Search found 234 matches

by dadaniel
Mon Mar 11, 2024 12:14 pm
Forum: Announcements
Topic: v7.14.2 [stable] is released!
Replies: 465
Views: 94260

Re: v7.14.1 [stable] is released!

It worked in 7.14?
Don't know, just wanted to let you know it does not work in the current version
by dadaniel
Mon Mar 11, 2024 11:33 am
Forum: Announcements
Topic: v7.14.2 [stable] is released!
Replies: 465
Views: 94260

Re: v7.14.1 [stable] is released!

Bug in 7.14.1 on CRS328-24P-4S+: Blink button and blink CLI command do not work
by dadaniel
Wed Feb 28, 2024 4:19 pm
Forum: Beginner Basics
Topic: VLAN's have reduced throughput, glitch with Unifi
Replies: 5
Views: 434

Re: VLAN's have reduced throughput, glitch with Unifi

Maybe you are affected by this: https://community.ui.com/questions/U7-Pro-VLAN-Tagging-Speed-Bug/9a2f0833-f0ba-46e8-b07e-9053c2b79551 In the release notes it states "SSIDs using RADIUS assigned VLANs or on different VLANs from the native VLAN may operate at slower than expected speeds. This is o...
by dadaniel
Thu Dec 21, 2023 9:37 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 150125

Re: v7.14beta [testing] is released!

Tell me please, what are the advantages of an "exposed lo" interface over the old way?
One example is you don't need to create a dummy bridge interface when terminating an EoIP tunnel at the router. Or anything that needs an IP set on a non-physical interface on the router itself. Correct ...
by dadaniel
Mon Dec 18, 2023 2:02 pm
Forum: RouterBOARD hardware
Topic: New L11UG-5HaxD
Replies: 28
Views: 6271

Re: New L11UG-5HaxD

Product code: L11UG-5HaxD CPU Dual-Core IPQ-5010 800 MHz CPU architecture ARM Size of RAM 256 MB Storage 128 MB, NAND Number of 1G Ethernet ports 1 USB port 1 USB 2.0 port type A Wireless band 5 GHz Wireless interface model QCN-6102 Wireless 802.11a/n/ac/ax dual chain Dimensions 107 x 114 x 27 mm O...
by dadaniel
Mon Dec 18, 2023 1:59 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 257754

Re: v7.13 [stable] is released!

Hi, follow this error:
[ ] > :put ([/tool fetch url="https://upgrade.mikrotik.com/routeros/NEWEST7.stable" as-value output=user]->"data")
7.12.1 1700221125
It should report: 7.13 and epoch date: 1702542240 approx.
AFAIK it will only report 7.12.1 if your current version is below...
by dadaniel
Thu Nov 30, 2023 5:11 pm
Forum: Beginner Basics
Topic: About "Building Your First Firewall" ICMP jump-chain
Replies: 13
Views: 2463

Re: About "Building Your First Firewall" ICMP jump-chain

Also your rules posted here, don't match the current ones that have a limit on the rules, see: https://help.mikrotik.com/docs/display/ ... v4RAWRules
Why are these rules not included in the default-config?
by dadaniel
Fri Sep 29, 2023 3:55 pm
Forum: General
Topic: OVPN drops exactly every 60min with "wrong keyID 1" message
Replies: 3
Views: 790

Re: OVPN drops exactly every 60min with "wrong keyID 1" message

You may want to contact support on this.
supout.rif will be needed as well so better to include it already in the ticket.
Done, SUP-129623
by dadaniel
Wed Sep 27, 2023 5:05 pm
Forum: General
Topic: OVPN drops exactly every 60min with "wrong keyID 1" message
Replies: 3
Views: 790

OVPN drops exactly every 60min with "wrong keyID 1" message

What could be the problem here? V7.12b9, imported .ovpn file:
/interface ovpn-client add cipher=aes128-cbc connect-to=xxx.xxx.xxx.xxx mac-address=xx:xx:xx:xx:xx:xx name=ovpn-import1695809348 port=1080 protocol=udp use-peer-dns=no user=xxx
13:53:21 ovpn,debug,error packet with wrong keyID 1, expected...
by dadaniel
Tue Sep 19, 2023 12:40 pm
Forum: Announcements
Topic: Newsletter #114 | September 2023
Replies: 72
Views: 13591

Re: Newsletter #114 | September 2023

Can you guys clarify the use case of 2.5G ports but with PoE output? I thought this kind of switch was great for high end PC's, not for plugging in more routers?
There are many accesspoints with 2.5G PoE-in on the market...
by dadaniel
Mon Sep 18, 2023 4:25 pm
Forum: General
Topic: CRS328 RouterOS MAC winbox server unreachable on VLAN access ports
Replies: 1
Views: 358

CRS328 RouterOS MAC winbox server unreachable on VLAN access ports

I setup bridge VLAN filtering as recommended for CRS3xx series: https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering I need to be able to manage the switch from all access ports. I don't want to create a VLAN interface with IP on each VLAN. MAC s...
by dadaniel
Mon Sep 11, 2023 1:04 pm
Forum: RouterBOARD hardware
Topic: New hAP ax lite LTE
Replies: 199
Views: 25840

Re: New hAP ax lite LTE

Mikrotik LTE did not work well for me ever, not in the days of the old SXT LTE and not now. The device supplied by the mobile ISP always reaches way higher speeds and lower latency. I had the best luck buying bridge-mode capable hardware from the mobile ISP and putting a Mikrotik router behind it.
by dadaniel
Mon Sep 04, 2023 4:14 pm
Forum: General
Topic: IKE2/IPSEC PSK - RB760iGS
Replies: 8
Views: 2715

Re: IKE2/IPSEC PSK - RB760iGS

I wouldn't spend much time on IKE2 PSK, as the OS support is somewhat limited, for example there is no native support for it in Windows. There are tutorials for IKE2/IPSec EAP-MSCHAPv2 using Let's Encrypt certificate and routerboard's User Manager or IKE2/IPSec RSA with self-signed certificates at h...
by dadaniel
Fri Aug 25, 2023 3:08 pm
Forum: General
Topic: CRS1xx/2xx Port Based VLAN question
Replies: 3
Views: 1105

Re: CRS1xx/2xx Port Based VLAN question

Maybe, in most cases you would want to only accept tagged packets on the trunk port... but I need also the packets without VLAN header to be forwarded to the last port.
by dadaniel
Fri Aug 25, 2023 1:40 pm
Forum: General
Topic: CRS1xx/2xx Port Based VLAN question
Replies: 3
Views: 1105

CRS1xx/2xx Port Based VLAN question

I am following the guide here with a simple Example 1 (Trunk and Access ports): https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841836 My special requirement is: I need to have incoming untagged traffic on the trunk port from and to undefined non-vlan (neither access or trunk) ports s...
by dadaniel
Thu Aug 17, 2023 3:07 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 123497

Re: v7.12beta [testing] is released!

ovpn - added "tls-auth" option support for imported .ovpn profiles;
Great work! I'm getting the following error messages in log, but the connection seems to work. Can anyone please comment if they are essential?
unsupported configuration parameter 'ns-cert-type server'
unsupported configu...
by dadaniel
Fri Aug 11, 2023 1:35 pm
Forum: General
Topic: SFP+ DAC cable, HP J9281B and RB5009
Replies: 4
Views: 1164

Re: SFP+ DAC cable, HP J9281B and RB5009

I have that one working at 10G with CRS317-1G-16S+ and HP 2530-48G-2SFP+ J9855A using auto negotiation at both ends: https://www.amazon.de/dp/B09HHCPYHX For CRS317-1G-16S+ to Aruba Instant On 1930 24G PoE 4SFP/SFP+ 370W JL684A Switch I am using Mikrotik XS+DA0001 using auto negotiation at Mikrotik a...
by dadaniel
Mon Jun 12, 2023 5:05 pm
Forum: Beginner Basics
Topic: Same segment IPs on different LAN ports.
Replies: 27
Views: 1582

Re: Same segment IPs on different LAN ports.

Hi, I have an hEX mikrotik routerboard and I need this configuration:

Eth2: WAN
Eth3: LAN 192.168.17.10
Eth4: LAN 192.168.17.20
Eth5: LAN 192.168.17.30
This could work if you choose a Subnetmask with only a few hosts, for example 192.168.17.10/29, 192.168.17.20/29 and 192.168.17.30/29
by dadaniel
Tue Jun 06, 2023 3:29 pm
Forum: General
Topic: Twice NAT example
Replies: 12
Views: 1352

Re: Twice NAT example

192.168.0.x is customer network, same subnet is used at multiple locations
192.168.111.x is server network
10.208.50.x is customer network seen from the server side (all IPs from 192.168.0.x network get mirrored to it, for example 192.168.0.5 is reachable at 10.208.50.5)
# Phase 1
/ip ipsec profile ...
by dadaniel
Tue May 09, 2023 4:26 pm
Forum: Announcements
Topic: Newsletter #113 | May 2023
Replies: 103
Views: 42401

Re: Newsletter #113 | May 2023

Why are you promoting container support on devices with as little as 512MB RAM? Memory is so cheap today!
by dadaniel
Tue Apr 25, 2023 4:22 pm
Forum: General
Topic: share a License
Replies: 6
Views: 768

Re: share a License

CHR will continue to work without any limitation, you will just have to update it manually if you choose to do so (export config, reinstall, import it)
1Mbit Upload limitation according to the wiki?!
by dadaniel
Tue Mar 14, 2023 4:35 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 138808

Re: v7.8 [stable] is released!

RB751U-2Hn running 7.7. Tried to upgrade twice. Same result.
I have the same problem. 7.8 kills 751U-2HnD
It reacts so slow like it is running on 10MHz, login not possible after upgrade. Works after downgrade using netinstall.
by dadaniel
Wed Feb 01, 2023 5:06 pm
Forum: Announcements
Topic: v7.8beta [testing] is released!
Replies: 307
Views: 73264

Re: v7.8beta [testing] is released!

When you want a simple no-certificate-hassle VPN, MikroTik offers more than enough alternatives: IPsec, SSTP, Wireguard, ... When it is about VPN support, there is always somebody who asks for an option (or an entire protocol) that isn't supported... It's all about money: Our software solution prov...
by dadaniel
Wed Feb 01, 2023 2:20 pm
Forum: Announcements
Topic: v7.8beta [testing] is released!
Replies: 307
Views: 73264

Re: v7.8beta [testing] is released!

