Community discussions

Search found 352 matches

by vecernik87
Wed Dec 12, 2018 7:42 am
Forum: General
Topic: Arp ping vs. ip ping
Replies: 2
Views: 169

Re: Arp ping vs. ip ping

quick "insight" - firewall. Neighbor discovery is not affected by firewall, because it is not considered as IP (L3) communication. ARP is the same thing. I can imagine that your neighbor discovery and ARP pings pass through because it is not stopped by your firewall, while your pings don't pass be...
by vecernik87
Mon Dec 10, 2018 12:38 am
Forum: General
Topic: RouterOS pings devices - why? [SOLVED]
Replies: 7
Views: 343

Re: RouterOS pings devices - why? [SOLVED]

quoting https://tools.ietf.org/html/rfc2131 (DHCP specs) : RFC 2131, section 2.2 As a consistency check, the allocating server SHOULD probe the reused address before allocating the address, e.g., with an ICMP echo request, and the client SHOULD probe the newly received address, e.g., with ARP. RFC 2...
by vecernik87
Sun Dec 09, 2018 11:47 am
Forum: General
Topic: VLAN or Subnetting
Replies: 4
Views: 229

Re: VLAN or Subnetting

VLANS (or other type of L1/L2 separation) is necessary for proper "guest wifi". You can't possibly let guests access same section of the network without making sure, that they can't under any circumstances (even if they fake their IP) affect your staff devices. For internal company stuff, simple sub...
by vecernik87
Sun Dec 09, 2018 11:14 am
Forum: General
Topic: Bridge Leakage in 6.42.x and above.
Replies: 12
Views: 421

Re: Bridge Leakage in 6.42.x and above.

@Jotne : I agree there are more ways to do it and each has some advantages and disadvantages. For now, let's focus on the presented issue that MNDP/CDP/LLDP is somehow passing through NAT. (which shouldn't happen under any circumstances - all these protocols work with L2 broadcasting so they should ...
by vecernik87
Sun Dec 09, 2018 3:19 am
Forum: Beginner Basics
Topic: Transmit loop detected
Replies: 24
Views: 9806

Re: Transmit loop detected

It seems that I had bad luck with this issue as well. I can confirm in my case, switching bridge from RSTP to NONE on one of devices helped (does not seem to matter which one). Also it does not seem to matter, if there is additional switch with RSTP enabled. Also it does not matter if the bridge has...
by vecernik87
Sat Dec 08, 2018 3:03 pm
Forum: General
Topic: Bridge Leakage in 6.42.x and above.
Replies: 12
Views: 421

Re: Bridge Leakage in 6.42.x and above.

Actually, I do the wan-bridge as well sometime. It is much easier to maintain when you somehow need to use different physical port AND you can do L2 filtering, which is impossible with /ip firewall
by vecernik87
Fri Dec 07, 2018 11:37 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Crowd Funding of v7
Replies: 32
Views: 3081

Re: Crowd Funding of v7

lol, sure... because when I log into IOS and I run some command and then I go to another IOS and run exactly same command, the result is different because one IOS is on ASA (firewall) while second is on 887 (router). gimme break please... whole idea of splitting resources and developing multiple ...
by vecernik87
Thu Dec 06, 2018 5:25 am
Forum: Wireless Networking
Topic: cap AC Critical Errors???
Replies: 9
Views: 416

Re: cap AC Critical Errors???

kernel failure = send autosupout to mikrotik. Nobody else will be able to figure out. Kernel failures should not happen - Mikrotik needs to be notified about it so they can fix it in upcoming release. You didn't describe exact conditions very well but maybe I had similar experience earlier - one of ...
by vecernik87
Wed Dec 05, 2018 4:20 am
Forum: Beginner Basics
Topic: Possible Loop Errors.
Replies: 8
Views: 335

Re: Possible Loop Errors.

Does that help diagnose what happened?? It does not diagnose the issue but it is necessary step for diagnosis. I definitely agree with @Steveocee - try to change the bridge MAC to something definitely unique. (make sure with bridge hosts before that, if the MAC is really unique and there is nothing...
by vecernik87
Wed Dec 05, 2018 12:33 am
Forum: General
Topic: Bridging and Speed
Replies: 2
Views: 134

Re: Bridging and Speed

I wouldn't dare to say it so simply. As long as your bridge port has the "H" flag, it is hardware offloaded = switched. That does not affect the speed. However bridge without HW offload must be processed in CPU and that will definitely affect the speed. If you use vlan filtering in bridge, all HW of...
by vecernik87
Tue Dec 04, 2018 12:13 pm
Forum: General
Topic: Tls host not work
Replies: 3
Views: 185

Re: Tls host not work

Google, youtube etc... they are using QUIC (UDP based protocol) instead of normal HTTP/2 (TCP based protocol)
They of course still support old protocols but that's just fallback. If the browser supports QUIC, it will use QUIC.

