MikroTik

mozerd

I follow this tutorial All works but When trying to connect it on win10 gives error "IKE authentication credentials are unacceptable" You need to pay very close attention to the following note that the author of that post made specific to your issue: Note: If you get IKE authentication cr...

mozerd

Yes the FQDN does not respond nor does the ipv6 address BUT the ipv4 addresses do respond

159.148.172.251
159.148.147.201

MikroTik will need to fix with their provider.

mozerd

One of the very best IKE2 VPN guides for server <=> Clients is by a superb technologist Nikita Tarikin in the following PDF file Very detailed explanations ... study carefully to understand the logic and methods CAVEATE: When you copy the code be aware that some of the variables are miss-constructed...

mozerd

Based on your stated requirements
I suggest the CCR1009-7G-1C-1S+PC

mozerd

Question re: D day is 2025 I was not aware there was a a government D day to drop IPv4 - or is this a government D day to have all government agencies running IPv6 ? North Idaho Tom Jones U.S. Government Paves the Way to IPv6 with Mandate Compliance OMB to Agencies: Time to Finish IPv6 Transition U...

mozerd

I am a ipv6 purist ... not at all interested in NAT64 .... D day is 2025 when US Gov completes its conversion THEN everyone falls in line.

@ZeroByte. you make a good argument ... Good Luck ... :-)

mozerd

As @karlisi states many only try once and do not come back You can add a timeout value to hosts and see what happens after a period of time ... the timeout means that the IP address will be removed from the list when it hits the time out value. Example: /ip firewall address-list add address=185.195....

mozerd

I agree with @jvanhambelgium I have been trapping rogue VPN host over the past 2 years and so far I have 45 entries in my address list. following is my list that you may find helpful ... note that many of the rogue host are placed in networks [CIDR] because many of these rouge host operated in group...

mozerd

Current Tikapp is basically a Winbox copy. What else did you expect? I just installed the Tikapp for IOS on my iPhone8 and from what I can see it does not have anywhere near the functionality of Winbox ??? in fact the functionality is very limited. What am I missing? [Edit] My apologies... found th...

mozerd

@NovaProspekt Just add the logging to you existing rules ... no need to mangle ... I get hit by rouge vpn attempts on a frequent bases and my trap and drop method has worked very effectively in stopping that .... should work well for you as well .. Get yourself a Tool like ipnetinfo from Nirsoft and...

mozerd

My suggestion to trap and then drop any unsolicited VPN traffic is as follows: Create the following address list named rogue_vpn_hosts Create the following Firewall Filter Rules [this assumes ipsec ... if you are using L2TP/ipse you will need to add more dst-ports ports]: /ip firewall filter add act...

mozerd

Using 6,48 and 6,48.1 I am also observing performance issues on my CCR1009 [- 40% (minus) ] .... not 100% sure yet if its the firmware or other but I will be switching firmware to Long Term and do so more testing.

[EDIT] I can confirm that in my case its not the Firmware ... staying on 6.48.1 ...

mozerd

Yes, once you have your VPN connection then you can use Winbox and its WOL tool
/tool wol

or write a scripts to fire the tool ... works great.
https://wiki.mikrotik.com/wiki/Manual:Tools/Wake_on_lan

mozerd

Not sure what you mean but I suspect you are using the GUI vs the CLI ... I use the CLI more or less exclusively ... Also I am not sure what changes have takes place from the version of ROS you are using v6.46.8 versus the current version 6.48.1 .... Following is the latest documentation from MikroT...

mozerd

Establish a IPsec VPN connection and you would be fully secure. You can use a Mode Config method that is perfect for Road Worrier type of requirements. First you have to establish what kind of Internet Connection your ISP provides you ... PPPoE or DHCP ... if PPPoE then consider L2TP/IPsec if DHCP t...

mozerd

OK I found solution .... in Manuel it states that BOOT port can be used for Netinstall and in the case of CCR1009-7G-1C-1S+PC that is ether7

I guess I need to get my reading glasses fixed :-)

mozerd

DOES the MikroTik Manuel [as shown in the link below] for Netinstall apply to all MikroTik Router Models? https://wiki.mikrotik.com/wiki/Manual:Netinstall Why I ask? I have one Client with a CCR1009-7G-1C-1S+PC whose ether1 port suddenly does not function ... shows R but Link Downs shows 2 The Manue...

mozerd

@vili11. very nice .... Thank You.

mozerd

@prawira
The 4011 does not have Hardware Offloading .... The 4011 uses the RTL8367 switch chip and when bridging is used there is no Hardware Offloading

mozerd

Wave2 requires FAR more resources ... ACTIVE Memory Resources [RAM in simple terms] ... Wave 2 cannot be supported on MEMORY deprived devices PERIOD. If you are hoping and praying that its possible you are dreaming in vivid color. :-)

mozerd

My point is that modern software should encompass all the negotiation needed back and forth to opening ports and NOT rely upon client port forwarding ports or UPNP etc.......... Some AI engines when incorporated into apps and exploited will do that but AI has a very long way to go .... maybe in 5 y...

mozerd

Thanks was not aware of the limitations, where I live DFS has never been an issue and I live in a single home on a large lot so significant freq interference is also a non-issue.

@anav, FYI EAP245, V3 firmware 2.3.0 Build 20190731 Rel. 51932 provides support for DFS

mozerd

Hi Mozerd, concur that you are making the rest of the network safe from the 'gaming' computers which are made vulnerable. As long as those computers are never used on the home network later,,,,,,,,,, Gaming consoles are never allowed to communicate with other parts of the network. Computers that ar...

mozerd

I understand about uPNP but trying to see, for testing purposes, if it fixed anything, of which i doubt it would. If it did then perhaps it would give clues to how to solve this by other means. Nonsense, absolute nonsense. When properly done UPNP can be used without any worry ... I have many very s...

mozerd

@mozerd: I test the method /ip smb shares on RouterOS v4. and it CANNOT create new sub-folder like NewDir/NewDir2/NewDir3/ in one command. Can you try.

