Community discussions

Search found 48 matches

by jgro
Mon Dec 02, 2019 2:03 am
Forum: General
Topic: Procedure for replacing SD card?
Replies: 4
Views: 701

Re: Procedure for replacing SD card?

First idea that comes to mind is to not insist on "while the hEX is running" part. Turn it off, remove the card, use something to clone it, put the new one in, turn it back on. If I could do that, I would not have said "I don't readily have access to any other device that supports ext3 format or mi...
by jgro
Sun Dec 01, 2019 1:33 pm
Forum: General
Topic: Procedure for replacing SD card?
Replies: 4
Views: 701

Procedure for replacing SD card?

I have an SD card (Transcend 16GB High Endurance TS16GUSDHC10V) in my hEX RB750Gr3 that I am using to store logs and the dude database and everything else I can have on it rather than the internal flash drive. I want to replace the SD card before it wears out (side note, is there any way to check on...
by jgro
Mon Dec 31, 2018 8:32 am
Forum: General
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 103571

Re: Feature Request: OpenVPN [ovpn] udp tunnels

In a similar situation (which involved only us and 1 other party) I was successful in convincing them that only offering OpenVPN and not IPsec, L2TP/IPsec or similar was not very flexible. What options does Mikrotik have for a UDP (or at least not TCP) based secure connection that I could use to tu...
by jgro
Tue Nov 13, 2018 1:39 am
Forum: General
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 103571

Re: Feature Request: OpenVPN [ovpn] udp tunnels

I wonder what router equipment you are going to change to (with software supported by the router manufacturer) that will do what you need... I understand the OpenVPN license is problematic. It would be fine with me if Mikrotik would only support OpenVPN udp and drop support for tcp. It would also ...
by jgro
Tue Nov 06, 2018 3:40 am
Forum: General
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 103571

Re: Feature Request: OpenVPN [ovpn] udp tunnels

Count me as +10 for OpenVPN over UDP. If you do not know why this is important, see http://sites.inka.de/bigred/devel/tcp-tcp.html I have iOS programs that simply do not work because of the transmission problems caused by trying to run their TCP connections over TCP-based OpenVPN. They just get into...
by jgro
Sun Mar 25, 2018 4:47 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

It's been a nice run. Almost 3 years, and over 2200 active users. But I am shutting down this service. Thank you, Dave, for a valiant effort. For everyone who was using Dave's Blacklist, let me recommend the Malicious IP blacklist from SquidBlackList.org, available for download from https://www...
by jgro
Sun Feb 25, 2018 1:36 pm
Forum: Announcements
Topic: v6.40.6 [bugfix] is released!
Replies: 58
Views: 19370

Re: v6.40.6 [bugfix] is released!

so between the 2 bugfix releases this is the actual difference if i understand properly ... As I currently understand it, to get the actual difference, you would take the list you put together and then delete everything in "What's new in 6.39.3" This means, for example, that you do not need to upgr...
by jgro
Sat Feb 24, 2018 8:17 am
Forum: General
Topic: IPv6 SLAAC troubleshooting
Replies: 2
Views: 907

Re: IPv6 SLAAC troubleshooting

Thanks, I didn't know about radvd logging. RouterOS logs say the interface is receiving Router Solicitation messages and responding with Router Advertisement messages. The log then says "adding link-layer address option" and "adding prefix". So that is good, right? I haven't seen those packets with ...
by jgro
Sat Feb 24, 2018 1:23 am
Forum: Announcements
Topic: v6.40.6 [bugfix] is released!
Replies: 58
Views: 19370

Re: v6.40.6 [bugfix] is released!

.... What's new in 6.40.6 (2018-Feb-20 11:04): ..... IMHO it means that Mikrotik reports new things. All changes you can trace here: https://mikrotik.com/download/changelogs/ I'm pretty sure not everything in 6.40.6 is new compared to 6.42.rc30, so my question remains, "new compared to what?" (For ...
by jgro
Sat Feb 24, 2018 12:12 am
Forum: General
Topic: IPv6 SLAAC troubleshooting
Replies: 2
Views: 907

IPv6 SLAAC troubleshooting

I had IPv6 working fine, but then I broke it and I don't know how. Now I need help figuring out what is broken so I can fix it. I have a hEX getting a prefix from the ISP over the WAN port and putting it in a DHCPv6 pool. On the LAN side, there is one ethernet port that runs the regular LAN plus a V...
by jgro
Fri Feb 23, 2018 10:14 pm
Forum: Announcements
Topic: v6.40.6 [bugfix] is released!
Replies: 58
Views: 19370

Re: v6.40.6 [bugfix] is released!

