MikroTik

tomislav91

Do you get any output from running this form command prompt
Code: Select all
:put [/ip firewall nat find where dst-address=192.168.0.0/16]

nope

tomislav91

:local LocalSubnet [:pick [/ip firewall nat find where dst-add ress=192.168.0.0/16] src-address]]; idea is to use local subnet for further scripting and i have one rule in nat and i want to exclude from that, so src subnets are different but that dst subnet are the same allways, so i want to get th...

tomislav91

Sites blocking is never going to work. At some point user will start using VPN provider and there is no way to block it (e.g. NordVPN can use 443 over TCP as well as obfuscated traffic). we are speaking about users inside company, for sure they will not use vpns. i just wanted to use outlook web, n...

tomislav91

i have two rules add action=accept chain=forward dst-address-list=\ AllowedSites dst-port=80,443 protocol=tcp \ src-address=192.168.50.181 add action=drop chain=forward dst-address=0.0.0.0/0 \ src-address=192.168.50.181 and in AllowedSites list is a list of IPs for outlook from their website https:/...

tomislav91

Should i put parent queue if i enable only one client or i can only put it in lower ID?
So if i have 192.168.5.0/24 and client 192.168.5.22, my q is is it neccesary to put in advanced tab Parent queue?

tomislav91

I am having several end devices and i want to get some range of pool of somesubnet, i will create seperate pool, but how to force that those mac adresses use that pool? I am aware that only first 3 octet in MAC define device, but i will script it somehow, but cant figure out how to force dhcp pool w...

tomislav91

Does this affect some Stellaris microcontrollers, because i am having some issue with communication? Maybe some have information?

tomislav91

Trusted checkbox appears twice in Bridge -> Ports -> <interface> -> General

What that use for?

tomislav91

I'm afraid it's the in-state-sequence-errors value - it doesn't sound related, but apparently there is no separate counter for packets encrypted using a wrong key. So whenever this counter increases, there is at least one "miskeyed" SA. Go to command line of the pfsense and try ip xfrm st...

tomislav91

This is what i use /system script add dont-require-permissions=no name=firmware-updater owner=admin policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\ \r\ \n\r\ \n\r\ \n# Script name: firmware-updater\r\ \n\r\ \n########## Set variables\r\ \n\r\ \n\r\ \n## Backu...

tomislav91

msatter understood your question and pointed you in the right direction. The linked post contains all you need to know to create a failover solution. Next time, don't quite entire posts especially if it's the most recent post you are replying to.. thanks :) I understand what you say friend, but the...

tomislav91

Very limited info you provide, but if my understanding is correct, then there is a problem with your logic. i.e. you ping 8.8.8.8 from ether 2, if no response, you disable interface, with this interface disabled, you will not be able to ping from it. If reasons for doing this is dual WAN purposes, ...

tomislav91

Greetings friends: I have the following script that disables an interface of my RB when it pings google DNS and they do not respond, I need that same interface to be enabled when google DNS respond to ping, someone can help me. I leave the script that I have. :if ( [/ping 8.8.8.8 interface= "E...

tomislav91

What are those scripts that really help in some various problems you had? We have a topic useful scripts but that topic goes off road.
So just post scripts and tell what did or do use for.

tomislav91

do you add allow ip in /ip services?

tomislav91

Do you have some propose of which book to buy. Not for completely beginers. I found this https://www.amazon.com/Theory-laboratories-exercises-Mikrotik-RouterOS/dp/1686046960 https://www.amazon.com/Networking-MikroTik-MTCNA-Study-Guide/dp/1973206358/ref=pd_sbs_14_2/139-7552241-6977159?_encoding=UTF8&...

tomislav91

None of those firewall rules blocks IPsec as such, nor do they block traffic to/from the subnets reachable via IPsec (unless you've added them to the shodan or pingers or @Services_Phase3 address lists). In fact, the firewall rules block almost nothing. In the printout of the security associations,...

tomislav91

That's magic. First, the IPsec control packets and transport packets are handled by chains input and output. Payload packets from/to external devices, which get extracted from IPsec transport packets, and which are going to be encapsulated into IPsec transport packets, are handled by chain forward....

tomislav91

I migrate ether1 to ether5 and ether2 to ether6 and now seems ok. I will be waiting to Monday to check all, but it seems ok for now. Thanks sindy. Can we somehow improve firewall rules? # nov/02/2020 13:32:24 by RouterOS 6.47.4 add action=fasttrack-connection chain=forward connection-mark=!ipsec \ c...

tomislav91

just for info, how you get 410 or 160mbit/s if total traffic is inclued? What you summarize here? ( in first case of 410Mbit i cant get that if i summarize ether1+ether2 tx and rx bits /s) Assuming that the own traffic of the router (sent by the router itself or received by the router itself) is ne...

tomislav91

I don't get why you are so fond of images where text is much more useful for post-processing. So roughly, when the DVR/monitor wall receiving the streams from the cameras is reachable (when the external switch is connected to ether3), the machine routes about 410 Mbit/s of traffic (and decrypts a g...

tomislav91

That's magic. First, the IPsec control packets and transport packets are handled by chains input and output. Payload packets from/to external devices, which get extracted from IPsec transport packets, and which are going to be encapsulated into IPsec transport packets, are handled by chain forward....