@luca1234567
You are 100% correct .... I am not able to create new sub-folders like described ..... no problem with root folders.

mozerd

Following is SUPER easy way of creating a dir using Terminal

/ip smb shares add name=sharethis directory=moab
/ip smb shares remove [find name=sharethis]

The 1st directive will create the directory while the 2nd directive will remove the share that is not needed.

mozerd

Then can you suggest me any other good switches and routers which support inter-vlans switching ?? Am having budget of around 300$ including both router and switch @Banrosss My suggestion for Switch that can do line rate interVLAN routing is as follows: TP Link JetStream 24-Port Gigabit L2 Managed ...

mozerd

https://support.apple.com/en-ca/guide/d ... 2e481c/web
https://support.apple.com/en-ca/guide/d ... a6151e/web

But concur the iphone 12 does have 4x4 mimo.

OOPS .... I was Soooooo VERY Wrong !!! Thanks for correcting me @anav :-)

mozerd

Which devices today use 3x3 ?? . Many Apple wireless devices like the iPhone, iPad, MacBook Air, MacBook Pro support 3x3 and some ones that will be released in 2021 will support 4x4. My knowledge of Android is very poor so I cannot comment on their MIMO support. I also cannot comment on Microsoft w...

mozerd

InterVLAN routing is possible using this switch BUT performance will be slow because this switch model cannot Route at line rate. So if you need performance I would suggest that you use this model as a switch -- where switching performance is excellent --- and select another model as your Router.

mozerd

The great majority of adult [porn] sites are now using SSL -- so currently -- MikroTik's L7 cannot decrypt the packet stream and ID the site -- so a useless exercise. 92% of Internet websites use SSL .... perhaps in the future MikroTik will introduce the ability to use L7 effectively and that requir...

mozerd

@IPANetEngineer
Very Nice L3 Forwarding test ... hopefully in 2021 the production stable version of ROS7 will be completed.

mozerd

There is a new product that does spectrum analysis and its currently FREE
WinFi Lite just runs on any Windows 10 device, any Wi-Fi adapter, any CPU, even on ARM
Give it a try and see if you like it.

mozerd

Nice thing about Mikrotik (as you probably know) you can use ANY Mikrotik device for such a system and play around/extend it as you want. But in overall Wifi throughput you will not be able , today with current ROS, to reach Netgear Wifi throughput. @WeWiNet, I tip my hat to YOU .... outstanding re...

mozerd

Out of curiousity Mozerd, at home do you run MT with mOAB or are you using CISCO with UTM. What do you recommend for your clients.............. ie what threshold do you insist they move to CISCO At home I run MikroTik with MOAB For my clients -- majority is MikroTik + MOAB Threshold = level of clie...

mozerd

To those who have actually used these type of subscription features, do you feel they are worth the price, and which subscription features do you use? If you have used them and are now no longer paying for the features, what made you change? @Sindy provided a very nice description of Layer 7 work :...

mozerd

Thats okay Mozerd is going to pay for them!! ;-P One should be held responsible for promises of 'wow' security!!!!!!!! Yes YOU are 100% correct :-) Because 92% of Internet Traffic today is encrypted .. malware, virus and Ransomewhere hides very easily -- and the only way to detect that is to decryp...

mozerd

On my CCR1009-7G-1C-1S+ updating from 6.47.4 to 6.47.6 went without one hicup On my CRS326-24G-2S+ updating from 6.47.1 [long term] to 6.47.6 [stable] 1. software update .... at the 2 minute mark -- after the update -- could not login into Winbox 2. BUT waiting to the 3 minute mark succeeded in logi...

mozerd

RV340 is severely limited and handicapped - only a dual wan router, NOT multiwan ;-P

@anav :-)
@Bionic does not need multi-wan but Bionic does need dual wan :-) PLUS Bionic would benefit greatly from the security mechanisms that come with the Cisco device.

mozerd

Have you had an opportunity to use the Cisco Business Dashboard? Yes I have .... that’s why I stated outstanding. Btw, it’s really not a fair comparison between the RB4011 and the RV340 ... the Cisco is a security appliance plus it does near line rate NAT +++ Anyway, this is MikroTik forum so let’s...

mozerd

@tippenring .. thanks for sharing .... shodan does a nice job.

mozerd

So to better prepare myself for the future what Mikrotik router would you all recommend? Or would it be better to go with a cisco router since all the other equipment I am using is cisco, and be able to use there single pane of glass managment and monitoring solution called Cisco Business Dashboard...

mozerd

If you have practical experience that says otherwise, that is more valuable. Many Home networks are far more demanding than Business networks by a country mile :-) There are some niche business networks that require POWER but for the most part the majority of office environments are as boring as wa...

mozerd

One connection is different from many connections and the CPU and ram accordingly is designed for a home environment and you have something far greater in the planning. @anav, I am using the hEX S for some of my business clients [30 people] and they all are very pleased. I 4 1 do not believe that t...

mozerd

The safe move... Like I stated before and have done at home for around 10 years... Get a Boost and wire it to your switch. Setup all Sonos to use SonosNet. You will get YEARS of uptime out of a system like this. I have had to pull the power for cause 2 times in 10 years. I used to use the first ZP ...

mozerd

. Mikrotik can route... But she it comes to wifi... It's an "also ran". @gotsprings, you are being very kind ..... In the modern world -- for the G7 nations -- and in the wireless realm MikroTik wireless is unable to compete. But perhaps its existing product lineup satisfies its current s...

mozerd

For the wireless pro and Spectral Scanning my suggestion is The Chanalyzer Essential Bundle - Professional Spectrum Analysis $900.00 https://shop.metageek.com/products/chanalyzer-essential Chanalyzer Essential is a deep dive into spectrum analysis. Monitor your 2.4 and 5GHz WiFi networks in real tim...

mozerd

Finally you decided to add external antennas to routers, what happened to all the talk how they are not needed you where tell us all this years when we complained about poor signal? :D Sush! Don't bring this out, they might decide not to do it for future devices. Antenna designs for MIMO systems A ...

mozerd

Why not slide the board out of the case?

