MikroTik

dmitris

fyi, "Openvpn connect" client don't call such error in Mikrotik logs and also much faster bringing up TAP interface than "OpenVPN community" client.

Tried on Win10, macOS Big Sur

dmitris

No he is not first person...use search and you will find my posts also in this thread about the same problem. Our problem was solved with newer ROS. As far as I know, you are the first person to report this lockup under ROS. This entire thread has been about SwOS. P.S Don't use long-term software, u...

dmitris

Hi, we have also in our production CCR1036-8G-2S+ router and it's connected on sfp+_port1 to Juniper qfx5100. A couple days ago we also started seeing warning messages "sfp1_plus - error on link". Version of mtik is 6.46.1. Will try to upgrade to the latest software available.

dmitris

Did you read this manual ? There are is pretty clearly explained how to configure dst-nat.
https://wiki.mikrotik.com/wiki/Manual:I ... nation_NAT

dmitris

https://wiki.mikrotik.com/wiki/Manual:I ... N_examples

dmitris

When you have ping issue peel in Tools>Profile> CPU Total (start) and chek that CPU load usage is ok, maybe it's overloaded in some moments.

dmitris

Still have problem with window size reverted after closing winbox.
Winbox v3.24 - 64bit
Windows 10 Pro - Build 18363
2 x 4k display - Scale 150%

dmitris

Are tcp port 1723 and gre(47) allowed in firewall from wan to input chain of Mtik?

dmitris

The simplest way is adding ether1 to bridge. Don't forget to disable dhcp server and firewall on hap lite, that's all. Also u can change dhcp client from ether1 to bridge.

dmitris

You should know it's not possible to use two default routes simultaneously without marked packets.

Read https://wiki.mikrotik.com/wiki/Manual:PCC

dmitris

We had similar problem with CRS326 switches, Mikrotik support suggested us to upgrade ROS to the latest stable (not long term) and after this upgrade switches still working fine 2-3 months wihtout a problem. Yes, running RouterOS. Initial post amended to include versions of firmware and rOS. The dev...

dmitris

I have to start from quite a faraway point. One would expect that a firewall would only allow a TCP connection to establish when it receives a SYN packet from a client towards the server. But this requires a bit more resources to analyse the packets, so the connection tracking module allows to redu...

dmitris

Hello, i would like to extend this topic further, i have similar situation where lots of connections are established toward my client with 0/0 orig rate and bytes. I see that these connections are established backward only when client established connection to some https server. How i can filter suc...

dmitris

Hi all, i'm alone who have problem with winbox64 v3.22 and v3.21 on MacOS Catalina 10.15.4? To be precise i can't connect to any Mikrotik with latest ROS. Winbox window is splashing for a second and nothing happens. In Mikrotik log i see that user loged in and logout by winbox. Any ideas how to solv...

dmitris

LTS 6.44.5 - 6.44.6 didn't help us and Mikrotik support suggested us to upgrade to latest available software 6.45.7. After upgrade it's working now more than 1 month without problem....

dmitris

Thank you Sob!

It's all what i want to know...

btw,
Juniper devices have ftps-extension alg which does work with such type of traffic and this is why i was so curious about mikrotik ftp helper.
https://kb.juniper.net/InfoCenter/index ... id=KB19444

dmitris

Hello,

I'm just curios, does Mikrotik ftp nat helper working when enryption is used and FTP configured to work in passv mode ?

At this moment i can reach server only when passv ports are dst-nated to host under ip>firewal>nat settings

BR,
Dmitris

dmitris

I see that your static routes with different masks?!
You should check if routers can communicate over eoip tunnel (try ping)...if it works try to disable under firewall settings "drop" forwarding rule.

dmitris

This should work
https://robert.penz.name/1412/accessing ... linux-box/

P.S

Just checked on my Raspberry (debian 10). Working like a charm

upd:
Seems that this utility not working with latest ROS
https://github.com/haakonnessjoen/MAC-Telnet/issues/59

dmitris

Look at the bottom of this Manual page...

https://wiki.mikrotik.com/wiki/Manual:Interface/LTE

dmitris

Glad to hear that your connection performing better.

dmitris

I'm using this one, helps a lot. Look at ssh example.
https://wiki.mikrotik.com/wiki/Brutefor ... prevention

dmitris

Hi, i'll suggest you to apply to certified Mikrotik consultants for such large planning and installation solution.