TLS-host does not work with QUIC as it depends on TCP connection.
by vecernik87
Tue Dec 04, 2018 8:28 am
Forum: Beginner Basics
Topic: Possible Loop Errors.
Replies: 8
Views: 335

Re: Possible Loop Errors.

Just to make sure before any assumptions are made - the MAC address does not belong to any interface in your router?
Can you check it with your /interface bridge host print where mac-address="XX:YY:ZZ"?
by vecernik87
Tue Dec 04, 2018 8:16 am
Forum: General
Topic: Poor VPN Performance with SSTP VPN
Replies: 9
Views: 423

Re: Poor VPN Performance with SSTP VPN

If it helps, I can confirm that hAP ac^2 has no issues with running over 20Mbps over SSTP (with UDP iperf I actually saw 30Mbps coming through) so it is likely some issue in your customer's config/network. However, I must agree that SSTP is not a good choice for site-to-site. If you had issues with ...
by vecernik87
Tue Dec 04, 2018 7:27 am
Forum: Announcements
Topic: v6.42.10 [long-term] is released!
Replies: 24
Views: 6719

Re: v6.42.10 [long-term] is released!

... you should disable Cloud DDNS service before an upgrade to v6.43 or later or before a downgrade below v6.43 ... @strods : As I pointed out in previous text, this issue will happen more and more often, because people will migrate between Long-term and Stable without knowledge what was in 6.43 ch...
by vecernik87
Tue Dec 04, 2018 5:40 am
Forum: General
Topic: GRE Tunnel - TCP or UDP
Replies: 2
Views: 298

Re: GRE Tunnel - TCP or UDP

GRE (IP protocol 47) is neither TCP (IP protocol 6) nor UDP (IP protocol 17). GRE does not contain any mechanism for reliability check like TCP (which guarantee that data will come valid and in order, or not at all) or UDP (which guarantee that data will come valid or not at all). GRE has OPTIONAL f...
by vecernik87
Tue Dec 04, 2018 3:18 am
Forum: Announcements
Topic: URGENT security reminder
Replies: 84
Views: 16522

Re: URGENT security reminder

... noobs won't and will be secured. Noobs will scream when their router randomly restart (because it was just applying updates during their gameplay) Noobs will sue mikrotik when the router breaks some config during update as they will wake up one day and device won't work... Right now, people are...
by vecernik87
Tue Dec 04, 2018 2:28 am
Forum: Beginner Basics
Topic: group permission "test"
Replies: 1
Views: 142

group permission "test"

I do not consider myself as beginner but this particular question is so simple that I believe it belongs here. I tried to set up user which could do only testing functions (ping, traceroute etc..), nothing else: /user group add name=pinger policy="ssh,test,winbox,!local,!telnet,!ftp,!reboot,!read,!w...
by vecernik87
Mon Dec 03, 2018 11:32 pm
Forum: Announcements
Topic: v6.42.10 [long-term] is released!
Replies: 24
Views: 6719

Re: v6.42.10 [long-term] is released!

problem with this version on cloud system on rb750 and rb951. That sounds like typical issue which happens, when you upgrade/downgrade without disabling cloud first. Recommended fix from staff: upgrade/downgrade back to original version, disable cloud, upgrade/downgrade to your target version, enab...
by vecernik87
Mon Dec 03, 2018 2:00 pm
Forum: General
Topic: Mikrotik sniffer droped packets
Replies: 4
Views: 148

Re: Mikrotik sniffer droped packets

another way - mangle has action "sniff-tzsp". If you can define your rule in mangle same way as in filter, it will be evaluated before filter and therefore you can sniff packets which will be dropped in the next step. That of course means almost doubling your whole firewall rules... not sure if it i...
by vecernik87
Mon Dec 03, 2018 4:34 am
Forum: RouterBOARD hardware
Topic: XBOX One connected standby causing port flapping on hAP lite
Replies: 1
Views: 254

Re: XBOX One connected standby causing port flapping on hAP lite

I have seen several times MoBo going from 1Gbit to 100Mbit when computer goes to "off" mode (but no flapping). I guess XBOX goes bit further in the attempt to save power. The "check if the switch port has been disabled for link flap error detection" is probably joke if you sent them the picture - it...
by vecernik87
Mon Dec 03, 2018 4:19 am
Forum: The Dude
Topic: Dude v6 - Feature request list
Replies: 49
Views: 9310

Re: Dude v6 - Feature request list

Option Bind Dude server to an IP address on router for all probes and outgoing traffic. See, this will actually cause some issues, especially when someone has multiple sites/networks connected via different methods/devices. Specifying single IP for all traffic seems like limiting current functional...
by vecernik87
Mon Dec 03, 2018 3:56 am
Forum: Beginner Basics
Topic: Does RouterOS have all functionality of SwOS? [SOLVED]
Replies: 3
Views: 343

Re: Does RouterOS have all functionality of SwOS? [SOLVED]

Does RouterOS have the same switching/VLAN/LAG/PoE+/SFP+ functionality as SwOS? Yes, RouterOS has all functionality of SwOS, however some functions may be bit more complicated to set up (typically VLANs in the bridge are pain in the a** until you fully understand how it works in RouterOS). That is ...
by vecernik87
Mon Dec 03, 2018 3:03 am
Forum: Announcements
Topic: v6.43.4 [stable] is released!
Replies: 78
Views: 15721

Re: v6.43.4 [stable] is released!

Just Updated to this SW release, and I am unable to connect to Groove. It keeps giving me a invalid username and password. Tried resetting a couple of times, but it doesn't seem to reset at all. It connects to the setup network right away. Any help would be appreciated to connect back to Groove. @G...
by vecernik87
Mon Dec 03, 2018 12:22 am
Forum: Wireless Networking
Topic: wireless sniffing seems useless
Replies: 1
Views: 153

Re: wireless sniffing seems useless

you can't run sniffer AND normal operation (ap/station) at the same time on single interface. That simply contradicts how these things work. To be precise, all (unless I missed some) debugging features from /interface wireless ( sniffer , snooper , scan (unless you select background=yes), spectral-s...
by vecernik87
Sun Dec 02, 2018 9:43 am
Forum: General
Topic: How are hardware ports associated with names
Replies: 3
Views: 243

Re: How are hardware ports associated with names

in SNMP, index means nothing. It is just unique number which links different SNMP values together (for example type, description, rx/tx bytes etc...) under same "parent" (in this case interface) ifIndex cannot be in sync with hardware interface number - that is the way how SNMP works everywhere. Ima...
by vecernik87
Fri Nov 30, 2018 11:10 pm
Forum: General
Topic: v6.42.10 [long-term] --- issue
Replies: 2
Views: 197

Re: v6.42.10 [long-term] --- issue

@nescafe2002 Despite the fact his name is different, the guy in the other topic was clearly asked to create separate topic as it was admitted that the issue is not relevant to 6.42.10 specifically, but is happening to 6.43 as well. Please don't point him back. He is asking in the right place now. @...
by vecernik87
Thu Nov 29, 2018 2:51 pm
Forum: Beginner Basics
Topic: Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?
Replies: 4
Views: 320

Re: Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?

Oh! Sorry for such mistake. I didn't realize it may be interpreted that way. They will definitely go through it. Mangle prerouting / raw prerouting / nat prerouting, filter forward / filter input etc etc... (every combination) these are all different blocks on the diagram. Every block is processed a...
by vecernik87
Thu Nov 29, 2018 9:21 am
Forum: Beginner Basics
Topic: Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?
Replies: 4
Views: 320

Re: Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?

Are packets accepted in mangle prerouting still processed in mangle forward and filter forward? yes, they are. It is separate chain and actually in some cases, it is necessary (for example mangle-prerouting happens before dst-nat but you need to later check, if connection is dst-natted) the "accept...
by vecernik87
Thu Nov 29, 2018 7:07 am
Forum: General
Topic: VLAN on a regular switch
Replies: 9
Views: 390

Re: VLAN on a regular switch

the "support VLAN" statement is ambiguous. - Does "support" mean it must do VLAN filtering on ports? - Does "support" mean it pass VLAN-tagged packets? (i.e. it does not drop 0x8100 ethertype frames, it does not drop packets due to size being larger than MTU) - Is there some different definition? My...
by vecernik87
Thu Nov 29, 2018 6:29 am
Forum: General
Topic: Blocking facebook
Replies: 12
Views: 9409

