Community discussions

Search found 760 matches

by vecernik87
Mon Oct 19, 2020 8:56 am
Forum: General
Topic: Microtik and AD
Replies: 3
Views: 161

Re: Microtik and AD

If you don't want them to use the 8.8.8.8, don't give it to them. Simple as that. Define the DNS in ip->dhcp->networks so only your DC DNS will be distributed to clients. If you provide the 8.8.8.8 to your clients, there is no way to guarantee they won't use it. Is there any reason to give your clie...
by vecernik87
Mon Oct 19, 2020 1:53 am
Forum: Beginner Basics
Topic: Unknown setting is preventing a DNS change
Replies: 3
Views: 105

Re: Unknown setting is preventing a DNS change

c'mon Anav, you can do better :P CTRL+F -> type "53" and that's it... Picked it up in less than 10 seconds:
add action=redirect chain=dstnat dst-address-type=!local dst-port=53 protocol=udp to-addresses=0.0.0.0 to-ports=53
DNS traffic not going to the router will be redirected to 0.0.0.0 which is n...
by vecernik87
Thu Oct 15, 2020 8:24 am
Forum: RouterBOARD hardware
Topic: hAP ac² High temperature
Replies: 61
Views: 16241

Re: hAP ac² High temperature

Nobody ever claimed that temperature does not matter. Temperature does matter and it is stated in the specs: "Tested ambient temperature -40°C to 50°C" That means, it is guaranteed to work, as long as the temperature around the router does not go over 50°C. By putting it on direct sunlight you viola...
by vecernik87
Thu Oct 15, 2020 5:14 am
Forum: SwOS
Topic: Number of SWOS VLANs
Replies: 7
Views: 381

Re: Number of SWOS VLANs

RouterOS by default does not filter VLANs on bridge at all and lets them flow everywhere (as if all ports had all VLANs enabled as tagged). The only advantage of tagging switch ports is, that it will allow you to create access/edge ports (ports where particular VLAN is untagged)
by vecernik87
Thu Oct 15, 2020 1:14 am
Forum: Beginner Basics
Topic: WOL before RDP
Replies: 2
Views: 153

Re: WOL before RDP

Unfortunately, there is no easy way of doing this. Mikrotik can do a LOT with the firewall rules and scripts, but there is no built-in mechanism to trigger a script based on firewall rule. I can think of two workarounds: Preferred way - I hope (please, don't disappoint me!) that every employee connec...
by vecernik87
Wed Oct 14, 2020 11:35 am
Forum: Beginner Basics
Topic: Home User RouterOS Consultancy - Uber for MikroTik
Replies: 8
Views: 464

Re: Home User RouterOS Consultancy - Uber for MikroTik

In other words, OP is asking for a normal help, which all 3 of us provide here on regular basis for free.. (at least I didn't get paid yet) @dazzaling69 : don't make a big deal out of it. Just ask for specific things because nobody will give you a full-blown lecture on all networking stuff. If you h...
by vecernik87
Wed Oct 14, 2020 9:36 am
Forum: General
Topic: License Purchase Issue! [SOLVED]
Replies: 1
Views: 162

Re: License Purchase Issue! [SOLVED]

If you were purchasing from official mikrotik page (not from reseller) then it would be better to contact mikrotik directly. This is just a forum and no official support (definitely not in regards of sales/payments) is guaranteed. In the checkout process, I noticed a reference to "sales@mikrotik.com...
by vecernik87
Wed Oct 14, 2020 9:27 am
Forum: The Dude
Topic: (BUG) Dude Client crashing on device details and charts
Replies: 21
Views: 3504

Re: (BUG) Dude Client crashing on device details and charts

I didn't ask about this detail, but I assume, they are just pointing out the fact, that any TheDude Agent (any RouterOS device) must be same version as TheDude Server. That is known requirement for TheDude Agents, but fortunately, if you don't want to use Agents, you don't need to upgrade monitored ...
by vecernik87
Wed Oct 14, 2020 9:18 am
Forum: General
Topic: Firewall NAT , Route List Setting is will running
Replies: 4
Views: 436

Re: Firewall NAT , Route List Setting is will running

You didn't provide much info (especially, you did not bother to say what interface was there in the first place), but given your routing mark names, I assume that all these rules are related to a dynamic VPN interfaces, most likely you are running server and clients are connecting and everytime clie...
by vecernik87
Wed Oct 14, 2020 9:07 am
Forum: Beginner Basics
Topic: Accidently, I removed Interface ether1.
Replies: 4
Views: 316

Re: Accidently, I removed Interface ether1.

Is that even possible Normis? To remove the ethernet interface itself? Yes. Every model has this feature. All you need is a chisel or big screwdriver. Apply lot of pressure on the port and the interface will come off. I am pretty sure Normis is trying to understand what OP actually means same as ev...
by vecernik87
Wed Oct 14, 2020 8:59 am
Forum: Wireless Networking
Topic: Groove A52AC
Replies: 2
Views: 163

Re: Groove A52AC

also depends on frequency (2GHz reach further than 5GHz) and required speed (you can achieve longer distance with lower speeds) and many other parameters. Keep in mind that it will not instantly shut off... but reliability will slowly decrease as you increase the distance. If you want a simple answe...
by vecernik87
Tue Oct 13, 2020 8:45 am
Forum: The Dude
Topic: Why is my equipment down?
Replies: 2
Views: 248

Re: Why is my equipment down?

Is it possible that your dude is trying to reach the router by its WAN IP and that IP changed after the restart?
by vecernik87
Tue Oct 13, 2020 5:09 am
Forum: RouterBOARD hardware
Topic: hAP ac² High temperature
Replies: 61
Views: 16241

Re: hAP ac² High temperature

you have a black router under direct sunlight? well... no wonder it gets hot.

Instead of drilling holes, even simple piece of white paper would help more
by vecernik87
Tue Oct 13, 2020 5:04 am
Forum: RouterOS v7 BETA
Topic: how to understand routi9ng in v7
Replies: 7
Views: 747

Re: how to understand routi9ng in v7

Cmon, he tried to help you and there is not a single negative point in his reply. The least you can do is not insult him. Since you did not bother to say, that you went through these pages (calling it "short little blurb" didn't help), it was safe to assume you didn't read it and you might benefit f...
by vecernik87
Tue Oct 13, 2020 3:16 am
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 70
Views: 8728

Re: WinBox v3.27 released!

The latest Winbox versions do not save settings such as "Inline comments" and "Hide Passwords".
Yes it does. I just tested both switches and it works.
Screenshot 2020-10-13 111156.png
This is from latest winbox v3.27 (unfortunately it does not show the version in the open window)
by vecernik87
Tue Oct 13, 2020 3:04 am
Forum: The Dude
Topic: (BUG) Dude Client crashing on device details and charts
Replies: 21
Views: 3504

Re: (BUG) Dude Client crashing on device details and charts

I got an info on my bug report [SUP-20571] that they resolved the issue and the fix will be released in upcoming RouterOS update.

Hurray :)
by vecernik87
Tue Oct 13, 2020 2:21 am
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 520

Re: Vlan not working for me,

... the network is not stable at all sometimes it connects and sometime it does not. can mean anything. I couldn't agree more. Unfortunately I don't know anything further (yet). I provided reasonable step-by-step guide to OP so we can narrow down the issue (you know - ping this, ping that, connect ...
by vecernik87
Tue Oct 13, 2020 1:14 am
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 520

Re: Vlan not working for me,

@sob : thank you thank you thank you! First person saying that I didn't go crazy. btw:my last suggestion to OP in different conversation was exactly as yours - remove the bridge to minimize possible impact. He didn't reply yet so we will wait. @anav : Great. Now we are talking :) Sorry for stroking...
by vecernik87
Mon Oct 12, 2020 11:53 pm
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 520

Re: Vlan not working for me,

@anav: I didn't want to reply here because I was trying to help this guy in some other place and I hoped that another pair of eyes will notice the issue. I went through it and couldn't spot any mistake (I missed the IP on Ether2 which should be on bridge, but that shouldn't cause issues with VLANs t...
by vecernik87
Wed Oct 07, 2020 4:44 am
Forum: General
Topic: DoH config ignores local static entries
Replies: 7
Views: 598

Re: DoH config ignores local static entries

It is quite similar to previously repaired "*) dns - do not use DoH for local queries when a server is specified;" in 6.47.1 - in both cases DOH took priority from specified server or local static entry. Unfortunately this is known issue (for any forum user), reported several times since 6.47 was re...
by vecernik87
Tue Oct 06, 2020 1:51 am
Forum: Scripting
Topic: Script modem reboot
Replies: 5
Views: 256

Re: Script modem reboot

No matter what solution you choose, I agree that this is likely not doable with simple mikrotik script. Mikrotik can detect loss of connectivity and has simple, yet sufficient scripting language for any tasks done within RouterOS . It has no ability to interact with external tools except sending ema...
by vecernik87
Mon Oct 05, 2020 6:53 am
Forum: Beginner Basics
Topic: Cant' renew license---could not resolve DNS name error
Replies: 3
Views: 200

Re: Cant' renew license---could not resolve DNS name error

Okay, he seem to be bit confused with rules (e.g. allowing forward/input for DNS from ALL interfaces - pretty sure it should be allowed only from internal / customer facing interface), but I don't see any rule, which should prevent router itself to use DNS. I still believe that his router shouldn't ...
by vecernik87
Fri Oct 02, 2020 10:18 am
Forum: Virtualization
Topic: Winbox has been disconnected
Replies: 6
Views: 497

Re: Winbox has been disconnected

How did you actually "migrate"? If you copy/paste config, you might have MAC collision...
by vecernik87
Fri Oct 02, 2020 7:19 am
Forum: Beginner Basics
Topic: Cant' renew license---could not resolve DNS name error
Replies: 3
Views: 200

Re: Cant' renew license---could not resolve DNS name error

So your clients can use google DNS but your router can't? that seems bit strange
by vecernik87
Thu Oct 01, 2020 10:27 am
Forum: The Dude
Topic: When Link Down it should change colour
Replies: 2
Views: 172

Re: When Link Down it should change colour

afaik, not possible. The color changes gradually, based on traffic as a % of available bandwidth (by default black = no/small traffic, red = traffic using 100% of link capacity, as defined in link settings) This would be actually great feature request, if mikrotik was still developing TheDude. Unfor...
by vecernik87
Thu Oct 01, 2020 2:19 am
Forum: General
Topic: EoIP not working as expected
Replies: 4
Views: 239

Re: EoIP not working as expected

What @sindy said is right. Firstly make sure that MAC spoofing (promiscuous mode) is enabled and that VLANs are allowed in the virtual switch. the bug which @sindy mentioned is clearly related to my earlier investigation: https://forum.mikrotik.com/viewtopic.php?t=144744 I will test further because ...
by vecernik87
Wed Sep 30, 2020 6:02 am
Forum: General
Topic: Redundant EIOP tunnel [SOLVED]
Replies: 2
Views: 225

Re: Redundant EIOP tunnel [SOLVED]

Yup, my setup as described in the link would work perfectly in this situation. 1) Run two EoIP per each branch 2) merge them using bridge or mesh (mesh will give you literally zero packet failover) 3) modify path costs in bridge-ports / mesh-ports to specify which tunnel has priority and which one is...
by vecernik87
Tue Sep 29, 2020 12:05 pm
Forum: General
Topic: The problem of "communication" of different subnets in one bridge
Replies: 4
Views: 218

Re: The problem of "communication" of different subnets in one bridge

well, clearly the issue occurs when the traffic needs to pass through router. I don't think there is anything you could stuff up with the config - you described it very clearly (which makes me think that you know what you are doing). Two things to check: 1) do you have firewall rules allowing traffi...
by vecernik87
Tue Sep 29, 2020 3:41 am
Forum: General
Topic: VPN Site - Site + Road Warrior
Replies: 7
Views: 620

Re: VPN Site - Site + Road Warrior

Have you ever done that? Can you explain to me how you did it? Of course. Otherwise I wouldn't talk about it :D One of my current setups is following: https://app.diagrams.net/#Uhttps%3A%2F%2Fdrive.google.com%2Fuc%3Fid%3D1pqnKtG0pdkHpXwzonfnEBs0z8L3UmKhJ%26export%3Ddownload https://drive.google.com...
by vecernik87
Tue Sep 29, 2020 1:47 am
Forum: General
Topic: Feature request
Replies: 1
Views: 148

Re: Feature request

If you want something cool, go and buy UBNT. If you want something functional, don't expect coolness.

Personally, I am glad that people who are after coolness aren't buying Mikrotik, because it means less stupid questions and complaints from people who have absolutely no idea about networking.
by vecernik87
Thu Sep 24, 2020 11:13 am
Forum: RouterBOARD hardware
Topic: hAP ac³ switch chip?
Replies: 11
Views: 1056

Re: hAP ac³ switch chip?

