Community discussions

Search found 31 matches

by talz
Tue Jun 25, 2019 8:29 pm
Forum: General
Topic: Netflow Mac Addresses [SOLVED]
Replies: 1
Views: 183

Re: Netflow Mac Addresses [SOLVED]

RouterOS 6.43.7 made changes to Netflow, which now shows the Source MAC of the devices on the LAN.
There's no destination MAC for returning traffic, but you have the LAN IP of the LAN device, so it should be easy enough to create an in-memory map of LANIP<-->MAC on the Netflow collector.
by talz
Tue Jun 25, 2019 7:30 pm
Forum: General
Topic: Netflow Mac Addresses [SOLVED]
Replies: 1
Views: 183

Netflow Mac Addresses [SOLVED]

I have a Router set up with RouterOS 6.38. It has a LAN Bridge that all the LAN ports are a part of, and a WAN interface. NAT, DHCP server on LAN - pretty basic setup. Enabling Traffic Flow, I can see that both in IPFIX mode, and Netflow v9 mode, the exported data has a destinationMacAddress and a po...
by talz
Thu Jun 13, 2019 6:31 pm
Forum: General
Topic: Reading NetFlow Data with Python
Replies: 2
Views: 291

Re: Reading NetFlow Data with Python

Thanks. I haven't tried the Python part of it yet, but the collector seems to be working well with Mikrotik's Netflow V9. I should be able to use that. Netflow V9 is not super efficient though, as it sends me a ton of fields I don't care about. IPFIX is nicer, as you can specify the fields you want....
by talz
Thu Jun 13, 2019 1:37 am
Forum: General
Topic: Reading NetFlow Data with Python
Replies: 2
Views: 291

Reading NetFlow Data with Python

I'm trying to analyze the raw NetFlow data coming from a Mikrotik using Python. The Mikrotik is configured to send IPFIX data to my machine. It looks like one of the few available pieces of code that can analyze IPFIX data is found in PyPi: https://pypi.org/project/ipfix/#description I'm having trou...
by talz
Mon Mar 11, 2019 12:00 am
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 513

Re: Is there any way to do HTTP and HTTPS traffic shaping based on categories?

The users don't work for our company. They are our customers. We can tell them "if you're using our service, it's going to have some restrictions". We can't terminate anyone. The best we can do is terminate our services, and if we do that, then we don't have a customer, which is shooting ourselves i...
by talz
Sun Mar 10, 2019 11:24 pm
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 513

Re: Is there any way to do HTTP and HTTPS traffic shaping based on categories?

Haha. Exact requirements. Good one. All verbal. All loosely defined. After I build it, if he doesn't like it, he'll make me change it. Like I said - we need to be able to throttle speed based on category. Category being netflix, social media, youtube, etc. His words. We have a network appliance that...
by talz
Sun Mar 10, 2019 9:41 pm
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 513

Re: Is there any way to do HTTP and HTTPS traffic shaping based on categories?

Tell me about it...
I didn't set up this challenge - my CEO did. I have 3 weeks to figure out how to do it, and get it done.

Any ideas anyone might have that keep me from shooting myself would be appreciated.
by talz
Sun Mar 10, 2019 9:24 pm
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 513

Re: Is there any way to do HTTP and HTTPS traffic shaping based on categories?

As far as I can tell, neither MOAB, nor https://axiomcyber.com/shield/ has anything to do with traffic shaping. They block traffic to and from dangerous IPs. My use case has nothing to do with security. I need to rate limit (not block) traffic based on category. Also, I'm dealing with domain names -...
by talz
Sun Mar 10, 2019 8:43 pm
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 513

Re: Is there any way to do HTTP and HTTPS traffic shaping based on categories?

As far as I know, using the tls-host rule would require me to create 2 million firewall rules, as there are 2 million hosts I'd be checking for. At least a few thousand, if I narrow it down to only certain categories I care about. I'm fairly certain if every single packet going through a mikrotik ha...
by talz
Sun Mar 10, 2019 5:37 pm
Forum: General
Topic: Is there any way to do HTTP and HTTPS traffic shaping based on categories?
Replies: 10
Views: 513

Is there any way to do HTTP and HTTPS traffic shaping based on categories?

