MikroTik

vecernik87

One thing that nobody mentioned: vlan interfaces are "dumb" tag injectors. They don't implement any logic. Just inject tag or strip tag, depending on the direction and that pose a risk of tagging already tagged frames. And I am not talking about QinQ. I am talking about 3, 4 or even 5 layers of tags...

vecernik87

DHCP is L2 protocol. To give IP based on port, you will need to separate those ports from bridge (break L2 segment and therefore L2 broadcast/multicast). Next you create separate DHCP server per each port. Last (optional) step is to set ARP proxy for your LAN. That way, it will look like it is still...

vecernik87

Ok, we are slowly getting to area, which might get us banned (or at least topic locked/deleted) and I don't feel comfy with that. XG is real beast. I agree with you that 1500 is made up number (together with all other "up to XXX clients"), but truth is, that if any device can handle many clients, it...

vecernik87

If you are experienced and know exactly what you are doing, sure. But I guess in such case, you wouldn't be asking. Also, keep in mind that soldering will certainly void any warranty on the product.. If your product is still under warranty and you don't see bent pins, I would recommend to contact yo...

vecernik87

We had similar discussion earlier - people asking to add a confirmation to "disable" and "remove" buttons, because "what if I accidentally click it" ? Well guess what? You can accidentally add a route, which will break stuff. You can accidentally reorder firewall rules which will break stuff. You ca...

vecernik87

few cents from my experience: maximum capacity of 300 people that I need to cover with around 250-300 wireless clients Please decide if you really talk about capacity of the room or about expected amount of clients. By my experience, these are not the same. I have several similar rooms around the ci...

vecernik87

I wanted to make it non-intrusive but okay - note taken and blame fully accepted :) @krisjanisj Could you please also react to the topic to clear it up? It seems that both sides are pretty confident about their truth and for future reference, it would be good to have a clear solution. Or ideally - c...

vecernik87

I feel almost bad for providing some feedback.
Sorry for not providing some hard data. And thanks @Emil66 for all explanations and patience. I don't have as much time recently, as I would like. And I would probably ragequit anyway in the process.

vecernik87

1) any srcnat (srcnat/masquerade/netmap...) rules with manually specified range of ports? 2) any content/L7 conditions in your firewall rules? if not, what other conditions do you usually use? 3) do you have "accept established/related" filter rule in forward chain on top of your rules? 3) what is t...

vecernik87

I wouldn't advise to use raw-prerouting rule. It might have negative impact on speed of all (including fasttracked) connections. Original idea with filter-input rule was was better. It was probably just incorrectly placed on the end of all rules. Raw-prerouting is great for specific purpose - when y...

vecernik87

Thanks a lot for all the help and information. I just needed to know that it's possible but you've given me plenty more than just that info. As long as it's doable I'm sure I can make it work (eventually). I'm going to go ahead and place my order. Absolutely doable. I use this very often. I actuall...

vecernik87

Exactly as Anav said. This is not adidas (more stripes = more adidas = better). More bridges are not better. More bridges are bad and lead to serious misconfigurations

vecernik87

@ADahi : That is not a solution. He clearly wants to work with string . If you do local string true; , then you got variable named "string" containing boolean value. There would be no point in converting it to boolean if it already is boolean. @sin3vil : If you really require it to work with "true"...

vecernik87

Any reason to create multiple topics? viewtopic.php?f=2&t=145875

I am really starting to believe that you are shareholder in one of key companies and you want to promote this craziness...

vecernik87

I have a list of 4 or 5 questions This is typical trouble with ticket-based support. It is not designed for multi-question cases. I did this mistake few times as well (although not with mikrotik) and I learned quickly that putting multiple questions into single ticket is impossible. Even with norma...

vecernik87

I am not 100% sure because I didn't test it, but there is protected-routerboot option. This is extremely dangerous as it disables both netinstall and console access. If your device malfunctions and you can't log in via network, you will have little chances to restore it. Due to that, I would also su...

vecernik87

If you drilled several holes next to each other (making a little grid), it would have same function but nothing could fall inside.