..lot of new mikrotik devices have those low-cost retarded switches like RTL .. These "retarded" switches need to be understood as simple port-extenders. Maybe it is the cheapest way to make a multi-port router. I had similar way of thinking like you but then I realised we really should not expect ...
by vecernik87
Thu Sep 17, 2020 8:31 am
Forum: General
Topic: EOIP blocking TCP
Replies: 15
Views: 584

Re: EOIP blocking TCP

Nice job testing and describing the problem! Can it be possibly MTU issue? I have many EoIP tunnels and they certainly don't block anything. I literally just tested SSH on my production machines and it went through without any issue. The only other option I can think of is some bridge trouble (bridge ...
by vecernik87
Wed Sep 16, 2020 7:14 am
Forum: General
Topic: Can't login here with my password from 12 September 2020
Replies: 4
Views: 332

Re: Can't login here with my password from 12 September 2020

I second @Znevna - I reset my password with the same which I used previously. And since I already had strong password enough, I had no issue with it.
by vecernik87
Tue Sep 15, 2020 7:58 am
Forum: The Dude
Topic: The Dude - Confusion
Replies: 1
Views: 139

Re: The Dude - Confusion

I usually do this with a VPN to my server. Then, as long as the remote router has access to the internet, I can see them online and connect to them, even if they put the router behind NAT Dude itself is on-demand monitoring (server has to see clients and sends them requests, clients respond). Good t...
by vecernik87
Tue Sep 15, 2020 5:44 am
Forum: Announcements
Topic: Expected down time for this forum SEPT 11
Replies: 42
Views: 4151

Re: Expected down time for this forum SEPT 11

If password does not work and @krisjanis was upgrading the PHP version, there is likely different hashing algorithm. I mean... it shouldn't be because afaik each hash has short prefix announcing what algorithm is used, but I can imagine that phpBB forum detected new PHP version and forced different ...
by vecernik87
Tue Sep 15, 2020 2:19 am
Forum: Beginner Basics
Topic: ERROR: wrong username or password
Replies: 9
Views: 4700

Re: ERROR: wrong username or password

Interesting finding! thanks for feedback.
If the data are just forwarded (i.e. not ROMON etc), I find it unexpected for any router to modify/corrupt packets. Rather, I would guess that the interim router was accepting the packets and replying on its own possibly?
by vecernik87
Tue Sep 15, 2020 2:07 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 356

Re: Blocking Facebook, Tiktok and other websites

Blocking all IP from particular ASN will work only for services which have their ASN and do not serve their content from any other IP (Google,FB). However, it will also block other services, which are hosted on those IPs (e.g. google has their google cloud platform hosting heaps of 3rd party website...
by vecernik87
Mon Sep 14, 2020 10:50 am
Forum: Beginner Basics
Topic: ERROR: wrong username or password
Replies: 9
Views: 4700

Re: ERROR: wrong username or password

"wrong password" may appear if the user is not allowed to log in from used IP. check your users, whether they have limited addresses. e.g:
[vecernik@mikrotik] > /user export
/user
add group=full name=vecernik
add address=10.11.12.0/24 group=read name=test
As you can see, user "vecernik" can log in f...
by vecernik87
Mon Sep 14, 2020 10:42 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 356

Re: Blocking Facebook, Tiktok and other websites

Reliable block is impossible. No matter what suggestions will come later, I can guarantee that I will be able to figure out a way to get through, unless you completely block me from the internet. Partially reliable and very easy will be DNS method - force all DNS requests to mikrotik (dst-nat) and t...
by vecernik87
Mon Sep 14, 2020 10:24 am
Forum: General
Topic: CVE-2020-11881 PATCH [SOLVED]
Replies: 16
Views: 944

Re: CVE-2020-11881 PATCH [SOLVED]

I do not check them "so closely" and I think in 99% of time few days does not matter. I accept your point that this may be part of the thorough testing process for Longterm branch. (I edited my original post now to reflect this) But if BootlabsDev claims: The bug was reported on 06.04.2020 and wasn'...
by vecernik87
Mon Sep 14, 2020 10:14 am
Forum: General
Topic: Hiding other devices
Replies: 3
Views: 270

Re: Hiding other devices

In theory, you could create bridge-filter rules (not IP filter because it is on the same LAN, therefore L2 traffic, not L3), which will for example block ARP requests to particular IP addresses from your phone, but again, phone can easily change MAC, therefore it's not really a protection. Best solut...
by vecernik87
Mon Sep 14, 2020 10:07 am
Forum: General
Topic: CVE-2020-11881 PATCH [SOLVED]
Replies: 16
Views: 944

Re: CVE-2020-11881 PATCH [SOLVED]

Normis, I appreciate the new version which includes the fix, but please, do not fake release dates. EDIT: Understood. Date is related to "build" not "release". This release was definitely not live week ago, on 7th September. Why does changelog (and your post) claim it was? The topic with this releas...
by vecernik87
Fri Sep 11, 2020 5:08 am
Forum: General
Topic: Ampache & RouterOS web server on hAP ac2
Replies: 9
Views: 468

Re: Ampache & RouterOS web server on hAP ac2

you got it right - it is not implemented. What you did not get is, that it will never be implemented. As it was said earlier, router is not a multipurpose device and should not be perceived that way. Some people like to tinker with their devices so they managed to run this music screaming server on ...
by vecernik87
Thu Sep 10, 2020 5:54 am
Forum: General
Topic: VLANs on RouterBoard not working [SOLVED]
Replies: 8
Views: 332

Re: VLANs on RouterBoard not working [SOLVED]

I am very glad that it helped :) re. your second question: When working with /interface bridge port , each row has its own number as a unique identifier (if you know SQL, imagine it as a primary key in the DB). Then, each row has parameters (e.g. interface, pvid etc..). Your command actually said t...
by vecernik87
Thu Sep 10, 2020 5:08 am
Forum: General
Topic: VLANs on RouterBoard not working [SOLVED]
Replies: 8
Views: 332

Re: VLANs on RouterBoard not working [SOLVED]

You need to add "tagged bridge1" to your /interface bridge vlan . The relevant section should look like this:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether9 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether9 untagged=ether3,ether4,ether5,ether6,ether7,ether8 vlan-i...
by vecernik87
Fri Sep 04, 2020 3:05 pm
Forum: General
Topic: WOL over VPN
Replies: 5
Views: 395

Re: WOL over VPN

Of course you get reply on the ping. Question is whether you get reply from the device or from the router. Check your ARP records, your source device should see target IP with the correct MAC. That's why I asked this - the ARP record in your computer will prove, whether it is the device (therefore yo...
by vecernik87
Thu Sep 03, 2020 8:16 am
Forum: General
Topic: WOL over VPN
Replies: 5
Views: 395

Re: WOL over VPN

WOL is L2 functionality (you are sending packet to particular MAC address, therefore it will work only if your source and target devices are on the same L2 segment (to dumb it down - within the same LAN and same VLAN, not behind a router, not different VLAN). VPN may or may not be bridged (having sa...
by vecernik87
Tue Sep 01, 2020 8:54 am
Forum: Beginner Basics
Topic: [Q] how to add multiple firewall ip address in a single list?
Replies: 5
Views: 279

Re: [Q] how to add multiple firewall ip address in a single list?

It is not unfortunate display. You are not really creating lists. You are creating address entries which have property "list" . As long as the property "list" is same, entries are considered to be part of the same list. Once you use the list somewhere, all entries with the same property will be used...
by vecernik87
Fri Aug 28, 2020 5:13 am
Forum: RouterBOARD hardware
Topic: RB5011
Replies: 38
Views: 10346

Re: RB5011

I had no intention to say that it needs to be modified. I meant that "I wish for it, but I understand that it is not possible". After all, every device is perfect for particular task and it depends how we balance performance/price. I don't think that getting second SFP would be good justification fo...
by vecernik87
Thu Aug 27, 2020 1:42 am
Forum: RouterOS v7 BETA
Topic: Y u no can specify an interface in routers like you used to be able to?
Replies: 5
Views: 422

Re: Y u no can specify an interface in routers like you used to be able to?

It's just public beta... half of things do not work and it is expected. You should not use it anywhere else than testing lab...
by vecernik87
Wed Aug 26, 2020 8:30 am
Forum: General
Topic: VPN Site - Site + Road Warrior
Replies: 7
Views: 620

Re: VPN Site - Site + Road Warrior

... and that's exactly why I prefer to run GRE/EoIP through IPSec - keeping the policy as simple as possible. Internal IP traffic is then going through normal routing process and you can even easily match interfaces for VPN traffic in firewall instead of using "WAN" port as with IPSec.
by vecernik87
Wed Aug 26, 2020 8:21 am
Forum: RouterOS v7 BETA
Topic: Feature Request - Enterprise features like VSS, ZTP, IPv6 L3 HW offloading and SD-WAN
Replies: 13
Views: 1144

Re: Feature Request - Enterprise features like VSS, ZTP, IPv6 L3 HW offloading and SD-WAN

VSS - that would be nice ZTP - already available, although not completely out-of-box as with UBNT. Only true form of out-of-band management is a serial port and that is available. L3 HW offloading - in development, although it seems having some limitation (quite small amount of connections can be m...
by vecernik87
Tue Aug 25, 2020 6:45 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 16347

Re: v6.47.2 [stable] is released!

Very bad! I have hAP ac, after updating to version 6.47.2 I can no longer connect to the 5GHz network, only the 2.4GHz network is available, although the 5GHz module in the router settings has the status "running". I would never recommend MikroTik products because the software is very unstable! I d...
by vecernik87
Mon Aug 24, 2020 10:43 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 16347

Re: v6.47.2 [stable] is released!

All you have to do is back up your settings before upgrading and reset the router to default configuration, then upgrade router and then restore your backup . Even poor admins should not restore backup on other device or version that differs from where it was made. There is no problem restoring the...
by vecernik87
Mon Aug 24, 2020 7:02 am
Forum: Scripting
Topic: My Backup file contains malicious scripts
Replies: 4
Views: 497

Re: My Backup file contains malicious scripts

Netinstall - the only way to get rid of hidden stuff...
by vecernik87
Mon Aug 24, 2020 2:13 am
Forum: RouterOS v7 BETA
Topic: FEATURE REQUEST: BBR(Bottleneck Bandwidth and Round-trip propagation time) Congestion Control
Replies: 6
Views: 1107

Re: FEATURE REQUEST: BBR(Bottleneck Bandwidth and Round-trip propagation time) Congestion Control

I always thought that TCP congestion control is managed by endpoints? (e.g. web browser and web server) My understanding of BBR is, that endpoints are "smarter" and learn how the network behaves. Then they adjust sending rate based on this info. Network itself (any router on the path) is unaware of ...
by vecernik87
Sat Aug 22, 2020 12:02 pm
Forum: RouterBOARD hardware
Topic: RB5011
Replies: 38
Views: 10346

Re: RB5011

I think Design 1 is quite limited for nowadays - only 1G ports won't be very interesting, when almost every enthusiast/prosumer is looking at >1Gbit. However, with correct aggressive pricing, it might be still a great lower-mid range router. You could also drop the memory and flash to lower values to ...
by vecernik87
Fri Aug 21, 2020 1:06 pm
Forum: Beginner Basics
Topic: Remote Management Access using Public IP
Replies: 11
Views: 964

Re: Remote Management Access using Public IP

1+3) If we are talking about spoofing IP for TCP connection, then attacker must be on the route between original IP which he is trying to spoof and the target. Otherwise he will never get the reply, therefore no TCP connection... Statistics are applicable only if you are talking about random hacker ...
by vecernik87
Fri Aug 21, 2020 11:11 am
Forum: Beginner Basics
Topic: Remote Management Access using Public IP
Replies: 11
Views: 964

Re: Remote Management Access using Public IP

1) IP whitelisting provides limited security. Your ISP and any 3rd party in between your SRC and DST is in full control over data going through and can simulate connection with a fake IP. 2) Nonstandard port provides also very limited security. Technically, it is a "security through obscurity" and t...
by vecernik87
Fri Aug 21, 2020 2:29 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 16347

Re: v6.47.2 [stable] is released!

hAP Lite - not enough space for upgrade Thats a ~18 Euro hardware, dont expect much from such a device... That may apply for other manufacturers but not for Mikrotik. It is expected that software release will work on every supported device, no matter the price. Anyway, not enough space means most l...
by vecernik87
Thu Aug 20, 2020 4:28 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 16347

Re: v6.47.2 [stable] is released!