tomislav91

That's magic. First, the IPsec control packets and transport packets are handled by chains input and output. Payload packets from/to external devices, which get extracted from IPsec transport packets, and which are going to be encapsulated into IPsec transport packets, are handled by chain forward....

tomislav91

So the additional CPU spent on IPsec encryption and decryption per packet does not explain the non-linear growth of the CPU load as the video traffic is added to the mix. At this moment I've got no further ideas. The product page provides no information regarding IPsec throughput of your CCR1009-8G...

tomislav91

Is the other (non-video) traffic coming IPsec-encrypted as well? they are just in terms of ipsec watching cameras. Any other job is standard job as in any office. Sorry, I understand every single word but not the answer as a whole. So again - does any other traffic except the one from cameras need ...

tomislav91

I don't get why you are so fond of images where text is much more useful for post-processing. So roughly, when the DVR/monitor wall receiving the streams from the cameras is reachable (when the external switch is connected to ether3), the machine routes about 410 Mbit/s of traffic (and decrypts a g...

tomislav91

Looking at the file, those about 250 Mbit/s sent out via ether3 are sent as 21000 packets/s in 1500-byte packets, hence I assume the cameras send the video using TCP. The ACK traffic in the opposite direction takes some 9000 packets/s in 64-byte frames (which is fine, TCP doesn't necessarily acknow...

tomislav91

no, that bridge is for video surveillance center. So there is no much l2 traffic in the bridge there. Funny thing is that when i disable that bridge or just pull out cables, cpu level is OK, about 10-20%. As you've mentioned video surveillance, two things come to my mind - the cameras may be sendin...

tomislav91

You may misunderstand that tx and rx. In the list of interfaces, the bridge is an interface through which the router (L3) part of the software sends data to external devices connected to the physical ports included into the bridge, which is the download direction for those devices. Or in generic ca...

tomislav91

can you explain, in the bridge i can see that Tx (transmit=upload) is 246Mb and in queue for that subnet Download is 233Mbps. Like is vice versa? Or I missunderstand that tx and rx? Also when try to speedtest from that 192.168.90.0 subnet upload is 0 (all switches changed) 2020-11-15 15_46_43-Window...

tomislav91

i changed switches, but no signifcally changes

2020-11-13 22_34_55-Window.png

tomislav91

Officially, the 192.168.90.1/24 should be attached to bridgeVN rather than ether3_HQCAM . Practically I have never seen this wrong setup to cause any issues, and even the ROS upgrade script migrating configurations from old "master port" to current "bridge with hardware acceleration&...

tomislav91

Then why doesn't the picture match the configuration? 192.168.90.0/24 is attached to ether3_HQCAM in that configuration; the bridge exists there but has no member ports and no IP configuration is attached to it. Are you constantly updating the configuration? Yeah, i am seeing that now in the my pos...

tomislav91

Not knowing what linux distribution pfSense is based on, nor which IPsec implementation it uses (openswan, strongswan, something else), I cannot give you a more targeted suggestion. Did you issue that command as a linux user with root privileges, or is there some restricted command line of the pfSe...

tomislav91

Are we still talking about the machine where the IPsec tunnels are running? I'm asking because in its configuration export, I've found just an empty bridge with no ports at all. It is theoretically possible that there is so much traffic towards the devices connected to the switches with only 100 Mb...

tomislav91

Što si htio da rekneš ovom rječenicom: "I notice that one bridge when disable cpu goes regular about 10%."? i have one bridge with ports and 200Mb+ bandwidth within. when i disable it, cpu % is ok, there is no loop in network, log also dont write anything. can be problem within 100mb swit...

tomislav91

I am getting cpu about 70%.
I notice that one bridge when disable cpu goes regular about 10%.

2020-11-06 14_28_09-Window.png

is it possibly because link is more than 100mb and pc are only 100mb and thats what suffocate a router cpu?

tomislav91

but fasttrack connection for that is disabled, should i enable that also? No, don't enable the fasttrack connection. The steps need to be taken one by one to see where is the issue. So first you enable only the additional mangle rules and the additional rules in input in filter. If that works, we c...

tomislav91

With. They are in forward, aren't they? yes, they are add action=mark-connection chain=prerouting connection-mark=no-mark dst-port=53 \ layer7-protocol=*4 new-connection-mark=block_connection passthrough=yes \ protocol=udp add action=mark-packet chain=prerouting connection-mark=block_connection \ n...

tomislav91

That's magic. First, the IPsec control packets and transport packets are handled by chains input and output. Payload packets from/to external devices, which get extracted from IPsec transport packets, and which are going to be encapsulated into IPsec transport packets, are handled by chain forward....

tomislav91

OK, and with these three mangle rules enabled, everything works fine? What about the difference in CPU load when the "accept connection-state=!new" is enabled and when it is disabled, is there any? no no, it wasnt fine. I added this with /ip firewall filter add action=fasttrack-connection...

tomislav91

I'm afraid it's the in-state-sequence-errors value - it doesn't sound related, but apparently there is no separate counter for packets encrypted using a wrong key. So whenever this counter increases, there is at least one "miskeyed" SA. Go to command line of the pfsense and try ip xfrm st...