Actually a DARN good idea .... would solve the heat [HOT] issue .... but very ugly :-) If mounted on a wood pedestal might just be very attractive. lol

mozerd

I have place it at the middle of the house as a backup fail over WiFi AP for my main Asus RT-AC1300UHP WiFi AP ... Placing the hAPac2 in the middle of your house is excellent ... also consider to give it height ... as much as you possible can ... the higher it is the better will be the dispersion [...

mozerd

IMO, if the hAP AC2 is a Qualcomm MIMO device and truly supports all that MIMO offers then changing antennas is a competes waste of time, money and intellectual energy ... WHY? You have to understand MIMO and the very special algorithms that are specifically tuned for the antennas and radios in play...

mozerd

I agree that RouterOS is far superior to pfSense and especially because of Winbox ... ROS L7 is very limited in its capability and very CPU intensive and most capable techs would not consider that an effective IDS/IPS mechanism .... IDS/IPS requires proper decryption because in the current world 90%...

mozerd

MikroTik ROS is currently not able to do DPI [deep packet inspection] and I do not know if DPI is planned for v7 plus to do DPI properly would require a powerful CHIP [ASIC] ... currently looking at the Tik hardware platform I do not see anything that can possible do it .... would require new class ...

mozerd

I suggest 6.45.9 (Long-term) as the most stable version.

mozerd

As a router, ignoring the wireless interface that Hardware is more powerful, the hEX S or the hAP ac².
Excuse the english

I would suggest the hEX S because it’s very stable and works great. The hAP AC2 gets too hot and the wireless is a complete waste of time,

mozerd

I'm moving away from MikroTik as soon as I have the money. @DarkNate Have some patience.... it is frustrating when they do not respond on a timely manner.... but with this COVID hitting everywhere its a new situation and will take time to adjust. It’s very difficult to beat the MikroTik value propo...

mozerd

This gentlemen wrote an in-depth tutorial for MikroTik site to site VPN: https://rickfreyconsulting.com/wireguard-site-to-site-vpn-example/ It's not rocket science to build up a Wireguard tunnel and route something over it. Do you guys get a cut for traffic generated to his site or out of how many ...

mozerd

You had the same issues with 6.47.2 if I remember correctly? I wonder if this is more for you setup. I have a couple of these switches and I do not have this problem but I run them on Long-Term. I keep all my switches on this release to not have to patch as often. @Kindis If you read my post proper...

mozerd

Switch CRS326-24G-2S+ Software upgrade successful from v6.47.2 TO v6.47.3 but after upgrade no longer able to login using Winbox to upgrade the firmware -- showing the following error message: ERROR could not connect to 192.168.10.88 When using Mac Address to login returns error message: ERROR could...

mozerd

ABSOLUTELY no need for NAT under ipv6 ...... NAT has spoiled everyone .... what is needed is far wider adoption of ipv6 and its PROPER implementation. Yes its been very slow but that is about to change since the US Government will be ipv6 depended by 2025 then no one will have any other choice but t...

mozerd

>In the first quarter of 2020, Cisco had a share of 52 percent of the global market Ethernet switch market, I know that switches can have all sorts of features what with all the layers, VLANs etc. But don't the majority of then end up just switching packets as fast as possible around the LAN? Now r...

mozerd

Does anyone have more than one simultaneous wireguard interface working? I am not running the MikroTik implementation so I have no idea if in its current state of RouterOS 7.1beta2 how may peers can be run .... and yes under ubnt EdgeRouter I have multiple Peers running in client sites. Following l...

mozerd

It's true that many companies still want the "fuzzy warm blanket" of 24/7/365 support whenever it is needed, but we are starting to see that attitude change as budgets get smaller due to the global pandemic. https://www.statista.com/statistics/271853/worldwide-net-sales-of-cisco-systems-s...

mozerd

Most people use MikroTik because 1) It's versatile and reliable ......... 3) The price point is *so* much better than Cisco, Juniper, etc If MikroTik incorporated all of the suggestions to make them more like Cisco and Juniper, the price would go up and we'd lose everything that makes everyone want...

mozerd

and what do you think? https://blog.ipfire.org/post/why-not-wireguard I think WireGuard is simply outstanding ........ Many of my compatriots also think so. Naysayers will always exist and they do raise some points of consideration but from my [and many MANY other] POV WireGuard has hit the BULLSEYE.

mozerd

Yes, there is ONE industry standard for gear in the Enterprise world wide and that is CISCO ... then there is all others that try and compete. The reason that Cisco is the standard is because their product support is OUTSTANDING ..... many of the OTHER name brands work very hard to provide the same ...

mozerd

Companies who want take part of it - all say: Mikrotik is not an option - need to go with poducts form HP ARUBA, Ruckus, FortiNet, PaloAlto, CISCO, JUNIPER - these are INDUSTRY STANDARTS! I ask why - Mikrotik is no safe, not stable, hardware is no qualitative, updates are bugy... so on! One argumen...

mozerd

Not sure what he was testing with. I was doing SMB which may very well be slower over wireguard compared to a dedicated speed test which you optimize for the protocol. One must always remember that the weakest link rate will always determine the vpn throughput; For example .... router1 in location1...

mozerd

But as more and more features are added (e.g. multiple different encryption methods, as in IPsec), it becomes more complicated over time. See how it went with OpenVPN, that was also simple at first but got more complicated on the way, especially because there was little forethought on how to accomo...

mozerd

I don't have it at hand, but I remember someone had posted it in the forum a while ago.

OK thanks .... I found the following that looks very interesting and exciting for MikroTik users :-)
Marvell PRESTERA 98DX83xx Family

In reading the specs I do not see L3 wire-speed benefits.

mozerd

The switch chips used in those RB models (which are ASICs basically) do support L3 routing at wirespeed as per Marvell's datasheet. The hardware support was already there, but MikroTik just started supporting it on ROS. @Cha0s Do you have a link to the Marvell's datasheet.for the Chjp referred to p...

mozerd

https://i.mt.lv/cdn/product_files/CRS326-24Splus2Qplus_200149.png Are you sure that mention switchip doesn't have that feature? @macgaiver I am not familiar with that specific switch chip so I am in part writing out of ignorance of that specific chip. I am familiar with how CISCO does in on their M...

mozerd

This level 3 offloading looks very interesting. Do we have any numbers to show what it can mean as this has the potential to put emphasis on the R in CRS :-) It does routing at wirespeed, in all ports. There are several constraints, and a limit of 4096 connections, if I'm not wrong. But in some use...

mozerd

mozerd - What is the error that you receive? Can you access the router over the MAC connection? @strods My apologies for not identifying the Winbox error message for the Switch connection. I cannot remember the message now. After Software update using Winbox v3.24 I could not access my CRS326-24G-2...

