MikroTik

vecernik87

If you don't want them to use the 8.8.8.8, don't give it to them. Simple as that. Define the DNS in ip->dhcp->networks so only your DC DNS will be distributed to clients. If you provide the 8.8.8.8 to your clients, there is no way to guarantee they won't use it. Is there any reason to give your clie...

vecernik87

c'mon Anav, you can do better :P CTRL+F -> type "53" and thats it... Picked it up in less than 10 seconds: add action=redirect chain=dstnat dst-address-type=!local dst-port=53 protocol=\ udp to-addresses=0.0.0.0 to-ports=53 DNS traffic not going to the router will be redirected to 0.0.0.0 which is n...

vecernik87

Nobody ever claimed that temperature does not matter. Temperature does matter and it is stated in the specs: "Tested ambient temperature -40°C to 50°C" That means, it is guaranteed to work, as long as the temperature around the router does not go over 50°C. By putting it on direct sunlight you viola...

vecernik87

RouterOS by default does not filter VLANs on bridge at all and lets them flow everywhere (as if all ports had all VLANs enabled as tagged). The only advantage of tagging switch ports is, that it will allow you to create access/edge ports (ports where particular VLAN is untagged)

vecernik87

Unfortunately, there is no easy way of doing this. Mikrotik can do a LOT with the firewall rules and scripts, but there is no built-in mechanism to trigger a script based on firewall rule. I can think of two workarounds: Prefered way - I hope (please, don't disappoint me!) that every employee connec...

vecernik87

In other words, OP is asking for a normal help, which all 3 of us provide here on regular basis for free.. (at least I didn't get paid yet) @dazzaling69 : don't make a big deal out of it. Just ask for specific things because nobody will give you a full-blown lecture on all networking stuff. If you h...

vecernik87

If you were purchasing from official mikrotik page (not from reseller) then it would be better to contact mikrotik directly. This is just a forum and no official support (definitely not in regards of sales/payments) is guaranteed. In the checkout process, I noticed a reference to "sales@mikrotik.com...

vecernik87

I didn't ask about this detail, but I assume, they are just pointing out the fact, that any TheDude Agent (any RouterOS device) must be same version as TheDude Server. That is known requirement for TheDude Agents, but fortunately, if you don't want to use Agents, you don't need to upgrade monitored ...

vecernik87

You didn't provide much info (especially, you did not bother to say what interface was there in the first place), but given your routing mark names, I assume that all these rules are related to a dynamic VPN interfaces, most likely you are running server and clients are connecting and everytime clie...

vecernik87

Is that even possible Normis? To remove the ethernet interface itself? Yes. Every model has this feature. All you need is a chisel or big screwdriver. Apply lot of pressure on the port and the interface will come off. I am pretty sure Normis is trying to understand what OP actually means same as ev...

vecernik87

also depends on frequency (2GHz reach further than 5GHz) and required speed (you can achieve longer distance with lower speeds) and many other parameters. Keep in mind that it will not instantly shut off... but reliability will slowly decrease as you increase the distance. If you want a simple answe...

vecernik87

Is it possible that your dude is trying to reach the router by its WAN IP and that IP changed after the restart?

vecernik87

you have a black router under direct sunlight? well... no wonder it gets hot.

Instead of drilling holes, even simple piece of white paper would help more

vecernik87

Cmon, he tried to help you and there is not a single negative point in his reply. The least you can do is not insult him. Since you did not bother to say, that you went through these pages (calling it "short little blurb" didn't help), it was safe to assume you didn't read it and you might benefit f...

vecernik87

The latest Winbox versions do not save settings such as "Inline comments" and "Hide Passwords".

Yes it does. I just tested both switches and it works.

Screenshot 2020-10-13 111156.png

This is from latest winbox v3.27 (unfortunately it does not show the version in the open window)

vecernik87

I got an info on my bug report [SUP-20571] that they resolved the issue and the fix will be released in upcoming RouterOS update.

Hurray :)

vecernik87

... the network is not stable at all sometimes it connects and sometime it does not. can mean anything. I couldn't agree more. Unfortunately I don't know anything further (yet). I provided reasonable step-by-step guide to OP so we can narrow down the issue (you know - ping this, ping that, connect ...

vecernik87

@sob : thank you thank you thank you! First person saying that I didn't go crazy. btw:my last suggestion to OP in different conversation was exactly as yours - remove the bridge to minimize possible impact. He didn't reply yet so we will wait. @anav : Great. Now we are talking :) Sorry for stroking...

vecernik87

@anav: I didn't want to reply here because I was trying to help this guy in some other place and I hoped that another pair of eyes will notice the issue. I went through it and couldn't spot any mistake (I missed the IP on Ether2 which should be on bridge, but that shouldn't cause issues with VLANs t...

vecernik87

It is quite similar to previously repaired "*) dns - do not use DoH for local queries when a server is specified;" in 6.47.1 - in both cases DOH took priority from specified server or local static entry. Unfortunately this is known issue (for any forum user), reported several times since 6.47 was re...

vecernik87

No matter what solution you choose, I agree that this is likely not doable with simple mikrotik script. Mikrotik can detect loss of connectivity and has simple, yet sufficient scripting language for any tasks done within RouterOS . It has no ability to interact with external tools except sending ema...

vecernik87

Okay, he seem to be bit confused with rules (e.g. allowing forward/input for DNS from ALL interfaces - pretty sure it should be allowed only from internal / customer facing interface), but I don't see any rule, which should prevent router itself to use DNS. I still believe that his router shouldn't ...

vecernik87

how did you actually "migrate" ? If you copy/paste config, you might have MAC colission...

vecernik87

So your clients can use google DNS but your router can't? that seems bit strange

vecernik87

afaik, not possible. The color changes gradually, based on traffic as a % of available bandwidth (by default black = no/small traffic, red = traffic using 100% of link capacity, as defined in link settings) This would be actually great feature request, if mikrotik was still developing TheDude. Unfor...

vecernik87

What @sindy said is right. Firstly make sure that MAC spoofing (promiscuous mode) is enabled and that VLANs are allowed in the virtual switch. the bug which @sindy mentioned is clearly related to my earlier investigation: https://forum.mikrotik.com/viewtopic.php?t=144744 I will test further because ...

vecernik87

Yup, my setup as described in the link would work perfectly in this situation. 1) Run two EoIP per each branch 2) merge them using bridge or mesh (mesh will give you literary zero packet failover) 3) modify path costs in bridge-ports / mesh-ports to specify which tunnel has priority and which one is...

vecernik87

well, clearly the issue occurs when the traffic needs to pass through router. I don't think there is anything you could stuff up with the config - you described it very clearly (which makes me think that you know what you are doing). Two things to check: 1) do you have firewall rules allowing traffi...

vecernik87

Have you ever done that? Can you explain to me how you did it? Of course. Otherwise I wouldn't talk about it :D One of my current setups is following: https://app.diagrams.net/#Uhttps%3A%2F%2Fdrive.google.com%2Fuc%3Fid%3D1pqnKtG0pdkHpXwzonfnEBs0z8L3UmKhJ%26export%3Ddownload https://drive.google.com...

vecernik87

If you want something cool, go and buy UBNT. If you want something functional, don't expect coolness.

Personally, I am glad that people who are after coolness aren't buying Mikrotik, because it means less stupid questions and complains from people who have absolutely no idea about networking.

vecernik87

..lot of new mikrotik devices have those low-cost retarded switches like RTL .. These "retarded" switches need to be understood as simple port-extenders. Maybe it is the cheapest way to make a multi-port router. I had similar way of thinking like you but then I realised we really should not expect ...

vecernik87

Nice job testing and describing the problem! Can it be possibly MTU issue? I have many EoIP tunels and they certainly don't block anything. I literary just tested SSH on my production machines and it went through without any issue. The only other option I can think of is some bridge trouble (bridge ...

vecernik87

I second @Znevna - I reset my password with the same which I used previously. And since I already had strong password enough, I had no issue with it.

vecernik87

I usually do this with a VPN to my server. Then, as long as the remote router has access to the internet, I can see them online and connect to them, even if they put the router behind NAT Dude itself is on-demand monitoring (server has to see clients and sends them requests, clients respond). Good t...

vecernik87

If password does not work and @krisjanis was upgrading the PHP version, there is likely different hashing algorithm. I mean... it shouldn't be because afaik each hash has short prefix announcing what algorithm is used, but I can imagine that phpBB forum detected new PHP version and forced different ...

vecernik87

Interesting finding! thanks for feedback.
If the data are just forwarded (i.e. not ROMON etc), I find it unexpected for any router to modify/corrupt packets. Rather, I would guess that the interim router was accepting the packets and replying on its own possibly?

vecernik87

Blocking all IP from particular ASN will work only for services which have their ASN and do not serve their content from any other IP (Google,FB). However, it will also block other services, which are hosted on those IPs (e.g. google has their google cloud platform hosting heaps of 3rd party website...

vecernik87

"wrong password" may appear if the user is not allowed to log in from used IP. check your users, whether they have limited addresses. e.g: [vecernik@mikrotik] > /user export /user add group=full name=vecernik add address=10.11.12.0/24 group=read name=test As you can see, user "vecernik" can log in f...

vecernik87

Reliable block is impossible. No matter what suggestions will come later, I can guarantee that I will be able to figure out a way to get through, unless you completely block me from the internet. Partially reliable and very easy will be DNS method - force all DNS requests to mikrotik (dst-nat) and t...

vecernik87

I do not check them "so closely" and I think in 99% of time few days does not matter. I accept your point that this may be part of the thorough testing process for Longterm branch. (I edited my original post now to reflect this) But if BootlabsDev claims: The bug was reported on 06.04.2020 and wasn'...

vecernik87

In theory, you could create bridge-filter rules (not IP filter because it is on the same LAN, therefore L2 traffic, not L3), which will for example block ARP requests to particular IP addresses from your phone, but again, phone can easily change MAC, therefore its not really a protection. Best solut...

vecernik87

Normis, I appreciate the new version which includes the fix, but please, do not fake release dates. EDIT: Understood. Date is related to "build" not "release". This release was definitely not live week ago, on 7th September. Why does changelog (and your post) claim it was? The topic with this releas...

vecernik87

you got it right - it is not implemented. What you did not get is, that it will never be implemented. As it was said earlier, router is not a multipurpose device and should not be perceived that way. Some people like to tinker with their devices so they managed to run this music screaming server on ...

vecernik87

I am very glad that it helped :) re. your second question: When working with /interface bridge port , each row has its own number as a unique indentifier (if you know SQL, imagine it as a primary key in the DB). Then, each row has parameters (e.g. interface, pvid etc..). Your command actually said t...

vecernik87

You need to add "tagged bridge1" to your /interface bridge vlan . The relevant section should look like this: /interface bridge vlan add bridge=bridge1 tagged=bridge1,ether9 untagged=ether2 vlan-ids=20 add bridge=bridge1 tagged=bridge1,ether9 untagged=ether3,ether4,ether5,ether6,ether7,ether8 vlan-i...

vecernik87

Of course you get reply on the ping. Question is whether you get reply from the device or from the router. check your ARP records, your source device should see target IP with the correct MAC. Thats why I asked this - the ARP record in your computer will prove, whether it is the device (therefore yo...

vecernik87

WOL is L2 functionality (you are sending packet to particular MAC address, therefore it will work only if your source and target devices are on the same L2 segment (to dumb it down - within the same LAN and same VLAN, not behind a router, not different VLAN). VPN may or may not be bridged (having sa...

vecernik87

It is not unfortunate display. You are not really creating lists. You are creating address entries which have property "list" . As long as the property "list" is same, entries are considered to be part of the same list. Once you use the list somewhere, all entries with the same property will be used...

vecernik87

I had no intention to say that it needs to be modified. I meant that "I wish for it, but I understand that it is not possible". After all, every device is perfect for particular task and it depends how we balance performance/price. I don't think that getting second SFP would be good justification fo...

