If it is a production unit, better wait. Say to yourself that v6.36 does not exist yet.
I've got hAP ac with RouterOS v6.35.2. But there're some features in v6.36rc which are interesting me. What will you advise me? Update to v6.36rc or wait for final release?
I am trying to test this new feature but I haven't got any results yet.
*) firewall - added raw table to be able to disable connection tracking on selected packets or drop packets before connection tracking (CLI only)
Since 6.36rc8 it is possible to configure firewall rules in a raw table ("/ip firewall raw", "/ipv6 firewall raw"). These rules have two possible chains, prerouting and output, which happen before connection tracking in the packet flow.
There is an action called "notrack". It means that you can select on which packets you want to use connection tracking. It is also possible to drop packets before connection tracking.
These rules do not have firewall rule matchers that would depend on connection tracking like "connection-state".
Packets which match rules with action "notrack" also are not being fragmented. In the past, as soon as you loaded connection tracking, packets were fragmented. Now, even if connection tracking is on, "notrack" packets are not being defragmented.
Now in the regular firewall, there is a new possible connection-state value called "untracked".
Basically, this raw firewall should be used to protect your devices against DDoS attacks.
There's problem with CNAMEs, when more of them point to same host. If DNS contains records like this:
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
test.test.lan. A 127.0.0.1
test1.test.lan. CNAME test.test.lan.
test2.test.lan. CNAME test.test.lan.
/ip firewall address-list
add address=test1.test.lan list=test
add address=test2.test.lan list=test
/ip firewall address-list print detail
Flags: X - disabled, D - dynamic
0 list=test address=test1.test.lan dynamic=no
1 D ;;; test1.test.lan
list=test address=127.0.0.1 dynamic=yes
2 list=test address=test2.test.lan dynamic=no
I was about to chime in with this
Edit: On second thought, it's correct. It does not make sense to have same address in one list twice. With different lists it works fine. Sorry, my bad. The only valid concern might be when you add several hostnames and you don't know in advance that they resolve to same address, it might look like there's a problem, even though there isn't.
Finally received my first RB3001 for testing. My first issue is minor....
Version 6.36rc21 has been released.
Changes since previous version:
*) icmp - fixed kernel failure when icmp packet could not be processed on high load;
*) lte - Huawei MU609 must use latest firmware to work correctly;
*) lte - use only creg result codes as network status indications;
*) proxy - limit max ram usage to 80% for tile and x86 devices;
*) rb3011 - fixed reset button functionality;
*) snmp - fixed interface stats branch from MikroTik MIB;
*) snmp - report current access technology and cell id for lte modems;
If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
/system resource print
perhaps you're right, it's a "not completely implemented" case. same about DNS, IPv6 stack and other things (like netfilter portions, RIP etc., generally legacy stuff).
Please fix OSPFv3, Mikrotik isn't following the RFC.
https://tools.ietf.org/html/rfc5340#appendix-A.2
I can't run OSPFv3 with an EdgeRouter, because of wrong RFC implementation of the Mikrotik.
Rb3011 still doesn't see usb disk and partition's tool doesn't work..
Version 6.36rc27 has been released.
.. cut ..
If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
why-y-y?..
*) address-list - make "dynamic=yes" as read-only option;
[admin@TestPlace] /ip firewall address-list> ad ad=99.88.77.77 list=test timeout=3000w
[admin@TestPlace] /ip firewall address-list> pr
Flags: X - disabled, D - dynamic
# LIST ADDRESS TIMEOUT
0 D test 99.88.77.77 17w2d16h28m43s
Bump... No Comment. Neither Winbox 3.4 nor the CLI is displaying anything on any tunnel interface about this feature. What is it about and where can I explore it?
*) tunnel - added option to auto detect tunnel local-address;
Can't seem to find it?
Does it solve changing ip in conjunction with auto ipsec as well? Otherwise please add that.
Address lists can still be dynamic. Creating an item with a timeout makes it dynamic. it really should not be a big issue. My scripts only required very minor changes.
as for "dynamic-only" address-list options - i still don't get whole idea of removing tweaking that option from ROS
if its used not for operational management (eg marking and balancing, routing traffic) but for example for tracking emerging threats, then persistent elements in address-lists - a must (preferably with timestamp in). i think that should remain tweakable. but not on "record-level" but on "address-list level" to adjust it for Both purposes, depend needs.
And what if I need infinite timeout?
Address lists can still be dynamic. Creating an item with a timeout makes it dynamic. it really should not be a big issue.
Wouldn't that be, by definition, static?
And what if I need infinite timeout?
Address lists can still be dynamic. Creating an item with a timeout makes it dynamic. it really should not be a big issue.
I don't want to backup some data that is continuously synced to billing system. and I don't want to kill NAND by writing that data to persistent storage
how to add dynamic entry in this version? the goal is excluding such entries from export and NOT writing them to NAND
well, config versioning and NAND resource doesn't make sense for you? welcome to the world of telecom
That doesn't make sense
exactly. if your router reboots once a year just for OS upgrade and in a few dozens seconds after that your billing system recreates all dynamic lists - you don't want them to disturb you in your everyday work
You want an item permanently in an address list, but you don't want it backed up and you don't want it saved?
sounds like working spike-nail, but the main question is: why silly destroy what was working before?
It sounds like your only option is to write a script that will refresh your permanent-dynamic lists.
that's EXACTLY my point.
sounds like working spike-nail, but the main question is: why silly destroy what was working before?
EXACTLY! This change was also made in 6.35.4. It makes no sense to eliminate a configuration capability that was working just fine. Perhaps MT could explain what the problem was that needed to be resolved by total removal of a configuration option.
why-y-y?..
*) address-list - make "dynamic=yes" as read-only option;
how to add dynamic entry in this version? the goal is excluding such entries from export and NOT writing them to NAND
Haven't played with this feature, but I would presume that leaving "local address" field empty is the way to invoke the auto detection....
Bump... No Comment. Neither Winbox 3.4 nor the CLI is displaying anything on any tunnel interface about this feature. What is it about and where can I explore it?
*) tunnel - added option to auto detect tunnel local-address;
Can't seem to find it?
Does it solve changing ip in conjunction with auto ipsec as well? Otherwise please add that.
Thanks
Before you were able to manually add dynamic entry without timeout. Now there's no such possibility.
He was adding them via command line, and including dynamic=yes in the command. Mikrotik has removed this ability going forward, so if you've never used this ability before, it's probably a bad idea to fall in love with it now.
Thanks
Before you were able to manually add dynamic entry without timeout. Now there's no such possibility.
But how was possible? Never used this function
Because I always set ip and hit ok for me that is a static entry
Thanks,
yeah. i used that in 3 things: 1. store 2rd stage emerging threats, detected. 2. entries for advertisement filtering, fetched and updated periodically. 3. full bogons list. 4. unconditional "funky/hostile" datacenters, companies (spammers, offenders, malware, whatever else you may encounter in. aside moving to asia, china and pacific from central and east europe now its greatly shifted to NA and Africa s-holes in terms of percentage generated threats)
EXACTLY! This change was also made in 6.35.4. It makes no sense to eliminate a configuration capability that was working just fine. Perhaps MT could explain what the problem was that needed to be resolved by total removal of a configuration option.
why-y-y?..
*) address-list - make "dynamic=yes" as read-only option;
how to add dynamic entry in this version? the goal is excluding such entries from export and NOT writing them to NAND
I don't like the idea of establishing BGP peer to my billing system, sometime in a future. I prefer RouterOS API and now
This will open the gates for amazing dynamic realtime blacklists distributed via BGP, and would totally obviate the problem with the adding-as-dynamic issue (as being discussed here anyway)
in-interface-list=*1389
OK. Then it is not possible with ipsec which i was hoping for. when are we going to be able to set up crypted tunnels from a dynamic localpoint without hassling with scripts?
Haven't played with this feature, but I would presume that leaving "local address" field empty is the way to invoke the auto detection....
Bump... No Comment. Neither Winbox 3.4 nor the CLI is displaying anything on any tunnel interface about this feature. What is it about and where can I explore it?
*) tunnel - added option to auto detect tunnel local-address;
Can't seem to find it?
Does it solve changing ip in conjunction with auto ipsec as well? Otherwise please add that.
Do you use L2TP over IPsec? In case you do, please make sure your inner-tunnel IPsec traffic isn't fasttracked (otherwise it bypasses the IPsec policies). This is the expected behaviour.
L2TP tunnel stops routing traffic when any version later than 6.35 is installed.
Seems like fastpath/fasttrack isn't working.
that wasn't option in several applications "at all". also BGP usage imply rather bigger resource consumption, while address lists implementation would (and actually was. except DNS static overrides since i think ~ 6.10 or 6.11 somewhere) work perfectly even on mid to low-grade devices (sometimes with moderate impact on boottime, but that expected consequences/drawback).
When the mystical unicorn that is ROSv7 comes out, it's supposed to have an enhancement to the routing filters with a new action of add prefix to address list.
This will open the gates for amazing dynamic realtime blacklists distributed via BGP, and would totally obviate the problem with the adding-as-dynamic issue (as being discussed here anyway)
No I can't because if I specify crypto on tunnel interface then routeros complains and localendpoint must be specified. This is truly unintuitive. I do understand that it is because of reasons with ipsec engine not able to handle dns and other stuff. But, if I want an encrypted tunnel with a dynamic internet connection it is messy to be polite. I can of course solve this by using script but it is a bad user experience and the tunnel will surely go down till script is triggered again. This SHOULD be leaner, meaner, greater implemented with tunnels and ipsec supporting dns on local endpoint as they are now with remote end point. so why not the local endpoint?
You may be able to accomplish what you want by using GRE or L2TP with hooks to IPSec available in those services.
RB3011 on 6.36rc30 (rebooted 2 times after) doesn't see usb disk (USB kingston datatraveler 8GB); item present in system resources usb list but not in system disks.
Version 6.36rc30 has been released.
*) rb3011 - fixed usb driver load (introduced in 6.36r22);
If you experience version related issues.. [cut]..
I got it, so I must wait..
bajodel - This is different fix for other issue.
Any news on that?
Hello,
I just gave IPFIX a try on version 6.36rc19 on a RB2011UAS and it seems that it exports the flows with 'random' timestamps in the year 1970.
The time on the RB2011 is correct (double checked).
Those netflow packets were exported to wireshark by mikrotik every 2 seconds.
Timestamp: Jul 5, 1970 11:05:20.000000000 GTB Daylight Time
Timestamp: Jul 5, 1970 11:38:40.000000000 GTB Daylight Time
Timestamp: Jul 5, 1970 12:12:00.000000000 GTB Daylight Time
The full capture:
Reverting back to NetFlow v9 the timestamp fields contain the right date/time.
Those bad timestamps cause software like nfacct/pmacct to insert bad data to the database.
Also it discards many flows due to bad sequence number (although, checking the capture, the sequence numbers seem ok. Maybe nfacct consults the timestamp along with the sequence number to detect if a received flow is valid).
Here's my traffic flow configuration:
[Ticket#2016052966000463]
> /ip traffic-flow export verbose
# may/29/2016 22:35:09 by RouterOS 6.36rc19
# software id =
#
/ip traffic-flow
set active-flow-timeout=1m cache-entries=32k enabled=yes inactive-flow-timeout=1s interfaces=ether3-ibgp
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes \
    icmp-type=yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes \
    last-forwarded=yes nat-dst-address=yes nat-dst-port=yes nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes \
    protocol=yes src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip traffic-flow target
add disabled=no dst-address=10.69.110.21 port=2055 src-address=0.0.0.0 v9-template-refresh=20 v9-template-timeout=1m version=9
add disabled=no dst-address=10.26.35.34 port=2055 src-address=0.0.0.0 v9-template-refresh=20 v9-template-timeout=1m version=ipfix
Please
I got it, so I must wait..
bajodel - This is different fix for other issue.
Please.. answer.. when do you plan to make partitions work on RB3011/ARM ?
Did you enable wireless-rep package and upgrade firmware? If it does not help, please write to support and add supout file in attachment.
*) wap-ac - fixed performance problems with 2.4GHz wireless (additional reboot after upgrade required);
After update signal became worse (wAP-ac working as repeater, main router hap AC). wAP-ac losing connections constantly...
I just tested my mAP Lite and clock works fine now.
Version 6.36rc36 has been released.
Changes since previous version:
*) clock - fixed time keeping for SXT ac, 911L, cAP, mAP lite, wAP;
Hello,
*) l2tp - fixed crash when rebooting or disabling l2tp while there are still active connections;
/ip firewall nat
add action=masquerade chain=srcnat out-interface=!pppoe-out1 src-address=\
192.168.88.8
Re-ordering works the same as in the other tables.
Can I make a suggestion about the newly-implemented "raw table"?
It lacks support for dragging/re-ordering rules there like in "firewall", "nat" and "mangle". That would be helpful, I think.
To which bugs are you referring?
I noticed lots of issues with the RB3011 router board, and unanswered questions. I'm new to the product and wondering if Mikrotik will provide adequate support for errors released on its behalf. Are all of the bugs with RB3011 cured yet?
/ip firewall nat
add action=masquerade chain=srcnat out-interface=!pppoe-out1 src-address=\
192.168.88.8
*) firewall - fixed interface list matcher showing incorrect name for NAT rules;
works fine on sxt lte. thanks (Ticket#2016062466000121)
*) lte - added use-peer-dns option (will work only combined with add-default-route);
No, this is service beststresser.com. My firewall:
Don't you have dns service opened to the wan port, do you?
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related \
log-prefix=""
add action=accept chain=input comment="default configuration" icmp-options=!5:0-255 log-prefix="" \
protocol=icmp
add action=accept chain=input comment="igmp proxy" log-prefix="" protocol=igmp
add action=accept chain=input comment=traceroute connection-state=new dst-port=33430-33530 \
log-prefix="" protocol=udp
add action=drop chain=input comment="default configuration" in-interface=wan1 log-prefix=""
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=\
established,related log-prefix=""
add action=accept chain=forward comment="default configuration" connection-state=established,related \
log-prefix=""
add action=drop chain=forward comment="default configuration" connection-state=invalid log-prefix=""
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat \
connection-state=new in-interface=wan1 log-prefix=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=!pppoe-out1 src-address=\
192.168.88.8
/interface wireless scan 0 save-file=file
[admin@MikroTik-CHR-Dude] > /interface export compact
# jul/19/2016 15:29:29 by RouterOS 6.36rc30
# software id =
#
/interface list
add name=TEST
/interface list member
add interface=ether1 list=TEST
[admin@MikroTik-CHR-Dude] > /ip firewall export compact
# jul/19/2016 15:29:36 by RouterOS 6.36rc30
# software id =
#
/ip firewall filter
add action=accept chain=input in-interface-list=TEST log-prefix=""
[admin@MikroTik-CHR-Dude] > /interface export compact
# jul/19/2016 15:31:53 by RouterOS 6.36rc40
# software id =
#
/interface list
add name=TEST
/interface list member
add interface=ether1 list=TEST
[admin@MikroTik-CHR-Dude] > /ip firewall export compact
# jul/19/2016 15:32:01 by RouterOS 6.36rc40
# software id =
#
/ip firewall filter
add action=accept chain=input in-interface-list="" log-prefix=""
Same here... router was not accessible after upgrade because of this. I had to write a script to manually add all interface-lists from a rc38 backup-file again.
After the update: add action=accept chain=input in-interface-list="" log-prefix=""
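A check for the regression shown in the rc30 and rc40 exports above, as an added example that is not part of any post in this thread: it parses `export compact` text and reports firewall rules whose interface-list matcher is empty or names a list the export does not define. The sample input is constructed from those two exports; `out-interface-list` as the companion matcher and the assumption that every list in use is defined in the same export are this example's, not the thread's.

```python
import re
import shlex

# Constructed sample input, modelled on the rc30 (before) and rc40 (after) exports.
BEFORE = '''/interface list
add name=TEST
/interface list member
add interface=ether1 list=TEST
/ip firewall filter
add action=accept chain=input in-interface-list=TEST log-prefix=""
'''
AFTER = BEFORE.replace("in-interface-list=TEST", 'in-interface-list=""')

# Matchers checked; out-interface-list is an assumption of this example.
LIST_KEYS = ("in-interface-list", "out-interface-list")


def parse_export(text):
    """Return [(menu, {key: value})] for every 'add' line of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join '\' line continuations
    menu, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or export header comment
        if line.startswith("/"):
            menu = line  # menu path applies to the 'add' lines that follow
        elif line.startswith("add "):
            words = shlex.split(line)[1:]  # honours quoted values such as ""
            rows.append((menu, dict(w.split("=", 1) for w in words if "=" in w)))
    return rows


def broken_list_matchers(text):
    """Firewall rules whose interface-list matcher is empty or undefined."""
    rows = parse_export(text)
    defined = {p["name"] for m, p in rows if m == "/interface list" and "name" in p}
    findings = []
    for menu, props in rows:
        if not menu or not menu.startswith(("/ip firewall", "/ipv6 firewall")):
            continue
        for key in LIST_KEYS:
            # A leading '!' negates the matcher; the list name follows it.
            if key in props and props[key].lstrip("!") not in defined:
                findings.append((menu, key, props[key], props.get("action")))
    return findings
```

Run it on an export taken right after an upgrade, before relying on the rule set: a finding on an `accept` or `drop` rule means that rule no longer matches the interfaces it was written for.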
/ipv6 address add address=fc00::1/126 advertise=no interface=vlan4091
[admin@MikroTik] > ping fc00::0 count=5
SEQ HOST SIZE TTL TIME STATUS
0 fc00::1 56 64 0ms echo reply
1 fc00::1 56 64 0ms echo reply
2 fc00::1 56 64 0ms echo reply
3 fc00::1 56 64 0ms echo reply
4 fc00::1 56 64 0ms echo reply
sent=5 received=5 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms