MikroTik

vecernik87

*) on update, Winbox will check that code is signed by MikroTik and not somebody else; Unfortunately this check still seems insecure. I remember your report ages ago and I always wondered how long till they fix that. I find this unbelievable that update process is vulnerable like that. Well, good t...

vecernik87

Does it matter who hijacks it? Just publish your IP here or on FB/Twitter with hashtag #hackChallenge and soon you will have your results.

vecernik87

Just a follow up on previous answer (which is quite sufficient) Better advice would be to not use vlan 1 at all, as it is used for internal purpose by too many manufacturers. VLANs like 1,2, 4095 etc are quite popular among manufacturers for separating traffic internally and some devices simply stri...

vecernik87

Dude is no longer being actively developed and there is no way to protect the password. If you hide the error message, bad guy will simply replace the EXE with custom made program which shows any argument sent to the program. (that is as easy as it sounds)

vecernik87

One thing that nobody mentioned: vlan interfaces are "dumb" tag injectors. They don't implement any logic. Just inject tag or strip tag, depending on the direction and that pose a risk of tagging already tagged frames. And I am not talking about QinQ. I am talking about 3, 4 or even 5 layers of tags...

vecernik87

DHCP is L2 protocol. To give IP based on port, you will need to separate those ports from bridge (break L2 segment and therefore L2 broadcast/multicast). Next you create separate DHCP server per each port. Last (optional) step is to set ARP proxy for your LAN. That way, it will look like it is still...

vecernik87

Ok, we are slowly getting to area, which might get us banned (or at least topic locked/deleted) and I don't feel comfy with that. XG is real beast. I agree with you that 1500 is made up number (together with all other "up to XXX clients"), but truth is, that if any device can handle many clients, it...

vecernik87

If you are experienced and know exactly what you are doing, sure. But I guess in such case, you wouldn't be asking. Also, keep in mind that soldering will certainly void any warranty on the product.. If your product is still under warranty and you don't see bent pins, I would recommend to contact yo...

vecernik87

We had similar discussion earlier - people asking to add a confirmation to "disable" and "remove" buttons, because "what if I accidentally click it" ? Well guess what? You can accidentally add a route, which will break stuff. You can accidentally reorder firewall rules which will break stuff. You ca...

vecernik87

few cents from my experience: maximum capacity of 300 people that I need to cover with around 250-300 wireless clients Please decide if you really talk about capacity of the room or about expected amount of clients. By my experience, these are not the same. I have several similar rooms around the ci...

vecernik87

I wanted to make it non-intrusive but okay - note taken and blame fully accepted :) @krisjanisj Could you please also react to the topic to clear it up? It seems that both sides are pretty confident about their truth and for future reference, it would be good to have a clear solution. Or ideally - c...

vecernik87

I feel almost bad for providing some feedback.
Sorry for not providing some hard data. And thanks @Emil66 for all explanations and patience. I don't have as much time recently, as I would like. And I would probably ragequit anyway in the process.

vecernik87

1) any srcnat (srcnat/masquerade/netmap...) rules with manually specified range of ports? 2) any content/L7 conditions in your firewall rules? if not, what other conditions do you usually use? 3) do you have "accept established/related" filter rule in forward chain on top of your rules? 3) what is t...

vecernik87

I wouldn't advise to use raw-prerouting rule. It might have negative impact on speed of all (including fasttracked) connections. Original idea with filter-input rule was was better. It was probably just incorrectly placed on the end of all rules. Raw-prerouting is great for specific purpose - when y...

vecernik87

Thanks a lot for all the help and information. I just needed to know that it's possible but you've given me plenty more than just that info. As long as it's doable I'm sure I can make it work (eventually). I'm going to go ahead and place my order. Absolutely doable. I use this very often. I actuall...

vecernik87

Exactly as Anav said. This is not adidas (more stripes = more adidas = better). More bridges are not better. More bridges are bad and lead to serious misconfigurations

vecernik87

@ADahi : That is not a solution. He clearly wants to work with string . If you do local string true; , then you got variable named "string" containing boolean value. There would be no point in converting it to boolean if it already is boolean. @sin3vil : If you really require it to work with "true"...

vecernik87

Any reason to create multiple topics? viewtopic.php?f=2&t=145875

I am really starting to believe that you are shareholder in one of key companies and you want to promote this craziness...

vecernik87

I have a list of 4 or 5 questions This is typical trouble with ticket-based support. It is not designed for multi-question cases. I did this mistake few times as well (although not with mikrotik) and I learned quickly that putting multiple questions into single ticket is impossible. Even with norma...

vecernik87

I am not 100% sure because I didn't test it, but there is protected-routerboot option. This is extremely dangerous as it disables both netinstall and console access. If your device malfunctions and you can't log in via network, you will have little chances to restore it. Due to that, I would also su...

vecernik87

If you drilled several holes next to each other (making a little grid), it would have same function but nothing could fall inside.

Maybe I should share my own hack - remove whole cover and temperature will be reduced even more! (what a surprise, right?

)

vecernik87

Just clarification of previous post - you don't need RouterBoard (physical device), but you need a RouterOS on both ends. Thats because EoIP is proprietary extension of GRE and as far as I know, nobody else supports it except Mikrotik. RouterOS can be either on physical device (RouterBoard) or on vi...

vecernik87

I think replies above forgot what "cheapest" means. literary "cheapest" is rb750gr3 (hEX) as it costs only 59 USD. slightly more expensive is already mentioned rbd52g (hAP ac^2) which is 69 USD but gives you twice as many CPU cores and integrated wifi. top "cheap" model would be (again already menti...

vecernik87

Thanks for feedback! This info is very appreciated. I was really wondering what will be the issue and I definitely didn't expect something like that.