I have HTTP and HTTPS traffic on my LAN going to the internet. I need to be able to look at the domain the traffic is destined to, and compare it to a list of domains to determine if the traffic is social media, or business, or porn, or something else. Based on what category it's in, I then want to ...
by talz
Mon Nov 26, 2018 10:42 pm
Forum: General
Topic: Customizing User Manager's Hotspot Login Pages
Replies: 0
Views: 268

Customizing User Manager's Hotspot Login Pages

When a hotspot user wants to buy more time, they get to this page: https://USER_MANAGER/user/SOMETHING and log in. When they do that, they see this: [attachment: Screen Shot 2018-11-26 at 1.37.49 PM.png] Are these customizable at all? I looked in the User Manager's files/, and the only thing I see is the umfiles f...
by talz
Fri Nov 23, 2018 2:03 am
Forum: General
Topic: Dynamic Address List Bug
Replies: 1
Views: 225

Re: Dynamic Address List Bug

This was a 493AH.
A different 493AH running RouterOS 6.39.2 didn't seem to have the same issue.
Updating the problem device to 6.40 (the next version, as there is no 6.39.4) seemed to fix the issue.
Sounds like a bug with 6.39.3.
by talz
Thu Nov 22, 2018 10:46 pm
Forum: General
Topic: Dynamic Address List Bug
Replies: 1
Views: 225

Dynamic Address List Bug

I'm using RouterOS 6.39.3, and when I create a dynamic address list with something like: /ip firewall address-list add list=test address=1.2.3.4 timeout=00:40:00 The address list entry shows up, but automatically gets deleted within a few seconds. Sometimes, it takes a minute, or up to 5 minutes. It...
by talz
Thu Nov 01, 2018 10:29 pm
Forum: Virtualization
Topic: Metarouter images
Replies: 365
Views: 245155

Re: Metarouter images

Bloody safari! I did a search in my safari browser on that page for ssl. Turns out it only showed me words that started with ssl! Anything separated by a - or a _ was considered a new word, so it found some ssl packages, but not the main openssl package! I totally missed it. Trying it now. It instal...
by talz
Thu Nov 01, 2018 6:06 pm
Forum: Virtualization
Topic: Metarouter images
Replies: 365
Views: 245155

Re: Metarouter images

I think you can get the ssl packages directly from the openwrt website, available with each release example https://archive.openwrt.org/chaos_calmer/15.05/ar71xx/mikrotik/packages/ The release we are working with is Attitude Adjustment (12.09), so I guess the repo for that would be: https://archive...
by talz
Thu Nov 01, 2018 12:27 am
Forum: Virtualization
Topic: Metarouter images
Replies: 365
Views: 245155

Re: Metarouter images

This may already be covered at some point in the previous 8 pages of this thread, but this has been my experience over the past 24 hours trying to get Python running in Metarouter on RB493AH: Working Image: http://openwrt.wk.cz/trunk/mr-mips/openwrt-mr-mips-rootfs-31411-basic.tar.gz RouterOS Version...
by talz
Wed Oct 31, 2018 11:51 pm
Forum: Virtualization
Topic: Metarouter images
Replies: 365
Views: 245155

Re: Metarouter images

Interesting... It seems like I actually ran into that yesterday. I think I was using http://openwrt.wk.cz/trunk/mr-mips/openwrt-mr-mips-rootfs-31079.tar.gz. It worked for a bit, and then my RB493 started booting up, and then losing power after a few seconds and rebooting. My 493 wasn't new - it was ...
by talz
Wed Oct 31, 2018 10:59 pm
Forum: Virtualization
Topic: Metarouter images
Replies: 365
Views: 245155

Re: Metarouter images

Hi guys. I work for a company that heavily uses mikrotiks, and as one of the only software developers that works for my company, I've written tons of code using the mikrotik scripting language. Unfortunately, it is by far the worst programming/scripting language I have ever had the displeasure of wo...
by talz
Tue Oct 02, 2018 10:03 pm
Forum: General
Topic: How to distribute bandwidth evenly?
Replies: 0
Views: 244

How to distribute bandwidth evenly?

We have a site with very limited bandwidth (10 Mbps download/1 Mbps upload), and dozens of users. The main router on site is a mikrotik. We want to have the mikrotik distribute the bandwidth evenly to every user, in such a way that if there's only one active user, he gets the entire 10Mbps/1Mbps, bu...
by talz
Fri Sep 21, 2018 11:13 pm
Forum: General
Topic: How do you add a firewall rule before hotspot dynamic rules?
Replies: 0
Views: 309

How do you add a firewall rule before hotspot dynamic rules?

We have a mikrotik device where the Hotspot feature is turned on by a script. As soon as Hotspot is turned on, it creates a bunch of firewall filter rules at the top, ahead of every other firewall rule. Is there any way to have a firewall filter rule that always comes BEFORE all the dynamic filter r...
by talz
Fri Dec 15, 2017 9:23 pm
Forum: General
Topic: How long does dead peer detection wait before determining a packet was lost?
Replies: 2
Views: 389

Re: How long does dead peer detection wait before determining a packet was lost?

