Search found 786 matches

by vecernik87
Wed Apr 14, 2021 8:41 am
Forum: General
Topic: Cloutik feedback ?
Replies: 11
Views: 847

Re: Cloutik feedback ?

That's exactly my point. In the past, unifi cloud was optional (so it can be considered same as 3rd party). Then they released UDM and guess what? It is compulsory. You can't set up the device without cloud. (therefore even serious networking people had no choice...) Now they got hacked and literally ...
by vecernik87
Wed Apr 14, 2021 4:21 am
Forum: General
Topic: Cloutik feedback ?
Replies: 11
Views: 847

Re: Cloutik feedback ?

No serious network techs will ever use third party cloud service to manage their own devices. Thus, no discussion needed.

It's a nice toy but that's about it. For anyone conscious about security, it is another unnecessary attack vector.
by vecernik87
Fri Apr 02, 2021 2:04 pm
Forum: Beginner Basics
Topic: EoIP problem, MAC addresses
Replies: 2
Views: 331

Re: EoIP problem, MAC addresses

You didn't post much info so the best guess I have is, that you enabled arp proxy on that bridge from the second router.

If you disable it, your bridge should stop responding with arp answers and your double entries should disappear.
by vecernik87
Fri Mar 26, 2021 9:43 pm
Forum: General
Topic: WARNING _ DO NOT USE UPS Feature on MT
Replies: 5
Views: 543

Re: WARNING _ DO NOT USE UPS Feature on MT

I have cyberpower UPS connected to my home RBD52G and it is stable. In the office, I had some random reboots which were caused by the UPS communication in the past (interestingly same RB and UPS) . I guess it depends on more things, possibly even unrelated config which will affect the behavior.
by vecernik87
Wed Mar 17, 2021 8:19 am
Forum: General
Topic: Mutiple SSTP servers
Replies: 4
Views: 263

Re: Mutiple SSTP servers

No. Unfortunately Mikrotik's implementation supports only one server per router. You would probably need to create port-forwarding to a virtual router in order to create multiple servers.
by vecernik87
Wed Mar 03, 2021 8:13 am
Forum: Beginner Basics
Topic: Block Router Admin Access from the Wireless Interfaces
Replies: 7
Views: 539

Re: Block Router Admin Access from the Wireless Interfaces

The OP has clearly stated he is concerned with people accessing the router besides the admin. That is just untrue. Look again on the original question - it barely provides any info. You simply arrived late as always, after there was more info provided. I have sharper hooves so save yourself for ano...
by vecernik87
Wed Mar 03, 2021 1:14 am
Forum: Beginner Basics
Topic: Block Router Admin Access from the Wireless Interfaces
Replies: 7
Views: 539

Re: Block Router Admin Access from the Wireless Interfaces

@go4030 : Just one question...if my network is /24, I would change the /32 to /24? No. we are talking about dst-address so you are selecting only the destination mikrotik device (single host = /32). If you put /24, you may block access to other devices in theory, depending on your network setup. I'...
by vecernik87
Tue Mar 02, 2021 7:49 am
Forum: Beginner Basics
Topic: Block Router Admin Access from the Wireless Interfaces
Replies: 7
Views: 539

Re: Block Router Admin Access from the Wireless Interfaces

If they are bridged, it won't be as easy. To be precise - it can't be done with a firewall, because the packet goes to the firewall from the bridge (therefore bridge is the in-interface). In order to block only wireless clients, you need to create the rule in bridge filters: /interface list add name...
by vecernik87
Mon Mar 01, 2021 8:29 am
Forum: Wireless Networking
Topic: WIFI 6 Roadmap
Replies: 88
Views: 50897

Re: WIFI 6 Roadmap

WHere are the 60hz smartphones
Well, talking about that... my friend was testing 5G at his place and came up with some ridiculous number over 600Mbit download... If that really works all around, wifi will be irrelevant in the next decade.
by vecernik87
Wed Feb 24, 2021 3:35 am
Forum: Beginner Basics
Topic: simple switch and WiFi AP (no dhcp, no nat)
Replies: 8
Views: 7789

Re: simple switch and WiFi AP (no dhcp, no nat)

By default the wireless interface operates in the station mode. I am not sure if the SSID/key config should be the same SSID as the AP. This would make sense since the station could connect to the AP. The default value probably changed over the years. My understanding was that OP wanted to set the...
by vecernik87
Thu Feb 18, 2021 6:59 am
Forum: General
Topic: Forward between subnets on Bridge
Replies: 1
Views: 197

Re: Forward between subnets on Bridge

Without complete config of router as well as your VPN server it is not easy to solve. My best wild guess would be that you need to add a firewall-forward rule. (But not to the end, somewhere before "forward - drop all" rule.) If you are unsure or just want to test it, you can put it on to...
by vecernik87
Wed Feb 17, 2021 3:11 am
Forum: Beginner Basics
Topic: WAN & LAN Speed Difference
Replies: 6
Views: 625

Re: WAN & LAN Speed Difference

I would start with Tools->Torch: zGfg3K8aD1.png If that is not sufficient, you may also go to IP->Firewall->Connections: FlE6De5VpQ.png that should give you enough overview about your WAN connections. From there on, hard to say what you need to do - depends what kind of connections you find
by vecernik87
Tue Feb 09, 2021 11:19 pm
Forum: Beginner Basics
Topic: v6.48.1 - missing comment
Replies: 1
Views: 268

Re: v6.48.1 - missing comment

That is perfectly fine. Comment is related to the connect item, not to the registration item. I know the registration item looks like copy/dependant of connect-item, but it is not. Registration-list is made up from purely dynamic entries and thus, does not have comments.
by vecernik87
Tue Feb 09, 2021 1:02 pm
Forum: RouterBOARD hardware
Topic: bridge hardware offload [SOLVED]
Replies: 2
Views: 695

Re: bridge hardware offload [SOLVED]

Because your RB750Gr3 features a MT7621 switch chip which does not have many features: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features Almost any setting will disable hardware offload: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading So - you can't use STP...
by vecernik87
Tue Dec 29, 2020 2:19 am
Forum: General
Topic: Tis the Season
Replies: 9
Views: 902

Re: Tis the Season

I know I took this year easier but... heh... I feel offended now.
don't take it too seriously :D Happy new year to you too from a land down under
by vecernik87
Mon Dec 21, 2020 11:43 pm
Forum: Beginner Basics
Topic: Site to site VPN with the same IP subnet?
Replies: 2
Views: 376

Re: Site to site VPN with the same IP subnet?

The VPN settings in quickset isn't really "site to site". It is rather typical road-warrior setup and there is no need for same subnet - your devices will be able to communicate with each other so why limit yourself by putting everything on the same subnet? If they are not able to communic...
by vecernik87
Fri Nov 13, 2020 1:58 pm
Forum: Announcements
Topic: v6.47.7 [stable] is released!
Replies: 45
Views: 12701

Re: v6.47.7 [stable] is released!

I think that a lot of people ask on the forum, dont write to support (the only official contact), and threatens to migrate thousand of devices every time... eventually they stick with MT because it is cheap and they cannot afford something more expensive... :D I often ask on forum, when I suspect t...
by vecernik87
Thu Oct 29, 2020 9:52 am
Forum: General
Topic: What does the advantage put the router before firewall and internet?
Replies: 8
Views: 714

Re: What does the advantage put the router before firewall and internet?

Be careful with that router ! There is no security if you do not process the logs and alerts. (Ethical hackers first compromise the upfront router, and change the DNS flow) Good point, but that applies to every device, no matter if it is in front or behind the firewall. If the router is correctly s...
by vecernik87
Thu Oct 29, 2020 4:11 am
Forum: RouterBOARD hardware
Topic: PoE power from hAP AC to hAP ac lite?
Replies: 3
Views: 472

Re: PoE power from hAP AC to hAP ac lite?

Yes it can. RB962UiGS (hAP ac) PoE-out is passive, 11-57V (same as input) up to 700mA, therefore with standard 24V power adapter about 16W RB952Ui (hAP ac lite) PoE-in is also passive, 10-28V, requires 8W for on its own (and up to 20W total if there is another PoE daisy-chained device) The only car...
by vecernik87
Tue Oct 27, 2020 11:00 pm
Forum: General
Topic: Permanent NAT interface
Replies: 6
Views: 501

Re: Permanent NAT interface

Another way would be to create a static "server binding" interface. But that can be used only if the client makes only one connection at a time.
by vecernik87
Mon Oct 26, 2020 9:16 am
Forum: General
Topic: Old bug, PING SRC-ADDRESS does not work
Replies: 6
Views: 520

Re: Old bug, PING SRC-ADDRESS does not work

If you don't want to post your config (of course make it anonymous by replacing all identifiable data) it is hard to understand what could be wrong. Also, you didn't explain in detail what exactly does not work. (i.e. describe in detail your action, expected behavior and observed behavior). This des...
by vecernik87
Mon Oct 26, 2020 4:01 am
Forum: Beginner Basics
Topic: Lots of crap in Firewall logs - request rules review please? [SOLVED]
Replies: 6
Views: 631

Re: Lots of crap in Firewall logs - request rules review please? [SOLVED]

Excellent example of " do NOT trust that " video. The video itself is nice and well explained but there are two major issues which are easy to miss: 1) Those rules are opening your network to the world. The author did not specify which interface it applies to, therefore it will allow a...
by vecernik87
Mon Oct 26, 2020 12:21 am
Forum: General
Topic: Old bug, PING SRC-ADDRESS does not work
Replies: 6
Views: 520

Re: Old bug, PING SRC-ADDRESS does not work

I tested it just now, to confirm... Works as expected: by setting up the src-address in the source router, the destination router sees different source ip address (confirmed by running /tool sniffer quick on the destination router: [admin@mikrotik1] > ping 10.245.24.1 src-address=192.168.0.1 SEQ HO...
by vecernik87
Fri Oct 23, 2020 1:14 pm
Forum: General
Topic: What does the advantage put the router before firewall and internet?
Replies: 8
Views: 714

Re: What does the advantage put the router before firewall and internet?

This topology makes sense if your router can't do required firewalling and firewall is unable to do required routing. Typical for NGFW or IPS - these systems need to see data flowing including client's IP, therefore if they are before the router, client's IP might be NATted and in that case, it will be ...
by vecernik87
Fri Oct 23, 2020 7:03 am
Forum: Beginner Basics
Topic: System,error,critical login failure
Replies: 6
Views: 11531

Re: System,error,critical login failure

i have recent problem.. someone/thing tried to login via winbox but from the router IP itself (172.26.0.1) pics attached.. please, need help.. thank you.. this looks more like TheDude ... Probably added the device and now its trying to log in (enabled by default). find the device and uncheck "...
by vecernik87
Wed Oct 21, 2020 8:30 am
Forum: RouterOS v7 BETA
Topic: Feature Request : Non routable Management VLAN
Replies: 6
Views: 858

Re: Feature Request : Non routable Management VLAN

There should be a setting for this in the router (and Mikrotik switches too) to avoid routing between other interfaces and the management VLAN interface. There is such setting: /ip firewall filter add action=drop chain=forward place-before=0 out-interface=vlan-mgmt Obviously, replace the vlan-mgmt ...
by vecernik87
Mon Oct 19, 2020 8:56 am
Forum: General
Topic: Microtik and AD
Replies: 3
Views: 328

Re: Microtik and AD

If you don't want them to use the 8.8.8.8, don't give it to them. Simple as that. Define the DNS in ip->dhcp->networks so only your DC DNS will be distributed to clients. If you provide the 8.8.8.8 to your clients, there is no way to guarantee they won't use it. Is there any reason to give your clie...
by vecernik87
Mon Oct 19, 2020 1:53 am
Forum: Beginner Basics
Topic: Unknown setting is preventing a DNS change [SOLVED]
Replies: 4
Views: 424

Re: Unknown setting is preventing a DNS change [SOLVED]

c'mon Anav, you can do better :P CTRL+F -> type "53" and that's it... Picked it up in less than 10 seconds: add action=redirect chain=dstnat dst-address-type=!local dst-port=53 protocol=\ udp to-addresses=0.0.0.0 to-ports=53 DNS traffic not going to the router will be redirected to 0.0.0.0 ...
by vecernik87
Thu Oct 15, 2020 8:24 am
Forum: RouterBOARD hardware
Topic: hAP ac² High temperature
Replies: 61
Views: 19059

Re: hAP ac² High temperature

Nobody ever claimed that temperature does not matter. Temperature does matter and it is stated in the specs: "Tested ambient temperature -40°C to 50°C" That means, it is guaranteed to work, as long as the temperature around the router does not go over 50°C. By putting it on direct sunlight...
by vecernik87
Thu Oct 15, 2020 5:14 am
Forum: SwOS
Topic: Number of SWOS VLANs
Replies: 7
Views: 861

Re: Number of SWOS VLANs

RouterOS by default does not filter VLANs on bridge at all and lets them flow everywhere (as if all ports had all VLANs enabled as tagged). The only advantage of tagging switch ports is, that it will allow you to create access/edge ports (ports where particular VLAN is untagged)
by vecernik87
Thu Oct 15, 2020 1:14 am
Forum: Beginner Basics
Topic: WOL before RDP
Replies: 2
Views: 376