Re: Blocking facebook

there is not really 100% working solution. Closest is blocking with TLS-HOST because it works on HTTPS and does not consume too much CPU (at least not as much as L7 filtering which is useless anyway when FB works over HTTPS) presentation: https://youtu.be/XkKj9rj4quQ?t=1511 /ip firewall filter add c...
by vecernik87
Wed Nov 28, 2018 10:51 pm
Forum: General
Topic: How to sniff traffic between wifi clients (same subnet)
Replies: 11
Views: 447

Re: Packet sniffer does not sniff UDP packets

is "default-forwarding" enabled in the wireless interface - YES (I want the clients to be able to talk to each other) You don't really need default-forwarding enabled, if your wifi is connected to any bridge: When it is enabled, packets go from client, to wireless chip and then to second client. W...
by vecernik87
Wed Nov 28, 2018 2:48 am
Forum: Beginner Basics
Topic: How to update to separate packages? [SOLVED]
Replies: 2
Views: 160

Re: How to update to separate packages? [SOLVED]

Just short note for other readers: "reboot" means really /system reboot. It will not work with power-cycle (which some people perceive same way as restart/reboot)
by vecernik87
Tue Nov 27, 2018 3:41 am
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 61
Views: 8184

Re: v6 RC and v7 BETA

No way! If they do it, what will we make fun of?
by vecernik87
Sat Nov 24, 2018 1:06 am
Forum: RouterBOARD hardware
Topic: 48 Port Switches
Replies: 16
Views: 4787

Re: 48 Port Switches

Some sample of CRS354-48P-4S+2Q+ was shown at MUM Indonesia in early August.
Not sure how far the development is, but I guess they have some issues unresolved. Better wait than release faulty product (especially the one which targets high-end segment)
by vecernik87
Sat Nov 24, 2018 12:38 am
Forum: General
Topic: MOAB mother of all blacklists
Replies: 42
Views: 3200

Re: MOAB mother of all blacklists

there is a "system-id" in /system license
by vecernik87
Fri Nov 23, 2018 3:24 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Crowd Funding of v7
Replies: 32
Views: 3081

Re: Crowd Funding of v7

I fully agree with your statement that it is not easy to quickly hire person who can jump a train. However, we both know that it would be easier with money, than without money :D Anyway, this isn't really useful discussion. sorry for wasting your time. Certainly the idea of crowdfunding isn't really...
by vecernik87
Fri Nov 23, 2018 1:58 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Crowd Funding of v7
Replies: 32
Views: 3081

Re: Crowd Funding of v7

I don't know which particular feature you don't have in v6 OP clearly stated he is missing multi-threaded BGP. I guess it was promised? If I should speak for myself, I would like to point out there are many LTE modems which are marked as "available in v7". And when I say resources, I mean people-ho...
by vecernik87
Thu Nov 22, 2018 11:51 pm
Forum: General
Topic: EoIP doenst work without torch
Replies: 5
Views: 327

Re: EoIP doenst work without torch

@sebastia : fast-track (L3 feature - configured in /ip firewall filter ) is not the same as fast-path (L2 feature - configured in /interface bridge settings ). @globalrebel : I am quite surprised to be honest. I have EoIP on few routers and it works fine even with enabled fast-path. In addition, ac...
by vecernik87
Wed Nov 21, 2018 7:20 am
Forum: The Dude
Topic: Link Full
Replies: 4
Views: 594

Re: Link Full

Sorry for gravedigging but I feel need to react - that answer is not really correct. As far as I know, in TheDude, "link full" can be found in setting->apperance->link and it sets color which link will turn into, once it reaches predefined maximum speed. Each link can have this speed defined either ...
by vecernik87
Wed Nov 21, 2018 7:05 am
Forum: Beginner Basics
Topic: DHCP showing Red
Replies: 9
Views: 490

Re: DHCP showing Red

Anav pointed it out right - /ip dhcp-server needs correct /ip address on the same interface as well as properly configured /ip dhcp-server network and /ip pool in order to run correctly. However, only missing /ip address will make the DHCP server red. Missing /ip dhcp-server network and /ip pool wil...
by vecernik87
Wed Nov 21, 2018 6:49 am
Forum: General
Topic: Block MNDP with IP Neighbors running? [SOLVED]
Replies: 2
Views: 154

Re: Block MNDP with IP Neighbors running? [SOLVED]

