MikroTik

djmuk

Sorry to necro this post but it came up when I searched on the original fan reference. Just to add that I have just swapped the fans in a CRS328 (the old ones bearings were shot - but then the internal date stamps are 2017...) I fitted 4 of these ARCTIC S4028-6K (which are cheaper than the noctua on...

djmuk

@anav - sorry that isn't relevant question. FWIW - The voip traffic is actually on the site backup WAN but I have set the primary data WAN as failover for the VOIP traffic... The glitches (xDSL Service) could be anything - telco DSLAM upgrades, ISP work at their DSL breakout point, router upgrades. ...

djmuk

What you are asking is possible but not simple... If you were to say to me "Can you build this ?" then I would say yes... If you say "Can you teach a self-confessed network newbie how to do this?" - Then I would say this will take a lot of time and effort on both our parts especi...

djmuk

Background: I have a site using VOIP with 2 internet links. We have been having issues with the VOIP trunk 'failing' randomly - the symptoms are that the traffic leaves the router but there is no return traffic. Clearing the connection (GUI - IP/Firewall/connection) fixes the issue. The VOIP system ...

djmuk

Support for the Scan / Cell monitor commands seems to be very hit & miss. I am supporting a number of LHG/SXT units and some will allow me to run Cell Monitor and some come up as 'not supported'... Is this a platform (IE LHG) or Modem (R11e-...) limitation? Which platforms / modems / ROs version...

djmuk

I am setting up a RB750gr3 (Hex) as a small SMB server. I put a 256GB SD card in it and it would not format it - I tried both FAT32 and Ext3 and in neither case would it mount the card after 'formatting' - still showed unknown & 0B free... I did try formatting on a PC but that used exFAT and so ...

djmuk

OK i'm a bit late to this party but have exactly the same problem - SXT-LTE on EE (UK), no IP on the LTE interface but interface is up & 'attached'. As I was on the remote site with the issue (LTE is backup link so not immmediately apparent it wasn't working) I have pulled a supout.rif file. Not...

djmuk

OK after further testing - this is a REGRESSION. Netflow 5 works as expected - top conversations shows internal IP address and external site address as endpoints in conversation: 1. [52.97.130.2] 443 PC-5 (192.168.22.100) 53335 6 203 MByte IPFIX and Netflow 9 show the external addess of the router a...

djmuk

Quick & dirty solution - disable DHCP scope so the mikrotik isn't giving out Ip addresses. plug virgin router into a port other than ether 1 - this will connect the virgin router to the 'LAN' side of the mikrotik. Once this is working use winbox in MAC mode to connect to the mikrotik: give the b...

djmuk

I have a RB2011 v6.40.4. this is configured with an internal DATA bridge (ports 3-10) and a WAN bridge (ports 1,2) (with IP DHCP client) with masquerade NAT onto the WAN bridge. ether 3 and 6 are set as master ports with ports 5,6 ->ether 3 and ports 7-10 ->ether 6 I have set up a Trafficflow monito...

djmuk

I'm intrigued - those posts look like you're running ps on the mikrotik - hos do you get a 'proper' shell / bash connection? Or are they grabs from something like a sysinfo file? David Hi again, We have a bunch of Mikrotiks with OS version higher than vulnerable one but all of them are still infecte...

djmuk

Any chance this could be added to the Wiki on the OVPN page. Something like:
"As of 2015 many Android (and possibly other) clients default to incompatible tls cipher suites.
Add the following line to the CLIENT config:
tls-cipher DEFAULT
"

djmuk

Running 6.11 - or is there a secret version that works?

David

djmuk

Windows management buttons on the windows in winbox so they can be minimised - finding a window that has gone behind the others is a PAIN...

NO to Tabs unless they can be 'ripped' into separate windows (a'la chrome) - If I am Comparing 2 devices I want them side by side...

djmuk

I cannot get port mirroring to work on a CRS125-24G-1S. Quite simple - I have port 23 as a standalone port (NO master configured) connected to a bridge (it is running a hotspot) and port 24 as a standalone (NO master) port for the analyser. I have configured both via CLI and GUI with: /interface eth...

djmuk

if you block all traffic in range 192.168.1.0/24 then you will not be able to reach gateway also and have you tested the rule i have posted?? The only time that would be a problem is if you wanted the users to access the gateway web interface - Only the MAC address is replaced in the packets when t...