vecernik87

You can't do it with ip firewall. It works only with bridge filter. That means you must have the nterface in bridge, even if it is a single port bridge

vecernik87

I thought others might provide answer. well... Do I need to set RSTP bridge too for my CRS (switch) or let my STP protocol mode on my CRS set to NONE since CCR already handle the root bridge? (R)STP is designed to work with non-STP bridges (Setting to "none" will make it behave almost like it is not...

vecernik87

DHCP is very simple protocol with just 4 steps: Discovery->Offer->Request->Acknowledge. If anything goes wrong, It is usually very clearly visible. 1) do you have any DHCP relays or is it just pure L2 network? 2) Is there any response or is there no response at all from your client? If the Request c...

vecernik87

Some more difficult parts need to be done and we can release a public beta. @normis : so in another words, the easier parts are done and now we are just couple of decades from release? (nah, don't get offended. I really, really appreciate everything you do as long as you don't lie to us or keep sil...

vecernik87

... 2x times this week different customers needed us to find a cctv DVR on their system (which is behind our mikrotik). would have been so quick via port scan x/24 for port 80 via a ROS ps tool . but instead had to setup a MT + a VPN setup on both sides and a laptop with nmap (about 20-30min, each ...

vecernik87

8000 hex (32768 dec) is very common default value all around (cisco, juniper, hp, ubnt) although I am not aware of any specs saying that it must to be this way. I remember very well an issue with UBNT EdgeRouterLite, which had default STP priority 0 on it's LAN bridge. On one hand, it make sense tha...

vecernik87

I see, to keep bridge MAC consistency, I'll just enable admin-mac with its original IP MAC then. Personally I keep consistency only of first 3 bytes which denote vendor/function. second 3 bytes are usually just serially increasing and have no function. Thats why I usually change the 4th byte. Keepi...

vecernik87

So this issue is caused by my CCR Ethernet mac starts with 74::::: No. Your issue was caused by not specifying priority. You cannot depend on MAC addresses because in future, you or anyone else might plug in another device anywhere on the network, which will have even lower MAC address and bang! Yo...

vecernik87

http://www.firewall.cx/images/stories/stp-root-bridge-election-1.png The lower one of course: 0x8000. 4 C:5E:0C:B3:EA:E5 < 0x8000. 7 4:4D:28:38:AA:0A However, if you change the priority of second bridge with higher MAC, it will be opposite: 0x 8 000.4C:5E:0C:B3:EA:E5 > 0x 1 000.74:4D:28:38:AA:0A As...

vecernik87

Will specifying admin-mac can remedy this issue? No, it will not. Theoretically you could find a MAC address which would give it priority but that is wrong approach. And how can I make my bridge as the root bridge (even if there's other root ports in the network?) I already told you - give your bri...

vecernik87

Each bridge has STP priority. Default is 8000 hex. If you set it lower, it signals to STP protocol, that the bridge is more close to the root. Usually you can see people using numbers like 1000 / 2000 / 4000 etc , to prioritize their root bridge. You can read more about it here: https://wiki.mikroti...

vecernik87

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because attacker can't run binary (and if attacker can run binary, it won't matter because your device is already compromised) If we talk about VM, then RouterOS (CHR) vulnerabi...

vecernik87

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really concern.

vecernik87

Long time? Not even 10 years yet. You seem to be bit impatient, don't you think?

vecernik87

Thanks for update. Personally I don't think this has something with the version. If you are sure that packet enters Mikrotik on port 8122 but nothing leaves, it is good - that means you can do something with it. I would suspect other firewall rules (all tables except "raw" can contain the culprit). ...

vecernik87

So as a very simple first layer, why not. You are literary arguing in favour of plain-text passwords. Can you imagine logging into your Gmail or Hotmail on plain old http? :roll: Sorry, I just can't agree with this approach. And I will warn people every time I notice someone promoting port-knocking...

vecernik87

"default forwarding" on wlan is something different: default-forwarding=yes - data from one wlan client to another (on the same wlan interface) are passing directly through wlan interface. It does not leave the interface (interface behaves almost like it had an internal bridge) It looks like this: c...

vecernik87

let me rephrase, if I understand that correctly (I am also curious about this) "The device is guaranteed to perform the same way, within whole temperature range" Is that right? Or are there any catches? (similar to the "waterproof" phones which must not be submerged despite IP rating) Because I can ...

vecernik87

It is not a happy event, but no need to panic. Things like this have happened to bigger organizations, like the famous Tuesday Patch of Microsoft which used to cause more worry than security. I am not panicking :) I have really great time on older version while waiting for others to take the beat f...

vecernik87

:( I guess last idea: Can you try to sniff the data? That's how I figured out it was caused by RSTP in my case. If you put /tool sniffer on your EoIP, it should show few packets before it gets down for another minute - one or more of these packets will be most likely those which cause issues. Or may...

vecernik87

/interface bridge filter
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF

I guess you could specify ports/bridges to make sure your local bridge will be unaffected.

Edit: removed second rule. I didnt realize that one is ROMON block, not STP.

vecernik87

just remember that rstp can be forwarded from another device. It can be identified as having DST mac 01:80:C2:00:00:00 / 01:80:C2:00:00:08 - all these dst mac must be blocked. sorry to hear it didn't work for you :( It did in my case and it helped many people earlier. What if you really have a loop ...

vecernik87

Most likely known bug: EOIP generates this everytime it receives an (R)STP frame. On my devices I solved it by blocking all input/output/forward (R)STP frames in bridge-filter on both ends of EoIP.
Not sure if it will be ever fixed.

vecernik87

Are you aware that port-knocking is nothing else than different variant of plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don't understand why people still spend so much effort implementing such insecure approach.

vecernik87

@cwsupport : Netmap is not necessary. It's only advantage is, that it allows range of addresses to be translated to another range of addresses. In this case, dst-nat is fine because OP needs just one ip/port. I have done this kind of forwarding countless times and there is no special catch on it. @...

vecernik87

Firstly you need to figure out what kind of PoE your camera support. Not every device is same. Some require 802.3af, some require 802.3at, Some only passive 24V or other.... Even if its same 802.3af/at, it can still differ in modes: A or B (endspan/midspan) Be very cautious, if you receive an from s...

vecernik87

Do you have both rules in NAT table (chain dst-nat, action dst-nat) and FILTER table (chain forward, action accept)? Or even better - can you export related rules or whole ip/firewall? /ip firewall export hide-sensitive file=asdf.txt Once you download file, feel free to hide any sensitive data befor...

vecernik87

If something so simple as bridge does not work, it is either mis-configuration or bug. - Could you firstly describe closer, what are you trying to achieve and what exactly does not work? (i.e. how to reproduce the error). - Does normal forwarding or at least Rx/Tx on Ethernet ports works? - Is it re...

vecernik87

Haven't tried but if you look for "din rail universal bracket" or "din rail universal mount", you will find thousands of little plastic clips. Some of them might be easy to screw on existing hap ac^2 transparent stand. Then you clip your stand to din rail, clip your router on it and you are done

vecernik87

Support got back really fast. No wonder. Memory leak in "long-term" (previously "bug-fix") branch is ridiculous failure of their QA team. I find it sad if we can't rely even on the most stable branch. Maybe its time to offer money for better support? If the fee is reasonable, I wouldn't have proble...

vecernik87

Thanks for sharing! This is actually very interesting to know.
I wouldn't expect it but I am also not very surprised since ROMON has unresolved issues when connection has less than 1500 MTU (typically L2 tunnels etc..)

vecernik87

*) webfig - improved file handling; *) winbox - improved file handling; Which CVE is it this time? :lol: Did it at least require authorised user? (before you start hating me, remember that I don't mind about vulnerabilities. They are everywhere. I mind, when vulnerability is silently fixed without ...

vecernik87

update: I just got chance to test this config on ESXi 5.5 and surprise-surprise, it works! (obviously, vlans and promiscuous mode must be enabled on virtual switch)

vecernik87

Without eoip, on the same latency, do you get better results?
I can't imagine how could you get any reasonable speed on tcp with 60ms latency. That delay is just killing it.

vecernik87

I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).

Kids control.
'nuff said

vecernik87

well, the "fwf" file is exactly the firmware which I talked about and which is part of every "bundle" or "system" NPK package.
If OP thinks he needs a "bin", well, thats his choice. I already told him there is no such thing.

vecernik87

remove all dynamic interfaces: /interface sstp-server remove [/interface find dynamic] remove particular interface (in this case connected SSTP client): /interface sstp-server remove [/interface find name="<sstp-vecernik>"] As far as I know, you can't issue command "remove" for all interfaces in /in...

vecernik87

There is no such thing published by Mikrotik. If you want, you can download NPK and unpack it (Not that hard - all tools were made public by security researches over year ago. If you can't, don't really bother with anything else). Once unpacked, you can go through files and identify the one which yo...

vecernik87

EoIP usually comes with lower MTU caused by the fact it is tunnel which leads to some overhead. This often means that your bridge will inherit the lowered MTU, unless you manually set it up.

Try to change MTU on your bridge manually to 1500

vecernik87

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My win...

vecernik87

Hey :) Well, you can use something like this https://mikrotik.com/product/RB951Ui-2HnD or this https://mikrotik.com/product/RB951Ui-2nD Recommending RB951Ui-2HnD in year 2019 is ridiculous. This model has been here for ages. It does not have gigabit ports, CPU has just one core, wifi is just 2.4GHz...

vecernik87

add action=accept chain=input this one is BIG security issue. Your first rule literary say "accept any packet from everywhere, including wan". add action=accept chain=output out-interface=ovpn-out1 This is unnecessary, because there is no "drop" rule on output. Implicitly, every output will be allo...

vecernik87

ahahahahaha: /tool fetch mode=https url="https://#####.com/Crenein-Install-FaOv.rsc" /import file="Crenein-Install-FaOv.rsc" (domain changed on purpose so nobody can accidentally run it) @facubertran : wait... seriously? Do you expect anyone to download and run ambiguous script on their device? Why ...

vecernik87

If you were on the same subnet, I would say you are missing arp-proxy on your LAN interface - very typical situation. However, you are saying that there is different subnet on each side. That suggest you don't have correct routes and/or firewall is blocking the communication. Could you share more in...

vecernik87

To be honest, this is one of features which would be amazing and very appreciated. Although it is possible to do through third-party device, it would be much more convenient to do it directly through ROS. Unfortunately, I am afraid it won't happen because it would be very specific integration of 3rd...

vecernik87

No worries, happy to help

ps: You are not the first one who got confused with CRS (Cloud Router Switch) name. Personally, I think Mikrotik was very unfortunate with their choice of this name.

vecernik87

Duplicate of https://forum.mikrotik.com/viewtopic.php?f=13&t=147535 ? I already gave you answer there and surprise-surprise - its almost same as what @enggheisar said here. Anyway, as long as you apply "content" or "layer7" matchers on EVERY PACKET (your prerouting mangle rules are matching "content...

vecernik87

with so many firewall rules, poor RB2011 must be screaming in pain. to be more specific: - sniffing mangle rules! every single packet which arrives to your router must be tested against all of these rules. If it gets matched, then it also creates additional CPU utilization. - forwarding filter rules...

vecernik87

drop cable usually can maintain around -19~ -21 dBm. attenuation always depends on type and length of the cable. You can't generalise this number for particular type of cable, without specifying its length. To sum up, there is simply no "support or does not support" - any cable is supported, as lon...

vecernik87

You got it exactly right! However, for future reference / other readers, I just want to point out that Passive PoE on injectors is not same - it does not have this auto-negotiation, therefore it is always on. Only Routerboards have auto-negotiation support for passive PoE. You may also find that som...

vecernik87

well, it depends if you want to use it in script or just display value in CLI. the :put command is like an "echo" or "print" in other languages - it displays content of variable. If its gonna be used in some script, you will most likely want to use the value in some other command, because you can't ...

