Community discussions

Search found 631 matches

by vecernik87
Fri Jun 14, 2019 11:27 pm
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 15
Views: 464

Re: single IP constantly trying to log to my Mikrotik

I wouldn't advise to use raw-prerouting rule. It might have negative impact on speed of all (including fasttracked) connections. Original idea with filter-input rule was better. It was probably just incorrectly placed on the end of all rules. Raw-prerouting is great for specific purpose - when y...
by vecernik87
Fri Jun 14, 2019 5:50 am
Forum: General
Topic: hAP ac² as switch + ap
Replies: 9
Views: 474

Re: hAP ac² as switch + ap

Thanks a lot for all the help and information. I just needed to know that it's possible but you've given me plenty more than just that info. As long as it's doable I'm sure I can make it work (eventually). I'm going to go ahead and place my order. Absolutely doable. I use this very often. I actuall...
by vecernik87
Fri Jun 14, 2019 4:10 am
Forum: General
Topic: vlan bridge to port [SOLVED]
Replies: 10
Views: 369

Re: vlan bridge to port [SOLVED]

Exactly as Anav said. This is not adidas (more stripes = more adidas = better). More bridges are not better. More bridges are bad and lead to serious misconfigurations
by vecernik87
Fri Jun 14, 2019 3:40 am
Forum: Scripting
Topic: :tobool not working as expected
Replies: 3
Views: 158

Re: :tobool not working as expected

@ADahi : That is not a solution. He clearly wants to work with string . If you do local string true; , then you got variable named "string" containing boolean value. There would be no point in converting it to boolean if it already is boolean. @sin3vil : If you really require it to work with "true"...
by vecernik87
Fri Jun 14, 2019 3:04 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Cablelabs Micronets
Replies: 4
Views: 339

Re: Cablelabs Micronets

Any reason to create multiple topics? viewtopic.php?f=2&t=145875

I am really starting to believe that you are shareholder in one of key companies and you want to promote this craziness...
by vecernik87
Fri Jun 14, 2019 2:08 am
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 407

Re: Annoyed with Mikrotik 'Support'

I have a list of 4 or 5 questions This is typical trouble with ticket-based support. It is not designed for multi-question cases. I made this mistake a few times as well (although not with mikrotik) and I learned quickly that putting multiple questions into single ticket is impossible. Even with norma...
by vecernik87
Thu Jun 06, 2019 6:25 am
Forum: General
Topic: Mikrotik Console Port
Replies: 4
Views: 243

Re: Mikrotik Console Port

I am not 100% sure because I didn't test it, but there is protected-routerboot option. This is extremely dangerous as it disables both netinstall and console access. If your device malfunctions and you can't log in via network, you will have little chances to restore it. Due to that, I would also su...
by vecernik87
Thu Jun 06, 2019 6:12 am
Forum: RouterBOARD hardware
Topic: wAP AC (RBwAPG-5HacT2HnD) - How to reduce temperature by 8-10 degrees
Replies: 2
Views: 314

Re: wAP AC (RBwAPG-5HacT2HnD) - How to reduce temperature by 8-10 degrees

If you drilled several holes next to each other (making a little grid), it would have same function but nothing could fall inside.

Maybe I should share my own hack - remove whole cover and temperature will be reduced even more! (what a surprise, right? :D )
by vecernik87
Wed Jun 05, 2019 2:16 am
Forum: General
Topic: EOIP - ethernet over IP protocol
Replies: 3
Views: 205

Re: EOIP - ethernet over IP protocol

Just clarification of previous post - you don't need RouterBoard (physical device), but you need a RouterOS on both ends. That's because EoIP is proprietary extension of GRE and as far as I know, nobody else supports it except Mikrotik. RouterOS can be either on physical device (RouterBoard) or on vi...
by vecernik87
Tue Jun 04, 2019 4:07 pm
Forum: RouterBOARD hardware
Topic: Cheapest router for home use with 1Gb
Replies: 5
Views: 444