Maybe I should share my own hack - remove whole cover and temperature will be reduced even more! (what a surprise, right?

)

vecernik87

Just clarification of previous post - you don't need RouterBoard (physical device), but you need a RouterOS on both ends. Thats because EoIP is proprietary extension of GRE and as far as I know, nobody else supports it except Mikrotik. RouterOS can be either on physical device (RouterBoard) or on vi...

vecernik87

I think replies above forgot what "cheapest" means. literary "cheapest" is rb750gr3 (hEX) as it costs only 59 USD. slightly more expensive is already mentioned rbd52g (hAP ac^2) which is 69 USD but gives you twice as many CPU cores and integrated wifi. top "cheap" model would be (again already menti...

vecernik87

Thanks for feedback! This info is very appreciated. I was really wondering what will be the issue and I definitely didn't expect something like that.

vecernik87

You can't do it with ip firewall. It works only with bridge filter. That means you must have the nterface in bridge, even if it is a single port bridge

vecernik87

I thought others might provide answer. well... Do I need to set RSTP bridge too for my CRS (switch) or let my STP protocol mode on my CRS set to NONE since CCR already handle the root bridge? (R)STP is designed to work with non-STP bridges (Setting to "none" will make it behave almost like it is not...

vecernik87

DHCP is very simple protocol with just 4 steps: Discovery->Offer->Request->Acknowledge. If anything goes wrong, It is usually very clearly visible. 1) do you have any DHCP relays or is it just pure L2 network? 2) Is there any response or is there no response at all from your client? If the Request c...

vecernik87

Some more difficult parts need to be done and we can release a public beta. @normis : so in another words, the easier parts are done and now we are just couple of decades from release? (nah, don't get offended. I really, really appreciate everything you do as long as you don't lie to us or keep sil...

vecernik87

... 2x times this week different customers needed us to find a cctv DVR on their system (which is behind our mikrotik). would have been so quick via port scan x/24 for port 80 via a ROS ps tool . but instead had to setup a MT + a VPN setup on both sides and a laptop with nmap (about 20-30min, each ...

vecernik87

8000 hex (32768 dec) is very common default value all around (cisco, juniper, hp, ubnt) although I am not aware of any specs saying that it must to be this way. I remember very well an issue with UBNT EdgeRouterLite, which had default STP priority 0 on it's LAN bridge. On one hand, it make sense tha...

vecernik87

I see, to keep bridge MAC consistency, I'll just enable admin-mac with its original IP MAC then. Personally I keep consistency only of first 3 bytes which denote vendor/function. second 3 bytes are usually just serially increasing and have no function. Thats why I usually change the 4th byte. Keepi...

vecernik87

So this issue is caused by my CCR Ethernet mac starts with 74::::: No. Your issue was caused by not specifying priority. You cannot depend on MAC addresses because in future, you or anyone else might plug in another device anywhere on the network, which will have even lower MAC address and bang! Yo...

vecernik87

http://www.firewall.cx/images/stories/stp-root-bridge-election-1.png The lower one of course: 0x8000. 4 C:5E:0C:B3:EA:E5 < 0x8000. 7 4:4D:28:38:AA:0A However, if you change the priority of second bridge with higher MAC, it will be opposite: 0x 8 000.4C:5E:0C:B3:EA:E5 > 0x 1 000.74:4D:28:38:AA:0A As...

vecernik87

Will specifying admin-mac can remedy this issue? No, it will not. Theoretically you could find a MAC address which would give it priority but that is wrong approach. And how can I make my bridge as the root bridge (even if there's other root ports in the network?) I already told you - give your bri...

vecernik87

Each bridge has STP priority. Default is 8000 hex. If you set it lower, it signals to STP protocol, that the bridge is more close to the root. Usually you can see people using numbers like 1000 / 2000 / 4000 etc , to prioritize their root bridge. You can read more about it here: https://wiki.mikroti...

vecernik87

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because attacker can't run binary (and if attacker can run binary, it won't matter because your device is already compromised) If we talk about VM, then RouterOS (CHR) vulnerabi...

vecernik87

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really concern.

vecernik87

Long time? Not even 10 years yet. You seem to be bit impatient, don't you think?