Are you guys serious? The second update, in the last couple of months, with problems you don't expect at all. One core is constantly 100% loaded with something incomprehensible. https://c.radikal.ru/c39/2008/2c/6e9b16a53516t.jpg At the moment, the download has dropped. But I would like to know what...
by vecernik87
Thu Aug 20, 2020 3:35 am
Forum: Virtualization
Topic: BUG: Bridge not work with MTU=1500
Replies: 2
Views: 351

Re: bug: Bridge not work with MTU>1500

Can you please test with smaller packets as well? Quite a while ago, I encountered similar issue, where VLAN-tagged packets were not passing through the bridge in CHR but everything worked fine when I bound VLAN to an ethernet interface. All details here: https://forum.mikrotik.com/viewtopic.php?f=1...
by vecernik87
Tue Aug 11, 2020 7:52 am
Forum: General
Topic: DHCP conflict detection issue
Replies: 3
Views: 1127

Re: DHCP conflict detection issue

I think you may be right. It is possible that originally they checked just by ICMP ping (compulsory by RFC) and now they are checking both ICMP and ARP (Optional by RFC). Reality is, that many devices refuse to answer ICMP on public interface so ICMP is not enough. What makes me sad is, that I alrea...
by vecernik87
Tue Aug 11, 2020 7:40 am
Forum: General
Topic: EoIP low performance
Replies: 3
Views: 1390

Re: EoIP low performance

I would say it is error in the testing method. I couldn't do it properly (correctly, Device-under-test should not be the one which generates/consumes the traffic) so I just took the first two devices I know of where I already have EoIP and ran the btest between them. In UDP mode, it easily went to 1...
by vecernik87
Fri Aug 07, 2020 3:49 am
Forum: General
Topic: DHCP conflict detection issue
Replies: 3
Views: 1127

Re: DHCP conflict detection issue

Conflict detection was always there (RFC requirement for DHCP servers). MT just added a checkbox to disable it (I am still puzzled who would need that because it breaks RFC). Hotspot is quite proprietary function, thus not covered by RFC. If you are having issues right now, I would recommend to incr...
by vecernik87
Fri Jul 31, 2020 8:27 am
Forum: General
Topic: DNS resolution vulnerability
Replies: 14
Views: 2415

Re: DNS resolution vulnerability

*facepalm* silly me :D Always forget to check gravediggers
by vecernik87
Fri Jul 31, 2020 6:30 am
Forum: General
Topic: DNS resolution vulnerability
Replies: 14
Views: 2415

Re: DNS resolution vulnerability

Sorry but i have to concur with marko. Default config with drop 53 added : Default config contains universal drop rule. You shouldn't need those individual drop rules. If you need them, you are clearly missing some important part. (you or someone else likely deleted that) To confirm original, unmod...
by vecernik87
Fri Jul 31, 2020 6:14 am
Forum: General
Topic: Masquerade rule on dynamic interface? [SOLVED]
Replies: 2
Views: 719

Re: Masquerade rule on dynamic interface? [SOLVED]

if the user can't connect more than once at a time, then you can simply create static "L2TP server binding" which will create your interface permanently. Alternative, possibly better way (no matter how many connections are we talking about) is to add profile, with selected "interface list". That is ...
by vecernik87
Wed Jul 29, 2020 10:09 am
Forum: Beginner Basics
Topic: mac address isolation
Replies: 2
Views: 629

Re: mac address isolation

Unless it is very VERY unusual website, there will be external dependencies and that will make the website unusable with any kind of firewall filter filter L7 filtering is best done in the browser itself, because browser can actually distinguish, if the request is website or if it is just a depende...
by vecernik87
Wed Jul 29, 2020 1:47 am
Forum: Beginner Basics
Topic: Hardware offload
Replies: 4
Views: 1285

Re: Hardware offload

@plisken : I am afraid that @CZFan is right. Your RB750Gr3 uses switch chip in MT7621 and that has almost no features supported with bridge offload. Not even STP/RSTP. you can check it here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading @CZFan : thanks for pointi...
by vecernik87
Thu Jul 23, 2020 9:05 am
Forum: Wireless Networking
Topic: RoMon
Replies: 2
Views: 598

Re: RoMon

Can't say for sure whether it is the case, but I know for sure that some UBNT devices (Unifi switches and Edge Switches are those which I tested) do not forward ROMON packets because the ethertype and MAC addresses are unusual. This whole ROMON network is a nice idea but too much proprietary and unu...
by vecernik87
Thu Jul 23, 2020 7:54 am
Forum: General
Topic: Long waiting time for internet access
Replies: 2
Views: 666

Re: Long waiting time for internet access

During the time when internet access is unavailable, I would: ping the gateway/router, ping the other computer (should be on the same LAN, right?) ping some public IP (e.g. 1.1.1.1 or 8.8.8.8 ) try to resolve some domain with default DNS (e.g. nslookup google.com) try to resolve some domain with spe...
by vecernik87
Mon Jul 20, 2020 6:08 am
Forum: The Dude
Topic: Can Dude monitor a Win10 PC with firewall on?
Replies: 6
Views: 1424

Re: Can Dude monitor a Win10 PC with firewall on?

when ping is blocked, ARP request usually does the job if you are on the same L2 segment. Unfortunately, TheDude does not have ARP probe, so the only way I know of is a script in RouterOS
by vecernik87
Sun Jul 19, 2020 10:34 am
Forum: General
Topic: Intermittent internet
Replies: 7
Views: 1771

Re: Intermittent internet

symptoms are typical for MTU issues... Maybe you need to add mangle with MSS clamp? Or just allow ICMP?

Anyway, you can confirm it by trying to ping with large packets:
ping 1.1.1.1 size=1500 do-not-fragment
by vecernik87
Sun Jul 19, 2020 5:34 am
Forum: Beginner Basics
Topic: Webfig login hack
Replies: 14
Views: 3749

Re: Webfig login hack

OP is funny. On the one hand, he is aware of tenable's exploits. On the other hand, he is unable to use them (despite the fact there is Proof of Concept script for every single exploit). @OP : Just reset the thing and live with it... Nobody with consciousness will guide you how to hack a device. Sinc...
by vecernik87
Fri Jul 17, 2020 1:12 pm
Forum: RouterOS v7 BETA
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 4803

Re: Traffic to blocked address still succeeds. Why? A bug?

any proxy is generally very powerful because it actually processes the request (therefore it understands exactly what is being requested and returned) but https proxies are also serious security threat - for HTTPS or generally SSL encrypted traffic (nowadays majority of internet traffic) you need to...
by vecernik87
Thu Jul 16, 2020 10:58 am
Forum: Wireless Networking
Topic: Wireless problem with Apple devices
Replies: 16
Views: 3091

Re: Wireless problem with Apple devices

AFAIK this is normal behavior from apple - they disconnect to save the power, when display is off (or device is locked) and they connect on regular basis to allow apps get updates/messages/notifications https://discussions.apple.com/thread/250285673 https://apple.stackexchange.com/questions/218354/h...
by vecernik87
Thu Jul 16, 2020 10:46 am
Forum: Forwarding Protocols
Topic: Client side VPN connection issues
Replies: 2
Views: 669

Re: Client side VPN connection issues

Sorry man, my crystal ball is in the service today so my clairvoyance ability is disabled for now :(

bit more serious advice: If you are losing customers, hire a consultant. If you want help, no matter where, provide info. Without info, nobody can help.
by vecernik87
Thu Jul 16, 2020 10:36 am
Forum: Beginner Basics
Topic: Secondary routes
Replies: 3
Views: 855

Re: Secondary routes

or you can just run GRE/EoIP within ipsec to make it nice routable tunnel... Is it naughty? yes. Does it cause more overhead? Yes. Does it make the whole management and failover easier to understand? Yes. You choose what is the priority :) ps: I am even more naughty. I actually run EoIP with Mesh (H...
by vecernik87
Thu Jul 16, 2020 10:21 am
Forum: General
Topic: IP Cloud
Replies: 62
Views: 26026

Re: IP Cloud

@AlexRodac : You can't do much. "IP Cloud" is just fancy name for Dynamic DNS. It helps if you have public dynamic IP - that means real world routable IP which can randomly change anytime. Every time IP changes, mikrotik will update the DNS entry and point the same unique domain name to the new IP. ...
by vecernik87
Tue Jul 14, 2020 3:58 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 147
Views: 58293

Re: v6.47.1 [stable] is released!

is it REALLY worth it!???? Yes it is. Let's call it planned obsolescence and what's the first rule of planned obsolescence? We don't talk about it! Ok, let's go from conspiracy theories back to the reality: It is well known that this is not a technical limitation. e.g. Mikrotik Audience with IPQ-4019 ...
by vecernik87
Mon Jul 13, 2020 1:41 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 147
Views: 58293

Re: v6.47.1 [stable] is released!

@jsadler: Do you have some switch chip configuration on those particular devices with faults? It might be relevant because quite a while ago, I had an experience with RBD52G (using Atheros 8327 switch chip) that some features from switch-chip menu were causing serious packet loss to a degree I had ...
by vecernik87
Sat Jul 11, 2020 1:30 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 147
Views: 58293

Re: v6.47.1 [stable] is released!

I think this might be about :resolve command with server parameter specified. E.g.: :put [:resolve google.com server=8.8.8.8] :put [:resolve example.com server=10.10.10.10] You may be right davis! I tested it just now with 6.47 (not working) vs 6.47.1 (working). So it was just misunderstanding of t...
by vecernik87
Fri Jul 10, 2020 3:29 pm
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 147
Views: 58293

Re: v6.47.1 [stable] is released!

Already reported for 6.48beta, but applies here, too:
*) dns - do not use DoH for local queries when a server is specified;
This is about forwarding? Looks like queries are still sent via DoH for me.
Anybody made this work?
Not working on mine either.
by vecernik87
Thu Jul 09, 2020 12:03 pm
Forum: General
Topic: Feature request: IPSec Support of DH group 31 (EC25519)
Replies: 5
Views: 1020

Re: Feature request: IPSec Support of DH group 31 (EC25519)

I don't think this is a sensitive/touchy topic. Official way to ask for features is going to your distributor and asking them. They will ask mikrotik (because your distributor is mikrotik's customer) and based on some magical formula, mikrotik may decide to implement it. Asking on forum is possible ...
by vecernik87
Thu Jul 09, 2020 3:26 am
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 8
Views: 1766

Re: BUG: DNS USE ONLY DOH

Gosh, I couldn't agree more. In no way I meant to say that L7 NAT hack is ideal. I actually hate it because it does not apply to RouterOS itself (Prerouting is not in Output chain) But as you acknowledged, it is better than nothing, if you can't have dedicated DNS appliance. I guess we are really pu...
by vecernik87
Wed Jul 08, 2020 2:00 pm
Forum: General
Topic: IPSEC Policy BUG - version 6.47
Replies: 4
Views: 900

Re: IPSEC Policy BUG - version 6.47

afaik, this seems to be known issue when a person uses an old winbox. (current version is 3.24)
Since it is not a new bug, there is not much reason to send it individually to support and waste their time.
by vecernik87
Wed Jul 08, 2020 1:48 pm
Forum: RouterBOARD hardware
Topic: PPTP 1000Mbit - which router should I choose?
Replies: 6
Views: 1232

Re: PPTP 1000Mbit - which router should I choose?

You probably mean PPPoE, right? In that case, almost any Gbit capable router should do the job. I would avoid those, which achieve gigabit just barely and/or have only single core. (e.g. RB2011) RB750Gr3 (hEX) if you want cheap-cheap RB760iGS (hEX S) if you want optical fiber RBD52G (hAP ac2) if you...
by vecernik87
Wed Jul 08, 2020 12:31 pm
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 8
Views: 1766

Re: BUG: DNS USE ONLY DOH

That is a theory but unfortunately this does not work with DOH right now. Mikrotik staff is aware (reported in [SUP-20565], resolved in v6.48beta12) and hopefully they will soon release fix in stable channel. Does it work for you with 6.48beta12? To my findings the behavior did not change. ouch, s...
by vecernik87
Wed Jul 08, 2020 11:26 am
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 8
Views: 1766

Re: BUG: DNS USE ONLY DOH

Mikrotik never tried to resolve DNS from multiple servers. If first one fail, mikrotik considers it as a valid response. If you want to resolve specific domains through different server, you can use FWD entry. E.G.: /ip dns static add forward-to=10.0.0.1 regexp=".*\.example\.local" type=FWD This wil...
by vecernik87
Tue Jul 07, 2020 2:58 am
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 106
Views: 57348

Re: Winbox v3.24 released!

Based on https://forum.mikrotik.com/viewtopic.php?f=21&t=161887&p=804375#p804344 I ended up here. To reproduce: open a window like "IP firewall filters" in a router that is in active use, and make sure the hit-counts of firewall rules are being displayed (and changing all the time). Now, position th...
by vecernik87
Mon Jul 06, 2020 1:33 pm
Forum: The Dude
Topic: RouterOS in bridge mode is not recognized
Replies: 2
Views: 556

Re: RouterOS in bridge mode is not recognized

Well, you answered your problem - if the router does not have IP, then it can't be reached by TheDude. I don't think anyone can give you any better advice, because you might have no IP on purpose. If you could share your network topology, it would help to understand and possibly overcome the trouble...
by vecernik87
Mon Jul 06, 2020 1:15 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 95858

Re: v6.47 [stable] is released!