Re: WOL before RDP

Unfortunately, there is no easy way of doing this. Mikrotik can do a LOT with the firewall rules and scripts, but there is no built-in mechanism to trigger a script based on firewall rule. I can think of two workarounds: Preferred way - I hope (please, don't disappoint me!) that every employee connec...
by vecernik87
Wed Oct 14, 2020 11:35 am
Forum: Beginner Basics
Topic: Home User RouterOS Consultancy - Uber for MikroTik
Replies: 12
Views: 1082

Re: Home User RouterOS Consultancy - Uber for MikroTik

In other words, OP is asking for a normal help, which all 3 of us provide here on regular basis for free.. (at least I didn't get paid yet) @dazzaling69 : don't make a big deal out of it. Just ask for specific things because nobody will give you a full-blown lecture on all networking stuff. If you h...
by vecernik87
Wed Oct 14, 2020 9:36 am
Forum: General
Topic: License Purchase Issue! [SOLVED]
Replies: 1
Views: 302

Re: License Purchase Issue! [SOLVED]

If you were purchasing from official mikrotik page (not from reseller) then it would be better to contact mikrotik directly. This is just a forum and no official support (definitely not in regards of sales/payments) is guaranteed. In the checkout process, I noticed a reference to "sales@mikroti...
by vecernik87
Wed Oct 14, 2020 9:27 am
Forum: The Dude
Topic: (BUG) Dude Client crashing on device details and charts
Replies: 24
Views: 4786

Re: (BUG) Dude Client crashing on device details and charts

I didn't ask about this detail, but I assume, they are just pointing out the fact, that any TheDude Agent (any RouterOS device) must be same version as TheDude Server. That is known requirement for TheDude Agents, but fortunately, if you don't want to use Agents, you don't need to upgrade monitored ...
by vecernik87
Wed Oct 14, 2020 9:18 am
Forum: General
Topic: Firewall NAT , Route List Setting is will running
Replies: 4
Views: 613

Re: Firewall NAT , Route List Setting is will running

You didn't provide much info (especially, you did not bother to say what interface was there in the first place), but given your routing mark names, I assume that all these rules are related to a dynamic VPN interfaces, most likely you are running server and clients are connecting and everytime clie...
by vecernik87
Wed Oct 14, 2020 9:07 am
Forum: Beginner Basics
Topic: Accidently, I removed Interface ether1.
Replies: 5
Views: 723

Re: Accidently, I removed Interface ether1.

Is that even possible Normis? To remove the ethernet interface itself? Yes. Every model has this feature. All you need is a chisel or big screwdriver. Apply lot of pressure on the port and the interface will come off. I am pretty sure Normis is trying to understand what OP actually means same as ev...
by vecernik87
Wed Oct 14, 2020 8:59 am
Forum: Wireless Networking
Topic: Groove A52AC
Replies: 2
Views: 350

Re: Groove A52AC

also depends on frequency (2GHz reach further than 5GHz) and required speed (you can achieve longer distance with lower speeds) and many other parameters. Keep in mind that it will not instantly shut off... but reliability will slowly decrease as you increase the distance. If you want a simple answe...
by vecernik87
Tue Oct 13, 2020 8:45 am
Forum: The Dude
Topic: Why is my equipment down?
Replies: 2
Views: 515

Re: Why is my equipment down?

Is it possible that your dude is trying to reach the router by its WAN IP and that IP changed after the restart?
by vecernik87
Tue Oct 13, 2020 5:09 am
Forum: RouterBOARD hardware
Topic: hAP ac² High temperature
Replies: 61
Views: 19059

Re: hAP ac² High temperature

you have a black router under direct sunlight? well... no wonder it gets hot.

Instead of drilling holes, even simple piece of white paper would help more
by vecernik87
Tue Oct 13, 2020 5:04 am
Forum: RouterOS v7 BETA
Topic: how to understand routi9ng in v7
Replies: 7
Views: 1266

Re: how to understand routi9ng in v7

Cmon, he tried to help you and there is not a single negative point in his reply. The least you can do is not insult him. Since you did not bother to say, that you went through these pages (calling it "short little blurb" didn't help), it was safe to assume you didn't read it and you might...
by vecernik87
Tue Oct 13, 2020 3:16 am
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 104
Views: 23969

Re: WinBox v3.27 released!

The latest Winbox versions do not save settings such as "Inline comments" and "Hide Passwords". Yes it does. I just tested both switches and it works. Screenshot 2020-10-13 111156.png This is from latest winbox v3.27 (unfortunately it does not show the version in the open window)
by vecernik87
Tue Oct 13, 2020 3:04 am
Forum: The Dude
Topic: (BUG) Dude Client crashing on device details and charts
Replies: 24
Views: 4786

Re: (BUG) Dude Client crashing on device details and charts

I got an info on my bug report [SUP-20571] that they resolved the issue and the fix will be released in upcoming RouterOS update.

Hurray :)
by vecernik87
Tue Oct 13, 2020 2:21 am
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 809

Re: Vlan not working for me,

... the network is not stable at all sometimes it connects and sometime it does not. can mean anything. I couldn't agree more. Unfortunately I don't know anything further (yet). I provided reasonable step-by-step guide to OP so we can narrow down the issue (you know - ping this, ping that, connect ...
by vecernik87
Tue Oct 13, 2020 1:14 am
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 809

Re: Vlan not working for me,

@sob : thank you thank you thank you! First person saying that I didn't go crazy. btw: my last suggestion to OP in different conversation was exactly as yours - remove the bridge to minimize possible impact. He didn't reply yet so we will wait. @anav : Great. Now we are talking :) Sorry for stroking...
by vecernik87
Mon Oct 12, 2020 11:53 pm
Forum: General
Topic: Vlan not working for me,
Replies: 13
Views: 809

Re: Vlan not working for me,

@anav: I didn't want to reply here because I was trying to help this guy in some other place and I hoped that another pair of eyes will notice the issue. I went through it and couldn't spot any mistake (I missed the IP on Ether2 which should be on bridge, but that shouldn't cause issues with VLANs t...
by vecernik87
Wed Oct 07, 2020 4:44 am
Forum: General
Topic: DoH config ignores local static entries
Replies: 7
Views: 818

Re: DoH config ignores local static entries

It is quite similar to previously repaired "*) dns - do not use DoH for local queries when a server is specified;" in 6.47.1 - in both cases DOH took priority from specified server or local static entry. Unfortunately this is known issue (for any forum user), reported several times since 6...
by vecernik87
Tue Oct 06, 2020 1:51 am
Forum: Scripting
Topic: Script modem reboot
Replies: 5
Views: 625

Re: Script modem reboot

No matter what solution you choose, I agree that this is likely not doable with simple mikrotik script. Mikrotik can detect loss of connectivity and has simple, yet sufficient scripting language for any tasks done within RouterOS . It has no ability to interact with external tools except sending ema...
by vecernik87
Mon Oct 05, 2020 6:53 am
Forum: Beginner Basics
Topic: Cant' renew license---could not resolve DNS name error
Replies: 3
Views: 390

Re: Cant' renew license---could not resolve DNS name error

Okay, he seems to be a bit confused with rules (e.g. allowing forward/input for DNS from ALL interfaces - pretty sure it should be allowed only from internal / customer facing interface), but I don't see any rule, which should prevent router itself to use DNS. I still believe that his router shouldn't ...
by vecernik87
Fri Oct 02, 2020 10:18 am
Forum: Virtualization
Topic: Winbox has been disconnected
Replies: 6
Views: 1030

Re: Winbox has been disconnected

how did you actually "migrate" ? If you copy/paste config, you might have MAC collision...
by vecernik87
Fri Oct 02, 2020 7:19 am
Forum: Beginner Basics
Topic: Cant' renew license---could not resolve DNS name error
Replies: 3
Views: 390

Re: Cant' renew license---could not resolve DNS name error

So your clients can use google DNS but your router can't? that seems bit strange
by vecernik87
Thu Oct 01, 2020 10:27 am
Forum: The Dude
Topic: When Link Down it should change colour
Replies: 2
Views: 476

Re: When Link Down it should change colour

afaik, not possible. The color changes gradually, based on traffic as a % of available bandwidth (by default black = no/small traffic, red = traffic using 100% of link capacity, as defined in link settings) This would be actually great feature request, if mikrotik was still developing TheDude. Unfor...
by vecernik87
Thu Oct 01, 2020 2:19 am
Forum: General
Topic: EoIP not working as expected
Replies: 4
Views: 421

Re: EoIP not working as expected

What @sindy said is right. Firstly make sure that MAC spoofing (promiscuous mode) is enabled and that VLANs are allowed in the virtual switch. the bug which @sindy mentioned is clearly related to my earlier investigation: https://forum.mikrotik.com/viewtopic.php?t=144744 I will test further because ...
by vecernik87
Wed Sep 30, 2020 6:02 am
Forum: General
Topic: Redundant EIOP tunnel [SOLVED]
Replies: 2
Views: 396

Re: Redundant EIOP tunnel [SOLVED]

Yup, my setup as described in the link would work perfectly in this situation. 1) Run two EoIP per each branch 2) merge them using bridge or mesh (mesh will give you literally zero packet failover) 3) modify path costs in bridge-ports / mesh-ports to specify which tunnel has priority and which one is...
by vecernik87
Tue Sep 29, 2020 12:05 pm
Forum: General
Topic: The problem of "communication" of different subnets in one bridge
Replies: 4
Views: 343

Re: The problem of "communication" of different subnets in one bridge

well, clearly the issue occurs when the traffic needs to pass through router. I don't think there is anything you could stuff up with the config - you described it very clearly (which makes me think that you know what you are doing). Two things to check: 1) do you have firewall rules allowing traffi...
by vecernik87
Tue Sep 29, 2020 3:41 am
Forum: General
Topic: VPN Site - Site + Road Warrior [SOLVED]
Replies: 8
Views: 1072

Re: VPN Site - Site + Road Warrior [SOLVED]

Have you ever done that? Can you explain to me how you did it? Of course. Otherwise I wouldn't talk about it :D One of my current setups is following: https://app.diagrams.net/#Uhttps%3A%2F%2Fdrive.google.com%2Fuc%3Fid%3D1pqnKtG0pdkHpXwzonfnEBs0z8L3UmKhJ%26export%3Ddownload https://drive.google.com...
by vecernik87
Tue Sep 29, 2020 1:47 am
Forum: General
Topic: Feature request
Replies: 1
Views: 243

Re: Feature request

If you want something cool, go and buy UBNT. If you want something functional, don't expect coolness.

Personally, I am glad that people who are after coolness aren't buying Mikrotik, because it means less stupid questions and complaints from people who have absolutely no idea about networking.
by vecernik87
Thu Sep 24, 2020 11:13 am
Forum: RouterBOARD hardware
Topic: hAP ac³ switch chip?
Replies: 11
Views: 1512

Re: hAP ac³ switch chip?

..lot of new mikrotik devices have those low-cost retarded switches like RTL .. These "retarded" switches need to be understood as simple port-extenders. Maybe it is the cheapest way to make a multi-port router. I had similar way of thinking like you but then I realised we really should n...
by vecernik87
Thu Sep 17, 2020 8:31 am
Forum: General
Topic: EOIP blocking TCP
Replies: 16
Views: 1176

Re: EOIP blocking TCP

Nice job testing and describing the problem! Can it be possibly MTU issue? I have many EoIP tunnels and they certainly don't block anything. I literally just tested SSH on my production machines and it went through without any issue. The only other option I can think of is some bridge trouble (bridge ...
by vecernik87
Wed Sep 16, 2020 7:14 am
Forum: General
Topic: Can't login here with my password from 12 September 2020
Replies: 4
Views: 523

Re: Can't login here with my password from 12 September 2020

I second @Znevna - I reset my password with the same which I used previously. And since I already had strong password enough, I had no issue with it.
by vecernik87
Tue Sep 15, 2020 7:58 am
Forum: The Dude
Topic: The Dude - Confusion
Replies: 1
Views: 408

Re: The Dude - Confusion

I usually do this with a VPN to my server. Then, as long as the remote router has access to the internet, I can see them online and connect to them, even if they put the router behind NAT Dude itself is on-demand monitoring (server has to see clients and sends them requests, clients respond). Good t...
by vecernik87
Tue Sep 15, 2020 5:44 am
Forum: Announcements
Topic: Expected down time for this forum SEPT 11
Replies: 42
Views: 6208

Re: Expected down time for this forum SEPT 11

If password does not work and @krisjanis was upgrading the PHP version, there is likely different hashing algorithm. I mean... it shouldn't be because afaik each hash has short prefix announcing what algorithm is used, but I can imagine that phpBB forum detected new PHP version and forced different ...
by vecernik87
Tue Sep 15, 2020 2:19 am
Forum: Beginner Basics
Topic: ERROR: wrong username or password
Replies: 9
Views: 6452

Re: ERROR: wrong username or password

Interesting finding! thanks for feedback.
If the data are just forwarded (i.e. not ROMON etc), I find it unexpected for any router to modify/corrupt packets. Rather, I would guess that the interim router was accepting the packets and replying on its own possibly?
by vecernik87
Tue Sep 15, 2020 2:07 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 1434

Re: Blocking Facebook, Tiktok and other websites

Blocking all IP from particular ASN will work only for services which have their ASN and do not serve their content from any other IP (Google,FB). However, it will also block other services, which are hosted on those IPs (e.g. google has their google cloud platform hosting heaps of 3rd party website...
by vecernik87
Mon Sep 14, 2020 10:50 am
Forum: Beginner Basics
Topic: ERROR: wrong username or password
Replies: 9
Views: 6452

Re: ERROR: wrong username or password

"wrong password" may appear if the user is not allowed to log in from used IP. check your users, whether they have limited addresses. e.g: [vecernik@mikrotik] > /user export /user add group=full name=vecernik add address=10.11.12.0/24 group=read name=test As you can see, user "vecerni...
by vecernik87
Mon Sep 14, 2020 10:42 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 1434

Re: Blocking Facebook, Tiktok and other websites

Reliable block is impossible. No matter what suggestions will come later, I can guarantee that I will be able to figure out a way to get through, unless you completely block me from the internet. Partially reliable and very easy will be DNS method - force all DNS requests to mikrotik (dst-nat) and t...
by vecernik87
Mon Sep 14, 2020 10:24 am
Forum: General
Topic: CVE-2020-11881 PATCH [SOLVED]
Replies: 16
Views: 1899

Re: CVE-2020-11881 PATCH [SOLVED]

I do not check them "so closely" and I think in 99% of time few days does not matter. I accept your point that this may be part of the thorough testing process for Longterm branch. (I edited my original post now to reflect this) But if BootlabsDev claims: The bug was reported on 06.04.2020...
by vecernik87
Mon Sep 14, 2020 10:14 am
Forum: General
Topic: Hiding other devices
Replies: 3
Views: 426

Re: Hiding other devices

In theory, you could create bridge-filter rules (not IP filter because it is on the same LAN, therefore L2 traffic, not L3), which will for example block ARP requests to particular IP addresses from your phone, but again, phone can easily change MAC, therefore it's not really a protection. Best solut...
by vecernik87
Mon Sep 14, 2020 10:07 am
Forum: General
Topic: CVE-2020-11881 PATCH [SOLVED]
Replies: 16
Views: 1899

Re: CVE-2020-11881 PATCH [SOLVED]

Normis, I appreciate the new version which includes the fix, but please, do not fake release dates. EDIT: Understood. Date is related to "build" not "release". This release was definitely not live week ago, on 7th September. Why does changelog (and your post) claim it was? The to...
by vecernik87
Fri Sep 11, 2020 5:08 am
Forum: General
Topic: Ampache & RouterOS web server on hAP ac2
Replies: 9
Views: 769

Re: Ampache & RouterOS web server on hAP ac2

you got it right - it is not implemented. What you did not get is, that it will never be implemented. As it was said earlier, router is not a multipurpose device and should not be perceived that way. Some people like to tinker with their devices so they managed to run this music screaming server on ...
by vecernik87
Thu Sep 10, 2020 5:54 am
Forum: General
Topic: VLANs on RouterBoard not working [SOLVED]
Replies: 8
Views: 564

Re: VLANs on RouterBoard not working [SOLVED]

I am very glad that it helped :) re. your second question: When working with /interface bridge port , each row has its own number as a unique identifier (if you know SQL, imagine it as a primary key in the DB). Then, each row has parameters (e.g. interface, pvid etc..). Your command actually said t...
by vecernik87
Thu Sep 10, 2020 5:08 am
Forum: General
Topic: VLANs on RouterBoard not working [SOLVED]
Replies: 8
Views: 564

Re: VLANs on RouterBoard not working [SOLVED]

You need to add "tagged bridge1" to your /interface bridge vlan . The relevant section should look like this: /interface bridge vlan add bridge=bridge1 tagged=bridge1,ether9 untagged=ether2 vlan-ids=20 add bridge=bridge1 tagged=bridge1,ether9 untagged=ether3,ether4,ether5,ether6,ether7,eth...
by vecernik87
Fri Sep 04, 2020 3:05 pm
Forum: General
Topic: WOL over VPN
Replies: 5
Views: 773

Re: WOL over VPN

Of course you get reply on the ping. Question is whether you get reply from the device or from the router. check your ARP records, your source device should see target IP with the correct MAC. That's why I asked this - the ARP record in your computer will prove, whether it is the device (therefore yo...
by vecernik87
Thu Sep 03, 2020 8:16 am
Forum: General
Topic: WOL over VPN
Replies: 5
Views: 773

Re: WOL over VPN

WOL is L2 functionality (you are sending packet to particular MAC address, therefore it will work only if your source and target devices are on the same L2 segment (to dumb it down - within the same LAN and same VLAN, not behind a router, not different VLAN). VPN may or may not be bridged (having sa...
by vecernik87
Tue Sep 01, 2020 8:54 am
Forum: Beginner Basics
Topic: [Q] how to add multiple firewall ip address in a single list?
Replies: 5
Views: 628

Re: [Q] how to add multiple firewall ip address in a single list?

It is not unfortunate display. You are not really creating lists. You are creating address entries which have property "list" . As long as the property "list" is same, entries are considered to be part of the same list. Once you use the list somewhere, all entries with the same p...
by vecernik87
Fri Aug 28, 2020 5:13 am
Forum: RouterBOARD hardware
Topic: RB5011
Replies: 40
Views: 13118

Re: RB5011

I had no intention to say that it needs to be modified. I meant that "I wish for it, but I understand that it is not possible". After all, every device is perfect for particular task and it depends how we balance performance/price. I don't think that getting second SFP would be good justif...
by vecernik87
Thu Aug 27, 2020 1:42 am
Forum: RouterOS v7 BETA
Topic: Y u no can specify an interface in routers like you used to be able to?
Replies: 5
Views: 690

Re: Y u no can specify an interface in routers like you used to be able to?

its just public beta... half of things does not work and it is expected. You should not use it anywhere else than testing lab...
by vecernik87
Wed Aug 26, 2020 8:30 am
Forum: General
Topic: VPN Site - Site + Road Warrior [SOLVED]
Replies: 8
Views: 1072

Re: VPN Site - Site + Road Warrior [SOLVED]

... and thats exactly why I prefer to run GRE/EoIP through IPSec - keeping the policy is as simple as possible. Internal IP traffic is then going through normal routing process and you can even easily match interfaces for VPN traffic in firewall instead of using "WAN" port as with IPSec.
by vecernik87
Wed Aug 26, 2020 8:21 am
Forum: RouterOS v7 BETA
Topic: Feature Request - Enterprise features like VSS, ZTP, IPv6 L3 HW offloading and SD-WAN
Replies: 13
Views: 1732

Re: Feature Request - Enterprise features like VSS, ZTP, IPv6 L3 HW offloading and SD-WAN

VSS - that would be nice ZTP - already available, although not completely out-of-box as with UBNT. Only true form of out-of-band management is a serial port and that is available. L3 HW offloading - in development, although it seems having some limitation (quite small amount of connections can be m...
by vecernik87
Tue Aug 25, 2020 6:45 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 19397

Re: v6.47.2 [stable] is released!

Very bad! I have hAP ac, after updating to version 6.47.2 I can no longer connect to the 5GHz network, only the 2.4GHz network is available, although the 5GHz module in the router settings has the status "running". I would never recommend MikroTik products because the software is very uns...
by vecernik87
Mon Aug 24, 2020 10:43 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 19397

Re: v6.47.2 [stable] is released!

All you have to do is back up your settings before upgrading and reset the router to default configuration, then upgrade router and then restore your backup . Even poor admins should not restore backup on other device or version that differs from where it was made. There is no problem restoring the...
by vecernik87
Mon Aug 24, 2020 7:02 am
Forum: Scripting
Topic: My Backup file contains malicious scripts
Replies: 5
Views: 1048

Re: My Backup file contains malicious scripts

Netinstall - the only way to get rid of hidden stuff...
by vecernik87
Mon Aug 24, 2020 2:13 am
Forum: RouterOS v7 BETA
Topic: FEATURE REQUEST: BBR(Bottleneck Bandwidth and Round-trip propagation time) Congestion Control
Replies: 6
Views: 1615

Re: FEATURE REQUEST: BBR(Bottleneck Bandwidth and Round-trip propagation time) Congestion Control

I always thought that TCP congestion control is managed by endpoints? (e.g. web browser and web server) My understanding of BBR is, that endpoints are "smarter" and learn how the network behaves. Then they adjust sending rate based on this info. Network itself (any router on the path) is u...
by vecernik87
Sat Aug 22, 2020 12:02 pm
Forum: RouterBOARD hardware
Topic: RB5011
Replies: 40
Views: 13118

Re: RB5011

I think Design 1 is quite limited for nowadays - only 1G ports won't be very interesting, when almost every enthusiast/prosumer is looking at >1Gbit. However, with correct aggressive pricing, it might be still a great lower-mid range router. You could also drop the memory and flash to lower values to ...
by vecernik87
Fri Aug 21, 2020 1:06 pm
Forum: Beginner Basics
Topic: Remote Management Access using Public IP
Replies: 11
Views: 4427

Re: Remote Management Access using Public IP

1+3) If we are talking about spoofing IP for TCP connection, then attacker must be on the route between original IP which he is trying to spoof and the target. Otherwise he will never get the reply, therefore no TCP connection... Statistics are applicable only if you are talking about random hacker ...
by vecernik87
Fri Aug 21, 2020 11:11 am
Forum: Beginner Basics
Topic: Remote Management Access using Public IP
Replies: 11
Views: 4427

Re: Remote Management Access using Public IP

1) IP whitelisting provides limited security. Your ISP and any 3rd party in between your SRC and DST is in full control over data going through and can simulate connection with a fake IP. 2) Nonstandard port provides also very limited security. Technically, it is a "security through obscurity&q...
by vecernik87
Fri Aug 21, 2020 2:29 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 19397

Re: v6.47.2 [stable] is released!

hAP Lite - not enough space for upgrade Thats a ~18 Euro hardware, dont expect much from such a device... That may apply for other manufacturers but not for Mikrotik. It is expected that software release will work on every supported device, no matter the price. Anyway, not enough space means most l...
by vecernik87
Thu Aug 20, 2020 4:28 am
Forum: Announcements
Topic: v6.47.2 [stable] is released!
Replies: 90
Views: 19397

Re: v6.47.2 [stable] is released!

Are you guys serious? The second update, in the last couple of months, with problems you don't expect at all. One core is constantly 100% loaded with something incomprehensible. https://c.radikal.ru/c39/2008/2c/6e9b16a53516t.jpg At the moment, the download has dropped. But I would like to know what...
by vecernik87
Thu Aug 20, 2020 3:35 am
Forum: Virtualization
Topic: BUG: Bridge not work with MTU=1500
Replies: 2
Views: 744

Re: bug: Bridge not work with MTU>1500

Can you please test with smaller packets as well? Quite a while ago, I encountered similar issue, where VLAN-tagged packets were not passing through the bridge in CHR but everything worked fine when I bound VLAN to an ethernet interface. All details here: https://forum.mikrotik.com/viewtopic.php?f=1...
by vecernik87
Tue Aug 11, 2020 7:52 am
Forum: General
Topic: DHCP conflict detection issue
Replies: 3
Views: 2499

Re: DHCP conflict detection issue

I think you may be right. It is possible that originally they checked just by ICMP ping (compulsory by RFC) and now they are checking both ICMP and ARP (Optional by RFC). Reality is, that many devices refuse to answer ICMP on public interface so ICMP is not enough. What makes me sad is, that I alrea...
by vecernik87
Tue Aug 11, 2020 7:40 am
Forum: General
Topic: EoIP low performance
Replies: 3
Views: 1589

Re: EoIP low performance

I would say it is error in the testing method. I couldn't do it properly (correctly, Device-under-test should not be the one which generates/consumes the traffic) so I just took the first two devices I know of where I already have EoIP and ran the btest between them. In UDP mode, it easily went to 1...
by vecernik87
Fri Aug 07, 2020 3:49 am
Forum: General
Topic: DHCP conflict detection issue
Replies: 3
Views: 2499

Re: DHCP conflict detection issue

Conflict detection was always there (RFC requirement for DHCP servers). MT just added a checkbox to disable it (I am still puzzled who would need that because it breaks RFC). Hotspot is quite proprietary function, thus not covered by RFC. If you are having issues right now, I would recommend to incr...
by vecernik87
Fri Jul 31, 2020 8:27 am
Forum: General
Topic: DNS resolution vulnerability
Replies: 14
Views: 2834