mozerd

Just updated my CRS326-24G-2S+ switch from v6.47.1 to v6.47.2 and now I am not able to login to the switch using Winbox 3.24 to update the firmware. Switch is functional but Winbox cannot connect to switch. Update on my CCR1009-7G-1C-1S+ worked without issue What is my option to fix my CRS326-24G-2S...

mozerd

Following is a RouterOS trick that I use to make a directory via CLI [Terminal] /ip smb shares add name=sharethis directory=nameit /ip smb shares remove [find name=sharethis] So the Trick is to create the SMB share with the name of the directory THEN remove the share works very nicely and is quick a...

mozerd

any hope to see 2.5Gbps sync in the future or hardware is limited to 1 or 10 Gbps only? I do not believe that MikroTik will support 2.5Gbps anytime soon for SFP(+) ..... its either 1Gbps or 10Gbps In Canada most ISP who support FFTH [FTTP] will be going to 1Gbps or 5Gbps or 10Gbps .... 2.5Gbps is j...

mozerd

Secondly, IIRC, Mikrotikdoes not support GPoN SFP interfaces, so my suggestion will be: @CZFan RouterOS v 6.47.1 now provides support for GPON running in SFP(+) Cages ... this has been tested on the RB4011 using the HUAWEI MA5671A as evidenced in the following post . @browntrch ,,,, MikroTik SFP an...

mozerd

DID you know that WireGuard now runs under Windows 10, macOS, IOS, Android and MANY flavors of Linux
https://www.wireguard.com/install/

Amazing !!!

mozerd

nice

mozerd

@anav The link below shows the connection diagram between the OLT and the ONT and the Router. The HUAWEI MA5671A transceiver is the Optical Network Terminal pre-configured by Bell and initialized when the HH3K is first installed in the client premises. After the CPE [HH3K] is installed the GPON Tran...

mozerd

I just bought a RB4011 router to get rid of the bell HH3k router, i know that the GPON module is not compatible with the router but i have a media converter (fiber to rj-45) i also want to configuer the TV on the router. With RouterOS version 6.47.1 you can now use the Bell provided GPON Transceive...

mozerd

Bell makes their GPON complex .....

mozerd

When you say EPON what do you mean. ...... Sounds like you want to plug the fibre directly into the router.......... good luck with that I think that breaks terms of service and is illegal. The EPON connection starts at the headend with optical line terminations (OLT), similar to the DOCSIS CMTS. I...

mozerd

Which fibre are they using. I was told once that the fibre network in Canada is govt owned and only the pole to house and modem are the ISPs concern??? Nope not gov owned although gov may have an interest where certain subsidies are provide. Rogers have been very agressive in Ontario with Fiber ins...

mozerd

https://www.rogers.com/business/product ... rnet/fibre

So a new breed of Routers etc may be upon us very soon

mozerd

SwOS version 2.12 on CSS106-5G-1S do not work with VLAN on trunk port in state "enable" or "strict". Work only in "optional".

not a problem for me ....... maybe you should reset to factory default and start fresh.

mozerd

Of course this concept at this stage is only a solution for a single user only, not for a company (or family) as a whole yet. A closed system is what you are describing .. a concept that has been in effect in Enterprise computing for a very long time ... BUT with the advent of the Internet which by...

mozerd

First 260GS does not want to update. This is par for the course, everytime I update these units its like surgery with an infection. Does anybody at MT actually use these units and test them? @anav I have the 260GS and have no issues updating at each update .... me thinks that your unit must have a ...

mozerd

Got very busy ... sorry I'm late .... but looks like you got lots of help IMO, the firmware + ROS driving the S+RJ10 is got an Ethernet conversion problem and only MikroTik can fix it. The OBVIOUS is that since ether6 works just fine but when the S+RJ10 is introduced it and or ROS are not communicat...

mozerd

Can you do the following please:
/interface print

and paste into code tag here.

Which Mac Addy does the Bell Ethernet interface associate with ? is it the Mac Addy of the S+RJ10 or the Mac Addy of your ether6?

mozerd

Thank You

mozerd

Another small hack I came up with is to reduce the preferred and preferred-lifetime & valid-lifetime to 2 hours in ND>Prefix, it seems to work and forces the client devices to refresh IPv6 addresses every two hours or at least drop whatever it used after 2 hours, but again this is dirty and not...

mozerd

Your local systems remembering old prefixes after the ISP has changed them can be considered a RouterOS bug or at least limitation. (it should send an RA with the old address and zero lifetime when it withdraws the old address to set the new one, but it doesn't) IMO, its a bug but yes perhaps a cur...

mozerd

I think mozerd did not understand the root cause of the problem. @pe1chl, yes you are correct in that I did not understand the root cause of the problem expressed by @DarkNate My apologies to DarkNate ... I do not use PPPoE -- mine is DHCP ..... but I do have similar behavior that DarkNate exposes ...

mozerd

Is there anything wrong with my IPv6 configuration?

Your ipv6 config is fine

I agree that this should not be happening and my suggestion is only a temporary fix.

Inquire with MikroTik Support
support@mikrotik.com
and see what they have to suggest.

mozerd

My suggestion for your issue (I have experienced the very same thing) is to do the following: When the IPv6 tests fail go to Winbox ipv6 dhcp Client then highlight the connection and Release wait 5 seconds then Renew Now go back to your test sites and test again ...... when i do that the test sites ...

mozerd

In my case I have a MikroTik AP in addition to my router, and it gets an address via SLAAC. When it receives an address and a route via SLAAC, it doesn't show you what they are. Following is my ipv6 routes pic that shows all the routes I am using: ipv6routing.GIF Compare my ipv6 config against your...

mozerd

The way I do it is as follows:

This directive states do not use ISP DNS

/ip dhcp-client add disabled=no interface=ether1 use-peer-dns=no

This directive tells the Router to use the DNS servers identified

/ip dns set servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001

mozerd

I am not running v7 but I do understand that v7 has the same capabilities as v6.47 ... I use ipv6 SLAAC and my address list does show all my global addresses

ipv6Add.GIF

mozerd

I have Synology NAS server (running web-site, vpn, photostation, download station, so on), around 8-10 port forwarding rules, three network media players, few minor home-automation self-made devices on esp8266. So, my requirements are gigabit Ethernet and good wifi. What Mikrotik router would you s...