https://mikrotik.com/consultants

dmitris

I suppose that this one will help you....It's not converting 802.3af/at. It's using power adapter which you received with your hAP ac²
https://mikrotik.com/product/RBGPOE

dmitris

https://mikrotik.com/product/RBSXTLTE3-7 The SXT LTE (product code RBSXTLTE3-7) is a special variant of our popular SXT device, and doesn’t include a 802.11 wireless device. Instead, it has a built in high quality LTE Category 3 modem for speeds of up to 100Mbit/s downlink and 50 Mbit/s uplink. You ...

dmitris

This is why i don't like SwOS at all...no logs, no ssh....but it's very cheap

)

dmitris

In my opinion, Mikrotik switch can't obtain upgrade software info because you defined a static IP on it. As you can see you defined only static IP but there are no fileds for mask, gateway and dns and hence device don't know how to reach update server. P.S Personally i have same behavior on this dev...

dmitris

Go the System>Watchdog is there any IP-address specified ? Watchdog reboot device when your device run in some troubles. (hardware or software). If you didn't specify IP-address under watchdog and reboot was initiated by watchdog then you should see "suppout.rif" under Files menu. https://...

dmitris

How many times you tried to re-insert address-list already?

i'm also using dynamically created lists with 30 days timeout and they works like a charm until reboot or timeout expiration..

dmitris

Why you don't even try to search on the forum? https://forum.mikrotik.com/viewtopic.php?t=37522 When script is ready, you need setup scheduled start of this script. In winbox : System>Scheduler P.S You should know that time-outed address-lists are dynamical entries, if router rebooted then it will d...

dmitris

Seems like your router is rebooted every 24h, can you confirm that? If yes this is why your address-list with timeout is gone.

Instead you can use scheduled script which will disable allowing rule.

dmitris

There is no need of a poe calculator... the omnitik has a psu of 60 watt. The consumption of all the devices ( max ) including the GPeR is less than 50 watt... So? At such distance there will be voltage drop ca 5V and I forget that Mikrotik devices works even in range 11-30V, in theory should work ...

dmitris

This dimitris is just in theory... sorry to dissapoint you but in practice is not exactly like that...! At least you can not be certain... I ve seen UTP CAT5e cables with length of 60-70m perform poorly and i ve seen also UTP cables with length over 100m perform well... Yes, i'm aware about this......

dmitris

Definitely it will not work at all or if it will connection between nodes will be unreliable....

dmitris

The problem with the switches still does presist: ERROR: Could not determine latest version, probably no internet connection. Use manual upgrade. Don't be concerned about this problem now....It's not related to your current issue at all... Find you iPad MAC address, than log in your AP's and look a...

dmitris

You need to establish GRE tunnels between A<>B and B<>C and this will be interface, than you should define /30 on these interfaces and than you can route traffic between sites.

dmitris

From your logs i see that devices is roaming very often in short time for some reason... f.e this one 22:52:34 wireless,info 24:1B:7A:94:74:AF@wlan2: disconnected, registered to other device in network 22:53:33 wireless,info 24:1B:7A:94:74:AF@wlan2: connected, signal strength -70 22:55:46 wireless,i...

dmitris

Maybe you have broadcast storm in your environment...configure lacp on sw side too or configure Broadcast Storm Control, by default it's 100% set it to 5%. https://wiki.mikrotik.com/wiki/SwOS/CSS326#LAG Maybe RSTP playing with you rough game, as you said all switches are with def conf. You should co...

dmitris

Are these PC-s have only single connection to the switches?

dmitris

RSTP - Rapid Spanning Tree Protcol, it help prevent bridge loops in networks.
https://en.wikipedia.org/wiki/Spanning_Tree_Protocol

dmitris

Do not use CCTV over WiFi, only cabel.

dmitris

Please make pictures of your configuration and post here.

dmitris

First of all it's useless in your network topology, the second one that it can be a source of your current problem...i'm just proposing an ideas what can help you...

dmitris

Definetly Mikrotik products is not for all especially for persons whois not tech savvy at all

dmitris

NB! Do backup from all devices before modifying config... 1. On router and all APs define IP-address on the bridge1 not interface. /ip address add address=192.168.88.x/24 comment=defconf interface=bridge1 network=192.168.88.0 - 2. On all APs you have configured dhcp-relay! Why? Disable it because al...

dmitris

Go to the interface>lte>cellularTAB
IMSI = 505 90 0202336000
505 == MCC
90 == MNC;

dmitris

Thx for precise information...

Do you have any PC's which are connected to this network with cable or all devices using internet only over WiFI?

Also i will suggest to check ether1 port on SXT for link downs. Look at Interfaces>ether1>statusTAB>Link downs= number.

dmitris

Let's assume that when interruption occurs and you client connected to the "AP Maja" try to ping all others ap's and switches, what is the result than?