Re: DNS resolution vulnerability

*facepalm* silly me :D Always forget to check gravediggers
by vecernik87
Fri Jul 31, 2020 6:30 am
Forum: General
Topic: DNS resolution vulnerability
Replies: 14
Views: 2834

Re: DNS resolution vulnerability

Sorry but i have to concur with marko. Default config with drop 53 added : Default config contains universal drop rule. You shouldn't need those individual drop rules. If you need them, you are clearly missing some important part. (you or someone else likely deleted that) To confirm original, unmod...
by vecernik87
Fri Jul 31, 2020 6:14 am
Forum: General
Topic: Masquerade rule on dynamic interface? [SOLVED]
Replies: 2
Views: 889

Re: Masquerade rule on dynamic interface? [SOLVED]

if the user can't connect more than once at a time, then you can simply create static "L2TP server binding" which will create your interface permanently. Alternative, possibly better way (no matter how many connections are we talking about) is to add profile, with selected "interface ...
by vecernik87
Wed Jul 29, 2020 10:09 am
Forum: Beginner Basics
Topic: mac address isolation
Replies: 2
Views: 767

Re: mac address isolation

Unless it is very VERY unusual website, there will be external dependencies and that will make the website unusable with any kind of firewall filter filter L7 filtering is best done in the browser itself, because browser can actually distinguish, if the request is website or if it is just a depende...
by vecernik87
Wed Jul 29, 2020 1:47 am
Forum: Beginner Basics
Topic: Hardware offload
Replies: 4
Views: 2306

Re: Hardware offload

@plisken : I am afraid that @CZFan is right. Your RB750Gr3 uses switch chip in MT7621 and that has almost no features supported with bridge offload. Not even STP/RSTP. you can check it here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading @CZFan : thanks for pointi...
by vecernik87
Thu Jul 23, 2020 9:05 am
Forum: Wireless Networking
Topic: RoMon
Replies: 2
Views: 748

Re: RoMon

Can't say for sure whether it is the case, but I know for sure that some UBNT devices (Unifi switches and Edge Switches are those which I tested) do not forward ROMON packets because the ethertype and MAC addresses are unusual. This whole ROMON network is a nice idea but too much proprietary and unu...
by vecernik87
Thu Jul 23, 2020 7:54 am
Forum: General
Topic: Long waiting time for internet access
Replies: 2
Views: 769

Re: Long waiting time for internet access

During the time when internet access is unavailable, I would: ping the gateway/router, ping the other computer (should be on the same LAN, right?) ping some public IP (e.g. 1.1.1.1 or 8.8.8.8 ) try to resolve some domain with default DNS (e.g. nslookup google.com) try to resolve some domain with spe...
by vecernik87
Mon Jul 20, 2020 6:08 am
Forum: The Dude
Topic: Can Dude monitor a Win10 PC with firewall on?
Replies: 6
Views: 1767

Re: Can Dude monitor a Win10 PC with firewall on?

when ping is blocked, ARP request usually does the job if you are on the same L2 segment. Unfortunately, TheDude does not have ARP probe, so the only way I know of is a script in RouterOS
by vecernik87
Sun Jul 19, 2020 10:34 am
Forum: General
Topic: Intermittent internet
Replies: 7
Views: 2042

Re: Intermittent internet

symptoms are typical for MTU issues... Maybe you need to add mangle with MSS clamp? Or just allow ICMP?

Anyway, you can confirm it by trying to ping with large packets:
ping 1.1.1.1 size=1500 do-not-fragment
by vecernik87
Sun Jul 19, 2020 5:34 am
Forum: Beginner Basics
Topic: Webfig login hack
Replies: 14
Views: 8008

Re: Webfig login hack

OP is funny. On the one hand, he is aware of tenable's exploits. On the other hand, he is unable to use them (despite the fact there is Proof of Concept script for every single exploit). @OP : Just reset the thing and live with it... Nobody with consciousness will guide you how to hack a device. Sinc...
by vecernik87
Fri Jul 17, 2020 1:12 pm
Forum: RouterOS v7 BETA
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 5526

Re: Traffic to blocked address still succeeds. Why? A bug?

any proxy is generally very powerful because it actually processes the request (therefore it understands exactly what is being requested and returned) but https proxies are also serious security threat - for HTTPS or generally SSL encrypted traffic (nowadays majority of internet traffic) you need to...
by vecernik87
Thu Jul 16, 2020 10:58 am
Forum: Wireless Networking
Topic: Wireless problem with Apple devices
Replies: 16
Views: 3444

Re: Wireless problem with Apple devices

AFAIK this is normal behavior from apple - they disconnect to save the power, when display is off (or device is locked) and they connect on regular basis to allow apps get updates/messages/notifications https://discussions.apple.com/thread/250285673 https://apple.stackexchange.com/questions/218354/h...
by vecernik87
Thu Jul 16, 2020 10:46 am
Forum: Forwarding Protocols
Topic: Client side VPN connection issues
Replies: 2
Views: 947

Re: Client side VPN connection issues

Sorry man, my crystal ball is in the service today so my clairvoyance ability is disabled for now :(

bit more serious advice: If you are losing customers, hire a consultant. If you want help, no matter where, provide info. Without info, nobody can help.
by vecernik87
Thu Jul 16, 2020 10:36 am
Forum: Beginner Basics
Topic: Secondary routes
Replies: 3
Views: 1019

Re: Secondary routes

or you can just run GRE/EoIP within ipsec to make it nice routable tunnel... Is it naughty? yes. Does it cause more overhead? Yes. Does it make the whole management and failover easier to understand? Yes. You choose what is the priority :) ps: I am even more naughty. I actually run EoIP with Mesh (H...
by vecernik87
Thu Jul 16, 2020 10:21 am
Forum: General
Topic: IP Cloud
Replies: 72
Views: 32381

Re: IP Cloud

@AlexRodac : You can't do much. "IP Cloud" is just fancy name for Dynamic DNS. It helps if you have public dynamic IP - that means real world routable IP which can randomly change anytime. Everytime IP changes, mikrotik will update the DNS entry and point the same unique domain name to th...
by vecernik87
Tue Jul 14, 2020 3:58 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 147
Views: 64425

Re: v6.47.1 [stable] is released!

is it REALLY worth it!???? Yes it is. Lets call it planned obsolescence and whats the first rule of planned obsolescence? We don't talk about it! Ok, lets go from conspiracy theories back to the reality: It is well known that this is not a technical limitation. e.g. Mikrotik Audience with IPQ-4019 ...
by vecernik87
Mon Jul 13, 2020 1:41 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 147
Views: 64425

Re: v6.47.1 [stable] is released!

@jsadler: Do you have some switch chip configuration on those particular devices with faults? It might be relevant because quite a while ago, I had an experience with RBD52G (using Atheros 8327 switch chip) that some features from switch-chip menu were causing serious packet loss to a degree I had ...
by vecernik87
Sat Jul 11, 2020 1:30 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 147
Views: 64425

Re: v6.47.1 [stable] is released!

I think this might be about :resolve command with server parameter specified. E.g.: :put [:resolve google.com server=8.8.8.8] :put [:resolve example.com server=10.10.10.10] You may be right davis! I tested it just now with 6.47 (not working) vs 6.47.1 (working). So it was just misunderstanding of t...
by vecernik87
Fri Jul 10, 2020 3:29 pm
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 147
Views: 64425

Re: v6.47.1 [stable] is released!

Already reported for 6.48beta, but applies here, too:
*) dns - do not use DoH for local queries when a server is specified;
This is about forwarding? Looks like queries are still sent via DoH for me.
Anybody made this work?
Not working on mine either.
by vecernik87
Thu Jul 09, 2020 12:03 pm
Forum: General
Topic: Feature request: IPSec Support of DH group 31 (EC25519)
Replies: 5
Views: 1339

Re: Feature request: IPSec Support of DH group 31 (EC25519)

I don't think this is a sensitive/touchy topic. Official way to ask for features is going to your distributor and asking them. They will ask mikrotik (because your distributor is mikrotik's customer) and based on some magical formula, mikrotik may decide to implement it. Asking on forum is possible ...
by vecernik87
Thu Jul 09, 2020 3:26 am
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 8
Views: 2218

Re: BUG: DNS USE ONLY DOH

Gosh, I couldn't agree more. In no way I meant to say that L7 NAT hack is ideal. I actually hate it because it does not apply to RouterOS itself (Prerouting is not in Output chain) But as you acknowledged, it is better than nothing, if you can't have dedicated DNS appliance. I guess we are really pu...
by vecernik87
Wed Jul 08, 2020 2:00 pm
Forum: General
Topic: IPSEC Policy BUG - version 6.47
Replies: 4
Views: 1157

Re: IPSEC Policy BUG - version 6.47

afaik, this seems to be known issue when a person uses an old winbox. (current version is 3.24)
Since it is not a new bug, there is not much reason to send it individually to support and waste their time.
by vecernik87
Wed Jul 08, 2020 1:48 pm
Forum: RouterBOARD hardware
Topic: PPTP 1000Mbit - which router should I choose?
Replies: 6
Views: 1505

Re: PPTP 1000Mbit - which router should I choose?

You probably mean PPPoE, right? In that case, almost any Gbit capable router should do the job. I would avoid those, which achieve gigabit just barely and/or have only single core. (e.g. RB2011) RB750Gr3 (hEX) if you want cheap-cheap RB760iGS (hEX S) if you want optical fiber RBD52G (hAP ac2) if you...
by vecernik87
Wed Jul 08, 2020 12:31 pm
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 8
Views: 2218

Re: BUG: DNS USE ONLY DOH

That is a theory but unfortunately this does not work with DOH right now . Mikrotik staff is aware (reported in [SUP-20565], resolved in v6.48beta12) and hopefully they will soon release fix in stable channel. Does it work for you with 6.48beta12? To my findings the behavior did not change. ouch, s...
by vecernik87
Wed Jul 08, 2020 11:26 am
Forum: General
Topic: BUG: DNS USE ONLY DOH
Replies: 8
Views: 2218

Re: BUG: DNS USE ONLY DOH

Mikrotik never tried to resolve DNS from multiple servers. If first one fail, mikrotik considers it as a valid response. If you want to resolve specific domains through different server, you can use FWD entry. E.G.: /ip dns static add forward-to=10.0.0.1 regexp=".*\.example\.local" type=FW...
by vecernik87
Tue Jul 07, 2020 2:58 am
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 106
Views: 62440

Re: Winbox v3.24 released!

Based on https://forum.mikrotik.com/viewtopic.php?f=21&t=161887&p=804375#p804344 I ended up here. To reproduce: open a window like "IP firewall filters" in a router that is in active use, and make sure the hit-counts of firewall rules are being displayed (and changing all the time)...
by vecernik87
Mon Jul 06, 2020 1:33 pm
Forum: The Dude
Topic: RouterOS in bridge mode is not recognized
Replies: 2
Views: 832

Re: RouterOS in bridge mode is not recognized

Well, you answered your problem - if the router does not have IP, then it can't be reached by TheDude. I don't think anyone can give you any better advice, because you might have no IP on purpose. If you could share your network topology, it would help to understand and possibly overcome the trouble...
by vecernik87
Mon Jul 06, 2020 1:15 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 112614

Re: v6.47 [stable] is released!

Still, it does not seem that many users use (or even know about) that precaution...
because 95% of us are stuck with 16MB of space... :(
by vecernik87
Mon Jul 06, 2020 11:07 am
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 112614

Re: v6.47 [stable] is released!

another bug ... when going under IP/IPSec/Policy, and opening an existing one seems to exit winbox/crash winbox. Or adding new one. You simply cannot edit/create ipsec policies using winbox on 6.47. Winbox just crashes without any error message. thaaats interesting. I just recreated from scratch ou...
by vecernik87
Mon Jul 06, 2020 2:45 am
Forum: Scripting
Topic: Torrent blocking working in y2020
Replies: 26
Views: 9123

Re: Torrent blocking working in y2020

well, if it does not work 100% then it does not really help, don't you think? I mean - what difference it makes if the download takes bit more? Idea of blocking is, that NOTHING goes through. If it still starts after a while, it likely means you missed some port or regexp part, which still gets thro...
by vecernik87
Wed Jul 01, 2020 1:26 pm
Forum: The Dude
Topic: the new dude is garbage
Replies: 4
Views: 1442

Re: the new dude is garbage

Just wait until you see 6.47 :D
by vecernik87
Tue Jun 30, 2020 5:50 am
Forum: The Dude
Topic: (BUG) Dude Client crashing on device details and charts
Replies: 24
Views: 4786

Re: (BUG) Dude Client crashing on device details and charts

Reported as well. Hope they will look into it. Current status simply means I can't use it at all and I don't know whether I should start looking for something else or not. Even with small bugs and lack of development, TheDude was much friendlier monitoring system than any other which I tried. edit: ...
by vecernik87
Tue Jun 30, 2020 4:55 am
Forum: Scripting
Topic: IP cloud public address into variable
Replies: 3
Views: 1071

Re: IP cloud public address into variable

print the data into console:
:put [/ip cloud get public-address]
Save into variable:
:global public_ipv4 [/ip cloud get public-address]
Enjoy :)
by vecernik87
Sun Jun 07, 2020 11:04 am
Forum: RouterOS v7 BETA
Topic: UI/UX On WinBox
Replies: 23
Views: 5115

Re: UI/UX On WinBox

Hello Dear, This has to be a troll... No troll, this type of word selection is typical for a country which I cannot name (for sake of political correctness). I hear/read this overly-friendly type almost everytime I contact an off-sourced call center or customer support. Thats simply how some people...
by vecernik87
Sat Jun 06, 2020 12:15 pm
Forum: General
Topic: DNS DoH [SOLVED]
Replies: 6
Views: 1804

Re: DNS DoH [SOLVED]

If you already did, then why are you asking?