Still, it does not seem that many users use (or even know about) that precaution...
because 95% of us are stuck with 16MB of space... :(
by vecernik87
Mon Jul 06, 2020 11:07 am
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 95858

Re: v6.47 [stable] is released!

another bug ... when going under IP/IPSec/Policy, and opening an existing one seems to exit winbox/crash winbox. Or adding new one. You simply cannot edit/create ipsec policies using winbox on 6.47. Winbox just crashes without any error message. thaaats interesting. I just recreated from scratch ou...
by vecernik87
Mon Jul 06, 2020 2:45 am
Forum: Scripting
Topic: Torrent blocking working in y2020
Replies: 20
Views: 2805

Re: Torrent blocking working in y2020

well, if it does not work 100% then it does not really help, don't you think? I mean - what difference it makes if the download takes bit more? Idea of blocking is, that NOTHING goes through. If it still starts after a while, it likely means you missed some port or regexp part, which still gets thro...
by vecernik87
Wed Jul 01, 2020 1:26 pm
Forum: The Dude
Topic: the new dude is garbage
Replies: 4
Views: 1122

Re: the new dude is garbage

Just wait until you see 6.47 :D
by vecernik87
Tue Jun 30, 2020 5:50 am
Forum: The Dude
Topic: (BUG) Dude Client crashing on device details and charts
Replies: 21
Views: 3504

Re: (BUG) Dude Client crashing on device details and charts

Reported as well. Hope they will look into it. Current status simply means I can't use it at all and I don't know whether I should start looking for something else or not. Even with small bugs and lack of development, TheDude was much friendlier monitoring system than any other which I tried. edit: ...
by vecernik87
Tue Jun 30, 2020 4:55 am
Forum: Scripting
Topic: IP cloud public address into variable
Replies: 3
Views: 706

Re: IP cloud public address into variable

print the data into console:
:put [/ip cloud get public-address]
Save into variable:
:global public_ipv4 [/ip cloud get public-address]
Enjoy :)
by vecernik87
Sun Jun 07, 2020 11:04 am
Forum: RouterOS v7 BETA
Topic: UI/UX On WinBox
Replies: 23
Views: 4306

Re: UI/UX On WinBox

Hello Dear, This has to be a troll... No troll, this type of word selection is typical for a country which I cannot name (for sake of political correctness). I hear/read this overly-friendly type almost every time I contact an off-sourced call center or customer support. That's simply how some people...
by vecernik87
Sat Jun 06, 2020 12:15 pm
Forum: General
Topic: DNS DoH [SOLVED]
Replies: 6
Views: 1527

Re: DNS DoH [SOLVED]

If you already did, then why are you asking?

TBH, I agree with @msatter, because If someone wants to stop me from visiting porn, they would have to physically cut the cable, otherwise I will find a way.
by vecernik87
Wed Jun 03, 2020 3:38 pm
Forum: Wireless Networking
Topic: Having a bigger dish? [SOLVED]
Replies: 2
Views: 815

Re: Having a bigger dish? [SOLVED]

Dish size will likely increase total dBi and therefore improve your signal. However, those trees are a problem. Instead of trimming them, maybe you can put both antennas on a little mast/tower? Also make sure you have aligned your dishes properly. In terms of wireless quality, there is no magic - it...
by vecernik87
Wed Jun 03, 2020 5:07 am
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 95858

Re: v6.47 [stable] is released!

It seems to me that DNS FWD does not work if there is DoH set up. I can imagine people who want to FWD their internal domain zones while securing all external/public requests. (If you want to test it, remember to flush cache before every request) Even with this little hiccup, I think it is a great u...
by vecernik87
Thu May 21, 2020 11:52 am
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 1361

Re: Firewall Rule not work with Microsoft DHCP server

Nobody got confused. Your computers are on the same subnet and on the same L2 segment (unless you separated them on the switch), therefore they can communicate directly between each other. Mikrotik will not even know about the communication because the switch will directly forward it to the correct ...
by vecernik87
Thu Apr 30, 2020 2:41 am
Forum: Virtualization
Topic: License rent for CHR
Replies: 8
Views: 1962

Re: License rent for CHR

Well, nobody says otherwise :D I literally confirmed the same. Also I gave an example how it would look if OP wanted to make it look like "lease" and I mentioned possible troubles which came into my mind. But the whole idea is clearly based on transfer of the perpetual licence between different CHRs ...
by vecernik87
Wed Apr 29, 2020 6:16 am
Forum: Virtualization
Topic: License rent for CHR
Replies: 8
Views: 1962

Re: License rent for CHR

Mikrotik itself does not provide any "leasing" ability, but you can do it as you described: - You own perpetual licence, which is bound to your mikrotik account. - You install customer's CHR and assign the licence to it. Unfortunately this requires the CHR to be assigned to your account, but that ca...
by vecernik87
Sun Apr 26, 2020 3:45 pm
Forum: Beginner Basics
Topic: Lease Expiry Causing DHCP Critical Error [SOLVED]
Replies: 23
Views: 4359

Re: Lease Expiry Causing DHCP Critical Error [SOLVED]

I thought that "sniff dhcp traffic" is clear enough. Apparently, I was wrong. Sorry for that. you need to filter it by: - interface (vlanbell or bell), please make sure you have only ONE interface selected. If you select both, you may get duplicate readings (because packet goes through VLAN as well ...
by vecernik87
Sun Apr 26, 2020 5:26 am
Forum: Beginner Basics
Topic: Lease Expiry Causing DHCP Critical Error [SOLVED]
Replies: 23
Views: 4359

Re: Lease Expiry Causing DHCP Critical Error [SOLVED]

This topic is getting to my favorite phase where I step in and ask "why the heck would you waste time, when you can simply sniff the DHCP traffic on the port?" You will clearly see if your router is asking for DHCP renew and when. You will see if there is some NAK answer or if the request is ignored...
by vecernik87
Sat Apr 11, 2020 3:42 pm
Forum: RouterOS v7 BETA
Topic: FEATURE REQUEST: Add Basic Firewall Rule Wizard
Replies: 63
Views: 13063

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job. I am not worried about my job. I am worried about general security and about wasting mikrotik's developers time on a feature, which will not have many uses. Simplifying a firewall rule wizard such a...
by vecernik87
Thu Mar 26, 2020 5:31 am
Forum: RouterOS v7 BETA
Topic: FEATURE REQUEST: Add Basic Firewall Rule Wizard
Replies: 63
Views: 13063

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

You can't simplify this. Each situation is different. For example some people may be behind ISP's NAT and use RFC1918 address... blocking bogons might break this... In addition, these "premade" rules may be incompatible with existing setting etc... If you have a single change against defconf, it may...
by vecernik87
Fri Mar 06, 2020 3:56 am
Forum: General
Topic: Feature requests
Replies: 1278
Views: 289061

Re: Feature requests

.... The reason, why we are using Stunnel, not other solutions is that it is very similar as simple HTTPS for DPI of internet providers, who are denying usage of openvpn and others too. So, vpn is not applicable solution in most of cases. Please, review the possibility to include Stunnel client in ...
by vecernik87
Fri Mar 06, 2020 3:49 am
Forum: General
Topic: feature request ADVANCED DNS Server
Replies: 42
Views: 11798

Re: feature request ADVANCED DNS Server

The included DNS features are as functional as they realistically need to be, for what MikroTik routers are C'mon, that's not true and you know it. If there is ability to put a static A entry, why not ability to put static MX or NS or other entries? It is literally one parameter in CLI/GUI. No real c...
by vecernik87
Thu Jan 23, 2020 12:01 am
Forum: Beginner Basics
Topic: Best monitor
Replies: 2
Views: 1088

Re: Best monitor

Cheapest monitor from Mikrotik would be RB2011 with LCD display. It can show pretty nice charts!
by vecernik87
Mon Nov 11, 2019 7:47 am
Forum: Wireless Networking
Topic: hAP AC2: 5GHZ is not showing
Replies: 9
Views: 4464

Re: hAP AC2: 5GHZ is not showing

the gadget simply did not detect the SSID (control channel was on channel 13). Next thing was to put in SIM card, after that it happily detected and used SSID still broadcasted on channel 13. That is actually interesting finding! thanks for sharing. Sometime I struggle with this and I never realise...
by vecernik87
Thu Nov 07, 2019 12:45 am
Forum: General
Topic: MikroTik hAP ac2 - PoE in problem
Replies: 16
Views: 3017

Re: MikroTik hAP ac2 - PoE in problem

RBGPOE-CON-HP is the way to go as said previously. hAP ac^2 might not be explicitly mentioned but implicitly it is: any 8-30V capable RouterBOARD device Also tech specs say, that the output is passive 24V: PoE in 802.3af/at Input Voltage 42-57V (Passive, Telecom, 802.3af and 802.3at PoE plus suppor...
by vecernik87
Wed Oct 30, 2019 3:48 am
Forum: Scripting
Topic: Script to delete itself after executing... [SOLVED]
Replies: 7
Views: 5012

Re: Script to delete itself after executing... [SOLVED]

It's only a guess, but I wouldn't be surprised if the script file is locked during execution and can't be deleted because of that. File is not locked. I delete my deployment script with following command (written as a last part of the init.rsc file): :do { /file remove flash/init.rsc } on-error={};...
by vecernik87
Wed Oct 23, 2019 1:18 pm
Forum: Wireless Networking
Topic: HWMP+ Mesh network preferring Wlan over Ethernet (incorrectly)
Replies: 6
Views: 3971

Re: HWMP+ Mesh network preferring Wlan over Ethernet (incorrectly)

I figured it out, set the Ethernet as WDS.
Great idea! switching to WDS helped, but I guess this is some bug in implementation
by vecernik87
Wed Oct 16, 2019 7:19 am
Forum: Announcements
Topic: Winbox v3.20 released!
Replies: 42
Views: 26083

Re: Winbox v3.20 released!

*) on update, Winbox will check that code is signed by MikroTik and not somebody else; Unfortunately this check still seems insecure. I remember your report ages ago and I always wondered how long till they fix that. I find this unbelievable that update process is vulnerable like that. Well, good t...
by vecernik87
Wed Oct 16, 2019 7:12 am
Forum: Beginner Basics
Topic: Is there a place where I may ask whitehat to hijack my ROS?
Replies: 4
Views: 1124

Re: Is there a place where I may ask whitehat to hijack my ROS?

Does it matter who hijacks it? Just publish your IP here or on FB/Twitter with hashtag #hackChallenge and soon you will have your results.
by vecernik87
Sun Aug 11, 2019 1:15 am
Forum: Beginner Basics
Topic: VLAN / DHCP basics
Replies: 4
Views: 994

Re: VLAN / DHCP basics

Just a follow up on previous answer (which is quite sufficient) Better advice would be to not use vlan 1 at all, as it is used for internal purpose by too many manufacturers. VLANs like 1,2, 4095 etc are quite popular among manufacturers for separating traffic internally and some devices simply stri...
by vecernik87
Thu Aug 08, 2019 12:55 am
Forum: The Dude
Topic: Security Issue in The Dude
Replies: 1
Views: 1970

Re: Security Issue in The Dude

Dude is no longer being actively developed and there is no way to protect the password. If you hide the error message, bad guy will simply replace the EXE with custom made program which shows any argument sent to the program. (that is as easy as it sounds)
by vecernik87
Sun Jun 30, 2019 11:04 pm
Forum: General
Topic: vlan on a bridge in a bridge
Replies: 17
Views: 2518

Re: vlan on a bridge in a bridge

One thing that nobody mentioned: vlan interfaces are "dumb" tag injectors. They don't implement any logic. Just inject tag or strip tag, depending on the direction and that pose a risk of tagging already tagged frames. And I am not talking about QinQ. I am talking about 3, 4 or even 5 layers of tags...
by vecernik87
Tue Jun 25, 2019 7:07 am
Forum: General
Topic: DHCPd specific IP addresses to specific physical ETHx ports.
Replies: 5
Views: 991

Re: DHCPd specific IP addresses to specific physical ETHx ports.