Well, the "official" OpenVPN version 2.6.0 just released has dropped the support for static key, so that would be one possible reason for not bothering with it anymore...
Yes, but they write: static key mode (non-TLS) is no longer considered "good and secure enough" for today's ...
by dadaniel
Wed Feb 01, 2023 9:34 am
Forum: Beginner Basics
Topic: Unable to stop Inter-VLAN traffic
Replies: 7
Views: 2118

Re: Unable to stop Inter-VLAN traffic

I think you have to use /interface bridge filter
by dadaniel
Sat Jan 21, 2023 10:39 pm
Forum: Announcements
Topic: v7.8beta [testing] is released!
Replies: 307
Views: 73264

Re: v7.8beta [testing] is released!

It would be great if OVPN would get static key support soon. Can you please tell me what's the problem implementing this?
by dadaniel
Thu Nov 24, 2022 3:06 pm
Forum: Announcements
Topic: v7.7beta [testing] is released!
Replies: 322
Views: 123556

Re: v7.7beta [testing] is released!

@emils: Could you please comment if scenario mentioned in SUP-27777 (CAPsMAN layer 3 provisioning rules don't work "out of the box" for new devices in CAPs mode) could be cared of with wifiwave2-CAPsMAN?
by dadaniel
Mon Nov 14, 2022 3:53 pm
Forum: Scripting
Topic: send MikroTik Notification via WhatsApp
Replies: 55
Views: 35905

Re: send MikroTik Notification via WhatsApp

Is there a way to convert CP1252 to UTF8?
by dadaniel
Wed Nov 02, 2022 12:18 pm
Forum: General
Topic: RB260/RBFTC problem with 1000BASE-LX link and 100BASE-T device
Replies: 1
Views: 275

RB260/RBFTC problem with 1000BASE-LX link and 100BASE-T device

RB260 and RBFTC stop forwarding traffic if there is at least one 100Mbit-only device connected when at the same time a 1000BASE-LX SFP is plugged in.
Is that an intended behavior? Which Mikrotik devices support 1000Mbit fiber and 100Mbit copper at the same time?
by dadaniel
Thu Oct 27, 2022 1:41 pm
Forum: General
Topic: netmap without interface?
Replies: 1
Views: 253

netmap without interface?

I'm facing the same problem which has been solved here before: viewtopic.php?t=107311
But I have to use pure IPSec/IKE2 for the site-to-site VPN, so I don't have an in- or out-interface I could use in the netmap rules or ip route.
Is there any workaround for this case?
by dadaniel
Tue Oct 18, 2022 8:39 pm
Forum: General
Topic: asymmetric IPSec PSK authentication
Replies: 0
Views: 296

asymmetric IPSec PSK authentication

It was mentioned in 2018 that asymmetric PSK authentication will be available in future versions but I still can't define different local PSK / remote PSK in IPSec settings: https://forum.mikrotik.com/viewtopic.php?p=700262&hilit=asymmetric+authentication#p700262 This is a problem because asymme...
by dadaniel
Wed Sep 21, 2022 1:19 pm
Forum: Beginner Basics
Topic: SSTP to Azure
Replies: 2
Views: 511

Re: SSTP to Azure

by dadaniel
Wed Jul 13, 2022 3:22 pm
Forum: RouterBOARD hardware
Topic: RB5009UP wrong description/datasheet?
Replies: 18
Views: 1870

Re: RB5009UP wrong description/datasheet?

Ok, but then they should mention that passive PoE is supported in datasheet. They only wrote 802.3af/at everywhere.
by dadaniel
Wed Jul 13, 2022 2:58 pm
Forum: RouterBOARD hardware
Topic: RB5009UP wrong description/datasheet?
Replies: 18
Views: 1870

RB5009UP wrong description/datasheet?

The description and datasheet of RB5009UP seem to be wrong: PoE-out 802.3af/at requires at least 48V. It is not possible to power non-mikrotik 802.3af/at devices with lower voltage. I doubt the routerboard has a built-in step-up converter for PoE-Out.
by dadaniel
Mon Jul 11, 2022 1:20 pm
Forum: General
Topic: RBSXTR&R11e-LTE stubbornly connect to far base station, why? [SOLVED]
Replies: 12
Views: 1562

Re: RBSXTR&R11e-LTE stubbornly connect to far base station, why? [SOLVED]

I gave up using Mikrotik LTE hardware. I always got at least twice the bandwidth and speed using Carrier's hardware. Just make sure you get something with bridge-mode support or an ODU like Huawei B2368 that works standalone and connect it to your mikrotik router.
by dadaniel
Tue Jun 14, 2022 9:56 pm
Forum: General
Topic: Is VLAN's from Mikrotik Tagged or Untagged
Replies: 33
Views: 5755

Re: Is VLAN's from Mikrotik Tagged or Untagged

why this config works with TP-link and not D-Link switch?
D-Link switches have always been a pile of junk...
by dadaniel
Sun May 22, 2022 8:37 pm
Forum: General
Topic: Large share transfers (>100MB) drop over wifi with CAPsMAN
Replies: 8
Views: 1069

Re: Large share transfers (>100MB) drop over wifi with CAPsMAN

Enabling "Use IP firewall" in bridge settings solved this problem for us. Mikrotik support was not helpful: "Maybe packets moving slower and it works now"
by dadaniel
Thu May 05, 2022 2:07 pm
Forum: General
Topic: Download traffic exceeding queue limits?
Replies: 7
Views: 2426

Re: Download traffic exceeding queue limits?

Change queue type to ethernet-default
by dadaniel
Tue Mar 15, 2022 12:03 am
Forum: General
Topic: TLS handshake failing via the WireGuard (PPPoE) [SOLVED]
Replies: 6
Views: 3272

Re: TLS handshake failing via the WireGuard (PPPoE) [SOLVED]

if wireguard interface is member of a bridge, check bridge MTU setting.
by dadaniel
Wed Feb 23, 2022 11:01 am
Forum: Announcements
Topic: v7.1.3 is released!
Replies: 251
Views: 56323

Re: v7.1.3 is released!

export is missing wireless security profiles details like PSK keys. In v6 export is working as expected
by dadaniel
Tue Jan 18, 2022 7:25 am
Forum: General
Topic: L2TP/IPsec Issues with Windows 11 update - kb5009566
Replies: 29
Views: 22879

Re: L2TP/IPsec Issues with Windows 11 update - kb5009566

KB5010793 has been released to fix the problems caused by the January Update
by dadaniel
Fri Jan 14, 2022 12:26 pm
Forum: Scripting
Topic: problem comparing rx-fcs-error value
Replies: 2
Views: 3599

Re: problem comparing rx-fcs-error value

*bump*
by dadaniel
Wed Jan 12, 2022 9:25 pm
Forum: General
Topic: Many L2TP/IPsec VPN failing since power outage
Replies: 3
Views: 1577

Re: Many L2TP/IPsec VPN failing since power outage

Please search before posting. A recent Windows Update broke the built-in VPN client.
by dadaniel
Thu Dec 23, 2021 1:32 pm
Forum: General
Topic: Can Mikrotik SFP28 reach 25Gbit/s when block diagram shows 10Gbit/s [Fixed]
Replies: 3
Views: 1077

Re: Can Mikrotik SFP28 reach 25Gbit/s when block diagram shows 10Gbit/s [Fixed]

What is the interest if speed is limited to 10Gb/s?
It essentially is only a "new" DAC cable that supports the higher SFP28 speed on supported hardware, while also being usable with SFP and SFP+ hardware.
I think they will stop selling the old DAC cables soon.
by dadaniel
Thu Dec 23, 2021 12:40 pm
Forum: General
Topic: Can Mikrotik SFP28 reach 25Gbit/s when block diagram shows 10Gbit/s [Fixed]
Replies: 3
Views: 1077

Re: Can Mikrotik SFP28 reach 25Gbit/s when block diagram shows 10Gbit/s

When the block diagram shows 10Gb/s, the port is only SFP+, not SFP28.
AFAIK the only Mikrotik device with SFP28 is CCR2004, so you only could get 25G speed between two of them.
by dadaniel
Wed Nov 03, 2021 3:18 pm
Forum: Scripting
Topic: problem comparing rx-fcs-error value
Replies: 2
Views: 3599

problem comparing rx-fcs-error value

I wrote a script to send me an alert mail when FCS error counter on an interface increases.
:local intrxfcs [/interface ethernet get 0 rx-fcs-error]
:if ([:tonum $intrxfcs] > 1) do={:set $alert 1}
I'm facing two problems:
the value of rx-fcs-error contains a space after the first two digits
:tonum f...
by dadaniel
Fri Oct 29, 2021 8:00 pm
Forum: General
Topic: Bricked Routers
Replies: 11
Views: 7742

Re: Bricked Routers

Had the same problem on Netmetal ac SHP after updating the bootloader.
Netinstall solved the reboot loop.
by dadaniel
Mon May 03, 2021 3:25 pm
Forum: RouterBOARD hardware
Topic: Module SFP Compatibility Cloud Router Switch CRS109-8G-15-2HdD-INI with Sercomm FGS202
Replies: 2
Views: 1441

Re: Module SFP Compatibility Cloud Router Switch CRS109-8G-15-2HdD-INI with Sercomm FGS202

There is a thread about these GPON modules here: viewtopic.php?f=3&t=116364
Maybe you can find some useful information there.
by dadaniel
Mon Apr 26, 2021 3:46 pm
Forum: SwOS
Topic: LAG between CSS326 and Synology not at full speed?
Replies: 4
Views: 6727

Re: LAG between CSS326 and Synology not at full speed?

yes, using the cheap copper SFP+ DAC cables will also work. They are available up to 10m
by dadaniel
Thu Apr 22, 2021 2:19 pm
Forum: SwOS
Topic: LAG between CSS326 and Synology not at full speed?
Replies: 4
Views: 6727

Re: LAG between CSS326 and Synology not at full speed?

But speed is still like on 1gbit cable.
When I check the speed, the traffic flows almost via only 1 cable of three (or two).
LAG only has effect when doing transfers from/to multiple hosts at the same time.
by dadaniel
Fri Feb 26, 2021 9:10 pm
Forum: Beginner Basics
Topic: PC can not reach internet, router can.
Replies: 9
Views: 1664

Re: PC can not reach internet, router can.

wrong/missing default gateway on the linux machine
by dadaniel
Thu Feb 04, 2021 9:26 pm
Forum: Announcements
Topic: v6.49beta [testing] is released!
Replies: 171
Views: 89763

Re: v6.49beta [testing] is released!

*) sfp - fixed GPON module linking (introduced in v6.47);
What GPON modules are supported as of now? The Mikrotik one is not available anymore?
by dadaniel
Sat Dec 05, 2020 5:14 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 184
Views: 114748

Re: v6.48beta [testing] is released!

6.48 beta58 randomly starts dropping traffic. DNS lookups are fine. Some sites load, others don’t. After a reboot suddenly starts working again for a few hours then stops again. Reboot fixes it. Internet is up, no packet loss, dns working, disabled fast track, enabled fast track, checked route cach...
by dadaniel
Tue Nov 17, 2020 12:46 pm
Forum: General
Topic: Drop received BPDUs [SOLVED]
Replies: 3
Views: 975

Re: Drop received BPDUs [SOLVED]

wrong port name? I think you have to use the default name sfp-sfpplus1
by dadaniel
Wed Nov 11, 2020 9:06 pm
Forum: General
Topic: BUG: EoIP tunnel, when added as bridge port, breaks [at least] HTTPS to some sites. (Documented/reproducible) [SOLVED]
Replies: 7
Views: 3234

Re: BUG: EoIP tunnel, when added as bridge port, breaks [at least] HTTPS to some sites. (Documented/reproducible) [SOLVED]

Changing MTU setting of the EoIP tunnel itself to 1500 seems to have the same effect, it is even recommended in the wiki.

Is there any drawback doing so?
by dadaniel
Wed Oct 07, 2020 7:28 am
Forum: General
Topic: SFP/SFP+ confuzion [SOLVED]
Replies: 10
Views: 2345

Re: SFP/SFP+ confuzion [SOLVED]

I think you have to disable auto negotiation and set the speed to 1000 full duplex on both ends in this case.
by dadaniel
Tue Sep 15, 2020 5:23 pm
Forum: General
Topic: CAPsMAN provisioning problem
Replies: 0
Views: 503

CAPsMAN provisioning problem

I have to provision new CAPs based on which network they get connected to. So I set the "IP Address Ranges" property, but the provisioning rule is never matched, although the CAP got a matching IP Address via DHCP. The provisioning works ok without this property, but I have to match using ...
by dadaniel
Sat Sep 12, 2020 11:00 pm
Forum: General
Topic: CRS3xx: allow only untagged packets on access ports
Replies: 0
Views: 501

CRS3xx: allow only untagged packets on access ports

I need to make sure that incoming tagged packets on access ports get dropped on my CRS3xx switches.
/interface bridge port add bridge=bridge1 interface=ether1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
Is this the correct way or is there some special other way ...
by dadaniel
Mon Sep 07, 2020 1:46 pm
Forum: General
Topic: CRS328 r2 new hardware revision
Replies: 0
Views: 624

CRS328 r2 new hardware revision

what has been changed?

by dadaniel
Fri Jul 17, 2020 6:56 am
Forum: RouterOS beta
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 7881

Re: Traffic to blocked address still succeeds. Why? A bug?

Force the DNS resolver to a server you have under control and null the blocked domains out there.
by dadaniel
Thu Jun 04, 2020 4:02 pm
Forum: Wireless Networking
Topic: wAP R 4G registration-status: denied
Replies: 1
Views: 1617

wAP R 4G registration-status: denied

I always have to reboot my wAP R 4G (RouterOS v6.47) twice to get a working connection. On the first boot I get:
interface lte info lte1
pin-status: ok
registration-status: denied
functionality: full
manufacturer: MikroTik
model: R11e-4G
revision: R11e-4G_V007
imei: 359147090019841
imsi: 2321066010...
by dadaniel
Fri May 29, 2020 10:45 am
Forum: Wireless Networking
Topic: Netmetal AC2 Disappointments [SOLVED]
Replies: 30
Views: 12973

Re: Netmetal AC2 Disappointments [SOLVED]

LOL usually there is a yellow sticker inside that says: Never ever connect without antennas attached.
by dadaniel
Wed Apr 22, 2020 8:49 pm
Forum: General
Topic: RB4011: Untagged Ports Overriden by Default VID1? [SOLVED]
Replies: 13
Views: 7815

Re: RB4011: Untagged Ports Overriden by Default VID1? [SOLVED]

Thank you everyone! I really appreciate your taking a look!
Why do you need "admit-only-untagged-and-priority-tagged" on the ports in your case?
by dadaniel
Wed Apr 22, 2020 11:58 am
Forum: General
Topic: RB4011: Untagged Ports Overriden by Default VID1? [SOLVED]
Replies: 13
Views: 7815

Re: RB4011: Untagged Ports Overriden by Default VID1? [SOLVED]

you can also omit /interface bridge vlan untagged entries ( untagged= ), these will be generated automatically from the /interface bridge port PVID entries ( pvid= ) If I need to change some ports PVID later, will the untagged entries follow automatically? If I define a "management" inter...
by dadaniel
Sun Apr 19, 2020 1:59 pm
Forum: Wireless Networking
Topic: CapsMan VLAN question
Replies: 8
Views: 3049

Re: CapsMan VLAN question

But as I asked in my previous post, why do you want to do that? You can just configure your VLAN on capsman and that's it..
I really want to avoid any additional configuration on AP side, so that even when it gets unplugged and a normal PC is plugged into the socket it would be inside the main vlan.
by dadaniel
Sat Apr 18, 2020 9:18 am
Forum: Wireless Networking
Topic: CapsMan VLAN question
Replies: 8
Views: 3049

Re: CapsMan VLAN question

If i understood right, you just have to set your eth1 as tagged and then at your AP side you must create an interface VLAN for that VID...
But why would you need to do that ?
I cannot send tagged VLAN to the AP as I have some dumb switches between the CAPS manager and the AP.
by dadaniel
Fri Apr 17, 2020 10:41 pm
Forum: Wireless Networking
Topic: CapsMan VLAN question
Replies: 8
Views: 3049

CapsMan VLAN question

I'm using some RB751G as accesspoints using the default CAP config in CAPsMAN Forwarding Mode (datapath.local-forwarding=no). I have set two SSIDs (main and guest) and assigned two different VLANs to them. Now comes the problem: In this device default-config all ethernet ports are bridged, but I wan...
by dadaniel
Fri Apr 17, 2020 5:50 pm
Forum: Wireless Networking
Topic: CapsMan Slave Configuration question
Replies: 1
Views: 1567

CapsMan Slave Configuration question

Do I have to specify parameters like
channel country distance installation keepalive-frames rx-chains tx-chains
for every slave configuration, or is it taken from master configuration?
by dadaniel
Fri Apr 17, 2020 10:33 am
Forum: Announcements
Topic: v6.46.5 [stable] is released!
Replies: 72
Views: 48877

Re: v6.46.5 [stable] is released!

Hi,
on hAP Lite (RB941-2nD r2), there is again the problem of not enough space to reboot:
2020-04-16 14_11_42-Clipboard.png

Trying to update from 6.46.4. Firmware on the board: 6.46.4.

MartiX
Try this before update: https://www.mikrotik.com/download/share/fix_space.npk
by dadaniel
Tue Apr 14, 2020 12:47 pm
Forum: Announcements
Topic: v6.46.5 [stable] is released!
Replies: 72
Views: 48877

Re: v6.46.5 [stable] is released!

When executing "export compact", the following unnecessary line is displayed now:
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
by dadaniel
Fri Mar 13, 2020 1:30 pm
Forum: Announcements
Topic: MikroTik newsletter March 2020 (#94)
Replies: 40
Views: 46196

Re: MikroTik newsletter March 2020 (#94)

Dear MT! Why CRS354-48P-4S+2Q+RM is equipped with only one power supply (on the right on the photo)? https://i.mt.lv/cdn/rb_images/1913_m.png Surely this is funny thing to have to power 48 gigabit ports with only one China-made power supply which is built in (so even replace it can take time even i...
by dadaniel
Tue Mar 03, 2020 1:36 pm
Forum: Beginner Basics
Topic: Showing double in neigbours Router OS v6.46.4
Replies: 1
Views: 2048

Re: Showing double in neigbours Router OS v6.46.4

It is still not fixed, saw this last year in 6.45:

viewtopic.php?f=2&t=152423
by dadaniel
Wed Jan 22, 2020 3:15 pm
Forum: RouterBOARD hardware
Topic: New hardware NetMetal ac2
Replies: 15
Views: 6883

Re: New hardware NetMetal ac2

I don't know how Mikrotik dares to get new products in arm with the problems he has even if they deny them
What problems you are referring to?
by dadaniel
Thu Dec 05, 2019 5:25 pm
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 68951

Re: v6.46 [stable] is released!

Did you set

/caps-man manager set package-path

correctly?
by dadaniel
Fri Nov 08, 2019 11:59 am
Forum: Beginner Basics
Topic: Simple Queue "Upload Max Limit" does not work [SOLVED]
Replies: 15
Views: 8903

Re: Simple Queue "Upload Max Limit" does not work [SOLVED]

change queue type from "default-small" to "ethernet-default"
by dadaniel
Wed Sep 25, 2019 12:13 pm
Forum: General
Topic: The problem of using netwatch
Replies: 1
Views: 833

Re: The problem of using netwatch

set a static route for the host you are watching, use different hosts for the different interfaces
by dadaniel
Tue Sep 24, 2019 4:38 pm
Forum: General
Topic: CRS default config: Bridge and Interface MAC in IP Neighbors
Replies: 3
Views: 2847

CRS default config: Bridge and Interface MAC in IP Neighbors

I have several CRS connected with 10G fiber using the default config. Now every switch is listed twice in IP neighbors: one time with interface MAC and switch model and the second line is the bridge MAC without any additional information and 0 uptime. Is this a bug or is there a way to hide those en...
by dadaniel
Mon Jul 08, 2019 1:32 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 196503

Re: v6.45.1 [stable] is released!

Does someone have a problem with mac telnet login via neighbours?

Won't login with any user and pass or without pass, nor admin..
I have the same problem.
by dadaniel
Mon Jan 21, 2019 3:33 pm
Forum: General
Topic: SXT LTE speed after 6.43.8 update
Replies: 5
Views: 1851

Re: SXT LTE speed after 6.43.8 update

As per tests I made at the same spot, where SXT LTE is positioned, with phone and got better download speed.
You will always get a better speed with phone, because Mikrotik is using a very old LTE chipset. Some providers throttle non-phone LTE chip vendors.
by dadaniel
Tue Oct 16, 2018 2:00 pm
Forum: General
Topic: PCP support for CG-NAT on WAN
Replies: 2
Views: 1867

Re: PCP support for CG-NAT on WAN

I didn't find any reference which vendor or operating system supports PCP? Could you please share what hardware your ISP provides usually that is capable of PCP?
by dadaniel
Wed Oct 10, 2018 3:53 pm
Forum: General
Topic: Limiting ICMP on input chain
Replies: 3
Views: 2541

Re: Limiting ICMP on input chain

I have the same problem, any ideas anyone?
by dadaniel
Tue Sep 25, 2018 12:48 pm
Forum: General
Topic: Disable line-break / word-wrap in export
Replies: 1
Views: 1083

Disable line-break / word-wrap in export

Is it possible to disable this nasty line-break / word-wrap in config export?
by dadaniel
Fri Sep 21, 2018 12:28 pm
Forum: Scripting
Topic: get packet-loss value from ping
Replies: 1
Views: 2506

get packet-loss value from ping

Is there a script that gets the built-in packet-loss percentage value of mikrotik's ping command and send a mail when a specific threshold is reached? I'm not very good at scripting, could please someone point me in the right direction?
by dadaniel
Fri Sep 21, 2018 10:31 am
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 85175

Re: v6.43.1 [stable] and v6.43.2 [stable] is released!