tomislav91

Without the actual encryption and authentication keys in use, it is not sufficient, as you can only confirm that it is a rekey issue by comparing the keys at both ends for same SPIs. Can you show me you /ip ipsec statistics print ? There is a counter which grows with each packet coming through the ...

tomislav91

i cant enable JUST those three in mangle, because here i mangle some subnet and force it to another ISP in routes and also using for VOIP, so i cant disable it. I had in mind "out of the rules added by my recommendation, enable only the three added to mangle, not the drop ones in filter"....

tomislav91

Let's keep the threads (firewall and IPsec) separate. Here, try to enable only the three mangle rules you've added, but keep those drop ones, which you've eventually added since the point in time when it was working, disabled, and tell me how it works. i cant enable JUST those three in mangle, beca...

tomislav91

In the past, there was an issue in IKEv2 rekey between two Mikrotiks, where in a few percent of rekeys the peers ended up with different keys for the same SA, hence the receiver was rejecting the packets. This particular issue has been fixed somewhere in late 6.43 version. You have one policy per e...

tomislav91

i added that firewall mangle rule before those ipsec. I got aproblem that tunnels goes down, msg1 sent error and i must disable all that i newly created and restart peer and than tunnels go up. I can't get how a rule in forward chain of mangle should break IPsec transport and control traffic which ...

tomislav91

i tried to make like this :set time [/system clock get time] :local file [/ip ipsec installed-sa print] <--- this fills a (string) variable called file with the output of the print command :local contents [/file get $file contents] <--- this tries to extract the contents of a file whose name is the...

tomislav91

is this better? i missread the ipsec in and out in forward. first i add mangle to capture ipsec, router is now at 25,30% Yes, this is yet another way how to do that. With this setup, a packet transported using IPsec is inspected by 1.5 mangle rule on average (those matching on ipsec-policy=out,ipse...

tomislav91

I prefer to let my router perform routing functionality. Assuming you only use Ubiquiti as accesspoint(s), I would use queues. As you mention subnets...are you using VLAN's (already)? yeah, i am using vlan for guest wifi and private. So i just remove user groups and put unlimited to all networks an...

tomislav91

but then i got problem then with dude just "getting stuff" but nothing happend than, and when disable fasttrackk it came and everything is ok. I have explained this in the previous post, which you've quoted as a whole (no idea why you do that) but apparently haven't read or understood it....

tomislav91

So you think this is the best rules to put it on top There is no such thing as "the top of filter". There is the top of chain input in filter, and there is the top of chain forward in filter. Packets always only go through one of these rule chains, not both. So the default firewall of the...

tomislav91

my q was, does it something thats a MUST HAVE this input chain rules to have most of the benefits of the firewall. Is there some updated firewall rules for preventing intrusions?Maybe someone to share their firewall without sensitive data ofc Short answer: yes, it is a must have. Long answer: Fastt...

tomislav91

i have limit on wireless networks on my unify controler. Is it better to put it unlimited and then queue that subnet on mikrotik?

tomislav91

First two rules are for input chain, the 3rd, fasttrack is for forward chain and has nothing to do with first 2 rules. Also not sure I understand your question? my q was, does it something thats a MUST HAVE this input chain rules to have most of the benefits of the firewall. Is there some updated f...

tomislav91

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=fasttrack-connection chain=for...

tomislav91

how is your cpu handle with this rules at the top /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=...

tomislav91

Hi All, OK not really a script, but I thought it may be in the same flavour. I created this Dynamic Blacklist firewall rule set that counts excessive connection attempts from the same IP within a given time frame and eventually blocks them for X number of days. I was initially going to put in a geo...

tomislav91

hi guys, i am just wondering how to stress out one isp from another (some kind of load balancing). If router has 3 LAN interfaces, just maybe to test if second ISP is avaliable catch all IPs from one ether and than i will mangle that address list to another ISP. Any idea from where to start, i thoug...

tomislav91

ping over200 dude.jpg

I wanted to get an info message when there is a ping more than 250ms on isp to know and change to another ISP mannualy.
Why this dont work? I didnt get any notification....

tomislav91

Hello tomislav91 What do you mean by "created your own Traffic Monitor items for inbound / outbound, high / normal)"? What did you label/name the traffic monitor items in your example? Can you at least provide an example with screenshots? Thanks a lot. Regards, M Thats it? 2020-10-21 13_4...

tomislav91

Most likely you are trying to get more than 4096 bytes into a variable: :local contents [/file get $file contents] https://forum.mikrotik.com/viewtopic.php?t=127093 It is limit not to file - it is limit for variable size... If you write text variable to file - you can write maximum 4096 bytes. But,...

tomislav91

does it possible to speed up bgp change from one isp to another? Or more specific, that time which routes push traffic thorugh that isp? Ofcoure on CCR routers.

tomislav91

i tried to make like this :set time [/system clock get time] :local file [/ip ipsec installed-sa print] <--- this fills a (string) variable called file with the output of the print command :local contents [/file get $file contents] <--- this tries to extract the contents of a file whose name is the...