mozerd

Make sure case is correct if text, also, might be other characters in the comment string, so maybe also try "like ~" instead of "equal =" Another Test so the following did work :when I added a blank space preceding the word testing /ip firewall filter remove [find comment~"...

mozerd

Does it work when you split it over two lines:
Code: Select all
/ip firewall filter
remove [find where comment="testing"]

Nope does not work

remove works if I

/ip firewall filter remove number=number

@CZFan
Yes I did try with comment~"testing"
did not work.

mozerd

With this stable v6.47 release on my CCR1009

via CLI if I issue the following directive

/ip firewall filter remove [find where comment="testing"]

the directive completes without error but the rule is not removed
Why?

mozerd

ICMP: The Good, the Bad, and the Ugly https://blog.securityevaluators.com/icmp-the-good-the-bad-and-the-ugly-130413e56030?gi=c2433c26dec8 By disabling the ICMP protocol, diagnostics, reliability, and network performance may suffer as a result (see page 4–4 of [2]). Important mechanisms are disabled ...

mozerd

I would suggest that you reset your CCR to factory default and configure from scratch. If you want to be assured that nothing malicious is taking place then run netinstall and that will clean your system properly Its NEVER a good thing to see scripts that YOU did not put into the system .... under t...

mozerd

My Blacklists cover over 615 million IP addresses contained within ipsets typically between 35,000 and 60,000 entries for Tik Routers like any CCR models ... when the lists load every 8 hours the CPU never goes over 25% .... after load is done CPU never goes above 20% in a very active network with t...

mozerd

@sindy, thank you . On the RB260GS I disabled RSTP only on the Trunk port [ether1] and that solved the problem. I have not done extensive testing so I do not know if all reaming 5 ports on that switch will respond as I expect ... so far all the VLANS are responding properly at the expected throughpu...

mozerd

Effective in July 2020 a subscription to MOAB blacklist service will include - as an optional choice - OUTBOUND connection blocking. NEW : MOAB's primary focus is blocking the bad Guys from coming into your network - NOW as an optional add in choice that's included with your MOAB Subscription - bloc...

mozerd

My CCR1009 has ether7 connected to my CRS326-24 on ether24 On the CRS326 ether24 is defined as a Trunk port recently I needed to add some additional ports so on the CRS326 I made ether21 a Trunk port and connected a RB260GS using either1 as a Trunk The Problem is that RouterOS running on the CRS326 ...

mozerd

1 fiber IN, 4 ethernet jacks OUT One of which goes to the hex router (plain jane gig ethernet). Does that make sense............. plus If I use the Sfp+ port (I could still use the SFP port in the combo to one of my 260GS switches that already has an R-J01) """""""...

mozerd

Too funny, the Bell ONT, is an alcatel lucent model. It has fibre line that comes from outside goes in and four ethernet jack are also on the exterior chassis. One of them connects to the ethernet port on the router. As far as I can recall, the hookup to the network was mostly about registering the...

mozerd

I plan on one bridge with many vlans and two WAN ISPs, the other being eastlink plain cable with connections to a number of managed switches You do not need a bridge ..... What makes you think that You do? Bridges are for whooses AND the CCR is not for whooses .... the CCR is for users that LOVE an...

mozerd

Maybe that apple use a fixed IP like Chrome cast use 8.8.8.8 and not the DNS it gets from the DHCP. This can be fixed by redirect all request to port 53 to your DNS server. Then Chrome Cast and other stupid devices that does not follow normal regulation will still work. @Jotne All my Apple devices ...

mozerd

Not sure why Mikrotik never implimeneted DoT and went for DoH. Routers are tools to implement and include to network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers

@BlackFate
Leave DoH for the browsers is 100% on the mark !

mozerd

None of my Apple gear works when DoH is enabled .... All apple gear is wireless ..... all windows gear works with DoH.
I have not determined why the Apple Gear is not working with DoH .... will do that on another day ...

mozerd

Is it possible for a Mikrotik router to receive a public IPv6 IP with SLAAC? I use SLAAC with the following settings that may be helpful for you: /ipv6 dhcp-client add add-default-route=yes comment="delgate ISP-assigned prefix" interface=\ ether1 pool-name=ipv6 prefix-hint=::/56 request=a...

mozerd

@mozerd ... what is the need to quote "previous post" just write "nice post"? Do you know the funcionality of "post reply" button? @BartoszP --Because what I quoted from @bpwl post is what I supported and that is what I wanted to emphasize . BartoszP, I apologize to yo...

mozerd

If u need WireGuard better install it on a server with powerful cpu.

The opposite is true .... @markwien - ignorance is no excuse!

mozerd

After hearing Normis "the only thing missing for Wave-2 is MU-MIMO", and Strods with his view on the Winbox user interface. And after reading all this stuff about 802.11ac, there are quite some things missing in the Mikrotik (https://www.oreilly.com/library/view/80211ac-a-survival/9781449...

mozerd

My questions was aimed at protecting capacs themselves not the WIFI.

Can you make that quite a bit clearer?
Protect them from what and whom?

mozerd

comment=$description timeout=1d} on-error={}

Thanks .... I just tested @Shumkov code and it works very nicely .... excellent work.

mozerd

What other security options are open to me to either put on the router or on the capac itself to limit access further. (Rest of IP services are off). Am I missing something? Is this insecure in any way...... Greetings anav the prolific poster :-) If you want to be EXTRA secure for all your wireless...

mozerd

Nowhere did I state that Spatial Multiplexing is Beamforming .... grrrr
Then what was your reference to 802.11 and MIMO about?

Please read carefully viewtopic.php?f=7&t=161563&p=796943#p796661

And a VERY good presentation of https://youtu.be/0O179W5Tbzo

mozerd

Beamforming began to appear in routers back in 2008, with the advent of the 802.11n Wi-Fi standard. 802.11n was the first version of Wi-Fi to support multiple-input multiple-output, or MIMO, technology, which beamforming needs in order to send out multiple overlapping signals. Nope. Spatial multipl...

mozerd

You should be aware that when loading lists IF a duplicate IP is present the list will not load and processing stops. Script ignores duplicates via on-error={} , processing is not interrupted. Do you mean this line: on-error={:log warning "Address list <$description> update failed"} ? Whe...

mozerd

This error occurs if the file is for some reason not available for download. The address list does not load SOMETIMES? Or always? They don't load always. @kevinds You should be aware that when loading lists IF a duplicate IP is present the list will not load and processing stops. So it is critical ...

mozerd

Thank you, I'll look into long range antennas for sure. But yeah I don't know why it didn't click in my head that antennas were needed.