DHCP is L2 protocol. To give IP based on port, you will need to separate those ports from bridge (break L2 segment and therefore L2 broadcast/multicast). Next you create separate DHCP server per each port. Last (optional) step is to set ARP proxy for your LAN. That way, it will look like it is still...
by vecernik87
Sun Jun 23, 2019 3:37 pm
Forum: Wireless Networking
Topic: Need Advice to Cover 300 WiFi Users in Banquet Hall
Replies: 6
Views: 1417

Re: Need Advice to Cover 300 WiFi Users in Banquet Hall

Ok, we are slowly getting to area, which might get us banned (or at least topic locked/deleted) and I don't feel comfy with that. XG is real beast. I agree with you that 1500 is made up number (together with all other "up to XXX clients"), but truth is, that if any device can handle many clients, it...
by vecernik87
Fri Jun 21, 2019 12:12 pm
Forum: General
Topic: Mikrotik haplite have port 3-4 led lighting up without cable plugged in
Replies: 4
Views: 1117

Re: Mikrotik haplite have port 3-4 led lighting up without cable plugged in

If you are experienced and know exactly what you are doing, sure. But I guess in such case, you wouldn't be asking. Also, keep in mind that soldering will certainly void any warranty on the product.. If your product is still under warranty and you don't see bent pins, I would recommend to contact yo...
by vecernik87
Fri Jun 21, 2019 11:33 am
Forum: General
Topic: Disable "Reset All Counters" Button from Winbox GUI
Replies: 4
Views: 2899

Re: Disable "Reset All Counters" Button from Winbox GUI

We had similar discussion earlier - people asking to add a confirmation to "disable" and "remove" buttons, because "what if I accidentally click it" ? Well guess what? You can accidentally add a route, which will break stuff. You can accidentally reorder firewall rules which will break stuff. You ca...
by vecernik87
Fri Jun 21, 2019 10:17 am
Forum: Wireless Networking
Topic: Need Advice to Cover 300 WiFi Users in Banquet Hall
Replies: 6
Views: 1417

Re: Need Advice to Cover 300 WiFi Users in Banquet Hall

few cents from my experience: maximum capacity of 300 people that I need to cover with around 250-300 wireless clients Please decide if you really talk about capacity of the room or about expected amount of clients. By my experience, these are not the same. I have several similar rooms around the ci...
by vecernik87
Tue Jun 18, 2019 3:12 pm
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 57
Views: 6769

Re: single IP constantly trying to log to my Mikrotik

I wanted to make it non-intrusive but okay - note taken and blame fully accepted :) @krisjanisj Could you please also react to the topic to clear it up? It seems that both sides are pretty confident about their truth and for future reference, it would be good to have a clear solution. Or ideally - c...
by vecernik87
Tue Jun 18, 2019 5:44 am
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 57
Views: 6769

Re: single IP constantly trying to log to my Mikrotik

I feel almost bad for providing some feedback.
Sorry for not providing some hard data. And thanks @Emil66 for all explanations and patience. I don't have as much time recently, as I would like. And I would probably ragequit anyway in the process.
by vecernik87
Mon Jun 17, 2019 10:49 am
Forum: General
Topic: 1072/1036 : High CPU :
Replies: 2
Views: 593

Re: 1072/1036 : High CPU :

1) any srcnat (srcnat/masquerade/netmap...) rules with manually specified range of ports? 2) any content/L7 conditions in your firewall rules? if not, what other conditions do you usually use? 3) do you have "accept established/related" filter rule in forward chain on top of your rules? 4) what is t...
by vecernik87
Fri Jun 14, 2019 11:27 pm
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 57
Views: 6769

Re: single IP constantly trying to log to my Mikrotik

I wouldn't advise to use raw-prerouting rule. It might have negative impact on speed of all (including fasttracked) connections. Original idea with filter-input rule was better. It was probably just incorrectly placed on the end of all rules. Raw-prerouting is great for specific purpose - when y...
by vecernik87
Fri Jun 14, 2019 5:50 am
Forum: General
Topic: hAP ac² as switch + ap
Replies: 9
Views: 1698

Re: hAP ac² as switch + ap

Thanks a lot for all the help and information. I just needed to know that it's possible but you've given me plenty more than just that info. As long as it's doable I'm sure I can make it work (eventually). I'm going to go ahead and place my order. Absolutely doable. I use this very often. I actuall...
by vecernik87
Fri Jun 14, 2019 4:10 am
Forum: General
Topic: vlan bridge to port [SOLVED]
Replies: 10
Views: 1520

Re: vlan bridge to port [SOLVED]

Exactly as Anav said. This is not adidas (more stripes = more adidas = better). More bridges are not better. More bridges are bad and lead to serious misconfigurations
by vecernik87
Fri Jun 14, 2019 3:40 am
Forum: Scripting
Topic: :tobool not working as expected
Replies: 4
Views: 1638

Re: :tobool not working as expected

@ADahi : That is not a solution. He clearly wants to work with string. If you do local string true; , then you got variable named "string" containing boolean value. There would be no point in converting it to boolean if it already is boolean. @sin3vil : If you really require it to work with "true"...
by vecernik87
Fri Jun 14, 2019 3:04 am
Forum: General
Topic: Cablelabs Micronets
Replies: 4
Views: 1261

Re: Cablelabs Micronets

Any reason to create multiple topics? viewtopic.php?f=2&t=145875

I am really starting to believe that you are shareholder in one of key companies and you want to promote this craziness...
by vecernik87
Fri Jun 14, 2019 2:08 am
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 1232

Re: Annoyed with Mikrotik 'Support'

I have a list of 4 or 5 questions This is typical trouble with ticket-based support. It is not designed for multi-question cases. I did this mistake few times as well (although not with mikrotik) and I learned quickly that putting multiple questions into single ticket is impossible. Even with norma...
by vecernik87
Thu Jun 06, 2019 6:25 am
Forum: General
Topic: Mikrotik Console Port
Replies: 4
Views: 907

Re: Mikrotik Console Port

I am not 100% sure because I didn't test it, but there is protected-routerboot option. This is extremely dangerous as it disables both netinstall and console access. If your device malfunctions and you can't log in via network, you will have little chances to restore it. Due to that, I would also su...
by vecernik87
Thu Jun 06, 2019 6:12 am
Forum: RouterBOARD hardware
Topic: wAP AC (RBwAPG-5HacT2HnD) - How to reduce temperature by 8-10 degrees
Replies: 2
Views: 1040

Re: wAP AC (RBwAPG-5HacT2HnD) - How to reduce temperature by 8-10 degrees

If you drilled several holes next to each other (making a little grid), it would have same function but nothing could fall inside.

Maybe I should share my own hack - remove whole cover and temperature will be reduced even more! (what a surprise, right? :D )
by vecernik87
Wed Jun 05, 2019 2:16 am
Forum: General
Topic: EOIP - ethernet over IP protocol
Replies: 3
Views: 805

Re: EOIP - ethernet over IP protocol

Just clarification of previous post - you don't need RouterBoard (physical device), but you need a RouterOS on both ends. That's because EoIP is proprietary extension of GRE and as far as I know, nobody else supports it except Mikrotik. RouterOS can be either on physical device (RouterBoard) or on vi...
by vecernik87
Tue Jun 04, 2019 4:07 pm
Forum: RouterBOARD hardware
Topic: Cheapest router for home use with 1Gb
Replies: 7
Views: 2546

Re: Cheapest router for home use with 1Gb

I think replies above forgot what "cheapest" means. literally "cheapest" is rb750gr3 (hEX) as it costs only 59 USD. slightly more expensive is already mentioned rbd52g (hAP ac^2) which is 69 USD but gives you twice as many CPU cores and integrated wifi. top "cheap" model would be (again already menti...
by vecernik87
Tue Jun 04, 2019 11:28 am
Forum: General
Topic: dst-nat with changing port
Replies: 20
Views: 2619

Re: dst-nat with changing port

Thanks for feedback! This info is very appreciated. I was really wondering what will be the issue and I definitely didn't expect something like that.
by vecernik87
Sat May 25, 2019 1:17 am
Forum: Forwarding Protocols
Topic: How to block neighbours Advertisment
Replies: 6
Views: 9062

Re: How to block neighbours Advertisment

You can't do it with ip firewall. It works only with bridge filter. That means you must have the interface in bridge, even if it is a single port bridge
by vecernik87
Tue May 21, 2019 9:17 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 4462

Re: Bridge -> root bridge

I thought others might provide answer. well... Do I need to set RSTP bridge too for my CRS (switch) or let my STP protocol mode on my CRS set to NONE since CCR already handle the root bridge? (R)STP is designed to work with non-STP bridges (Setting to "none" will make it behave almost like it is not...
by vecernik87
Tue May 21, 2019 4:36 am
Forum: General
Topic: Mikrotik offering lease continually without success
Replies: 2
Views: 690

Re: Mikrotik offering lease continually without success

DHCP is very simple protocol with just 4 steps: Discovery->Offer->Request->Acknowledge. If anything goes wrong, It is usually very clearly visible. 1) do you have any DHCP relays or is it just pure L2 network? 2) Is there any response or is there no response at all from your client? If the Request c...
by vecernik87
Mon May 20, 2019 2:28 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 613
Views: 189460

Re: RouterOS v7.0 beta1 - when?

Some more difficult parts need to be done and we can release a public beta. @normis : so in another words, the easier parts are done and now we are just couple of decades from release? (nah, don't get offended. I really, really appreciate everything you do as long as you don't lie to us or keep sil...
by vecernik87
Mon May 20, 2019 6:36 am
Forum: General
Topic: Please add basic portScan tool ( port scanner scan )
Replies: 54
Views: 21042

Re: Please add basic portScan tool ( port scanner scan )

... 2x times this week different customers needed us to find a cctv DVR on their system (which is behind our mikrotik). would have been so quick via port scan x/24 for port 80 via a ROS ps tool . but instead had to setup a MT + a VPN setup on both sides and a laptop with nmap (about 20-30min, each ...
by vecernik87
Sun May 19, 2019 5:13 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 4462

Re: Bridge -> root bridge

8000 hex (32768 dec) is very common default value all around (cisco, juniper, hp, ubnt) although I am not aware of any specs saying that it must be this way. I remember very well an issue with UBNT EdgeRouterLite, which had default STP priority 0 on its LAN bridge. On one hand, it makes sense tha...
by vecernik87
Sat May 18, 2019 12:10 pm
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 4462

Re: Bridge -> root bridge

I see, to keep bridge MAC consistency, I'll just enable admin-mac with its original IP MAC then. Personally I keep consistency only of first 3 bytes which denote vendor/function. second 3 bytes are usually just serially increasing and have no function. That's why I usually change the 4th byte. Keepi...
by vecernik87
Sat May 18, 2019 8:27 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 4462

Re: Bridge -> root bridge

So this issue is caused by my CCR Ethernet mac starts with 74::::: No. Your issue was caused by not specifying priority. You cannot depend on MAC addresses because in future, you or anyone else might plug in another device anywhere on the network, which will have even lower MAC address and bang! Yo...
by vecernik87
Sat May 18, 2019 3:20 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 4462

Re: Bridge -> root bridge

http://www.firewall.cx/images/stories/stp-root-bridge-election-1.png The lower one of course: 0x8000.4C:5E:0C:B3:EA:E5 < 0x8000.74:4D:28:38:AA:0A However, if you change the priority of second bridge with higher MAC, it will be opposite: 0x8000.4C:5E:0C:B3:EA:E5 > 0x1000.74:4D:28:38:AA:0A As...
by vecernik87
Fri May 17, 2019 5:14 pm
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 4462

Re: Bridge -> root bridge

Will specifying admin-mac can remedy this issue? No, it will not. Theoretically you could find a MAC address which would give it priority but that is wrong approach. And how can I make my bridge as the root bridge (even if there's other root ports in the network?) I already told you - give your bri...
by vecernik87
Fri May 17, 2019 10:14 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 4462

Re: Bridge -> root bridge

Each bridge has STP priority. Default is 8000 hex. If you set it lower, it signals to STP protocol, that the bridge is more close to the root. Usually you can see people using numbers like 1000 / 2000 / 4000 etc , to prioritize their root bridge. You can read more about it here: https://wiki.mikroti...
by vecernik87
Fri May 17, 2019 8:51 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 101099

Re: v6.45beta [testing] is released!

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because attacker can't run binary (and if attacker can run binary, it won't matter because your device is already compromised) If we talk about VM, then RouterOS (CHR) vulnerabi...
by vecernik87
Thu May 16, 2019 1:28 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 101099

Re: v6.45beta [testing] is released!

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really concern.
by vecernik87
Thu May 16, 2019 3:28 am
Forum: RouterBOARD hardware
Topic: Can't read Voltage via SNMP on CRS112-8P-4S
Replies: 25
Views: 7160

Re: Can't read Voltage via SNMP on CRS112-8P-4S

Long time? Not even 10 years yet. You seem to be bit impatient, don't you think? :D
by vecernik87
Thu May 16, 2019 1:38 am
Forum: General
Topic: dst-nat with changing port
Replies: 20
Views: 2619

Re: dst-nat with changing port

Thanks for update. Personally I don't think this has something with the version. If you are sure that packet enters Mikrotik on port 8122 but nothing leaves, it is good - that means you can do something with it. I would suspect other firewall rules (all tables except "raw" can contain the culprit). ...
by vecernik87
Wed May 15, 2019 2:54 pm
Forum: Scripting
Topic: Knock secret daily changeable
Replies: 10
Views: 1436

Re: Knock secret daily changeable

So as a very simple first layer, why not. You are literally arguing in favour of plain-text passwords. Can you imagine logging into your Gmail or Hotmail on plain old http? :roll: Sorry, I just can't agree with this approach. And I will warn people every time I notice someone promoting port-knocking...
by vecernik87
Wed May 15, 2019 2:30 pm
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1419

Re: bridge + eoip + horizon = loop [SOLVED]

"default forwarding" on wlan is something different: default-forwarding=yes - data from one wlan client to another (on the same wlan interface) are passing directly through wlan interface. It does not leave the interface (interface behaves almost like it had an internal bridge) It looks like this: c...
by vecernik87
Wed May 15, 2019 2:18 pm
Forum: General
Topic: RB3011 Optimal Operating temperature
Replies: 4
Views: 799

Re: RB3011 Optimal Operating temperature

let me rephrase, if I understand that correctly (I am also curious about this) "The device is guaranteed to perform the same way, within whole temperature range" Is that right? Or are there any catches? (similar to the "waterproof" phones which must not be submerged despite IP rating) Because I can ...
by vecernik87
Wed May 15, 2019 2:07 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 9179

Re: v6.43.15 [long-term] is released!