No, a reboot or upgrade will not brick the router. If your router works with 6.43.1, there is no need to upgrade to 6.43.2.
Ok, so it isn't the bootloader that bricks the devices? My log says "firmware upgrade successfully, please reboot..." so it hasn't been rebooted since 6.43.1 upgrade.
by dadaniel
Fri Sep 21, 2018 10:08 am
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 85175

Re: v6.43.1 [stable] and v6.43.2 [stable] is released!

It should be fixed in 6.43.2, you will need to netinstall v6.43.2.
Great, I did an upgrade to 6.43.1 on hEX and auto-upgrade of firmware was active. I did not reboot yet, so what to do now? I cannot upgrade to 6.43.2 bootloader before reboot! Will it be bricked afterwards?
by dadaniel
Thu Sep 20, 2018 2:20 pm
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 85175

Re: v6.43.1 [stable] is released!

still cant change any user names.
introduced in 6.43.0
Renaming is not possible anymore due to security changes, please see viewtopic.php?f=2&t=139091#p685742
by dadaniel
Fri Aug 17, 2018 10:44 am
Forum: General
Topic: Forward LACP in bridge?
Replies: 9
Views: 4392

Re: Forward LACP in bridge?

It seems that this is still not working after 10 years:
viewtopic.php?t=21913
by dadaniel
Mon Jul 02, 2018 3:25 pm
Forum: General
Topic: Firewall dst-limit possible bug
Replies: 9
Views: 2548

Re: Firewall dst-limit possible bug

Please, do not send tickets to old versions - there is no point and it just waste support time. Staff will either ignore it or respond with "please update to maintained (bugfix or current) version. You cannot possibly think that anyone will investigate or fix bug from 8 years old version. Even...
by dadaniel
Mon Jul 02, 2018 1:28 pm
Forum: General
Topic: Firewall dst-limit possible bug
Replies: 9
Views: 2548

Re: Firewall dst-limit possible bug

Is this still not fixed? It's actually listed in the wiki at https://wiki.mikrotik.com/wiki/DDoS_Det ... d_Blocking ('Expire' value is 10 times lower than you set; so '10s' is actually 1 second)
by dadaniel
Mon Jul 02, 2018 12:46 pm
Forum: General
Topic: LAN side bridge forward filtering options?
Replies: 4
Views: 1648

Re: LAN side bridge forward filtering options?

Enable port-isolation on every switch - only forward packets to upstream Port (or VLAN). Enable wireless isolation, sometimes called client or AP isolation, on every access point - only forward packets to upstream Port (or VLAN). So a client could never reach other connected devices (maybe you would hav...
by dadaniel
Fri Jun 29, 2018 12:18 pm
Forum: General
Topic: remove IP on address-list from active connections?
Replies: 7
Views: 3425

Re: remove IP on address-list from active connections?

Could you please share the script part that read addresses from that list into an array? This list is rather large, isn't the array size limited? Why it's not possible to use only one address-list?
by dadaniel
Fri Jun 29, 2018 11:29 am
Forum: General
Topic: remove IP on address-list from active connections?
Replies: 7
Views: 3425

Re: remove IP on address-list from active connections?

I don't think that with rules to add addresses to address list and then drop the traffic, it will appear in conntracker. I've already placed an additional drop rule right after the "add addresses to address list" rule, but it is never triggered. It seems once the packet is matched by the ...
by dadaniel
Thu Jun 28, 2018 3:04 pm
Forum: General
Topic: remove IP on address-list from active connections?
Replies: 7
Views: 3425

Re: remove IP on address-list from active connections?

Yes I also believe the next bruteforce tries get matched by fasttrack established/related, but how to remove the affected IP from conntrack? :(
by dadaniel
Thu Jun 28, 2018 2:06 pm
Forum: General
Topic: remove IP on address-list from active connections?
Replies: 7
Views: 3425

remove IP on address-list from active connections?

I have some firewall-rules in place that will add bruteforcing IPs to a blacklist, but I have the problem that these "established" connections won't be terminated. There is a drop rule in Firewall-Raw but the IP still gets matched in the "add to address list" rule. Any ideas?
by dadaniel
Thu Jun 28, 2018 1:48 pm
Forum: General
Topic: special dummy rule is moveable in firewall-raw
Replies: 0
Views: 782

special dummy rule is moveable in firewall-raw

When I try to move any of the special dummy rules in Firewall-Filter or Firewall-Mangle I get an error message, but I'm able to move it in Firewall-Raw. Is this by intention?
by dadaniel
Thu Jun 28, 2018 11:24 am
Forum: General
Topic: Why am I getting this firewall entry???
Replies: 22
Views: 3845

Re: Why am I getting this firewall entry???

Maybe someone from staff has a second fixed IP address set? The source mac is rather strange, as it belongs to ARRIS Group which is a cable modem manufacturer. Maybe they have some auto-aliased internal IP in place.
by dadaniel
Tue Jun 05, 2018 11:51 am
Forum: Announcements
Topic: MikroTik News June 2018 (Issue #83)
Replies: 44
Views: 32666

Re: MikroTik News June 2018 (Issue #83)

That is beyond the point. Saying "inferior" compared to previous model is simply incorrect.
You are correct, I think he (the user from Brazil) just used the wrong English word.
by dadaniel
Tue Jun 05, 2018 10:26 am
Forum: Announcements
Topic: MikroTik News June 2018 (Issue #83)
Replies: 44
Views: 32666

Re: MikroTik News June 2018 (Issue #83)

What do you guys mean? It is much better than SXT LTE first generation:
Yes, but today nearly every cheap smartphone supports LTE-A at 1000Mbps/150Mbps down/up and you are still using old 150/50 modems. What about LTE bridge mode, is it supported now with SXT LTE kit?
by dadaniel
Thu May 17, 2018 5:34 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212143

Re: Blacklist Filter update script

It is temporary locations to download ... it does not matter where it is ... after importing lists script could be removed from flash, disk etc. But it is imported as static entries because of missing timeout parameter in the script, so they are written to NAND on every change. They should change i...
by dadaniel
Thu May 03, 2018 5:07 pm
Forum: RouterBOARD hardware
Topic: WAP LTE US Kit not seeing SIM
Replies: 6
Views: 3211

Re: WAP LTE US Kit not seeing SIM

Is it standard policy to have the customer pay return shipping on a defective product?
Yes, nearly all vendors handle it that way. For example in the SSD market there is AFAIK only Sandisk that offers pre-paid return stickers.
by dadaniel
Wed Apr 18, 2018 2:35 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 3014

Re: Solutions for cable 1.2km

I would go for fiber, I know there are also copper-based solutions like VDSL extenders but then your bandwidth is limited and the risk of lightning damage is very high.
by dadaniel
Thu Mar 29, 2018 11:53 am
Forum: General
Topic: Winbox Not Detecting RouterBoard
Replies: 31
Views: 34938

Re: Winbox Not Detecting RouterBoard

Hello jspool! tried to connect from another Windows 7 PC using a switch, but still not detecting at all... :(
It's a winbox bug, please see viewtopic.php?f=21&t=129034&start=450#p650627
by dadaniel
Sat Mar 17, 2018 11:30 am
Forum: General
Topic: extremely ugly network bridging
Replies: 14
Views: 3123

Re: extremely ugly network bridging

@dadaniel can I have your topology?
I don't have a suitable network diagram ready, but you could ask me any question about topology that you don't find in first post. Both LANs use 10.0.0.x/24, both Internet Gateways have the same address 10.0.0.138 and DHCP server active. The solution from Sob wor...
by dadaniel
Fri Mar 16, 2018 11:42 pm
Forum: General
Topic: extremely ugly network bridging
Replies: 14
Views: 3123

Re: extremely ugly network bridging

Thank you very much, it works perfectly!
Is it possible to allow NAS access for more than one camera? Do I just have to add an additional ip address and arp entry for another camera IP? (keeping the router IP unchanged, so have multiple entries of it with only the network IP changed?)
by dadaniel
Thu Mar 15, 2018 5:55 pm
Forum: General
Topic: extremely ugly network bridging
Replies: 14
Views: 3123

Re: extremely ugly network bridging

That seems to be a very easy and clean solution. I'll try it this weekend and report back, thank you very much!!
by dadaniel
Thu Mar 15, 2018 4:06 pm
Forum: General
Topic: extremely ugly network bridging
Replies: 14
Views: 3123

Re: extremely ugly network bridging

@Sob:

Do I need static routes on NAS or camera in this case? Do I have to enable (local)proxy-arp in interface settings?

I cannot make this router the default gateway for any device on both LANs!
by dadaniel
Wed Mar 14, 2018 7:38 am
Forum: General
Topic: extremely ugly network bridging
Replies: 14
Views: 3123

Re: extremely ugly network bridging

VPN can work, but might be slow due to VPN technology and will also eat into your internet bandwidth. Then all you do is route from building a to building b subnet and vice versa. And use a default route to Internet gateway for other traffic on both sides. Yes, VPN is not an option because the intern...
by dadaniel
Wed Mar 14, 2018 1:08 am
Forum: General
Topic: extremely ugly network bridging
Replies: 14
Views: 3123

extremely ugly network bridging

Please help me with the following situation: I have two buildings: A has one internet gateway and one IP camera(AC:CC:8E). B has one internet gateway and a NAS(00:11:32). It is possible to connect both buildings using ethernet wire. Both internet gateways have the same non-changeable IP address, the...
by dadaniel
Tue Mar 13, 2018 5:10 pm
Forum: General
Topic: layer 7 protocols exception [SOLVED]
Replies: 4
Views: 3119

Re: layer 7 protocols exception [SOLVED]

You can only do exceptions for IP address, see viewtopic.php?t=120819
by dadaniel
Tue Mar 13, 2018 2:52 pm
Forum: Announcements
Topic: v6.41.3 [current]
Replies: 139
Views: 57322

Re: v6.41.3 [current]

Is it now really necessary to update routerboard firmware every time we update ROS since the version numbering now follows ROS version number? I cannot believe there are changes every time and it is quite annoying to have to reboot twice.
I also have the SIM menu on RB951G-2HnD now.
by dadaniel
Tue Mar 06, 2018 12:13 pm
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 9978