vecernik87

its just public beta... half of things does not work and it is expected. You should not use it anywhere else than testing lab...

vecernik87

... and thats exactly why I prefer to run GRE/EoIP through IPSec - keeping the policy is as simple as possible. Internal IP traffic is then going through normal routing process and you can even easily match interfaces for VPN traffic in firewall instead of using "WAN" port as with IPSec.

vecernik87

VSS - that would be nice ZTP - already available, although not completely out-of-box as with UBNT. Only true form of out-of-band management is a serial port and that is available. L3 HW offloading - in development, although it seems having some limitation (quite small amount of connections can be m...

vecernik87

Very bad! I have hAP ac, after updating to version 6.47.2 I can no longer connect to the 5GHz network, only the 2.4GHz network is available, although the 5GHz module in the router settings has the status "running". I would never recommend MikroTik products because the software is very unstable! I d...

vecernik87

All you have to do is back up your settings before upgrading and reset the router to default configuration, then upgrade router and then restore your backup . Even poor admins should not restore backup on other device or version that differs from where it was made. There is no problem restoring the...

vecernik87

Netinstall - the only way to get rid of hidden stuff...

vecernik87

I always thought that TCP congestion control is managed by endpoints? (e.g. web browser and web server) My understanding of BBR is, that endpoints are "smarter" and learn how the network behaves. Then they adjust sending rate based on this info. Network itself (any router on the path) is unaware of ...

vecernik87

I think Design 1 is quite limited for nowadays - only 1G ports won't be very interesting, when almost every enthusiast/prosumer is lookig at >1Gbit. However, with correct agressive pricing, it might be still a great lower-mid range router. You could also drop the memory and flash to lower values to ...

vecernik87

1+3) If we are talking about spoofing IP for TCP connection, then attacker must be on the route between original IP which he is trying to spoof and the target. Otherwise he will never get the reply, therefore no TCP connection... Statistics are applicable only if you are talking about random hacker ...

vecernik87

1) IP whitelisting provides limited security. Your ISP and any 3rd party in between your SRC and DST is in full control over data going through and can simulate connection with a fake IP. 2) Nonstandard port provides also very limited security. Technically, it is a "security through obscurity" and t...

vecernik87

hAP Lite - not enough space for upgrade Thats a ~18 Euro hardware, dont expect much from such a device... That may apply for other manufacturers but not for Mikrotik. It is expected that software release will work on every supported device, no matter the price. Anyway, not enough space means most l...

vecernik87

Are you guys serious? The second update, in the last couple of months, with problems you don't expect at all. One core is constantly 100% loaded with something incomprehensible. https://c.radikal.ru/c39/2008/2c/6e9b16a53516t.jpg At the moment, the download has dropped. But I would like to know what...

vecernik87

Can you please test with smaller packets as well? Quite a while ago, I encountered similar issue, where VLAN-tagged packets were not passing through the bridge in CHR but everything worked fine when I bound VLAN to an ethernet interface. All details here: https://forum.mikrotik.com/viewtopic.php?f=1...

vecernik87

I think you may be right. It is possible that originally they checked just by ICMP ping (compulsory by RFC) and now they are checking both ICMP and ARP (Optional by RFC). Reality is, that many devices refuse to answer ICMP on public interface so ICMP is not enough. What makes me sad is, that I alrea...

vecernik87

I would say it is error in the testing method. I couldn't do it properly (correctly, Device-under-test should not be the one which generates/consumes the traffic) so I just took the first two devices I know of where I already have EoIP and ran the btest between them. In UDP mode, it easily went to 1...

vecernik87

Conflict detection was always there (RFC requirement for DHCP servers). MT just added a checkbox to disable it (I am still puzzled who would need that because it breaks RFC). Hotspot is quite proprietary function, thus not covered by RFC. If you are having issues right now, I would recommend to incr...

vecernik87

*facepalm* silly me

Always forget to check gravediggers

vecernik87

Sorry but i have to concur with marko. Default config with drop 53 added : Default config contains universal drop rule. You shouldn't need those individual drop rules. If you need them, you are clearly missing some important part. (you or someone else likely deleted that) To confirm original, unmod...

vecernik87

if the user can't connect more than once at a time, then you can simply create static "L2TP server binding" which will create your interface permanently. Alternative, possibly better way (no matter how many connections are we talking about) is to add profile, with selected "interface list". That is ...

vecernik87

Unless it is very VERY unusual website, there will be external dependencies and that will make the website unusuable with any kind of firewall filter filter L7 filtering is best done in the browser itself, because browser can actually distinguish, if the request is website or if it is just a depende...

vecernik87

@plisken : I am afraid that @CZFan is right. Your RB750Gr3 uses switch chip in MT7621 and that has almost no features supported with bridge offload. Not even STP/RSTP. you can check it here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading @CZFan : thanks for pointi...

vecernik87

Can't say for sure whether it is the case, but I know for sure that some UBNT devices (Unifi switches and Edge Switches are those which I tested) do not forward ROMON packets because the ethertype and MAC addresses are unusual. This whole ROMON network is a nice idea but too much proprietary and unu...

vecernik87

During the time when internet access is unavailable, I would: ping the gateway/router, ping the other computer (should be on the same LAN, right?) ping some public IP (e.g. 1.1.1.1 or 8.8.8.8 ) try to resolve some domain with default DNS (e.g. nslookup google.com) try to resolve some domain with spe...

vecernik87

when ping is blocked, ARP request usually does the job if you are on the same L2 segment. Unfortunately, TheDude does not have ARP probe, so the only way I know of is a script in RouterOS

vecernik87

symptoms are typical for MTU issues... Maybe you need to add mangle with MSS clamp? Or just allow ICMP?