TBH, I agree with @msatter, because If someone wants to stop me from visiting porn, they would have to physically cut the cable, otherwise I will find a way.
by vecernik87
Wed Jun 03, 2020 3:38 pm
Forum: Wireless Networking
Topic: Having a bigger dish? [SOLVED]
Replies: 3
Views: 1182

Re: Having a bigger dish? [SOLVED]

Dish size will likely increase total dBi and therefore improve your signal. However, those trees are a problem. Instead of trimming them, maybe you can put both antennas on a little mast/tower? Also make sure you have aligned your dishes properly. In terms of wireless quality, there is no magic - it...
by vecernik87
Wed Jun 03, 2020 5:07 am
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 112614

Re: v6.47 [stable] is released!

It seems to me that DNS FWD does not work if there is DoH set up. I can imagine people who want to FWD their internal domain zones while securing all external/public requests. (If you want to test it, remember to flush cache before every request) Even with this little hiccup, I think it is a great u...
by vecernik87
Thu May 21, 2020 11:52 am
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 1677

Re: Firewall Rule not work with Microsoft DHCP server

Nobody got confused. Your computers are on the same subnet and on the same L2 segment (unless you separated them on the switch), therefore they can communicate directly between each other. Mikrotik will not even know about the communication because the switch will directly forward it to the correct ...
by vecernik87
Thu Apr 30, 2020 2:41 am
Forum: Virtualization
Topic: License rent for CHR
Replies: 8
Views: 2368

Re: License rent for CHR

Well, nobody says otherwise :D I literally confirmed the same. Also I gave an example how it would look if OP wanted to make it look like "lease" and I mentioned possible troubles which came into my mind. But the whole idea is clearly based on transfer of the perpetual licence between diffe...
by vecernik87
Wed Apr 29, 2020 6:16 am
Forum: Virtualization
Topic: License rent for CHR
Replies: 8
Views: 2368

Re: License rent for CHR

Mikrotik itself does not provide any "leasing" ability, but you can do it as you described: - You own perpetual licence, which is bound to your mikrotik account. - You install customer's CHR and assign the licence to it. Unfortunately this requires the CHR to be assigned to your account, b...
by vecernik87
Sun Apr 26, 2020 3:45 pm
Forum: Beginner Basics
Topic: Lease Expiry Causing DHCP Critical Error [SOLVED]
Replies: 23
Views: 5404

Re: Lease Expiry Causing DHCP Critical Error [SOLVED]

I thought that "sniff dhcp traffic" is clear enough. Apparently, I was wrong. Sorry for that. you need to filter it by: - interface (vlanbell or bell), please make sure you have only ONE interface selected. If you select both, you may get duplicate readings (because packet goes through VLA...
by vecernik87
Sun Apr 26, 2020 5:26 am
Forum: Beginner Basics
Topic: Lease Expiry Causing DHCP Critical Error [SOLVED]
Replies: 23
Views: 5404

Re: Lease Expiry Causing DHCP Critical Error [SOLVED]

This topic is getting to my favorite phase where I step in and ask "why the heck would you waste time, when you can simply sniff the DHCP traffic on the port?" You will clearly see if your router is asking for DHCP renew and when. You will see if there is some NAK answer or if the request ...
by vecernik87
Sat Apr 11, 2020 3:42 pm
Forum: RouterOS v7 BETA
Topic: FEATURE REQUEST: Add Basic Firewall Rule Wizard
Replies: 71
Views: 15897

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job. I am not worried about my job. I am worried about general security and about wasting mikrotik's developers time on a feature, which will not have many uses. Simplifying a firewall rule wizard such a...
by vecernik87
Thu Mar 26, 2020 5:31 am
Forum: RouterOS v7 BETA
Topic: FEATURE REQUEST: Add Basic Firewall Rule Wizard
Replies: 71
Views: 15897

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

You can't simplify this. Each situation is different. For example some people may be behind ISP's NAT and use RFC1918 address... blocking bogons might break this... In addition, these "premade" rules may be incompatible with existing setting etc... If you have a single change against defco...
by vecernik87
Fri Mar 06, 2020 3:56 am
Forum: General
Topic: Feature requests
Replies: 1343
Views: 325317

Re: Feature requests

.... The reason, why we are using Stunnel, not other solutions is that it is very similar as simple HTTPS for DPI of internet providers, who are denying usage of openvpn and others too. So, vpn is not applicable solution in most of cases. Please, review the possibility to include Stunnel client in ...
by vecernik87
Fri Mar 06, 2020 3:49 am
Forum: General
Topic: feature request ADVANCED DNS Server
Replies: 42
Views: 12993

Re: feature request ADVANCED DNS Server

The included DNS features are as functional as they realistically need to be, for what MikroTik routers are C'mon, thats not true and you know it. If there is ability to put a static A entry, why not ability to put static MX or NS or other entries? It is literally one parameter in CLI/GUI. No real c...
by vecernik87
Thu Jan 23, 2020 12:01 am
Forum: Beginner Basics
Topic: Best monitor
Replies: 2
Views: 1194

Re: Best monitor

Cheapest monitor from Mikrotik would be RB2011 with LCD display. It can show pretty nice charts!
by vecernik87
Mon Nov 11, 2019 7:47 am
Forum: Wireless Networking
Topic: hAP AC2: 5GHZ is not showing
Replies: 9
Views: 7256

Re: hAP AC2: 5GHZ is not showing

the gadget simply did not detect the SSID (control channel was on channel 13). Next thing was to put in SIM card, after that it happily detected and used SSID still broadcasted on channel 13. That is actually interesting finding! thanks for sharing. Sometime I struggle with this and I never realise...
by vecernik87
Thu Nov 07, 2019 12:45 am
Forum: General
Topic: MikroTik hAP ac2 - PoE in problem
Replies: 16
Views: 4156

Re: MikroTik hAP ac2 - PoE in problem

RBGPOE-CON-HP is the way to go as said previously. hAP ac^2 might not be explicitly mentioned but implicitly it is: any 8-30V capable RouterBOARD device Also tech specs say, that the output is passive 24V: PoE in 802.3af/at Input Voltage 42-57V (Passive, Telecom, 802.3af and 802.3at PoE plus suppor...
by vecernik87
Wed Oct 30, 2019 3:48 am
Forum: Scripting
Topic: Script to delete itself after executing... [SOLVED]
Replies: 7
Views: 6081

Re: Script to delete itself after executing... [SOLVED]

It's only a guess, but I wouldn't be surprised if the script file is locked during execution and can't be deleted because of that. File is not locked. I delete my deployment script with following command (written as a last part of the init.rsc file): :do { /file remove flash/init.rsc } on-error={};...
by vecernik87
Wed Oct 23, 2019 1:18 pm
Forum: Wireless Networking
Topic: HWMP+ Mesh network preferring Wlan over Ethernet (incorrectly)
Replies: 6
Views: 4405

Re: HWMP+ Mesh network preferring Wlan over Ethernet (incorrectly)

I figured it out, set the Ethernet as WDS.
Great idea! switching to WDS helped, but I guess this is some bug in implementation
by vecernik87
Wed Oct 16, 2019 7:19 am
Forum: Announcements
Topic: Winbox v3.20 released!
Replies: 42
Views: 33262

Re: Winbox v3.20 released!

*) on update, Winbox will check that code is signed by MikroTik and not somebody else; Unfortunately this check still seems insecure. I remember your report ages ago and I always wondered how long till they fix that. I find this unbelievable that update process is vulnerable like that. Well, good t...
by vecernik87
Wed Oct 16, 2019 7:12 am
Forum: Beginner Basics
Topic: Is there a place where I may ask whitehat to hijack my ROS?
Replies: 4
Views: 1315

Re: Is there a place where I may ask whitehat to hijack my ROS?

Does it matter who hijacks it? Just publish your IP here or on FB/Twitter with hashtag #hackChallenge and soon you will have your results.
by vecernik87
Sun Aug 11, 2019 1:15 am
Forum: Beginner Basics
Topic: VLAN / DHCP basics
Replies: 4
Views: 1162

Re: VLAN / DHCP basics

Just a follow up on previous answer (which is quite sufficient) Better advice would be to not use vlan 1 at all, as it is used for internal purpose by too many manufacturers. VLANs like 1,2, 4095 etc are quite popular among manufacturers for separating traffic internally and some devices simply stri...
by vecernik87
Thu Aug 08, 2019 12:55 am
Forum: The Dude
Topic: Security Issue in The Dude
Replies: 1
Views: 2134

Re: Security Issue in The Dude

Dude is no longer being actively developed and there is no way to protect the password. If you hide the error message, bad guy will simply replace the EXE with custom made program which shows any argument sent to the program. (that is as easy as it sounds)
by vecernik87
Sun Jun 30, 2019 11:04 pm
Forum: General
Topic: vlan on a bridge in a bridge
Replies: 18
Views: 3181

Re: vlan on a bridge in a bridge

One thing that nobody mentioned: vlan interfaces are "dumb" tag injectors. They don't implement any logic. Just inject tag or strip tag, depending on the direction and that pose a risk of tagging already tagged frames. And I am not talking about QinQ. I am talking about 3, 4 or even 5 laye...
by vecernik87
Tue Jun 25, 2019 7:07 am
Forum: General
Topic: DHCPd specific IP addresses to specific physical ETHx ports.
Replies: 5
Views: 1195

Re: DHCPd specific IP addresses to specific physical ETHx ports.

DHCP is L2 protocol. To give IP based on port, you will need to separate those ports from bridge (break L2 segment and therefore L2 broadcast/multicast). Next you create separate DHCP server per each port. Last (optional) step is to set ARP proxy for your LAN. That way, it will look like it is still...
by vecernik87
Sun Jun 23, 2019 3:37 pm
Forum: Wireless Networking
Topic: Need Advice to Cover 300 WiFi Users in Banquet Hall
Replies: 6
Views: 1681

Re: Need Advice to Cover 300 WiFi Users in Banquet Hall

Ok, we are slowly getting to area, which might get us banned (or at least topic locked/deleted) and I don't feel comfy with that. XG is real beast. I agree with you that 1500 is made up number (together with all other "up to XXX clients"), but truth is, that if any device can handle many c...
by vecernik87
Fri Jun 21, 2019 12:12 pm
Forum: General
Topic: Mikrotik haplite have port 3-4 led lighting up without cable plugged in
Replies: 4
Views: 1458

Re: Mikrotik haplite have port 3-4 led lighting up without cable plugged in

If you are experienced and know exactly what you are doing, sure. But I guess in such case, you wouldn't be asking. Also, keep in mind that soldering will certainly void any warranty on the product.. If your product is still under warranty and you don't see bent pins, I would recommend to contact yo...
by vecernik87
Fri Jun 21, 2019 11:33 am
Forum: General
Topic: Disable "Reset All Counters" Button from Winbox GUI
Replies: 4
Views: 3140

Re: Disable "Reset All Counters" Button from Winbox GUI

We had similar discussion earlier - people asking to add a confirmation to "disable" and "remove" buttons, because "what if I accidentally click it" ? Well guess what? You can accidentally add a route, which will break stuff. You can accidentally reorder firewall rules ...
by vecernik87
Fri Jun 21, 2019 10:17 am
Forum: Wireless Networking
Topic: Need Advice to Cover 300 WiFi Users in Banquet Hall
Replies: 6
Views: 1681

Re: Need Advice to Cover 300 WiFi Users in Banquet Hall

few cents from my experience: maximum capacity of 300 people that I need to cover with around 250-300 wireless clients Please decide if you really talk about capacity of the room or about expected amount of clients. By my experience, these are not the same. I have several similar rooms around the ci...
by vecernik87
Tue Jun 18, 2019 3:12 pm
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 57
Views: 7864

Re: single IP constantly trying to log to my Mikrotik

I wanted to make it non-intrusive but okay - note taken and blame fully accepted :) @krisjanisj Could you please also react to the topic to clear it up? It seems that both sides are pretty confident about their truth and for future reference, it would be good to have a clear solution. Or ideally - c...
by vecernik87
Tue Jun 18, 2019 5:44 am
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 57
Views: 7864

Re: single IP constantly trying to log to my Mikrotik

I feel almost bad for providing some feedback.
Sorry for not providing some hard data. And thanks @Emil66 for all explanations and patience. I don't have as much time recently, as I would like. And I would probably ragequit anyway in the process.
by vecernik87
Mon Jun 17, 2019 10:49 am
Forum: General
Topic: 1072/1036 : High CPU :
Replies: 2
Views: 763