vecernik87

Thanks for update. Personally I don't think this has something with the version. If you are sure that packet enters Mikrotik on port 8122 but nothing leaves, it is good - that means you can do something with it. I would suspect other firewall rules (all tables except "raw" can contain the culprit). ...

vecernik87

So as a very simple first layer, why not. You are literary arguing in favour of plain-text passwords. Can you imagine logging into your Gmail or Hotmail on plain old http? :roll: Sorry, I just can't agree with this approach. And I will warn people every time I notice someone promoting port-knocking...

vecernik87

"default forwarding" on wlan is something different: default-forwarding=yes - data from one wlan client to another (on the same wlan interface) are passing directly through wlan interface. It does not leave the interface (interface behaves almost like it had an internal bridge) It looks like this: c...

vecernik87

let me rephrase, if I understand that correctly (I am also curious about this) "The device is guaranteed to perform the same way, within whole temperature range" Is that right? Or are there any catches? (similar to the "waterproof" phones which must not be submerged despite IP rating) Because I can ...

vecernik87

It is not a happy event, but no need to panic. Things like this have happened to bigger organizations, like the famous Tuesday Patch of Microsoft which used to cause more worry than security. I am not panicking :) I have really great time on older version while waiting for others to take the beat f...

vecernik87

:( I guess last idea: Can you try to sniff the data? That's how I figured out it was caused by RSTP in my case. If you put /tool sniffer on your EoIP, it should show few packets before it gets down for another minute - one or more of these packets will be most likely those which cause issues. Or may...

vecernik87

/interface bridge filter
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF

I guess you could specify ports/bridges to make sure your local bridge will be unaffected.

Edit: removed second rule. I didnt realize that one is ROMON block, not STP.

vecernik87

just remember that rstp can be forwarded from another device. It can be identified as having DST mac 01:80:C2:00:00:00 / 01:80:C2:00:00:08 - all these dst mac must be blocked. sorry to hear it didn't work for you :( It did in my case and it helped many people earlier. What if you really have a loop ...

vecernik87

Most likely known bug: EOIP generates this everytime it receives an (R)STP frame. On my devices I solved it by blocking all input/output/forward (R)STP frames in bridge-filter on both ends of EoIP.
Not sure if it will be ever fixed.

vecernik87

Are you aware that port-knocking is nothing else than different variant of plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don't understand why people still spend so much effort implementing such insecure approach.

vecernik87

@cwsupport : Netmap is not necessary. It's only advantage is, that it allows range of addresses to be translated to another range of addresses. In this case, dst-nat is fine because OP needs just one ip/port. I have done this kind of forwarding countless times and there is no special catch on it. @...

vecernik87

Firstly you need to figure out what kind of PoE your camera support. Not every device is same. Some require 802.3af, some require 802.3at, Some only passive 24V or other.... Even if its same 802.3af/at, it can still differ in modes: A or B (endspan/midspan) Be very cautious, if you receive an from s...

vecernik87

Do you have both rules in NAT table (chain dst-nat, action dst-nat) and FILTER table (chain forward, action accept)? Or even better - can you export related rules or whole ip/firewall? /ip firewall export hide-sensitive file=asdf.txt Once you download file, feel free to hide any sensitive data befor...

vecernik87

If something so simple as bridge does not work, it is either mis-configuration or bug. - Could you firstly describe closer, what are you trying to achieve and what exactly does not work? (i.e. how to reproduce the error). - Does normal forwarding or at least Rx/Tx on Ethernet ports works? - Is it re...

vecernik87

Haven't tried but if you look for "din rail universal bracket" or "din rail universal mount", you will find thousands of little plastic clips. Some of them might be easy to screw on existing hap ac^2 transparent stand. Then you clip your stand to din rail, clip your router on it and you are done

vecernik87

Support got back really fast. No wonder. Memory leak in "long-term" (previously "bug-fix") branch is ridiculous failure of their QA team. I find it sad if we can't rely even on the most stable branch. Maybe its time to offer money for better support? If the fee is reasonable, I wouldn't have proble...

Search found 640 matches