BTW try login into your switches and check that you don't have tx/rx errors on ports.

How long is the cable between sw1 and sw2?

dmitris

Hi, HNAT rule must be first under NAT facility. Try to change position of HNAT rule and it should work. /ip firewall nat add action=masquerade chain=srcnat comment="NAT LOOPBACK, pre NAT pravidla neurcovat SRC interface" dst-address=192.168.2.0/24 log=yes log-prefix=NAT_LOOP: out-interface...

dmitris

I'm just curious, maybe anybody from Mikrotik support team can comment on this issue, do you aware about this behavior?

P.S
At this moment i'm afraid to use Mikortik switches for commercial services in our environment....

dmitris

Hello Rudolfs, thank you for asking me this questions. Yesterday i tried to upgrade MQS only over WiFi, LAN port wasn't connected...
Just tried over LAN connection and upgrade was successful.
Thank you again!

dmitris

I just tried to upgrade from versios 1.1p and i receive continuously following message. ERROR: Upgrade failed - invalid firmware file.
Device reseted and no changes made before upgrade...

File name:
firmwareRouterBoard_MQS_v1.4-1571828907.fwf

dmitris

Try this one..

viewtopic.php?f=2&t=54607&p=571073#p571073

dmitris

Maybe Philips Hue have an old gateway ip addr ? Check ip and dns configuration on this device.

dmitris

I will suggest you to leave mgmt ip in your current subnet so you can monitor switches if some clients start complain and definitely set a password for each switch....

dmitris

Try this command:

/interface wireless export

dmitris

Why you are so concerned about mgmt ip?
Just change swos mgmt ip addres to something like 10.10.10.10 and uncheck all "Allow From Ports".

dmitris

I checked your configuration and i don't see any granting rule to ssh. /ip firewall filter add action=accept chain=input comment="Allow SSH" dst-port=22 protocol=\ tcp * * Second thing i would not recommend to expose Winbox service to all, it's very insecure... Also you can check remotely,...

dmitris

in contradictory i want to say that DST-NAT in PREROUTING chain and it is done before routing decision, not after as you said, check packet flow diagram.... DST-NAT is indeed in prerouting. However, the NAT rules are about SRC-NAT and that's done in postrouting which comes after routing decision. S...

dmitris

When subnets is made, you can simply add src-nat for each subnet.. Is it really this simple? My impression is that dst-nat is done after routing decision is made (which actually selects the out-interface). Which means that src-address property in NAT rules example doesn't help. Instead it would be ...

dmitris

in contradictory i want to say that DST-NAT in PREROUTING chain and it is done before routing decision, not after as you said, check packet flow diagram....

dmitris

I just checked your rule and i think it will not work, correct one is:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 dst-address=192.168.88.246 in-interface=ether1 protocol=tcp to-addresses=192.168.88.246 to-ports=8080

dmitris

Now i see, the simplest way to do that is divide 1 x /24 to 2 x /25 it will give you two separate subnet spaces: IP-s: 192.168.1.2 - 192.168.1.126 MASK 255.255.255.128 GW LAN1 == 192.168.1.1/25 IP-s: 192.168.1.130 - 192.168.1.254 MASK 255.255.255.128 GW LAN2 == 192.168.1.129/25 When subnets is made,...

dmitris

Can you make a network diagram? Maybe than we'll understand better what you want to achieve.

dmitris

Good, so you problem is solved? Please mark this thread as solved.

dmitris

Wire speed can be achieved only on first bridge, all others bridges are software this is why you have low perfomance. /interface bridge add name=TRUNK add name="b-LAN OLD" add name="bridge I/OT" add name="bridge guest WIFI" here explained how to correctly setup Switch R...

dmitris

In particular situation it's just for example. Basically this rule will make dst-nat from WAN network to host 192.168.88.x and port 80, you can modify host and port as you need it. Also as "Anumrak" said, you can use static routes on both ends to achieve net to net connection. On router wi...

dmitris

At least on Mikortik RouterOS packages web page, nothing about SIP...
https://wiki.mikrotik.com/wiki/Manual:System/Packages

dmitris

It's very simple use dst-nat on router with subnet 192.168.88.0/24

/ip firewall nat add chain=dstnat in-interface=ether1-WAN to-addresses=192.168.88.100 to-ports=80

dmitris

For CRS3xx and CSS326, the port lock will restrict MAC address learning (a static host addresses should be configured). You can allow the switch to learn the first frame it receives, this requires both options enabled. Learning of the first MAC address will reset every time an interface status chan...