Re: 1072/1036 : High CPU :

1) any srcnat (srcnat/masquerade/netmap...) rules with manually specified range of ports? 2) any content/L7 conditions in your firewall rules? if not, what other conditions do you usually use? 3) do you have "accept established/related" filter rule in forward chain on top of your rules? 3)...
by vecernik87
Fri Jun 14, 2019 11:27 pm
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 57
Views: 7864

Re: single IP constantly trying to log to my Mikrotik

I wouldn't advise to use raw-prerouting rule. It might have negative impact on speed of all (including fasttracked) connections. Original idea with filter-input rule was better. It was probably just incorrectly placed on the end of all rules. Raw-prerouting is great for specific purpose - when y...
by vecernik87
Fri Jun 14, 2019 5:50 am
Forum: General
Topic: hAP ac² as switch + ap
Replies: 9
Views: 2164

Re: hAP ac² as switch + ap

Thanks a lot for all the help and information. I just needed to know that it's possible but you've given me plenty more than just that info. As long as it's doable I'm sure I can make it work (eventually). I'm going to go ahead and place my order. Absolutely doable. I use this very often. I actuall...
by vecernik87
Fri Jun 14, 2019 4:10 am
Forum: General
Topic: vlan bridge to port [SOLVED]
Replies: 10
Views: 1864

Re: vlan bridge to port [SOLVED]

Exactly as Anav said. This is not adidas (more stripes = more adidas = better). More bridges are not better. More bridges are bad and lead to serious misconfigurations
by vecernik87
Fri Jun 14, 2019 3:40 am
Forum: Scripting
Topic: :tobool not working as expected
Replies: 4
Views: 1875

Re: :tobool not working as expected

@ADahi : That is not a solution. He clearly wants to work with string . If you do local string true; , then you got variable named "string" containing boolean value. There would be no point in converting it to boolean if it already is boolean. @sin3vil : If you really require it to work w...
by vecernik87
Fri Jun 14, 2019 3:04 am
Forum: General
Topic: Cablelabs Micronets
Replies: 4
Views: 1476

Re: Cablelabs Micronets

Any reason to create multiple topics? viewtopic.php?f=2&t=145875

I am really starting to believe that you are shareholder in one of key companies and you want to promote this craziness...
by vecernik87
Fri Jun 14, 2019 2:08 am
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 1457

Re: Annoyed with Mikrotik 'Support'

I have a list of 4 or 5 questions This is typical trouble with ticket-based support. It is not designed for multi-question cases. I did this mistake few times as well (although not with mikrotik) and I learned quickly that putting multiple questions into single ticket is impossible. Even with norma...
by vecernik87
Thu Jun 06, 2019 6:25 am
Forum: General
Topic: Mikrotik Console Port
Replies: 4
Views: 1192

Re: Mikrotik Console Port

I am not 100% sure because I didn't test it, but there is protected-routerboot option. This is extremely dangerous as it disables both netinstall and console access. If your device malfunctions and you can't log in via network, you will have little chances to restore it. Due to that, I would also su...
by vecernik87
Thu Jun 06, 2019 6:12 am
Forum: RouterBOARD hardware
Topic: wAP AC (RBwAPG-5HacT2HnD) - How to reduce temperature by 8-10 degrees
Replies: 2
Views: 1160

Re: wAP AC (RBwAPG-5HacT2HnD) - How to reduce temperature by 8-10 degrees

If you drilled several holes next to each other (making a little grid), it would have same function but nothing could fall inside.

Maybe I should share my own hack - remove whole cover and temperature will be reduced even more! (what a surprise, right? :D )
by vecernik87
Wed Jun 05, 2019 2:16 am
Forum: General
Topic: EOIP - ethernet over IP protocol
Replies: 3
Views: 986

Re: EOIP - ethernet over IP protocol

Just clarification of previous post - you don't need RouterBoard (physical device), but you need a RouterOS on both ends. That's because EoIP is proprietary extension of GRE and as far as I know, nobody else supports it except Mikrotik. RouterOS can be either on physical device (RouterBoard) or on vi...
by vecernik87
Tue Jun 04, 2019 4:07 pm
Forum: RouterBOARD hardware
Topic: Cheapest router for home use with 1Gb
Replies: 7
Views: 3103

Re: Cheapest router for home use with 1Gb

I think replies above forgot what "cheapest" means. literally "cheapest" is rb750gr3 (hEX) as it costs only 59 USD. slightly more expensive is already mentioned rbd52g (hAP ac^2) which is 69 USD but gives you twice as many CPU cores and integrated wifi. top "cheap" model...
by vecernik87
Tue Jun 04, 2019 11:28 am
Forum: General
Topic: dst-nat with changing port
Replies: 20
Views: 3711

Re: dst-nat with changing port

Thanks for feedback! This info is very appreciated. I was really wondering what will be the issue and I definitely didn't expect something like that.
by vecernik87
Sat May 25, 2019 1:17 am
Forum: Forwarding Protocols
Topic: How to block neighbours Advertisment
Replies: 6
Views: 11168

Re: How to block neighbours Advertisment

You can't do it with ip firewall. It works only with bridge filter. That means you must have the interface in bridge, even if it is a single port bridge.
by vecernik87
Tue May 21, 2019 9:17 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 6184

Re: Bridge -> root bridge

I thought others might provide answer. well... Do I need to set RSTP bridge too for my CRS (switch) or let my STP protocol mode on my CRS set to NONE since CCR already handle the root bridge? (R)STP is designed to work with non-STP bridges (Setting to "none" will make it behave almost like...
by vecernik87
Tue May 21, 2019 4:36 am
Forum: General
Topic: Mikrotik offering lease continually without success
Replies: 2
Views: 819

Re: Mikrotik offering lease continually without success

DHCP is very simple protocol with just 4 steps: Discovery->Offer->Request->Acknowledge. If anything goes wrong, It is usually very clearly visible. 1) do you have any DHCP relays or is it just pure L2 network? 2) Is there any response or is there no response at all from your client? If the Request c...
by vecernik87
Mon May 20, 2019 2:28 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 613
Views: 203241

Re: RouterOS v7.0 beta1 - when?

Some more difficult parts need to be done and we can release a public beta. @normis : so in another words, the easier parts are done and now we are just couple of decades from release? (nah, don't get offended. I really, really appreciate everything you do as long as you don't lie to us or keep sil...
by vecernik87
Mon May 20, 2019 6:36 am
Forum: General
Topic: Please add basic portScan tool ( port scanner scan )
Replies: 57
Views: 25074

Re: Please add basic portScan tool ( port scanner scan )

... 2x times this week different customers needed us to find a cctv DVR on their system (which is behind our mikrotik). would have been so quick via port scan x/24 for port 80 via a ROS ps tool . but instead had to setup a MT + a VPN setup on both sides and a laptop with nmap (about 20-30min, each ...
by vecernik87
Sun May 19, 2019 5:13 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 6184

Re: Bridge -> root bridge

8000 hex (32768 dec) is very common default value all around (cisco, juniper, hp, ubnt) although I am not aware of any specs saying that it must be this way. I remember very well an issue with UBNT EdgeRouterLite, which had default STP priority 0 on its LAN bridge. On one hand, it makes sense tha...
by vecernik87
Sat May 18, 2019 12:10 pm
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 6184

Re: Bridge -> root bridge

I see, to keep bridge MAC consistency, I'll just enable admin-mac with its original IP MAC then. Personally I keep consistency only of first 3 bytes which denote vendor/function. second 3 bytes are usually just serially increasing and have no function. That's why I usually change the 4th byte. Keepi...
by vecernik87
Sat May 18, 2019 8:27 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 6184

Re: Bridge -> root bridge

So this issue is caused by my CCR Ethernet mac starts with 74::::: No. Your issue was caused by not specifying priority. You cannot depend on MAC addresses because in future, you or anyone else might plug in another device anywhere on the network, which will have even lower MAC address and bang! Yo...
by vecernik87
Sat May 18, 2019 3:20 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 6184

Re: Bridge -> root bridge

http://www.firewall.cx/images/stories/stp-root-bridge-election-1.png The lower one of course: 0x8000.4C:5E:0C:B3:EA:E5 < 0x8000.74:4D:28:38:AA:0A However, if you change the priority of second bridge with higher MAC, it will be opposite: 0x8000.4C:5E:0C:B3:EA:E5 > 0x1000.74:4D:28:38:AA:0A As...
by vecernik87
Fri May 17, 2019 5:14 pm
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 6184

Re: Bridge -> root bridge

Will specifying admin-mac can remedy this issue? No, it will not. Theoretically you could find a MAC address which would give it priority but that is wrong approach. And how can I make my bridge as the root bridge (even if there's other root ports in the network?) I already told you - give your bri...
by vecernik87
Fri May 17, 2019 10:14 am
Forum: Beginner Basics
Topic: Bridge -> root bridge
Replies: 20
Views: 6184

Re: Bridge -> root bridge

Each bridge has STP priority. Default is 8000 hex. If you set it lower, it signals to STP protocol, that the bridge is more close to the root. Usually you can see people using numbers like 1000 / 2000 / 4000 etc , to prioritize their root bridge. You can read more about it here: https://wiki.mikroti...
by vecernik87
Fri May 17, 2019 8:51 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 109499

Re: v6.45beta [testing] is released!

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because attacker can't run binary (and if attacker can run binary, it won't matter because your device is already compromised) If we talk about VM, then RouterOS (CHR) vulnerabi...
by vecernik87
Thu May 16, 2019 1:28 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 109499

Re: v6.45beta [testing] is released!

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really concern.
by vecernik87
Thu May 16, 2019 3:28 am
Forum: RouterBOARD hardware
Topic: Can't read Voltage via SNMP on CRS112-8P-4S
Replies: 28
Views: 8398

Re: Can't read Voltage via SNMP on CRS112-8P-4S

Long time? Not even 10 years yet. You seem to be bit impatient, don't you think? :D
by vecernik87
Thu May 16, 2019 1:38 am
Forum: General
Topic: dst-nat with changing port
Replies: 20
Views: 3711

Re: dst-nat with changing port

Thanks for update. Personally I don't think this has something with the version. If you are sure that packet enters Mikrotik on port 8122 but nothing leaves, it is good - that means you can do something with it. I would suspect other firewall rules (all tables except "raw" can contain the ...
by vecernik87
Wed May 15, 2019 2:54 pm
Forum: Scripting
Topic: Knock secret daily changeable
Replies: 10
Views: 1878

Re: Knock secret daily changeable

So as a very simple first layer, why not. You are literally arguing in favour of plain-text passwords. Can you imagine logging into your Gmail or Hotmail on plain old http? :roll: Sorry, I just can't agree with this approach. And I will warn people every time I notice someone promoting port-knocking...
by vecernik87
Wed May 15, 2019 2:30 pm
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1776

Re: bridge + eoip + horizon = loop [SOLVED]

"default forwarding" on wlan is something different: default-forwarding=yes - data from one wlan client to another (on the same wlan interface) are passing directly through wlan interface. It does not leave the interface (interface behaves almost like it had an internal bridge) It looks li...
by vecernik87
Wed May 15, 2019 2:18 pm
Forum: General
Topic: RB3011 Optimal Operating temperature
Replies: 4
Views: 1036

Re: RB3011 Optimal Operating temperature

let me rephrase, if I understand that correctly (I am also curious about this) "The device is guaranteed to perform the same way, within whole temperature range" Is that right? Or are there any catches? (similar to the "waterproof" phones which must not be submerged despite IP ra...
by vecernik87
Wed May 15, 2019 2:07 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 9943

Re: v6.43.15 [long-term] is released!

It is not a happy event, but no need to panic. Things like this have happened to bigger organizations, like the famous Tuesday Patch of Microsoft which used to cause more worry than security. I am not panicking :) I have really great time on older version while waiting for others to take the beat f...
by vecernik87
Wed May 15, 2019 12:39 pm
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1776

Re: bridge + eoip + horizon = loop [SOLVED]

:( I guess last idea: Can you try to sniff the data? That's how I figured out it was caused by RSTP in my case. If you put /tool sniffer on your EoIP, it should show few packets before it gets down for another minute - one or more of these packets will be most likely those which cause issues. Or may...
by vecernik87
Wed May 15, 2019 11:54 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1776

Re: bridge + eoip + horizon = loop [SOLVED]

/interface bridge filter
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF 
I guess you could specify ports/bridges to make sure your local bridge will be unaffected.