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

Can anyone comment on what this script is doing besides changing credentials?
by dadaniel
Fri Mar 02, 2018 10:48 am
Forum: Announcements
Topic: Future of LTE products, user feedback requested
Replies: 208
Views: 101770

Re: Future of LTE products, user feedback requested

Please ensure that Passthrough mode is supported in your future LTE products! Why does this work only with those crappy usb sticks and not with your own LTE hardware?
by dadaniel
Wed Jan 31, 2018 12:28 pm
Forum: Announcements
Topic: MikroTik News February 2018 (Issue #80)
Replies: 64
Views: 36036

Re: MikroTik News February 2018 (Issue #80)

* Match websites in firewall
What about matching non-secure traffic with wildcards directly in firewall? Still not possible?
by dadaniel
Thu Sep 28, 2017 10:50 am
Forum: General
Topic: Super strange issue with 0.0.0.0
Replies: 5
Views: 2294

Re: Super strange issue with 0.0.0.0

That's an old bug in Webfig that is still not fixed. Hit Stop button and Start button and it will show correct values.
by dadaniel
Thu Sep 21, 2017 6:20 pm
Forum: General
Topic: RB750Gr3 IPsec VPN to Cisco ASA does not work [SOLVED]
Replies: 16
Views: 7884

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work [SOLVED]

Can you please report this to support@mikrotik.com ? They often don't notice bug reports in the forums.
by dadaniel
Fri Jun 30, 2017 1:28 pm
Forum: Wireless Networking
Topic: Capsman and 802.11w
Replies: 3
Views: 2350

Re: Capsman and 802.11w

So how to protect against these Deauthers you can get for $6 at Amazon or even preflashed?!

https://github.com/spacehuhn/esp8266_deauther
https://www.tindie.com/products/lspoplo ... ent-board/
by dadaniel
Tue Jun 13, 2017 9:54 am
Forum: Announcements
Topic: v6.39.2 [current]
Replies: 122
Views: 57653

Re: v6.39.2 [current]

The device is seen in netinstall, when I press the install button it lasts 12 seconds and then goes back to ready with no actual install.
Close netinstall, open it again and press install a second time. This time it will work.
by dadaniel
Tue Apr 18, 2017 2:40 pm
Forum: Scripting
Topic: Command Needed for Hard Reboot of Router OS
Replies: 6
Views: 7225

Re: Command Needed for Hard Reboot of Router OS

How is this different? What would you like to do instead?
I think he means such a kernel thing:

echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
by dadaniel
Fri Feb 03, 2017 10:05 am
Forum: General
Topic: Do any queue types respect Priority markings?
Replies: 26
Views: 7396

Re: Do any queue types respect Priority markings?

Notes: I mark the MSDO packets with ToS-Bulk...
Oh, you've already found a way how to identify MSDO traffic. Do you mind sharing how it's done?
a two seconds search in RavenWing71 posts would have told you that: http://forum.mikrotik.com/viewtopic.php ... 64#p577464
by dadaniel
Fri Jan 13, 2017 9:00 am
Forum: General
Topic: Mark MS services, updates?
Replies: 2
Views: 2459

Re: Mark MS services, updates?

Cool find Ravenwing :)

Please also see http://forum.mikrotik.com/viewtopic.php?f=2&t=51802
by dadaniel
Wed Dec 21, 2016 4:31 pm
Forum: General
Topic: Throttle Windows Updates
Replies: 32
Views: 21772

Re: Throttle Windows Updates

Is there any reason for you doing this in forward chain instead of mangle-prerouting? Is there any downside in marking connections using layer7 directly instead of adding it to an address list? /ip firewall mangle add action=mark-connection chain=prerouting comment=MicrosoftUpdates layer7-protocol=M...
by dadaniel
Wed Nov 23, 2016 11:29 am
Forum: Announcements
Topic: v6.37.2 [current] is released!
Replies: 50
Views: 25954

Re: v6.37.2 [current] is released!

I have a problem with Mikrotik caching DNS Server. I have no IPv6 connectivity nor IPv6 packages installed, but caching DNS Server sometimes gets only IPv6 addresses and those are not reachable. Please see the following example for forum.mikrotik.com:

Image
by dadaniel
Mon Nov 21, 2016 4:24 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 212143

Re: Blacklist Filter update script

That means that the ip/ subnet is or has been serving malware for at least 12 hours. The list is automated and will remove the address once it has been clean for 24 hours. I will not manually remove addresses. bit.ly is a referer-website (like shorturl), it never serves anything from its own IP add...
by dadaniel
Fri Nov 18, 2016 4:33 pm
Forum: General
Topic: Throttle Windows Updates
Replies: 32
Views: 21772

Re: Throttle Windows Updates

REMEMBER to disable the defconf:fasttrack in the firewall, else the queue will not work
Is there a way to bypass fasttrack for this, so still being able to use it on all other connections?
by dadaniel
Wed Nov 16, 2016 12:50 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 51
Views: 27286

Re: Why source-based blackhole instead of firewall drop

Source address can be an individual ip or a network range.
Oh, so is there an easy way to do this for all IPs in an address-list without using mangle/filter/etc before?
by dadaniel
Wed Nov 16, 2016 11:28 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 51
Views: 27286

Re: Why source-based blackhole instead of firewall drop

Can you please share the code for this source based blackhole? From above I can see that I have to packet mark so filter is still involved?!
by dadaniel
Fri Nov 11, 2016 11:25 am
Forum: General
Topic: Throttle Windows Updates
Replies: 32
Views: 21772

Re: Throttle Windows Updates

I would try to make the mangle rule more specific (for ex. port 80 TCP), so that the layer7 matcher does not take up all cpu resources (it matches every single packet at the moment)
by dadaniel
Mon Oct 10, 2016 9:58 am
Forum: General
Topic: ROS 6.36.3 export bug
Replies: 3
Views: 1582

Re: ROS 6.36.3 export bug

It seems that the card is manually set to 100Mbps, otherwise speed value would not be exported
by dadaniel
Fri Sep 30, 2016 3:44 pm
Forum: General
Topic: Problems with contracted speed vs Routerboard
Replies: 8
Views: 2452

Re: Problems with contracted speed vs Routerboard

Some observations - I do not use fast track activated because this function ends with my control internal band. My CPU keeps stable between 10-35% I tested changing the MTU of my WAN interface and the problem continues. And so far I could not solve this problem. Does anyone have any tips of what ca...
by dadaniel
Thu Sep 29, 2016 12:58 pm
Forum: General
Topic: 6.16 import stops when there is a duplicate entry
Replies: 15
Views: 12685

Re: 6.16 import stops when there is a duplicate entry

Could you prepare the script that way do { /ip firewall address-list add address=111.251.111.129 list=blackmail timeout=3h } on-error={} instead of /ip firewall address-list add address=111.251.111.129 list=blackmail timeout=3h I have no 6.16 so it is only my guess that such solution works. works l...
by dadaniel
Mon Sep 26, 2016 11:39 am
Forum: Announcements
Topic: v6.37 [current] is released!
Replies: 197
Views: 67424

Re: v6.37 [current] is released!

I'm not sure where mikrotik going, concerning wireless and radio side I am aware of the limitations imposed by regulatory agencies in terms of DFS and other now is the fact that with the current DFS mode, wireless becomes completely unusable in dense areas DFS just constantly shifting frequency eve...
by dadaniel
Thu Sep 08, 2016 2:00 pm
Forum: General
Topic: strange snmp connection
Replies: 0
Views: 771

strange snmp connection

I got the following log entry in my router: forward: in:bridge1 out:bridge1, src-mac bc:5f:f4:b4:0b:5d, proto UDP, 192.168.0.163:49402->192.168.0.211:161, len 105 0.163 is computer with Epson Status Monitor installed 0.211 is the Epson printer bridge has two interfaces (LAN and WLAN) but WLAN is not...
by dadaniel
Thu Jul 21, 2016 5:27 pm
Forum: Announcements
Topic: v6.36 [current] is released!
Replies: 183
Views: 72616

Re: v6.36 [current] is released!

I noticed another thing after upgrade:

my first filter rule
add action=drop chain=forward connection-state=invalid
got changed to connection-state="" (also in Winbox checkbox is disabled now)
by dadaniel
Thu Jul 21, 2016 3:37 pm
Forum: Announcements
Topic: v6.36 [current] is released!
Replies: 183
Views: 72616

Re: v6.36 [current] is released!

dadaniel - Firewall rules export issue will be fixed within 6.37rc version but UPnP settings are shown in export on my router. Please send supout file to support@mikrotik.com. We will investigate it and see what is wrong. I found out that "set enabled=yes" is exported, but "set enabl...
by dadaniel
Thu Jul 21, 2016 1:43 pm
Forum: Announcements
Topic: v6.36 [current] is released!
Replies: 183
Views: 72616

Re: v6.36 [current] is released!

I noticed that export compact now generates
log-prefix=""
at every firewall line.

And
/ip upnp export
does only generate /ip upnp interfaces output. set enabled=yes/no is missing!
by dadaniel
Tue Jun 14, 2016 12:51 pm
Forum: Announcements
Topic: v6.35.4 [current] is released!
Replies: 51
Views: 34500

Re: v6.35.4 [current] is released!

As far as I know it is not possible to create dynamic rule by static command from console. Though dynamic address-list entries are displayed after /ip firewall address-list print. huh? All "load and block current bogus IP addresses on startup" scripts are useless now?? It makes no sense t...
by dadaniel
Fri Feb 26, 2016 1:01 pm
Forum: General
Topic: Eth1 poe port won't do gigabit
Replies: 13
Views: 3923

Re: Eth1 poe port won't do gigabit

Hi,

I cannot even establish a reliable link on eth1. Other ports are working fine. Network card used is Intel I218-LM
by dadaniel
Tue Feb 02, 2016 11:18 am
Forum: Announcements
Topic: v6.34 [current] is released!
Replies: 91
Views: 40675

Re: v6.34 [current] is released!

6.34 WebFig Torch malfunction, showing two lines of incomplete data (after clicking on start it works):
webfig.png
by dadaniel
Wed Jan 27, 2016 10:32 am
Forum: Scripting
Topic: Script to change hairpin NAT rule DST.Address when public IP changes.
Replies: 7
Views: 6252

Re: Script to change hairpin NAT rule DST.Address when public IP changes.

Is there a script that creates hairpin-rules based on existing port forwards?
by dadaniel
Wed Jan 20, 2016 9:59 am
Forum: General
Topic: 6.34 release candidate version topic!
Replies: 200
Views: 66941

Re: 6.34 release candidate version topic!