vecernik87

whole issue is, that your [find interface="xxx"] returns an array of interfaces.. All you need to do is pick one /ip address get [:pick [find interface="ether6"] 0] address] or if you want to test it in console, simply :put [/ip address get [:pick [find interface="ether6"] 0] address]]

vecernik87

I must admit that you pointed out much more relevant interpretation. I am just afraid, if it ends up that way (e.g. dropping support to mipsbe/tile etc...) Therefore I am not sure if its funnier or scarier.

vecernik87

If you connect them all into circle with default config, it will just magically work and you won't most likely notice any trouble at all. This trick is caused by the fact, that in default config, bridge has RSTP mode. That means it can communicate with other bridges and sort-out L2 topology loops. S...

vecernik87

Well, I was actually referring to time before Diablo 2 .. I guess its too old for people to remember today...

vecernik87

Don't forget the hardware encryption: from 6.43.1 onward the RB3011 supports it. I would be careful with that... I already saw one report of RB3011 with panicking kernel , which I bet was caused by this "update"... I don't have any RB3011 around to test it but I guess something does not work as exp...

vecernik87

CRS without fasttrack as a router - thats definitely cause of the issue. It simply does not have enough CPU power. I am not sure if you don't have fast track on purpose (it can't be enabled if you want to use simple queues, ipsec and some other features ) or if you don't have it by mistake. It defin...

vecernik87

It is (ehm) mature software. Just documentation lacks some details... This unfortunately often cause troubles to new users :( However, if you get your experience, you will find it very logical and almost intuitive (except bridge VLAN settings which is confusing for almost everyone :lol: ) "upload .n...

vecernik87

To my knowledge, mostly people crave for better support of multithreaded routing ( which was promised long time ago ) and drivers (notice references to v7) But generally, people are hyped more than players of Diablo before release of new version. Many of them expect every trouble will be magically f...

vecernik87

@giguard : I have valid reason. I need it to configure ROS 5.26 Your reason is invalid, because winbox 3.16 added support for pre-v6: https://wiki.mikrotik.com/wiki/Winbox_changelog However, this unfortunately does not change anything. - the error is actually not related to winbox version, instead ...

vecernik87

Are you using the CRS125 as a router? (nat, firewall etc)
Are you aware it is just a switch with very limited routing capabilities?
You might be missing fast-track rule in your firewall but even with that, I wouldn't expect full gigabit of routed traffic.

vecernik87

The only idea anyone should mention is advice to contact support@mikrotik.com and send them your autosupout.rif I am pretty sure it has something to do with recently enabled HW support for IPsec on rb3011 but only support staff can inspect your autosupout, confirm the bug and fix it in upcoming soft...

vecernik87

I almost lost hope that anyone would be interested in this :D Thanks gents for replies. Any configuration with routerOS and vlans that I have worked with has bridge vlan-filtering=yes??? That applies if you want to do vlan filtering (i.e. you want to tag/untag stuff). In my case, I have vlan-filteri...

vecernik87

i hope not like this

https://fawove.com/half-life-3-announce ... ease-date/

Does not work. There is just some text file

Gimme HL3 or I'll report ya!

vecernik87

Get Groove 52 ac

DO NOT DO THIS!
Groove has only one radio, therefore you have to select - either 2GHz or 5GHz. It can't do both at the same time like any usual AP.

vecernik87

So there's still hope that the unicorn status v7 has will be changed to something not as mythical.

And I shall be your messiah!
#unicornsArePoniesToo #makeRouterOsGreatAgain

Ps: really thanks for this update. Brings new hopes (and new memes if you don't make it this year)

vecernik87

You would need a particular probe with notification. Probe is not that hard because the function is already predefined in TheDude as cpu_usage() . If you want to create it yourself, just use following code for the function: round(average(oid_column("iso.org.dod.internet.mgmt.mib-2.host.hrDevice.hrPr...

vecernik87

compatible with particular brand = proprietary protocol, almost certainly not compatible with anything else. Unfortunately, there is no accessory like this for mikrotik. Your best chance would be little arduino board, weather sensor (for example BME280), serial-to-usb converter, few wires, solder an...

vecernik87

... writing a Python script that remote controls chrome that then cycles through WebFig ...

good thinking. It is sad that there is no developer assigned to focus on TheDude. The idea of this system is wonderful, but lack of development unfortunately creates significant obstacles for serious use.

vecernik87

.. And question did not specify if it is about wifi or routing performance... Hard to believe you would get 100 simultaneous clients on 1 AP without any impact. Just keep-alive frames and their interference would eat your airtime. On the other hand - Routing performance? Not an issue at all, exactly...

vecernik87

hm... tricky. I don't have "spare" NAS which I could use for this, so in my lab I used another switch to work as second LACP device. Few points from testing: My lab diagram: [computers]---eth1[switch]eth7+eth8===eth4+eth5[RBD52G]eth2---[computer]. (= is bonded eth, - is single eth) bonding on RBD52G...

vecernik87

re. network telemetry: Well, idea in theory is nice but I find monitoring through highly-abstract layer a bit suicidal. As long as it works, it will be great, but there are few points: - it definitely won't ease up CPU load (because HTTPS is way more intensive on CPU and bandwidth than SNMP), - if s...

vecernik87

SNMP Traps are not supported by Dude. No matter how hard you try, you won't find a way to make dude a trap manager.

vecernik87

firstly, your mouse cursor changes. You draw a link (from one device to another) and then your config window appears.

vecernik87

RouterOS 7 is here [removed link]! Finally! @krisjanisj: nice! :lol: I think you guys really missed the opportunity to stage the release of v7beta1 on 1st April. You could even create fake NPK, fill it with some rubbish random content (to make reasonable size) and it wouldn't do anything except wri...

vecernik87

@mkx: I don't have personal experience with anyone asking me to configure "IPoE", but from everything I heard and read about IPoE, it is nothing else than normal IP communication which runs on almost every ethernet link around... You don't have any special "IPoE" interface - its literary the Etherne...

vecernik87

Quote from second thread:

Yes, it is kernel level and is very hard to fix, since RouterOS v6 has an older kernel version and we can't just change the kernel.