Edit: removed second rule. I didn't realize that one is ROMON block, not STP.
by vecernik87
Wed May 15, 2019 11:45 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1776

Re: bridge + eoip + horizon = loop [SOLVED]

just remember that rstp can be forwarded from another device. It can be identified as having DST mac 01:80:C2:00:00:00 / 01:80:C2:00:00:08 - all these dst mac must be blocked. sorry to hear it didn't work for you :( It did in my case and it helped many people earlier. What if you really have a loop ...
by vecernik87
Wed May 15, 2019 11:29 am
Forum: Beginner Basics
Topic: bridge + eoip + horizon = loop [SOLVED]
Replies: 10
Views: 1776

Re: bridge + eoip + horizon = loop [SOLVED]

Most likely known bug: EOIP generates this every time it receives an (R)STP frame. On my devices I solved it by blocking all input/output/forward (R)STP frames in bridge-filter on both ends of EoIP.
Not sure if it will be ever fixed.
by vecernik87
Wed May 15, 2019 11:10 am
Forum: Scripting
Topic: Knock secret daily changeable
Replies: 10
Views: 1878

Re: Knock secret daily changeable

Are you aware that port-knocking is nothing else than different variant of plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don't understand why people still spend so much effort implementing such insecure approach.
by vecernik87
Wed May 15, 2019 11:02 am
Forum: General
Topic: dst-nat with changing port
Replies: 20
Views: 3711

Re: dst-nat with changing port

@cwsupport : Netmap is not necessary. Its only advantage is, that it allows range of addresses to be translated to another range of addresses. In this case, dst-nat is fine because OP needs just one ip/port. I have done this kind of forwarding countless times and there is no special catch on it. @...
by vecernik87
Wed May 15, 2019 10:04 am
Forum: Beginner Basics
Topic: Wireless to POE
Replies: 1
Views: 579

Re: Wireless to POE

Firstly you need to figure out what kind of PoE your camera support. Not every device is same. Some require 802.3af, some require 802.3at, Some only passive 24V or other.... Even if its same 802.3af/at, it can still differ in modes: A or B (endspan/midspan) Be very cautious, if you receive an from s...
by vecernik87
Wed May 15, 2019 9:58 am
Forum: Beginner Basics
Topic: VPN PPTP Passthrough Problem
Replies: 4
Views: 2147

Re: VPN PPTP Passthrough Problem

Do you have both rules in NAT table (chain dst-nat, action dst-nat) and FILTER table (chain forward, action accept)? Or even better - can you export related rules or whole ip/firewall? /ip firewall export hide-sensitive file=asdf.txt Once you download file, feel free to hide any sensitive data befor...
by vecernik87
Wed May 15, 2019 9:50 am
Forum: Virtualization
Topic: Server 2019 HV with chr-6.44.3 no bridge function
Replies: 2
Views: 2327

Re: Server 2019 HV with chr-6.44.3 no bridge function

If something so simple as bridge does not work, it is either mis-configuration or bug. - Could you firstly describe closer, what are you trying to achieve and what exactly does not work? (i.e. how to reproduce the error). - Does normal forwarding or at least Rx/Tx on Ethernet ports works? - Is it re...
by vecernik87
Wed May 15, 2019 9:43 am
Forum: RouterBOARD hardware
Topic: hap ac2 din rail mount [SOLVED]
Replies: 2
Views: 1285

Re: hap ac2 din rail mount [SOLVED]

Haven't tried but if you look for "din rail universal bracket" or "din rail universal mount", you will find thousands of little plastic clips. Some of them might be easy to screw on existing hap ac^2 transparent stand. Then you clip your stand to din rail, clip your router on it ...
by vecernik87
Wed May 15, 2019 8:00 am
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 9943

Re: v6.43.15 [long-term] is released!

Support got back really fast. No wonder. Memory leak in "long-term" (previously "bug-fix") branch is ridiculous failure of their QA team. I find it sad if we can't rely even on the most stable branch. Maybe it's time to offer money for better support? If the fee is reasonable, I ...
by vecernik87
Tue May 14, 2019 5:42 am
Forum: Forwarding Protocols
Topic: Jumbo Frames, L2MTU mismatch with RouterOS crashing
Replies: 3
Views: 2831

Re: Jumbo Frames, L2MTU mismatch with RouterOS crashing

Thanks for sharing! This is actually very interesting to know.
I wouldn't expect it but I am also not very surprised since ROMON has unresolved issues when connection has less than 1500 MTU (typically L2 tunnels etc..)
by vecernik87
Mon May 13, 2019 4:40 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 9943

Re: v6.43.15 [long-term] is released!

*) webfig - improved file handling; *) winbox - improved file handling; Which CVE is it this time? :lol: Did it at least require authorised user? (before you start hating me, remember that I don't mind about vulnerabilities. They are everywhere. I mind, when vulnerability is silently fixed without ...
by vecernik87
Sun May 12, 2019 5:33 am
Forum: Virtualization
Topic: CHR does not transmit frames with VLAN tags from bridge
Replies: 6
Views: 4497

Re: CHR does not transmit frames with VLAN tags from bridge

update: I just got chance to test this config on ESXi 5.5 and surprise-surprise, it works! (obviously, vlans and promiscuous mode must be enabled on virtual switch)
by vecernik87
Thu May 09, 2019 3:08 pm
Forum: General
Topic: EOIP TCP problem
Replies: 17
Views: 2350

Re: EOIP TCP problem

Without eoip, on the same latency, do you get better results?
I can't imagine how could you get any reasonable speed on tcp with 60ms latency. That delay is just killing it.
by vecernik87
Tue Apr 30, 2019 9:57 pm
Forum: General
Topic: Feature requests
Replies: 1343
Views: 325317

Re: formal port knocking

I think that does not fit within the design philosophy of RouterOS (where you get low-level tools rather than high-level blocks that perform a complex task).
Kids control.
'nuff said
by vecernik87
Fri Apr 19, 2019 1:59 am
Forum: RouterBOARD hardware
Topic: 750 gr3 bin bios file
Replies: 5
Views: 1784

Re: 750 gr3 bin bios file

well, the "fwf" file is exactly the firmware which I talked about and which is part of every "bundle" or "system" NPK package.
If OP thinks he needs a "bin", well, that's his choice. I already told him there is no such thing.
by vecernik87
Thu Apr 18, 2019 6:54 am
Forum: Beginner Basics
Topic: Remove interface from console [SOLVED]
Replies: 2
Views: 1801

Re: Remove interface from console [SOLVED]

remove all dynamic interfaces: /interface sstp-server remove [/interface find dynamic] remove particular interface (in this case connected SSTP client): /interface sstp-server remove [/interface find name="<sstp-vecernik>"] As far as I know, you can't issue command "remove" for a...
by vecernik87
Thu Apr 18, 2019 6:24 am
Forum: RouterBOARD hardware
Topic: 750 gr3 bin bios file
Replies: 5
Views: 1784

Re: 750 gr3 bin bios file

There is no such thing published by Mikrotik. If you want, you can download NPK and unpack it (Not that hard - all tools were made public by security researchers over year ago. If you can't, don't really bother with anything else). Once unpacked, you can go through files and identify the one which yo...
by vecernik87
Mon Apr 15, 2019 9:51 am
Forum: Beginner Basics
Topic: L2 connection mikrotik<->mikrotik breaks some https connections
Replies: 2
Views: 744

Re: L2 connection mikrotik<->mikrotik breaks some https connections

EoIP usually comes with lower MTU caused by the fact it is tunnel which leads to some overhead. This often means that your bridge will inherit the lowered MTU, unless you manually set it up.

Try to change MTU on your bridge manually to 1500 :)
by vecernik87
Sun Apr 14, 2019 5:24 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 109499

Re: v6.45beta [testing] is released!

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and still i...
by vecernik87
Sat Apr 13, 2019 7:21 am
Forum: Beginner Basics
Topic: Router for my new home!
Replies: 14
Views: 2605

Re: Router for my new home!

Hey :) Well, you can use something like this https://mikrotik.com/product/RB951Ui-2HnD or this https://mikrotik.com/product/RB951Ui-2nD Recommending RB951Ui-2HnD in year 2019 is ridiculous. This model has been here for ages. It does not have gigabit ports, CPU has just one core, wifi is just 2.4GHz...
by vecernik87
Fri Apr 12, 2019 4:32 am
Forum: General
Topic: OpenVPN. Connected. Hex can ping, local pc's can't.
Replies: 6
Views: 1727

Re: OpenVPN. Connected. Hex can ping, local pc's can't.

add action=accept chain=input this one is BIG security issue. Your first rule literally says "accept any packet from everywhere, including wan". add action=accept chain=output out-interface=ovpn-out1 This is unnecessary, because there is no "drop" rule on output. Implicitly, every...
by vecernik87
Fri Apr 12, 2019 4:01 am
Forum: Scripting
Topic: Fail-Over
Replies: 8
Views: 1953

Re: Fail-Over

ahahahahaha: /tool fetch mode=https url="https://#####.com/Crenein-Install-FaOv.rsc" /import file="Crenein-Install-FaOv.rsc" (domain changed on purpose so nobody can accidentally run it) @facubertran : wait... seriously? Do you expect anyone to download and run ambiguous script o...
by vecernik87
Fri Apr 12, 2019 3:56 am
Forum: General
Topic: OpenVPN. Connected. Hex can ping, local pc's can't.
Replies: 6
Views: 1727

Re: OpenVPN. Connected. Hex can ping, local pc's can't.

If you were on the same subnet, I would say you are missing arp-proxy on your LAN interface - very typical situation. However, you are saying that there is different subnet on each side. That suggest you don't have correct routes and/or firewall is blocking the communication. Could you share more in...
by vecernik87
Fri Apr 12, 2019 2:48 am
Forum: General
Topic: Feature requests
Replies: 1343
Views: 325317

Re: Feature requests

To be honest, this is one of features which would be amazing and very appreciated. Although it is possible to do through third-party device, it would be much more convenient to do it directly through ROS. Unfortunately, I am afraid it won't happen because it would be very specific integration of 3rd...
by vecernik87
Fri Apr 12, 2019 2:15 am
Forum: Beginner Basics
Topic: Why is my speed cut by 75%??
Replies: 9
Views: 1824

Re: Why is my speed cut by 75%??

No worries, happy to help :)

ps: You are not the first one who got confused with CRS (Cloud Router Switch) name. Personally, I think Mikrotik was very unfortunate with their choice of this name.
by vecernik87
Fri Apr 12, 2019 2:08 am
Forum: Beginner Basics
Topic: RB2011UiAS CPU load 100% and only 20Mb traffic
Replies: 5
Views: 1218

Re: RB2011UiAS CPU load 100% and only 20Mb traffic

Duplicate of https://forum.mikrotik.com/viewtopic.php?f=13&t=147535 ? I already gave you answer there and surprise-surprise - it's almost same as what @enggheisar said here. Anyway, as long as you apply "content" or "layer7" matchers on EVERY PACKET (your prerouting mangle rul...
by vecernik87
Thu Apr 11, 2019 12:50 pm
Forum: Beginner Basics
Topic: I can't get more than 20MB trafic, help
Replies: 2
Views: 807

Re: I can't get more than 20MB trafic, help

with so many firewall rules, poor RB2011 must be screaming in pain. to be more specific: - sniffing mangle rules! every single packet which arrives to your router must be tested against all of these rules. If it gets matched, then it also creates additional CPU utilization. - forwarding filter rules...
by vecernik87
Thu Apr 11, 2019 11:20 am
Forum: RouterBOARD hardware
Topic: S-3553LC20D support fiber drop cable ?
Replies: 1
Views: 772

Re: S-3553LC20D support fiber drop cable ?

drop cable usually can maintain around -19~ -21 dBm. attenuation always depends on type and length of the cable. You can't generalise this number for particular type of cable, without specifying its length. To sum up, there is simply no "support or does not support" - any cable is support...
by vecernik87
Thu Apr 11, 2019 6:59 am
Forum: RouterBOARD hardware
Topic: PowerBox and non-Poe devices: Will it damage devices like a laptop? [SOLVED]
Replies: 5
Views: 1520

Re: PowerBox and non-Poe devices: Will it damage devices like a laptop? [SOLVED]

You got it exactly right! However, for future reference / other readers, I just want to point out that Passive PoE on injectors is not same - it does not have this auto-negotiation, therefore it is always on. Only Routerboards have auto-negotiation support for passive PoE. You may also find that som...
by vecernik87
Wed Apr 10, 2019 12:59 pm
Forum: Scripting
Topic: Get single IP from interface which have multiple IP' assigned [SOLVED]
Replies: 3
Views: 1185

Re: Get single IP from interface which have multiple IP' assigned [SOLVED]

well, it depends if you want to use it in script or just display value in CLI. the :put command is like an "echo" or "print" in other languages - it displays content of variable. If it's gonna be used in some script, you will most likely want to use the value in some other command...
by vecernik87
Wed Apr 10, 2019 11:59 am
Forum: Scripting
Topic: Get single IP from interface which have multiple IP' assigned [SOLVED]
Replies: 3
Views: 1185

Re: Get single IP from interface which have multiple IP' assigned [SOLVED]

whole issue is, that your [find interface="xxx"] returns an array of interfaces.. All you need to do is pick one /ip address get [:pick [find interface="ether6"] 0] address or if you want to test it in console, simply :put [/ip address get [:pick [find interface="ether6&quo...
by vecernik87
Tue Apr 09, 2019 2:59 pm
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 35437

Re: v6 RC and v7 BETA

I must admit that you pointed out much more relevant interpretation. I am just afraid, if it ends up that way (e.g. dropping support to mipsbe/tile etc...) Therefore I am not sure if it's funnier or scarier.
by vecernik87
Tue Apr 09, 2019 2:29 pm
Forum: Beginner Basics
Topic: Circle topology
Replies: 2
Views: 724

Re: Circle topology

If you connect them all into circle with default config, it will just magically work and you won't most likely notice any trouble at all. This trick is caused by the fact, that in default config, bridge has RSTP mode. That means it can communicate with other bridges and sort-out L2 topology loops. S...
by vecernik87
Tue Apr 09, 2019 2:28 pm
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 35437

Re: v6 RC and v7 BETA

Well, I was actually referring to time before Diablo 2... I guess it's too old for people to remember today...
by vecernik87
Tue Apr 09, 2019 5:44 am
Forum: Beginner Basics
Topic: Why is my speed cut by 75%??
Replies: 9
Views: 1824

Re: Why is my speed cut by 75%??