Re: Cheapest router for home use with 1Gb

I think replies above forgot what "cheapest" means. Literally "cheapest" is rb750gr3 (hEX) as it costs only 59 USD. Slightly more expensive is already mentioned rbd52g (hAP ac^2) which is 69 USD but gives you twice as many CPU cores and integrated wifi. Top "cheap" model would be (again already menti...
by vecernik87
Tue Jun 04, 2019 11:28 am
Forum: General
Topic: dst-nat with changing port
Replies: 20
Views: 746

Re: dst-nat with changing port

Thanks for feedback! This info is very appreciated. I was really wondering what will be the issue and I definitely didn't expect something like that.
by vecernik87
Sat May 25, 2019 1:17 am
Forum: Forwarding Protocols
Topic: How to block neighbours Advertisment
Replies: 6
Views: 2444

Re: How to block neighbours Advertisment

You can't do it with ip firewall. It works only with bridge filter. That means you must have the interface in bridge, even if it is a single port bridge.
by vecernik87
Tue May 21, 2019 9:17 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 846

Re: Bridge -> root bridge

I thought others might provide answer. well... Do I need to set RSTP bridge too for my CRS (switch) or let my STP protocol mode on my CRS set to NONE since CCR already handle the root bridge? (R)STP is designed to work with non-STP bridges (Setting to "none" will make it behave almost like it is not...
by vecernik87
Tue May 21, 2019 4:36 am
Forum: General
Topic: Mikrotik offering lease continually without success
Replies: 2
Views: 186

Re: Mikrotik offering lease continually without success

DHCP is very simple protocol with just 4 steps: Discovery->Offer->Request->Acknowledge. If anything goes wrong, it is usually very clearly visible. 1) Do you have any DHCP relays or is it just pure L2 network? 2) Is there any response or is there no response at all from your client? If the Request c...
by vecernik87
Mon May 20, 2019 2:28 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 521
Views: 121632

Re: RouterOS v7.0 beta1 - when?

Some more difficult parts need to be done and we can release a public beta. @normis : so in another words, the easier parts are done and now we are just couple of decades from release? (nah, don't get offended. I really, really appreciate everything you do as long as you don't lie to us or keep sil...
by vecernik87
Mon May 20, 2019 6:36 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Please add basic portScan tool ( port scanner scan )
Replies: 27
Views: 7304

Re: Please add basic portScan tool ( port scanner scan )

... 2x times this week different customers needed us to find a cctv DVR on their system (which is behind our mikrotik). would have been so quick via port scan x/24 for port 80 via a ROS ps tool . but instead had to setup a MT + a VPN setup on both sides and a laptop with nmap (about 20-30min, each ...
by vecernik87
Sun May 19, 2019 5:13 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 846

Re: Bridge -> root bridge

8000 hex (32768 dec) is very common default value all around (cisco, juniper, hp, ubnt) although I am not aware of any specs saying that it must be this way. I remember very well an issue with UBNT EdgeRouterLite, which had default STP priority 0 on its LAN bridge. On one hand, it makes sense tha...
by vecernik87
Sat May 18, 2019 12:10 pm
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 846

Re: Bridge -> root bridge

I see, to keep bridge MAC consistency, I'll just enable admin-mac with its original IP MAC then. Personally I keep consistency only of first 3 bytes which denote vendor/function. Second 3 bytes are usually just serially increasing and have no function. That's why I usually change the 4th byte. Keepi...
by vecernik87
Sat May 18, 2019 8:27 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 846

Re: Bridge -> root bridge

So this issue is caused by my CCR Ethernet mac starts with 74::::: No. Your issue was caused by not specifying priority. You cannot depend on MAC addresses because in future, you or anyone else might plug in another device anywhere on the network, which will have even lower MAC address and bang! Yo...
by vecernik87
Sat May 18, 2019 3:20 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 846

