Community discussions

Search found 620 matches

by vecernik87
Sat May 25, 2019 1:17 am
Forum: Forwarding Protocols
Topic: How to block neighbours Advertisement
Replies: 6
Views: 2141

Re: How to block neighbours Advertisement

You can't do it with ip firewall. It works only with bridge filter. That means you must have the interface in a bridge, even if it is a single-port bridge.
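The following is an added example, not code from the post above, showing what that answer looks like in practice: the port goes into a single-port bridge and the neighbour-advertisement frames are dropped in the bridge filter. The interface and bridge names are assumptions; the multicast MACs are the standard LLDP and CDP group addresses, and MNDP is MikroTik's own discovery protocol on UDP port 5678.

```routeros
# Added example (not from the forum post). Names ether1 / bridge-ether1 are assumptions.

# 1. Put the port into its own bridge so the bridge filter can see its frames.
#    protocol-mode=none: a single-port bridge has no loop to protect against.
/interface bridge
add name=bridge-ether1 protocol-mode=none comment="single-port bridge for L2 filtering"
/interface bridge port
add bridge=bridge-ether1 interface=ether1

# 2. Drop the usual L2 discovery protocols before they reach the router (chain=input).
/interface bridge filter
# LLDP (IEEE 802.1AB) uses the group address 01:80:C2:00:00:0E
add chain=input in-bridge=bridge-ether1 action=drop \
    dst-mac-address=01:80:C2:00:00:0E/FF:FF:FF:FF:FF:FF comment="drop LLDP"
# CDP uses the Cisco group address 01:00:0C:CC:CC:CC
add chain=input in-bridge=bridge-ether1 action=drop \
    dst-mac-address=01:00:0C:CC:CC:CC/FF:FF:FF:FF:FF:FF comment="drop CDP"
# MNDP (MikroTik Neighbor Discovery) is an IP broadcast to UDP port 5678
add chain=input in-bridge=bridge-ether1 action=drop \
    mac-protocol=ip ip-protocol=udp dst-port=5678 comment="drop MNDP"

# 3. Optional: stop this router from advertising itself on any interface.
/ip neighbor discovery-settings
set discover-interface-list=none

# Check: the rule counters should climb while a neighbour is advertising.
/interface bridge filter print stats
```

If the same bridge carries several ports and the advertisements must not pass between them either, repeat the three drop rules with chain=forward; on a single-port bridge there is nothing to forward to, so chain=input is enough.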
by vecernik87
Tue May 21, 2019 9:17 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 724

Re: Bridge -> root bridge

I thought others might provide an answer. well... Do I need to set RSTP bridge too for my CRS (switch) or let my STP protocol mode on my CRS set to NONE since CCR already handles the root bridge? (R)STP is designed to work with non-STP bridges (Setting to "none" will make it behave almost like it is not...
by vecernik87
Tue May 21, 2019 4:36 am
Forum: General
Topic: Mikrotik offering lease continually without success
Replies: 2
Views: 149

Re: Mikrotik offering lease continually without success

DHCP is a very simple protocol with just 4 steps: Discovery->Offer->Request->Acknowledge. If anything goes wrong, it is usually very clearly visible. 1) do you have any DHCP relays or is it just a pure L2 network? 2) Is there any response or is there no response at all from your client? If the Request c...
by vecernik87
Mon May 20, 2019 2:28 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 510
Views: 117324

Re: RouterOS v7.0 beta1 - when?

Some more difficult parts need to be done and we can release a public beta. @normis : so in other words, the easier parts are done and now we are just a couple of decades from release? (nah, don't get offended. I really, really appreciate everything you do as long as you don't lie to us or keep sil...
by vecernik87
Mon May 20, 2019 6:36 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Please add basic portScan tool ( port scanner scan )
Replies: 27
Views: 7000

Re: Please add basic portScan tool ( port scanner scan )

... 2x times this week different customers needed us to find a CCTV DVR on their system (which is behind our Mikrotik). Would have been so quick via port scan x/24 for port 80 via a ROS ps tool. But instead had to set up a MT + a VPN setup on both sides and a laptop with nmap (about 20-30min, each ...
by vecernik87
Sun May 19, 2019 5:13 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 724

Re: Bridge -> root bridge

8000 hex (32768 dec) is a very common default value all around (Cisco, Juniper, HP, UBNT) although I am not aware of any specs saying that it must be this way. I remember very well an issue with the UBNT EdgeRouter Lite, which had default STP priority 0 on its LAN bridge. On one hand, it makes sense tha...
by vecernik87
Sat May 18, 2019 12:10 pm
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 724

Re: Bridge -> root bridge

I see, to keep bridge MAC consistency, I'll just enable admin-mac with its original IP MAC then. Personally I keep consistency only of the first 3 bytes which denote vendor/function. The second 3 bytes are usually just serially increasing and have no function. That's why I usually change the 4th byte. Keepi...
by vecernik87
Sat May 18, 2019 8:27 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 724

Re: Bridge -> root bridge

So this issue is caused by my CCR Ethernet mac starts with 74::::: No. Your issue was caused by not specifying priority. You cannot depend on MAC addresses because in future, you or anyone else might plug in another device anywhere on the network, which will have an even lower MAC address and bang! Yo...
by vecernik87
Sat May 18, 2019 3:20 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 724

Re: Bridge -> root bridge

http://www.firewall.cx/images/stories/stp-root-bridge-election-1.png The lower one of course: 0x8000.4C:5E:0C:B3:EA:E5 < 0x8000.74:4D:28:38:AA:0A However, if you change the priority of the second bridge with the higher MAC, it will be the opposite: 0x8000.4C:5E:0C:B3:EA:E5 > 0x1000.74:4D:28:38:AA:0A As...
by vecernik87
Fri May 17, 2019 5:14 pm
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 724

Re: Bridge -> root bridge

Will specifying admin-mac remedy this issue? No, it will not. Theoretically you could find a MAC address which would give it priority but that is the wrong approach. And how can I make my bridge the root bridge (even if there are other root ports in the network?) I already told you - give your bri...
by vecernik87
Fri May 17, 2019 10:14 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 724

Re: Bridge -> root bridge

Each bridge has an STP priority. Default is 8000 hex. If you set it lower, it signals to the STP protocol that the bridge is closer to the root. Usually you can see people using numbers like 1000 / 2000 / 4000 etc. to prioritize their root bridge. You can read more about it here: https://wiki.mikroti...
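As an added example that is not part of the thread above, this is the configuration the advice boils down to: give the intended root an explicit priority instead of letting the lowest MAC decide. The bridge name is an assumption; the MAC address is the one quoted earlier in the thread.

```routeros
# Added example (not from the forum thread). bridge1 is an assumed name.

# On the CCR (intended root): the bridge ID is <priority>.<MAC> and the lowest
# ID wins, so 0x1000 beats the 0x8000 default every other bridge keeps.
/interface bridge
set [find name=bridge1] protocol-mode=rstp priority=0x1000

# Optional: pin the bridge MAC so the bridge ID does not change when ports are
# added or removed. With differing priorities the MAC is only a tiebreaker.
set [find name=bridge1] auto-mac=no admin-mac=74:4D:28:38:AA:0A

# On the CRS (not root): leave the default, or give it a value above the root's
# but below the default to make it the preferred backup root, e.g.
# /interface bridge set [find name=bridge1] protocol-mode=rstp priority=0x2000

# Verify on any bridge in the domain: root-bridge=yes only on the CCR, and
# root-bridge-id reads 0x1000.74:4D:28:38:AA:0A everywhere.
/interface bridge monitor [find name=bridge1] once
```

The check is what matters: if a new switch appears with a lower MAC, the monitor output still shows the CCR as root, because the comparison stops at the priority field.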
by vecernik87
Fri May 17, 2019 8:51 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44298

Re: v6.45beta [testing] is released!

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because an attacker can't run a binary (and if an attacker can run a binary, it won't matter because your device is already compromised). If we talk about a VM, then RouterOS (CHR) vulnerabi...
by vecernik87
Thu May 16, 2019 1:28 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44298

Re: v6.45beta [testing] is released!

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really a concern.
by vecernik87
Thu May 16, 2019 3:28 am
Forum: RouterBOARD hardware
Topic: Can't read Voltage via SNMP on CRS112-8P-4S
Replies: 11
Views: 1418

Re: Can't read Voltage via SNMP on CRS112-8P-4S

Long time? Not even 10 years yet. You seem to be a bit impatient, don't you think? :D
by vecernik87
Thu May 16, 2019 1:38 am
Forum: General
Topic: dst-nat with changing port
Replies: 18
Views: 557

Re: dst-nat with changing port

Thanks for the update. Personally I don't think this has something to do with the version. If you are sure that the packet enters the Mikrotik on port 8122 but nothing leaves, it is good - that means you can do something with it. I would suspect other firewall rules (all tables except "raw" can contain the culprit). ...
by vecernik87
Wed May 15, 2019 2:54 pm
Forum: Scripting
Topic: Knock secret daily changeable
Replies: 10
Views: 319

Re: Knock secret daily changeable

So as a very simple first layer, why not. You are literally arguing in favour of plain-text passwords. Can you imagine logging into your Gmail or Hotmail on plain old http? :roll: Sorry, I just can't agree with this approach. And I will warn people every time I notice someone promoting port-knocking...
by vecernik87
Wed May 15, 2019 2:30 pm
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 305

Re: bridge + eoip + horizon = loop [SOLVED]

"default forwarding" on wlan is something different: default-forwarding=yes - data from one wlan client to another (on the same wlan interface) passes directly through the wlan interface. It does not leave the interface (the interface behaves almost like it had an internal bridge). It looks like this: c...
by vecernik87
Wed May 15, 2019 2:18 pm
Forum: General
Topic: RB3011 Optimal Operating temperature
Replies: 4
Views: 164

Re: RB3011 Optimal Operating temperature

let me rephrase, if I understand that correctly (I am also curious about this) "The device is guaranteed to perform the same way, within whole temperature range" Is that right? Or are there any catches? (similar to the "waterproof" phones which must not be submerged despite IP rating) Because I can ...
by vecernik87
Wed May 15, 2019 2:07 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2325

Re: v6.43.15 [long-term] is released!

It is not a happy event, but no need to panic. Things like this have happened to bigger organizations, like the famous Tuesday Patch of Microsoft which used to cause more worry than security. I am not panicking :) I have really great time on older version while waiting for others to take the beat f...
by vecernik87
Wed May 15, 2019 12:39 pm
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 305

Re: bridge + eoip + horizon = loop [SOLVED]

:( I guess last idea: Can you try to sniff the data? That's how I figured out it was caused by RSTP in my case. If you put /tool sniffer on your EoIP, it should show a few packets before it goes down for another minute - one or more of these packets will most likely be those which cause the issues. Or may...
by vecernik87
Wed May 15, 2019 11:54 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 305

Re: bridge + eoip + horizon = loop [SOLVED]

/interface bridge filter
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF comment="drop (R)STP BPDUs forwarded across the bridge"
I guess you could specify ports/bridges to make sure your local bridge will be unaffected.

Edit: removed second rule. I didn't realize that one is the RoMON block, not STP.
by vecernik87
Wed May 15, 2019 11:45 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 305

Re: bridge + eoip + horizon = loop [SOLVED]

Just remember that RSTP can be forwarded from another device. It can be identified as having DST MAC 01:80:C2:00:00:00 / 01:80:C2:00:00:08 - all these dst MACs must be blocked. Sorry to hear it didn't work for you :( It did in my case and it helped many people earlier. What if you really have a loop ...
by vecernik87
Wed May 15, 2019 11:29 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 305

Re: bridge + eoip + horizon = loop [SOLVED]

Most likely a known bug: EoIP generates this every time it receives an (R)STP frame. On my devices I solved it by blocking all input/output/forward (R)STP frames in bridge-filter on both ends of EoIP.
Not sure if it will ever be fixed.
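The post above mentions blocking in all three chains on both tunnel ends; the rule quoted later in the thread covers only chain=forward. The following is an added example, not code from the thread, that scopes the drop to the tunnel interface so the local bridge keeps running (R)STP. The interface name eoip-tunnel1 is an assumption; the same rules go on both endpoints.

```routeros
# Added example (not from the forum thread). eoip-tunnel1 is an assumed name.
# 01:80:C2:00:00:00 is the IEEE STP/RSTP group address; the exact mask makes
# the rule match only that address, not the whole 01:80:C2 reserved block.
/interface bridge filter
# BPDUs arriving from the tunnel and addressed to this bridge
add chain=input in-interface=eoip-tunnel1 action=drop \
    dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF comment="drop BPDU from EoIP"
# BPDUs this bridge would itself send into the tunnel
add chain=output out-interface=eoip-tunnel1 action=drop \
    dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF comment="drop BPDU to EoIP"
# BPDUs from other switches that the bridge would otherwise flood across the tunnel,
# in both directions
add chain=forward out-interface=eoip-tunnel1 action=drop \
    dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF comment="drop forwarded BPDU to EoIP"
add chain=forward in-interface=eoip-tunnel1 action=drop \
    dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF comment="drop forwarded BPDU from EoIP"

# Check on each end: the "from EoIP" counters should stay at zero once the
# far side has the same rules in place.
/interface bridge filter print stats where comment~"EoIP"
```

Because the rules match on in-interface/out-interface rather than on the whole bridge, ports other than the tunnel still exchange BPDUs normally, which is what the "specify ports/bridges" remark in the thread is getting at.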
by vecernik87
Wed May 15, 2019 11:10 am
Forum: Scripting
Topic: Knock secret daily changeable
Replies: 10
Views: 319

Re: Knock secret daily changeable

Are you aware that port-knocking is nothing other than a different variant of a plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don't understand why people still spend so much effort implementing such an insecure approach.
by vecernik87
Wed May 15, 2019 11:02 am
Forum: General
Topic: dst-nat with changing port
Replies: 18
Views: 557

Re: dst-nat with changing port

@cwsupport : Netmap is not necessary. Its only advantage is that it allows a range of addresses to be translated to another range of addresses. In this case, dst-nat is fine because OP needs just one ip/port. I have done this kind of forwarding countless times and there is no special catch to it. @...
by vecernik87
Wed May 15, 2019 10:04 am
Forum: Beginner Basics
Topic: Wireless to POE
Replies: 1
Views: 97

Re: Wireless to POE

Firstly you need to figure out what kind of PoE your camera supports. Not every device is the same. Some require 802.3af, some require 802.3at, some only passive 24V or other.... Even if it's the same 802.3af/at, it can still differ in modes: A or B (endspan/midspan). Be very cautious, if you receive an from s...
by vecernik87
Wed May 15, 2019 9:58 am
Forum: Beginner Basics
Topic: VPN PPTP Passthrough Problem
Replies: 4
Views: 183

Re: VPN PPTP Passthrough Problem

Do you have both rules in the NAT table (chain dst-nat, action dst-nat) and the FILTER table (chain forward, action accept)? Or even better - can you export the related rules or the whole ip/firewall? /ip firewall export hide-sensitive file=asdf.txt Once you download the file, feel free to hide any sensitive data befor...
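This added example, not from either thread, shows the two-table pairing the post above asks about, applied to the PPTP case here and to the "dst-nat with changing port" thread earlier on this page: a dstnat rule and a matching forward accept. Interface names, the internal addresses and the port numbers are assumptions. PPTP needs TCP/1723 for control and GRE (IP protocol 47) for the tunnelled data, and GRE has no ports to match on.

```routeros
# Added example (not from the forum threads). ether1-wan, 192.168.88.10,
# 192.168.88.20 and port 8122 are assumptions.
/ip firewall nat
# PPTP server behind the router: control channel and GRE both go to the same host
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.88.10 comment="PPTP control to internal server"
add chain=dstnat in-interface=ether1-wan protocol=gre \
    action=dst-nat to-addresses=192.168.88.10 comment="PPTP GRE to internal server"
# Port change on the way in: WAN 8122 -> internal host port 22
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=8122 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=22 comment="SSH on 8122"

# The filter table must let the translated connections through. These rules must
# sit above any rule that drops new connections coming in from the WAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1-wan connection-nat-state=dstnat \
    connection-state=new action=accept comment="allow port-forwarded traffic"
add chain=forward in-interface=ether1-wan connection-state=new action=drop \
    comment="drop everything else from WAN"

# Check: the dstnat counters increase while a client connects; if they do but
# the forward accept counter does not, the filter order is the problem.
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where chain=forward
```

Matching on connection-nat-state=dstnat instead of repeating every address and port keeps the forward chain correct when more forwards are added later.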
by vecernik87
Wed May 15, 2019 9:50 am
Forum: Virtualization
Topic: Server 2019 HV with chr-6.44.3 no bridge function
Replies: 2
Views: 102

Re: Server 2019 HV with chr-6.44.3 no bridge function

If something as simple as a bridge does not work, it is either mis-configuration or a bug. - Could you firstly describe more closely what you are trying to achieve and what exactly does not work? (i.e. how to reproduce the error). - Does normal forwarding or at least Rx/Tx on the Ethernet ports work? - Is it re...
by vecernik87
Wed May 15, 2019 9:43 am
Forum: RouterBOARD hardware
Topic: hap ac2 din rail mount [SOLVED]
Replies: 2
Views: 231

Re: hap ac2 din rail mount [SOLVED]

Haven't tried but if you look for "din rail universal bracket" or "din rail universal mount", you will find thousands of little plastic clips. Some of them might be easy to screw on existing hap ac^2 transparent stand. Then you clip your stand to din rail, clip your router on it and you are done :)
by vecernik87
Wed May 15, 2019 8:00 am
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2325

Re: v6.43.15 [long-term] is released!

Support got back really fast. No wonder. A memory leak in the "long-term" (previously "bug-fix") branch is a ridiculous failure of their QA team. I find it sad if we can't rely even on the most stable branch. Maybe it's time to offer money for better support? If the fee is reasonable, I wouldn't have proble...
by vecernik87
Tue May 14, 2019 5:42 am
Forum: Forwarding Protocols
Topic: Jumbo Frames, L2MTU mismatch with RouterOS crashing
Replies: 3
Views: 316

Re: Jumbo Frames, L2MTU mismatch with RouterOS crashing

Thanks for sharing! This is actually very interesting to know.
I wouldn't expect it but I am also not very surprised since ROMON has unresolved issues when connection has less than 1500 MTU (typically L2 tunnels etc..)
by vecernik87
Mon May 13, 2019 4:40 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2325

Re: v6.43.15 [long-term] is released!

*) webfig - improved file handling; *) winbox - improved file handling; Which CVE is it this time? :lol: Did it at least require authorised user? (before you start hating me, remember that I don't mind about vulnerabilities. They are everywhere. I mind, when vulnerability is silently fixed without ...
by vecernik87
Sun May 12, 2019 5:33 am
Forum: Virtualization
Topic: CHR does not transmit frames with VLAN tags from bridge
Replies: 4
Views: 620

Re: CHR does not transmit frames with VLAN tags from bridge

update: I just got chance to test this config on ESXi 5.5 and surprise-surprise, it works! (obviously, vlans and promiscuous mode must be enabled on virtual switch)
by vecernik87
Thu May 09, 2019 3:08 pm
Forum: General
Topic: EOIP TCP problem
Replies: 6
Views: 355

Re: EOIP TCP problem

Without EoIP, on the same latency, do you get better results?
I can't imagine how you could get any reasonable speed on TCP with 60ms latency. That delay is just killing it.
by vecernik87
Tue Apr 30, 2019 9:57 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1087
Views: 185167

Re: formal port knocking

I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).
Kids control.
'nuff said
by vecernik87
Fri Apr 19, 2019 1:59 am
Forum: RouterBOARD hardware
Topic: 750 gr3 bin bios file
Replies: 5
Views: 373

Re: 750 gr3 bin bios file

Well, the "fwf" file is exactly the firmware which I talked about and which is part of every "bundle" or "system" NPK package.
If OP thinks he needs a "bin", well, that's his choice. I already told him there is no such thing.
by vecernik87
Thu Apr 18, 2019 6:54 am
Forum: Beginner Basics
Topic: Remove interface from console [SOLVED]
Replies: 2
Views: 192

Re: Remove interface from console [SOLVED]

remove all dynamic interfaces: /interface sstp-server remove [/interface find dynamic] remove a particular interface (in this case a connected SSTP client): /interface sstp-server remove [/interface find name="<sstp-vecernik>"] As far as I know, you can't issue the command "remove" for all interfaces in /in...
by vecernik87
Thu Apr 18, 2019 6:24 am
Forum: RouterBOARD hardware
Topic: 750 gr3 bin bios file
Replies: 5
Views: 373

Re: 750 gr3 bin bios file

There is no such thing published by Mikrotik. If you want, you can download the NPK and unpack it (not that hard - all tools were made public by security researchers over a year ago. If you can't, don't really bother with anything else). Once unpacked, you can go through the files and identify the one which yo...
by vecernik87
Mon Apr 15, 2019 9:51 am
Forum: Beginner Basics
Topic: L2 connection mikrotik<->mikrotik breaks some https connections
Replies: 2
Views: 179

Re: L2 connection mikrotik<->mikrotik breaks some https connections

EoIP usually comes with a lower MTU caused by the fact that it is a tunnel, which leads to some overhead. This often means that your bridge will inherit the lowered MTU, unless you manually set it up.

Try to change MTU on your bridge manually to 1500 :)
by vecernik87
Sun Apr 14, 2019 5:24 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 219
Views: 44298

Re: v6.45beta [testing] is released!

I have a CHR install on which CAPsMAN is running. On 6.45beta27 I noticed that when I try to see on Winbox the "Configurations" tab under CAPsMAN settings or "CAP Interface", Winbox closes/crashes without any error in the Log window. I also updated to the latest beta (6.45beta31) and still the issue persists. My win...
by vecernik87
Sat Apr 13, 2019 7:21 am
Forum: Beginner Basics
Topic: Router for my new home!
Replies: 14
Views: 810

Re: Router for my new home!

Hey :) Well, you can use something like this https://mikrotik.com/product/RB951Ui-2HnD or this https://mikrotik.com/product/RB951Ui-2nD Recommending the RB951Ui-2HnD in the year 2019 is ridiculous. This model has been here for ages. It does not have gigabit ports, the CPU has just one core, wifi is just 2.4GHz...
by vecernik87
Fri Apr 12, 2019 4:32 am
Forum: General
Topic: OpenVPN. Connected. Hex can ping, local pc's can't.
Replies: 6
Views: 338

Re: OpenVPN. Connected. Hex can ping, local pc's can't.

add action=accept chain=input this one is a BIG security issue. Your first rule literally says "accept any packet from everywhere, including wan". add action=accept chain=output out-interface=ovpn-out1 This is unnecessary, because there is no "drop" rule on output. Implicitly, every output will be allo...
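As an added example that is not part of the post above, this is an input chain that replaces the blanket accept: the router accepts replies to its own traffic, management from the LAN, and nothing else from the WAN, while the output chain is left implicitly open as the post describes. Interface names and list membership are assumptions.

```routeros
# Added example (not from the forum post). bridge-lan and ether1-wan are assumed names.
/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=bridge-lan
add list=WAN interface=ether1-wan

/ip firewall filter
# Rules are evaluated top down, so the broad accepts for known-good traffic come first.
add chain=input connection-state=established,related,untracked action=accept \
    comment="replies to connections the router started or already allowed"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Management (WinBox, SSH, DNS for clients, etc.) only from the LAN side
add chain=input in-interface-list=LAN action=accept comment="LAN to router"
add chain=input protocol=icmp action=accept comment="ping"
# No "accept all": anything else arriving from the WAN is dropped, which is
# what makes the unconditional chain=input accept unnecessary and dangerous.
add chain=input in-interface-list=WAN action=drop comment="drop other WAN input"

# Check: the last rule's counter should grow from Internet background noise
# while the router stays reachable from the LAN.
/ip firewall filter print stats where chain=input
```

The OpenVPN client interface (ovpn-out1 in the post) needs no input rule at all: the router initiates that connection, so its replies already match the established,related rule.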
by vecernik87
Fri Apr 12, 2019 4:01 am
Forum: Scripting
Topic: Fail-Over
Replies: 8
Views: 631

Re: Fail-Over

ahahahahaha: /tool fetch mode=https url="https://#####.com/Crenein-Install-FaOv.rsc" /import file="Crenein-Install-FaOv.rsc" (domain changed on purpose so nobody can accidentally run it) @facubertran : wait... seriously? Do you expect anyone to download and run ambiguous script on their device? Why ...
by vecernik87
Fri Apr 12, 2019 3:56 am
Forum: General
Topic: OpenVPN. Connected. Hex can ping, local pc's can't.
Replies: 6
Views: 338

Re: OpenVPN. Connected. Hex can ping, local pc's can't.

If you were on the same subnet, I would say you are missing arp-proxy on your LAN interface - a very typical situation. However, you are saying that there is a different subnet on each side. That suggests you don't have correct routes and/or the firewall is blocking the communication. Could you share more in...
by vecernik87
Fri Apr 12, 2019 2:48 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1087
Views: 185167

Re: Feature requests

To be honest, this is one of features which would be amazing and very appreciated. Although it is possible to do through third-party device, it would be much more convenient to do it directly through ROS. Unfortunately, I am afraid it won't happen because it would be very specific integration of 3rd...
by vecernik87
Fri Apr 12, 2019 2:15 am
Forum: Beginner Basics
Topic: Why is my speed cut by 75%??
Replies: 9
Views: 522

Re: Why is my speed cut by 75%??

No worries, happy to help :)

ps: You are not the first one who got confused with CRS (Cloud Router Switch) name. Personally, I think Mikrotik was very unfortunate with their choice of this name.
by vecernik87
Fri Apr 12, 2019 2:08 am
Forum: Beginner Basics
Topic: RB2011UiAS CPU load 100% and only 20Mb traffic
Replies: 5
Views: 322

Re: RB2011UiAS CPU load 100% and only 20Mb traffic

Duplicate of https://forum.mikrotik.com/viewtopic.php?f=13&t=147535 ? I already gave you the answer there and surprise-surprise - it's almost the same as what @enggheisar said here. Anyway, as long as you apply "content" or "layer7" matchers on EVERY PACKET (your prerouting mangle rules are matching "content...
by vecernik87
Thu Apr 11, 2019 12:50 pm
Forum: Beginner Basics
Topic: I can't get more than 20MB trafic, help
Replies: 2
Views: 187

Re: I can't get more than 20MB trafic, help

with so many firewall rules, poor RB2011 must be screaming in pain. to be more specific: - sniffing mangle rules! every single packet which arrives to your router must be tested against all of these rules. If it gets matched, then it also creates additional CPU utilization. - forwarding filter rules...
by vecernik87
Thu Apr 11, 2019 11:20 am
Forum: RouterBOARD hardware
Topic: S-3553LC20D support fiber drop cable ?
Replies: 1
Views: 160

Re: S-3553LC20D support fiber drop cable ?

drop cable usually can maintain around -19~ -21 dBm. attenuation always depends on type and length of the cable. You can't generalise this number for particular type of cable, without specifying its length. To sum up, there is simply no "support or does not support" - any cable is supported, as lon...
by vecernik87
Thu Apr 11, 2019 6:59 am
Forum: RouterBOARD hardware
Topic: PowerBox and non-Poe devices: Will it damage devices like a laptop? [SOLVED]
Replies: 5
Views: 309

Re: PowerBox and non-Poe devices: Will it damage devices like a laptop? [SOLVED]

You got it exactly right! However, for future reference / other readers, I just want to point out that passive PoE on injectors is not the same - it does not have this auto-negotiation, therefore it is always on. Only RouterBOARDs have auto-negotiation support for passive PoE. You may also find that som...