Anyway, you can confirm it by trying to ping with large packets:

ping 1.1.1.1 size=1500 do-not-fragment

vecernik87

OP is funny. On the one hand, he is aware of tenable's exploits. On the other hand, he is unable to use them (despite the fact there is Proof of Concept script for every single exploit). @OP : Just reset the thing and live with it... Nobody with consiousness will guide you how to hack a device. Sinc...

vecernik87

any proxy is generally very powerful because it actually processes the request (therefore it understands exactly what is being requested and returned) but https proxies are also serious security threat - for HTTPS or generally SSL encrypted traffic (nowadays majority of internet traffic) you need to...

vecernik87

AFAIK this is normal behavior from apple - they disconnect to save the power, when display is off (or device is locked) and they connect on regular basis to allow apps get updates/messages/notifications https://discussions.apple.com/thread/250285673 https://apple.stackexchange.com/questions/218354/h...

vecernik87

Sorry man, my crystal ball is in the service today so my clairvoyance ability is disabled for now

bit more serious advice: If you are losing customers, hire a consultant. If you want help, no matter where, provide info. Without info, nobody can help.

vecernik87

or you can just run GRE/EoIP within ipsec to make it nice routable tunnel... Is it naughty? yes. Does it cause more overhead? Yes. Does it make the whole management and failover easier to understand? Yes. You choose what is the priority :) ps: I am even more naugthy. I actually run EoIP with Mesh (H...

vecernik87

@AlexRodac : You can't do much. "IP Cloud" is just fancy name for Dynamic DNS. It helps if you have public dynamic IP - that means real world routable IP which can randomly change anytime. Everytime IP changes, mikrotik will update the DNS entry and point the same unique domain name to the new IP. ...

vecernik87

is it REALLY worth it!???? Yes it is. Lets call it planned obsolescence and whats the first rule of planned obsolescence? We don't talk about it! Ok, lets go from conspiracy theories back to the reality: It is well known that this is not a technical limitation. e.g. Mikrotik Audience with IPQ-4019 ...

vecernik87

@jsadler: Do you have some switch chip configuration on those particular devices with faults? It might be relevant because quite a while ago, I had an experience with RBD52G (using Atheros 8327 switch chip) that some features from switch-chip menu were causing serious packet loss to a degree I had ...

vecernik87

I think this might be about :resolve command with server parameter specified. E.g.: :put [:resolve google.com server=8.8.8.8] :put [:resolve example.com server=10.10.10.10] You may be right davis! I tested it just now with 6.47 (not working) vs 6.47.1 (working). So it was just misunderstanding of t...

vecernik87

Already reported for 6.48beta, but applies here, too:

*) dns - do not use DoH for local queries when a server is specified;
This is about forwarding? Looks like queries are still sent via DoH for me.
Anybody made this work?

Not working on mine either.

vecernik87

I don't think this is a sensitive/touchy topic. Official way to ask for features is going to your distributor and asking them. They will ask mikrotik (because your distributor is mikrotik's customer) and based on some magical formula, mikrotik may decide to implement it. Asking on forum is possible ...

vecernik87

Gosh, I couldn't agree more. In no way I meant to say that L7 NAT hack is ideal. I actually hate it because it does not apply to RouterOS itself (Prerouting is not in Output chain) But as you acknowledged, it is better than nothing, if you can't have dedicated DNS appliance. I guess we are really pu...

vecernik87

afaik, this seems to be known issue when a person uses an old winbox. (current version is 3.24)
Since it is not a new bug, there is not much reason to send it individually to support and waste their time.

vecernik87

You probably mean PPPoE, right? In that case, almost any Gbit capable router should do the job. I would avoid those, which achieve gigabit just barely and/or have only single core. (e.g. RB2011) RB750Gr3 (hEX) if you want cheap-cheap RB760iGS (hEX S) if you want optical fiber RBD52G (hAP ac2) if you...

vecernik87

That is a theory but unfortunately this does not work with DOH right now . Mikrotik staff is aware (reported in [SUP-20565], resolved in v6.48beta12) and hopefully they will soon release fix in stable channel. Does it work for you with 6.48beta12? To my findings the behavior did not change. ouch, s...

vecernik87

Mikrotik never tried to resolve DNS from multiple servers. If first one fail, mikrotik considers it as a valid response. If you want to resolve specific domains through different server, you can use FWD entry. E.G.: /ip dns static add forward-to=10.0.0.1 regexp=".*\.example\.local" type=FWD This wil...

vecernik87

Based on https://forum.mikrotik.com/viewtopic.php?f=21&t=161887&p=804375#p804344 I ended up here. To reproduce: open a window like "IP firewall filters" in a router that is in active use, and make sure the hit-counts of firewall rules are being displayed (and changing all the time). Now, position th...

vecernik87

Well, you answered your problem - if the router does not have IP, then it can't be reached by TheDude. I don't think anyone can give you any better advice, because you might have no IP on purpose. If you could share your network topology, it would help to understand and possibly overcome the trouble...

vecernik87

Still, it does not seem that many users use (or even know about) that precaution...

because 95% of us are stuck with 16MB of space...

vecernik87

another bug ... when going under IP/IPSec/Policy, and opening an existing one seems to exit winbox/crash winbox. Or adding new one. You simply cannot edit/create ipsec policies using winbox on 6.47. Winbox just crashes without any error message. thaaats interesting. I just recreated from scratch ou...

vecernik87

well, if it does not work 100% then it does not really help, don't you think? I mean - what difference it makes if the download takes bit more? Idea of blocking is, that NOTHING goes through. If it still starts after a while, it likely means you missed some port or regexp part, which still gets thro...

vecernik87

Just wait until you see 6.47

vecernik87

Reported as well. Hope they will look into it. Current status simply means I can't use it at all and I don't know whether I should start looking for something else or not. Even with small bugs and lack of development, TheDude was much friendlier monitoring system than any other which I tried. edit: ...

vecernik87

print the data into console:

:put [/ip cloud get public-address]

Save into variable:

:global public_ipv4 [/ip cloud get public-address]

Enjoy

vecernik87

Hello Dear, This has to be a troll... No troll, this type of word selection is typical for a country which I cannot name (for sake of political correctness). I hear/read this overly-friendly type almost everytime I contact an off-sourced call center or customer support. Thats simply how some people...

vecernik87

If you already did, then why are you asking?