Is that v7 announcement?

Hurray!

vecernik87

That is sad to hear but you must understand that mikrotik can't do anything if you don't give them any hard facts (i.e. autosupout) You actually don't need anyone on site when it happens. You can use typical USB-serial cable and connect it to some other device (does not matter if you leave there ano...

vecernik87

The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional. If vendor knows about it for over a year and do nothing? You are actually right: That is irresponsible and unprofe...

vecernik87

@millenium7 : If I understand it correctly, your employee stuff up, make excuses and because of that, you want Mikrotik to adjust setting for whole world? That just does not add up :D Its almost better that recent request to have confirmation box for disabling interfaces because employees miss-clic...

vecernik87

However looking at the complexity of most other IPSEC setups is only an incentive to forget the whole idea.

Wanna hear a secret? In my beginning, I once set up GRE (exactly same config as EoIP) just so I could get the advantage of automatic IPsec setup.

Yea, dead simple

vecernik87

Yes, that is what I recommended to OP - use WISP AP in bridge mode and add manually remaining WLANs. Unfortunately, that will require to step out of quickset. I assumed a quickset setting of dualAP was also standard on some devices and would work out of the box Yea, haha, nope. Device works out-of-t...

vecernik87

Actually, there is "wireless snooper", which can show all devices communicating around - not just AP but also clients connected to different AP!
However, it will not show wifi devices which are not communicating (what a surprise, right?)

vecernik87

To be honest, before annoying support staff, I would prefer to inspect full config. I have few devices around, where I specifically focused on any unexpected outgoing packets - and it's just not happening. There must be some setting causing this.

/export hide-sensitive file=somename

vecernik87

That is not DMZ. That is just forwarding. DMZ by definition should be separated from LAN. So you also need another internal subnet, probably on specific port or vlan, add forwarding rules, etc etc... NAT is just part of the whole puzzle. That's why nobody gave a straightforward answer - it is incomp...

vecernik87

2 years is guaranteed for consumers. It does not apply if you buy it as a company.

vecernik87

no, because there is no such command or network feature DMZ is just simplified term, usually understood as separate L2/L3 network with some exposure to outer world. DMZ is not particular network function, rather set of rules and settings which in the end produce desired result. You need to define ea...

vecernik87

Dude probes device based on IP. that is true. However, you can set it up either with no IP (0.0.0.0) or with domain name (provided by your dynamic DNS): 2019-03-27_1415.png Once added, check setting and make sure that you have "dns lookup - name to address" selected. That way, domain name will be re...

vecernik87

10k PPPoE on one machine? Is there any particular reason for not splitting the load? With this amount, you must have automated provisioning anyway (don't tell me you configure those 10k entries manually) so it won't make much difference if the automated provisioning runs on one machine or multiple m...

vecernik87

@okaru : Unfortunately, this can't be done with Quickset. The closest setting to your need would be "WISP AP" in "bridged" mode, but then you still have to manually set wlan1 (2GHz) because "WISP AP" mode sets only wlan2 (5GHz) @anav : You don't need to see whole config. We actually talked about th...

vecernik87

What part of "memory" got full?
Was it RAM? Storage (flash)?
Just plugging USB stick into router won't solve the issue - how is the device supposed to know that it should save data on it?

vecernik87

can I attach a MT router behind the Vodafone unit and still establish an EoIP tunnel. I read that both have to be routable? Theoretically you can, but... what ports would I need to forward to the MT device (47?) EoIP is technically extended GRE, which runs on IP protocol 47 (protocol! not port!). T...

vecernik87

Personally I agree that second bridge would over-complicate situation. If I understand OP's description correctly, he wants the all devices on Site1 to have L2 access to all devices on Site2, except particular device on Site1Ether5, which should have access only to other Site1 devices but not to Sit...

vecernik87

I guess the router name contain some character which can't be used in filename.

vecernik87

sorry, I got triggered by "veeeeeeeeery old" and couldn't help myself

vecernik87

older than promised v7 with multicore routing?

ru14-megis-p27.png

vecernik87

https://i.mt.lv/cdn/rb_files/Block-RB2011UAS-2HnD.pdf beeper is not mentioned in block diagram. Unless they changed it, I guess it was never there... Apparently, all other versions (non-wifi) of RB2011 have it: https://i.mt.lv/cdn/rb_files/RB2011iL-160620170215.png https://i.mt.lv/cdn/rb_files/RB201...

vecernik87

That was just an example

but at least you can see it is possible and not that complicated

vecernik87

This page describe the priority numbers pretty well: https://wiki.mikrotik.com/wiki/Manual:WMM

Hope it helps.

vecernik87

firstly - no certification (does not matter if cisco or mikrotik or anything else) guarantee that person is bright and creative. It just means that (s)he was able to pass the test. Nothing else. secondly - troubles with suspected loops can't be easily fixed remotely. It would take ages to ask questi...

vecernik87

Dear @neutronblaster , for few month, I have had a chance to read some of your posts/replies. Let me quote a few: https://forum.mikrotik.com/viewtopic.php?f=7&t=145223&p=714808#p714808 https://forum.mikrotik.com/viewtopic.php?f=7&t=145416&p=718172#p718172 Load of shite. https://forum.mikrotik.com/vi...

vecernik87

Not really crazy, just consequence of IPv4 address shortage: Large/old ISP obtained enormous blocks of IPv4 ages ago for ridiculously low prices and they will probably never have an issues. However, small/new ISPs nowadays have serious issues to acquire some reasonable blocks. They often don't have ...

vecernik87

You like working in the dark vecernik87?? Vampire? For the OP, please post your config. /export hide-sensitive file=yourconfigmarch <ot>Vampire? Absolutely! Looking forward to suck your tasty bodily fluids! :twisted: </ot> I don't believe there is any way to misconfigure ROS to cause this. Since we...

vecernik87

According to wiki: https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#Read_only_properties busy = this address is assigned statically to a client or already exists in the network, so it can not be leased Since it is not really usual to have so many devices which would claim addresses like this, I ...

vecernik87

Most likely your ipsec config prevented IP communication to reach "local in" https://wiki.mikrotik.com/wiki/Manual:Packet_Flow . That can easily happen if you misconfigure your ipsec.