tomislav91

Hi, in the thread "tunnel troubleshot" in the General tab, i posted some issue with tunneling, and i want to get some script to have monitoring ipsec installed sa and append to existing file, but when I run script manualy via GUI, nothing happend, where is mistake? :set time [/system clock...

tomislav91

Could you please create another script which will contain only the /ip ipsec installed-sa print file=ipsec append part and nothing else, run that new one twice, and see whether the file ipsec.txt is there and what is it contents?

yeah, its there.

tomislav91

there should be somefilename.txt if you followed my suggestion literally... what exact command did you type? yeah, so this is a script which i created :set time [/system clock get time] :local file [/ip ipsec installed-sa print file=ipsec append] :local contents [/file get $file contents] :set cont...

tomislav91

i tried to make like this :set time [/system clock get time] :local file [/ip ipsec installed-sa print] <--- this fills a (string) variable called file with the output of the print command :local contents [/file get $file contents] <--- this tries to extract the contents of a file whose name is the...

tomislav91

Yes, the mature ones are in use. And yes, you need one per direction. The dying ones should not exist for more than a couple of seconds, so if they do, it is already weird (or the traffic volume is so low - the dying SA is normally there after a rekey until the first packet arrives through the new ...

tomislav91

From my expirience problem is firewall rules. Try to find out which one. Also, dont know where is dude server, in the same subnet or some remote? Maybe tunnel?

tomislav91

Here is what I have built from jspool's head start (thanks, I owe you a beer). I hope this helps someone else. It is a high bandwidth alert with secondary alert when bandwidth has returned to normal levels... (it assumes you have Tools > Email worked out and you have created your own Traffic Monito...

tomislav91

Yes, the mature ones are in use. And yes, you need one per direction. The dying ones should not exist for more than a couple of seconds, so if they do, it is already weird (or the traffic volume is so low - the dying SA is normally there after a rekey until the first packet arrives through the new ...

tomislav91

i cant ping from mikrotik because vlans are on the cisco below mikrotik, not on router itself. How can you forward traffic using IPsec if the Mikrotik isn't configured as a gateway, i.e. if it doesn't have an IP address in the sender's subnet? The 'Tik must first receive the packet in order to matc...

tomislav91

it looks like a mission impossible so, what we can do than? Maybe the best start is to switch on logging of the IPsec and to run a netwatch pinging through the tunnel which will log failures ( on-down={:log warning message="ping through tunnel down"} ) to see in the logs whether the issue...

tomislav91

Razmišljam da nebi bio razgovor po telefonu mnogo brži... What do you mean by "lower are L2" So this MikroTik have a tunnel between PfSense from another HQ and on that PfSense is created openvpn servers which are remote shops connection (they are using mikrotiks also, but smaller ones, no...

tomislav91

Firewall od the other router are the same, it has just more src or dst nat there, so rules which are for us interesting are the same. But now at this point, tunnel is established thorugh pfsense and there is no much rules on the WAN side except one that we are using for internal purpoeses What tunn...

tomislav91

lifetime on pfsense is 1800sec,and on mikrotik is 30 min. I've only mentioned the lifetime as a troubleshooting hint - if the connections break in 80-100 % of the SA lifetime configured after the connection establishes, it makes sense to look at the PFS settings, as the first rekeying takes place a...

tomislav91

A blind shot here would be a mismatch of PFS settings, causing the first rekeying of the SAs to fail (so the tunnel would work for just about 25 minutes after establishing if default lifetime=30m is set in /ip ipsec proposal ). Another blind shot would be that pinholes in some external firewall on ...

tomislav91

so guys, i am struggling quite some time with my tunnels(ipsec). Status is established, but there is no traffic allowed, I must disable/enable to get that working. So, what is first step, what to do? What i tried? I have several tunnels Mikrotik - Mikrotik, and I change it to Mikrotik - PFSense rout...

tomislav91

Hello guys, i am strugle with block users to watch films, tv show,etc . online. I tried with layer7 but it is a bunch of sites which i want to block and it is impossible to block all of it, and ofc cpu load is problem. this also came as a good solution /ip firewall filter add chain=forward dst-port=...

tomislav91

i solve it

 :global srcIP [/ip firewall nat get [find where dst-address="192.168.0.0/16"] src-address];

tomislav91

hi, i am having rules like this add chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.1.0/24 and idea is to get src-addres because it is different on all routers, but this dst address is same. i tried something like this :global Forbid [ip firewall nat find src-address where dynamic src-ad...

tomislav91

is it possible to set a static dns entry and use it for machines?
So i can ping dns entry from router and i get my ip, but i cant ping that static ip dns name from another machine?

tomislav91

Hello guys, i have several ip which i put static IP, but in arp table there are entries for that mac for that STATIC and DYNAMIC ip.
I have restarted device, but result is the same.

