns-script \
start-date=jan/01/1970 start-time=00:00:01
Setup NAT Bypass
/ip firewall nat
add action=accept chain=srcnat comment=&NAT bypass& disabled=no dst-address=\
192.168.0.0/16 out-interface=ether1
add action=masquerade chain=srcnat comment=&default PAT& disabled=no out-interface=\
Setup IPSec Peer
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
test send-initial-contact=yes
Setup IPSec Policy
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=\
192.168.1.0/24:any tunnel=yes
Now that we have the basics configured, I’m sure you noticed that I put IP addresses in the IPSec peer and policy.
The whole point here is that we are running our public side via DHCP, so how does this benefit us?
As it is now, it doesn’t.
We need another script to update our peer and policy in the event of an IP change.
Your peers and policies are numbered from 0 up.
This list is a static list that can be referenced, for our update.
The number entry is located right after the word set.
In the below scripts, be sure to update it to the proper peer number and policy number.
You can figure out their numbers by issuing print commands from a terminal:
/ip ipsec peer print
/ip ipsec policy print
You can see that the script resolves the IP address for siteA and siteB, then sets the entries as they should be.
Peer/Policy Update Script
:global LocalSite [:resolve gregsowell-siteA.dyndns.org]
:global RemoteSite [:resolve gregsowell-siteb.dyndns.org]
/ip ipsec policy set 0 sa-dst-address=$RemoteSite sa-src-address=$LocalSite
/ip ipsec peer set 0 address=&$RemoteSite/32:500&
Peer/Policy Update Script – Copy and paste Version
/system script
add name=dynamic-router-update policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source=&\
:global LocalSite [:resolve gregsowell-siteA.dyndns.org]\r\
\n:global RemoteSite [:resolve gregsowell-siteb.dyndns.org]\r\
\n/ip ipsec policy set 0 sa-dst-address=\$RemoteSite sa-src-address=\$Loca\
\n/ip ipsec peer set 0 address=\&\$RemoteSite/32:500\&&
You can either create a new schedule to run the peer/policy update, or you can just add the script to your existing schedule, which is what I recommend.
/system scheduler
add comment=&& disabled=no interval=10m name=dynamic-dns-schedule on-event=\
&dynamic-dns-script\r\
\ndynamic-router-update& policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
start-date=jan/01/1970 start-time=00:00:01
Site B should configure the same, only in reverse order for the IP addresses.
IPIP with IPSec
IPIP Tunnel with a Cherry on Top
The dynamic script and scheduler is the same as above.
Setup IPIP Tunnel Interface
/interface ipip
add comment=&& disabled=no local-address=1.1.1.1 mtu=1480 name=ipip1 \
remote-address=2.2.2.2
Setup IPSec Peer
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
test send-initial-contact=yes
Setup IPSec Policy
/ip ipsec policy
add action=encrypt disabled=no dst-address=2.2.2.2/32:any ipsec-protocols=esp \
level=require priority=0 proposal=default protocol=ip-encap \
sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=1.1.1.1/32:any \
We’re going to add an additional step to the update script to take into account the new entries for our policy and for the IPIP interface
You can see that the script resolves the IP address for siteA and siteB, then sets the entries as they should be.
Peer/Policy Update Script
:global LocalSite [:resolve gregsowell-siteA.dyndns.org]
:global RemoteSite [:resolve gregsowell-siteb.dyndns.org]
/ip ipsec policy set 0 sa-dst-address=$RemoteSite sa-src-address=$LocalSite dst-address=&$RemoteSite/32:any& src-address=&$LocalSite/32:any&
/ip ipsec peer set 0 address=&$RemoteSite/32:500&
/interface ipip set ipip1 local-address=$LocalSite remote-address=$RemoteSite
Peer/Policy Update Script – Copy and paste Version
/system script
add name=dynamic-router-update policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source=&\
:global LocalSite [:resolve gregsowell-siteA.dyndns.org]\r\
\n:global RemoteSite [:resolve gregsowell-siteb.dyndns.org]\r\
\n/ip ipsec policy set 0 sa-dst-address=\$RemoteSite sa-src-address=\$Loca\
lSite dst-address=\&\$RemoteSite/32:any\& src-address=\&\$LocalSite/32:any\
\n/ip ipsec peer set 0 address=\&\$RemoteSite/32:500\&\r\
\n/interface ipip set ipip1 local-address=\$LocalSite remote-address=\$Rem\
You can either create a new schedule to run the peer/policy update, or you can just add the script to your existing schedule, which is what I recommend.
/system scheduler
add comment=&& disabled=no interval=10m name=dynamic-dns-schedule on-event=\
&dynamic-dns-script\r\
\ndynamic-router-update& policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
start-date=jan/01/1970 start-time=00:00:01
Well, there you have it folks.
So if you have DHCP at both ends and you are trying to establish a service that requires IP addressing, you can use this script to make it all work.
If you feel so inclined, please leave me some feedback if you found this useful.
Categories
Cacti Links
Contact Me
Categories}