I sent an email to Mikrotik Support, and this is what they told me: the time DPD waits for each packet is directly linked to the max-failures setting. If you set max-failures to 1, it will wait 1 second, once. If you set max-failures to 3, it will wait 3 seconds for each packet, 3 times. If you set m...
by talz
Wed Dec 13, 2017 7:46 pm
Forum: General
Topic: How long does dead peer detection wait before determining a packet was lost?
Replies: 2
Views: 389

How long does dead peer detection wait before determining a packet was lost?

I am dealing with an IPsec tunnel over a satellite network. One thing I keep seeing in the logs is that Dead Peer Detection keeps dropping the tunnel because it doesn't get a reply. I see this every few hours. I suspect that this may be caused by Dead Peer Detection not waiting long enough to hear a...
by talz
Mon Mar 27, 2017 6:27 pm
Forum: General
Topic: Can a MikroTik router identify OpenVPN traffic?
Replies: 4
Views: 797

Re: Can a MikroTik router identify OpenVPN traffic?

Ok thanks - I'll have to try it out.
by talz
Mon Mar 27, 2017 6:17 pm
Forum: General
Topic: Can a MikroTik router identify OpenVPN traffic?
Replies: 4
Views: 797

Re: Can a MikroTik router identify OpenVPN traffic?

I'm not using MikroTik's OpenVPN server - I just have OpenVPN traffic going through the mikrotik router.
There's no way to identify the OpenVPN traffic with firewall rules?
by talz
Mon Mar 27, 2017 5:19 pm
Forum: General
Topic: Can a MikroTik router identify OpenVPN traffic?
Replies: 4
Views: 797

Can a MikroTik router identify OpenVPN traffic?

I need to have both HTTPS and OpenVPN traffic going to a mikrotik router, both on port 443. Can I have the MikroTik redirect HTTPS traffic to my web server (ex. 192.168.6.70) and OpenVPN traffic to my OpenVPN server (ex. 192.168.6.75)? Can the MikroTik tell the difference between OpenVPN and HTTPS o...
by talz
Thu Mar 16, 2017 11:56 pm
Forum: General
Topic: Can you setup hotspot on a switch?
Replies: 4
Views: 663

Re: Can you setup hotspot on a switch?

After several hours of messing with it, this is what I found: Since we told the bridge to pass all layer 2 traffic through the firewall rules, Winbox traffic, even when it's using the MAC address to connect will pass through the firewall rules. This means you need firewall rules to allow MNDP and Ma...
by talz
Thu Mar 16, 2017 5:20 pm
Forum: General
Topic: Can you setup hotspot on a switch?
Replies: 4
Views: 663

Re: Can you setup hotspot on a switch?

I did a packet capture on the Mikrotik, and another one on the client. It looks like the client is seeing responses from the DNS server (8.8.8.8 in my case) that aren't actually coming from the DNS server. The mikrotik packet capture shows proper DNS responses that give answers to the DNS queries th...
by talz
Thu Mar 16, 2017 4:54 pm
Forum: General
Topic: Can you setup hotspot on a switch?
Replies: 4
Views: 663

Re: Can you setup hotspot on a switch?

I tried 2 more things: Under Bridge --> Settings, I disabled "Allow Fast Path". According to this page, "Fast path allows to forward packets without additional processing in the Linux kernel". Sounds like a way to bypass the firewall rules that make hotspot work, which I probably don't want. The ot...
by talz
Thu Mar 16, 2017 4:20 pm
Forum: General
Topic: Can you setup hotspot on a switch?
Replies: 4
Views: 663

Re: Can you setup hotspot on a switch?

It looks like none of the firewall rules that are dynamically created when hotspot is enabled were being hit until I went to Bridge --> Settings and set "Use IP Firewall" to on. Now, it kind of sort of works - it redirects clients to the hotspot login page for some web requests, but not others. Any ...
by talz
Wed Mar 15, 2017 11:38 pm
Forum: General
Topic: Please, fix that damend "Quickset" page!
Replies: 3
Views: 520

Re: Please, fix that damend "Quickset" page!

If it's a feature that works as long as you haven't touched anything else, but breaks down if you look at your router the wrong way without any indication after that, it's a pretty crappy feature and should be removed. At the very least, if you modify something that breaks it from functioning proper...
by talz
Wed Mar 15, 2017 9:38 pm
Forum: General
Topic: Can you setup hotspot on a switch?
Replies: 4
Views: 663

Can you setup hotspot on a switch?

If I have an RB751 with all 5 ethernet ports, and the wifi interface part of the same bridge, so that the entire thing is acting as one switch and wireless access point, can I set up hotspot on it?
Or does hotspot need to be on a router?