YOU should be very embarrassed @archerious .... the Ruckus E510 EATS Netmetal AC2 lunch buy a country mile

mozerd

On a broader term, MIMO neither implies nor requires beamforming. Only MU-MIMO does. And none of the Mikrotik devices currently support MU-MIMO, that is a well-known fact. @andriys Beamforming began to appear in routers back in 2008, with the advent of the 802.11n Wi-Fi standard. 802.11n was the fi...

mozerd

Sorry, there is no Beamforming in Mikrotiks Wifi SW. Beamforming missing from MIMO capable MikroTik offering ??? No wonder MikroTik Wireless under - perform ? So its either Beamforming or Spatial Multiplexing .... normally part of the wireless driver packaging .... and yes it can be disabled or ena...

mozerd

Lv1 was working fine and now it is not. Probably it does not fit anymore. You [everyone] should be aware that: level1 check frequency = 1 minute and average update frequency = 2 hours and 27 minutes level2 check frequency = 1 minute and average update frequency = 17 minutes level3 check frequency =...

mozerd

I have recently bought a new RouterBoard HexS ( RB760iGS ) since my old one could not do Gigabit. The goal being to get ultra fibre, 900MBPS. ....... .................. ................ Is the HexS RB760iGS able to get 900MBPS, using PPPoE together with a VLAN? Testing with: https://www.speedtest.n...

mozerd

Ended up getting a Netmetal ac2, should be in on Tuesday. Absolutely loving the Wireless Wire, highest ping to it was 5ms, usually 1-2ms. Incredible performance so far, powering it over PoE via CRS112 from my shed. @archerious very nice pics and good work .... Yes. the wireless wire is absolutely S...

mozerd

ALL of my MikroTik Router clients use MOAB to prevent External Attacks just like the one you describe.

If your MikroTik Router model qualifies for the MOAB service --- I provide a 10 day Free Trial of MOAB so that you can see for yourself.
If you are interested see my sig below:

mozerd

Hi Mozerd, Out of curiousity what is the load on the router in that gaming situation. More precisely does it burn up throughput so like instead of 50mpbs down, one gets 45Mbps down?? It all depends on the MikroTik Router Model .... in my prerequisites web page the following is stated: Performance H...

mozerd

BPWL. Now here... 2 cAP ACs will run about $140. The step to $240 is $100. How many phone calls and pissed of users does it take before you think... "Yeah... That's not a smart business decision... Trying to save $100 bucks." Reputation is everything .... ABSOLUTELY everything .... my bus...

mozerd

One of my clients operates a gaming kiosk in Los Angeles that uses MOAB .... they have 26 gaming stations ..... The Router they use is a MikroTik PowerRouter732 .... the LA operation since using MOAB they have zero issues .... before MOAB they has many attacks .... they have been using MOAB now for ...

mozerd

That seems to be the product its built to compete with. Anyone done the comparisons yet? In the Mesh world and for busy home networks, based on my field experiences nobody beats Netgear RBKxx systems -- NOBODY period FULL Stop Ruckus --- The only manufacturer that has successfully exploited Spatial...

mozerd

I use SanDisk 32GB SD cards and 8GB Kingstone DataTraveler USB sticks and works nicely in many CCR1009xxxx
I have not tried large ones because I have no need for larger ones BUT I see no reason they would not work.

mozerd

Don't think so. That Wiki page states : This page was last edited on 18 October 2017 , at 10:37. As it says on the page : After RouterOS v4.0beta4, Lua support is removed until further notice My sincere apologies -- I did not see the part that After RouterOS v4.0beta4, Lua support is removed until ...

mozerd

According to the following Manual:Scripting-examples -- file size limitation has been removed Read and write large files Many users requested ability to work with files. Now you can do it without limitations Create and write to file: :global newContent "new file content\r\nanother line\r\n"...

mozerd

A ruckus R710 is a pretty dated unit. An R510 or R610 is newer and I would take a R610 over the R710 anyday. Now lets also skip the B--L$h!+. Ruckus has been on Promo for nearly 2 years. The $650 R510 is readily available on Amazon for ~$250. AND STOMPS ALL OVER THE AUDIENCE. There is ABSOLUTELY [w...

mozerd

But most importantly, Winbox is key software that helps you to get things done. As quickly as possible, in simple and efficient manner. With no animations or other design decisions taking your time. No "..." buttons you have to click to show "advanced" options, that you have to ...

mozerd

Next steps are just useless until there is the ethernet connection.

@bpwl --- You do have the patience of Job ..... my deepest respect for your efforts.

mozerd

after research a lot I decided to buy three RBcAPGi-5acD2nD and get rid of my tp link deco p7. For some reasons I didn’t want to buy the fritz repeater 3000 nor the unifi Modells because I liked the Mikrotiks. After playing around on the weekend with different types of setups I am somehow sad. My s...

mozerd

....... I tested the router this morning and it is back online. I have checked its logs and the last thing I see is a reference to an improper shutdown. There does not appear to be anything else in the logs. What happened? I am guessing I pushed the router into net install mode or something else bu...

mozerd

This does not seems to be true. Changing to 20MHz on 2.4GHz improved the speed greatly. Yes the theoretical speed is halved, but in real world, I can get 5x better speeds on every device... If you have lots of competing wireless transmitters in close proximity to your venue ... that means lots of i...

mozerd

How does one relate to another? :) You can use 20MHz channel and still use MIMO. All those spatial streams operate in the same channel(s). I did not state that you could not use 20MHz channel with MIMO .... I did state that if you want PERFORMANCE you must use 40Mhz ... performance means speed........

mozerd

I for ONE am very impressed with @bpwl contribution .... certainly provides much to contemplate especially if YOU are a GEEK :-) I do not wish to rain on anyone's parade but wireless TODAY wireless is MIMO centric assuming that all devices are MIMO capable [N, AC, AX and 6E] ... so my contribution h...

mozerd

........................ .................... It's fantastic, literally plug and play, didn't have to change any settings on Tp-link switch. Removed all bridges on hex, and the speeds are honestly just 200-250mbps slower on upload than RB4011, the downstream is line rate. Never went past 35% cpu us...

mozerd

You're one very very smart Dude

The ACL's on the 3650 is very rich [granular] but for fire-walling I would use Untangle + this switch .... Check out Untangle .... very rich UTM

mozerd

Any other alternatives?