Re: Bridge -> root bridge

http://www.firewall.cx/images/stories/stp-root-bridge-election-1.png The lower one of course: 0x8000.4C:5E:0C:B3:EA:E5 < 0x8000.74:4D:28:38:AA:0A However, if you change the priority of second bridge with higher MAC, it will be opposite: 0x8000.4C:5E:0C:B3:EA:E5 > 0x1000.74:4D:28:38:AA:0A As...
by vecernik87
Fri May 17, 2019 5:14 pm
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 846

Re: Bridge -> root bridge

Will specifying admin-mac can remedy this issue? No, it will not. Theoretically you could find a MAC address which would give it priority but that is wrong approach. And how can I make my bridge as the root bridge (even if there's other root ports in the network?) I already told you - give your bri...
by vecernik87
Fri May 17, 2019 10:14 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 846

Re: Bridge -> root bridge

Each bridge has STP priority. Default is 8000 hex. If you set it lower, it signals to STP protocol that the bridge is closer to the root. Usually you can see people using numbers like 1000 / 2000 / 4000 etc., to prioritize their root bridge. You can read more about it here: https://wiki.mikroti...
by vecernik87
Fri May 17, 2019 8:51 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 268
Views: 55020

Re: v6.45beta [testing] is released!

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because attacker can't run binary (and if attacker can run binary, it won't matter because your device is already compromised) If we talk about VM, then RouterOS (CHR) vulnerabi...
by vecernik87
Thu May 16, 2019 1:28 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 268
Views: 55020

Re: v6.45beta [testing] is released!

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really a concern.
by vecernik87
Thu May 16, 2019 3:28 am
Forum: RouterBOARD hardware
Topic: Can't read Voltage via SNMP on CRS112-8P-4S
Replies: 11
Views: 1480

Re: Can't read Voltage via SNMP on CRS112-8P-4S

Long time? Not even 10 years yet. You seem to be bit impatient, don't you think? :D
by vecernik87
Thu May 16, 2019 1:38 am
Forum: General
Topic: dst-nat with changing port
Replies: 20
Views: 746

Re: dst-nat with changing port

Thanks for update. Personally I don't think this has something with the version. If you are sure that packet enters Mikrotik on port 8122 but nothing leaves, it is good - that means you can do something with it. I would suspect other firewall rules (all tables except "raw" can contain the culprit). ...
by vecernik87
Wed May 15, 2019 2:54 pm
Forum: Scripting
Topic: Knock secret daily changeable
Replies: 10
Views: 386

Re: Knock secret daily changeable

So as a very simple first layer, why not. You are literally arguing in favour of plain-text passwords. Can you imagine logging into your Gmail or Hotmail on plain old http? :roll: Sorry, I just can't agree with this approach. And I will warn people every time I notice someone promoting port-knocking...
by vecernik87
Wed May 15, 2019 2:30 pm
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 361

Re: bridge + eoip + horizon = loop [SOLVED]

"default forwarding" on wlan is something different: default-forwarding=yes - data from one wlan client to another (on the same wlan interface) are passing directly through wlan interface. It does not leave the interface (interface behaves almost like it had an internal bridge) It looks like this: c...
by vecernik87
Wed May 15, 2019 2:18 pm
Forum: General
Topic: RB3011 Optimal Operating temperature
Replies: 4
Views: 202

Re: RB3011 Optimal Operating temperature

let me rephrase, if I understand that correctly (I am also curious about this) "The device is guaranteed to perform the same way, within whole temperature range" Is that right? Or are there any catches? (similar to the "waterproof" phones which must not be submerged despite IP rating) Because I can ...
by vecernik87
Wed May 15, 2019 2:07 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2513

Re: v6.43.15 [long-term] is released!