Does the "What's new in 6.40.6" show what is new compared to the previous bugfix release 6.39.3 or only what is new compared to 6.40.5? Is everything that is in 6.40.5 also in 6.40.6? I want to see the complete list of what has changed between what I'm currently running (6.39.3) before I upgrade.
by jgro
Thu Jul 20, 2017 11:03 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

I go away for a week and everything has changed. :shock: @IntrusDave, thank you again for all your work on this blacklist. Unfortunately for me, the automated scripting is now too intrusive and is itself a serious security risk, so I'm out. If in the future you resume publishing a blacklist of addre...
by jgro
Thu Jul 06, 2017 10:46 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

ROFL oops. I fixed it. Should have been NOW not NOT Glad we are all laughing. :D Here is a "best practices" tweak: save and restore log state rather than reset it #instead of: /system logging set numbers=0 topics=info; :local logTopics [/system logging get number=0 value-name=topics] /system loggin...
by jgro
Thu Jul 06, 2017 9:01 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

New script updated. I'm not including a change log on in the first post. I'm not sure if that was directed at me, but in case it was, I want to say I was never asking you to include a change log. What I wanted was for you to keep up-to-date whatever is true about the current system, things like whe...
by jgro
Thu Jul 06, 2017 1:16 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

I've stated here many times before - this list and the script are built for my own routers that I manage.... If a recommendation helps my clients or myself, I will likely implement it. If I see no benefit, it will not likely be added. That is completely fair and understandable and I thank you again ...
by jgro
Tue Jul 04, 2017 10:48 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

Unfortunately it's not possible to tell the source of the block. The lists are generated from 12 different high profile blocklists, as well as a network of over 200 routers. Fair enough. So I can do my own investigation, would you please post (and keep updated) the block lists you are including? Of...
by jgro
Tue Jul 04, 2017 3:55 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

please keep in mind that with all the chaos in the world now, the list is regenerated every 4 hours. I don't recommend holding on to an older list for more than 8 hours. Also, I have no bandwidth caps so I have no issue with people downloading several times a day - But I don't want it abused and pu...
by jgro
Mon Jul 03, 2017 5:24 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

I have modified the scripts in a few ways and am publishing the modified scripts here for whoever wants them. @IntrusDave is welcome to incorporate them into his script or not. Renamed globals so as not to interfere with other scripts Added lots of error handling and corresponding error logging Keep...
by jgro
Sun Jul 02, 2017 5:10 am
Forum: General
Topic: Road Warrior: Routing WAN away from EoIP tunnel
Replies: 5
Views: 1035

Re: Road Warrior: Routing WAN away from EoIP tunnel

Remove your reliance on the same broadcast domain by implementing DNS based service discovery. Thank you for the idea. I have not heard of anyone being successful with that kind of setup. Are you using it? I see 2 problems with it. First, it completely defeats the purpose of zero configuration by r...
by jgro
Sat Jul 01, 2017 7:09 am
Forum: General
Topic: Road Warrior: Routing WAN away from EoIP tunnel
Replies: 5
Views: 1035

Re: Road Warrior: Routing WAN away from EoIP tunnel

An easy but not totally reliable hack would be to just setup a DHCP server with a small pool on the EoIP device. It will almost certainly answer first. Just an IP to each EoIP bridge and make the gateway for that DHCP server match that IP. Split DHCP is a nightmare I want to avoid. I am still far f...
by jgro
Fri Jun 30, 2017 8:26 am
Forum: General
Topic: Best MTUs for EoIP+SSTP? [PARTLY SOLVED]
Replies: 4
Views: 2390

Re: Best MTUs for EoIP+SSTP?