Cisco Catalyst 3650 Series Switches
This one will meet all of your security objectives plus it will route at wire speed plus do things that you have yet to imagine.

mozerd

@rkrisi Be a little patient and MikroTik will improve the wireless performance in your RB4011 .... it may take another 6 months ... patience is key My suggestion for you is to buy the Ubiquiti nanoHD access Point Connect that to your RB4011 and you will have superb performance beyond your wildest ex...

mozerd

make it more about proper implementation of existing features that needs to be fixed in hardware: SFP+ slot that's not picky and supports SFP/SFP+/passive DAC/GPON modules without any issues Switch chip that supports at least 8 ports at 0.01/0.1/1/2.5/5Gbit/s with hardware VLAN filtering and other ...

mozerd

I would doubt that the hex Routerboard can handle that many dynamic address list entries... MOAB for the hEX and the HAP AC2 currently has 7692 ipset entries ..... the performance hit on the hEX is close to 13% while the HAP AC2 the performance hit is 8%. For Your Information MOAB for the hEX and t...

mozerd

You create a VLAN for all Guest, then add the port for the guest to this VLAN, same with create a own guest Wifi.
Then you make filter rules.

I do not recommend at all mixing in Layer 2 firewall. Do a VLAN and stick til Layer 3 Routing/firewall. Make it simple.

@Jotne is 100% correct ....

mozerd

I offer a 10 free trial of my blacklist service .... check my sig for links

mozerd

Just bought your book on Amazon because I liked what I saw in the preview.

mozerd

Your internet allocated bandwidth will determine your capability on your local network. Having a 10G connection at the switch level will not help to level the load. The 10G connection is best suited for NAS, stuff you will do locally assuming you will have 10G network .... But your 2 switches provid...

mozerd

This is for performace reason, i need to connetc two switches (CRS326-24G-2S+RM) with 10Gbit fiber connection and the router would slow down my routing. MicroTik Switches are not Multi-Layer Switches so Inter-VLAN Routing will have a performance penalty when L3 is used .... Because the switches you...

mozerd

I am not a networking expert but cannot you not ensure that most traffic is contained within the switches?

VLAN Routing: 3 options

mozerd

What do you think about the webproxy stuff near the end: "Blocking Unwanted Websites", to block http traffic - outdated and not useful?? @anav ..... If one uses their TiK router as a webproxy THAT will mean a significant amount of Read-Write cycles will be made on the NAND memory .... not...

mozerd

Is it only me or there's something wrong with double quotes?.. /user set 0 password="!={Ba3N!"40TуX+GvKBz?jTLIUcx/," The double quotes is OK but when quotes are used in the actual password as shown in your illustration that quote must be preceded with the escape character as follows:...

mozerd

Maybe I'm a Martian new on planet Earth :-) Update: newly discovered: the answer seems to lie exactly in this document: https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x To me [like YOU :-)] users are Joe users in a LAN w/o login permission to the router or switch they are connected --- that is...

mozerd

Let's say a user in the morning comes to his seat and turns his office computer on (it was ordinarily shut down the previous work day). So, what happens next? Does he need to login to the RADIUS server first (but how is this supposed to work as he does not have any network access yet, I imagine) be...

mozerd

Mikrotik have recently introduced port-based access control https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x although you need an external RADIUS server. Many other vendors support port-based access control in fully managed and the better smart/web managed switches, entry-level smart/web manag...

mozerd

by default block everything, explicitly define each protocol/port that shall be allowed/opened ." Ie. this is possibly a diametrically opposed method to what most people do. But to each his own, I've my own experience and view on these things and so my own practical requirements regarding netw...

mozerd

I would prefer Tailscale (wireguard SDWAN) over ZeroTier

100% correct

and 100% faster ..... KISS

https://tailscale.com/

mozerd

@mozerd, thanks for clarification and the links. I want to keep this device as is by default: a switch with RouterOS in Bridge Mode, but will need to use its firewall as well. Is this configuration/setup choice a good/acceptable one, or would there be a better configuration/setup in terms of securi...

mozerd

As said above, in my device there are no such default firewall entries present, as far as I can see; I hope I haven't overlooked anything. @mutluit Your switch CRS326-24G-2SplusRM does not have the same default Firewall rules like a Router would have. Your switch default CONFIGURATION is a switch n...

mozerd

Yes, Multi-layer-switches can route at wire speed - MLS .... A multi Layer switch is just a Switch with Layer 3 capabilities... And am sure their traffic passes the CPU before reaching the Switch... A MLS Switch has a dedicated cpu for routing and a dedicated ASIC for switching plus it has Flow Con...

mozerd

If you want to route at wire speed on the switch YOU will need to look at other brands. Route at wire speed on the Switch ? :? What is that supposed to mean? A switch is a switch, it does not route Traffic... The CPU takes part in the Routing Process... Yes, Multi-layer-switches can route at wire s...

mozerd

The MiktoTik switch/router CRS326-24G-2S+RM ( https://mikrotik.com/product/CRS326-24G-2SplusRM ) can use either SwOS or RouterOS. With RouterOS installed, can it be configured to have more than 1 WAN port for Load Balancing the WAN traffic? This switch is good if you want routing inside your LAN be...

mozerd

Lots of good adice for you here @anav :-) On the subnet [vlan] that your daughter's pc lives on -- are YOU 100% certain that there is not a rogue DHCP server doing its thing. So the question you have to ask yourself is .... which devices are running on that specific subnet --- you must confirm [trus...

mozerd

Wireguard is a design disaster in every aspect if used on a router. I'm going to name some: Yes WireGuard does VPN a little differently -- actually a LOT differently. There is the Old way and now the NEW WireGuard way. Yes, there is The Classic Solutions of Routing BUT now there is The New Namespac...