djmuk

Those rules are the wrong way round they drop traffic that is NOT to 192.168.1.0/24 (!192.168.1.0/24). You EITHER want to forward traffic not to 192.168.1.0/24 (which will be !192.168.1.0/24) or DROP traffic to that Range - in which case the address should be 192.168.1.0/24 (without the !) so remove...

djmuk

For traffic from 192.168.88.0/24 BLOCK access to 192.168.1.0/24 (firewall action drop).
Set MT default gateway to router (192.168.1.1).

djmuk

What ack timeout do you have set?

djmuk

I am writing some scripts & Scheduler tasks to do backups of the config. I tested them on one RB and then did an export of the script and scheduler config so I could paste it into the console on the other boards. The export seems to be broken - it splits lines arbitrarily (for example in the mid...

djmuk

never mind the script - at present I just want it to work from the CLI... This works OK: [ROS] > /tool bandwidth-test 192.168.42.11 direction=transmit duration=10s protocol=udp status: done testing duration: 10s tx-current: 20.5Mbps tx-10-second-average: 17.8Mbps tx-total-average: 17.8Mbps random-da...

djmuk

I am trying to set up a script to run a bandwidth test but can't get it to log the output to a file. The entry in the wiki seems to be out of date as it doesn't list all the available options. The following options are listed in the CLI but not in the Wiki append -- as-value -- do -- file -- once --...

djmuk

That IS awesome! On some units when I click on update licence key I get 'invalid key' - I tried a unit this morning (that had failed yesterday) and it updated... Is this a 'glitch'? Ah - think I just realised - the failing ones are on 3.6 and doesn't it need to be 3.25 to recognise the new key forma...

djmuk

I just updated the licence key on a 3.31 Level 4 box and it is now saying upgradeable to V6.x... Is that right - I am not complaining just wanting to check! I know that updating the key should get me an upgrade to V4.x but do I then get +2 versions as well?

David

djmuk

Thanks for doing that - I grabbed the trunk down to that commit and successfully did a build & put faifa in the kernel & it all works on the 750GL I'm using! It is also a much smaller kernel as I didn't put a lot of modules in there. I think it was the compile fail that threw me off using tr...

djmuk

Guys you have saved my sanity! I have been trying to get a metarouter image compiled for the last 3 days without success. Build against 8.09 fails to complete, build against backfire or trunk completes but the code crashes with kernel alignment error... I found this thread but didn't read to the end...

djmuk

Well as one of your VLAN's will have to be the untagged (default) Vlan I would leave everything on the default, set up the VLAN interfaces on the router with IP addresses, DHCP etc, then move one port to the new VLAN (IE set the untagged VLAN on that port to the new VLAN) connect your PC to it and c...

djmuk

Duh - said it was a dumb question...

For some reason the MAC connection dropped randomly, was uploading new 5.9 & it dropped so once I set an usable IP (actually DHCP Client on LAn ports) then I could connect & amend firewall settings & then connect on Wan port..

David

djmuk

Not sure if I am being really dumb here... I have a new RB750GL, powered it up & connected via winbox on default 192.168.88.1 (actually via MAC). I wanted to allow management via Ether1 (gateway port) so went into ip firewall & changed drop rule on ether 1 to accept. I then got 'router disco...

djmuk

Hmmm edit the code in memory & then execute it - MESSY! Have worked around issue by setting up shortcuts for each router with address / user / pwd on command line. But would seem a simple change to the program to add the option of a command line path for the config file - with a "file not f...

djmuk

OK now I see...

Looks like the NTP server being used might be 'dead' - as suggested earlier try another pair from pool.ntp.org - if you use nslookup you should get the list of servers...

David

djmuk

I don't know the details of how bigpond is set up but the address / network on the bigpond interface looks 'wrong' - Normally the address wouldn't be a /32 but /29 or lower and the network would tally with the interface IP address. Can't you use DHCP on the internet facing address? Can users on the ...

djmuk

If it is against company policy then you don't want to block it - you want to log it, present it to HR and discipline the culprit. a couple of high profile roastings or even dismissals for a 2nd offence will solve the problem... Trying to enforce policy through blocking or other technical means is a...

djmuk

is it possible to use multiple sets of 'saved' settings with winbox (yes I know I can import/export but that is a PITA) EG can I give winbox a command line parameter so it uses a specific file/location to store the saved router details, then I can have different shortcuts pointing at different confi...

djmuk

Well I would expect to at least be able to restore a backup onto the same model of router - otherwise the backup is not a lot of use.. "Oh my box has blown up oh & by the way the backup is useless as well...". Especially as it is a binary file so you can't even 'read' it to get the con...

djmuk

Well to make the config I went to the top level (/) on the terminal window & typed export <filename> so it should contain all config. I assumed the order in the output would be the 'correct' order to enter the config commands but that may not be the case I suppose! Interestingly when I pasted th...

djmuk

I want to set up a 'boilerplate' (template) config file that I can use as a base for configuring new units. I have saved off the config from the first unit to my PC. I edited the file to remove the mac addresses from the interface config lines. I copied the template to the new unit I 'imported' the ...

djmuk

hmmm - well it's a start and I might have a play with it - once I upgrade..!

but certainly doesn't compete with the wi-spy yet!