How much time i must wait for arp table to be updated

tomislav91

i wanted to get a bit more down a cpu usage, and put this in this order some rules where local are my local subnets, and remote is ipsec remote subnets (without those lists i have a issues to connect to remote subnets its a verrryyyy slow) add action=accept chain=forward dst-address-list=Remote src-...

tomislav91

i solved it and put into variable

:global test ([:pick [/ip arp print as-value where mac-address~"^AA:BB:CC"] 0]->"address")

tomislav91

I want to pick all address which devices from ARP but i got only one IP :put [ip arp print where mac-address~"^AA:BB:CC"] Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete # ADDRESS MAC-ADDRESS INTERFACE 0 DC 10.11.138.130 AA:BB:CC:D7:08:35 lan_bridge 1 D...

tomislav91

Hi guys, i want to automate script which are going to queue ip whenever is come to dhcp lease, reason is simple. I have a bunch of rotuers and one device is going to be on all that routers attached. So I dont want to queue it all 1 by one. I stuck here: I have part of good output for the appropriate...

tomislav91

Idea behind all is to use that ip and set a queue. Do u have idea how to use that IP and set it to queue

tomislav91

No, "~" is a matching operator. Use it instead of "=", not as a part of the expression - which may be as simple as "^B0:6E:BF", meaning any string that begins with "B0:6E:BF".

thats it! THANKS!!!!

tomislav91

You can use regular expressions with "~" operator -- https://wiki.mikrotik.com/wiki/Manual:Scripting#Other_Operators i tried like this put [ip dhcp-server lease get [find mac-address=B0:6E:BF~"^([0-9a-fA-F][0-9a-fA-F]:){5}([0-9a-fA-F][0-9a-fA-F])$" address] but nothing.. Where i...

tomislav91

Hi guys, i am having same device on many routers, can I somehow get IP when use only first 3 octets of mac address? put [ip dhcp-server lease get [find mac-address=B0:6E:BF:1D:A1:2D] address] this output me IP, but every device has different last 3 octet. Can I somehow trick this code to use whateve...

tomislav91

Is there some address list or rules for forbid users to connect via teamviewer?
i found some, but somehow it goes throguh.

tomislav91

I got sometimes my ipsec tunnel status expired or established but i cant ping from one subnet to another. Dont sure what causes it. When I disable/enable a couple of time, it works. Can I use maybe

/ip ipsec installed-sa flush

?

tomislav91

Yes, i am having a drop rule which drop address list. Yes, i wanted to say a many requests. Problem wasnt in too much traffic on interface, problem is that icmp flood with many connections (arround 100k) add action=drop chain=input comment="IN-Defend from Ping" src-address-list=ping-evil-p...

tomislav91

Just to add this with my rules?
Can i block somehow connection with same source, but must be a large number of connection, because i dont want to affect my traffic

tomislav91

hi, can you redirect me on best way to defend against icmp packets which came to router, not only ping, or traceroute, and so on. i am having firewall rules add action=accept chain=input comment="Allow ICMP" protocol=icmp src-address-list=mylist add action=accept chain=output comment="...

tomislav91

so genneraly i can add fasttrack when source is ip of server and destination is my local subnet that use that server every day and also add accept for same src and dest?
I just want to somehow speedup connection to my server, as fast as i can with filter.

tomislav91

does it play any role in faster connection between two subnets with this commands /ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related src-address=192.168.2.0/24 dst-address=192.168.3.0/24 add chain=forward action=fasttrack-connection connection-stat...

tomislav91

I cant get psu state, just empty field.

tomislav91

Hi, i found alert configuration manual on https://wiki.mikrotik.com/wiki/Manual:T ... ifications, and it is ok, working as charm, but i get for all services alert when router is down. I want only for ping, can I somehow change it?

tomislav91

Please list your configuration, so it's clear what is where... /export compact hide-sensitive # model = 951Ui-2HnD # serial number = 815708D04500 /interface bridge auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none /interface ethernet set [ find default-name=et...

tomislav91

I am having a 10.106.0/24 local subnet in bridge for my devices, and some pc connected to wifi which subnet is 192.168.100.0/24. How can i manage to get a wifi 192.168.100.40 see local subnet or just one IP 10.10.6.50/24 I tried to add src nat masqaraude but not working add action=masquerade chain=s...

tomislav91

What really means phases from 1 to 3 in defence of brute force? After phase 3 ip is forwarding to address list which has been dropped via rule. But what really means phase 1 2 and 3? I have allways ip in addreess list from phase 1 and dissapear because of timeout. Never goes to phase 2 and 3 and fin...

tomislav91

I am having a firewall rules add action=jump chain=input comment="Jump to RFC SSH Chain" jump-target=\ "RFC SSH Chain" log=yes log-prefix=PSD add action=add-src-to-address-list address-list="Black List (SSH)" \ address-list-timeout=none-dynamic chain="RFC SSH Chain...

tomislav91

Winbox is to control the router and the router setup. It should not be done via WAN connection (direct), it should be done with a VPN or at the very minimum the Port Knocking technique. Theese are okay if you are using just a few mikrotiks. But when you get plenty of them in different places around...

tomislav91

What about this?
https://rickfreyconsulting.com/basic-mi ... e-version/

I found basic firewall settings.
Can I add this to my routers?

tomislav91

If you need to use winbox from the outside you do not have many option. 1. VPN (best option) 2. Open Winbox but: a. change to other port than 8291 b. set an access list to reduce who can access it c. use port knocking d. setup some monitoring. example getting email every time some logs inn. Hi, i a...