It is not a happy event, but no need to panic. Things like this have happened to bigger organizations, like the famous Tuesday Patch of Microsoft which used to cause more worry than security. I am not panicking :) I have really great time on older version while waiting for others to take the beat f...
by vecernik87
Wed May 15, 2019 12:39 pm
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 361

Re: bridge + eoip + horizon = loop [SOLVED]

:( I guess last idea: Can you try to sniff the data? That's how I figured out it was caused by RSTP in my case. If you put /tool sniffer on your EoIP, it should show few packets before it gets down for another minute - one or more of these packets will be most likely those which cause issues. Or may...
by vecernik87
Wed May 15, 2019 11:54 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 361

Re: bridge + eoip + horizon = loop [SOLVED]

/interface bridge filter
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF 
I guess you could specify ports/bridges to make sure your local bridge will be unaffected.

Edit: removed second rule. I didn't realize that one is ROMON block, not STP.
by vecernik87
Wed May 15, 2019 11:45 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 361

Re: bridge + eoip + horizon = loop [SOLVED]

just remember that rstp can be forwarded from another device. It can be identified as having DST mac 01:80:C2:00:00:00 / 01:80:C2:00:00:08 - all these dst mac must be blocked. sorry to hear it didn't work for you :( It did in my case and it helped many people earlier. What if you really have a loop ...
by vecernik87
Wed May 15, 2019 11:29 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 361

Re: bridge + eoip + horizon = loop [SOLVED]

Most likely known bug: EOIP generates this every time it receives an (R)STP frame. On my devices I solved it by blocking all input/output/forward (R)STP frames in bridge-filter on both ends of EoIP.
Not sure if it will be ever fixed.
by vecernik87
Wed May 15, 2019 11:10 am
Forum: Scripting
Topic: Knock secret daily changeable
Replies: 10
Views: 386

Re: Knock secret daily changeable

Are you aware that port-knocking is nothing else than different variant of plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don't understand why people still spend so much effort implementing such insecure approach.
by vecernik87
Wed May 15, 2019 11:02 am
Forum: General
Topic: dst-nat with changing port
Replies: 20
Views: 746

Re: dst-nat with changing port

@cwsupport : Netmap is not necessary. Its only advantage is that it allows range of addresses to be translated to another range of addresses. In this case, dst-nat is fine because OP needs just one ip/port. I have done this kind of forwarding countless times and there is no special catch on it. @...
by vecernik87
Wed May 15, 2019 10:04 am
Forum: Beginner Basics
Topic: Wireless to POE
Replies: 1
Views: 130

Re: Wireless to POE

Firstly you need to figure out what kind of PoE your camera supports. Not every device is same. Some require 802.3af, some require 802.3at, some only passive 24V or other.... Even if it's same 802.3af/at, it can still differ in modes: A or B (endspan/midspan) Be very cautious, if you receive an from s...
by vecernik87
Wed May 15, 2019 9:58 am
Forum: Beginner Basics
Topic: VPN PPTP Passthrough Problem
Replies: 4
Views: 229

Re: VPN PPTP Passthrough Problem

Do you have both rules in NAT table (chain dst-nat, action dst-nat) and FILTER table (chain forward, action accept)? Or even better - can you export related rules or whole ip/firewall? /ip firewall export hide-sensitive file=asdf.txt Once you download file, feel free to hide any sensitive data befor...
by vecernik87
Wed May 15, 2019 9:50 am
Forum: Virtualization
Topic: Server 2019 HV with chr-6.44.3 no bridge function
Replies: 2
Views: 154

Re: Server 2019 HV with chr-6.44.3 no bridge function

If something so simple as bridge does not work, it is either mis-configuration or bug. - Could you firstly describe closer, what are you trying to achieve and what exactly does not work? (i.e. how to reproduce the error). - Does normal forwarding or at least Rx/Tx on Ethernet ports work? - Is it re...
by vecernik87
Wed May 15, 2019 9:43 am
Forum: RouterBOARD hardware
Topic: hap ac2 din rail mount [SOLVED]
Replies: 2
Views: 307

Re: hap ac2 din rail mount [SOLVED]

Haven't tried but if you look for "din rail universal bracket" or "din rail universal mount", you will find thousands of little plastic clips. Some of them might be easy to screw on existing hap ac^2 transparent stand. Then you clip your stand to din rail, clip your router on it and you are done :)
by vecernik87
Wed May 15, 2019 8:00 am
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2513

Re: v6.43.15 [long-term] is released!