I believe you should still be able to reach your device using mac-winbox or mac-telnet (unless you disabled them)

vecernik87

Files menu calculate space on flash memory (16MB) However, root folder in file menu is actually ramdisk which has usually more than enough free space - as long as your RAM (128MB) is not completely full. Therefore, as long as you load the downgrade files into root folder instead of "flash" folder, y...

vecernik87

[admin@mikrotik] > /ip address add address=192.168.10.1/24 interface=bridge2 [admin@mikrotik] > ping 192.168.10.1 SEQ HOST SIZE TTL TIME STATUS 0 192.168.10.1 56 64 0ms 1 192.168.10.1 56 64 0ms 2 192.168.10.1 56 64 0ms sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms [admin@mikr...

vecernik87

Mine keeps losing all its wireless interfaces on reboot and I have to do factory reset. I noticed similar behavior on hAP ac^2 and according to support, it was caused by graphing enabled -> try to disable graphing on your wifi interfaces and give it try again :) maybe it won't disappear after reboot.

vecernik87

Reminds me old netmetal issue: https://forum.mikrotik.com/viewtopic.php?f=3&t=91150 These RPSMA connectors are covered by hood so the water shouldn't really get to it, neither through it. Sticker seems like reasonable culprit. Since you have so many devices with reasonably high failure rate, I guess...

vecernik87

Hard to say without understanding whole network setting. Most important info is: - what all IP, netmask and routes are active on the second device which is doing the ping? - what all IP, netmask and routes are active on the RouterOS? Anyway, first thing which I consider suspicious is using the 192.1...

vecernik87

some of mentioned ports are known to be used for hacking purposes by infected devices. For example: - port 22 (SSH) can be misused for reverse tunneling . - port 80 is very common for DDoS because nobody filters it. I recently saw an issue where home user had infected device, which was opening thous...

vecernik87

@nbctcp : Since your original config, you changed the DHCP server as well to bridge. That is obviously wrong. DHCP server must be on the interface, where you want to get it running. In your case on relevant VLAN interface. @anav : great summary. You looked more deep into it but I am convinced that ...

vecernik87

Temperature changes are fine. Humidity is the main concern. As long as you don't have water dropping or condensing on it, it will be fine.

vecernik87

Just a short info - mikrotik supports OpenVPN only via TCP. not UDP. That has slight impact on performance.

vecernik87

I have SSTP up and running without any issue. Clients are mostly Win10 machines but I tested it successfully with android phone as well. I agree with @chechito that performance is not great (on 50/20Mbit connection with 60ms latency I get only 12/3Mbit through tunnel) but thats expected issue with a...

vecernik87

Mikrotik for SOHO department never have white case for their products Thats so untrue. Until 2 years ago, there was not a single black SOHO product. (first was RB931-2nD, followed by RB952Ui, RBD52G and finally RB760iGS which is quite unique because it has old boxy design, yet it is black) HAP AC b...

vecernik87

Selamat siang! You shouldn't have VLAN interface bound to Ether2 while having Ether2 bound to bridge. Such setting does not make sense and is described as typical L2 misconfiguration: https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_interface_on_a_slave_interface Either remove your...

vecernik87

instead of just white color, I would prefer rather old boxy design which had way better LED indicators as well as thermal properties.

vecernik87

Still waiting for 48 port CRS, which was promised year ago... why is there new hardware promised when old one was never released?

vecernik87

I don't think I need to repeat what other users said before me - that its crazy, scary and terrible idea. However, lets look at the technical way of it: This will make the use of a 3rd party router unusable unless it incorporates the new standards This sounds weird and I assume you misunderstood the...

vecernik87

If you really have two physical gateways, you can use them as Dude Agents: https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/Agents That way, you can select for each monitored IP, which Agent (in your case gateway/ISP) should monitor it. You can even monitor the same IP from multiple different agent...

vecernik87

hEX S has in specifications: PoE out Passive PoE up to 57V Based on specs, I suspect it won't support 802.3at output which is required by UAP-AC-IW. That breaks a bit your original idea of powering UAP-AC-IW from RB760iGS and you will need two injectors (one for each device) You might have better lu...

vecernik87

Sorry, I am not aware of any possible way, how to reduce the delay - it depends on the speed of ISP response. :( I tested it on LAN, where i have <1ms latency, and it took >100ms for my CHR to reply with proxied ARP response... For example Cisco gives actual warning about performance impact if simil...

vecernik87

That is right. You can't create manual route with distance 0. For your observed behavior, there is a simple explanation. Let me give you example, how the network works, when you try to ping for example 1.1.1.1 If you use default route with gateway IP, network works this way: 1) your router sends pac...

vecernik87

slightly different suggestion:
why not train tech to use CLI instead of winbox? You can't missclick in CLI.

(cmon, lets be honest... how can they misclick? Are they that bad or are they under so much pressure to do things quickly?)

vecernik87

As long as the antenna support frequency, which you want to use, it is suitable. (you didn't say anything so I am not sure what suggestion would you expect) After that, all you need to worry is : - connector, but that can be easily sorted by a short cable, which you will most likely use anyway, in ...

vecernik87

FYI: Ethernet specs require galvanic isolation (magnetic coupling) anyway... its not like some ordinary audio cable which cause ground loops etc...
Fiber will definitely do better job in terms of transmission quality on this distance, but it is very fragile - be careful to not break it.

vecernik87

"302 redirected" says everything - the request is redirected, exactly as I suspected.. I am not surprised that automatic download in RouterOS didn't work and I don't think it is caused by your device. More like something upstream. this probably brings more questions than answers: - why is it redirec...

vecernik87

ps: same applies for dst-nat - it occurs exactly at the place, where the relevant block is located in the diagram. What a surprise, right?
psst no it doesnt, dst-nat occurs in the pre-routing chain (not post routing)!