tomislav91

To begin with, remove the value entered with "/ip services set winbox address=X.X.X.X/Y". That's just plain bad! Even if you're coming in from other offices, don't see it as coming in through the WAN port. You're coming in through a point-to-point link (L2TP/IPSEC, which is great) from an...

tomislav91

Winbox is to control the router and the router setup. It should not be done via WAN connection (direct), it should be done with a VPN or at the very minimum the Port Knocking technique. If you want access to a LAN from the WAN side, then again if its to a specific server use DESTINATION NAT. In oth...

tomislav91

Hello, Do you realize that by giving your public IP address, you basically invited everybody to test your security? Make sure you have a strong firewall and have secured your router. Best regards, Sent from Tapatalk can you than tell me how to secure winbox port? I want access only within my local ...

tomislav91

I added to ip services winbox that address is my WAN IP.
But i cant access it.
Why?
I wrote this

set winbox address=x.x.x.x/29

tomislav91

Hi, i want to enable one and disable another policy.
Can you check it why give me error no such item?

ip ipsec policy set disabled=no numbers=2
no such item

I have policies
#1 and #2 in IPsec policy tab...

tomislav91

Thanks all for you replies! appreciate!!! I did it like this. Get in the first way, all dhcp lease, and than with some command filter only IP addresses grep -i -w kl locations.txt > locations1.txt;cat locations1.txt | awk -F " " '{print $2, $3}' > locations2.txt; sed 's/D//g' locations2.tx...

tomislav91

I'm not familiar with sshpass but judging from the on-line documentation it will return stdout from remote process just like ssh does. You have two possibilities: you can take whole output from your script (I don't know how exactly does it look like, are data fields comma-separated within single li...

tomislav91

Because a dash was missing in what I wrote. Now I got home and tried using the Tab button:
Code: Select all
[me@MyTik] > put [ip dhcp-server lease get [find host-name=my-HP] address]
192.168.88.254

if I have more than one with same name, it throws me

invalid internal item number

tomislav91

If you're going to fetch lease info from linux box via ssh, then you can easily do filtering with some simple commands on linux box itself. One-liner that does the trick: WANTED=my-host-name; LEASES=$( ssh user@routerboard.my.domain '/ip dhcp-server lease { :foreach i in=[find (!dynamic && ...

tomislav91

If you really do want the file name to be sourced from variable n as you suggest, you have to do what I wrote earlier. There is no file modifier to put , nor there is a way to make print print a single value. So you have to generate a file with any bogus contents: /routing print file=$n and then re...

tomislav91

:global n [ip dhcp-server lease get [find host-name=PC] address];/file print file=$n This line of code says: - set the value of a global-scoped variable named n to the ip address leased to device with hostname PC - print the list of existing files into a file whose name is retrieved from the global...

tomislav91

thanks for reply. Problem lies somewhere alse abvious. When sshpass this command ip dhcp-server lease print file=$n my script execute without problem. I use that variable n in later lines of code. But i dont need all dhcp lease, only with PC hostname, we solve that, but what is difference with that ...

tomislav91

Because a dash was missing in what I wrote. Now I got home and tried using the Tab button: [me@MyTik] > put [ip dhcp-server lease get [find host-name=my-HP] address] 192.168.88.254 thanks man! It works now. Only last problem, i must put that into file. sshpass -p $pass ssh -o $log -n $user@$h -p 41...

tomislav91

it throws me "no such item"

tomislav91

I got via

ip dhcp-server lease print where host-name="pc"

but you help me how to get only Ip address without unnecessary information from result of command?

tomislav91

Sorry, can you use another wording? It is not clear to me what you need. Ok, look, i have my dhcp lease on several computers. I want to get Ip address of hostname PC. SO i wrote a bash script that connect via ssh to mikrotik and run a terminal command. Problem is that I dont know how to get IP addr...

tomislav91

That looks to me as an insufficient indication to bash what it should handle and what not.. Try to place the whole command for Mikrotik into quotes and escape the symbols ",$,\ you need to make it to Mikrotik: sshpass -p $pass ssh -o $log -n $user@$h -p 4111 " /ip dhcp-server lease { :for...

tomislav91

does it possible from that script to get only ip addresses with hostname i define?

tomislav91

sshpass -p $pass ssh -o $log -n $user@$h -p 4111 /ip dhcp-server lease { :foreach i in=[find (!dynamic && status="bound")] do={ :local activeAddress [get $i active-address]; :local activeMacAddress [get $i active-mac-address]; :local hostname [get $i host-name]; :put ($outputConte...

tomislav91

can i get via terminal ip address of hostname only?

part of my script is

ip dhcp-server lease print file=$n

but this give me all dhcp lease addresses. can I find somehow ip of hostname="pc"?
My all devices have all the same hostname, and i need all ip addresses for all pc's.

tomislav91

It gives me error. It works directly to mirkotik but from ssh i cant do it.
Does it possible to resolve that issue?

tomislav91

How it possible to do it in one line of code in terminal this command i found here on forum /ip dhcp-server lease { :foreach i in=[find (!dynamic && status="bound")] do={ :local activeAddress [get $i active-address] :local activeMacAddress [get $i active-mac-address] :local hostnam...

tomislav91

i need to change a several address from a mikrotik via terminal. I find how to change a ip address /ip address set [/ip address find address="10.0.0.1/24"] address=20.0.0.1/24 I need also to change /ip dhcp-server network add address=10.10.0.0/24 gateway=10.10.0.1 /ip pool add name=dhcp_po...

tomislav91

binding is not priority for now. Mikrotik reads hostname from a netbios name and it is ok.