Why is to-addresses column not enabled by default? No need to write to-addresses in comment field...! *) upnp - added comment for dynamic dst-nat rules to inform what host/program required it; Nice enhancement! http://content.screencast.com/users/nescafe2002/folders/Snagit/media/45a36763-6eec-4f3b-a6...
by dadaniel
Mon Nov 09, 2015 9:16 am
Forum: Announcements
Topic: Winbox3.0 released!
Replies: 45
Views: 28191

Re: Winbox3.0 released!

Is recognized by AVG 2016
winboxvir.jpg
by dadaniel
Wed Sep 23, 2015 4:30 pm
Forum: General
Topic: WinBox 3.0rc15 recognized as malware (IDP.Ares.Generic) by AVG Antivirus
Replies: 1
Views: 1711

WinBox 3.0rc15 recognized as malware (IDP.Ares.Generic) by AVG Antivirus

Mikrotik, please contact AVG to get this resolved...
by dadaniel
Thu Sep 03, 2015 12:51 pm
Forum: Announcements
Topic: v6.32 released [version temporarily removed]
Replies: 116
Views: 47502

Re: v6.32 released [version temporarily removed]

dadaniel - Issue is not fixed yet. It is reported to developers.
Ok, I hope you don't release 6.32 before this is fixed, because RouterOS without working firewall filters is nearly useless :?
by dadaniel
Wed Sep 02, 2015 12:16 pm
Forum: Announcements
Topic: v6.32 released [version temporarily removed]
Replies: 116
Views: 47502

Re: v6.32 released

*) firewall - fixed limit and dst-limit options. requesting more details on this =) the add-dst-to-address-list - rule got triggered before the dst-limit rule above it. One minute later the count on the dst-limit rule started to rise exactly to the value of the add-dst-to-address-list - rule. dst-l...
by dadaniel
Wed Sep 02, 2015 11:29 am
Forum: Announcements
Topic: v6.32 released [version temporarily removed]
Replies: 116
Views: 47502

Re: v6.32 released

What about Ticket #2015082666000269, last message from 28.08 said "Seems that it was not completely fixed"
by dadaniel
Wed Aug 26, 2015 9:48 am
Forum: General
Topic: dst-limit filter rule problem
Replies: 0
Views: 1612

dst-limit filter rule problem

I have made firewall rules as found in http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention to protect my mail-server. They look for authentication failure messages my mail server is sending out and add the destination to a blacklist. add chain=forward action=drop src-address-list=mail_blacklis...
by dadaniel
Fri Jul 31, 2015 3:54 pm
Forum: General
Topic: block Windows 10 update-delivery-optimization
Replies: 20
Views: 13218

Re: block Windows 10 update-delivery-optimization

You will have to sniff the traffic to see what protocol is used.
This could be very hard, because you have to be lucky to catch the moment when it is uploading to some other client. I cannot find any information about protocols and ports used anywhere.
by dadaniel
Fri Jul 31, 2015 3:50 pm
Forum: General
Topic: block Windows 10 update-delivery-optimization
Replies: 20
Views: 13218

Re: block Windows 10 update-delivery-optimization

but why? it will save your bandwidth
No, it will kill my bandwidth. Default setting in non-VL editions of Windows 10 is to upload to other users on the internet.
by dadaniel
Fri Jul 31, 2015 3:42 pm
Forum: General
Topic: drop rule above fasttrack rule not working
Replies: 1
Views: 1263

drop rule above fasttrack rule not working

When not using fasttrack rule, active connections are dropped immediately when they are added to src-address-list. When using fasttrack, active connections are not dropped, although drop rule is above fasttrack rule: add action=drop chain=forward src-address-list=ftp_blacklist add action=fasttrack-c...
by dadaniel
Thu Jul 30, 2015 2:51 pm
Forum: General
Topic: block Windows 10 update-delivery-optimization
Replies: 20
Views: 13218

block Windows 10 update-delivery-optimization

Does anyone know how to block Windows 10 update-delivery-optimization (built-in feature for getting Windows Updates through P2P) using mikrotik firewall rules? Please see http://windows.microsoft.com/en-gb/windows-10/windows-update-delivery-optimization-faq for details. https://cdn2.vox-cdn.com/thum...
by dadaniel
Wed May 27, 2015 5:18 pm
Forum: Announcements
Topic: FastTrack - New feature in 6.29
Replies: 237
Views: 204007

Re: FastTrack - New feature in 6.29

best is to fasttrack connection-state=established,related
Is this fasttrack rule replacing the default "accept connection-state=established,related"-rule or do I still need it?
by dadaniel
Thu May 21, 2015 6:06 pm
Forum: General
Topic: filter rule difference?
Replies: 5
Views: 1457

Re: filter rule difference?

Thank you very much for pointing me to this problem :)

I noticed that it is possible to limit by src and dst-address. This would only count too many connection attempts to the same dst-address, but would not work if the attacker is changing dst-addresses all the time, right?
by dadaniel
Thu May 21, 2015 5:17 pm
Forum: General
Topic: filter rule difference?
Replies: 5
Views: 1457

Re: filter rule difference?

last rule will use dst-address as criteria, to do the same it should use src-address as criteria. I think only its counting is based on dst-address, so 'ignore the first three packets, let the fourth pass and count every other packet that arrives in the same minute to the same dst-address' The fir...
by dadaniel
Thu May 21, 2015 1:21 pm
Forum: General
Topic: filter rule difference?
Replies: 5
Views: 1457

filter rule difference?

Can you please tell me the difference between these firewall rules? Will both of them work? Do I get the same result with both of them? add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w chain=forward connection-state=new dst-port=22 protocol=tcp src-address-list=s...
by dadaniel
Thu May 21, 2015 11:31 am
Forum: Announcements
Topic: FastTrack - New feature in 6.29
Replies: 237
Views: 204007

Re: FastTrack - New feature in 6.29

Why not to mark packet at mangle postrouting?
It does only make sense to use FastTrack on specific (known) connections before they enter filter/other routing chains. Using it afterwards makes no sense at all...
by dadaniel
Thu Mar 12, 2015 9:41 pm
Forum: Scripting
Topic: script to add Ip address
Replies: 20
Views: 7426

Re: script to add Ip address

Could you please post the code that allows communication to std gateway so you can access the Internet and block the rest of the net? Above firewall rules seem to block the whole subnet used including the gateway?
by dadaniel
Tue Mar 03, 2015 10:38 pm
Forum: Wireless Networking
Topic: Ubiquitik or Mikroquiti? ;-)
Replies: 1
Views: 1261

Ubiquitik or Mikroquiti? ;-)

Ubiquiti AM-5AC21-60 + Meconet LMR240UF 90° RPSMA + RF-Elements EasyBracket 912 + RB922UAGS-5HPacD-NM

2.jpg
1.jpg
by dadaniel
Fri Feb 13, 2015 8:51 am
Forum: Beginner Basics
Topic: only allow access to default gateway and internet
Replies: 3
Views: 2288

Re: only allow access to default gateway and internet

ISPs router and the rest of the network is plugged into ether0, ether1 to ether4 is hardware switched(master port ether1), ether0 and ether1 are member of bridge1 dhcp-client is running on bridge1 and get dhcp data including default gateway from ISPs modem. These are the only changes I made from def...
by dadaniel
Thu Feb 12, 2015 8:14 pm
Forum: Beginner Basics
Topic: only allow access to default gateway and internet
Replies: 3
Views: 2288

only allow access to default gateway and internet

Can someone please tell me the firewall rules I need to allow only traffic that goes to the current default gateway of the routerboard and to Internet?

Thank you very much in advance!
by dadaniel
Thu Nov 06, 2014 9:44 pm
Forum: General
Topic: 6.22rc7: connection-nat-state matcher
Replies: 0
Views: 1553

6.22rc7: connection-nat-state matcher

Can I use this as a fix for Ticket#2014012266000405 (src-nat with 'accept related' and 'drop all' at the end drops NAT'ed UDP packets)?

Will this matcher also catch NAT'ed UDP packets?
by dadaniel
Tue Oct 28, 2014 4:21 pm
Forum: General
Topic: Does WDS mode means WDS repeating?
Replies: 3
Views: 1690

Re: Does WDS mode means WDS repeating?

Sorry but this does not answer my question, because these things are done in wireless driver imho.
*bump*
by dadaniel
Wed Oct 22, 2014 12:16 pm
Forum: General
Topic: Does WDS mode means WDS repeating?
Replies: 3
Views: 1690

Does WDS mode means WDS repeating?

Is the "bad" WDS repeating mode (sending every station everything, thus -50% speed with every connected station) active when setting wireless mode to WDS?

Or is it the same "transparent Layer 2 mode" like in Ubiquiti AirOS?
by dadaniel
Sun Sep 07, 2014 12:19 pm
Forum: Beginner Basics
Topic: CRS VLAN configuration help
Replies: 1
Views: 1278

CRS VLAN configuration help

I need some help with the VLAN configuration on the CRS109 please: I have an existing managed D-Link Switch where: Port 1 = 802.1Q VLAN1 + VLAN2 = Trunk Port 2-5 = 802.1Q VLAN1 = LAN Port 6-10 = 802.1Q VLAN2 = WAN The CRS109 should be configured like that: Port 1 = 802.1Q VLAN1 + VLAN2 = Trunk Port ...
by dadaniel
Fri Sep 05, 2014 10:44 am
Forum: General
Topic: ARP table not working properly?
Replies: 3
Views: 1814

Re: ARP table not working properly?

Would you mind sharing the reason for this strange configuration? These are Ptmp links where default forward on wlan is disabled and communication is handled by the routing protocol. We do not want to waste ip addresses or subnets (because we would need them for every link in this case). The same c...
by dadaniel
Thu Sep 04, 2014 12:04 pm
Forum: General
Topic: ARP table not working properly?
Replies: 3
Views: 1814

ARP table not working properly?

Hi, I'm using a rather strange configuration on my RB750 with ROS v6.19: ether1 has 10.12.123.123 255.255.0.0 ether2 has 10.12.123.124 and the same subnet as ether1. and I'm using a routing protocol. My problem is that the routing protocol needs some time to start working properly and something stop...
by dadaniel
Mon Aug 18, 2014 5:53 pm
Forum: General
Topic: Newsletter 60: 802.11ac
Replies: 104
Views: 65480

Re: Newsletter 60: 802.11ac

Got my first batch of SXT AC and SXT AC SA.
802.11af works fine. The non SA Version does not have a shield painting inside.
So for ptp on a loaded tower some additional shielding might be necessary.
Is there any SXT shield kit available?
by dadaniel
Fri Jul 25, 2014 4:10 pm
Forum: General
Topic: Newsletter 60: 802.11ac
Replies: 104
Views: 65480

Re: Newsletter 60: 802.11ac

From SXTac Datasheet: "802.3af/at supported (Mode B. requires crossover cable)" ... Does this mean that it will only link at 100Mbit when using 802.3af/at? Because Wikipedia says that "Mode B delivers power on the spare pairs".