mozerd

And yes 80% of the rules had hitcounts! Throughput in the same broadcast domain is working with full gigabit speed. Very NICE Lab ..... I suspect that the RB3011 would work out well for your LAB. If you are going to keep the SG200-8 then do consider the RB4011 with its quad core CPU ... the combina...

mozerd

I have a small home test environment and use a HEX S (6.45.8) for routing and firewalling: Bridge VLAN filtering setup Vlan ~ 15 via Trunk on eth2 to a cisco sg200-08 IP Firewall Filter rules ~ 75 IP Mangle rules ~ 10 IP NAT rules ~ 10 I am truly impressed with this many rules ... WOW ... How may o...

mozerd

I recommend RouterOS and especially Winbox the GUI administration Tool. Anytime a security issue is discovered MikroTik makes the immediate effort to determine if that security issue is legitimate and fixes the problem if its real The following link is where you can find information on security issu...

mozerd

Right now we are on manufacturing process, as soon as we receive the first batch on our warehouse and be ready to sell and shipping we will notify you with all the details (Cost, Payment Methods, Specs, Shipping, etc,.) please send an email with your details to contacto@ carlitoxxpro.com to we can ...

mozerd

A FYI item:

Install illustration is now available online for Mother of all Blacklists:

The How-To for MikroTik Routers like the RB4011 and CHR
and
The How-To for all other MikroTik Routers having 1G or more of RAM with external file storage

mozerd

Rethinking VPN: Tailscale startup packages Wireguard with network security A whole bunch of tunnels': Mesh networking with per-node permissions and OAuth security ..... Tailscale's product includes several pieces. First, it's based on peer-to-peer VPNs rather than piping all VPN traffic through a si...

mozerd

And .. my subggestion should actually be /ipv6 address add address=::1 from-pool=rogers-ipv6 interface=bridge The address=::1 generated an error condition stating it must be a 64 The good news is that after Router Reboot the bridge unreachable condition became reachable. I switched to a hint ::/56 ...

mozerd

What happens if you set it like this: /ipv6 address=::1 add from-pool=rogers-ipv6 interface=bridge ... or something else instead of ::1 ? In addition, how big is address prefix, received from ISP? ( /ipv6 pool print ) i cannot /ipv6 pool print now as the unit is in another jurisdiction and I will r...

mozerd

ipv6 is configured on the hap ac2 and ether1 [WAN] gets an ipv6 address and the bridge gets an ipv6 address but the bridge is unreachable so non of the attached laptops are getting an ipv6 address. By looking at the config below can anyone please advise why the bridge is unreachable? Redacted Config...

mozerd

Man they should hire you Mozerd! You could bring some sweet stuff to the functionality and to the team some pure Canadian Maple Syrup too!! :-) I am only for hire based on the services I offer from my website ... :) Yep, the MikroTik Team would love Canadian Maple Syrup ... the very best .... even ...

mozerd

"Development" is a download category. There are actual download links. https://mikrotik.com/download You can install it on one of your important gateways and later report how ready you feel it is. Your opinion is valued. Thanks. Once MikroTik adds Wireguard Support and LUA System v4 or wh...

mozerd

v7 is a public beta.

Do you think it's ready for a 7.0 stable release ?

I just checked and do not see v7 under testing, but I do see v7 under development.

So @normis we are far beyond April 1 [April Fools day] so I guess you have a lot more info?

mozerd

MikroTik should be aware of the following

https://www.theregister.co.uk/2020/03/0 ... ment_ipv6/

The site is currently down .... something wrong with the UK but it will be up soon

mozerd

Please include LUA system in v7 so that RouterOS users can make fetching address lists of any size a reality.

mozerd

@pe1chl provided YOU with very good direction and I would highly encourage you to follow .... very specifically the following is absolutely critical in your situation: However, you still will need to invest in some IT consultancy. It is not a good idea to setup such complex networks without knowledg...

mozerd

https://i.mt.lv/cdn/rb_files/1568200626Audience%20-%20qg.pdf Interesting devices. One 5ghz Chain just for audience to audience connectivity (but can be used for other purposes). A dedicated 5ghz Chain for the MESH is very desirable so that the mesh will work effectively. I 4 1 would not recommend d...

mozerd

Very Well Done and great example .... Thank You!

mozerd

User Manager is RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better track of system users and customers. I have not loaded v7 Bx and will not until v7 RC is out -- but I wanted t...

mozerd

Just do the right thing: hire a brand/Product manager and staff who focus on the forums, documentation, and howtos. Make it fun to be a part of the MikroTik community.

@pcunite 100% AGREE
@screamingservers ... good post!

mozerd

it would be a dream because now i have a routerboard+raspberry(wireguard) for every single sites of my fullmesh vpn

Yes absolutely !!!
Dream along with me I am on the way to the STARS

mozerd

That IP address returns the following: person: Piotr Najduk address: Vectra S.A. address: Al. Zwyciestwa 253 address: 81-525 Gdynia address: POLAND phone: +48 58 6248352 e-mail: p.najduk@vectra.pl nic-hdl: PN3299-RIPE mnt-by: PN97052-MNT created: 2012-03-13T10:55:37Z last-modified: 2012-09-24T16:39:...

mozerd

Problem with SFTP server and WinSCP I use WinSCP to move files from my CCR1009 to my Network Server. According to WinSCP Developer RouterOS has a issue in it's SFTP server The SFTP server returns an error But when WinSCP queries the server for a target of those links, the server returns an error. I ...

mozerd

I would suggest that you seriously consider the MikroTik Audience ... especially if you exclusively dedicate one of the 5 GHz radios for the wireless backhaul assuming that you may need to add another Audience to provide FAR superior performance for the 100 hosts you want to service. Audience is a t...

mozerd

@mozerd, I understand that encryption using CPU will tax the CPU, but did not expect it to tax the Hap AC2 cpu by that much, i.e. from OP stats it was 10 fold, i.e. from 23Mb/s to 238Mb/s by disabling TKIP and these figures just did not add up for me. i.e. what did we get back in the day on device ...

mozerd

I understand that tkip is old technology and deprecated and fully anderstand that it can have a huge performance impact on devices like hap lite or even RB2011. Now the hap ac2 is not a beast, but this CPU runs circles around the 2011. So my question is why such a big performance hit on hap ac2? Ye...

Search found 499 matches