Are you able to confirm the ICMP message indicating the reduced MTU size is in fact headed back to the web server (you're not dropping the ICMP packet going out)? Are you able to give us a URL to test. I'll kill my MTU behind a tunnel on a network and give it a try. I captured packets with the Rout...
by jgro
Fri Jun 30, 2017 6:31 am
Forum: General
Topic: Best MTUs for EoIP+SSTP? [PARTLY SOLVED]
Replies: 4
Views: 2390

Best MTUs for EoIP+SSTP? [PARTLY SOLVED]

I have RB750Gr3 running 6.39.2 and broke the setup by adding EoIP. I set up SSTP server and EoIP tunnel using default MTUs to support traveling workers. As recommended in documentation, I created a bridge and added EoIP tunnel and LAN (ether2) to it. After doing this, some websites failed to load on...
by jgro
Fri Jun 30, 2017 5:56 am
Forum: Wireless Networking
Topic: Disabling master station without disabling virtual AP
Replies: 3
Views: 1048

Re: Disabling master station without disabling virtual AP

Client will use same frequency as in master interface. So setting it up AP as master with same frequency your client will use would get around this, you'll be able also to connect wirelessly to manage it, and you'll be able to shutdown the client without shutting down the AP. Sorry if I didn't mak...
by jgro
Thu Jun 29, 2017 11:26 am
Forum: General
Topic: DHCP over EoIP not working [SOLVED]
Replies: 9
Views: 4384

Re: DHCP over EoIP not working

If you are using SSTP to secure the EoIP tunnel then the routes you added need to reflect the SSTP interface not the EoIP interface. Instead of using interface and pref-src, I prefer to set the gateway to the IP of the remote side of the SSTP tunnel. Thank you for that information. I prefer using i...
by jgro
Thu Jun 29, 2017 10:37 am
Forum: General
Topic: Road Warrior: Routing WAN away from EoIP tunnel
Replies: 5
Views: 1035

Road Warrior: Routing WAN away from EoIP tunnel

I'm coming along with my Road Warrior setup for the hAP. I need help with what I hope will be the last step, which is such a common idea that I'm surprised I haven't found it already documented somewhere. Currently, the hAP has: WAN access with NAT (standard configuration) Local subnet (standard con...
by jgro
Thu Jun 29, 2017 10:06 am
Forum: Wireless Networking
Topic: Disabling master station without disabling virtual AP
Replies: 3
Views: 1048

Disabling master station without disabling virtual AP

I have a hAP and have set wlan1 as a station to connect to whatever public internet I have access to. Then I have a virtual AP on it, wlan-VAP, that lets me log into the hAP and also connect all my devices to the WAN without having to log each one into the public WiFi. I have the master wlan1 set up...
by jgro
Thu Jun 29, 2017 9:50 am
Forum: Beginner Basics
Topic: Fasttrack on input chain?
Replies: 4
Views: 1408

Re: Fasttrack on input chain?

it only works for forward, all input/output traffic needs to be in slowpath as it always requires some kind of processing.
Running SSTP it seems like a lot of packets are going through fasttrack on the input chain once I enabled it, and the connection quality improved.
by jgro
Thu Jun 29, 2017 7:38 am
Forum: General
Topic: DHCP over EoIP not working [SOLVED]
Replies: 9
Views: 4384

[SOLVED] DHCP over EoIP not working

OK, my particular problem solved (but don't worry there's more). Sorry it's not more universally helpful, but I'll post the resolution anyway. When I set up the EoIP on the Office router, I did the following: Create an EoIP Tunnel Create a bridge for the Office LAN Move the DHCP server from ether2 t...
by jgro
Thu Jun 29, 2017 7:04 am
Forum: General
Topic: DHCP over EoIP not working [SOLVED]
Replies: 9
Views: 4384

Re: DHCP over EoIP not working

Side-note, what's your need for Bonjour? You may be able to do it with DNS-SD instead and it can be routed. It's not just Bonjour, it's that and Dropbox and Chromecast and if I can get the EoIP to work I can eliminate a lot of "why doesn't this work over VPN" questions. If you are using SSTP to sec...
by jgro
Thu Jun 29, 2017 4:40 am
Forum: Beginner Basics
Topic: Firewall filters on in/out interface with bridges
Replies: 0
Views: 426