But there are no spare pairs when using Gigabit
by dadaniel
Wed Jul 09, 2014 10:42 am
Forum: General
Topic: Winbox: Could Not get Index: Fatal error
Replies: 33
Views: 63638

Re: Winbox: Could Not get Index: Fatal error

I have also had this problem one time, it was caused by a ssh port forward to an internal linux machine.
by dadaniel
Thu Jul 03, 2014 3:18 pm
Forum: General
Topic: PPTP without add-default-route - how to get gateway address?
Replies: 3
Views: 2028

Re: PPTP without add-default-route - how to get gateway addr

(I suppose default Gateway: "remote-address"):
This field is empty, only local address is visible.
as this is tunnel interface you can use interface name as default gateway. And you can assign static name for PPTP-out tunnel.
I will try this, thank you.
by dadaniel
Thu Jul 03, 2014 10:51 am
Forum: General
Topic: PPTP without add-default-route - how to get gateway address?
Replies: 3
Views: 2028

PPTP without add-default-route - how to get gateway address?

Every time I connect to my Internet provider using PPTP client, I get a dynamic public IP and a dynamic default gateway.
How can I get this gateway address when using add-default-route=no?
by dadaniel
Tue Jul 01, 2014 12:16 pm
Forum: Scripting
Topic: 3G failover script
Replies: 1
Views: 1766

3G failover script

Could anyone please share a simple 3G failover script? The 3G connection should only be activated when for example 8.8.8.8 is not reachable via ethernet's default route and disabled if 8.8.8.8 is reachable via ethernet again.
by dadaniel
Sat Jun 28, 2014 5:03 pm
Forum: General
Topic: RB260GSP is it giga POE OUT?
Replies: 15
Views: 7719

Re: RB260GSP is it giga POE OUT?

1000poe.png
by dadaniel
Fri Jun 27, 2014 2:18 pm
Forum: SwOS
Topic: RB 260GS transmit multicast trafic
Replies: 4
Views: 4995

Re: RB 260GS transmit multicast trafic

have you sent bug report to MikroTik Technical Support ( support@mikrotik.com )?
by dadaniel
Fri Jun 27, 2014 10:54 am
Forum: General
Topic: DDoS story, or WARNING: use 'conection-limit' with caution!
Replies: 168
Views: 111698

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Is it somehow possible to make these rules more efficient? Currently every new connection is counted, jumped into new chain and there again counted and if below the threshold returned to forwarding chain...
by dadaniel
Sun Jun 22, 2014 2:39 pm
Forum: RouterBOARD hardware
Topic: routerboard with Gbit-PoE-out like 260gsp?
Replies: 2
Views: 1699

routerboard with Gbit-PoE-out like 260gsp?

Will there ever be a routerboard with Gigabit and PoE-out?
by dadaniel
Sun May 18, 2014 1:59 pm
Forum: General
Topic: wrong tx power calculation and change on DFS activation?
Replies: 1
Views: 1184

wrong tx power calculation and change on DFS activation?

I have set these values on SXT SA: antenna-gain=14 band=5ghz-onlyn country=austria dfs-mode=radar-detect disabled=no frequency=5600 frequency-mode=regulatory-domain mode=ap-bridge wireless-protocol=nv2 Now current Tx power stays on 3/6dBm (+14dBi = 20dbm = 0,1W) Without dfs-mode current TX power sta...
by dadaniel
Thu Apr 17, 2014 4:44 pm
Forum: General
Topic: Easiest Way to have Netwatch Ping More than Once
Replies: 25
Views: 8986

Re: Easiest Way to have Netwatch Ping More than Once

is it possible to use
local i
in more than one script at the same time?
by dadaniel
Wed Apr 02, 2014 5:57 pm
Forum: Beginner Basics
Topic: default-config 802.1Q Trunk
Replies: 1
Views: 2033

default-config 802.1Q Trunk

Is it possible to adapt the ether1-gateway-->NAT-->ether2-lan default-config so that both lan and wan are served through one interface's 802.1Q Trunk?
by dadaniel
Wed Mar 19, 2014 2:02 pm
Forum: General
Topic: Roaming features?
Replies: 0
Views: 1242

Roaming features?

Does Mikrotik support any roaming features like PMK Caching, Pre-Authentication or 802.11r, 802.11v, 802.11k?
by dadaniel
Mon Feb 10, 2014 1:05 pm
Forum: Beginner Basics
Topic: proxy: how to block a specific url sub-directory?
Replies: 3
Views: 2306

Re: proxy: how to block a specific url sub-directory?

Thanks,

is there a way to do without proxy?
by dadaniel
Thu Feb 06, 2014 12:26 pm
Forum: Beginner Basics
Topic: proxy: how to block a specific url sub-directory?
Replies: 3
Views: 2306

proxy: how to block a specific url sub-directory?

for example:

I want to allow www.website.com but block www.website.com/badsite/notgood

In fact I want to block http://*/badsite/notgood


How to?
by dadaniel
Thu Jan 23, 2014 5:30 pm
Forum: Beginner Basics
Topic: src-nat problem
Replies: 4
Views: 3566

Re: src-nat problem

/ip firewall address-list add address=123.123.123.108/28 list=ournetwork add address=192.168.0.0/24 list=ournetwork /ip firewall filter add action=drop chain=forward connection-state=invalid add chain=input in-interface=ether5-lan add chain=input connection-state=established add chain=input connecti...
by dadaniel
Wed Jan 22, 2014 12:18 pm
Forum: Beginner Basics
Topic: src-nat problem
Replies: 4
Views: 3566

src-nat problem

I'm using the following firewall rule for the internet connectivity of my internal network, so the src address of outgoing connections is one of my official ips (123.123.123.111). /ip firewall nat add action=src-nat chain=srcnat src-address=192.168.0.0/24 to-addresses=123.123.123.111 My problem is t...
by dadaniel
Tue Jan 14, 2014 11:50 am
Forum: General
Topic: v6.7 released
Replies: 225
Views: 133199

Re: v6.7 released

Will Ticket#2013112866000182 be fixed in v6.8?
by dadaniel
Thu Nov 28, 2013 9:49 am
Forum: General
Topic: CRS switch-groups
Replies: 3
Views: 1461

Re: CRS switch-groups

That VLAN rule table does not apply to CRS125, the features which will allow similar functionality are currently being developed.
Will this VLAN processing run at hardware level and be capable of wire-speed?
by dadaniel
Wed Nov 27, 2013 2:39 pm
Forum: General
Topic: CRS switch-groups
Replies: 3
Views: 1461

CRS switch-groups

How many switch groups can be created on Cloud Router Switch?
Is it possible to use the hardware VLAN Rule table ( http://wiki.mikrotik.com/wiki/Manual:Sw ... Rule_Table )? How many rules can be created?
by dadaniel
Wed Nov 27, 2013 2:19 pm
Forum: General
Topic: Changelog RouterOS 6.7
Replies: 27
Views: 21108

Re: Changelog RouterOS 6.7

it should be more precise and report proper values as there were issues observed that sometimes unrealistic reading was displayed. could you please comment on the following questions: which max. initial PoE current is possible with the current hardware/firmware? which protection is built in and is...
by dadaniel
Wed Nov 20, 2013 12:04 pm
Forum: General
Topic: Known issues and bugs - a list
Replies: 284
Views: 170952

Re: Known issues and bugs - a list

In support emails, 90% of bugs are not bugs, but mistakes.
Your e-mail-support is very good, but getting an answer takes way too long. I do not have the time to wait 1 week for each reply of the same case number. Sorry...
by dadaniel
Wed Oct 09, 2013 2:20 pm
Forum: General
Topic: Inter-VLAN routing RB750GL on switch level?
Replies: 2
Views: 1512

Re: Inter-VLAN routing RB750GL on switch level?

AFAIK it is not possible, only VLAN switching and some sort of ACL is possible in hardware: http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features
by dadaniel
Fri Sep 20, 2013 3:37 pm
Forum: Scripting
Topic: script + address-list
Replies: 3
Views: 7277

Re: script + address-list

I have the same question. Anyone?
by dadaniel
Mon Sep 02, 2013 8:51 am
Forum: General
Topic: vlan-id, vlan-priority, new-vlan-id not supported
Replies: 2
Views: 1562

Re: vlan-id, vlan-priority, new-vlan-id not supported

Every single one, because RouterOS implements 802.1q
sorry, I forgot to add "wirespeed VLAN capable (via switch chipset)"
by dadaniel
Fri Aug 30, 2013 4:32 pm
Forum: General
Topic: vlan-id, vlan-priority, new-vlan-id not supported
Replies: 2
Views: 1562

vlan-id, vlan-priority, new-vlan-id not supported

Which currently available fanless routerboard is fully wirespeed VLAN capable (via switch chipset)?
by dadaniel
Fri Aug 30, 2013 3:46 pm
Forum: General
Topic: Switch chip rules and delivering packets to VLAN interfaces
Replies: 5
Views: 6301

Re: Switch chip rules and delivering packets to VLAN interfa

Is there any news about that? Is this resolved in v6.x?
by dadaniel
Sun Aug 18, 2013 2:39 pm
Forum: General
Topic: action after X ammount of pings?
Replies: 7
Views: 2051

Re: action after X ammount of pings?

Try this:

add chain=forward comment="allow 10 ICMP-requests per second per source IP" dst-limit=10,2,src-address protocol=icmp
add action=add-src-to-address-list address-list=icmpflooders address-list-timeout=60m chain=forward protocol=icmp
by dadaniel
Fri Aug 16, 2013 12:54 pm
Forum: General
Topic: firewall rule interface: using hw-sw master-port sufficient?
Replies: 2
Views: 1114

Re: firewall rule interface: using hw-sw master-port suffici

Thank you very much for the clarification :-D
by dadaniel
Fri Aug 16, 2013 11:11 am
Forum: General
Topic: firewall rule interface: using hw-sw master-port sufficient?
Replies: 2
Views: 1114

firewall rule interface: using hw-sw master-port sufficient?

I have enabled port switching ( http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features ) on some of my routerboard's interfaces.