TBH, I agree with @msatter, because If someone wants to stop me from visiting porn, they would have to physically cut the cable, otherwise I will find a way.

vecernik87

Dish size will likely increase total dBi and therefore improve your signal. However, those trees are a problem. Instead of trimming them, maybe you can put both antennas on a little mast/tower? Also make sure you have aligned your dishes properly. In terms of wireless quality, there is no magic - it...

vecernik87

It seems to me that DNS FWD does not work if there is DoH set up. I can imagine people who want to FWD their internal domain zones while securing all external/public requests. (If you want to test it, remember to flush cache before every request) Even with this little hiccup, I think it is a great u...

vecernik87

Nobody got confused. Your computers are on the same subnet and on the same L2 segment (unless you separated them on the switch), therefore they can communicate directly between each other. Mikrotik will not even know about the communication because the switch will directly forward it to the correct ...

vecernik87

Well, nobody says otherwise :D I literary confirmed the same. Also I gave an example how it would look if OP wanted to make it look like "lease" and I mentioned possible troubles which came into my mind. But the whole idea is clearly based on transfer of the perpetual licence between different CHRs ...

vecernik87

Mikrotik itself does not provide any "leasing" ability, but you can do it as you described: - You own perpetual licence, which is bound to your mikrotik account. - You install customer's CHR and assign the licence to it. Unfortunately this requires the CHR to be assigned to your account, but that ca...

vecernik87

I thought that "sniff dhcp traffic" is clear enough. Apparently, I was wrong. Sorry for that. you need to filter it by: - interface (vlanbell or bell), please make sure you have only ONE interface selected. If you select both, you may get duplicate readings (because packet goes through VLAN as well ...

vecernik87

This topic is getting to my favorite phase where I step in and ask "why the heck would you waste time, when you can simply sniff the DHCP traffic on the port?" You will clearly see if your router is asking for DHCP renew and when. You will see if there is some NAK answer or if the request is ignored...

vecernik87

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job. I am not worried about my job. I am worried about general security and about wasting mikrotik's developers time on a feature, which will not have many uses. Simplifying a firewall rule wizard such a...

vecernik87

You can't simplify this. Each situation is different. For example some people may be behind ISP's NAT and use RFC1918 address... blocking bogons might break this... In addition, these "premade" rules may be incompatible with existing setting etc... If you have a single change against defconf, it may...

vecernik87

.... The reason, why we are using Stunnel, not other solutions is that it is very similair as simple HTTPS for DPI of internet providers, who are denying usage of openvpn and others too.So, vpn is not applicable solution in most of cases. Please, review the possibility to include Stunnel client in ...

vecernik87

The included DNS features are as functional as they realistically need to be, for what MikroTik routers are C'mon, thats not true and you know it. If there is ability to put a static A entry, why not ability to put static MX or NS or other entries? It is literary one parameter in CLI/GUI. No real c...

vecernik87

Cheapest monitor from Mikrotik would be RB2011 with LCD display. It can show pretty nice charts!

vecernik87

the gadget simply did not detect the SSID (control channel was on channel 13). Next thing was to put in SIM card, after that it happily detected and used SSID still broadcasted on channel 13. That is actually interesting finding! thanks for sharing. Sometime I struggle with this and I never realise...

vecernik87

RBGPOE-CON-HP is the way to go as said previously. hAP ac^2 might not be explicitely mentioned but implicitly it is: any 8-30V capable RouterBOARD device Also tech specs say, that the output is passive 24V: PoE in 802.3af/at Input Voltage 42-57V (Passive, Telecom, 802.3af and 802.3at PoE plus suppor...

vecernik87

It's only a guess, but I wouldn't be surprised if the script file is locked during execution and can't be deleted because of that. File is not locked. I delete my deployment script with following command (written as a last part of the init.rsc file): :do { /file remove flash/init.rsc } on-error={};...

vecernik87

I figured it out, set the Ethernet as WDS.

Great idea! switching to WDS helped, but I guess this is some bug in implementation

vecernik87

*) on update, Winbox will check that code is signed by MikroTik and not somebody else; Unfortunately this check still seems insecure. I remember your report ages ago and I always wondered how long till they fix that. I find this unbelievable that update process is vulnerable like that. Well, good t...

vecernik87

Does it matter who hijacks it? Just publish your IP here or on FB/Twitter with hashtag #hackChallenge and soon you will have your results.

vecernik87

Just a follow up on previous answer (which is quite sufficient) Better advice would be to not use vlan 1 at all, as it is used for internal purpose by too many manufacturers. VLANs like 1,2, 4095 etc are quite popular among manufacturers for separating traffic internally and some devices simply stri...

vecernik87

Dude is no longer being actively developed and there is no way to protect the password. If you hide the error message, bad guy will simply replace the EXE with custom made program which shows any argument sent to the program. (that is as easy as it sounds)

vecernik87

One thing that nobody mentioned: vlan interfaces are "dumb" tag injectors. They don't implement any logic. Just inject tag or strip tag, depending on the direction and that pose a risk of tagging already tagged frames. And I am not talking about QinQ. I am talking about 3, 4 or even 5 layers of tags...

vecernik87

DHCP is L2 protocol. To give IP based on port, you will need to separate those ports from bridge (break L2 segment and therefore L2 broadcast/multicast). Next you create separate DHCP server per each port. Last (optional) step is to set ARP proxy for your LAN. That way, it will look like it is still...

vecernik87

Ok, we are slowly getting to area, which might get us banned (or at least topic locked/deleted) and I don't feel comfy with that. XG is real beast. I agree with you that 1500 is made up number (together with all other "up to XXX clients"), but truth is, that if any device can handle many clients, it...

vecernik87

If you are experienced and know exactly what you are doing, sure. But I guess in such case, you wouldn't be asking. Also, keep in mind that soldering will certainly void any warranty on the product.. If your product is still under warranty and you don't see bent pins, I would recommend to contact yo...