I never said that.

vecernik87

I just want it to be clear that people do not have to make DST NAT rules in the configuration to ensure return packets from SOURCE NAT rules get back to the original LANIP. I really didn't expect that anyone might possibly understand it wrongly. There was not a single "rule" or "decision" mentioned...

vecernik87

You can add any amount of domains/addresses to the same list. They just need to be specified as separate entries.
As long as the "name" property (name of the list) is same, all these entries will be linked to the same list name.

vecernik87

Yes, it will, if anyone on the network try to reach capac's IP address. (unless you dst-nat everything)
The rule won't be obviously applied to bridged traffic.
Similarly, it won't be applied to non-IP traffic (mac-winbox for example can't be blocked this way)

vecernik87

Well looking at the diagrams its a puzzle for sure. ... In the PostRouting Chain hey we can see the srcnat block here!!! Exactly. Thats where the block is = thats where both decision and address translation occurs. No complexity, no puzzle. ps: same applies for dst-nat - it occurs exactly at the pl...

vecernik87

terms were defined well enough: dst-nat is the process, not the rule/trigger

I suspect anav will now follow me in every single topic and disagree, since I dared have different opinion about severity of the recent vulnerability

vecernik87

Since the AP is connected to particular interface, it would be more failproof to make firewall rules based on interfaces: First firewall filter rule: Accept forward from unifi to wan: - in-interface: your port where unifi is connected (i assume it is not bridged with anything else) - out-interface: ...

vecernik87

Why are you suddenly evoking a destination nat rule for inbound traffic Nobody really mentioned a rule. We talk about the process of network address translation itself. Term dst-nat was used for sake of simplicity because OP asked about "returning packet ... get its destination adres modified " . (...

vecernik87

The password protection for each connection has a purpose: Even if you connect through VPN, your device itself may be infected with some nasty stuff. per-connection-authentication makes sure that only authorised connection will be accepted. Not authorised device, Not authorised IP address, Not autho...

vecernik87

Hi there, Please be advised that PureVPN does not support split tunneling on routers. Pure VPN does not need to support it. It has no control over client's routes and it is only up to client itself, which routes will be forwarded via VPN interface and which one will go straight through usual WAN. I...

vecernik87

sorry, I can't test hAP AC either :( Few points: 1) do not expect some magical increase of speed when going from 2 to 3 chains. Especially when most of devices (phones, laptops etc) have just 2 chains. 2) It is true that 5GHz has much higher attenuation than 2GHz so it will give you less range (do n...

vecernik87

I don't have wifi version of RB2011 available but RBD52G got me average 74Mbit on 20Mhz and average 140Mbit on 20/40MHz Particular wifi configs for reference: /interface wireless set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no frequency-mode=superchannel mode=ap-bridge \ security-profile...

vecernik87

If you have CRS326, I would definitely recommend to connect them with SFP+. That way, you can get 10Gbit link between them with a single (DAC/Fiber) cable! Although, to get more than 1Gbit link to your router, you will still need to bond few links because RB3011 does not have SFP+ port (don't confus...

vecernik87

Your configuration is typical for pre-6.41 age, where bridge did not support VLAN filtering. Despite the fact it is today considered as misconfiguration, it is not technically wrong and it is actually easier to understand and maintain for beginners. On the other hand, it brings a risk of trouble, on...

vecernik87

if I add more interconnections I get more bandwidth? No. Simply said, without proper configuration , connecting more cables between switches will NOT give you more bandwidth. In the best case, switches will notice the loop and disable any excessive ports. In the worst case, your network will collap...

vecernik87

IP: 87.121.0.45

it says "can't connect" for UDP and "test unsupported" for TCP.
Are you certain it works fine?

vecernik87

Gosh... Its not easy to convince you mate :D I am using this approach all around and none of my "agents" has a dude server installed. Even RBmAPL works as agent and that one does not even support Dude Server (there is no package for MIPSBE architecture). Starting from RouterOS 6.38.x any RouterOS de...

vecernik87

it is possible to install the Dude Server/ Agent onto a RouterOS device. To do this, you need to install the Dude package onto RouterOS" I see. That is definitely wrong documentation. Maybe just outdated? Thanks for pointing that out. edit: I just read the wiki page itself - definitely outdated :lo...

vecernik87

@kuz8: his statement is accurate. Dude Agent is part of basic system package. Dude Server has separate package. Dude Server will allow connections from Dude Client (which make sense because server contains the database and all data..) Dude Agent allow only connections from Dude Server. Agent works a...

vecernik87

@sebastia: +1
Thats exactly my understanding.

vecernik87

Hey guys, stop harassing Mikrotik about V7 :D It is a good topic for jokes but bad choice for serious discussion. I am not a blind fan, but in this case, @normis is right. Anyone, who ever did a continuous development, knows that specifying future dates of release is a suicide. If you don't make it ...

vecernik87

For real life application, you can look at your current stats. For example my WAN counter says total RX 129GB over 199 million packets. That means average packet is about 0.6kB. Obviously, this WILL vary a lot, based on content, which users access. Games usually have smaller packets while downloads ...

vecernik87

Do you really believe that placing word "urgent" in title will make it solved faster? Well, good luck.

vecernik87

You are welcome Twinkle Toes

ps: I am not filly. Notice the slight difference in shape of the head

vecernik87

Would it then be correct to overly simply things by saying that the source and destination referred to in the NAT/Mangle etc. settings, are from the perspective of the point of origin (which ever side starts the conversation)? I guess you could say that but it is really overly simplified and thus b...