It is not a happy event, but no need to panic. Things like this have happened to bigger organizations, like the famous Tuesday Patch of Microsoft which used to cause more worry than security. I am not panicking :) I have really great time on older version while waiting for others to take the beat f...
by vecernik87
Wed May 15, 2019 12:39 pm
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1419

Re: bridge + eoip + horizon = loop [SOLVED]

:( I guess last idea: Can you try to sniff the data? That's how I figured out it was caused by RSTP in my case. If you put /tool sniffer on your EoIP, it should show few packets before it gets down for another minute - one or more of these packets will be most likely those which cause issues. Or may...
by vecernik87
Wed May 15, 2019 11:54 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1419

Re: bridge + eoip + horizon = loop [SOLVED]

/interface bridge filter
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF 
I guess you could specify ports/bridges to make sure your local bridge will be unaffected.

Edit: removed second rule. I didn't realize that one is ROMON block, not STP.
by vecernik87
Wed May 15, 2019 11:45 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1419

Re: bridge + eoip + horizon = loop [SOLVED]

just remember that rstp can be forwarded from another device. It can be identified as having DST mac 01:80:C2:00:00:00 / 01:80:C2:00:00:08 - all these dst mac must be blocked. sorry to hear it didn't work for you :( It did in my case and it helped many people earlier. What if you really have a loop ...
by vecernik87
Wed May 15, 2019 11:29 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1419

Re: bridge + eoip + horizon = loop [SOLVED]

Most likely known bug: EOIP generates this everytime it receives an (R)STP frame. On my devices I solved it by blocking all input/output/forward (R)STP frames in bridge-filter on both ends of EoIP.
Not sure if it will be ever fixed.
by vecernik87
Wed May 15, 2019 11:10 am
Forum: Scripting
Topic: Knock secret daily changeable
Replies: 10
Views: 1436

Re: Knock secret daily changeable

Are you aware that port-knocking is nothing else than different variant of plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don't understand why people still spend so much effort implementing such insecure approach.
by vecernik87
Wed May 15, 2019 11:02 am
Forum: General
Topic: dst-nat with changing port
Replies: 20
Views: 2619

Re: dst-nat with changing port

@cwsupport : Netmap is not necessary. It's only advantage is, that it allows range of addresses to be translated to another range of addresses. In this case, dst-nat is fine because OP needs just one ip/port. I have done this kind of forwarding countless times and there is no special catch on it. @...
by vecernik87
Wed May 15, 2019 10:04 am
Forum: Beginner Basics
Topic: Wireless to POE
Replies: 1
Views: 489

Re: Wireless to POE

Firstly you need to figure out what kind of PoE your camera support. Not every device is same. Some require 802.3af, some require 802.3at, Some only passive 24V or other.... Even if its same 802.3af/at, it can still differ in modes: A or B (endspan/midspan) Be very cautious, if you receive an from s...
by vecernik87
Wed May 15, 2019 9:58 am
Forum: Beginner Basics
Topic: VPN PPTP Passthrough Problem
Replies: 4
Views: 1711

Re: VPN PPTP Passthrough Problem

Do you have both rules in NAT table (chain dst-nat, action dst-nat) and FILTER table (chain forward, action accept)? Or even better - can you export related rules or whole ip/firewall? /ip firewall export hide-sensitive file=asdf.txt Once you download file, feel free to hide any sensitive data befor...
by vecernik87
Wed May 15, 2019 9:50 am
Forum: Virtualization
Topic: Server 2019 HV with chr-6.44.3 no bridge function
Replies: 2
Views: 2065

Re: Server 2019 HV with chr-6.44.3 no bridge function

If something so simple as bridge does not work, it is either mis-configuration or bug. - Could you firstly describe closer, what are you trying to achieve and what exactly does not work? (i.e. how to reproduce the error). - Does normal forwarding or at least Rx/Tx on Ethernet ports works? - Is it re...
by vecernik87
Wed May 15, 2019 9:43 am
Forum: RouterBOARD hardware
Topic: hap ac2 din rail mount [SOLVED]
Replies: 2
Views: 1103

Re: hap ac2 din rail mount [SOLVED]

Haven't tried but if you look for "din rail universal bracket" or "din rail universal mount", you will find thousands of little plastic clips. Some of them might be easy to screw on existing hap ac^2 transparent stand. Then you clip your stand to din rail, clip your router on it and you are done :)
by vecernik87
Wed May 15, 2019 8:00 am
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 9179

Re: v6.43.15 [long-term] is released!

Support got back really fast. No wonder. Memory leak in "long-term" (previously "bug-fix") branch is ridiculous failure of their QA team. I find it sad if we can't rely even on the most stable branch. Maybe its time to offer money for better support? If the fee is reasonable, I wouldn't have proble...
by vecernik87
Tue May 14, 2019 5:42 am
Forum: Forwarding Protocols
Topic: Jumbo Frames, L2MTU mismatch with RouterOS crashing
Replies: 3
Views: 2561

Re: Jumbo Frames, L2MTU mismatch with RouterOS crashing

Thanks for sharing! This is actually very interesting to know.
I wouldn't expect it but I am also not very surprised since ROMON has unresolved issues when connection has less than 1500 MTU (typically L2 tunnels etc..)
by vecernik87
Mon May 13, 2019 4:40 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 9179

Re: v6.43.15 [long-term] is released!

*) webfig - improved file handling; *) winbox - improved file handling; Which CVE is it this time? :lol: Did it at least require authorised user? (before you start hating me, remember that I don't mind about vulnerabilities. They are everywhere. I mind, when vulnerability is silently fixed without ...
by vecernik87
Sun May 12, 2019 5:33 am
Forum: Virtualization
Topic: CHR does not transmit frames with VLAN tags from bridge
Replies: 6
Views: 3726

Re: CHR does not transmit frames with VLAN tags from bridge

update: I just got chance to test this config on ESXi 5.5 and surprise-surprise, it works! (obviously, vlans and promiscuous mode must be enabled on virtual switch)
by vecernik87
Thu May 09, 2019 3:08 pm
Forum: General
Topic: EOIP TCP problem
Replies: 6
Views: 1245

Re: EOIP TCP problem

Without eoip, on the same latency, do you get better results?
I can't imagine how could you get any reasonable speed on tcp with 60ms latency. That delay is just killing it.
by vecernik87
Tue Apr 30, 2019 9:57 pm
Forum: General
Topic: Feature requests
Replies: 1278
Views: 289061

Re: formal port knocking

I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).
Kids control.
'nuff said
by vecernik87
Fri Apr 19, 2019 1:59 am
Forum: RouterBOARD hardware
Topic: 750 gr3 bin bios file
Replies: 5
Views: 1387

Re: 750 gr3 bin bios file

well, the "fwf" file is exactly the firmware which I talked about and which is part of every "bundle" or "system" NPK package.
If OP thinks he needs a "bin", well, thats his choice. I already told him there is no such thing.
by vecernik87
Thu Apr 18, 2019 6:54 am
Forum: Beginner Basics
Topic: Remove interface from console [SOLVED]
Replies: 2
Views: 1169

Re: Remove interface from console [SOLVED]

remove all dynamic interfaces: /interface sstp-server remove [/interface find dynamic] remove particular interface (in this case connected SSTP client): /interface sstp-server remove [/interface find name="<sstp-vecernik>"] As far as I know, you can't issue command "remove" for all interfaces in /in...
by vecernik87
Thu Apr 18, 2019 6:24 am
Forum: RouterBOARD hardware
Topic: 750 gr3 bin bios file
Replies: 5
Views: 1387

Re: 750 gr3 bin bios file

There is no such thing published by Mikrotik. If you want, you can download NPK and unpack it (Not that hard - all tools were made public by security researchers over year ago. If you can't, don't really bother with anything else). Once unpacked, you can go through files and identify the one which yo...
by vecernik87
Mon Apr 15, 2019 9:51 am
Forum: Beginner Basics
Topic: L2 connection mikrotik<->mikrotik breaks some https connections
Replies: 2
Views: 616

Re: L2 connection mikrotik<->mikrotik breaks some https connections

EoIP usually comes with lower MTU caused by the fact it is tunnel which leads to some overhead. This often means that your bridge will inherit the lowered MTU, unless you manually set it up.

Try to change MTU on your bridge manually to 1500 :)
by vecernik87
Sun Apr 14, 2019 5:24 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 101099

Re: v6.45beta [testing] is released!

I have a CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and still issue persist. My win...
by vecernik87
Sat Apr 13, 2019 7:21 am
Forum: Beginner Basics
Topic: Router for my new home!
Replies: 14
Views: 2169

Re: Router for my new home!

Hey :) Well, you can use something like this https://mikrotik.com/product/RB951Ui-2HnD or this https://mikrotik.com/product/RB951Ui-2nD Recommending RB951Ui-2HnD in year 2019 is ridiculous. This model has been here for ages. It does not have gigabit ports, CPU has just one core, wifi is just 2.4GHz...
by vecernik87
Fri Apr 12, 2019 4:32 am
Forum: General
Topic: OpenVPN. Connected. Hex can ping, local pc's can't.
Replies: 6
Views: 1334

Re: OpenVPN. Connected. Hex can ping, local pc's can't.

add action=accept chain=input this one is BIG security issue. Your first rule literally says "accept any packet from everywhere, including wan". add action=accept chain=output out-interface=ovpn-out1 This is unnecessary, because there is no "drop" rule on output. Implicitly, every output will be allo...
by vecernik87
Fri Apr 12, 2019 4:01 am
Forum: Scripting
Topic: Fail-Over
Replies: 8
Views: 1646

Re: Fail-Over

ahahahahaha: /tool fetch mode=https url="https://#####.com/Crenein-Install-FaOv.rsc" /import file="Crenein-Install-FaOv.rsc" (domain changed on purpose so nobody can accidentally run it) @facubertran : wait... seriously? Do you expect anyone to download and run ambiguous script on their device? Why ...
by vecernik87
Fri Apr 12, 2019 3:56 am
Forum: General
Topic: OpenVPN. Connected. Hex can ping, local pc's can't.
Replies: 6
Views: 1334

Re: OpenVPN. Connected. Hex can ping, local pc's can't.

If you were on the same subnet, I would say you are missing arp-proxy on your LAN interface - very typical situation. However, you are saying that there is different subnet on each side. That suggest you don't have correct routes and/or firewall is blocking the communication. Could you share more in...
by vecernik87
Fri Apr 12, 2019 2:48 am
Forum: General
Topic: Feature requests
Replies: 1278
Views: 289061

Re: Feature requests

To be honest, this is one of features which would be amazing and very appreciated. Although it is possible to do through third-party device, it would be much more convenient to do it directly through ROS. Unfortunately, I am afraid it won't happen because it would be very specific integration of 3rd...
by vecernik87
Fri Apr 12, 2019 2:15 am
Forum: Beginner Basics
Topic: Why is my speed cut by 75%??
Replies: 9
Views: 1529

Re: Why is my speed cut by 75%??