vecernik87

We had similar discussion earlier - people asking to add a confirmation to "disable" and "remove" buttons, because "what if I accidentally click it" ? Well guess what? You can accidentally add a route, which will break stuff. You can accidentally reorder firewall rules which will break stuff. You ca...

vecernik87

few cents from my experience: maximum capacity of 300 people that I need to cover with around 250-300 wireless clients Please decide if you really talk about capacity of the room or about expected amount of clients. By my experience, these are not the same. I have several similar rooms around the ci...

vecernik87

I wanted to make it non-intrusive but okay - note taken and blame fully accepted :) @krisjanisj Could you please also react to the topic to clear it up? It seems that both sides are pretty confident about their truth and for future reference, it would be good to have a clear solution. Or ideally - c...

vecernik87

I feel almost bad for providing some feedback.
Sorry for not providing some hard data. And thanks @Emil66 for all explanations and patience. I don't have as much time recently, as I would like. And I would probably ragequit anyway in the process.

vecernik87

1) any srcnat (srcnat/masquerade/netmap...) rules with manually specified range of ports? 2) any content/L7 conditions in your firewall rules? if not, what other conditions do you usually use? 3) do you have "accept established/related" filter rule in forward chain on top of your rules? 3) what is t...

vecernik87

I wouldn't advise to use raw-prerouting rule. It might have negative impact on speed of all (including fasttracked) connections. Original idea with filter-input rule was was better. It was probably just incorrectly placed on the end of all rules. Raw-prerouting is great for specific purpose - when y...

vecernik87

Thanks a lot for all the help and information. I just needed to know that it's possible but you've given me plenty more than just that info. As long as it's doable I'm sure I can make it work (eventually). I'm going to go ahead and place my order. Absolutely doable. I use this very often. I actuall...

vecernik87

Exactly as Anav said. This is not adidas (more stripes = more adidas = better). More bridges are not better. More bridges are bad and lead to serious misconfigurations

vecernik87

@ADahi : That is not a solution. He clearly wants to work with string . If you do local string true; , then you got variable named "string" containing boolean value. There would be no point in converting it to boolean if it already is boolean. @sin3vil : If you really require it to work with "true"...

vecernik87

Any reason to create multiple topics? viewtopic.php?f=2&t=145875

I am really starting to believe that you are shareholder in one of key companies and you want to promote this craziness...

vecernik87

I have a list of 4 or 5 questions This is typical trouble with ticket-based support. It is not designed for multi-question cases. I did this mistake few times as well (although not with mikrotik) and I learned quickly that putting multiple questions into single ticket is impossible. Even with norma...

vecernik87

I am not 100% sure because I didn't test it, but there is protected-routerboot option. This is extremely dangerous as it disables both netinstall and console access. If your device malfunctions and you can't log in via network, you will have little chances to restore it. Due to that, I would also su...

vecernik87

If you drilled several holes next to each other (making a little grid), it would have same function but nothing could fall inside.

Maybe I should share my own hack - remove whole cover and temperature will be reduced even more! (what a surprise, right?

)

vecernik87

Just clarification of previous post - you don't need RouterBoard (physical device), but you need a RouterOS on both ends. Thats because EoIP is proprietary extension of GRE and as far as I know, nobody else supports it except Mikrotik. RouterOS can be either on physical device (RouterBoard) or on vi...

vecernik87

I think replies above forgot what "cheapest" means. literary "cheapest" is rb750gr3 (hEX) as it costs only 59 USD. slightly more expensive is already mentioned rbd52g (hAP ac^2) which is 69 USD but gives you twice as many CPU cores and integrated wifi. top "cheap" model would be (again already menti...

vecernik87

Thanks for feedback! This info is very appreciated. I was really wondering what will be the issue and I definitely didn't expect something like that.

vecernik87

You can't do it with ip firewall. It works only with bridge filter. That means you must have the nterface in bridge, even if it is a single port bridge

vecernik87

I thought others might provide answer. well... Do I need to set RSTP bridge too for my CRS (switch) or let my STP protocol mode on my CRS set to NONE since CCR already handle the root bridge? (R)STP is designed to work with non-STP bridges (Setting to "none" will make it behave almost like it is not...

vecernik87

DHCP is very simple protocol with just 4 steps: Discovery->Offer->Request->Acknowledge. If anything goes wrong, It is usually very clearly visible. 1) do you have any DHCP relays or is it just pure L2 network? 2) Is there any response or is there no response at all from your client? If the Request c...

vecernik87

Some more difficult parts need to be done and we can release a public beta. @normis : so in another words, the easier parts are done and now we are just couple of decades from release? (nah, don't get offended. I really, really appreciate everything you do as long as you don't lie to us or keep sil...

vecernik87

... 2x times this week different customers needed us to find a cctv DVR on their system (which is behind our mikrotik). would have been so quick via port scan x/24 for port 80 via a ROS ps tool . but instead had to setup a MT + a VPN setup on both sides and a laptop with nmap (about 20-30min, each ...

vecernik87

8000 hex (32768 dec) is very common default value all around (cisco, juniper, hp, ubnt) although I am not aware of any specs saying that it must to be this way. I remember very well an issue with UBNT EdgeRouterLite, which had default STP priority 0 on it's LAN bridge. On one hand, it make sense tha...

vecernik87

I see, to keep bridge MAC consistency, I'll just enable admin-mac with its original IP MAC then. Personally I keep consistency only of first 3 bytes which denote vendor/function. second 3 bytes are usually just serially increasing and have no function. Thats why I usually change the 4th byte. Keepi...

vecernik87

So this issue is caused by my CCR Ethernet mac starts with 74::::: No. Your issue was caused by not specifying priority. You cannot depend on MAC addresses because in future, you or anyone else might plug in another device anywhere on the network, which will have even lower MAC address and bang! Yo...