Just curious how to make a script to make it easier. I will do it via bash, but how to search it in mikrotik terminal? If for example hostname is "warrior".

tomislav91

Hello, i was wondering does ti possible to have some script which will show a IP address from a hostame.
So if I have pcs and want ip of it, just to search by hostname "PC" and to find an ip.
I have several hostnames, and just want to make things quicker.

tomislav91

which version must i install and put it into router? it is a server.
In download section is more than 1 version

tomislav91

I manage to succeed something. I add in routes of these two routers in destinatiom address whole subnet of second router amd gateway set to l2tp, which I with main router have access to them. Do in my main router i have l2tp connection over ipsec. And now two routers can communicate and can see any...

tomislav91

i make virtual linux machine which connect through ssh to router and backup all..

tomislav91

i have also linux machines and no ping as well..

tomislav91

I manage to succeed something. I add in routes of these two routers in destinatiom address whole subnet of second router amd gateway set to l2tp, which I with main router have access to them. Do in my main router i have l2tp connection over ipsec. And now two routers can communicate and can see anyt...

tomislav91

no subnets are for the different routers, two routers and two subnets, each for router. These two routers are connected via vpn to the main router.

tomislav91

Hello, i have two routers in two different networks. 10.0.8.0/24 and 10.0.58.0/24 I want to manage that that two subnet see each other. I added ip firewall filter add action=accept chain=forward dst-address=10.0.58.0/24 and different in another router, but there is no connection between them. Where ...

tomislav91

How can I check which device consume most upload in my network? And which column should I look for.

tomislav91

why do u use script?

just use route

/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=2 dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.0.1 scope=10

tomislav91

i think that u need is in Queue, than in simple queues click + sign and than choose target and bottom you have max limit. There you can do it, if this is what you want

tomislav91

can anyone give me idea what to try?

tomislav91

But i have connected to l2tp and have access to the internet. So l2tp is working, just i cant cant access to 88 where are switches

tomislav91

no? Must I?
And where to configure? ON my router where are switches connected?
I often use l2tp and all works just fine

tomislav91

I have connected to my router via l2tp. To that router is connect several switches with adresses in range 192.168.88.1-254. I set dhcp pool with that l2tp profile to range which switches are configured. But I cant see switches, i cant ping, but tp link easy smart configuration utility cant see them....

tomislav91

Hi guys, i wanted to have some monitor my network.
Configuration is next:
i have my main router and clients routers and i want to have some maybe windows-linux based web server to monitor my rotuers and traffic between (which app users open, downloaded, etc).

tomislav91

I have problem with connecting several switches. I have internet connection to one switch and want to share with all because there is no possibility to connect all,cable goes through wall. I connect main switch where is internrt connection from mikrotik router, on port 24 to port 23 of another switc...

tomislav91

https://drive.google.com/file/d/0Bxq9Ym ... JCYkk/view

Can I make a change of this function to test a more than 1 peek? At least 4, because maybe ping is 24ms,23ms,222ms,10ms, and alert me. I want to have alert, yeah, but when high ping is at leasst 4 passes.

tomislav91

Hi, can you please help me how to set if i need to my vlan1 see vlan2? How can I configure that?

tomislav91

i want to configure mikrotik to have a vlan and setup is : mikrotik port1 is WAN cable, and access to internet, port2 is configured dhcp pool 88.0/24 and bridged with port4 to have access via port2 to my laptop. Port 4 is connected in port 24 with smart swtich, and in switch port 8 is on my pc. Prob...

tomislav91

Hello, i am having an idea, but i think that is impossible :D So, whole idea is when my l2tp client change wan address i must that address put in ipsec in my mikrotik router. Can I make some script or you can help me, to notify me when some device l2tp client changed wan address? In case of l2tp cli...

tomislav91

I did it.
Just in add in services with your function and notification.

tomislav91

I have earlier post when take a function which all it does is that pop up me when ping is over 200ms (ping 8.8.8.8). I have a probe name ping with type ICMP, packet size 56, retry count 3 and interval 1000. Can I make a function or service that notife me. can I just in services with type "ping&...

tomislav91

Or any other solution for my general problem, to get informed if router has bad ping to 8.8.8.8.
Yeah, I have internet, but when ping is 100,200,300ms it is slow and bad, and want to switch to another interface where is another isp provider. That's whole idea.

tomislav91

Can you just tell me about Dude. Does it possible to get an alert for maybe ping to create alarms? Just ask because of much queries to router... yes, you can use it. for example i use it to send e-mail for warnings and not very critical events. and most important are also send to telegram. but if y...

tomislav91

it means that you have only one ROS device in dude. so, ping rtt from your dude server to 8.8.8.8 is also >100 when you test? I can choose instead of default a device which is in the Device. But it is the same. to device. Problem is when server has higher ping. i can't test with values more than 20...