Don't forget the hardware encryption: from 6.43.1 onward the RB3011 supports it. I would be careful with that... I already saw one report of RB3011 with panicking kernel, which I bet was caused by this "update"... I don't have any RB3011 around to test it but I guess something does not w...
by vecernik87
Tue Apr 09, 2019 4:49 am
Forum: Beginner Basics
Topic: Why is my speed cut by 75%??
Replies: 9
Views: 1824

Re: Why is my speed cut by 75%??

CRS without fasttrack as a router - that's definitely the cause of the issue. It simply does not have enough CPU power. I am not sure if you don't have fast track on purpose (it can't be enabled if you want to use simple queues, ipsec and some other features) or if you don't have it by mistake. It defin...
by vecernik87
Tue Apr 09, 2019 1:55 am
Forum: The Dude
Topic: Dude Installation instructions don't work
Replies: 6
Views: 3531

Re: Dude Installation instructions don't work

It is (ehm) mature software. Just documentation lacks some details... This unfortunately often causes trouble for new users :( However, if you get your experience, you will find it very logical and almost intuitive (except bridge VLAN settings which is confusing for almost everyone :lol: ) "uplo...
by vecernik87
Tue Apr 09, 2019 1:43 am
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 35437

Re: v6 RC and v7 BETA

To my knowledge, mostly people crave for better support of multithreaded routing (which was promised long time ago) and drivers (notice references to v7). But generally, people are hyped more than players of Diablo before release of new version. Many of them expect every trouble will be magically f...
by vecernik87
Tue Apr 09, 2019 1:18 am
Forum: Beginner Basics
Topic: Cannot click buttons on pop-up window of Winbox 3.12
Replies: 3
Views: 1926

Re: Cannot click buttons on pop-up window of Winbox 3.12

@giguard: I have valid reason. I need it to configure ROS 5.26. Your reason is invalid, because winbox 3.16 added support for pre-v6: https://wiki.mikrotik.com/wiki/Winbox_changelog However, this unfortunately does not change anything - the error is actually not related to winbox version, instead ...
by vecernik87
Mon Apr 08, 2019 11:11 pm
Forum: Beginner Basics
Topic: Why is my speed cut by 75%??
Replies: 9
Views: 1824

Re: Why is my speed cut by 75%??

Are you using the CRS125 as a router? (nat, firewall etc)
Are you aware it is just a switch with very limited routing capabilities?
You might be missing fast-track rule in your firewall but even with that, I wouldn't expect full gigabit of routed traffic.
by vecernik87
Mon Apr 08, 2019 10:21 pm
Forum: General
Topic: RB3011 reboot itself - kernel panic
Replies: 2
Views: 783

Re: RB3011 reboot itself - kernel panic

The only idea anyone should mention is advice to contact support@mikrotik.com and send them your autosupout.rif. I am pretty sure it has something to do with recently enabled HW support for IPsec on rb3011 but only support staff can inspect your autosupout, confirm the bug and fix it in upcoming soft...
by vecernik87
Sun Apr 07, 2019 4:23 am
Forum: Virtualization
Topic: CHR does not transmit frames with VLAN tags from bridge
Replies: 6
Views: 4497

Re: CHR does not transmit frames with VLAN tags from bridge

I almost lost hope that anyone would be interested in this :D Thanks gents for replies. Any configuration with routerOS and vlans that I have worked with has bridge vlan-filtering=yes??? That applies if you want to do vlan filtering (i.e. you want to tag/untag stuff). In my case, I have vlan-filteri...
by vecernik87
Fri Apr 05, 2019 9:10 am
Forum: Forwarding Protocols
Topic: Video: ROS v7 BGP performance
Replies: 3
Views: 2669

Re: Video: ROS v7 BGP performance

Does not work. There is just some text file :( Gimme HL3 or I'll report ya!
by vecernik87
Fri Apr 05, 2019 4:50 am
Forum: Wireless Networking
Topic: WiFi in garden - wouldn't cAP AC be better than wAP AC?
Replies: 15
Views: 2652

Re: WiFi in garden - wouldn't cAP AC be better than wAP AC?

Get Groove 52 ac
DO NOT DO THIS!
Groove has only one radio, therefore you have to select - either 2GHz or 5GHz. It can't do both at the same time like any usual AP.
by vecernik87
Thu Apr 04, 2019 8:07 pm
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 35437

Re: v6 RC and v7 BETA

So there's still hope that the unicorn status v7 has will be changed to something not as mythical.
And I shall be your messiah!
#unicornsArePoniesToo #makeRouterOsGreatAgain

Ps: really thanks for this update. Brings new hopes (and new memes if you don't make it this year)
by vecernik87
Thu Apr 04, 2019 1:28 am
Forum: The Dude
Topic: CCR CPU % monitoring
Replies: 2
Views: 2757

Re: CCR CPU % monitoring

You would need a particular probe with notification. Probe is not that hard because the function is already predefined in TheDude as cpu_usage(). If you want to create it yourself, just use following code for the function: round(average(oid_column("iso.org.dod.internet.mgmt.mib-2.host.hrDevice...
by vecernik87
Wed Apr 03, 2019 9:38 am
Forum: Useful user articles
Topic: USB Outdoor temperature sensor
Replies: 18
Views: 8786

Re: USB Outdoor temperature sensor

compatible with particular brand = proprietary protocol, almost certainly not compatible with anything else. Unfortunately, there is no accessory like this for mikrotik. Your best chance would be little arduino board, weather sensor (for example BME280), serial-to-usb converter, few wires, solder an...
by vecernik87
Wed Apr 03, 2019 9:31 am
Forum: The Dude
Topic: Programmatically adjust devices?
Replies: 8
Views: 3170

Re: Programmatically adjust devices?

... writing a Python script that remote controls chrome that then cycles through WebFig ...
good thinking. It is sad that there is no developer assigned to focus on TheDude. The idea of this system is wonderful, but lack of development unfortunately creates significant obstacles for serious use.
by vecernik87
Tue Apr 02, 2019 6:21 pm
Forum: Wireless Networking
Topic: hAP AC
Replies: 8
Views: 1567

Re: hAP AC

.. And question did not specify if it is about wifi or routing performance... Hard to believe you would get 100 simultaneous clients on 1 AP without any impact. Just keep-alive frames and their interference would eat your airtime. On the other hand - Routing performance? Not an issue at all, exactly...
by vecernik87
Tue Apr 02, 2019 7:52 am
Forum: General
Topic: HAP AC2 + NAS + MTU (Jumbo Frames)
Replies: 3
Views: 1501

Re: HAP AC2 + NAS + MTU (Jumbo Frames)

hm... tricky. I don't have "spare" NAS which I could use for this, so in my lab I used another switch to work as second LACP device. Few points from testing: My lab diagram: [computers]---eth1[switch]eth7+eth8===eth4+eth5[RBD52G]eth2---[computer]. (= is bonded eth, - is single eth) bonding...
by vecernik87
Tue Apr 02, 2019 4:00 am
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 613
Views: 203241

Re: RouterOS v7.0 beta1 - when?

re. network telemetry: Well, idea in theory is nice but I find monitoring through highly-abstract layer a bit suicidal. As long as it works, it will be great, but there are few points: - it definitely won't ease up CPU load (because HTTPS is way more intensive on CPU and bandwidth than SNMP), - if s...
by vecernik87
Tue Apr 02, 2019 1:19 am
Forum: The Dude
Topic: Dude as a trap manager?
Replies: 3
Views: 3138

Re: Dude as a trap manager?

SNMP Traps are not supported by Dude. No matter how hard you try, you won't find a way to make dude a trap manager.
by vecernik87
Mon Apr 01, 2019 11:44 pm
Forum: The Dude
Topic: Cannot add a link
Replies: 2
Views: 2201

Re: Cannot add a link

firstly, your mouse cursor changes. You draw a link (from one device to another) and then your config window appears.
by vecernik87
Mon Apr 01, 2019 5:19 pm
Forum: General
Topic: v6 RC and v7 BETA
Replies: 126
Views: 35437

Re: v6 RC and v7 BETA

RouterOS 7 is here [removed link]! Finally! @krisjanisj: nice! :lol: I think you guys really missed the opportunity to stage the release of v7beta1 on 1st April. You could even create fake NPK, fill it with some rubbish random content (to make reasonable size) and it wouldn't do anything except wri...
by vecernik87
Mon Apr 01, 2019 4:28 pm
Forum: Beginner Basics
Topic: The provider does not see the MAC interface Mikrotik RB2011UiAS (necessary for IPoE) [SOLVED]
Replies: 3
Views: 1165

Re: The provider does not see the MAC interface Mikrotik RB2011UiAS (necessary for IPoE) [SOLVED]

@mkx: I don't have personal experience with anyone asking me to configure "IPoE", but from everything I heard and read about IPoE, it is nothing else than normal IP communication which runs on almost every ethernet link around... You don't have any special "IPoE" interface - its ...
by vecernik87
Fri Mar 29, 2019 9:58 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 59496

Re: UKNOF 43 CVE

Quote from second thread:
Yes, it is kernel level and is very hard to fix, since RouterOS v6 has an older kernel version and we can't just change the kernel.
Is that v7 announcement? :D Hurray!
by vecernik87
Fri Mar 29, 2019 1:17 am
Forum: RouterBOARD hardware
Topic: CRS328 Lock Ups
Replies: 9
Views: 3818

Re: CRS328 Lock Ups

That is sad to hear but you must understand that mikrotik can't do anything if you don't give them any hard facts (i.e. autosupout). You actually don't need anyone on site when it happens. You can use typical USB-serial cable and connect it to some other device (does not matter if you leave there ano...
by vecernik87
Fri Mar 29, 2019 12:26 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 22488

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional. If vendor knows about it for over a year and does nothing? You are actually right: That is irresponsible and unprofe...
by vecernik87
Thu Mar 28, 2019 4:23 am
Forum: General
Topic: Mikrotik: Change the default Powerbox config!
Replies: 16
Views: 3509

Re: Mikrotik: Change the default Powerbox config!

@millenium7: If I understand it correctly, your employee stuffs up, makes excuses and because of that, you want Mikrotik to adjust setting for whole world? That just does not add up :D It's almost better than recent request to have confirmation box for disabling interfaces because employees miss-clic...
by vecernik87
Thu Mar 28, 2019 1:11 am
Forum: General
Topic: EOIP when Behind another Router - A No Go?
Replies: 6
Views: 1194

Re: EOIP when Behind another Router - A No Go?

However looking at the complexity of most other IPSEC setups is only an incentive to forget the whole idea. :-)
Wanna hear a secret? In my beginning, I once set up GRE (exactly same config as EoIP) just so I could get the advantage of automatic IPsec setup. :D

Yea, dead simple :)
by vecernik87
Thu Mar 28, 2019 12:29 am
Forum: Wireless Networking
Topic: dual AP qick setup
Replies: 5
Views: 2453

Re: dual AP qick setup

Yes, that is what I recommended to OP - use WISP AP in bridge mode and add manually remaining WLANs. Unfortunately, that will require to step out of quickset. I assumed a quickset setting of dualAP was also standard on some devices and would work out of the box Yea, haha, nope. Device works out-of-t...
by vecernik87
Wed Mar 27, 2019 11:41 pm
Forum: Wireless Networking
Topic: How to list devices around mk?
Replies: 5
Views: 1256

Re: How to list devices around mk?

Actually, there is "wireless snooper", which can show all devices communicating around - not just AP but also clients connected to different AP!
However, it will not show wifi devices which are not communicating (what a surprise, right?)
by vecernik87
Wed Mar 27, 2019 1:23 pm
Forum: General
Topic: Cloud IPs need to be blocked
Replies: 13
Views: 2819

Re: Cloud IPs need to be blocked

To be honest, before annoying support staff, I would prefer to inspect full config. I have few devices around, where I specifically focused on any unexpected outgoing packets - and it's just not happening. There must be some setting causing this.
/export hide-sensitive file=somename