David

djmuk

I need to create a remote wi-spy 'drone' to track down some interference - it needs to be weatherproof as I want to stick it on a pole! Also I am pretty sure the interference is non-802.11... Is it possible to run the wi-spy remote software (or the spectools package) on a routerboard? Or is it possi...

djmuk

OK good call - I needed to exempt the traffic to 10.55.12.0/24 from the NAT rule...

All working OK now!!

Thanks

David

djmuk

Nat rules are simple - Nat 192.168.42.0/24 to the internet interface address. (also nat another subnet 192.168.43.0/24 to the same address) this traffic is not Nat'd and shouldn't be.... It should be caught by the IPSEC VPN before it gets nat'd, other devices on 192.168.42.0 work correctly & I c...

djmuk

There is only NAT for the internal Clients out to the internet. Do you mean I should have NAT rules? How do I specify the source address - this is traffic originated internally to the ROS box so it's source address will vary according to the route it takes out of the box - which is what I am trying ...

djmuk

I am trying to log to a remote syslog server over a VPN. So I set up the remote syslog action & specify a source address of 192.168.42.1 (the LAN IP of the ROS board) which is part of the VPN tunneled range (192.168.42.0/23). However the Syslog entries don't arrive. using the Packet Sniffer on t...

djmuk

That was my next question - do I use an interface MAC address or not. From similar usages on other kit it is usual that the interface HAS to be 'up' if you are re-using the MAC address so I assume it is the same on ROS. IIRC the locally administered MAC address range has a bit set at the high order ...

djmuk

Duh - how did I not see those (although the integrated help in winbox does go to the 'old' PDF manuals...)

Ok so admin-mac=0's and auto-mac=no so that's why it won't play!

David

djmuk

I have a couple of devices where the active MAC address changes (which breaks the hotspot bypass setup so I can't manage them!). This is happening when the WLAN interface comes up because a client has connected - because the newly active WLAN has a lower MAC address than the current bridge MAC addre...

djmuk

I put a pre-configured RB onto a remote network today. When I get back to the office I find that it will ONLY talk to the local network (no routing at all). It had a static address and a DHCP client on the bridge interface & I could talk to it on the DHCP address but not the static. Anyway to cu...

djmuk

Thanks - that is what I was expecting & I am bypassing by IP address only (not including the MAC)..

Will this change if I go over to radius authentication?

David

djmuk

Hey guys can we move the argument to a new thread and get on with working out what is happening and fixing the problem... I'll use whatever's to hand & yes I have a windows XP box running bind... I have an install with the same problem, What I did notice was: my dns servers are resolver1.opendns...

djmuk

That is exactly the behaviour I DON'T want.....

effectively the question is - when using radius login is it the IP address or the MAC that is authenticated? Even worse - if I bypass the IP address for the bridge will that then bypass the users behind it as well.....?

David

djmuk

I have set up VPN's from my cisco router to the RouterOS box. Because I want to access each of the 3 separate IP networks on the ROS box I had to set up 3 sets of address matching ACLs (policies in ROS world). It wasn't working well as the first VPN to establish would work OK but then the next one w...

djmuk

What happens with a hotspot if you have users behind a (standard) wireless client where the wireless client 'MAC NAT' translates all the traffic to it's own MAC address? Does the hotspot still require each IP to be authenticated (So I just need to allow multiple IPs per MAC) or is the authentication...

djmuk

Hmm even more strange... I installed dude on my main machine (which is connected to the network over a VPN & ADSL connection so has quite high round trip latency) and it discovered the network without any issues so it must be something on the network management machine. What are the dependencies...

djmuk

I have just installed the Dude to play with (I haven't any mikrotik units - yet!) but I am having trouble getting discovery to find all the units on the network. I have a variety of units most of which talk snmp and http, some are Http on port 8080, some are telnet / ping only... Dude only finds a f...

Search found 54 matches