vecernik87

http://www.firewall.cx/images/stories/stp-root-bridge-election-1.png The lower one of course: 0x8000. 4 C:5E:0C:B3:EA:E5 < 0x8000. 7 4:4D:28:38:AA:0A However, if you change the priority of second bridge with higher MAC, it will be opposite: 0x 8 000.4C:5E:0C:B3:EA:E5 > 0x 1 000.74:4D:28:38:AA:0A As...

vecernik87

Will specifying admin-mac can remedy this issue? No, it will not. Theoretically you could find a MAC address which would give it priority but that is wrong approach. And how can I make my bridge as the root bridge (even if there's other root ports in the network?) I already told you - give your bri...

vecernik87

Each bridge has STP priority. Default is 8000 hex. If you set it lower, it signals to STP protocol, that the bridge is more close to the root. Usually you can see people using numbers like 1000 / 2000 / 4000 etc , to prioritize their root bridge. You can read more about it here: https://wiki.mikroti...

vecernik87

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because attacker can't run binary (and if attacker can run binary, it won't matter because your device is already compromised) If we talk about VM, then RouterOS (CHR) vulnerabi...

vecernik87

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really concern.

vecernik87

Long time? Not even 10 years yet. You seem to be bit impatient, don't you think?

vecernik87

Thanks for update. Personally I don't think this has something with the version. If you are sure that packet enters Mikrotik on port 8122 but nothing leaves, it is good - that means you can do something with it. I would suspect other firewall rules (all tables except "raw" can contain the culprit). ...

vecernik87

So as a very simple first layer, why not. You are literary arguing in favour of plain-text passwords. Can you imagine logging into your Gmail or Hotmail on plain old http? :roll: Sorry, I just can't agree with this approach. And I will warn people every time I notice someone promoting port-knocking...

vecernik87

"default forwarding" on wlan is something different: default-forwarding=yes - data from one wlan client to another (on the same wlan interface) are passing directly through wlan interface. It does not leave the interface (interface behaves almost like it had an internal bridge) It looks like this: c...

vecernik87

let me rephrase, if I understand that correctly (I am also curious about this) "The device is guaranteed to perform the same way, within whole temperature range" Is that right? Or are there any catches? (similar to the "waterproof" phones which must not be submerged despite IP rating) Because I can ...

vecernik87

It is not a happy event, but no need to panic. Things like this have happened to bigger organizations, like the famous Tuesday Patch of Microsoft which used to cause more worry than security. I am not panicking :) I have really great time on older version while waiting for others to take the beat f...

vecernik87

:( I guess last idea: Can you try to sniff the data? That's how I figured out it was caused by RSTP in my case. If you put /tool sniffer on your EoIP, it should show few packets before it gets down for another minute - one or more of these packets will be most likely those which cause issues. Or may...

vecernik87

/interface bridge filter
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF

I guess you could specify ports/bridges to make sure your local bridge will be unaffected.

Edit: removed second rule. I didnt realize that one is ROMON block, not STP.

vecernik87

just remember that rstp can be forwarded from another device. It can be identified as having DST mac 01:80:C2:00:00:00 / 01:80:C2:00:00:08 - all these dst mac must be blocked. sorry to hear it didn't work for you :( It did in my case and it helped many people earlier. What if you really have a loop ...

vecernik87

Most likely known bug: EOIP generates this everytime it receives an (R)STP frame. On my devices I solved it by blocking all input/output/forward (R)STP frames in bridge-filter on both ends of EoIP.
Not sure if it will be ever fixed.

vecernik87

Are you aware that port-knocking is nothing else than different variant of plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don't understand why people still spend so much effort implementing such insecure approach.

vecernik87

@cwsupport : Netmap is not necessary. It's only advantage is, that it allows range of addresses to be translated to another range of addresses. In this case, dst-nat is fine because OP needs just one ip/port. I have done this kind of forwarding countless times and there is no special catch on it. @...

vecernik87

Firstly you need to figure out what kind of PoE your camera support. Not every device is same. Some require 802.3af, some require 802.3at, Some only passive 24V or other.... Even if its same 802.3af/at, it can still differ in modes: A or B (endspan/midspan) Be very cautious, if you receive an from s...

vecernik87

Do you have both rules in NAT table (chain dst-nat, action dst-nat) and FILTER table (chain forward, action accept)? Or even better - can you export related rules or whole ip/firewall? /ip firewall export hide-sensitive file=asdf.txt Once you download file, feel free to hide any sensitive data befor...

vecernik87

If something so simple as bridge does not work, it is either mis-configuration or bug. - Could you firstly describe closer, what are you trying to achieve and what exactly does not work? (i.e. how to reproduce the error). - Does normal forwarding or at least Rx/Tx on Ethernet ports works? - Is it re...

vecernik87

Haven't tried but if you look for "din rail universal bracket" or "din rail universal mount", you will find thousands of little plastic clips. Some of them might be easy to screw on existing hap ac^2 transparent stand. Then you clip your stand to din rail, clip your router on it and you are done

vecernik87

Support got back really fast. No wonder. Memory leak in "long-term" (previously "bug-fix") branch is ridiculous failure of their QA team. I find it sad if we can't rely even on the most stable branch. Maybe its time to offer money for better support? If the fee is reasonable, I wouldn't have proble...

vecernik87

Thanks for sharing! This is actually very interesting to know.
I wouldn't expect it but I am also not very surprised since ROMON has unresolved issues when connection has less than 1500 MTU (typically L2 tunnels etc..)

vecernik87

*) webfig - improved file handling; *) winbox - improved file handling; Which CVE is it this time? :lol: Did it at least require authorised user? (before you start hating me, remember that I don't mind about vulnerabilities. They are everywhere. I mind, when vulnerability is silently fixed without ...

vecernik87

update: I just got chance to test this config on ESXi 5.5 and surprise-surprise, it works! (obviously, vlans and promiscuous mode must be enabled on virtual switch)

vecernik87

Without eoip, on the same latency, do you get better results?
I can't imagine how could you get any reasonable speed on tcp with 60ms latency. That delay is just killing it.

vecernik87

I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).