Firewall filters on in/out interface with bridges

Is it correct that when writing firewall filters based on in-interface and out-interface, the relevant interfaces are only bridges and master ports, and that they will never match ports connected to a bridge or otherwise marked as slaves? If that is wrong, please explain when you would filter based ...
by jgro
Thu Jun 29, 2017 4:35 am
Forum: Beginner Basics
Topic: Fasttrack on input chain?
Replies: 4
Views: 1408

Fasttrack on input chain?

The default firewall configurations do not include action=fasttrack-connection on the input chain. Why is this? Is there any reason it is a bad idea? It seems to me to be a good idea when using VPN or PPP.
by jgro
Thu Jun 29, 2017 3:05 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

Hi Dave, So I have updated the start-up schedule so that dynamic.rsc files older than one day are not imported from flash/disk1/usb and the normal updateBlacklist script is run. I think you need to check that you have a reliable date in the first place. It can be a while between boot up and acquiri...
by jgro
Thu Jun 29, 2017 3:01 am
Forum: General
Topic: DHCP over EoIP not working [SOLVED]
Replies: 9
Views: 4384

Re: DHCP over EoIP not working

Thanks for the steps. You sort of lost me at loopback with a /32 address. I read this wiki article and it said you can just create a bridge with no members, assign an IP address to the bridge, and it will work. I'm seeing behavior I don't understand. Office LAN is using 172.16.1.0/24 as private subn...
by jgro
Wed Jun 28, 2017 3:44 pm
Forum: General
Topic: DHCP over EoIP not working [SOLVED]
Replies: 9
Views: 4384

DHCP over EoIP not working [SOLVED]

I guess a lot of people have trouble with EoIP, so if someone can add some basic theory to explain how broadcast packets are supposed to flow through the router to and from the EoIP tunnel and what determines if packets are removed from a bridge to be routed, that might help. I want to give an hAP a...
by jgro
Wed Jun 28, 2017 2:40 pm
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

David, please consider including blocklist.de's block list. I've been using both your blocklist and the one from squidblacklist.org for a little bit and so far the only major difference is from blocklist.de. If you add that then I can drop squidblacklist.org. Done. Thank you! Unfortunately, it seem...
by jgro
Tue Jun 27, 2017 12:34 pm
Forum: Wireless Networking
Topic: How to get past login page when using hAP as WiFi client?
Replies: 1
Views: 484

How to get past login page when using hAP as WiFi client?

I want to use the hAP as a client to connect to an AP I do not control that has a login page (same kind of thing Hotspot provides). How do I get to see the login page and log the hAP into the other network?
by jgro
Thu Jun 22, 2017 8:45 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

David, please consider including blocklist.de's block list. I've been using both your blocklist and the one from squidblacklist.org for a little bit and so far the only major difference is from blocklist.de. If you add that then I can drop squidblacklist.org. # CHAIN ACTION BYTES PACKETS 0 D ;;; spe...
by jgro
Wed Jun 21, 2017 10:18 am
Forum: Scripting
Topic: Blacklist Filter update script
Replies: 632
Views: 127888

Re: Blacklist Filter update script

Thank you for this, David! Curious why you use a loop: :foreach i in=[/ip firewall address-list find ] \ do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \ do={ /ip firewall address-list remove $i } } instead of /ip firewall address-list remove [find list="dynamicBlacklist"]...
by jgro
Wed Jun 21, 2017 2:06 am
Forum: General
Topic: Why is everything going through Mangle Forward?
Replies: 0
Views: 460

Why is everything going through Mangle Forward?

On my hEX v6.39.2 there are 3 dummy Mangle rules automatically created because I'm using fasttrack. There is a passthrough on each of the chains prerouting, forward, and postrouting. They all have exactly the same packet count. I thought traffic intended for the CPU (e.g. ssh connection to the CLI) ...
by jgro
Sun Jun 18, 2017 4:27 am
Forum: General
Topic: Why turn off Neighbor Discovery (ND)?
Replies: 4
Views: 6278

Re: Why turn off Neighbor Discovery (ND)?