Support got back really fast. No wonder. Memory leak in "long-term" (previously "bug-fix") branch is ridiculous failure of their QA team. I find it sad if we can't rely even on the most stable branch. Maybe it's time to offer money for better support? If the fee is reasonable, I wouldn't have proble...
by vecernik87
Tue May 14, 2019 5:42 am
Forum: Forwarding Protocols
Topic: Jumbo Frames, L2MTU mismatch with RouterOS crashing
Replies: 3
Views: 365

Re: Jumbo Frames, L2MTU mismatch with RouterOS crashing

Thanks for sharing! This is actually very interesting to know.
I wouldn't expect it but I am also not very surprised since ROMON has unresolved issues when connection has less than 1500 MTU (typically L2 tunnels etc..)
by vecernik87
Mon May 13, 2019 4:40 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2513

Re: v6.43.15 [long-term] is released!

*) webfig - improved file handling; *) winbox - improved file handling; Which CVE is it this time? :lol: Did it at least require authorised user? (before you start hating me, remember that I don't mind about vulnerabilities. They are everywhere. I mind, when vulnerability is silently fixed without ...
by vecernik87
Sun May 12, 2019 5:33 am
Forum: Virtualization
Topic: CHR does not transmit frames with VLAN tags from bridge
Replies: 4
Views: 681

Re: CHR does not transmit frames with VLAN tags from bridge

update: I just got chance to test this config on ESXi 5.5 and surprise-surprise, it works! (obviously, vlans and promiscuous mode must be enabled on virtual switch)
by vecernik87
Thu May 09, 2019 3:08 pm
Forum: General
Topic: EOIP TCP problem
Replies: 6
Views: 372

Re: EOIP TCP problem

Without eoip, on the same latency, do you get better results?
I can't imagine how could you get any reasonable speed on tcp with 60ms latency. That delay is just killing it.
by vecernik87
Tue Apr 30, 2019 9:57 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1095
Views: 187628

Re: formal port knocking

I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).
Kids control.
'nuff said
by vecernik87
Fri Apr 19, 2019 1:59 am
Forum: RouterBOARD hardware
Topic: 750 gr3 bin bios file
Replies: 5
Views: 414

Re: 750 gr3 bin bios file

well, the "fwf" file is exactly the firmware which I talked about and which is part of every "bundle" or "system" NPK package.
If OP thinks he needs a "bin", well, that's his choice. I already told him there is no such thing.
by vecernik87
Thu Apr 18, 2019 6:54 am
Forum: Beginner Basics
Topic: Remove interface from console [SOLVED]
Replies: 2
Views: 221

Re: Remove interface from console [SOLVED]

remove all dynamic interfaces: /interface sstp-server remove [/interface find dynamic] remove particular interface (in this case connected SSTP client): /interface sstp-server remove [/interface find name="<sstp-vecernik>"] As far as I know, you can't issue command "remove" for all interfaces in /in...
by vecernik87
Thu Apr 18, 2019 6:24 am
Forum: RouterBOARD hardware
Topic: 750 gr3 bin bios file
Replies: 5
Views: 414

Re: 750 gr3 bin bios file

There is no such thing published by Mikrotik. If you want, you can download NPK and unpack it (Not that hard - all tools were made public by security researchers over year ago. If you can't, don't really bother with anything else). Once unpacked, you can go through files and identify the one which yo...
by vecernik87
Mon Apr 15, 2019 9:51 am
Forum: Beginner Basics
Topic: L2 connection mikrotik<->mikrotik breaks some https connections
Replies: 2
Views: 204

Re: L2 connection mikrotik<->mikrotik breaks some https connections

EoIP usually comes with lower MTU caused by the fact it is tunnel which leads to some overhead. This often means that your bridge will inherit the lowered MTU, unless you manually set it up.

Try to change MTU on your bridge manually to 1500 :)