No worries, happy to help :)

ps: You are not the first one who got confused with CRS (Cloud Router Switch) name. Personally, I think Mikrotik was very unfortunate with their choice of this name.
by vecernik87
Fri Apr 12, 2019 2:08 am
Forum: Beginner Basics
Topic: RB2011UiAS CPU load 100% and only 20Mb traffic
Replies: 5
Views: 987

Re: RB2011UiAS CPU load 100% and only 20Mb traffic

Duplicate of https://forum.mikrotik.com/viewtopic.php?f=13&t=147535 ? I already gave you answer there and surprise-surprise - its almost same as what @enggheisar said here. Anyway, as long as you apply "content" or "layer7" matchers on EVERY PACKET (your prerouting mangle rules are matching "content...
by vecernik87
Thu Apr 11, 2019 12:50 pm
Forum: Beginner Basics
Topic: I can't get more than 20MB trafic, help
Replies: 2
Views: 641

Re: I can't get more than 20MB trafic, help

with so many firewall rules, poor RB2011 must be screaming in pain. to be more specific: - sniffing mangle rules! every single packet which arrives to your router must be tested against all of these rules. If it gets matched, then it also creates additional CPU utilization. - forwarding filter rules...
by vecernik87
Thu Apr 11, 2019 11:20 am
Forum: RouterBOARD hardware
Topic: S-3553LC20D support fiber drop cable ?
Replies: 1
Views: 660

Re: S-3553LC20D support fiber drop cable ?

drop cable usually can maintain around -19~ -21 dBm. attenuation always depends on type and length of the cable. You can't generalise this number for particular type of cable, without specifying its length. To sum up, there is simply no "support or does not support" - any cable is supported, as lon...
by vecernik87
Thu Apr 11, 2019 6:59 am
Forum: RouterBOARD hardware
Topic: PowerBox and non-Poe devices: Will it damage devices like a laptop? [SOLVED]
Replies: 5
Views: 1223

Re: PowerBox and non-Poe devices: Will it damage devices like a laptop? [SOLVED]

You got it exactly right! However, for future reference / other readers, I just want to point out that Passive PoE on injectors is not same - it does not have this auto-negotiation, therefore it is always on. Only Routerboards have auto-negotiation support for passive PoE. You may also find that som...
by vecernik87
Wed Apr 10, 2019 12:59 pm
Forum: Scripting
Topic: Get single IP from interface which have multiple IP' assigned [SOLVED]
Replies: 3
Views: 989

Re: Get single IP from interface which have multiple IP' assigned [SOLVED]

well, it depends if you want to use it in script or just display value in CLI. the :put command is like an "echo" or "print" in other languages - it displays content of variable. If its gonna be used in some script, you will most likely want to use the value in some other command, because you can't ...
by vecernik87
Wed Apr 10, 2019 11:59 am
Forum: Scripting
Topic: Get single IP from interface which have multiple IP' assigned [SOLVED]
Replies: 3
Views: 989

Re: Get single IP from interface which have multiple IP' assigned [SOLVED]

The whole issue is that your [find interface="xxx"] returns an array of interfaces. All you need to do is pick one:
/ip address get [:pick [find interface="ether6"] 0] address
or, if you want to test it in console, simply:
:put [/ip address get [:pick [find interface="ether6"] 0] address]
by vecernik87
Tue Apr 09, 2019 2:59 pm
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 32292

Re: v6 RC and v7 BETA

I must admit that you pointed out much more relevant interpretation. I am just afraid, if it ends up that way (e.g. dropping support to mipsbe/tile etc...) Therefore I am not sure if its funnier or scarier.
by vecernik87
Tue Apr 09, 2019 2:29 pm
Forum: Beginner Basics
Topic: Circle topology
Replies: 2
Views: 586

Re: Circle topology

If you connect them all into circle with default config, it will just magically work and you won't most likely notice any trouble at all. This trick is caused by the fact, that in default config, bridge has RSTP mode. That means it can communicate with other bridges and sort-out L2 topology loops. S...
by vecernik87
Tue Apr 09, 2019 2:28 pm
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 32292

Re: v6 RC and v7 BETA

Well, I was actually referring to time before Diablo 2 .. I guess its too old for people to remember today...
by vecernik87
Tue Apr 09, 2019 5:44 am
Forum: Beginner Basics
Topic: Why is my speed cut by 75%??
Replies: 9
Views: 1529

Re: Why is my speed cut by 75%??

Don't forget the hardware encryption: from 6.43.1 onward the RB3011 supports it. I would be careful with that... I already saw one report of RB3011 with panicking kernel , which I bet was caused by this "update"... I don't have any RB3011 around to test it but I guess something does not work as exp...
by vecernik87
Tue Apr 09, 2019 4:49 am
Forum: Beginner Basics
Topic: Why is my speed cut by 75%??
Replies: 9
Views: 1529

Re: Why is my speed cut by 75%??

CRS without fasttrack as a router - that's definitely cause of the issue. It simply does not have enough CPU power. I am not sure if you don't have fast track on purpose (it can't be enabled if you want to use simple queues, ipsec and some other features ) or if you don't have it by mistake. It defin...
by vecernik87
Tue Apr 09, 2019 1:55 am
Forum: The Dude
Topic: Dude Installation instructions don't work
Replies: 6
Views: 2914

Re: Dude Installation instructions don't work

It is (ehm) mature software. Just documentation lacks some details... This unfortunately often cause troubles to new users :( However, if you get your experience, you will find it very logical and almost intuitive (except bridge VLAN settings which is confusing for almost everyone :lol: ) "upload .n...
by vecernik87
Tue Apr 09, 2019 1:43 am
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 32292

Re: v6 RC and v7 BETA

To my knowledge, mostly people crave for better support of multithreaded routing ( which was promised long time ago ) and drivers (notice references to v7) But generally, people are hyped more than players of Diablo before release of new version. Many of them expect every trouble will be magically f...
by vecernik87
Tue Apr 09, 2019 1:18 am
Forum: Beginner Basics
Topic: Cannot click buttons on pop-up window of Winbox 3.12
Replies: 3
Views: 1473

Re: Cannot click buttons on pop-up window of Winbox 3.12

@giguard : I have valid reason. I need it to configure ROS 5.26 Your reason is invalid, because winbox 3.16 added support for pre-v6: https://wiki.mikrotik.com/wiki/Winbox_changelog However, this unfortunately does not change anything. - the error is actually not related to winbox version, instead ...
by vecernik87
Mon Apr 08, 2019 11:11 pm
Forum: Beginner Basics
Topic: Why is my speed cut by 75%??
Replies: 9
Views: 1529

Re: Why is my speed cut by 75%??

Are you using the CRS125 as a router? (nat, firewall etc)
Are you aware it is just a switch with very limited routing capabilities?
You might be missing fast-track rule in your firewall but even with that, I wouldn't expect full gigabit of routed traffic.
by vecernik87
Mon Apr 08, 2019 10:21 pm
Forum: General
Topic: RB3011 reboot itself - kernel panic
Replies: 2
Views: 602

Re: RB3011 reboot itself - kernel panic

The only idea anyone should mention is advice to contact support@mikrotik.com and send them your autosupout.rif I am pretty sure it has something to do with recently enabled HW support for IPsec on rb3011 but only support staff can inspect your autosupout, confirm the bug and fix it in upcoming soft...
by vecernik87
Sun Apr 07, 2019 4:23 am
Forum: Virtualization
Topic: CHR does not transmit frames with VLAN tags from bridge
Replies: 6
Views: 3726

Re: CHR does not transmit frames with VLAN tags from bridge

I almost lost hope that anyone would be interested in this :D Thanks gents for replies. Any configuration with routerOS and vlans that I have worked with has bridge vlan-filtering=yes??? That applies if you want to do vlan filtering (i.e. you want to tag/untag stuff). In my case, I have vlan-filteri...
by vecernik87
Fri Apr 05, 2019 9:10 am
Forum: Forwarding Protocols
Topic: Video: ROS v7 BGP performance
Replies: 3
Views: 2511

Re: Video: ROS v7 BGP performance

Does not work. There is just some text file :( Gimme HL3 or I'll report ya!
by vecernik87
Fri Apr 05, 2019 4:50 am
Forum: Wireless Networking
Topic: WiFi in garden - wouldn't cAP AC be better than wAP AC?
Replies: 15
Views: 2304

Re: WiFi in garden - wouldn't cAP AC be better than wAP AC?

Get Groove 52 ac
DO NOT DO THIS!
Groove has only one radio, therefore you have to select - either 2GHz or 5GHz. It can't do both at the same time like any usual AP.
by vecernik87
Thu Apr 04, 2019 8:07 pm
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 32292

Re: v6 RC and v7 BETA

So there's still hope that the unicorn status v7 has will be changed to something not as mythical.
And I shall be your messiah!
#unicornsArePoniesToo #makeRouterOsGreatAgain

Ps: really thanks for this update. Brings new hopes (and new memes if you don't make it this year)
by vecernik87
Thu Apr 04, 2019 1:28 am
Forum: The Dude
Topic: CCR CPU % monitoring
Replies: 2
Views: 2392

Re: CCR CPU % monitoring

You would need a particular probe with notification. Probe is not that hard because the function is already predefined in TheDude as cpu_usage() . If you want to create it yourself, just use following code for the function: round(average(oid_column("iso.org.dod.internet.mgmt.mib-2.host.hrDevice.hrPr...
by vecernik87
Wed Apr 03, 2019 9:38 am
Forum: Useful user articles
Topic: USB Outdoor temperature sensor
Replies: 16
Views: 7548

Re: USB Outdoor temperature sensor

compatible with particular brand = proprietary protocol, almost certainly not compatible with anything else. Unfortunately, there is no accessory like this for mikrotik. Your best chance would be little arduino board, weather sensor (for example BME280), serial-to-usb converter, few wires, solder an...
by vecernik87
Wed Apr 03, 2019 9:31 am
Forum: The Dude
Topic: Programmatically adjust devices?
Replies: 8
Views: 2801

Re: Programmatically adjust devices?

... writing a Python script that remote controls chrome that then cycles through WebFig ...
good thinking. It is sad that there is no developer assigned to focus on TheDude. The idea of this system is wonderful, but lack of development unfortunately creates significant obstacles for serious use.
by vecernik87
Tue Apr 02, 2019 6:21 pm
Forum: Wireless Networking
Topic: hAP AC
Replies: 8
Views: 1340

Re: hAP AC

.. And question did not specify if it is about wifi or routing performance... Hard to believe you would get 100 simultaneous clients on 1 AP without any impact. Just keep-alive frames and their interference would eat your airtime. On the other hand - Routing performance? Not an issue at all, exactly...
by vecernik87
Tue Apr 02, 2019 7:52 am
Forum: General
Topic: HAP AC2 + NAS + MTU (Jumbo Frames)
Replies: 3
Views: 1179

Re: HAP AC2 + NAS + MTU (Jumbo Frames)

hm... tricky. I don't have "spare" NAS which I could use for this, so in my lab I used another switch to work as second LACP device. Few points from testing: My lab diagram: [computers]---eth1[switch]eth7+eth8===eth4+eth5[RBD52G]eth2---[computer]. (= is bonded eth, - is single eth) bonding on RBD52G...
by vecernik87
Tue Apr 02, 2019 4:00 am
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 613
Views: 189460

Re: RouterOS v7.0 beta1 - when?

re. network telemetry: Well, idea in theory is nice but I find monitoring through highly-abstract layer a bit suicidal. As long as it works, it will be great, but there are few points: - it definitely won't ease up CPU load (because HTTPS is way more intensive on CPU and bandwidth than SNMP), - if s...
by vecernik87
Tue Apr 02, 2019 1:19 am
Forum: The Dude
Topic: Dude as a trap manager?
Replies: 3
Views: 2674

Re: Dude as a trap manager?

SNMP Traps are not supported by Dude. No matter how hard you try, you won't find a way to make dude a trap manager.
by vecernik87
Mon Apr 01, 2019 11:44 pm
Forum: The Dude
Topic: Cannot add a link
Replies: 2
Views: 2035

Re: Cannot add a link

firstly, your mouse cursor changes. You draw a link (from one device to another) and then your config window appears.
by vecernik87
Mon Apr 01, 2019 5:19 pm
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 32292

Re: v6 RC and v7 BETA

RouterOS 7 is here [removed link]! Finally! @krisjanisj: nice! :lol: I think you guys really missed the opportunity to stage the release of v7beta1 on 1st April. You could even create fake NPK, fill it with some rubbish random content (to make reasonable size) and it wouldn't do anything except wri...
by vecernik87
Mon Apr 01, 2019 4:28 pm
Forum: Beginner Basics
Topic: The provider does not see the MAC interface Mikrotik RB2011UiAS (necessary for IPoE) [SOLVED]
Replies: 3
Views: 881

Re: The provider does not see the MAC interface Mikrotik RB2011UiAS (necessary for IPoE) [SOLVED]

@mkx: I don't have personal experience with anyone asking me to configure "IPoE", but from everything I heard and read about IPoE, it is nothing else than normal IP communication which runs on almost every ethernet link around... You don't have any special "IPoE" interface - it's literally the Etherne...
by vecernik87
Fri Mar 29, 2019 9:58 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 50865

Re: UKNOF 43 CVE

Quote from second thread:
Yes, it is kernel level and is very hard to fix, since RouterOS v6 has an older kernel version and we can't just change the kernel.
Is that v7 announcement? :D Hurray!
by vecernik87
Fri Mar 29, 2019 1:17 am
Forum: RouterBOARD hardware
Topic: CRS328 Lock Ups
Replies: 9
Views: 3430

Re: CRS328 Lock Ups

That is sad to hear but you must understand that mikrotik can't do anything if you don't give them any hard facts (i.e. autosupout) You actually don't need anyone on site when it happens. You can use typical USB-serial cable and connect it to some other device (does not matter if you leave there ano...
by vecernik87
Fri Mar 29, 2019 12:26 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 20959

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional. If vendor knows about it for over a year and do nothing? You are actually right: That is irresponsible and unprofe...
by vecernik87
Thu Mar 28, 2019 4:23 am
Forum: General
Topic: Mikrotik: Change the default Powerbox config!
Replies: 16
Views: 2904

Re: Mikrotik: Change the default Powerbox config!