Despite the fact MNDP is located in /ip neighbor menu, it should be considered as L2 protocol because both dst-MAC and dst-IP are broadcasts. Due to that, /ip firewall (both filter and raw) see the packets but can't drop them. (personally I consider that as bug - either it should count matched packe...
by vecernik87
Tue Nov 20, 2018 2:29 am
Forum: Announcements
Topic: Security announcement blog
Replies: 119
Views: 20259

Re: Security announcement blog

Interesting.. I found myself unsubscribed from everything, including security info
by vecernik87
Tue Nov 20, 2018 2:05 am
Forum: Beginner Basics
Topic: alternate DNS for specific IP on LAN, is it possible? [SOLVED]
Replies: 19
Views: 914

Re: alternate DNS for specific IP on LAN, is it possible? [SOLVED]

Gosh, I didn't even go through firewall rules. so obvious :lol:

If you need it for your lan, you can always exclude your special IP from it:
/ip firewall nat
add action=redirect src-address=!YOUR_SPECIAL_IP chain=dstnat comment=DNS dst-port=53 protocol=udp to-ports=53
by vecernik87
Mon Nov 19, 2018 6:55 am
Forum: General
Topic: Is http://www.mikrotik-routeros.net a legit site?
Replies: 5
Views: 493

Re: Is http://www.mikrotik-routeros.net a legit site?

according to https://mikrotik.com/buy/europe/croatia the Pondi d.o.o. is legit "master distributor" but their official site is http://www.mikrotik-hrvatska.com Site you linked is listed among links on mikrotik-hrvatska.com so it is reasonable to expect it really is from them. Also the price of licen...
by vecernik87
Mon Nov 19, 2018 6:37 am
Forum: Beginner Basics
Topic: User access to RouterBoard
Replies: 11
Views: 750

Re: User access to RouterBoard

Thanks for feedback and congrats that you made it working! I couldn't figure out what you might get wrong as I don't really have much experience with webfig. Just last piece of advice - letting your customer to update software is risky. Especially last year, it is not uncommon that new versions come...
by vecernik87
Mon Nov 19, 2018 6:21 am
Forum: General
Topic: ISP Setup
Replies: 4
Views: 396

Re: ISP Setup

Mistry7 is right. In case of business, you need reliability and you should hire professional engineer for such task. You can't possibly depend on random people guiding you over forum. (remember - it is your money and your reputation. If things go wrong, customers never accept "its not my fault" excu...
by vecernik87
Mon Nov 19, 2018 4:57 am
Forum: General
Topic: ip cloud Mikrotik service has any "Cache?"
Replies: 6
Views: 325

Re: ip cloud Mikrotik service has any "Cache?"

I believe this does not need support attention as it is most likely caused by misconfiguration of old vs new cloud service. Thing is that pre-6.43 RouterOS is using old cloud service. If you upgrade your device WITHOUT disabling cloud service first, the entry will be stuck there forever. New version...
by vecernik87
Sun Nov 18, 2018 9:16 am
Forum: Beginner Basics
Topic: alternate DNS for specific IP on LAN, is it possible? [SOLVED]
Replies: 19
Views: 914

Re: alternate DNS for specific IP on LAN, is it possible? [SOLVED]

quick tip: You don't need to calculate hex values. If you follow manual , you will find that IP can be added with apostrophes This is working example from my tests: /ip dhcp-server option add code=6 name=dns-cloudflare value="'1.1.1.1'" (notice the apostrophes within quotation marks. in GUI, you jus...
by vecernik87
Sat Nov 17, 2018 2:39 am
Forum: General
Topic: How to secure port on the switch?
Replies: 8
Views: 441

Re: How to secure port on the switch?

It does not really matter if switch has or does not have MAC. All it matters is, that switch does not modify packet - it just forward it to correct port. So unless OP is talking about blocking communication of switch itself (that seems rather unusual, more likely he wants to block communication of d...
by vecernik87
Sat Nov 17, 2018 1:46 am
Forum: Beginner Basics
Topic: alternate DNS for specific IP on LAN, is it possible? [SOLVED]
Replies: 19
Views: 914

Re: alternate DNS for specific IP on LAN, is it possible? [SOLVED]

You are right... It is not specified, therefore it is not guaranteed. I guess I figured out some time ago on my own. I adjusted the answer. It is truly not "easier" solution because it is not clear from the lease, if there will be something special. The DHCP option might be actually better due to th...