tomislav91

in agent is only default. it means that you have only one ROS device in dude. so, ping rtt from your dude server to 8.8.8.8 is also >100 when you test? I can choose instead of default a device which is in the Device. But it is the same. to device. Problem is when server has higher ping. i can't tes...

tomislav91

in agent is only default. it means that you have only one ROS device in dude. so, ping rtt from your dude server to 8.8.8.8 is also >100 when you test? I can choose instead of default a device which is in the Device. But it is the same. to device. Problem is when server has higher ping. Dude server...

tomislav91

very strange. on history tab of the service you can see graph with values. what values does it get (when ping is > 100ms)? This is a graphgra.png I cant see there is more than 100ms? ok. and our "default" agent is the mikrotik from that site (it also will have >100ms to 8.8.8.8) or it is ...

tomislav91

very strange. on history tab of the service you can see graph with values. what values does it get (when ping is > 100ms)? This is a graphgra.png I cant see there is more than 100ms? ok. and our "default" agent is the mikrotik from that site (it also will have >100ms to 8.8.8.8) or it is ...

tomislav91

very strange. on history tab of the service you can see graph with values. what values does it get (when ping is > 100ms)?

This is a graph

gra.png

I cant see there is more than 100ms?

tomislav91

glad to help you can try to change "probe interval", "probe down count", "probe timeout" to have faster response also notifications to telegram come faster than e-mail i putted notification pop up, but when put a 10ms it give me pop up, but when 100ms there is no pop u...

tomislav91

Must I put an Agent to be like Device in drop down menu? It is a routers.

tomislav91

in error line - you deleted ) at the end i found it, and response with a bit delay notification popup. But it works. Thanks glad to help you can try to change "probe interval", "probe down count", "probe timeout" to have faster response also notifications to telegram c...

tomislav91

sorry for that, but again parse error.. in error line - you deleted ) at the end i found it, and response with a bit delay notification popup. But it works. Thanks glad to help you can try to change "probe interval", "probe down count", "probe timeout" to have faster r...

tomislav91

sorry for that, but again parse error..
in error line - you deleted ) at the end

i found it, and response with a bit delay notification popup. But it works. Thanks

tomislav91

look this: https://drive.google.com/open?id=0Bxq9Ym3e0mk-bXptQXRXX2JCYkk i modified this probe to your needs. add it to all devices from which you want to monitor ping to 8.8.8.8 actually, i don,t know what to do if this devices are not RB or there are no RB in this site, but if it is mikrotik - as...

tomislav91

Is this that? How can I decide on which device this working? Or that work on all devices in Dude? look this: https://drive.google.com/open?id=0Bxq9Ym3e0mk-bXptQXRXX2JCYkk i modified this probe to your needs. add it to all devices from which you want to monitor ping to 8.8.8.8 actually, i don,t know...

tomislav91

Is this that? How can I decide on which device this working? Or that work on all devices in Dude? look this: https://drive.google.com/open?id=0Bxq9Ym3e0mk-bXptQXRXX2JCYkk i modified this probe to your needs. add it to all devices from which you want to monitor ping to 8.8.8.8 actually, i don,t know...

tomislav91

yes, you can use it. for example i use it to send e-mail for warnings and not very critical events. and most important are also send to telegram. but if you want to have a message when 200+ms then you have to make a probe for that also you should remember that you will monitor "ping" from...

tomislav91

Can you just tell me about Dude. Does it possible to get an alert for maybe ping to create alarms? Just ask because of much queries to router... yes, you can use it. for example i use it to send e-mail for warnings and not very critical events. and most important are also send to telegram. but if y...

tomislav91

Can you just tell me about Dude. Does it possible to get an alert for maybe ping to create alarms? Just ask because of much queries to router... yes, you can use it. for example i use it to send e-mail for warnings and not very critical events. and most important are also send to telegram. but if y...

tomislav91

Thanks all for reply. Just tell me, maybe here needs a space: to=to@mail.co mf rom=from@mail.com I have updated it can you just tell me one thing. Server IP for email. What should I put here? If i want to send to gmail, i need to put gmail SMTP wan ip? #Mikrotik Ping more than 200ms to send mail #h...

tomislav91

Thanks all for reply. Just tell me, maybe here needs a space:
to=to@mail.comfrom=from@mail.com
I have updated it

can you just tell me one thing. Server IP for email. What should I put here? If i want to send to gmail, i need to put gmail SMTP wan ip?

tomislav91

Thanks all for reply. Just tell me, maybe here needs a space:

to=to@mail.comfrom=from@mail.com

tomislav91

Does it possible to get some modification of scripts to see external ip from another interface?

tomislav91

Hi, i found a script to get me an ext ip from interface { /tool fetch url="http://myip.dnsomatic.com/" mode=http dst-path=mypublicip.txt local ip [file get mypublicip.txt contents ] put $ip } Also find # Set needed variables :global extinterface "ether1-gateway" :global ExtIpList...

tomislav91

Hi,

i am having a failover over mikrotik router, and want to send me an email when ping to 8.8.8.8 over ethernet 1 / gw 1 send me an email? I am having script to send me email when there is no ping.

Search found 180 matches