@millenium7 : If I understand it correctly, your employee stuff up, make excuses and because of that, you want Mikrotik to adjust setting for whole world? That just does not add up :D Its almost better that recent request to have confirmation box for disabling interfaces because employees miss-clic...
by vecernik87
Thu Mar 28, 2019 1:11 am
Forum: General
Topic: EOIP when Behind another Router - A No Go?
Replies: 6
Views: 978

Re: EOIP when Behind another Router - A No Go?

However looking at the complexity of most other IPSEC setups is only an incentive to forget the whole idea. :-)
Wanna hear a secret? In my beginning, I once set up GRE (exactly same config as EoIP) just so I could get the advantage of automatic IPsec setup. :D

Yea, dead simple :)
by vecernik87
Thu Mar 28, 2019 12:29 am
Forum: Wireless Networking
Topic: dual AP qick setup
Replies: 5
Views: 1631

Re: dual AP qick setup

Yes, that is what I recommended to OP - use WISP AP in bridge mode and add manually remaining WLANs. Unfortunately, that will require to step out of quickset. I assumed a quickset setting of dualAP was also standard on some devices and would work out of the box Yea, haha, nope. Device works out-of-t...
by vecernik87
Wed Mar 27, 2019 11:41 pm
Forum: Wireless Networking
Topic: How to list devices around mk?
Replies: 5
Views: 1061

Re: How to list devices around mk?

Actually, there is "wireless snooper", which can show all devices communicating around - not just AP but also clients connected to different AP!
However, it will not show wifi devices which are not communicating (what a surprise, right?)
by vecernik87
Wed Mar 27, 2019 1:23 pm
Forum: General
Topic: Cloud IPs need to be blocked
Replies: 13
Views: 2377

Re: Cloud IPs need to be blocked

To be honest, before annoying support staff, I would prefer to inspect full config. I have few devices around, where I specifically focused on any unexpected outgoing packets - and it's just not happening. There must be some setting causing this.
/export hide-sensitive file=somename
by vecernik87
Wed Mar 27, 2019 1:05 pm
Forum: Beginner Basics
Topic: How do you turn on hEX's DMZ?
Replies: 16
Views: 4967

Re: How do you turn on hEX's DMZ?

That is not DMZ. That is just forwarding. DMZ by definition should be separated from LAN. So you also need another internal subnet, probably on specific port or vlan, add forwarding rules, etc etc... NAT is just part of the whole puzzle. That's why nobody gave a straightforward answer - it is incomp...
by vecernik87
Wed Mar 27, 2019 12:59 pm
Forum: RouterBOARD hardware
Topic: mAP lite failures
Replies: 11
Views: 3666

Re: mAP lite failures

2 years is guaranteed for consumers. It does not apply if you buy it as a company.
by vecernik87
Wed Mar 27, 2019 6:34 am
Forum: Beginner Basics
Topic: How do you turn on hEX's DMZ?
Replies: 16
Views: 4967

Re: How do you turn on hEX's DMZ?

No, because there is no such command or network feature. DMZ is just a simplified term, usually understood as separate L2/L3 network with some exposure to outer world. DMZ is not a particular network function, rather a set of rules and settings which in the end produce desired result. You need to define ea...
by vecernik87
Wed Mar 27, 2019 5:18 am
Forum: The Dude
Topic: NO IP ADDRESS?
Replies: 1
Views: 2099

Re: NO IP ADDRESS?

Dude probes device based on IP. That is true. However, you can set it up either with no IP (0.0.0.0) or with domain name (provided by your dynamic DNS). Once added, check setting and make sure that you have "dns lookup - name to address" selected. That way, domain name will be re...
by vecernik87
Wed Mar 27, 2019 12:54 am
Forum: General
Topic: 10.000 Clients on One Server
Replies: 7
Views: 1040

Re: 10.000 Clients on One Server

10k PPPoE on one machine? Is there any particular reason for not splitting the load? With this amount, you must have automated provisioning anyway (don't tell me you configure those 10k entries manually) so it won't make much difference if the automated provisioning runs on one machine or multiple m...
by vecernik87
Tue Mar 26, 2019 11:37 pm
Forum: Wireless Networking
Topic: dual AP qick setup
Replies: 5
Views: 1631

Re: dual AP qick setup

@okaru : Unfortunately, this can't be done with Quickset. The closest setting to your need would be "WISP AP" in "bridged" mode, but then you still have to manually set wlan1 (2GHz) because "WISP AP" mode sets only wlan2 (5GHz) @anav : You don't need to see whole config. We actually talked about th...
by vecernik87
Mon Mar 25, 2019 9:55 am
Forum: The User Manager
Topic: USB Stick Problem
Replies: 2
Views: 2182

Re: USB Stick Problem

What part of "memory" got full?
Was it RAM? Storage (flash)?
Just plugging USB stick into router won't solve the issue - how is the device supposed to know that it should save data on it?
by vecernik87
Mon Mar 25, 2019 8:49 am
Forum: General
Topic: EOIP when Behind another Router - A No Go?
Replies: 6
Views: 978

Re: EOIP when Behind another Router - A No Go?

can I attach a MT router behind the Vodafone unit and still establish an EoIP tunnel. I read that both have to be routable? Theoretically you can, but... what ports would I need to forward to the MT device (47?) EoIP is technically extended GRE, which runs on IP protocol 47 (protocol! not port!). T...
by vecernik87
Mon Mar 25, 2019 1:37 am
Forum: General
Topic: EoIP not use for ethernet5
Replies: 4
Views: 659

Re: EoIP not use for ethernet5

Personally I agree that second bridge would over-complicate situation. If I understand OP's description correctly, he wants all the devices on Site1 to have L2 access to all devices on Site2, except particular device on Site1Ether5, which should have access only to other Site1 devices but not to Sit...
by vecernik87
Fri Mar 22, 2019 3:14 pm
Forum: Scripting
Topic: /export file=[/system identity get name];
Replies: 3
Views: 1492

Re: /export file=[/system identity get name];

I guess the router name contains some character which can't be used in filename.
by vecernik87
Fri Mar 22, 2019 2:27 pm
Forum: General
Topic: latest RB2011UiAS-2HnD-IN beeper is missing
Replies: 6
Views: 976

Re: latest RB2011UiAS-2HnD-IN beeper is missing

sorry, I got triggered by "veeeeeeeeery old" and couldn't help myself
by vecernik87
Fri Mar 22, 2019 1:41 pm
Forum: General
Topic: latest RB2011UiAS-2HnD-IN beeper is missing
Replies: 6
Views: 976

Re: latest RB2011UiAS-2HnD-IN beeper is missing

older than promised v7 with multicore routing?
:lol:
by vecernik87
Fri Mar 22, 2019 12:38 pm
Forum: General
Topic: latest RB2011UiAS-2HnD-IN beeper is missing
Replies: 6
Views: 976

Re: latest RB2011UiAS-2HnD-IN beeper is missing

https://i.mt.lv/cdn/rb_files/Block-RB2011UAS-2HnD.pdf beeper is not mentioned in block diagram. Unless they changed it, I guess it was never there... Apparently, all other versions (non-wifi) of RB2011 have it: https://i.mt.lv/cdn/rb_files/RB2011iL-160620170215.png https://i.mt.lv/cdn/rb_files/RB201...
by vecernik87
Fri Mar 22, 2019 11:44 am
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 16847

Re: v6.43.13 [long-term] is released!

That was just an example :) but at least you can see it is possible and not that complicated :)
by vecernik87
Fri Mar 22, 2019 7:47 am
Forum: General
Topic: Priority range and order
Replies: 3
Views: 708

Re: Priority range and order

This page describes the priority numbers pretty well: https://wiki.mikrotik.com/wiki/Manual:WMM
:) Hope it helps.
by vecernik87
Fri Mar 22, 2019 12:37 am
Forum: Wireless Networking
Topic: Bridge port received packet with own address as source, probably loop
Replies: 52
Views: 58624

Re: Bridge port received packet with own address as source, probably loop

Firstly - no certification (does not matter if cisco or mikrotik or anything else) guarantees that a person is bright and creative. It just means that (s)he was able to pass the test. Nothing else. Secondly - troubles with suspected loops can't be easily fixed remotely. It would take ages to ask questi...
by vecernik87
Thu Mar 21, 2019 4:56 am
Forum: General
Topic: HAP AC2 crashy piece of crap
Replies: 3
Views: 659

Re: HAP AC2 crashy piece of crap

Dear @neutronblaster , for a few months, I have had a chance to read some of your posts/replies. Let me quote a few: https://forum.mikrotik.com/viewtopic.php?f=7&t=145223&p=714808#p714808 https://forum.mikrotik.com/viewtopic.php?f=7&t=145416&p=718172#p718172 Load of shite. https://forum.mikrotik.com/vi...
by vecernik87
Tue Mar 19, 2019 2:40 am
Forum: Beginner Basics
Topic: Port forwarding doesn't work [SOLVED]
Replies: 18
Views: 1634

Re: Port forwarding doesn't work [SOLVED]

Not really crazy, just a consequence of IPv4 address shortage: Large/old ISPs obtained enormous blocks of IPv4 ages ago for ridiculously low prices and they will probably never have any issues. However, small/new ISPs nowadays have serious issues to acquire some reasonable blocks. They often don't have ...
by vecernik87
Tue Mar 19, 2019 2:20 am
Forum: General
Topic: faile to obtain ip address error
Replies: 4
Views: 644

Re: faile to obtain ip address error

You like working in the dark vecernik87?? Vampire? For the OP, please post your config. /export hide-sensitive file=yourconfigmarch <ot>Vampire? Absolutely! Looking forward to suck your tasty bodily fluids! :twisted: </ot> I don't believe there is any way to misconfigure ROS to cause this. Since we...
by vecernik87
Mon Mar 18, 2019 2:59 am
Forum: General
Topic: faile to obtain ip address error
Replies: 4
Views: 644

Re: faile to obtain ip address error

According to wiki: https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#Read_only_properties busy = this address is assigned statically to a client or already exists in the network, so it can not be leased Since it is not really usual to have so many devices which would claim addresses like this, I ...
by vecernik87
Sat Mar 16, 2019 3:20 am
Forum: RouterBOARD hardware
Topic: [Bug] RB750Gr-3: Inaccessible after changing ipsec policy
Replies: 12
Views: 1028

Re: [Bug] RB750Gr-3: Dead after changing ipsec policy

Most likely your ipsec config prevented IP communication to reach "local in" https://wiki.mikrotik.com/wiki/Manual:Packet_Flow . That can easily happen if you misconfigure your ipsec.

I believe you should still be able to reach your device using mac-winbox or mac-telnet (unless you disabled them)
by vecernik87
Fri Mar 15, 2019 2:11 am
Forum: General
Topic: 6.44.1 Broke Stuff Need to Downgrade to 6.44
Replies: 4
Views: 1054

Re: 6.44.1 Broke Stuff Need to Downgrade to 6.44

Files menu calculates space on flash memory (16MB). However, root folder in file menu is actually ramdisk which usually has more than enough free space - as long as your RAM (128MB) is not completely full. Therefore, as long as you load the downgrade files into root folder instead of "flash" folder, y...
by vecernik87
Thu Mar 14, 2019 8:16 am
Forum: General
Topic: can't reuse "used" netwrok address , bug?
Replies: 6
Views: 903

Re: can't reuse "used" netwrok address , bug?

[admin@mikrotik] > /ip address add address=192.168.10.1/24 interface=bridge2
[admin@mikrotik] > ping 192.168.10.1
  SEQ HOST          SIZE TTL TIME  STATUS
    0 192.168.10.1    56  64 0ms
    1 192.168.10.1    56  64 0ms
    2 192.168.10.1    56  64 0ms
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
[admin@mikr...
by vecernik87
Thu Mar 14, 2019 7:53 am
Forum: General
Topic: Another ROS upgrade, Another bricked hAP ac
Replies: 4
Views: 954

Re: Another ROS upgrade, Another bricked hAP ac

Mine keeps losing all its wireless interfaces on reboot and I have to do factory reset. I noticed similar behavior on hAP ac^2 and according to support, it was caused by graphing enabled -> try to disable graphing on your wifi interfaces and give it a try again :) maybe it won't disappear after reboot.
by vecernik87
Tue Mar 12, 2019 10:43 am
Forum: Wireless Networking
Topic: Water getting into basebox 2s and 5s
Replies: 2
Views: 585

Re: Water getting into basebox 2s and 5s

Reminds me of the old netmetal issue: https://forum.mikrotik.com/viewtopic.php?f=3&t=91150 These RPSMA connectors are covered by hood so the water shouldn't really get to it, neither through it. Sticker seems like a reasonable culprit. Since you have so many devices with reasonably high failure rate, I guess...
by vecernik87
Tue Mar 12, 2019 10:23 am
Forum: General
Topic: can't reuse "used" netwrok address , bug?
Replies: 6
Views: 903

Re: can't reuse "used" netwrok address , bug?

Hard to say without understanding whole network setting. Most important info is:
- what all IP, netmask and routes are active on the second device which is doing the ping?
- what all IP, netmask and routes are active on the RouterOS?
Anyway, first thing which I consider suspicious is using the 192.1...