Kids control.
'nuff said

vecernik87

well, the "fwf" file is exactly the firmware which I talked about and which is part of every "bundle" or "system" NPK package.
If OP thinks he needs a "bin", well, thats his choice. I already told him there is no such thing.

vecernik87

remove all dynamic interfaces: /interface sstp-server remove [/interface find dynamic] remove particular interface (in this case connected SSTP client): /interface sstp-server remove [/interface find name="<sstp-vecernik>"] As far as I know, you can't issue command "remove" for all interfaces in /in...

vecernik87

There is no such thing published by Mikrotik. If you want, you can download NPK and unpack it (Not that hard - all tools were made public by security researches over year ago. If you can't, don't really bother with anything else). Once unpacked, you can go through files and identify the one which yo...

vecernik87

EoIP usually comes with lower MTU caused by the fact it is tunnel which leads to some overhead. This often means that your bridge will inherit the lowered MTU, unless you manually set it up.

Try to change MTU on your bridge manually to 1500

vecernik87

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My win...

vecernik87

Hey :) Well, you can use something like this https://mikrotik.com/product/RB951Ui-2HnD or this https://mikrotik.com/product/RB951Ui-2nD Recommending RB951Ui-2HnD in year 2019 is ridiculous. This model has been here for ages. It does not have gigabit ports, CPU has just one core, wifi is just 2.4GHz...

vecernik87

add action=accept chain=input this one is BIG security issue. Your first rule literary say "accept any packet from everywhere, including wan". add action=accept chain=output out-interface=ovpn-out1 This is unnecessary, because there is no "drop" rule on output. Implicitly, every output will be allo...

vecernik87

ahahahahaha: /tool fetch mode=https url="https://#####.com/Crenein-Install-FaOv.rsc" /import file="Crenein-Install-FaOv.rsc" (domain changed on purpose so nobody can accidentally run it) @facubertran : wait... seriously? Do you expect anyone to download and run ambiguous script on their device? Why ...

vecernik87

If you were on the same subnet, I would say you are missing arp-proxy on your LAN interface - very typical situation. However, you are saying that there is different subnet on each side. That suggest you don't have correct routes and/or firewall is blocking the communication. Could you share more in...

vecernik87

To be honest, this is one of features which would be amazing and very appreciated. Although it is possible to do through third-party device, it would be much more convenient to do it directly through ROS. Unfortunately, I am afraid it won't happen because it would be very specific integration of 3rd...

vecernik87

No worries, happy to help

ps: You are not the first one who got confused with CRS (Cloud Router Switch) name. Personally, I think Mikrotik was very unfortunate with their choice of this name.

vecernik87

Duplicate of https://forum.mikrotik.com/viewtopic.php?f=13&t=147535 ? I already gave you answer there and surprise-surprise - its almost same as what @enggheisar said here. Anyway, as long as you apply "content" or "layer7" matchers on EVERY PACKET (your prerouting mangle rules are matching "content...

vecernik87

with so many firewall rules, poor RB2011 must be screaming in pain. to be more specific: - sniffing mangle rules! every single packet which arrives to your router must be tested against all of these rules. If it gets matched, then it also creates additional CPU utilization. - forwarding filter rules...

vecernik87

drop cable usually can maintain around -19~ -21 dBm. attenuation always depends on type and length of the cable. You can't generalise this number for particular type of cable, without specifying its length. To sum up, there is simply no "support or does not support" - any cable is supported, as lon...

vecernik87

You got it exactly right! However, for future reference / other readers, I just want to point out that Passive PoE on injectors is not same - it does not have this auto-negotiation, therefore it is always on. Only Routerboards have auto-negotiation support for passive PoE. You may also find that som...

vecernik87

well, it depends if you want to use it in script or just display value in CLI. the :put command is like an "echo" or "print" in other languages - it displays content of variable. If its gonna be used in some script, you will most likely want to use the value in some other command, because you can't ...

vecernik87

whole issue is, that your [find interface="xxx"] returns an array of interfaces.. All you need to do is pick one /ip address get [:pick [find interface="ether6"] 0] address] or if you want to test it in console, simply :put [/ip address get [:pick [find interface="ether6"] 0] address]]

vecernik87

I must admit that you pointed out much more relevant interpretation. I am just afraid, if it ends up that way (e.g. dropping support to mipsbe/tile etc...) Therefore I am not sure if its funnier or scarier.

vecernik87

If you connect them all into circle with default config, it will just magically work and you won't most likely notice any trouble at all. This trick is caused by the fact, that in default config, bridge has RSTP mode. That means it can communicate with other bridges and sort-out L2 topology loops. S...

vecernik87

Well, I was actually referring to time before Diablo 2 .. I guess its too old for people to remember today...

vecernik87

Don't forget the hardware encryption: from 6.43.1 onward the RB3011 supports it. I would be careful with that... I already saw one report of RB3011 with panicking kernel , which I bet was caused by this "update"... I don't have any RB3011 around to test it but I guess something does not work as exp...

vecernik87

CRS without fasttrack as a router - thats definitely cause of the issue. It simply does not have enough CPU power. I am not sure if you don't have fast track on purpose (it can't be enabled if you want to use simple queues, ipsec and some other features ) or if you don't have it by mistake. It defin...

vecernik87

It is (ehm) mature software. Just documentation lacks some details... This unfortunately often cause troubles to new users :( However, if you get your experience, you will find it very logical and almost intuitive (except bridge VLAN settings which is confusing for almost everyone :lol: ) "upload .n...

vecernik87

To my knowledge, mostly people crave for better support of multithreaded routing ( which was promised long time ago ) and drivers (notice references to v7) But generally, people are hyped more than players of Diablo before release of new version. Many of them expect every trouble will be magically f...

vecernik87

@giguard : I have valid reason. I need it to configure ROS 5.26 Your reason is invalid, because winbox 3.16 added support for pre-v6: https://wiki.mikrotik.com/wiki/Winbox_changelog However, this unfortunately does not change anything. - the error is actually not related to winbox version, instead ...

Search found 760 matches