dmitris

Thank you, this is what i expected to see =)

dmitris

Can you run commands on your R2 and post here output :
/ip route print detail
/ip dhcp-client print detail

dmitris

If i understood correctly....This rule will forward udp 49049 port from WAN to your LAN solar inverter

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1-gateway dst-port=49049 protocol=udp to-addresses=IP-OF-SOLAR-DEVICE to-ports=49049

dmitris

I checked your configuration of R1 and R2 and i'm totally confused. Your configuration should not work.... On R1 ether5 removed from bridge ... and on R2 ether1 used as WAN with dhcp-client on it.....it means that R2 will not get WAN ip and will not work.. Are u sure that R2 connected to eth5 on R1?...

dmitris

try to add ...

dst-port=25,587,465,110,995,143,993

dmitris

Sorry my fault..

Look at mikrotik packet flow diagramm:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

"hotspot-in" on prerouting chain and it's first stage where packet goes this is why u can't block others ip. I think you should setup ip blocking in hotspot itself....

dmitris

What encryption and ciphers on ipsec configured ?

viewtopic.php?t=94931

dmitris

Try in mangle on prerouting chain...

/ip firewall mangle
add action=drop chain=prerouting in-interface=ether5 log=yes log-prefix="Dropped " src-address-list="!ether5 allowed ip"

dmitris

If you want reach mail server outside you organization, you can use src-nat for this... /ip firewall nat add action=masquerade chain=srcnat disabled=no dst-port=25,587,465,110,995 \ out-interface=WAN1 protocol=tcp add action=masquerade chain=srcnat disabled=no src-address=YOUR-SUBNET-HERE \ out-inte...

dmitris

check under /tool profile, what exactly using RB CPU so heavily

dmitris

indeed, rb2011 don't support ipsec hw acceleration at all. When CPU usage is permanently 100% than router behaves unpredictable (internal facilities like nat, dhcp, ipsec,etc not working) BTW what encryption are used under ipsec peer and policies. Do you use encryption on PPPoE also? Look at PPPoE p...

dmitris

What is CPU load on both sides when you copying files?

dmitris

Also i will suggest using for each site different VLAN\subnet, than you can have fine tuned firewall between sites. Also use on wireless PtP strong password and hide SSID on receiving side it will help you from passers by, but not from directed attacks.

dmitris

Maybe this one will be helpful for you?

https://youtu.be/YJxVm6jZYiU?list=PLfpN ... EM5&t=1678

dmitris

On R1: /interface bridge port add bridge=bridge comment=defconf disabled=no interface=ether5 This should help you... When you enable ether5 back, try to ping on R2, 8.8.8.8 Basicaly your R2 should get ip from R1 and use it as WAN ip. If it still not working, please post here export from R2: /interfa...

dmitris

Can you post your configuration here not in PDF file ? Example conf /interface bridge add admin-mac=4C:5E:0C:25:00:00 auto-mac=no name=bridge protocol-mode=none /interface wireless set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=\ 20/40mhz-Ce country=etsi distance=indoor...

dmitris

If you want solve this issue, you need post here 2 things:

1. HMA Requirements for PPTP
2. You RB configuration

dmitris

So, then you should check configuration of your RB under these options, look below.

/interface pptp-client
/ppp secret
/ppp profile

dmitris

Check on your RB server allowed encryption types and then on your client side that that might be issue. What is saying your client logs? Also post here your RB config parts. /interface pptp-server export hide-sensitive /interface pptp-client export hide-sensitive /ppp secret export hide-sensitive /p...

dmitris

I think you are using wrong config to detect youtube traffic with L7 protocol, because this traffic is encrypted, and you can't simply see detail in the packet
You should look at TLS Host option in advanced tab.

dmitris

You should provide more information about your environment, both client and server.
What saying RB log?

dmitris

Maybe you need something like this?

On R2:

/ip dhcp-client
add comment=uplink dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="Masq LAN" out-interface=\
ether1 src-address=10.0.1.0/24

dmitris

We are also using in our production 10 x CRS326-24G-2S+ and two of them experienced the same issue. The devices itself are not at heavy load, on uplink max 5Mbit/s and cpu load 0-5%....BTW i can connect to hanged devices over console port, logs are ok but traffic is not passing in/out....Last hang 0...

dmitris

use execute {command}
if ([execute {ping 8.8.8.8 count=3}]!= 0) do={put "ok"}

Hi There, seems this solution not working as expected. Does anybody solve this task in other manner ?

[admin@mtik] > :put [:execute {/ping 192.168.88.1 count=5}]
Output:
*d3

Search found 94 matches