Is it sufficient to use the master-port in my firewall rules? Or do I have to add a rule for each interface in the port switching group?
by dadaniel
Fri Aug 16, 2013 9:40 am
Forum: General
Topic: simple firewall question
Replies: 2
Views: 1130

simple firewall question

Is
add action=drop chain=input connection-state=invalid
necessary when the last rule is
add action=drop chain=input
and there are several add action=accept rules in between?
by dadaniel
Tue Jul 30, 2013 4:52 pm
Forum: General
Topic: addr-list delay
Replies: 4
Views: 1696

Re: addr-list delay

Is that ip in the address list? If it is, then ensure you are blocking the request from the client. You are adding the dst-address of the fail packet (response to client), but you want to block that src-address on any further port 110 requests from that client. Sorry, I forgot to paste the block ru...
by dadaniel
Tue Jul 30, 2013 4:03 pm
Forum: General
Topic: addr-list delay
Replies: 4
Views: 1696

addr-list delay

Based on several mikrotik examples found in www, I put in the following firewall rules to protect our mail server from getting bruteforced: add address=213.47.xxx.xxx/28 list=ournetwork add address=192.168.0.0/24 list=ournetwork add action=drop chain=forward comment="block POP3 bruteforcers"...
by dadaniel
Thu Jun 06, 2013 5:39 pm
Forum: General
Topic: Connection Tracking
Replies: 20
Views: 16132

Re: Connection Tracking

try at least RouterOS 6.0 version. Already tried with v6... no difference. Great that this is "no problem" for Sergejs... but why loading CPU when it is absolutely not necessary? Please look at the starting date of this thread ... 2007 :? Hello, Yes, connection tracking uses CPU, I do not...
by dadaniel
Thu Jun 06, 2013 11:44 am
Forum: General
Topic: Connection Tracking
Replies: 20
Views: 16132

Re: Connection Tracking

Any news about this topic? I'm also running into CPU load problems :(
by dadaniel
Thu May 16, 2013 5:02 pm
Forum: General
Topic: Firewall filter: log&drop problem on heavy bruteforce attack
Replies: 0
Views: 1519

Firewall filter: log&drop problem on heavy bruteforce attack

These are my firewall rules, they worked as expected... until today: add action=drop chain=forward comment="gesperrte POP3 IPs blockieren" disabled=no src-address-list=pop3_blacklist add action=drop chain=forward comment="gesperrte RDP IPs blockieren" disabled=no src-address-list...
by dadaniel
Thu May 16, 2013 2:16 pm
Forum: General
Topic: Bypass nat by dst-address
Replies: 3
Views: 3825

Re: Bypass nat by dst-address

This works but CPU load does not decrease, so it seems that conntracking is still active for these connections.
Is there a way to avoid this? I need that because the connection is maxing out at 100Mbps now, but according to Mikrotik performance tests RB750G* should be capable of routing >100Mbps.
by dadaniel
Thu May 16, 2013 11:27 am
Forum: General
Topic: Optimizing queue trees / packet marking
Replies: 2
Views: 1100

Re: Optimizing queue trees / packet marking

NAT translation is loading the CPU, these boards hardly reach 100Mbit. The chipset does not support hardware NAT acceleration.
Also firewall rules containing "content=" use a huge amount of CPU.
by dadaniel
Wed May 15, 2013 10:36 am
Forum: General
Topic: Accept connections from pptp clients rule?
Replies: 0
Views: 648

Accept connections from pptp clients rule?

Can you please give me a hint how to allow pptp clients to access the router via Winbox or Webfig (regardless of their ip range!) when the last firewall rule is "add action=drop chain=input comment=drop_all"?
by dadaniel
Thu Mar 28, 2013 11:47 am
Forum: General
Topic: ROS 5.24: simple queue 'target upload/download' bug
Replies: 1
Views: 1299

ROS 5.24: simple queue 'target upload/download' bug

Hello, when entering both RxMaxLimit/TxMaxLimit and direction=both the rule works and is displayed ok. BUT if direction=upload it is displayed wrong and does not work! Please see attached screenshot (target upload is checked = ok, but download(!) value is displayed instead of upload). queue error.jpg
by dadaniel
Wed Feb 27, 2013 5:36 pm
Forum: General
Topic: 5.24 released!
Replies: 160
Views: 60707

Re: 5.24 released!

Hi, The target upload/download captions seem to be reversed in simple queue settings. Please see attached screenshot. Additionally it is not possible to set queues using terminal, for example: add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=upload disabled=no interface=ether1-mode...
by dadaniel
Mon Nov 26, 2012 5:25 pm
Forum: General
Topic: 5.22 released!
Replies: 104
Views: 58939

Re: 5.22 released!

by dadaniel
Wed Nov 07, 2012 4:33 pm
Forum: General
Topic: 5.21 released
Replies: 78
Views: 27119

5.21: config export error

/interface ethernet export file=if.rsc expected output: /interface ethernet set 0 name=ether1-modem set 1 name=ether2-wan1 set 2 name=ether3-wan2 master-port=ether2-wan1 set 3 name=ether4-wan3 master-port=ether2-wan1 set 4 name=ether5-lan actual output: /interface ethernet switch set 0 mirror-source...
by dadaniel
Wed Nov 07, 2012 3:32 pm
Forum: General
Topic: firewall filter rules: multiple SRC or DST adr or if?
Replies: 1
Views: 1093

firewall filter rules: multiple SRC or DST adr or if?

I want to use multiple SRC or DST addresses or interfaces in one rule, until now I have to create a bunch of rules to get things working right... :(

Is this on the to-do list for future releases?
by dadaniel
Thu Jun 28, 2012 3:59 pm
Forum: General
Topic: show "To Addresses" in IP-Firewall-NAT?
Replies: 1
Views: 836

show "To Addresses" in IP-Firewall-NAT?

Is it possible to display a row displaying "To Addresses" in IP-Firewall-NAT?
by dadaniel
Thu Jun 28, 2012 3:54 pm
Forum: General
Topic: Firewall/Filter/PSD recognize DNS answers as UDP scan?
Replies: 1
Views: 1095

Firewall/Filter/PSD recognize DNS answers as UDP scan?

When I set a filter rule with psd=20,3s,3,1 my DNS servers soon get blocked. When I enable psd only for TCP traffic all is ok.

Any ideas?
by dadaniel
Tue Jun 12, 2012 1:39 pm
Forum: General
Topic: upgrade v.3.25 to 5.17
Replies: 7
Views: 2995

Re: upgrade v.3.25 to 5.17

yes, you can. if you need any help, email support, we will help if any licensing issues arise. Sorry, but didn't find e-mail of support. So may I post message here? I downloaded routeros-4.17. It has 5 directories, 1 .iso file and 4 files. Which of them I have to copy in Files of router? Alex This is th...
by dadaniel
Fri May 11, 2012 2:32 pm
Forum: General
Topic: is there a more simple way to count new connections?
Replies: 2
Views: 1194

is there a more simple way to count new connections?

I found this one in the wiki, is there a way to do the same without the need for four rules? add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w chain=forward comment="put Src IP on blocklist after 4 new SSH connections in one minute" connection-state=new ...
by dadaniel
Thu Feb 23, 2012 11:09 pm
Forum: General
Topic: v5.14 released
Replies: 73
Views: 27155

Re: v5.14 released

Port flapping on RB750G seems to be fixed :)
by dadaniel
Wed Feb 22, 2012 11:11 pm
Forum: General
Topic: v5.13 released
Replies: 64
Views: 13513

Re: v5.13 released

Doesn't appear to be even acknowledged by MT as yet, even though there is more than one report of the issue mentioned on this topic.
has anybody written to support@? :)
Hello,

Thank you for reporting this with attached supout.rif file.
We will try to fix it as soon as possible.

Regards,...
by dadaniel
Wed Feb 15, 2012 5:59 pm
Forum: General
Topic: v5.13 released
Replies: 64
Views: 13513

Re: v5.13 released

When updated to 5.13 from 5.12 I have got a problem with interfaces going up and down in irregular intervals. It can be running fine for a long time and then more often than one minute apart go up and down up and down. I see the same behaviour, it seems that the interface stays up when a winbox conn...
by dadaniel
Mon Jan 23, 2012 5:33 pm
Forum: General
Topic: v5.12 released
Replies: 144
Views: 38029

Re: v5.12 released

Remove default configuration does not work anymore on RB750G. When you click on the button all settings seem to remain the same, interface names are not changed to ether1 and so on...

:(
by dadaniel
Thu Nov 10, 2011 11:46 am
Forum: General
Topic: UPnP and NAT-PMP
Replies: 13
Views: 10437

Re: UPnP and NAT-PMP

It would be great to have the same features as seen here in Tomato Firmware:
upnpnat.jpg
by dadaniel
Mon Sep 19, 2011 3:00 pm
Forum: General
Topic: RouterOS v5.7 released
Replies: 227
Views: 87110

Re: RouterOS v5.7 released

UPnP 'Forced external IP' is still broken (first IP of external Interface is used instead of the 'forced' one).
Sent supout and screenshots: Ticket#2011091666000168
by dadaniel
Wed May 18, 2011 12:45 pm
Forum: General
Topic: UPnP Dst. Address
Replies: 1
Views: 971

Re: UPnP Dst. Address

*bump* Is there any way to do this? :?:
by dadaniel
Sun May 15, 2011 12:59 am
Forum: General
Topic: [Solved] RB750G ROS 5.2 serious performance issue.
Replies: 15
Views: 4911

Re: RB750G ROS 5.2 100/100 Mbps link serious performance iss

This is a known problem with v5.2

switch back to the latest 4.x firmware and your problem is solved
by dadaniel
Thu May 05, 2011 4:09 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 632172

UPnP Dst. Address

I have multiple IPs on my external interface. I need to set the Dst. Address of the dst-nat made by UPnP, but I have not found a way to do this.

Thank you!
by dadaniel
Thu May 05, 2011 12:32 pm
Forum: General
Topic: DHCP Assigned and Deassigned
Replies: 10
Views: 23969

Re: DHCP Assigned and Deassigned

I have the same problem with 4.17 and RB750G.

Please help!
by dadaniel
Wed May 04, 2011 11:55 am
Forum: General
Topic: UPnP Dst. Address
Replies: 1
Views: 971

UPnP Dst. Address

I have multiple IPs on my external interface. Where can I set the Dst. Address UPnP should use?
by dadaniel
Mon May 02, 2011 11:28 pm
Forum: General
Topic: v5.2 released
Replies: 161
Views: 44571

Re: v5.2 released

5.2 still has the throughput issue.
I am also having throughput issues with 5.2 on RB750G. I only get ~30Mbps of my 100Mbps connection. No problem with 4.17
by dadaniel
Mon May 02, 2011 11:18 pm
Forum: General
Topic: What the hell is going on (after upgrade to v5.1)
Replies: 11
Views: 2430

Re: What the hell is going on (after upgrade to v5.1)

I am having WAN to LAN throughput issues with 5.2 on RB750G. I only get ~30Mbps of my 100Mbps connection.
No problem with 4.17
by dadaniel
Fri May 14, 2010 11:52 pm
Forum: General
Topic: Dynamic Upnp rules, how long?
Replies: 8
Views: 2486

Re: Dynamic Upnp rules, how long?

Is there a solution now?