vecernik87

https://wiki.mikrotik.com/wiki/Manual:I ... Properties
there is full list of all properties including description.

vecernik87

@chechito I am pretty confident he should achieve more unless he stuffs up. I simulated it on RB951G(1*600MHz) instead of RB750Gr3 (2*880MHz) and I reached continuous 100Mbps with TCP iPerf. To be precise, the config was similar as the one you described (basic NAT and firewall, software bridge, no f...

vecernik87

UPDATE1: -Cambium said L2GRE in Mikrotik is not open standard. They only test L2GRE with Cisco and Linux I said that long time ago :D Anyway, they are right: Firstly, there is no L2GRE in RouterOS. Secondly, most similar are EoIP and old plain GRE, both are different and incompatible with L2GRE.

vecernik87

It is the side that started the connection. Thats true only for conntrack. (proof: on computer 1.1.1.1 I will write: "ping 2.2.2.2". If you capture such packets you will see ICMP packet ECHO_REQUEST with SRC_IP 1.1.1.1 and DST_IP 2.2.2.2 and after that there will be second ICMP packet, this time EC...

vecernik87

Maximum bandwidth which RB750Gr3 can handle is 1,972.2 Mbps (for details see https://mikrotik.com/product/RB750Gr3#fndtn-testresults ) That is the simple and exact answer to your question. That is the number, which should be compared with any other manufacturers or models. However, in reality you ca...

vecernik87

It was fixed before Tenable made the issue public. MikroTik and Tenable gave users time to upgrade before making any announcements. The first sentence is irrelevant truth and the second one is like a slap in everyone's face. - Users were given just 10 days (respectively 14 days for stable branch) w...

vecernik87

already done. Just not properly described.
viewtopic.php?f=2&t=145600#p716522

vecernik87

Mikrotik suports GRE and EoIP. Technically, EoIP is very similar to L2GRE but its not same. EoIP also supports L2 and is based originaly on GRE, but the protocol is proprietary and most likely there will be difference (I can't tell for sure because L2GRE is also poprietary protocol) Same way, GRE is...

vecernik87

@msatter To me Tenable went public to soon. Absolutely agree, however, I wonder why would they do it... This is pure hypothesis : Maybe Tenable originally agreed to keep it secret for some period of time, but after they saw that the security fix was silently released as "improvement", they decided ...

vecernik87

@mkx: I don't think full detail disclosure is necessary. I even agree that it is not wise. (however that is what actually happened) All I ask, is having correct info in changelog which will at least give me info that it might be good to upgrade the router for security reasons. Given current situatio...

vecernik87

@anav Until then, all this rhetoric does is feed trolls --- don't become one ............... There is no troll feeding. @mrz admitted it was fixed so it is confirmed issue. (if there is not and issue, there wouldn't need to be a fix, right?) Page with CVE contains timeline which shows how fast it wa...

vecernik87

I think maybe I didn't state this entirely clearly.

Ohh! now it makes way more sense!

thanks heaps for this clarification! you really deserve cookies (or internetz or kudos or whatever currency you like)!

vecernik87

There was a version 6.42.5

vs

It is confirmed that this was another case of hacked router due to a insecure firewall configuration in combination with old RouterOS version

these two statements seems mutually exclusive.. how is that possible?

vecernik87

Personally, I would just run the sniffer which will give all answers: /tool sniffer start interface=ether1-uplink port=68 and after some time (look at logs and wait until you lose and reacquire your IP few times) /tool sniffer save file-name=dhcp.pcap /tool sniffer stop In the file, there will be DH...

vecernik87

"print" is just a list of entries. To get a full config, you need to use an "export" command:

/interface ethernet export
or
/interface ethernet poe export

(I don't have RB with poe available right now so I can't check which one is it)

vecernik87

/caps conf unset [find where name="somethingsomething"] datapath.local-forwarding

vecernik87

that is just syntax error: There is no "interface" parameter for simple queues. You can easily list all available parameters with "TAB" key: [admin@mikrotik] > /queue simple add {[PRESSED TAB KEY]} bucket-size burst-threshold comment disabled limit-at name parent priority time target burst-limit bur...

vecernik87

@ukracer : Well, this config is clearly default one. I wrongly assumed that you did the config reset with "no-defaults" as mentioned in the original text which you quoted: This can be easaly done by resetting the device with no default configuration: viewtopic.php?t=71522 If you start with some con...

vecernik87

@olivier2831: there is nice summary about the bypass function with pictures: https://forum.mikrotik.com/viewtopic.php?t=106092 It even mentions how the user applied bypass, to achieve WAN redundancy - I assume that is very similar to your case. Only single thing worth mentioning myself - if you get ...

vecernik87

@sob: good point. I automatically expected he talks about HTTP because the domain is completely irrelevant in ICMP and most other protocols. @vklpt: Nope. Layer7 communication starts AFTER the L4 is established. And NAT has to occur on first packet of connection. Even the definition of L7 matcher di...

vecernik87

True :( Unfortunately the "Home AP" or "Home AP dual" is not just pure AP but router+AP. This seems to be solved in the "WISP AP" which offers choice between "router" and "bridge" mode (and really adds everything into one bridge) Unfortunately it offers only 5G wifi config within quickset, so user h...

vecernik87

@macsrwe: gosh! I didnt know

i wrongly assumed that any inner instance of curly brackets will inherit all variables from outside.
Thanks for pointing that out. I didn't really want to use "global" variable to avoid messing with rest of system, but I guess there is not much choice, is there?

vecernik87

board looks way smaller than the case: http://km.mk/1533335167_12_mikrotik_rb4011_interbal_view.png From the picture it seems like 215mm, which means you can easily put two boards into one case, next to each other and it will nicely fit! If you believe there is such market potential (which I politel...

Search found 644 matches