Yes, I'm talking about IPv6 Neighbor Discovery, not anything specific to RouterOS. The reason for the dimwittedness remark is because RouterOS does not have a DHCPv6 server implementation. Also, even if it did certain devices, namely Android phones, require IPv6 ND to function. RouterOS does have a ...
by jgro
Sat Jun 17, 2017 12:51 am
Forum: General
Topic: Why turn off Neighbor Discovery (ND)?
Replies: 4
Views: 6278

Why turn off Neighbor Discovery (ND)?

On the MikroTik wiki, under Securing Your Router, MikroTik recommends turning off IPv6 Neighbor Discovery (ND). What security risk exists with having ND turned on? What will break when it is turned off?
by jgro
Fri Jun 16, 2017 10:50 pm
Forum: General
Topic: Create subnet with client isolation in IPv6
Replies: 11
Views: 1790

Re: Create subnet with client isolation in IPv6

Right, Idlemind, what I didn't realize was that there were two separate VLAN implementations in RouterOS, one at the switch level and one at the router level. The more advanced chips can do not only routing but blocking, preventing traffic from the wrong VLAN from entering the switch. I am not sure ...
by jgro
Fri Jun 16, 2017 11:53 am
Forum: Beginner Basics
Topic: IPv6 firewall with IPv4 bridge?
Replies: 2
Views: 699

Re: IPv6 firewall with IPv4 bridge?

I gave up on this approach once I found that the WiFi can, without DHCP and NAT, still provide separation of the main and guest networks. It does it by putting the guest traffic on a separate VLAN. Once I figured that out, I just moved all the DHCP and NAT to the hEX and put the WiFi in Access Point...
by jgro
Fri Jun 16, 2017 11:28 am
Forum: General
Topic: Create subnet with client isolation in IPv6
Replies: 11
Views: 1790

Re: Create subnet with client isolation in IPv6

ZeroByte, I appreciate your help. Idlemind, I have come to see it your way and gave up on client isolation, settling for keeping the guests on an isolated subnet instead. I was confused by the documentation at Wiki:Manual:Switch Chip Features and the error messages I got from /interface ethernet swi...
by jgro
Thu Jun 15, 2017 12:39 pm
Forum: General
Topic: Create subnet with client isolation in IPv6
Replies: 11
Views: 1790

Re: Create subnet with client isolation in IPv6

I think I understand the DHCPv6 and subnetting now. We'll have to see how it goes when leases expire. This VLAN stuff doesn't work. I'm using a hEX RB750Gr3 and it barely supports VLANs. Deal killer is that it cannot add VLAN tags on egress, so traffic from the internet cannot be sent to the WAP on ...
by jgro
Wed Jun 14, 2017 12:45 am
Forum: General
Topic: Create subnet with client isolation in IPv6
Replies: 11
Views: 1790

Re: Create subnet with client isolation in IPv6

Thanks, ZeroByte. Our APs support client isolation and I can connect them directly to the hEX, putting guest traffic on a separate tagged VLAN, and while I see how to separate the subnets (well, sort of, see additional questions below) I don't see how to keep the hEX from letting the guests talk to ...
by jgro
Tue Jun 13, 2017 10:53 pm
Forum: General
Topic: Create subnet with client isolation in IPv6
Replies: 11
Views: 1790

Create subnet with client isolation in IPv6

How do I create a subnet with client isolation on a hEX router? Is that even possible? I want to have one normal subnet for the office and another subnet with client isolation (clients on the subnet cannot talk to each other, can only access the internet); both subnets firewalled from the internet a...
by jgro
Sat Jun 10, 2017 8:41 am
Forum: Beginner Basics
Topic: IPv6 firewall with IPv4 bridge?
Replies: 2
Views: 699

IPv6 firewall with IPv4 bridge?

I thought I knew what I was doing when I bought the hEX RB750Gr3 but apparently I'm out of my league. I only know as much networking stuff as I need to in order to set up high-availability web services and Open VPN, which is apparently not enough. :) Please help me come up with a plan of attack for ...